Solved

Replacing a Primary Domain Controller with new hardware

Posted on 2012-09-20
Last Modified: 2012-09-27
I have a single Active Directory domain that contains a primary domain controller and 2 backup controllers (all Windows Server 2003 x86 boxes). The PDC is getting old and it's time to upgrade. We have purchased the hardware and have installed Windows Server 2012 Standard x64.

I'm looking for recommendations on how to best proceed with swapping out the old PDC with the new hardware.  Our domain consists of 60 or so desktops and laptops.  We allow staff to use their personal laptops to access shared network resources.  At present there are approx 80 staff owned non-domain member machines that frequently connect to the network.  The main complication is that our PDC is also our main file server and all machines include shortcuts that point to the UNC path of the shares on the file server/PDC. To avoid having to deal with broken shortcuts on close to 150 machines, we'd like the new PDC to have the same name and IP address as the old one. Also, the shares have a wide variety of ACLs that would be painful to recreate manually so I need to migrate the shares and permissions.  

I'm assuming we'd need to do something along the following lines:

1. Make the new box a DC by adding the Active Directory Domain Services role. (http://technet.microsoft.com/en-us/library/cc753720(v=ws.10).aspx)
2. Transfer FSMO roles to the new DC (http://www.petri.co.il/transferring_fsmo_roles.htm)
3. Migrate File Services from the PDC to the new DC (http://technet.microsoft.com/en-us/library/dd379487(v=WS.10).aspx)
4. Demote the PDC by running DCPROMO to remove AD
5. Unjoin the old PDC from the domain and remove it from the network.
6. Rename the new DC to match the name of the old PDC
7. Change the new DC's IP address to match the IP address of the old PDC
8. Run DCPROMO on the new DC to promote it to the PDC

Some questions:

Does this seem like a reasonable approach to take or have I missed some crucial steps?
Is there a better way to do this?
Will File Services Migration preserve shares and permissions?
Do I need to do anything to ensure GPOs are preserved?

Advice, comments, suggestions gratefully accepted!

Thanks -- Steve
Question by: SteveV
7 Comments

Expert Comment

by: Mike Kline
ID: 38420136
It seems reasonable; use these links for the 2012 dcpromo:

http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx

http://blogs.technet.com/b/askpfeplat/archive/2012/09/06/introducing-the-first-windows-server-2012-domain-controller-part-2-of-2.aspx

A lot has changed; you no longer have to worry about adprep (it does it for you). The dcpromo command no longer works in 2012.

Very cool getting a 2012 box up less than a month after its release.  This is the first 2012 domain controller question I have seen on here, Outstanding!!

Thanks

Mike

Accepted Solution

by: David Johnson, CD, MVP (earned 2000 total points)
ID: 38420434
Here is how I'd do it. It requires a staging computer and a bit more time (could be done in a virtual machine).
1. On the staging computer create a domain controller.
2. Join the new 2012 server to the domain.
3. Use the robocopy /SEC option to copy from the OLD server to the new 2012 server. This will copy over the ACLs from the old server to the new 2012.
4. By now the new DC should have replicated the domain architecture, including all group policy objects.
5. Demote the 2003 server and put it aside. Rename this machine and change its IP address. I'd also get a hardcopy of the root share names, as the share name doesn't always follow the 'disk filename', i.e. share \\serverx\production\work could exist on c:\fileshare\abc\work.
6. Disjoin the new 2012 from the domain.
7. Remove the 2003 server from the domain.
8. Rename the 2012 server, change its IPs, join it to the domain.
9. Promote the 2012 server.
10. Wait for the domain to be replicated.
11. Demote and remove the scratch server.

I added the step of the scratch server since you need to keep the SAME NetBIOS name. In future I'd use DFS file shares rather than strict UNC shares.

Expert Comment

by: barrykfl
ID: 38420848
Have you tried migration in 2008...? If it's the same domain, it's so simple: just join it to the new domain,
set the FSMO roles (mainly) and Global Catalog, then demote the 2003 DCs.

Make a writeable DC in each site.

Author Comment

by: SteveV
ID: 38421749
@ Mike
Thanks for the links--very handy

@ve3ofa
I already have 2 other DCs in addition to the PDC--do I really need the staging DC? Regarding Robocopy: excellent suggestion--thanks.

@barrykfl
Not sure I follow. Adding the new DC and promoting it isn't the hard part. Keeping the original PDC's NetBIOS name, IP address, shares and ACLs is the bit I'm concerned about.

Thanks -- Steve

Expert Comment

by: Mike Kline
ID: 38421814
I forgot to mention RichCopy: http://technet.microsoft.com/en-us/magazine/2009.04.utilityspotlight.aspx

Robocopy works too, but that GUI can be nice.

Thanks

Mike

Expert Comment

by: David Johnson, CD, MVP
ID: 38422758
Since you have other DCs (not RODCs, I hope), you don't need the staging DC.

Author Closing Comment

by: SteveV
ID: 38441842
Thanks to all who replied. A couple of bits of info for anyone else looking to do this in the future.

I ended up using RoboCopy over RichCopy. For all its convenience, RichCopy seems to have one fatal flaw: it doesn't copy ACLs reliably, which I didn't discover until I had copied over 500GB of data. Some quick Googling indicates this is a common problem.

After some experimenting with a number of robocopy cli switches I ended up with the following:

robocopy \\server1\d$ d: /E /COPYALL /R:1 /B /LOG:"D:\Temp\RoboCopy\DRoboLog.log" /V /TEE

This copied the data and ACLs properly, but I still needed to recreate the shares. Recreating the shares was as simple as exporting the following registry key from the old server: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares and importing it into the new one. Details here: http://support.microsoft.com/?kbid=125996.

We have yet to actually promote the new DC--we're planning to do that over an upcoming long weekend on 10/6.

Steve
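An added check for the failure mode Steve describes (ACLs silently not copied, noticed only after 500GB had been moved): compare the security descriptor of every item on both sides right after the copy, so a bad copy tool is caught before the cutover. This is example code written for this page, not a command from the thread; \\server1\d$ and D:\ follow the robocopy line above, and the report path is assumed.

```powershell
# Added example: verify that a file copy preserved NTFS security (owner, group,
# DACL, SACL) by comparing SDDL strings on source and destination. Run it in an
# elevated PowerShell on the new server with an account that can read security
# descriptors on both sides (the same privilege robocopy /B relies on).
param(
    [string]$Source      = '\\server1\d$',                       # old server, as in the thread
    [string]$Destination = 'D:\',                                # new server's volume
    [string]$Report      = 'D:\Temp\RoboCopy\acl-mismatch.csv'   # assumed report path
)

function Compare-TreeAcl {
    param([string]$Src, [string]$Dst)
    $mismatches = @()
    $root  = $Src.TrimEnd('\')
    $items = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse -Force)
    foreach ($item in $items) {
        # Map each source path to the same relative path under the destination.
        $relative = $item.FullName.Substring($root.Length).TrimStart('\')
        $target   = Join-Path $Dst $relative
        if (-not (Test-Path -LiteralPath $target)) {
            $mismatches += [pscustomobject]@{ Path = $relative; Problem = 'missing on destination' }
            continue
        }
        # SDDL is the canonical text form of the whole security descriptor, so one
        # string comparison catches dropped ACEs, changed inheritance flags and a
        # changed owner. SIDs are domain SIDs and therefore identical on both sides.
        $srcSddl = (Get-Acl -LiteralPath $item.FullName).Sddl
        $dstSddl = (Get-Acl -LiteralPath $target).Sddl
        if ($srcSddl -ne $dstSddl) {
            $mismatches += [pscustomobject]@{
                Path = $relative; Problem = 'ACL differs'; Source = $srcSddl; Destination = $dstSddl
            }
        }
    }
    return $mismatches
}

$result = @(Compare-TreeAcl -Src $Source -Dst $Destination)
if ($result.Count -gt 0) { $result | Export-Csv -NoTypeInformation -Path $Report }
'{0} item(s) differ between {1} and {2}' -f $result.Count, $Source, $Destination
```

Re-run robocopy with /COPYALL (or at least /SEC) on any path the report lists, then run the check again; an empty report means the permissions migrated intact.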