Solved

Moving a Windows Server 2012 Domain Controller

Posted on 2013-12-12
17
430 Views
Last Modified: 2014-08-19
Bit of an odd scenario but wondering if you could shed some light.

Have a single W2K3 server on domain A.  The ex-administrator setup a new Windows 2012 Server as a (new) domain controller on domain B; citing some issues setting it up on domain A.

All user accounts and general AD info is on domain A, so this is the preferred domain to persist.

Can I switch the domain membership of the new server back to domain A without much fanfare?  A reinstall isn't ideal since there is some unrelated server-side s/w installed on the new server (which was the reason for it being introduced in the first place).

Thanks all.
0
Comment
Question by:NightHawk10
  • 7
  • 5
  • 4
  • +1
17 Comments
 
LVL 9

Expert Comment

by:tsaico
ID: 39715473
If domain B is being tossed out and does not have any use, you should be able to decommison the AD and DC aspects as you would normally.  Once that is done, the server will be just a computer, then you should be able to join it to the new one.

The amount of work and time though, I would be hard pressed to say you are saving any time by doing it this way vs. just re-installing the OS and your application being served.  Also, because it requires several reboots to fully remove AD, your users will still have to be either kicked out or just randomly get dropped when you restart.

I still recommend taking a weekend, have all staff commit any changes on a friday afternoon, make a back up of your application DB (most will have some sort of utility to easily do this if it is not actually a DB like SQL or Oracle), blow it out, re-install, update windows, let that run overnight, then come back Sat. and install/restore your application.
0
 

Author Comment

by:NightHawk10
ID: 39715510
Thanks tsaico,

If I decommission the AD/DC aspects and it becomes "just a computer", then I assume it lives on the peer to peer workgroup?

I guess then getting it back to the original (proper) domain is just a reverse of above; but I'll also find out whatever challenges the ex-admin had in the process.

I can't (really) do a full re-install, since a 3rd party has spent resources getting their enterprise (accounting) s/w running on it to-date...
0
 
LVL 9

Expert Comment

by:tsaico
ID: 39715795
http://technet.microsoft.com/en-us/library/cc771839(v=ws.10).aspx
for removing the last domain

You will treat it like the last domain controller since it technically is.  

You may still be in a line of trouble though, depending on how the security/Application/DB was set up.  Since there are no local admins/users on a DC, the services and such may be tied to the user accounts of domainb\admin, which is different than domaina\admin.

What accounting software was set up?
0
 
LVL 2

Expert Comment

by:CubeOver
ID: 39716368
It would help if we had the full citation of "issues" your ex-admin experienced.
Had he prepared the forest A for WS2012?
Had he prepared the domain A for WS2012?
(ADPREP.EXE ?)

If you cannot get through the "issues" then you might be looking at MIGRATION over to domain B.
The tool in this case is called "ADMT 3" - it can move users, groups, computers.
http://www.microsoft.com/en-us/download/details.aspx?id=8377

There's a guide available for ADMT migration, that you should read, understand and TEST before proceeding with Production migration.
http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39717067
On the issue of ADPREP.EXE, it no longer need be run before the first 2012 server is promoted in the environment... if it's needed, it will run as part of the AD DS configuration.  (That said, running it ahead of time isn't wrong or bad.  It used to be a necessary separate step.  It need not be now.)

Are domains A and B in the same forest or different forests?  If I had to take a guess, either the new computer wasn't able to talk to Domain A (could have been ports blocked, or the new server wasn't pointed to the old DC for DNS), or the administrator didn't have sufficient permissions to update the AD schema.  As has already been said, you'll very likely need to figure out what the cause was and fix it before you can integrate the parts back together.

And to answer the can you do it 'without much fanfare'?  Probably not.  I'd normally strongly suggest not running 3rd party software on the domain controller... and one of the reasons why not is that the domain controller doesn't have a 'normal' security system.  Any other server or workstation has local accounts and local groups on the system itself.  For normal operations, the DC doesn't have those, and relies exclusively on domain accounts and domain groups.  Without evidence to the contrary, I'd strongly suspect that is one of the reasons the 3rd party package may have been more complicated to get set up on the DC, and will break when it's DC configuration is changed.  :-(
0
 

Author Comment

by:NightHawk10
ID: 39718172
Thanks for feedback all.  I don't know the "issues" the previous admin had; just a note that he had problems and was unable to introduce the new server into the existing domain.

The accounting s/w is Sage Timberline (I'm trying to find the services and extent of its needs throughout all this).

I'll digest above and try a few attempts to see what it does in the next week or so.  Will report back.

Much appreciated for feedback to-date.
0
 
LVL 9

Expert Comment

by:tsaico
ID: 39720830
Hehe, Good old Timberline, though they re-badged a bunch of their familiar products to Sage 100, Sage Contractor, Sage 300, etc.  Personally I wish they had stayed with the old naming convention, Peachtree, Masterbuilder, Timberline, etc.  I get why they did it, but I don't remember products well when they are just a number.  I have a bunch of construction groups that use this.  For the most part, it won't be too much to migrate it to a different server.  Mainly your actual database, your macros, your reports, and your attachments.

If you have some extra hardware to run a temporary VM, I have also made my Physical box a VM using VMware, ran it virtually for a few days, while I wiped the old box.  Then from the VM made my backup and subsequent migration.
0
 

Author Comment

by:NightHawk10
ID: 39722107
Timberline (300 version?) is actually just recently setup/installed on the new 2012 server, so it's not being migrated anywhere to be clear; just the server membership itself should be moved back to the original domain A.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 9

Expert Comment

by:tsaico
ID: 39722163
Yes, I think that was clear, but you still want to treat everything like a migration in case things do not go according to plan.  Also, since the services were installed to a DC, there are no local users, so security settings, what the services started might be gone, so it still won't start up correctly.

Not to mention you also are running the risk of hitting whatever the previous guy hit that prevented him from updating the old AD to accommodate W2012.  (though I am not sure what that would be if it is just a member server vs a DC.)

Because of the unknowns, I try to treat it as worst case scenario on something like this.
0
 
LVL 2

Expert Comment

by:CubeOver
ID: 39723461
If you had another Windows Server 2012 then I would like to see if it can join domain B.
You may try it in a VM say, deployed in a Hyper-V somewhere.
If not...
Backup the new server,
then demote it, destroying the domain B.
Try to join the domain A, post the issue with screenshots.
Time to find out what the issue was.
0
 

Author Comment

by:NightHawk10
ID: 39730458
Sorry no other server h/w to "experiment" with here.  While I haven't got my hands on this quite yet, I did get some feedback from the past admin (3rd hand) on what the original issues he had:

"2012 Essentials will not work  on an existing network... could not get it to join a domain with 2K3 DC... 2012 Essentials needs to be the only DC on the network... It will not allow you to make it a secondary DC and then upgrade it to primary. 2012 R2 that either just came out or is coming out (was in BETA in October) does allow you to have it as a secondary DC, but not sure if it will recognize Windows 2003."

Any comment on this?  I think he implied the solo 2K3 DC in the original domain was an issue to allow the new 2012 server to join, but anyone have comment or experiences here?

Thanks again everyone.
0
 

Author Comment

by:NightHawk10
ID: 39755453
Hi all.  Finally got in to check it out, here's a few tidbits.  Original W2K3 server is:

- fine for domain/forest functional levels set to 2003.
- fine for netdom, dcdiag, and repadmin command line results.
- valid DNS.

So it would appear the new W2K12 server should be able to join this (while I have yet to removed the AD-related membership roles in its own domain), I did notice that new box's DNS did point to itself (vs. to the original server) so not sure if that might have been a misstep that caused this path to begin with.

Otherwise, I'll be using the new W2K12 server manager to remove the roles in the next few days, so let you know where it stands then.  Thanks for any feedback at this point.

J.
0
 
LVL 2

Expert Comment

by:CubeOver
ID: 39758369
When using DCPROMO to make a server 1st DC in a new domain, it is setting DNS resolver to itself to make sure this part is right.
The server's DNS resolver must be pointed to a server that can resolve all records in the domain you're trying to join. If you insist on pointing to own DNS then few alternatives exist for proper DNS integration (forwarders, delegations, secondaries).
In your case it had to be a forwarder, since demoting a DC does not remove DNS server component and does not change DNS resolver settings (of course).

As of now, first demote the W2012 server, destroying the new unneeded domain,
then just retarget W2012's DNS resolver to your existing DCs in your valid domain.
Joining old domain should work like a charm :)
0
 

Accepted Solution

by:
NightHawk10 earned 0 total points
ID: 39775394
Thanks CubeOver.  Used my lag time to scrounge up test 2012 server simulate this.  Had it installed as a single PDC in its own domain, then demoted it (via Server Dashboard, Remove Roles) and it was a workgroup server.

Then tried to re-add AD roles into an existing domain (which has a lone 2K8 PDC) and it appeared to work and restart, but the server properties still showed WORKGROUP memberhip?  I changed it to the new target domain and rebooted again.  I have AD tools and can see this new domain which it appears to have joined.  File shares can be created on the new server with usual domain accounts to assign, but a few negative symptoms arose:

- unable to use the new Add Users 2K12 wizard; it fails.
- unable to see the newly joined 2K12 server in the domain tools from 2K8 (i.e. doesn't appear as a directory server, or a domain controller, or else in AD Users and Computers, or AD Sites and Services anywhere, even via search and I'm sure the domain replication has had enough time to find the extra server by now).

Not sure if I'm missing some key roles or how to troubleshoot from here, but it shows me it's not quite seamless here.

I'm inclined to back down from all this if I'm just opening a can of worms with issues after migration (which was pointed out already).  I do appreciate everyone's input to-date.  Any more thoughts before I give up?
0
 
LVL 2

Expert Comment

by:CubeOver
ID: 39775414
I think it is time to check AD health of your W2008 domain (is it separate from the WS2003 you mentioned in your first post?).

On both WS2008 and W2012 , try running

c:\> repadmin /replsummary

c:\> dcdiag

What domain and forest level it is running at?
Any peculiar errors in the Directory Service log?
Have you checked if the DNS records were properly created in _msdcs and _sites containers?
0
 
LVL 2

Expert Comment

by:CubeOver
ID: 40262173
OK
0
 

Author Closing Comment

by:NightHawk10
ID: 40269775
Base on all feedback to-date.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
OfficeMate Freezes on login or does not load after login credentials are input.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now