Solved

Adding a 2012 R2 (Srv2) Domain to 2008 R2 (Srv1) Domain Then, Promoting 2012 R2 (Srv2) to Primary

Posted on 2014-12-23
Last Modified: 2014-12-23
5 years ago, we installed a Win 2008 R2 server (Srv1) currently with AD domain.local.  The customer wants to upgrade their server hardware and server OS to Win 2012 R2.

We considered a clean install with a fresh install of AD on (Srv2) Win 2012 R2.
However, to save time, we're also considering having the new server (Srv2) Win 2012 R2 join the current domain, then promoting the (Srv2) Win 2012 R2 to become the primary domain controller and ultimately removing the Win 2008 R2 (Srv1) from the network after migrating the data.

Has anyone had any great success with adding a domain controller to a domain followed by raising/promoting the added domain controller to becoming the primary domain controller?
If so, would you care to share your procedures for doing so successfully?  Thank you.
Question by:eitconsulting
17 Comments
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 40515357
This has been done many times. The process is very straightforward. Join the machine to the existing domain through computer properties. Run the add roles wizard in server manager and select the Active Directory Domain Services role. Complete the wizard. It is now a DC. Configure all machines to use the new server for DNS, including the old DC. Then run dcpromo on the old DC to demote the server. The demotion will transfer any FSMO roles that need to be moved.

Make backups. Stop on errors. It is pretty straightforward.
1
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40515395
...and make the 2012 box the new time server after FSMO roles transferred

How to configure an authoritative time server in Windows Server
http://support2.microsoft.com/kb/816042
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40515408
PDCe's are the authoritative time server by default in domain environments. Just transferring that role as part of the FSMO move will do this automatically. I actually don't recommend changing NTP settings unless you are going to make an external time source authoritative.
0
 

Author Comment

by:eitconsulting
ID: 40515410
Is there a preference of joining the domain through the "Computer Properties" versus using the Add Role Wizard from the new server which also does the same thing as joining the domain through the "Computer Properties"?  In other words, is one method better than the other?
0
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 40515412
I usually join the domain as a separate step simply so I can get the computer object into the right OU in ADUC and site in Sites and Services. Often makes for more efficient group policy updates and AD replication when you do promote it to a DC.
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40515460
*No Points*

Just to provide a third voice.  Everything that has been stated here is spot on.  There really is no dark secret to this process.  Its successes and/or failures are also well documented, which adds another level of comfort for anyone dealing with this for the first time.

The extra benefit here is that server 2012 streamlines many of the separate steps involved as you add the role to promote it.  If your Forest/Domain functional levels are too low, the wizard alerts you.  If you need to run ADPREP, the wizard asks if you would like it to run it for you.  The only things that are not considered are additional services that are not required for a DC but as a rule are usually configured on a DC (like DHCP, Time Services [configured on the PDCe as addressed above]).  Other things like DNS and DFS are not so much of a concern as they are AD integrated.

-saige-
0
 

Author Comment

by:eitconsulting
ID: 40515485
Okay, the following yellow flag appeared while promoting Server 2012 R2 (Srv2) to a DC:
Integrated DNS has been operating successfully on the current Win 2008 R2 (Srv1) since its deployment 5 years ago.

Flagged Message:

DNS Options

A delegation for this DNS server cannot be created because the
authoritative parent zone cannot be found or it does not run
Windows DNS Server.  If you are integrating with an existing
DNS infrastructure, you should manually create a delegation to
this DNS server in the parent zone to ensure reliable name
resolution from outside the domain "domain.local". Otherwise,
no action is required.
0
 
LVL 34

Assisted Solution

by:it_saige
it_saige earned 250 total points
ID: 40515511
This message means that your internal domain is not authoritative because it is something like myorganization.com.  DNS states that the authoritative server is external to the domain and that this server does not accept updates from the domain DNS zone.  You can safely disregard this message.

http://technet.microsoft.com/en-us/library/cc754463%28v=ws.10%29.aspx

-saige-
0
 

Author Comment

by:eitconsulting
ID: 40515530
Upon promoting the new Win 2012 Server (Srv2) to the primary DC, will the old Win 2008 R2 (Srv1) have to be immediately taken offline, or can it remain online without conflict for a couple of hours while I migrate current files from it to the new Win 2012 R2 DC?
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40515550
It can remain online (and is recommended to do so) until you can verify that replication is succeeding and has completed.

http://technet.microsoft.com/en-us/library/cc794749%28v=ws.10%29.aspx

-saige-
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40515554
0
 

Author Comment

by:eitconsulting
ID: 40515571
The Win 2012 R2 (Srv2) has been successfully promoted to a DC and I have documented all thus far step-by-step...  I do see the user accounts and computers replicated to the newly promoted DC.  

Does this newly promoted Win 2012 R2 (Srv2) DC have to be raised or elevated to become the primary DC over the older Win 2008 R2 (Srv1)?

Or, after replication has been confirmed and data migrated from the old Win 2008 R2 (Srv1) , can this old server simply be shutdown and removed from the network?
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40515583
You would not simply shutdown and remove the old server.  You would run DCPROMO on the old server as outlined by Cliff.    

Make sure though that you do not choose the option that stipulates that this is the last domain controller.

http://technet.microsoft.com/en-us/library/cc771844%28v=ws.10%29.aspx

-saige-
0
 

Author Comment

by:eitconsulting
ID: 40515641
So far so good.  Thanks for the great feedback.
I'm considering keeping the current Win 2008 (Srv1) in production merely for AD redundancy.  This being said, what if the current Win 2008 (Srv1) DC fell off the planet in the future (regardless whether both DCs were on new hardware) and we are unable to manually demote it via DCPROMO?  How would demoting it be accomplished in a redundant AD environment?
Is this where "Elevating" the 2nd/new DC must be initiated in order to deal with a fallen DC?
0
 
LVL 34

Accepted Solution

by:it_saige
it_saige earned 250 total points
ID: 40515672
Then you would be forcefully removing the failed DC.  As I stated above, the successes and/or failures are well-documented.  Forcefully removing the failed DC involves running DCPROMO on a live DC.

Forcing the Removal of a Domain Controller

If that fails then you are left with the manual removal of a failed DC.  The steps involved here are, but not limited to, a clean-up of the meta-data in AD, the associated DNS records and seizing the FSMO roles (if the failed DC was the holder of any of the FSMO roles).

Delete Failed DCs from Active Directory
Seizing FSMO Roles

In either case, it should be implied that you need at least one live DC.

-saige-
0
 

Author Closing Comment

by:eitconsulting
ID: 40515827
I've condensed the above topic and helpful responses here:

**Incorporating a New Domain Controller into a current AD DC environment:

New Server Name - SrvName2
Existing Domain - company-domain.local

1. Added new server to current domain via Computer Properties and rebooted.
2. Within Server Manager, Yellow Flag above appeared to "Promote Server to DC".
3. Selected "Promote Server to Domain Controller".
4. Options were pre-selected (Domain Name System (DNS) Server) and (Global Catalog (GC))
Default-First-Site-Name was also present.
5. Entered Directory Services Restore Mode (DSRM) password -
6. DNS Options
If the following yellow flagged message occurs....
 "A delegation for this DNS server cannot be created because the
 authoritative parent zone cannot be found or it does not run
 Windows DNS Server."

This message means that your internal domain is not authoritative because it is
something like yourorganization.com.  
DNS states that the authoritative server is external to the domain and that this
server does not accept updates from the domain DNS zone.  
You can safely disregard this message if using an internal domain (yourorganization.local).
http://technet.microsoft.com/en-us/library/cc754463%28v=ws.10%29.aspx

7. Upon completion of promoting the Win 2012 R2 (Srv2) to an AD Domain Controller,
verify objects were replicated (users, computers, etc...).  Perhaps give it 12-24 hours to fully replicate before running DCPROMO on the old server.
After all verification has been confirmed, run DCPROMO on the old server to demote the old server.    

**Make sure though that you do not choose the option that stipulates that this is the last domain controller.
http://technet.microsoft.com/en-us/library/cc771844%28v=ws.10%29.aspx

*If the primary domain controller can no longer be accessed to demote with DCPROMO:
8. Forcefully removing a DC if a redundant one goes bad.
Then you would be forcefully removing the failed DC.  As stated above,
the successes and/or failures are well-documented.  
Forcefully removing the failed DC involves running DCPROMO on a live DC.

Forcing the Removal of a Domain Controller:
http://technet.microsoft.com/en-us/library/cc731871%28v=ws.10%29.aspx

If that fails then you are left with the manual removal of a failed DC.  
The steps involved here are, but not limited to, a clean-up of the meta-data in AD,
the associated DNS records and seizing the FSMO roles (if the failed DC was the
holder of any of the FSMO roles).

Delete Failed DCs from Active Directory
Seizing FSMO Roles:
http://www.petri.com/delete_failed_dcs_from_ad.htm 

In either case, it should be implied that you need at least one live DC.
0
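A pre-demotion check for step 7 above, added here as an example; it is not part of the thread or any poster's procedure. It assumes the thread's names (old DC Srv1, new DC Srv2, domain domain.local) and the ActiveDirectory PowerShell module, which is installed with the AD DS role on the new DC:

```powershell
# Added example (not from the thread): checks to run on the new 2012 R2 DC
# before dcpromo is run on the old 2008 R2 DC. Assumes the ActiveDirectory
# module and the thread's names: old DC Srv1, new DC Srv2.
Import-Module ActiveDirectory

$OldDc = 'Srv1'
$NewDc = 'Srv2'

# 1. Who holds the five FSMO roles right now? Anything still on the old DC
#    is transferred by the demotion (per Cliff), but it pays to know first.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object {
    $holder = ($_.Value -split '\.')[0]      # strip domain.local from the FQDN
    $flag = if ($holder -ieq $OldDc) { 'STILL ON OLD DC' } else { 'ok' }
    '{0,-22} {1,-30} {2}' -f $_.Key, $_.Value, $flag
}
# Optional explicit transfer of all five roles to the new DC (prompts first):
# Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole `
#     SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster -Confirm

# 2. Replication health: any failure, or a last success older than the
#    replication interval, is a reason to stop and investigate before demoting.
Get-ADReplicationFailure -Target $NewDc |
    Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
Get-ADReplicationPartnerMetadata -Target $NewDc |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 3. Object count sanity check: users and computers should match on both DCs.
foreach ($dc in $OldDc, $NewDc) {
    $users     = @(Get-ADUser     -Filter * -Server $dc).Count
    $computers = @(Get-ADComputer -Filter * -Server $dc).Count
    '{0}: {1} users, {2} computers' -f $dc, $users, $computers
}

# 4. Time source: once the PDCe role has moved, the new DC should be syncing
#    from an authoritative source, not from the old DC (see Cliff's note).
w32tm /query /source
w32tm /query /status
```

Run it from an elevated PowerShell on the new DC; a role still marked STILL ON OLD DC, a non-zero FailureCount, or mismatched object counts means the old server is not yet safe to demote.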
 
LVL 34

Expert Comment

by:it_saige
ID: 40515874
Looks good.

-saige-
0
