Solved

Adding a 2012 R2 (Srv2) Domain to 2008 R2 (Srv1) Domain Then, Promoting 2012 R2 (Srv2) to Primary

Posted on 2014-12-23
328 Views
Last Modified: 2014-12-23
5 years ago, we installed a Win 2008 R2 server (Srv1) currently with AD domain.local.  Cust wants to upgrade their server hardware and server OS to Win 2012 R2.  

We considered a clean install with a fresh install of AD on (Srv2) Win 2012 R2.
However, and to save time, we're also considering having the new server (Srv2) Win 2012 R2 join the current domain and then, promoting the (Srv2) Win 2012 R2 to become the primary domain controller and ultimately, removing the Win2008 R2 (Srv1) from the network after migrating the data.

Has anyone had any great success with adding a domain controller to a domain followed by raising/promoting the added domain controller to becoming the primary domain controller?
If so, would you care to share your procedures for doing so successfully?  Thank you.
0
Question by:eitconsulting
17 Comments
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
This has been done many times. The process is very straightforward. Join the machine to the existing domain through computer properties. Run the add roles wizard in server manager and select the Active Directory Domain Services role. Complete the wizard. It is now a DC. Configure all machines to use the new server for DNS including the old DC. then run dcpromo on the old DC to demote the server. The demotion will transfer any FSMO roles that need to be moved.

Make backups. Stop on errors. It is pretty straightforward.
1
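For the steps Cliff lists, here is the equivalent PowerShell, added as an illustration and not part of any post in this thread. It uses the Srv1/Srv2 names and domain.local from the question; the IP address and interface alias are placeholders, and the DNS change on the 2008 R2 box is shown as a netsh command because the DnsClient cmdlets do not exist there.

```powershell
# Added example (not from the thread). Run on the new 2012 R2 server (Srv2).
$Domain  = 'domain.local'
$Nic     = 'Ethernet'       # placeholder: adapter name on Srv2
$OldDcIp = '192.0.2.10'     # placeholder: Srv1's address

# 1. Point Srv2 at the existing DC for DNS, then join the domain and reboot.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $OldDcIp
Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\Administrator") -Restart

# --- after the reboot, logged on as a domain admin ---

# 2. Same as "Add Roles" in Server Manager: AD DS role plus the RSAT tools.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 3. Promote Srv2 as an additional DC in the existing domain. On 2012 R2 this
#    wizard/cmdlet runs adprep itself and defaults to DNS + Global Catalog.
$dsrm = Read-Host 'DSRM password' -AsSecureString
Install-ADDSDomainController -DomainName $Domain -InstallDns `
    -SiteName 'Default-First-Site-Name' `
    -SafeModeAdministratorPassword $dsrm `
    -Credential (Get-Credential "$Domain\Administrator")

# --- after the promotion reboot ---

# 4. Re-point DNS: Srv2 first, Srv1 second, on both DCs and on all members,
#    so Srv1 can later be demoted without clients losing name resolution.
$NewDcIp = (Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4).IPAddress
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $NewDcIp, $OldDcIp
# On Srv1 (2008 R2, no DnsClient module) the same change is:
#   netsh interface ip set dns name="Local Area Connection" static <NewDcIp>
#   netsh interface ip add dns name="Local Area Connection" <OldDcIp> index=2

# 5. Record who holds the FSMO roles now; demoting Srv1 moves them to Srv2.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```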
 
LVL 34

Expert Comment

by:Seth Simmons
...and make the 2012 box the new time server after the FSMO roles are transferred

How to configure an authoritative time server in Windows Server
http://support2.microsoft.com/kb/816042
0
 
LVL 56

Expert Comment

by:Cliff Galiher
PDCe's are the authoritative time server by default in domain environments. Just transferring that role as part of the FSMO move will do this automatically. I actually don't recommend changing NTP settings unless you are going to make an external time source authoritative.
0
 

Author Comment

by:eitconsulting
Is there a preference of joining the domain through the "Computer Properties" versus using the Add Role Wizard from the new server which also does the same thing as joining the domain through the "Computer Properties"?  In other words, is one method better than the other?
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
I usually join the domain as a separate step simply so I can get the computer object into the right OU in ADUC and site in Sites and Services. Often makes for more efficient group policy updates and AD replication when you do promote it to a DC.
0
 
LVL 32

Expert Comment

by:it_saige
*No Points*

Just to provide a third voice.  Everything that has been stated here is spot on.  There really is no dark secret to this process.  Its successes and/or failures are also well documented, which adds another level of comfort for anyone dealing with this for the first time.

The extra benefit here is that Server 2012 streamlines many of the separate steps involved as you add the role to promote it.  If your Forest/Domain functional levels are too low, the wizard alerts you.  If you need to run ADPREP, the wizard asks if you would like it to run it for you.  The only things that are not considered are additional services that are not required for a DC but as a rule are usually configured on a DC (like DHCP, Time Services [configured on the PDCe as addressed above]).  Other things like DNS and DFS are not so much of a concern as they are AD integrated.

-saige-
0
 

Author Comment

by:eitconsulting
Okay, the following yellow flag appeared while promoting Server 2012 R2 (Srv2) to a DC:
Integrated DNS has been operating successfully on the current Win2008 R2 (Srv1) since its deployment 5 years ago.

Flagged Message:

DNS Options

A delegation for this DNS server cannot be created because the
authoritative parent zone cannot be found or it does not run
Windows DNS Server.  If you are integrating with an existing
DNS infrastructure, you should manually create a delegation to
this DNS server in the parent zone to ensure reliable name
resolution from outside the domain "domain.local". Otherwise,
no action is required.
0
 
LVL 32

Assisted Solution

by:it_saige
it_saige earned 250 total points
This message means that your internal domain is not authoritative because it is something like myorganization.com.  DNS states that the authoritative server is external to the domain and that this server does not accept updates from the domain DNS zone.  You can safely disregard this message.

http://technet.microsoft.com/en-us/library/cc754463%28v=ws.10%29.aspx

-saige-
0
 

Author Comment

by:eitconsulting
Upon promoting the new Win 2012 Server (Srv2) to the primary DC, will the old Win 2008 R2 (Srv1) have to be immediately taken offline, or can it remain online without conflict for a couple of hours while I migrate current files from it to the new Win 2012 R2 DC?
0
 
LVL 32

Expert Comment

by:it_saige
It can remain online (and is recommended to do so) until you can verify that replication is succeeding and has completed.

http://technet.microsoft.com/en-us/library/cc794749%28v=ws.10%29.aspx

-saige-
0
 
 

Author Comment

by:eitconsulting
The Win 2012 R2 (Srv2) has been successfully promoted to a DC and I have documented all thus far step-by-step...  I do see the user accounts and computers replicated to the newly promoted DC.  

Does this newly promoted Win 2012 R2 (Srv2) DC have to be raised or elevated to become the primary DC over the older Win 2008 R2 (Srv1)?

Or, after replication has been confirmed and data migrated from the old Win 2008 R2 (Srv1), can this old server simply be shut down and removed from the network?
0
 
LVL 32

Expert Comment

by:it_saige
You would not simply shutdown and remove the old server.  You would run DCPROMO on the old server as outlined by Cliff.    

Make sure though that you do not choose the option that stipulates that this is the last domain controller.

http://technet.microsoft.com/en-us/library/cc771844%28v=ws.10%29.aspx

-saige-
0
 

Author Comment

by:eitconsulting
So far so good.  Thanks for the great feedback.
I'm considering keeping the current Win 2008 (Srv1) in production merely for AD redundancy.  This being said, what if the current Win 2008 (Srv1) DC fell off the planet in the future (regardless whether both DCs were on new hardware) and we are unable to manually demote it via DCPROMO?  How would demoting it be accomplished in a redundant AD environment?
Is this where "Elevating" the 2nd/new DC must be initiated in order to deal with a fallen DC?
0
 
LVL 32

Accepted Solution

by:it_saige
it_saige earned 250 total points
Then you would be forcefully removing the failed DC.  As I stated above, the successes and/or failures are well-documented.  Forcefully removing the failed DC involves running DCPROMO on a live DC.

Forcing the Removal of a Domain Controller

If that fails then you are left with the manual removal of a failed DC.  The steps involved here are, but not limited to, a clean-up of the meta-data in AD, the associated DNS records and seizing the FSMO roles (if the failed DC was the holder of any of the FSMO roles).

Delete Failed DCs from Active Directory
Seizing FSMO Roles

In either case, it should be implied that you need at least one live DC.

-saige-
0
 

Author Closing Comment

by:eitconsulting
I've condensed the above topic and helpful responses here:

**Incorporating a New Domain Controller into a current AD DC environment:

New Server Name - SrvName2
Existing Domain - company-domain.local

1. Added new server to current domain via Computer Properties and rebooted.
2. Within Server Manager, Yellow Flag above appeared to "Promote Server to DC".
3. Selected "Promote Server to Domain Controller".
4. Options were pre-selected (Domain Name System (DNS) Server) and (Global Catalog (GC))
Default-First-Site-Name was also present.
5. Entered Directory Services Restore Mode (DSRM) password -
6. DNS Options
If the following yellow flagged message occurs....
 "A delegation for this DNS server cannot be created because the
 authoritative parent zone cannot be found or it does not run
 Windows DNS Server."

This message means that your internal domain is not authoritative because it is
something like yourorganization.com.  
DNS states that the authoritative server is external to the domain and that this
server does not accept updates from the domain DNS zone.  
You can safely disregard this message if using an internal domain (yourorganization.local).
http://technet.microsoft.com/en-us/library/cc754463%28v=ws.10%29.aspx

7. Upon completion of promoting the Win 2012 R2 (Srv2) to an AD Domain Controller,
verify objects were replicated (users, computers, etc...).  Perhaps give it 12-24 hours to fully replicate before running DCPROMO on the old server.
After all verification has been confirmed, run DCPROMO on the old server to demote the old server.    

**Make sure though that you do not choose the option that stipulates that this is the last domain controller.
http://technet.microsoft.com/en-us/library/cc771844%28v=ws.10%29.aspx

*If the primary domain controller can no longer be accessed to demote with DCPROMO:
8. Forcefully removing a DC Controller if a redundant one goes bad.
Then you would be forcefully removing the failed DC.  As I stated above,
the successes and/or failures are well-documented.  
Forcefully removing the failed DC involves running DCPROMO on a live DC.

Forcing the Removal of a Domain Controller:
http://technet.microsoft.com/en-us/library/cc731871%28v=ws.10%29.aspx

If that fails then you are left with the manual removal of a failed DC.  
The steps involved here are, but not limited to, a clean-up of the meta-data in AD,
the associated DNS records and seizing the FSMO roles (if the failed DC was the
holder of any of the FSMO roles).

Delete Failed DCs from Active Directory
Seizing FSMO Roles:
http://www.petri.com/delete_failed_dcs_from_ad.htm

In either case, it should be implied that you need at least one live DC.
0
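The verification and FSMO-role handling that steps 7 and 8 describe, written out as PowerShell to run on the new DC; this is an added illustration, not part of any post in the thread. It assumes the Srv1/Srv2 names and domain.local from the question, and the ntdsutil distinguished name is built from the Default-First-Site-Name site mentioned in step 4.

```powershell
# Added example (not from the thread). Run on Srv2 after it has been promoted.
$Old = 'Srv1'; $New = 'Srv2'

# Step 7: replication health. Every partner should show a recent success and
# zero consecutive failures; Get-ADReplicationFailure should return nothing.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target $New |
    Select-Object Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
Get-ADReplicationFailure -Target $New
dcdiag /s:$New /test:replications /test:advertising /test:fsmocheck

# Spot-check that objects replicated: user/computer counts must match on both DCs.
foreach ($dc in $Old, $New) {
    $u = @(Get-ADUser     -Filter * -Server $dc).Count
    $c = @(Get-ADComputer -Filter * -Server $dc).Count
    "$dc : users=$u computers=$c"
}

# Normal path: DCPROMO on Srv1 transfers the FSMO roles for you. To move them
# deliberately while Srv1 is still online (graceful transfer, no -Force):
Move-ADDirectoryServerOperationMasterRole -Identity $New -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Step 8 path only: Srv1 is dead and will never be powered on again. -Force
# seizes the roles; a seized DC that later comes back yields two holders.
# Move-ADDirectoryServerOperationMasterRole -Identity $New -OperationMasterRole `
#     SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force
#
# Then remove the failed DC's metadata (DN built from the site name in step 4):
# ntdsutil "metadata cleanup" "remove selected server CN=Srv1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local" quit quit
# and delete its DNS records (A, NS and SRV) from the domain.local zone.

# After the PDCe role lands on Srv2 it is the domain's time source by default
# (as Cliff noted, no NTP change needed); Srv1 should now report Srv2 as source.
Get-ADDomain | Select-Object PDCEmulator
w32tm /query /source
w32tm /query /computer:$Old /source
```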
 
LVL 32

Expert Comment

by:it_saige
Looks good.

-saige-
0
