Solved

Adding a 2012 R2 (Srv2) Domain to 2008 R2 (Srv1) Domain Then, Promoting 2012 R2 (Srv2) to Primary

Posted on 2014-12-23
17
Medium Priority
353 Views
Last Modified: 2014-12-23
5 years ago, we installed a Win 2008 R2 server (Srv1) currently with AD domain.local.  Customer wants to upgrade their server hardware and server OS to Win 2012 R2.

We considered a clean install with a fresh install of AD on (Srv2) Win 2012 R2.
However, and to save time, we're also considering having the new server (Srv2) Win 2012 R2 join the current domain and then, promoting the (Srv2) Win 2012 R2 to become the primary domain controller and ultimately, removing the Win2008 R2 (Srv1) from the network after migrating the data.

Has anyone had any great success with adding a domain controller to a domain followed by raising/promoting the added domain controller to becoming the primary domain controller?
If so, would you care to share your procedures for doing so successfully?  Thank you.
0
Comment
Question by:eitconsulting
17 Comments
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 1000 total points
ID: 40515357
This has been done many times. The process is very straightforward. Join the machine to the existing domain through computer properties. Run the add roles wizard in server manager and select the Active Directory Domain Services role. Complete the wizard. It is now a DC. Configure all machines to use the new server for DNS, including the old DC. Then run dcpromo on the old DC to demote the server. The demotion will transfer any FSMO roles that need to be moved.

Make backups. Stop on errors. It is pretty straightforward.
1
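The procedure Cliff describes, written out as the equivalent PowerShell run on the new Windows Server 2012 R2 box. This is an added example, not code from the thread or from any of its participants. It uses the thread's names (domain.local, Srv1 for the old 2008 R2 DC, Srv2 for the new one); the adapter alias "Ethernet", the site name and the IP addresses are placeholders you must replace. `-CreateDnsDelegation:$false` is the command-line form of the DNS delegation warning discussed later in this thread, which is benign for a .local zone.

```powershell
# Added example: join, promote, redirect DNS, move FSMO roles, then demote the old DC.
# Run on Srv2 (Windows Server 2012 R2) as a domain administrator.

# --- Step 1: join domain.local as an ordinary member (the "Computer Properties" step) ---
$cred = Get-Credential -Message "Domain admin account for domain.local"
Add-Computer -DomainName "domain.local" -Credential $cred -Restart

# --- Step 2 (after the reboot): install the AD DS role and its management tools ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# --- Step 3: run the wizard's prerequisite checks, then promote ---
# Test-ADDSDomainControllerInstallation performs the same checks the GUI wizard does
# (functional levels, whether adprep is needed, DNS) without changing anything.
$dsrm = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password for Srv2"
$promoteArgs = @{
    DomainName                    = "domain.local"
    Credential                    = $cred
    InstallDns                    = $true
    CreateDnsDelegation           = $false                     # no authoritative parent zone for .local
    SiteName                      = "Default-First-Site-Name"  # placeholder: use the site you put Srv2 in
    ReplicationSourceDC           = "Srv1.domain.local"
    SafeModeAdministratorPassword = $dsrm
}
Test-ADDSDomainControllerInstallation @promoteArgs
Install-ADDSDomainController @promoteArgs -Force                # Srv2 reboots when this finishes

# --- Step 4: point DNS clients at Srv2 first, Srv1 second ---
# Placeholders: replace with the real addresses. Repeat on Srv1 (2008 R2 has no
# Set-DnsClientServerAddress, so set it in the adapter's IPv4 properties there) and on members.
$srv2Ip = "<Srv2 IPv4 address, placeholder>"
$srv1Ip = "<Srv1 IPv4 address, placeholder>"
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ($srv2Ip, $srv1Ip)

# --- Step 5: transfer the FSMO roles to Srv2 ---
# Demotion of Srv1 would transfer them anyway; doing it explicitly lets you confirm the
# result (and, per Cliff's note, the PDCe time-source behaviour) before touching Srv1.
Move-ADDirectoryServerOperationMasterRole -Identity "Srv2" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# --- Step 6: demote Srv1 ---
# Srv1 runs 2008 R2, so the demotion is done there with dcpromo (not Uninstall-ADDSDomainController).
# In the wizard do NOT tick "Delete the domain because this server is the last domain
# controller in the domain"; that option removes domain.local itself, not just Srv1.
```

Run the checks in Step 3 first and read the output: the wizard's functional-level and adprep prompts that saige mentions show up there as warnings, and a failed check stops the promotion before anything is written to the directory.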
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40515395
...and make the 2012 box the new time server after FSMO roles transferred

How to configure an authoritative time server in Windows Server
http://support2.microsoft.com/kb/816042
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40515408
PDCe's are the authoritative time server by default in domain environments. Just transferring that role as part of the FSMO move will do this automatically. I actually don't recommend changing NTP settings unless you are going to make an external time source authoritative.
0
 

Author Comment

by:eitconsulting
ID: 40515410
Is there a preference of joining the domain through the "Computer Properties" versus using the Add Role Wizard from the new server which also does the same thing as joining the domain through the "Computer Properties"?  In other words, is one method better than the other?
0
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 1000 total points
ID: 40515412
I usually join the domain as a separate step simply so I can get the computer object into the right OU in ADUC and site in Sites and Services. It often makes for more efficient group policy updates and AD replication when you do promote it to a DC.
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40515460
*No Points*

Just to provide a third voice.  Everything that has been stated here is spot on.  There really is no dark secret to this process.  Its successes and/or failures are also well documented, which adds another level of comfort for anyone dealing with this for the first time.

The extra benefit here is that server 2012 streamlines many of the separate steps involved as you add the role to promote it.  If your Forest/Domain functional levels are too low, the wizard alerts you.  If you need to run ADPREP, the wizard asks if you would like it to run it for you.  The only things that are not considered are additional services that are not required for a DC but as a rule are usually configured on a DC (like DHCP, Time Services [configured on the PDCe as addressed above]).  Other things like DNS and DFS are not so much of a concern as they are AD integrated.

-saige-
0
 

Author Comment

by:eitconsulting
ID: 40515485
Okay, the following yellow flag appeared while promoting Server 2012 R2 (Srv2) to a DC:
Integrated DNS has been operating successfully on the current Win2008 R2 (Srv1) since its deployment 5 years ago.

Flagged Message:

DNS Options

A delegation for this DNS server cannot be created because the
authoritative parent zone cannot be found or it does not run
Windows DNS Server.  If you are integrating with an existing
DNS infrastructure, you should manually create a delegation to
this DNS server in the parent zone to ensure reliable name
resolution from outside the domain "domain.local". Otherwise,
no action is required.
0
 
LVL 34

Assisted Solution

by:it_saige
it_saige earned 1000 total points
ID: 40515511
This message means that your internal domain is not authoritative because it is something like myorganization.com.  DNS states that the authoritative server is external to the domain and that this server does not accept updates from the domain DNS zone.  You can safely disregard this message.

http://technet.microsoft.com/en-us/library/cc754463%28v=ws.10%29.aspx

-saige-
0
 

Author Comment

by:eitconsulting
ID: 40515530
Upon promoting the new Win 2012 Server (Srv2) to the primary DC, will the old Win 2008 R2 (Srv1) have to be immediately taken offline, or can it remain online without conflict for a couple of hours while I migrate current files from it to the new Win 2012 R2 DC?
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40515550
It can remain online (and is recommended to do so) until you can verify that replication is succeeding and has completed.

http://technet.microsoft.com/en-us/library/cc794749%28v=ws.10%29.aspx

-saige-
0
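The verification saige says to do before demoting the old DC (replication succeeding and complete), plus the PDCe time-source check from Cliff's earlier comment, as an added example that is not part of the thread. Run on Srv2; the names are the thread's, and the object-count comparison is my own addition to make "I see the users and computers replicated" something a script can assert rather than eyeball.

```powershell
# Added example: post-promotion health checks on Srv2 before Srv1 is demoted.

# 1. Replication summary for every DC and partition; both commands must show no failures.
repadmin /replsummary
repadmin /showrepl Srv2 /errorsonly
dcdiag /test:replications /test:advertising /test:fsmocheck

# The same replication state from PowerShell, so a script can stop on it.
$failed = Get-ADReplicationPartnerMetadata -Target "Srv2" -PartnerType Both |
          Where-Object { $_.LastReplicationResult -ne 0 }
if ($failed) {
    $failed | Format-Table Partner, Partition, LastReplicationResult, LastReplicationAttempt -AutoSize
    throw "Replication errors present; do not demote Srv1 yet."
}

# 2. Object parity: users and computers as seen by each DC should match once replication is complete.
$domainDn = (Get-ADDomain).DistinguishedName
$filter   = "(|(objectClass=user)(objectClass=computer))"
$onSrv1 = @(Get-ADObject -Server "Srv1" -LDAPFilter $filter -SearchBase $domainDn).Count
$onSrv2 = @(Get-ADObject -Server "Srv2" -LDAPFilter $filter -SearchBase $domainDn).Count
"Users+computers: Srv1=$onSrv1  Srv2=$onSrv2"
if ($onSrv1 -ne $onSrv2) { Write-Warning "Object counts differ; replication is not yet complete." }

# 3. Srv2 must advertise as a global catalog and hold the roles you transferred.
Get-ADDomainController -Identity "Srv2" |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles
netdom query fsmo

# 4. Time: the PDC emulator is the domain's authoritative time source by default, so after the
#    role moves, Srv2 should report itself (or an external NTP server you configured) as source,
#    and every other DC and member should report the domain hierarchy.
w32tm /query /source
w32tm /query /status
w32tm /monitor
```

If `w32tm /query /source` on Srv2 still shows Srv1 after the PDCe transfer, restart the Windows Time service on Srv2 (`Restart-Service w32time`) and query again before concluding anything about NTP settings.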
 
LVL 34

Expert Comment

by:it_saige
ID: 40515554
0
 

Author Comment

by:eitconsulting
ID: 40515571
The Win 2012 R2 (Srv2) has been successfully promoted to a DC and I have documented all thus far step-by-step...  I do see the user accounts and computers replicated to the newly promoted DC.

Does this newly promoted Win 2012 R2 (Srv2) DC have to be raised or elevated to become the primary DC over the older Win 2008 R2 (Srv1)?

Or, after replication has been confirmed and data migrated from the old Win 2008 R2 (Srv1), can this old server simply be shut down and removed from the network?
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40515583
You would not simply shut down and remove the old server.  You would run DCPROMO on the old server as outlined by Cliff.

Make sure though that you do not choose the option that stipulates that this is the last domain controller.

http://technet.microsoft.com/en-us/library/cc771844%28v=ws.10%29.aspx

-saige-
0
 

Author Comment

by:eitconsulting
ID: 40515641
So far so good.  Thanks for the great feedback.
I'm considering keeping the current Win 2008 (Srv1) in production merely for AD redundancy.  This being said, what if the current Win 2008 (Srv1) DC fell off the planet in the future (regardless of whether both DCs were on new hardware) and we are unable to manually demote it via DCPROMO?  How would demoting it be accomplished in a redundant AD environment?
Is this where "Elevating" the 2nd/new DC must be initiated in order to deal with a fallen DC?
0
 
LVL 34

Accepted Solution

by:it_saige
it_saige earned 1000 total points
ID: 40515672
Then you would be forcefully removing the failed DC.  As I stated above, the successes and/or failures are well-documented.  Forcefully removing the failed DC involves running DCPROMO on a live DC.

Forcing the Removal of a Domain Controller

If that fails then you are left with the manual removal of a failed DC.  The steps involved here are, but not limited to, a clean-up of the meta-data in AD, the associated DNS records and seizing the FSMO roles (if the failed DC was the holder of any of the FSMO roles).

Delete Failed DCs from Active Directory
Seizing FSMO Roles

In either case, it should be implied that you need at least one live DC.

-saige-
0
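The recovery path saige outlines for a DC that has died and cannot be demoted (forced removal, metadata cleanup, DNS record cleanup, FSMO seizure), as an added example that is not part of the thread or of the linked articles. It runs on the surviving DC, Srv2, against the thread's domain.local and a dead Srv1; the site name in the server DN is an assumption, and the commands are destructive by design, so confirm Srv1 is really gone before starting.

```powershell
# Added example: cleaning up after Srv1 (2008 R2 DC) fails permanently. Run on Srv2.

# 0. If Srv1 still boots but can no longer replicate, the thread's first option is a forced
#    demotion run on Srv1 itself:   dcpromo /forceremoval
#    That does not remove Srv1's objects from the directory, so steps 1-3 still apply.

# 1. Seize the FSMO roles Srv1 held. Print the current holders first so you know which roles
#    are actually affected; -Force seizes when the old holder cannot be contacted.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster | Format-List
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster | Format-List
Move-ADDirectoryServerOperationMasterRole -Identity "Srv2" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force

# 2. Metadata cleanup: remove Srv1's server object (and NTDS Settings) from the configuration
#    partition. Assumed site: Default-First-Site-Name. ntdsutil asks for confirmation.
$serverDn = "CN=Srv1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# Equivalent with the AD module: deleting the NTDS Settings object triggers the same cleanup.
# Remove-ADObject -Identity "CN=NTDS Settings,$serverDn" -Confirm:$false
# Remove-ADObject -Identity $serverDn -Recursive -Confirm:$false

# 3. DNS: remove every record that still points clients or DCs at the dead server.
$zones = @("domain.local", "_msdcs.domain.local")
foreach ($z in $zones) {
    # Host record for Srv1 (only exists in the domain zone)
    Get-DnsServerResourceRecord -ZoneName $z -Name "Srv1" -RRType A -ErrorAction SilentlyContinue |
        Remove-DnsServerResourceRecord -ZoneName $z -Force
    # NS records that name Srv1 as a name server for the zone
    Get-DnsServerResourceRecord -ZoneName $z -RRType NS -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.NameServer -like "srv1.*" } |
        Remove-DnsServerResourceRecord -ZoneName $z -Force
    # SRV records (_ldap, _kerberos, _gc, ...) whose target is Srv1
    Get-DnsServerResourceRecord -ZoneName $z -RRType SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -like "srv1.*" } |
        Remove-DnsServerResourceRecord -ZoneName $z -Force
}

# 4. Verify nothing references Srv1 any more and the remaining DC is healthy.
repadmin /replsummary
dcdiag /test:dns /test:replications /test:fsmocheck
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
```

Order matters here: seize the roles before the metadata cleanup, because once Srv1's NTDS Settings object is gone the role ownership attributes still point at a server that no longer exists, which the seizure with `-Force` on the surviving DC then corrects. Also delete Srv1's stale computer account in ADUC and its server entry in Sites and Services only after `ntdsutil` has finished, so the cleanup can find the object it is asked to remove.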
 

Author Closing Comment

by:eitconsulting
ID: 40515827
I've condensed the above topic and helpful responses here:

**Incorporating a New Domain Controller into a current AD DC environment:

New Server Name - SrvName2
Existing Domain - company-domain.local

1. Added new server to current domain via Computer Properties and rebooted.
2. Within Server Manager, Yellow Flag above appeared to "Promote Server to DC".
3. Selected "Promote Server to Domain Controller".
4. Options were pre-selected (Domain Name System (DNS) Server) and (Global Catalog (GC))
Default-First-Site-Name was also present.
5. Entered Directory Services Restore Mode (DSRM) password -
6. DNS Options
If the following yellow flagged message occurs....
 "A delegation for this DNS server cannot be created because the
 authoritative parent zone cannot be found or it does not run
 Windows DNS Server."

This message means that your internal domain is not authoritative because it is
something like yourorganization.com.  
DNS states that the authoritative server is external to the domain and that this
server does not accept updates from the domain DNS zone.  
You can safely disregard this message if using an internal domain (yourorganization.local).
http://technet.microsoft.com/en-us/library/cc754463%28v=ws.10%29.aspx

7. Upon completion of promoting the Win 2012 R2 (Srv2) to an AD Domain Controller,
verify objects were replicated (users, computers, etc...).  Perhaps give it 12-24 hours to fully replicate before running DCPROMO on the old server.
After all verification has been confirmed, run DCPROMO on the old server to demote the old server.    

**Make sure though that you do not choose the option that stipulates that this is the last domain controller.
http://technet.microsoft.com/en-us/library/cc771844%28v=ws.10%29.aspx

*If the primary domain controller can no longer be accessed to demote with DCPROMO:
8. Forcefully removing a Domain Controller if a redundant one goes bad.
Then you would be forcefully removing the failed DC.  As I stated above,
the successes and/or failures are well-documented.
Forcefully removing the failed DC involves running DCPROMO on a live DC.

Forcing the Removal of a Domain Controller:
http://technet.microsoft.com/en-us/library/cc731871%28v=ws.10%29.aspx

If that fails then you are left with the manual removal of a failed DC.  
The steps involved here are, but not limited to, a clean-up of the meta-data in AD,
the associated DNS records and seizing the FSMO roles (if the failed DC was the
holder of any of the FSMO roles).

Delete Failed DCs from Active Directory
Seizing FSMO Roles:
http://www.petri.com/delete_failed_dcs_from_ad.htm 

In either case, it should be implied that you need at least one live DC.
0
 
LVL 34

Expert Comment

by:it_saige
ID: 40515874
Looks good.

-saige-
0
