Solved

DC Migration

Posted on 2015-01-27
15
69 Views
Last Modified: 2015-02-04
One of my DCs, DC02, was recently P2V'd from a Hyper-V environment to VMware. Since the migration I have not had any problems with it and all dcdiag tests are successful, but after reading horror stories online about P2V'ing DCs I would like to abandon it and load a fresh new DC to replace DC02.

My question is: when I load up a new DC and demote DC02, can I give the new DC the same IP and name as DC02 after DC02 has been removed from the domain and powered off? Or would it be safer/cleaner to leave the new DC with a new name and IP? Just FYI, DC02 only has AD and DNS roles and does not hold any FSMO roles. Thanks in advance.
0
Question by:RHNOC
15 Comments
 
LVL 3

Accepted Solution

by:
roycbene earned 500 total points
ID: 40573253
As long as you demote the DC, then disjoin the domain gracefully (thereby setting the server object to disabled in AD), and you delete the object (thereby getting rid of the SID), then yes. I would also do a double-check in DNS to ensure there are no entries. You may want to also check your reservations in DHCP to ensure the wrong MAC address isn't going to be tied to the IP you give it. If these steps are followed, there's no reason you won't be able to recreate the DC. I've done it 100 times.

-Roy
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573303
What Roy has outlined is correct.

What I would do, however, to make the transition smooth is the following...
- Promote the new DC into the environment (with new name and IP)
- Demote your DC02
- Once the machine has been removed from the domain and powered off, add the IP address of the old DC02 to DC-NEW as a second IP (not a second NIC, but a second IP). This way, clients that have DC02 as a DNS server will now point to the new DC
- Then remove the optional IP from DC-NEW
- Rename DC-NEW to DC02

Before Renaming the DC I would make sure that the DNS and SRV records are cleaned up before making this change.

Will.
0
 
LVL 3

Expert Comment

by:roycbene
ID: 40573355
Interesting take, though I've never gone (nor needed to go) through any of that. For all we know Sysa5454 could have a slew of developers who have that DC name (and IP) hard-coded to meet requirements of a certain ERP or other SQL/IBM-based Line of Business software, and any change (regardless of how slight) having to do with the name/IP may cause major disruptions. AD is AD is AD. However, other business needs need to be taken into account when doing things of this nature. As a consultant, I find that--in most cases--the easiest way to go is to keep things the same with as few changes as possible; the fewer the better.

I am assuming you have more than one DC, and all the roles, if any, will be transferred prior to demotion? If so, everything will be fine.

If the DNS server (name) of your soon-to-be old DC is one that is handed out by your DHCP server as a primary or secondary, it's generally good practice to remove that before any changes take place. You can always add it back. Remember that, though they are available as a SERVER role, DHCP and DNS are not Active Directory (though the zone being synonymous with the AD domain name integrates and propagates changes). DNS and DHCP work hand-in-hand. AD is only another piece. It is possible to have DNS and DHCP without AD on your network. So, thusly, they are two entities and should be treated as such.

Long story short here, just make yourself a detailed checklist of all the steps and your transition will go very smoothly. :)
0
 

Author Comment

by:RHNOC
ID: 40573521
Regarding an additional DC, I do have DC01 which handles all the FSMO roles.  I also need to migrate it but that will be in the near future.  As far as a checklist this is what I have compiled so far..

1. Load new server, name it DC-New and give it a unique IP
2. DCPromo DC-New (AD & DNS)
3. Demote DC02
4. Disable DC02 in AD
5. Power off DC02
6. Delete DC02 in AD
7. Check DNS for any entries of DC02 and delete if necessary.
8. Change IP of DC-New to the old DC02 IP.
9. Rename DC-New to DC02.

Please let me know what you think..

Thanks..
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40573541
Those steps look good to me. There should be no issues as long as DNS, SRV records and all of the remnants of DC02 (original) have been removed.

Will.
0
 
LVL 3

Expert Comment

by:roycbene
ID: 40573561
After demoting the old Domain Controller, you may want to run NTDSUTIL and check for residual DC entries juuuuuuuust in case. No harm in being sure. Other than that, everything looks great!


-R
0
 

Author Comment

by:RHNOC
ID: 40574060
Which NTDSUTIL command do you recommend to do that?
0
 
LVL 3

Expert Comment

by:roycbene
ID: 40574087
Have a look here:

https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Typically, in AD, if you go to the Domain Controllers OU and you don't see the server there, it's gone. However, I've seen instances where it still exists in other areas of AD. NTDSUTIL is a pretty powerful tool. If you just want to ensure there is no trace of the DC in Active Directory, run the following command from the remaining DC:

nltest /dclist:yourdomain.local  (where yourdomain.local is the name of your AD domain)

The output will provide a list of all active domain controllers. That should do you just fine. :)
0
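Step 7 of the checklist above and the nltest /dclist check in this answer are both about the same thing: confirming that nothing of the demoted DC02 survives in AD or DNS before its name and IP are handed to another server. The script below is an added example (not code from the thread, and not a Microsoft tool) that performs that confirmation from a remaining DC in one pass: it checks the domain controller list (the same information nltest /dclist reports), looks for a lingering computer object and for the server object under Configuration\Sites, and scans the domain and _msdcs zones for A, NS, CNAME and SRV records that still name the old DC or its IP. $OldDc, $Domain and $OldIp are placeholders, and the RSAT ActiveDirectory and DnsServer PowerShell modules are assumed to be installed.

```powershell
# Added example (not from the thread): verify that no trace of a demoted DC remains
# before reusing its name and IP. Run on a remaining DC with the ActiveDirectory and
# DnsServer modules available. All three parameters are placeholders.
param(
    [string]$OldDc  = 'DC02',
    [string]$Domain = 'yourdomain.local',
    [string]$OldIp  = '192.0.2.12'    # constructed placeholder for DC02's old address
)
Import-Module ActiveDirectory
Import-Module DnsServer

$issues = @()

# 1. Still advertised as a domain controller? (what nltest /dclist would show)
if (Get-ADDomainController -Filter "Name -eq '$OldDc'" -ErrorAction SilentlyContinue) {
    $issues += "still listed as a domain controller"
}

# 2. Computer object anywhere in the domain partition (not just the Domain Controllers OU)
if (Get-ADComputer -Filter "Name -eq '$OldDc'" -ErrorAction SilentlyContinue) {
    $issues += "computer object still exists"
}

# 3. Server object under Configuration\Sites (holds the NTDS Settings / replication metadata)
$sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
if (Get-ADObject -SearchBase $sitesDn -Filter "Name -eq '$OldDc'" -ErrorAction SilentlyContinue) {
    $issues += "server object still exists under Configuration\Sites"
}

# 4. DNS: any record owned by the old name, pointing at the old IP, or targeting the old host.
#    _msdcs may be its own zone or a folder inside the domain zone; a missing zone is skipped.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    $records = Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue
    foreach ($r in $records) {
        $target = switch ($r.RecordType) {
            'A'     { $r.RecordData.IPv4Address.IPAddressToString }
            'SRV'   { $r.RecordData.DomainName }       # e.g. dc02.yourdomain.local.
            'NS'    { $r.RecordData.NameServer }
            'CNAME' { $r.RecordData.HostNameAlias }    # GUID._msdcs CNAMEs point at the DC
            default { $null }
        }
        if ($r.HostName -eq $OldDc -or $target -eq $OldIp -or $target -like "$OldDc.*") {
            $issues += "DNS $zone : $($r.RecordType) $($r.HostName) -> $target"
        }
    }
}

if ($issues.Count -eq 0) {
    Write-Output "No remnants of $OldDc found; the name and IP can be reused."
} else {
    Write-Output "Remnants of $OldDc still present; clean these up first:"
    $issues | ForEach-Object { Write-Output "  - $_" }
}
```

The SRV and CNAME checks matter most: the host's own A record is easy to spot in the DNS console, but the _ldap/_kerberos SRV records under _msdcs and the GUID CNAME are what other DCs and clients use to locate a DC, and they are the "remnants" that make a reused name collide.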
 

Author Comment

by:RHNOC
ID: 40575833
I have one more wrench to throw in before I pull the trigger on this migration...

Although DC02 is not the PDC, it is acting as the time source for the domain. Here is the time config from DC02..

C:\Windows\system32>hostname
DC02

C:\Windows\system32>w32tm /query /source
0.pool.ntp.org,

C:\Windows\system32>w32tm /dumpreg /subkey:parameters
Value Name               Value Type       Value Data
------------------------------------------------------------
ServiceDll               REG_EXPAND_SZ    %systemroot%\system32\w32time.dl
ServiceMain              REG_SZ           SvchostEntry_W32Time
ServiceDllUnloadOnStop   REG_DWORD        1
Type                     REG_SZ           NTP
NtpServer                REG_SZ           0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org

Here is the time config for DC01, which is the PDC...

C:\Windows\system32>w32tm /query /source
DC02

C:\Windows\system32>w32tm /dumpreg /subkey:parameters
Value Name               Value Type       Value Data
------------------------------------------------------------
ServiceDll               REG_EXPAND_SZ    %systemroot%\system32\w32time.dll
ServiceMain              REG_SZ           SvchostEntry_W32Time
ServiceDllUnloadOnStop   REG_DWORD        1
Type                     REG_SZ           NT5DS
NtpServer                REG_SZ           0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org

So my questions are:

1. Shouldn't DC01 (PDC) be set to NTP and get its time from an external source, and DC02 be set to NT5DS?
2. Should I make this change to DC01 before I migrate DC02 to the new server?
0
 
LVL 3

Expert Comment

by:roycbene
ID: 40575869
You definitely should. Changing the time server is an easy change. The NTP server should, as a best practice, always be hosted on the machine that holds the PDC-Emulator role.
0
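Roy's point is the standard Windows time hierarchy: the PDC emulator syncs from an external NTP source and advertises itself as reliable, and every other DC follows the domain (NT5DS). The w32tm output above shows that hierarchy inverted (the PDC with Type NT5DS pulling from DC02, and DC02 with Type NTP pulling from the pool), which is also why demoting DC02 without fixing this first would leave the domain without a time source. The commands below are an added example, not from the thread, showing the corrected configuration for each role; the domain name and pool hosts are the ones from the thread, and the PDC emulator is looked up rather than assumed.

```powershell
# Added example (not from the thread): correcting the inverted time hierarchy shown above.
# As posted:       DC02 (non-PDC) = Type NTP, source 0.pool.ntp.org
#                  DC01 (PDC)     = Type NT5DS, source DC02
# Desired:         PDC emulator   = NTP from the external pool, advertised as reliable
#                  every other DC = NT5DS, following the domain hierarchy

# Confirm which DC holds the PDC emulator role instead of assuming it.
$pdc = (Get-ADDomain).PDCEmulator
Write-Output "PDC emulator is $pdc"

# --- Run on the PDC emulator (DC01 in the thread) ---
# 0x8 = client mode toward each peer; /reliable:yes advertises this DC as an
# authoritative time source so the other DCs pick it up through the hierarchy.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" `
              /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover
w32tm /query /source          # expect one of the pool hosts, not a DC name

# --- Run on every non-PDC DC (DC02 now, and DC-New after it is promoted) ---
# domhier sets Type to NT5DS: the DC follows the domain hierarchy and stops
# advertising itself as reliable, so it can be demoted later without side effects.
w32tm /config /syncfromflags:domhier /reliable:no /update
Restart-Service w32time
w32tm /resync /rediscover
w32tm /query /source          # expect the PDC emulator (DC01)

# --- Check from any domain member: each DC should show a small offset and the PDC as source
w32tm /monitor /domain:yourdomain.local
```

Make the PDC change first and confirm /query /source on DC01 shows a pool host before touching DC02; if DC02 is demoted while DC01 still has Type NT5DS, DC01 has no upstream source at all and the whole domain drifts.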
 

Author Comment

by:RHNOC
ID: 40589579
So all the steps went fine until I tried to rename the DC. When trying to rename DC-New to DC02 it said the name already exists. I had checked all of AD and DNS for the entry and it was not there. DC-New said it would change its name on reboot. After the reboot the name changed on the DC, but it no longer had any trust relationships with DC1. Was I supposed to rename after I deleted the old DC and before the DCPromo?

So now when I look at the dclist, I see DC01 and DC-New.  So the name change did not take effect....

Any suggestions.
0
 
LVL 3

Expert Comment

by:roycbene
ID: 40589652
Let me get to a place where I can answer this. Just wanted you to know I saw it and I'll post an answer soon. :)

I will tell you in the meantime to check ADUC domain controllers OU to be sure.
0
 
LVL 3

Expert Comment

by:roycbene
ID: 40589757
Open an elevated command prompt on the affected server and run the following command:

netdom computername <new_computer_name> /enumerate:allnames

This will display all registered names for the server in question. If the old name is still listed as an alternate, run this command to remove it:

netdom computername <new_computer_name> /remove:<old_computer_name>

Then reboot the server. Let me know if there is still an issue.
0
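The two netdom commands above are the last steps of the sequence Microsoft documents for renaming a domain controller: the new name is first registered as an alternate computer name, then promoted to primary, the server is rebooted, and only afterwards is the old name removed. Renaming a DC through the System Properties dialog, which is what the "change its name on reboot" message in the thread indicates, does not register the old name as an alternate, so there may be nothing for /remove to find. The following is an added example, not from the thread, that lays out the whole sequence with the thread's placeholder names (DC-New, DC02, yourdomain.local) and the verification steps around it.

```powershell
# Added example (not from the thread): the documented netdom sequence for renaming a
# domain controller, using the thread's names. Run from an elevated prompt on DC-New.
$domain = 'yourdomain.local'
$old    = "DC-New.$domain"
$new    = "DC02.$domain"

# 1. Before reusing the name, confirm no computer object or DC entry named DC02 survives.
Get-ADComputer -Filter "Name -eq 'DC02'" -ErrorAction SilentlyContinue
nltest /dclist:$domain

# 2. Register the new name as an alternate. netdom updates the SPNs and DNS records on the
#    DC's computer object, which a plain OS rename does not do.
netdom computername $old /add:$new

# 3. Let the alternate name replicate to every DC before promoting it, so the DCs agree on
#    the name and the secure channel is not broken by the switch.
repadmin /syncall /AdeP

# 4. Make the new name primary, then reboot for it to take effect.
netdom computername $old /makeprimary:$new
Restart-Computer -Force

# ---- after the reboot, on the renamed server ----
# 5. Remove the old name now that it is no longer primary, and list what remains.
netdom computername $new /remove:$old
netdom computername $new /enumerate:allnames     # expect only DC02.yourdomain.local

# 6. Verify the DC advertises and resolves correctly under its new name.
nltest /dclist:$domain
dcdiag /test:DNS /test:Advertising
```

The reboot in step 4 ends the script, so steps 5 and 6 are run separately afterwards; the point of the ordering is that the new name exists in AD (step 2) and on every DC (step 3) before the server starts using it, which is the condition the thread's rename lacked.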
 

Author Comment

by:RHNOC
ID: 40589799
When trying to remove the old computer name:

Unable to remove dc-new
as an alternate name for the computer.
The error is:
Element not found.

I am thinking of just treating this like a failed DC, and clean up AD/DNS of it manually by removing the metadata and loading a fresh DC...
0
 
LVL 3

Expert Comment

by:roycbene
ID: 40589887
That's the way I would go. If the commands above didn't find it, it indeed does not exist. :)
0