Solved

Retiring the First DNS/DC in the enterprise

Posted on 2015-02-01
Last Modified: 2015-02-10
I am ready to retire the first two domain controllers/DNS servers (collocated) in the enterprise, as they are Server 2003.

I have moved the FSMO roles to 2008R2 servers.

DNS replicates to all in name server tab, which I'll check after removing that role from the 2003 Servers.

I'm looking for items to check or move before removing the founding DC/DNS servers.

Thanks
Question by:whoam
5 Comments
 
LVL 10

Assisted Solution

by:Benjamin MOREAU
Benjamin MOREAU earned 500 total points
ID: 40582902
Check that you have a global catalog in your AD.
Check that you have updated your DHCP server (with the new DNS).

If you are "stressed", you can test by shutting down your old server for 1/2 days and checking that all access is OK (file access, creating new accounts...)
 
LVL 41

Assisted Solution

by:footech
footech earned 500 total points
ID: 40583009
I'll typically do the following:
- transfer FSMO roles and verify (netdom query fsmo) from multiple servers
- run repadmin /showrepl and check for errors
- run dcdiag /v and dcdiag /v /test:dns on each DC and check for errors
- make sure DHCP is handing out correct addresses for DNS if those are changing
- best practice is to make all DCs a global catalog
- configure PDCe to sync time from external source
- reset w32tm config on old PDCe
    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time

- you may have to update some DNS info manually, like any delegations for the _msdcs zone
- verify DNS config on new servers such as use of forwarders, any zones on the old DCs which may not be AD-integrated (and so wouldn't have been copied by AD replication)

I also think it's a good idea to turn off the old DCs for a period to verify everything functions.
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 500 total points
ID: 40583329
My steps:
1. Run DCDIAG /C /E /V
2. make sure FSMO roles are moved off any DC about to be removed
3. make sure global catalogs are set for other DCs that will remain
4. make sure any system using the DNS of the server to be retired has been redirected to a new server
5. make sure DHCP settings are adjusted for any scopes that might otherwise use the DNS server of the DCs about to be retired.
6. Turn OFF the DC to be retired for 1 week (unless something stops working, then turn it on)
7. After 1 week, turn on the DC and decommission properly using DCPROMO and removing the DC functionality.
8. get rid of the server
 
LVL 37

Accepted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40583417
After moving the FSMO roles, force AD replication and run the netdom query fsmo command on all domain controllers, and ensure the output is the same on all domain controllers.
If the output is not the same, this is the first thing you need to fix. In that case it might be a replication issue.

After that, on the old PDC server run the command below:
w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time
net start w32time
https://technet.microsoft.com/en-us/library/cc816748(v=ws.10).aspx

On the new PDC, configure the server to poll time from an external time source:
w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time

Replace <peers> with a single NTP server or multiple NTP servers.
Format for entering multiple servers:
/Manualpeerlist:"server1.pool.org server2.pool.org"
https://technet.microsoft.com/en-us/library/cc786897(v=ws.10).aspx

On client machines, you may run the command below through a GPO startup .bat script:
w32tm /config /syncfromflags:domhier /update
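The checks in footech's list and in the accepted answer (FSMO output identical on every DC, no role left on the retiring DC, remaining DCs as global catalogs, PDCe synced externally, replication clean), gathered into one script. This is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) on an admin workstation, that every DC answers AD cmdlets (a Server 2003 DC needs the AD Management Gateway Service for that), and that $RetiringDc is a placeholder for the old DC's short hostname.

```powershell
# Added example, not from the thread: pre-decommission checks for a retiring DC.
# Assumes RSAT ActiveDirectory module; $RetiringDc is a placeholder hostname.
Import-Module ActiveDirectory
$RetiringDc = 'OLDDC01'

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

# 1. Ask each DC for its own view of the role holders (what "netdom query fsmo"
#    on every DC would show). All views must agree, otherwise replication has
#    not converged and that must be fixed before anything else.
$views = foreach ($dc in $dcs) {
    $d = Get-ADDomain -Server $dc.HostName
    $f = Get-ADForest -Server $dc.HostName
    [pscustomobject]@{
        QueriedDc      = $dc.HostName
        PDC            = $d.PDCEmulator
        RID            = $d.RIDMaster
        Infrastructure = $d.InfrastructureMaster
        Schema         = $f.SchemaMaster
        DomainNaming   = $f.DomainNamingMaster
    }
}
$views | Format-Table -AutoSize
$roles = 'PDC', 'RID', 'Infrastructure', 'Schema', 'DomainNaming'
$distinct = $views | Group-Object { $v = $_; ($roles | ForEach-Object { $v.$_ }) -join '|' }
if ($distinct.Count -ne 1) { Write-Warning 'DCs disagree on FSMO holders; fix replication first.' }

# 2. No role may still sit on the DC being retired (role values are FQDNs).
$stale = $roles | Where-Object { $views[0].$_ -like "$RetiringDc.*" }
if ($stale) { Write-Warning "Roles still on ${RetiringDc}: $($stale -join ', ')" }

# 3. Every DC that stays behind should be a global catalog.
$dcs | Where-Object { $_.HostName -notlike "$RetiringDc.*" -and -not $_.IsGlobalCatalog } |
    ForEach-Object { Write-Warning "$($_.HostName) is not a global catalog." }

# 4. The PDCe must take time from external NTP peers, not its own clock.
$pdc = $views[0].PDC
$source = (w32tm /query /source /computer:$pdc) -join ' '
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "PDCe $pdc time source is '$source'; set /manualpeerlist as in the accepted answer."
}

# 5. Inbound replication failures on the retiring DC (repadmin's CSV output).
$failed = repadmin /showrepl $RetiringDc /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    $failed | Select-Object 'Source DSA', 'Naming Context', 'Last Failure Status' | Format-Table -AutoSize
}
```

Run it from a domain-joined box with domain admin rights before the one-week power-off period; any warning it prints is an item to fix before DCPROMO on the old server.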
 
LVL 37

Expert Comment

by:Mahesh
ID: 40583424
You may choose appropriate internet time servers from the article below:
http://www.pool.ntp.org/en/