Solved

Domain Controllers Upgrade

Posted on 2015-02-21
Last Modified: 2015-03-06
I currently have a win2k3/win2k8 environment.  I have a win2k3 DC (BDC) and a win2k8 DC GC (PDC).  We now have a win2k12 server with three VMs, one being a DC with win2k12 as the OS replacing the win2k3 DC.  Should the win2k12 DC be the GC server with the FSMO roles or should I leave that on the win2k8 box and change that when the win2k8 server is being replaced?  What would be your recommendation?
Question by:mcurran1
13 Comments
 
LVL 34

Accepted Solution

by:
Seth Simmons earned 84 total points
ID: 40623168
there is no such thing as PDC and BDC roles as it existed in NT back in the 90s
all domain controllers are equal read/write (unless it is a specific read-only domain controller)
the PDC emulator role was primarily for legacy systems though today with modern windows versions it has a different purpose (mainly for ntp)

now, as far as the 2012 server is concerned, you are not required to move the FSMO roles
if they are already on the 2008 server, they can stay there
if the 2008 server will eventually go away you can move the FSMO roles then, but by no means are you required to do so now

if your 2012 server is working fine on the domain then go ahead and gracefully remove the 2003 server
0
 
LVL 9

Assisted Solution

by:RantCan
RantCan earned 84 total points
ID: 40623173
Check domain functional level: must be 2003 before you can introduce the 2012 DC.  I am always in favor of being as unintrusive as possible. If the goal here is to remove the 2K3 DC and replace it with the 2012, then leave the 2K8 GC well alone.

Questions:
Does the 2K3 server do anything else, like DHCP?
Is host hypervisor clustered (Hyper-V or ESX)?
Is the 2K8 bare-metal? How long until server is at end-of-life?
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 166 total points
ID: 40623175
There are no specific requirements where you HAVE TO move the FSMO roles from the 2008 server to the 2012 server. There really is no benefit other than if your 2012 DC has more resources. However, if you move the FSMO roles now to the 2012 DC you will not have to do it in the future when you are ready to remove the 2008 DC.

Your Functional level will not matter based on where the FSMO roles are because you still have a 2008 DC in your environment so you can only raise the functional level to the oldest DC OS in your environment.

Will.
0
 

Author Comment

by:mcurran1
ID: 40623285
Hi, thanks all for getting back to me.  I am at the 2003 functional level.  At this point, should I up the functional level to 2008?  @RantCan the 2k3 also functions as a terminal server (which I realize should not be done on a DC, but hardware was not available to put it somewhere else at the time, so had to make do with that configuration) and also as a file server, the 2k8 DC does DHCP and yes the 2k8 is a bare metal box and I am not clustering and I am using hyper-v.  When raising the functional level to 2k8 I must first gracefully remove the 2k3 box and then up the functional level, correct?
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 166 total points
ID: 40623296
Yes you can only raise the functional level to the lowest OS operating system, which is 2003. You will need to successfully demote the 2003 server and when all of the 2003 servers are removed you will then be able to raise the domain and forest functional levels to 2008.

To raise to 2012 you will need to remove all 2008 DCs first, then you can raise the functional level again to 2012.

Will.
0
 
LVL 39

Expert Comment

by:footech
ID: 40623306
Also in regards to GC, it's generally best practice nowadays to make all DCs a GC.
0

 
LVL 12

Assisted Solution

by:Sommerblink
Sommerblink earned 83 total points
ID: 40623315
footech:

It may be a best practice to make all DCs GCs, but only in a specific environment:  single domain/single forest.

In multiple domain forests, then the Infrastructure Master FSMO role holders CANNOT be a GC too. Doing so will cause problems.
0
 
LVL 39

Assisted Solution

by:footech
footech earned 83 total points
ID: 40623446
@Sommerblink - Given the question, I took it as a given that this is a single domain environment.  I think your first statement is debatable.

However, your 2nd statement is not quite correct.
"In multiple domain forests, then the Infrastructure Master FSMO role holders CANNOT be a GC too"
...but only if not all DCs are GCs.  You can still have all DCs as GCs, even in a multi-domain environment.

Additional reading:
http://blogs.msmvps.com/acefekay/2010/10/01/global-catalog-and-fsmo-infrastructure-master-relationship/
http://blogs.msmvps.com/acefekay/2011/01/16/active-directory-fsmo-roles-explained/
http://support.microsoft.com/kb/223346
I'll quote one bit from the last link.
- Single domain forest:
   In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
- Multidomain forest:
   If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain. In practical terms, most administrators host the global catalog on every domain controller in the forest.
   If every domain controller in a given domain that is located in a multidomain forest does not host the global catalog, the infrastructure master must be placed on a domain controller that does not host the global catalog.
0
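The placement rule quoted from KB 223346 in the post above, written out as a check (an added example, not part of the original thread). The function name and host names are hypothetical; the input objects mirror the `HostName`, `Domain`, `IsGlobalCatalog` and `OperationMasterRoles` properties that `Get-ADDomainController` returns.

```powershell
# Added example: evaluates the infrastructure master / global catalog rule per domain.
function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers,
        [Parameter(Mandatory)] [int] $ForestDomainCount
    )
    foreach ($group in ($DomainControllers | Group-Object Domain)) {
        $dcs    = @($group.Group)
        $holder = $dcs | Where-Object { $_.OperationMasterRoles -contains 'InfrastructureMaster' } |
                  Select-Object -First 1
        $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

        if (-not $holder) {
            $ok = $false; $why = 'no infrastructure master in the supplied inventory'
        } elseif ($ForestDomainCount -le 1) {
            $ok = $true;  $why = 'single-domain forest: no phantoms, any DC may hold the role'
        } elseif ($nonGc.Count -eq 0) {
            $ok = $true;  $why = 'every DC in the domain is a GC: any DC may hold the role'
        } elseif ($holder.IsGlobalCatalog) {
            $ok = $false; $why = 'not all DCs are GCs, so the role must sit on a non-GC DC'
        } else {
            $ok = $true;  $why = 'role is held by a non-GC DC'
        }
        [pscustomobject]@{
            Domain               = $group.Name
            InfrastructureMaster = $holder.HostName
            Compliant            = $ok
            Reason               = $why
        }
    }
}

# Constructed inventory (hypothetical hosts). On a live domain, with the
# ActiveDirectory module loaded, build the inputs per domain instead:
#   $inventory = Get-ADDomainController -Filter *
#   $domains   = (Get-ADForest).Domains.Count
$inventory = @(
    [pscustomobject]@{ HostName = 'dc08.corp.example'; Domain = 'corp.example'; IsGlobalCatalog = $true
                       OperationMasterRoles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster') }
    [pscustomobject]@{ HostName = 'dc12.corp.example'; Domain = 'corp.example'; IsGlobalCatalog = $false
                       OperationMasterRoles = @() }
)

# Same inventory, evaluated as a single-domain forest and as a two-domain forest.
Test-InfrastructureMasterPlacement -DomainControllers $inventory -ForestDomainCount 1
Test-InfrastructureMasterPlacement -DomainControllers $inventory -ForestDomainCount 2
```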
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40623459
@Footech -
"Also in regards to GC, it's generally best practice nowadays to make all DCs a GC."
I would have to agree with Footech here.

Why?

Because when you add your domain controllers to your environment you want them all to be equally service-able. Meaning if you only have specific DC that are also GC's then the domain controllers that only hold the DC role only will continually have to reference other GC's for forest wide information. In certain scenarios like having Exchange in your environment this would be putting all of the load on the GC's in the environment.

You want all of the DC's to act as equals in regards to providing authentication services. This also provides redundancy for the GC role and simplicity as well known all of your DC's are GC as well.

Any deployment recommendations I always state that having all DC's as GC is a good practice going forward.

Will.
0
 
LVL 12

Expert Comment

by:Sommerblink
ID: 40623905
I stand corrected Footech.

Good luck!
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40624044
If all domain controllers are GCs in multi domain, then it does not matter where the Infrastructure master role resides

Also you can run below command on PDC and ADCs to get difference between them

Net accounts

This command will show each server role:
For PDC it is "primary"
For ADC it is "Backup"
For member servers it is "server"

Even if there is practically no difference between PDC and ADC except that the PDC holds the PDC FSMO role, theoretically the command distinguishes them

Others have already given appropriate answers
0
 

Author Comment

by:mcurran1
ID: 40643362
Well thank you for the abundance of advice here... not sure how to give credit here for a solution though...  I know I can do multiple, but it seems crazy to do them all... what would be a suggested solution for this?
0
 
LVL 39

Expert Comment

by:footech
ID: 40643466
General guidelines, from my point of view.
I would pick each post that
1) provided useful info applicable to the main question
2) didn't repeat previous posts, unless additional meaningful info was given

Then among those, do your best to assign points based on how much of your original question it answered.  Get suspicious if you're accepting more than 3 posts.  More than 5 posts and you're practically guaranteed it's probably too many.
0
