Solved

Migrating Domain Controller to new physical machine

Posted on 2015-02-23
128 Views
Last Modified: 2015-03-23
Hi,

We do have 4 Windows Server 2008 R2 Domain Controllers in our environment, i.e. one physical and three virtual.

Our Primary DNS and DHCP is running on physical.

Physical server's hardware is going bad and its warranty has expired too; therefore, we need to move primary DNS and DHCP to one of the other virtual servers. So, if it dies, we shouldn't be impacted.

So, how can I move primary DNS, DHCP, and other AD roles to another Domain Controller? Or is there any other advice as well?
Question by:A1opus
23 Comments
 
LVL 29

Expert Comment

by:Randy Downs
ID: 40625635
You will need to promote one of your other Servers & demote the one you are decommissioning using DCPromo.

Try this for DHCP.

This may help for decommissioning the old server.
0
 
LVL 19

Expert Comment

by:Kash
ID: 40625652
Promote the virtual server to be a DC.

Then use the following link to migrate DHCP over along with reservations etc. >>>> http://blogs.technet.com/b/networking/archive/2008/06/27/steps-to-move-a-dhcp-database-from-a-windows-server-2003-or-2008-to-another-windows-server-2008-machine.aspx
0
 
LVL 2

Author Comment

by:A1opus
ID: 40625663
Others are already Domain Controllers. When I migrate the DHCP and DNS, how long will the downtime be?

Second, we are not shutting down that physical box right now but want to migrate the critical roles to other servers.
0
 
LVL 19

Expert Comment

by:Kash
ID: 40625669
If they are already DCs then they should be running DNS on them. This means if you look on your Workstations, they should be getting multiple DNS entries for primary and secondary.

I would like to think you shouldn't have any downtime if you follow the procedure above to migrate the DHCP.

You need to check whether your physical server holds the FSMO roles and, if yes, then move them over to one of the VMs.

You can do so by netdom /query fsmo on the server.

Migrating FSMO roles is also a simple job.
Let me know what server holds the FSMO roles.
0
 
LVL 4

Expert Comment

by:Harper McDonald
ID: 40625679
Transfer or seize all FSMO roles from the physical DC to another VM DC, make sure DHCP is installed on the VM and DNS should transfer over, make sure your decommissioned DC is a Global Catalog DC. Run DCPROMO on the old DC and decomm it. Then go 'Office Space' on it with a bat...lol
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 200 total points
ID: 40625685
This is what I would recommend...
- If the physical DC is holding any of the FSMO roles, transfer them to one of the virtual DCs.
Use netdom query fsmo to get the FSMO role holder(s).

So, how can I move primary DNS
With Active Directory you are using AD Integrated Zones for DNS, so do not worry about primary DNS. You just need to make sure that your DHCP client scopes are changed for DNS servers if you plan to demote this physical server.

DHCP migration
https://technet.microsoft.com/en-ca/library/dd379535%28v=ws.10%29.aspx

Also, when you are migrating DHCP to another server, if you have multiple VLANs which separate your clients from servers, you will need to make sure that you add your IP helper address to all of your access switches for your clients' VLAN.

Will.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40625688
@Harper
Transfer or seize all FSMO roles from the physical DC to another VM DC
Never seize the FSMO roles if you do not have to; this method should only be used when the DC holding any of the FSMO roles cannot be contacted. If the machine is still functioning, demote it gracefully.

Will.
0
 
LVL 4

Expert Comment

by:Harper McDonald
ID: 40625714
Right... I've had to do that in a pinch before. Just saying that the roles need to be moved and then dcpromo etc.
0
 
LVL 2

Author Comment

by:A1opus
ID: 40627002
Thanks a lot everyone for the replies.

That physical server holds following FSMO roles:

Schema Master
Domain Naming Master

How can I move the above-mentioned roles to the new servers?

Yeah, all are AD integrated DNS. But this physical is primary. So, how can I demote it to secondary and promote any of other servers to Primary?

What if this server dies tomorrow before I can do anything. I believe Domain controller services and DNS will be served by other DCs. What about DHCP, clients will not get IPs, right?
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 200 total points
ID: 40627046
Transferring the Domain Naming Master Role
https://technet.microsoft.com/en-us/library/cc738685(v=ws.10).aspx

Transferring Schema Master Role
https://technet.microsoft.com/en-us/library/cc816645(v=ws.10).aspx

Yeah, all are AD integrated DNS. But this physical is primary. So, how can I demote it to secondary and promote any of other servers to Primary?

All other Domain Controllers can still serve DNS requests if this DC fails.

What if this server dies tomorrow before I can do anything. I believe Domain controller services and DNS will be served by other DCs. What about DHCP, clients will not get IPs, right?

If the server fails before transferring the roles, you will need to seize the roles to another domain controller. DNS will continue to function; DHCP will need to be installed on another machine and you will need to reconfigure your scopes if you have not backed them up.

As you have stated, the only FSMO roles are Domain Naming and Schema. These roles are important but they are not 100% critical for the operation of your domain. The PDC and RID master roles are the most critical roles to keep the domain functioning.

At worst, if you lost the schema master you would not be able to modify the AD schema until you seize the role to another DC. Also, for Domain Naming, you will not be able to add any external trusts or forest trusts until you seize this role to another DC.

Will.
0
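An added example (not code from the thread or from Microsoft's linked articles) that carries out the graceful transfer Will describes for the two forest-wide roles the physical box holds, and verifies it afterwards. The target name VDC01 is a placeholder; it assumes the ActiveDirectory module (RSAT-AD-PowerShell, Windows Server 2008 R2 or later) and an account in Schema Admins and Enterprise Admins.

```powershell
# Added example: transfer Schema Master and Domain Naming Master from the physical DC
# to a virtual DC, then verify. "VDC01" is a placeholder for the receiving DC.
Import-Module ActiveDirectory

$TargetDc = "VDC01"

# 1. Record the current holders (the same information as 'netdom query fsmo').
$forest = Get-ADForest
$domain = Get-ADDomain
"Before: SchemaMaster=$($forest.SchemaMaster) DomainNamingMaster=$($forest.DomainNamingMaster)"
"        PDCEmulator=$($domain.PDCEmulator) RIDMaster=$($domain.RIDMaster) Infra=$($domain.InfrastructureMaster)"

# 2. Graceful transfer. The current holder is still online, so -Force is NOT used:
#    -Force is the seize operation, reserved for a role holder that cannot be contacted
#    (the point Will makes above), and the old DC must never be brought back afterwards.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# 3. Verify by asking the target DC directly rather than trusting a cached view.
$expected    = (Get-ADDomainController -Identity $TargetDc).HostName
$forestAfter = Get-ADForest -Server $TargetDc
if ($forestAfter.SchemaMaster -eq $expected -and $forestAfter.DomainNamingMaster -eq $expected) {
    "After:  both forest-wide roles are now held by $expected"
} else {
    Write-Warning "Transfer did not complete as expected; re-check with 'netdom query fsmo'"
}
```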
 
LVL 2

Author Comment

by:A1opus
ID: 40629995
Thanks everyone for such helpful replies.

@Will Szymkowski: Your suggestions regarding the helper address in core switches and never seizing FSMO roles are very helpful indeed. I didn't think about the helper address at all.

I have already moved the FSMO roles. I am doing a little bit of my homework regarding DHCP though.

In regards to DNS, I understand that DNS will work if something happens to this physical box, but what I want is that this machine shouldn't be primary DNS anymore. How can I change this role to secondary on this physical box?
0
 
LVL 2

Author Comment

by:A1opus
ID: 40632698
What do y'all think if I create an auxiliary DHCP server before migration? Please advise as necessary in this regard. If someone has any guide to building auxiliary DHCP servers, please do share.
0
 
LVL 19

Accepted Solution

by:Kash
Kash earned 100 total points
ID: 40632712
Migrating DHCP is not a difficult job, A1opus. The process is as follows:

On the current server which runs DHCP, open up a command prompt as admin.

1. type "netsh"
2. then type "dhcp"
3. then type "server \\servername or IP address"
4. then type "export c:\dhcpdb all"

On the new server:
1. copy the dhcpdb file from the old server
2. install the DHCP role
3. stop the DHCP Server service
4. go to c:\windows\system32\dhcp and delete the dhcp.mdb file
5. start the DHCP Server service
6. open a command prompt as admin
7. type "netsh"
8. type "dhcp"
9. type "server \\servername or ip address of the new server"
10. type "import path:\dhcpdb"
11. close cmd
12. authorize the DHCP server
13. stop the DHCP server service on the old server / uninstall
14. Done
0
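The procedure above as a script, added here as an example (not Kash's or the thread's code), with the cut-over ordering that avoids two authorized servers serving the same scopes and a check that only the new server remains authorized in AD. OLD-DHCP / NEW-DHCP, the FQDNs and the IPs are placeholders; each part runs on the named host from an elevated prompt, using the same netsh dhcp tool the steps use.

```powershell
# Added example: netsh export/import of the DHCP database plus an authorization check.
# Server names, FQDNs and addresses below are placeholders.
$OldServer  = "OLD-DHCP"
$NewServer  = "NEW-DHCP"
$ExportFile = "C:\dhcpdb"                 # same file name as in the steps above

# ---- Part 1, on the OLD server: export scopes, options, reservations and leases ----
netsh dhcp server \\$OldServer export $ExportFile all
if (-not (Test-Path $ExportFile)) { throw "Export failed; do not continue" }
# Copy $ExportFile to C:\dhcpdb on the new server before running part 2 there.

# ---- Part 2, on the NEW server (DHCP role already installed): import into a clean DB ----
Stop-Service -Name DHCPServer
Remove-Item "$env:SystemRoot\System32\dhcp\dhcp.mdb" -ErrorAction SilentlyContinue
Start-Service -Name DHCPServer
netsh dhcp server \\$NewServer import $ExportFile all

# ---- Part 3, cut-over: authorize the new server, then take the old one out of service ----
# Two authorized servers handing out the same scopes is the conflict Kash warns about,
# so the old service is stopped AND disabled (not merely stopped) and de-authorized.
netsh dhcp add server NEW-DHCP.example.local 192.0.2.20
Get-Service -Name DHCPServer -ComputerName $OldServer | Stop-Service
Set-Service -Name DHCPServer -ComputerName $OldServer -StartupType Disabled
netsh dhcp delete server OLD-DHCP.example.local 192.0.2.10

# ---- Verification: exactly one authorized DHCP server should remain in the directory ----
$authorized = @(netsh dhcp show server | Select-String 'Server \[')
if ($authorized.Count -ne 1 -or ($authorized -notmatch $NewServer)) {
    Write-Warning "Unexpected authorized DHCP servers:`n$($authorized -join "`n")"
} else {
    "Only $NewServer is authorized; migration complete"
}
```

If clients sit on other VLANs, the IP helper address on the access switches still has to be repointed at the new server, as Will notes earlier in the thread; no script here does that.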
 
LVL 2

Author Comment

by:A1opus
ID: 40632739
Hi Kash,

Thanks for such a step by step procedure. I really appreciate it.

So, when we import the dhcpdb on the new server, there will be two DHCP servers on the network as the old DHCP server is also running. Is it OK?
0
 
LVL 19

Expert Comment

by:Kash
ID: 40632741
Yes, that is why you need to disable the DHCP on the old server the moment you authorize the DHCP on the new server, as it would start causing conflicts otherwise.
0
 
LVL 2

Author Comment

by:A1opus
ID: 40632988
So, as far as I understand, I don't need to do anything in regards to DNS because in AD integrated zones all domain controllers run primary zones, right?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40633079
That is correct. Nothing needs to be done for DNS. As long as the server has a DNS entry in either primary or secondary (preferably primary) you will not have any issues.

Will.
0
 
LVL 2

Author Comment

by:A1opus
ID: 40652224
Hello Folks,

Thanks for your help. I have migrated FSMO roles and DHCP successfully to new VM. Now, I have figured out that this physical box is a time server too for our non-windows machines and appliances. How can I migrate it to the new VM?
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 200 total points
ID: 40660299
Any DC can act as an NTP time server. All you need to do is to point your equipment to another domain controller. If they accept DNS, I like to create an entry for time.domain.tld and have that point to one (or more) domain controllers. Be sure that one of your domain controllers is getting time from an authoritative external source, and that you have the proper time sync settings for virtual DCs set up on the hypervisor.
0
 
LVL 2

Author Comment

by:A1opus
ID: 40660313
Thanks Kevin for the reply.

So, currently, this physical box is getting time from an authoritative external source. Now how can I disable it here and enable it on any of the other DCs?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40661594
To enable an external time source on ONE of your domain controllers:
w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 200 total points
ID: 40661618
You want to enable external time source on the server that holds the PDC emulator role.
0
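An added example (not from the thread) that puts Aaron's w32tm command on the PDC emulator, as kevinhsieh advises, returns the old physical DC to the domain time hierarchy so it stops advertising itself as a reliable source, and verifies the result. PHYS-DC01, example.local and the pool names are placeholders; it assumes the ActiveDirectory module and that w32tm can reach both DCs remotely.

```powershell
# Added example: move the external time source to the PDC emulator and demote the old DC
# to domain-hierarchy sync. Names below are placeholders.
Import-Module ActiveDirectory
$Pdc   = (Get-ADDomain).PDCEmulator
$OldDc = "PHYS-DC01.example.local"

# 1. PDC emulator: sync from external peers and advertise as a reliable time source
#    (Aaron's command, run remotely with /computer:).
w32tm /config /computer:$Pdc /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
w32tm /resync /computer:$Pdc

# 2. Old physical DC: stop being an authoritative source; follow the domain hierarchy
#    like every other DC, so there is exactly one reliable source in the forest.
w32tm /config /computer:$OldDc /syncfromflags:domhier /reliable:NO /update
w32tm /resync /computer:$OldDc

# 3. Verify where each DC now gets its time from (the PDC should show an external peer,
#    the old DC should show a domain controller).
foreach ($dc in @($Pdc, $OldDc)) {
    "$dc source: $(w32tm /query /computer:$dc /source)"
}

# 4. Optional: kevinhsieh's time.domain.tld alias, so non-Windows appliances point at a
#    name that can be moved later instead of at a specific DC. dnscmd ships with the DNS role.
dnscmd $Pdc /RecordAdd example.local time CNAME "$Pdc."
```

The hypervisor-side setting kevinhsieh mentions (not letting the host overwrite the guest clock on virtual DCs) is configured in the hypervisor, not with w32tm, and is outside this script.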
