Solved

How to swap out existing domain controllers with 2 new domain Controllers

Posted on 2016-10-17
Last Modified: 2016-10-21
Hello:

We have 2 x Windows 2008 existing Domain Controllers and it is my intention to replace them with 2 x new Windows 2012 R2 Domain Controllers.

I have done this before with Windows 2003 Server; but, I want to make sure that I am not missing anything important. I can describe my plan below and I want to make sure that I am not missing anything important. I have heard of others having problems setting up new Domain Controllers and I do not want to have those same problems. Please comment on my plan below and let me know if I am missing anything important.

1.  Clearly Identify what role each current Domain Controller is providing.
        a.  Global Catalogue Server
        b.  Primary FSMO roles
        c.  DNS Server.
        d.  DHCP server ( and scope settings)

2.  Identify which Servers/PC's/Appliances have static settings that connect to the current Domain Controllers.
        a.  Firewalls - VPN / Router - DNS / Router DHCP - Relay.
        b.  Servers
        c.  Etc.

3.  Create 2 new Domain Controllers that are DNS servers as well.
        a.  Begin changing the DNS server IP address settings on each appliance from the older DCs to the new DCs.
        b.  Use the instructions from: https://blogs.technet.microsoft.com/canitpro/2013/05/05/step-by-step-adding-a-windows-server-2012-domain-controller-to-an-existing-windows-server-2003-network/

        c.  Then begin changing the roles for each appliance (from step 2) to point to the new Domain Controllers. This must be performed in a step-by-step, systematic and organized approach.


4.  Plan to change the primary FSMO roles from the primary DC to one of the new DCs.

5.  Then when everything you can think of has been changed, now power off 1 of the Domain Controllers.
        a.  This will test if any other configuration changes are still required.
        b.  If something undesirable happens then just power it back on.
        c.  If nothing bad happens after 3 days then one may proceed to demote that domain controller.


Question1:  Does the above plan provide a good starting point for this project?
        a.  Any other suggestions?


Question2:  Does the web site reference https://blogs.technet.microsoft.com/canitpro/2013/05/05/step-by-step-adding-a-windows-server-2012-domain-controller-to-an-existing-windows-server-2003-network/ provide a good reference?


Question3:  How can we test if the new Domain Controllers can see each other correctly?
         a.  I heard a story that someone set up 2 new Domain Controllers and they could not see each other.
         b.  Then eventually both DCs stopped working and no one could log on to the network.
 

Question4:  How can I properly demote the Domain Controller from the domain?
         a.  I have found 2 web resources:
                 i.  https://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx
                ii.  https://www.youtube.com/watch?v=CQnwiRHoveY
Question by: Pkafkas

Expert Comment by: Senior IT System Engineer
ID: 41847670
Do you have to use the same IP address for the new replacement domain controllers ?

Accepted Solution by: Lee W, MVP (earned 350 total points)
ID: 41847674
Question1:  Does the above plan provide a good starting point for this project?
        a.  Any other suggestions?

Don't understand why you wouldn't be running DCDIAG /C /E /V - it's an integral part of all my domain migrations.

Question2:  Does the web site reference https://blogs.technet.microsoft.com/canitpro/2013/05/05/step-by-step-adding-a-windows-server-2012-domain-controller-to-an-existing-windows-server-2003-network/ provide a good reference?
Generally fine, but 2003 had more things you needed to do/be concerned with than 2008 based networks.


Question3:  How can we test if the new Domain Controllers can see each other correctly?
         a.  I heard a story that someone set up 2 new Domain Controllers and they could not see each other.
         b.  Then eventually both DCs stopped working and no one could log on to the network.

Again, DCDIAG.  But give some time for replication to work.  Test.  Turn off a system for a day or two and see that things work.
 

Question4:  How can I properly demote the Domain Controller from the domain?
         a.  I have found 2 web resources:
                 i.  https://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx
                ii.  https://www.youtube.com/watch?v=CQnwiRHoveY

You run DCPROMO to demote.

This kinda goes with question 1a:
If you haven't done this before, you shouldn't be doing it for the first time on your production network. Set up a test network and DO IT. THREE TIMES. AT LEAST. And if you don't have the time or interest, then hire a professional. This is your NETWORK! It runs your business! If you're not experienced and/or comfortable doing this, DON'T. Hire someone so you get it right the first time.
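As an added example (not code from the thread or from any of its participants), the following PowerShell script does the inventory the asker lists in step 1 (FSMO holders, Global Catalog, DNS/DHCP) and then runs the DCDIAG /C /E /V and replication summary that Lee W recommends, surfacing only failed tests. It assumes the ActiveDirectory RSAT module and a Domain Admin session on a 2012 R2 member; the DHCP check is skipped where the DhcpServer module is not installed.

```powershell
# Added example: pre-migration inventory and health check (not from the thread).
# Assumes the ActiveDirectory module (RSAT) and a Domain Admin session.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Step 1b: FSMO role holders. Every one of these must be moved off the old DCs
# before either old DC is demoted.
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Step 1a/1c: every DC in the domain with its GC flag, IP, site and OS version.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# Step 1d: DHCP servers authorized in AD (needs the DhcpServer module, Server 2012+).
if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
    Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize
}

# Lee W's recommendation: comprehensive, verbose DCDIAG against every DC, saved to a log.
$report = Join-Path $env:TEMP ("dcdiag-{0:yyyyMMdd-HHmm}.log" -f (Get-Date))
dcdiag.exe /c /e /v | Out-File -FilePath $report -Encoding utf8

# Surface only the lines that report a failed test; the full log stays on disk.
Select-String -Path $report -Pattern 'failed test' | ForEach-Object { $_.Line }
Write-Host "Full DCDIAG output saved to $report"

# Replication summary: any non-zero 'Fails' count must be fixed before adding new DCs.
repadmin.exe /replsummary
```

Run it once before touching anything and keep the log; the same run after each migration step gives a direct before/after comparison.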

Assisted Solution by: Mohammed Khawaja (earned 150 total points)
ID: 41848013
For question 4, what you need to do is ensure the old DCs are off, create an AD object on one DC and test to see if the second DC can see it.
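The replication test Mohammed Khawaja describes (create an object on one DC, check that the other DC sees it), written out as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module and that the two hostnames are the new 2012 R2 DCs; the test object is a plain contact (no logon rights) and is removed again in both outcomes.

```powershell
# Added example: replication convergence test between two DCs (not from the thread).
# Assumes the ActiveDirectory module; the hostnames below are placeholders.
Import-Module ActiveDirectory

$dc1 = 'newdc1.corp.example'   # assumed FQDN of the first new DC
$dc2 = 'newdc2.corp.example'   # assumed FQDN of the second new DC
$container = (Get-ADDomain -Server $dc1).UsersContainer   # e.g. CN=Users,DC=corp,DC=example

function Test-ADReplication {
    param(
        [string]$Source, [string]$Target, [string]$Path,
        [int]$TimeoutSeconds = 300
    )
    # Unique name so repeated runs never collide with a not-yet-replicated deletion.
    $name = 'repltest-' + (Get-Date -Format 'yyyyMMddHHmmss')
    $dn   = "CN=$name,$Path"

    # Create a harmless contact object on the source DC only.
    New-ADObject -Name $name -Type contact -Path $Path -Server $Source
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $seen = $false
    try {
        # Poll the target DC until the object shows up there or the timeout expires.
        while ((Get-Date) -lt $deadline) {
            if (Get-ADObject -Identity $dn -Server $Target -ErrorAction SilentlyContinue) {
                $seen = $true
                break
            }
            Start-Sleep -Seconds 10
        }
    } finally {
        # Always clean up on the source; the deletion replicates like any other change.
        Remove-ADObject -Identity $dn -Server $Source -Confirm:$false
    }
    return $seen
}

# Test both directions: each DC must both send and receive changes.
foreach ($pair in @(@($dc1, $dc2), @($dc2, $dc1))) {
    if (Test-ADReplication -Source $pair[0] -Target $pair[1] -Path $container) {
        Write-Host "OK: object created on $($pair[0]) appeared on $($pair[1])"
    } else {
        Write-Warning "FAIL: $($pair[1]) never saw the object from $($pair[0]); run 'repadmin /showrepl $($pair[1])'"
    }
}
```

Default intra-site replication latency is well under the 5-minute timeout, so a FAIL here points at DNS, site topology or connectivity rather than at timing.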

Author Comment by: Pkafkas
ID: 41848717
Since I have never used DCDiag and since we do not have a test environment I believe it would be best to work with a consultant who has done this before. I have swapped out 2003 Windows Servers that were domain controllers; is it that much different for 2008 R2 and 2012 R2?

Assisted Solution by: Lee W, MVP (earned 350 total points)
ID: 41849051
*IF* the technology interests you and you want to learn it, do so if you have the time. Most Windows 8 and 10 computers running Professional have the capability to run VMs. Add some RAM to your desktop or laptop running Windows 8 Pro or 10 Pro and set up a test network in VMs. Then do this a few times to learn it. Ask questions here regarding your testing/learning.

If you are NOT interested in learning this, then I would say your next step is to look for a consultant.  Some consultants are not comfortable doing migrations like this - I've worked for several remotely and in person.  Others are fine.  Use Experts-Exchange to vet your consultant - take their proposal / plan skillset to the forum and ask questions that, with the right answers, will make you feel confident in the person you're hiring.  

My opinion.

Author Comment by: Pkafkas
ID: 41849914
The interest is there; I just want to be careful, since I feel that there is no margin for error at my work. I think my plan is solid; but, I have never run DCDiag before.

I think I will research DCDiag and set up 1 new Domain controller at a time. Then begin researching the migration process as much as I can. I should work with a consultant so I can work with them and make sure that it goes well. That is, to change the FSMO roles and such.

Then the next Domain controller will need to incorporate a DHCP scope as well.  Thank you for your feedback.

Author Comment by: Pkafkas
ID: 41852532
I did not see the 1st comment, or question to me. No, I do not need to use the same IP address. This will be a brand new Server with a new hostname and IP address.

I think we have gotten away from my original question. I obviously want to learn and get the experience under my belt; but, I wish to handle the project responsibly as well. Question1: is the plan for preparation a good start for the Domain Name swap?

Question2 continued: it does appear that I should research something called DCDiag as well. Am I missing any other necessary steps from my outlined plan?

Assisted Solution by: Lee W, MVP (earned 350 total points)
ID: 41853114
One of the things a professional knows how to do is answer the question that SHOULD have been asked.

It's just as important knowing what NOT to do as it is knowing what you should do. When I go into networks I've seen set up by other non-professionals, some of the weird stuff I've seen blows my mind. Just because the capabilities APPEAR to be there doesn't mean you should use them in conjunction with other capabilities - sometimes you should, sometimes you shouldn't. So as much as we can tell you what to do, there's no guarantee that you won't try to do something that you think is innocent and yet it causes problems on the network. And there's no guarantee that we'll remember to tell you to do EVERYTHING because for us, this stuff can be second nature... when you don't have experience, it's like telling an alien how to make a peanut butter sandwich - take everything literally and realize if you don't detail EXACTLY what you mean, you end up with a jar of peanut butter between two slices of bread!

The fact that you haven't even googled DCDIAG yet concerns me even more and makes me think you are simply not skilled enough at the present time. If you want to do this responsibly then you need to know a LOT more before you begin. The basics may be there, but it would be irresponsible of me to encourage you personally to perform this upgrade when you are clearly not ready, in my opinion.

I'm sorry if I offend, but to this point, that's my opinion based on our interaction.

Author Comment by: Pkafkas
ID: 41854818
All of these questions are part of the research process.  An honest response is appreciated and I hope my honesty is appreciated as well.

The true sign of a non-professional is to assume that everything will be easy and, as a result, not come up with a thoughtful plan. It has been my experience that putting a plan together helps ease the nerves. With this specific plan, I will research and perhaps work with a consultant for the first DC. Thank you for the tip on DCDIAG.