  • Status: Solved
  • Priority: Medium
  • Security: Public

How to swap out existing domain controllers with 2 new domain Controllers

Hello:

We have 2 x Windows 2008 existing Domain Controllers, and it is my intention to replace them with 2 x new Windows 2012 R2 Domain Controllers.

I have done this before with Windows 2003 Server, but I want to make sure that I am not missing anything important.  I describe my plan below.  I have heard of others having problems setting up new Domain Controllers and I do not want to have those same problems.  Please comment on my plan below and let me know if I am missing anything important.

1.  Clearly Identify what role each current Domain Controller is providing.
        a.  Global Catalogue Server
        b.  Primary FSMO roles
        c.  DNS Server.
        d.  DHCP server ( and scope settings)

2.  Identify which Servers/PCs/Appliances have static settings that connect to the current Domain Controllers.
        a.  Firewalls - VPN / Router - DNS / Router DHCP - Relay.
        b.  Servers
        c.  Etc.

3.  Create 2 new Domain Controllers that are DNS servers as well.
        a.  Begin changing the DNS server IP address settings on each appliance from the older DCs to the new DCs.
        b.  Use the instructions from: https://blogs.technet.microsoft.com/canitpro/2013/05/05/step-by-step-adding-a-windows-server-2012-domain-controller-to-an-existing-windows-server-2003-network/

        c.  Then begin changing the roles for each appliance (from step 2) to point to the new Domain Controllers.   This must be performed in a step-by-step, systematic and organized approach.


4.  Plan to change the primary FSMO roles from the primary DC to one of the new DCs.

5.  Then when everything you can think of has been changed, now power off 1 of the Domain Controllers.
        a.  This will test whether any other configuration changes are still required.
        b.  If something undesirable happens then just power it back on.
        c.  If nothing bad happens after 3 days then one may proceed to demote that domain controller.


Question1:  Does the above plan provide a good starting point, for this project?
        a.  Any other suggestions?


Question2:  Does the web site reference https://blogs.technet.microsoft.com/canitpro/2013/05/05/step-by-step-adding-a-windows-server-2012-domain-controller-to-an-existing-windows-server-2003-network/  provide a good reference?


Question3:  How can we test if the new Domain Controllers can see each other correctly?
         a.  I heard a story that someone setup 2 new Domain Controllers and they could not see each other.
         b.  Then eventually both DC's stopped working and no one could logon to the network.
 

Question4:  How can I properly demote the Domain Controller from the domain?
         a.  I have found 2 web resources:
                 i.  https://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx
                ii.  https://www.youtube.com/watch?v=CQnwiRHoveY
1
Asked by: Pkafkas
4 Solutions
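The inventory in steps 1 and 4 of the plan above, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory and DhcpServer modules are available on a 2012 R2 host joined to the domain; NEWDC1 is a hypothetical name for one of the new controllers.

```powershell
# Added inventory example (not from the original post). Assumes the RSAT
# ActiveDirectory and DhcpServer modules on a 2012 R2 host in the domain.
Import-Module ActiveDirectory
Import-Module DhcpServer -ErrorAction SilentlyContinue

$domain = Get-ADDomain
$forest = Get-ADForest

# Step 1b: FSMO role holders. Forest-wide roles are on the forest object,
# domain-wide roles on the domain object.
"FSMO role holders:"
"  SchemaMaster         : $($forest.SchemaMaster)"
"  DomainNamingMaster   : $($forest.DomainNamingMaster)"
"  PDCEmulator          : $($domain.PDCEmulator)"
"  RIDMaster            : $($domain.RIDMaster)"
"  InfrastructureMaster : $($domain.InfrastructureMaster)"

# Steps 1a and 1c: every DC with its IP, GC flag, site, OS, and whether
# the DNS Server service is running on it (clients will point at these IPs).
Get-ADDomainController -Filter * | ForEach-Object {
    $dnsSvc = Get-Service -Name DNS -ComputerName $_.HostName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC            = $_.HostName
        IPv4          = $_.IPv4Address
        GlobalCatalog = $_.IsGlobalCatalog
        DnsServer     = ($dnsSvc.Status -eq 'Running')
        Site          = $_.Site
        OS            = $_.OperatingSystem
    }
} | Format-Table -AutoSize

# Step 1d: DHCP servers authorised in AD and the scopes each one serves,
# so the scope settings can be recreated on the replacement server.
Get-DhcpServerInDC | ForEach-Object {
    "DHCP server $($_.DnsName) ($($_.IPAddress))"
    Get-DhcpServerv4Scope -ComputerName $_.DnsName |
        Format-Table ScopeId, Name, StartRange, EndRange, SubnetMask, State -AutoSize
}

# Step 4: move all five roles to the new DC (hypothetical name NEWDC1) in one
# call. Left commented out: run it only after the new DCs replicate cleanly;
# -Confirm prompts before each role is moved.
# Move-ADDirectoryServerOperationMasterRole -Identity NEWDC1 `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
#     -Confirm
```

Save the output of the first two sections before touching anything; the same script run again after the cut-over gives a direct before/after comparison of who holds which role and which DCs clients are being pointed at.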
 
Senior IT System Engineer, IT Professional, commented:
Do you have to use the same IP address for the new replacement domain controllers ?
0
 
Lee W, MVP, Technology and Business Process Advisor, commented:
Question1:  Does the above plan provide a good starting point, for this project?
        a.  Any other suggestions?

Don't understand why you wouldn't be running DCDIAG /C /E /V - It's an integral part all my domain migrations.

Question2:  Does the web site reference https://blogs.technet.microsoft.com/canitpro/2013/05/05/step-by-step-adding-a-windows-server-2012-domain-controller-to-an-existing-windows-server-2003-network/  provide a good reference?
Generally fine, but 2003 had more things you needed to do/be concerned with than 2008 based networks.


Question3:  How can we test if the new Domain Controllers can see each other correctly?
         a.  I heard a story that someone setup 2 new Domain Controllers and they could not see each other.
         b.  Then eventually both DC's stopped working and no one could logon to the network.

Again, DCDIAG.  But give some time for replication to work.  Test.  Turn off a system for a day or two and see that things work.
 

Question4:  How can I properly demote the Domain Controller from the domain?
         a.  I have found 2 web resources:
                 i.  https://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx
                ii.  https://www.youtube.com/watch?v=CQnwiRHoveY

You run DCPROMO to demote.

This kinda goes with question 1a:
If you haven't done this before, you shouldn't be doing it for the first time on your production network.  Set up a test network and DO IT.  THREE TIMES.  AT LEAST.  And if you don't have the time or interest, then hire a professional.  This is your NETWORK!  It runs your business!  If you're not experienced and/or comfortable doing this, DON'T.  Hire someone so you get it right the first time.
1
 
Mohammed Khawaja commented:
For question 4, what you need to do is ensure the old DCs are off, create an AD object on one DC and test to see if the second DC can see it.
0
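Lee W's DCDIAG and replication advice and Mohammed Khawaja's create-an-object test, combined into one added PowerShell example that is not code from either answer. NEWDC1, NEWDC2 and OLDDC1 are hypothetical names; it assumes the RSAT ActiveDirectory module on a 2012 R2 host, and calls dcdiag, repadmin and dfsrmig, which ship with the AD DS tools.

```powershell
# Added verification and decommissioning example (not from the answers above).
# NEWDC1/NEWDC2 are the hypothetical new 2012 R2 DCs, OLDDC1 the 2008 DC being retired.
Import-Module ActiveDirectory
$newDCs  = 'NEWDC1', 'NEWDC2'
$oldDC   = 'OLDDC1'
$domain  = Get-ADDomain
$usersDn = "CN=Users,$($domain.DistinguishedName)"

# Full (/c), every DC (/e), verbose (/v) DCDIAG, kept on disk; show only failed tests.
dcdiag /c /e /v |
    Tee-Object -FilePath "$env:TEMP\dcdiag-pre-demotion.txt" |
    Select-String 'failed test'

# Replication health: every partner should report 0 fails and a small "largest delta".
repadmin /replsummary
repadmin /showrepl $newDCs[0] /errorsonly
repadmin /showrepl $newDCs[1] /errorsonly

# SYSVOL replication state (a 2008-era domain may still be on FRS);
# SYSVOL must be in sync on the new DCs before the old ones go.
dfsrmig /getglobalstate

# Both new DCs should be Global Catalogs before the old GCs disappear.
Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog, OperationMasterRoles

# End-to-end test: write a throwaway contact on one new DC, poll for it on the
# other for up to five minutes, then delete it.
$probe = "replprobe-$(Get-Date -Format yyyyMMddHHmmss)"
New-ADObject -Name $probe -Type contact -Path $usersDn -Server $newDCs[0]
$seen = $false
for ($i = 0; $i -lt 30 -and -not $seen; $i++) {
    Start-Sleep -Seconds 10
    $seen = [bool](Get-ADObject -LDAPFilter "(name=$probe)" -SearchBase $usersDn -Server $newDCs[1])
}
"Probe $probe visible on $($newDCs[1]): $seen"
Remove-ADObject -Identity "CN=$probe,$usersDn" -Server $newDCs[0] -Confirm:$false

# Demotion: on the 2008 DC run dcpromo, as the answer above says. On a 2012 R2 DC
# the equivalent is:  Uninstall-ADDSDomainController -DemoteOperationMasterRole -Confirm
# Afterwards confirm the retired DC is gone from the DC list and from the domain's
# _msdcs SRV records, so clients cannot keep locating a box that no longer authenticates them.
$stillListed = Get-ADDomainController -Filter * | Where-Object { $_.Name -eq $oldDC }
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV |
       Where-Object { $_.NameTarget -like "$oldDC.*" }
if ($stillListed -or $srv) {
    "WARNING: $oldDC is still registered as a DC or in DNS; clean this up before it is permanently powered off."
} else {
    "$oldDC has been removed from the directory and from the _msdcs SRV records."
}
```

The last check is the one that matters for the three-day power-off in step 5: a DC that is powered off but never demoted keeps its computer object, NTDS settings and SRV records, so clients and other DCs will keep trying to reach it. If a demotion fails part-way, ntdsutil metadata cleanup is the documented way to remove those leftovers.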
 
Pkafkas, Network Engineer (Author), commented:
Since I have never used DCDiag and since we do not have a test environment I believe it would be best to work with a consultant who has done this before.  I have swapped out 2003 Windows Servers that were domain controllers; is it that much different for 2008 R2 and 2012 R2?
0
 
Lee W, MVP, Technology and Business Process Advisor, commented:
*IF* the technology interests you and you want to learn it, do so if you have the time.  Most Windows 8 and 10 computers running Professional have the capability to run VMs.  Add some RAM to your desktop or laptop running Windows 8 Pro or 10 Pro and setup a test network in VMs.  Then do this a few times to learn it.  Ask questions here regarding your testing/learning.

If you are NOT interested in learning this, then I would say your next step is to look for a consultant.  Some consultants are not comfortable doing migrations like this - I've worked for several remotely and in person.  Others are fine.  Use Experts-Exchange to vet your consultant - take their proposal / plan skillset to the forum and ask questions that, with the right answers, will make you feel confident in the person you're hiring.  

My opinion.
0
 
Pkafkas, Network Engineer (Author), commented:
The interest is there; I just want to be careful, since I feel that there is no margin for error at my work.  I think my plan is solid, but I have never run DCDiag before.  

I think I will research DCDiag and set up 1 new Domain Controller at a time.  Then begin researching the migration process as much as I can.  I should work with a consultant so I can work with them and make sure that it goes well.  That is, to change the FSMO roles and such.

Then the next Domain controller will need to incorporate a DHCP scope as well.  Thank you for your feedback.
0
 
Pkafkas, Network Engineer (Author), commented:
I did not see the 1st comment, or question to me.  No, I do not need to use the same IP address.  This will be a brand new Server with a new hostname and IP address.

I think we have gotten away from my original question.  I obviously want to learn and get the experience under my belt, but I wish to handle the project responsibly as well.  Question 1: is the plan for preparation a good start for the Domain Controller swap?  

Question 2 continued: it does appear that I should research something called DCDiag as well.  Am I missing any other necessary steps from my outlined plan?
0
 
Lee W, MVP, Technology and Business Process Advisor, commented:
One of the things a professional knows how to do is answer the question that SHOULD have been asked.

It's just as important knowing what NOT to do as it is knowing what you should do.  When I go into networks I've seen setup by other non-professionals, some of the weird stuff I've seen blows my mind.  Just because the capabilities APPEAR to be there doesn't mean you should use them in conjunction with other capabilities - sometimes you should sometimes you shouldn't. So as much as we can tell you what to do, there's no guarantee that you won't try to do something that you think is innocent and yet it causes problems on the network.  And there's no guarantee that we'll remember to tell you to do EVERYTHING because for us, this stuff can be second nature... when you don't have experience, it's like telling an alien how to make a peanut butter sandwich - take everything literally and realize if you don't detail EXACTLY what you mean, you end up with a Jar of peanut butter between two slices of bread!

The fact that you haven't even googled DCDIAG yet concerns me even more and makes me think you are simply not skilled enough at the present time.  If you want to do this responsibly then you need to know a LOT more before you begin.  The basics may be there, but it would be irresponsible of me to encourage you personally to perform this upgrade when you are clearly not ready in my opinion.

I'm sorry if I offend, but to this point, that's my opinion based on our interaction.
0
 
Pkafkas, Network Engineer (Author), commented:
All of these questions are part of the research process.  An honest response is appreciated and I hope my honesty is appreciated as well.

The true sign of a non-professional is not to assume that everything will be easy and as a result not coming up with a thoughtful plan.  It has been my experience that putting a plan together helps ease the nerves.  With this specific plan, I will research and perhaps work with a consultant for the first DC.  Thank you for the tip on DCDIAG.
0
 
Pkafkas, Network Engineer (Author), commented:
Due to my research and careful planning everything thankfully went well.  I wish other Administrators just as much luck with projects that they may have never done before.  The key is preparation and working responsibly with the data.  It goes to show you that one should believe in one's abilities and pick and choose whom to listen to.
1
