Replacing primary AD DC
I have a 2012 DC with these roles
WSUS
DHCP
DNS
DFS
Certificate Authority
Network Policy Server
The plan is to replace this server hardware with new server. I would like to keep the same name and IP.
Ive done it once before but at that time I didnt have all these new roles.
I guess to get to my question, I am not sure what affect renaming the DC will have on the Certificate Authority, will the workstations generate a new certificate with the new CA server once they connect to it for the first time?
The main reason we use the CA is in conjunction with NPS for wifi and LAN authentication for workstations.
As for the other roles, im confident I can replicate the settings on the new DC.
for WSUS I found this guide, unless someone has a better one?
http://www.vkernel.ro/blog/migrating-wsus-from-one-server-to-another
WSUS
DHCP
DNS
DFS
Certificate Authority
Network Policy Server
The plan is to replace this server hardware with new server. I would like to keep the same name and IP.
Ive done it once before but at that time I didnt have all these new roles.
- I plan to rename DC1 it to DC-old, but keep the IP
- Build the new DC1 with temp IP
- Setup all same roles on new DC1
- Transfer original IP to new DC1 and update the DNS records.
I guess to get to my question, I am not sure what affect renaming the DC will have on the Certificate Authority, will the workstations generate a new certificate with the new CA server once they connect to it for the first time?
The main reason we use the CA is in conjunction with NPS for wifi and LAN authentication for workstations.
As for the other roles, im confident I can replicate the settings on the new DC.
for WSUS I found this guide, unless someone has a better one?
http://www.vkernel.ro/blog/migrating-wsus-from-one-server-to-another
I don't care how many ways people tell you it's ok, I would think twice, three times, and more before renaming a domain controller. To me, it's a very risky idea, especially with other services installed.
I have no familiarity with Network Policy server and very limited with certificate services.
DHCP is easy to move
DNS is easy (don't do anything with it - it's automatically installed when promoted and with AD integrated zones, it should transfer over. Maybe note your settings if you have anything special otherwise, this should be easy).
DFS is easy - don't do anything with it
I would migrate all the services and FORGET the old DC name. If you're using DFS already, the file shares part shouldn't be a concern.
https://www.petri.com/migrate-restore-windows-server-2012-r2-certification-authority-to-new-server
Any other services should, at worst, be a quick adjustment in configs to be on a new server.
I have no familiarity with Network Policy server and very limited with certificate services.
DHCP is easy to move
DNS is easy (don't do anything with it - it's automatically installed when promoted and with AD integrated zones, it should transfer over. Maybe note your settings if you have anything special otherwise, this should be easy).
DFS is easy - don't do anything with it
I would migrate all the services and FORGET the old DC name. If you're using DFS already, the file shares part shouldn't be a concern.
https://www.petri.com/migrate-restore-windows-server-2012-r2-certification-authority-to-new-server
Any other services should, at worst, be a quick adjustment in configs to be on a new server.
Don't change a DC's name. Don't change a DC's IP address. Just don't. I have been allowed to charge way too many companies ridiculously high (well deserved, critical down) fees cleaning up severely broken environments from someone deciding they could save 10 minutes.
First, while not directly part of your question, that is *WWWAAAYYY* too much stuff on a DC. With windows virtualization rights, there is DC's should be kept pure, or at least relatively pure. Most, if not all, of those roles should be on a non-DC. For sure WSUS (IIS is a huge security footprint issue), and probably NPS. The more you can load on other servers, the better.
Once you do that, that basically makes the DC name and IP a non-issue. Retire an old one. Spin up a new one. Clients find the new one via DNS, which is easily updated via DHCP, no harm no foul.
If for some reason you have a ton of dependencies, that's a good sign you should rethink your network. Upgrades are a part of life. But for a short term fix while you architect a long term fix, you spin up a new temp DC. Name it temp-dc. Give it a temp IP. Let things replicate. Retire old DC. Then spin up new permanent DC. Give *it* the old name and the old IP (now free). Let it replicate. Then retire the temp DC. Yes installing a temp DC takes a whole 15 extra minutes. But you never rename a DC. Never change an IP address. Fully supported. Easier to back out if you need to. So many things better with that approach.
First, while not directly part of your question, that is *WWWAAAYYY* too much stuff on a DC. With windows virtualization rights, there is DC's should be kept pure, or at least relatively pure. Most, if not all, of those roles should be on a non-DC. For sure WSUS (IIS is a huge security footprint issue), and probably NPS. The more you can load on other servers, the better.
Once you do that, that basically makes the DC name and IP a non-issue. Retire an old one. Spin up a new one. Clients find the new one via DNS, which is easily updated via DHCP, no harm no foul.
If for some reason you have a ton of dependencies, that's a good sign you should rethink your network. Upgrades are a part of life. But for a short term fix while you architect a long term fix, you spin up a new temp DC. Name it temp-dc. Give it a temp IP. Let things replicate. Retire old DC. Then spin up new permanent DC. Give *it* the old name and the old IP (now free). Let it replicate. Then retire the temp DC. Yes installing a temp DC takes a whole 15 extra minutes. But you never rename a DC. Never change an IP address. Fully supported. Easier to back out if you need to. So many things better with that approach.
IT world isn't perfect, im working with what I have.
Ive done several dc renames and IP changes with no issues.
I guess I could do a workaround where I move all the non AD services WSUS, DHCP, NPS, CA...etc to the new server (just a joined machine)
Then demote old DC1 and free up IP
Rename the new Standalone server to DC1 and give it old IP
Then promote it to AD DC
The main issue will be the time between when I demote the old and promote the new, the other servers will still be pointed to it as primary DNS, and I dont want to go around and change them all, but during that time, DNS resolution might fail if the IP is accessible but DNS is not working.
I noticed when I do monthly updates on the server, each time during the reboot there is a 1 min window when the server responds to pings, but DNS is not initialized yet and all the other servers cant get to internet during that time due to DNS down.
This time that window will be much longer.
Ive done several dc renames and IP changes with no issues.
I guess I could do a workaround where I move all the non AD services WSUS, DHCP, NPS, CA...etc to the new server (just a joined machine)
Then demote old DC1 and free up IP
Rename the new Standalone server to DC1 and give it old IP
Then promote it to AD DC
The main issue will be the time between when I demote the old and promote the new, the other servers will still be pointed to it as primary DNS, and I dont want to go around and change them all, but during that time, DNS resolution might fail if the IP is accessible but DNS is not working.
I noticed when I do monthly updates on the server, each time during the reboot there is a 1 min window when the server responds to pings, but DNS is not initialized yet and all the other servers cant get to internet during that time due to DNS down.
This time that window will be much longer.
IF you have to go around to each machine, why are you running the DHCP role at all? Again, this points to a longer term change you could make. Use DHCP to assign the DNS server, and then you can easily make the change and not need to play musical IP addresses. Yes, we all work with what we have, but we should also always be working to improve what we have as well. This is an opportunity for that.
I'd probably still be using DHCP and use reservations and DHCP relay in most cases. For the few special cases where static really is needed, DSC would be the way to go and has been my recommend configuration for a half-decade or so.
I can't speak to your overall configuration as WAY too little information has been provided for me to do so... but your infrastructure should not require preservation of server names and IPs. It just shouldn't. If it does now, take every opportunity to IMPROVE it and prevent that going forward. Preserving the status quo is not improving it. Introduce a new DC, migrate things over to it slowly if you have to. Again no experience with NPS and little with Cert services. From what I've read, moving that is easy enough. NPS, not a clue. BUT, how many places are configured for NPS that would require you to change things? Servers DNS need updating? Fine - but you should have multiple DCs anyway if you have that complex an environment in which case the other DC can handle DNS until you get to it.
My OCD will not allow me to have DC2 and DC3 LOL! Ill keep trying to find DC1 :)
So lets just work around that :)
So lets just work around that :)
Then do a swing migration - migrate twice - once to TempDC and then back to DC1.
My desire to see you have a stable network outweighs your desire to keep things numerically sequenced.
(Have you considered DC-A?)
My desire to see you have a stable network outweighs your desire to keep things numerically sequenced.
(Have you considered DC-A?)
I dont really need the temp DC because I have DC2-4, they can handle the AD roles while i demote DC1.
My only concern was the other roles on DC1
Thats why I came up with this work around.
move all the non AD services WSUS, DHCP, NPS, CA...etc to the new server (just a joined machine)
Then demote old DC1 and free up IP
Rename the new Standalone server to DC1 and give it old IP
Then promote it to AD DC
My only concern was the other roles on DC1
Thats why I came up with this work around.
move all the non AD services WSUS, DHCP, NPS, CA...etc to the new server (just a joined machine)
Then demote old DC1 and free up IP
Rename the new Standalone server to DC1 and give it old IP
Then promote it to AD DC
In theory that should work. But I doubt it's ever been tested. WSUS will createocal accounts to do things, and promoting the machine to a DC could mangle that process since the accounts are in place already. Which is where I have to reiterate that I'd find a way... almost any way... To keep some of those heavier roles off a DC.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Split:
-- Lee W MVP (https:#a42361691)
-- Cliff Galiher (https:#a42361695)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
I have recommended this question be closed as follows:
Split:
-- Lee W MVP (https:#a42361691)
-- Cliff Galiher (https:#a42361695)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
Premium Content
You need an Expert Office subscription to comment.Start Free Trial