asked on
Replacing primary AD DC
I have a 2012 DC with these roles
WSUS
DHCP
DNS
DFS
Certificate Authority
Network Policy Server
The plan is to replace this server hardware with new server. I would like to keep the same name and IP.
Ive done it once before but at that time I didnt have all these new roles.
I guess to get to my question, I am not sure what affect renaming the DC will have on the Certificate Authority, will the workstations generate a new certificate with the new CA server once they connect to it for the first time?
The main reason we use the CA is in conjunction with NPS for wifi and LAN authentication for workstations.
As for the other roles, im confident I can replicate the settings on the new DC.
for WSUS I found this guide, unless someone has a better one?
http://www.vkernel.ro/blog/migrating-wsus-from-one-server-to-another
WSUS
DHCP
DNS
DFS
Certificate Authority
Network Policy Server
The plan is to replace this server hardware with new server. I would like to keep the same name and IP.
Ive done it once before but at that time I didnt have all these new roles.
- I plan to rename DC1 it to DC-old, but keep the IP
- Build the new DC1 with temp IP
- Setup all same roles on new DC1
- Transfer original IP to new DC1 and update the DNS records.
I guess to get to my question, I am not sure what affect renaming the DC will have on the Certificate Authority, will the workstations generate a new certificate with the new CA server once they connect to it for the first time?
The main reason we use the CA is in conjunction with NPS for wifi and LAN authentication for workstations.
As for the other roles, im confident I can replicate the settings on the new DC.
for WSUS I found this guide, unless someone has a better one?
http://www.vkernel.ro/blog/migrating-wsus-from-one-server-to-another
WSUSActive Directory
Last Comment
Pber
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
IF you have to go around to each machine, why are you running the DHCP role at all? Again, this points to a longer term change you could make. Use DHCP to assign the DNS server, and then you can easily make the change and not need to play musical IP addresses. Yes, we all work with what we have, but we should also always be working to improve what we have as well. This is an opportunity for that.
ASKER
DHCP is for workstations on the main subnet, the servers are static on few different subnets.
I'd probably still be using DHCP and use reservations and DHCP relay in most cases. For the few special cases where static really is needed, DSC would be the way to go and has been my recommend configuration for a half-decade or so.
I can't speak to your overall configuration as WAY too little information has been provided for me to do so... but your infrastructure should not require preservation of server names and IPs. It just shouldn't. If it does now, take every opportunity to IMPROVE it and prevent that going forward. Preserving the status quo is not improving it. Introduce a new DC, migrate things over to it slowly if you have to. Again no experience with NPS and little with Cert services. From what I've read, moving that is easy enough. NPS, not a clue. BUT, how many places are configured for NPS that would require you to change things? Servers DNS need updating? Fine - but you should have multiple DCs anyway if you have that complex an environment in which case the other DC can handle DNS until you get to it.
ASKER
My OCD will not allow me to have DC2 and DC3 LOL! Ill keep trying to find DC1 :)
So lets just work around that :)
So lets just work around that :)
Then do a swing migration - migrate twice - once to TempDC and then back to DC1.
My desire to see you have a stable network outweighs your desire to keep things numerically sequenced.
(Have you considered DC-A?)
My desire to see you have a stable network outweighs your desire to keep things numerically sequenced.
(Have you considered DC-A?)
ASKER
I dont really need the temp DC because I have DC2-4, they can handle the AD roles while i demote DC1.
My only concern was the other roles on DC1
Thats why I came up with this work around.
move all the non AD services WSUS, DHCP, NPS, CA...etc to the new server (just a joined machine)
Then demote old DC1 and free up IP
Rename the new Standalone server to DC1 and give it old IP
Then promote it to AD DC
My only concern was the other roles on DC1
Thats why I came up with this work around.
move all the non AD services WSUS, DHCP, NPS, CA...etc to the new server (just a joined machine)
Then demote old DC1 and free up IP
Rename the new Standalone server to DC1 and give it old IP
Then promote it to AD DC
In theory that should work. But I doubt it's ever been tested. WSUS will createocal accounts to do things, and promoting the machine to a DC could mangle that process since the accounts are in place already. Which is where I have to reiterate that I'd find a way... almost any way... To keep some of those heavier roles off a DC.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Split:
-- Lee W MVP (https:#a42361691)
-- Cliff Galiher (https:#a42361695)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
I have recommended this question be closed as follows:
Split:
-- Lee W MVP (https:#a42361691)
-- Cliff Galiher (https:#a42361695)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
Ive done several dc renames and IP changes with no issues.
I guess I could do a workaround where I move all the non AD services WSUS, DHCP, NPS, CA...etc to the new server (just a joined machine)
Then demote old DC1 and free up IP
Rename the new Standalone server to DC1 and give it old IP
Then promote it to AD DC
The main issue will be the time between when I demote the old and promote the new, the other servers will still be pointed to it as primary DNS, and I dont want to go around and change them all, but during that time, DNS resolution might fail if the IP is accessible but DNS is not working.
I noticed when I do monthly updates on the server, each time during the reboot there is a 1 min window when the server responds to pings, but DNS is not initialized yet and all the other servers cant get to internet during that time due to DNS down.
This time that window will be much longer.