Laszlo Denes (Canada) asked:
Add new 2016 DC into existing 2008 R2 FFL/DFL and replace existing 2008R2 DC but with SAME NAME AND STATIC IP?

Quick question regarding the best way to do this and as always greatly appreciate any/all insights, tips and thoughts.
We currently have a FFL/DFL 2008 R2 with two 2008 R2 domain controllers.
I am planning to (after all tests/prerequisite steps, e.g. DNS health, AD replication, FSMO role transfer to the other DC, etc. are successful) demote a 2008 R2 DC and then replace it with a newly built Server 2016 Standard as a DC.
Here is my challenge, i.e. the question I would like to clarify.
We are trying to keep the same name/IP (it is static obviously) for the new 2016 DC (temporary name assigned and already built but not in domain yet) as we currently have for the existing 2008R2 DC. The intent is to avoid having to individually reconfigure/repoint all services (e.g. static DNS/WINS Settings) on all member server network cards, applications/appliances that point to DC based on name/IP for LDAP integration, etc.
So would the steps be as follows or is there something else that needs to be done, before, during or after that I am still missing?
Existing name of current 2008R2 DC e.g. SERVERDC2 (with IP 192.168.1.2)
1. Move all FSMO roles, etc. to the other DC (SERVERDC1, 2008 R2), demote SERVERDC2 from a DC to a member server only, then remove it as a member server from the domain into a workgroup.
2. Rename new 2016 server, currently in workgroup with temp name, to SERVERDC2 and promote it to the domain as a member server.
3. Assign the same static IP that the previous SERVERDC2 (2008R2) had, i.e. 192.168.1.2.
4. Promote (install AD, etc.) new SERVERDC2 (2016) as domain controller.
5. Allow for DNS, AD replications across domain from other DC SERVERDC1 (2008R2) to new SERVERDC2 (2016).
6. Run health checks again (AD, DNS, etc.) and resolve any arising issues.
7. Move all FSMO roles from SERVERDC1 (2008 R2) to the new SERVERDC2 (2016) and then turn off SERVERDC1 (2008 R2) for a few hours to make sure everything works. Then repeat the steps to remove SERVERDC1 (2008 R2) and replace it with another SERVERDC1 (now 2016) added the same way as SERVERDC2 (2016), thus replacing the existing SERVERDC1 (2008 R2) with the same name and IP as well.
OR
Do I demote the existing SERVERDC2 (2008 R2) from DC to merely a member server, but then not remove it from the domain into a workgroup, i.e. the computer account remains registered in the domain (DNS, WINS), so that when I change the name of the new 2016 DC from the temp name to SERVERDC2 and join it to the domain the computer account already exists? I am inclined to totally remove the existing DC (as DC and member server) and then add everything as new, but only because we normally do not need to keep the same name/IP. So is there anything special I need to take into account or consider because of that requirement, or are the above steps (1-7) correct with full removal and then full promotion/addition of the new server with the same name/IP?
it_saige (United States) replied:

The better path is to demote the existing server and remove it *completely* from AD. Server promotion shouldn't take a long time. If you plan it accordingly, you should be able to get by with minimum fuss during some scheduled downtime. One thing I would definitely recommend is that you ensure that you are currently using DFS-R as opposed to FRS.

https://blogs.technet.microsoft.com/filecab/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol/

-saige-
Removing the DC completely from the domain would be applicable only if you failed to demote it gracefully.
Otherwise you could simply demote it, make sure you run AD replication and ensure that the account has been converted to a member server on all DC servers, then reset it from the AD Users and Computers snap-in, join the new 2016 server to the domain with that name and promote it as a DC.
Finally, swap the IP addresses.
This is the standard process.
What points to the DCs by name? Generally, the only things that I commonly see where keeping the same name is at all important is if you are pointing to the DCs for file or print services. Otherwise, just keeping the same IP address is generally sufficient. You can also add a cname record for the old DCs after they are retired.

I always keep the same IP address when replacing DCs. The process is actually very simple. Join the new server to the domain and promote as usual. Set up DHCP, DNS, and perform all standard health checks. When you are ready to cut over, take the old DC and give it a new IP address. Then immediately take the new DC and give it the original IP address and reboot it. You are basically done at that point. Follow the normal process for transferring FSMO roles and demoting the old server.

Renaming DCs has given me weird problems and I swear that we will never do it again.
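An added example, written for this thread rather than taken from any of the posts or from Microsoft: the checks a practitioner would run on the new 2016 server after it has been renamed SERVERDC2 and joined as a member server (steps 1-3 of the plan above, or the demote/reset/join sequence in the reply above), followed by the promotion itself (step 4). It assumes the RSAT AD tools (Get-AD*, dcdiag) are present on the new server; SERVERDC1/SERVERDC2 and the domain come from the thread.

```powershell
# Added example (not from the thread or Microsoft). Run on the new 2016 server, already
# renamed SERVERDC2 and joined to the domain as a member server, before promoting it.
# Assumes RSAT AD tools are installed; SERVERDC1/SERVERDC2 are the names used in the thread.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ActiveDirectory
$OldDcName   = 'SERVERDC2'                 # name being reused for the new DC
$RemainingDc = 'SERVERDC1'                 # 2008 R2 DC that stays up during the swap
$Domain      = Get-ADDomain -Server $RemainingDc
$Forest      = Get-ADForest -Server $RemainingDc
$Problems    = @()

# 1. Every FSMO role must already sit on the remaining DC (step 1 of the plan).
@($Domain.PDCEmulator, $Domain.RIDMaster, $Domain.InfrastructureMaster,
  $Forest.SchemaMaster, $Forest.DomainNamingMaster) |
  Where-Object { $_ -notlike "$RemainingDc.*" } |
  ForEach-Object { $Problems += "FSMO role still held by $_" }

# 2. AD must no longer list the old server as a DC (its demotion has replicated everywhere).
if (Get-ADDomainController -Filter "Name -eq '$OldDcName'" -Server $RemainingDc) {
    $Problems += "$OldDcName is still registered as a domain controller"
}

# 3. The computer account (fresh, or the reset one) must look like a member server:
#    outside the Domain Controllers OU and without the SERVER_TRUST_ACCOUNT bit (0x2000).
$Acct = Get-ADComputer -Filter "Name -eq '$OldDcName'" -Properties userAccountControl -Server $RemainingDc
if ($Acct -and ($Acct.DistinguishedName -like '*OU=Domain Controllers,*' -or ($Acct.userAccountControl -band 0x2000))) {
    $Problems += "$OldDcName account still flagged as a DC: $($Acct.DistinguishedName)"
}

# 4. No stale SRV records may still advertise the old DC; clients would keep trying to use it.
$OldFqdn = "$OldDcName.$($Domain.DNSRoot)"
foreach ($Srv in "_ldap._tcp.dc._msdcs.$($Domain.DNSRoot)", "_kerberos._tcp.dc._msdcs.$($Domain.DNSRoot)",
                 "_ldap._tcp.gc._msdcs.$($Forest.RootDomain)") {
    Resolve-DnsName -Name $Srv -Type SRV -Server $RemainingDc -ErrorAction SilentlyContinue |
      Where-Object { $_.NameTarget -eq $OldFqdn } |
      ForEach-Object { $Problems += "Stale SRV record $Srv -> $OldFqdn" }
}

# 5. Replication on the remaining DC must be clean before a new replica is added.
if ((dcdiag /s:$RemainingDc /test:Replications 2>&1) -match 'failed test') {
    $Problems += 'dcdiag reports replication failures on the remaining DC'
}
if ($Problems) { $Problems | ForEach-Object { Write-Warning $_ }; throw 'Fix the above before promoting.' }

# Step 4: promote as an additional DC with DNS, replicating from the remaining 2008 R2 DC.
Install-ADDSDomainController -DomainName $Domain.DNSRoot -InstallDns `
    -ReplicationSourceDC "$RemainingDc.$($Domain.DNSRoot)" -Credential (Get-Credential) `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
```

Step 5 onwards (waiting for replication, re-running health checks, moving the FSMO roles) is unchanged; the same script can be reused for SERVERDC1 by swapping the two names.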
Laszlo Denes (asker) replied:

Yes, we are running DFS-R since we raised FFL/DFL/DC to 2008 R2 :-)
ASKER CERTIFIED SOLUTION
Jeff Glover (United States)
Laszlo Denes (asker) replied:

Thanks Jeff (and everyone else).
Both DCs have DNS installed, but according to this article https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones
"There are no behavioral changes from Windows Server 2003-based DNS integration with Active Directory", but "the following DNS-specific application directory partitions are created during AD DS installation: A forest-wide application directory partition, called ForestDnsZones, Domain-wide application directory partitions for each domain in the forest, named DomainDnsZones".

We are FFL/DFL and DC 2008 R2 and DNS seems healthy (no errors, etc.), but when I look at our DNS (on the main DC) I do not see any of those directories mentioned above (see screenshot of what I see under DNS on our DC), and we did not make any DNS-related changes (except turning on scavenging, which is unrelated) when we raised the FFL/DFL from 2003 to 2008 R2 recently. Or am I not understanding this properly (frequently, with increasing age, lol)?
(screenshot: DCDNS.jpg)
Expand Forward Lookup Zones to see the Application Directory Partitions. They hold the SRV records.
Thanks... found this https://www.itprotoday.com/management-mobility/how-do-i-configure-active-directory-integrated-dns
Checked again and note that it says we are running it... see screenshot.
And yes, I see the Application Directory Partitions mentioned that hold the SRV records. DOH! LOL!
Assuming that you have to give it a new name and IP, and that keeping the old name/IP is really a requirement, you can double-bind the old IP and add the old hostname to the server as a secondary name via NETDOM COMPUTERNAME.
Thank you everyone, appreciate it.