- Windows Server 2016
- Windows Server 2012
- Active Directory
- VPN
- Security
- Windows 10
- Windows
- Azure
Replacing an existing domain controller
Hello Experts,
The PC with my virtual domain crashed, so I can’t lab this up and find the answer myself, so I thought I would just post it and get your thoughts.
I have a domain at work where the two domain controllers are running Server 2008 R2. Since those no longer get security updates, I need to upgrade them. Thanks to delays in manufacturing and shipping, the replacement servers I ordered before Christmas just came in yesterday. A summary of our environment is as follows:
1. Two domain controllers named DC-A (IP address: 10.10.0.1) and DC-B (IP address: 10.20.0.1)
2. Domain has two sites (Campus and Downtown)
3. DC-A is in the Downtown site
4. DC-B is in the Campus site
5. There are several “home grown” applications and various configurations that make calls to Active Directory using both server name and server IP.
I want to do the following to minimize the amount of work and inconvenience on everyone:
1. Build the first new domain controller (build will be Server 2016). The new domain controller will be given a name of DC-C with an IP of 10.10.0.201.
2. Run forest and domain prep for the introduction of Server 2016 domain controllers.
3. Bring the new domain controller online and let replication take place.
4. Power off DC-A.
5. Rename DC-C to DC-A. Re-IP DC-C to 10.10.0.1.
6. Reboot DC-C. When it comes back up, it will be the new DC-A.
7. Do a clean on the metadata
I can’t see any reason that the steps above won’t work, but as I stated, I don’t have a lab to test the process in right now. Do any of you see issues with this process?
Thanks,
Nick
The PC with my virtual domain crashed, so I can’t lab this up and find the answer myself, so I thought I would just post it and get your thoughts.
I have a domain at work where the two domain controllers are running Server 2008 R2. Since those no longer get security updates, I need to upgrade them. Thanks to delays in manufacturing and shipping, the replacement servers I ordered before Christmas just came in yesterday. A summary of our environment is as follows:
1. Two domain controllers named DC-A (IP address: 10.10.0.1) and DC-B (IP address: 10.20.0.1)
2. Domain has two sites (Campus and Downtown)
3. DC-A is in the Downtown site
4. DC-B is in the Campus site
5. There are several “home grown” applications and various configurations that make calls to Active Directory using both server name and server IP.
I want to do the following to minimize the amount of work and inconvenience on everyone:
1. Build the first new domain controller (build will be Server 2016). The new domain controller will be given a name of DC-C with an IP of 10.10.0.201.
2. Run forest and domain prep for the introduction of Server 2016 domain controllers.
3. Bring the new domain controller online and let replication take place.
4. Power off DC-A.
5. Rename DC-C to DC-A. Re-IP DC-C to 10.10.0.1.
6. Reboot DC-C. When it comes back up, it will be the new DC-A.
7. Do a clean on the metadata
I can’t see any reason that the steps above won’t work, but as I stated, I don’t have a lab to test the process in right now. Do any of you see issues with this process?
Thanks,
Nick
Yup, I see issues. Your AD will not like what you do.
If both your DCs are full DCs then here is how I would do it. Of course, there are others that may do it different but I have done this many times in our Network. (We have multiple sites, 5 Full DCs and 20 RODCs)
1. Install new server as DC-A-New (the exact name is irrelevant here). give it the IP you want. Join it to your domain.
2. Make sure you know what services the current DC-A is running.
3. Make sure DC-B is a Global Catalog (should be) and holds all the FSMO roles. They will transfer off when you demote DC-A but I believe in playing it safe.
4. During a maintenance windows, Demote DC-A to a member server.
5. After demotion, change its name and IP.
6. Change the IP and name of the new server to DC-A and the current IP.
7. Add the Roles needed (DNS and ADDS at a minimum) using Server Manager.
8. Promote to Domain Controller. Since this is the first 2016 DC, it will do the Preps when it installs automatically.
9. Add any needed services
The only thing I would make sure of is that your domain/Forest Functional levels are as high as you can go now (2008R2).this is a personal recommendation, not a requirement. Server 2016 only required Server 2003 FFL/DFL.
A note here, it does not take long to promote a 2016 DC. Our maintenance windows for this were usually ~ 2 hours or so.
If both your DCs are full DCs then here is how I would do it. Of course, there are others that may do it different but I have done this many times in our Network. (We have multiple sites, 5 Full DCs and 20 RODCs)
1. Install new server as DC-A-New (the exact name is irrelevant here). give it the IP you want. Join it to your domain.
2. Make sure you know what services the current DC-A is running.
3. Make sure DC-B is a Global Catalog (should be) and holds all the FSMO roles. They will transfer off when you demote DC-A but I believe in playing it safe.
4. During a maintenance windows, Demote DC-A to a member server.
5. After demotion, change its name and IP.
6. Change the IP and name of the new server to DC-A and the current IP.
7. Add the Roles needed (DNS and ADDS at a minimum) using Server Manager.
8. Promote to Domain Controller. Since this is the first 2016 DC, it will do the Preps when it installs automatically.
9. Add any needed services
The only thing I would make sure of is that your domain/Forest Functional levels are as high as you can go now (2008R2).this is a personal recommendation, not a requirement. Server 2016 only required Server 2003 FFL/DFL.
A note here, it does not take long to promote a 2016 DC. Our maintenance windows for this were usually ~ 2 hours or so.
4. Power off DC-A.
5. Rename DC-C to DC-A.
This in particular will not work. The old DC-A needs to be removed from AD (either through normal demotion and rename or metadata cleanup, with demotion being preferred) before you can rename anything else to DC-A.
Jeff's steps above look good to me.
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
Domain Controller IFM (Install From Media): Is it worth it? -
![]()
wrote an Article
![]()
SHA1 to SHA2 Migration Needs, Prerequisites and available options
-
![]()
created a Video
![]()
[Webinar] How Hackers Steal Your Credentials and Why Active Directory Must be Secure to Stop Them
-
Explore Cloud Class® ![]()
Certification: IS20 Information Systems 20 Controls - Security Controls
Premium Content
You need an Expert Office subscription to comment.Start Free Trial