
Clean Install 2008R2 AD Domain 3

We have a 10-year-old Win 2000 AD domain with a few Server 2003 and R2 servers as well. As Microsoft's support for W2K is about at an end, we've purchased a pair of DL380G6 servers to act as this office's DCs/Role Master servers. There is a lot of damage in our old domain: the most serious is a problem increasingly causing Admin equivalents to not be able to install/uninstall printers on local machines.
We've decided to create the new Server 2008R2 AD Domain from scratch. The two DCs will be named the same thing and strapped up on a different subnet on the LAN, using a slightly different domain name. The users will be created new with the same passwords on the new Domain. When the time comes, over a weekend we will remove all non-DC servers and workstations from the old Domain and attach them to the new one.

1: Does anyone see a problem thus far?
2: I know ( or it used to be so <g> ) that I can't change a DC's name once it's promoted. Same with the domain name. Can I change the subnet though? I would like to be able to swap these two DCs into the same IPs that the outgoing DCs used.


Paul
 
How many servers/workstations/users total are you talking about here?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
I'd create a trust between the two, then use ADMT to move everything over. Much simpler, and if done right, won't lose the profiles for the users.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
I second 58Sniper's suggestion. Use of ADMT is the way to go here.

You can change the DC name in W2K8

That is for 2008 but I see no reason why it would not work in R2.

You can also change the IP address, but personally I never do; I just use new IP addresses.

If you do decide to change the IP address then after you have done so run

ipconfig /registerdns
dcdiag /fix

This will ensure that DNS service records are updated properly.

How 'slightly different' will the domain names be?
If you have example.com and your new domain is called example.lan, you will run into NetBIOS name conflicts and more than likely you won't be able to set up a trust between the 2 domains.

Paul
VCP4

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

Difficult takes a day, impossible takes a week
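As an added example (not from the thread), a PowerShell check that confirms the DC locator SRV records and the host A record reflect the new address after running ipconfig /registerdns and dcdiag /fix. It assumes PowerShell 3 or later with the DnsClient module (Windows 8 / Server 2012 or newer on the workstation running it); the domain, DC name and address are placeholders.

```powershell
# Added example, not from the thread. Assumes the DnsClient module (Resolve-DnsName)
# and network access to the domain's DNS servers.
# Verifies that the records clients use to locate a DC point at its new address.
param(
    [string]$Domain = 'example.lan',       # placeholder domain name
    [string]$DcName = 'DC01.example.lan',  # placeholder DC FQDN
    [string]$NewIP  = '192.0.2.10'         # placeholder new DC address
)

# The locator records a client queries to find a DC, Kerberos KDC and the PDC emulator.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain"
)

foreach ($srv in $srvNames) {
    $records = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -ieq $DcName }
    if (-not $records) {
        Write-Warning "$srv : no SRV record targets $DcName (registration incomplete)"
        continue
    }
    Write-Output "$srv -> $DcName (priority $($records[0].Priority), port $($records[0].Port))"
}

# The host record must carry the new address only; a leftover old address means
# clients will intermittently try the address the DC no longer has.
$addrs = Resolve-DnsName -Name $DcName -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' } |
         ForEach-Object { $_.IPAddress }
if (($addrs -contains $NewIP) -and (@($addrs).Count -eq 1)) {
    Write-Output "$DcName -> $NewIP (A record correct)"
} else {
    Write-Warning "$DcName resolves to [$(@($addrs) -join ', ')]; expected only $NewIP"
}
```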
 
Use ADMT.

Also keep in mind that domains don't just hold security principals; those security principals are actually used for something throughout domain-connected systems. For example, Joe Smith logs into the network with his JSMITH account. But that account also has access permissions to files, folders, printers, etc. that also need to be migrated. You need to make sure that whatever you do, your permissions on objects within your environment are also appropriately migrated to the new accounts.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCTS:Windows Server 2008 R2, Server Virtualization
MCSE:Security 2003
MCITP:Enterprise Administrator
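As an added example (not from the thread), a PowerShell sweep that lists explicit ACEs on a file tree whose principal no longer resolves to a name. After the old domain is gone, these raw SIDs are exactly the permissions that were not carried over to the new accounts. It assumes PowerShell 3 or later and read access to the tree; the path is a placeholder.

```powershell
# Added example, not from the thread. Assumes PowerShell 3+ and read access to $Root.
# Reports non-inherited ACEs whose identity is an unresolved domain SID.
param([string]$Root = 'D:\Shares\Engineering')  # placeholder share path

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $path = $_.FullName
    $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # skip entries we cannot read; move to the next item
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # only explicit ACEs need to be re-granted
        # A principal that cannot be translated to DOMAIN\name comes back as its raw
        # SID. S-1-5-21-... is the domain-account prefix, so these are accounts from a
        # domain this machine can no longer resolve (the old domain after cutover).
        if ($ace.IdentityReference.Value -match '^S-1-5-21-') {
            [pscustomobject]@{
                Path     = $path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
            }
        }
    }
  } | Format-Table -AutoSize
```

Running it before decommissioning the old domain gives a baseline of which accounts hold explicit grants; running it afterwards shows what ADMT (or a manual re-ACL) missed.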
 
I've not researched ADMT and will do so, but as we have perhaps 50+ systems, recreating the domain will take perhaps a day: pulling systems from the old and attaching to the new.

I want to keep the IPs as many of the users will have a heart attack if they have to learn new IPs for getting to certain scanners etc. It will take months for the users to settle back down if I make that sort of change :[ I want to make this as invisible as possible to the engineers here.

The domain names will be from 123.com to 123inc.com thus I don't foresee a possible conflict.


Thanks for the thoughts: it's been way too many years since the various certs were obtained, and I generally have no need to work with these issues so have rusted up quite a bit.


paul
 
> I want to keep the IPs as many of the users will have a heart attack if they have to learn new IPs for getting to certain scanners etc. It will take months for the users to settle back down if I make that sort of change

A few years back some very clever people got together and figured out a solution for having to learn and remember IP addresses for devices/resources that they wanted to connect to. It involved using meaningful names that were mapped to IP addresses in the background. I believe that they called it "DNS" or something like that.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCTS:Windows Server 2008 R2, Server Virtualization
MCSE:Security 2003
MCITP:Enterprise Administrator
 
> I believe that they called it "DNS" or something like
> that.

cute.

not terribly useful, but cute nonetheless.
 
> cute.
>
> not terribly useful, but cute nonetheless.

On the contrary, DNS is extremely useful for precisely these situations.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCTS:Windows Server 2008 R2, Server Virtualization
MCSE:Security 2003
MCITP:Enterprise Administrator
 
kmcferrin is dead on here...if your users are still connecting to things via IP, they *really* need to start using DNS names.

While I'm not a fan of change for change's sake...the use of DNS is definitely something that should be done right now (since it wasn't done before).

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 