New DC - Same Name - Same IP

vkalra

MIS
Jan 22, 2006
21
CA
Okay, I have a very unique scenario I'm working with. Here are the
details:

AD Domain - W2K Domain
1 DC - Let's call it DC1
DC1 is running Windows 2000 Server


What we need to do is build a new domain controller with same name,
without removing the existing server. In other words, I need to be
able to turn off the existing domain controller without removing it as
a DC (long story).


To make matters more complicated, the new server will have W2K3 R2
instead of W2K. Here's what I am planning on doing:


1. Run Forestprep / domainprep on DC1 to allow for W2K3 R2 DC (yes
I'll run it from Disc 2)
2. Install a new DC with W2K3 R2 - let's call it DC2.
3. Make DC2 a GC Server
4. Take DC2 off the existing network physically and connect it to
another physical network (new switch)
5. Seize FSMO roles on DC2
6. Clean up AD as per MS AD Backup / Restore Guide
(http://technet2.microsoft.com/windowsserver/en/library/f66ee9e4-96d7-4f74-a2fe-d669194bf5a21033.mspx?mfr=true)
7. Install W2K3 R2 on new hardware and give same name as DC1
8. Promote DC1 to Domain Controller
9. Make DC1 GC Server
10. Transfer FSMO Roles to DC1
11. Remove DC2 as a GC Server
12. Demote DC2 to member server
13. Remove DC2 from domain


Will this work?


Regards,


Vinod
 
Must you absolutely use the same name? I would recommend bringing the 2nd DC online, moving all the roles to it, then demoting the current DC. Much less fuss.
 
Unfortunately, yes. I have to use the same name and IP due to some legacy apps that were coded with the name and/or IP.
 
Even if you name the new machine with the same name, IP address etc., the machines will have different SID numbers. I don't know what kind of problems that could cause in Active Directory.

 
And turning off an existing DC without properly removing it from the domain is asking for all kinds of problems.

You can rename Domain Controllers after they are in production.

Pat Richard
Microsoft Exchange MVP
 
Hmm... can you rename a server to the name of an existing DC without demoting the existing DC first? I may not be able to demote the existing DC, as there are some regulatory requirements (can't decommission the server until everything is fully up and running).

 
No. You can't have two DCs with the same name.

You're going to have to bring the new DC up under another name, and under another IP address.

At that point, you'd be better off just rehoming your other apps and leaving it that way. Then decommission your existing DC.

Pat Richard
Microsoft Exchange MVP
 
Can't rehome the apps... they are proprietary legacy apps that nobody has the source code for. Whoever wrote the critical apps had hard coded the server name / IP, which is why the name and IP have to be the same.
 
Tell you what I would do. I would bring up a nice new 2k3 server, add it to the domain, and dcpromo it. Move the FSMO roles, GC, dhcp, dns, printers, blah blah and whatever else from the 2k server to the 2k3 server. I would then demote the 2k server to a member server. If the 2k hardware is fine I would just leave it and let it chug along with its goofy software running. If the 2k server hardware is suspect I would download the free VMWare server and virtualize it and dump the hardware.

Just my 2 cents.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
I thought of leaving the machine online. Server is on very old hardware, and we aren't too sure how long it's gonna last. VMWare won't work. They won't pay for it.

Further, I cannot demote the old DC until the new DC is online. This is a regulatory requirement. That's why I was thinking of building a second DC, and then doing the rest of the build off the network on an isolated switch.
 
Also, I would turn off the existing DC before putting the new DC (with same name / IP) onto the network.
 
The thing is, the SID will not be the same. You WILL have to remove the old server from AD in order to run the new server with the same name.



Chris
IT Manager
Houston, Texas
 
That's why I was thinking of building a second DC on the production network, making it a GC, DNS, etc.. Then, take that server offline to an isolated network (not connected to main network). Seize FSMO roles.

After this, clean up metadata on the AD for the existing DC that is on the production network.

Then, build my new DC with the same name and IP as the DC on production network. Make it a GC, DNS and transfer FSMO roles.

Turn off the DC on the production network. Move the new DC to the production network.
 
I really think you are way overcomplicating this project. Let's take a step back and get some more information.

1st - Are you even sure this custom app will run/function on a 2k3 server?

2nd - Are you willing to buy 2 new servers? 1 to be a new DC and 1 to serve up that app.

3rd - How many users use this app at any given time, how much of a load is it on the server?

4th - Do you think this app could run on a server with only 2gig of RAM?

5th - VMWare Server is free. With that knowledge would you entertain buying 1 server making it the new DC and run a virtual server on it that also serves up this app?

I don't know how big your organization is, 1 server may not be practical if you have 100s of users. Somehow I don't get the feeling that's the case though.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Unfortunately, due to government regulations we have to follow, VMWARE is not an option. It actually complicates things more, believe it or not.

To answer questions:

1. Yes, apps will run under W2K3
2. We can't buy 2 new servers... no budget
3. Company has less than 20 users, so no major load
4. Yes, apps will run with only 2 Gig RAM (current server only has 640MB)
5. VMWARE is not an option, unfortunately.
 
I have a question - on your legacy apps that are hard coded with the name - can they be fooled? Bring up your new DC "normally" and give it a new IP address. Get all your roles and everything without seizing anything. On your end user machines, what if you go into their hosts file (%systemroot%\system32\drivers\etc\hosts) and put in the hard coded name of the server and the IP address it looks up from? Move the app from one server to another... and then bind a 2nd IP address on your new server while at the same time just unplugging the network cable from the known to be working one, see if your apps work and will do their lookup of name and IP out of the hosts file.

I'd say maybe just do the fooling of the app with WINS and DNS entries, but something makes me want to think if it is hard coded then that may not work... but the few similar things I've had with this problem I've been able to trick it with the hosts file without problems.

TNG / Mark
 
I labbed out the scenario, and it seems to have worked without a hitch. Because we have no other DCs in the domain, I am not concerned too much with the GUID changing. I'll keep you guys posted on how the production environment fares.
 
One thing you could do is get a trial of Double Take software. Probably not in your budget to buy since it is VERY expensive, however they'll give ya a 30 day trial for free. You might be able to use it to "crash" the first server and fail over to the new one, which would move ALL information including SID. The fail over, in all my testing, was less than 15 minutes for a halfway decent sized server. It also doesn't destroy the original server, so if something goes bad, shut off the second server and turn on the first. The network won't see any difference.

I am sure there is other "fail over" software that would do the same thing, but I used a trial of Double Take and it worked flawlessly.

Just a suggestion...

Cheers
Rob

The answer is always "PEBKAC!"
 