Promote new server to DC question 2

Status
Not open for further replies.

pkirill

Technical User
Jun 15, 2002
134
US
We currently have two Windows 2003 servers that are domain controllers. One is also the DNS server. We have two new servers running Windows 2003 R2. I'd like to promote these to Domain controllers as they will replace the existing servers. My question is, do I need to use backed-up AD data to promote the new servers, or will AD data replicate over the network via the dcpromo wizard? Is there an advantage one way or the other?

Thanks in advance!
 
Did you run the adprep commands from the 2nd R2 CD yet? If not, you need to run those first.

After that, just DCPROMO it in and the AD info will replicate from the other DC's, which is what you want to happen.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
The poster formerly known as lander215
 
You will also want to transfer the FSMO roles and Global Catalog from the old DC to the new DC before you demote the older servers for removal from the network.

RoadKi11
 
Thanks for the assist. Do I need to "demote" them before removal? I'll have to research the transfer business...
 
Okay, so let me see if I have the steps correct. In order to add two new DC's (new boxes running R2) to an existing domain and ultimately remove two existing Windows 2003 DC's I need to:

1) run adprep from 2nd CD on all windows 2k3 servers (there are actually two more non-DC servers that will remain).
2) verify/validate DNS settings
3) run dcpromo on the two new servers to make them DC's
4) transfer FSMO roles from "PDC" to new "PDC" per this MS article: or this one:
5) run dcpromo on two old servers to demote them
6) shut down old servers
 
Yes, before you remove the old servers from the domain and after you've transferred the FSMO/GC/DNS/DHCP etc. over to the new servers, then you'll want to run DCPROMO on the old servers to demote them to member servers before turning them off and disconnecting from the network.

To test to ensure you've gotten everything over to the new servers, before DCPROMO'ing the old ones, simply turn them off and see if any problems arise.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
The poster formerly known as lander215
 
Let's just say it's very good procedure to demote before removing. If you don't, you will have to clean up AD manually because you get replication errors and such from an unclean removal.

RoadKi11
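Added example (not part of any post in this thread): a PowerShell check that parses `netdom query fsmo` output and refuses to call a demotion safe while any of the five FSMO roles still sits on a server that is about to be retired. The server names and the sample output are constructed, the function names are hypothetical, and the check covers FSMO placement only, not GC, DNS or DHCP.

```powershell
# Added example: gate a DC demotion on FSMO role placement.
# Sample text is constructed; on a live domain use: $out = netdom query fsmo
$sample = @'
Schema master               OLDDC1.example.local
Domain naming master        OLDDC1.example.local
PDC                         NEWDC1.example.local
RID pool manager            NEWDC1.example.local
Infrastructure master       NEWDC1.example.local
The command completed successfully.
'@ -split "`r?`n"

function Get-FsmoHolder {
    param([string[]]$NetdomOutput)
    foreach ($line in $NetdomOutput) {
        # Role name and holder are separated by a run of two or more spaces;
        # the trailing status line has no such run and is skipped.
        if ($line -match '^(?<role>\S.*?)\s{2,}(?<holder>\S+)\s*$') {
            New-Object PSObject -Property @{
                Role   = $Matches['role']
                Holder = $Matches['holder']
            }
        }
    }
}

function Test-SafeToDemote {
    param([string[]]$NetdomOutput, [string[]]$RetiringDcs)
    $holders = @(Get-FsmoHolder $NetdomOutput)
    if ($holders.Count -ne 5) {
        throw "Expected 5 FSMO roles, parsed $($holders.Count); refusing to guess."
    }
    # -contains compares case-insensitively, which suits host names.
    $blocking = @($holders | Where-Object { $RetiringDcs -contains $_.Holder })
    foreach ($b in $blocking) {
        Write-Warning "$($b.Role) is still held by $($b.Holder)"
    }
    return ($blocking.Count -eq 0)
}

# Returns $true only when no role remains on a retiring DC.
Test-SafeToDemote $sample @('OLDDC1.example.local', 'OLDDC2.example.local')
```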
 
Makes sense...

Thanks for your help on this! It goes a long way to increasing my comfort level.
 
I've been searching through the site here to find a similar explanation to a problem I'm seeing. Sounds like this thread is pretty close to it!

According to the Windows 2003 documentation, the whole idea of primary/backup domain controllers went out the window with Win2K. But regardless of what Microsoft says, people keep using the terminology. According to Windows, the FSMO stuff means that domain controllers will act as coequals until one of them drops offline. Then, because replication was happening in the background, the surviving DC will take care of everything until the other one comes back up.

So, with all that background, here's the situation I'm looking at. We've got one computer called the domain controller and another called backup domain controller. Both are running 2003. When I go into Active Directory Users and Computers on the domain controller, I see both servers sitting there pretty as you please. I can then remote into either machine and check out the AD settings. Yup, they're identical. Yay!

However, when I turn off the primary domain controller, DHCP goes away and login authentication also goes bye-bye. I power the primary back on, everything goes back to normal.

So, are these separate settings that I need to configure to get the backup to take over when the primary goes away?

Sorry for the long and convoluted question. Thanks!
 
Making the 2nd DC a 2nd global catalog server should fix you up. The DHCP issue you can fix by making the 2nd DC a DHCP server and keeping the scope inactive and turning it on when you need to, or you can split the scope between the 2 DHCP servers so each server is supplying half the addresses and have both DHCP servers running at the same time.

Roadki11
 
Thanks for replying!

Ok. I checked the backup via the Active Directory Sites and Services console. In the NTDS settings I see that yes, global services has already been checked. So if I'm understanding things correctly, this means that the primary should be able to go offline and users could still authenticate off of the new one? But that's not happening. Hmm.

As for the second suggestion, splitting the DHCP range, that would mean that if a server goes down, only half of the remaining addresses could be served at any one time, correct? Also, with two DHCP servers running on the same subnet, wouldn't that cause things to go all wonky on us?
 
You really should have started a new thread.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
The poster formerly known as lander215
 
Sorry about that, Davetoo. I'd split it off but I don't have mod powers here.

I have a DNS link on the desktop. I am checking it and it shows info for the primary and secondary computers.
 
Anybody can start a new thread. It's no problem to tack on to a thread if it's about the same thing, but really, yours was a separate topic. The issue is if someone looks for the solution presented to your problem in this thread they may not find it because of the topic.

In DNS, do you see both DC's listed as DNS servers?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
The poster formerly known as lander215
 
Yes, I see both servers in DNS. The backup server did NOT have DHCP installed as an option, thus explaining in part why I don't have DHCP working when the primary is offline! I have installed the service but it is not running yet because I haven't yet configured it properly so as to not step on toes.

 
You'll need to go to the current DHCP and limit its scope to allow the second server to have some IP's to hand out. Don't let the scopes overrun.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
The poster formerly known as lander215
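Added example (not part of any post in this thread): one way to keep two DHCP servers from overrunning each other is to define the same scope on both and have each server exclude the range the other serves. The sketch below computes those complementary exclusion ranges and prints the matching `netsh dhcp ... add excluderange` commands; the server names, scope, pool and 80/20 split are constructed, and the function names are hypothetical.

```powershell
# Added example: complementary exclusion ranges for a two-server split scope.
# Scope, pool and server names are constructed placeholders.
function ConvertTo-Long([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                 # network order -> little endian
    [long][BitConverter]::ToUInt32($b, 0)
}
function ConvertTo-Ip([long]$Value) {
    $b = [BitConverter]::GetBytes([uint32]$Value)
    [Array]::Reverse($b)
    $b -join '.'
}
function Get-SplitScopePlan {
    param([string]$ScopeId, [string]$PoolStart, [string]$PoolEnd,
          [string]$ServerA, [string]$ServerB, [int]$PercentA = 50)
    $start = ConvertTo-Long $PoolStart
    $end   = ConvertTo-Long $PoolEnd
    if ($end -le $start) { throw 'PoolEnd must be above PoolStart' }
    if ($PercentA -lt 1 -or $PercentA -gt 99) { throw 'PercentA must be 1..99' }
    $total = $end - $start + 1
    # Share for server A, clamped so both servers keep at least one address.
    $sizeA = [long][math]::Floor([double]$total * $PercentA / 100)
    $sizeA = [math]::Max([long]1, [math]::Min($total - 1, $sizeA))
    $lastA = $start + $sizeA - 1
    $plan = @(
        @{ Server = $ServerA; From = $start;     To = $lastA; XFrom = $lastA + 1; XTo = $end },
        @{ Server = $ServerB; From = $lastA + 1; To = $end;   XFrom = $start;     XTo = $lastA }
    )
    foreach ($p in $plan) {
        $xFrom = ConvertTo-Ip $p.XFrom
        $xTo   = ConvertTo-Ip $p.XTo
        $fmt   = 'netsh dhcp server \\{0} scope {1} add excluderange {2} {3}'
        New-Object PSObject -Property @{
            Server  = $p.Server
            Serves  = '{0} - {1}' -f (ConvertTo-Ip $p.From), (ConvertTo-Ip $p.To)
            Command = $fmt -f $p.Server, $ScopeId, $xFrom, $xTo
        }
    }
}

# Each address in the pool is served by exactly one server.
Get-SplitScopePlan -ScopeId '192.168.10.0' -PoolStart '192.168.10.11' `
    -PoolEnd '192.168.10.210' -ServerA 'NEWDC1' -ServerB 'NEWDC2' -PercentA 80 |
    Format-List Server, Serves, Command
```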
 
I've been watching because this may pertain to me too...

Curious about the DHCP - if you split the scope between two servers won't that mean that if one server is down, some logons won't happen, i.e. some reservations won't be served up? Wouldn't it be better to export reservations from Server A running DHCP server and import to Server 2 which has DHCP server configured but disabled? Then just enable Server 2 DHCP when it needs to be?
 
Someone correct me if I'm wrong here, but I think you can set up both servers' DHCP to be exactly the same and activate both of them. The first one you activate will authorize and run; the 2nd one you activate will see the other and will not authorize. If the 1st DHCP server fails, the 2nd should see it's the only DHCP server and will then authorize. Never tried it, but it sounds good in theory.

RoadKi11
 