Swapping Out Domain Controllers

Alan Coleman

I have a domain with 2 (and only 2) active domain controllers, both of which
I am about to swap out. I need some guidance in the best way to do this
with the least disruption on my network.

The first domain controller is SJV-DC-1, and in addition to being an Active
Directory domain controller:

It is the primary DNS server
It is the DHCP server
It is the RADIUS server

The second domain controller is SJV-DC-2, and in addition to being an Active
Directory domain controller:

It is the global catalog
It is the secondary DNS server

I need to transfer all of these roles and functions over to the two new
servers in the exact same division. I'm wondering what the best course of
action is or if there is anything I should definitely do first (or pitfalls
I should avoid). I already know the basic steps of adding and removing
active directory services and promoting/demoting controllers.

Some of my concerns are: since I'm replacing both DNS servers, will my two
new servers have to end up with the same IP addresses as the old servers, to
avoid having to change a lot of records around? Do the new domain
controllers have to be named the same as the old ones? (I'd like them to be,
but it's not something that has to happen.)

Right now, my thinking is that I install DNS services on one of the new
servers, and work on that until I have successfully made the new server the
DNS primary for all domains AND switched it to the correct IP address
(changing the old server's IP in the process). Then I bring the first
server up as a domain controller and then switch over DHCP/RADIUS to the
first new server. Then I bring up the second new server, install DNS and
make it a secondary AND switch its IP to the correct IP (changing the old
server's IP in the process), then bring it up as a domain controller and make
it a global catalog. Then, after doing all of that, demote the two older
servers one at a time, and then remove them from the domain entirely.

Does this sound correct?
 
Guest

Since you are not constrained to use the same names for the new DCs, the
easiest approach is as follows, briefly:

1. Convert existing DNS servers to Active Directory integrated.
2. Add a new server (DC03) with a new IP; point DNS to itself.
3. Run dcpromo on DC03, allowing DNS to be installed (as AD-integrated).
4. Make DC03 a "Global Catalog". Confirm that DC03 is a functional DC in the
domain (check Event Viewer, SYSVOL, etc.).
5. Transfer FSMO roles from DC01 to DC03. Check Event Viewer to confirm.
6. Install and configure DHCP and/or RADIUS services.
7. Repeat #2 to #4 (and #6 if needed) for DC04 (the other new server).

There is also no need to have the new Servers take on the same IP as the old
(to be removed) Servers, as DNS records would be correctly registered for
clients to locate network services in the AD domain.

If the 2 Servers reside in the same AD domain, making them both GC is
recommended.

Once you are confident that everything functions to your expectations, you
can run dcpromo on the old Servers one by one to remove them from the AD
domain.

Do let us know if this helps.
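The steps above, as an added PowerShell example that is not part of the thread or of any poster's own instructions. It assumes a current Windows Server (2012 or later, where Install-ADDSDomainController replaces dcpromo) with the ADDSDeployment, ActiveDirectory, DhcpServer and NPS modules, and the domain name, host names and paths used below are assumptions for illustration:

```powershell
# Added example (not from the thread): the Guest's steps 2-7 on a current
# Windows Server. Domain name, host names, site name and paths are assumptions.
$Domain = 'sjv.example.local'        # assumed AD domain
$NewDC  = 'SJV-DC-3'                 # assumed new DC (the Guest's DC03)
$OldDC  = 'SJV-DC-1'                 # assumed old FSMO/DHCP/RADIUS holder (DC01)
$Cred   = Get-Credential "$Domain\Administrator"

# Steps 2-4 (run on the new server): install the AD DS and DNS binaries and
# promote it as an additional DC. DNS is installed AD-integrated and the new DC
# is a Global Catalog by default (pass -NoGlobalCatalog to change that).
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -Credential $Cred `
    -InstallDns -SiteName 'Default-First-Site-Name' `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -Force                         # reboots when the promotion completes

# Step 4 check, after the reboot: does the new DC advertise, replicate and
# hold a GC? dcdiag prints nothing on a clean run with /q.
Get-ADDomainController -Identity $NewDC | Select-Object HostName, IsGlobalCatalog, Site
dcdiag /s:$NewDC /q
repadmin /showrepl $NewDC          # inbound replication status per partition
Get-WinEvent -LogName 'Directory Service' -MaxEvents 20 |
    Where-Object Level -le 3 |     # critical, error and warning only
    Format-List TimeCreated, Id, Message

# Step 5: move all five FSMO roles to the new DC and read them back.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Step 6: move DHCP and RADIUS (NPS). Exports run on the old server, imports on
# the new one after C:\migrate has been copied across.
Export-DhcpServer -ComputerName $OldDC -File C:\migrate\dhcp.xml -Leases
Export-NpsConfiguration -Path C:\migrate\nps.xml          # run locally on the old NPS host
Install-WindowsFeature -Name DHCP, NPAS -IncludeManagementTools   # on the new server
Import-DhcpServer -File C:\migrate\dhcp.xml -BackupPath C:\migrate\dhcp-backup -Leases
Import-NpsConfiguration -Path C:\migrate\nps.xml
Add-DhcpServerInDC -DnsName "$NewDC.$Domain"             # authorise the new DHCP server in AD
# Caveat: nps.xml contains every RADIUS shared secret in clear text. Remove the
# export files as soon as the import has been verified.
Remove-Item C:\migrate\*.xml -Force

# Step 7 is steps 2-4 again on the second new server. Only after both new DCs
# are healthy, demote the old ones one at a time. -DemoteOperationMasterRole is
# a safety net in case a role was missed in step 5.
Uninstall-ADDSDomainController -Credential $Cred -DemoteOperationMasterRole `
    -LocalAdministratorPassword (Read-Host 'Local admin password' -AsSecureString) -Force
```

The verification commands after the promotion are the part worth keeping: a DC that is not yet advertising (dcdiag's Advertising test) or not replicating SYSVOL will take FSMO roles happily and then fail clients, so check before moving the roles, not after.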
 
Alan Coleman

I have a couple of questions.

1) My DNS servers have more than just domain information for the Active
Directory domain. They have domain information for 2 other Active Directory
domains (1 child and one separate domain in the same forest) and then 8
other domains that are just regular DNS domains. Do I make ALL of these
domains Active Directory integrated? Also, there is a 3rd DNS server that is
not a domain controller... do I need to promote it so that I can enable
Active Directory integration for all of them? (I've actually been meaning to
promote that server anyway, so it would actually be a good thing.)

2) Just out of pure (and perhaps morbid) curiosity. If I did want the new
servers to keep the same name and IP address as the old servers what would I
have to do (or is it too much to even conceive?). I am actually genuinely
interested in keeping at least the IP addresses because I have other devices
that point to these servers and I'd rather not have to change all of them
(but then again it may not be worth it to try and keep them depending on
what I would have to do). I would just like to know what my options are.

3) What is the name of the tool that allows me to change roles from one
server to another... I always forget the name... once I have it I will know
how to use it. I just forgot the actual name.

Thanks
 
Guest

Answers in order posted. Hope they are helpful.

1. Making DNS AD-integrated is for convenience and added security. However,
DNS must reside on a Win 200x DC in the same AD domain to enable this feature.

Having said that, different DNS zone types can be simultaneously hosted on a
Win 200x DNS Server - AD-integrated, primary, secondary.

2. changing DC name is not recommended, although netdom (from W2k3 Support
Tools) does facilitate this.

For the IP address, it is a simple matter of changing it in NIC > Properties >
Internet Protocol (TCP/IP). Run "net stop netlogon" and "net start netlogon"
to allow the new IP info to be correctly registered in DNS, though.

3. Active Directory Users & Computers (ADUC) > highlight AD domain >
Properties > RID / PDC / Infrastructure FSMO roles can be transferred.
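Answers 1 and 2 above (converting zones to AD-integrated, and re-addressing a DC so that its records re-register), as an added PowerShell example that is not part of the thread. It assumes a Windows Server with the DnsServer, NetTCPIP, DnsClient and DhcpServer modules; the zone names, interface alias, addresses and the third DNS server's name are assumptions. It also goes slightly beyond the reply: the forest-wide replication scope, which lets zones for other forest domains and for plain DNS domains be AD-integrated on any DNS-enabled DC in the forest, exists from Windows Server 2003 onward, so the example assumes a forest at least at that level.

```powershell
# Added example (not from the thread). Zone names, NIC alias, IPs and the
# non-DC DNS server's name are assumptions for illustration.
$Domain = 'sjv.example.local'

# 1. Which zones can be converted? Only standard primary zones; a secondary
#    copy on a DC simply becomes redundant once the primary is AD-integrated.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsReverseLookupZone

# The DC's own domain zone replicates to DCs in this domain. Zones for the
# child/other forest domain and the plain DNS domains go in the forest-wide
# partition (assumption: forest is Server 2003 or later).
ConvertTo-DnsServerPrimaryZone -Name $Domain -ReplicationScope Domain -Force
foreach ($zone in 'example.com', 'example.net') {      # constructed sample zone names
    ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest -Force
}
# A DNS server that is not a DC cannot hold AD-integrated zones. Until it is
# promoted it keeps standard secondaries pulled from the new DC, e.g. on the
# assumed host SJV-DNS-3:
#   Add-DnsServerSecondaryZone -Name $Domain -ZoneFile "$Domain.dns" -MasterServers 10.10.0.10

# 2. Re-addressing a DC: set the new IP, point its own resolver at itself and
#    then at its partner, restart Netlogon so the SRV and A records are
#    re-registered, and read the records back from the server itself.
$Nic   = 'Ethernet'
$NewIP = '10.10.0.10'            # address to take over; the old DC must have released it first
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $NewIP -PrefixLength 24 -DefaultGateway '10.10.0.1'
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $NewIP, '10.10.0.11'
Restart-Service -Name Netlogon   # same effect as "net stop netlogon" / "net start netlogon"
Register-DnsClient               # re-registers the host's own A record
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $NewIP |
    Where-Object QueryType -eq 'A' | Select-Object Name, IPAddress

# 3. Anything still pointing at an old address breaks the moment that DC is
#    demoted. Clients get DNS servers from DHCP option 6...
Set-DhcpServerv4OptionValue -DnsServer $NewIP, '10.10.0.11' -Force
# ...and DNS itself may still hold the old address on records Netlogon does
#    not own. List them so they can be fixed or deleted before the demotion.
$OldIP = '10.10.0.5'             # assumed address of the DC being retired
Get-DnsServerResourceRecord -ZoneName $Domain -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $OldIP } |
    Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
```

Part 3 is the check that answers the original poster's worry about other devices: every static resolver setting on printers, switches and appliances that was hand-typed with the old address has to be found the same way, since nothing re-registers those for you.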
 
