Changing PDC servers

Fran

I have added a BDC to our domain several weeks ago. Now we want to
promote this to PDC role and remove the old AD server. What do I need
to do to make sure this runs smoothly? I need to demote the existing
primary controller, I'm sure, but how do I make sure all the roles from
the primary controller make it to the now secondary controller?

-Fran-
 
Denis Wong @ Hong Kong

Hi Fran,

In AD domain (2000/2003) there is no PDC/BDC. All DCs are domain
controllers. So what are you asking for?

br,
Denis
 
Mike Shepperd

Hi Fran,

Assuming that we're talking about Windows 2000 and/or 2003 DC's, they don't
hold the traditional PDC and BDC roles as in NT 4.0, but your first server
will host all five Flexible Single Master Operations (FSMO) roles. As long
as the new DC and the existing DC are able to communicate with each other
and DNS is working properly (both dc's pointed to one of them is the most
likely scenario), then running dcpromo to demote the existing DC will not
succeed unless all of the FSMO roles are transferred successfully.

You will want to make the new DC a Global Catalog (GC) before performing the
demotion by clicking the checkbox in the properties of the new DC's NTDS
Settings object under AD Sites and Services.

Hope that covers the bases for you. If you have more questions, please be
clearer about the environment with your follow-up.

Thanks,


Mike Shepperd
 
Fran

Mike,

That's exactly what I needed to know. I remembered there were a few
things I had to check before demoting what was the primary DC (or
initial DC as things would have it.)

The new server has been attached for a week. They were both pointing
to the initial DC at first (the DNS server). Now I have the new DC
pointing to itself but the original DC points to ITSELF (can this be a
problem?) All the workstations use the new DC for DNS, storing
profiles, etc. The ONLY things I have the original DC doing (as far as
I know) is the FSMO roles and the global catalog.

Can I change the GC role while the server is in use (i.e. during
business hours while users are connected) or is this best done after
hours or low time usage? Also, how do I check the FSMO issue on the
new machine (or does MS verify this when I demote the old server?)

I'm going out of town this week and I want to make sure the new server
is responsible for EVERYTHING and I'd like to just turn the old one
off but I really need to make sure the new server is doing everything
it needs to do before I feel comfortable.

Thanks again, Mike!
 
Mike Shepperd

Fran,

The DC's pointing to themselves can create a situation where they're like
two separate islands. If the records become stale they could each
essentially lose track of the other and stop replicating. In a small
environment it is best if two DC's point to the same one for DNS. That
said, you could leave it like it is and may never have a problem with it,
just not a best practice.

As for the GC promotion, it's pretty simple and straightforward and can be
done during production hours, but I would hold off on making any significant
changes to your AD while the promotion is happening. Once you check the box
to make the new server a GC, it will write an event log entry (I'm thinking
1119, but I might be off by a number or two) that basically says it has to
wait for five minutes to secure the directory. Once it's done with the
promotion it'll log an 1120 (again, the number might be reversed or off by
one or two).

You can check to see who holds the FSMO roles by running the following
command on any DC: "netdom query fsmo". It will show all five roles and who
holds them. To transfer the roles, you can follow this Microsoft KB
article:
Windows 2000: http://support.microsoft.com/kb/255690/EN-US/
Windows 2003: http://support.microsoft.com/kb/324801/EN-US/

Or, if you really want to demote the existing server, running DCPROMO to
demote it will initiate the transfer of each FSMO role to any available DC.
I would caution you about running a domain with only one DC. It leaves you
with no form of online backup for your AD and provides no redundancy for
authentication of users if your DC fails. Worst case, if the old DC is in
bad shape, rebuild it from scratch, give it a new name and then promote it
back into the domain as a new DC.

Let the new one do all the work, but have some kind of backup online.
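
One way to script the "netdom query fsmo" check described above, as an added example that is not part of the original thread: it parses the command's output and lists any role not yet held by the DC that will remain. The host names and sample output are constructed, and the role labels assume the wording netdom prints (older "owner" and newer "master" variants).

```powershell
# Added example: confirm every FSMO role sits on the DC that will remain.
# Host names and $sample are constructed; on a DC use: $out = netdom query fsmo

# netdom prints one "<label>  <holder>" line per role. Older Support Tools
# builds label them "owner"/"role", newer builds "master"; accept both.
$FsmoPatterns = [ordered]@{
    Schema         = '^\s*Schema (?:owner|master)\s+(\S+)\s*$'
    DomainNaming   = '^\s*Domain (?:role owner|naming master)\s+(\S+)\s*$'
    PDC            = '^\s*PDC(?: role)?\s+(\S+)\s*$'
    RID            = '^\s*RID pool manager\s+(\S+)\s*$'
    Infrastructure = '^\s*Infrastructure (?:owner|master)\s+(\S+)\s*$'
}

function Test-FsmoOnRemainingDc {
    param([string[]]$NetdomOutput, [string]$RemainingDc)
    $problems = @(foreach ($role in $FsmoPatterns.Keys) {
        $holder = $null
        foreach ($line in $NetdomOutput) {
            if ($line -match $FsmoPatterns[$role]) { $holder = $Matches[1]; break }
        }
        if (-not $holder) {
            "${role}: no holder found in output"    # missing line = unknown state
        } elseif ($holder -ne $RemainingDc) {       # -ne ignores case
            "${role}: still held by $holder"
        }
    })
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: two roles are still on the old DC.
$sample = @(
    'Schema owner                old-dc.example.test'
    'Domain role owner           old-dc.example.test'
    'PDC role                    new-dc.example.test'
    'RID pool manager            new-dc.example.test'
    'Infrastructure owner        new-dc.example.test'
    'The command completed successfully.'
)

$result = Test-FsmoOnRemainingDc -NetdomOutput $sample -RemainingDc 'new-dc.example.test'
$result.Problems
if (-not $result.Ready) {
    Write-Warning 'Roles remain on another DC; transfer them before demoting or switching it off.'
}
```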
 
Fran

Good advice. Thanks, Mike. I'll do that to our DC and rebuild the old
one as a backup.

I'll do the GC change tonight. Will that essentially change where
users get authenticated first?
 
Mike Shepperd

Not until you've demoted the original DC... The Global Catalog role doesn't
actually do the authentication but rather the Directory Service, so any DC
can authenticate users and in a small environment I think it usually ends up
being the first one to respond to the request... Haven't looked at a network
trace of a logon attempt in a long time so it's pretty foggy in my head the
exact process...
 
Jorge_de_Almeida_Pinto

> I have added a BDC to our domain several weeks ago. Now we want to
> promote this to PDC role and remove the old AD server. What do I need
> to do to make sure this runs smoothly? I need to demote the existing
> primary controller, I'm sure, but how do I make sure all the roles from
> the primary controller make it to the now secondary controller?
>
> -Fran-

Presuming the following:

The old PDC is an AD DC (2000 or 2003) (not NT4!)
The new BDC as you say is also an AD DC (2000 or 2003) (not NT4!)
The old PDC is still available on the network

Transfer the PDC FSMO role (and maybe even other FSMO roles) to the
new AD DC with NTDSUTIL
(http://support.microsoft.com/default.aspx?scid=kb;en-us;324801 and/or
http://www.petri.co.il/transferring_fsmo_roles.htm and/or
http://support.microsoft.com/kb/255504)

If the old PDC FSMO is not available anymore, seize the FSMO roles
(http://www.petri.co.il/seizing_fsmo_roles.htm and/or
http://support.microsoft.com/kb/255504)

I’m not sure if it is needed but don’t forget to make the new DC a GC

Cheers,
 
