Taking over Operations Master / DC roles

Sonny

Hello,

I am a new network admin to a company. I did not get to set up the domain
here, so I don't have 100% of the background knowledge that makes jobs like
this one easy.

What I was asked to do is to set up a machine to replicate data to for a
'backup' per se... I did this months ago; the machine is a server, online,
replicating AD, and we are manually replicating some info using Robocopy... I
was asked to plan out and configure this backup as my production DC.

My boss suggested that he wanted it to be fast and complete, without too
much work. His plan was to down the current DC, start up the other DC and
rename it to that of the old DC, statically setting the name, IPs, DNS and
DHCP of the other box.

In my mind I would never migrate the Operations Master this way.

I was wondering if anyone had some writeups on changing from one DC / logon
server to another.

All that is really run on this box is AD, users' roaming profiles, one
mapped install directory, and a time server.

I was going to change the role of the Operations Master to that of the other
DC while both servers were live... I was also going to swap over the RID and PDC
roles.

Thanks for any input!
 
Guest

Assuming that your AD infrastructure was set up with the basic (default)
parameters, and that the new DC will be located in the same AD site as the
present one, the easiest and safest way is (brief overview):

- add the new DC (DC02) to the AD domain
- allow AD replication to complete
- seize the FSMO roles (from the old DC to DC02)
- decommission the old DC (recommended to keep as 'backup')

Unless there is a dependency on computer names, in this case the old DC (say
DC01), there is no real need to reuse the name. You can use the old IP
address though, as the DNS client on DC02 will update DNS to reflect this change
(and other AD attributes such as SRV records). Remember to point DNS to
itself in the IP settings, if it is the DNS server as well.

Do let us know if this helps.
 
Herb Martin

Sonny said:
> Hello,
>
> I am a new network admin to a company. I did not get to set up the domain
> here, so I don't have 100% of the background knowledge that makes jobs like
> this one easy.
>
> What I was asked to do is to set up a machine to replicate data to for a
> 'backup' per se... I did this months ago; the machine is a server, online,
> replicating AD, and we are manually replicating some info using Robocopy... I
> was asked to plan out and configure this backup as my production DC.

Read what Desmond wrote also.

> My boss suggested that he wanted it to be fast and complete, without too
> much work. His plan was to down the current DC, start up the other DC and
> rename it to that of the old DC, statically setting the name, IPs, DNS and
> DHCP of the other box.

That is not (usually) a realistic strategy and fights the
way that AD actually works.

For instance, it is non-trivial (and most times impossible)
to rename a DC.

The fact that you have TWO DCs IS A BACKUP. They
should both be treated as NEARLY equal.

All DCs are equal, some are more equal than others....

> In my mind I would never migrate the Operations Master this way.
> I was wondering if anyone had some writeups on changing from one DC / logon
> server to another.

Don't even think of it this way.

What you might need to do however is SEIZE the
Operations Master roles if the other DC cannot be
returned to the network expeditiously.

Once you SEIZE roles however you CANNOT (must
not) return the original role holder to the network for
longer than it takes to DCPromo it to a non-DC.

The goal is to always TRANSFER the roles when
working on a DC which holds them -- this solves all
but the unexpected catastrophic crash (i.e., hard drive
stops spinning.)

> All that is really run on this box is AD, users' roaming profiles, one
> mapped install directory, and a time server.

What about DNS? Probably should be included and
the other DC should run it as well (both AD integrated
and both set in every CLIENT NIC->IP properties.)

Same for GC. (Sites and Services)

There is no reason the second DC cannot do ALL of
that with the exception of the Single Master Roles.

In a true emergency you seize those roles -- and keep
on working.

If you have to seize any roles -- you perform a DCPromo
cycle (i.e., DCPromo to non-DC then back to new DC)
on the repaired machine when it works again.

> I was going to change the role of the Operations Master to that of the other
> DC while both servers were live... I was also going to swap over the RID and PDC
> roles.

That is the right way to TRANSFER roles BEFORE
you do something to the role holder (if you can.)

Remember that every domain has 3 single master roles,
and the forest (usually the first domain's first DC) has
2 more of these for the whole forest.

Forest wide:
Schema and Domain Naming Masters

Domain specific:
PDC Emulator, RID and Infrastructure Masters
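The transfer-versus-seize distinction above, as an added PowerShell example that is not part of the thread and not Herb's or Desmond's own procedure. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later; in the thread's era the same steps were done with ntdsutil) and the placeholder names DC01 (current role holder) and DC02 (the new DC). The replication check, the role names and the GC step are the five roles and the advice the post lists; nothing else is implied about Sonny's domain.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# placeholder DC names DC01 (current holder) and DC02 (new DC).
Import-Module ActiveDirectory

$NewDc    = 'DC02'
$AllRoles = 'SchemaMaster', 'DomainNamingMaster',
            'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    # The five roles: three per domain, two per forest.
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

# 1. Never move roles onto a DC that has not finished replicating.
$failing = Get-ADReplicationPartnerMetadata -Target $NewDc -Scope Server |
    Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or
                   $null -eq $_.LastReplicationSuccess }
if ($failing) {
    $failing | Format-Table Partner, LastReplicationResult, ConsecutiveReplicationFailures
    throw "$NewDc has replication problems; fix them before moving roles."
}

"Before:"; Get-FsmoHolders

# 2. TRANSFER: both DCs online, the current holder hands the roles over
#    cleanly. This is the step to do BEFORE touching or retiring DC01.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole $AllRoles -Confirm:$false

# 3. SEIZE: only when DC01 is dead and will not return. Same cmdlet with
#    -Force. After a seizure DC01 must never rejoin as a DC: clean out its
#    metadata (ntdsutil "metadata cleanup") and re-promote it if needed.
# Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
#     -OperationMasterRole $AllRoles -Force -Confirm:$false

"After:"; Get-FsmoHolders
netdom query fsmo        # second opinion from the older tool

# 4. Any DC can service logons without holding a role, but in native mode a
#    GC must be reachable, so make DC02 a GC as well (options bit 1 on its
#    NTDS Settings object; this is what the Sites and Services checkbox sets).
$ntds = (Get-ADDomainController -Identity $NewDc).NTDSSettingsObjectDN
Set-ADObject -Identity $ntds -Replace @{ options = 1 }
```

Run it from DC02 as an Enterprise Admin (the schema and domain naming moves need that). The transfer and the seize use the same cmdlet; the only difference is `-Force`, which is exactly why the post warns about bringing the old holder back afterwards: a seized holder that returns still believes it owns the role.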
 
Sonny

Thanks for the help Desmo,


"> The fact that you have TWO DCs IS A BACKUP. They
should both be treated as NEARLY equal."

What do you mean? I just installed the OS on one machine 3 days ago... it
doesn't have updated tables for DNS, no DHCP is being served, AD is
installed and replicated, but no user profiles or install directories are
loaded / active. The second DC IS GOING TO BE the backup... thus the
reasoning for the post!


"> There is no reason the second DC cannot do ALL of
that with the exception of the Single Master Roles."

I wouldn't understand how the second DC can take the role of the logon server
without being Operations Master... how can I 'force' my users to log on to
the secondary DC (dc02) if the original DC is still up and running?

Anyway... my gameplan is to get the server updated and all info copied...
get the DNS set up and all my other odds and ends to the point that they are
almost identical. I will need to copy all user profiles to DC2 on the night
of the migration so that all roaming profiles are updated on the new server.

Should I assume the old DC1's IP address on the new machine and allow DNS to
make the name changes accordingly? My old DC1 is a DNS server and a WINS
server... so all clients have its address as the primary DNS server as well
as the WINS server... to avoid changing those via GP or DHCP, could I simply
assume the IP on the new DC2 and allow DNS to take care of name resolution?

So I can simply change the FSMO roles to DC2 while DC1 is up and then shut
down DC1. Should I dcpromo DC1 so that the network knows it's out of
the picture? After all that is when I should probably make my IP changes.
Any insight?

I do appreciate the help!
 
Herb Martin

Sonny said:
> Thanks for the help Desmo,
>
> "> The fact that you have TWO DCs IS A BACKUP. They
>
> What do you mean? I just installed the OS on one machine 3 days ago... it
> doesn't have updated tables for DNS, no DHCP is being served, AD is
> installed and replicated, but no user profiles or install directories are
> loaded / active. The second DC IS GOING TO BE the backup... thus the
> reasoning for the post!

I suggested you replicate the DNS service and zones
as well.

Neither DHCP nor User Profiles are a "DC" function
and although I agree you should make arrangements
you indicated "just a DC."

As a DC it is fully backed up by replication, but I
would personally consider DNS needs to be part
of that.

There is no perfect DHCP backup method except
perhaps for clustering with shared disk space so
best (IF you have enough IP addresses) is to just
put up two DHCP servers with different available
ranges (on the DC.)

Remember that in DHCP you should OVERLAP the
ranges, and use exclusions to avoid distributing
duplicate IPs, rather than completely separate the
scopes (as many of us were taught years ago.)

This avoids one DHCP NAKing addresses of the other.

Profile storage is a File Server function, but the
profiles are backed up on the workstations through
locally cached profiles (don't let this stop you from
making another copy.)

> "> There is no reason the second DC cannot do ALL of
>
> I wouldn't understand how the second DC can take the role of the logon server
> without being Operations Master... how can I 'force' my users to log on to
> the secondary DC (dc02) if the original DC is still up and running?

ANY DC can log on a user or computer -- this is
what DCs do -- even BDCs.

In Native Mode+, it requires a GC but you can have
as many of those as you wish and with one domain
or small forests it is common to make ALL DCs into
GCs.

> Anyway... my gameplan is to get the server updated and all info copied...
> get the DNS set up and all my other odds and ends to the point that they are
> almost identical. I will need to copy all user profiles to DC2 on the night
> of the migration so that all roaming profiles are updated on the new
> server.

Are you migrating?

I thought you were testing disaster recovery?

> Should I assume the old DC1's IP address on the new machine and allow DNS to
> make the name changes accordingly? My old DC1 is a DNS server and a WINS

No. You will probably screw up more than it will help.

> server... so all clients have its address as the primary DNS server as
> well

Clients don't understand the concept of "Primary" DNS
server.

They should all have one of the DNS servers as PREFERRED
and the other as SECONDARY.

If one goes down they will use the other.

> as the WINS server... to avoid changing those via GP or DHCP, could I simply
> assume the IP on the new DC2 and allow DNS to take care of name
> resolution?

Same for WINS -- give all the clients both WINS server addresses.

> So I can simply change the FSMO roles to DC2 while DC1 is up and then shut
> down DC1. Should I dcpromo DC1 so that the network knows it's out of
> the picture? After all that is when I should probably make my IP changes.

IF DC1 is not expected to return you should DCPromo
it to a non-DC.

(Again, I thought you were testing disaster recovery.)

If you REALLY want to migrate there are better/easier
ways perhaps.

My favorite (for Win2000) is to do a backup/restore
on the new hardware, followed by a Repair Install from
the OS CDROM to fix hardware differences.

> Any insight?
>
> I do appreciate the help!
 
Sonny

Thank you Herb...

Bear with me:

How do you suggest I replicate DNS? By merely setting up DNS and pushing
down the existing tables?

DHCP and user profiles are on this box... this is my main 'file server'...
my other DCs include a backup (that I recently reformatted to create DC2,
the new fileserver, NOT for failover) and my Exchange box.

I run DHCP on my current DC as well as on my SUS server. I do run two
completely different ranges; why should I overlap? Or are you suggesting the
overlap + exclusion if two DHCP ranges are on the same box?

I have my Exchange box and my file server (DC1) as my current GCs... I can
just make this the case for my new box to allow logons?!

The box I'm using now for my NEW fileserver WAS the old failover... the
other admin made the failover (didn't work) and I was asked to format and
make that server the new fileserver. Sorry for the confusion!!!!!

My clients are set up with a preferred DNS and 3 alternates... however, the
preferred is my DC1, the 2 alternates are my 2 other IPs on that same
fileserver, DC1, as well as the fourth alternate being a ghosted IP on my
fileserver. So in essence I only have ONE DNS server. So I want to run a
DNS server on another one of my DCs after I get the file server up and
running.... this is why I want to ensure that I properly migrate the DC1
DNS, because it's the only source for DNS in the network (I didn't set it up
this way, the old admin did, I don't exactly know why).

DC1 will not return to the mix...

---------------

So I am migrating to a new server.

You are suggesting that I should jump on DC1 and do a full backup w/ system
state? ... take that .bkf file, plop it on the new box (to be DC2) and
restore it... then reboot into the Win 2K Server CD and do a repair? Can I
restore over the current OS with the DC1 .bkf file? I couldn't imagine that
would work.

Herb, thanks a bunch for the replies!
 
Herb Martin

Sonny said:
> Thank you Herb...
>
> Bear with me:
>
> How do you suggest I replicate DNS? By merely setting up DNS and pushing
> down the existing tables?

(It's really a pull <grin>).

Yes. You make the second DNS server a "secondary"
for any zones you hold on the first.

If the second DNS server is a DC, you can even make
it (and the Primary) into "Active Directory Integrated"
DNS servers and they can both accept dynamic changes
and replicate to each other.

> DHCP and user profiles are on this box... this is my main 'file server'....
> my other DCs include a backup (that I recently reformatted to create DC2,
> the new fileserver, NOT for failover) and my Exchange box.

DHCP is no big deal if you have enough addresses;
just put it on both boxes and exclude half of the addresses
on each.

You can replicate the profiles with backup or nightly
copies (e.g., RoboCopy) or, with enough bandwidth, by
using DFS and automatic replication. (Be careful on
this last.)

> I run DHCP on my current DC as well as on my SUS server. I do run two
> completely different ranges; why should I overlap? Or are you suggesting the
> overlap + exclusion if two DHCP ranges are on the same box?

No, "same box" is not an issue.

You should overlap -- use the SAME pool of addresses --
on different DHCP servers whenever they service the same
subnet.

There is a poorly understood (by most admins) problem if you
don't do this. #1 will NAK renewals for #2 and vice versa
if you failed to do this.

And it is no real trouble once you know about it:
Same scope on each; exclude different portions of the
addresses on each to make the ACTUAL distribution
different.

> I have my Exchange box and my file server (DC1) as my current GCs... I can
> just make this the case for my new box to allow logons?!

Well, now you have introduced trying to make additional
services fault tolerant.

With only a few DCs, all DCs should be GCs. (There is
no reason not to do so when you only have one domain.)

Exchange can be really made fault tolerant through clustering.

> The box I'm using now for my NEW fileserver WAS the old failover... the
> other admin made the failover (didn't work) and I was asked to format and
> make that server the new fileserver. Sorry for the confusion!!!!!

It just makes it hard to give specific recommendations
when the requirements change.

> My clients are set up with a preferred DNS and 3 alternates... however, the
> preferred is my DC1, the 2 alternates are my 2 other IPs on that same
> fileserver, DC1,

Worthless -- and even counterproductive since the
clients may just take longer to fail and try other
methods when this is down.

There is no value to giving the SAME server under
multiple addresses since if it is down, all are down.

> as well as the fourth alternate being a ghosted IP on my
> fileserver. So in essence I only have ONE DNS server.

Then the clients only need -- and SHOULD ONLY have
one entry.

When you add the 2nd (real) DNS server, you should add
it as the alternate (or add it as preferred on half of your
clients.)

> So I want to run a
> DNS server on another one of my DCs after I get the file server up and
> running.... this is why I want to ensure that I properly migrate the DC1
> DNS, because it's the only source for DNS in the network (I didn't set it up
> this way, the old admin did, I don't exactly know why)

It is probably a good idea for all DCs to be DNS servers
when you have only a few DCs.
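The two fault-tolerance points Herb makes in this reply (a second real DNS server that replicates the zone, and the same DHCP scope on both servers with complementary exclusions instead of two disjoint ranges), as an added PowerShell example that is not part of the thread and not Herb's own configuration. It assumes the DnsServer and DhcpServer modules (Windows Server 2012 or later; the thread's era did this in the DNS and DHCP MMC snap-ins) and the placeholders DC01 = 192.168.10.5, DC02 = 192.168.10.6, zone corp.example and client subnet 192.168.10.0/24.

```powershell
# Added example, not from the thread. Placeholder names and addresses:
# DC01 = 192.168.10.5, DC02 = 192.168.10.6, zone corp.example, subnet
# 192.168.10.0/24. Run from a box with the DnsServer and DhcpServer modules.
Import-Module DnsServer, DhcpServer

$Zone = 'corp.example'
$Dc01 = '192.168.10.5'
$Dc02 = '192.168.10.6'

# --- DNS: a second real server, not a second address on the same server ---
# Both servers are DCs, so store the zone in AD: it then replicates with AD
# and both DCs accept secure dynamic updates (no zone transfer needed).
ConvertTo-DnsServerPrimaryZone -ComputerName 'DC01' -Name $Zone `
    -ReplicationScope Domain -Force
Set-DnsServerPrimaryZone -ComputerName 'DC01' -Name $Zone -DynamicUpdate Secure

# If DC02 were NOT a DC, the classic alternative is a plain secondary that
# pulls the zone from DC01 (DC01 must allow the transfer):
# Set-DnsServerPrimaryZone -ComputerName 'DC01' -Name $Zone `
#     -SecureSecondaries TransferToSecureServers -SecondaryServers $Dc02
# Add-DnsServerSecondaryZone -ComputerName 'DC02' -Name $Zone `
#     -ZoneFile "$Zone.dns" -MasterServers $Dc01

# --- DHCP: same scope on both servers, complementary exclusions -----------
$ScopeId = '192.168.10.0'
foreach ($srv in 'DC01', 'DC02') {
    # Identical scope and identical FULL range on both servers, so a renewal
    # that reaches either server is for an address inside a scope it owns and
    # gets an ACK rather than a NAK ...
    Add-DhcpServerv4Scope -ComputerName $srv -Name 'Clients' `
        -StartRange 192.168.10.100 -EndRange 192.168.10.199 `
        -SubnetMask 255.255.255.0 -State Active
    # ... and every client learns BOTH DNS servers (preferred + alternate)
    # from the lease, so nothing has to be edited per machine or per GPO.
    Set-DhcpServerv4OptionValue -ComputerName $srv -ScopeId $ScopeId `
        -Router 192.168.10.1 -DnsServer $Dc01, $Dc02
}
# Each server is excluded from handing out the other's half, so the two can
# never lease the same address even though the scopes overlap.
Add-DhcpServerv4ExclusionRange -ComputerName 'DC01' -ScopeId $ScopeId `
    -StartRange 192.168.10.150 -EndRange 192.168.10.199
Add-DhcpServerv4ExclusionRange -ComputerName 'DC02' -ScopeId $ScopeId `
    -StartRange 192.168.10.100 -EndRange 192.168.10.149

# Check: both servers report the same full range; only the exclusions differ.
foreach ($srv in 'DC01', 'DC02') {
    Get-DhcpServerv4Scope -ComputerName $srv -ScopeId $ScopeId |
        Select-Object @{ n = 'Server'; e = { $srv } }, StartRange, EndRange
    Get-DhcpServerv4ExclusionRange -ComputerName $srv -ScopeId $ScopeId |
        Select-Object @{ n = 'Server'; e = { $srv } }, StartRange, EndRange
}
```

The split here is 50/50 because the thread only has two servers and enough addresses; the same pattern works for any split as long as the scope boundaries on both servers are identical and only the exclusion ranges differ. Two disjoint scopes, as Sonny has now, reproduce exactly the NAK problem Herb describes: a client renewing an address from the other server's range is told by the first server that the address is invalid.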
 
