Re: How will changing office IP Range impact on Active Directory????

From: Dana Brash (dbrash_at_gmail.com)
Date: 10/21/04


Date: Thu, 21 Oct 2004 12:34:02 +0800

WHY? is a really good question.

Actually just went through this recently. Needed to add an ISA server into
an existing environment with the corporate stipulation that the internal IP
of the most external FW not change. In other words, bad planning....

I embarked on this project, spent about 3 days in the lab before being
pulled off to other projects, and here are my notes (and they are notes). I
got damn close, but I WAS NOT 100% successful. (my only remaining error was
the BITS error. Seemed harmless, but still flagged red...)

To my knowledge this has not been implemented onsite to date. Note also
that my Exchange test environment started as a base install, but was not a
functioning environment, so I didn't have a reliable way to test through any
issues there.

I provide these notes NOT as a PROCESS DOCUMENT, but only so that you may
learn from it. Please check it out and make any changes that you think are
appropriate, but don't follow exactly....

Enough disclaimer? How 'bout: Don't blame me when this doesn't work...

;-)

Do Until Problems = 0
    research, plan, test
loop

NOTE: the Event Descriptions are copied from EventID.net...

-- 
HTH,
=d=
Dana Brash
MCSE, MCDBA, MCSA
dbrash@gmail.com
Change IP Testing
Document Purpose:
Develop a process by which we can change the Subnet configuration of an 
existing domain with attention to maintaining the function of network 
services.  These services include DNS, DHCP, AD, Exchange and Veritas.
Steps:
1. Change Gateway IP address (In our Case ISA Server)
   a. Changed IP and DNS to use 172.16.1.0/24 subnet
   b. In ISA Server, Changed Internal Network Subnet configuration from
      172.16.0.x/24 → 172.16.1.x/24
   c. Reset ISA Services
DC
2. Change the IP Information
   a. Changed IP and DNS to use 172.16.1.0/24 subnet
3. DNS
   a. Change the Reverse Lookup Zone IP Info (delete and re-create)
   b. Changed the Host (A) Records, made sure that the PTR records got
      created
   c. Walk through the entire Forward lookup zone and confirm the correct
      subnet.
      i.   gc._msdcs.lab.local
      ii.  Domain.DnsZones.Lab.Local
      iii. Forest.DnsZones.lab.local
   d. Check the Server level for Forwarders to make sure they point at the
      right place if anywhere.
4. DHCP ~~ Change the Zone Information
   a. On open DHCP, the IP information for the registered servers should
      refresh with the right information.
   b. Un-authorize the old DHCP servers
   c. Change the Scope Information on the General Tab > Range overlap
      errors
   d. Create an Identical Scope in place with the new Subnet info.  Check
      Exclusions, and Scope Options
5. TEST to ping Google.com to make sure DNS and IP config is working OK
Exchange
1. Change the IP information
   a. Changed IP and DNS to use 172.16.1.0/24 subnet
   b. Changed the Primary Lookup Zone to have the SOA be the DC
   c. Changed the DC's Host Record to the correct IP address
   d. Confirmed in DNS ON the DC that DNS Zones will replicate to all DNS
      Servers
   e. Rebooted system to populate Zone
   f. Confirmed that it populated
   g. Deleted Stray records
   h. Ran Scavenge Stale Resource Records
   i. Authorized the DHCP Server with the new IP address, and everything
      appears OK now.
Exchange services all started, and everything appears fine.  BUT we should
develop a better test bed to make sure we don't have a problem.
On Domain Controller, many Userenv: 1058 and 1030 errors indicate problems
reading GPO's.  Can read, no fruit yet
DNS error 4015
On Exchange Server
NtFrs error 13562 DFS
"Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller <domain controller
DNS name> for FRS replica set configuration information. Could not find
computer object for this computer. Will try again at next polling cycle."
DFS errors on Exchange server:
Ran dfsutil /Clean /Server:lab-ex /Share:Test (name of DFS root share) 
/Verbose
Ran successfully
Ran:
Dfsutil /Clean /Server:lab-dc /Share:Test /Verbose
Ran Successfully
BITS hung on starting, but started briefly after that:
Service Control Manager error 7022
Service: "Background Intelligent Transfer Service" - See Q314862
http://support.microsoft.com/?kbid=314862
http://www.eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1
http://support.microsoft.com/?kbid=823712
CAUSE
This behavior occurs when you restart the server that was promoted to a 
domain controller. In this scenario, the Windows Time service (W32Time) 
tries to authenticate before Directory Services has started. There are no 
adverse effects on computers that experience the warning events that are 
described in the "Symptoms" section.
http://support.microsoft.com/?kbid=824217
CAUSE
This issue may occur if the File Replication Service (Ntfrs.exe) tries to 
authenticate before the directory service has started.
WORKAROUND
To work around this issue, ignore these two warning events if the directory 
service starts successfully. If the events continue to appear after Windows 
has successfully restarted, you may have to troubleshoot the directory 
service.
Dhcpserver error 1059
We had this error while there was a domain controller booted that should not 
have been there. This old machine was installed weeks ago as the domain 
controller with the same domain name but then sorted out because of hardware 
problems. After this old DC was down, restarting the DHCP-Server resulted in 
a clean startup without any error. For hours there were 2 DC's there both 
with global catalogs, etc. but different security ids for the domain.
Un-authorized the OLD dhcp servers - should put this step up above, when
configuring DHCP.
Many issues with GPO's and stuff, removed the GPO and will rebuild
On ISA server:
DnsApi error 11165
This event will appear if the DNS Suffix on the TCP/IP properties on the
Network card is invalid.  In our case, the PC was setup with domainx in the
field, rather than domainx.com. Once the DNS Suffix matched the AD or at
least is a valid "domain.extension" this error stops.
Changed the setting to register with DNS on the Public NIC
Log:
Step 1
Change Gateway IP address (In our Case ISA Server)
    Changed IP and DNS to use 172.16.1.0/24 subnet
    In ISA Server, Changed Internal Network Subnet configuration from
    172.16.0.x/24 → 172.16.1.x/24
    Checked to make sure that WPAD (Firewall Client Publishing settings) are
    hostname based, and not DIRECTLY affected by IP change.
    Should work once DNS has the proper subnet info.  Will double check.
    Reset ISA Services
Step 2
Change the IP Information on the DC
    Changed IP and DNS to use 172.16.1.0/24 subnet
    Tried reconnecting Firewall Client, failed to detect.
DNS
    Change the Reverse Lookup Zone IP Info (delete and re-create)
    Changed the Host (A) Records, made sure that the PTR records got
    created
    Walk through ALL the Forward lookup zone and confirm the correct
    subnet.
        gc._msdcs.lab.local
        Domain.DnsZones.Lab.Local
        Forest.DnsZones.lab.local
    Check the Server level for Forwarders to make sure they point at the right
    place if anywhere.
Change the Zone Information in DHCP
    On open DHCP, the IP information for the registered servers
    should refresh with the right information.
    Change the Scope Information on the General Tab > Range overlap
    errors
    Create an Identical Scope in place with the new Subnet info.
    Check Exclusions, and Scope Options
Confirmed that we can reach Google.com
Step 3
Change the IP information on the Exchange Server
    Changed IP and DNS to use 172.16.1.0/24 subnet
    Changed the Primary Lookup Zone to have the SOA be the DC
    Changed the DC's Host Record to the correct IP address
    Confirmed in DNS ON the DC that DNS Zones will replicate to all
    DNS Servers
    Rebooted system to populate Zone
    Confirmed that it populated
    Deleted Stray records
    Ran Scavenge Stale Resource Records
On review of Event Logs, System errors show DHCP NOT AUTHORIZED
    Open DHCPmgmt.msc
    Service is down
    Authorized the DHCP Server with the new IP address, and
    everything appears OK now.
Exchange services all started, and everything appears fine.  BUT we should
develop a better test bed to make sure we don't have a problem.
On Domain Controller, many Userenv: 1058 and 1030 errors indicate problems
reading GPO's.  Can read, no fruit yet
DNS error 4015
On Exchange Server
NtFrs error 13562 DFS
"Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller <domain controller
DNS name> for FRS replica set configuration information. Could not find
computer object for this computer. Will try again at next polling cycle."
DFS errors on Exchange server:
Ran dfsutil /Clean /Server:lab-ex /Share:Test (name of DFS root share) 
/Verbose
Ran successfully
Ran:
Dfsutil /Clean /Server:lab-dc /Share:Test /Verbose
Ran Successfully
BITS hung on starting, but started briefly after that:
Service Control Manager error 7022
Service: "Background Intelligent Transfer Service" - See Q314862
http://support.microsoft.com/?kbid=314862
http://www.eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1
http://support.microsoft.com/?kbid=823712
CAUSE
This behavior occurs when you restart the server that was promoted to a 
domain controller. In this scenario, the Windows Time service (W32Time) 
tries to authenticate before Directory Services has started. There are no 
adverse effects on computers that experience the warning events that are 
described in the "Symptoms" section.
http://support.microsoft.com/?kbid=824217
CAUSE
This issue may occur if the File Replication Service (Ntfrs.exe) tries to 
authenticate before the directory service has started.
WORKAROUND
To work around this issue, ignore these two warning events if the directory 
service starts successfully. If the events continue to appear after Windows 
has successfully restarted, you may have to troubleshoot the directory 
service.
Dhcpserver error 1059
We had this error while there was a domain controller booted that should not 
have been there. This old machine was installed weeks ago as the domain 
controller with the same domain name but then sorted out because of hardware 
problems. After this old DC was down, restarting the DHCP-Server resulted in 
a clean startup without any error. For hours there were 2 DC's there both 
with global catalogs, etc. but different security ids for the domain.
Un-authorized the OLD dhcp servers - should put this step up above, when
configuring DHCP.
Many issues with GPO's and stuff, removed the GPO and will rebuild
On ISA server:
DnsApi error 11165
This event will appear if the DNS Suffix on the TCP/IP properties on the
Network card is invalid.  In our case, the PC was setup with domainx in the
field, rather than domainx.com. Once the DNS Suffix matched the AD or at
least is a valid "domain.extension" this error stops.
Changed the setting to register with DNS on the Public NIC
"Paul" <Paul2@syncpuls.com> wrote in message 
news:10ne119adlgoke2@corp.supernews.com...
> My company needs to change from the 192.168.x.x range to a 10.10.x.x 
> range. We are currently on Win2K and XP clients and are using active 
> directory.
>
> We've got 4 smaller (50 or so people) remote offices where we have DC's, 
> and are using MS DNS.
>
> Since we've never done something like this we are afraid to simply change 
> IP's on the servers etc. This might screw up things for Active Directory 
> we fear, and of course we want as little downtime as possible for the 
> company.
>
> I've tried to find info on what kind of procedures to follow on the web 
> but have unfortunately not been able to find it.
>
> What approach would be best? What Best Practices and procedures should we 
> follow? Who has done this & might have pointers? Any advice, tips or 
> recommended reading?
>
> thanks!
>
> Paul
> 
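A read-only audit script for the post-change checks the notes above do by hand: walk the forward zones for anything still in the old subnet (step 3c), confirm the DC locator SRV targets under _msdcs resolve into the new subnet, confirm the reverse zone exists again (step 3a), confirm no old DHCP server is still authorized and no old scope still active (step 4b, the step the notes say belongs earlier), and check the DNS suffix behind the DnsApi 11165 event. This is an added example, not code from the post or from Microsoft. It assumes the domain name lab.local and the 172.16.0.0/24 → 172.16.1.0/24 move from the notes, the standard AD subzone names (_msdcs, DomainDnsZones, ForestDnsZones), and the DnsServer and DhcpServer PowerShell modules of Windows Server 2012 or later, run on a DC; the 2003-era equivalents would be dnscmd and netsh dhcp.

```powershell
<#
  Read-only audit of an AD domain after a subnet change.
  Added example, not from the original post or from Microsoft.
  Assumptions (labelled): domain and subnets come from the notes above;
  DomainDnsZones/ForestDnsZones are the standard AD subzone names;
  needs the DnsServer and DhcpServer modules (Windows Server 2012+ RSAT).
#>
#Requires -Modules DnsServer, DhcpServer
param(
    [string]$Domain    = 'lab.local',
    [string]$OldPrefix = '172.16.0.',   # leading octets of the retired 172.16.0.0/24
    [string]$NewPrefix = '172.16.1.'    # leading octets of the new 172.16.1.0/24
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# Step 3c of the notes: walk every forward zone for the domain (lab.local and
# _msdcs.lab.local; DomainDnsZones/ForestDnsZones records live inside lab.local)
# and flag A records still answering from the old subnet.
$zones = Get-DnsServerZone |
    Where-Object { -not $_.IsReverseLookupZone -and $_.ZoneName -like "*$Domain" }
foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType A |
        Where-Object { "$($_.RecordData.IPv4Address)".StartsWith($OldPrefix) } |
        ForEach-Object {
            $findings.Add("stale A record $($_.HostName).$($zone.ZoneName) = $($_.RecordData.IPv4Address)")
        }
}

# DC locator: clients find DCs through the SRV records under _msdcs, so every SRV
# target (the DC host names) must resolve into the new subnet or logons will fail.
Get-DnsServerResourceRecord -ZoneName "_msdcs.$Domain" -RRType Srv -ErrorAction SilentlyContinue |
    ForEach-Object { $_.RecordData.DomainName.TrimEnd('.') } |
    Sort-Object -Unique |
    ForEach-Object {
        $target = $_
        $addrs  = @(Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } |
                    ForEach-Object { $_.IPAddress })
        if ($addrs.Count -eq 0) {
            $findings.Add("SRV target $target does not resolve")
        } elseif (-not ($addrs | Where-Object { $_.StartsWith($NewPrefix) })) {
            $findings.Add("SRV target $target resolves to $($addrs -join ', '), not in $NewPrefix*")
        }
    }

# Step 3a: the reverse lookup zone for the new subnet has to exist again.
$octets = $NewPrefix.TrimEnd('.').Split('.')
[array]::Reverse($octets)
$revZone = ($octets -join '.') + '.in-addr.arpa'
if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
    $findings.Add("reverse zone $revZone is missing")
}

# Step 4b (which the notes say belongs earlier): no DHCP server from the old subnet
# may still be authorized in AD, and no active scope may still hand out the old range.
Get-DhcpServerInDC |
    Where-Object { "$($_.IPAddress)".StartsWith($OldPrefix) } |
    ForEach-Object { $findings.Add("DHCP server $($_.DnsName) ($($_.IPAddress)) is still authorized in AD") }
Get-DhcpServerv4Scope -ErrorAction SilentlyContinue |
    Where-Object { $_.State -eq 'Active' -and "$($_.ScopeId)".StartsWith($OldPrefix) } |
    ForEach-Object { $findings.Add("scope $($_.ScopeId) '$($_.Name)' is still active for the old subnet") }

# DnsApi 11165 from the notes: the primary DNS suffix must match the AD domain and any
# connection-specific suffix must be a real 'domain.extension', not a bare label.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
if ($tcpip.Domain -ne $Domain) {
    $findings.Add("primary DNS suffix '$($tcpip.Domain)' does not match '$Domain'")
}
Get-DnsClient |
    Where-Object { $_.ConnectionSpecificSuffix -and $_.ConnectionSpecificSuffix -notmatch '\.' } |
    ForEach-Object { $findings.Add("NIC '$($_.InterfaceAlias)' has bare DNS suffix '$($_.ConnectionSpecificSuffix)'") }

if ($findings.Count -eq 0) {
    "No stale references to $OldPrefix* found."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The script only reports; fixing a finding is still the manual step from the notes (correct the record, re-create the zone, un-authorize the server). Run it once per DC, since AD-integrated zones can lag between servers after the change, and follow it with dcdiag /test:DNS for the full DNS health pass, which catches the forwarder and delegation problems this script does not look at.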

