RE: Provide feedback to DC promotion/replacement
- From: Masterplan <masterplan@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 25 Oct 2007 22:57:00 -0700
Read carefully the 2 articles: one of them is referring to a Windows 2000
domain controller and the other one is referring to a Windows 2003 domain
controller. As I said in the previous posts, to rename a domain controller
using the Netdom tool, the domain functional level must be set to Windows
Server 2003. Or if you have a Windows 2000 domain controller, you can't raise
the level to Windows 2003 because to be able to do that all domain
controllers in the domain must be running Windows Server 2003.
No, you will not have any problems with Wins. However, you can install Wins
service on a dc and so you will centralize all your naming services (dns and
wins).
If you demote dc1, the most important thing you should verify is that dc2 is
a global catalog (exchange server needs to have a gc on its site).
"tnt" wrote:
Masterplan,
I went through the process and everything looks good in the test environment.
I am just confused with two different articles below:
On this article here it says that you have to demote it first using the same
step as a single domain controller in a domain.
http://technet2.microsoft.com/windowsserver/en/library/aad1169a-f0d2-47d5-b0ea-989081ce62be1033.mspx?mfr=true
But on this article it said you can rename it using NETDOM.
http://support.microsoft.com/kb/296592
I do have a few more questions. We have WINS server running on a different
machine. Nobody here knows the history of it. So as long as it is not on
the DC that I am replacing, I shouldn’t have any problems with it?
I have looked at the WINS property on that server and nothing is pointing to
the DC I am working with.
Also, on Week 3 (see first post), am I expecting any downtime on the
current environment as far as Exchange goes (sorry if it is out of scope).
Right now, the RUS is pointing to DC2. DC1 is the one I am demoting.
My guess is that if the exchange server that is authenticating through that
domain controller, it will be affected.
Thanks again for your help.
Tnt.
"Masterplan" wrote:
Yes, of course. This is a way to force replication.
"tnt" wrote:
Masterplan,
Thank you for your response.
I did look at the live production domain controllers and noticed both have
GC enabled.
On my test LAN that I went through, I had only one GC enabled on DC1, then
unchecked it. After that I checked GC (to enable it) on DC2. That's when I
got that message. I should have enabled GC on DC3 and kept DC1 as a GC too
(Global Catalog) until I retired DC1.
Also, for your comment on part 1, can I force a replicate by right-clicking
the object under NTDS to expedite the process?
Thanks,
Tnt
"Masterplan" wrote:
1. First of all, you should wait for the information to replicate.
2. You should have these two domain controllers for redundancy, and one
global catalog. A global catalog server is a domain controller that, in
addition to its full, writable domain directory partition replica, also
stores a partial, read-only replica of all other domain directory partitions
in the forest. You should have at least one global catalog in each AD site.
The more domains and global catalogs you'll have, you'll see an increase of
replication traffic on your network.
3. The infrastructure master's job is to compare objects of the local domain
against objects in other domains of the same forest. If the server holding
the infrastructure master is also a global catalog it won't ever see any
differences, since the global catalog holds a partial copy of every object
in the forest itself. So:
- The Infrastructure Master is not allowed to run on a Global Catalog Server
if there are multiple Domains in the Forest or there are Domain Controllers
in the same Domain which are not Global Catalog Servers.
- The Infrastructure Master is allowed to run on a Global Catalog Server in a
Domain if there's only one Domain in the Forest or every Domain Controller
in the Domain in question is a Global Catalog Server.
"tnt" wrote:
Masterplan/Anybody,
I ran a test through the GC (Global Catalog) and FSMO roles transfer.
I unchecked the GC on the first DC1 and then checked GC on DC2. After doing
this, I ran dcdiag and noticed my FSMO test was failing until I rebooted
all the domain controllers. So is this the correct way or do I just need to
wait longer for it to replicate?
I am trying to plan for the least downtime possible. Should I check a
second GC server first, then uncheck the first one later? I read somewhere MS
recommends one GC.
Next I performed the FSMO roles transfer. All went fine until I got to the
Infrastructure Master role, where I got the message "DC2 is a global catalog
(GC) server. The infrastructure operations master role should not be transfer
to a GC Server".
Am I OK with this? Is this MS's way of saying to put the GC on a different
server?
Thanks,
Tnt
"Masterplan" wrote:
Go to Add/remove Windows components and see if you have Certificate services
checked. If it is, it means that is installed. Also, if it is installed you
have a service named Certificate services in Windows services console.
"tnt" wrote:
Masterplan,
I was worried for a second. Anyways, our domain is at Windows 2003 already
so I am ignoring this part.
Also, since I am installing the new DC (DC3), I wouldn't install anything
besides DNS and promote it.
How do I tell which of my current DCs has the CA installed?
Thanks,
Tnt
"Masterplan" wrote:
To be able to raise domain functional level to Windows Server 2003, all the
domain controllers in the domain must be Windows Server 2003. To raise it, go
to Active Directory Users and Computers. In the console tree, right-click the
domain node and then click Raise Domain Functional Level.
By default, the CA is not installed after a clean Windows installation or
after a domain controller promotion. You can install a CA at any time from
add/remove Windows components.
"tnt" wrote:
Masterplan,
Can you elaborate on what "the functional level must be set to Windows Server
2003" means?
I read it in the article too.
Are you saying all servers should be Windows 2003 or just that the server
cannot provide any more services than it needs?
By default, is the CA installed?
Thanks,
Tnt
"Masterplan" wrote:
To rename a domain controller using the Netdom.exe tool, the domain
functional level must be set to Windows Server 2003. Take care if you have
certificate authority on a dc, because domain controllers running Certificate
Authority services (CA) can never be renamed.
Good luck!
"agt" wrote:
You might run into a few problems there.
1. Once you promote DC3 to a DC, you cannot rename it.
2. Make sure DC3 has GC enabled.
"tnt" wrote:
Guys,
I posted this question a while back, but never had time to run through the
test. Anyways, here is the info:
We have DC1 & DC2 (domain controller & DNS). My goal is to replace DC1 in
the near future since the raid 1 controller failed on us (no more raid). On
DC1, we also have the TS Licensing Server.
Part of the goal is to add DC3 (domain controller) into the domain and then
in the long run demote DC1 (retire for good) and rename DC3 to DC1. Right
now DC1 has all the master operation roles.
Here is what I like to do in different timeframe (the week sequence is just
an example that I like to do in different time):
Week 1
1) Join DC3 to domain.
2) Install DNS and do nothing since it will replicate from AD
3) Promote to DC
4) Netdiag/dcdiag tests
Week 2
1) Transfer FSMO roles from DC1 to DC2
2) Netdiag/dcdiag tests
Week 3
1) Demote DC1 and bring it offline.
2) Rename DC3 to DC1 and reuse old IP address of DC1 (using
netdom computername).
3) Reinstall TS Licensing Server on the new DC1 (Call MS to reactivate
licenses)
4) Netdiag/dcdiag tests
5) Pray (joke).
Questions:
1) What else do I have to do besides the FSMO roles transfer? Also, during
this procedure, would it affect live production-meaning any users/clients?
2) On week 1, client workstation still use DC1 & DC2 as their DNS, so
nothing will change with them.
Please provide feedback. I will post more questions as I go.
Thanks,
TNT
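
A read-only pre-flight check for the plan discussed in this thread, added here as an example; it is not from any of the posters. It assumes the ActiveDirectory PowerShell module (RSAT) and Windows PowerShell 5.1, which postdate the Windows 2003-era tools used in the thread, and it takes the thread's DC1 and DC3 names as defaults.

```powershell
# Added example: read-only checks, nothing in the directory is modified.
# Assumes the ActiveDirectory module (RSAT) and Windows PowerShell 5.1.
param(
    [string]$Retiring    = 'DC1',   # DC to be demoted (name from the thread)
    [string]$Replacement = 'DC3'    # DC to be renamed afterwards (name from the thread)
)
Import-Module ActiveDirectory

$forest   = Get-ADForest
$domain   = Get-ADDomain
$dcs      = @(Get-ADDomainController -Filter *)   # DCs of the current domain
$findings = @()

# 1. All FSMO roles must be transferred off the DC being demoted.
$old = $dcs | Where-Object { $_.Name -eq $Retiring }
if ($old -and @($old.OperationMasterRoles).Count -gt 0) {
    $findings += "$Retiring still holds: $($old.OperationMasterRoles -join ', ')"
}

# 2. Each site must keep a global catalog once the retiring DC is gone
#    (Exchange needs a GC in its own site).
foreach ($site in ($dcs | Group-Object -Property Site)) {
    $gcLeft = @($site.Group | Where-Object { $_.IsGlobalCatalog -and $_.Name -ne $Retiring })
    if ($gcLeft.Count -eq 0) {
        $findings += "Site '$($site.Name)' has no global catalog without $Retiring"
    }
}

# 3. Infrastructure master on a GC is acceptable only with one domain in the
#    forest, or when every DC in this domain is a GC.
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($im -and $im.IsGlobalCatalog -and @($forest.Domains).Count -gt 1 -and $nonGc.Count -gt 0) {
    $findings += "Infrastructure master $($im.Name) is a GC in a multi-domain forest"
}

# 4. Netdom rename needs the Windows Server 2003 domain functional level.
if ("$($domain.DomainMode)" -eq 'Windows2000Domain') {
    $findings += "Domain functional level is $($domain.DomainMode); raise it before renaming"
}

# 5. A DC running Certificate Services (service name CertSvc) cannot be renamed.
if (Get-Service -Name CertSvc -ComputerName $Replacement -ErrorAction SilentlyContinue) {
    $findings += "$Replacement has Certificate Services installed"
}

if ($findings.Count -eq 0) { 'No blocking findings.' } else { $findings }
```

Run it before the Week 3 demotion and again after each FSMO or GC change has had time to replicate, since a stale replica can still report the old role holders.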