Often there comes a time when you need to replace an
existing Domain Controller with a completely new box running
new hardware. This can seem like a challenging and difficult
task involving lots of downtime; however, that is a
misconception and the task itself is actually fairly simple.
Detailed below are the steps for replacing a Domain Controller
with the least administrative effort and almost no downtime.
These steps are aimed at the Standard and Enterprise editions of
Server 2000, 2003 and 2008 and not SBS. SBS is a completely
different kettle of fish.
Adprep /Forestprep and /Domainprep are tools available from
Microsoft which are used to extend the Windows 2000
schema to cope with 2003 functionality. 2003
introduces a whole new set of features and functionality which
are foreign to the Windows 2000 platform.
Adprep /Forestprep needs to be run on the Schema Master and /Domainprep
needs to be run on the Infrastructure Master (in a single DC
environment both roles will obviously be held on your only DC).
Forestprep is run once and will propagate its changes throughout
the forest; Domainprep needs to be run once per domain. If you
are in an environment that contains child domains, then you will
need to run Domainprep on one DC in each domain.
The Adprep tools can be found in the I386 folder of your Windows
2003 CD.
Server 2003 R2 also has an extended schema, which is
foreign to both Server 2000 and Server 2003
Release 1. The ADPREP tools again need to be run to extend the
schema, but this time they need to be run from the second CD in
the R2 set, from the \CMPNENTS\R2\ADPREP
directory.
More Info on the 2003 R2 Schema Modification
http://www.microsoft.com/downloads/details.aspx?familyid=5B73CF03-84DD-480F-98F9-526EC09E9BA8&displaylang=en
What’s R2 all about?
http://www.microsoft.com/windowsserver2003/r2/whatsnewinr2.mspx
Of course with the introduction of Windows Server 2008,
there is a new generation of ADPREP tools that need to be
applied.
http://technet2.microsoft.com/windowsserver2008/en/library/1d502209-cdb9-4e13-9a6c-57ad6c9d1e8b1033.mspx?mfr=true
Join your clean install of 2003 to the domain the same way
you would a workstation or client machine. This makes it a
member server. (Right Click My Computer, Computer Name, Domain)
On your current Domain controller, make your DNS zones Active
Directory Integrated. This allows for DNS to be replicated with
Active Directory as discussed in the next paragraph, giving you
a complete replica and a redundant set of zones in case of
failure.
Now that you have run the ADPREP tools, you can
promote your new server to a Domain Controller using the DCPROMO
wizard. When running the wizard, you need to select the option
to “Add as an additional domain controller in an existing
domain”. Add your appropriate credentials and follow the
wizard.
This process will replicate your Active Directory structure to
the new server, giving you two DCs running on your domain.
Every forest contains 5 FSMO roles which are crucial to the
operation of Active Directory:
Schema Master, Infrastructure Master, PDC Emulator, RID
Master and Domain Naming Master.
By default these roles are held on the first Domain Controller
in the forest; however, they can be dispersed amongst multiple
DCs in the domain.
I mentioned that there are 5 roles. In an environment where you
run child domains this is still true, but with a twist. Every
domain within the forest holds its own set of
PDC Emulator, RID Master and Infrastructure Master roles,
whereas the Schema Master and Domain Naming Master roles
are held only in the root domain.
An example:

Domain Root (James.com)
    Schema Master
    Domain Naming Master
    Infrastructure Master
    PDC Emulator
    RID Master

Child Domain (Sub.James.com)        Child Domain (Sub2.James.com)
    PDC Emulator                        PDC Emulator
    RID Master                          RID Master
    Infrastructure Master               Infrastructure Master
You can query Active Directory from any domain controller to
find out where the FSMO roles are stored by using the “netdom
query fsmo” command.
When removing a Domain Controller from the domain it is best
practice to transfer the FSMO roles to another DC before using
DCPROMO again to demote and remove the old DC. For the record,
the DCPROMO wizard is indeed designed to move the roles
automatically when demoting a DC, but it’s not a very reliable
tool and the manual approach ensures that you have no issues at
demotion time.
A guide on transferring the FSMO roles:
http://www.petri.co.il/transferring_fsmo_roles.htm
http://support.microsoft.com/kb/255690
The global catalog basically holds a partial replica of every
object within the Active Directory forest. Without the GC, you
would not be able to search the directory efficiently,
especially in Forests that contain multiple domains. With a
Global Catalog, you don’t need to know where the object
physically resides as the GC holds that information
automatically for you.
You need to ensure that there is at least one GC per site (in
multi site domains) and that if replacing a DC, you make the new
DC a GC.
How to create or move the global catalog in Windows 2003:
http://support.microsoft.com/kb/313994
Deactivate DHCP on the old DC (if used) and recreate the
scope on the new DC. Note that if you have a fairly complex or large
DHCP scheme you may want to export and import the database instead:
http://support.microsoft.com/kb/325473/
DCDIAG is a crucial tool for diagnosing and ensuring there
are no issues with your Active Directory infrastructure,
especially in multi-DC environments. It can be found in the
Resource Kit or downloaded direct from Microsoft. Run DCDIAG and
make sure that there are no errors. If there are errors then you
should resolve them before continuing.
DCDIAG
http://technet2.microsoft.com/windowsserver/en/library/f7396ad6-0baa-4e66-8d18-17f83c5e4e6c1033.mspx?mfr=true
NETDIAG is another crucial diagnostic tool which focuses more on
the network side of things and the communications between sites.
NETDIAG
http://technet2.microsoft.com/windowsserver/en/library/cf4926db-87ea-4f7a-9806-0b54e1c00a771033.mspx?mfr=true
There are a couple of ways of migrating your file shares and data,
depending on the complexity of your structure. Often if it’s a small
environment it’s easiest to create the shares again and edit logon
scripts etc. to point to the new DC.
You can use a backup program to backup shares and restore them
to a new location
You can also use robocopy from the resource kit to copy the data
in bulk or there are options such as Teracopy to allow you to do
this via a GUI interface.
http://www.codesector.com/teracopy.php
The choice is really left up to you and the nature of your
structure.
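The robocopy route from the paragraphs above, as an added example that is not part of the original article: copy a share to the new server with its NTFS permissions intact, then confirm the explicit ACLs on every folder match. It assumes robocopy is available (Resource Kit on 2003, built in from 2008) and uses \\OLDDC\Data and \\NEWDC\Data as placeholders for your own share paths.

```powershell
# Added example (not from the original article): migrate a share preserving
# NTFS ACLs, then verify the explicit permissions carried across.
param(
    [string]$Source = "\\OLDDC\Data",   # placeholder: old share
    [string]$Dest   = "\\NEWDC\Data"    # placeholder: new share, must already exist
)

# /E          copy subfolders, including empty ones
# /COPY:DATSO data, attributes, timestamps, security (DACL) and owner; add U for
#             auditing entries (SACL), which needs Backup Operator rights both sides
# /R:1 /W:1   fail fast instead of retrying a locked file for an hour
robocopy $Source $Dest /E /COPY:DATSO /R:1 /W:1 /NP /LOG+:C:\share-migration.log | Out-Null
# robocopy exit codes 0-7 are success variants; 8 and above mean files failed to copy
if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE); see C:\share-migration.log" }

# Fingerprint of the explicit (non-inherited) ACEs on one folder. Inherited
# entries are skipped because the two share roots sit under different parents.
function Get-ExplicitAceFingerprint([string]$Path) {
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    $lines = foreach ($r in $rules) {
        "{0}|{1}|{2}|{3}|{4}" -f $r.IdentityReference, $r.FileSystemRights,
                                  $r.AccessControlType, $r.InheritanceFlags, $r.PropagationFlags
    }
    return (($lines | Sort-Object) -join "`n")
}

# Walk the source tree (root folder first) and compare each folder with its twin
$folders = @(Get-Item $Source) +
           @(Get-ChildItem -Path $Source -Recurse | Where-Object { $_.PSIsContainer })
$mismatches = 0
foreach ($folder in $folders) {
    $relative = $folder.FullName.Substring($Source.Length)
    $target   = $Dest + $relative
    if ((Get-ExplicitAceFingerprint $folder.FullName) -ne (Get-ExplicitAceFingerprint $target)) {
        $mismatches++
        Write-Warning "Explicit ACL differs: $relative"
    }
}
"$mismatches folder(s) with differing explicit ACLs out of $($folders.Count) checked"
```

Any folder reported here has lost or gained a permission entry in transit and should be checked by hand before users are pointed at the new share.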
Moving printers is a pretty self-explanatory step; however, if you have a
large number of printers installed you may want to have a look
at the printer migration tool from MS:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9B9F2925-CBC9-44DA-B2C9-FFDBC46B0B17&displaylang=en
Once your replication and migration of Active
Directory has occurred, and you have pulled your
data across to the new server, you will need to
change the DNS settings at the client level. If
you are running DHCP these changes are easy to
make, but any statically assigned devices will
need to have the changes made manually. You now
need to point the client machines to the new
server for DNS. Depending on the choice you make
in the step below, you may also want to leave
the old server as a secondary DNS entry. Ensure
that there are no external DNS server entries on
your client machines; any external DNS entries
should be configured as forwarders within DNS.
Now that you have confirmed that your new server is
acting and functioning as a DC, transferred the FSMO roles,
confirmed that DNS has replicated and ensured it is a Global
Catalog server, it’s time to
demote the old server.
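The pre-demotion checklist above, together with the “netdom query fsmo” lookup from the FSMO section, as an added example that is not from the original article: the script reads the five role holders and the Global Catalog list through .NET’s System.DirectoryServices.ActiveDirectory classes (rather than parsing netdom output), runs dcdiag against the new server, and refuses to give the all-clear while anything still points at the old DC. It assumes PowerShell 2.0 or later on a domain-joined machine with dcdiag installed; OLDDC and NEWDC are placeholder names.

```powershell
# Added example (not from the original article): is it safe to run DCPROMO on the old DC?
param(
    [string]$OldDc = "OLDDC.james.com",   # placeholder: the DC about to be demoted
    [string]$NewDc = "NEWDC.james.com"    # placeholder: its replacement
)

Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# GetCurrentDomain() is the domain this machine belongs to; in a child domain
# run the script there to see that domain's own three roles.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Two forest-wide roles come from the Forest object, three per-domain roles from
# the Domain object (the same split the table earlier in the article shows).
$roles = @{
    "Schema Master"         = $forest.SchemaRoleOwner.Name
    "Domain Naming Master"  = $forest.NamingRoleOwner.Name
    "PDC Emulator"          = $domain.PdcRoleOwner.Name
    "RID Master"            = $domain.RidRoleOwner.Name
    "Infrastructure Master" = $domain.InfrastructureRoleOwner.Name
}

$problems = @()
foreach ($role in $roles.Keys) {
    "{0,-22} {1}" -f $role, $roles[$role]
    if ($roles[$role] -ieq $OldDc) { $problems += "$role is still held by $OldDc" }
}

# The new DC must be a Global Catalog before the old one disappears
$gcNames = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
if ($gcNames -notcontains $NewDc) { $problems += "$NewDc is not a Global Catalog" }

# dcdiag /q prints only failures, so any output at all means something to fix first
$diag = (dcdiag /s:$NewDc /q | Out-String).Trim()
if ($diag) { $problems += "dcdiag reported errors on ${NewDc}:`n$diag" }

if ($problems.Count -gt 0) {
    Write-Warning "Not safe to demote $OldDc yet:"
    $problems | ForEach-Object { Write-Warning "  $_" }
} else {
    "All roles are off $OldDc, $NewDc is a GC and dcdiag is clean; DCPROMO on $OldDc can proceed."
}
```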
Run DCPROMO on the old DC and select the option to remove AD
from this machine. Follow the wizard and when complete, reboot.
You have now removed Active Directory from this server and it is
no longer a Domain Controller.
For the record, it is always best to have more than one DC. If
you are replacing the DC because it is old and due for
replacement, but the machine itself still functions, then I
heavily recommend using this server as a replica DC. A format to
clean it up and then adding it back in as an additional domain
controller gives you redundancy and a failsafe in case of
failure. It doesn’t have to hold any other roles besides that
of a Domain Controller and DNS server.