bgetreu (Seasoned But Casual Onlooker, USA, 36 Posts)
Posted - 05/23/2012 : 11:43:23 AM
I consult for a school district that originally had one forest/domain with 35 DC's in 31 sites. We have slowly demoted/decommissioned the school DC's and by the end of next week I will be left with the 4 Server 2008 DC's we maintain at the district. Three out of the 4 DC's hold the FSMO's, one DC runs the time service which is synced to an authoritative time server, and one DC is basically a spare. We are at Server 2003 FFL/DFL. DNS is AD-integrated and we run WINS on all 4 DC's.
I have 4 new servers to replace these machines. Ideally, I would like to upgrade to Server 2008 R2, raise the FFL/DFL to 2008 and eventually 2008 R2, keep the same server names and IP's. My questions are these:
1. Should I raise the FFL/DFL to 2008 as a first step after I finish demoting all the current 2003 R2 DC's?
2. Would I be better off performing an in-place upgrade of one of the 4 DC's to Windows Server 2008 R2 rather than using ADPREP for the forest and domain?
3. Would it be better to demote one DC and eliminate it from DNS and then promote a new server with the original name, or should I add the new servers to the domain, demote the old servers and then rename the new machines to the old server names?
Any advice would be appreciated.
Jazzy (Administrator, Netherlands, 1949 Posts)
Posted - 05/23/2012 : 11:50:30 AM
2. In-place upgrade is pretty decent these days; if you don't run third-party software on the servers you might consider this. Have you seen this page? http://technet.microsoft.com/nl-nl/library/upgrade-domain-controllers-to-windows-server-2008-r2(v=ws.10).aspx
With all other scenarios it's the IP addresses you should worry about, not the server names. The reason is that many devices (workstations, servers, appliances, routers) use the current IP addresses for DNS; when you deploy new DC/DNS servers with new IP addresses you need to change the DNS settings of all devices across the network. Some people recommend reusing the old IP addresses for the new servers, but I'm not sure if that's the best solution.
Jetze Mellema
Exchange specialist, Former MVP (2005-2012). My blog: http://jetzemellema.blogspot.com (Dutch). My company: http://www.imara-ict.nl/
bgetreu (Seasoned But Casual Onlooker, USA, 36 Posts)
Posted - 05/23/2012 : 8:20:28 PM
The 4 2008 Servers currently in use are all 64-bit. Since I have 4 new 64-bit servers to replace them, virtualizing is not an option. My question is whether it would be easier to do an in-place upgrade to 2008 R2 on one of the existing 2008 DC's or use Forest/Domain Prep to extend the Schema. I'm also concerned with raising the FFL/DFL and the timing of that action. Also, while I could probably live with the new DC's using different names than the current DC's, the IP's must be the same. However, how dangerous is renaming a DC? Should I add the new DC's with new names, transfer the FSMO's, demote the old DC's and then rename the new servers to the old names? Or, should I demote one DC and make sure all of its DNS entries are gone and then add a new DC with that name?
Edited by - bgetreu on 05/23/2012 9:14:18 PM
Jazzy (Administrator, Netherlands, 1949 Posts)
Posted - 05/24/2012 : 01:45:07 AM
quote: My question is whether it would be easier to do an in-place upgrade to 2008 R2 on one of the existing 2008 DC's or use Forest/Domain Prep to extend the Schema.
Extending the schema is no rocket science; you can do that manually.
About the timing of raising the DFL/FFL, I see no advantage in doing that either before or after you have finished replacing domain controllers. Do it afterwards so you can raise the levels to Server 2008 R2 in one step.
Jetze Mellema
Exchange specialist, Former MVP (2005-2012). My blog: http://jetzemellema.blogspot.com (Dutch). My company: http://www.imara-ict.nl/
Endaar (Old Timer, USA, 576 Posts)
Posted - 05/30/2012 : 11:37:35 AM
I replaced our (2) 2003 DCs with new 2008 R2 DCs last summer. This is what I did as best I recall:
* Extended schema
* Built new DCs, with new names and IP addresses
* DCPromo'd the 2008 boxes
* Transferred FSMO roles to 2008 DCs
* Demoted the 2003 servers
* Disjoined the 2003 servers and retired them
* Added the old DCs' IP addresses to the new 2008 DCs; i.e. the 2008 DCs have two IP addresses
* Added DNS entries aliasing the old DCs' names to the new DCs
* Raised DFL/FFL to 2008 R2
* Changed settings on our DHCP servers (also on the DCs) to hand out the new server IP addresses for DNS
I'm not saying this is the best way to do the migration, but it worked flawlessly for us. Most if not all of our references to DCs or DNS have since been changed to point to the new server names and IPs, but the aliases and secondary IP addresses ensure any old entries still find a DC.
James
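The migration sequence described in the post above leaves a few things worth verifying once the old servers are gone: that every FSMO role is held by a DC that still exists, which DCs carry more than one address (the dual-IP step), which retired DC names now resolve as aliases, and whether SRV records for retired DCs linger in the _msdcs zone. The following audit script is an added example written for this thread; it is not code from any poster. It assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT on Windows 8 / Server 2012 or later, so Resolve-DnsName is available; on the 2008 R2 era tooling the same lookups would be done with nslookup or dnscmd), read access to the domain, and a list of retired DC names that the caller supplies (the defaults below are constructed placeholders).

```powershell
# Added example (not from the thread): post-migration audit of DC, FSMO and DNS state.
# Assumes ActiveDirectory + DnsClient modules and domain read access.
param(
    # Short names of the DCs that were demoted. Constructed placeholder values.
    [string[]]$RetiredDCs = @('OLDDC1', 'OLDDC2')
)

Import-Module ActiveDirectory

$forest   = Get-ADForest
$domain   = Get-ADDomain
$dcs      = @(Get-ADDomainController -Filter *)
$findings = @()

# 1. Functional levels and FSMO holders (thread question 1 and the "transferred FSMO roles" step).
"Forest mode : $($forest.ForestMode)   Domain mode : $($domain.DomainMode)"
"Schema master        : $($forest.SchemaMaster)"
"Domain naming master : $($forest.DomainNamingMaster)"
"PDC emulator         : $($domain.PDCEmulator)"
"RID master           : $($domain.RIDMaster)"
"Infrastructure master: $($domain.InfrastructureMaster)"

# A role still pointing at a demoted server means the transfer was missed (a seize would be needed).
$liveNames = $dcs | ForEach-Object { $_.HostName }
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
foreach ($holder in $holders) {
    if ($liveNames -notcontains $holder) {
        $findings += "FSMO role held by '$holder', which is not a current domain controller"
    }
}

# 2. DCs registering more than one A record: the "two IP addresses" arrangement from the thread.
#    Worth knowing about so the secondary address can be removed once clients are repointed.
foreach ($dc in $dcs) {
    $aRecords = @(Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' })
    if ($aRecords.Count -gt 1) {
        $ips = ($aRecords | ForEach-Object { $_.IPAddress }) -join ', '
        $findings += "$($dc.HostName) has $($aRecords.Count) A records: $ips"
    }
}

# 3. Retired names: flag CNAME aliases (the "DNS entries aliasing the old DCs' names" step)
#    and any SRV locator record that still advertises a retired DC as an LDAP/DC endpoint.
$srvName = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
$srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' })
foreach ($old in $RetiredDCs) {
    $fqdn = "$old.$($domain.DNSRoot)"
    $rec  = @(Resolve-DnsName -Name $fqdn -ErrorAction SilentlyContinue)
    if ($rec | Where-Object { $_.Type -eq 'CNAME' }) {
        $findings += "$fqdn resolves via a CNAME (alias to a surviving DC)"
    }
    if ($srv | Where-Object { $_.NameTarget -like "$fqdn*" }) {
        $findings += "SRV record in $srvName still names retired DC $fqdn"
    }
}

""
if ($findings.Count -eq 0) {
    "No findings: FSMO holders are live DCs, no dual-homed DCs, no retired-DC aliases or SRV records."
} else {
    "Findings:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it from an administrative workstation after the old servers have been demoted and disjoined, and again after the secondary addresses and aliases are retired; the second run should come back with no findings. The SRV check is the one that matters most for clients, since a stale locator record will keep sending logon and LDAP traffic to a name that no longer answers as a DC.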
Isaac (Here To Stay, USA, 209 Posts)
Posted - 05/31/2012 : 09:35:13 AM
quote: Originally posted by Endaar
> I replaced our (2) 2003 DCs with new 2008 R2 DCs last summer. This is what I did as best I recall:
> * Extended schema
> * Built new DCs, with new names and IP addresses
> * DCPromo'd the 2008 boxes
> * Transferred FSMO roles to 2008 DCs
> * Demoted the 2003 servers
> * Disjoined the 2003 servers and retired them
> * Added the old DCs' IP addresses to the new 2008 DCs; i.e. the 2008 DCs have two IP addresses
> * Added DNS entries aliasing the old DCs' names to the new DCs
> * Raised DFL/FFL to 2008 R2
> * Changed settings on our DHCP servers (also on the DCs) to hand out the new server IP addresses for DNS
> I'm not saying this is the best way to do the migration, but it worked flawlessly for us. Most if not all of our references to DCs or DNS have since been changed to point to the new server names and IPs, but the aliases and secondary IP addresses ensure any old entries still find a DC.
> James
Doesn't a second IP (same/different network) on the DC cause any problems?
By "DNS entry alias" do you mean "oldDC CNAME NewDC"?
I was under the impression that stuff like that is a big no-no for DCs.
Endaar (Old Timer, USA, 576 Posts)
Posted - 05/31/2012 : 09:41:20 AM
Yes, the DNS entry is a CNAME as you describe.
The old and new IPs are on the same subnet. I haven't seen any problems. Any idea what the potential issues would be?
James
Isaac (Here To Stay, USA, 209 Posts)
Posted - 05/31/2012 : 10:14:36 AM
I had a similar setup a few years ago. I had to move a DC role from a server that was used as a file share, print server, some RDP sessions (thankfully the default 2 sessions, and no TS) and a bunch of other things. I ended up assigning the IP address as secondary to a new DC, as in your case. But DNS would constantly complain (Event Logs) on packets coming from itself to itself, and dcdiag/netdiag were giving some errors; unfortunately I can't recall what the errors were or even whether they were related to it. But no serious problems/consequences. Once the DNS records were updated on all the workstations (the network was using static IPs; this case helped me convince the management to move to DHCP), I removed the secondary IP address.
feeblebob (Welcome Newcomer, 2 Posts)
Posted - 12/10/2012 : 06:47:11 AM
Gents,
Apologies for the late resurrection of this thread, but it's pretty pertinent to my question. The secondary-address temporary fix above won't help in this scenario.
I'm upgrading DC's from 2003 to 2008 R2; the 2008 boxes are built and are to be dcpromo'd. FSMO roles will then be sorted and the 2003 boxes demoted and removed etc. It's now become a major priority to change the IP addresses of the new DC's to what the old ones were (2x 2k3 DC's out, 2x 2k8R2 DC's in). They currently have the next free addresses in the range, but after the 2003 boxes are removed, the 2008 R2 DC's will assume the same IP addresses that the 2k3 DC's had. This is due to loads of old stuff pointing to the DC's as DNS servers by hard-coded IP and not hostname. For a reason I can't immediately put my finger on, this sounds like trouble.
Has anyone come across this situation before, with any gotchas/things to watch out for/specific steps to take?
wkasdo (Administrator, Netherlands, 7425 Posts)
Posted - 12/10/2012 : 07:10:05 AM
> For a reason I can't immediately put my finger on, this sounds like trouble.
Should not be a problem, as long as your DC's have just one IP address at a time.
Make it as simple as you can, but not simpler -- Albert Einstein
chamezzzz (Honorable But Hopeless Addict, United Kingdom, 2301 Posts)
Posted - 12/10/2012 : 08:06:17 AM
and documented here
James
Edited by - chamezzzz on 12/10/2012 08:08:41 AM
feeblebob (Welcome Newcomer, 2 Posts)
Posted - 12/10/2012 : 08:31:33 AM
Good news then, I'm just thinking about things referencing the old DC (and therefore GUID etc.) by that address and causing problems. I've not got time to lab it this time, so can't really test out the effect. If I'm worrying about nothing then all good. Many thanks all.