
I have a network of around 70 machines, currently with two DCs both running Windows Server 2003 (DC0 & DC1). DC0 is a five year old PowerEdge 1850 and has recently become increasingly flaky, and in the past fortnight has fallen over twice.

I want to replace this machine, but I'm cautious as there is huge scope for this sort of thing to go wrong. The way I imagine doing this is building a new machine then doing a DCPROMO and running three domain controllers for a month or so until I'm happy that everything is working as it should be before retiring the old machine.

Particular areas of concern are the replication of roles from the current controllers (GP settings for instance) and the ramifications of switching off the machine that has, up until now, been the 'primary'.

If there are compelling reasons to use Server 2008 I'm willing to do so, however I don't know if this would cause problems with my existing 2003 machines.

Any advice on best practice or previous experiences would be most welcome.

Marko Carter

5 Answers


Replication is totally automatic between domain controllers in the same domain, so you shouldn't need to worry at all about it, unless something goes wrong; all AD content (users, computers, OUs, GPOs, etc.) will be replicated to any new DC you add to the domain, and each DC will always store a full copy of the domain database.

There are two things you should care about (apart from any other application that may be running on the server, of course): FSMO roles and DNS.

If your DC is a DNS server, you should take care to enable that service on other DCs and have all your domain member computers (clients and servers) point to them instead of the one you're retiring; in a standard AD setup, installing the DNS service on a DC is enough: you don't need to define and populate DNS zones, as the main domain zone will be AD-integrated and thus replicated to all DNS servers which are also DCs.

FSMO roles are special roles which can be held only by a single DC at a time, and they're usually owned by the first DC created in the domain; they will be automatically moved to another one if you demote the DC that owns them, but you'll have no control over their placement, so it's always better to move them manually; you can do that using the various AD tools (Users & Computers, Sites & Services, Domain & Trusts, Schema), or by using NTDSUTIL.

Also, be careful to actually demote the old DC (using dcpromo) before retiring it; this will ensure all information concerning its previous role as a DC gets properly removed from Active Directory.

Massimo
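A pre-flight check for the two concerns in this answer (FSMO placement and DNS/GC advertising) plus replication health, as an added example that is not part of the original answer. It runs from an admin workstation or DC with the Server 2003 support tools (netdom, repadmin, dcdiag, nltest) installed; the domain name and DC names are placeholders.

```powershell
# Added example: health check to run BEFORE dcpromo of the new DC and again
# AFTER it, so you can see the new DC appear in replication and in DNS.
# Assumed placeholders: corp.example.com, DC0, DC1 (replace with your own).
param(
    [string]$Domain = "corp.example.com",     # placeholder domain
    [string[]]$DCs  = @("DC0", "DC1")          # placeholder DC names
)

Write-Host "== FSMO role holders (note which ones sit on the DC being retired) =="
netdom query fsmo

Write-Host "`n== Replication summary: any fails/errors here must be fixed before dcpromo =="
repadmin /replsummary

foreach ($dc in $DCs) {
    Write-Host "`n== dcdiag on $dc (DNS, SYSVOL/FRS, advertising, KCC) =="
    # /q prints only failures, so clean output means the tests passed
    dcdiag /s:$dc /test:DNS /test:FrsEvent /test:Advertising /test:KccEvent /q
    if ($LASTEXITCODE -ne 0) { Write-Warning "$dc reported dcdiag failures" }
}

Write-Host "`n== DNS SRV records: every DC that should answer LDAP / GC must be listed =="
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"
nslookup -type=SRV "_gc._tcp.$Domain"

Write-Host "`n== Global Catalog locator: fails if no DC advertises as a GC =="
nltest /dsgetdc:$Domain /gc /force
```

Run it once more after the old DC is demoted: its SRV records should be gone and repadmin should no longer list it as a partner.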

Microsoft has a wealth of articles regarding moving roles and services from one server to another. With DCs you do need to be particularly careful in order for things to happen gracefully, and you are well guided to post the question here, because it isn't a simple power off or delete the server from AD Users and Computers.

If you are going to build a new server - at this point I'd need a compelling reason not to base it on 2K8 R2. Be sure your supporting applications support 2K8 R2 also - AntiVirus, Backup, etc. If the cost of the OS and CALs isn't an issue, I guess I wouldn't see the reasoning to stand up a long term system based off a 7 year old OS? I think the reqs for 2K8 R2 to exist in a 2K3 domain are it must be in 2K3 Native mode and the 2K3 DCs may need to be SP2 or later.

First build up your new server, add it to the domain and dcpromo it - no reason to wait on this. Make sure either the new server or the remaining old server are set to be Global Catalog Servers: http://support.microsoft.com/kb/313994

Your primary area of concern needs to be about ensuring the FSMO roles are properly handed over to another DC. This article will tell you the exact what and how of every step you will need to perform: http://support.microsoft.com/kb/324801 .

The replication of GPOs is handled automatically by the FRS on the Sysvol tree - so you shouldn't have any worries there.

You'll likely also need to handle DHCP and DNS services as well. Here's a good article on moving your DHCP database if need be: http://support.microsoft.com/kb/962355 . Be sure to disable the DHCP service after you move the DHCP database to a new server and fire it up there. It's important to move the DHCP database rather than just stop the service on the old server and start it on another - you'll have client systems all over the place with duplicate IP addresses.

I always prefer to move the FSMO and DHCP roles off and wait several days before removing the system as a DC.

When you have your FSMO roles and DHCP moved (and any other software) run dcpromo from the command line to remove it as a DC. Then use Add/Remove Programs -> Windows Components to uninstall the DNS service. Lastly - remove the system from the domain and power it off.

Good Luck!

Jeff Hengesbach
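The FSMO hand-over step from this answer (and the NTDSUTIL route Massimo mentions) scripted end to end, as an added example rather than anything from the original answers or from KB324801 itself. It assumes the retiring DC is still online, so the roles are transferred, not seized; DC2 and DC0 are placeholder names.

```powershell
# Added example: transfer all five FSMO roles to $NewDC with ntdsutil, then
# refuse to call it done while netdom still shows any role on $OldDC.
# Placeholders: DC2 (new holder), DC0 (DC being retired).
param(
    [string]$NewDC = "DC2",
    [string]$OldDC = "DC0"
)

# The Domain Naming Master command is spelled differently by tool version:
# Server 2003 ntdsutil uses 'transfer domain naming master',
# Server 2008 / 2008 R2 ntdsutil uses 'transfer naming master'.
$namingCmd = if ([Environment]::OSVersion.Version.Major -ge 6) {
    "transfer naming master"
} else {
    "transfer domain naming master"
}

# ntdsutil takes its interactive menu commands as quoted arguments.
# Each transfer pops a confirmation dialog. 'transfer' is the right verb while
# the old holder is reachable; 'seize' is only for a DC that is gone for good.
$cmds = @(
    "roles", "connections", "connect to server $NewDC", "quit",
    "transfer schema master",
    $namingCmd,
    "transfer infrastructure master",
    "transfer RID master",
    "transfer PDC",
    "quit", "quit"
)
& ntdsutil @cmds

# Verification: netdom lists each role with its holder's FQDN.
$fsmo = netdom query fsmo
$fsmo
$stillOnOld = $fsmo | Where-Object { $_ -match "\b$OldDC\b" }
if ($stillOnOld) {
    Write-Error ("Roles still on {0} - do not demote it yet:`n{1}" -f $OldDC, ($stillOnOld -join "`n"))
} else {
    Write-Host "No FSMO roles remain on $OldDC. Let replication settle (repadmin /replsummary) before dcpromo."
}
```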

If you are not planning on migrating to 2008 I wouldn't bother upgrading. There are some caveats depending on what other apps you have. If you plan on upgrading to 2008 then the first thing you need to do is a schema update. You also need to ensure that your applications are compatible with 2008 domain controllers (in particular you need to ensure that if you have RODCs in the environment or plan to that the applications know how to get to a writeable GC or DC should it be required). As an example it was only since last February that Exchange 2008 R2 was supported with Exchange.

Check this link for domain preparations and this link for forest preparations.

Jim B
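A way to see whether the schema update and functional level this answer talks about are already in place, as an added example (not from the answer or from Microsoft's preparation articles). It reads RootDSE over ADSI from any domain-joined machine; the objectVersion and functionality numbers are Microsoft's published values, and the adprep commands are the ones shipped on the 2008 R2 media.

```powershell
# Added example: report schema version and functional levels, and say which
# adprep steps are still outstanding before a 2008 R2 DC can be promoted.
$rootDse = [ADSI]"LDAP://RootDSE"
$schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"

# objectVersion of CN=Schema by the OS that last extended it
$schemaVersions = @{ 30 = "2003"; 31 = "2003 R2"; 44 = "2008"; 47 = "2008 R2" }
# domainFunctionality / forestFunctionality values
$levels = @{ 0 = "2000"; 1 = "2003 interim"; 2 = "2003"; 3 = "2008"; 4 = "2008 R2" }

$ver = [int]$schema.objectVersion.Value
$dfl = [int]$rootDse.domainFunctionality.Value
$ffl = [int]$rootDse.forestFunctionality.Value

"Schema objectVersion  : $ver ($($schemaVersions[$ver]))"
"Domain functional lvl : $dfl ($($levels[$dfl]))"
"Forest functional lvl : $ffl ($($levels[$ffl]))"

if ($ver -lt 47) {
    "Schema is below 2008 R2. From the 2008 R2 media (\support\adprep), as a"
    "Schema Admin + Enterprise Admin, run on the Schema Master:"
    "  adprep /forestprep            (adprep32.exe on a 32-bit 2003 DC)"
    "then, after it has replicated, on the Infrastructure Master:"
    "  adprep /domainprep /gpprep"
    "and re-run this check before dcpromo of the 2008 R2 server."
} else {
    "Schema already at 2008 R2 level; no forestprep needed."
}
if ($dfl -lt 2) {
    "Domain is below Windows Server 2003 functional level, the baseline the answers above assume; raise it first."
}
```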

I would agree with what Jeff said. To add, DNS records replicate between DNS servers; it's just the DHCP database that you can back up and restore among different DHCP servers. With just managing the lease duration you can make this change smooth. Just don't tie all the screws until you are sure everything is set. The way I've done it, it takes 2-3 days max to cover all the (FSMO) roles and (DNS/DHCP) records.

user44304

As has been said, ensure all old roles are removed from the old server and migrated to the other / or new one. You won't be able to run DCPROMO until it's no longer a global catalogue server. Give it a bash - what's the worst that can happen? Kittens won't get hurt if it all goes wrong.