3

My current problem is the following migration scenario:

Existing domain:

Domain-Controller (Windows Server 2003 x86) named "W2003SRV" with domain DOMAIN.LOCAL
Terminal-Server 1 (Windows Server 2008 R2 x64)
Terminal-Server 2 (Windows Server 2008 R2 x64)
Client computers

Now we need to replace the Domain Controller with a new machine which will run Windows Server 2008 R2 x64 as well. Normally I would add the new DC to the domain, promote it to new DC, transfer Active Directory FSMO roles, demote the old one and be done with it.

However, the proprietory software that we use prohibits any change of the computer name. Adding the new DC to the domain first would mean that I have to give it another name, as the old one is still in use by the existing DC.

If I don't migrate the domain at all and create a new domain DOMAIN.LOCAL with the new server only (named W2003SRV like the old one) I would fullfil the criteria of keeping the name. As I would left with a completely new domain all my User SIDs would change, though, and even after recreating the Users and Computers in the Active Directory, a new profile would be forced on every user (with its new SID) and I would spend at least a day setting the new profiles up.

What other possibility do I have?

I thought about doing it that way and - after the new server has been promoted to DC - changing the name of the new DC to the one of the old DC. However changing the name of the (only) Domain-Controller in the domain doesn't seem that wise... Or am I worrying to much here?

I am grateful for every piece of advice!

Update:

ADMT (Active Directory Migration Tool) from Microsoft (as suggested by TheCleaner) seems to be the way to do it. It keeps the old SIDs in the SID history and thus the profiles would be reusable. I've looked into it and have downloaded the documentation. My only problem with that would be that it transfer AD objects from one Domain to another. I do have 2 domains but as both the server name as well as the domain name would be the same I think that is going to be a problem. Has anybody experiences with ADMT in such a case?

LumenAlbum
  • 527
  • 2
  • 5
  • 15
  • 1
    How big a company? How many client computers/profiles? – TheCleaner Aug 13 '13 at 14:20
  • The Active Directory contains 24 Computer objects and 59 Users. Our company has 1 main office and 4 branch offices but those connect via remote desktop to the Terminal Servers (so we only have that 1 Domain-Controller in our forest) – LumenAlbum Aug 13 '13 at 15:26

2 Answers2

4

Add a second server that only runs the software in question. Think of the lifecycle of a domain controller - it will be replaced at some point. This is one of the many reasons why it's a worst practice to install any business software on a domain controller.

Alternatively, you could add a new DC, and then dcpromo down the old DC and keep the application on it.

mfinni
  • 35,711
  • 3
  • 50
  • 86
  • The business software does not run on our Domain-Controller, however it has a separate configuration database which is bound to the server name of it. Changing the server name would necessitate a reinstall of all our business software on the 2 Terminal Servers. I know that that is crappy design but I can't change that. – LumenAlbum Aug 13 '13 at 15:31
  • As for the alternative, the old server has to go. It has already shown some malfunctions and probably won't last much longer. Also, management wants it gone (power consumption etc.) – LumenAlbum Aug 13 '13 at 15:33
  • My point stands. You don't want any *business dependencies* on a named server that is a domain controller. You can always migrate the software or database to another machine with the same name, or do a P2V. You can't juggle that stuff with having a single DC though, because the whole domain depends on it. – mfinni Aug 13 '13 at 15:39
  • Upvoted this answer: the "configuration database" should be moved to a non-DC server. Promote a new DC with a different name, demote the old W2003SRV and unjoin it from the domain, and then set up a new member server with the name W2003SRV -- set up the database on that. – Artomegus Aug 13 '13 at 16:18
  • I hear you and I agree that a separate server is the best choice, however the management isn't willing to pay for setting up and maintaining another server. We can shake heads together but for this questions those just are the requirements – LumenAlbum Aug 14 '13 at 08:40
2

I would consider two approaches here, with #2 being my first choice. You could always get the domain and forest level up to 2008 R2 and then look at renaming the domain at that point if needed. I would also recommend that if possible you go with a 2012 server, but that might not be possible in your environment.

  1. If you think there is good reason to create a new domain, then I would consider going that route and using something like Forensit Profile Wizard to move the profiles over from the old domain to the new one on the computers/TS. Look at using ADMT as well to swing the users over from the old domain.
  2. Keep the existing domain and use the advice I was given when I had to do something very similar. See here: Windows 2003 DC to Windows 2008 R2 DC with same name and same IP This worked well for me, and allowed me to keep the name and IP without any issues.
Community
  • 1
TheCleaner
  • 32,352
  • 26
  • 126
  • 188
  • Thanks, I will look into ADMT. I know about Forensit Profile Wizard, however that one is only free for personal use and management won't pay for a tool which we will need only once in 3 years :( – LumenAlbum Aug 14 '13 at 08:44
  • I've also had a closer look to your #2. Do you know how to make sure that any changes have been replicated to the swing server and later to the new DC before you disconnect each server? Is there a way to force replication or some indicator? – LumenAlbum Aug 14 '13 at 09:34
  • 1
    repadmin and dcdiag will help with this. – TheCleaner Aug 14 '13 at 13:15
  • 1
    Thank you for your help! I have played around with the mentioned tools and your approach #2 in my test lab and it seems to work just fine. – LumenAlbum Aug 15 '13 at 18:17