Updating/replacing Primary Domain Controller
OK, first and foremost I'm not a networking/hardware specialist, so please be patient :-) Here's my current worry...
For the past four years I've been running a small network with one Windows 2003 Server (with Active Directory, DNS and DHCP services - I'm guessing this is the Primary Domain Controller...) and between three and four attached workstations (Windows XP and Windows Vista) and a couple of network printers. I guess you could call the installation basic, but it does what we want it to do - we're a small web development company so the server provides general data storage and also IIS so we can give our customers external access to 'work in progress' web sites through the development. The server also runs SQL 2000 and SQL 2005.
The time has come to upgrade the physical server (it's 5 years old and relatively low spec, hardware wise) and whilst we're at it would like to update the OS to Windows Server 2008 64-bit edition - seems to make sense, but correct me if you disagree.
My initial thoughts were to build the new server, turn the old server off, attach the new server and then attach the workstations to the new server/domain. Whilst I guess this would work, I do know enough to know it's a bit messy and there's probably a better way to do it.
From searching around (particularly in this forum) I believe you can add a second server to the network, and somehow get it to mirror the services on the original server (the Primary Domain Controller), but I have only a vague idea of how to do this and the one thing I want to avoid is killing the existing functional network - we need to be able to work!
Can anyone point me in the right direction - a step by step guide would be a help as, as I say, I'm no network specialist (as you probably have gathered!).
Thanks - sorry for the tome!
Re: Updating/replacing Primary Domain Controller
Hello Neilski,
Here are my suggestions:
1- Build your new Windows Server 2008, configure the RAID, hard drive etc.,
to your needs (do not add to domain yet) and give it a fixed IP address.
2- Make sure you have a current and valid backup for your data, just in case
something goes wrong.
3- Make sure your current Active Directory Environment is healthy and
functioning right by running a dcdiag /q at the command prompt, look for any
errors.
4- Prepare your current environment for W2K8. On your current Windows Server
2003 Domain controller, logon with an account that is a member of the Schema
Admins, insert the W2K8 disk and run adprep /forestprep and adprep
/domainprep. This will upgrade your schema to w2k8 version 44.
5- Add the new w2k8 machine as a member server to your domain
6- Make the W2K8 a domain controller in your existing domain by running
dcpromo and follow the prompts. It is also recommended to install DNS at this
stage if prompted to do so; if not, then install DNS immediately after dcpromo
is complete. After w2k8 has been promoted as a domain controller, wait for
replication to complete, do a dcdiag /q and look for any errors. At this
time, make the W2K8 DC point to itself for DNS.
7- Transfer FSMO Roles to W2K8. If no errors, then move all the FSMO roles
from the W2K3 domain controller to the new W2K8 domain controller.
Instructions to do this can be found here:
http://support.microsoft.com/kb/324801
8- Migrate your DHCP from W2K3 to W2K8.
9- Migrate IIS from W2K3 to W2K8 and move web data.
10- Personally, if your old w2k3 server is still functional, I would leave
the SQL 2000 and 2005 on it. If not, then migrate to the new w2k8.
11- At this time, proceed to demote the old w2k3 as a domain controller. (I
would prefer you do this after about 2 weeks, just to make sure that
everything is working as planned.)
Re: Updating/replacing Primary Domain Controller
Hello Neilski,
!!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DATA/MACHINE!!!
- On the old server open DNS management console and check that you are running
an Active Directory integrated zone (easier for replication, if you have more
than one DNS server)
- run replmon from the run line or repadmin /showrepl, dcdiag and netdiag
from the command prompt on the old machine to check for errors, if you have
some post the complete output from the command here or solve them first.
For these tools you have to install the support\tools\suptools.msi from the
2003 installation disk.
- run adprep /forestprep and adprep /domainprep and adprep /rodcprep from
the 2008 installation disk against the 2003 schema master, with an account
that is member of the Schema admins, to upgrade the schema to the new version
(44), you can check the version with "schupgr" in a command prompt.
- Install the new machine as a member server in your existing domain
- configure a fixed ip and set the preferred DNS server to the old DNS server
only
- run dcpromo and follow the wizard to add the 2008 server to an existing
domain, make it also Global catalog.
- if you are prompted for DNS configuration choose Yes. If not, install DNS
role after promotion.
- for DNS give the server time for replication, at least 15 minutes. Because
you use Active directory integrated zones it will automatically replicate
the zones to the new server. Open DNS management console to check that they
appear
- if the new machine is domain controller and DNS server run again replmon,
dcdiag and netdiag (copy the netdiag from the 2003 to 2008, will work) on
both domain controllers
- Transfer, NOT seize the 5 FSMO roles to the new Domain controller (http://support.microsoft.com/kb/324801
applies also for 2008)
- you can see in the event viewer (Directory service) that the roles are
transferred, also give it some time
- reconfigure the DNS configuration on your NIC of the 2008 server, preferred
DNS itself, secondary the old one
- if you use DHCP do not forget to reconfigure the scope settings to point
to the new installed DNS server
- export and import of DHCP database for 2008 choose "netshell dhcp backup"
and "netshell dhcp restore" command (http://technet.microsoft.com/en-us/l.../cc772372.aspx)
- for printer migration see here: http://support.microsoft.com/default...N-US;938923 and
http://technet.microsoft.com/en-us/l.../cc722360.aspx
- for moving IIS see here: http://technet.microsoft.com/en-us/l.../cc754138.aspx
and http://technet.microsoft.com/en-us/m.../cc424869.aspx
- for the SQL part, maybe post to SQL newsgroups, also see here: http://msdn.microsoft.com/en-us/library/bb677619.aspx
and http://www.microsoft.com/Sqlserver/2...migration.aspx
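The pre-flight checks, schema preparation, post-promotion verification and FSMO transfer from the two step lists above, as a script. This is an added example and not code from the original thread. Names are assumptions taken from later in the thread: PRIMUS for the old 2003 DC, ZEUS for the new 2008 DC, abl.local as the domain; the 2008 media is assumed to be mounted as D:. It uses only the tools the replies name (dcdiag and repadmin need the 2003 Support Tools on PRIMUS), and the FSMO transfer uses the LDAP transfer mechanism (writing fSMORoleOwner on the receiving DC) rather than the GUI in KB 324801; it is a transfer, not a seize.

```powershell
# Added example, not code from the original thread: the pre-flight checks, schema
# preparation, post-promotion verification and FSMO transfer from the step lists above.
# Assumed names: old 2003 DC PRIMUS, new 2008 DC ZEUS, domain abl.local (as in the
# later dcdiag output), 2008 media mounted as D:. Each function says which server it
# runs on; the account must be in Schema Admins, Enterprise Admins and Domain Admins.

$Domain   = 'abl.local'
$DomainDn = 'DC=abl,DC=local'
$OldDc    = 'PRIMUS'
$NewDc    = 'ZEUS'

# Objects whose fSMORoleOwner attribute names the holder of each of the five roles.
$FsmoObjects = @{
    'Schema'         = "CN=Schema,CN=Configuration,$DomainDn"
    'DomainNaming'   = "CN=Partitions,CN=Configuration,$DomainDn"
    'PDC'            = $DomainDn
    'RID'            = "CN=RID Manager`$,CN=System,$DomainDn"
    'Infrastructure' = "CN=Infrastructure,$DomainDn"
}

function Test-AdHealth {
    # Run on PRIMUS before adprep and on both DCs after promotion. Both commands print
    # only failures, so a clean directory produces no output and the function returns $true.
    $dcdiag = & dcdiag.exe /q 2>&1
    $repl   = & repadmin.exe /showrepl /errorsonly 2>&1
    foreach ($line in @($dcdiag) + @($repl)) { if ($line) { Write-Warning "$line" } }
    return (-not $dcdiag -and -not $repl)
}

function Get-SchemaVersion {
    param([string]$Dc = $OldDc)
    # objectVersion on the Schema container: 30 = 2003, 31 = 2003 R2, 44 = 2008.
    $rootDse = [ADSI]"LDAP://$Dc/RootDSE"
    $schema  = [ADSI]"LDAP://$Dc/$($rootDse.schemaNamingContext)"
    return [int]"$($schema.objectVersion)"
}

function Invoke-AdPrep {
    param([string]$AdprepExe = 'D:\sources\adprep\adprep.exe')   # path on the 2008 media (assumed)
    # Run on PRIMUS, the schema master. /forestprep waits for a typed 'C' confirmation,
    # so it is fed through cmd.exe; the other two run directly.
    & cmd.exe /c "echo C| `"$AdprepExe`" /forestprep"
    if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep failed with exit code $LASTEXITCODE" }
    & $AdprepExe /domainprep
    if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep failed with exit code $LASTEXITCODE" }
    # /rodcprep is worth running even with no RODC planned: without it dcdiag's NCSecDesc test
    # reports missing "Replicating Directory Changes In Filtered Set" rights on the DNS partitions.
    & $AdprepExe /rodcprep
    if ($LASTEXITCODE -ne 0) { throw "adprep /rodcprep failed with exit code $LASTEXITCODE" }
}

function Test-DnsZoneReplicated {
    param([string]$Dc = $NewDc, [string]$Zone = $Domain)
    # Run after promotion and a replication interval: the AD-integrated zone must be
    # listed by the new DC's own DNS server before that DC is made its own preferred resolver.
    $zones = & dnscmd.exe $Dc /enumzones 2>&1
    return [bool]($zones | Where-Object { $_ -match "^\s*$([regex]::Escape($Zone))\s" })
}

function Get-FsmoOwners {
    param([string]$Dc = $NewDc)
    $owners = @{}
    foreach ($role in $FsmoObjects.Keys) {
        $obj = [ADSI]"LDAP://$Dc/$($FsmoObjects[$role])"
        $owners[$role] = "$($obj.fSMORoleOwner)"    # nTDSDSA DN, e.g. CN=NTDS Settings,CN=ZEUS,...
    }
    return $owners
}

function Move-FsmoRoles {
    param([string]$TargetDc = $NewDc)
    # Transfer, not seize: bind to the DC that is to RECEIVE the roles and write its own
    # nTDSDSA DN (RootDSE dsServiceName) into fSMORoleOwner; that DC then performs a proper
    # transfer with the current holder. Seizing is the separate becomeXxxMaster RootDSE
    # operation and is deliberately not used here.
    $self = "$(([ADSI]"LDAP://$TargetDc/RootDSE").dsServiceName)"
    foreach ($role in $FsmoObjects.Keys) {
        $obj = [ADSI]"LDAP://$TargetDc/$($FsmoObjects[$role])"
        if ("$($obj.fSMORoleOwner)" -ne $self) {
            $obj.Put('fSMORoleOwner', $self)
            $obj.SetInfo()
            Write-Host "transferred $role to $TargetDc"
        }
    }
    & netdom.exe query fsmo    # cross-check: every line should now name ZEUS
}

# Order of use:
#   on PRIMUS : Test-AdHealth ; Invoke-AdPrep ; Get-SchemaVersion   (expect 44)
#   promote ZEUS with dcpromo, with PRIMUS as its only DNS server, then wait for replication
#   on ZEUS   : Test-AdHealth ; Test-DnsZoneReplicated ; Move-FsmoRoles ; Get-FsmoOwners
```

Run Test-AdHealth again on both DCs after the transfer and give the Directory Service event log the few minutes the reply above mentions before trusting Get-FsmoOwners; a role that still shows CN=PRIMUS after that means the transfer was refused, and the right response is to look at the event log, not to seize.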
Re: Updating/replacing Primary Domain Controller
And it was all going so well! Windows Server 2008 - 64 bit running nicely, but I have run into a couple problems.
To be fair, I've been a complete idiot, I should have checked compatibility much more closely. I still need to be able to run Windows SQL 2000 and ASP.net 1.1 on this server, and of course, it won't, at least not easily, if at all. The stupid thing is that it never occurred to me to check, I just thought that it would, well, work.
I think I now have three options:
1) Install Windows Server 2003 32-bit on the new hardware (same as the old server).
2) Buy a second, lower-spec server and run Windows Server 2003 32-bit on that.
3) Install VMWare ESXi and run two guest servers - this sounds good (but what do I know), but am concerned how possible/practical this is with my networking experience.
I could do with some pointers if possible.
Thanks.
Re: Updating/replacing Primary Domain Controller
Hello Neilski,
We all sometimes get caught in compatibility issues, so don't blame
yourself too badly for that. Before you start thinking of additional hardware,
here are some other options.
I know you can run ASP 1.1 on w2k8 but SQL2000 is a no-no. So how about you
still run your web using ASP 1.1 on w2k8 and leave the SQL2000 on your
existing hardware (I am not sure about the condition of the old w2k3, but if
you migrate everything but the SQL2000 that may reduce the workload on that
server so it is able to handle just the SQL2000 stuff).
Option 2: If you have enough hard disk space and memory on your new w2k8,
you can use virtualization with Hyper-V (new feature in w2k8) and install
w2k3 and SQL2000 on it. That way you don't have to buy any new hardware. You
can read more on virtualization here:
Re: Updating/replacing Primary Domain Controller
4) Install the already included Hyper-V role on your (hopefully)
Hyper-V capable server and install a Virtual Machine running Server 2003 with
the SQL and ASP.net
You didn't mention, but if you had bought the Enterprise version of Server
2008, you get up to four fully licensed versions of Server 2008 to run in
virtualization.
Re: Updating/replacing Primary Domain Controller
Thanks Guys,
I had not heard of Hyper-V so will investigate - presumably it's another package I need to buy. I had been looking at VMWare ESXi, but I like the idea of keeping the same family of products. I only have the Standard Edition Windows Server 2008.
I don't think keeping the old machine in service is practical. I think it has a 'mechanical' problem on the Motherboard, as it can be fine for weeks and then suffers a complete hard disk read/write failure (as a result I have become quite good at restore and rebuild!).
The new machine is an HP ML350 G5 (quad-core Xeon with 10GB of RAM) and 4 x 250GB SATA drives running as a logical pair in RAID 1+0 configuration.
Thanks again.
Neil.
Re: Updating/replacing Primary Domain Controller
Server 2008 *Standard* Edition does come with 1+1 licensing. But the first
"one" must be for virtualization services and managing the virtual machines
only. The second "one" is a license for installing a full function instance
of Server 2008 in a Virtual Machine.
With the first instance already running AD and other roles *not* just
limited for Hyper-V services and VM management, he'd still need another
license for his 2003 SQL and IIS VM instance. If the original licensing
allows, he could move it from physical to virtual though.
Re: Updating/replacing Primary Domain Controller
In a nutshell, use the steps below as guidelines
Step 1
Purchase new HW and OS license windows 2008
configure RAID per your requirements
Install the OS on the new HW and name the server as you wish, assign a static
IP to the new server
Add server to existing domain ( now you have member server)
reboot log into domain ( not to local Server) with correct privileges
click run, type DCpromo and start promoting this server to be the second
domain controller, finish the DCPromo process and reboot
make sure this is DC/GC/DNS ( use AD integrated DNS) and configure the
server TCP/IP correctly. DG/DNS servers to be the
Start transferring all roles from DC one to the new 08DC; this includes DHCP,
WINS, and other services running on top of the first DC
I don't like the idea of installing anything on the DC such as SQL, to be honest;
if budget allows, use a member server for SQL and leave the DC alone by
itself, if not
go for it )-:
Step 2
After moving all the services from the old DC to the new DC you will be ready to run
DCpromo on the old server to "un-install" Active Directory.
Make sure you change the DHCP scope options, reflecting the new DC IP
address and DNS, WINS etc.
Move all the FSMO roles; it is very easy and done from the GUI.
When you are done, the first thing you need to do is shut down the old DC to make
sure nothing is complaining, broken etc.
Turn the DC back on and allow the replication to catch up.
Run DCPromo to uninstall AD from the old server, delete the server object for
the old server from Sites and Services.
Reboot the old DC; now it is a member server, disjoin it from the domain and do
whatever you want with it.
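The DNS-client, DHCP and pre-demotion parts of the step lists above (this post and the earlier replies), scripted as an added example; this is not code from the original thread. Assumed names and addresses: PRIMUS 192.168.1.10 for the old DC, ZEUS 192.168.1.20 for the new one, domain abl.local, a single DHCP scope 192.168.1.0, adapter name "Local Area Connection" and export file C:\dhcp-export.txt. netsh, netdom and nltest exist on both 2003 and 2008; the final dcpromo on the old server is interactive and is left to the administrator.

```powershell
# Added example, not code from the original thread: DNS-client repointing, DHCP
# migration and a readiness check before the old DC is demoted. All names, addresses,
# the scope, the adapter name and the export path below are assumptions.

$Domain  = 'abl.local'
$OldDc   = 'PRIMUS'; $OldDcIp = '192.168.1.10'
$NewDc   = 'ZEUS';   $NewDcIp = '192.168.1.20'
$Scope   = '192.168.1.0'
$Nic     = 'Local Area Connection'

function Set-NewDcDnsClient {
    # On ZEUS, after the FSMO roles have moved: itself as preferred DNS, PRIMUS as alternate.
    # During promotion the NIC should have listed PRIMUS only.
    & netsh.exe interface ip set dns name="$Nic" source=static addr=$NewDcIp register=primary
    & netsh.exe interface ip add dns name="$Nic" addr=$OldDcIp index=2
    & ipconfig.exe /registerdns | Out-Null
}

function Export-OldDhcp {
    param([string]$File = 'C:\dhcp-export.txt')
    # On PRIMUS: scopes, leases, reservations and options go into one file; copy it to ZEUS.
    & netsh.exe dhcp server export $File all
}

function Import-NewDhcp {
    param([string]$File = 'C:\dhcp-export.txt')
    # On ZEUS with the DHCP Server role installed, after "net stop dhcpserver" on PRIMUS,
    # so that two servers never hand out the same scope at the same time.
    & netsh.exe dhcp server import $File all
    # The imported option 006 still points clients at PRIMUS; repoint it at the new DNS server.
    # Do the same at server level if options are set there, and for 044 if WINS moved too.
    & netsh.exe dhcp server scope $Scope set optionvalue 006 IPADDRESS $NewDcIp
    # Authorize the new server in AD and retire the old authorization.
    & netsh.exe dhcp add server "$NewDc.$Domain" $NewDcIp
    & netsh.exe dhcp delete server "$OldDc.$Domain" $OldDcIp
}

function Test-ReadyToDemote {
    # Run from ZEUS before dcpromo is used on PRIMUS. Everything the domain and the clients
    # depend on must already be answered by ZEUS; the "shut the old DC down and see what
    # complains" test in the post above is the final confirmation of the same thing.
    $r = @{}
    $fsmo = @(& netdom.exe query fsmo 2>&1)
    $r['all 5 FSMO roles on new DC'] = (@($fsmo | Where-Object { $_ -match "\s$NewDc\.$Domain\s*$" }).Count -eq 5)
    $gc = "$(([ADSI]"LDAP://$NewDc/RootDSE").isGlobalCatalogReady)"
    $r['new DC is a global catalog'] = ($gc -eq 'TRUE')
    $r['SYSVOL and NETLOGON shared']  = ((Test-Path "\\$NewDc\SYSVOL") -and (Test-Path "\\$NewDc\NETLOGON"))
    $opt = @(& netsh.exe dhcp server scope $Scope show optionvalue 2>&1)
    $r['DHCP scope options name new DC only'] = ([bool]($opt -match [regex]::Escape($NewDcIp)) -and
                                                 -not ($opt -match [regex]::Escape($OldDcIp)))
    foreach ($k in ($r.Keys | Sort-Object)) { Write-Host ("{0,-40} {1}" -f $k, $r[$k]) }
    return (@($r.Values | Where-Object { -not $_ }).Count -eq 0)
}

# When Test-ReadyToDemote returns True: power PRIMUS off for a working day; if nothing
# breaks, bring it back, let replication catch up, run dcpromo on it, then remove its
# server object from Sites and Services as the post above describes.
```

The DHCP import is the one step here that is not idempotent: importing a second time over an existing scope fails, so if the import is repeated, delete the scope on ZEUS first. The readiness check reads the scope options back rather than trusting the set command, because an export taken from PRIMUS silently carries the old DNS address in every scope it contains.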
Re: Updating/replacing Primary Domain Controller
At last I have my Windows Server 2008 64 bit operating system running as a Domain Controller on my network. It is actually installed as a virtual machine on my server running VMWare ESXi.
By following all of your helpful advice and suggestions, the process was fairly painless. This morning I ran DCPROMO on the new 2008 server and all seemed to go well, but I did notice a message that said something about not having an 'authoritative DNS'. The process completed and I assumed that since I only had one previous DNS server (running on the old 2003 server) it must be OK - wrongly I suspect!
After the DCPROMO completed, I opened the DNS manager and noted that the domains appear to have replicated from the w2k3 server. I then ran DCDIAG and DCDIAG /q as suggested in your comments, and I appear to have some problems. I am hoping that someone might steer me in the right direction. The logs are listed below.
Thank you.
DCDIAG /q
Warning: DsGetDcName returned information for \\primus.abl.local, when
we were trying to reach ZEUS.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... ZEUS failed test Advertising
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=abl,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=abl,DC=local
......................... ZEUS failed test NCSecDesc
Unable to connect to the NETLOGON share! (\\ZEUS\netlogon)
[ZEUS] An net use or LsaPolicy operation failed with error 67,
Win32 Error 67.
......................... ZEUS failed test NetLogons
DCDIAG
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = Zeus
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\ZEUS
Starting test: Connectivity
......................... ZEUS passed test Connectivity
Doing primary tests
Testing server: Default-First-Site\ZEUS
Starting test: Advertising
Warning: DsGetDcName returned information for \\primus.abl.local, when
we were trying to reach ZEUS.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... ZEUS failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... ZEUS passed test FrsEvent
Starting test: DFSREvent
......................... ZEUS passed test DFSREvent
Starting test: SysVolCheck
......................... ZEUS passed test SysVolCheck
Starting test: KccEvent
......................... ZEUS passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... ZEUS passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... ZEUS passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=abl,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=abl,DC=local
......................... ZEUS failed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\ZEUS\netlogon)
[ZEUS] An net use or LsaPolicy operation failed with error 67,
Win32 Error 67.
......................... ZEUS failed test NetLogons
Starting test: ObjectsReplicated
......................... ZEUS passed test ObjectsReplicated
Starting test: Replications
......................... ZEUS passed test Replications
Starting test: RidManager
......................... ZEUS passed test RidManager
Starting test: Services
......................... ZEUS passed test Services
Starting test: SystemLog
......................... ZEUS passed test SystemLog
Starting test: VerifyReferences
......................... ZEUS passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : abl
Starting test: CheckSDRefDom
......................... abl passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... abl passed test CrossRefValidation
Running enterprise tests on : abl.local
Starting test: LocatorCheck
......................... abl.local passed test LocatorCheck
Starting test: Intersite
......................... abl.local passed test Intersite
*** End ***
Re: Updating/replacing Primary Domain Controller
Hello Neilski,
The complete error message would be fine. Additionally, post an unedited ipconfig
/all from the new DC and the old one. And please post an unedited dcdiag,
netdiag and repadmin /showrepl from both DCs.
Best regards
Re: Updating/replacing Primary Domain Controller
I've attached two zip files with the requested log files from each machine:
W2k3.zip - contains the log files from the original Windows 2003 Server (32-bit)
W2k8.zip - contains log files from the new, virtual Windows 2008 Server (64-bit)
Re: Updating/replacing Primary Domain Controller
Hello Neilski,
As you can see in the errors from netdiag and dcdiag, your new DC is not working
properly in the domain. It has connectivity problems with "primus".
Can you ping the existing DC/DNS with ip address, computer name and FQDN?
Before promoting it, did you add the 2008 as member to the domain?
Did you only use the existing DC/DNS as the preferred DNS on the NIC during
promotion?
Is the server listed correct in the DNS zones? When running ipconfig /registerdns
does it succeed, or do you get any kind of error message?
Do the sysvol and netlogon shares exist and can you access them? The content
should be the same as on the existing DC.
Best regards
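The checks the reply above asks for, gathered into one script to run on the new DC; this is an added example, not code from the original thread. It is aimed at the three dcdiag failures posted earlier (Advertising, NCSecDesc, NetLogons). Win32 error 67 in the NetLogons test is ERROR_BAD_NET_NAME, "The network name cannot be found", so \\ZEUS\netlogon is either not being shared yet or the name is not resolving. PRIMUS, ZEUS and abl.local come from the thread; the address 192.168.1.10 for PRIMUS is an assumption.

```powershell
# Added example, not code from the original thread: runs the reachability, DNS,
# share and service checks the reply above asks for, on ZEUS. The PRIMUS address is assumed.

$Domain  = 'abl.local'
$OldDc   = 'PRIMUS'
$OldDcIp = '192.168.1.10'
$NewDc   = 'ZEUS'

function Test-Reach {
    param([string]$Target)
    # ping.exe exits 0 only when a reply came back; one probe is enough on a LAN.
    & ping.exe -n 1 -w 1000 $Target | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-NewDcDiagnostics {
    $r = @{}
    # 1. Reachability of the existing DC by address, short name and FQDN, which separates
    #    IP connectivity from DNS resolution and from NetBIOS/suffix problems.
    foreach ($t in @($OldDcIp, $OldDc, "$OldDc.$Domain")) { $r["ping $t"] = Test-Reach $t }
    # 2. Which DNS servers the NIC really uses; while PRIMUS still holds the roles it should be PRIMUS only.
    $r['NIC DNS servers'] = @(& netsh.exe interface ip show dns 2>&1 | Where-Object { $_ -match '\d+\.\d+\.\d+\.\d+' })
    # 3. Dynamic registration of this DC's A and SRV records at the DNS server the NIC points to.
    & ipconfig.exe /registerdns | Out-Null
    $r['ipconfig /registerdns exit code'] = $LASTEXITCODE
    # 4. Does DNS on PRIMUS hold the DC locator SRV record for ZEUS? The Advertising failure
    #    means the locator handed back PRIMUS when asked specifically about ZEUS.
    $srv = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $OldDc 2>&1
    $r['SRV record names new DC'] = [bool]($srv | Where-Object { $_ -match "$NewDc\.$Domain" })
    # 5. The shares behind the NetLogons failure, on both DCs. SYSVOL on a fresh DC is only
    #    shared once FRS has finished its initial replication from the existing DC.
    foreach ($share in @('SYSVOL', 'NETLOGON')) {
        foreach ($dc in @($NewDc, $OldDc)) { $r["\\$dc\$share reachable"] = (Test-Path "\\$dc\$share") }
    }
    # 6. Services a 2008 DC needs before it can advertise in a 2003-level domain.
    foreach ($svc in @('Netlogon', 'kdc', 'DNS', 'NtFrs')) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $r["service $svc"] = 'not installed'
        if ($s) { $r["service $svc"] = "$($s.Status)" }
    }
    # 7. What the locator answers for the domain as a whole; after the repair it must be able to return ZEUS.
    $r['dsgetdc'] = @(& nltest.exe "/dsgetdc:$Domain" /force 2>&1 | Where-Object { $_ -match '^\s*DC:' })
    foreach ($k in ($r.Keys | Sort-Object)) { Write-Host ("{0,-40} {1}" -f $k, "$($r[$k])") }
    return $r
}

$results = Get-NewDcDiagnostics
```

Read the table in order: a failed ping by name with a working ping by address is a DNS client problem on the new DC; a missing SRV record with a working ping by FQDN points at registration (check the zone's dynamic update setting and the System event log after step 3); shares missing only on ZEUS with NtFrs running means SYSVOL replication has not completed yet, which is also what the FrsEvent warning in the posted dcdiag hints at.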