Remove an Old DC and Introduce a New DC with the Same Name and IP Address



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer


Original Publication: 10/9/2010
Edited 10/19/2010 – Added an additional step in case you are introducing a new 2008 or 2008 R2 DC into a 2003 environment



Applies to Windows 2000, 2003, 2003 R2, 2008, 2008 R2



Preface


This question has arisen from time to time in the Microsoft Public NNTP Newsgroups and Microsoft Social Forums. I’ve put together a set of steps over the years. Each time I post the steps, I’ve found I’ve needed to refine them or explain certain steps. As time has gone by and questions have arisen on some of the steps, I’ve tried to add that information into the steps. This procedure has grown to the point where I believe I’ve covered most of what’s involved and needed in most scenarios.


Comments, suggestions and corrections are more than welcomed. If I’ve missed something, based on your feedback, I will promptly add them to the list.



Scenario:


6 DCs, 2 in SiteA, 4 in SiteB
One of the DCs in SiteA will be replaced with a DC with the same name and IP.
DHCP installed and needs to be migrated to new DC.
All DCs are DNS servers.
All DCs are GCs.



Basic Steps are:


1. If you are replacing the DC with new hardware but keeping your current Windows 2003 DCs and not introducing a Windows 2008 or Windows 2008 R2 DC into the environment, you can skip this step and go to Step 2.


Otherwise, if you are introducing a 2008 or 2008 R2 DC into your current 2003 environment, please see the following links (one has a step by step with screenshots). You must await replication if you need to do this step. To quicken replication after this step, do Step #2, then Step #12.


Running Adprep.exe:
http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx


Windows Server 2008 ADPREP (With step by step screenshots)
http://www.petri.co.il/windows-server-2008-adprep.htm


2. Optional – Drop the default intrasite DC to DC notification time from the default 5 minutes to 30 seconds. I normally don’t make this change and simply wait around 10 minutes. This is part of what you can call the “patience” factor. If you want to force the intrasite intervals, here’s how.


There are two settings you can change, the notification interval, which is 5 minutes by default, and the time to pause between notifications, which is 30 seconds by default. If you want, you can alter the notification interval down to 30 seconds, but leave the time to pause as default, since that’s fine. 


Keep in mind, this is a registry setting change. Remember to have a backup prior to this, and export the portion of the registry you’re modifying so you have a copy of it.


You can use the following article to show you how to change these settings.


How to Modify the Default Intra-Site Domain Controller Replication … This article describes how to modify the default intra-site domain controller replication interval.
http://support.microsoft.com/kb/214678


3. If you have a number of locations and you’ve defined and created AD Sites to optimize replication and logon/authentication traffic, you would want to drop the intersite link replication interval to 15 minutes. That’s performed in AD Sites & Services on the Site Connector’s properties. The following shows you how.


How to change the interSite Replication Interval (with screenshots):
http://windowspeople.com/index2.php?option=com_content&task=emailform&id=159&itemid=1


4. Make sure all of your DCs (this site and all other sites, whether a single domain or multi-domain forest) are all GCs. Making all DCs GCs alleviates the IM-GC conflict as well as provides better GC availability for services that use it such as for the logon and other processes, etc, especially services that use it heavily such as Exchange.


Open Active Directory Sites & Services,
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, check the Global Catalog checkbox
Check each DC in the site to make sure they are all GCs


5. Install the new server. Get the machine up to date with the latest SP, hotfixes and updates.


6. If this is Windows 2003, copy the i386 folder to C: drive. Integrate the latest SP into the i386 folder. If this is 2008, 2008 R2, or newer, it’s not necessary, and you can skip this step.


This step helps if adding new Windows 2003 services through Add/Remove Windows Components. Simply point to this folder for the source files, and you won’t need to re-run the SP to get the new services up to date.


Example: C:\SP2\i386\update\update /s:C:\ (this command assumes the i386 folder is on the C: drive. If it’s under another folder, you must specify the parent folder after the /s switch.)


How to integrate Windows XP Service Pack 2 files into the Windows XP installation folder
(Same exact steps for Windows 2003)
http://support.microsoft.com/kb/900871


7. Set new server to use the other DC in SiteA as DNS and WINS.


If WINS is installed, you’ll need to migrate it to another server. Read more in this link:
How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419


8. Change the old DC’s DNS settings to point to another DC in the same Site.


9. Make sure Exchange 2003 is not using this DC for OAB or RUS. Change it to another DC if this is the case. If Exchange 2007 or 2010, Exchange will automatically discover the change.


If Exchange is installed on the DC, this introduces a huge complexity and would involve moving the Exchange installation to another Exchange server first. Read the following for more information:


Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx


10. If DHCP is installed, export the DHCP database off the DC in preparation to migrate to the new DC.


How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
http://support.microsoft.com/kb/325473


How to migrate a DHCP database from Windows 2000 Server to Windows, Nov 9, 2009
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx


11. Transfer FSMO roles to another DC in the same Site, or to a DC of your choosing, preferably in the same site.


How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801


Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
http://support.microsoft.com/kb/255504


How to view and transfer FSMO roles in the graphical user interface. There are five Flexible Single Master Operations (FSMO) roles in a Windows …
http://support.microsoft.com/kb/255690


Transferring FSMO Roles – How can I transfer some or all of the FSMO Roles from one DC to another?
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or …
http://www.petri.co.il/transferring_fsmo_roles.htm


12. Run dcpromo and demote the DC, indicating that this is not the last DC in the domain. Then Restart.


Removing a Domain Controller from a Domain
Updated: January 5, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx


Demote a domain controller: Active Directory
Updated Jan 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx


13. Allow replication to occur. If your site links are still default (180 min), wait at least 3 hours, otherwise wait about 20 minutes if you had previously changed it to 15 minutes (first step). You can also force replication using repadmin if you want:


repadmin /syncall – to initiate a replication for all partners
repadmin /syncall /A /e /P (/A Synchronizes all partitions on the DC you’re running it on, /e Synchronizes partitions across all Sites, /P Forces a “Push” that pushes changes outwards instead of the default to pull changes)


Also, to check replication status:


To see if anything is in the queue waiting for replication:
Run “repadmin /queue *”


Find out what the replication latency is, if any. If it’s less than a few minutes, you’re fine.
Run “repadmin /showutdvec server-name dc=mydomain,dc=lab /latency”


Repadmin
Updated: August 22, 2005
A complete list of switches with details and usage.
Applies To: Windows Server 2003 R2 (However, the switches apply to 2008 and 2008 R2 as well.)
http://technet.microsoft.com/en-us/library/cc778305(WS.10).aspx


You can also use the Replmon GUI version for Windows 2000 and 2003, but it’s no longer available for 2008 or newer.
Getting Over Replmon – Ask the Directory Services Team, Jul 1, 2009
With the release of Windows Server 2008, Replmon was not included …
http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx
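
One way to turn the step 13 wait into a concrete check, added here as an example and not part of the original article: the function reads the output of repadmin /showrepl * /csv and lists every inbound replication link that reports failures or still names the demoted DC as its source. The /csv switch is not mentioned in the article; the DC names, sites and sample rows are constructed.

```powershell
# Added example. Live use on a DC or admin host:  $lines = repadmin /showrepl * /csv
# Constructed sample output: DC names, sites, times and status codes are made up.
$lines = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status'
    'showrepl_INFO,SiteA,DC02,"DC=mydomain,DC=lab",SiteB,DC03,RPC,0,0,2010-10-09 10:02:11,0'
    'showrepl_INFO,SiteB,DC03,"DC=mydomain,DC=lab",SiteA,DC02,RPC,0,0,2010-10-09 10:01:47,0'
    'showrepl_INFO,SiteB,DC04,"DC=mydomain,DC=lab",SiteA,DC01,RPC,4,2010-10-09 10:05:40,2010-10-09 08:01:02,1722'
)

function Get-ReplicationProblem {
    param(
        [string[]]$CsvLines,   # raw lines from repadmin /showrepl * /csv
        [string]$RetiredDc     # host name of the DC demoted in step 12
    )
    foreach ($r in ($CsvLines | ConvertFrom-Csv)) {
        $reasons = @()
        if ($r.showrepl_COLUMNS -ne 'showrepl_INFO') {
            # Anything not tagged showrepl_INFO is treated as an error row.
            $reasons += 'repadmin returned an error row'
        }
        elseif ([int]$r.'Number of Failures' -gt 0) {
            $reasons += '{0} failure(s), last status {1}' -f $r.'Number of Failures', $r.'Last Failure Status'
        }
        # A link sourced from the demoted DC means its removal has not replicated here yet.
        if ($r.'Source DSA' -eq $RetiredDc) {
            $reasons += "still replicates from $RetiredDc"
        }
        if ($reasons) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Problem       = $reasons -join '; '
            }
        }
    }
}

$problems = @(Get-ReplicationProblem -CsvLines $lines -RetiredDc 'DC01')
if ($problems.Count) { $problems | Format-Table -AutoSize -Wrap }
else { 'Replication is clean; continue with the next step.' }
```

With the sample rows, only the DC04 link is reported, both for its failure count and because it still replicates from DC01.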



14. Rename the now demoted DC to something else, or keep it unplugged.


15. Check DNS to make sure its references (LdapIpAddress and GC) are gone.


16. Check AD Sites & Services to make sure its server object is gone. If not, delete the server object.


Open Active Directory Sites & Services,
Drill down and expand the AD Site name the domain controller exists in
Right-Click on the DC’s name
Choose Delete (or hit the delete key)


17. Check ADUC, Domain Controllers OU to make sure it’s gone. You should now find the old DC computer object in the Computers Container.


18. Rename the new server to the old DC’s name.


19. Change the new server’s IP to the old DC’s IP.


20. Run dcpromo. Select to install DNS (if not already installed). Then Restart.


How do I install Active Directory on my Windows Server 2003 server?
http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm


How to Install Active Directory on Windows Server 2003, May 19, 2005
http://technet.microsoft.com/en-us/…/aa998088(EXCHG.65).aspx


When you run Dcpromo.exe to create a replica domain controller, you receive one of the following error messages in Dcpromo.exe: Error message 1 Error …
http://support.microsoft.com/kb/232070


If you are introducing a newer Operating System version, you’ll need to run ADPREP:


Running Adprep.exe:
http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx


Windows Server 2008 ADPREP (With step by step screenshots)
http://www.petri.co.il/windows-server-2008-adprep.htm



21. Allow it to come up. Wait about 5 – 10 minutes after it has restarted and logged in.


22. Check DNS to make sure that the LdapIpAddress registered and a Nameserver entry was created.


23. Go into AD Sites and Services and make sure you see the new DC in your Site and there are connection objects to another DC that the KCC created.


24. While in AD Sites and Services, make it a GC. It’s the preferred method now to make all DCs GCs in an infrastructure, whether there is one domain or multiple domains in the forest. This will alleviate the well-known Infrastructure Master and Global Catalog contention issue.


Open Active Directory Sites & Services,
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, check the Global Catalog checkbox


25. Run ipconfig /registerdns, restart netlogon service. Wait 5-10 minutes, then check DNS for the _gc._msdcs.OTEC-DC.domain.com records to see if it registered as a GC. If it’s not there yet, wait a few more minutes. Be patient. Hit F5 to refresh the console until you see it.
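
The DNS checks in steps 15, 22 and 25 can be run against every DNS server at once; the following is an added example, not part of the original article. Because the replacement reuses the old DC's IP, a record left over from before the demotion looks identical to a fresh registration, so the function is told whether the IP is expected to be absent (step 15) or present (steps 22 and 25). The server IPs and the DC IP are constructed, and the live query assumes an admin host that has Resolve-DnsName (Windows 8 / Server 2012 or later).

```powershell
# Added example. Live collection, assuming Resolve-DnsName is available:
#   $answers = foreach ($s in $dnsServers) { foreach ($n in $names) {
#       Resolve-DnsName $n -Type A -Server $s -DnsOnly -ErrorAction SilentlyContinue |
#           Where-Object { $_.Type -eq 'A' } |
#           Select-Object @{n='Server';e={$s}}, @{n='Name';e={$n}}, IPAddress } }

$dcIp       = '192.0.2.10'                              # constructed: IP shared by old and new DC
$names      = 'mydomain.lab', 'gc._msdcs.mydomain.lab'  # LdapIpAddress and GC host (A) records
$dnsServers = '192.0.2.11', '192.0.2.21'                # constructed: other DCs running DNS

# Constructed answers as collected right after the demotion in step 12.
$answers = @(
    [pscustomobject]@{ Server = '192.0.2.11'; Name = 'mydomain.lab';           IPAddress = '192.0.2.11' }
    [pscustomobject]@{ Server = '192.0.2.11'; Name = 'gc._msdcs.mydomain.lab'; IPAddress = '192.0.2.11' }
    [pscustomobject]@{ Server = '192.0.2.21'; Name = 'mydomain.lab';           IPAddress = '192.0.2.11' }
    [pscustomobject]@{ Server = '192.0.2.21'; Name = 'gc._msdcs.mydomain.lab'; IPAddress = '192.0.2.10' }
)

function Test-DcDnsRecord {
    param(
        $Answers,                      # objects with Server, Name, IPAddress
        [string[]]$Servers,
        [string[]]$Names,
        [string]$DcIp,
        [ValidateSet('Absent', 'Present')][string]$Expect
    )
    foreach ($s in $Servers) {
        foreach ($n in $Names) {
            $found = [bool]($Answers | Where-Object {
                $_.Server -eq $s -and $_.Name -eq $n -and $_.IPAddress -eq $DcIp })
            [pscustomobject]@{
                Server = $s
                Name   = $n
                Found  = $found
                Ok     = ($found -eq ($Expect -eq 'Present'))
            }
        }
    }
}

# Step 15: after the demotion the shared IP must be gone from every DNS server.
Test-DcDnsRecord -Answers $answers -Servers $dnsServers -Names $names -DcIp $dcIp -Expect Absent |
    Format-Table -AutoSize
# Steps 22 and 25: collect again after promotion and rerun with -Expect Present.
```

In the sample, 192.0.2.21 still returns the old GC record, so that row shows Ok = False and the rename in step 18 should wait.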


26. Check ADUC, look in the Domain Controllers OU for the new DC’s entry.


27. Change DNS settings to its own IP address (to itself). Delete the 127.0.0.1 entry. Make the other DC in SiteA the second DNS entry. Actually this is the preferred setting, where all DCs should point to themselves as the first entry, and another DC in their own Site as the second. If no other DCs are in its own Site, choose one across the WAN with the fastest link.


28. If any Forwarders were configured in DNS, you will need to manually re-enter them.


29. If applicable, revert back any and all changes you made earlier regarding Site replication settings and intrasite DC to DC settings.


30. If you haven’t done so already, go have a cold or hot beverage of your choosing. You should be good to go.


 


 


All Comments, Suggestions or Corrections are welcomed!
Ace Fekay
