child domain 2003 dc migrate to 2008r2
-
Wednesday, March 20, 2013 2:00 AM
I have several sites that run 2003 as DC. Those sites are on their own child domain, CHILDDC1.company.com; the parent domain is called company.com.
Each of these 2k3 DCs on CHILDDC1 has DNS and DHCP for their respective DHCP scopes etc.
There are a couple of 2k8r2 DCs already brought up in the child domain, so all the adprep and forestprep has already been taken care of (the parent domain also already has 2k8r2 DCs).
These new 2k8r2 DCs on the child domain are going to be ROD, but I need to migrate over the DHCP and DNS from their old 2003 counterpart.
Any good ideas on how to perform this? As far as replication, should these new 2k8r2 DCs on the child domain have replication site links to the 2k8r2 DCs on the parent domain?
Or do they only have replication links between the DCs on the child DC, and if so how do they replicate information to the parent domain and vice versa? Thx for the help!
All Replies
-
Wednesday, March 20, 2013 3:33 AM
Hi OldSchoola,
I'm assuming in your fourth paragraph that you mean a Read-Only Domain Controller (RODC)?
If you did, then you need to know that each child domain that will contain a RODC needs to communicate with a writeable Server 2008 (or later) domain controller. The RODC in the child domain cannot use a domain controller from the parent domain/forest root. So, that means you'd be looking at a minimum of two domain controllers per child domain if you wanted to use RODCs.
It's also important to note that the writeable Server 2008 domain controller must be the nearest replication partner (least replication cost on the site link) as a RODC cannot replicate to or from another RODC.
Cheers,
Lain
Marked as answer by K_evin Zhu (Microsoft Contingent Staff, Moderator), Monday, April 01, 2013 2:39 AM
-
Friday, March 22, 2013 1:25 AM
So for the child DC I need at least 2 writeable DCs. Yes, I mean RODC.
As for replication links, I would link the 2 writeable 2k8r2 DCs on the child domain to DCs on the parent domain?
And all the other RODCs on the child would link to the writeable 2k8r2 DCs on the child DC?
What about moving over DHCP and DNS from the 2k3 on the child domain to the new 2k8r2 RODC on the child domain?
-
Friday, March 22, 2013 2:37 AM
Hi,
Maybe the easier way to look at this is via your site topology.
If you have a head office and all your sites connect directly to your head office (known as a hub and spoke topology), then all you have to remember is that the domain controller(s) in the hub site need to be writable. That way, if you deploy RODCs to each branch office, they should default to connecting to the writable domain controllers in the hub site - which is what you need.
You should not need to manually create any links. The only thing you need to focus on is making sure the sites for the branch offices are created, the correct subnets are associated with those sites, and the RODCs are put into those subnets.
One additional consideration you may want to take on board is turning off automatic site bridging. You can read more about that here. If you do not understand the ramifications of doing this or how to manually design site link bridges, then leave it in its default state of enabled.
DHCP and DNS can happily exist on an RODC, so there are no issues there, though it's important to keep in mind that with DNS, updates from the clients get redirected through a referral back to the writable domain controllers. This adds traffic over the WAN, so if you have a large branch office (let's say more than 100 clients), you may want to consider placing a writable domain controller there. It's not mandatory, of course, it's just something to think about.
Cheers,
Lain
Marked as answer by K_evin Zhu (Microsoft Contingent Staff, Moderator), Monday, April 01, 2013 2:39 AM
-
Friday, March 22, 2013 5:58 PM
The main office is on our primary domain; the child domain was created for all the branch offices. There is no main office in the child domain, so to speak. Would I need to just pick one or 2 and make those 2 DCs non-RODC?
Remember there is already a 2003 child domain in place with 2003 domain controllers for each site in the child. So the AD sites and subnets are already created for each of these branch offices, so I don't think your 3rd sentence would apply.
Also there have been some 2k8r2 DCs already brought up in this child domain, and their replication links are to the old 2k3 DC (which is obviously a r/w DC) (I don't see any other links). Once we demote the old 2k3 DC, will we need to manually create a replication link to a 2k8r2 DC that's not a RODC in the child domain?
-
Friday, March 22, 2013 6:00 PM
Also, does this new child domain require its own FSMO role servers? (except for the schema and infrastructure master which are forest specific)
-
Saturday, March 23, 2013 1:27 AM
Hi,
I need to understand the real physical connectivity layout before I can get into any further details. I know you have this second domain just for the branch sites, but that doesn't categorically dictate that your domain controller placement should exclusively be just at the branch sites.
Again, using the example I used before, if all your branch sites are small and not directly and well connected, yet they are directly and well connected to a hub site, then even if that hub site uses a different domain, you'd be wise to locate your writable domain controllers there. Remember, this is just an example, but it illustrates why we need to know more about the physical layout.
If the third paragraph you're referencing is about the site links, then that's definitely relevant to any design. You may have the sites and subnets defined, but as I just mentioned in the previous paragraph, I know enough about the physical layout to say that putting new domain controllers in exactly where the existing ones already exist is the best thing to do. So just to re-iterate the key point, you should not be creating new site links manually.
You need to keep in mind that because the existing domain controllers are all writable, there is a high degree of fault tolerance at each site and very little planning was required to achieve it. Once you start talking about RODCs, you need to pay more attention to the design so that you ensure things like writable domain controller placement and the Password Replication Policies are correctly designed to not only work well when connectivity is fully available, but when it isn't.
As far as the FSMO roles go, an RODC cannot hold a FSMO role, so the placement of the three domain FSMO roles is going to be governed by the placement of the writable domain controllers.
Cheers,
Lain
Edited by Lain Robertson, Saturday, March 23, 2013 1:34 AM: Grammatical correction.
Marked as answer by K_evin Zhu (Microsoft Contingent Staff, Moderator), Monday, April 01, 2013 2:39 AM
-
Wednesday, April 10, 2013 3:07 AM
When I brought up a new RODC (server A), it created a site link to the old 2k3 DC on the same subnet,
not to the 2k8 r/w child domain DC (located at corporate in a different subnet).
Also I noticed that another 2k8 RODC (server B) that was brought up had a link to one of the primary domain r/w 2k8 DCs.
Is it OK for these RODCs to have these links like that?
What will happen to server A when I demote that old 2k3 server at that branch location??
Edited by OldSchoola, Wednesday, April 10, 2013 3:21 AM
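A check for the condition Lain describes above (each RODC needs an inbound replication connection from a writable 2008-or-later DC in its own domain) against the links OldSchoola is seeing. This is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition, and it relies on the server object's Name matching the DC's short name.

```powershell
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Inventory every DC in the forest by short name; IsReadOnly, Domain, Site and
# OperatingSystem are the properties the check below needs.
$dcs = @{}
foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain | ForEach-Object { $dcs[$_.Name] = $_ }
}

# A DC's "CN=NTDS Settings" object sits under its server object; the server object's
# Name is the DC's short name, which is the key into $dcs (assumption of this example).
function Get-ServerNameFromSettingsDN([string]$settingsDN) {
    $serverDN = ($settingsDN -split ',(?=CN=)', 2)[1]
    return (Get-ADObject -Identity $serverDN).Name
}

# RODC NTDS Settings objects are of class nTDSDSARO; writable DCs use nTDSDSA.
$rodcSettings = Get-ADObject -LDAPFilter "(objectClass=nTDSDSARO)" -SearchBase $configNC

foreach ($rodcSet in $rodcSettings) {
    $rodc = $dcs[(Get-ServerNameFromSettingsDN $rodcSet.DistinguishedName)]
    $hasGoodSource = $false

    # Inbound connection objects (what repadmin /showrepl lists) live under the RODC's
    # NTDS Settings object; fromServer is the source DC's NTDS Settings DN.
    $conns = Get-ADObject -LDAPFilter "(objectClass=nTDSConnection)" `
                          -SearchBase $rodcSet.DistinguishedName -Properties fromServer
    foreach ($conn in $conns) {
        $src = $dcs[(Get-ServerNameFromSettingsDN $conn.fromServer)]
        if ($null -eq $src) { "{0} <- {1}: source not in DC inventory" -f $rodc.Name, $conn.fromServer; continue }
        $writable   = -not $src.IsReadOnly
        $sameDomain = $src.Domain -eq $rodc.Domain
        $not2003    = $src.OperatingSystem -notlike "*2003*"
        if ($writable -and $sameDomain -and $not2003) { $hasGoodSource = $true }
        "{0} <- {1} [site {2}] writable={3} sameDomain={4} os={5}" -f `
            $rodc.Name, $src.Name, $src.Site, $writable, $sameDomain, $src.OperatingSystem
    }
    if (-not $hasGoodSource) {
        Write-Warning ("{0} has no inbound connection from a writable 2008+ DC in {1}" -f $rodc.Name, $rodc.Domain)
    }
}
```

An RODC whose only usable source is a 2003 DC is the case to fix before that 2003 DC is demoted; a connection from a writable DC in the parent domain is reported but does not count, because it cannot supply the child domain partition.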
-
Wednesday, April 10, 2013 3:41 AM
Also I'm noticing that these RODCs are DNS servers, but for some reason their DNS entries are not added to the r/w DNS servers in the child domain, or the r/w DNS servers in the parent domain.
Should I just input them in manually?
-
Wednesday, April 10, 2013 4:23 AM
I'm also seeing tons of these errors on one of the RODCs:
The zone x.x.x.in-addr.arpa was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition ForestDnsZones.domain.local. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.
Is this normal for a RODC?
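The event above says the same zone exists as a dnsZone object in two directory partitions. One way to list every zone that is stored in more than one partition, so the duplicate copy can be identified before anything is deleted (added example, not code from the thread; assumes the ActiveDirectory module, that it is run in the child domain, and that the DC it talks to hosts the DomainDnsZones and ForestDnsZones partitions, as a DNS server does):

```powershell
Import-Module ActiveDirectory

$domainNC = (Get-ADDomain).DistinguishedName
$forestNC = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName

# The three places an AD-integrated zone object can live: the legacy (Windows 2000 style)
# container in the domain partition, the domain-wide application partition, and the
# forest-wide application partition that the event message names.
$containers = @{
    "MicrosoftDNS (domain partition, legacy)" = "CN=MicrosoftDNS,CN=System,$domainNC"
    "DomainDnsZones"                          = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNC"
    "ForestDnsZones"                          = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNC"
}

# Map zone name -> list of partitions that hold a dnsZone object with that name.
$zonesByName = @{}
foreach ($label in $containers.Keys) {
    $zones = Get-ADObject -LDAPFilter "(objectClass=dnsZone)" -SearchBase $containers[$label] `
                          -SearchScope OneLevel -ErrorAction SilentlyContinue
    if ($null -eq $zones) { Write-Warning "No zones read from $label (partition not hosted here, or empty)" }
    foreach ($z in $zones) {
        if (-not $zonesByName.ContainsKey($z.Name)) { $zonesByName[$z.Name] = @() }
        $zonesByName[$z.Name] += $label
    }
}

# Report only the conflicts; a zone in exactly one partition is the normal state.
foreach ($name in ($zonesByName.Keys | Sort-Object)) {
    $where = @($zonesByName[$name])
    if ($where.Count -gt 1) {
        Write-Warning ("{0} is stored in {1} partitions: {2}" -f $name, $where.Count, ($where -join ", "))
    }
}
```

The script only reads the directory; which copy to keep is a decision for the zone owner, since the DNS server keeps serving the first copy it loaded and ignores the other.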