Promote and demote a domain controller windows server 2008

    Question

  • Hello everyone.

    I have read the information in the TechNet library about promoting and demoting domain controllers; however, this is the first time I'll do it in a production environment and I want to make sure that everything will work properly.

    In my organization I have a single site and a single domain, with 2 servers running as domain controllers, both Windows Server 2008, both global catalogs. They are not really servers: one is a conventional PC and the other a workstation. The PC is the primary domain controller. I now have the opportunity to put in an HP server to replace this PC because it is not very reliable.

    From what I understand I must use dcpromo.exe on this new server and make it a secondary domain controller. After completing this process, I should move the operations master roles to the new server and then use dcpromo.exe on the PC to remove Active Directory, and that's it.

    Is this all I need to do? How long after configuring the new server can I demote the PC, how long does correct replication and transfer of the roles take, and what tests can I perform to verify that everything is running well?

    What about DHCP and DNS settings? Is there any other role I need to transfer?


    Any help is welcome.

    Thanks.


    Johan C
    Wednesday, March 23, 2011 7:27 PM

Answers

  • So you want to add just another 2008 DC... you don't want it to be 2008 R2. The steps would be different.

    I'll go with just adding 2008 per the question. So yes, you would dcpromo it and make it an additional DC in the current domain.

    During the dcpromo process you should select the boxes to make it a DNS server and a global catalog. Then after the promotion you will have a new DC/DNS/GC.

    Update clients (static and DHCP) to use the new box for DNS.

    You can then transfer the FSMO roles to the new box.

    Use these procedures to move the DHCP database: http://blogs.technet.com/b/networking/archive/2008/06/27/steps-to-move-a-dhcp-database-from-a-windows-server-2003-or-2008-to-another-windows-server-2008-machine.aspx

    Once you are confident that everything is transferred, check the health of the new DC using tools like dcdiag/repadmin/event logs. When things look OK, use dcpromo to demote the old DC.

     

    Thanks

    Mike


    http://adisfun.blogspot.com
    http://twitter.com/mekline
    Wednesday, March 23, 2011 7:47 PM
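The first two steps of Mike's answer (promote the new server as an additional DC with DNS and GC, then repoint clients) as an added example; this is not code from the thread. It uses the Windows Server 2008 dcpromo answer-file format rather than the wizard. Assumed names: domain corp.example, site Default-First-Site-Name, existing DC/DNS/DHCP server OLDPC at 10.0.0.10, new server NEWDC at 10.0.0.12, DHCP scope 10.0.0.0 and a NIC called "Local Area Connection"; run elevated on NEWDC while its NIC still points at 10.0.0.10 for DNS, because dcpromo has to resolve the domain's SRV records.

```powershell
# Added example (not from the original post). Assumed: corp.example,
# Default-First-Site-Name, OLDPC 10.0.0.10, NEWDC 10.0.0.12, scope 10.0.0.0.
$Domain     = 'corp.example'
$Site       = 'Default-First-Site-Name'
$AnswerFile = 'C:\dcpromo-replica.txt'

function New-ReplicaAnswerFile {
    param([System.Management.Automation.PSCredential]$Cred, [string]$DsrmPassword)
    # [DCInstall] keys are the dcpromo /unattend format: additional DC in an
    # existing domain, install DNS, confirm GC. Same choices as the wizard.
    $lines = @(
        '[DCInstall]'
        'ReplicaOrNewDomain=Replica'
        "ReplicaDomainDNSName=$Domain"
        "SiteName=$Site"
        'InstallDNS=Yes'
        'ConfirmGc=Yes'
        'CreateDNSDelegation=No'
        "UserDomain=$Domain"
        "UserName=$($Cred.UserName)"
        "Password=$($Cred.GetNetworkCredential().Password)"
        'DatabasePath="C:\Windows\NTDS"'
        'LogPath="C:\Windows\NTDS"'
        'SYSVOLPath="C:\Windows\SYSVOL"'
        "SafeModeAdminPassword=$DsrmPassword"
        'RebootOnCompletion=No'
    )
    Set-Content -Path $AnswerFile -Value $lines -Encoding ASCII
}

function Invoke-ReplicaPromotion {
    $cred   = Get-Credential                      # a Domain Admins account
    $secure = Read-Host 'Directory Services Restore Mode password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    New-ReplicaAnswerFile -Cred $cred -DsrmPassword $dsrm
    try {
        & dcpromo.exe /unattend:$AnswerFile
    } finally {
        # The answer file holds two clear-text passwords; never leave it behind.
        Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
    }
    # Tail of the promotion log tells you whether it succeeded before you reboot.
    Get-Content "$env:SystemRoot\debug\dcpromo.log" | Select-Object -Last 5
    Write-Host "Reboot $env:COMPUTERNAME to finish the promotion, then let it replicate."
}

function Set-ClientDnsToNewDc {
    # Static clients: preferred = new DC, alternate = the remaining DC.
    netsh interface ip set dns name="Local Area Connection" source=static addr=10.0.0.12
    netsh interface ip add dns name="Local Area Connection" addr=10.0.0.10 index=2
}

function Set-DhcpScopeDnsOption {
    # DHCP clients: scope option 006, new DC first. Remove 10.0.0.10 from this
    # list again before OLDPC is demoted, or clients keep a dead DNS server.
    netsh dhcp server \\OLDPC scope 10.0.0.0 set optionvalue 006 IPADDRESS 10.0.0.12 10.0.0.10
}
```

Call Invoke-ReplicaPromotion on NEWDC; once it has rebooted and replicated, run Set-ClientDnsToNewDc on each statically configured machine and Set-DhcpScopeDnsOption once on the DHCP server (the scope option is an assumed layout; adjust it to the real scopes).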
  • For DHCP, proceed like Mike said.

    For AD and DNS, you can proceed like that:

    • Run netdom query fsmo to determine whether the DC to demote holds any FSMO roles
    • If it holds FSMO roles, transfer these roles to the second DC
    • If you are unable to transfer, then: isolate the DC, run dcpromo /forceremoval, perform a metadata cleanup and seize the FSMO roles that this DC held to the second DC
    • Install Windows Server on your new server
    • Promote the DC and make sure that it uses the second DC as primary DNS server
    • Install the DNS service on it: at the next AD replication, your domain zones will be created on the new DC and will be AD-integrated
    • Make sure that the new DC points to itself as primary DNS server and also make sure that it is a GC

    By proceeding like that, all should be okay.

    For the CA, on which server is it installed? Is it a root CA or a secondary one?

    Have a look at this Microsoft article about how to move a CA to another server:

    http://support.microsoft.com/kb/298138

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Wednesday, March 23, 2011 8:50 PM
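The FSMO part of the two answers above (netdom query fsmo, transfer, and the forceremoval/seize/metadata-cleanup fallback) as one added example; it is not code from the thread. It drives the Windows Server 2008 built-in tools, since the AD PowerShell module only arrived with 2008 R2. Assumed names: new DC NEWDC, old DC OLDPC, site Default-First-Site-Name, forest root corp.example. Run elevated on NEWDC as a member of Domain Admins plus Schema Admins and Enterprise Admins (the schema and naming master transfers need the latter two).

```powershell
# Added example (not from the original posts). Assumed: NEWDC, OLDPC, corp.example.
$NewDc = 'NEWDC'
$OldDc = 'OLDPC'
# Role names exactly as Windows Server 2008 ntdsutil expects them.
$Roles = 'schema master', 'naming master', 'infrastructure master', 'PDC', 'RID master'

function Get-FsmoHolders {
    # netdom query fsmo prints one "<role>   <holder fqdn>" line per role.
    $holders = @{}
    netdom query fsmo | ForEach-Object {
        if ($_ -match '^(\S.*?)\s{2,}(\S+)$') { $holders[$matches[1]] = $matches[2] }
    }
    return $holders
}

function Move-FsmoRoles([string]$Target, [switch]$Seize) {
    # "transfer" negotiates with the current holder; "seize" forces ownership and
    # is only for a holder that is gone for good (it must never be put back on
    # the network). ntdsutil pops up a confirmation dialog for each role.
    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    $cmds = @('roles', 'connections', "connect to server $Target", 'quit')
    foreach ($r in $Roles) { $cmds += "$verb $r" }
    $cmds += 'quit', 'quit'
    & ntdsutil.exe @cmds
}

function Remove-DcMetadata([string]$DcName, [string]$SiteName, [string]$ForestDn) {
    # Only after dcpromo /forceremoval on $DcName: delete its NTDS settings so
    # the remaining DCs stop trying to replicate with it. DNS records and the
    # Sites and Services server object still need a manual look afterwards.
    $serverDn = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,CN=Configuration,$ForestDn"
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" 'quit' 'quit'
}

# --- main flow: inventory, transfer only what the old DC holds, verify ---
$before = Get-FsmoHolders
$before.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }

if (@($before.Values) -match "^$OldDc\.") {
    Move-FsmoRoles -Target $NewDc
    $after = Get-FsmoHolders
    if (@($after.Values) -match "^$OldDc\.") {
        Write-Warning ("Roles remain on $OldDc. If it cannot be repaired: isolate it, run " +
            "dcpromo /forceremoval on it, then Move-FsmoRoles -Target $NewDc -Seize and " +
            "Remove-DcMetadata -DcName $OldDc -SiteName Default-First-Site-Name -ForestDn 'DC=corp,DC=example'.")
    } else {
        "All five FSMO roles are now held by $NewDc"
    }
} else {
    "$OldDc holds no FSMO roles; nothing to transfer"
}
```

The script deliberately never seizes on its own: a seize after a successful transfer, or with the old holder still reachable, produces two DCs claiming the same role, and the RID and schema masters in particular must exist exactly once.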
  • Hello,

    The new server should also be a DNS server and a Global Catalog server. For DNS I suggest using AD-integrated zones, if not already done; then installing the DNS server role is enough, as all DNS information is replicated from an existing DC.

    During promotion of the new DC, configure the preferred DNS on its NIC to use only ONE existing DC/DNS server; after complete replication, configure itself as preferred and another domain DNS server as secondary.

    Additionally, all domain machines must be configured on the NIC to use this as DNS server as well.

    Please forget the primary/secondary DC terms; all DCs are the same, just the FSMO roles differ. Any new DC is an additional, or second, third, etc.

    Transfer of FSMOs: http://support.microsoft.com/kb/324801 (applies also to higher OS versions).

    Move a CA: http://support.microsoft.com/kb/298138 http://technet.microsoft.com/en-us/library/cc742515(WS.10).aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Wednesday, March 23, 2011 11:33 PM
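The NIC DNS ordering Meinolf describes (one existing DC during promotion, itself first afterwards) together with a check that the AD-integrated zones have actually replicated before the switch, as an added example that is not part of his post. Assumed: NIC "Local Area Connection", existing DC/DNS 10.0.0.10, new DC 10.0.0.12, zones corp.example and _msdcs.corp.example; run elevated on the new DC.

```powershell
# Added example (not from the original post). Assumed: NIC "Local Area Connection",
# existing DNS 10.0.0.10, this DC 10.0.0.12, zones corp.example / _msdcs.corp.example.
$Nic         = 'Local Area Connection'
$ExistingDns = '10.0.0.10'
$SelfIp      = '10.0.0.12'
$Zones       = 'corp.example', '_msdcs.corp.example'

function Set-DnsClientOrder([string[]]$Servers) {
    # First entry becomes the static preferred DNS server, the rest alternates.
    $primary = $Servers[0]
    netsh interface ip set dns name="$Nic" source=static addr=$primary | Out-Null
    for ($i = 1; $i -lt $Servers.Count; $i++) {
        $alt = $Servers[$i]; $idx = $i + 1
        netsh interface ip add dns name="$Nic" addr=$alt index=$idx | Out-Null
    }
    netsh interface ip show dns name="$Nic"
}

function Test-ZonesReplicated {
    # Once the DNS role is on a DC, AD-integrated zones show up by themselves at
    # the next replication; dnscmd /ZoneInfo reports them as "DS integrated = 1".
    $ok = $true
    foreach ($z in $Zones) {
        $info = (dnscmd . /ZoneInfo $z 2>&1) -join "`n"
        if ($info -notmatch 'DS\s*integrated\s*=\s*1') {
            Write-Warning "Zone $z is not (yet) an AD-integrated zone on this server"
            $ok = $false
        }
    }
    return $ok
}

function Wait-ForZones([int]$TimeoutMinutes = 30) {
    # Poll rather than guess a replication delay; give up after the timeout.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if (Test-ZonesReplicated) { return $true }
        Start-Sleep -Seconds 60
    }
    return $false
}

# Step 1, before dcpromo: only ONE existing DC/DNS server on the NIC.
# Set-DnsClientOrder $ExistingDns
# Step 2, after promotion, DNS role install and replication: itself first,
# the other domain DNS server second. Never switch before the zones are there,
# or the new DC cannot even resolve its own domain.
# if (Wait-ForZones) { Set-DnsClientOrder $SelfIp, $ExistingDns }
```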
  • Regarding replication, since you have DCs in the same site, the replication interval for intra-site (same site) is 5 min, and you can also force replication using the command below.

    repadmin /syncall /APed

    Once you have made sure that all the roles and services are transferred to another DC, you can demote the old DC using dcpromo or dcpromo /forceremoval; force removal requires an additional step, i.e. metadata cleanup, along with a few manual cleanups: the folders under _msdcs in DNS, the Name Servers tab, and the NTDS object in ADSS.

    Make sure all the DCs are DNS servers and GCs too, and that all the systems and DCs point to the local DNS server, with no public or external IP address.

    Take a look at DNS best practices from DS team.

    http://awinish.wordpress.com/2011/03/08/dns-recommendations-from-microsoft/

    Metadata cleanup

    http://technet.microsoft.com/en-us/library/cc816907%28WS.10%29.aspx

    You can transfer the CA to another server, and using auto-enrollment in GPO you can install it on all the systems.

    Migrate/Upgrade CA from windows 2003 to windows 2008/R2

    http://awinish.wordpress.com/2011/02/05/migrateupgrade-ca-from-one-2003-to-2008r2/

    Auto enrollment of CA's.

    http://technet.microsoft.com/en-us/library/dd379539%28WS.10%29.aspx

    You can use nslookup to verify that DNS is working properly, and you can get a dcdiag diagnostic log by running this cmd: dcdiag /v /c /d /e >> c:\dcdiag.log


    Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain Controllers

    http://awinish.wordpress.com/2011/03/04/upgrade-from-windows-2003-to-20082008-r2-domain-controllers/

     

    Regards  


    Awinish Vishwakarma| MY Blog

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, March 24, 2011 4:13 AM
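The verification Awinish lists (repadmin /syncall /APed, dcdiag to a log, nslookup) turned into a go/no-go gate that has to pass before dcpromo is run on the old DC, as an added example that is not from his post. Assumed names: NEWDC, OLDPC, domain corp.example, log C:\dcdiag.log; run elevated on NEWDC after the roles have been moved and the DNS changes are in place.

```powershell
# Added example (not from the original post). Assumed: NEWDC, OLDPC, corp.example.
$Domain = 'corp.example'
$NewDc  = 'NEWDC'
$OldDc  = 'OLDPC'
$Log    = 'C:\dcdiag.log'

function Invoke-FullSync {
    # /A all partitions, /P push from this DC, /e every site, /d DNs instead of GUIDs
    repadmin /syncall /APed | Out-Null
}

function Test-ReplicationClean {
    # /showrepl prints "Last attempt @ ... failed, result <code>" for a broken link.
    $failed = repadmin /showrepl 2>&1 | Where-Object { $_ -match 'failed, result' }
    if ($failed) { $failed | ForEach-Object { Write-Warning $_ } }
    return (-not $failed)
}

function Test-DcdiagClean {
    # Verbose run to disk for the record; /q prints only failures, so an empty
    # result means every default test passed.
    dcdiag /v /c /e | Out-File $Log
    $problems = dcdiag /q 2>&1
    if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
    return (-not $problems)
}

function Test-SrvAdvertised {
    # A healthy DC registers itself under _msdcs (as a DC) and _gc._tcp (as a GC).
    $ok = $true
    foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain") {
        $answer = (nslookup -type=SRV $rec 2>&1) -join "`n"
        if ($answer -notmatch "$NewDc\.$Domain") {
            Write-Warning "$NewDc is not listed in $rec"
            $ok = $false
        }
    }
    return $ok
}

function Test-NoRolesOnOldDc {
    $left = netdom query fsmo | Where-Object { $_ -match "\b$OldDc\." }
    if ($left) { $left | ForEach-Object { Write-Warning "Still on old DC: $_" } }
    return (-not $left)
}

function Test-ReadyToDemote {
    Invoke-FullSync
    Start-Sleep -Seconds 30          # let the pushed changes land before checking
    $checks = @{
        'replication'  = Test-ReplicationClean
        'dcdiag'       = Test-DcdiagClean
        'srv records'  = Test-SrvAdvertised
        'fsmo off old' = Test-NoRolesOnOldDc
    }
    $checks.GetEnumerator() | ForEach-Object {
        '{0,-14} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
    }
    return (@($checks.Values) -notcontains $false)
}

if (Test-ReadyToDemote) {
    "Safe to run dcpromo on $OldDc (take 10.0.0.10 out of DHCP option 006 and client DNS first)."
} else {
    "Do not demote $OldDc yet; fix the failures above and re-run. Details: $Log"
}
```

The demotion itself is left to a human on the old DC: the script only answers whether the new DC is replicating, passing dcdiag, advertising as DC and GC in DNS, and holding every FSMO role.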

All replies

  • Thank you very much.

    The information is great.

    How can I transfer the FSMO roles? I know that when you demote the old domain controller it automatically transfers these roles to another server, but I would like to transfer them to this new server and not to the workstation.

     

    Thanks.


    Johan C
    Wednesday, March 23, 2011 8:20 PM
  • I like to transfer manually myself too; Daniel has a good step-by-step on the transfers here:

    http://www.petri.co.il/transferring_fsmo_roles.htm

    Thanks

     

    Mike


    http://adisfun.blogspot.com
    http://twitter.com/mekline
    Wednesday, March 23, 2011 8:43 PM
  • Thanks,

    What about certificates? We use our own CA; will this be affected?

     


    Johan C
    Wednesday, March 23, 2011 8:49 PM
  • The CA is installed in the pc that I'm using now as a server. It is a root CA.

    I have read the article. Is it the same procedure for Windows Server 2008? The article is for 2003 or 2000. Is there a problem if the new server does not have the same name as the old one when moving the CA?

     

    Thanks.


    Johan C
    Wednesday, March 23, 2011 9:48 PM
  • You said that the root CA is installed on the PC that you are using, so you don't have to move it (normally your PC is not a DC :) ).

    Remark: For security reasons, you should use secondary CAs and keep your root CA offline.

    If you proceed as mentioned in the article I gave, all should be okay. It is mentioned in the article that it applies to 2k and 2k3, but it should be similar on 2k8.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Wednesday, March 23, 2011 10:02 PM
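The command-line side of moving the CA (KB 298138: back up database, private key and CertSvc configuration on the old host, restore on the new one), as an added example that is not from the thread or the article. Assumed: old host OLDPC, new host NEWDC, backup folder C:\CABackup copied between them, service name CertSvc. The AD CS role is added on NEWDC through Server Manager, choosing "use existing private key" with the .p12 from the backup, before Restore-CaOnNewHost runs. Whether a plain text substitution of the host name in the exported registry key covers everything a renamed host needs is an assumption; the .reg file should be reviewed by hand first, and CRL/AIA URLs that embed the old name republished.

```powershell
# Added example (not from the original posts). Assumed: OLDPC -> NEWDC,
# backup folder C:\CABackup, service CertSvc.
$Backup  = 'C:\CABackup'
$RegKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$OldHost = 'OLDPC'
$NewHost = 'NEWDC'

function Backup-CaOnOldHost([string]$Password) {
    New-Item -ItemType Directory -Path $Backup -Force | Out-Null
    # Database plus CA certificate and private key (written as a password-protected .p12)
    certutil -p $Password -backup $Backup
    # CA configuration: CA name, CRL/AIA paths, policy module settings
    reg export $RegKey "$Backup\CertSvc-Configuration.reg" /y
    if (Test-Path "$env:SystemRoot\CAPolicy.inf") {
        Copy-Item "$env:SystemRoot\CAPolicy.inf" $Backup
    }
    # Keep the backup folder off the old DC's shares: it contains the root key.
    Get-ChildItem $Backup
}

function Restore-CaOnNewHost([string]$Password) {
    net stop certsvc
    certutil -p $Password -restore $Backup
    # The exported key still names the old server (CAServerName and any UNC or
    # URL that embeds it). ASSUMPTION: in this single-host setup a text
    # substitution is enough; review the file before importing it.
    $reg = "$Backup\CertSvc-Configuration.reg"
    (Get-Content $reg) -replace $OldHost, $NewHost | Set-Content $reg -Encoding Unicode
    reg import $reg
    net start certsvc
    certutil -ping                       # does the restored CA answer?
    certutil -getreg CA\CAServerName     # should now read NEWDC
}

# On OLDPC:  Backup-CaOnOldHost -Password (Read-Host 'backup password')
# On NEWDC:  Restore-CaOnNewHost -Password (Read-Host 'backup password')
```

The backup password protects the root CA's private key in transit; treat the folder like the key itself and delete it from both hosts once the restored CA issues and revokes correctly.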
  • Thanks Mr X. But I said the root CA is installed on the PC that I'm using as a server, not on my personal PC.
    Johan C
    Thursday, March 24, 2011 2:34 PM