Best practices planning for IP address selection for replacement domain controllers

    Question

  • Hi

    I'm starting this discussion to establish best practices for IP address selection for new domain controllers that are replacing existing domain controllers.

    I am quite often doing implementations where I'm putting in new DCs running Windows Server 2008 R2 and retiring old DCs running Windows Server 2003 after successful transition of all services. However, for this successful transition of services, all devices that have static IP addresses and are configured to use the old Windows Server 2003 DCs as their DNS servers need to be updated manually to use the new Windows Server 2008 R2 DCs as their DNS servers. This can be a fair bit of work and on some occasions, it is possible that one or more devices may be missed and not have their DNS server addresses updated.

    One way around it is to change the IP addresses of the new DCs to what the IP addresses of the old DCs would have been while they were alive. This eliminates the need to update any static IP configurations but I want to see if anyone can bring up any negatives or no-go reasons against this approach.

    The process I would use to update DC IP addresses is explained below with an example scenario.

    SCENARIO:
    The client has 2 DCs running Windows Server 2003 which are used as DNS servers by all devices on the network.

    LegacyDC1: 10.0.1.11 (primary DNS server)
    LegacyDC2: 10.0.1.12 (secondary DNS server)

    Then we build 2 new DCs running Windows Server 2008 R2 and assign them IP addresses as below and complete all AD replication, FSMO transfer etc.

    NewDC1:  10.0.1.13
    NewDC2: 10.0.1.14

    Then we demote LegacyDC2 from its DC role and assign its IP address to NewDC2 so we have the below:

    LegacyDC1: 10.0.1.11 (primary DNS server)
    NewDC2: 10.0.1.12 (secondary DNS server as it stole LegacyDC2's IP after it was decommissioned)
    NewDC1: 10.0.1.13

    Then we demote LegacyDC1 from its DC role and assign its IP address to NewDC1 so we have the below:

    NewDC1: 10.0.1.11 (primary DNS server as it stole LegacyDC1's IP after it was decommissioned)
    NewDC2: 10.0.1.12 (secondary DNS server as it stole LegacyDC2's IP after it was decommissioned)

    The above process ensures that a DNS server is available at all times during this transition from old DCs to new ones.

    Also, to ensure the IP address change on the DCs does not cause a problem, we ensure the below:

    1. Change the IP of the DC.
    2. Delete the A record for the DC's name from the forward lookup zone in DNS.
    3. Restart the DC or if this is not possible, flush the DNS cache (ipconfig /flushDNS), restart the DNS service, restart Netlogon service and register with DNS (ipconfig /registerDNS).

    I would be much obliged if others can share their experience and views about this.

    Many thanks

    Mohsin Abbas.

    Monday, June 18, 2012 10:29 AM

All replies

  • Hello,

    Your way sounds OK and is the option I would use also. Do not forget the reverse lookup zone when deleting the old DCs' A records and Nameserver records.

    As you are transferring FSMO roles do not forget to reconfigure the time service on the new PDCEmulator DC.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, June 18, 2012 10:45 AM
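    The checks below cover the original post's IP-swap procedure (A record, flush, re-register) together with Meinolf's two additions (reverse zone, time service on the new PDC emulator). This is an added verification script, not code from the thread or from Microsoft; it assumes the scenario's names and addresses, a hypothetical domain corp.example, that NewDC1 holds the PDC emulator role, and a domain-joined host with PowerShell 2.0 or later (no RSAT modules needed, so it also runs on 2008 R2).

```powershell
# Added verification script, not from the thread. Assumes the scenario's names
# and addresses, a hypothetical domain corp.example, that NewDC1 holds the PDC
# emulator role, and a domain-joined host with PowerShell 2.0 or later.
$domain   = 'corp.example'
$pdce     = 'NewDC1'
$expected = @{ "NewDC1.$domain" = '10.0.1.11'; "NewDC2.$domain" = '10.0.1.12' }
$retired  = @("LegacyDC1.$domain", "LegacyDC2.$domain")
$problems = @()

ipconfig /flushdns | Out-Null   # step 3 of the post: do not trust cached answers

foreach ($dc in $expected.Keys) {
    $ip = $expected[$dc]
    # A record: exactly one IPv4 address, and it must be the inherited one.
    $a = [System.Net.Dns]::GetHostAddresses($dc) |
         Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
         ForEach-Object { $_.IPAddressToString } | Sort-Object
    if (($a -join ',') -ne $ip) { $problems += "$dc A record(s) = [$($a -join ',')], expected $ip" }

    # PTR record: the reverse zone must name the new DC, not the retired one.
    try {
        $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
        if ($ptr -ne $dc) { $problems += "$ip PTR = $ptr, expected $dc" }
    } catch { $problems += "$ip has no PTR record" }
}

# Retired DC names must no longer resolve (a stale A record was left behind).
foreach ($old in $retired) {
    try {
        $stale = [System.Net.Dns]::GetHostAddresses($old) | ForEach-Object { $_.IPAddressToString }
        $problems += "$old still resolves to $($stale -join ',')"
    } catch { }   # NXDOMAIN is the desired outcome here
}

# Domain SRV records must not advertise a retired DC to clients.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>$null | Out-String
foreach ($old in $retired) {
    if ($srv -match [regex]::Escape($old)) { $problems += "SRV _ldap._tcp.dc._msdcs still lists $old" }
}

# Time service on the PDC emulator must use an external source, not its own clock.
$src = (w32tm /query /computer:$pdce /source | Out-String).Trim()
if ($src -match 'Local CMOS Clock|Free-running System Clock') {
    $problems += "$pdce time source is '$src'; configure an external NTP source"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'DNS and time checks passed' }
```

    Run it from a client that uses the new DCs as its DNS servers after each IP swap; every warning corresponds to a record or setting the thread says must be cleaned up.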
  • Hi Meinolf

    Thanks for the quick and helpful response on this. Yes, PTRs for old DCs will need to be deleted, thanks for pointing out.

    Also, yes, transferring the FSMO roles in most cases, so good advice about the time service as well.

    Thanks

    Mohsin.


    A little information is more dangerous than no information.

    Monday, June 18, 2012 10:50 AM
  • Changing the IP of the DC is well documented here, apart from the steps provided by Meinolf.

    http://technet.microsoft.com/en-us/library/cc794722%28v=ws.10%29.aspx

    You can refer below article to make new DC with PDC role to be the new time server.

    Windows Time Server Role in AD Forest/Domain

    http://awinish.wordpress.com/2011/10/07/time-server-role-in-forestdomain/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 18, 2012 11:07 AM
    Moderator
  • Thanks Awinish, most helpful.

    Regards

    Mohsin.


    A little information is more dangerous than no information.

    Monday, June 18, 2012 11:11 AM
  • Hi again

    Just to add, I don't believe anything needs to be updated for changing the IP address of a server that's running DHCP. Is there anything I am missing that you could point out?

    Thanks

    Mohsin.


    Best regards
    Mohsin Abbas
    MCP, MCTS
    My Blog: http://blog.mohsinabbas.com/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, June 18, 2012 3:00 PM
  • Make sure the IP is updated in the DNS, that is it.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 18, 2012 3:05 PM
    Moderator