DCPROMO (retiring a 2003 Domain Controller)

    Question


  • We have five Domain controllers (3 machines with 2003, 2 machines with 2008 R2 Standard).

    We are looking to demote (retire) the domain controllers with 2003 OS.  The FSMO has been moved to the 2008 machine (called AD4). We also did the AD & Forest prep to 2008 a few years ago.


    Background:

    1) Most of our servers and workstations reference the DNS of the 2003 DCs (also DNS server).

    2) Our terminal license server is on a 2003 DC (called AD1).  We have built a member server 2008 licensing server that holds the new CALS.  We haven't migrated the CALs from the 2003 machine.


    What do I need to do to demote my server (dcpromo)?  We plan to reuse the IP addresses from the 2003 DC once we demote them and reuse in the two 2008 ADs (the 2008 AD machines will occupy two IP addresses, its current and one from the 2003 DC). Are we going to have issues with current servers & workstations that reference the DNS servers of the 2003 ADs?

    We also plan to call MS to reissue CALS to the 2008 licensing server and retire the 2003 terminal licensing server (AD1).  We have to manually re-route any terminal server to point to the new licensing server?

    I have done lots of reading but would like your feedback. We will retire the 2003 DCs on separate weeks.  I also read that it is good practice to shut down the AD first to see if anything happens for a few days.

    TIA,
    tntrac


     


    • Edited by tntrac Tuesday, March 20, 2012 17:01
    Tuesday, March 20, 2012 17:00

All replies

  • Yes, you can assign the old DC IP address to the Win2008 DC. After doing so, restart the netlogon and DNS services and run ipconfig /flushdns, ipconfig /registerdns & dcdiag /fix; if possible, reboot the server after changing the IP address.

    If you proceed with removal of the old DC, shut it down and test if everything is working fine. Once testing is completed, plan the activity during non-business hours for DC removal.

    Also ensure that DNS and GC role is configured on all Win2008 DC.

    Finally once this is all accomplished go ahead and demote the dc to a member server (KB238369)

    http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx (how to demote a DC)

    http://technet.microsoft.com/en-us/library/cc755937(WS.10).aspx (how to decommission a DC)

    http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx (how to remove a DC from a domain)


    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Tuesday, March 20, 2012 17:09
  • Before you decom the 2003 DC, it would be a good idea to move it to an isolated site (create a new AD site with the IP of the 2003 DC, with a 32-bit subnet mask - 255.255.255.255). Once the DC is in its own site, load PortReporter (free from MSFT), this will allow you to see what machines are hard-coded (or not AD site aware) to the DC. You can then trace them back to their source and make sure they're updated before you actually power off the box. This is the safest method, although if you're in a rush you can still just power off the box and see what breaks. Whichever route you choose, the size and complexity of your environment will likely dictate the best route.

    Be certain you clean out AD(NTDSUTIL), site and services, AD objects, and DNS/WINS before you bring the new 2008 DC online with the same IP.

    Good luck

    Tuesday, March 20, 2012 17:16
  • We will be doing the shutdown meth for a day or two before retiring.  We already have 2008 AD machines that has been running for a few years now. We plan to add the additional IPs from the old DC onto the 2008 AD (not replacing the IP addresses, but addition).

    Manley - your method sounds good but we don't have the timeline to do it (it's been forced ASAP).


    • Edited by tntrac Tuesday, March 20, 2012 17:46
    Tuesday, March 20, 2012 17:45
  • Hello,

    What do I need to do to demote my server (dcpromo)? 

    Yes, you will need to demote it using dcpromo. Just check that there is at least a healthy DC with GC before demotion. To diagnose DC health, use the dcdiag /v command on all DCs you have.

    We plan to reuse the IP addresses from the 2003 DC once we demote them and reuse in the two 2008 ADs (the 2008 AD machines will occupy two IP addresses, its current and one from the 2003 DC). Are we going to have issue with current servers & workstation that reference to the DNS servers of the 2003 ADs?

    No. Just note that when changing IP addresses, the old 2003 DC will be temporarily unavailable. So, if it is the primary DNS server for client computers / servers then client computers / servers will use the secondary DNS server for DNS resolution. For that, make sure that each client computer has at least two internal DNS servers in use for DNS resolution.

    We also plan to call MS to reissue CALS to the 2008 licensing server and retire the 2003 terminal licensing server (AD1).  We have to manually re-route any terminal server to point to the new licensing server?

    Ask them here: http://social.technet.microsoft.com/Forums/en-US/winserverTS/threads

    To upgrade to AD DS 2008 / 2008 R2, please refer to this article: http://technet.microsoft.com/en-us/library/cc731188%28v=ws.10%29.aspx

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Tuesday, March 20, 2012 19:39
  • To upgrade to AD DS 2008 / 2008 R2, please refer to this article: http://technet.microsoft.com/en-us/library/cc731188%28v=ws.10%29.aspx


    We already have upgraded to AD DS 2008 R2, just retiring the old DCs that are 2003
    Tuesday, March 20, 2012 20:00
  • We will be doing the shutdown meth for a day or two before retiring.  We already have 2008 AD machines that has been running for a few years now. We plan to add the additional IPs from the old DC onto the 2008 AD (not replacing the IP addresses, but addition)?

    ANS. It seems you are not swapping the IP address; instead you are adding one more IP address to the DC. If this is the case, it is not recommended to assign two IP addresses to a DC. Do NOT multihome a domain controller.

    IP configuration best practice on DC:

    -->>MULTIHOMING Domain controllers is not recommended, it always results in multiple problems.
    ------------------------------------
    1. Domain Controllers should not be multi-homed
    2. Being a VPN Server and even simply running RRAS makes it multi-homed.
    3. DNS even just all by itself, is better on a single homed machine.
    4. Domain Controllers with the PDC Role are automatically Domain Master Browser. Master Browsers should not be multi-homed

    272294 - Active Directory Communication Fails on Multihomed Domain Controllers http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

    191611 - Symptoms of Multihomed Browsers
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

    -->> IP configuration on domain controller:
    ------------------------------------------
    1. Each DC / DNS server points to its private IP address as primary DNS server and other internal/remote DNS servers as secondary DNS in TCP/IP property.
    2. Each DC has just one IP address and one network adapter is enabled (disable unused NICs).
    3. If multiple NICs (enabled and disabled) are present on server, make sure the active NIC should be on top in NIC binding.
    4. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, March 20, 2012 20:37
  • Sandesh,

    Ok.  I was thinking inside the box.  Swapping the IP addresses would be much easier since it doesn't affect the servers & workstations referencing the DNS.

    I just never thought about changing IP addresses on a DC.  I am assuming once the DC has been demoted, removed from AD, and DNS has been cleaned up, the IP addresses of the old ADs can be swapped?

    My previous thinking was to add the retiring DCs' IP addresses to the 2008 AD machines (still using one network adapter, but add a second IP).

    I confirmed all my DCs are Global Catalog server.

    Reading this resource plus others..

    http://technet.microsoft.com/en-us/library/cc755937%28d=printer%29.aspx 

    • Edited by tntrac Tuesday, March 20, 2012 22:34
    Tuesday, March 20, 2012 22:23
  • Hi Tntrac,

    Yes, the IP addresses of the old DCs can be swapped after we demote the DCs and remove them from AD.

    We should not add a second IP address to the Server 2008 DC, as multihoming a domain controller will cause problems.

    Regards

    Kevin

    Wednesday, March 21, 2012 05:34
  • I would like to highlight one more point which people tend to miss during FSMO role transfer to the new DC: the movement of the time server role to the new DC holding the PDCEmulator role.

    Windows Time Server Role in AD Forest/Domain

    http://awinish.wordpress.com/2011/10/07/time-server-role-in-forestdomain/

    Changing the IP of the DC is not a big deal, you can swap it once you demote the DC. Post changing IP on the DC run ipconfig /registerdns or restart netlogon service. You can also run nltest /dsregdns and dcdiag /fix.

    http://technet.microsoft.com/en-us/library/cc794931%28v=ws.10%29.aspx

    You can refer to the article below as a reference to remove the remnants after demoting the DC, because when a DC is demoted a few records are still left in AD which require manual cleanup. If you demote the DC forcefully you need to perform metadata cleanup too.

    Remove References of a Failed DC/Domain Or Perform Metadata Cleanup

    http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, March 21, 2012 06:01
    Moderator
  • Hello,

    demoting a DC is as easy as installing, run dcpromo, reboot, done. If the server should still be used as member server, fine you are done. If it was DNS server either stop the DNS server service or uninstall DNS server role or still use it as secondary DNS.

    If the server should be completely removed from the domain, delete it from AD UC, AD sites and services (not done during demotion process), clean up DNS zones and zone properties and DHCP scopes where it may be listed as DNS server.

    Of course you can reuse the IP address of the retired machine, but I cannot see a reason. Before reusing it make sure replication has occurred and all DNS servers and DCs are up to date with the removed account and DNS records etc.

    Do NOT retire the old TS licensing server until you are sure the new one is working as expected. Therefore stop the old TS licensing server and work as before.

    Also shutting down the DCs to retire for 1-2 days is a good idea to see if still everything is working.

    IMPORTANT is that after transferring the FSMO roles the time service must be reconfigured, more details in:

    http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, March 21, 2012 06:55
  • Thanks guys for the topic of time server.  We did the time server move a while back when we first brought the 2008 DC online.

    We plan to retire the entire server.  Therefore, removing DNS too.  I thought part of the dcpromo, it asks to remove DNS (it's been a while since I did a demotion).

    One thing I notice on our first 2003 DC under Active Directory & Services, it has Exchange Settings folder. 

    MyDomain/Configuration/Sites/Default-First-Site-Name/Servers/AD1/Exchange Settings

    Drill down, I see a "Active Directory Connection" under Name and "ADC Service" under Type.  Not sure what that is?  Don't see any relevant information on that if I right click.


    • Edited by tntrac Wednesday, March 21, 2012 16:22
    Wednesday, March 21, 2012 16:15
  • If your DNS is AD-integrated, then you can simply uninstall DNS service from the DC you want to demote, but make sure DNS zones and its records appear on the existing DC with DNS. You can leave it or delete the ADC (Active Directory Connector), since it looks like it was used in the past and wasn't removed.

    http://forums.msexchange.org/m_1800544122/mpage_1/key_/tm.htm#1800544251

    http://www.msexchange.org/tutorials/overview-active-directory-connector.html


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, March 21, 2012 16:36
    Moderator
  • DNS is AD-integrated.  All other DCs have DNS.

    I am shutting one DC tonight ...


    • Edited by tntrac Wednesday, March 21, 2012 18:22
    Wednesday, March 21, 2012 18:22
  • If DNS is AD integrated all the DNS zones will be replicated to all DCs. You can safely remove the DNS role from the old DC; this will not remove DNS records from other DCs. Uninstall DNS from Control Panel -> Add/Remove Programs -> Add/Remove Windows Components -> Networking Services: uncheck DNS and click Next.

    Regarding configuring the authoritative time source, configure it on the PDC role holder server; below is the KB article for the same.
    http://support.microsoft.com/kb/816042

    Please also make sure that port 123 in the direction of the chosen NTP server is not blocked.

    For other domain computers / servers, make sure that they are using NT5DS for time sync. More here: http://support.microsoft.com/kb/223184

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Thursday, March 22, 2012 00:02
  • I ran a 'dcpromo' test at home tonight.  After completion and restarting, the machine still can access AD (Active Directory Users and Computers via dsa.msc).  Is that normal?

    Inside AD, the retired DC is no longer listed.

    Friday, March 23, 2012 07:56
  • I assume you can not access ADUC using DSA.MSC command line.

    what is the error message you are encountering when to try to access dsa.msc from run?

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 23, 2012 08:03
  • You need to verify which working DC console ADUC is working and I'm sure it's not the demoted/shutdown DC.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 23, 2012 08:06
    Moderator
  • I ran a 'dcpromo' test at home tonight.  After completion and restarting, the machine still can access AD (Active Directory Users and Computers via dsa.msc).  Is that normal?

    Inside AD, the retired DC is no longer listed.

    Hello,

    demoting will NOT remove the server from the domain, it just becomes a member server and is moved to the computers container in AD UC. So it is correct that you can use AD UC and also the other administrative tools on the server. Also in AD sites and services it must be removed manually, except if the server is still used for site aware applications like DFS for example.

    To completely remove it from the domain change the mode to workgroup and delete it from AD UC, AD sites and services and check the DNS zones and zone properties also, name server tab.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, March 23, 2012 08:11
  • Before you decom the 2003 DC, it would be a good idea to move it to an isolated site (create a new AD site with the IP of the 2003 DC, with a 32-bit subnet mask - 255.255.255.255). Once the DC is in its own site, load PortReporter (free from MSFT), this will allow you to see what machines are hard-coded (or not AD site aware) to the DC. You can then trace them back to their source and make sure they're updated before you actually power off the box.

    Instead of moving the system to separate site, I just stop netlogon service - that unregisters DNS records and effectively prevents native clients from connecting to the DC. I also enable LDAP logging to know exactly what are the LDAP clients accessing the DC. I also prefer powering off to orderly demotion - that gives the quickest backout plan (power the system back on), and cleaning out AD metadata is easy enough.

    -= F1 is the Key =-

    Friday, March 23, 2012 08:58
  • Were you able to demote the DC gracefully or forcefully? Are you using the server as a member server if its a graceful demotion or its been removed from the domain?


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 23, 2012 09:19
    Moderator
  • I was able to demote gracefully.  Server is still a member server.  In the domain controller OU, its not listed there any more.  This is a test run at home.  I am going to demote one domain controller at work tonight :)

    Friday, March 23, 2012 15:56
  • It seems that the adminpak tool was installed on the server before promotion and hence you are able to open ADUC even after normal demotion. Anyway, as long as the DCPROMO was successful, you don't need to be concerned too much, since the DC not being in the Domain Controller OU indicates the demotion was graceful.

    You can proceed with removal of other old Win2003 DC from n/w as per your plan.

    However, ensure that the client/member server DNS setting is pointing to an online DC once the servers are demoted. You may configure TCP/IP on all the clients, or adjust DHCP scope settings to make them use the online DNS server.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, March 23, 2012 16:58
  • Just an update.  We were able to demote a domain controller (AD3) successfully.  We intend to demote another domain controller (called AD1) this week.   I have a few questions from the previous postings above.

    Please note we have many member servers pointing to the DNS of AD1 & AD2 as the primary/secondary.

    This is my plan, please advise.

    1) Shutdown AD1 and swap ip addresses with AD4 (another domain controller). Clean up DNS.

    2) Then reboot AD4

    3) Bring AD1 up using the ip address of AD4.

    4) Next day, shutdown AD1 for a day to see if anything is broken

    5) Wait a day and bring AD1 online for a few hours and demote it the (same day)


    • Edited by tntrac Monday, April 16, 2012 19:16
    Monday, April 16, 2012 19:13
  • Hello,

    I would use a free address instead of shutting down AD1, as if you reboot it connected to the network you'll get an IP conflict. After using a free address run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service, NO reboot is required.

    Then check all DNS servers for the changes and make sure replication has occurred BEFORE changing the next one with the now free address from AD1.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, April 16, 2012 19:19
  • Meinolf,

    Thank you for your quick response.  My concern with your suggested steps would be the member servers having issues with the DNS since it will be down longer?

    For example, if my MEM_SERV1 points to AD1 & AD2 and if I change IP addresses on AD1, would MEM_SERV1 have any issues or will it just resolve to AD2?  I am more concerned with servers such as Exchange looking for DNS servers.

    Monday, April 16, 2012 21:02
  • Hello,

    as the DCs will replicate the changes intrasite within a short time, 30 seconds, there shouldn't be a problem as long as the machines have at least one available DNS server. You can also use the repadmin command to initiate replication, so basically the updates to DC/DNS shouldn't take a day as your planning goes, much faster.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, April 16, 2012 21:06
  • Followed you suggestion, it worked great!!  We did not demote & retire the server yet as our programming team will look over to make sure some applications are not pointing to it.

    On the same date, we did reboot a few Exchange 2003 servers hours later (our monthly routine).  On the Exchange servers, we removed the DNS entry pointing to AD1.  Upon doing a "netstat -a", we see a few different entries such as below, which I assumed are normal.

    TCP    ExchangeServer1:59366           AD1.MyDomain.com:msft-gc  ESTABLISHED
    TCP    ExchangeServer1:54553           AD1.MyDomain.com:1029  ESTABLISHED

    Friday, April 20, 2012 23:49
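
One way to run the check this thread keeps coming back to, listing what a member server still has open to a DC before that DC is retired, as an added PowerShell example (not code from any post here). The function names are hypothetical; the first two sample lines are the ones posted above and the rest are constructed; treating a remote port in 1025-5000 as a dynamic RPC port is an assumption based on the Windows Server 2003 default dynamic range.

```powershell
# Added example: which DC services does this host still use on a DC that is
# about to be retired? Works on the text that "netstat -a" (or -an) prints.

# Remote port as netstat shows it: service name from etc\services, or number.
$DcServices = @{
    'domain'       = 'DNS';                     '53'   = 'DNS'
    'kerberos'     = 'Kerberos';                '88'   = 'Kerberos'
    'epmap'        = 'RPC endpoint mapper';     '135'  = 'RPC endpoint mapper'
    'ldap'         = 'LDAP';                    '389'  = 'LDAP'
    'microsoft-ds' = 'SMB';                     '445'  = 'SMB'
    'ldaps'        = 'LDAP over SSL';           '636'  = 'LDAP over SSL'
    'msft-gc'      = 'Global catalog';          '3268' = 'Global catalog'
    'msft-gc-ssl'  = 'Global catalog over SSL'; '3269' = 'Global catalog over SSL'
}

# Hypothetical helper: label a remote port for the report.
function Get-DcServiceLabel([string]$Port) {
    if ($DcServices.ContainsKey($Port)) { return $DcServices[$Port] }
    $n = 0
    if ([int]::TryParse($Port, [ref]$n) -and $n -ge 1025 -and $n -le 5000) {
        return 'Dynamic port, likely RPC (assumption)'
    }
    return 'Other'
}

# Hypothetical helper: compare IPv4 addresses exactly, host names by their
# first label so that AD1 and AD1.MyDomain.com are treated as the same DC.
function Test-SameHost([string]$A, [string]$B) {
    $ipv4 = '^\d{1,3}(\.\d{1,3}){3}$'
    if ($A -match $ipv4 -or $B -match $ipv4) { return ($A -eq $B) }
    return ($A.Split('.')[0] -eq $B.Split('.')[0])
}

function Get-DcDependency {
    param(
        [string[]]$NetstatLines,   # output of "netstat -a", "-an" or "-ano"
        [string]$DcName            # name or IPv4 address of the DC being retired
    )
    foreach ($line in $NetstatLines) {
        # Columns: Proto, Local Address, Foreign Address, State, optional PID
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED(\s+\d+)?\s*$') {
            $localEnd = $Matches[1]
            $remote   = $Matches[2]
            $i = $remote.LastIndexOf(':')      # the port follows the last colon
            if ($i -lt 1) { continue }
            $remoteHost = $remote.Substring(0, $i)
            $remotePort = $remote.Substring($i + 1)
            if (Test-SameHost $remoteHost $DcName) {
                New-Object PSObject -Property @{
                    Local   = $localEnd
                    Remote  = $remoteHost
                    Port    = $remotePort
                    Service = (Get-DcServiceLabel $remotePort)
                }
            }
        }
    }
}

# Sample input: lines 2 and 3 are from the post above, the others are constructed.
$sample = @(
    '  Proto  Local Address           Foreign Address                State'
    '  TCP    ExchangeServer1:59366   AD1.MyDomain.com:msft-gc       ESTABLISHED'
    '  TCP    ExchangeServer1:54553   AD1.MyDomain.com:1029          ESTABLISHED'
    '  TCP    ExchangeServer1:54570   AD4.MyDomain.com:ldap          ESTABLISHED'
    '  TCP    ExchangeServer1:54601   AD1.MyDomain.com:microsoft-ds  ESTABLISHED'
    '  TCP    ExchangeServer1:smtp    ExchangeServer1:0              LISTENING'
)

# Live use on a member server: Get-DcDependency -NetstatLines (netstat -a) -DcName 'AD1'
$found = @(Get-DcDependency -NetstatLines $sample -DcName 'AD1')
$found | Sort-Object Service | Format-Table Service, Port, Local, Remote -AutoSize
```

An empty result on every member server after the shutdown test window is the signal that nothing on those hosts is still bound to the DC being retired.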
  • This looks ok to me, since you have not demoted the DC it can connect to any DC based on round robin DNS query.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Saturday, April 21, 2012 06:53
    Moderator
  • Thank you.

    Monday, April 23, 2012 23:10