Directory services migration, logon server problem

    Question

  • Hi,

    Our company is now planning a migration of AD to Windows 2012 R2.

    Today the AD setup looks like this:

    Server1.domain.local Windows 2003 (holds all FSMO roles)

    Server2.domain.local Windows 2012 R2

    Server3.domain.local Windows 2012 R2

    Server4.domain.local Windows 2012 R2

    So we plan to move all FSMO roles to Server2 and demote Server1. Domain.local consists of 200-300 servers, including SQL Server Always On availability groups, web servers and application services. A lot of domain user service accounts are used on servers.

    So what I am afraid of is that some servers that used Server1 as their DC will require a restart. Our operation is 24/7 and we can allow restarts only during a planned service window. So for now I need to figure out which servers use Server1.

    I picked one server for a test and here is what I get:

    echo %logonserver% gives Server3, but I guess that is for my particular user account

    nltest /dsgetdc:domain.local gives Server2

    nltest /sc_query gives Server1

    So my question is: how can I make sure whether the server does or doesn't require a restart after Server1 is demoted?

    Wednesday, February 22, 2017 11:36 AM

All replies

  • Hello,

    Being the logon server for a user does not mean that the system they are logged in to requires a restart after DC demotion. You can easily verify that by temporarily shutting down Server1 and seeing if anyone experiences problems (you can even just disable the network connection on it to reduce the downtime in case you need to bring it back up fast).

    Normally Windows systems don't require a restart if the domain controller they used to authenticate to gets demoted or switched off.

    /Regards

    Wednesday, February 22, 2017 12:47 PM
  • Hi,

    OK, let's say we can skip that for users. What about servers?

    Wednesday, February 22, 2017 2:26 PM
  • Hi

    As mentioned, your authentication results relate to user accounts. So when a service or app tries to authenticate to AD, it uses LDAP, DNS, etc. (specific config). So do you have other additional domain controllers with the DNS and GC roles? If SQL or Exchange does not reach DC1, they try to reach the other available DCs (which have the DNS and GC roles). But if there is an application that specifically uses the DC1 hostname, IP address, etc., there would be a problem.

    Also you should plan all migration scenarios after working hours. Every migration carries a risk, and you need enough time to fix the issue if something goes wrong.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Thursday, February 23, 2017 7:38 AM
  • Hi Burak,

    >>As mentioned, your authentication results relate to user accounts.

    I'm pretty sure that only the first method is about the user account. Nltest has no relationship to users; however, I'm also not quite sure how it works.

    Here is what description from MS says:

    /dsgetdc Queries the Domain Name System (DNS) server for a list of domain controllers and their corresponding IP addresses. This parameter also contacts each domain controller to check for connectivity.

    Here I'm not sure why it returns only one DC name, as per the description, and not all four of them.

    /sc_query Reports on the state of the secure channel the last time that you used it. (The secure channel is the one that the NetLogon service established.) This parameter lists the name of the domain controller that you queried on the secure channel, also.

    This one looks to be per computer.

    >>If SQL or Exchange does not reach DC1, they try to reach the other available DCs (which have the DNS and GC roles).

    For Exchange it is true. But SQL does not have its own DC locator, so it relies on Windows.

    >>Also you should plan all migration scenarios after working hours.

    This is understandable, but if I have to deal with hundreds of servers that have specific restart routines, I will never have enough time. Weekends are not an option for us, so only night time is acceptable.

    I'm also worried about NTLMv1. I do not know if it is used anywhere or not, and most likely I will not be able to use it when I have Windows 2012 R2 DCs. Is there any way to check it?

    Thursday, February 23, 2017 10:36 AM
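    One way to answer the NTLMv1 question from the event logs, as an added example that is not part of the thread: security event 4624 records the NTLM version in its "Package Name (NTLM only)" field (LmPackageName in the event XML), and it is written on the machine where the logon session is created, so the member servers have to be queried as well as the DCs. The script assumes "Audit Logon" success auditing is enabled, remote event log access works from where it runs, and the RSAT ActiveDirectory module is available for the default computer list; the parameter names are the example's own.

    ```powershell
    # Added example (not from the thread). Finds accounts and hosts still using NTLMv1
    # by reading event 4624 where LmPackageName is 'NTLM V1'. Assumes Audit Logon success
    # auditing is on and the caller can read the remote Security logs.
    param(
        # Default: every enabled server-class computer account (needs the ActiveDirectory module).
        [string[]]$Computers = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' |
                                Select-Object -ExpandProperty DNSHostName),
        [int]$Days = 7
    )

    # XPath lets the remote event log service do the filtering instead of shipping every 4624.
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $($Days * 86400000)]]" +
             " and EventData[Data[@Name='LmPackageName']='NTLM V1']]"

    $hits = foreach ($c in $Computers) {
        try {
            Get-WinEvent -ComputerName $c -LogName Security -FilterXPath $xpath -ErrorAction Stop |
            ForEach-Object {
                # Turn the <Data Name='...'> elements of the event XML into a lookup table.
                $d = @{}
                ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
                [pscustomobject]@{
                    Server      = $c
                    Time        = $_.TimeCreated
                    Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Workstation = $d.WorkstationName
                    SourceIp    = $d.IpAddress
                    LogonType   = $d.LogonType
                }
            }
        } catch {
            # 'No events found' is the good case; anything else means the host needs a manual look.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "$c : $($_.Exception.Message)"
            }
        }
    }

    # One row per account / source pair: the list of things that still speak NTLMv1.
    $hits | Group-Object Account, Workstation, SourceIp |
        Select-Object @{n='Count';e={$_.Count}},
                      @{n='Account';e={$_.Group[0].Account}},
                      @{n='Workstation';e={$_.Group[0].Workstation}},
                      @{n='SourceIp';e={$_.Group[0].SourceIp}},
                      @{n='LastSeen';e={($_.Group | Measure-Object Time -Maximum).Maximum}} |
        Sort-Object Count -Descending | Format-Table -AutoSize
    ```

    Run it over a week or two before the DCs change so that infrequent jobs show up; an empty table across all servers means no NTLMv1 logons were recorded in that window, not that the protocol is disabled.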
  • Hi,
    I doubt there is a built-in method to check that, but you could try using the Network Monitor tool on the DC for a few days to capture some information and see which servers are talking to the DC.
    https://www.microsoft.com/en-sg/download/details.aspx?id=4865
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, February 27, 2017 8:14 AM
    Moderator
    It turned out that it is not necessary to do any restart. On some servers we manually ran nltest /sc_reset to get another DC. But most servers worked fine after the migration, and we have not received any incidents about this migration for about a week. We moved the IP address of Server1 to Server3; maybe that helped. And the name Server1 points to Server3 (with the IP of Server1) in DNS.

    Tuesday, February 28, 2017 1:05 PM
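    The two operational steps in this thread, finding which servers' NetLogon secure channel points at Server1 (the original question) and re-pointing it with nltest /sc_reset (the final post), as one added example that is not part of the thread. It runs nltest remotely on every server-class computer account, parses the "Trusted DC Name" line of nltest /sc_query, and only resets a channel when -Reset is given. It assumes PowerShell Remoting is enabled on the member servers, the caller is an administrator on them, and the RSAT ActiveDirectory module is installed where it runs; the server and domain names are the thread's, the parameter and file names are the example's own.

    ```powershell
    # Added example (not from the thread). Inventories the NetLogon secure channel of each
    # server and, with -Reset, moves channels still aimed at the DC being demoted to the new DC.
    # Assumes PowerShell Remoting, admin rights on the servers and the ActiveDirectory module.
    param(
        [string]$Domain = 'domain.local',
        [string]$OldDc  = 'Server1',
        [string]$NewDc  = 'Server2',
        [switch]$Reset              # inventory only unless explicitly asked to re-point
    )

    Import-Module ActiveDirectory

    # Every enabled server-class computer account in the domain.
    $servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' |
               Select-Object -ExpandProperty DNSHostName

    # Runs on each member server.
    $probe = {
        param($Domain, $OldDc, $NewDc, $Reset)

        # nltest prints 'Trusted DC Name \\dc.domain.local'; keep only the host name part.
        function Get-TrustedDc {
            $line = (& nltest.exe "/sc_query:$Domain" 2>&1) -match 'Trusted DC Name'
            [string]($line -replace '.*\\\\', '')
        }

        $before = Get-TrustedDc
        $after  = $before
        if ($Reset -and $before -like "$OldDc*") {
            # Same command the thread used, aimed at the DC that now holds the roles.
            & nltest.exe "/sc_reset:$Domain\$NewDc" | Out-Null
            $after = Get-TrustedDc
        }

        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            SecureChannel = $before
            AfterReset    = $after
            TargetsOldDc  = [bool]($before -like "$OldDc*")
        }
    }

    $results = Invoke-Command -ComputerName $servers -ScriptBlock $probe `
                   -ArgumentList $Domain, $OldDc, $NewDc, $Reset.IsPresent `
                   -ErrorAction SilentlyContinue

    # Servers whose channel still points at the DC being demoted come first.
    $results | Sort-Object TargetsOldDc -Descending |
        Select-Object Computer, SecureChannel, AfterReset, TargetsOldDc | Format-Table -AutoSize

    # Hosts that did not answer need a manual check before the service window.
    $queried = $results | ForEach-Object PSComputerName
    $servers | Where-Object { $_ -notin $queried } | ForEach-Object { "Not queried: $_" }
    ```

    Saved as, say, Get-SecureChannelTargets.ps1, a plain run gives the inventory and `.\Get-SecureChannelTargets.ps1 -Reset` re-points only the channels that still name Server1; the AfterReset column confirms which DC each server ended up on without a restart.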
  • Hi,
    Thank you for sharing, and if your solution is working for you, could you please mark it as the answer? It will be greatly helpful to others who have the same question.
    We appreciate your feedback.
    Best regards,
    Wendy


    Wednesday, March 1, 2017 1:59 AM
    Moderator