I'm going to replace an ageing domain controller (5+ years old) soon and was wondering just what procedure you guys use (I mean in what order). This is how I usually do things, but I'm just curious if people do things differently.
1. Firstly install Server 2003 SP2 and/or R2 then join the existing domain as a member server.
2. Export DHCP from existing DC and import DHCP onto member server.
3. Promote new member server to a domain controller
4. Transfer FSMO Roles by GUI as described here
5. Create a new Global Catalog
6. Create a Secondary DNS Zone
7. Unauthorise old DHCP database
8. Remove old Global Catalog
9. Change the role of the new DNS server to Primary DNS
10. Remove the old domain controller from the network and change the new domain controller IP address
11. Rename the domain controller so it's the same as the old domain controller
The question I've often asked though is "how long is enough" for replication to take place between two domain controllers? Many thanks!
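An added check for the FSMO-transfer and replication steps above (example code, not from the thread): it parses output in the shape of `netdom query fsmo` and `repadmin /showrepl` (both constructed samples here, with the hypothetical names NEWDC/OLDDC.example.local) and only reports the old DC as ready for demotion once every role sits on the new DC and no partition shows a failed inbound replication attempt, which is a better cutover gate than waiting a fixed time.

```python
import re

# Constructed sample in the shape of "netdom query fsmo" output (not captured
# from a real server); NEWDC/OLDDC.example.local are hypothetical names.
FSMO_OUTPUT = """\
Schema owner                NEWDC.example.local
Domain role owner           NEWDC.example.local
PDC role                    NEWDC.example.local
RID pool manager            NEWDC.example.local
Infrastructure owner        OLDDC.example.local
The command completed successfully.
"""

# Constructed sample in the shape of "repadmin /showrepl" inbound-neighbour lines.
REPL_OUTPUT = """\
DC=example,DC=local
    Default-First-Site-Name\\OLDDC via RPC
        Last attempt @ 2009-01-27 15:50:12 was successful.
CN=Configuration,DC=example,DC=local
    Default-First-Site-Name\\OLDDC via RPC
        Last attempt @ 2009-01-27 15:50:13 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
"""

ROLES = ("Schema owner", "Domain role owner", "PDC role",
         "RID pool manager", "Infrastructure owner")

def fsmo_holders(text):
    """Map each of the five FSMO roles to the DC named on its line."""
    holders = {}
    for line in text.splitlines():
        for role in ROLES:
            if line.startswith(role):
                holders[role] = line[len(role):].strip()
    return holders

def roles_not_on(text, new_dc):
    """Roles still to be transferred before the old DC can be demoted."""
    return sorted(r for r, h in fsmo_holders(text).items()
                  if h.lower() != new_dc.lower())

def failed_partitions(text):
    """Naming contexts whose last inbound replication attempt failed."""
    failed, current = [], None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = line.strip()   # partition header, e.g. DC=example,DC=local
        elif re.search(r"Last attempt @ .* failed", line):
            failed.append(current)
    return failed

def ready_to_demote(fsmo_text, repl_text, new_dc):
    """True only when all roles are on new_dc and no partition is failing."""
    return not roles_not_on(fsmo_text, new_dc) and not failed_partitions(repl_text)
```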
looks good to me.
You don't really need to do anything with DHCP other than create the range and reservations; everything else will recreate itself.
You also don't really need to use the same IP address for the domain controller. Just create a new one and point the clients (using DHCP) to the new DNS server. This might be a lot cleaner than trying to replicate the old setup.
You're right about DHCP, but as for DNS I suppose I like to keep things simple. Keeping the same IP and server name can save a lot of time too.
It sounds like you're only using a single DC? If I were you I'd strongly consider having a second DC, even if it's the old one. If your DC goes down you'll be in a much better position to recover.
I do generally stick to single domain controllers, but I normally implement RAID1 on the system drive for redundancy.
Don't forget Certificate Services and possibly IIS settings and IAS (Radius) if you have it installed.
If your DNS is AD-integrated you don't need to do anything with primary and secondary servers, it just works. (If it's not already integrated, now is a good time.)
What would Certificate Services typically be used for?
I do run IIS just for WSUS 3.0, which is straightforward. It's just a case of re-installing WSUS 3.0 on the new server, then exporting and re-importing the database and the files themselves.
DNS is AD integrated already. I see no reason for it not to be!
Good, just make sure you install DNS on the new one and AD will take care of copying the zones for you.
Certificate services is for issuing (usually) SSL certificates and RADIUS certificates, but also X.509s for encryption etc. If you don't know about it, it's almost certainly not on there.
Of course, silly me! All AD integrated DNS servers are essentially primaries anyway. Just as well I do a checklist before starting!
I've never had the need to issue SSL certificates in a domain but just for websites, like for payment gateways. I suppose it's something that could be used with Exchange servers I presume?
Normally if it's a service you're going to expose, you'll get an SSL certificate from Verisign/Comodo/similar because it'll be trusted by a browser at home, for example. But if you're going to issue internally only, you can configure your clients to trust your certificate server in the same way.
It does lots of other things too: EFS is based on certificates; so is RADIUS; they can be used for two-factor authentication; etc etc etc.
Well, kind of... they're not really primaries, they're just equal. It's a bit like the move from an NT4 PDC/BDC to Windows 2000 domains where all DCs are born equal (but under the hood, some not actually quite so equal).
Last edited by powdarrmonkey; 27th January 2009 at 04:06 PM.
While you are at replacing all your servers you should look into virtualising all your servers on to one or two high spec servers with a SAN.
On the transfer of DHCP, I would suggest that when you put it onto the new box you look at using reservations to help with easy tracking of clients. It is not as if you are likely to run out of IPs, and it is good for providing an audit trail too.
Can I just say "thanks" for the guide and everyone's comments.
It's something I haven't got much of a clue on, but it looks as if I'll have to do sometime in the next few months.