Forklift Procedure for Replacing a Server 2003 Domain Controller with new hardware running Server 2008 R2 x64.
This document details the procedure for replacing an original domain controller running Windows 2000 Server or higher (referred to in this document as SOURCE) with another server running Windows 2000 Server or higher (referred to in this document as DESTINATION). During this procedure you will need a third server for temporary use (referred to in this document as TRANSITIONAL) – normally, this server is introduced in the form of a virtual machine, but a physical machine is also acceptable.
NOTE: if you experience replication problems, you can track replication progress using REPLMON.
NOTE: this document assumes that all forest operations will be performed by a member of the Schema Admins group, all domain operations will be performed by a member of the Enterprise Admins group, and that all local operations will be performed by a member of the Administrators group local to the targets in question.
Pre-migration Tasks
· Create a standalone server running the same OS version as the replacement server. This server will be TRANSITIONAL
· On SOURCE server, install the Windows Support Tools from the \SUPPORT\TOOLS folder on the respective operating system CDs.
· Test the SOURCE server for problems
o Click Start, Programs, Windows Support Tools, and click Command Prompt.
o From the command line, enter the command netdiag, and address any problems that are listed
o From the command line, enter the command dcdiag, and address any problems that are listed
· Fill out FILE SHARE and PRINTER worksheets using information from SOURCE
File Shares Worksheet

SHARE NAME / LOCATION ON DISK   | SHARE PERMISSIONS / NTFS PERMISSIONS | COMMENT / CACHING
--------------------------------+--------------------------------------+------------------
                                |                                      |
                                |                                      |
                                |                                      |

Printer Shares Worksheet

PRINTER NAME / DRIVER | IP ADDRESS / PORT | SHARE NAME / COMMENTS | PRINTER OPTIONS
----------------------+-------------------+-----------------------+----------------
                      |                   |                       |
                      |                   |                       |
                      |                   |                       |
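The netdiag/dcdiag step above is the gate for everything that follows, so it is worth keeping the raw output and a summary of what failed. The script below is an added example and is not part of the original procedure: it runs dcdiag against SOURCE from any machine that has dcdiag and repadmin (the Support Tools on 2003, the AD DS tools on 2008 R2), saves the output, and lists the failed tests and any replication partners with failures. "SOURCE" is a placeholder host name; netdiag is not included because it only tests the machine it runs on, so run it on SOURCE as the step says.

```powershell
# Added example, not part of the original procedure: run the dcdiag and
# replication checks against SOURCE, keep the raw output, and summarise what
# must be fixed first. "SOURCE" is a placeholder host name.
param([string]$Source = "SOURCE")

# Names of the tests dcdiag reports as failed ("... SOURCE failed test Replications").
function Get-DcdiagFailures([string[]]$dcdiagOutput) {
    $failed = @()
    foreach ($line in $dcdiagOutput) {
        if ($line -match 'failed test (\S+)') { $failed += $Matches[1] }
    }
    return $failed
}

# Rows of "repadmin /replsummary" with a non-zero failure count. A row looks like
#   SOURCE      05m:12s    2 /   5   40  (1722) The RPC server is unavailable.
function Get-ReplicationFailures([string[]]$replsummaryOutput) {
    $rows = @()
    foreach ($line in $replsummaryOutput) {
        if ($line -match '^\s*(\S+)\s+.+?\s(\d+)\s*/\s*(\d+)\s+\d+' -and [int]$Matches[2] -gt 0) {
            $rows += New-Object PSObject -Property @{ Dsa = $Matches[1]; Fails = [int]$Matches[2]; Total = [int]$Matches[3] }
        }
    }
    return $rows
}

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$logDir = Join-Path $env:TEMP "premigration-$stamp"
New-Item -ItemType Directory -Path $logDir | Out-Null

# /q keeps only failures; stderr is merged so nothing is lost from the log.
$dcdiag = @(& dcdiag "/s:$Source" /q 2>&1 | ForEach-Object { "$_" })
$dcdiag | Out-File (Join-Path $logDir "dcdiag.txt")
$repl = @(& repadmin /replsummary 2>&1 | ForEach-Object { "$_" })
$repl | Out-File (Join-Path $logDir "replsummary.txt")

$failures = @(Get-DcdiagFailures $dcdiag)
$replFail = @(Get-ReplicationFailures $repl)
"Raw output saved under $logDir"
if ($failures.Count -eq 0 -and $replFail.Count -eq 0) {
    "$Source passed dcdiag and shows no replication failures."
} else {
    if ($failures.Count -gt 0) { Write-Warning ("dcdiag failed tests: " + ($failures -join ", ")) }
    foreach ($r in $replFail) { Write-Warning ("{0}: {1} of {2} replication attempts failed" -f $r.Dsa, $r.Fails, $r.Total) }
    Write-Warning "Address these before running adprep; a DC that is not replicating will not receive the schema changes."
}
```

Keep the log directory with the worksheets; if replication turns out to be broken later in the procedure, the pre-migration output shows whether the problem was there from the start.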
On the SOURCE server, insert the Server 2008 installation media (or browse to the shared files), navigate to the d:\support\adprep folder, and execute adprep32 /forestprep.
Enter “C” to confirm when prompted.
If it has not already been done, use Active Directory Domains and Trusts to raise the forest functional level to Windows Server 2003.
Launch adprep32 /domainprep, followed by adprep32 /gpprep
On SOURCE, perform adprep32 /rodcprep
Join the TRANSITIONAL server to the domain
On the SOURCE server, export the DHCP database using the following Net Shell command:
netsh dhcp server export c:\dhcpdb 192.168.40.0
Shut down DHCP on the SOURCE server
Install DHCP on the TRANSITIONAL server
You will get an error after the selection of Global Catalog prior to the promotion. See http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23473042.html
Copy the DHCP database backup from \\[SOURCE]\c$ to c:\ on the TRANSITIONAL server
Import the DHCP database from the backup
netsh dhcp server import C:\dhcpdb 192.168.40.0
On TRANSITIONAL, net stop dhcpserver
On TRANSITIONAL, net start dhcpserver
Open dhcpmgmt.msc and confirm that your options migrated. If so, set the startup type of the DHCP service on SOURCE to DISABLED
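The DHCP move is the one place in this procedure where two servers can briefly offer the same addresses, so the order matters: stop SOURCE's service before importing, and only disable it for good once the scopes are confirmed on TRANSITIONAL. The script below is an added example, not part of the original procedure. It is run on TRANSITIONAL after the DHCP role is installed and after SOURCE has exported its database to C:\dhcpdb; it compares the scope lists from both servers rather than relying on a glance at dhcpmgmt.msc. Host names, the backup file name and the scope id are placeholders mirroring the procedure; it assumes the account has administrative rights on SOURCE (for the admin share and the remote service control).

```powershell
# Added example, not part of the original procedure: run on TRANSITIONAL to
# pull the DHCP export from SOURCE, import it, and verify the scopes arrived
# before DHCP on SOURCE is disabled. Names and scope id are placeholders.
param(
    [string]$Source     = "SOURCE",
    [string]$BackupName = "dhcpdb",
    [string]$ScopeList  = "192.168.40.0"   # use "all" to import every scope
)

# Turn the text output of "netsh dhcp server show scope" into a sorted list of
# "<scope address>/<mask>" strings so two servers can be compared. A row looks like
#   192.168.40.0   - 255.255.255.0  -Active        -Main                 -
function Get-ScopeSet([string[]]$netshOutput) {
    $scopes = foreach ($line in $netshOutput) {
        if ($line -match '^\s*(\d{1,3}(\.\d{1,3}){3})\s+-\s+(\d{1,3}(\.\d{1,3}){3})') {
            "{0}/{1}" -f $Matches[1], $Matches[3]
        }
    }
    return @($scopes | Sort-Object)
}

# 1. Record what SOURCE is serving while its DHCP service is still up.
$before = @(Get-ScopeSet (& netsh dhcp server "\\$Source" show scope))
if ($before.Count -eq 0) { throw "No scopes read from $Source; check the DHCP service and your rights." }

# 2. Fetch the export, then stop the old server so both never hand out the same leases.
Copy-Item "\\$Source\c$\$BackupName" "C:\$BackupName" -Force
(Get-Service -ComputerName $Source -Name DHCPServer).Stop()

# 3. Import into the local (TRANSITIONAL) DHCP server and restart it.
& netsh dhcp server import "C:\$BackupName" $ScopeList
Restart-Service DHCPServer

# 4. Compare the scope sets; only then disable DHCP on SOURCE for good.
$after = @(Get-ScopeSet (& netsh dhcp server show scope))
if ($after.Count -eq 0) { throw "Import produced no scopes on this server; DHCP on $Source is stopped but not disabled." }
$missing = @(Compare-Object $before $after | Where-Object { $_.SideIndicator -eq "<=" })
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.InputObject }) -join ", "
    Write-Warning "Scopes not found on TRANSITIONAL after import: $names"
} else {
    Set-Service -ComputerName $Source -Name DHCPServer -StartupType Disabled
    "All {0} scope(s) migrated; DHCP on {1} is now disabled." -f $after.Count, $Source
}
```

The same script, with the host names changed, covers the second move from TRANSITIONAL to the NEW server later in the procedure. Scope options are not compared here; check those in dhcpmgmt.msc as the step says.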
PROMOTE TRANSITIONAL
On TRANSITIONAL, run DCPROMO
Reboot TRANSITIONAL
On TRANSITIONAL, confirm proper active directory operation and allow adequate time for data to replicate
On TRANSITIONAL open NTDSUTIL
Roles
Connections
Connect to domain [domain.fqdn]
Connect to server [transitional.domain.fqdn]
Quit
Transfer PDC
Transfer RID Master
Transfer Infrastructure Master
Transfer Domain Naming Master
Transfer Schema Master
On SOURCE, check directory services logs to confirm that the changes took place as originated from the other server. This step helps prevent you from following false information reported by a server that has fallen out of replication. Initiating the sequence from one server and checking the result from another helps confirm that both servers have a consensus.
On SOURCE, open dssite.msc, navigate to NTDS Settings, and make SOURCE no longer a global catalog server.
On TRANSITIONAL, point the DNS client to itself, by updating the TCP/IP configuration in NCPA.CPL. NOTE: this step will cause inconsistencies for clients that have obtained IP addresses (and DNS client information) by means of DHCP. If you prefer, you may change SOURCE’s IP address to something new, update DNS host records, and add the original IP address from SOURCE to TRANSITIONAL. This guide assumes all operations will be performed in sequence and without significant pauses.
Open REPLMON on SOURCE and add both SOURCE and TRANSITIONAL as monitored servers, so you can follow replication while IP addresses are being changed. To do this, navigate to CN=Schema,CN=Configuration,DC=[domain],DC=[tldn]
NOTE: replmon is no longer available on 2008. http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx
If both servers are replicating properly, and there are no significant DNS or Directory Services problems, demote SOURCE. NOTE: DO NOT check the “this is the last server in the domain” option.
Restart SOURCE and monitor logs to confirm that SOURCE is no longer participating in the DOMAIN
Disjoin SOURCE from the domain, restart, and then shut SOURCE down.
Rename DESTINATION to the name of the ORIGINAL server (in this example, DATASERVER). From this point on DESTINATION is referred to as the NEW server.
Reboot the new server
Just a quick check of the domain
Join the domain and reboot the NEW server
Log on to the DOMAIN after the reboot.
Configure the NEW server using the ORIGINAL server’s IP address, but point DNS to the TRANSITIONAL server
Promote the NEW server to a domain controller
Note the warnings here. See MS KB article 942564 for further details:
http://go.microsoft.com/fwlink/?LinkId=104751
Don’t forget the Directory Services Restore Mode password set here. It’s important and you’ll need it to restore AD if necessary at a later time.
Add the DHCP role to the NEW server
Accept the defaults on all options. We will be replacing the configuration options soon.
On TRANSITIONAL SERVER, export the DHCP database to a file, and shut down DHCP Services
Copy the backup file from \\TRANSITIONAL\c$\dhcpdbNew to c:\ on the NEW server
NOTE: in this step, for me the process kept erroring out. I had to use the CLI to get the operation done.
netsh
dhcp server
import c:\dhcpdbNew 192.168.40.0
Point DNS client on NEW server to itself
On the NEW server, execute ipconfig /flushdns and ping vmdomain.local. Check the Directory Services log for any problems.
Transfer roles to the NEW server using NTDSUTIL
Issue NETDOM QUERY FSMO on both NEW and TRANSITIONAL servers to confirm consensus
Check Directory Services logs for any errors before proceeding
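Both the NTDSUTIL transfer earlier (confirmed from SOURCE's logs) and the NETDOM QUERY FSMO step here rest on the same idea: ask more than one domain controller and only proceed when they agree. The script below is an added example, not part of the original procedure. Instead of reading the output of NETDOM on two consoles, it binds to each listed DC over LDAP, reads the fSMORoleOwner attribute of the five role-holding objects as that DC sees them, and reports any role where the servers disagree. The server names are placeholders; it assumes the account can read the directory, which any domain account can.

```powershell
# Added example, not part of the original procedure: ask each domain
# controller over LDAP which servers it believes hold the five FSMO roles and
# report whether they agree. Server names are placeholders; use the FQDNs in
# your domain. Assumes read access to the directory (any domain user has it).
param(
    [string[]]$Servers = @("transitional.vmdomain.local", "dataserver.vmdomain.local")
)

# fSMORoleOwner holds the DN of the owner's NTDS Settings object, e.g.
#   CN=NTDS Settings,CN=DATASERVER,CN=Servers,CN=Default-First-Site-Name,...
# The second RDN is the server name.
function Get-OwnerName([string]$ntdsSettingsDn) {
    if ($ntdsSettingsDn -match '^CN=NTDS Settings,CN=([^,]+),') { return $Matches[1] }
    return $ntdsSettingsDn
}

# Read the role owners as seen by one specific DC. The LDAP://server/ prefix
# pins the bind to that server instead of letting the DC locator pick one.
function Get-FsmoView([string]$server) {
    $root = [ADSI]"LDAP://$server/RootDSE"
    $dnc  = $root.defaultNamingContext.Value
    $cnc  = $root.configurationNamingContext.Value
    $snc  = $root.schemaNamingContext.Value
    $paths = @{
        "PDC"            = "LDAP://$server/$dnc"
        "RID"            = "LDAP://$server/CN=RID Manager`$,CN=System,$dnc"
        "Infrastructure" = "LDAP://$server/CN=Infrastructure,$dnc"
        "DomainNaming"   = "LDAP://$server/CN=Partitions,$cnc"
        "Schema"         = "LDAP://$server/$snc"
    }
    $view = @{}
    foreach ($role in $paths.Keys) {
        $obj = [ADSI]$paths[$role]
        $view[$role] = Get-OwnerName $obj.fSMORoleOwner.Value
    }
    return $view
}

$views = @{}
foreach ($s in $Servers) { $views[$s] = Get-FsmoView $s }

$agreed = $true
foreach ($role in "PDC", "RID", "Infrastructure", "DomainNaming", "Schema") {
    $owners = @($Servers | ForEach-Object { $views[$_][$role] } | Select-Object -Unique)
    if ($owners.Count -ne 1) { $agreed = $false }
    $detail = ($Servers | ForEach-Object { "{0}={1}" -f $_, $views[$_][$role] }) -join "  "
    "{0,-15} {1,-9} {2}" -f $role, $(if ($owners.Count -eq 1) { "OK" } else { "MISMATCH" }), $detail
}
if ($agreed) { "All servers agree on FSMO ownership." }
else { Write-Warning "Servers disagree on FSMO ownership; wait for replication and check the Directory Services log before continuing." }
```

A MISMATCH right after a transfer usually just means the change has not replicated yet; a MISMATCH that persists is the "false information from a server that has fallen out of replication" case the NTDSUTIL step warns about, and is the reason not to demote anything until the output is all OK.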
Confirm that the NEW server is a Global Catalog. It should be if you selected that option during DCPROMO
NOTE: If you are enabling this for the first time, wait at least 5 minutes before proceeding to the next step.
On TRANSITIONAL, uncheck the Global Catalog box in the NTDS Settings properties (dssite.msc) to remove the global catalog function from the TRANSITIONAL SERVER. Perform this action from the NEW server, and confirm it from the TRANSITIONAL server. This helps confirm that replication is working properly.
Confirm in the Event log as well as in Active Directory Sites and Services
Configure the TRANSITIONAL server to point to the NEW server for DNS. We will begin backing TRANSITIONAL out of the domain now
ipconfig /flushdns and ping vmdomain.local
If it resolves to the TRANSITIONAL server, we need to update DNS records
On NEW server, issue ipconfig /registerdns.
On TRANSITIONAL server, issue ipconfig /flushdns, and ping the FQDN of the domain again. It should resolve to the IP address of the NEW server. If it does not, you can manually update DNS records from dnsmgmt.msc. At this point, we just need to get the DOMAIN resolving properly and make sure the involved domain controllers resolve properly. We will be returning to dnsmgmt.msc to clean up DNS after demoting TRANSITIONAL.
When demoting TRANSITIONAL with DCPROMO, choose a local administrator password (you’ll need it to log in locally after disjoining from the domain).
Complete the wizard and reboot.
From Server Manager, click Remove Roles, and deselect DNS Server and DHCP Server.
Reboot TRANSITIONAL when prompted.
Wait for configuration changes to complete on TRANSITIONAL, and reboot TRANSITIONAL again
Disjoin TRANSITIONAL from the domain and reboot.
Shut down TRANSITIONAL server.
On NEW server, open dssite.msc and remove reference to TRANSITIONAL
In dnsmgmt.msc, remove references to TRANSITIONAL in all zones, including the _msdcs zone.
Check DNS and Directory Services logs for problems.
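Stale _msdcs records are the usual cause of workstations still trying to reach TRANSITIONAL after it is gone, and they are easy to miss in dnsmgmt.msc. The script below is an added example, not part of the original procedure: run on the NEW server, it asks that server's DNS for the SRV records clients use to locate a DC, a global catalog and the PDC, and flags any answer that still names the retired host; it also resolves the bare domain name, which the earlier ping step depends on. The domain, host and retired names are placeholders mirroring the procedure's examples.

```powershell
# Added example, not part of the original procedure: after TRANSITIONAL is
# demoted and removed in dnsmgmt.msc, query the NEW server's DNS for the
# locator records and flag anything still naming TRANSITIONAL.
# Names are placeholders mirroring the procedure's examples.
param(
    [string]$Domain  = "vmdomain.local",
    [string]$DnsHost = "dataserver.vmdomain.local",   # the NEW server
    [string]$Retired = "transitional"                  # host name being removed
)

# Run nslookup against a specific DNS server and pull the SRV target host
# names out of its text output ("svr hostname = <fqdn>" lines).
function Get-SrvTargets([string]$name, [string]$server) {
    $out = & nslookup -type=SRV $name $server 2>&1 | ForEach-Object { "$_" }
    $targets = @()
    foreach ($line in $out) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $targets += $Matches[1].TrimEnd('.') }
    }
    return $targets
}

# Which of the targets still name the retired host (short name or FQDN)?
function Find-StaleTargets([string[]]$targets, [string]$retired) {
    return @($targets | Where-Object { $_ -match ('^' + [regex]::Escape($retired) + '(\.|$)') })
}

$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain"
)
$stale = 0
foreach ($rec in $records) {
    $targets = @(Get-SrvTargets $rec $DnsHost)
    $bad = @(Find-StaleTargets $targets $Retired)
    "{0,-45} -> {1}" -f $rec, $(if ($targets.Count -gt 0) { $targets -join ", " } else { "(no answer)" })
    if ($bad.Count -gt 0) { $stale += $bad.Count; Write-Warning "$rec still points at $($bad -join ', ')" }
}

# The bare domain name should resolve to the NEW server's address only. This
# uses the local resolver, which on the NEW server is pointed at itself.
$ips = [System.Net.Dns]::GetHostAddresses($Domain) | ForEach-Object { $_.IPAddressToString }
"{0,-45} -> {1}" -f $Domain, ($ips -join ", ")

if ($stale -eq 0) { "No locator SRV record on $DnsHost refers to $Retired." }
else { "Remove the remaining $stale record(s) from the _msdcs zone in dnsmgmt.msc and run this again." }
```

If a record shows "(no answer)", the zone is missing the entry rather than holding a stale one; ipconfig /registerdns on the NEW server, or restarting its Netlogon service, re-creates the locator records.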
You’re almost done! At this point you should have a server on new hardware, running a new operating system, with the same domain you had before you started. Group Policy Objects, Usernames, Groups, and most other Active Directory elements should have remained intact. Additionally, you should have NO NEED to visit workstations. The last steps you need to perform are to follow the worksheets and install your system applications and services, restore your data, shares, and printers. Then start up all services and make sure you can reboot.
Things to fix:
Printing. Server 2008’s printing will work differently, and it would be a good idea to set up scripts to remove the old printer connections from your workstations, and to add the new printer connections to them so you don’t have to visit any more workstations than necessary for the purposes of setting up printers. I believe printing should be one of the only things to require a visit to a workstation.
Shares and permissions. If you used backup software, restoring permissions is easy. If you manually printed out ACLs then you’re in for a long night, but you should be able to duplicate your file structure exactly.
Desktop applications
Roaming profiles. This is a dodgy one. Profiles changed dramatically in the new OS and behaviors may change when you log on for the first time.
SMB packet signing and encryption settings. This is especially important when dealing with older workstations running Windows XP.
Virus Protection
Backup – make sure you get a backup of your server from this point forward!