
Domain Controller replacement procedure.

Currently I have 2 domain controllers, let's call them AD1 and AD2. AD1 is the schema master, global catalog, etc. AD2 is the Certificate Authority master. Both of them are still running Win2000 Server, but I have 2 new HP DL380 servers that are going to replace these DL360s.

What is the proper procedure for *replacing* them?

Here is what I have thought up, but I'd like some more opinions. Move the Certificate Authority to AD1 (however that is done?), and copy the MSI folders to the new server. MSIs are used for pushing applications via group policy throughout the organization. Once the Cert Auth is moved and the software is transferred, I assume it will be safe to run dcpromo and demote AD2. Then run adprep /domain and /forest on AD1 to get Active Directory ready for a new 2003 server. Once it runs, promote the new server to join an existing domain so that it copies everything from AD1. Once promoted, change the Cert Auth back to the new AD2 (again, however that is done, I'm not sure of the process) and hopefully that half will be good.

Then repeat the procedure for the schema and global catalog master: transfer the roles to the new AD2, demote the current AD1, and replace it with the new AD1. Also running is Novell DirXML, which syncs NDS with Active Directory, so that will then be installed on AD1 and then the schema roles transferred back to AD1.

Sound good or am I gonna ruin the domain?
 
Just keep in mind there are 5 FSMO roles that need to be transferred. Schema Master and Global Catalog are just 2 of those. Google to find the others.
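For reference, the command sequence the procedure above boils down to, as an added example rather than something posted in the thread: the 2003 adprep step, listing all five FSMO holders, and transferring them to the new DC with ntdsutil. Assumes the new 2003 DC has already been promoted as NEWDC, that the 2003 media is on D:, and that netdom/dcdiag/repadmin from the 2003 Support Tools are installed (all placeholders and assumptions).

```batch
:: Constructed example, not from the thread. Placeholder names: the old
:: DC is AD1, the newly promoted 2003 DC is NEWDC, 2003 media is on D:.
:: Typed interactively at a cmd prompt on the DC, not run as one script.

:: 1. Prepare the 2000 forest and domain BEFORE promoting the first 2003
::    DC. Run forestprep on the schema master (AD1); run domainprep only
::    after forestprep has replicated to every DC in the domain.
D:\i386\adprep.exe /forestprep
D:\i386\adprep.exe /domainprep

:: 2. List the current holders of all five FSMO roles (Schema, Domain
::    Naming, PDC Emulator, RID, Infrastructure). The Global Catalog is
::    not an FSMO role: it is ticked per DC under NTDS Settings in
::    AD Sites and Services and should be enabled on NEWDC there.
netdom query fsmo

:: 3. Transfer the five roles to NEWDC. "transfer" is the clean path and
::    needs the current holder online; "seize" exists only for a holder
::    that is permanently gone and must never be used while AD1 is up.
ntdsutil
roles
connections
connect to server NEWDC
quit
transfer schema master
transfer domain naming master
transfer pdc
transfer rid master
transfer infrastructure master
quit
quit

:: 4. Verify role ownership and healthy replication before running
::    dcpromo to demote the old DC.
netdom query fsmo
repadmin /showrepl
dcdiag
```

Each `transfer` prompts for confirmation and then prints the role holder table, so the second `netdom query fsmo` should show NEWDC for every role before the old DC is demoted.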
 
The domain upgrade process sounds good. I have no idea about the certificate authority part. I am unsure why you would need to move it back and forth so much?
 
Yes, part of the "etc" was saying that AD1 holds the PDC Emulator, Infrastructure master, RID, and Domain Name Master.

But does all the other stuff sound pretty solid?
 
Sounds like you're on the right track however a thought for you...
The only reason you would need to take the route you've outlined is if you *must* use the same hostnames; if there are no problems using new host names you can make your life much easier by just bringing your 2 new servers online side-by-side with the existing ones.

After promoting the 2 new ones and transferring FSMO, GC and CA roles, demote the old.

Also just thought I would post this article, might be helpful on your CA move(s):
http://support.microsoft.com/?id=298138

Cheers :beer:
 
Do a full backup of AD1, including a system state backup.

Install W2K on new hardware. Install latest service packs and hotfixes.

Restore backup.

Upgrade to W2K3.

This is the Microsoft Approved Way of doing this.

However, Spydordie has a much better approach. Just bring the new servers in as additional DCs, then demote unneeded ones and retire them.

I'm not sure about certificate server issues, however, and how your CA might cause problems with this approach.
 
Originally posted by: spyordie007
Sounds like you're on the right track however a thought for you...
The only reason you would need to take the route you've outlined is if you *must* use the same hostnames; if there are no problems using new host names you can make your life much easier by just bringing your 2 new servers online side-by-side with the existing ones.

Yes we have to use the same host names for both servers. Reason being that the MSI software is pushed from AD2 and some of the older MSIs require connectivity to AD2 to run certain programs.

I'm feeling more confident about doing this now. Thanks everyone.
 