Taking over Operations Master / DC roles

Guest
Archived from groups: microsoft.public.win2000.active_directory

Hello,

I am a new network admin to a company. I did not get to set up the domain
here, so I don't have 100% of the background knowledge that makes jobs like
this one easy.

What I was asked to do is to set up a machine to replicate data to for a
'backup' per se... I did this months ago; the machine is a server, online,
replicating AD, and we are manually replicating some info using Robocopy... I
was asked to plan out and configure this backup as my production DC.

My boss suggested that he wanted it to be fast and complete, without too
much work. His plan was to down the current DC, start up the other DC and
rename it to that of the old DC, statically setting the name, IPs, DNS and
DHCP of the other box.

In my mind I would never migrate the Operations Master this way.

I was wondering if anyone had some writeups on changing from one DC / logon
server to another.

All that is really run on this box is AD, users' roaming profiles, one
mapped install directory, and a time server.

I was going to change the role of the Operations Master to that of the other
DC while both servers were live... I was also going to swap over RID and PDC
roles.

Thanks for any input!
 
Guest

Assuming that your AD infrastructure was setup with the basic (default)
parameters, and that the new DC will be located in the same AD site as the
present one, the easiest and safest way is (brief overview):

- add the new DC (DC02) to the AD domain
- allow AD replication to complete
- seize the FSMO roles (from old to DC02)
- decommission the old DC (recommended to keep as 'backup')

Unless there is a dependency on computer names, in this case the old DC (say
DC01), there is no real need to reuse the name. You can use the old IP
address though, as the DNS client on DC02 will update DNS to reflect this
change (and other AD attributes such as SRV records). Remember to point DNS
to itself in the IP settings, if it is the DNS Server as well.

Do let us know if this helps.


"Sonny" wrote:

> Hello,
>
> I am a new network admin to a company. I did not get to set up the domain
> here, so I don't have 100% of the background knowledge that makes jobs like
> this one easy.
>
> What I was asked to do is to set up a machine to replicate data to for a
> 'backup' per se... I did this months ago; the machine is a server, online,
> replicating AD, and we are manually replicating some info using Robocopy... I
> was asked to plan out and configure this backup as my production DC.
>
> My boss suggested that he wanted it to be fast and complete, without too
> much work. His plan was to down the current DC, start up the other DC and
> rename it to that of the old DC, statically setting the name, IPs, DNS and
> DHCP of the other box.
>
> In my mind I would never migrate the Operations Master this way.
>
> I was wondering if anyone had some writeups on changing from one DC / logon
> server to another.
>
> All that is really run on this box is AD, users' roaming profiles, one
> mapped install directory, and a time server.
>
> I was going to change the role of the Operations Master to that of the other
> DC while both servers were live... I was also going to swap over RID and PDC
> roles.
>
> Thanks for any input!
>
>
>
 
Guest

"Sonny" <turbovw18@hotmail.com> wrote in message
news:#P$5UzE7EHA.1452@TK2MSFTNGP11.phx.gbl...
> Hello,
>
> I am a new network admin to a company. I did not get to set up the domain
> here, so I don't have 100% of the background knowledge that makes jobs like
> this one easy.
>
> What I was asked to do is to set up a machine to replicate data to for a
> 'backup' per se... I did this months ago; the machine is a server, online,
> replicating AD, and we are manually replicating some info using Robocopy... I
> was asked to plan out and configure this backup as my production DC.

Read what Desmond wrote also.

> My boss suggested that he wanted it to be fast and complete, without too
> much work. His plan was to down the current DC, start up the other DC and
> rename it to that of the old DC, statically setting the name, IPs, DNS and
> DHCP of the other box.

That is not (usually) a realistic strategy and fights the
way that AD actually works.

For instance, it is non-trivial (and most times impossible)
to rename a DC.

The fact that you have TWO DCs IS A BACKUP. They
should both be treated as NEARLY equal.

All DCs are equal, some are more equal than others....

> In my mind I would never migrate the Operations Master this way.
> I was wondering if anyone had some writeups on changing from one DC / logon
> server to another.

Don't even think of it this way.

What you might need to do however is SEIZE the
Operation Master roles if the other DC cannot be
returned to the network expeditiously.

Once you SEIZE roles however you CANNOT (must
not) return the original role holder to the network for
longer than it takes to DCPromo it to a non-DC.

The goal is to always TRANSFER the roles when
working on a DC which holds them -- this solves all
but the unexpected catastrophic crash (i.e., hard drive
stops spinning.)

> All that is really run on this box is AD, users' roaming profiles, one
> mapped install directory, and a time server.

What about DNS? Probably should be included and
the other DC should run it as well (both AD integrated
and both set in every CLIENT NIC->IP properties.)

Same for GC. (Sites and Services)

There is no reason the second DC cannot do ALL of
that with the exception of the Single Master Roles.

In a true emergency you seize those roles -- and keep
on working.

If you have to seize any roles -- you perform a DCPromo
cycle (i.e., DCPromo to non-DC then back to new DC)
on the repaired machine when it works again.

> I was going to change the role of the Operations Master to that of the other
> DC while both servers were live... I was also going to swap over RID and PDC
> roles.

That is the right way to TRANSFER roles BEFORE
you do something to the role holder (if you can.)

Remember that every domain has 3 single master roles,
and the forest (usually the first domain first dc) has
2 more of these for the whole forest.

Forest wide:
Schema and Domain Naming Masters

Domain specific:
PDC Emulator, RID and Infrastructure Masters


--
Herb Martin


> Thanks for any input!
>
>
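The procedure Desmond outlines above (add DC02, let replication finish, move the roles, then decommission DC01) and the TRANSFER-versus-SEIZE distinction Herb draws in this reply, as an added example that is not code from any post in this thread: a PowerShell script using the ActiveDirectory module (Windows Server 2008 R2 or later, so not the Windows 2000 tooling the thread is about; on Windows 2000 the equivalent is the `roles` menu of ntdsutil with its `transfer` and `seize` commands). The names DC01 and DC02, the replication health check, and the decision rule "transfer if the old holder answers, otherwise seize" are assumptions made for the example.

```powershell
# Added example (not from the thread): move all five FSMO roles to DC02,
# transferring when DC01 is still online and seizing only when it is not.
# Assumes the ActiveDirectory module and an account that is a member of
# Domain Admins, Enterprise Admins and Schema Admins (the last is needed
# for the Schema Master). DC01 / DC02 are placeholder names.
Import-Module ActiveDirectory

$oldDc = 'DC01'
$newDc = 'DC02'

function Show-FsmoHolders {
    # One object with one property per role, so before/after is easy to compare.
    $d = Get-ADDomain
    $f = Get-ADForest
    [PSCustomObject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

Write-Host 'Role holders before:'
Show-FsmoHolders | Format-List

# Desmond's "allow AD replication to complete": refuse to move any role while
# DC02 still has a failing inbound replication link, otherwise a DC with a
# stale copy of the directory could become PDC emulator or RID master.
$partners = Get-ADReplicationPartnerMetadata -Target $newDc -ErrorAction Stop
$failed   = $partners | Where-Object { $_.LastReplicationResult -ne 0 }
if ($failed) {
    $failed | Select-Object Partner, LastReplicationResult, LastReplicationAttempt | Format-Table
    throw "Inbound replication to $newDc is not healthy; fix that before moving roles."
}

# The two forest-wide roles and the three domain roles Herb lists.
$roles = 'SchemaMaster', 'DomainNamingMaster',
         'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Is the current holder still reachable in the directory?
$oldDcOnline = $true
try   { Get-ADDomainController -Identity $oldDc -ErrorAction Stop | Out-Null }
catch { $oldDcOnline = $false }

if ($oldDcOnline) {
    # TRANSFER: a clean hand-off agreed with the current holder. DC01 can stay
    # in the domain afterwards as an ordinary DC (Desmond's 'backup').
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
        -OperationMasterRole $roles -Confirm:$false
    Write-Host "Roles transferred from $oldDc to $newDc."
} else {
    # SEIZE: -Force takes the roles without the old holder's cooperation.
    # From here on DC01 must not come back as a DC; it needs the DCPromo cycle
    # Herb describes (demote or rebuild) and its leftover metadata removed.
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
        -OperationMasterRole $roles -Force -Confirm:$false
    Write-Host "Roles SEIZED on $newDc. Do not return $oldDc to the network as a DC."
}

Write-Host 'Role holders after:'
Show-FsmoHolders | Format-List
```

Run it once from DC02. The script stops before touching any role if DC02's inbound replication shows an error, so a half-replicated DC never inherits the single master roles. The seize branch is the one Herb warns about: once it runs, the old holder is poisoned as a DC and may only rejoin after being demoted (or rebuilt) and having its metadata cleaned up.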
 
Guest

"Sonny" <turbovw18@hotmail.com> wrote in message
news:O6KRMLQ7EHA.1596@tk2msftngp13.phx.gbl...
> thank you Herb...
>
> bear with me:
>
> how do you suggest I replicate DNS? by merely setting up DNS and pushing
> down the existing tables?

(It's really a pull <grin>).

Yes. You make the second DNS server a "secondary"
for any zones you hold on the first.

If the second DNS server is a DC, you can even make
it (and the Primary) into "Active Directory Integrated"
DNS servers and they can both accept dynamic changes
and replicate to each other.


> DHCP and user profiles are on this box... this is my main 'file server'....
> my other DCs include a backup (that I recently reformatted to create dc2,
> the new fileserver, NOT for failover) and my exchange box.

DHCP is no big deal if you have enough addresses;
just put it on both boxes and exclude half of the addresses
on each.

You can replicate the profiles with backup or nightly
copies (e.g., RoboCopy) or, with enough bandwidth, by
using DFS and automatic replication. (Be careful on
this last.)

> I run DHCP on my current DC as well as on my SUS server. I do run two
> completely different ranges, why should I overlap? or are you suggesting the
> overlap + exclusion if two DHCP ranges are on the same box?

No, "same box" is not an issue.

You should overlap -- use the SAME pool of addresses --
on different DHCP servers whenever they service the same
subnet.

There is a poorly understood (by most admins) problem if you
don't do this. #1 will NAK renewals for #2 and vice versa
if you failed to do this.

And it is no real trouble once you know about it:
Same scope on each; exclude different portions of the
address on each to make the ACTUAL distribution
different.

> I have my exchange box and my file server (dc1) as my current GCs... I can
> just make this the case for my new box to allow logons?!

Well, now you have introduced trying to make additional
services fault tolerant.

With only a few DCs, all DCs should be GCs. (There is
no reason not to do so when you only have one domain.)

Exchange can be really made fault tolerant through clustering.

> The box I'm using now, for my NEW fileserver WAS the old failover... the
> other admin made the failover (didn't work) and I was asked to format and
> make that server the new Fileserver. Sorry for the confusion!!!!!

It just makes it hard to give specific recommendations
when the requirements change.


> my clients are set up with a preferred DNS and 3 alternates... however, the
> preferred is my dc1, the 2 alternates are my 2 other IPs on that same
> fileserver, dc1,

Worthless -- and even counterproductive since the
clients may just take longer to fail and try other
methods when this is down.

There is no value to giving the SAME server under
multiple addresses since if it is down, all are down.

> as well as the fourth alternate being a ghosted IP on my
> fileserver. So in essence I only have ONE DNS server.

Then the clients only need -- and SHOULD ONLY have
one entry.

When you add the 2nd (real) DNS server, you should add
it as the alternate (or add it as preferred on half of your
clients.)

> So I want to run a
> DNS server on another one of my DCs after I get the file server up and
> running.... this is why I want to ensure that I properly migrate the dc1
> DNS, because it's the only source for DNS in the network (I didn't set it up
> this way, the old admin did, I don't exactly know why)

It is probably a good idea for all DCs to be DNS servers
when you have only a few DCs.


> DC1 will not return to the mix...
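Herb's DNS and DHCP advice in this reply (a second DNS server that replicates the zone, the SAME DHCP scope on both servers with complementary exclusions so neither NAKs the other's renewals, and each DC pointing at itself and the other DC for DNS), as an added example that is not code from the thread: a PowerShell script using the DnsServer, DhcpServer and DnsClient modules (Windows Server 2012 or later, so not the Windows 2000 consoles the thread uses; the settings are the same ones made by hand in the DNS and DHCP MMC snap-ins). DC01, DC02, corp.example.com, the 192.168.10.0/24 addresses and the .50-.150 / .151-.250 split are placeholders chosen for the example.

```powershell
# Added example (not from the thread): give DC02 a replicated copy of DNS and
# a share of DHCP so the network no longer depends on DC01 alone.
# Assumes the DnsServer, DhcpServer and DnsClient modules and an account with
# admin rights on both servers. All names and addresses are placeholders.
Import-Module DnsServer
Import-Module DhcpServer
Import-Module DnsClient

$zone   = 'corp.example.com'
$dc01Ip = '192.168.10.10'   # existing DNS/DHCP server
$dc02Ip = '192.168.10.11'   # new DC

# --- DNS ------------------------------------------------------------------
# Both servers are DCs, so take Herb's second option: make the zone Active
# Directory integrated on DC01. It then replicates with AD to every DC that
# runs DNS (DC02 included) and both servers accept secure dynamic updates.
# A plain file-backed secondary on DC02 would instead be:
#   Add-DnsServerSecondaryZone -ComputerName DC02 -Name $zone `
#       -ZoneFile "$zone.dns" -MasterServers $dc01Ip
Set-DnsServerPrimaryZone -ComputerName 'DC01' -Name $zone -ReplicationScope Domain
Set-DnsServerPrimaryZone -ComputerName 'DC01' -Name $zone -DynamicUpdate Secure

# Desmond's point: each DC points at itself first, then at the other DC.
# Herb's point: one real server per entry; the same server under several
# addresses adds nothing and only delays failover.
Set-DnsClientServerAddress -CimSession 'DC02' -InterfaceAlias 'Ethernet' `
    -ServerAddresses $dc02Ip, $dc01Ip
Set-DnsClientServerAddress -CimSession 'DC01' -InterfaceAlias 'Ethernet' `
    -ServerAddresses $dc01Ip, $dc02Ip

# --- DHCP: one shared scope, complementary exclusions ---------------------
# Two DHCP servers on the same subnet must define the SAME scope. A server
# that does not know the scope a lease came from NAKs the renewal, so the
# pool is split with exclusions, not with two disjoint ranges.
$scopeId = '192.168.10.0'
$start   = '192.168.10.50'
$end     = '192.168.10.250'
$mask    = '255.255.255.0'

foreach ($srv in 'DC01', 'DC02') {
    if (-not (Get-DhcpServerv4Scope -ComputerName $srv -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -ComputerName $srv -Name 'LAN' -StartRange $start `
            -EndRange $end -SubnetMask $mask -State Active
    }
    # Scope options hand every client both DNS servers (preferred + alternate).
    # -Force skips the reachability check on the DNS addresses.
    Set-DhcpServerv4OptionValue -ComputerName $srv -ScopeId $scopeId `
        -DnsServer $dc01Ip, $dc02Ip -Router '192.168.10.1' -Force
}

# DC01 hands out .50-.150 and DC02 hands out .151-.250: each server excludes
# the other's half, so the ACTUAL distribution differs while the scope is identical.
Add-DhcpServerv4ExclusionRange -ComputerName 'DC01' -ScopeId $scopeId `
    -StartRange '192.168.10.151' -EndRange '192.168.10.250'
Add-DhcpServerv4ExclusionRange -ComputerName 'DC02' -ScopeId $scopeId `
    -StartRange '192.168.10.50'  -EndRange '192.168.10.150'

# Sanity check: list the exclusions side by side; they must not overlap and
# together must cover the whole pool.
foreach ($srv in 'DC01', 'DC02') {
    Get-DhcpServerv4ExclusionRange -ComputerName $srv -ScopeId $scopeId |
        Select-Object @{ n = 'Server'; e = { $srv } }, StartRange, EndRange
}
```

The DHCP half is the part worth checking twice: the scope definition (start, end, mask, options) is identical on both servers and only the exclusion ranges differ, which is exactly Herb's "same scope on each; exclude different portions on each". If a client later renews a .151-.250 lease against DC01, DC01 recognises the scope and can answer instead of sending a NAK.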