Advice on Replacing First Domain Controller in Forest/Domain

Active Directory
Microsoft Windows
Networking services
We are planning to replace the original domain controller that was the first dc to be set up when we first set up our domain. We have a single forest, single domain, with 20 domain controllers (17 of which are global catalogs) all running Windows 2003 Server with Service Pack 1. The server to be replaced holds the PDC Emulator, Rid Pool, and Infrastructure FSMO roles, which we plan to move to another domain controller ahead of time. There are two global catalog servers running in the same site as the domain controller that we will be replacing. We are running Active Directory Integrated DNS on all domain controllers. All servers in our domain use the PDC Emulator as their Primary DNS server in their TCP/IP settings, and a local dc or gc as their Alternate DNS server. We would like to keep the same server name and IP address for the new server that will be replacing the old server. Are we asking for trouble? Has anyone tried this and regretted it? I found information on the Microsoft site regarding restoring a failed domain controller (on original or new hardware) using the same server name. The instructions included procedures for cleaning up part of the metadata to remove the NTDS Settings object of the failed domain controller. It seems like we could use the same procedures for building a new domain controller with the same name. I'm interested in hearing advice from others who have been through the process of replacing an original domain controller in their domain. Thanks in advance for any suggestions or warnings!

Answer Wiki


Removing the original DC is easy and it seems like you’ve done your homework so you know how to move all the roles, etc. I would just use a different name for the DC to avoid trouble and then just create another static DNS A record that points the old DC name as well as the new to the same IP. No problem there; any host looking for the old name will still hit it just fine.

If you want to use the same name, you do need to make sure that all the objects are out of AD and again, it looks like you’ve done your homework on this. Just run ADSI Edit and make sure it’s 100% clean, then check DNS (and WINS if you have it) and make sure every trace of the old server name is gone, then bring up the new server with the same name.

The DNS server settings in the other DCs and DNS servers don’t really matter so much as long as they have one working DNS server. The DNS server search order is determined by which DNS responds quickest over time by an algorithm on the DNS client.
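The answer above and the reinstallation procedure discussed in the replies both come down to one pre-flight check: before a replacement DC comes up under the retired DC's name, nothing in the forest may still refer to that name (FSMO roles, the server and NTDS Settings objects under Sites, the computer account, and every DNS record that is owned by or points at it). The script below is an added example written for this page, not code from the thread or from the Microsoft procedure it cites. It only reports; the actual removal is still ntdsutil metadata cleanup, ADSI Edit and the DNS console. It assumes a current Windows management host with the RSAT ActiveDirectory and DnsServer modules (these cmdlets do not exist on Windows Server 2003) and a hypothetical retired DC name passed as -OldDcName.

```powershell
# Added example, not part of the original thread or of the Microsoft procedure it cites.
# Pre-flight check before reusing a retired DC's name: reports (never removes) every
# trace of the old name in FSMO roles, the configuration partition, the domain
# partition and AD-integrated DNS.
# Assumes RSAT ActiveDirectory + DnsServer modules on a current management host.
param(
    [Parameter(Mandatory = $true)]
    [string] $OldDcName,        # short host name of the retired DC, e.g. OLDDC01 (hypothetical)
    [string] $DnsServer         # DNS server to query; defaults to the current PDC Emulator
)

Import-Module ActiveDirectory
Import-Module DnsServer

$short    = $OldDcName.Split('.')[0]
$findings = New-Object System.Collections.Generic.List[string]
$forest   = Get-ADForest
$domain   = Get-ADDomain
if (-not $DnsServer) { $DnsServer = $domain.PDCEmulator }

# 1. FSMO roles: the retiring DC must no longer hold any of the five.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -eq $short -or $role.Value -like "$short.*") {
        $findings.Add("FSMO role $($role.Key) is still held by $($role.Value)")
    }
}

# 2. Configuration partition: the server object and its child NTDS Settings object.
#    These are what metadata cleanup removes; leaving them behind creates a phantom DC.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$short))" |
    ForEach-Object {
        $findings.Add("Server object still present: $($_.DistinguishedName)")
        Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel -LDAPFilter "(objectClass=nTDSDSA)" |
            ForEach-Object { $findings.Add("NTDS Settings object still present: $($_.DistinguishedName)") }
    }

# 3. Domain partition: the old DC's computer account (and therefore its SID).
Get-ADComputer -LDAPFilter "(cn=$short)" |
    ForEach-Object { $findings.Add("Computer account still present: $($_.DistinguishedName) SID $($_.SID)") }

# 4. DNS: any record owned by, or pointing at, the old name in every zone on $DnsServer.
#    Owner name catches A/AAAA; the data fields catch CNAME, NS, SRV, PTR and SOA.
$namePattern = "(^|\s)$([regex]::Escape($short))\."
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -in @('Primary', 'Secondary') } |
    ForEach-Object {
        $zone = $_.ZoneName
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone | ForEach-Object {
            $d = $_.RecordData
            $targets = @($d.HostNameAlias, $d.NameServer, $d.DomainName, $d.PtrDomainName, $d.PrimaryServer) -join ' '
            if ($_.HostName -eq $short -or $targets -match $namePattern) {
                $findings.Add("DNS $($_.RecordType) record in zone $zone : $($_.HostName) -> $($targets.Trim())")
            }
        }
    }

if ($findings.Count -eq 0) {
    "No trace of $short found in FSMO roles, the configuration partition, the domain partition or DNS."
} else {
    "Found $($findings.Count) leftover reference(s) to $short; clean these up before reusing the name:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it once after moving the roles and demoting or cleaning up the old DC, let replication settle, and run it again just before promoting the replacement; an empty report on the second run is the point at which reusing the name is safe. Once the new DC is promoted and registers its own records, the DNS section will of course report those, so the check is only meaningful before promotion.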

Discuss This Question: 4 Replies

  • Serendipity
    That's the second reply (there was a private one) advising that we use a different name for the new server, so I'm starting to doubt our plan. Check out this information from Microsoft, which is from an appendix to the AD Operations Guide. It specifically says not to completely remove everything about the domain controller from AD if you're using the same name, and only to do that if you are using a different name. Sounds kind of backwards and contradicts what PDMeat said, so I'm getting more confused.
  • Mortree
    Which entry of the Ops Guide were you looking at? Sounds like you may be looking at an entry for restoring a DC from backup. The reason you don't delete everything in that case is you are actually being the same machine account with SID and GUIDs. Clarify. Are you planning to simply move the software and logical DC by restoring onto the new hardware? This is different and more dangerous than cold installing a new server. Dangerous if your backup was made before the FSMO roles are moved and well propagated. You could end up with the restored DC competing for FSMO roles with the machines you moved those roles to. Oh sure, it should self-heal eventually. But the operational words are "should" and "eventually", not a good prime time event in the business world as things might get crazy busy between DCs and slow for users.

    While 2003 SP1 does support creating new DCs from backups, I'd play with that in your lab forest first. It is new tech and we know MS doesn't always figure out all limits in the first year. The known safe, if longer, process says you would install as an ordinary member server and then promote during less busy user hours (late night and weekend nights).

    It sounds as if it should go without mentioning but: (1) the safest, most relaxed way to do this is to give your DCs a full day to stabilize on FSMO roles before a full backup of all DCs on the day after that. (2) Check DNS for all role name records changing before the final backup. Also make sure all old references to the server going offline are gone.
  • Serendipity
    Here is a better link to what procedures we were following. The link is also to an appendix, but if you select the link in it called "Process: Recovering a Domain Controller Through Reinstallation" you'll see the procedure we were looking at. From that link, we followed the link to the information on cleaning up the metadata. This procedure does not include restoring from backups, which is why I was surprised that it said not to completely remove the entries from Active Directory.

    Thanks very much to all who responded. It's very nice to know that there is a great network of support out there. We actually did the server replacement this past weekend, and it went very smoothly. I guess the main reason we wanted to keep the same server name and IP address, and we didn't want to remove the old server from the domain first, was the fact that all servers in the domain point to this server's IP address as their Primary DNS server. We didn't want to have to update all the other servers first, and we were under a short time schedule for getting this done. After seeing the Microsoft information on how to do this if a server fails, we just crossed our fingers and hoped it would go well.

    If we have to do another domain controller and have more time, we will probably follow advice to take the old server off the domain for a couple of days before bringing up a new server with the same name and address. Or, just use a new name and address. So far, we have had no problems related to the server replacement we did following the procedure in the link above, but if something turns up later, I'll update this question to let everyone know. Thanks again for the support.
  • JeffinLV
    After completing your upgrade did any of your other servers or workstations display any strange authentication errors which could be tracked to the new sid or machine account of the new DC?
