What is the best way to deal with DHCP, DNS, WINS and the ISA server
function? Is it better to switch the roles over manually or through
DCPromo? And last but not least, when is the best time to put the
Microsoft management tools on the new domain controller?
I answered this in an earlier post, except for the ISA and the
part about DCPromo.
You cannot use DCPromo to transfer any of these -- only a new DNS
setup works with DCPromo automatically (and new domains are where
that makes sense).
DHCP must be done entirely manually.
WINS is mostly manual but you can replicate (manual setup)
the old database to the new server easily.
DHCP can be (manually and tediously) migrated but if you
have enough addresses it is usually easier to just switch.
If short on addresses then you can move the DHCP database
from one server to another -- search Google against the Microsoft
site for this procedure:
[ site:microsoft.com DHCP migrate | move server ]
ISA is a completely manual process, but you might ask in the
ISA newsgroups for any (manual) procedures for moving the
current configuration. (I don't know if such exist but imagine
it is a bit of a mess if your config is complex....)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
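As an added example (not code from the original thread, and not the Microsoft procedure the post says to search for): the "short on addresses" case, where the DHCP database has to move with its active leases so the new server does not hand out addresses the old one still has on lease. The thread's era did this with netsh dhcp server export/import; this script uses the DhcpServer PowerShell module of Windows Server 2012 and later. Server names, paths and the scopes are assumptions.

```powershell
# Added example, not from the original thread. Moves DHCP configuration
# and active leases from the old DC to its replacement and verifies the
# result. Server names and paths are assumptions for illustration.
#Requires -Modules DhcpServer

$OldServer  = 'OLD-DC.child.example.com'   # assumed: failing DC, current DHCP server
$NewServer  = 'NEW-DC.child.example.com'   # assumed: replacement DC, DHCP role installed
$ExportFile = 'C:\Migrate\dhcp-export.xml'
$BackupDir  = 'C:\Migrate\dhcp-backup'     # Import-DhcpServer insists on a backup path

New-Item -ItemType Directory -Force -Path (Split-Path $ExportFile), $BackupDir | Out-Null

# 1. Record what the old server knows so the import can be checked against it.
$oldScopes = @(Get-DhcpServerv4Scope -ComputerName $OldServer)
$oldLeases = @($oldScopes | ForEach-Object {
    Get-DhcpServerv4Lease -ComputerName $OldServer -ScopeId $_.ScopeId
})
Write-Host ("Old server: {0} scope(s), {1} active lease(s)" -f $oldScopes.Count, $oldLeases.Count)

# 2. Export server options, scopes, reservations AND leases. Without -Leases
#    the new server would treat every address as free and re-issue ones that
#    clients still hold, which is exactly the problem when the pool is tight.
Export-DhcpServer -ComputerName $OldServer -File $ExportFile -Leases -Force

# 3. Import onto the replacement. -ScopeOverwrite replaces any scope already
#    defined there with the exported definition.
Import-DhcpServer -ComputerName $NewServer -File $ExportFile -BackupPath $BackupDir `
    -Leases -ScopeOverwrite -Force

# 4. Compare scope ranges and lease counts, scope by scope.
foreach ($scope in $oldScopes) {
    $new = Get-DhcpServerv4Scope -ComputerName $NewServer -ScopeId $scope.ScopeId -ErrorAction Stop
    $newLeases = @(Get-DhcpServerv4Lease -ComputerName $NewServer -ScopeId $scope.ScopeId).Count
    $oldCount  = @($oldLeases | Where-Object ScopeId -eq $scope.ScopeId).Count
    $same = ($new.StartRange -eq $scope.StartRange) -and
            ($new.EndRange   -eq $scope.EndRange)   -and
            ($newLeases      -eq $oldCount)
    $status = if ($same) { 'OK  ' } else { 'DIFF' }
    Write-Host ("{0} {1}: {2}-{3}, leases old={4} new={5}" -f $status, $scope.ScopeId,
        $new.StartRange, $new.EndRange, $oldCount, $newLeases)
}

# 5. Exactly one server should serve these scopes. Authorize the new one in AD
#    and de-authorize the old: a DHCP server that is not authorized in the
#    directory stops handing out leases, which is AD's built-in guard against
#    a rogue or forgotten DHCP server.
Add-DhcpServerInDC -DnsName $NewServer
Remove-DhcpServerInDC -DnsName $OldServer
Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize
```

Run it from a box with the DHCP RSAT tools as a DHCP administrator. If step 4 prints DIFF for a scope, stop the old server's DHCP service before retrying the import so the lease set cannot change underneath you.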
Thanks,
Janelle
I have one global catalog and one DC in my child domain. The reason
that I am taking the original domain controller out is due to a failing
controller card. I want to put the new server in, add the correct
roles, take the other one off line, have it repaired and reintroduce
it as an additional DC.
If it were only going to be gone a few days I might leave it a DC.
I would definitely switch all roles and special jobs to another DC.
I figured out how to transfer the PDC, RID and infrastructure roles
to the new domain controller, but what other two roles do I need to
add, and how?
You only need to transfer the other two roles from the ROOT domain
original DC if you are moving that one -- you said you are only
messing with a child domain DC, which won't have those.
NTDSUtil is the general tool for all five roles.
But since you asked: AD Domains and Trusts for Domain Naming Master
and the Schema Editor for moving the Schema master.
BTW with a reasonably small forest it is perfectly reasonable to
make every DC into a GC (in Sites and Services, on the server's
"NTDS Settings" object).
So do the additional roles on the server make it the "primary"?
Nope. All DCs are equal. (Some are more equal than others due to
the FSMO roles but it is best not to think of ANY DC as "the
primary".)
Also what is the best way to deal with the changing of the DHCP, DNS
and WINS functions?
If your DHCP lease period is LONG go reduce that IMMEDIATELY
and first on all "scopes". (An hour or two is probably short enough
to keep you from being irritated in later steps.)
ADD DNS, DHCP, and WINS to the other (replacement) server.
Configure the zones for DNS on new server as a Secondary unless
you are using AD Integrated (which is better) where the zones should
just show up automatically on a new DNS-DC.
Get that right. Test (DCDiag, and a sample client etc.)
Change ALL of the clients and DHCP to reflect the new DNS and WINS
server addresses. (Aren't you glad the lease period is short now?
<Grin>)
Replicate the new WINS server from the old one.
Turn off the original DHCP server.
Wait for refresh or manually refresh all DHCP clients and/or reboot.
Test again. Sample clients etc.
Remove any (remaining) references to the old DNS and WINS server.
Optionally take ownership by new WINS server of all replicated
records from the old one.
Turn off old DNS and WINS services and test again.
DCPromo the old DC.
And remember that "DNS client" and "WINS Client" above means
EVERY MACHINE, even DCs and other 'servers' !!!
I think that is pretty much it but that was just off the top of my
head by thinking it through logically.
You should start with this. Make sure you understand it, and try to
think up anything else that can go wrong or delay you....
Remember to test (DCDiag etc.) both BEFORE and after.
If you don't know about current problems you may be chasing ghosts
(of the old setup) if things seem funky or really go bad later.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
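The cutover sequence in the reply above, as an added example that is not part of the original post: the lease shortening, the DNS zone and SRV checks, the DHCP option changes (including scope-level overrides, which shadow the server-level value), the repointing of statically configured servers, and the test. It uses the DhcpServer, DnsServer and DnsClient modules of Windows Server 2012 and later rather than the consoles of the thread's era; every server name, address and the static-server list is an assumption.

```powershell
# Added example, not part of the original posts: the DHCP/DNS/WINS cutover
# as a script, run from the new DC with RSAT installed. Names and addresses
# below are assumptions; the modules need Windows Server 2012 or later.
#Requires -Modules DhcpServer, DnsServer, DnsClient, ActiveDirectory

$OldDc  = 'OLD-DC.child.example.com'   # assumed: original DC, currently DNS/DHCP/WINS
$NewDc  = 'NEW-DC.child.example.com'   # assumed: replacement DC, DNS/DHCP/WINS installed
$OldIp  = '10.1.0.10'                  # assumed addresses
$NewIp  = '10.1.0.20'
$Domain = (Get-ADDomain).DNSRoot        # e.g. child.example.com

# Step 1: shorten every scope's lease FIRST, so the option changes below reach
# clients within an hour rather than whenever a days-long lease happens to renew.
$scopes = @(Get-DhcpServerv4Scope -ComputerName $OldDc)
foreach ($s in $scopes) {
    Set-DhcpServerv4Scope -ComputerName $OldDc -ScopeId $s.ScopeId -LeaseDuration (New-TimeSpan -Hours 1)
}

# Step 2: the domain zone must exist on the new DNS server, either AD-integrated
# (it appears by itself once the DC replicates) or as a Secondary of the old one.
$zone = Get-DnsServerZone -ComputerName $NewDc -Name $Domain -ErrorAction Stop
if (-not $zone.IsDsIntegrated -and $zone.ZoneType -ne 'Secondary') {
    throw "$Domain on $NewDc is a standalone primary: make it AD-integrated or a Secondary of $OldDc"
}
# The new DC must also be registered as a DC in the zone's SRV records, or
# clients that switch to it for DNS will still only find the old DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $NewIp -ErrorAction Stop
if ($srv.NameTarget -notcontains $NewDc) { throw "$NewDc has no DC SRV record in $Domain" }

# Step 3: hand DHCP clients the new DNS and WINS servers. New first, old second
# for the transition; the old one is dropped once its services are stopped.
# Set-DhcpServerv4OptionValue checks that each DNS server answers before it
# accepts the value, which is a useful test of step 2 in its own right.
Set-DhcpServerv4OptionValue -ComputerName $OldDc -DnsServer $NewIp, $OldIp -WinsServer $NewIp
foreach ($s in $scopes) {
    # A scope-level option 006 shadows the server-level one; update those too.
    $override = Get-DhcpServerv4OptionValue -ComputerName $OldDc -ScopeId $s.ScopeId `
        -OptionId 6 -ErrorAction SilentlyContinue
    if ($override) {
        Set-DhcpServerv4OptionValue -ComputerName $OldDc -ScopeId $s.ScopeId `
            -DnsServer $NewIp, $OldIp -WinsServer $NewIp
    }
}

# Step 4: "DNS client" means every machine, DCs and servers included. Static
# servers never see DHCP options, so each is repointed explicitly.
$StaticServers = $NewDc, $OldDc, 'FILE01.child.example.com'   # assumed list
foreach ($srvName in $StaticServers) {
    Invoke-Command -ComputerName $srvName -ArgumentList (,@($NewIp, $OldIp)) -ScriptBlock {
        param([string[]]$dns)
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            ForEach-Object { Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ServerAddresses $dns }
    }
}

# Step 5: test now, and keep the output next to the BEFORE run for comparison.
& dcdiag.exe /s:$NewDc /test:DNS /test:Advertising /q
& ipconfig.exe /renew                  # this machine stands in for a sample DHCP client
& nslookup.exe $Domain $NewIp

# Step 6, only after the one-hour leases have rolled over and step 5 is clean:
# drop the old server from the options, stop its DHCP, DNS and WINS, test again.
# Set-DhcpServerv4OptionValue -ComputerName $NewDc -DnsServer $NewIp -WinsServer $NewIp
# Get-Service -ComputerName $OldDc -Name DHCPServer, DNS, WINS | Stop-Service
```

The two `throw` checks are the "get that right" gates: do not proceed to step 3 if the zone is a lone primary on the new box or the new DC has no SRV record, because both failures only show up after clients have already been moved.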
Thanks,
Janelle
So if I want to introduce another DC into the domain to replace the
current one that is acting as the "PDC", what steps are necessary to
do this?
DCPromo a member server as an additional DC.
Transfer the roles you wish to move to the new DC.
For transferring 1-3 domain roles the usual tool
is AD Users and Computers (right click on Domain).
For transferring all five roles it is usually easier to use
NTDSUtil but be sure to NEVER "seize" a role unless
you have NO choice and are forced to do so. ('Transfer'
and 'Seize' are two distinct technical terms: Transfer is
good; seize is BAD.)
Be sure to arrange for DNS and GCs before you remove
the original DC (since frequently people only have the one
GC or forget to either setup DNS correctly or to change the
clients to match the new DC.)
When your domain can function without the original DC then
turn it off briefly (to check this) and then DCPromo to non-DC.
How many DCs do you have? You should generally have AT
LEAST TWO per domain and more are frequently better,
especially if you have WAN locations.
[Many people are too quick to retire older DCs, overlooking
the fact that it requires very little CPU and other horsepower
to be ONLY a DC.]
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
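The procedure in that reply as an added example (not code from the original post): transfer the three domain roles with the ActiveDirectory module, turn the new DC into a GC the way Sites and Services does it, and then check that the domain would survive with the original DC powered off. The transfer-versus-seize distinction maps onto the cmdlet's -Force switch. DC names are assumptions; the cmdlets exist from Windows Server 2008 R2 onward.

```powershell
# Added example, not part of the original posts: transfer (never seize) the
# domain FSMO roles to the new DC, make it a GC, and prove the domain no
# longer depends on the original before that one is demoted. Names assumed.
#Requires -Modules ActiveDirectory

$NewDcName = 'NEW-DC'   # assumed: already DCPromo'd as an additional DC
$OldDcName = 'OLD-DC'   # assumed: the DC being taken offline for repair

$new = Get-ADDomainController -Identity $NewDcName

# 1. TRANSFER the three domain roles. Without -Force the cmdlet contacts the
#    current holder, which replicates its latest role state (the RID pool
#    allocation, for instance) before handing over. -Force is a SEIZE: the
#    holder is not consulted, so if it ever comes back it still believes it
#    owns the role and two RID masters start issuing overlapping pools.
#    Seize only when the old DC is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $new `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# 2. Make the new DC a Global Catalog: set bit 0 (NTDSDSA_OPT_IS_GC) of the
#    "options" attribute on its NTDS Settings object. This is exactly what the
#    "Global Catalog" checkbox in Sites and Services writes.
$ntds = Get-ADObject -Identity $new.NTDSSettingsObjectDN -Properties options
$opts = [int]$ntds.options             # attribute absent -> 0
if (-not ($opts -band 1)) {
    Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }
}

# 3. Readiness: can the domain run with OLD-DC switched off?
$domain   = Get-ADDomain
$problems = @()
foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
    $holder = $domain.$role                        # FQDN of the current holder
    if ($holder -like "$OldDcName.*") { $problems += "$role is still held by $holder" }
}
$otherGcs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
              Where-Object Name -ne $OldDcName)
if ($otherGcs.Count -eq 0) { $problems += "no Global Catalog other than $OldDcName" }
if (@(Get-ADDomainController -Filter *).Count -lt 2) {
    $problems += "fewer than two DCs in $($domain.DNSRoot)"
}
# The GC bit is not enough: the DC has to finish building its partial replicas
# and advertise. dcdiag's Advertising test reports that; /q prints only failures.
$adv = & dcdiag.exe /s:$($new.HostName) /test:Advertising /q
if ($adv) { $problems += "dcdiag Advertising on $($new.HostName): $($adv -join ' ')" }

if ($problems) {
    Write-Warning ("Not ready to retire {0}:`n{1}" -f $OldDcName, ($problems -join "`n"))
} else {
    Write-Host "PDC=$($domain.PDCEmulator) RID=$($domain.RIDMaster) Infra=$($domain.InfrastructureMaster)"
    Write-Host "GCs other than $OldDcName : $($otherGcs.HostName -join ', ')"
    Write-Host "OK: power off $OldDcName for the test, then DCPromo it to a member server"
}
```

Only the domain roles are moved here, matching the child-domain case in the thread; SchemaMaster and DomainNamingMaster would be added to -OperationMasterRole only when retiring the forest-root DC that holds them.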
I am adding an additional domain controller to my Active Directory
child domain for fault tolerance. I know that there are no longer
PDCs and BDCs. But I also know that two domain controllers in the
same domain have different functions. Are the FSMO roles the only
things that make a difference between being a member server and
being the primary domain controller?
No. First you have member servers which are NOT DCs at all
but merely offer non-domain services such as file, print, email,
DNS, DHCP etc.
Every DC has Active Directory and functions as both an
authentication and ldap server for domain data.
You may DCPromo a member server to DC in which case
it will have none of the FSMO roles (by default) unless it
were the very first one which created the domain. Neither would it
be a GC or Global Catalog Server or DNS server automatically.
The three domain specific FSMO roles are on the first DC by
default but may be moved: PDC Emulator, RID Master, and
Infrastructure Master.
There are two more FSMO masters for the FOREST, but they
only exist on the first DC on the first DOMAIN of the forest.
Any DC in a domain may be made a GC, as many as you like.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
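An added, read-only inventory (not code from the original post) that makes the distinctions in that reply visible on a real forest: the two forest roles, the per-domain roles and GC flag on each DC, and the member-server/DC split, which is a property of the computer object rather than a role. It uses the ActiveDirectory module; nothing beyond what the directory returns is assumed.

```powershell
# Added example, not part of the original posts: forest-wide inventory of
# what actually distinguishes DCs from each other and from member servers.
#Requires -Modules ActiveDirectory

$forest = Get-ADForest

# The two forest-wide roles exist once per forest, on one DC each.
[pscustomobject]@{
    Forest             = $forest.Name
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
} | Format-List

# Every DC in every domain, with the roles it holds. Most rows show no role at
# all: that is the normal state of a DC, and such a DC is still a complete
# authentication and LDAP server for its domain.
$rows = foreach ($dom in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $dom | ForEach-Object {
        [pscustomobject]@{
            Domain = $dom
            DC     = $_.Name
            Site   = $_.Site
            GC     = $_.IsGlobalCatalog
            Roles  = ($_.OperationMasterRoles -join ', ')
        }
    }
}
$rows | Sort-Object Domain, DC | Format-Table -AutoSize

# Member server versus DC is decided by the computer object, not by any role:
# DCs carry primaryGroupID 516 (Domain Controllers; 521 for RODCs), member
# machines carry 515 (Domain Computers).
foreach ($dom in $forest.Domains) {
    $servers = Get-ADComputer -Server $dom -Filter { OperatingSystem -like '*Server*' } `
        -Properties OperatingSystem, primaryGroupID
    $members = @($servers | Where-Object { $_.primaryGroupID -eq 515 })
    $dcs     = @($servers | Where-Object { $_.primaryGroupID -in 516, 521 })
    Write-Host ("{0}: {1} DC(s), {2} member server(s)" -f $dom, $dcs.Count, $members.Count)
    $members | ForEach-Object { Write-Host ("   member: {0} ({1})" -f $_.Name, $_.OperatingSystem) }
}

# A single GC in a domain is a single point of failure for logons (universal
# group expansion) and forest-wide searches; flag domains that have only one.
$rows | Group-Object Domain | ForEach-Object {
    $gcCount = @($_.Group | Where-Object GC).Count
    if ($gcCount -lt 2) { Write-Warning "$($_.Name): only $gcCount Global Catalog(s)" }
}
```

The Roles column is the only place the five FSMO roles appear; comparing it with the DC list is the quickest way to see that "primary" is not a property any DC has.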