Making another DC the Primary


Mark

I have a Windows 2000 native AD and my child domain has two DCs. Actually,
it now has three because I intend to demote the one. The one I want to
demote is the Primary (I'm guessing because it was the first?). What should
I do? If I demote that Primary, will another DC become the Primary or do I
have to do something else?

I've been digging through the MS KB for the past hour or so :-(

Thanks,
Mark
 
You need to transfer the FSMO roles and ensure that there's a DNS server
available. You require a GC too, but this can reside in either domain.
Although I would recommend making all DCs GCs.

Have a look at these articles -- they might help a little:

Replacing a DC:
-- http://www.msresource.net/content/view/24/47/

Transferring FSMO roles:
-- http://www.msresource.net/content/view/28/47/

Making a DC a GC:
-- http://www.msresource.net/content/view/25/47/


Post back any additional questions.

Mind you, I'm concerned about what this means:
has two DCs. Actually, it now has three because I intend to demote the
one.


Can you clarify??
 
Mind you, I'm concerned about what this means:
Can you clarify??


Hi Paul,

Sorry for the confusion - my child domain had the original domain controller
(that's Primary) and a backup domain controller - that was my original
configuration. But I've been getting some bad vibes from the Primary and
got nervous, so I promoted another server in my child domain. Now I'd like
to demote the original, but I didn't know what would happen to its role as
Primary. All three have global catalogs (needed at least one in the child
domain for my Exchange server). I'm going to remove the GC from that
Primary first.
When I was testing AD, prior to my migration from NT4, I had gone through
the FSMO roles situation, but seemed to remember that a proper demotion
using dcpromo moved those elsewhere? I guess my memory is failing me. :-)

Thanks,
Mark
 
Mark said:
Hi Paul,

Sorry for the confusion - my child domain had the original domain controller
(that's Primary) and a backup domain controller - that was my original
configuration.

First of all they are both "just DCs".

The first one will (by default) hold the special roles,
including the PDC Emulator but it isn't primary and there
are no Win2000+ Backup DCs.

But I've been getting some bad vibes from the Primary and
got nervous,

What sort of bad vibes? If you have a DNS or other replication
problem you will likely just move that problem around.

...so I promoted another server in my child domain.

That is a good idea -- especially if you are concerned about
hard drives, motherboards, power supplies, and other failures.

You should (practically) always have TWO DCs (or more)
PER DOMAIN if this is at all possible.

Now I'd like to demote the original,

Why? You believed you needed an "extra" so what is better
about the new one over the old one?

What will you do with this server if you retire it as a DC?

Why can't it continue being another DC?

but I didn't know what would happen to its role as
Primary.

The (5 or 3) ROLES are SUPPOSED to transfer if you DCPromo
correctly -- I don't like to trust it and prefer to transfer them myself
using NTDSUtil (see below***).

All three have global catalogs (needed at least one in the child
domain for my Exchange server). I'm going to remove the GC from that
Primary first.

Not necessary. A GC "leaving" is no big deal IF you
have another.

In general, single domains, and small forests with multiple
domains should have every DC as a GC.

If you don't do that, the GC and infrastructure master should
not be on the same DC.

When I was testing AD, prior to my migration from NT4, I had gone through
the FSMO roles situation, but seemed to remember that a proper demotion
using dcpromo moved those elsewhere? I guess my memory is failing me.
:-)

It is supposed to do that -- and it will IF the DNS and other
connectivity are CORRECT.

Most AD problems are really DNS problems though, so if
your DC is shaky, or untrustworthy, I wouldn't trust it to do that
either.

***NTDS roles

Search Google for:

[ NTDSutil "transfer roles" ]

Do NOT use "seize" unless the other DC is gone PERMANENTLY.

No need to add either site:microsoft.com OR microsoft:
since the NTDS and other terms make it Microsoft specific
by itself.

Key points to NOTE when working with NTDSUtil:

You CONNECT to a WORKING DC.

'Connect' (and 'Select') are technical terms in this context.
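
The manual transfer recommended in the post above, as an added example that is not part of the original thread: a batch script that records the role holders, transfers the three domain-wide roles, and refuses to proceed to dcpromo if the old DC still holds one. The domain name `child.example.com` and the DC names `olddc` and `newdc` are placeholders (assumptions), and `netdom` comes from the Windows Support Tools.

```bat
@echo off
rem Added example: move the domain-wide FSMO roles off a DC before demoting it.
rem All names below are placeholders (assumptions), not values from the thread.
setlocal
set CHILD_DOMAIN=child.example.com
set OLD_DC=olddc
set NEW_DC=newdc

rem 1. Record who holds the roles now. In a child domain only three roles are
rem    domain-wide (PDC emulator, RID master, infrastructure master); the schema
rem    and domain naming masters are forest-wide and normally sit in the forest
rem    root, which is the "(5 or 3)" in the post above.
netdom query /domain:%CHILD_DOMAIN% fsmo

rem 2. CONNECT to the WORKING DC that should receive the roles, then transfer.
rem    Use "transfer", never "seize": the old DC is still online and healthy
rem    enough to hand the roles over. Each transfer asks for confirmation.
ntdsutil roles connections "connect to server %NEW_DC%" quit ^
  "transfer PDC" ^
  "transfer RID master" ^
  "transfer infrastructure master" ^
  quit quit

rem 3. Verify before running dcpromo. findstr matches substrings, so pick an
rem    OLD_DC value that is not contained in another DC's name.
netdom query /domain:%CHILD_DOMAIN% fsmo | findstr /i /c:"%OLD_DC%" >nul
if not errorlevel 1 (
  echo %OLD_DC% still holds a FSMO role. Do not run dcpromo yet.
  exit /b 1
)
echo %OLD_DC% holds no FSMO roles. It can now be demoted with dcpromo.
```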
 
First of all they are both "just DCs".
The first one will (by default) hold the special roles,
including the PDC Emulator but it isn't primary and there
are no Win2000+ Backup DCs.

So, if I demote this, those roles will be transferred to another DC? Is
there any logic to which of my other DCs may be chosen to host those roles?


What sort of bad vibes? If you have a DNS or other replication
problem you will likely just move that problem around.

Hardware - I need to retire that server anyway...


That is a good idea -- especially if you are concerned about
hard drives, motherboards, power supplies, and other failures.

You should (practically) always have TWO DCs (or more)
PER DOMAIN if this is at all possible.

I do keep two in my parent and two in my child. I had a DC in my parent
experience hardware failure and was okay with the second DC.

Why? You believed you needed an "extra" so what is better
about the new one over the old one?

Just in preparation for decommissioning that unit altogether - but it does
host the special roles and I want to make sure that they're transferred.
Would simply running dcpromo to demote it be enough and would those special
roles go to another DC automatically or should I move them myself?


What will you do with this server if you retire it as a DC?

Wanna buy it? ;-)

Why can't it continue being another DC?

Because I'm getting rid of it...

The (5 or 3) ROLES are SUPPOSED to transfer if you DCPromo
correctly -- I don't like to trust it and prefer to transfer them myself
using NTDSUtil (see below***).

Okay, now this is what I'm looking for! It should, but it may not, and I
ought to do it myself. That sounds like a safe thing to do...

Not necessary. A GC "leaving" is no big deal IF you
have another.

Oh, okay - but if I can, I may as well remove it first?

In general, single domains, and small forests with multiple
domains should have every DC as a GC.

If you don't do that, the GC and infrastructure master should
not be on the same DC.

Good advice... Mine are like this now!

:-)

It is supposed to do that -- and it will IF the DNS and other
connectivity are CORRECT.

Great! Thanks! I had remembered that that was the case, but wanted to make
sure...

Most AD problems are really DNS problems though, so if
your DC is shaky, or untrustworthy, I wouldn't trust it to do that
either.

***NTDS roles

Search Google for:

[ NTDSutil "transfer roles" ]

Do NOT use "seize" unless the other DC is gone PERMANENTLY.

No need to add either site:microsoft.com OR microsoft:
since the NTDS and other terms make it Microsoft specific
by itself.

Key points to NOTE when working with NTDSUtil:

You CONNECT to a WORKING DC.

'Connect' (and 'Select') are technical terms in this context.



Thanks for all of your help!
Mark
 
Mark said:
So, if I demote this, those roles will be transferred to another DC? Is
there any logic to which of my other DCs may be chosen to host those
roles?

Yes (it should be transferred) and No there is no trivial
way to predict which DC will receive the roles -- thus
one really should move them manually.

Hardware - I need to retire that server anyway...

Ok, but the "server" could be kept, by moving the disks (or
a backup) to the new machine -- followed by a repair install
if using Win2000. Same thing in Win2003 but ASR is another
choice.

I do keep two in my parent and two in my child. I had a DC in my parent
experience hardware failure and was okay with the second DC.



Just in preparation for decommissioning that unit altogether - but it does
host the special roles and I want to make sure that they're transferred.

I thought you only have one (plus a new one).

Would simply running dcpromo to demote it be enough and would those special
roles go to another DC automatically or should I move them myself?

Both. They should go to another DC, but YOU SHOULD move
them to make sure.

Wanna buy it? ;-)

No, I just wondered if it was good enough for X, it was
likely good enough for an Xtra DC. <grin>

Because I'm getting rid of it...

Some of my favorite DCs fit that description.

Okay, now this is what I'm looking for! It should, but it may not, and I
ought to do it myself. That sounds like a safe thing to do...

And you get to PICK the "correct" DC when you move them.

Oh, okay - but if I can, I may as well remove it first?

No real reason. DCPromo will include that in the discard.
 
So, if I demote this, those roles will be transferred to another DC?

Correct.

Is there any logic to which of my other DCs may be chosen to host those roles?

Yes, it first tries to find a DC in the same site, then the closest DC, and
then any.
 
I have the same exact question, except my W2k AD is still in mixed mode. Does
this fact make any difference?

Thanks in advance,

Joe

Mark said:
First of all they are both "just DCs".

The first one will (by default) hold the special roles,
including the PDC Emulator but it isn't primary and there
are no Win2000+ Backup DCs.

So, if I demote this, those roles will be transferred to another DC? Is
there any logic to which of my other DCs may be chosen to host those roles?


What sort of bad vibes? If you have a DNS or other replication
problem you will likely just move that problem around.

Hardware - I need to retire that server anyway...


That is a good idea -- especially if you are concerned about
hard drives, motherboards, power supplies, and other failures.

You should (practically) always have TWO DCs (or more)
PER DOMAIN if this is at all possible.

I do keep two in my parent and two in my child. I had a DC in my parent
experience hardware failure and was okay with the second DC.

Why? You believed you needed an "extra" so what is better
about the new one over the old one?

Just in preparation for decommissioning that unit altogether - but it does
host the special roles and I want to make sure that they're transferred.
Would simply running dcpromo to demote it be enough and would those special
roles go to another DC automatically or should I move them myself?


What will you do with this server if you retire it as a DC?

Wanna buy it? ;-)

Why can't it continue being another DC?

Because I'm getting rid of it...

The (5 or 3) ROLES are SUPPOSED to transfer if you DCPromo
correctly -- I don't like to trust it and prefer to transfer them myself
using NTDSUtil (see below***).

Okay, now this is what I'm looking for! It should, but it may not, and I
ought to do it myself. That sounds like a safe thing to do...

Not necessary. A GC "leaving" is no big deal IF you
have another.

Oh, okay - but if I can, I may as well remove it first?

In general, single domains, and small forests with multiple
domains should have every DC as a GC.

If you don't do that, the GC and infrastructure master should
not be on the same DC.

Good advice... Mine are like this now!

:-)

It is supposed to do that -- and it will IF the DNS and other
connectivity are CORRECT.

Great! Thanks! I had remembered that that was the case, but wanted to make
sure...

Most AD problems are really DNS problems though, so if
your DC is shaky, or untrustworthy, I wouldn't trust it to do that
either.

***NTDS roles

Search Google for:

[ NTDSutil "transfer roles" ]

Do NOT use "seize" unless the other DC is gone PERMANENTLY.

No need to add either site:microsoft.com OR microsoft:
since the NTDS and other terms make it Microsoft specific
by itself.

Key points to NOTE when working with NTDSUtil:

You CONNECT to a WORKING DC.

'Connect' (and 'Select') are technical terms in this context.



Thanks for all of your help!
Mark
 
Yes (it should be transferred) and No there is no trivial
way to predict which DC will receive the roles -- thus
one really should move them manually.

That's what I'll do then - I'll feel empowered :-)

Ok, but the "server" could be kept, by moving the disks (or
a backup) to the new machine -- followed by a repair install
if using Win2000. Same thing in Win2003 but ASR is another
choice.

It's an old Prosignia (300MHz) that has had so many parts replaced that it's
not even the same machine anymore. It houses my Symantec Antivirus
Enterprise service, but I can move that to a new box.


Hardware reliability - this isn't a question based on AD or Microsoft or
domain controllers, it's a more practical view of the condition of the
server itself.

I thought you only have one (plus a new one).

Nope, it originally had two and I've just added a third in anticipation of
removing the one in question - leaving me once again with two.

No, I just wondered if it was good enough for X, it was
likely good enough for an Xtra DC. <grin>

I may use it as a nightstand ;-)
 