| Author | Messages | |
favvojohan
Posts:21
 | | 07/05/2010 3:45 PM |
| Hi,
I have one Win2k3 DC left in the AD and would very much like to get rid of it. My first plan was to demote it without replacement, but the problem is that we have an application on every computer that uses this DC (DNS name) to get a Kerberos ticket (printing solution). The domain-joined computers are no problem, we could fix that, but we also have 1000+ workgroup computers that use the same application. To avoid having to wait for a new version of the app I have some paths to go:
- Demote the DC and create a CNAME for it and point that to another DC (I can’t guarantee that this will work, but it probably will)
- Demote the DC, force full replication on all DCs in all sites and carefully check that we have no errors, and install a new DC with the same name(!)
- Upgrade the DC to Win2k8R2
Pros and cons? What would you do?
Best Regards Johan Peterson
___ Johan Peterson IT-Architect Linköping University | LiU-IT http://www.liu.se
| | | |
| cmuncy
Posts:13
 | | 07/05/2010 4:59 PM |
| You could initially test it by demoting and pointing its name to another DC and see what happens. I would try that first to make sure your apps work. Promoting a member server once demoted is not a big thing.
Chris
| | | |
| pinedalw
Posts:2
 | | 07/05/2010 5:38 PM |
| ________________________________ From: activedir-owner@mail.activedir.org <activedir-owner@mail.activedir.org> To: activedir@mail.activedir.org <activedir@mail.activedir.org> Sent: Mon Jul 05 11:57:34 2010 Subject: Re: [ActiveDir] Replace old DC...
| | | |
| pinedalw
Posts:2
 | | 07/05/2010 5:55 PM |
| ________________________________ From: activedir-owner@mail.activedir.org <activedir-owner@mail.activedir.org> To: activedir@mail.activedir.org <activedir@mail.activedir.org> Sent: Mon Jul 05 11:57:34 2010 Subject: Re: [ActiveDir] Replace old DC...
| | | |
| bdesmond
Posts:977
 | | 07/05/2010 6:11 PM |
| If you do option 1 you may need to register some additional SPNs for your app to continue working. Option 2 is pretty common though…
Thanks, Brian Desmond brian@briandesmond.com
c – 312.731.3132
| | | |
| kevinrjames
Posts:35
 | | 07/05/2010 7:07 PM |
| Unless it’s a 64bit OS already, #3 isn’t viable to start with.
/kj
| | | |
| favvojohan
Posts:21
 | | 07/05/2010 9:39 PM |
| Hmm of course! Didn’t think about that, but you’re absolutely right. This isn’t an option!
/J
| | | |
| favvojohan
Posts:21
 | | 07/05/2010 9:45 PM |
| > Option 2 is pretty common though…
Is it? I know that MS doesn’t recommend it (even not support it??). Are there any holes to fall in except if replication doesn’t go through?
There is one big advantage with it. The server I want to get rid of is the very first DC in the domain. I wouldn’t be surprised if there are other systems using only this DC and/or that have firewalls opened only to this DC. If I replace it I can use the same IP as well…
/J
| | | |
| chriss3
Posts:19
 | | 07/05/2010 9:49 PM |
| Does the app really require it to be on a DC? Other than that I don't see why a CNAME wouldn't work, remember to take care of SPNs
Option 2 is supported and is working fine as long as you ensure full replication coverage of the change.
/C
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Johan Peterson Sent: den 5 juli 2010 22:40 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Replace old DC...
No it is no big thing to promote a member server. If the CNAME thing doesn't work I can always take the next path. That's a good suggestion! :)
/J
| | | |
| favvojohan
Posts:21
 | | 07/05/2010 9:55 PM |
| The app isn't on the DC, it's on all the clients... The app is actually MIT Kerberos and is needed for our printing solution. The problem is that the krb5.ini is pointing directly to this DC!!! It all happened so fast... I don't want to talk about it... :S
Ok, that's good to know. I think that will be my first choice!
/J
| | | |
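Added example, not part of the original thread: the root cause described in the post above is a krb5.ini whose realm entry names one DC directly. This Python script audits a krb5.ini for that condition before a DC is retired; the realm names, host names and sample file are constructed, and `parse_krb5`, `host_of` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample (not from the thread): one realm pinned to a single DC.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = AD.EXAMPLE.TEST
    dns_lookup_kdc = false

[realms]
    AD.EXAMPLE.TEST = {
        kdc = olddc01.ad.example.test:88
        admin_server = olddc01.ad.example.test
    }
    LAB.EXAMPLE.TEST = {
        kdc = labdc1.lab.example.test
        kdc = labdc2.lab.example.test
    }
"""

# Realm relations in krb5.ini/krb5.conf whose value is a server host.
SERVER_KEYS = ("admin_server", "kdc", "kpasswd_server", "master_kdc")
FALSE_VALUES = {"false", "no", "n", "nil", "off", "0"}


def parse_krb5(text):
    """Return (libdefaults, realms) where realms maps realm -> {key: [values]}."""
    libdefaults, realms = {}, {}
    section, realm, depth = None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm, depth = header.group(1).lower(), None, 0
            continue
        if line.startswith("}"):                 # close a { ... } subsection
            depth = max(depth - 1, 0)
            if depth == 0:
                realm = None
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":                         # open a subsection
            depth += 1
            if section == "realms" and depth == 1:
                realm = key
                realms.setdefault(realm, {})
        elif section == "realms" and realm and depth == 1:
            realms[realm].setdefault(key.lower(), []).append(value)
        elif section == "libdefaults" and depth == 0:
            libdefaults[key.lower()] = value
    return libdefaults, realms


def host_of(value):
    """Normalise a server value: drop an optional :port, case and trailing dot."""
    host = value.strip()
    if host.startswith("["):                     # bracketed IPv6 literal
        return host[1:].partition("]")[0].lower()
    if host.count(":") == 1:                     # host:port
        host = host.split(":")[0]
    return host.lower().rstrip(".")


def audit(text, retiring_host):
    """List (realm, code, detail) findings that block retiring `retiring_host`."""
    libdefaults, realms = parse_krb5(text)
    retiring = host_of(retiring_host)
    findings = []
    for realm, entries in realms.items():
        for key in SERVER_KEYS:
            for value in entries.get(key, []):
                if host_of(value) == retiring:
                    findings.append(
                        (realm, "PINNED_TO_RETIRING_HOST", f"{key} = {value}"))
        kdcs = {host_of(v) for v in entries.get("kdc", [])}
        if len(kdcs) == 1:                       # no second KDC to fail over to
            findings.append((realm, "SINGLE_KDC", next(iter(kdcs))))
    if libdefaults.get("dns_lookup_kdc", "").lower() in FALSE_VALUES:
        findings.append(("*", "DNS_LOOKUP_DISABLED",
                         "deleting kdc lines alone leaves no way to find a KDC"))
    return findings


if __name__ == "__main__":
    for realm, code, detail in audit(SAMPLE_KRB5_INI, "olddc01.ad.example.test"):
        print(f"{realm:18} {code:26} {detail}")
```

MIT Kerberos uses DNS SRV lookup for a realm only when no servers are listed for it in the file, so the durable fix for a finding is either several `kdc` entries or no `kdc` entries together with `dns_lookup_kdc = true`.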
| gustavo_santos
Posts:1
 | | 07/05/2010 9:57 PM |
| Take the quiz before you can demote the domain controller. Create the CNAME RECORD pointing to another DC and disconnect Win2k3 DC, if not happen no problem you can demote the domain controller and keep this interim solution until you find a definitive solution
| | | |
| favvojohan
Posts:21
 | | 07/05/2010 10:04 PM |
| Well the problem is, what should in that case do with all other (than the A- and AAAA-record) for the DC? I'm afraid that this doesn't give the test accuracy I'd like... Please prove me wrong :)
/J
| | | |
| bdesmond
Posts:977
 | | 07/05/2010 11:05 PM |
| Having done this hundreds if not thousands of times I’ve yet to encounter a problem that was the fault of the product…
Thanks, Brian Desmond brian@briandesmond.com
c – 312.731.3132
| | | |
| favvojohan
Posts:21
 | | 07/05/2010 11:14 PM |
| Thank you Brian,
That feels encouraging. Do you think repadmin /syncall /Ae will do the trick?
/J
| | | |
| bdesmond
Posts:977
 | | 07/05/2010 11:53 PM |
| Sure … Personally I don’t usually do much other than make sure the DNS/WINS records are cleaned up and repl is running. Pretty straight forward.
Thanks, Brian Desmond brian@briandesmond.com
c – 312.731.3132
| | | |