Hi,

We are replacing various 2008 R2 domain controllers with new 2016 servers, but we want to reuse the 2008 DCs' IPs. The plan we thought of goes like this:

1. Transfer roles to the secondary 2008 DC and demote the former 2008 master.
2. Promote a 2016 server with the demoted 2008 DC's IP and transfer roles to it.
3. Demote the secondary 2008 DC and promote another 2016 server with the former IP.
4. Repeat the process with the 3rd 2008 DC.

Is it preferable to reuse the server names and IP addresses (old domain controllers to new), or should we give the new DCs new names and IP addresses? Could it be a problem to use the demoted DCs' IPs?

Regards.
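A scripted version of the rotation sketched in the question, added here as an example; it is not code posted by anyone in the thread. All names are placeholders: domain contoso.com, retiring 2008 R2 DC OLDDC01 at 10.0.0.11, surviving 2008 R2 DC OLDDC02 at 10.0.0.12, gateway 10.0.0.1, AD site HQ. The FSMO transfer uses the ActiveDirectory module (available on 2008 R2); 2008 R2 has no demotion cmdlet, so that step is dcpromo and appears as a comment; the promotion of the 2016 server uses the ADDSDeployment cmdlets that exist from 2012 on.

```powershell
# Added example, not code from the thread. Placeholder names:
#   domain contoso.com; retiring 2008 R2 DC OLDDC01 (10.0.0.11);
#   surviving 2008 R2 DC OLDDC02 (10.0.0.12); gateway 10.0.0.1; AD site HQ.
$Domain      = 'contoso.com'
$RetiringDc  = 'OLDDC01'
$SurvivingDc = 'OLDDC02'
$AllRoles    = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

# ---- Step 1 (domain admin session with the RSAT ActiveDirectory module) ----
# Transfer, do not seize, every FSMO role the retiring DC holds: a seize (-Force)
# leaves stale metadata behind for a DC we are about to demote cleanly.
Import-Module ActiveDirectory
$held = (Get-ADDomainController -Identity $RetiringDc).OperationMasterRoles
if ($held.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDc -OperationMasterRole $held -Confirm:$false
}
if ((Get-ADDomainController -Identity $RetiringDc).OperationMasterRoles.Count -gt 0) {
    throw "$RetiringDc still holds FSMO roles; do not demote yet"
}

# ---- Step 2 (on OLDDC01) ----
# 2008 R2 has no Uninstall-ADDSDomainController; demote with dcpromo.exe, then on
# the surviving DC confirm the removal has replicated and nothing is failing:
#   repadmin /replsummary
#   repadmin /showrepl OLDDC02
# Do not continue until the old computer account, its NTDS Settings object and its
# DNS records are gone (ntdsutil metadata cleanup if the demotion left them behind).

# ---- Step 3 (on the new 2016 server, still in a workgroup) ----
Rename-Computer -NewName $RetiringDc -Restart          # take over the old name
# ... after the reboot:
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.11' -PrefixLength 24 -DefaultGateway '10.0.0.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.12'   # surviving DC, not itself, until promoted
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$dsrm  = Read-Host -AsSecureString 'DSRM (safe mode) password'
$cred  = Get-Credential -Message "Domain Admin for $Domain"
$promo = @{
    DomainName                    = $Domain
    SiteName                      = 'HQ'
    ReplicationSourceDC           = "$SurvivingDc.$Domain"
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
    Credential                    = $cred
}
Test-ADDSDomainControllerInstallation @promo          # dry run; reports conflicts such as a lingering OLDDC01 object
Install-ADDSDomainController @promo -Force            # reboots when done

# ---- Step 4 (after the new OLDDC01 has completed initial replication, SYSVOL included) ----
Move-ADDirectoryServerOperationMasterRole -Identity $RetiringDc -OperationMasterRole $AllRoles -Confirm:$false
# Repeat steps 1-3 for OLDDC02 with the next 2016 server.
```

Pinning the new server's DNS client to the surviving DC before promotion matters when the name and IP are reused: if it pointed at itself, the promotion would be looking up SRV records on a box that is not a DC yet, and any cached record for the old OLDDC01 would be resolved instead.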
Reusing Demoted DC IP
- Last Post 25 October 2017
I'm in a small environment (just 4 DCs, across three continents - two
in HQ, one each in the foreign offices).
I performed a similar DC demotion/re-implementation a couple of weeks
ago on a Saturday, for a single DC, going from 2012R2 to 2016, reusing
the name and IP address.
I performed the operation because we needed to correct OS licensing,
as the original implementer used Datacenter, and we needed to put it
back to Standard to fulfill our licensing obligations.
I was going to reinstall with 2012R2, but for some reason it wouldn't
install (this was on my single physical DC - the rest are VMs, also
2012R2), so I jumped it up to 2016, which worked out OK.
I demoted, and then forced replication. Once that was happy, I tried
to join the new machine to the domain, but found that the old computer
account was still listed in the Domain Controllers OU, protected
against accidental deletion, so I unprotected it and manually deleted
it in ADUC and followed up with metadata cleanup, and then forced
Also, this DC was the bridgehead server in HQ, so I manually created
the links in ADSAS.
I was then able to join the new machine and promote it, and it all looked good.
However, I didn't immediately notice that I had a problem with my GPOs
in the aftermath - about 8-10 of them were emptied/corrupted. This
wasn't diagnosed until the following Monday, so I was scrambling a
bit, because I'd never had this kind of problem before, and I had to
do a restore of all GPOs from the Friday night backup.
It all worked out, but there were some unhappy field staff for a while
- the major GPOs that took the hit were for our DirectAccess server
and clients, and I had to work with those few who got the
updated/corrupted GPOs over the weekend to connect via our backup SSL
VPN so they could perform a gpupdate, and then they were good to go.
Yeah, it's exactly what we were looking for.
Check SYSVOL replication.
The SYSVOL is not too large, but I'll consider pre-seeding the database.
Thanks Kevin, Dave and Dhiraj.
It's been a while, but when I have upgraded DCs I have also re-used names and IP addresses, as the names were often configured into other applications and documentation of the dependencies was incomplete. It is important to allow enough time for the changes to replicate. If SYSVOL is large, that can be the show stopper, as from what I remember the DC won't come online until this has replicated. Not sure if you can pre-seed the databases if re-using the names to speed the initial database replication. Dave Wade
I've re-used IPs as well as DC names before where LDAPS (cert) binds and other DC references were required to be maintained. Just need to ensure replication fully completes and any other DNS cleanup occurs between the removal of the old DC and the introduction of the new one. Also ensure all SYSVOL replication references are included in the cleanup/verification. /kj
You need to check/clean up the DNS records of the 2008 DC before using them on 2016.
I would reuse only the IP instead of both IP and hostname.
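The replies above add up to a checklist: the old computer account and NTDS Settings object must be gone, SYSVOL membership must be cleaned up, DNS must no longer reference the old DC, replication on the remaining DC must be healthy, and nothing may still answer on the IP. The read-only script below runs that checklist before a 2016 server is promoted with the old name and IP. It is an added example, not code from any of the posters, and assumes the ActiveDirectory and DnsServer RSAT modules (2012 or later), domain contoso.com, demoted DC OLDDC01 at 10.0.0.11 and surviving DC OLDDC02, which also serves the DNS zones; all of these are placeholders. It reports leftovers and deletes nothing, so the actual cleanup (ADUC, ntdsutil, DNS console) stays a deliberate step.

```powershell
# Added example, not from the thread. Placeholders: contoso.com, OLDDC01/10.0.0.11 (demoted),
# OLDDC02 (surviving DC and DNS server). Read-only: reports what is still referencing the old DC.
function Test-RetiredDcLeftovers {
    param(
        [string]$Domain      = 'contoso.com',
        [string]$OldName     = 'OLDDC01',
        [string]$OldIp       = '10.0.0.11',
        [string]$SurvivingDc = 'OLDDC02'
    )
    Import-Module ActiveDirectory, DnsServer
    $findings = New-Object System.Collections.Generic.List[string]
    $dn  = (Get-ADDomain -Identity $Domain).DistinguishedName
    $cfg = (Get-ADRootDSE -Server $SurvivingDc).configurationNamingContext

    # 1. Computer account still in the Domain Controllers OU (often still protected from accidental deletion)
    $acct = Get-ADComputer -LDAPFilter "(cn=$OldName)" -SearchBase "OU=Domain Controllers,$dn" `
                -Properties ProtectedFromAccidentalDeletion -Server $SurvivingDc
    if ($acct) {
        $findings.Add("computer account $($acct.DistinguishedName) still exists (protected=$($acct.ProtectedFromAccidentalDeletion))")
    }

    # 2. Server / NTDS Settings object under Sites: metadata cleanup has not happened
    Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$OldName))" -SearchBase "CN=Sites,$cfg" -Server $SurvivingDc |
        ForEach-Object { $findings.Add("server object $($_.DistinguishedName) still present (ntdsutil metadata cleanup)") }

    # 3. SYSVOL membership: FRS (2008 R2 default) and DFSR each keep one member object per DC under CN=System
    foreach ($class in 'nTFRSMember', 'msDFSR-Member') {
        Get-ADObject -LDAPFilter "(&(objectClass=$class)(cn=$OldName))" -SearchBase "CN=System,$dn" -Server $SurvivingDc |
            ForEach-Object { $findings.Add("SYSVOL $class object $($_.DistinguishedName) still present") }
    }

    # 4. DNS: the host A record, _msdcs SRV/CNAME/NS records, and any A record still holding the old IP
    foreach ($zone in @($Domain, "_msdcs.$Domain")) {
        Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $SurvivingDc | ForEach-Object {
            $rec = $_; $d = $rec.RecordData
            $stale = switch ($rec.RecordType) {
                'A'     { $rec.HostName -ieq $OldName -or $d.IPv4Address.IPAddressToString -eq $OldIp }
                'SRV'   { $d.DomainName    -like "$OldName.*" }
                'CNAME' { $d.HostNameAlias -like "$OldName.*" }
                'NS'    { $d.NameServer    -like "$OldName.*" }
                default { $false }
            }
            if ($stale) { $findings.Add("DNS $zone $($rec.RecordType) record '$($rec.HostName)' still references $OldName/$OldIp") }
        }
    }

    # 5. Replication on the surviving DC: no errors, and the old DC must not appear as a partner any more
    Get-ADReplicationPartnerMetadata -Target $SurvivingDc -Scope Server | ForEach-Object {
        if ($_.Partner -like "*CN=$OldName,*") {
            $findings.Add("stale replication partner: $($_.Partner)")
        } elseif ($_.LastReplicationResult -ne 0) {
            $findings.Add("replication error $($_.LastReplicationResult) from $($_.Partner) for $($_.Partition)")
        }
    }

    # 6. The IP we are about to reuse must be free
    if (Test-Connection -ComputerName $OldIp -Count 1 -Quiet) {
        $findings.Add("$OldIp still answers; make sure the demoted host is really off the network")
    }

    return $findings
}

$left = Test-RetiredDcLeftovers
if ($left.Count -eq 0) { 'clean: safe to promote the 2016 server with the old name and IP' } else { $left }
```

Step 4 is the part that usually bites when the name is reused: a stale A or SRV record for OLDDC01 resolves to the new box before it is a DC, so clients and the promotion itself get directed at a server that cannot answer, while a stale CNAME for the old DSA GUID in _msdcs keeps the remaining DCs trying to replicate with a partner that no longer exists. Step 3 covers both SYSVOL engines because a domain that started on 2008 R2 may still be on FRS; if it is, migrating to DFSR is a separate prerequisite before 2016 DCs join in.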