
PDC restore?

itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
Hey guys
I am in the middle of a crisis. We have a PDC/global catalog server
that is dying. It is an old machine. I have it imaged with storage craft
I know it will restore to another server no problem. But

What am I looking at as far as issues? You know there will be new hardware, so register it anew, no big deal, but what about any tombstoning of the Active Directory or anything like that, or will there be a new GUID created for the security of the domain with the workstations attached to the domain? I have done some lab stuff but this is real world.

What do I need to be careful of when migrating a PDC/Global DC to
another machine with dissimilar hardware? I would be grateful for anything you guys can give me ;)

Comments

  • vCole Member Posts: 1,573 ■■■■■■■□□□
    Not recommended to do that, at all.

    Back up AD, clean install a new DC on the new hardware, then perform an authoritative or non-authoritative restore of AD.
  • undomiel Member Posts: 2,818
    Bring up the new server, make it a new DC/GC, move the roles over, demote the old server. Assuming it is not dead yet at least, that is. If you can move the roles away sooner then all the better. If the DC is non-recoverable then I'd recommend restoring AD to the new DC as Fade suggested.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • crrussell3 Member Posts: 561
    If you have any DC available, transfer all FSMO roles to it, promote to GC if need be, then demote old DC while you still have a chance for a clean removal. Install new server, promote to DC, transfer FSMO roles back.

    As others have said, doing a backup/restore of the DC to new hardware will bring bad ju-ju to your AD.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    Fresh install of Windows on the new server. DCPromo. Transfer the PDC and all other roles over to it. DCPromo the old server to uninstall AD from it cleanly.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • itdaddy Member Posts: 2,089 ■■■■□□□□□□
    I assume do this after hours? haa
    So I am going to have to even rename the server name and IP address entirely. Yeah, I am going to have to do it fast, it is hanging once in a while.
    So no imaging, huh? So promoting before dead is the best way.
    Can I do this maybe:

    1. promote another server on the network for now
    with PDC, GC and FSMO roles

    and then demote it and then promote it

    and then promote the new DC in its place with same IP address

    I am not going to have to hack out the old DC from AD, am I? I mean
    will it somehow be orphaned? I have seen this before??

    can I use the same server name and IP Address?
    after I demote the bad DC?



    Crussell3 ahhha bad ju ju ju ahahahha I just read your post, that is what I am going to do, a clean demote before it dies omg
    I am going to do it stat! Have to order the server tomorrow, yikes, overnight it. Will let you know how it turns out,
    but will change FSMO roles and make a new GC first thing. Will let you know how it turns out.
  • crrussell3 Member Posts: 561
    As long as you have Server 2008, once you properly demote the failing DC and remove it from the domain, you can just delete the computer object and that will perform the necessary metadata cleanup for you. Verify by running ntdsutil and performing dcdiag tests (and frsdiag if you are still using frs for replication). Also remember to delete the object from Sites and Services.

    You can reuse the failing DC hostname and ip address once everything has been properly demoted and metadata cleanup has been performed and verified.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • itdaddy Member Posts: 2,089 ■■■■□□□□□□
    What if I only have 2003 server?
    Can I still reuse the server name and IP?
    Also, if the DC dies, can I force FSMO roles onto another DC and check the Global Catalog box on another DC?

    And does this same thing apply to an MS Exchange 2003?
    So does restoring an Exchange 2003 to a VM or dissimilar hardware
    cause bad ju ju???? Since it is AD integrated?
  • RTmarc Member Posts: 1,082 ■■■□□□□□□□
    itdaddy wrote: »
    What if I only have 2003 server?
    Can I still reuse the server name and IP?
    Also, if the DC dies, can I force FSMO roles onto another DC and check the Global Catalog box on another DC?

    And does this same thing apply to an MS Exchange 2003?
    So does restoring an Exchange 2003 to a VM or dissimilar hardware
    cause bad ju ju???? Since it is AD integrated?

    How many domain controllers do you currently have?
  • gorebrush Member Posts: 2,743 ■■■■■■■□□□
    If his answer is one, then my brown trouser threshold would be lowered.
  • crrussell3 Member Posts: 561
    itdaddy wrote: »
    What if I only have 2003 server?
    Can I still reuse the server name and IP?
    Also, if the DC dies, can I force FSMO roles onto another DC and check the Global Catalog box on another DC?

    And does this same thing apply to an MS Exchange 2003?
    So does restoring an Exchange 2003 to a VM or dissimilar hardware
    cause bad ju ju???? Since it is AD integrated?

    For Server 2003 you will need to manually clean up metadata using ntdsutil (Clean up server metadata: Active Directory).

    While you can force FSMO roles onto another DC, it is always best for it to not come to that. If you can bring up another DC in the interim until your new server arrives, that is best. You do have two DCs for failover already, don't you?

    As for virtualizing AD, while it is supported, there are some major "gotchas!" that you have to be aware of (Things to consider when you host Active Directory domain controllers in virtual hosting environments).

    I am unsure how exchange would react so won't even venture a guess, I will leave that to an exchange expert. I would suggest researching disaster recovery for exchange to get an idea.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • unnamedplayer Member Posts: 74 ■■□□□□□□□□
    When restoring Exchange, you'll want to make sure you are restoring to the same OS level, i.e. same version, service pack, etc. Restoring to dissimilar hardware shouldn't be a problem. If you have another Exchange server in your organization, it'd probably be a lot easier to just move everything over there before your first Exchange server dies (same as with your DCs). However, if your hardware is already dead and there was no secondary Exchange server, when you reinstall Exchange on the new hardware, use the /disasterrecovery switch. This alerts Exchange setup that the AD forest already has an Exchange organization in place and to use that configuration.

    Definitely do your research to make things easier (and less nerve-wracking) for yourself!
  • itdaddy Member Posts: 2,089 ■■■■□□□□□□
    Okay guys here it goes.

    1. change fsmo roles to a good working DC
    2. change good working DC to GC
    3. TEST email see if working after GC promotion
    4. Demote old dying PDC
    5. remove old dying DC from domain
    6. clean meta data from new PDC/GC with tool
    7. change name and IP address to be same as old PDC
    8. promote new DC with DCPROMO
    9. place FSMO roles back to new DC if desired?

    What about VMs, can you make a Virtual Machine into a DC?
    And what about moving it around? What does that do,
    or making backup copies of it? Has anyone had experience with
    doing this?


    I have done this before but like years ago, just want to make sure I have
    my ducks in a row and get some wisdom from you experts who have gone through the fire.. don't want any ju ju!


    we have 4 Domain Controllers so I can transfer FSMO roles to one of our newer DCs which I am going to

    If you guys can bless my list above I can do some more research and then
    get my 2003 server built STAT! for a weekend of fun :)
    Thanks a lot for your guys' help. I have done it once before years ago but a guy can get rusty! :)
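An added example, not code from anyone in this thread, showing the transfer, verification and Server 2003-era ntdsutil metadata cleanup steps that crrussell3 describes and that the numbered plan above walks through. OLDDC, NEWDC and the zone name corp.example are assumed placeholders; the domain, site and server index numbers must be read from ntdsutil's own listing, never taken from here.

```powershell
# Added example, not from the thread. Assumed names: OLDDC = the dying
# PDC/GC, NEWDC = the healthy DC taking the roles, corp.example = the AD
# DNS zone. Run in an elevated shell on NEWDC as a member of Domain Admins
# (Schema Admins / Enterprise Admins are needed for the two forest roles).
$oldDc = 'OLDDC'
$newDc = 'NEWDC'
$zone  = 'corp.example'

# Step 1: TRANSFER the five FSMO roles while OLDDC still answers. Transfer
# is a clean handover between live DCs; "seize" is only for a DC that is
# already dead and must never be brought back online afterwards.
# (Server 2003's ntdsutil spells the second one "transfer domain naming master".)
ntdsutil "roles" "connections" "connect to server $newDc" "quit" `
         "transfer schema master" "transfer naming master" "transfer pdc" `
         "transfer rid master" "transfer infrastructure master" "quit" "quit"

# Step 2: verify that every role holder now reports NEWDC before touching OLDDC.
foreach ($role in 'schema', 'name', 'infr', 'pdc', 'rid') {
    "$role holder: " + (dsquery server -hasfsmo $role)
}
dcdiag /test:knowsofroleholders /v | Select-String 'Role .* Owner'

# Step 3: on OLDDC itself run dcpromo to demote gracefully, then remove it
# from the domain. A graceful demote deletes its NTDS Settings object, so
# no metadata cleanup is required. Only if OLDDC died before it could be
# demoted, remove the stale server object from NEWDC with the 2003-era menu:
#   ntdsutil "metadata cleanup" "connections" "connect to server $newDc" "quit"
#            "select operation target" "list domains" "select domain <N>"
#            "list sites" "select site <N>" "list servers in site"
#            "select server <N>" "quit" "remove selected server" "quit" "quit"
# Each <N> comes from the list ntdsutil prints one step earlier; pick the
# entry that names OLDDC and nothing else.

# Step 4: confirm OLDDC is gone from Sites and Services and from DNS before
# reusing its hostname and IP on the new box.
dsquery server -o rdn                      # must no longer list OLDDC
dnscmd $newDc /enumrecords $zone $oldDc    # leftover A rows still point at a dead DC
# dnscmd $newDc /recorddelete $zone $oldDc A /f   # delete the leftovers if any

# Step 5: replication and DC health checks (the thread's dcdiag/netdiag advice).
repadmin /replsummary
dcdiag /q
```

The SRV records a dead DC registered under _msdcs and _sites are scavenged only if aging is enabled on the zone, so check those subtrees with the same /enumrecords call before the new server registers under the reused name.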
  • RTmarc Member Posts: 1,082 ■■■□□□□□□□
    You may need to bounce Exchange after changing the other DC to a GC. You can usually handle that by bouncing services but it can be flaky at times. A reboot and you're set.

    There is no need to do metadata cleanup provided you do a graceful remove of the DC from the domain (dcpromo + remove from domain).

    Virtual machines can be made DCs. In fact, all but one of ours is with another physical box acting as the PDC emulator for time purposes.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    undomiel wrote: »
    Bring up the new server, make it a new DC/GC, move the roles over, demote the old server. Assuming it is not dead yet at least, that is. If you can move the roles away sooner then all the better. If the DC is non-recoverable then I'd recommend restoring AD to the new DC as Fade suggested.
    itdaddy wrote: »
    I assume do this after hours? haa
    So I am going to have to even rename the server name and IP address entirely. Yeah, I am going to have to do it fast, it is hanging once in a while.
    So no imaging, huh? So promoting before dead is the best way.
    Can I do this maybe:

    1. promote another server on the network for now
    with PDC, GC and FSMO roles

    and then demote it and then promote it

    and then promote the new DC in its place with same IP address

    I am not going to have to hack out the old DC from AD, am I? I mean
    will it somehow be orphaned? I have seen this before??

    can I use the same server name and IP Address?
    after I demote the bad DC?



    Crussell3 ahhha bad ju ju ju ahahahha I just read your post, that is what I am going to do, a clean demote before it dies omg
    I am going to do it stat! Have to order the server tomorrow, yikes, overnight it. Will let you know how it turns out,
    but will change FSMO roles and make a new GC first thing. Will let you know how it turns out.

    There is just one thing that I want to point out to help manage stress in situations like this. Sometimes we get caught up in the details of what will happen if/when. But in some cases, like this where your choice is limited to one thing (you have to add the new server, dcpromo, transfer roles, etc.), it does not matter what you have to do after - this move is forced. You can stop stressing about the clean up until after the situation is contained. Having to clean AD metadata is a big deal, for sure. But you have to do the other steps anyway. So leave that to worry about until it is time to worry about it. ;) When moves are forced - make the move. Only worry about what comes next when it actually comes. Worrying in chunks will help you manage the stress and stay focused.
  • itdaddy Member Posts: 2,089 ■■■■□□□□□□
    Ooops what if all the sites have Global catalog checked??

    I looked in Sites and Services and clicked on the NTDS Settings properties.
    Every site has the Global Catalog checked, so does that mean they are all Global Catalogs?
    Thanks Robert and RTmarc and everyone for your help..

    But the mail server needs srv1; if it goes offline then the email server doesn't work,
    so what does the mail server need? Is it schema master? Since they are all checked (sites checked) Global Catalog,
    then what? I don't need to change srv1 to srv2 to be Global Catalog if it is already checked, right? All DCs are
    checked Global Catalog so no need to move the Global Catalog. I just need to move the 5 FSMO roles only, right?
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    If all your dc's have the Global Catalog box checked, then they are all global catalogs.

    The mail server must have access to global catalog in the same site. If you have no other GC's in the same site as your Exchange server, it will stop functioning when you take that GC offline (unless you make another one available).
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • itdaddy Member Posts: 2,089 ■■■■□□□□□□
    blargoe
    When you say same site? You don't mean same, say, branch office?
    When you say site, you mean as long as they can access the GC on the
    WAN it is okay, right? All the DCs are GCs, so that means if a DC goes down
    then it can find another one? I changed FSMO roles today and made one of our brand new server DCs hold the 5 FSMO roles; all were successful
    and email is still working good. I guess the 4 DCs having GC confused me,
    but when you say site you mean Domain/Forest, right?
  • undomiel Member Posts: 2,818
    Sites & Services, he is referring to an AD Site. They're different from a domain or a forest. They're a logical grouping of subnets. For some more info check: Sites overview: Active Directory

    They're especially important in how authentication works, which would be why blargoe was bringing it up.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • Fugazi1000 Member Posts: 145
    If DNS is fully functioning, then most of the concerns go away. Adding and removing DCs, GCs, etc is just the norm and the way the multimaster topology was designed. Unless you have WINS or hosts files, then life gets more complicated. But use this as the opportunity to get them out of your network!

    netdiag and dcdiag (support tools) are your friends.
  • Devilsbane Member Posts: 4,214 ■■■■■■■■□□
    itdaddy wrote: »
    Okay guys here it goes.

    1. change fsmo roles to a good working DC
    2. change good working DC to GC
    3. TEST email see if working after GC promotion
    4. Demote old dying PDC
    5. remove old dying DC from domain
    6. clean meta data from new PDC/GC with tool
    7. change name and IP address to be same as old PDC
    8. promote new DC with DCPROMO
    9. place FSMO roles back to new DC if desired?
    Sounds like you have a good plan in place; I don't see where you add a new DC into the mix (is this just implied to go in with step 8?). I'm curious why you want to have the new DC have the same name as the old one.
    what about VMs can you make a Virtual Machine into a DC?
    and what about moving it around ? what does that do
    or making backup copies of it? has anyone had experience with
    doing this?
    You can. A lot of places are moving all of their servers into VM's to reduce hardware cost. You do want to be careful with this though, because you are creating a single point of failure. Where I work, we have most of our servers in VM's that use clustering to spread them across different boxes.
    I have done this before but like years ago just want to make sure I have
    my ducks in a row and get some wisdom from you experts who have gone thru the fire..dont want any ju ju!
    Measure twice, cut once.
    we have 4 Domain Controllers so I can transfer FSMO roles to one of our newer DCs which I am going to
    Just be aware of which roles should be on the same box and which ones shouldn't be.
    Decide what to be and go be it.
  • itdaddy Member Posts: 2,089 ■■■■□□□□□□
    You guys are awesome... thank you very much... I changed all master roles to the newer DC we have and email works great. Thank you so much
    for all your help and skills; because of you guys I will be as good as you at your jobs (not) haha. Thanks, I appreciate my brothers in IT, you are freaking awesome..

    I even like it when you make fun of me! haaahha
  • crrussell3 Member Posts: 561
    Question though, why do you have all 5 FSMO roles on the same server, especially when you have multiple DCs available?
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • gorebrush Member Posts: 2,743 ■■■■■■■□□□
    Because he enjoys a low brown trouser threshold too?

    In all seriousness though - Why do you have all 5 on 1 box... :D
  • itdaddy Member Posts: 2,089 ■■■■□□□□□□
    You know, what would be the benefit? I have them on our newest server.
    I can see for subfunctions, but we use AD for the domain and for some RADIUS functions. We have 1 Exchange Server 2003. 1 DC is hard coded in our routers and switches for communication with our proxy email server on the public sector (internet).. I guess I could spread them out, but can you explain how I spread them out? All DCs are GC servers.
    And the newest server (1 year old) is the 5 fsmo roles.

    How would you suggest I scatter them and why? Thanks, appreciate your help..
  • undomiel Member Posts: 2,818
    I'd recommend taking a read over this and draw your conclusions of FSMO placement: FSMO placement and optimization on Active Directory domain controllers
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    How is this situation progressing?
  • itdaddy Member Posts: 2,089 ■■■■□□□□□□
    Well, I changed the FSMO roles to another DC that is a new machine,
    but when I turn the old DC off the email server is affected.

    This is due to a proxy email server out on the public network being hard configured to the old DC on the inside of our LAN. The outside proxy sends and receives email to our internal email server, and the old DC is used for LDAP and freakin RADIUS crap! I have to get some network engineer savvy with ASA firewalls to help me with this. There are tons of policies, it looks like, dealing with this. So if the old DC dies I am screwed because of the hard coding on our ASA with the old DC in relation to the email server on the inside and its relation to the RADIUS server (old DC) with outside VPN remote usage, yikes!

    So the situation is bleak until I hire a CCSP dude, which I will soon. haha
    Thanks guys for all your help...
  • undomiel Member Posts: 2,818
    Quick work around would be to add the ip address of the old dc as an additional address on the new dc. Or if it is just working by DNS just point the old record to the new server as well.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • itdaddy Member Posts: 2,089 ■■■■□□□□□□
    You know, that is very true, I can see how that would work;
    thanks man... I will report back one day how it is configured.
    But it is like a puzzle.. and I am probably going to hire a CCSP
    to come in and explain the configurations to me, because I can now as IT manager haahah. It is so cool now that I can just hire someone to come in and teach me what is going on; they get paid and I get a great lesson.

    thanks guys for all your help..you guys are very smart, and I hope it rubs off on me ;)