Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP
-
((Please read my entire post before rushing to reply))
I just watched Scott's YT video about virtualizing domain controllers and it reminded me that I need to take care of this project I've been putting off for some time.
My Environment:
- DC1: 2008 R2 domain controller (physical, holds FSMO roles)
- BDC1: 2008 R2 backup domain controller (virtual, for AD redundancy)
- Exchange 2010 SP3 (physical, on-prem)
Goal: I would like to replace my physical DC1 with a virtual Server 2016 domain controller. I would also like this new DC to have the same name and IP address as DC1, mainly because we have so many printers, servers and appliances that either point to "DC1" or its IP address. I merely want to "swap" domain controllers and end up with a virtual 2016 DC1 of same IP, without breaking Exchange, or numerous other things.
To execute my plan, these are the steps I assume I would take, and this is one area where I need guidance:
- Install new virtual Server 2016 named DC3
- Promote DC3 to domain controller
- Pass FSMO roles from old DC1 to DC3
- Decommission DC1
- Rename DC3 to DC1 and change IP to that of old DC1
- Run DC diagnostic commands to make sure things are still working
I understand that this may be bending or breaking best practice a little, but I would still like to get close to achieving this or something similar without breaking things. I am the only IT guy at my company and I've done a good job at keeping everything running while fixing/updating/upgrading/replacing/etc. I really don't want to damage our DC with this project but I don't want to wait too long to make this change either.
Additionally, I do believe I have set up time correctly on DC1, but could you guys help me verify this? I suspect I am having time related issues sometimes, for reasons currently unknown.
w32tm /query /peers
#Peers: 1
Peer: pool.ntp.org
State: Active
Time Remaining: 357.8628266s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)
w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0499886s
Root Dispersion: 0.0557726s
ReferenceId: 0x60F46013 (source IP: 96.244.96.19)
Last Successful Sync Time: 11/19/2017 3:39:27 PM
Source: pool.ntp.org
Poll Interval: 10 (1024s)
Notes:
- Virtual BDC1 replaced a virtual DC2 which was lost due to corruption a year ago (I had just started and didn't get the story) - it has the same IP as DC2 used to. I have noticed some errors here such as DCOM errors that say "DCOM was unable to communicate with the computer DC2.[domain].com using any of the configured protocols."
- Yes, I am aware that we are no longer doing the backup domain controller thing, as all domain controllers are "equal"
- Yes, I know Exchange should also be virtualized and/or hosted - that's another project for another day
- I just want to know the simplest way to do this without having to update a bunch of things as they are revealed through failure to function during business hours
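As an added example (not part of the original post or anyone's reply), here is a PowerShell review script for the things the OP wants verified before touching anything: which DC holds which FSMO role, whether each DC's time configuration matches its role, the clock offsets, replication and DNS health, and any leftovers from the lost DC2 that could explain the DCOM errors. It assumes it runs elevated on a DC with the ActiveDirectory, DnsServer and DnsClient modules available; "DC2" is the thread's name for the lost server, not a real host.

```powershell
# Added example: pre-migration health and time-sync review for the DCs described in this thread.
# Assumes: run elevated on a DC with the ActiveDirectory and DnsServer modules (RSAT).
Import-Module ActiveDirectory
Import-Module DnsServer

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Who holds which FSMO role right now? The PDC emulator is the one DC that should sync from an
#    external NTP source (pool.ntp.org in the OP's output); every other DC should sync from the
#    domain hierarchy rather than from its own external peer.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Time configuration on every DC. Compare "Type" against the role above:
#    PDC emulator -> Type: NTP with a manual peer list; all other DCs -> Type: NT5DS (domain hierarchy).
foreach ($dc in (Get-ADDomainController -Filter *)) {
    "`n=== $($dc.HostName) ==="
    w32tm /query /computer:$($dc.HostName) /status
    w32tm /query /computer:$($dc.HostName) /configuration | Select-String -Pattern 'Type:|NtpServer:|AnnounceFlags:'
}

# 3. Clock offset of each DC relative to the PDC emulator. Kerberos tolerates 5 minutes of skew by
#    default; offsets approaching that explain intermittent "time related" logon failures.
w32tm /monitor /domain:$($domain.DNSRoot)

# 4. Replication and DNS sanity before any role is moved.
repadmin /replsummary
dcdiag /test:dns /v | Select-String -Pattern 'PASS|FAIL|WARN'

# 5. Leftovers from the DC2 that was lost to corruption. DCOM "unable to communicate with DC2"
#    errors usually mean an orphaned NTDS Settings/server object or a stale DNS record still
#    advertises it. List anything in the configuration partition and the zone that still names it.
$configNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Filter 'Name -like "DC2*"' -SearchBase $configNc | Select-Object Name, ObjectClass, DistinguishedName
Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot |
    Where-Object { $_.HostName -like 'DC2*' -or $_.RecordData.HostNameAlias -like 'DC2*' } |
    Select-Object HostName, RecordType, @{n='Data';e={$_.RecordData}}
```

Two things worth checking in the OP's own output against this script: the peer line shows "Mode: 1 (Symmetric Active)", whereas an external server is normally configured in client mode by appending ",0x8" to the NtpServer entry, which public pools expect; and the stale-DC2 query in step 5 is the one that tells you whether the DCOM errors are an AD metadata problem (fix with ntdsutil metadata cleanup or by deleting the server object in Sites and Services) or just a leftover DNS record.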
-
Keeping the same name and IP is a recipe for disaster.
-
@jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Keeping the same name and IP is a recipe for disaster.
I've asked around numerous times in the past and have had mixed input. Some say it's bad to do and others say it's fine. Can you give me the reasons why you're saying it's a recipe for disaster?
-
Is renaming a DC allowed? I didn't think Windows allowed this.
My thinking is a staged approach.
Install and configure 2016 DC, unless you are ok running temp with second DC only.
Migrate roles and make sure all checks are clean.
Use MS tool to make backup of printers.
Demote old DC, then remove from domain and turn off.
Build second VM with name and IP of old DC1, add AD.
Restore printers
Decom temp 2016 DC.
-
@dashrender said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Is renaming a DC allowed? I didn't think Windows allowed this.
My thinking is a staged approach.
Install and configure 2016 DC, unless you are ok running temp with second DC only.
Migrate roles and make sure all checks are clean.
Use MS tool to make backup of printers.
Demote old DC, then remove from domain and turn off.
Build second VM with name and IP of old DC1, add AD.
Restore printers
Decom temp 2016 DC.
This whole thing is a bit unclear, and then you completely lost me at "Decom temp 2016 DC"
-
The first 2016 DC would be named like DC-temp. It is only there so you always have Two DCs online.
If you are OK with only your second DC being online, then you start by exporting printer settings, then decom current DC1, then build new VM as DC1, promo to AD, restore printers and go.
-
@dashrender said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
The first 2016 DC would be named like DC-temp. It is only there so you always have Two DCs online.
If you are OK with only your second DC being online, then you start by exporting printer settings, then decom current DC1, then build new VM as DC1, promo to AD, restore printers and go.
ooh, I see. Basically, move the FSMO roles to BDC1 and make it the only DC, then completely decommission DC1 and remove it from the domain and everything. Then set up the new 2016 server completely as DC1 used to be and then send the FSMO roles back? That seems a bit safer.
I think only a handful of things only point to DC1 for DNS because their settings only allowed for a single DNS entry instead of the usual multiple fields options.
-
@jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Keeping the same name and IP is a recipe for disaster.
Agreed, take this as a time to fix this rather than doing extra work now to maintain it. Clean up two things at once.
-
@dashrender said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Is renaming a DC allowed? I didn't think Windows allowed this.
It really does not like it, that's for sure.
-
@dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Keeping the same name and IP is a recipe for disaster.
I've asked around numerous times in the past and have had mixed input. Some say it's bad to do and others say it's fine. Can you give me the reasons why you're saying it's a recipe for disaster?
It's bad to do, but can be done.
-
@scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Keeping the same name and IP is a recipe for disaster.
Agreed, take this as a time to fix this rather than doing extra work now to maintain it. Clean up two things at once.
How would you go about fixing it?
-
@scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Keeping the same name and IP is a recipe for disaster.
I've asked around numerous times in the past and have had mixed input. Some say it's bad to do and others say it's fine. Can you give me the reasons why you're saying it's a recipe for disaster?
It's bad to do, but can be done.
And what about if I were to completely de-commission DC1, then remove it from the domain the right way, then set up the new 2016 to be the same as DC1 was. In that way, wouldn't it be like setting up a new DC since there wouldn't be a trace of the old one?
-
How I'd handle it....
Well, I'd not do it if possible and fix things pointing to something that they shouldn't here. That's the root level fix.
To go after a proximate fix...
- Set up the new DC. Do NOT use the old IP or hostname.
- Get it all working with the old machines in place.
- Create a CNAME to point the old name to the new server's A record. Remove the old machine.
- If you must, change the new IP to the old IP.
-
@dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Keeping the same name and IP is a recipe for disaster.
I've asked around numerous times in the past and have had mixed input. Some say it's bad to do and others say it's fine. Can you give me the reasons why you're saying it's a recipe for disaster?
It's bad to do, but can be done.
And what about if I were to completely de-commission DC1, then remove it from the domain the right way, then set up the new 2016 to be the same as DC1 was. In that way, wouldn't it be like setting up a new DC since there wouldn't be a trace of the old one?
Except, you know, the keys
-
@scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Keeping the same name and IP is a recipe for disaster.
I've asked around numerous times in the past and have had mixed input. Some say it's bad to do and others say it's fine. Can you give me the reasons why you're saying it's a recipe for disaster?
It's bad to do, but can be done.
And what about if I were to completely de-commission DC1, then remove it from the domain the right way, then set up the new 2016 to be the same as DC1 was. In that way, wouldn't it be like setting up a new DC since there wouldn't be a trace of the old one?
Except, you know, the keys
What do you mean the keys? Registry keys?? Wouldn't they be cleaned up during proper decommission?
-
@jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Keeping the same name and IP is a recipe for disaster.
Exactly. Never do that. Just add a new one, demote the old.
-
Changing the IP on a DC as the very last step is fine. It'll change everything automagically, such as the DNS records and such.
It's always better not to do it, but if you MUST, then it should be fine.
-
@dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
@jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
Keeping the same name and IP is a recipe for disaster.
I've asked around numerous times in the past and have had mixed input. Some say it's bad to do and others say it's fine. Can you give me the reasons why you're saying it's a recipe for disaster?
It's bad to do, but can be done.
And what about if I were to completely de-commission DC1, then remove it from the domain the right way, then set up the new 2016 to be the same as DC1 was. In that way, wouldn't it be like setting up a new DC since there wouldn't be a trace of the old one?
Except, you know, the keys
What do you mean the keys? Registry keys?? Wouldn't they be cleaned up during proper decommission?
Identity keys. And no, it's not the same machine. The issue here is that you are trying to have one key masquerade as if it is another when it is not.
-
What do you have that's relying upon AD, other than Windows logon and Exchange? You can change Exchange to use another GC as its catalog.
-
@scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:
How I'd handle it....
Well, I'd not do it if possible and fix things pointing to something that they shouldn't here. That's the root level fix.
To go after a proximate fix...
- Set up the new DC. Do NOT use the old IP or hostname.
- Get it all working with the old machines in place.
- Create a CNAME to point the old name to the new server's A record. Remove the old machine.
- If you must, change the new IP to the old IP.
Ok, let's scratch everything I mentioned. If I were to do this the best practice way, would I simply:
- Set up the new 3rd domain controller new name (DC3) and IP address
- Pass the roles from DC1 to DC3
- Finally, go through and point all "primary DNS" entries on Exchange and EVERYTHING else to the new DC3
If I perform the above steps, I am assuming no systems will have issues authenticating since they will all be reaching out to one of the three DCs, right? Therefore, I can gradually point systems to the new DC as needed.
Otherwise, please help me understand what I should do. I am going to spend my day tomorrow researching this stuff so I'm better educated on what I'm doing and can come up with an action plan.
Thank you
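The "proximate fix" sequence scottalanmiller lists (new DC with a new name and IP, move roles, CNAME the old name, change the IP only if forced) and the OP's final three-step plan are the same procedure with different last steps. Below is an added example of that procedure as PowerShell, not code from the thread or from any of its participants. Names (DC1, DC3, BDC1, example.com) are the thread's placeholders, the IP addresses are constructed, and the interface alias "Ethernet" is assumed; each phase runs on the machine named in its comment and ends with the check you would want clean before moving on.

```powershell
# Added example: replacing physical DC1 with virtual DC3 without reusing DC1's identity.
# Placeholders: example.com (domain), 10.0.0.10 (old DC1 IP), 10.0.0.13 (DC3), 10.0.0.12 (BDC1).
$Domain  = 'example.com'
$OldDc   = 'DC1'
$NewDc   = 'DC3'
$NewDcIp = '10.0.0.13'   # constructed
$Bdc1Ip  = '10.0.0.12'   # constructed

# Phase 1 (on the new 2016 VM, already named DC3 with its own new IP): add it as a DC + DNS server.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -InstallDns `
    -Credential (Get-Credential "$Domain\Administrator") -Confirm:$false
# After the reboot, from any DC: replication must be clean and dcdiag quiet (it prints only failures).
repadmin /replsummary
dcdiag /s:$NewDc /q

# Phase 2 (from any DC): transfer all five FSMO roles. This is a transfer, not a seize, so DC1 must
# still be online and replicating; a seize is only for a holder that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
(Get-ADDomain).PDCEmulator      # expect dc3.example.com

# Phase 3: time follows the PDC emulator role. DC3 takes over the external source in client mode
# (",0x8"); DC1 goes back to domain-hierarchy sync so two DCs do not both claim to be authoritative.
w32tm /config /manualpeerlist:"pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync
Invoke-Command -ComputerName $OldDc -ScriptBlock {
    w32tm /config /syncfromflags:domhier /reliable:no /update
    w32tm /resync
}
w32tm /monitor /domain:$Domain  # offsets should be well under the 5 minute Kerberos limit

# Phase 4 (each Windows member, e.g. the Exchange server): repoint DNS to DC3 and BDC1 while DC1 is
# still alive, so anything hard-wired to DC1 shows up now rather than during the outage.
# Appliances and printers are repointed in their own UIs; only the ones that allow a single DNS
# entry need the CNAME from phase 6.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses ($NewDcIp, $Bdc1Ip)
nltest /dsgetdc:$Domain          # confirms the client now locates a DC other than DC1

# Phase 5 (on DC1): demote, then unjoin. Demotion removes the NTDS Settings object and SRV records;
# the unjoin removes the computer account, so no identity is left for a later "DC1" to collide with.
Uninstall-ADDSDomainController -Confirm:$false `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'New local admin password')
# after reboot:
Remove-Computer -UnjoinDomainCredential (Get-Credential "$Domain\Administrator") -Restart -Force

# Phase 6 (from DC3): once DC1's A record is gone, alias the old name to the new server. A CNAME
# cannot coexist with an A record of the same name, so remove any stale A record first.
$stale = Get-DnsServerResourceRecord -ZoneName $Domain -Name $OldDc -RRType A -ErrorAction SilentlyContinue
if ($stale) { Remove-DnsServerResourceRecord -ZoneName $Domain -Name $OldDc -RRType A -Force }
Add-DnsServerResourceRecordCName -ZoneName $Domain -Name $OldDc -HostNameAlias "$NewDc.$Domain"
Resolve-DnsName "$OldDc.$Domain"   # expect a CNAME to dc3.example.com plus DC3's A record

# Phase 7 (optional, on DC3, only if some device truly cannot be repointed): take the old IP as the
# very last step. The DC re-registers its own A and SRV records; verify rather than assume.
# New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 10.0.0.10 -PrefixLength 24
# Remove-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress $NewDcIp -Confirm:$false
ipconfig /registerdns
nltest /dsregdns
dcdiag /test:dns /s:$NewDc /q
```

Two caveats that the CNAME step does not solve on its own, and that are the practical meaning of "the keys" in the thread: a Kerberos client talking to "DC1" builds the service principal name from the name it used, so SMB or LDAP to the alias will fall back or fail until that SPN is registered on DC3's account (setspn -S host/dc1.example.com DC3$, and for SMB shares the DisableStrictNameChecking setting on DC3); and devices that authenticate by IP rather than name are the ones phase 7 exists for. Everything in phases 1 to 4 is reversible; from phase 5 on it is not, which is why the checks sit at the end of each phase rather than at the end of the script.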