Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2005-11-24) How To Move A DC To Another AD Site?

Posted by Jorge on 2005-11-24


In this case you need to change the IP of a DC and move it to another AD site

–> Assuming it only has the DC/GC role…. <–

(steps marked with a @ are not mandatory, but are a safe measure, as I have seen occasions where those steps were needed…)

Steps to change the IP of a DC AND move the DC to another site:

  1. @ Create a copy of the NETLOGON.DNS in %WINDIR%\system32\config, rename it to NETLOGON.DNS.TXT and move it to another machine or print it (when done you can delete the .OLD file) (for an explanation of SRV RRs also see: http://www.petri.co.il/active_directory_srv_records.htm)
  2. @ Deregister the SRV RR for the DC that is going to be moved into another AD site
    1. NLTEST /DSDEREGDNS:<FQDN DC TO BE MOVED> (e.g. NLTEST /DSDEREGDNS:DCNAME.DOMAIN.COM)
  3. @ Stop the NETLOGON service on the DC
    1. Use services.msc
      OR
    2. Use a command prompt with: NET STOP NETLOGON
  4. @ Clean up the SRV RRs that are mentioned in NETLOGON.DNS.TXT but still exist in DNS (scavenging, if enabled, will remove the records, but that could take some time, and some old records will be replaced by new ones)
  5. Move the server object of the DC to the other site. Make sure the AD site exists and that the subnets that exist are also defined in AD and assigned to that AD site!
    1. Start AD Sites and Services from the command line like: DSSITE.MSC /SERVER:<FQDN DC TO BE MOVED>
    2. For other steps see: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/17af6280-573e-4043-9bd9-96fe3d13f4df.mspx)
  6. @ Force OUTBOUND AD replication on the DC that is going to be moved
    1. From the command line (options are case sensitive!): REPADMIN /SYNCALL <FQDN DC TO BE MOVED> /A /e /d /q /P
  7. Change the TCP/IP settings (IP address, DNS IP, WINS IP, etc)
  8. Shutdown the DC
  9. @ Clean up the connection objects on another DC that the moved DC has with other DCs and that other DCs have with the moved DC (after some time the KCC will do this itself, as it checks its replication topology every 15 min.)
  10. @ On each DC where you removed the connection objects run "Check Replication Topology"
    1. For steps see: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bb462fa2-a889-47f2-869c-2aeb06cfc5bf.mspx and/or http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/f30e2a81-4e9a-454b-9fb5-20f70f6dae10.mspx)
  11. Move the DC physically to the other site and turn it on
  12. @ Wait at least 5 min. (the KCC runs 5 min. after the DC starts and from that point on it runs each 15 min.) or force the DC to check the replication topology
    1. From the command line: REPADMIN /KCC <FQDN DC MOVED>
  13. @ Force the registration of its DNS records
    1. From the command line: IPCONFIG /REGISTERDNS
    2. From the command line (options are case sensitive!): NBTSTAT -RR
    3. From the command line: NLTEST /DSREGDNS
  14. @ Force INBOUND AD replication on the DC that was moved
    1. From the command line (options are case sensitive!): REPADMIN /SYNCALL <FQDN DC MOVED> /A /e /d /q
  15. @ Force OUTBOUND AD replication on the DC that was moved
    1. From the command line (options are case sensitive!): REPADMIN /SYNCALL <FQDN DC MOVED> /A /e /d /q /P
  16. @ Check the health of the DC that was moved
    1. From the command line:
      1. DCDIAG /V /C /D > DCDIAG_OUTPUT.TXT
      2. NETDIAG /V /DEBUG > NETDIAG_OUTPUT.TXT
    2. Open DCDIAG_OUTPUT.TXT and NETDIAG_OUTPUT.TXT and check for errors and if any troubleshoot and solve them
    3. Also check the event logs
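As an added check for steps 1 and 4 (this is not part of the original post), the following PowerShell reads the NETLOGON.DNS copy made in step 1, keeps the site-specific SRV records of the old site that name the moved DC, and reports which of them DNS still answers with that DC. It assumes Resolve-DnsName (DnsClient module) is available; the file path, DC FQDN and site name are placeholders.

```powershell
# Added example, not from the original post. Reports old-site SRV records
# from the NETLOGON.DNS copy (step 1) that DNS still resolves to the moved DC,
# i.e. the records step 4 cleans up. Requires Resolve-DnsName.
# The path, DC FQDN and site name below are placeholders (assumptions).
param(
    [string]$NetlogonDnsFile = 'C:\Temp\NETLOGON.DNS.TXT',
    [string]$DcFqdn          = 'DCNAME.DOMAIN.COM',
    [string]$OldSiteName     = 'OLDSITE'
)

function Get-NetlogonSrvRecords {
    # NETLOGON.DNS SRV lines look like:
    # _ldap._tcp.OLDSITE._sites.domain.com. 600 IN SRV 0 100 389 DCNAME.DOMAIN.COM.
    param([string]$Path)
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Name   = $Matches[1].TrimEnd('.')
                Port   = [int]$Matches[2]
                Target = $Matches[3].TrimEnd('.')
            }
        }
    }
}

# Only the site-specific records of the old site are expected to disappear;
# the domain-wide ones (_ldap._tcp.domain.com etc.) stay valid after the move.
$sitePattern = '\.' + [regex]::Escape($OldSiteName) + '\._sites\.'
$oldSiteRecords = Get-NetlogonSrvRecords -Path $NetlogonDnsFile |
    Where-Object { $_.Name -match $sitePattern -and $_.Target -ieq $DcFqdn }

$stale = foreach ($rec in $oldSiteRecords) {
    $answers = Resolve-DnsName -Name $rec.Name -Type SRV -ErrorAction SilentlyContinue
    $hit = $answers | Where-Object { $_.NameTarget -and $_.NameTarget.TrimEnd('.') -ieq $DcFqdn }
    if ($hit) { $rec }   # DNS still hands out this DC for the old site
}

if ($stale) {
    Write-Warning "$(@($stale).Count) old-site SRV record(s) still point at $DcFqdn"
    $stale | Format-Table Name, Port, Target -AutoSize
} else {
    Write-Host "No old-site SRV records for $DcFqdn remain in DNS."
}
```

Run it from the new site after step 13 so the comparison is made against the DNS servers the DC now uses; records it lists are the ones clients in the old site would otherwise keep being sent to.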

 

–> Assuming it also has the DNS server role…. <–

If it also has the DNS server role you might need to change:

  1. The forwarding configuration of DNS servers that forward DNS requests to the moved DNS server
  2. DNS zone delegations from other (parent) DNS servers to the moved DNS server for its DNS zones
  3. If applicable don’t forget DNS zone specific configurations set by DNSCMD.EXE
  4. Etc. etc….

 

–> Assuming it also has the DHCP server role…. <–

If it also has the DHCP server role you might need to change:

  1. Unauthorize it before shutting the server down
    1. For steps see: http://technet2.microsoft.com/WindowsServer/en/library/b3a60969-541e-412f-95b9-d609d863039c1033.mspx?mfr=true
    2. Additional info:
      1. http://support.microsoft.com/?kbid=306925
      2. http://support.microsoft.com/?kbid=303351
      3. http://technet2.microsoft.com/WindowsServer/en/library/9a4157c4-3c2f-4871-9ffe-7d405781f2cf1033.mspx?mfr=true
  2. Authorize it after booting it up again
    1. For steps see: http://technet2.microsoft.com/WindowsServer/en/library/9f713d6c-d7e5-42a0-87f7-43dbf86a17301033.mspx?mfr=true
    2. Additional info:
      1. http://support.microsoft.com/?kbid=306925
      2. http://support.microsoft.com/?kbid=303351
      3. http://technet2.microsoft.com/WindowsServer/en/library/9a4157c4-3c2f-4871-9ffe-7d405781f2cf1033.mspx?mfr=true

 

–> Assuming it also has the WINS server role…. <–

If it also has the WINS server role you might need to change:

  1. The replication partners that replicate with the moved DC for WINS, etc.

 

–> Other considerations…. <–

Other changes that might be needed:

  1. You might also need to change things on other servers like DNS/WINS IPs in TCP/IP settings of those servers if the moved DC hosts DNS/WINS
  2. You might need to adjust DHCP scopes if those scopes reference the moved DC if it hosts DNS/WINS

 

–> In short ;-))…. <–

What I really mean is that you need to look at it from a relationship perspective. In other words: what relationship do other servers have with the moved server, and what relationship does the moved server have with other servers, and how is each of those relationships configured.

 

REMARK:

  • this is also a good reference when just changing the IP of the DC!

 

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

4 Responses to “(2005-11-24) How To Move A DC To Another AD Site?”

  1. I’m not sure about this DNS cleanup thing. In my experience, a w2003 DC will do this properly.

    Nice point about the DHCP by the way. You might want to explain to the uninitiated why there is a problem here.

  2. Willem,
    Thanks for your post!

    Concerning the DNS thing…
    I once was called by a colleague and he told me people were being authenticated by (W2K3) DCs in remote sites that had previously been in the HQ site when they were installed. That is why I added that step.

    Concerning the DHCP thing…
    When a DHCP server is authorized in AD it is registered by its IP address. If the IP address changes the authorization is not valid anymore. That is the reason why I say to unauthorize it first, move it and authorize it again.

    Jorge
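An added example illustrating the point in the reply above (not code from the post or its author): the DHCP authorization stored under CN=NetServices,CN=Services,CN=Configuration,... is tied to the server's IP address, so after an IP change the entry still names the old IP. This script compares the authorization entries for a server against the IP it currently resolves to and, only with -Fix, unauthorizes the stale entry and authorizes the current one. It assumes the DhcpServer PowerShell module (Windows Server 2012 and later, not the 2005-era tools in the post) and uses a placeholder DNS name.

```powershell
# Added example, not from the original post or reply. Checks whether the DHCP
# authorization in AD still matches the server's current IP address.
# Assumes the DhcpServer module (Get-/Add-/Remove-DhcpServerInDC) is installed.
# The DNS name below is a placeholder (assumption).
param(
    [string]$DhcpDnsName = 'DCNAME.DOMAIN.COM',
    [switch]$Fix          # without -Fix the script only reports
)

# Authorization entries AD currently holds for this server (may include stale ones)
$authorized = Get-DhcpServerInDC | Where-Object { $_.DnsName -ieq $DhcpDnsName }

# The IPv4 address the server actually has now
$currentIp = [System.Net.Dns]::GetHostAddresses($DhcpDnsName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1 -ExpandProperty IPAddressToString

$staleEntries = $authorized | Where-Object { [string]$_.IPAddress -ne $currentIp }
$currentEntry = $authorized | Where-Object { [string]$_.IPAddress -eq $currentIp }

foreach ($entry in $staleEntries) {
    Write-Warning "Authorization for $($entry.DnsName) still references old IP $($entry.IPAddress)"
    if ($Fix) { Remove-DhcpServerInDC -DnsName $entry.DnsName -IPAddress $entry.IPAddress }
}
if (-not $currentEntry) {
    Write-Warning "No authorization for $DhcpDnsName at its current IP $currentIp"
    if ($Fix) { Add-DhcpServerInDC -DnsName $DhcpDnsName -IPAddress $currentIp }
} else {
    Write-Host "$DhcpDnsName is authorized at its current IP $currentIp"
}
```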

  3. is it not possible for us to authorize DHCP by editing
    CN=NetServices,CN=Services,CN=Configuration,DC=DomainName,DC=com ?

    -Jagadeesh
