Tuesday, April 29, 2008

Moving a Domain Controller to a Different Site



Moving domain controllers from one site to another one will require to re-IP the new domain controllers. What are the possible setbacks for this operation? The answer to this question become easy for us since we are in the middle of huge AD migration and have done it several times in production.

Here is the bullet point to consider when it comes to identify the existing services on the infrastructure domain controllers and decommissioned the old domain controllers.

  1. Identify the FSMO roles on each domain
  2. Distribute the FSMO roles according to MS best practices

    The schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled.

  • The infrastructure master should not be located on the same domain controller holding the RID master and PDC emulator roles if it is also a GC server.
  1. Identify the services running from each domain controller such as
  • DNS
  • DHCP, DHCP scope portions
  • WINS ( I hate WINS)
  • CA ( certificate Authority)
  • Web related services
  • Terminal server (licensing server)
  1. Application dependencies, relaying to existing domain controllers
  • LDAP
  • SLDAP
  1. Make sure you plan the proper backup for active directory

    Use System stage backup or equivalent backup system to backup AD database and related files. Flat windows and file system backup is not proper backup for active directory. At least use scheduled NT backup, on the 2 or 3 DC's trough out the enterprise (there is no need to backup every single domain controller, simply this would be a redundant afford (multi master replication). The proper backup of AD, (system state backup) allows authoritative restore. If you can $$$ use third party tools for fast recovery and backup.

  2. If you move paging file from C to another drive, remember a paging file equal to or larger than RAM size should be placed on the same partition as the operating system to allow crash dumps to be recorded.
  3. Add the /DEBUG switch to the Boot.ini file to enable post-mortem debugs of your servers. Adding the debug switch causes a 2-3 percent decrease in server performance but allows a debugger to be hooked up once a crash has occurred for post-mortem debugging
  4. Disable Unnecessary Services

    This is one of my favorite; I wish there were clearer instruction came with defaults installation.

  • Disable Windows updates (Assuming you are using WSUS)
  • Disable Wireless zero service
  • Print spooler service, every enterprise at least one DC must be running it.

Domain controllers will re-register dynamic record in DNS, claiming to be the domain controller with the new IP address. Make sure all the name servers for each domain (in case child domains exist) got updated in DNS. IF you a have child domains exist make sure all name server have been exist

I never did understand why windows media player comes with default installation windows. If you are going to promote it to be a domain controller, who cares about windows media player running on a DC? Or the games. Windows 2008 server should have clear base line installations.

The IP addresses of existing Domain controllers might be used by several components on the production servers and there might be a dependency for these IP addresses, so keeping the existing IP addresses and transferring them to the new build Domain controller might be necessary or smart move to lessen the possible breakage on the production network.

Best practice methods for Windows 2000 domain controller setup

Size the server and the hard drive as mentioned in the previous posts I did while ago. The point is to understand what kind of operations the OS and the database operate under and how to improve the performance and redundancy.

At the basic with decent server (64BIT preferred)

FYI:

When you split the AD files across the disks as we have done, the following are the recommended exclusions; normally you'd have to figure these locations out via registry settings. Keep in mind these ONLY apply when you've split the AD files the way we've done.

C Drive ( 64 Bit windows 2003 SP2)

8 Gig memory

OS & Logs

RAID 1 + 0

D Drive ( NTDS)

SysVol & .DIT database

RAID 1 + 0

H Drive CD-Room



Best regards

Oz ozugurlu,

Systems Engineer

MCITP (EMA), MCITP (SA),

MCSE 2003 M+ S+ MCDST

Security Project+ Server+

oz@SMTp25.org

http://smtp25.blogspot.com

No comments: