Active Directory - Replacement Advice

  • Active Directory - Replacement Advice

    Hi All,

    I'm quite new to AD design and would like some advice on how best to do the below.

    Currently my network is set up with 1 server running Active Directory / DNS / DHCP / file / print etc. for around 35 users. I recently took over in the job so it wasn't configured by myself.

    What I would like to do is replace this server as it's quite out of date. Also the company has changed name so I would like to rename the domain to be in line with the company name change.

    My initial thought is to redo the Active Directory setup so it's a fresh install.

    The DC currently serves to authenticate people when they access shares on the server - computers are not joined to the domain at the moment, people simply have local profiles on their machines where the password matches the DC - this allows them to browse shares - permissions groups are configured in AD to allow / disallow access to different shares.

    The DC also has IAS RADIUS accounts to allow authentication to CISCO routers / switches / firewalls.

    The DC is used for linux authentication.

    How should I tackle this? Should I configure the new DC to be a new domain in a new forest but use the existing DC's DNS? then migrate over user accounts and shares, then reconfigure DNS?

    I guess my other option would be to configure the new DC / AD, mirroring the existing AD setup inc users / groups / shares / IAS RADIUS details / DHCP then power down the existing DC and bring the new one up?

    Sorry for the length of this post, Thanks, R

  • #2
    Re: Active Directory - Replacement Advice

    Since we are talking about 35 users only, and if there are not many shares and NTFS permissions to play with, I would just build a fresh clean AD 2003 w/SP1 or above and start creating the users there, then join the server to the new domain and assign permissions to those shares and folders.
    I would also recommend using a fresh DNS/WINS/DHCP on that new DC, then decommission the old DC/AD.
    What I would also do is join all those workstations into the new domain and eliminate the need for local users and syncing the passwords between local and domain users.
    Build the new AD side by side with the old AD and start creating the resources there (Users/Groups/etc.); once you're done, configure the workstations to work with the new DNS/WINS/DHCP and join them to that new AD domain.
    After that, demote the old DC, remove DNS/DHCP/WINS and join that machine to the new domain (since it is a file server as well).

    I would not even bother going through a Migration process.
    Last edited by Akila; 5th September 2008, 09:33.


    • #3
      Re: Active Directory - Replacement Advice

      Thanks for your reply Akila.

      A few questions.

      Will having 2 servers, running 2 domains each with their own DNS/DHCP, cause problems? Will there be conflict between who issues IP addresses etc.?

      Clients at the moment aren't configured to look at DNS; I think it just auto-finds it?



      • #4
        Re: Active Directory - Replacement Advice


        Since there are only 35 machines, why not create a new domain in the same subnet, and once the activity/project is complete change the domain IP to your desired one.



        • #5
          Re: Active Directory - Replacement Advice

          You cannot run two DHCP servers on the same network. Well, you can but... for what you're talking about, no you can't. Like you say, conflicts will happen as each workstation will not know what DHCP server it should really be talking to.

          All Windows clients should be looking at the DNS running on the DNS server for your Windows domain. Typically this would be configured as an option in DHCP.

          Completely rebuilding a network is never a straightforward task, and from reading your above post the only reason is a domain name change? My recommendation would be to leave the current domain name as is (if you really must, then rename it, but that would depend on what version of Windows your server is, since you haven't said). You can now simply join a new server to the domain and slowly transfer things across rather than having to bite the bullet and move it all at once. Users can still work apart from whatever you are working on at the time.

          It's not like it's as simple as just moving data and users and then turning off the old server. If it was... then hell, my choice would also be this method.
          Please remember to leave positive reputation points (The Ying Yang Icon) if someone helps you.


          • #6
            Re: Active Directory - Replacement Advice

            Originally posted by rapid

            A few questions.

            Will having 2 servers, running 2 domains each with their own DNS/DHCP, cause problems? Will there be conflict between who issues IP addresses etc.?
            1) As for DNS, it is possible and recommended to run 2 servers serving as DC/DNS, and there would be no conflict since they replicate the same zone between each other.
            All you have left to do is configure the clients' primary/secondary DNS respectively.

            2) As far as DHCP, it is actually a good idea as well to have 2 DHCP servers, but as stated before you should avoid conflicts in IP address dispensing.
            In order to have 2 DHCP servers in one environment for redundancy, you should divide the IPs of every scope/VLAN/subnet between both (or more) servers.
            The best practice that I have been reading so far, and that is how we implement it, is by having one DHCP server with 70% of the IP addresses (e.g. from and the other server configured with the remaining 30% of the IPs (e.g. that way you have 2 DHCP servers that handle IPs at the same time, and if one server is offline clients should still get service from the other DHCP server until you bring the faulty DHCP back online.
            You can play with the ratio of IPs between servers as you wish.
            If you have more than one DHCP server you should make sure to add the other DHCP server's IP in the router's IP helper table as well as the 1st server's IP (unless you don't have VLANs, in which case you don't need to do anything - which I think is your case).
            Last edited by Akila; 12th September 2008, 17:15.


            • #7
              Re: Active Directory - Replacement Advice

              When running multiple DHCP servers, make sure to set the reservations on both.

              That way, if the server serving up the first segment goes down and you know it will be down for a while, you can just extend the scope on the remaining one.
              VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah
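As an added example (not code from any post in this thread), here is a small Python planner for the 70/30 split scope described in #6 together with the "reservations on both servers" rule from #7: it works out the exclusion range each DHCP server must carry so the two never lease the same address, and reports reservations that differ between the two servers. The scope addresses and reservations are constructed sample data.

```python
from ipaddress import IPv4Address

# Constructed sample scope: 192.168.10.20 - 192.168.10.219 (200 addresses).
SCOPE_START = IPv4Address("192.168.10.20")
SCOPE_END = IPv4Address("192.168.10.219")

# Constructed sample reservations (MAC -> IP) as configured on each server.
# Post #7's rule: these must be identical on both, or a client whose
# "home" server is down will get a different address from the other one.
RESERVATIONS_SERVER_A = {"00-11-22-33-44-55": "192.168.10.50",
                         "00-11-22-33-44-66": "192.168.10.150"}
RESERVATIONS_SERVER_B = {"00-11-22-33-44-55": "192.168.10.50"}


def plan_split_scope(start, end, primary_share=0.70):
    """Both servers define the full scope start..end; each one excludes the
    other's block so the two lease pools never overlap.  Returns, per server,
    the block it actually hands out and the exclusion range it must configure."""
    total = int(end) - int(start) + 1
    primary_count = round(total * primary_share)
    if not 0 < primary_count < total:
        raise ValueError("share leaves one server with no addresses")
    split = start + primary_count          # first address owned by the secondary
    return {
        "primary":   {"serves": (start, split - 1), "exclude": (split, end)},
        "secondary": {"serves": (split, end),       "exclude": (start, split - 1)},
    }


def pools_are_disjoint(plan):
    """True when the two served blocks are adjacent and do not overlap."""
    a_lo, a_hi = plan["primary"]["serves"]
    b_lo, b_hi = plan["secondary"]["serves"]
    return a_hi + 1 == b_lo and a_lo < b_hi


def check_reservations(res_a, res_b, start, end):
    """Return a list of problems: reservations that differ between the two
    servers, or that point outside the scope.  Empty list means consistent."""
    problems = []
    for mac in sorted(set(res_a) | set(res_b)):
        if res_a.get(mac) != res_b.get(mac):
            problems.append(f"{mac}: A={res_a.get(mac)} B={res_b.get(mac)}")
        elif not start <= IPv4Address(res_a[mac]) <= end:
            problems.append(f"{mac}: {res_a[mac]} outside scope")
    return problems
```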