Domain Controller consolidation


  • Domain Controller consolidation

    Hello all, I've been tasked with consolidating some of our domain controllers and wanted to see if I had everything lined up in order to perform this task. Here are the details:

    Location 1 -
    DC01 - AD, DNS, DHCP (global catalog)
    DC02 - AD, DHCP (global catalog)

    Location 2 -
    DC01 - AD, DNS, DHCP (global catalog)

    Location 3 -
    DC01 - AD, DNS, DHCP (holds Schema, Domain Naming, RID, and PDC Roles) (global catalog)
    DC02 - AD (Holds Infrastructure role) (no global catalog)

    Location 4 -
    DC01 - AD, DNS, DHCP (global catalog)

    Now, Location 1 & 2 domain controllers will remain while 3 & 4 domain controllers will be decommissioned. Location 3 & 4 have one active DHCP scope each and I would like to import that into Location 1 & 2. I plan on moving the 4 roles (schema, domain naming, RID, and PDC) to DC01 at location 1. And the infrastructure role to Location 1 DC02 (then uncheck global catalog). Locations 3 & 4 will still be active with end users. All sites are connected via DS3.

    My main question: is there anything I need to do specifically for DNS before I shut down DNS at location 3 & 4? I've been trying to find if any of these servers are the "primary" DNS server where all others replicate from.

    I appreciate everyone's help. If you need me to perform something to help diagnose, just let me know and I'll post back with the info.

    Edit-- all servers are 2003
    Last edited by lzim; 12th August 2011, 21:44.

  • #2
    Re: Domain Controller consolidation

    Assuming all your DNS servers are AD integrated, none is "primary" -- you can remove one without affecting the others.

    Will this leave sites 3 & 4 without any DCs at all? If so, how will clients at those sites manage if WAN links go down?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Domain Controller consolidation

      Originally posted by Ossian:
      Assuming all your DNS servers are AD integrated, none is "primary" -- you can remove one without affecting the others.

      Will this leave sites 3 & 4 without any DCs at all? If so, how will clients at those sites manage if WAN links go down?

      Thank you for the response Ossian. I will research to check and make sure all are AD integrated unless you know of an easy way to check.


      Currently, Location 4 only has about 4 users and will be going away within the next 6 months. Location 3 has about 45 users but with redundant WAN links hopefully we shouldn't run into an issue. I presented that same question to upper management but was tasked with still decommissioning these domain controllers.



      • #4
        Re: Domain Controller consolidation

        IMHO 45 users is enough to justify at least a RODC if not a full domain controller.
        Tom Jones


        • #5
          Re: Domain Controller consolidation

          I tend to disagree Tom.
          If the WAN link is down, your least amount of problems is probably the authentication.
          Secondly you might use Cached Credentials, yet user applications like Outlook and Web traffic are probably more important depending on their job.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"



          • #6
            Re: Domain Controller consolidation

            I was thinking more for when the WAN link is up and the traffic generated to/from DCs in normal use, particularly for DNS

            What is the DNS fallback plan if all WAN links go down?
            Tom Jones


            • #7
              Re: Domain Controller consolidation

              Originally posted by Ossian:
              I was thinking more for when the WAN link is up and the traffic generated to/from DCs in normal use, particularly for DNS

              What is the DNS fallback plan if all WAN links go down?

              <insert 2p here>

              He's talking about removing his DC from the site - I suspect that will likely leave the site without a server at all, including file servers.

              So, if both WAN links go down, that site has:
              1) no servers to get files from anyway
              2) no internet connection to browse to (Thus no need for DNS)
              3) no connection to the domain, or the file servers (thus no real need for internal DNS, and you'd have cached entries for the local devices and printers anyway)


              So.. if all wan links go down.. bigger problem than DNS
              Please do show your appreciation to those who assist you by leaving Rep Point


              • #8
                Re: Domain Controller consolidation

                Usually all the user related traffic including today's applications (Client/Server, web-based etc) are highly related on the WAN connectivity. Also mail servers, proxy servers etc are more and more centralized in some form of datacenter which is IMHO great.

                However, if the WAN link isn't redundant in any form, it can create a single point of failure. Most users can do their stuff on maybe a local DFS share, however most users are doing more than using some files on the share.
                Marcel


                • #9
                  Re: Domain Controller consolidation

                  Thank you for the responses everybody.

                  I checked the DNS and all zones are active directory integrated except for one zone, and it is listed as a stub zone. I don't think that one is even used anymore.

                  I did have a question about the FSMO roles... is the Domain Naming Master role also referred to as the authoritative DNS (role) server?

                  I was reading about when you wouldn't want to remove an Active Directory integrated DNS server from here: can't post URL until I've made 5 or more posts. See below...

                  I believe if I move the Domain Naming master role from Location 3 DC1 to Location 1 DC1 then I should be ok to shutdown DC1 at location 1 correct?

                  You can safely remove any DNS server running in your network BUT you should not if the following conditions are true:

                  1. If this DNS server is authoritative for an Active Directory domain or DNS Domain Zone.

                  If you remove any DNS server that is authoritative for any domain zone configured in your network, it will remove the SRV records from zone and connectivity to domain controllers through DNS server.

                  2. If this is the primary DNS Server and you have configured rest of DNS servers on other DCs to work as secondary DNS Servers then you should not remove this DNS server. Doing so will cause replication failures. Secondary servers will be inoperable.

                  3. If any domain is delegated under this DNS server.

                  4. If this DNS server contains the SOA records for other authoritative DNS Server for zone.

                  5. Your clients are configured to use this DNS server. Removing this DNS server from operation will cause problems, clients won't be able to log on to network or find domain controllers.

                  The above are the basic guidelines to consider while removing a DNS server from your network.



                  • #10
                    Re: Domain Controller consolidation

                    Er no, you cannot shut down any FSMO holder without transferring the FSMO first (or letting DCPromo do it, but then you cannot be sure where it will end up)
                    Tom Jones
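Two checks raised in this thread (FSMO roles must be transferred before their holder is shut down, and zones that are not AD integrated need a look before a DNS server is removed) can be run against saved output of `netdom query fsmo` and `dnscmd /enumzones`. This is an added example, not part of any post: the sample output is constructed, the host names and `example.local` are hypothetical, and the column layout of both tools is assumed to match the samples.

```python
# Added example: pre-decommission checks for the plan discussed in this thread.
# Sample output is constructed; host and zone names are hypothetical.
NETDOM_FSMO = """\
Schema owner                l3-dc01.example.local
Domain role owner           l3-dc01.example.local
PDC role                    l3-dc01.example.local
RID pool manager            l3-dc01.example.local
Infrastructure owner        l3-dc02.example.local
The command completed successfully.
"""
DNSCMD_ZONES = """\
 Zone name                      Type       Storage         Properties

 _msdcs.example.local           Primary    AD-Domain       Secure
 example.local                  Primary    AD-Domain       Secure
 partner.example.net            Stub       File

Command completed successfully.
"""
FSMO_LABELS = ("Schema owner", "Domain role owner", "PDC role",
               "RID pool manager", "Infrastructure owner")
ZONE_TYPES = {"Primary", "Secondary", "Stub", "Cache", "Forwarder"}

def fsmo_holders(text):
    """Map each FSMO label to the host that currently holds it."""
    holders = {}
    for line in text.splitlines():
        for label in FSMO_LABELS:
            if line.startswith(label):
                holders[label] = line[len(label):].strip().lower()
    return holders

def non_ad_zones(text):
    """Return (zone, type, storage) for zones not stored in Active Directory."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        # Only rows whose second column is a zone type are zone entries.
        if len(parts) >= 3 and parts[1] in ZONE_TYPES and not parts[2].startswith("AD-"):
            found.append(tuple(parts[:3]))
    return found

def blockers(retiring, fsmo_text, zone_text):
    """List what must be resolved before the retiring DCs are demoted."""
    retiring = {h.lower() for h in retiring}
    out = [f"transfer '{r}' off {h}" for r, h in fsmo_holders(fsmo_text).items() if h in retiring]
    out += [f"review {t} zone '{z}' ({s})" for z, t, s in non_ad_zones(zone_text)]
    return out
```

An empty list from `blockers()` means neither check found anything; it does not cover DHCP scope migration or the clients' DNS server settings, which the thread also raises.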