Reinstalling DC, any recommendations?


  • Reinstalling DC, any recommendations?

    In the last 6 months I've been experiencing problems on an HP ML110 G3; last night I received some errors while running a scheduled backup saying that there is a problem reading drive C. My guess is that the HDD system is failing. So I decided to replace the two HDDs with new ones and reinstall the server.

    Current spec of server:
    - DC (no FSMO roles installed)
    - DNS integrated, this is the alternative DNS server configured on client PCs
    - DHCP role for site
    - ISA2004 acting as backup gateway if the primary gateway fails

    I backed up everything... systemstate, full backup, DHCP, ISA. I also collected all media for installation.

    Also, it is important that the IP address is unchanged after reinstalling the server!

    My idea is to move the DHCP role to another server, restore the DHCP configuration on another server to release addresses while I take the server offline. Also I plan to demote the DC; the server is not holding any FSMO roles. Replace the HDD drives, make a clean install, configure the IP address as it was before, promote the DC, restore roles, install ISA server, restore the ISA configuration from backup.

    It seems like a simple task, but I would like to hear if anyone has any recommendations?
    Last edited by alien_ri; 12th November 2008, 21:53.

  • #2
    Re: Reinstalling DC, any recommendations?

    Looks like you've pretty much got everything covered there. The most important point is to demote the DC before you flatten it.

    Also, definitely worth taking the opportunity to move to RAID if you hadn't already. RAID 5 preferable.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: Reinstalling DC, any recommendations?

      Might be worth having a read of this too
      http://www.isaserver.org/tutorials/I...ontroller.html
      cheers
      Andy

      Please read this before you post:


      Quis custodiet ipsos custodes?



      • #4
        Re: Reinstalling DC, any recommendations?

        It isn't recommended to install an ISA server on a DC.
        I really really wouldn't do that.

        Also I think you're better off using an ISA cluster (NLB) than a backup gateway unless you're afraid that your internet feed fails.
        However with the current standard of 99,99% uptime I would be afraid for that
        Last edited by Dumber; 12th November 2008, 23:05.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: Reinstalling DC, any recommendations?

          Originally posted by Dumber:
          However with the current standard of 99,99% uptime I would be afraid for that
          I think the ISP we use (and are migrating away from) for our secondary line is what pulls the average down >.< 6 week outage sound good?
          Gareth Howells



          • #6
            Re: Reinstalling DC, any recommendations?

            Thank you all. I appreciate it.
            I'll try to separate the DC and ISA roles... I need to sit and plan it correctly. I'll update you on this.
            In brief, why is it not recommended to install DC and ISA together?



            • #7
              Re: Reinstalling DC, any recommendations?

              Originally posted by alien_ri:
              Thank you all. I appreciate it.
              I'll try to separate the DC and ISA roles... I need to sit and plan it correctly. I'll update you on this.
              In brief, why is it not recommended to install DC and ISA together?
              Marcel can speak more to this but the gateway is your first line of defense and if it's compromised and it's a DC then your whole network is compromised.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com



              • #8
                Re: Reinstalling DC, any recommendations?

                Hmm I noticed I made a small typo
                However with the current standard of 99,99% uptime I would be afraid for that
                I meant I wouldn't be afraid for that

                JeremyW, I'm still not an expert either but I'm working on it :P
                However a few reasons why I wouldn't place ISA on a DC.

                First of all,
                An ISA server is an edge firewall which is meant to be placed on the edge of the network.
                It doesn't mean it only should be placed between the internet and a network but it can also be used to separate 2 different internal networks.

                Second,
                you need to open all kinds of ports to the internal network to allow communication between the DC/ISA and the rest of the internal network. This makes the ISA server more vulnerable to internal attacks. Don't think that you don't have to fear internal attacks. There are more than you think. You only need one smartass or one really ignorant user.

                Third,
                you don't only expose the ISA server to the Internet but also your DC. When the ISA server gets compromised (never seen one before but theoretically it can be done) you also lose your DC. When you lose your DC then your whole network is compromised (this is simply about losing your admin rights). Losing your ISA server can happen through bad management of the ISA server, so make sure you open only the ports which are absolutely necessary.

                Fourth,
                System hardening would be tougher to do due to all those roles the DC/ISA server would have.

                However, all this doesn't say it can't be done. Yes it can be done, but I wouldn't do it.
                Also SBS is something different. It's made for it by Microsoft but IMO I still wouldn't do it.
                However Microsoft created it and I assume they thought well about it.
                Marcel


                • #9
                  Re: Reinstalling DC, any recommendations?

                  Originally posted by Dumber:
                  Also SBS is something different. It's made for it by Microsoft but IMO I still wouldn't do it
                  However Microsoft created it and I assume they thought well about it.
                  FYI, Microsoft have backpedaled and announced that SBS 2008 will not support being placed at the network edge - no proxy server is included in any edition of SBS.

                  SBS 2003 was a great product idea... but I'd always recommend to SBS users that they licence the transition back to allow them to separate ISA from the DC.
                  Gareth Howells



                  • #10
                    Re: Reinstalling DC, any recommendations?

                    Oh well, I don't work a lot with SBS so I don't give it a lot of attention.
                    Thanks for the heads up but ok, It WAS supported
                    Marcel


                    • #11
                      Re: Reinstalling DC, any recommendations?

                      Don't get me wrong, SBS 2003 was a great product at a great price. It's just that some of what Microsoft called "best practices" were rather questionable. Granted, installing ISA on the DC would save the requirement of another server - obvious cost benefits. Severely limiting the abilities of domain admin accounts other than Administrator? A step backwards. How is there traceability if all of your admins have to share the same account :/
                      Gareth Howells



                      • #12
                        Re: Reinstalling DC, any recommendations?

                        Anyhow, Microsoft supported it, including SBS 2003. I'm not an SBS user (I used it once a year ago and I had to think about Steven's recommendation about UTFW).

                        Anyway, I hope it was informative for Alien_ri.
                        Marcel


                        • #13
                          Re: Reinstalling DC, any recommendations?

                          Yup, it was very informative indeed. Thanks guys.
                          The explanation of the scenario with DC and ISA together was very interesting, thanks Dumber.
