Removing Windows 2012 DC


  • Removing Windows 2012 DC

    Hello everyone

    I am kinda new to Windows Server configuration and I hope you can give me some input.

    Currently we have 5 servers in our company: Windows 2003, Windows 2003r2, Windows 2008, Windows 2008r2, Windows 2012. Windows 2008r2 was our Primary DC 6 months ago, and when we purchased a new Windows 2012 server, we allowed this new server to take over the role of DC.

    Now we have encountered a hardware issue on the 2012 server and want to reconfigure the server.

    I have read books on Windows 2012 Installation and Configuration etc. but I still have 2 confusions.

    1) Can I simply back up and then reformat my Windows 2012? After which I can apply the AD? I will do it over the weekend.

    2) Since there are different versions of Windows Server OS, what is the forest level and domain level that I should select after reinstalling the 2012 server?

    3) After I have reformatted and reused the same domain name, do I have to get all my colleagues' PCs to rejoin the same domain?

  • #2
    Re: Removing Windows 2012 DC

    You could try a backup, rebuild and restore but as an alternative:
    1) check functional levels are at 2008r2 (you may not have raised them)
    2) DCPROMO 2008R2 to be additional DC (add DNS, DHCP etc)
    3) DCPROMO 2012 to stop being DC (also remove DNS/DHCP)
    4) remove 2012 from domain and flatten
    5) fix hardware, clean install of 2012, rejoin domain
    6) DCPROMO (new) 2012 server

    Maybe a bit more work, but it keeps your existing domain intact rather than rejoining clients (which can be a real PITA)

    If the current FLs are at 2012, introduce a temporary 2012 server (any spare hardware) and make it a DC as above
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
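
The checks behind steps 1 to 3 of the plan above can be scripted before the 2012 server is demoted. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later with the ActiveDirectory module, a reachable DC running AD Web Services, and `DC2012` as a placeholder host name.

```powershell
# Added example: checks to run before demoting a DC (step 3 of the plan above).
# Assumptions: PowerShell 3.0+, ActiveDirectory module (RSAT), a reachable DC
# running AD Web Services. 'DC2012' is a placeholder for the DC being retired.
Import-Module ActiveDirectory
$Retiring = 'DC2012'

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

# Step 1 of the plan: current functional levels.
"Forest mode: $($forest.ForestMode)  Domain mode: $($domain.DomainMode)"

# FSMO holders, the same information 'netdom query fsmo' prints.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | Format-Table Name, Value -AutoSize

$problems = @()
$others = @($dcs | Where-Object { $_.Name -ne $Retiring })
if ($others.Count -eq 0) {
    $problems += "No other DC exists; demoting $Retiring leaves the domain without a DC."
}
if (-not ($others | Where-Object { $_.IsGlobalCatalog })) {
    $problems += 'No remaining DC is a global catalog.'
}
foreach ($role in $fsmo.GetEnumerator()) {
    if ($role.Value -like "$Retiring.*") {
        $problems += "$($role.Key) is still held by $Retiring."
    }
}

# Clients locate DCs through these SRV records; each remaining DC needs one.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV |
    Where-Object { $_.NameTarget } |
    ForEach-Object { $_.NameTarget.TrimEnd('.') }
foreach ($dc in $others) {
    if ($srv -notcontains $dc.HostName) {
        $problems += "$($dc.HostName) has no DC locator SRV record in DNS."
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { "No blocking condition found for demoting $Retiring." }
```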



    • #3
      Re: Removing Windows 2012 DC

      Thank you Ossian for your prompt reply.

      I have been following the articles on petri.co.il for a few years for Windows issues. I am wondering whether you will cover an article that deals with complex issues so that we can learn from you?

      Besides the hardware issue, we have files that randomly get wrong permissions assigned to them. For example, as a domain user, I added a new file on the Win2012 DC. When I try to access it again, it shows that I have no permission. When I checked as a domain admin, the file is accessible to domain admin only.

      So if I were to promote Win2008r2, will this issue be replicated across?



      • #4
        Re: Removing Windows 2012 DC

        Oh, the functional level for both domain and forest is still at Windows 2003.

        I am also concerned about removing the primary DC; will it cause problems?
        How do I deal with the issue of the change in DC IP address?

        The last time I did the DC migration from 2008r2 to 2012, there was a DNS propagation issue. Users were complaining that they had issues accessing network shares, and this lasted for a week. I had to manually add the DNS into their IPv4 settings.
        Last edited by climws; 28th January 2014, 05:14. Reason: more info



        • #5
          Re: Removing Windows 2012 DC

          Did you demote the other DCs when you installed the new 2012 server?



          • #6
            Re: Removing Windows 2012 DC

            Also for your information, we do not have any VMware and bare metal backup solutions.

            When I issue netdom query fsmo, it points everything to the current Windows 2012. What I did the last round was that I migrated Windows Standard 2008r2 (DC) to Windows Standard 2012 as the new PDC. Then I had the old DC demoted.

            This main DC server is mainly used for File Sharing, DHCP, DNS, AD, DC. The other servers are used for File Sharing and are joined to the same domain.

            We do not have any redundant DC yet. Only one is running now. Of course, after we fix this Windows 2012, we will make the Windows 2008r2 the redundant DC.

            I believe the tricky part will be DNS related. The last time, DNS was not propagated to the whole domain for 3 days after installing. I had to add the DNS IP address manually to each PC in the domain. Very troublesome. Is there a way for me to prevent the same thing from happening again?
            Last edited by climws; 28th January 2014, 18:30.



            • #7
              Re: Removing Windows 2012 DC

              Originally posted by climws:
              Also for your information, we do not have any VMware and bare metal backup solutions.

              When I issue netdom query fsmo, it points everything to the current Windows 2012. What I did the last round was that I migrated Windows Standard 2008r2 (DC) to Windows Standard 2012 as the new PDC. Then I had the old DC demoted.

              This main DC server is mainly used for File Sharing, DHCP, DNS, AD, DC. The other servers are used for File Sharing and are joined to the same domain.

              We do not have any redundant DC yet. Only one is running now. Of course, after we fix this Windows 2012, we will make the Windows 2008r2 the redundant DC.

              I believe the tricky part will be DNS related. The last time, DNS was not propagated to the whole domain for 3 days after installing. I had to add the DNS IP address manually to each PC in the domain. Very troublesome. Is there a way for me to prevent the same thing from happening again?

              Easiest thing to do would be as Tom has mentioned.

              You will need to update your DHCP server to reflect the new DNS servers.

              Personally I've never had an issue with DNS in a domain environment.



              • #8
                Re: Removing Windows 2012 DC

                Originally posted by climws:

                I believe the tricky part will be DNS related. The last time, DNS was not propagated to the whole domain for 3 days after installing. I had to add the DNS IP address manually to each PC in the domain. Very troublesome. Is there a way for me to prevent the same thing from happening again?

                If DNS addresses are being supplied by DHCP, nothing will happen until clients attempt to renew their lease - 50% of lease age IIRC

                Good practice before any major change is to reduce lease times to say 1 hour a long time in advance
                Tom Jones


                • #9
                  Re: Removing Windows 2012 DC

                  Originally posted by Ossian:
                  If DNS addresses are being supplied by DHCP, nothing will happen until clients attempt to renew their lease - 50% of lease age IIRC

                  Good practice before any major change is to reduce lease times to say 1 hour a long time in advance

                  FWIW:
                  Windows 7 changes this - the presence of a DHCP server is checked every time the computer starts and the client will attempt to renew the lease.

                  If a DHCP server cannot be found, the client pings the gateway address. If the ping is successful the client continues to use the configured address until the lease is 50% expired after which it attempts to contact a DHCP server.

                  If the gateway ping is not successful the client assumes it is on another network and the APIPA address kicks in.
                  A recent poll suggests that 6 out of 7 dwarfs are not happy
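
The lease timing discussed in the two posts above can be read off the DHCP server before a DNS change. This is an added example, not part of the original thread; it assumes the DhcpServer module on the Windows Server 2012 DHCP server, and `192.0.2.10` is a placeholder for the new DNS server address.

```powershell
# Added example. Assumptions: run on the Windows Server 2012 DHCP server
# (DhcpServer module); 192.0.2.10 is a placeholder for the new DNS server.
Import-Module DhcpServer
$NewDns   = '192.0.2.10'
$NewLease = New-TimeSpan -Hours 1      # the "say 1 hour" from the post above

# DHCP servers authorised in Active Directory; a domain-joined DHCP server
# that is not authorised will not lease addresses.
Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize

# Option 6 (DNS servers) at server level applies where a scope sets no value.
$serverDns = (Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue).Value

foreach ($scope in Get-DhcpServerv4Scope) {
    $dns = (Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue).Value
    if (-not $dns) { $dns = $serverDns }
    "{0}: lease {1}, DNS servers {2}" -f $scope.ScopeId, $scope.LeaseDuration, ($dns -join ', ')
    if ($dns -notcontains $NewDns) {
        Write-Warning "$($scope.ScopeId) does not hand out $NewDns yet."
    }

    # Renewal happens at 50% of the lease: renewal time = expiry - duration / 2
    # (assumes each lease was granted with the scope's current duration).
    $half = [TimeSpan]::FromSeconds($scope.LeaseDuration.TotalSeconds / 2)
    $last = Get-DhcpServerv4Lease -ScopeId $scope.ScopeId |
        Where-Object { $_.AddressState -like 'Active*' -and $_.LeaseExpiryTime } |
        ForEach-Object { $_.LeaseExpiryTime - $half } |
        Sort-Object | Select-Object -Last 1
    "  last running client renews, and sees changed options, by: $last"

    # Shorten the lease ahead of the change. -WhatIf only previews the change;
    # remove it to apply. Clients get the short lease at their next renewal.
    Set-DhcpServerv4Scope -ScopeId $scope.ScopeId -LeaseDuration $NewLease -WhatIf
}
```

With the Windows default lease of 8 days, the renewal point is 4 days out, which is why the shorter lease has to be in place well before the DNS change.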



                  • #10
                    Re: Removing Windows 2012 DC

                    Thank you Blood for the extra Information.

                    Following Ossian and wullieb1's thread, I have already:

                    1) Promoted the Windows 2008 to a DC with DHCP, DNS set. I didn't promote Windows 2008r2 because it is running some critical application and I cannot touch it for a week.

                    2) Transferred the FSMO from 2012 to 2008.

                    3) Left the forest and domain level at 2003.

                    4) Also made a backup of the files and folders of 2012.

                    Come tomorrow, the last 2 things to do are to:

                    5) Demote 2012 DC

                    6) Fix, reformat 2012 and promote it back to PDC.

                    I have another concern.

                    Actually the 2nd reason to redo the 2012 server is that the domain users complained that there are permission issues on some folders and files. When I checked the ownership, it was listed as unknown. When I checked the permission, it was set to 'Domain Admins' and 'Administrators'. Even though I had logged in as domain administrator, I cannot open the folder or copy the files (permission denied).
                    Now my question is, since I have backed up the files and folders to a Synology NAS, if I were to copy them back to the redone Windows 2012, will this issue get fixed?

                    I have backed up using the FreeFileSync open-source software.
                    Last edited by climws; 30th January 2014, 17:25. Reason: More information



                    • #11
                      Re: Removing Windows 2012 DC

                      Okay the files are not affected.

                      But I have a bigger problem.

                      After following Ossian's suggestion, everything seemed smooth, but I guess we might have some old replication issue.

                      Now my domain PCs cannot get a DHCP IP and are also unable to get DNS. What do I need to provide you guys to help me with this issue?



                      • #12
                        Re: Removing Windows 2012 DC

                        IPCONFIG/ALL from the new DC and from a problem client will be a good start

                        Also confirm DHCP is authorised in Active Directory
                        Tom Jones


                        • #13
                          Re: Removing Windows 2012 DC

                          Originally posted by Ossian:
                          IPCONFIG/ALL from the new DC and from a problem client will be a good start

                          Also confirm DHCP is authorised in Active Directory

                          The ipconfig for the domain PC shows it cannot get an IP address,
                          169.254.x.x

                          The DHCP is authorized in the DHCP role. I have tried to unauthorize and reauthorize.
                          Nothing works.

                          I didn't promote the win2012 back to DC because I want to solve this old problem first.

                          What I have done as a temporary measure is to give all workstations a fixed IP and DNS, but my bosses are using laptops and they travel to client places, so I can't do that for them.



                          • #14
                            Re: Removing Windows 2012 DC

                            Still need an IPCONFIG/ALL from the DC

                            Is the DHCP service running?

                            For your travelling clients, an "alternative configuration" would work, so DHCP first, then a "proper" IP address when it can't get one.

                            IMHO do get the 2012 DC up and running, make it a DHCP server and see if that works - the present one is temporary so don't put much effort into fixing it
                            Tom Jones


                            • #15
                              Re: Removing Windows 2012 DC

                              Originally posted by Ossian:
                              Still need an IPCONFIG/ALL from the DC

                              Is the DHCP service running?

                              For your travelling clients, an "alternative configuration" would work, so DHCP first, then a "proper" IP address when it can't get one.

                              IMHO do get the 2012 DC up and running, make it a DHCP server and see if that works - the present one is temporary so don't put much effort into fixing it

                              My current DC is set to static IP with static DNS. When I changed it to DHCP mode, I lost the connection and currently cannot access it. It is night time here in Asia, so I have to do it tomorrow.

                              =========================================
                              When I try to promote the 2012 server, I get the following

                              The authorization of DHCP server failed with Error Code: 20070. The DHCP service could not contact Active Directory.

                              Failed to open registry key on target computer to set the status of post configuration task. Error: WinRM cannot process the request. The following errorcode 0x80090311 occurred while using kerberos authentication: There are currently no logon servers available to service the logon request.

                              Verification of replica failed. An Active Directory domain controller for the domain could not be contacted.
