Posted by Meinolf Weber [MVP-DS] on January 1, 2009, 11:28 am
Hello markm75g,
Make all DCs Global Catalog servers and also use AD-integrated zones for
DNS. Hopefully the old certificates from the no longer existing CA will
not create a problem. To make sure you have no problems, run the diagnostic
tools replmon from the run line or repadmin /showrepl, dcdiag and netdiag
from the command prompt on the old machine to check for errors; if you have
some, post the complete output from the command here or solve them first.
For these tools you have to install the support\tools\suptools.msi from the
2003 installation disk.
2008 includes repadmin and dcdiag. For netdiag you can copy the version from
the 2003 support tools to 2008; it also runs there.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello markm75g,
>>
>> Again, please WAIT before starting anything new until we hopefully get
>> the domain fixed to the running state it had before the demotion of the
>> DC/CA started.
>>
>> Just to get this right: apart from the CA on the DC, there was NOT
>> another application running on one of them???
>>
>> If I read some FAQ from DPM 2007, it should be possible to restore
>> an entire server. So check the product documentation if you did the
>> correct backup for this.
>>
>> If it is only the VM file, you will run into USN rollback, because the
>> saved file of the demoted DC of course is older than the running DC.
>>
>> What you can try for this case is to restore the VM, hopefully not
>> that old compared to the actual state. Then shut down the running DC VM
>> and start up the restored VM, so that only ONE DC is running, the one
>> with the old status including the CA. Then you can start a test with
>> the domain members to see if every service/application/CA is running
>> as expected.
>>
>> If everything works, you have to recreate all
>> accounts/groups/policies etc. to an actual state, and have to rejoin all
>> computers to the domain again when they are not listed in ADUC, to
>> get AD back to the actual date. Then you have to clean up the AD database
>> from ALL other DCs listed there. Then you should be able to start
>> again with the installation of 2008 and go on again.
>>
>> For the CA I am not an expert, so BEFORE starting let someone in the
>> microsoft.public.windows.server.security NG read/check this posting
>> about restoring a CA on a DC from a backup done with DPM 2007 on a VM.
>> I will crosspost this there.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> "Meinolf Weber [MVP-DS]" wrote:
>>>
>>>> Hello markm75g,
>>>>
>>>> If it is now a member server you can leave it in the domain. You
>>>> should never seize FSMO roles if the DC which holds them is still
>>>> online. It would be nice if you had mentioned before that you also
>>>> have a CA installed on the now demoted DC. Upgrading and changing/removing
>>>> DCs should be well planned and if possible also tested before. And
>>>> it should not be done under time pressure you set yourself.
>>>>
>>>> Do you have an actual system state backup from the demoted DC?
>>>>
>>>> Best regards
>>>>
>>> I had been using DPM 2007 to do the backups of the virtual servers,
>>> but from what I'm seeing it didn't capture the system state.. are you
>>> familiar with DPM? In the future would I be better actually
>>> installing a DPM client on the virtual server and backing up system
>>> state in this manner? I believe if I were to restore the VM via the
>>> DPM console, it would restore it, but due to the whole AD
>>> restoration from an image issue, it would do me no good.
>>>
>>> This 2008 box, which was formerly a DC, should I NOT ever use that
>>> box as a DC again, but leave the DHCP and DNS on that box for now, and
>>> plan on moving those roles to the new VSDCA box?
>>>
>>> Ultimately I'll move all 5 roles onto our one lightweight box, once
>>> I upgrade it from 2003 to 2008 (would I not enable GC on that box,
>>> per the infrastructure rule?).
>>>
>>> For now I'm going to create this new 2008 VM, called VSDCA.. I'll
>>> move the DNS and DHCP services over to it, then do a dcpromo on it,
>>> then do a demotion on the only existing VSDC02 box, I think this is
>>> right.
>>>
>>> Unfortunately I'm a one man band on our network with some time
>>> restrictions, which I know is not best practice :) Fortunately most
>>> of the users are out today and we have a small domain of about 30
>>> users.
>>>
> I guess that is true, I probably could have done the USN rollback, as
> yes, it did restore the whole VM when I first tried it.
>
> At this point I think I'm ok actually.
>
> As I had transferred the roles over to my other DC..
>
> Even though the upgrade to 2008 was failing on VSDC02, I just went
> ahead and created two fresh boxes that were 2008, calling them VSDCA
> and VSDCB and dcpromo'ing both of these.
>
> Since only one main app was affected by the CA thing, I just created a
> new CA on VSDCA.. I requested a new cert via the Communication VM and
> it is fine now.
>
> I also created a DNS on VSDCA and VSDCB and DHCP I recreated on VSDCA
> (it was formerly on VSDC01, which was demoted and is now offline).
>
> So at this point i have the following:
>
> VSDCA - 2008 server/ CA/ DC/ All 5 roles (not a GC) / DHCP/ DNS
>
> VSDCB - 2008 server/DC/GC/ DNS
>
> VSDC02 - 2003 server, DC/GC
>
> I think the only thing left to do is demote VSDC02, at which
> point I'll have everything at 2008 level and since there will be no
> 2003 DCs, it can be native.
>
> *Down the road I will take your advice and make one physical machine a
> DC, with all 5 roles (not a GC).. the only thing was, I was planning
> on making this physical machine a MOM machine, as I figured MOM was
> best suited on a physical machine, but I don't think MOM and DC mix, I
> may have to adjust this plan.
>
> Thanks again for the help
>
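The reply above asks for the complete output of repadmin /showrepl, dcdiag and netdiag before anything else is changed. The following PowerShell script is an added example, not part of the thread and not a Microsoft tool: it runs those diagnostics on the DC it is started on, saves each tool's full output to a timestamped folder so it can be posted unedited, and prints a short count of lines that look like failures. It assumes an elevated PowerShell session on a DC where repadmin.exe and dcdiag.exe are on the PATH (built in on 2008, Support Tools on 2003); netdiag is treated as optional because it only exists where the 2003 Support Tools version was copied over. The failure patterns ("failed test", "failed, result", "[FATAL]", "[WARNING]") are assumptions about the tools' text output, so the saved files, not the counts, are the authoritative record.

```powershell
# Added example (not from the thread): collect repadmin/dcdiag/netdiag output
# from this DC and summarise obvious failures before posting the full files.
# Assumes an elevated PowerShell session on a domain controller.
$OutDir = Join-Path $env:TEMP ("dc-health-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $OutDir | Out-Null

# Tools named in the thread. dcdiag is run in full so nothing is filtered out
# of the file that gets posted; repadmin /showrepl is the replication link view.
$Commands = @{
    'repadmin-showrepl.txt' = { repadmin /showrepl }
    'dcdiag.txt'            = { dcdiag }
}
# netdiag is only present if the 2003 Support Tools copy was placed on the box.
if (Get-Command netdiag.exe -ErrorAction SilentlyContinue) {
    $Commands['netdiag.txt'] = { netdiag }
}

$Summary = foreach ($Name in $Commands.Keys) {
    $File = Join-Path $OutDir $Name
    # Capture stdout and stderr together so error text is not lost.
    & $Commands[$Name] 2>&1 | Out-File -FilePath $File -Encoding ascii
    $Lines = @(Get-Content $File)

    # Assumed output patterns: repadmin reports a broken link as
    # "... failed, result <code>"; dcdiag reports "... failed test <Name>";
    # netdiag flags problems with "[FATAL]" / "[WARNING]".
    $Hits = @($Lines | Select-String -Pattern 'failed test|failed, result|\[FATAL\]|\[WARNING\]')

    # Echo each suspicious line to the warning stream so it stands out on screen.
    $Hits | ForEach-Object { Write-Warning ("{0}: {1}" -f $Name, $_.Line.Trim()) }

    [pscustomobject]@{
        Tool     = $Name
        Lines    = $Lines.Count
        Problems = $Hits.Count
        File     = $File
    }
}

$Summary | Format-Table -AutoSize
Write-Host "Full output saved under $OutDir - post these files unedited if Problems is non-zero."
```

Run it on each DC in turn (the thread's advice is to start with the old machine); a zero in the Problems column is not proof of health, since the patterns are approximate, so the saved files are what should be read or posted.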