question about setting up a new domain controller
-
@scottalanmiller said in question about setting up a new domain controller:
Hey, Microsoft support disagrees with the matrix and says that it DOES work.
Why am I not surprised that Microsoft's own documentation can't make up its mind?
-
@tim_g said in question about setting up a new domain controller:
Exchange 2010 is the old style Exchange, so it makes perfect sense it wouldn't work with Server 2016.
It doesn't make any sense at all as the AD is supposed to be absolutely identical regardless of the OS version it is running on. If the OS version changes anything as far as support, AD isn't stable and their versioning is broken.
-
@scottalanmiller said in question about setting up a new domain controller:
Hey, Microsoft support disagrees with the matrix and says that it DOES work.
Yeah, I can have Exchange 2016 with 2008 R2 domain controllers, but I can NOT have 2016 domain controllers with an Exchange 2010 SP3 server
-
I see, having Server 2016 is fine, however, Domain functional level can't be.
-
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
The main thing I'm wondering about is if I can simply set up the new 2012 R2 server, promote it to domain controller, and then one by one point my servers and all the other statically mapped systems to it, without experiencing any disruptions.
You can have all three, or more, running at once, no disruptions. The only thing that gets repointed, static or dynamic, is the DNS settings, not the AD ones. DNS handles AD transparently.
I don't understand..
AD DCs run in clusters. You can have as many as you like, they are one single pool. So you can add as many as you want, and they all get used, live.
You never point to AD. There is no setting for that on Windows. The clients request AD information from DNS, DNS points them to the AD DC that is best for them at the time (or just round robin.)
ok. Let me explain my reasoning a bit better since I am clearly not doing a good job.
DC1: 10.0.0.9
DC2: 10.0.0.10
New DC: 10.0.0.11
Right now, ALL my static mapped servers, printers and appliances point to 10.0.0.9 as primary DNS and 10.0.0.10 as secondary. If I am introducing a new DC that will eventually REPLACE DC1, then I need to REPLACE all entries that look at 10.0.0.9. Does that make sense? That's what I'm worried about, that I don't miss anything or mess something up during the span of time that I am making the change.
That agrees with what I said. It's the DNS entries that you are changing. That the DNS runs on the same servers as AD DC is coincidental. It's normal and the right thing to do, but it's not a requirement nor actually relevant here. It feels like it's tightly connected, but it just feels that way because of the coincidental deployment.
You don't actually need to replace the 10.0.0.9 entries for things to work. You'll lose DNS round robin redundancy, but things will still work. If you added 10.0.0.11 and didn't remove 10.0.0.9 things would work, and have redundancy. You should remove 10.0.0.9, but it would work if you didn't.
But the important piece here is that you are only talking about a DNS change, not an AD change, at this point. This is purely "how do I replace one DNS server with another."
-
At least according to that linked reply.
I'd play it safe though, breaking Exchange sucks.
Find out 100% first.
-
I might just open a case with Microsoft and have help with this. I've asked about this about 10 different times over 2017 (just to mull it over) and every time I get a huge mix of seemingly contradicting information/advice. This is why I haven't done anything yet.
-
@tim_g said in question about setting up a new domain controller:
I see, having Server 2016 is fine, however, Domain functional level can't be.
Right, which is all that we were ever discussing. We were never saying he should raise the functional level, only install the current OS. Since he is going to have a mix of servers for a while, raising the functional level isn't even an option.
-
@dave247 said in question about setting up a new domain controller:
I might just open a case with Microsoft and have help with this. I've asked about this about 10 different times over 2017 (just to mull it over) and every time I get a huge mix of seemingly contradicting information/advice. This is why I haven't done anything yet.
How would that help? MS doesn't know. MS aren't the experts on Windows.
-
@tim_g said in question about setting up a new domain controller:
Find out 100% first.
Only a lab can tell you that.
-
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
The main thing I'm wondering about is if I can simply set up the new 2012 R2 server, promote it to domain controller, and then one by one point my servers and all the other statically mapped systems to it, without experiencing any disruptions.
You can have all three, or more, running at once, no disruptions. The only thing that gets repointed, static or dynamic, is the DNS settings, not the AD ones. DNS handles AD transparently.
I don't understand..
AD DCs run in clusters. You can have as many as you like, they are one single pool. So you can add as many as you want, and they all get used, live.
You never point to AD. There is no setting for that on Windows. The clients request AD information from DNS, DNS points them to the AD DC that is best for them at the time (or just round robin.)
ok. Let me explain my reasoning a bit better since I am clearly not doing a good job.
DC1: 10.0.0.9
DC2: 10.0.0.10
New DC: 10.0.0.11
Right now, ALL my static mapped servers, printers and appliances point to 10.0.0.9 as primary DNS and 10.0.0.10 as secondary. If I am introducing a new DC that will eventually REPLACE DC1, then I need to REPLACE all entries that look at 10.0.0.9. Does that make sense? That's what I'm worried about, that I don't miss anything or mess something up during the span of time that I am making the change.
That agrees with what I said. It's the DNS entries that you are changing. That the DNS runs on the same servers as AD DC is coincidental. It's normal and the right thing to do, but it's not a requirement nor actually relevant here. It feels like it's tightly connected, but it just feels that way because of the coincidental deployment.
You don't actually need to replace the 10.0.0.9 entries for things to work. You'll lose DNS round robin redundancy, but things will still work. If you added 10.0.0.11 and didn't remove 10.0.0.9 things would work, and have redundancy. You should remove 10.0.0.9, but it would work if you didn't.
But the important piece here is that you are only talking about a DNS change, not an AD change, at this point. This is purely "how do I replace one DNS server with another."
but... when 10.0.0.9 goes away, it will stop working.
-
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
I might just open a case with Microsoft and have help with this. I've asked about this about 10 different times over 2017 (just to mull it over) and every time I get a huge mix of seemingly contradicting information/advice. This is why I haven't done anything yet.
How would that help? MS doesn't know. MS aren't the experts on Windows.
What??
-
@scottalanmiller said in question about setting up a new domain controller:
@tim_g said in question about setting up a new domain controller:
Find out 100% first.
Only a lab can tell you that.
yeah I do have a lab that I wanted to try all this in first.. I guess I will go ahead and do that.
-
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
I might just open a case with Microsoft and have help with this. I've asked about this about 10 different times over 2017 (just to mull it over) and every time I get a huge mix of seemingly contradicting information/advice. This is why I haven't done anything yet.
How would that help? MS doesn't know. MS aren't the experts on Windows.
What??
Bottom line, MS isn't an IT company, they are a software company. They can't even document this issue internally - they literally don't know the answer here. MS Support is famously incompetent - but they give you your money back if they can't do anything. But that's their mode of operation, charge you when the work was easy, refund your money so you don't sue them if they can't support their own stuff (which is really common.) MS is famous for not having a good ability to provide support for their own products, that's why internal MS support teams in companies are so important. That's your only line of reliable support.
This is one of the reasons that MS products have such a poor reputation at enterprise level; there is no reliable vendor support behind them. Their products are decent, but their support is somewhere between a joke and "doesn't exist."
-
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
The main thing I'm wondering about is if I can simply set up the new 2012 R2 server, promote it to domain controller, and then one by one point my servers and all the other statically mapped systems to it, without experiencing any disruptions.
You can have all three, or more, running at once, no disruptions. The only thing that gets repointed, static or dynamic, is the DNS settings, not the AD ones. DNS handles AD transparently.
I don't understand..
AD DCs run in clusters. You can have as many as you like, they are one single pool. So you can add as many as you want, and they all get used, live.
You never point to AD. There is no setting for that on Windows. The clients request AD information from DNS, DNS points them to the AD DC that is best for them at the time (or just round robin.)
ok. Let me explain my reasoning a bit better since I am clearly not doing a good job.
DC1: 10.0.0.9
DC2: 10.0.0.10
New DC: 10.0.0.11
Right now, ALL my static mapped servers, printers and appliances point to 10.0.0.9 as primary DNS and 10.0.0.10 as secondary. If I am introducing a new DC that will eventually REPLACE DC1, then I need to REPLACE all entries that look at 10.0.0.9. Does that make sense? That's what I'm worried about, that I don't miss anything or mess something up during the span of time that I am making the change.
That agrees with what I said. It's the DNS entries that you are changing. That the DNS runs on the same servers as AD DC is coincidental. It's normal and the right thing to do, but it's not a requirement nor actually relevant here. It feels like it's tightly connected, but it just feels that way because of the coincidental deployment.
You don't actually need to replace the 10.0.0.9 entries for things to work. You'll lose DNS round robin redundancy, but things will still work. If you added 10.0.0.11 and didn't remove 10.0.0.9 things would work, and have redundancy. You should remove 10.0.0.9, but it would work if you didn't.
But the important piece here is that you are only talking about a DNS change, not an AD change, at this point. This is purely "how do I replace one DNS server with another."
but... when 10.0.0.9 goes away, it will stop working.
No, it won't. That was my point, it would keep working. DNS has protections from that. If 10.0.0.10 went away as well, only then would it stop working.
-
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
The main thing I'm wondering about is if I can simply set up the new 2012 R2 server, promote it to domain controller, and then one by one point my servers and all the other statically mapped systems to it, without experiencing any disruptions.
You can have all three, or more, running at once, no disruptions. The only thing that gets repointed, static or dynamic, is the DNS settings, not the AD ones. DNS handles AD transparently.
I don't understand..
AD DCs run in clusters. You can have as many as you like, they are one single pool. So you can add as many as you want, and they all get used, live.
You never point to AD. There is no setting for that on Windows. The clients request AD information from DNS, DNS points them to the AD DC that is best for them at the time (or just round robin.)
ok. Let me explain my reasoning a bit better since I am clearly not doing a good job.
DC1: 10.0.0.9
DC2: 10.0.0.10
New DC: 10.0.0.11
Right now, ALL my static mapped servers, printers and appliances point to 10.0.0.9 as primary DNS and 10.0.0.10 as secondary. If I am introducing a new DC that will eventually REPLACE DC1, then I need to REPLACE all entries that look at 10.0.0.9. Does that make sense? That's what I'm worried about, that I don't miss anything or mess something up during the span of time that I am making the change.
That agrees with what I said. It's the DNS entries that you are changing. That the DNS runs on the same servers as AD DC is coincidental. It's normal and the right thing to do, but it's not a requirement nor actually relevant here. It feels like it's tightly connected, but it just feels that way because of the coincidental deployment.
You don't actually need to replace the 10.0.0.9 entries for things to work. You'll lose DNS round robin redundancy, but things will still work. If you added 10.0.0.11 and didn't remove 10.0.0.9 things would work, and have redundancy. You should remove 10.0.0.9, but it would work if you didn't.
But the important piece here is that you are only talking about a DNS change, not an AD change, at this point. This is purely "how do I replace one DNS server with another."
but... when 10.0.0.9 goes away, it will stop working.
No, it won't. That was my point, it would keep working. DNS has protections from that. If 10.0.0.10 went away as well, only then would it stop working.
How?? If 10.0.0.9 is OFFLINE then things looking to it will not resolve unless they have 10.0.0.10 as secondary.
-
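The exchange above (clients locate DCs through DNS SRV records, and the migration is really "replace one DNS server address with another") can be checked rather than argued. The script below is an added example, not code from anyone in this thread. It assumes a hypothetical domain name corp.example.local, the three addresses from the thread (10.0.0.9 old DC, 10.0.0.10 surviving DC, 10.0.0.11 new DC), a hypothetical list of statically configured Windows servers reachable over PowerShell remoting, and RSAT on the admin workstation. It shows where clients get the DC list from, audits which servers still reference 10.0.0.9, swaps that address for 10.0.0.11 while keeping 10.0.0.10 so every host keeps two resolvers throughout, and verifies resolution afterwards.

```powershell
# Added example (not from the thread). Assumed values: domain corp.example.local,
# old DC/DNS 10.0.0.9, surviving DC 10.0.0.10, new DC 10.0.0.11, and a hypothetical
# list of server names with static IP configuration. Run from an admin workstation.
$Domain  = 'corp.example.local'
$OldDns  = '10.0.0.9'
$KeepDns = '10.0.0.10'
$NewDns  = '10.0.0.11'
$Servers = @('fs01', 'print01', 'app01')   # hypothetical hostnames

# 1. How clients actually find DCs: the _ldap._tcp.dc._msdcs SRV records in DNS.
#    Every DC registers itself there, so a newly promoted DC shows up without any
#    client-side "point to AD" setting. Ask the surviving DC's DNS directly.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $KeepDns |
    Where-Object Type -eq 'SRV' |
    Select-Object NameTarget, Priority, Weight, Port

# 2. Confirm the DC locator picks the new DC as a valid candidate before repointing anyone.
nltest /dsgetdc:$Domain /force

# 3. Audit: which managed servers still list the old address on any IPv4 interface?
$audit = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $old = $using:OldDns
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains $old } |
        Select-Object InterfaceAlias, InterfaceIndex, ServerAddresses
}
$audit | Format-Table PSComputerName, InterfaceAlias, ServerAddresses -AutoSize

# 4. Repoint: replace 10.0.0.9 with 10.0.0.11 in place, preserving order and keeping
#    10.0.0.10, so no host is ever left with a single resolver during the change.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    $old = $using:OldDns
    $new = $using:NewDns
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains $old } |
        ForEach-Object {
            $iface = $_
            $updated = $iface.ServerAddresses | ForEach-Object { if ($_ -eq $old) { $new } else { $_ } }
            Set-DnsClientServerAddress -InterfaceIndex $iface.InterfaceIndex -ServerAddresses $updated
        }
}

# 5. Verify from each server that DC discovery still works with the old address gone.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    $domain = $using:Domain
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' |
        Select-Object -ExpandProperty NameTarget
}
```

Step 3 only reaches Windows hosts; printers and appliances that hold 10.0.0.9 in their own static config have to be audited through their management interfaces (or by watching for queries to 10.0.0.9 in the old server's DNS debug log before it is switched off). Re-run the Invoke-Command in step 4 with -WhatIf on Set-DnsClientServerAddress first, and do not decommission the old DC by simply powering it off: demote it properly so its own SRV and A records are removed, otherwise the locator can keep handing clients a DC that no longer exists.
-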
It specifically mentions Functional Level:
-
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
I might just open a case with Microsoft and have help with this. I've asked about this about 10 different times over 2017 (just to mull it over) and every time I get a huge mix of seemingly contradicting information/advice. This is why I haven't done anything yet.
How would that help? MS doesn't know. MS aren't the experts on Windows.
What??
Bottom line, MS isn't an IT company, they are a software company. They can't even document this issue internally - they literally don't know the answer here. MS Support is famously incompetent - but they give you your money back if they can't do anything. But that's their mode of operation, charge you when the work was easy, refund your money so you don't sue them if they can't support their own stuff (which is really common.) MS is famous for not having a good ability to provide support for their own products, that's why internal MS support teams in companies are so important. That's your only line of reliable support.
This is one of the reasons that MS products have such a poor reputation at enterprise level; there is no reliable vendor support behind them. Their products are decent, but their support is somewhere between a joke and "doesn't exist."
Right but I've opened about 5 support tickets with them and they've helped solve my issues all but one of those times. And I got a refund. Eventually figured out the issue and it wasn't even MS related.
-
That table talks about communication, that Exchange 2010 cannot communicate with 2016 AD servers.
But that other linked comment contradicts this... so who knows.
-
Another conflicting post.
The PFEs recommend going by that chart, I would too. Just consider this a sunk cost of not keeping your Exchange environment up to date.