question about setting up a new domain controller
-
I might just open a case with Microsoft and have help with this. I've asked about this about 10 different times over 2017 (just to mull it over) and every time I get a huge mix of seemingly contradicting information/advice. This is why I haven't done anything yet.
-
@tim_g said in question about setting up a new domain controller:
I see, having Server 2016 is fine, however, Domain functional level can't be.
Right, which is all that we were ever discussing. We were never saying he should raise the functional level, only install the current OS. Since he is going to have a mix of servers for a while, raising the functional level isn't even an option.
-
@dave247 said in question about setting up a new domain controller:
I might just open a case with Microsoft and have help with this. I've asked about this about 10 different times over 2017 (just to mull it over) and every time I get a huge mix of seemingly contradicting information/advice. This is why I haven't done anything yet.
How would that help? MS doesn't know. MS aren't the experts on Windows.
-
@tim_g said in question about setting up a new domain controller:
Find out 100% first.
Only a lab can tell you that.
-
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
The main thing I'm wondering about is if I can simply set up the new 2012 R2 server, promote it to domain controller, and then one by one point my servers and all the other statically mapped systems to it, without experiencing any disruptions.
You can have all three, or more, running at once, no disruptions. The only thing that gets repointed, static or dynamic, is the DNS settings, not the AD ones. DNS handles AD transparently.
I don't understand..
AD DCs run in clusters. You can have as many as you like, they are one single pool. So you can add as many as you want, and they all get used, live.
You never point to AD. There is no setting for that on Windows. The clients request AD information from DNS, DNS points them to the AD DC that is best for them at the time (or just round robin.)
ok. Let me explain my reasoning a bit better since I am clearly not doing a good job.
DC1: 10.0.0.9
DC2: 10.0.0.10
New DC: 10.0.0.11
Right now, ALL my static mapped servers, printers and appliances point to 10.0.0.9 as primary DNS and 10.0.0.10 as secondary. If I am introducing a new DC that will eventually REPLACE DC1, then I need to REPLACE all entries that look at 10.0.0.9. Does that make sense? That's what I'm worried about, that I don't miss anything or mess something up during the span of time that I am making the change.
That agrees with what I said. It's the DNS entries that you are changing. That the DNS runs on the same servers as AD DC is coincidental. It's normal and the right thing to do, but it's not a requirement nor actually relevant here. It feels like it's tightly connected, but it just feels that way because of the coincidental deployment.
You don't actually need to replace the 10.0.0.9 entries for things to work. You'll lose DNS round robin redundancy, but things will still work. If you added 10.0.0.11 and didn't remove 10.0.0.9 things would work, and have redundancy. You should remove 10.0.0.9, but it would work if you didn't.
But the important piece here is that you are only talking about a DNS change, not an AD change, at this point. This is purely "how do I replace one DNS server with another."
but... when 10.0.0.9 goes away, it will stop working.
-
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
I might just open a case with Microsoft and have help with this. I've asked about this about 10 different times over 2017 (just to mull it over) and every time I get a huge mix of seemingly contradicting information/advice. This is why I haven't done anything yet.
How would that help? MS doesn't know. MS aren't the experts on Windows.
What? ?
-
@scottalanmiller said in question about setting up a new domain controller:
@tim_g said in question about setting up a new domain controller:
Find out 100% first.
Only a lab can tell you that.
yeah I do have a lab that I wanted to try all this in first.. I guess I will go ahead and do that.
-
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
I might just open a case with Microsoft and have help with this. I've asked about this about 10 different times over 2017 (just to mull it over) and every time I get a huge mix of seemingly contradicting information/advice. This is why I haven't done anything yet.
How would that help? MS doesn't know. MS aren't the experts on Windows.
What? ?
Bottom line, MS isn't an IT company, they are a software company. They can't even document this issue internally - they literally don't know the answer here. MS Support is famously incompetent - but they give you your money back if they can't do anything. But that's their mode of operation, charge you when the work was easy, refund your money so you don't sue them if they can't support their own stuff (which is really common.) MS is famous for not having a good ability to provide support for their own products, that's why internal MS support teams in companies are so important. That's your only line of reliable support.
This is one of the reasons that MS products have such a poor reputation at enterprise level; there is no reliable vendor support behind them. Their products are decent, but their support is somewhere between a joke and "doesn't exist."
-
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
The main thing I'm wondering about is if I can simply set up the new 2012 R2 server, promote it to domain controller, and then one by one point my servers and all the other statically mapped systems to it, without experiencing any disruptions.
You can have all three, or more, running at once, no disruptions. The only thing that gets repointed, static or dynamic, is the DNS settings, not the AD ones. DNS handles AD transparently.
I don't understand..
AD DCs run in clusters. You can have as many as you like, they are one single pool. So you can add as many as you want, and they all get used, live.
You never point to AD. There is no setting for that on Windows. The clients request AD information from DNS, DNS points them to the AD DC that is best for them at the time (or just round robin.)
ok. Let me explain my reasoning a bit better since I am clearly not doing a good job.
DC1: 10.0.0.9
DC2: 10.0.0.10
New DC: 10.0.0.11
Right now, ALL my static mapped servers, printers and appliances point to 10.0.0.9 as primary DNS and 10.0.0.10 as secondary. If I am introducing a new DC that will eventually REPLACE DC1, then I need to REPLACE all entries that look at 10.0.0.9. Does that make sense? That's what I'm worried about, that I don't miss anything or mess something up during the span of time that I am making the change.
That agrees with what I said. It's the DNS entries that you are changing. That the DNS runs on the same servers as AD DC is coincidental. It's normal and the right thing to do, but it's not a requirement nor actually relevant here. It feels like it's tightly connected, but it just feels that way because of the coincidental deployment.
You don't actually need to replace the 10.0.0.9 entries for things to work. You'll lose DNS round robin redundancy, but things will still work. If you added 10.0.0.11 and didn't remove 10.0.0.9 things would work, and have redundancy. You should remove 10.0.0.9, but it would work if you didn't.
But the important piece here is that you are only talking about a DNS change, not an AD change, at this point. This is purely "how do I replace one DNS server with another."
but... when 10.0.0.9 goes away, it will stop working.
No, it won't. That was my point, it would keep working. DNS has protections from that. If 10.0.0.10 went away as well, only then would it stop working.
-
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
The main thing I'm wondering about is if I can simply set up the new 2012 R2 server, promote it to domain controller, and then one by one point my servers and all the other statically mapped systems to it, without experiencing any disruptions.
You can have all three, or more, running at once, no disruptions. The only thing that gets repointed, static or dynamic, is the DNS settings, not the AD ones. DNS handles AD transparently.
I don't understand..
AD DCs run in clusters. You can have as many as you like, they are one single pool. So you can add as many as you want, and they all get used, live.
You never point to AD. There is no setting for that on Windows. The clients request AD information from DNS, DNS points them to the AD DC that is best for them at the time (or just round robin.)
ok. Let me explain my reasoning a bit better since I am clearly not doing a good job.
DC1: 10.0.0.9
DC2: 10.0.0.10
New DC: 10.0.0.11
Right now, ALL my static mapped servers, printers and appliances point to 10.0.0.9 as primary DNS and 10.0.0.10 as secondary. If I am introducing a new DC that will eventually REPLACE DC1, then I need to REPLACE all entries that look at 10.0.0.9. Does that make sense? That's what I'm worried about, that I don't miss anything or mess something up during the span of time that I am making the change.
That agrees with what I said. It's the DNS entries that you are changing. That the DNS runs on the same servers as AD DC is coincidental. It's normal and the right thing to do, but it's not a requirement nor actually relevant here. It feels like it's tightly connected, but it just feels that way because of the coincidental deployment.
You don't actually need to replace the 10.0.0.9 entries for things to work. You'll lose DNS round robin redundancy, but things will still work. If you added 10.0.0.11 and didn't remove 10.0.0.9 things would work, and have redundancy. You should remove 10.0.0.9, but it would work if you didn't.
But the important piece here is that you are only talking about a DNS change, not an AD change, at this point. This is purely "how do I replace one DNS server with another."
but... when 10.0.0.9 goes away, it will stop working.
No, it won't. That was my point, it would keep working. DNS has protections from that. If 10.0.0.10 went away as well, only then would it stop working.
How?? If 10.0.0.9 is OFFLINE then things looking to it will not resolve unless they have 10.0.0.10 as secondary.
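The exchange above boils down to two checks an admin would actually run before retiring the old DC: confirm that DC location happens through DNS SRV records (so nothing "points at AD"), and find every statically configured host that still lists 10.0.0.9 so it can be swapped for 10.0.0.11 while 10.0.0.10 stays in place as the fallback. The PowerShell below is an added example, not code from anyone in this thread. It uses the thread's addresses; the domain name `example.local` and the server list are placeholders, and `Invoke-Command` assumes WinRM is enabled on the targets.

```powershell
# Added example, not from the thread. Addresses follow the thread: 10.0.0.9 is
# the DC/DNS being retired, 10.0.0.10 stays, 10.0.0.11 is the new DC.
# $Domain and $Servers are placeholders for the reader's own environment.
$OldDns  = '10.0.0.9'
$KeepDns = '10.0.0.10'
$NewDns  = '10.0.0.11'
$Domain  = 'example.local'                            # placeholder domain
$Servers = @('app01', 'print01', 'fileserver01')      # constructed host list

# 1. Clients find DCs through the _ldap._tcp.dc._msdcs SRV records that every DC
#    registers; after promotion the new DC should be listed here. There is no
#    per-client "AD server" setting to repoint, only the resolver addresses.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# 2. Audit: which hosts still carry the old resolver, on which interface, and in
#    what order. Hosts with only 10.0.0.9 and no secondary are the real risk.
$Audit = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Interface = $_.InterfaceAlias
                Servers   = $_.ServerAddresses -join ','
                UsesOld   = ($_.ServerAddresses -contains $using:OldDns)
                NoBackup  = ($_.ServerAddresses.Count -lt 2)
            }
        }
}
$Audit | Format-Table Computer, Interface, Servers, UsesOld, NoBackup -AutoSize

# 3. Rewrite: replace the old address in place and keep the existing order, so
#    each host has two working resolvers for the whole span of the change.
foreach ($row in ($Audit | Where-Object UsesOld)) {
    $updated = ($row.Servers -split ',') |
        ForEach-Object { if ($_ -eq $OldDns) { $NewDns } else { $_ } }
    $iface = $row.Interface
    Invoke-Command -ComputerName $row.Computer -ScriptBlock {
        Set-DnsClientServerAddress -InterfaceAlias $using:iface `
                                   -ServerAddresses $using:updated
    }
}

# 4. Prove the fallback path before the old DC is powered off: each remaining
#    resolver must answer for the domain on its own.
foreach ($dns in @($KeepDns, $NewDns)) {
    $answer = Resolve-DnsName -Name $Domain -Server $dns -ErrorAction SilentlyContinue
    '{0}: {1}' -f $dns, $(if ($answer) { 'answers' } else { 'NO ANSWER' })
}
```

Run steps 1, 2 and 4 first and leave step 3 until the new DC shows up in the SRV output; the `NoBackup` column is the list of hosts that would actually lose resolution when 10.0.0.9 goes away, which is the case the thread is arguing about.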
-
It specifically mentions Functional Level:
-
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
I might just open a case with Microsoft and have help with this. I've asked about this about 10 different times over 2017 (just to mull it over) and every time I get a huge mix of seemingly contradicting information/advice. This is why I haven't done anything yet.
How would that help? MS doesn't know. MS aren't the experts on Windows.
What? ?
Bottom line, MS isn't an IT company, they are a software company. They can't even document this issue internally - they literally don't know the answer here. MS Support is famously incompetent - but they give you your money back if they can't do anything. But that's their mode of operation, charge you when the work was easy, refund your money so you don't sue them if they can't support their own stuff (which is really common.) MS is famous for not having a good ability to provide support for their own products, that's why internal MS support teams in companies are so important. That's your only line of reliable support.
This is one of the reasons that MS products have such a poor reputation at enterprise level; there is no reliable vendor support behind them. Their products are decent, but their support is somewhere between a joke and "doesn't exist."
Right but I've opened about 5 support tickets with them and they've helped solve my issues all but one of those times. And I got a refund. Eventually figured out the issue and it wasn't even MS related.
-
That table talks about communication, that Exchange 2010 cannot communicate to 2016 AD servers.
But that other linked comment contradicts this... so who knows.
-
Another conflicting post.
The PFEs recommend going by that chart, I would too. Just consider this a sunk cost of not keeping your Exchange environment up to date.
-
Just keep in mind Exchange 2010 support is over, and 2012 is soon over.
You may want to rethink this whole thing.
Personally, I'd migrate to O365, then upgrade DCs to 2016 with 2012 functional level (for now).
If you'd be on O365, you'd never have to worry about upgrading Exchange again.
-
Someone else, as I stated in my previous post, has 2016 DCs and they are working:
https://community.spiceworks.com/topic/1882796-exchange-is-crashing-our-domain-controller
-
@tim_g said in question about setting up a new domain controller:
Just keep in mind Exchange 2010 support is over, and 2012 is soon over.
You may want to rethink this whole thing.
Personally, I'd migrate to O365, then upgrade DCs to 2016 with 2012 functional level (for now).
If you'd be on O365, you'd never have to worry about upgrading Exchange again.
My original plan was to deploy a new on-site, virtual Exchange 2016 server. Then afterwards, I was going to replace the old 2008 R2 DCs with 2016 DCs.
Maybe I will re-consider O365 though.
-
@dave247 said in question about setting up a new domain controller:
@tim_g said in question about setting up a new domain controller:
Just keep in mind Exchange 2010 support is over, and 2012 is soon over.
You may want to rethink this whole thing.
Personally, I'd migrate to O365, then upgrade DCs to 2016 with 2012 functional level (for now).
If you'd be on O365, you'd never have to worry about upgrading Exchange again.
My original plan was to deploy a new on-site, virtual Exchange 2016 server. Then afterwards, I was going to replace the old 2008 R2 DCs with 2016 DCs.
Maybe I will re-consider O365 though.
O365 should be the only thing considered (for Exchange) unless you have a blocking issue. Onsite is fine, if there is a reason that you can't be hosted. But if you can be hosted, you should be hosted (as are web servers, DNS, etc.) It's a commodity service that can't be done in house on par with lower cost hosted services. It's all about scale with commodity services.
If you are going to run Exchange in house, it needs to be maintained. Honestly, if I was in a company running Exchange 2010 today, I'd take that as a sign that they can't afford or manage to properly handle the needs of running Exchange and move to something else. Doesn't matter if it is a lack of money, skill, or just political problems - something is causing Exchange to not be able to be maintained and indicates that Exchange isn't a good choice for the environment.
But in any case, your plans are to either move to proper hosted, or a properly updated on premises. Whatever you are going to do, do it before making other changes because you are going to be forced to make other compromises to maintain the outdated on premises Exchange in the interim.
-
@scottalanmiller said in question about setting up a new domain controller:
@dave247 said in question about setting up a new domain controller:
@tim_g said in question about setting up a new domain controller:
Just keep in mind Exchange 2010 support is over, and 2012 is soon over.
You may want to rethink this whole thing.
Personally, I'd migrate to O365, then upgrade DCs to 2016 with 2012 functional level (for now).
If you'd be on O365, you'd never have to worry about upgrading Exchange again.
My original plan was to deploy a new on-site, virtual Exchange 2016 server. Then afterwards, I was going to replace the old 2008 R2 DCs with 2016 DCs.
Maybe I will re-consider O365 though.
O365 should be the only thing considered (for Exchange) unless you have a blocking issue. Onsite is fine, if there is a reason that you can't be hosted. But if you can be hosted, you should be hosted (as are web servers, DNS, etc.) It's a commodity service that can't be done in house on par with lower cost hosted services. It's all about scale with commodity services.
If you are going to run Exchange in house, it needs to be maintained. Honestly, if I was in a company running Exchange 2010 today, I'd take that as a sign that they can't afford or manage to properly handle the needs of running Exchange and move to something else. Doesn't matter if it is a lack of money, skill, or just political problems - something is causing Exchange to not be able to be maintained and indicates that Exchange isn't a good choice for the environment.
But in any case, your plans are to either move to proper hosted, or a properly updated on premises. Whatever you are going to do, do it before making other changes because you are going to be forced to make other compromises to maintain the outdated on premises Exchange in the interim.
Well I've gone back and forth on this a few times, not sure what to do. We have fiber internet, but we are out in the country and at least 3 times a year it goes out because something somewhere cuts a fiber line. We have a lot of users that send emails internally to other departments, like a lot. So having that channel of communication up is very important. Currently, we have a lot of services on-site which can sometimes slow internet.
I don't mind having Exchange on-site and I would kind of prefer it because it gives me a chance to learn all about it. We also have a 3rd party hosted application which is for spam filtering and email archiving, plus I have great backups. So there would be minimal risk involved, I think..
That being said, I would still do what's best for the company, which is to probably go O365 for Exchange, as well as our other Office products. We are still on 2010 Standard!! It will probably come down to cost though. Not my decision.
-
@dave247 said in question about setting up a new domain controller:
Well I've gone back and forth on this a few times, not sure what to do. We have fiber internet, but we are out in the country and at least 3 times a year it goes out because something somewhere cuts a fiber line. We have a lot of users that send emails internally to other departments, like a lot.
Keep in mind that if your fiber is cut, users can still work from home, work from phones, work from a backup ISP, work from a branch office, etc. if you use hosted; but lose all of these things if you go internal only.