Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier)
-
Where I work, we have about 30 servers, 70 workstations, 20 printers, and several networking appliances and other apps and devices that look to our primary and secondary domain controllers. Everything except the 70 workstations has statically mapped IP addresses.
Our primary DC, which holds the FSMO roles, is pushing 10 years old. I want to replace both of our DCs with 2016 DCs. The main issue here is that (aside from updating the DC info in the DHCP scope) I am going to have to go around and MANUALLY point everything to the new DCs' addresses. It seems like a huge pain in the butt to have to potentially do this every time a DC is replaced, and I have heard that DCs are commonly replaced (at least more often than we have done it where I work).
I was wondering, is there an easier way to do this, such as to put all the domain controllers behind a name-space or address pool or something? So like, all machines would point to 10.0.0.15 and sitting behind that IP would be 10.0.0.20 (DC1) and 10.0.0.21 (DC2). So in this way, it would be much easier to swap out domain controllers while always keeping things looking at the 10.0.0.15 IP. Basically it would just be a pointer.. Is that a thing?
-
This is what DHCP is for. In a typical environment you have to update almost nothing when replacing a DC.
-
For machines where you have set things to be static, you have a couple of options. A really common one is to not give new IP addresses for new DCs, but to have new DCs use the IP addresses of the old ones. In that case, nothing changes anywhere.
Or you can use a state management system like Salt or Ansible and then the static DNS entries on your statically assigned machines can be updated in an automated way very easily.
Or you can script the update and it would only take a few seconds anyway. Just loop through the server names and update their DNS that way.
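A scripted version of that "loop through the server names and update their DNS" idea, as an added example that is not from the thread. It uses WMI rather than the newer NetTCPIP cmdlets so it also works against 2008 R2-era hosts; the old/new DC addresses and the servers.txt file are assumed placeholders.

```powershell
# Added example, not from the original post. Rewrites the static DNS client
# list on each server, swapping old DC addresses for new ones and leaving any
# other entries (and their order) untouched. Run as a domain admin from a
# management host with WMI/RPC access to the targets.
# Placeholders: the addresses below and .\servers.txt (one hostname per line).
$oldToNew = @{
    '10.0.0.20' = '10.0.0.30'   # old DC1 -> new DC1 (assumed addresses)
    '10.0.0.21' = '10.0.0.31'   # old DC2 -> new DC2
}
$servers = Get-Content .\servers.txt
$dryRun  = $true                  # first pass only reports; set to $false to apply

foreach ($server in $servers) {
    try {
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                    -ComputerName $server -Filter 'IPEnabled = True' -ErrorAction Stop
    } catch {
        Write-Warning "$server : WMI query failed ($($_.Exception.Message))"
        continue
    }

    foreach ($nic in $nics) {
        # Null here means the DNS servers come from DHCP; nothing to edit.
        if (-not $nic.DNSServerSearchOrder) { continue }
        $current = @($nic.DNSServerSearchOrder)

        $new = @($current | ForEach-Object {
            if ($oldToNew.ContainsKey($_)) { $oldToNew[$_] } else { $_ }
        })
        # Order-sensitive comparison: skip hosts that reference no old DC address.
        if (($current -join ',') -eq ($new -join ',')) { continue }

        Write-Host ("{0} [{1}]: {2} -> {3}" -f $server, $nic.Description,
                    ($current -join ','), ($new -join ','))
        if (-not $dryRun) {
            $result = $nic.SetDNSServerSearchOrder([string[]]$new)
            if ($result.ReturnValue -ne 0) {
                Write-Warning "$server : SetDNSServerSearchOrder returned $($result.ReturnValue)"
            }
        }
    }
}
```

Leave $dryRun at $true for the first run and read the report; only apply once the new DCs are promoted, replicating and answering DNS queries. The DCs' own NICs (each pointing at the other DC first and itself second) are the one set worth doing by hand rather than in the loop.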
-
@scottalanmiller said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
This is what DHCP is for. In a typical environment you have to update almost nothing when replacing a DC.
To expand upon this, use DHCP reservations on almost anything, printers, servers, switches (if able), etc.
Use static IPs on:
DNS servers
DHCP servers
Firewalls
AD servers
VM hosts
-
@scottalanmiller said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
This is what DHCP is for. In a typical environment you have to update almost nothing when replacing a DC.
So would you typically put your servers on DHCP reservation? Also, I thought you once told me about the very thing I am asking about in my OP.. I just forgot the details
-
@dave247 said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
@scottalanmiller said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
This is what DHCP is for. In a typical environment you have to update almost nothing when replacing a DC.
So would you typically put your servers on DHCP reservation? Also, I thought you once told me about the very thing I am asking about in my OP.. I just forgot the details
Typically, yes, DHCP Reservations are ideal. The power of static but with central control. I'm fine with static when they make sense, but DHCP gives you a lot of important flexibility.
-
@dashrender said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
Use static IPs on:
DNS servers
DHCP servers
AD servers
These are typically all on one server (or one per site), so not as many servers as it sounds like.
Also, random AD file servers are all DHCP reservations, not static. Just because it has a role does not mean it is an AD server that needs a static IP.
-
Seriously, very little of anything needs to be a static IP.
Almost everything works on DNS. Even SQL servers. No one has an app that connects to SQL by IP. They use DNS names.
-
@jaredbusch said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
Seriously, very little of anything needs to be a static IP.
Almost everything works on DNS. Even SQL servers. No one has an app that connects to SQL by IP. They use DNS names.
Basically, in a normal network, you can have your default gateway be static and nothing else.
-
So basically, what I should do, is swap as much of my manual static to DHCP reservation that I possibly can. Then I can update DNS in the DHCP scope and all should be well... sounds like a good plan.
-
@dave247 said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
So basically, what I should do, is swap as much of my manual static to DHCP reservation that I possibly can. Then I can update DNS in the DHCP scope and all should be well... sounds like a good plan.
Correct. This will make things easier and easier over time.
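The plan above (static hosts moved to reservations, DNS servers changed once in the scope) in PowerShell, as an added example that is not from the thread. It assumes a Windows DHCP server running 2012 or newer (the DhcpServer module); the server name, scope, MAC addresses and IPs are placeholders.

```powershell
# Added example, not from the original post. Converts statically addressed hosts
# to DHCP reservations that keep the address they already have, then sets the
# scope's DNS server option (006) so every client and reservation learns the
# new DCs at its next renewal. All names and addresses are placeholders.
Import-Module DhcpServer

$dhcpServer = 'dc2.corp.example'        # assumed DHCP server
$scopeId    = '10.0.0.0'                # assumed scope
$newDns     = @('10.0.0.30', '10.0.0.31')   # assumed new DC addresses

# Constructed sample data: hosts to convert. The MAC is what binds the
# reservation; collect it with 'getmac /s <host>' or from the switch.
$hosts = @(
    @{ Name = 'print-01'; IP = '10.0.0.50'; Mac = '00-11-22-33-44-55' },
    @{ Name = 'files-01'; IP = '10.0.0.60'; Mac = '00-11-22-33-44-66' }
)

foreach ($h in $hosts) {
    $existing = Get-DhcpServerv4Reservation -ComputerName $dhcpServer `
                    -IPAddress $h.IP -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "$($h.Name): reservation for $($h.IP) already exists (client $($existing.ClientId)), skipping"
        continue
    }
    Add-DhcpServerv4Reservation -ComputerName $dhcpServer -ScopeId $scopeId `
        -IPAddress $h.IP -ClientId $h.Mac -Name $h.Name -Description 'converted from static'
}

# Scope option 006. The cmdlet checks that the DNS servers answer; add -Force
# if the new DCs are not serving DNS yet.
Set-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scopeId -DnsServer $newDns

# Verify: what clients will be told, and what is reserved.
Get-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scopeId -OptionId 6 |
    Select-Object -ExpandProperty Value
Get-DhcpServerv4Reservation -ComputerName $dhcpServer -ScopeId $scopeId |
    Format-Table Name, IPAddress, ClientId, Description
```

The reservation is harmless until the host's NIC is switched from static to DHCP, so convert a device, flip it, and confirm with ipconfig that it came back with the reserved address before moving on. The reserved address has to sit inside the scope's subnet; if it is inside the active distribution range, the reservation is also what stops the server from leasing it to anyone else.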
-
One last question... and I plan to look into reservation tomorrow.. but what happens with the reservations in the event that the DHCP server goes down and, say, is unrecoverable? I mean, sure it would be trivial to fire up a new server, but you'd still have all the reservations to rebuild, unless they were exported as backup and then you could import or something.. and this is worst-case. DHCP would probably never go down, except for that one time....
-
@dave247 said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
One last question... and I plan to look into reservation tomorrow.. but what happens with the reservations in the event that the DHCP server goes down and, say, is unrecoverable? I mean, sure it would be trivial to fire up a new server, but you'd still have all the reservations to rebuild, unless they were exported as backup and then you could import or something.. and this is worst-case. DHCP would probably never go down, except for that one time....
I assume you have a Windows 2012 R2 or newer AD server that is your DHCP server? If so, you can make a secondary.
If not, with any version back even to Server 2003, you can export your scope and reimport it on a new server.
-
@dave247 said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
One last question... and I plan to look into reservation tomorrow.. but what happens with the reservations in the event that the DHCP server goes down and, say, is unrecoverable? I mean, sure it would be trivial to fire up a new server, but you'd still have all the reservations to rebuild, unless they were exported as backup and then you could import or something.. and this is worst-case. DHCP would probably never go down, except for that one time....
DHCP Reservations are like normal DHCP Leases, so if you have them for, say 48 hours, you will likely have quite some time before things start to lose their leases. You have several choices...
- Have failover DHCP so that you are not dependent on a single one.
- Recreate everything by hand, for even 100 machines, this is trivial amounts of work as long as you document it.
- Take a backup and restore.
- Set the reservations programmatically, like through a script or state system.
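The "export and reimport" route from the reply above and the backup/failover options in this list, as one added example that is not from the thread. It assumes Windows Server 2012 or newer on the side running the cmdlets (the DhcpServer module, and DHCP failover, exist from 2012 on); server names, paths and the shared secret are placeholders, and the netsh lines in comments are the pre-2012 equivalents.

```powershell
# Added example, not from the original post. Three ways to keep DHCP scopes,
# options and reservations recoverable. Names, paths and the secret are placeholders.
Import-Module DhcpServer

$old    = 'dc1.corp.example'   # assumed current DHCP server
$new    = 'dc2.corp.example'   # assumed replacement: DHCP role installed and authorized in AD
$export = "\\backup\dhcp\dhcp-$old-$(Get-Date -Format yyyyMMdd).xml"

# 1) Full export: scopes, options, reservations and (with -Leases) current leases.
#    Schedule this and a dead server can be rebuilt from the file.
#    Pre-2012: netsh dhcp server \\$old export C:\dhcp.txt all
Export-DhcpServer -ComputerName $old -File $export -Leases -Force

# 2) Restore or migrate onto the new server. -BackupPath is mandatory: the cmdlet
#    backs up $new's own configuration there before importing, so a bad import
#    can be rolled back.
#    Pre-2012: netsh dhcp server \\$new import C:\dhcp.txt all
Import-DhcpServer -ComputerName $new -File $export -Leases `
    -BackupPath 'C:\dhcp-import-backup' -Force

# 3) Once both servers run 2012 or newer, pair them so leases and reservations
#    replicate continuously instead of through a file. Hot standby here: $new is
#    active, $old takes over if $new stops responding. The scope must exist only
#    on the server this runs against; failover creates it on the partner.
Add-DhcpServerv4Failover -ComputerName $new -PartnerServer $old -Name 'corp-dhcp' `
    -ScopeId 10.0.0.0 -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime 01:00:00 -AutoStateTransition $true -StateSwitchInterval 00:30:00 `
    -SharedSecret 'use-a-long-random-secret' -Force

# Verify the relationship and that the reservations made the trip.
Get-DhcpServerv4Failover -ComputerName $new | Format-List Name, PartnerServer, Mode, State
Get-DhcpServerv4Reservation -ComputerName $old -ScopeId 10.0.0.0 |
    Measure-Object | Select-Object -ExpandProperty Count
```

Step 1 on its own covers the "exported as backup" worry in the question: the XML file is the reservation list, so keeping a dated copy with the rest of the backups turns a lost DHCP server into a role install plus one import. The service also keeps its own automatic backup copy under %SystemRoot%\System32\dhcp\backup on the server itself, which is no help when that server is the thing that is gone.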
-
@jaredbusch said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
@dave247 said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
One last question... and I plan to look into reservation tomorrow.. but what happens with the reservations in the event that the DHCP server goes down and, say, is unrecoverable? I mean, sure it would be trivial to fire up a new server, but you'd still have all the reservations to rebuild, unless they were exported as backup and then you could import or something.. and this is worst-case. DHCP would probably never go down, except for that one time....
I assume you have a Windows 2012 R2 or newer AD server that is your DHCP server? If so, you can make a secondary.
If not, with any version back even to Server 2003, you can export your scope and reimport it on a new server.
2008 R2. But, what I will probably do is set up the new 2016 DC and then move DHCP role to that and set up the reservations and things. Then, when the time is right, I will point everything from old DC to new DC
-
@scottalanmiller said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
@dave247 said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
One last question... and I plan to look into reservation tomorrow.. but what happens with the reservations in the event that the DHCP server goes down and, say, is unrecoverable? I mean, sure it would be trivial to fire up a new server, but you'd still have all the reservations to rebuild, unless they were exported as backup and then you could import or something.. and this is worst-case. DHCP would probably never go down, except for that one time....
DHCP Reservations are like normal DHCP Leases, so if you have them for, say 48 hours, you will likely have quite some time before things start to lose their leases. You have several choices...
- Have failover DHCP so that you are not dependent on a single one.
- Recreate everything by hand, for even 100 machines, this is trivial amounts of work as long as you document it.
- Take a backup and restore.
- Set the reservations programmatically, like through a script or state system.
nice, thanks!
-
@dave247 said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
@jaredbusch said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
@dave247 said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
One last question... and I plan to look into reservation tomorrow.. but what happens with the reservations in the event that the DHCP server goes down and, say, is unrecoverable? I mean, sure it would be trivial to fire up a new server, but you'd still have all the reservations to rebuild, unless they were exported as backup and then you could import or something.. and this is worst-case. DHCP would probably never go down, except for that one time....
I assume you have a Windows 2012 R2 or newer AD server that is your DHCP server? If so, you can make a secondary.
If not, with any version back even to Server 2003, you can export your scope and reimport it on a new server.
2008 R2. But, what I will probably do is set up the new 2016 DC and then move DHCP role to that and set up the reservations and things. Then, when the time is right, I will point everything from old DC to new DC
Don't forget those 2016 CALs (inside joke for those that saw the guy freak out about having to get CALs when updating Windows today.)
-
@scottalanmiller said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
- Have failover DHCP so that you are not dependent on a single once.
Until he moves to 2016 he cannot have it "automagic" inside Windows Server. But he can manually have a backup made.
-
@scottalanmiller said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
@dave247 said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
@jaredbusch said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
@dave247 said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
One last question... and I plan to look into reservation tomorrow.. but what happens with the reservations in the event that the DHCP server goes down and, say, is unrecoverable? I mean, sure it would be trivial to fire up a new server, but you'd still have all the reservations to rebuild, unless they were exported as backup and then you could import or something.. and this is worst-case. DHCP would probably never go down, except for that one time....
I assume you have a Windows 2012 R2 or newer AD server that is your DHCP server? If so, you can make a secondary.
If not, with any version back even to Server 2003, you can export your scope and reimport it on a new server.
2008 R2. But, what I will probably do is set up the new 2016 DC and then move DHCP role to that and set up the reservations and things. Then, when the time is right, I will point everything from old DC to new DC
Don't forget those 2016 CALs (inside joke for those that saw the guy freak out about having to get CALs when updating Windows today.)
Oh for sure. I already have them set up in our budget (thanks to help I got from you guys on here)
-
@scottalanmiller said in Using name-spaces or address pools for domain controllers? (things to make replacing DC's easier):
DHCP Reservations are like normal DHCP Leases, so if you have them for, say 48 hours, you will likely have quite some time before things start to lose their leases. You have several choices...
I typically set my lease time to 8 hours. I want things to break during the business day whenever possible.
Machines should renew every 4 hours with that setting. So if shit hits the fan, someone should fail to renew before you go home and clue you in to an issue.