Mon 8 Oct 2007
How To: Change a Domain Controller IP address: Multi-DCs
Posted by Robert under Domain Controllers, HowTo, Networking. 20 Comments
First, reference back to my first post on Domain Controller IP/Subnet changes. The nice thing about changing IP addresses on DCs in a larger environment, is that it’s actually easier. I have to keep this one quick for now, but will expand based on comments, which you all seem pretty good at leaving (and thank you!). Please, PLEASE refer back to the first post – this one is only an expansion on that one.
- Same as before: why are you changing IPs? In larger environments, I do this because of a physical move of just one site. If the networking team doesn’t have the new subnet up and routing, don’t start!
- Make sure the new site (if required) is set up in AD. If I’m moving DCs from one physical location to another, I will build a new site, rather than re-using the old one, because the new site often has better connectivity, so the site link costs are changing.
- Add the new IP to the DC you’re moving (DC01 for this). Same as before: don’t remove the old one, just add the new.
- On DC01, do the following to verify registration worked:
ipconfig /registerdns
Wait a few minutes.
nslookup
server DC01
set type=A
DC01.foobar.local
foobar.local
server DC02
DC01.foobar.local
foobar.local
The answers from DC01 and DC02 should be the same, possibly in a different order. The important thing is that both the new IP address and the old IP address show up for both queries on both servers.
- Shut down DC01, pack it up and move it. (Or just plug it into the new network.)
- Boot up, verify that DC01 has network connectivity, and that other systems can see that it has the new IP.
- If you haven’t already, make the new IP primary (change the order in Network settings), and make sure the DNS and WINS servers are correct and reachable (remember that Windows 2003 DNS should point to itself).
- Once you’ve verified that AD is replicating across sites properly (up to 15 minutes in my experience), remove the old IP, run ipconfig /registerdns, and reboot.
- When it comes back up, re-verify that AD is still replicating, and you should be set.
I would point out that when doing a change this big to your environment, reviewing your AD replication, DNS forwarding, and WINS topology is a good idea.
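The nslookup check above can be scripted so it is run the same way against every DC before the move. This is an added example, not code from the original post: it queries each listed DC's DNS server for the host A record and the zone-root A record that a DC registers, and fails if either server is missing the old or the new address. The names, zone and addresses (DC01/DC02, foobar.local, 10.1.0.10 old, 10.2.0.10 new) are assumed placeholders, and Resolve-DnsName needs the Windows 8 / Server 2012 or later DNS client.

```powershell
# Added example, not from the original post. Assumed placeholders: DC01/DC02,
# zone foobar.local, old IP 10.1.0.10, new IP 10.2.0.10. Needs Resolve-DnsName
# (Windows 8 / Server 2012 or later DNS client).
$HostName   = 'DC01.foobar.local'
$Zone       = 'foobar.local'                 # DCs also register a zone-root A record
$Expected   = @('10.1.0.10', '10.2.0.10')    # old and new IP: both must be present
$DnsServers = @('DC01.foobar.local', 'DC02.foobar.local')

function Test-DcRegistration {
    param(
        [string]$Name, [string[]]$Servers, [string[]]$ExpectedIPs,
        [switch]$AllowOtherAddresses   # the zone root also lists the other DCs' IPs
    )
    $allOk = $true
    foreach ($srv in $Servers) {
        try {
            # -DnsOnly skips LLMNR/NetBIOS so the answer really comes from $srv
            $answers = @(Resolve-DnsName -Name $Name -Type A -Server $srv -DnsOnly -ErrorAction Stop |
                         Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        } catch {
            Write-Warning "$srv : query for $Name failed: $($_.Exception.Message)"
            $allOk = $false
            continue
        }
        $missing = @($ExpectedIPs | Where-Object { $_ -notin $answers })
        $extra   = @($answers     | Where-Object { $_ -notin $ExpectedIPs })
        if ($missing) {
            Write-Warning "$srv : $Name is missing $($missing -join ', ')"
            $allOk = $false
        } elseif ($extra -and -not $AllowOtherAddresses) {
            # an address nobody should own any more: a stale record to clean up
            Write-Warning "$srv : $Name also answers $($extra -join ', ') (stale record?)"
            $allOk = $false
        } else {
            Write-Host "$srv : $Name -> $($answers -join ', ') OK"
        }
    }
    return $allOk
}

$hostOk = Test-DcRegistration -Name $HostName -Servers $DnsServers -ExpectedIPs $Expected
$zoneOk = Test-DcRegistration -Name $Zone     -Servers $DnsServers -ExpectedIPs $Expected -AllowOtherAddresses
if ($hostOk -and $zoneOk) {
    Write-Host 'Both addresses are registered on every server; safe to move DC01.'
} else {
    Write-Error 'DNS registration incomplete: do not shut down DC01 yet.'
}
```

Run it again after the old IP is removed with only the new address in $Expected; a warning about a stale address at that point is the record to clean up before clients are pointed at the new subnet.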
July 2nd, 2008 at 10:04 am
I have read this article as well as the previous for Changing a DC’s IP address. I love the methodology of adding in before deleting. Two questions (for Now):
I am moving from a class C to a class B structure. The reverse lookup is asking for three octets rather than two. I assume this is because it is set up as class C right now. So how do I set up the reverse zone for class B?
Second- My AD sites and services never had any ranges under subnets. I added the new (no problem) but there won’t be any to delete. Is this a problem and will I need to make other changes?
July 2nd, 2008 at 1:22 pm
Answering in reverse: Having nothing to delete won’t be a problem *now*. But you should always have every network (with AD-joined systems) in your environment in AD Sites and Services, even if it’s assigned to a site that has no DC.
Moving your structure – I hope you mean that in the “Class B” structure (172.16.0.0/16 for example), you’re still going to be using 24-bitmasked networks (172.16.1.0/24) for each of the networks. Putting 65534 hosts in a single broadcast domain will cripple your network responsiveness.
For the reverse-lookup zones in DNS, I actually just fill in only 1 or 2 of the 3 boxes in your case. If you leave the 3rd octet blank when you create the reverse zone, it’ll create a zone (16.172.in-addr.arpa for example), and clients who register with the server will force the sub-domains (1.16.172.in-addr.arpa) to be automatically created underneath the top level zone, so that the PTR records can be created.
July 15th, 2008 at 6:13 am
Hi Robert
The information above works very well. I tested it about 5 times using two DCs in VMware.
I did notice however that for some reason the reservations I had in the old scope I made inactive would not lease from the scope until the old reservation is actually deleted. Is it normal for the clients to still try and lease the reserved IP even if that scope is inactive? Or do I have to delete all the reservations?
Lastly, I would like to know if you could give some advice as to how I can go about changing the ip of an exchange 2003 server, since our whole subnet is changing?
Thanks for the help, Robert.
Cheers
July 16th, 2008 at 10:16 am
Karl,
Exchange 2000 and 2003 are 100% DNS based applications. Changes of DC addresses are difficult because of the requirements to register so many records in DNS, but Exchange only registers the host name in DNS, and all requests to that server are based on that single “A” record. Therefore, to change an Exchange server IP, just stop the Exchange services, change the IP, run “ipconfig /registerdns” and restart the Exchange services, once you’ve verified you can ping the server by name at the new IP.
Pretty simple!
July 17th, 2008 at 1:10 am
Hi
I have another stupid question that has only become an issue now, since the previous admin can’t remember the local admin password on all our servers.
Can I change the IPs by logging in as myself onto the domain, since I am a domain admin already?
Thanks
July 17th, 2008 at 10:18 am
Anyone who has administrative access to the server can change the IP. On a DC, this, by default, is the Domain Admins group, and also in a default Windows network, the members of “Domain Admins” are administrators on all computers in the domain, so yes, this will work great. I never log in to a computer as “Administrator”, preferring to leave a trail of what I did as myself for auditing purposes.
July 22nd, 2008 at 3:05 am
I have done the switchover and all is fine, but I would like to know if I can manually delete all the A records and PTR records that are referencing the old IP range? Or is it advisable to enable scavenging?
July 23rd, 2008 at 10:29 am
Hi Robert,
Thank you for the articles. I have read both articles and I think I understand but I am not sure. I am changing my subnet as noted in the first article and for the same reasons as you gave. I have two dcs and both are moving to the new subnet along with all the computers. No physical locations are changing. Should I follow the steps for both DCs as noted in the first article?
July 23rd, 2008 at 9:41 pm
Hi Paul,
If you’re just changing subnets, and not moving DCs to a different subnet in the routed network, then the only trick is to make sure that at all times, each DC can ping the other one by name. If they can’t, they’ll fail to connect, and you have the possibility (in your case small, but there) of them never reconnecting when you get them back up and running.
I recall it being against MS Best Practices to have Windows 2003 DCs using anything other than themselves for primary DNS in an AD-integrated DNS environment (if they’re DNS servers), but in this case it’s sometimes helpful to cross-point one of the 2 at the other temporarily.
July 24th, 2008 at 3:23 pm
Thanks Robert,
Hope I have this straight. Article 1 steps 4-5 detail changes to the DNS and AD. I assume this needs to be done in either case. 14-17 are housekeeping steps. Other than that both articles seem to detail the same thing. I guess where my disconnect is, is whether these steps (4-5, 14-17) are required in the case of a multi-DC environment like mine, or only one where you are changing one of the DCs to a different subnet in a routed network? Or do you not need to do this, and is this what you were referring to when you said it is easier to make this change in this type of environment? I guess it can’t hurt to make these changes in either case?
July 28th, 2008 at 8:13 pm
The cleanup steps are required in a place where you’re removing the old subnet. In my personal experience, removing an old subnet is one of the primary reasons for changing the IP of a DC. If your business is keeping the old subnet, what is the driving motivation to changing the DC address, rather than just adding a new routed subnet to the network, and adding the new subnet to the existing site in AD?
If you need a DC in the new subnet, it’s safe to say that the new subnet is in a new AD site (A site is a network connected to other networks by slow links). If that’s the case, don’t you still need a DC in the old site, and wouldn’t it therefore be better to build a new DC entirely?
So you’re correct – don’t perform the cleanup steps to *AD* if you’re leaving clients in those subnets, but you DEFINITELY want to remove the unused IP addresses from the DC, so that it doesn’t register those IP addresses in DNS, and send clients to an address that doesn’t exist. On that note, I also don’t suggest DCs with multiple bound IPs – buy networking equipment to handle networking and routing, and let your servers and hosts do serving and hosting.
July 29th, 2008 at 5:45 am
Hi Robert
If a client on a network leases an IP and it expires while the client is away, the server will eventually lease it to another client. If the user that leased it in the first place plugs back into the network, will they then get a conflict, since the server has already leased it to another client?
July 30th, 2008 at 10:14 pm
When the client comes back, they’ll remember the last lease (or few, depending on OS) they held (the last one period, whether a coffee shop, or home, or work) for that network card. The client will send a broadcast request to have that IP address again. If the request is invalid for the network, or has been handed out on the network, the DHCP server will send a “DHCPNACK” to the client, and the client will have to do a complete request cycle before an address will be assigned to the adapter.
Some newer OSes will also, if DHCP fails completely, attempt to bind the last leased address to the card and test that configuration, to see if they *happen* to be in the last network, and the DHCP server just *happens* to be down. This is a feature, and not part of the DHCP RFC as I last read it.
August 14th, 2008 at 4:38 am
My server is running 4 roles (DC, DNS, proxy, web). Recently I faced one problem: when hosts connect to any website, it displays “authentication required”. Please tell me the solution.
August 14th, 2008 at 5:06 pm
Likely the proxy server is failing to authenticate your users, but without knowing the proxy product in use, it’s nearly impossible to troubleshoot remotely. However, give us a call or email from the contact page, and we’ll try to help you out!
August 18th, 2008 at 10:56 pm
How can I format a DC without making any change to the domain host infrastructure?
August 21st, 2008 at 11:04 pm
If you want to remove a DC (format the HDD), you have to run DCPromo again, but that will make a change to the whole domain. If it’s a DNS server as well, you can, after DCPromoing it, put a standalone secondary DNS server in its place. Otherwise, you’ll have to make some changes to the DNS placement in your environment.
January 8th, 2009 at 11:08 pm
Hi,
I am planning to change the TCP/IP address of the Windows 2003 Server Domain Controller running DNS, DHCP, DFS and Print Server. My DC is replicating with another DC holding all 5 FSMO roles. What effect will it have on DNS and DHCP scopes and reservations?
January 12th, 2009 at 7:40 pm
The FSMO roles won’t be affected by the change as long as it’s performed according to the instructions. The Print Server and DFS functions are also based on DNS (or WINS) name, not direct IP, so will also be unaffected.
Your DHCP scope will have to be updated to reflect the new information, and any DNS client will have to be edited to point to the new IP. If every client is DHCP (printers, Linux systems, etc.), then updating the DHCP scope is all you need to do. After you’ve updated the scope (at the end of the DNS change), reboot every device in the network so that it gets the new addresses (or do an “ipconfig /release && ipconfig /renew” on Windows systems).
September 16th, 2009 at 1:09 am
Thanks for the wonderful post. Please direct me to a link with more information. Thank you.