Move Domain Controllers to an isolated site

Garima Das 981 Reputation points
2020-10-06T14:43:46.133+00:00

Hello Experts,

We are in the process of Active Directory modernization, where we are upgrading our Active Directory from 2012 R2 to 2019. Part of this exercise is also to find the static IP addresses that are reaching the legacy domain controllers before demoting them. The logic behind this is to find the servers which are only reaching out to a single domain controller and update their DNS settings to point to the new 2019 domain controllers. Before doing the demotion we wanted to suppress the DC and check if there are applications or services in the environment which are getting affected by it. One way of doing this is to suppress the SRV records of the domain controllers, but we don't want to do this as we have faced issues with this practice before. The other option that we got to know about was moving the domain controller to an isolated site, which will do the replication but will stop the client/server traffic to the domain controller. What we wanted to know was how we can isolate a site and make this happen without a firewall, VLAN, or re-IPing the domain controllers. Please suggest.


10 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2020-10-06T14:46:06.51+00:00

    How long is your testing going to last? The much simpler method is to just power off the domain controller to check the effect. These tools may also be useful.
    https://learn.microsoft.com/en-us/sysinternals/downloads/adinsight
    https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview

    --please don't forget to Accept as answer if the reply is helpful--

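    A way to build the inventory of clients that still talk to the legacy DC, as an added example that is not part of this answer and not a Microsoft tool: it pulls client addresses from the Kerberos ticket events the DC logs (Security 4768/4769) and from the live TCP sessions to its AD ports (the same picture TCPView gives, in script form), then merges them into one list that can be compared before and after the DC is moved or powered off. The DC name, the seven-day window and the port list are assumptions; it is meant to run from an elevated PowerShell session with the ActiveDirectory RSAT module installed and WinRM reachable on the DC.

```powershell
# Added example, not from the thread: inventory clients still using a legacy DC.
# Assumptions: elevated session, ActiveDirectory module, WinRM to the DC,
# Kerberos auditing (4768/4769) enabled on the DC (it is by default).
Import-Module ActiveDirectory

$LegacyDc = 'LEGACY-DC01'          # placeholder: the DC being retired
$Since    = (Get-Date).AddDays(-7) # assumed observation window

# 1. Kerberos TGT/service-ticket requests carry the requesting client's address.
$krbEvents = Get-WinEvent -ComputerName $LegacyDc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4769
    StartTime = $Since
} -ErrorAction SilentlyContinue

$krbClients = foreach ($e in $krbEvents) {
    $xml = [xml]$e.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
    # IPv4 clients appear as IPv4-mapped IPv6 (::ffff:10.1.2.3); keep the IPv4 part
    if ($ip) { $ip -replace '^::ffff:', '' }
}

# 2. Established TCP sessions to the AD/DNS/SMB ports on the DC (assumed port list).
$AdPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269
$liveClients = Invoke-Command -ComputerName $LegacyDc -ScriptBlock {
    param($ports)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ports -contains $_.LocalPort } |
        Select-Object -ExpandProperty RemoteAddress
} -ArgumentList (,$AdPorts)

# 3. Merge both sources, drop loopback and the other DCs, and add a name for the report.
$otherDcs = (Get-ADDomainController -Filter *).IPv4Address
$report = @($krbClients) + @($liveClients) |
    Where-Object { $_ -and $_ -notin @('127.0.0.1', '::1') -and $_ -notin $otherDcs } |
    Group-Object |
    Sort-Object Count -Descending |
    ForEach-Object {
        $name = '(no PTR)'
        try { $name = [System.Net.Dns]::GetHostEntry($_.Name).HostName } catch { }
        [pscustomobject]@{ ClientIP = $_.Name; Hits = $_.Count; HostName = $name }
    }

$report | Format-Table -AutoSize
# Keep the list so the same run after the change shows which clients moved away.
$report | Export-Csv -Path ".\legacy-dc-clients-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

    Clients that appear here with high hit counts and no second DC in their DNS settings are the ones whose static configuration needs updating before the demotion; a second run after the DC is isolated shows whether they actually stopped using it.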

  2. Garima Das 981 Reputation points
    2020-10-07T16:00:39.407+00:00

    We don't want to shut down the DC; we want to move it to another site to achieve this. Replication should continue to work fine after the move.


  3. Dave Patrick 426.1K Reputation points MVP
    2020-10-07T17:51:11.793+00:00

    It may be doable with some work. At a bare minimum you'll need these ports open between domain controllers.
    389/TCP/UDP LDAP
    636/TCP LDAP SSL
    3268/TCP LDAP GC
    3269/TCP LDAP GC SSL
    53/TCP/UDP DNS
    445/TCP SMB

    --please don't forget to Accept as answer if the reply is helpful--

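    A check for the ports listed in this reply, as an added example that is not part of the answer: run on the new 2019 DC, it probes each TCP port on the DC that is about to be isolated and then proves the result with a real SRV lookup and a replication summary. The target name is a placeholder. Test-NetConnection only speaks TCP, so 389/UDP and 53/UDP cannot be probed with it; the DNS lookup at the end exercises 53/UDP instead. Kerberos (88/TCP) and the RPC endpoint mapper (135/TCP plus the dynamic RPC range) are not in the reply but replication also depends on them, so they are included and labelled as such.

```powershell
# Added example, not from the thread: verify DC-to-DC port reachability.
# Run from the new DC; LEGACY-DC01 is a placeholder.
Import-Module ActiveDirectory

$Target = 'LEGACY-DC01'
$Ports  = @{
    389  = 'LDAP'
    636  = 'LDAP SSL'
    3268 = 'LDAP GC'
    3269 = 'LDAP GC SSL'
    53   = 'DNS'
    445  = 'SMB'
    88   = 'Kerberos (not in the reply; replication needs it)'
    135  = 'RPC endpoint mapper (not in the reply; replication also uses the dynamic RPC range)'
}

# TCP probe per port; UDP variants of 389 and 53 are not covered by Test-NetConnection.
$results = foreach ($port in ($Ports.Keys | Sort-Object)) {
    $t = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Service = $Ports[$port]; TcpOpen = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    Write-Warning ("Blocked TCP ports to {0}: {1}" -f $Target, ($blocked.Port -join ', '))
}

# 53/UDP: a DC locator SRV query against the target DC (Resolve-DnsName uses UDP first).
$domain = (Get-ADDomain).DNSRoot
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $Target |
    Format-Table Name, NameTarget, Port

# The conclusive check is replication itself: no failures here means the open ports suffice.
repadmin /replsummary $Target
```

    If the TCP probes pass but repadmin reports failures, the usual culprit is the dynamic RPC range rather than the fixed ports above.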

  4. Garima Das 981 Reputation points
    2020-10-08T03:38:19.977+00:00

    Are you asking to use firewall for this?


  5. Vicky Wang 2,636 Reputation points
    2020-10-08T07:13:08.707+00:00

    According to your description, our original purpose is to find out those clients whose DNS server points to the DC that will be demoted, because we are worried that the client cannot complete the DNS query normally after the DC is demoted.

    In response to this original problem, there are two situations:

    If we are using a static DNS server, we can promote a new DC and use the IP address of the old DC, so that we can ensure that the client's DNS server is always in a working state. We can test one before proceeding with a broader upgrade. The steps are in the following links:

    https://serverfault.com/questions/675329/reuse-old-domain-controller-ip-address
    https://redmondmag.com/articles/2019/06/24/replace-aging-domain-controller.aspx

    If we are using DHCP, refer to the last step (step 20) described in the following link:

    https://learn.microsoft.com/zh-cn/archive/blogs/canitpro/step-by-step-adding-a-windows-server-2012-domain-controller-to-an-existing-windows-server-2003-network?WT.mc_id=CANITPRO-blog-abartolo

    Finally, on how we can isolate a site: I don't know what your definition of isolate is. It can be manually moved to the corresponding site in AD Sites and Services. After the client is restarted or the cache is cleared, the clients of the original site will no longer initiate verification and query requests to this DC. They will locate other DCs in the original site.

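    The site move described here, scripted as an added example that is not part of the answer: it creates a holding site with no subnets attached, links it to the production site so the KCC keeps replicating, moves the DC's server object, and then verifies the DC's site registration and its replication partners. Site names and the DC name are placeholders; it assumes an elevated session with the ActiveDirectory module and Domain Admin rights. The DC keeps its IP, firewall rules and VLAN throughout, which is the constraint the question sets.

```powershell
# Added example, not from the thread: isolate a DC by site without touching its network.
# Placeholders: LEGACY-DC01, Legacy-Isolated, Default-First-Site-Name.
Import-Module ActiveDirectory

$Dc             = 'LEGACY-DC01'
$IsolatedSite   = 'Legacy-Isolated'
$ProductionSite = 'Default-First-Site-Name'

# 1. Create the site and deliberately attach NO subnets to it. DC location is driven by
#    the client's subnet-to-site mapping, so a site with no subnets has no site-local clients.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$IsolatedSite'")) {
    New-ADReplicationSite -Name $IsolatedSite -Description 'Holding site for DCs pending demotion'
}

# 2. A site link between the two sites keeps replication flowing; the KCC builds the
#    inter-site connection objects from it. Cost and interval are assumed values.
$linkName = "$ProductionSite-$IsolatedSite"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $ProductionSite, $IsolatedSite `
        -InterSiteTransportProtocol IP `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}

# 3. Move only the server object; nothing about the host's IP or VLAN changes.
Move-ADDirectoryServer -Identity $Dc -Site $IsolatedSite

# 4. Recompute topology now rather than waiting for the KCC interval, and confirm the
#    DC sees itself in the new site (Netlogon re-registers site-specific SRV records).
repadmin /kcc $Dc | Out-Null
nltest /server:$Dc /dsgetsite

# 5. Verify replication still has partners and no errors after the move.
Get-ADReplicationPartnerMetadata -Target $Dc |
    Format-Table Partner, LastReplicationSuccess, LastReplicationResult -AutoSize
repadmin /replsummary $Dc
```

    Two caveats matter for reading the results. The DC still registers its generic, non-site-specific DC locator records, so a client whose subnet is not mapped to any site can still be handed this DC; and a client that has the DC's IP as a static DNS server keeps sending DNS queries to it regardless of site, because the site move does not change the address. The site move therefore removes the DC from site-aware DC selection only; finding the clients with static settings is still done by watching who keeps connecting, and the power-off suggested earlier in the thread remains the conclusive test.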