    Upcoming Job couple thoughts on DC demotion

    IT Discussion
    • prcssupport

      OK Guys,

      I started writing this on my phone last night but it was a bit much.
      So this is my first time on ML with my laptop.

      Anyways I have a job coming up later this week and I want to make sure I do this right.

      I have a company they have 2 servers and 6 workstations onsite.

      *Server 1 is a physical 2008R2 hosting AD\DNS, roaming profiles, and File shares. Raid 10

      *Server 2 is a VM of 2008R2 hosting AD\DNS secondary

      The owner is migrating his Database to the Cloud with the software vendor. (I'm not involved)

      He wants me to:
      *demote\decommission the #2 server
      *Enable Bitlocker on Server #1 for data security while at rest.
      *demote this system, as he just wants to shut it down, where it can be powered up to access the "Archives" from the network.

      My thoughts are to move the pertinent software and data to the VM and mothball the physical server. As this will help us with future OS access in the event of hardware failure.

      Or

      Maybe perform a P2V on server#1 but may take longer?

      I haven't used Bit-locker ever so I don't have experience to pull from, I have some thoughts about it.

      1. The software vendor said "not to use encryption" on the server as it will cause problems. He didn't know why, he just repeated it to me.
        *Question
        With BitLocker the data is encrypted while the machine is off. So the data is only protected as long as it is off. Correct?
        I'm not sure why this is an issue. If the data remains where it belongs and is unencrypted (while running) then the program should be able to access the data base without issues.

      2. What kind of logon is there to access the server with Bit-locker.

        • I have used Symantec PGP FDE, with that you have to authenticate to PGP before the OS will load. I get that, I just haven't seen anything else.

      I have several Network Shares on Server 1 with permissions for just the domain admin and the creator to be able to access it (Roaming Profiles). With that said, I believe I would need to change all file permissions before any changes are made to the primary DC so that they would have continued access in the future. I believe all access might be lost if I forget this step and then "DCPROMO."

      Ultimately I will have to migrate everyone back to local profiles. So I guess this doesn't matter so much. I just wanted to know more for my mind on what would happen.

      I have been interrupted so many times now (The kids) that I can't think anymore.

      I'm going to wrap this up; I have to head to work. Thank you for your thoughts.

      Chad

      • travisdh1 @prcssupport

        @prcssupport Yes, for sure, P2V server#1. Even if it's just one guest OS.

        1. The vendor most likely has encryption running either at the application or database level. Adding another layer of encryption on top should only slow things down, but I've seen poorly written apps not handle it properly. You are correct in that the data is never encrypted while in use, just at rest on the drive.
        2. BitLocker is the thing built into the Windows OS, so just logging into the system like normal.
        • dafyre

          It should be noted that when there's two domain controllers involved, P2V is rarely a good idea from what I understand.

          If you're going to decommission the second VM, then demote it and turn it off.... and then P2V Server 1 seems like a more viable solution to me...

          • travisdh1 @dafyre

            @dafyre said in Upcoming Job couple thoughts on DC demotion:

            It should be noted that when there's two domain controllers involved, P2V is rarely a good idea from what I understand.

            If you're going to decommission the second VM, then demote it and turn it off.... and then P2V Server 1 seems like a more viable solution to me...

            Listen to @dafyre, I don't do Windows Server currently.

            • dafyre @travisdh1

              @travisdh1 At least not until he's decommissioned server 2. 8-)

              • JaredBusch

                For an office that small, just demote and power off the second DC. Then P2V the remaining DC to get easier backups and faster recovery (assuming you use a good solution like Veeam or Unitrends).

                There is certainly no need for a second DC at that scale.

                • JaredBusch @dafyre

                  @dafyre said in Upcoming Job couple thoughts on DC demotion:

                  It should be noted that when there's two domain controllers involved, P2V is rarely a good idea from what I understand.

                  If you're going to decommission the second VM, then demote it and turn it off.... and then P2V Server 1 seems like a more viable solution to me...

                  Order is not relevant.

                  • dafyre @JaredBusch

                    @JaredBusch said in Upcoming Job couple thoughts on DC demotion:

                    @dafyre said in Upcoming Job couple thoughts on DC demotion:

                    It should be noted that when there's two domain controllers involved, P2V is rarely a good idea from what I understand.

                    If you're going to decommission the second VM, then demote it and turn it off.... and then P2V Server 1 seems like a more viable solution to me...

                    Order is not relevant.

                    I guess if you are decommissioning one, I could agree. But generally doesn't P2Ving a Domain controller cause issues?

                    • JaredBusch @dafyre

                      @dafyre said in Upcoming Job couple thoughts on DC demotion:

                      @JaredBusch said in Upcoming Job couple thoughts on DC demotion:

                      @dafyre said in Upcoming Job couple thoughts on DC demotion:

                      It should be noted that when there's two domain controllers involved, P2V is rarely a good idea from what I understand.

                      If you're going to decommission the second VM, then demote it and turn it off.... and then P2V Server 1 seems like a more viable solution to me...

                      Order is not relevant.

                      I guess if you are decommissioning one, I could agree. But generally doesn't P2Ving a Domain controller cause issues?

                      Never has for me, but if you are worried about it, then simply shutdown DC 2 during the P2V. Then there is no other DC for things to get out of sync with.

                      But most SMB environments do not have that much AD traffic for it to matter.

                      • JaredBusch @JaredBusch

                        @JaredBusch said in Upcoming Job couple thoughts on DC demotion:

                        @dafyre said in Upcoming Job couple thoughts on DC demotion:

                        @JaredBusch said in Upcoming Job couple thoughts on DC demotion:

                        @dafyre said in Upcoming Job couple thoughts on DC demotion:

                        It should be noted that when there's two domain controllers involved, P2V is rarely a good idea from what I understand.

                        If you're going to decommission the second VM, then demote it and turn it off.... and then P2V Server 1 seems like a more viable solution to me...

                        Order is not relevant.

                        I guess if you are decommissioning one, I could agree. But generally doesn't P2Ving a Domain controller cause issues?

                        Never has for me, but if you are worried about it, then simply shutdown DC 2 during the P2V. Then there is no other DC for things to get out of sync with.

                        But most SMB environments do not have that much AD traffic for it to matter.

                        I mean don't change password or make new users during the P2V.

                        • Dashrender @dafyre

                          @dafyre said in Upcoming Job couple thoughts on DC demotion:

                          @JaredBusch said in Upcoming Job couple thoughts on DC demotion:

                          @dafyre said in Upcoming Job couple thoughts on DC demotion:

                          It should be noted that when there's two domain controllers involved, P2V is rarely a good idea from what I understand.

                          If you're going to decommission the second VM, then demote it and turn it off.... and then P2V Server 1 seems like a more viable solution to me...

                          Order is not relevant.

                          I guess if you are decommissioning one, I could agree. But generally doesn't P2Ving a Domain controller cause issues?

                          No, restoring from backups is what messes up pre-Windows Server 2012 R2 DCs. 2012 R2 and newer all understand VMs now and are able to compensate for an old version being restored.

                          • Dashrender

                            Did I read this right, when all is said and done, you will have no continuously running servers at this site?

                            instead they will power on the server only when they need to look for archived data?

                            Also where is the DB now? I didn't see that in the OP.

                            • prcssupport @Dashrender

                              @Dashrender said in Upcoming Job couple thoughts on DC demotion:

                              Did I read this right, when all is said and done, you will have no continuously running servers at this site?

                              instead they will power on the server only when they need to look for archived data?

                              Also where is the DB now? I didn't see that in the OP.

                              Thank you for the replies everyone!

                              Yes, that is correct. The servers will be down.

                              The application and database will be moved to the cloud.

                              The server will exist only for access if needed. But will remain off at all other times.

                              • IRJ

                                I am going to address the elephant in the room here.

                                1. DCs should only be DC, DNS, and possibly DHCP
                                2. Separate the file server role to a new server (vm)
                                3. Why the hell do you need roaming profiles or even active directory for a network with 6 workstations. Everything should be cloud based. They certainly don't need AD.
                                • IRJ

                                  I would:

                                  1. create a Server 2012 core vm (use barebone core install and no extra resources. You won't need them)
                                  2. Promote it to DC, add DNS, and DHCP
                                  3. Transfer the roles to it
                                  4. Demote the file server and the other DC
                                  5. Work on creating a new vm for a file server or consider a NAS with cloud backup.
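The promote, transfer-roles, then demote sequence IRJ lists, written out as an added PowerShell walk-through that is not from any post in this thread. It assumes the new core DC is named DC-NEW and the old 2008R2 DC SERVER1 (both placeholders), the RSAT ActiveDirectory module is available on DC-NEW, and the account running it is a Domain Admin; the promotion and demotion commands are left commented because each must be run on the host it affects.

```powershell
# Added example, not the thread's own procedure. Placeholders: DC-NEW (new 2012 core DC),
# SERVER1 (old 2008R2 DC to be demoted). Run the main body on DC-NEW as a Domain Admin.
Import-Module ActiveDirectory

# Step 2 (run on DC-NEW itself): install AD DS + DNS and join the existing domain as a DC.
# Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Install-ADDSDomainController -DomainName (Get-ADDomain).DNSRoot -InstallDns -Credential (Get-Credential)

# Step 3a: record who holds the five FSMO roles before changing anything.
"FSMO holders before transfer:"
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Step 3b: refuse to continue unless DC-NEW has a clean replication result from every partner.
# Demoting the last good copy while the new DC is still behind is how directory data gets lost.
$failed = Get-ADReplicationPartnerMetadata -Target "DC-NEW" |
    Where-Object { $_.LastReplicationResult -ne 0 }
if ($failed) {
    $failed | Select-Object Partner, LastReplicationResult, LastReplicationAttempt | Format-Table
    throw "Replication to DC-NEW is not clean; fix this before transferring roles."
}

# Step 3c: transfer (not seize) all five roles to DC-NEW while SERVER1 is still online.
Move-ADDirectoryServerOperationMasterRole -Identity "DC-NEW" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Verify every role now resolves to DC-NEW; stop if any role is still elsewhere.
$forest = Get-ADForest
$domain = Get-ADDomain
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
$stillOld = $holders | Where-Object { $_ -notlike "DC-NEW.*" }
if ($stillOld) { throw "Roles not on DC-NEW: $($stillOld -join ', ')" }
"All FSMO roles now held by DC-NEW."

# Step 4 (run on each old DC): demote it to a plain member server.
# On the 2008R2 hosts this is the dcpromo wizard the OP mentions; on 2012+ it is:
# Uninstall-ADDSDomainController -LocalAdministratorPassword (Read-Host -AsSecureString "Local admin pw") -Force

# Final check after demotion: DC-NEW should be the only DC listed, holding all roles.
Get-ADDomainController -Filter * | Select-Object HostName, OperationMasterRoles
```

Before the demotion step, also point the DHCP scope and any static client DNS settings at DC-NEW, since a demoted SERVER1 will no longer answer domain DNS queries.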
                                  • prcssupport @IRJ

                                    @IRJ said in Upcoming Job couple thoughts on DC demotion:

                                    I am going to address the elephant in the room here.

                                    1. DCs should only only be DC, DNS, and possibly DHCP
                                    2. Separate the file server role to a new server (vm)
                                    3. Why the hell do you need roaming profiles or even active directory for a network with 6 workstations. Everything should be cloud based. They certainly don't need AD.

                                    I was brought into this work after they had it all set up and running for years. I did way more than initially asked. Right or wrong, it is where it is.

                                    Everything at the beginning was virtual and server 2003, the owner demanded an all physical design. He was 100% against all cloud.

                                    I merely did the best as I could and as close to how they wanted. The AD had already been set up as well as the file shares where they were.

                                    I tried very hard to help them move from premise based "physical" but he was having none of it.

                                    I chose to move them to roaming profiles because I observed how the staff worked.

                                    They all desk jump and will use a different workspace multiple times during the day.

                                    But their desktops were never exactly the same and data was always somewhere on another system. So it sped them up once I gave them roaming profiles.

                                    Once they saw how the workspace was the same in the entire network they were much happier.

                                    I also implemented user profiles as opposed to a universal single login at each computer where they shared all credentials between.

                                    • IRJ @prcssupport

                                      @prcssupport said in Upcoming Job couple thoughts on DC demotion:

                                      I did way more than initially asked. Right or wrong, it is where it is.
                                      I merely did the best as I could and as close to how they wanted. The AD had already been set up as well as the file shares where they were.

                                      As a consultant your job is to do what is best for the network, not what some CEO of a tiny company thinks he wants. If I just kept networks the way they were and didn't make any major changes during my career, I wouldn't be where I am at now. Be careful not to get caught up in what works today. You need to recommend what works in the future.

                                      • IRJ @prcssupport

                                        @prcssupport said in Upcoming Job couple thoughts on DC demotion:

                                        Everything at the beginning was virtual and server 2003, the owner demanded an all physical design. He was 100% against all cloud.

                                        Is he paying you to do exactly what he says or is he paying you for your IT knowledge?

                                        • IRJ @prcssupport

                                          @prcssupport said in Upcoming Job couple thoughts on DC demotion:

                                          They all desk jump and will use a different workspace multiple times during the day.

                                          But their desktops were never exactly the same and data was always somewhere on another system. So it sped them up once I gave them roaming profiles.

                                          Sounds like they aren't properly licensing their software. I can't think of another reason to jump workstations throughout the day. They may initially save money, but all that desk jumping is going to cost them in the long run. More IT tickets and less productivity.

                                          • DustinB3403

                                            I've V2V'd one of our DCs (it was also our on-site Exchange); it was rather painless once the process to get it done was understood.

                                            Disable AD replication functions, export and import into its new home. I would imagine the same thing would have to occur with a physical.

                                            Disable the AD functions, P2V and import.
