Posts by dave247
    • RE: Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      @jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      @dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      @scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      How I'd handle it....

      Well, I'd not do it if possible and fix things pointing to something that they shouldn't here. That's the root level fix.

      To go after a proximate fix...

      1. Set up the new DC. Do NOT use the old IP or hostname.
      2. Get it all working with the old machines in place.
      3. Create a CNAME to point the old name to the new server's A record. Remove the old machine.
      4. If you must, change the new IP to the old IP.

      Ok, let's scratch everything I mentioned. If I were to do this the best practice way, would I simply:

      1. Set up the new 3rd domain controller with a new name (DC3) and IP address
      2. Pass the roles from DC1 to DC3
      3. Finally, go through and point all "primary DNS" entries on Exchange and EVERYTHING else to the new DC3

      If I perform the above steps, I am assuming no systems will have issues authenticating since they will all be reaching out to one of the three DCs, right? Therefore, I can gradually point systems to the new DC as needed.

      Otherwise, please help me understand what I should do. I am going to spend my day tomorrow researching this stuff so I'm better educated on what I'm doing and can come up with an action plan.

      Thank you

      The above is the correct way to handle it. You can export your DHCP and import it on the new DC. The same goes for the print server settings, they can be exported and imported. DNS self replicates.

      It is also why you never use static IP addressing in a Windows AD network, IMO. I mean I never use it on any type of network, but in the AD world, this makes shit a pain in the ass.

      Everything, except the DC and router get DHCP reservations. When Exchange was on site, I would give that a static IP also, just because Microsoft.

      This means you only need to modify your DHCP scope to hand out the new info and you are done once everything renews.

      omg yes, that makes total sense!! That would make updating the DNS entries SO MUCH EASIER... I'm actually pissed I didn't realize this earlier. We currently have all our static addresses set on the host side, not via reservation. This was done by previous administrators. When I came on board I suggested reservations (as I had been reading up on DHCP stuff). We never implemented it and I just forgot about it, but I'm going to now that I see what you're saying makes total sense.

      Thanks JB

      posted in IT Discussion by dave247
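The staged approach the thread converges on (new DC with a new name and IP, roles transferred, DHCP and printers migrated, clients repointed through the DHCP scope option instead of per-host static DNS), as an added PowerShell example that is not code from the thread or any of its participants; the domain name, scope, addresses and MAC are assumed values.

```powershell
# Added example, not from the thread: staged replacement of DC1 by DC3 the way
# the thread lays it out (new name and IP, move roles, migrate DHCP/printers,
# repoint clients through DHCP rather than per-host static DNS settings).
# Assumed values: domain corp.example, scope 10.10.0.0/24, DC3 = 10.10.0.13,
# BDC1 = 10.10.0.11. Run elevated on DC3 with the RSAT AD/DHCP/DNS modules.

$Domain  = 'corp.example'
$OldDc   = 'DC1'
$NewDc   = 'DC3'
$ScopeId = '10.10.0.0'
$NewDcIp = '10.10.0.13'
$BdcIp   = '10.10.0.11'
New-Item -ItemType Directory -Path C:\Migrate -Force | Out-Null

# 1. Transfer (not seize) all five FSMO roles from DC1 to DC3 while DC1 is online
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Verify every role now reports DC3 before touching anything else
$d = Get-ADDomain $Domain
$f = Get-ADForest
$fsmo = [ordered]@{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
}
$fsmo | Format-Table -AutoSize
$left = $fsmo.Values | Where-Object { $_ -like "$OldDc.*" }
if ($left) { throw "Roles still on ${OldDc}: $($left -join ', ')" }

# 2. DHCP: export from DC1 with leases, import on DC3 (keeps scopes, options, reservations)
Export-DhcpServer -ComputerName "$OldDc.$Domain" -File C:\Migrate\dhcp.xml -Leases
Import-DhcpServer -ComputerName "$NewDc.$Domain" -File C:\Migrate\dhcp.xml `
    -BackupPath C:\Migrate\dhcp-backup -Leases

# 3. Hand out DC3 and BDC1 as DNS servers via the scope option; every DHCP client,
#    reservations included, picks this up at its next renew with no per-host edits
Set-DhcpServerv4OptionValue -ComputerName "$NewDc.$Domain" -ScopeId $ScopeId `
    -DnsServer $NewDcIp, $BdcIp -DnsDomain $Domain

# Turn one host-side static address into a reservation (constructed MAC/IP) so it
# is managed centrally from now on; repeat per printer/appliance
Add-DhcpServerv4Reservation -ComputerName "$NewDc.$Domain" -ScopeId $ScopeId `
    -IPAddress 10.10.0.50 -ClientId '00-11-22-33-44-55' -Name 'printer-1'

# 4. Back up print queues and drivers from DC1 with PrintBrm (restore on DC3 with -R)
& "$env:windir\System32\spool\tools\PrintBrm.exe" -B -S "\\$OldDc" -F C:\Migrate\printers.printerExport

# 5. Audit: which Windows servers still have DC1 hard-coded as a DNS server?
#    Everything listed here gets fixed (or moved to a reservation) before DC1 goes away
$oldDcIp = (Resolve-DnsName "$OldDc.$Domain" -Type A).IPAddress
$servers = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').DNSHostName
$stale = foreach ($s in $servers) {
    try {
        $dns = Invoke-Command -ComputerName $s -ErrorAction Stop -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses
        }
        if ($dns -contains $oldDcIp) { $s }
    } catch { Write-Warning "Could not query ${s}: $_" }
}
Write-Host "Still pointing at ${OldDc}: $($stale -join ', ')"

# 6. Time: after the PDCEmulator move, confirm DC3's time source (the PDC emulator
#    is the domain's authoritative clock) before demoting DC1
w32tm /query /computer:"$NewDc.$Domain" /status

# 7. Only after DC1 is demoted, has left the domain, and its A record is gone: alias
#    the old name to DC3 so anything still saying "DC1" by name keeps resolving
# Add-DnsServerResourceRecordCName -ZoneName $Domain -Name $OldDc -HostNameAlias "$NewDc.$Domain"
```

Step 5 only reaches Windows hosts that accept remoting; printers and appliances with a single hard-coded DNS field still have to be found from their own configuration or from DC1's DNS query logs.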
    • RE: Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      @scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      How I'd handle it....

      Well, I'd not do it if possible and fix things pointing to something that they shouldn't here. That's the root level fix.

      To go after a proximate fix...

      1. Set up the new DC. Do NOT use the old IP or hostname.
      2. Get it all working with the old machines in place.
      3. Create a CNAME to point the old name to the new server's A record. Remove the old machine.
      4. If you must, change the new IP to the old IP.

      Ok, let's scratch everything I mentioned. If I were to do this the best practice way, would I simply:

      1. Set up the new 3rd domain controller with a new name (DC3) and IP address
      2. Pass the roles from DC1 to DC3
      3. Finally, go through and point all "primary DNS" entries on Exchange and EVERYTHING else to the new DC3

      If I perform the above steps, I am assuming no systems will have issues authenticating since they will all be reaching out to one of the three DCs, right? Therefore, I can gradually point systems to the new DC as needed.

      Otherwise, please help me understand what I should do. I am going to spend my day tomorrow researching this stuff so I'm better educated on what I'm doing and can come up with an action plan.

      Thank you

      posted in IT Discussion by dave247
    • RE: Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      @scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      @dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      @scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      @dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      @jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      Keeping the same name and IP is a recipe for disaster.

      I've asked around numerous times in the past and have had mixed input. Some say it's bad to do and others say it's fine. Can you give me the reasons why you're saying it's a recipe for disaster?

      It's bad to do, but can be done.

      And what about if I were to completely de-commission DC1, then remove it from the domain the right way, then set up the new 2016 to be the same as DC1 was. In that way, wouldn't it be like setting up a new DC since there wouldn't be a trace of the old one?

      Except, you know, the keys 😉

      What do you mean the keys? Registry keys?? Wouldn't they be cleaned up during proper decommission?

      posted in IT Discussion by dave247
    • RE: Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      @scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      @dave247 said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      @jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      Keeping the same name and IP is a recipe for disaster.

      I've asked around numerous times in the past and have had mixed input. Some say it's bad to do and others say it's fine. Can you give me the reasons why you're saying it's a recipe for disaster?

      It's bad to do, but can be done.

      And what about if I were to completely de-commission DC1, then remove it from the domain the right way, then set up the new 2016 to be the same as DC1 was. In that way, wouldn't it be like setting up a new DC since there wouldn't be a trace of the old one?

      posted in IT Discussion by dave247
    • RE: Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      @scottalanmiller said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      @jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      Keeping the same name and IP is a recipe for disaster.

      Agreed, take this as a time to fix this rather than doing extra work now to maintain it. Clean up two things at once.

      How would you go about fixing it?

      posted in IT Discussion by dave247
    • RE: Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      @dashrender said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      The first 2016 DC would be named like DC-temp. It is only there so you always have Two DCs online.

      If you are OK with only your second DC being online, then you start by exporting printer settings, then decom current DC1, then build new VM as DC1, promote to AD, restore printers and go.

      ooh, I see. Basically, move the FSMO roles to BDC1 and make it the only DC, then completely decommission DC1 and remove it from the domain and everything. Then set up the new 2016 server completely as DC1 used to be and then send the FSMO roles back? That seems a bit safer.

      I think only a handful of things point to DC1 for DNS because their settings only allowed for a single DNS entry instead of the usual multiple fields option.

      posted in IT Discussion by dave247
    • RE: Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      @dashrender said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      Is renaming a DC allowed? I didn't think Windows allowed this.

      My thinking is a staged approach.
      Install and configure 2016 DC, unless you are ok running temp with second DC only.
      Migrate roles and make sure all checks are clean.
      Use MS tool to make backup of printers.
      Demote old DC, then remove from domain and turn off.
      Build second VM with name and IP of old DC1, add AD.
      Restore printers
      Decom temp 2016 DC.

      This whole thing is a bit unclear, and then you completely lost me at "Decom temp 2016 DC"

      posted in IT Discussion by dave247
    • RE: Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      @jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      Keeping the same name and IP is a recipe for disaster.

      I've asked around numerous times in the past and have had mixed input. Some say it's bad to do and others say it's fine. Can you give me the reasons why you're saying it's a recipe for disaster?

      posted in IT Discussion by dave247
    • Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      ((Please read my entire post before rushing to reply))

      I just watched Scott's YT video about virtualizing domain controllers and it reminded me that I need to take care of this project I've been putting off for some time.

      My Environment:

      • DC1: 2008 R2 domain controller (physical, holds FSMO roles)
      • BDC1: 2008 R2 backup domain controller (virtual, for AD redundancy)
      • Exchange 2010 SP3 (physical, on-prem)

      Goal: I would like to replace my physical DC1 with a virtual Server 2016 domain controller. I would also like this new DC to have the same name and IP address as DC1, mainly because we have so many printers, servers and appliances that either point to "DC1" or its IP address. I merely want to "swap" domain controllers and end up with a virtual 2016 DC1 of the same IP, without breaking Exchange, or numerous other things.

      To execute my plan, these are the steps I assume I would take, and this is one area where I need guidance:

      1. Install new virtual Server 2016 named DC3
      2. Promote DC3 to domain controller
      3. Pass FSMO roles from old DC1 to DC3
      4. Decommission DC1
      5. Rename DC3 to DC1 and change IP to that of old DC1
      6. Run DC diagnostic commands to make sure things are still working

      I understand that this may be bending or breaking best practice a little, but I would still like to get close to achieving this or something similar without breaking things. I am the only IT guy at my company and I've done a good job at keeping everything running while fixing/updating/upgrading/replacing/etc. I really don't want to damage our DC with this project but I don't want to wait too long to make this change either.

      Additionally, I do believe I have set up time correctly on DC1, but could you guys help me verify this? I suspect I am having time related issues sometimes, for reasons currently unknown.

      w32tm /query /peers
      #Peers: 1
      Peer: pool.ntp.org
      State: Active
      Time Remaining: 357.8628266s
      Mode: 1 (Symmetric Active)
      Stratum: 2 (secondary reference - syncd by (S)NTP)
      PeerPoll Interval: 10 (1024s)
      HostPoll Interval: 10 (1024s)

      w32tm /query /status
      Leap Indicator: 0(no warning)
      Stratum: 3 (secondary reference - syncd by (S)NTP)
      Precision: -6 (15.625ms per tick)
      Root Delay: 0.0499886s
      Root Dispersion: 0.0557726s
      ReferenceId: 0x60F46013 (source IP: 96.244.96.19)
      Last Successful Sync Time: 11/19/2017 3:39:27 PM
      Source: pool.ntp.org
      Poll Interval: 10 (1024s)

      Notes:

      • Virtual BDC1 replaced a virtual DC2 which was lost due to corruption a year ago (I had just started and didn't get the story) - it has the same IP as DC2 used to. I have noticed some errors here such as DCOM errors that say "DCOM was unable to communicate with the computer DC2.[domain].com using any of the configured protocols."
      • Yes, I am aware that we are no longer doing the backup domain controller thing, as all domain controllers are "equal"
      • Yes, I know Exchange should also be virtualized and/or hosted - that's another project for another day
      • I just want to know the simplest way to do this without having to update a bunch of things as they are revealed through failure to function during business hours
      posted in IT Discussion by dave247
    • RE: Looking for a very basic solution for building/maintaining company intranet

      Thanks again for the awesome help guys!

      posted in IT Discussion by dave247
    • RE: Looking for a very basic solution for building/maintaining company intranet

      @tim_g said in Looking for a very basic solution for building/maintaining company intranet:

      @dave247 said in Looking for a very basic solution for building/maintaining company intranet:

      @dave247 said in Looking for a very basic solution for building/maintaining company intranet:

      @scottalanmiller said in Looking for a very basic solution for building/maintaining company intranet:

      For static internal pages, very little will compete with Wordpress.

      Oh yeah I forgot about WP... but all this stuff would need to be local and not online at all. I'm looking it up now and it looks like we can just download WordPress and use it to generate local content... awesome. This may do perfectly.

      ooh looks like I'm going to get to set up a Linux server with LAMP... fun

      @scottalanmiller has you covered!

      https://mangolassi.it/topic/13112/using-saltstack-to-install-high-performance-lamp-on-fedora-25

      https://mangolassi.it/topic/13115/installing-wp-cli-the-wordpress-command-line-with-saltstack

      https://mangolassi.it/topic/13177/deploying-an-nginx-reverse-proxy-with-ssl-on-a-lamp-server-with-saltstack

      Awesome. I don't get to touch Linux too much at work, so this will be a fun project. Thanks!

      posted in IT Discussion by dave247
    • RE: Looking for a very basic solution for building/maintaining company intranet

      @dave247 said in Looking for a very basic solution for building/maintaining company intranet:

      @scottalanmiller said in Looking for a very basic solution for building/maintaining company intranet:

      For static internal pages, very little will compete with Wordpress.

      Oh yeah I forgot about WP... but all this stuff would need to be local and not online at all. I'm looking it up now and it looks like we can just download WordPress and use it to generate local content... awesome. This may do perfectly.

      ooh looks like I'm going to get to set up a Linux server with LAMP... fun

      posted in IT Discussion by dave247
    • RE: Looking for a very basic solution for building/maintaining company intranet

      @scottalanmiller said in Looking for a very basic solution for building/maintaining company intranet:

      For static internal pages, very little will compete with Wordpress.

      Oh yeah I forgot about WP... but all this stuff would need to be local and not online at all. I'm looking it up now and it looks like we can just download WordPress and use it to generate local content... awesome. This may do perfectly.

      posted in IT Discussion by dave247
    • RE: Looking for a very basic solution for building/maintaining company intranet

      @zachary715 said in Looking for a very basic solution for building/maintaining company intranet:

      Following. I looked for a basic solution like this for a while and wasn't easy. I looked at Wordpress since I had some experience but ultimately settled on Sharepoint Foundation (free). We didn't need any bells and whistles. We have external links to particular websites or resources, internal links via UNC path to our file shares, and then there are easy web parts for announcements, calendars, etc. Pretty simple to setup and maintain.

      With Sharepoint Foundation no longer being offered beyond 2013, I'll likely have to go a different route in the future.

      Yeah I know about the Sharepoint Foundation thing not being offered anymore, so I forgot about it after I saw that.

      posted in IT Discussion by dave247
    • Looking for a very basic solution for building/maintaining company intranet

      I am on the hunt for a VERY BASIC web-based application that I can use to build and maintain static web pages for my company's intranet.
      We previously had a product that included help desk, time and attendance, and basic information and document presentation (among other things), which made up our intranet.

      Now we've gone with different vendors for the help desk and time and attendance parts, and now all we are left with is to find something that can essentially allow specific users to create and manage static web pages, for the purpose of displaying announcements, news and links to local and external resources and documents.
      This is something pretty basic that I could probably build myself in PHP and PostgreSQL or something, but I honestly don't have the bandwidth for a project like that right now.

      I'm hoping someone can provide some suggestions for any products that might meet that description. Again, it doesn't need to be very complex at all, and I know a lot of solutions have a lot of extra stuff jam-packed into them. I'm just looking for something really lightweight and simple to deploy and manage.

      posted in IT Discussion by dave247
    • RE: Thoughts on how I could improve my network security?

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that?

      Everything is the problem with it. It goes against everything we learn in IT about good practices. Why do we put databases, applications, monitoring, logging, and Active Directory on different VMs when we could mash them all into one VM?

      Why are you treating your network security like it's a desktop or hobby class device and are willing to smash all kinds of applications together onto the network appliance, when you'd never consider anything of the sort with even relatively trivial production applications? Why is security and networking so often considered to be of trivial importance compared to everything else on the network?

      The real question is... given best practices and broad application of rules that apply on every production workload, why do you consider the applications on your router to be the exception to the rule rather than one of the most important examples of it?

      This just seems like another vague attempt to prop up your opinion again. Again, our 3600 does a really good job even though all those features are "mashed" in the same system.

      posted in IT Discussion by dave247
    • RE: Thoughts on how I could improve my network security?

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?

      I feel like you've missed everything I've ever said.

      First of all, UTM never means Firewall. Those are two different things.

      Second, a router is always a firewall, the two are always the same thing, have been for decades. The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s.

      Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever.

      Where did you get the impression that I ever said anything of the sort?

      I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful.

      I may not know a lot, but I know enough to know that a firewall and a router are not the same thing. Sure, they are pretty much always packaged together in the same product, but they are two different individual functions. And I get that there is some overlap, as routers can have ACLs and firewalls can set static routes, but that doesn't mean they are the same thing.

      posted in IT Discussion by dave247
    • RE: Thoughts on how I could improve my network security?

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      @tim_g said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
      I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.

      This is exactly how it is for me too.

      I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

      If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.

      What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?

      Why would they be "devices"? What's the benefit to having hardware appliances for every application in a business? They should be treated like any other enterprise application - individual VMs. There are standard patterns here that are widely known and accepted. The issue, I think, is that people start hearing the marketing spiel on this stuff and start forgetting that network AV scanning, IDS, web proxies, etc. are "just another application" and that best practices have always existed for them.

      Best practices for applications include virtualization, and separation. What I'm suggesting isn't weird here, it's having them on appliances or mashed together on the same OS that breaks the standard approach.

      You wouldn't treat your database or even your website this way, why your security system?

      By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?

      I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that? Also, for what it's worth, the SonicWall's GMS Analyzer is on a separate virtual machine.

      posted in IT Discussion by dave247
    • RE: Thoughts on how I could improve my network security?

      @tim_g said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
      I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.

      This is exactly how it is for me too.

      I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

      If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.

      What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?

      posted in IT Discussion by dave247