How to Decommission an Old Domain Controller and Set Up a New One on AWS EC2

You might eventually need to swap out an old Domain Controller (DC) for a new one when maintaining a network architecture. Decommissioning an outdated DC and installing a new one with DNS capability may be part of this procedure. The procedure is simple for those using AWS EC2 instances for this purpose, but it needs to be carefully planned and carried out. A high-level method to successfully managing this shift can be found below.

1. Install the New Domain Controller (DC) on a New EC2 Instance

In order to host your new Domain Controller, you must first establish a new EC2 instance.

• EC2 Instance Setup: Begin by starting a fresh Windows Server-based EC2 instance. For ease of communication, make sure this instance is within the same VPC or subnet as your present DC and is the right size for your organization's needs.

• Install Active Directory Domain Services (AD DS): Use the Server Manager to install the AD DS role after starting the instance.

• Promote to Domain Controller: After the server has been promoted to a Domain Controller, the AD DS role must be installed. You will have the opportunity to install the DNS server as part of this promotion procedure. In order to manage the resolution of your domain name, this is essential.

2. Replicate Data from the Old DC to the New DC

Making ensuring all of the data from the old DC is copied onto the new server is the next step once the new DC is promoted.

• Enable Replication: Active Directory will automatically replicate the directory objects, such as users, machines, and security policies, while the new Domain Controller is being set up. If DNS is set up on the old server, this will also include DNS records.

• Verify Replication: Ascertain whether replication was successful. Repadmin and dcdiag, two built-in Windows utilities, can be used to monitor and confirm that the data has been fully synchronized between both controllers.

3. Verify the Health of the New DC

Before decommissioning the old Domain Controller, it is imperative to make sure the new one is completely functional.

• Use dcdiag: This utility examines the domain controller's condition. It will confirm that the DC is operating as it should.

• To make sure no data or DNS entries are missing, use the repadmin utility to verify Active Directory replication between the new and old DCs.

4. Update DNS Settings

You must update the DNS settings throughout your network after making sure the new DC is stable and replicating correctly.

• Update VPC/DHCP DNS Settings: If you're using DHCP, make sure that the new DC's IP address is pointed to by updating the DNS settings in your AWS VPC or any other DHCP servers. This enables clients on your network to resolve domain names using the new DNS server.

• Update Manually Assigned DNS: Make sure that any computers or programs that have manually set up DNS are updated to resolve DNS using the new Domain Controller's IP address.

5. Decommission the Old Domain Controller

It is safe to start decommissioning the old DC when the new Domain Controller has been validated and DNS settings have been changed.

• Demote the Old Domain Controller: To demote the old server, use the dcpromo command. With this command, the server no longer serves as a Domain Controller in the network and is removed from the domain.

• Verify Decommissioning: After demotion, examine the AD structure and replication status to make sure the previous server is no longer operating as a DC.

6. Clean Up and DNS Updates

With the old DC decommissioned, there are some final cleanup tasks to ensure smooth operation.

• Tidy Up DNS and AD: Delete from both DNS and Active Directory any last traces of the previous Domain Controller. DNS entries and metadata are examples of this.

• Verify Client DNS Settings: Verify that every client computer is correctly referring to the updated DNS server.

Assigning IP Addresses to the New EC2 Instance

You must make sure that your new DC has a stable IP address because your previous DC was probably linked to a particular one.

• Elastic IP Assignment: The new EC2 instance can be given an elastic IP address, which will guarantee that it stays the same IP throughout reboots and session restarts. By doing this, DNS resolution and domain service interruptions are prevented.

• Update Routing if Needed: Verify that the new Elastic IP is accessible and correctly routed both inside your VPC and on any other networks that communicate with your domain.

  Additional Considerations

• Networking Configuration: Ascertain that your EC2 instances are correctly networked within the same VPC and that the security groups are set up to permit the traffic required for AD DS and DNS functions.

• DNS Propagation: The time it takes for DNS to propagate may vary depending on the size of your network. Maintain network monitoring and confirm that all DNS modifications have been properly distributed to clients and external dependencies.

Conclusion

You can completely decommission your old Domain Controller located on an EC2 instance and install a new one with a DNS server by following these instructions. This procedure permits the replacement or enhancement of your underlying hardware and software infrastructure while guaranteeing little downtime and preserving the integrity of your Active Directory system. Your new EC2 instance can be given a static Elastic IP address, which will guarantee DNS resolution stability even when the server restarts.

For further reading and detailed guidance, explore these resources:

• Amazon EC2 Documentation
• AWS VPC Documentation
• Configuring DHCP Options in AWS
• Elastic IP Addresses in Amazon EC2
• Dcdiag Command Reference
• Networking and Security Groups in AWS