Solid reference to Glenn LeCheminant.

http://blogs.technet.com/b/glennl/archive/2010/08/13/minimizing-risk-during-ad-upgrades.aspx

-- Espi

On Thu, Apr 30, 2015 at 6:44 PM, Free Jr., Bob <[email protected]> wrote:

> I find it very useful for testing in isolated sites as well.
>
> We used it extensively for isolated testing the introduction of up level
> DCs based on some guidance Glen L gave us years ago
>
> *Systematically test computers/application usage and coexistence with W2K8 DCs.*
>
> 1) For applications running on Windows that find DCs through DCLocator
>    <http://msdn.microsoft.com/en-us/library/ms675983(VS.85).aspx>, move the
>    application servers into the temporary site....during a maintenance
>    window of course.
>
>    a) Add *SiteName* string value to netlogon\parameters registry key on
>       the application servers and set it to the temporary site name.
>       SiteName overrides *DynamicSiteName* written by the dclocator
>       algorithm. Basically you are telling the computer what site it
>       belongs to without having to change/create subnet configuration in AD.
>
>    b) Change the secure channel of the application server to the W2K8 DC
>       using *nltest /sc_reset:domain\dcname*
>
>    c) Wait until Kerberos tickets expire, or reboot the application
>       server, then have the application owner perform functionality testing.
>
>       1) Now if the scenario is more complex...client connects to
>          application, which impersonates client to access resources on
>          backend servers, then you will want to do a,b,c on client and
>          backend systems to make the testing as realistic as possible.
>
> 2) For LDAP applications running on Windows that use the domain A record
>    to find a DC, add a host file entry on the application server pointing
>    the domain A record to the W2K8 DC
>
>    a) Wait until Kerberos tickets expire, or reboot the application
>       server, then have the application owner perform functionality testing.
>
> 3) For LDAP applications not running on Windows, identify the mechanism
>    they use to find a DC/LDAP server...probably configured in the
>    application itself...then provide it with the DC A record or domain A
>    record, or SRV record to be used to find the W2K8 DC.
>
>    a) Execute on a test matrix to ensure application functionality.
>
> 4) General authentication and ticket processing through the W2K8 DC. Work
>    with business unit managers (aka..guinea pigs) to put their machines
>    into the temporary site (SiteName reg value) and have them perform
>    their normal business functions for a while....tests their machine and
>    locally installed apps' ability to use the new DC for auth and queries.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Michael B. Smith
> *Sent:* Wednesday, April 29, 2015 5:49 PM
> *To:* [email protected]; [email protected]
> *Subject:* [NTSysADM] OT: Forcing a Server's AD Site
>
> You may find this helpful:
>
> New blog post: Forcing a Server's Active Directory Site
>
> http://bit.ly/1OGb4OK
>
> http://theessentialexchange.com/blogs/michael/archive/2015/04/29/forcing-a-server-s-active-directory-site.aspx
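
Steps a and b of item 1 in the quoted guidance, scripted with a state check and a rollback, as an added example that is not part of the original thread. The function names and the parameters `$TempSite`, `$Domain` and `$TargetDc` are hypothetical placeholders; run it elevated on the application server during the maintenance window.

```powershell
# Added example, not from the thread. Function and parameter names are hypothetical.
#Requires -RunAsAdministrator
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-SiteState {
    # Report both registry values and the site Netlogon currently reports.
    $p = Get-ItemProperty -Path $NetlogonParams
    [pscustomobject]@{
        SiteName        = $p.SiteName          # static override, absent by default
        DynamicSiteName = $p.DynamicSiteName   # written by the DC locator
        EffectiveSite   = (& nltest.exe /dsgetsite 2>$null | Select-Object -First 1)
    }
}

function Set-PinnedSite {
    param(
        [Parameter(Mandatory)][string]$TempSite,   # temporary site holding the new DC
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$TargetDc    # DC under test
    )
    # Step a: SiteName (REG_SZ) overrides DynamicSiteName.
    New-ItemProperty -Path $NetlogonParams -Name SiteName -PropertyType String `
        -Value $TempSite -Force | Out-Null

    # Step b: point the secure channel at the DC under test.
    & nltest.exe "/sc_reset:$Domain\$TargetDc" | Write-Host
    if ($LASTEXITCODE -ne 0) {
        throw "Secure channel reset to $TargetDc failed; SiteName is still set to $TempSite."
    }
    & nltest.exe "/sc_query:$Domain" | Write-Host   # shows the DC now in use

    # Step c (ticket expiry or reboot) is left to the operator, as in the thread.
    Get-SiteState
}

function Clear-PinnedSite {
    param([Parameter(Mandatory)][string]$Domain)
    # Rollback: remove the override so the DC locator's site applies again,
    # then let Netlogon pick a DC for the secure channel on its own.
    Remove-ItemProperty -Path $NetlogonParams -Name SiteName -ErrorAction SilentlyContinue
    & nltest.exe "/sc_reset:$Domain" | Write-Host
    Get-SiteState
}

# Constructed sample values:
# Set-PinnedSite -TempSite 'TempSite-W2K8' -Domain 'example' -TargetDc 'dc-w2k8-01'
# Clear-PinnedSite -Domain 'example'
```

Recording the `Get-SiteState` output before and after gives the application owner and the change record the same evidence of which site and DC the server used during the test.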
