NeverKnow-2832 asked:

Best way to replace a DC with other services on it?

I have 2 AD servers (site1 and site2).
These AD servers are Windows 2012 R2. The unfortunate thing is that these servers have multiple services running on them (file services, DHCP, DNS, etc).

I don't really care about keeping the IP address for the new AD servers. They can have new IPs (in fact, probably easier if I do).
The new AD servers will only run AD / DNS. No other services. The schema is already updated to a 2019 schema.

What would be the best way to do this? Here is my thought... please let me know if it's not correct.


  1. Do a dcdiag and identify any existing issues and fix them.
  2. Join the new AD server to the domain with IP address 192.168.1.240.
  3. Add the AD DC and DNS roles; allow all replication to fully happen.
  4. Remove the AD DC and DNS roles from the old server (IP: 192.168.1.180).
  5. Reboot the original AD DC/DNS server to ensure completion.
  6. Ensure the new AD DC server is part of the site (AD Sites & Services).
  7. Update any client PCs that were using the old DNS to use the new DNS (via DHCP).


Does this look about right?

Tags: windows-active-directory, windows-server-2019, windows-server-2012

Hello @NeverKnow-2832,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Hello @NeverKnow-2832,

I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this case, please let me know.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


DaisyZhou-MSFT answered (edited):

Hello @NeverKnow-2832,

Thank you for posting here.

Based on the description "The schema is already updated to a 2019 schema.", do we mean we want to replace Windows server 2012 R2 DCs using Windows server 2019 DCs? If so, from the link below, we can see:

The minimum requirement to add a Windows Server 2019 Domain Controller is a Windows Server 2008 functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL.

Forest and Domain Functional Levels
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

If we want to add 2019 DCs to the existing domain, we must check the functional level (the forest functional level should be at least the Windows Server 2008 functional level) and the SYSVOL replication type (should be DFSR replication).

The method to check functional level (run the following commands):
(Get-ADForest).ForestMode
(Get-ADDomain).DomainMode

The method to check SYSVOL replication type:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey. If this registry subkey exists and its value is set to 3 (ELIMINATED), DFSR is being used. If the subkey does not exist, or if it has a different value, FRS is being used.


Check AD environment health:

1. Do a dcdiag and identify any existing issues and fix them.

1) Check that AD replication works properly by running repadmin /showrepl and repadmin /replsum on both DCs. If we find any AD replication issue, fix it, too.
2) Check that both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC.
3) Check that gpupdate /force runs successfully on each DC.
4) Back up all domain controllers if needed.
5) We had better perform the DC migration during downtime.

Add server to domain and promote the server as domain controller:

2. Join the new AD server to the domain with IP address 192.168.1.240.

3. Add the AD DC and DNS roles; allow all replication to fully happen.

Add the AD DS and DNS roles on this Server 2019 machine (also as a GC).
Promote this Server 2019 machine as a domain controller. During promotion, we should select "Add a domain controller to an existing domain" and select the correct site name we want for this DC.

[screenshot: site2.png]

[screenshot: site1.png]

Check AD environment health again.

Transfer FSMO roles from 2012 R2 to 2019

If everything works fine, we can transfer FSMO roles from 2012 R2 to 2019.

Update DNS server for all the machines that points to the old DC

7. Update any client PCs that were using the old DNS to use the new DNS (via DHCP).

Because the old DCs are also DNS servers, before we demote the old DCs, we should:
Update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
Update the forwarder settings and the delegation settings on any other DNS servers that might have pointed to the old DC for name resolution.

Demote the old DC if needed.

4. Remove the AD DC and DNS roles from the old server (IP: 192.168.1.180).

5. Reboot the original AD DC/DNS server to ensure completion.

6. Ensure the new AD DC server is part of the site (AD Sites & Services).

Raise the functional level after demoting the old DC if needed.


Tip:
1. If AD replication is working fine, when we add a new DC to the existing domain, after AD replication is complete, all the AD data on all DCs should be the same.
2. If we have installed any other roles on the old domain controllers, migrate all the roles if needed.
3. Usually we want a DC to be just a DC and nothing else, because this reduces possible resource conflicts and exploitable vulnerabilities and minimizes patching of other applications that might cause downtime.
Ideally, a DC should be easy to replace, just by standing up another DC.
When we put other software and roles on one DC, the DC may be harder to replace.

For example:
If we have a DC with AD CS (it is also a CA server), and there are issues with this DC and we want to demote it, we need to remove AD CS first and then demote the DC.

Hope the information above is helpful. If anything is unclear, please feel free to let us know.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



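As an added example (not Daisy's code or anything from the thread), the checks from the answer above and the steps from the question, scripted in Windows PowerShell: the functional-level gate, the SYSVOL engine read from the registry subkey quoted above and cross-checked with the migration tool, replication failures and the SYSVOL/NETLOGON shares, then a readiness gate for the new DC, the FSMO transfer and the DHCP scope DNS option. It assumes an elevated session as a Domain Admin with the RSAT ActiveDirectory and DhcpServer modules; the DC names NEWDC01/OLDDC01, the scope 192.168.1.0 and the site name are placeholders, the IP addresses are the ones given in the question.

```powershell
#Requires -Modules ActiveDirectory, DhcpServer
# Added example, not code from the thread. Names marked "placeholder" are
# assumptions; the IP addresses are the ones given in the question.
$NewDc   = 'NEWDC01'        # placeholder name for the 2019 DC (192.168.1.240)
$OldDc   = 'OLDDC01'        # placeholder name for the 2012 R2 DC (192.168.1.180)
$NewDns  = '192.168.1.240'
$ScopeId = '192.168.1.0'    # placeholder: the DHCP scope whose DNS option clients receive

function Test-DcReplacementPrereqs {
    # The answer's two gates for adding a 2019 DC: functional level and SYSVOL engine.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # ADForestMode/ADDomainMode enumerate Windows2000=0, 2003Interim=1, 2003=2, 2008=3, ...
    $levelOk = ([int]$forest.ForestMode -ge 3) -and ([int]$domain.DomainMode -ge 3)

    # Registry subkey quoted in the answer: LocalState 3 (ELIMINATED) means DFSR.
    $migKey = 'HKLM:\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols'
    $state  = (Get-ItemProperty -Path $migKey -Name LocalState -ErrorAction SilentlyContinue).LocalState
    # Cross-check with the migration tool's view of the domain-wide state.
    $toolSaysDfsr = [bool]((& dfsrmig.exe /getglobalstate) -match 'Eliminated')

    # Health checks from the answer: replication failures and the SYSVOL/NETLOGON shares.
    $replFailures = @(Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain).Count
    $shares = @(Get-SmbShare -CimSession $OldDc -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ForestMode          = $forest.ForestMode
        DomainMode          = $domain.DomainMode
        FunctionalLevelOk   = $levelOk
        SysvolIsDfsr        = ($state -eq 3) -and $toolSaysDfsr
        ReplicationFailures = $replFailures
        OldDcSharesOk       = ($shares.Count -eq 2)
        ReadyToAddDc        = $levelOk -and ($state -eq 3) -and $toolSaysDfsr -and
                              ($replFailures -eq 0) -and ($shares.Count -eq 2)
    }
}

function Test-NewDcReadyForOldDcDemotion {
    # Gate before step 4: the new DC must advertise and share NETLOGON, and must sit in
    # the site the question's step 6 asks for.
    $dcdiag = & dcdiag.exe /s:$NewDc /test:Advertising /test:NetLogons
    [pscustomobject]@{
        AdvertisingAndNetlogonOk = -not [bool]($dcdiag -match 'failed test')
        Site                     = (Get-ADDomainController -Identity $NewDc).Site
    }
}

function Move-FsmoRolesToNewDc {
    # "Transfer FSMO roles from 2012 R2 to 2019": all five roles in one call, then verify
    # from the forest/domain objects rather than trusting the cmdlet's silence.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
    $f = Get-ADForest
    $d = Get-ADDomain
    $holders = @($f.SchemaMaster, $f.DomainNamingMaster, $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster)
    # Holders are reported as FQDNs; every one of them must now start with the new DC's name.
    @($holders | Where-Object { $_ -notlike "$NewDc.*" }).Count -eq 0
}

function Update-ClientDnsToNewDc {
    # Step 7: clients get DNS from DHCP, which the question says still runs on the old box,
    # so the scope option is changed there until the DHCP role itself is migrated.
    Set-DhcpServerv4OptionValue -ComputerName $OldDc -ScopeId $ScopeId -DnsServer $NewDns
    # Machines with static DNS (the DCs themselves included) are not covered by DHCP.
    # 'Ethernet' is a placeholder interface alias.
    Set-DnsClientServerAddress -CimSession $OldDc -InterfaceAlias 'Ethernet' -ServerAddresses $NewDns
}

# Order of use, mirroring the thread's steps:
Test-DcReplacementPrereqs          # step 1: fix anything not OK before promoting
# Step 3, run on the new server itself; 'site1' is a placeholder site name:
# Install-ADDSDomainController -DomainName (Get-ADDomain).DNSRoot -SiteName 'site1' -InstallDns -Credential (Get-Credential)
Test-NewDcReadyForOldDcDemotion    # after replication has completed
Move-FsmoRolesToNewDc              # transfer roles once everything is healthy
Update-ClientDnsToNewDc            # step 7, before the old DC is demoted (step 4)
```

The readiness gate is the part worth keeping even if nothing else is scripted: demoting the old DC while the new one still fails Advertising or NetLogons leaves clients with no usable logon server, and dcdiag reports exactly those two tests for the new DC.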

NeverKnow-2832 answered:

I have followed this, and while I don't see any errors upon completion, I am getting errors in dcdiag, notably related to DFSR and Advertising.

Any thoughts?

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = TOKYOAD01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\TOKYOAD01
      Starting test: Connectivity
         ......................... TOKYOAD01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\TOKYOAD01
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\company-ad-o.domain.local, when we were trying to reach TOKYOAD01.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... TOKYOAD01 failed test Advertising
      Starting test: FrsEvent
         ......................... TOKYOAD01 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... TOKYOAD01 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... TOKYOAD01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... TOKYOAD01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... TOKYOAD01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... TOKYOAD01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... TOKYOAD01 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\TOKYOAD01\netlogon)
         [TOKYOAD01] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... TOKYOAD01 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... TOKYOAD01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... TOKYOAD01 passed test Replications
      Starting test: RidManager
         ......................... TOKYOAD01 passed test RidManager
      Starting test: Services
         ......................... TOKYOAD01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00002720
            Time Generated: 12/13/2020   11:57:45
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
         An error event occurred.  EventID: 0x00002720
            Time Generated: 12/13/2020   11:57:45
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
         An error event occurred.  EventID: 0x00002720
            Time Generated: 12/13/2020   11:57:45
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
         An error event occurred.  EventID: 0x00002720
            Time Generated: 12/13/2020   11:57:45
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
         An error event occurred.  EventID: 0x00002720
            Time Generated: 12/13/2020   11:57:45
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
         An error event occurred.  EventID: 0x00002720
            Time Generated: 12/13/2020   11:57:45
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
         An error event occurred.  EventID: 0x00002720
            Time Generated: 12/13/2020   11:57:45
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
         An error event occurred.  EventID: 0x00002720
            Time Generated: 12/13/2020   11:57:45
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
         An error event occurred.  EventID: 0x00002720
            Time Generated: 12/13/2020   12:01:45
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
         An error event occurred.  EventID: 0xC0001B6F
            Time Generated: 12/13/2020   12:12:07
            Event String:
            The Update Orchestrator Service service terminated with the following error: 
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 12/13/2020   12:17:41
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
         ......................... TOKYOAD01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... TOKYOAD01 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         ......................... domain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite
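Added example, not from the thread: a Windows PowerShell triage for output like the dcdiag run above. It parses dcdiag text for failed tests (the constructed sample below mirrors the Advertising, DFSREvent, NetLogons and SystemLog failures posted, it is not captured output), decodes the hexadecimal event IDs dcdiag prints into the IDs Event Viewer shows (the low 16 bits: 0x00002720 is 10016, the DCOM activation-permission event; 0xC0001B6F is 7023, Service Control Manager "service terminated"; 0x00001796 is 6038, the LsaSrv NTLM-in-use notice), and then checks the state that usually explains a new DC failing Advertising and NetLogons while SysVolCheck passes: DFS Replication has logged event 4614 (SYSVOL initialized, waiting for initial replication from a partner) but not yet 4604 (SYSVOL replicated folder ready), and until 4604 the SYSVOL and NETLOGON shares are not created and the DC does not advertise. Server and domain names are the thread's (TOKYOAD01, domain.local); it assumes the RSAT ActiveDirectory module and remote access to the DC's event log and services.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Names are taken from the dcdiag output above.

function Get-DcdiagFailure {
    # Returns one object per "<target> failed test <name>" line in dcdiag text.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '\.{5,}\s*(?<target>\S+)\s+failed test\s+(?<test>\S+)') {
            [pscustomobject]@{ Target = $Matches.target; Test = $Matches.test }
        }
    }
}

function ConvertFrom-DcdiagEventId {
    # dcdiag prints event IDs as 32-bit hex status values; the low 16 bits are the
    # event ID shown in Event Viewer.
    param([Parameter(Mandatory)][string]$HexId)
    [int]([Convert]::ToUInt32($HexId, 16) -band 0xFFFF)
}

function Test-NewDcSysvolState {
    # For a freshly promoted DC that fails Advertising and NetLogons: read DFSR's own
    # view of SYSVOL, the shares Netlogon depends on, and the core services.
    param([Parameter(Mandatory)][string]$DcName)
    $dfsrEvents = Get-WinEvent -ComputerName $DcName -MaxEvents 50 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4604, 4614, 5002, 5014 }
    # 4614 = initialized, waiting for initial sync; 4604 = SYSVOL ready and shared.
    $latestInit = $dfsrEvents | Where-Object { $_.Id -in 4604, 4614 } |
        Sort-Object TimeCreated -Descending | Select-Object -First 1
    # 5002/5014 = DFSR cannot reach its replication partner, the usual reason 4604 never arrives.
    $partnerErrors = @($dfsrEvents | Where-Object { $_.Id -in 5002, 5014 }).Count

    $shares   = @(Get-SmbShare -CimSession $DcName -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue)
    $services = Get-Service -ComputerName $DcName -Name DFSR, Netlogon, NTDS, DNS, Kdc
    $stopped  = @($services | Where-Object Status -ne 'Running' | ForEach-Object Name)

    $waiting = ($null -ne $latestInit) -and ($latestInit.Id -eq 4614)
    $verdict = if ($waiting) {
        'DFSR has not finished initial SYSVOL sync; fix AD/DFSR connectivity to the source DC ' +
        '(repadmin /showrepl, DFSR events 5002/5014). Shares and advertising follow event 4604.'
    } elseif ($shares.Count -lt 2) {
        'DFSR reports SYSVOL ready but SYSVOL/NETLOGON are not shared; check the Netlogon ' +
        'service and the SysvolReady flag under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.'
    } else {
        'SYSVOL and NETLOGON are shared; re-run dcdiag /test:Advertising and check DNS SRV records.'
    }

    [pscustomobject]@{
        DC                    = $DcName
        WaitingForInitialSync = $waiting
        DfsrPartnerErrors     = $partnerErrors
        SharesPresent         = ($shares | ForEach-Object Name)
        StoppedServices       = $stopped
        Verdict               = $verdict
    }
}

# Constructed sample mirroring the failures posted above (not captured output).
$sample = @'
         ......................... TOKYOAD01 passed test Connectivity
         ......................... TOKYOAD01 failed test Advertising
         ......................... TOKYOAD01 failed test DFSREvent
         ......................... TOKYOAD01 passed test SysVolCheck
         ......................... TOKYOAD01 failed test NetLogons
         ......................... TOKYOAD01 failed test SystemLog
'@ -split "`r?`n"

Get-DcdiagFailure -Lines $sample | Format-Table -AutoSize
'0x00002720', '0xC0001B6F', '0x00001796' |
    ForEach-Object { [pscustomobject]@{ Hex = $_; EventId = ConvertFrom-DcdiagEventId $_ } }

# Live use, from an elevated Windows PowerShell 5.1 session as a Domain Admin:
# Get-DcdiagFailure -Lines (dcdiag.exe /s:TOKYOAD01)
# Test-NewDcSysvolState -DcName TOKYOAD01
```

The SysVolCheck pass alongside the NetLogons failure is the tell: dcdiag's SysVolCheck only reads the SysvolReady registry flag, while NetLogons actually connects to the share, so a DC that has promoted cleanly but is still waiting on DFSR initial sync produces exactly this pattern. The repeated 10016 DCOM entries and the 6038 NTLM notice in the SystemLog section are unrelated to the promotion and are what make that test fail.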