Migrating from Windows 2012 STD R2 to Windows 22 STD

Ali Hidalgo 20 Reputation points
2023-09-08T16:14:19.8333333+00:00

Hi everyone.

Could anyone please advise on migrating from Windows 2012 STD R2 to Windows 22 STD in the following situation?

We have 3 remote locations with 3 Windows 2012 R2 virtual domain controllers (DC1, DC2, DC3) running at the Windows 2008 R2 functional level/schema. (Still under the 2008 schema because of a Windows 2003 VM legacy ERP system kept for historical purposes.)

I guess that switching to the Windows 22 schema will cause the old Windows 2003 VM ERP system to stop authenticating with Active Directory, so I'm planning to remove that Windows 2012 R2 host from the domain, then import the main domain controller and the ERP to that host and isolate them on a private virtual switch without access to the outside world so it won't affect the network changes (the accounting user will have to physically log in to that server to look up any historical records).

All replications are fine at this point, no errors at all on the existing domain controllers.

This is my plan for migration, I’m open to suggestions, thanks.

- Add the 3 new Windows 2022 STD hosts at each location to the existing Windows 2012 R2 domain.

- Create 3 brand new Windows 2022 VM domain controllers (W22-DC1, W22-DC2, W22-DC3), one at each host, and let them synchronize for several days. (I'm pretty concerned that the schema is still Windows 2008 R2. Will it work? Or should I raise the schema to Windows 2012 R2 first, before creating the new virtual machines?)

- Only DC1 has DHCP; add DHCP to W22-DC1. The other ones get DHCP from the firewalls. So, add DNS to the new VMs as well.

- Transfer all the roles to the new primary domain controller W22-DC1.

- Demote ALL old Windows 2012 R2 domain controllers.

- Raise the functional level to Windows 2022 and reboot all servers; I guess the users will have to reboot as well.

- DHCP and firewall DHCP will point to the new VMs at each location.


Answer accepted by question author
  1. Limitless Technology 45,151 Reputation points
    2023-09-11T15:17:46.9+00:00

    Hello

    Thank you for your question and reaching out.

    It is a good idea to place a new 2022 server instead of an in-place upgrade.

    You can introduce new Domain controllers with Server 2022 then let AD sync and sysvol sync happen for some days.

    Then turn off the old DCs for some days (not demote).

    If everything is working fine, then you can promote the FSMO roles to 2022 and demote the old 2012 DCs.

    --If the reply is helpful, please Upvote and Accept as answer--


2 additional answers


  2. Ali Hidalgo 20 Reputation points
    2023-10-03T14:49:10.4066667+00:00

    Thanks for your responses.

    I created W22-DC1 as a virtual machine, but it is not added to the domain yet.

    I ran the following commands from one of the existing Windows 2012 R2 domain controllers (all 3 domains are running under the Windows 2008 schema).

    See attached dcdiag

    dcdiag /v /c /d /e /s:corp-dc > c:\dcdiag.txt

    repadmin /showrepl

    repadmin /replsum

    repadmin /syncall /aped

    After running the commands I saw a couple of errors, but the one that worries me most is the following. I don't know how to fix it.

    Error: The Kerberos Key Distribution Center lacks strong keys for account krbtgt.

    You must update the password of this account to prevent use of insecure cryptography.

    Nobody has complained yet; people are able to log in and the Kerberos tickets have been created.

    Warning: Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.

    I don't know if, with those errors, I should proceed with adding W22-DC1 to the domain.

    Can anyone help please.

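A read-only pre-flight check for the migration steps discussed in this thread, written as an added PowerShell example (not code from any of the posts). It assumes the ActiveDirectory RSAT module and Domain Admin rights, and it reports the functional levels, schema version, FSMO holders, krbtgt key age and replication state that the plan above depends on; it changes nothing.

```powershell
# Added example, not from the thread. Run on an existing DC or on a box with RSAT.
# Assumes the ActiveDirectory module and an account that can read the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Functional levels: the thread's domain is still at Windows2008R2.
# A 2022 DC can join at this level; raising the level is a later, separate step.
"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"

# Schema version: promoting the first 2022 DC extends this (the wizard runs adprep).
$schemaVersion = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
$known = @{ 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2'; 87 = '2016'; 88 = '2019/2022' }
"Schema objectVersion    : $schemaVersion ($($known[[int]$schemaVersion]))"

# FSMO holders: all five must sit on W22-DC1 before any 2012 R2 DC is demoted.
"Schema master   : $($forest.SchemaMaster)"
"Domain naming   : $($forest.DomainNamingMaster)"
"PDC emulator    : $($domain.PDCEmulator)"
"RID master      : $($domain.RIDMaster)"
"Infrastructure  : $($domain.InfrastructureMaster)"

# krbtgt: the 'lacks strong keys' warning means the KDC key predates AES support,
# i.e. the krbtgt password was never changed since the domain was created.
# Report its age and encryption types here; do not reset it from a health check.
$krbtgt  = Get-ADUser krbtgt -Properties PasswordLastSet, 'msDS-SupportedEncryptionTypes'
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
"krbtgt PasswordLastSet  : $($krbtgt.PasswordLastSet) ($ageDays days ago)"
"krbtgt SupportedEncTypes: $($krbtgt.'msDS-SupportedEncryptionTypes')"

# DC inventory: confirm every DC, its OS and site before and after adding W22-DC1..3.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize

# Replication health (the same tool the thread used); any non-zero failure count
# should be resolved before the first 2022 DC is promoted.
repadmin /replsum
```

If you do decide to reset the krbtgt password to clear the strong-keys warning, treat it as its own change window: it is done twice, with at least one full replication interval between the two resets, so that tickets issued under the previous key keep validating.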
