How to remove NIS server role from all domain controllers before upgrading to Windows server 2019

Question

o we are currently have 4 2012R2 domain controllers with IDMU (Identity Management for Unix) and NIS server role installed. For NIS server role, one DC is in master mode, other 3 DCs are in subordinate mode.

We need to upgrade all Windows domain controllers to Server2019, meaning no IDMU and NIS will be supported any more, they have been removed since Windows Server 2016.

To be able to upgrade to Server2019, the NIS server role must be removed.

If you try upgrade to Windows Server 2016 from a Windows Server that runs any of the Identity Management for Unix (IDMU) components, the upgrade will stop and you will be prompted to remove the IDMU components

According to this link When you remove the master NIS server, another subordinate server must be assigned as master

If you remove Server for NIS while it is running on a master server, you must verify that another server is assigned the tasks of the master server. If other Windows-based subordinate NIS servers are in the domains supported by the master server that you remove, you must assign one of these servers the role of master server.

So here the questions come,

1. I can remove 3 NIS subordinate servers first and upgrade them to 2019, but what I do to upgrade the last domain controller? I have no other NIS server in the domain to assign as the master, other 3 domain controllser are now server 2019 which has no NIX server role anymore.
2. what happens to "NIS domain" created in server2012, there is no such attributes in server 2019.
3. I can tell now based on the work I done so far, the IDMUs have been removed from few DCs and I successfully upgraded those DCs from 2012R2 to 2019, the Unix attributes are still there in 2019 DC because RFC2307 is still being supported by server2019. Only thing I dont know what could happen is after I remove the last NIS master server from one of the 2008R2 DC. not sure if that could cause any issue.
4. Is there any office workaround for removing NIS master servers in server2016/2019?

Answer 1

Hi @Root Loop ,

Thanks for posting here.

Below is my response to your questions. Frankly speaking, I am not professional with this issue since I mainly focus on on-premises AD issue. I did some research and hope the findings could be of some help to you.

1. IDMU and NIS will not be supported starting with Windows server 2016. So if we would like to upgrade all our domain controllers to Windows server 2019, IDMU and NIS should be removed.

In our case, there is no server in the domain to assign as the master. We recommend to start planning for alternatives, for example: native LDAP, Samba Client, Kerberos or other non-Microsoft options.

2. Sorry that I have no idea what will happen to NIS domain. Maybe as discussed above, we will need to look for alternatives.
3. If we have concerns, I would suggest you open a case with MS so that we may get a more professional assistance.
   https://support.serviceshub.microsoft.com/supportforbusiness
4. Below are the links I would like to share with you.

https://learn.microsoft.com/zh-cn/archive/blogs/activedirectoryua/identity-management-for-unix-idmu-is-deprecated-in-windows-server

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731178(v=ws.11)?redirectedfrom=MSDN#BKMK_command

Thanks a lot for your understanding and support.

Best regards,
Hannah Xiong

Answer 2

Thanks for your input, I have gone through all those articles before posting here, so far I have not found any official supporting document about my case. worst case, we just have to deal with the consequences after removing NIS servers.....

Answer 3

@Root Loop Are you done with this? How you did it if you can give some detail about it.

When you say upgrading, does this mean that you are upgrading the OS direct rather than installing a new Domain Controller as subordinate?

DC has unix attributes in Attribute Editor that can be used for NIS.