Adding first 2019 DCs to AD: Any Gotchas?

Dane Briggs 281 Reputation points
2021-08-10T14:47:08.913+00:00

I am currently on 2012 DFL and FFL. I currently have Server 2012, 2012 R2 and 2016 DCs in my environment. I'm in the process of removing all 2012 and 2012 R2 DCs. I have migrated to DFSR and I will be performing the Forest prep and Domain prep. I know there have been some security updates with 2019. Has anyone seen any gotchas, or things to watch out for, when adding your first Server 2019 Domain Controllers?


4 answers

  1. Anonymous
    2021-08-10T14:54:42.443+00:00

    Should not be a problem.

    The two prerequisites to introducing the first 2019 domain controller are that the domain functional level needs to be 2008 or higher and the older SYSVOL FRS replication needs to have been migrated to DFSR.
    https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

    I'd use the dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2019 server, patch it fully, license it, join it to the existing domain, add Active Directory Domain Services, promote it (also making it a GC, recommended), transfer the FSMO roles over (optional), transfer the PDC emulator role (optional), use the dcdiag / repadmin tools to again verify health, and when all is good you can decommission / demote the old one.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Anonymous
    2021-08-12T12:47:11.777+00:00

    Just checking if there's any progress or updates?

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Dane Briggs 281 Reputation points
    2021-08-12T16:32:07.69+00:00

    Thank you for your time and quick response.

    However, I was thinking more around any "hidden" gotchas. Any issues anyone may have seen after adding a Server 2019 Domain Controller.

    For Example:

    I know Server 2019 Domain Controllers handle Kerberos a bit differently than 2016. Server 2019 returns the Kerberos service ticket encrypted with the highest-level encryption key supported by the service account, no matter what level of encryption key the client claims to support or what encryption type is in the client's msDS-SupportedEncryptionTypes attribute. This could be specifically problematic if someone mitigated Kerberoasting by setting user accounts with SPNs to "This account supports Kerberos AES 256 bit encryption". Has anyone seen issues with applications due to the increased security?

    Things like that

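The pre-flight checklist from the first answer (functional level, FRS-to-DFSR migration state, dcdiag / repadmin health) and the msDS-SupportedEncryptionTypes concern raised above can be gathered in one read-only audit before the first 2019 DC is promoted. The script below is an added example, not code from any of the posters; it assumes the RSAT ActiveDirectory module is installed and that it runs from a domain-joined administrative session.

```powershell
# Read-only pre-flight audit before promoting the first Windows Server 2019 DC.
# Assumption: RSAT ActiveDirectory module present; run as a domain administrator.
Import-Module ActiveDirectory

# 1. Functional levels. 2019 DCs require a domain functional level of 2008 or higher.
$domain = Get-ADDomain
$forest = Get-ADForest
"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"

# 2. SYSVOL replication. The FRS-to-DFSR migration must have reached the
#    'Eliminated' global state before a 2019 DC can be promoted.
dfsrmig /getglobalstate

# 3. Replication and DC health. Fix every error reported here before continuing.
repadmin /replsummary
dcdiag /q

# 4. Service accounts with SPNs: decode msDS-SupportedEncryptionTypes so you can
#    see which accounts will only ever get AES-encrypted service tickets from a
#    2019 KDC (and therefore need AES-capable clients), and which are RC4-only.
$etypes = [ordered]@{
    1  = 'DES-CBC-CRC'
    2  = 'DES-CBC-MD5'
    4  = 'RC4-HMAC'
    8  = 'AES128-CTS-HMAC-SHA1-96'
    16 = 'AES256-CTS-HMAC-SHA1-96'
}
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties msDS-SupportedEncryptionTypes, servicePrincipalName |
  ForEach-Object {
    # Unset attribute reads as 0: the DC applies its default behaviour.
    $v = [int]($_.'msDS-SupportedEncryptionTypes')
    $names = if ($v -eq 0) {
        'not set (DC default)'
    } else {
        ($etypes.Keys | Where-Object { $v -band $_ } |
            ForEach-Object { $etypes[$_] }) -join ','
    }
    [pscustomobject]@{
        Account  = $_.SamAccountName
        AES      = [bool]($v -band 24)     # bit 8 or 16 set
        RC4Only  = ($v -ne 0) -and (($v -band 24) -eq 0) -and (($v -band 4) -ne 0)
        EncTypes = $names
        SPNCount = @($_.servicePrincipalName).Count
    }
  } | Sort-Object AES, Account | Format-Table -AutoSize
```

Accounts listed with AES set to True will receive AES-encrypted service tickets from a 2019 KDC regardless of what the client advertises, so any application on that list whose clients cannot do AES is the place to test first.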

  4. Anonymous
    2021-08-12T17:27:27.51+00:00

    Sounds good,

    --please don't forget to upvote and Accept as answer if the reply is helpful--

