Migrating services from old 2012 R2 Domain Controller to new 2019 servers (AD-DNS/CA/DHCP/Print Management), avoiding DNS IP change as well? DC demote fail / CA remove fail

markm75 21 Reputation points
2021-12-15T21:38:39.657+00:00

I'm trying to make sure I have the proper understanding of how to proceed with this migration.

Currently our old DC also (incorrectly) has DHCP, CA, and Print Services/management.

So not only do most static machines already have a DNS entry that points to the old DC server, but I have this mess of services that need to go elsewhere.

It's my understanding, from going from 08 to 12 way back when, that I just need to move the (5?) AD roles to the new member server? I thought I read something about FRS SYSVOL issues as well?

Beyond this, once they are on the new 2019 server, I guess I just run the domain and forest upgrades to the 2019 level after the fact?

Is there some way to avoid changing the DNS IP of the new DC? How messy is it to transfer roles from the old, shut down the old, then change the new one's IP address back to what the old one had? This way no static hardware or VMs need their DNS entry changed?

Final question is that another server also does AD sync with Office 365; I assume that's tied directly to AD and not to the name of the old DC specifically? (I can't find the setting to show otherwise.)

Is it also best to have a second DC server? If so, which roles do I assign/split? In the past I had some issues with splitting this up.

Any thoughts on all of this? As of now I have a new DC called, for this example, VSDC21 and a new server called VSServices21 (for CA/DHCP/print).

Thanks in advance


Accepted answer
  1. Dave Patrick 426.1K Reputation points MVP
    2021-12-28T18:29:49.83+00:00

    Yes, that should be enough as far as Active Directory is concerned. After cleanup, dcdiag should return clean.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


16 additional answers

  1. Dave Patrick 426.1K Reputation points MVP
    2021-12-15T22:25:47.49+00:00

    The two prerequisites to introducing the first 2019 or 2022 domain controller are that the domain functional level needs to be 2008 or higher and that the older SYSVOL FRS replication needs to have been migrated to DFSR:
    https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

    I'd use the dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2019 or 2022 server, patch it fully, license it, join the existing domain, add Active Directory Domain Services, promote it (also making it a GC, recommended), transfer the FSMO roles over (optional), transfer the PDC emulator role (optional), and use the dcdiag / repadmin tools again to verify health. When all is good you can decommission / demote the old one, then re-IP if needed.

    Yes, at least two domain controllers are always recommended for high availability and disaster mitigation. You can split roles if desired, but there's really no need for this.

    The product group for Office 365 actively monitors questions over at
    https://techcommunity.microsoft.com/t5/office-365/ct-p/Office365

    --please don't forget to upvote and Accept as answer if the reply is helpful--
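The sequence in the answer above (health check, promote the new server as a GC, move the FSMO roles, re-check, demote the old DC) as one PowerShell run. This is an added example, not commands posted in the thread. It uses the server names from the question (VSDC01 old, VSDC21 new) and assumes a hypothetical domain name contoso.local; run each section on the machine the comment names, from an elevated prompt as a Domain Admin.

```powershell
# Added example (not from the thread). Assumes old DC VSDC01, new DC VSDC21 and a
# hypothetical domain contoso.local. Run each section where its comment says.
$OldDC  = 'VSDC01'
$NewDC  = 'VSDC21'
$Domain = 'contoso.local'   # assumed; substitute the real forest root FQDN

# --- 1. On VSDC01: health and prerequisite checks BEFORE any change -------------------
dcdiag /c /e /q                          # every test, every DC, print only errors
repadmin /replsummary                    # per-DC replication summary; fail counts must be 0
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Format-Table 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status'

(Get-ADDomain).DomainMode                # must be Windows2008Domain or higher for a 2019 DC
dfsrmig /getglobalstate                  # must read 'Eliminated' (SYSVOL on DFSR) before promoting

# --- 2. On VSDC21 (patched, licensed, already domain-joined): add the roles and promote ----
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'DSRM password for the new DC'
# Global Catalog is the default (there is only a -NoGlobalCatalog switch); the server reboots.
Install-ADDSDomainController -DomainName $Domain -InstallDns `
    -SiteName 'Default-First-Site-Name' -SafeModeAdministratorPassword $dsrm -Force

# --- 3. On any DC, once VSDC21 is back and has replicated: move the five FSMO roles ---------
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles   # VSDC21 listed, GC = True

Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
netdom query fsmo                        # all five should now show VSDC21

repadmin /syncall /AdeP                  # push every partition to every partner
dcdiag /c /e /q                          # must be clean before touching the old DC

# --- 4. On VSDC01: demote. It stays a domain member; the local Administrator gets this pwd --
$localPwd = Read-Host -AsSecureString 'Local Administrator password after demotion'
Uninstall-ADDSDomainController -LocalAdministratorPassword $localPwd -Force

# --- 5. Afterwards, from VSDC21: confirm nothing still names VSDC01 as a DC / name server ---
Get-ADDomainController -Filter * | Select-Object Name          # VSDC01 must be gone
foreach ($zone in $Domain, "_msdcs.$Domain") {
    Get-DnsServerResourceRecord -ZoneName $zone -RRType NS |
        Where-Object { $_.RecordData.NameServer -like "$OldDC*" }   # expect no output
}
dcdiag /q
```

The moment VSDC01 is demoted, every client whose only DNS server is VSDC01's address loses name resolution, so either re-IP VSDC21 immediately afterwards (the plan discussed later in the thread) or add VSDC21's address as a second DNS server on clients and in DHCP option 006 before step 4.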


  2. markm75 21 Reputation points
    2021-12-16T18:38:37.5+00:00

    Thanks for these tips.
    I ran dcdiag; I'm seeing GPO install errors, but I think they are non-critical (from an old package that is a remnant in GPO).

    So I'm pretty sure at this point I'm at the 2012 domain/forest level.
    I guess I need to do that SYSVOL FRS migration to DFSR; would that happen BEFORE moving any services to 2022 on the new DC?
    Any concerns on downtime?

    After that, on the DC promo stuff for the new 2022 DC, how is it that I don't need to transfer the FSMO roles or the PDC emulator role over? Wouldn't those have to go to the new DC first?

    And on a second DC, not splitting roles, which would the second one have, just another GC?

    As far as the remaining things I had on the original old DC (CA/Printers/DHCP): I guess DHCP is easy to move; I'm unsure on the CA part, that concerns me. I'll have the new server called vsservices21 for these, and I'm assuming I can just move those over BEFORE doing any of the above steps (basically step 1)?


  3. Dave Patrick 426.1K Reputation points MVP
    2021-12-16T18:53:53.113+00:00

    > I guess I need to do that SYSVOL FRS migration to DFSR; would that happen BEFORE moving any services to 2022 on the new DC? Any concerns on downtime?

    No downtime.

    > After that, on the DC promo stuff for the new 2022 DC, how is it that I don't need to transfer the FSMO roles or the PDC emulator role over? Wouldn't those have to go to the new DC first?

    The FSMO roles can be on any domain controller.

    > And on a second DC, not splitting roles, which would the second one have, just another GC?

    Yes, I'd make it a GC.

    For the CA migration you can follow along here
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v%3Dws.11)
    and also ask for more specifics here
    https://learn.microsoft.com/en-us/answers/topics/46447/windows-server-security.html

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. markm75 21 Reputation points
    2021-12-20T23:03:26.3+00:00

    OK, thanks for all the above info. So this is my generic summary, just double-checking again: I can do the FRS to DFSR migration first, and it can sit for a day or more post-migration as-is until I get to the other steps, without harm?

    Does my overall plan seem accurate? Do I have the CA migration in the right order, i.e. don't migrate until AFTER I have the new DC fully in operation and roles transferred, or can it occur before?

    I'm also unsure on the timing of moving the old DNS IP from the old DC to the new DC (if that's the right spot in the timeline) to minimize any DNS downtime.

    1. Check AD is healthy: replication and SYSVOL/NETLOGON, gpupdate test, CA health (pkiview.msc)
    2. FRS to DFSR SYSVOL migration first
    3. DHCP from VSDC01 (old DC) to the new VSServices21 2022 VM
    4. Set up the new VSDC21 2022 server (add AD DS / DNS roles, GC)
    5. Migrate AD CS (the CA) from the old DC to VSDC21
    6. Transfer the 5 roles (incl. PDC emulator) to VSDC21
    7. Demote old VSDC01
    8. Put old VSDC01's IP address on new VSDC21
    9. Raise domain/forest functional levels to 2022
    10. Create a new second DC, VSDC21B, Core only
    11. Assign AD DS and GC to VSDC21B
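The steps in the checklist above that are not plain AD DS promotion work, in PowerShell: the FRS to DFSR SYSVOL migration (step 2), the DHCP move to VSServices21 with leases (step 3), the backup of the CA that any migration of step 5 starts from, the re-IP of VSDC21 to the old DC's address (step 8), and the functional-level raise (step 9). This is an added example, not commands from the poster. It uses the server names from the thread and assumes a hypothetical domain contoso.local, an old DC address of 192.0.2.10/24 with gateway 192.0.2.1, and a local folder C:\Migrate; run it from an elevated Domain Admin prompt on the machine each comment names. Two caveats the checklist does not state: the dfsrmig migration must have reached "Eliminated" before a 2019 or 2022 DC can be promoted, and there is no 2019 or 2022 functional level, so Windows2016Domain / Windows2016Forest is the highest value step 9 can set.

```powershell
# Added example (not from the thread). Assumes contoso.local, old DC IP 192.0.2.10/24,
# gateway 192.0.2.1 and a local folder C:\Migrate; VSDC01 / VSDC21 / VSServices21 as in the post.
$Domain = 'contoso.local'
$OldIP  = '192.0.2.10'
$NewSvc = 'VSServices21'
New-Item -ItemType Directory -Path 'C:\Migrate\CA' -Force | Out-Null

# --- Step 2: FRS -> DFSR SYSVOL migration. Run on the PDC emulator; no downtime. ------------
# dfsrmig walks 0 Start -> 1 Prepared -> 2 Redirected -> 3 Eliminated. Every DC must reach a
# state before the next one is set, so this helper sets a state and polls until all DCs report it.
function Set-DfsrMigrationStateAndWait {
    param([int]$State)
    dfsrmig /setglobalstate $State | Out-Null
    do {
        Start-Sleep -Seconds 60
        $out = (dfsrmig /getmigrationstate) -join ' '
        Write-Host $out
    } until ($out -match 'migrated successfully')
}
1..3 | ForEach-Object { Set-DfsrMigrationStateAndWait -State $_ }
dfsrmig /getglobalstate                                       # expect 'Eliminated'
Get-Service NtFrs, DFSR -ErrorAction SilentlyContinue         # NtFrs stopped, DFSR running

# --- Step 3: DHCP from VSDC01 to VSServices21, keeping the lease database -------------------
Export-DhcpServer -ComputerName 'VSDC01' -File 'C:\Migrate\dhcp.xml' -Leases
Install-WindowsFeature DHCP -IncludeManagementTools -ComputerName $NewSvc
Import-DhcpServer -ComputerName $NewSvc -File 'C:\Migrate\dhcp.xml' -BackupPath 'C:\Migrate\dhcpbak' -Leases
Add-DhcpServerInDC    -DnsName "$NewSvc.$Domain"              # authorize the new server
Remove-DhcpServerInDC -DnsName "VSDC01.$Domain"               # de-authorize the old one
# Option 006 keeps the old DC's address as the DNS server; step 8 makes that address VSDC21's.
Set-DhcpServerv4OptionValue -ComputerName $NewSvc -DnsServer $OldIP

# --- Step 5 (preparation): back up the CA on VSDC01 before following the migration guide ---
# The restore on the new server only works if the new CA is installed with the SAME CA name.
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$caName | Out-File 'C:\Migrate\CA\caname.txt'
$caPwd = Read-Host 'Password protecting the CA key/cert backup'
certutil -p $caPwd -backup 'C:\Migrate\CA'                    # database + CA cert and private key
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' 'C:\Migrate\CA\CAConfig.reg' /y
certutil -catemplates | Out-File 'C:\Migrate\CA\templates.txt'   # templates to re-publish later

# --- Step 8: after VSDC01 is demoted and powered off, give VSDC21 the old address -----------
# Run at the console of VSDC21 (the session drops when the address is removed).
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $OldIP -PrefixLength 24 -DefaultGateway '192.0.2.1'
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $OldIP
ipconfig /registerdns                                         # A / PTR under the new address
nltest /dsregdns                                              # SRV records under _msdcs
# Any A record for VSDC21 that still carries its previous address is stale and must be removed.
Get-DnsServerResourceRecord -ZoneName $Domain -RRType A -Name 'VSDC21' |
    Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }

# --- Step 9: functional levels. Windows2016 is the highest; 2019/2022 add no new level. -----
Set-ADDomainMode -Identity $Domain -DomainMode Windows2016Domain -Confirm:$false
Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2016Forest -Confirm:$false
(Get-ADDomain).DomainMode
(Get-ADForest).ForestMode
```

The order matters for the question asked in the post: the re-IP (step 8) can only happen after VSDC01 is demoted and off the network, because two hosts cannot share 192.0.2.10, so the gap between demotion and re-IP is the only window in which clients that point solely at that address lose DNS. Keep it short, and keep VSDC21 in DHCP option 006 under both addresses if you want to be safe.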