Migrating Active Directory Domain Controller from Windows 2016 to Windows 2019

asked 2020-08-27T07:23:17.777+00:00
Anand Franklin 21 Reputation points

Hello there,

We had Windows Server 2012 R2 domain controller with DNS and Active Directory Certificate Services in the past, and we migrated to Windows Server 2016. And, now we have planned to migrate the Windows Server 2016 domain controller to Windows Server 2019.

I would like to know whether it is the same process to 1) Setup a new Windows Server 2019 server as additional domain controller, and 2) transfer the FSMO roles, 3) demote the Windows Server 2016 and 4) replace the IP address on the Windows Server 2019 from the demoted server?

Please advise.

Thank you, Anand

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
3,595 questions
Windows Server Migration
Windows Server Migration
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Migration: A Microsoft solution area focused on providing organizations with a cloud solution that supports their real-world needs and meets evolving regulatory requirements.
305 questions
{count} votes

2 answers

Sort by: Most helpful
  1. answered 2020-08-27T09:10:30.033+00:00
    Daisy Zhou 12,836 Reputation points Microsoft Employee

    Hello @Anand Franklin ,

    Thank you for posting here.

    According to the description above, we have only one DC (PDC) and we installed the AD CS role on this PDC, if I misunstood you, please correct me.

    I would like to know whether it is the same process, I think the main process is OK.
    1)Setup a new Windows Server 2019 server as additional domain controller (add AD DS and DNS role, also make this DC as GC);
    2)Check new DC is working fine and AD replication is complete. Transfer the FSMO roles
    3)Migrate AD CS from 2016 to 2019 DC;
    4)Demote the Windows Server 2016;
    5)Replace the IP address on the Windows Server 2016 using a idle IP address;
    6)Replace the IP address on the Windows Server 2019 from the demoted server;

    Before migrating AD domain controller, we had better check:

    1. Check if AD environment is healthy. Check whether all DCs in this domain is working fine by running Dcdiag /v on each DC.
    2. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on each DC.
    3. Check both SYSVOL folder and Netlogon folder are shared by running net share on each DC.
    4. Check we can update gpupdate /force on each DC successfully.
    5. Check CA health by opening PKIview.msc to ensure all Status is OK.

    Meanwhile, we recommend the following points:

    1. We had better have at least two DCs in one domain.
    2. We suggest we install /migrate AD CS on one member server.
    3. If we have other roles on the old domain controllers, we should also migrate these roles as needed.
    4. Make the changes during downtime.
    5. Usually, we want a DC to be just a DC, there is nothing else, because this reduces possible resource conflicts and exploit vulnerabilities and minimizes patching of other applications that might cause downtime.
      Ideally, a DC should be easy to replace, just by standing up another DC.
      When we put other software and roles on one DC, maybe the DC is harder to replace it.

    For example,

    If we have a DC with AD CS(it is also a CA server), if there is some issues with this DC and we want to demote this DC, we need to remove/migrate AD CS first and then demote this DC.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    No comments

  2. answered 2020-08-27T12:23:24.953+00:00
    Dave Patrick 328.4K Reputation points Microsoft MVP

    Basically yes but check the prerequisites have been met.

    The two prerequisites to introducing the first 2019 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSR

    and before any changes are made; use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations

    --please don't forget to Accept as answer if the reply is helpful--

    No comments