Here's my current environment:
Approximately 300 Users
Single domain, 2003 functional level forest and domain
DC1 = 2003 Server, GC, CA, all FSMO roles
DC2 = 2003 Server, GC, DHCP, DNS, TS Licensing
DC3 = 2008 R2 Server Core, GC, DHCP, DNS
I want to be on a 2008 R2 domain and forest functional level and only have 2 DCs when I'm done. I've already migrated DC3 to 2008 R2. My plan from here is this:
1. Move the FSMO roles off of DC1 to DC3
2. Set up a new DC2 and migrate all of the current roles on DC2 to the new DC2
3. Decommission the old DC2
4. Move the CA from DC1 to the new DC2
5. Decommission DC1
6. Raise forest and domain functional levels
Ending up with this configuration:
2008 R2 domain and forest functional level
DC2 = 2008 R2 Server, GC, DHCP, DNS, RDS/TS Licensing, CS
DC3 = 2008 R2 Server Core, GC, DHCP, DNS, all FSMO roles
I started reading the AD CS upgrade and migration guide (link below) and came across this point on page 12:
"If a CA service was installed on a domain controller, it is a good practice to transfer the CA to a dedicated server. In this case, a domain role change would apply"
Does that mean that CA/CS should only be installed on a member server?
Reading that got me doubting my entire plan. I'm really looking for some guidance on best practices, especially for moving CA/CS.
Thanks for the advice.