Migrating Windows 2008dc to W2012R2 dc and keeping same name and ip address

Posted on 2014-02-25
Medium Priority
Last Modified: 2014-05-06
Hi all,
As the title says, I would like to migrate a Windows 2008 DC to a Windows 2012 R2 DC and keep the same name and IP address. I have found this article
This W2008 DC is our main DC and is also our certificate authority. I know that I can't change the name of a DC after the certificate authority is installed, so I will do this step of the installation just before the steps of changing the name and IP to the same as the old DC.
Can anyone please tell me if there is anything I should look out for, or changes, if I follow this guide? Any other information would be great.
Question by:padiap
LVL 41

Accepted Solution

Mahesh earned 1600 total points
ID: 39888729
The guide is really very good.
There are many ways to achieve this.
However, I am just outlining the high-level steps here.

First, check if your AD replication \ AD health is working fine by running the commands below:
repadmin /syncall
repadmin /showrepl
dcdiag /v /q
Resolve any errors you find.
Check if DNS is configured correctly (it should not have stale DC server entries).
Also check for any stale DC entries in Active Directory.

Then just extend your Active Directory schema first to prepare it for a 2012 \ 2012 R2 DC.
This includes:
adprep /forestprep
adprep /domainprep /gpprep
If you have a 2003 DC in the domain, then also run adprep /rodcprep
Ensure that you are running these commands from the 2008 primary domain controller.

Then promote the new 2012 DC (you can promote it directly without going through the above steps, but then you will not come to know if there are critical errors).
Check that AD replication and DNS name resolution are working fine.
Then transfer the FSMO roles to the 2012 ADC.
If you have a DHCP server running, ensure that you have added the new server to the DNS servers list in the DHCP lease as primary.
If you have static IP addresses, then ensure that the 2012 server is set as the primary DNS server on clients.
Ensure all of your application servers, firewall devices and logon scripts are pointing to the 2012 server in DNS and in DC entries in advance.
Once everything is working smoothly with the 2012 server as primary, then you can proceed with the below.

Once you have done that, just back up your certificate authority completely.
This includes the database and registry.

Then uninstall the CA server role from the 2008 server.
Then point the 2008 server's primary DNS to the 2012 server in the TCP/IP settings and reboot once.
Then you could simply demote the server to a member server.
Then shut down the server.
Now delete its computer account from Active Directory.
If you face any issues with the demotion of the server, then you need to run dcpromo with the /forceremoval switch to force-remove the server from Active Directory, and then you need to clean up the metadata for the failed server from Active Directory.

Then rename the 2012 DC to match the old server name (2008 DC) with some simple steps as mentioned in the article below.

Also, you need to follow the steps in the article below on the 2012 DC after a successful rename operation to correct the FRS \ DFSR object references.
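An added example, not from the answer above: a PowerShell script that runs the pre-migration health checks the answer lists (replication, dcdiag, stale DC entries in DNS and AD) and collects anything that needs fixing before adprep is run. It assumes it runs elevated on the existing 2008 DC, where repadmin, dcdiag and nslookup are already present, and reads the domain name from the machine rather than hard-coding it.

```powershell
# Added example (not from the original thread): pre-migration AD health check.
# Assumptions: run elevated on the existing 2008 DC; repadmin/dcdiag/nslookup are
# present (they are on any DC); the domain name is read from the machine.

$domain   = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
$problems = @()

# 1. Replication status. /csv output parses cleanly; any link with failures is a problem.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($link in ($repl | Where-Object { [int]$_.'Number of Failures' -gt 0 })) {
    $problems += "Replication: $($link.'Source DSA') -> $($link.'Destination DSA') " +
                 "[$($link.'Naming Context')] last status $($link.'Last Failure Status')"
}

# 2. dcdiag /q prints only failures, so any output at all means something needs fixing.
$diag = dcdiag /v /q 2>&1
if ($diag) { $problems += "dcdiag reported:`n" + ($diag -join "`n") }

# 3. Stale DC entries: every DC object in AD should answer LDAP, and every NS record
#    for the zone should belong to a DC that still exists in AD.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
       ForEach-Object { $_.Name.ToLower() }
foreach ($dc in $dcs) {
    try   { $null = ([ADSI]"LDAP://$dc/RootDSE").defaultNamingContext }
    catch { $problems += "AD lists DC '$dc' but it does not answer LDAP (stale DC object?)" }
}
$ns = nslookup -type=NS $domain 2>$null | Select-String 'nameserver = (\S+)' |
      ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('.').ToLower() }
foreach ($server in $ns) {
    if ($dcs -notcontains $server) {
        $problems += "DNS NS record '$server' has no matching DC in AD (stale record?)"
    }
}

# 4. Summary: an empty list means it is safe to move on to adprep and promoting the 2012 DC.
if ($problems.Count -eq 0) { 'AD health checks passed' } else { $problems }
```

Run it again after the 2012 DC is promoted and the FSMO roles are moved, so that the new replication links and the new NS record are checked the same way.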

LVL 41

Expert Comment

ID: 39888756
After you have done all of the above, you need to install the certificate authority from the CA backup above on the 2012 DC so that your existing issued certificates will remain intact.
Follow the steps in the sections below from the base URL below to restore the existing CA database and certificate on the 2012 DC server with the CA server role:

Adding the CA role service to the destination server

Restoring the CA database and configuration on the destination server

Granting permissions on AIA and CDP containers

Base Article for above topics

LVL 85

Expert Comment

by:David Johnson, CD, MVP
ID: 39889228
Some basic tips: create your root enterprise certificate authority in a virtual machine. It is only used for creating a certificate for your issuing authority. You have to set up your online responders and other items like the CRL web address here, also your issuing policies and your HSMs as well. Once you generate the issuing authority's certificate, the virtual machine can be turned off.

Setting up a Certificate Authority is more than just clicking next, next, next. How Not to Screw up your PKI Infrastructure

Author Comment

ID: 39890542
One thing I forgot to mention is that some bright spark before my time installed a DC and Exchange on the same box on Windows 2003, so I am unable to raise the domain functional level until this box is gone, which will be after the DC migration. Will this affect anything?
LVL 41

Expert Comment

ID: 39891194
So you mean to say that the 2003 DC, with Exchange, remains on the same server in the present environment?
Or are you talking about an old environment that does not exist now?

In that case you need to move the Exchange server first to another member server;
only then can you demote the DC role on the same box.
If you try to demote the DC server role first, it will break Exchange.
Once you demote the DC server role, you can raise the functional level.

Not sure how this question is related to the certificate authority.

Even if your DC, Exchange and CA are on the same server, you still need to move Exchange onto another server first, demote the CA server role, demote the DC, and then rename the 2008 \ 2012 DC to the same name as the old one; then you can migrate the CA role from the previous backup. Also, then you can raise the functional levels.


Author Comment

ID: 39933040
Thank you Mahesh for your expertise. I did the migration on Friday night, but I hit a snag when migrating the CA. I have been reading up for hours on how to verify the CA is set up correctly, and I don't want our Lync 2013 environment to just stop working. The steps from the document didn't work at all, and the first one made the server crash, so I just continued. Any help would be much appreciated on how to test that the CA is running correctly.

Author Closing Comment

ID: 40045891
Thank you all, good now.
