Migrating a Windows 2008 DC to a Windows 2012 R2 DC and keeping the same name and IP address

padiap used Ask the Experts™
Hi all,
As the title says, I would like to migrate a Windows 2008 DC to a Windows 2012 R2 DC and keep the same name and IP address. I have found this article.
This W2008 DC is our main DC and is also our certificate authority. I know that I can't change the name of a DC after the certificate authority is installed, so I will do this step of the installation just before the steps of changing the name and IP to the same as the old DC.
Can anyone please tell me if there is anything I should look out for or change if I follow this guide? Any other information would be great.
Distinguished Expert 2018
The guide is really very good.
There are many ways to achieve this.
However, I am just outlining high-level steps here.

First, check that your AD replication \ AD health is working fine by running the commands below
repadmin /syncall
repadmin /showrepl
dcdiag /v /q
Resolve any errors you find
Check that DNS is configured correctly (it should not have stale DC server entries)
Also check for any stale DC entries in Active Directory

Then just extend your Active Directory schema first to prepare it for the 2012 \ 2012 R2 DC
This includes:
adprep /forestprep
adprep /domainprep /gpprep
If you have a 2003 DC in the domain, then also run dcpromo /rodcprep
Ensure that you run these commands from the 2008 primary domain controller

Then promote the new 2012 DC (you can promote it directly without going through the above steps, but then you will not come to know if critical errors are there)
Check that AD replication and DNS name resolution are working fine
Then transfer the FSMO roles to the 2012 ADC
If you have a DHCP server running, ensure that you have added the new server to the DNS servers list in the DHCP lease as primary
If you have static IP addresses, then ensure that the 2012 server is mentioned as the primary DNS server on clients
Ensure all of your application servers, firewall devices and logon scripts are pointing to the 2012 server in DNS and in DC entries in advance
Once everything is working smoothly with the 2012 server as primary, you can proceed with the below

Once you have done that, just back up your certificate authority completely
This includes the database and registry

Then uninstall the CA server role from the 2008 server
Then point the 2008 server's primary DNS to the 2012 server in TCP/IP settings and reboot once
Then you could simply demote the server to a member server
Then shut down the server
Now delete its computer account from Active Directory
If you face any issues with demotion of the server, then you need to run dcpromo with the /forceremoval switch to force remove the server from Active Directory, and then you need to clean up metadata for the failed server from Active Directory

Then rename the 2012 DC to match the old server name (2008 DC) with some simple steps as mentioned in the below article

Also, you need to follow the steps in the below article on the 2012 DC after a successful rename operation to correct FRS \ DFSR object references
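The health checks from the start of this answer (repadmin, dcdiag, stale DNS entries) can be run as one gate before adprep or promotion. This is an added example, not part of the original answer; it assumes an elevated PowerShell prompt on an existing DC, and the `/Ade` switches on `repadmin /syncall` and the `$failures` variable are choices made for this example.

```powershell
# Added example (not from the thread): gate the migration on the answer's health checks.
# Run elevated on an existing DC. $failures collects anything that should stop the change.
$failures = @()

# 1. Sync this DC with its partners for all partitions, across sites.
repadmin /syncall /Ade | Out-Null

# 2. Pull replication status for all DCs as CSV and flag links with failures.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($l in $links) {
    if ($l.showrepl_COLUMNS -eq 'showrepl_ERROR' -or [int]$l.'Number of Failures' -gt 0) {
        $failures += "Replication: $($l.'Source DSA') -> $($l.'Destination DSA') " +
                     "[$($l.'Naming Context')] status $($l.'Last Failure Status')"
    }
}

# 3. Every DC named in the replication topology must still resolve in DNS;
#    a name that does not resolve is a candidate stale DC entry.
$dcs = @($links | ForEach-Object { $_.'Source DSA'; $_.'Destination DSA' }) |
       Where-Object { $_ } | Sort-Object -Unique
foreach ($dc in $dcs) {
    try   { [void][System.Net.Dns]::GetHostAddresses($dc) }
    catch { $failures += "DNS: $dc does not resolve (possible stale DC entry)" }
}

# 4. dcdiag /q prints only errors, so any non-blank output is a finding.
$diag = @(dcdiag /q | Where-Object { $_ -and $_.Trim() })
if ($diag) { $failures += @($diag | ForEach-Object { "dcdiag: $_" }) }

if ($failures) {
    $failures
    Write-Warning 'Resolve these before running adprep or promoting the new DC.'
    exit 1
}
'AD replication, DNS and dcdiag checks are clean.'
```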

Distinguished Expert 2018

After you have done all of the above, you need to install the certificate authority from the CA backup above on the 2012 DC so that your existing issued certificates will remain intact
Follow the steps in the sections below, found under the base URL below, to restore the existing CA database and certificate on the 2012 DC server with the CA server role

Adding the CA role service to the destination server

Restoring the CA database and configuration on the destination server

Granting permissions on AIA and CDP containers

Base Article for above topics
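The "back up your certificate authority completely" step from the answers above (database and registry, plus the CA key that the restore on the 2012 DC depends on), as an added example that is not part of the original thread. `D:\CABackup` and the `Invoke-Step` helper are hypothetical; the registry path is the default CertSvc configuration key.

```powershell
# Added example, not from the thread. Run elevated on the old 2008 CA/DC
# BEFORE uninstalling the CA role. $BackupDir is a hypothetical path.
$BackupDir = 'D:\CABackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The folder will hold the CA private key: drop inherited ACLs and allow
# only local Administrators and SYSTEM before anything is written to it.
icacls $BackupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# Hypothetical helper: run one native command and stop on a non-zero exit code.
function Invoke-Step($Name, [scriptblock]$Action) {
    & $Action
    if ($LASTEXITCODE -ne 0) { throw "$Name failed (exit $LASTEXITCODE); do not remove the CA role." }
}

# 1. Certificate database and logs (issued and revoked certificates, requests).
Invoke-Step 'Database backup' { certutil -backupDB $BackupDir }

# 2. CA certificate and private key as a password-protected .p12.
#    certutil prompts for the password, so it never lands in command history.
Invoke-Step 'Key backup' { certutil -backupKey $BackupDir }

# 3. CA configuration from the registry (CDP/AIA URLs, validity, CSP settings).
Invoke-Step 'Registry export' {
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc-Configuration.reg" /y
}

# 4. Templates this CA issues; re-check them after the restore.
Invoke-Step 'Template list' { certutil -catemplates | Out-File "$BackupDir\catemplates.txt" }

# 5. CAPolicy.inf is optional; copy it when present.
$policy = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item $policy $BackupDir }

# Refuse to call the backup complete unless the key and database are there.
$p12 = Get-ChildItem $BackupDir -Filter *.p12
$db  = Get-ChildItem (Join-Path $BackupDir 'DataBase') -Filter *.edb -ErrorAction SilentlyContinue
if (-not $p12 -or -not $db) { throw 'Backup incomplete: .p12 or DataBase\*.edb missing.' }
"CA backup complete in $BackupDir. Copy it off this server before demotion."
```

Anyone who can read the .p12 and learns its password can issue certificates as this CA, so store the copy with the same care as the CA itself.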

Top Expert 2016

Some basic tips: create your certificate authority root enterprise in a virtual machine. It is only used for creating a certificate for your issuing authority. You have to set up your online responders and other items like the CRL web address here, also your issuing policies and your hsim's as well. Once you generate the issuing authority's certificate, the virtual machine can be turned off.

Setting up a Certificate Authority is more than just clicking next next next. How Not to Screw up your PKI Infrastructure

One thing I forgot to mention is that some bright spark before my time installed a DC and Exchange on the same box on Windows 2003, so I am unable to raise the domain functional level until this box is gone, which will be after the DC migration. Will this affect anything?
Distinguished Expert 2018

So you mean to say that the 2003 DC with Exchange remains on the same server in the present environment?
Are you talking about an old environment that does not exist now, or what?

In that case you need to move the Exchange server first to another member server;
only then can you demote the DC role on the same box
If you try to demote the DC server role first, it will break Exchange
Once you demote the DC server role, you can raise the functional level

Not sure how this question is related to the certificate authority

Even if your DC, Exchange and CA are on the same server, you still need to move Exchange on to another server first, demote the CA server role, demote the DC and then rename the 2008 \ 2012 DC to the same as the old one, and then you can migrate the CA role from the previous backup. Then you can also raise functional levels



Thank you Mahesh for your expertise. I did the migration on Friday night but I hit a snag when migrating the CA. I have been reading up for hours on how to verify the CA is set up correctly and I don't want our Lync 2013 environment to just stop working. The steps from the document http://technet.microsoft.com/library/cc794759%28v=ws.10%29.aspx didn't work at all and the first one made the server crash, so I just continued. Any help on how to test that the CA is running correctly would be much appreciated.


Thank you all good now
