

Migrating Windows 2008dc to W2012R2 dc and keeping same name and ip address

Posted on 2014-02-25
Medium Priority
Last Modified: 2014-05-06
Hi all,
As the title says, I would like to migrate a Windows 2008 DC to a Windows 2012 R2 DC and keep the same name and IP address. I have found this article
This W2008 DC is our main DC and is also our certificate authority. I know that I can't change the name of a DC after the certificate authority is installed, so I will do this step of the installation just before the steps of changing the name and IP to the same as the old DC.
Can anyone please tell me if there is anything I should look out for, or any changes, if I follow this guide? Any other information would be great.
Question by:padiap
LVL 38

Accepted Solution

Mahesh earned 1600 total points
ID: 39888729
The guide is really very good.
There are many ways to achieve this.
However, I am just outlining the high-level steps here.

First, check that your AD replication \ AD health is working fine by running the commands below:
repadmin /syncall
repadmin /showrepl
dcdiag /v /q
Resolve any errors you find.
Check that DNS is configured correctly (it should not have stale DC server entries).
Also check for any stale DC entries in Active Directory.

Then extend your Active Directory schema first to prepare it for a 2012 \ 2012 R2 DC.
This includes:
adprep /forestprep
adprep /domainprep /gpprep
If you have a 2003 DC in the domain, then also run dcpromo /rodcprep
Ensure that you run these commands from the 2008 primary domain controller.

Then promote the new 2012 DC (you can promote it directly without going through the above steps, but then you will not come to know if critical errors are there).
Check that AD replication and DNS name resolution are working fine.
Then transfer the FSMO roles to the 2012 ADC.
If you have a DHCP server running, ensure that you have added the new server to the DNS servers list in the DHCP lease as primary.
If you have static IP addresses, then ensure that the 2012 server is mentioned as the primary DNS server on clients.
Ensure all of your application servers, firewall devices and logon scripts are pointing to the 2012 server in DNS and in DC entries in advance.
Once everything is working smoothly with the 2012 server as primary, you can proceed with the steps below.

Once you have done that, back up your certificate authority completely.
This includes the database and registry.

Then uninstall the CA server role from the 2008 server.
Then point the 2008 server's primary DNS to the 2012 server in the TCP/IP settings and reboot once.
Then you could simply demote the server to a member server.
Then shut down the server.
Now delete its computer account from Active Directory.
If you face any issues with demotion of the server, then you need to run dcpromo with the /forceremoval switch to force remove the server from Active Directory, and then you need to clean up metadata for the failed server from Active Directory.

Then rename the 2012 DC to match the old server name (2008 DC) with some simple steps as mentioned in the below article

Also, you need to follow the steps in the below article on the 2012 DC after a successful rename operation to correct FRS \ DFSR object references
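
The health checks at the start of this answer can be scripted as a go/no-go gate before adprep and promotion. This is an added example, not part of the answer above; the helper name Get-ReplProblem is hypothetical, and the script relies on the column names that repadmin /showrepl * /csv emits.

```powershell
# Added example (not from the thread): stop the migration if AD health checks fail.
# Run elevated on an existing DC; repadmin, dcdiag and netdom must be available.

function Get-ReplProblem {
    # Hypothetical helper: returns replication links that are failing
    # or that repadmin could not query at all.
    param([Parameter(Mandatory)][object[]]$Rows)
    $Rows | Where-Object {
        $_.showrepl_COLUMNS -eq 'showrepl_ERROR' -or
        [int]$_.'Number of Failures' -gt 0 -or
        [int64]$_.'Last Failure Status' -ne 0
    }
}

# One CSV row per inbound replication link, for every DC repadmin can find
$rows = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
if ($rows.Count -eq 0) { throw 'repadmin returned no rows; run elevated on a DC' }

$problems = @(Get-ReplProblem -Rows $rows)
$problems | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
    'Number of Failures', 'Last Failure Status', 'Last Success Time' -AutoSize

# dcdiag /q prints only failed tests, so any non-blank line is a finding
$dcdiag = @(dcdiag /q | Where-Object { $_.Trim() })
$dcdiag | ForEach-Object { Write-Warning $_ }

# Record the current role holders before any FSMO transfer
netdom query fsmo

if ($problems.Count -gt 0 -or $dcdiag.Count -gt 0) {
    throw "Not ready: $($problems.Count) replication problem(s), $($dcdiag.Count) dcdiag finding(s)"
}
'Replication and dcdiag are clean; continue with adprep and promotion.'
```

Running it again after the new DC is promoted, and again after the rename, shows whether the old server's links have dropped out and the renamed DC replicates cleanly.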

LVL 38

Expert Comment

ID: 39888756
After you have done all of the above, you need to install the certificate authority from the CA backup above on the 2012 DC so that your existing issued certificates will remain intact.
Follow the steps in the sections below, under the base URL below, to restore the existing CA database and certificate on the 2012 DC server with the CA server role

Adding the CA role service to the destination server

Restoring the CA database and configuration on the destination server

Granting permissions on AIA and CDP containers

Base Article for above topics
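
The CA backup step from the accepted answer (database and registry) and a check of the restored CA described in this comment, as an added example that is not part of the thread. The backup directory, the sample certificate path and the helper name Invoke-Checked are placeholders chosen for illustration; the backup also saves the CA key pair, which a restore onto a new server needs in addition to the database and registry.

```powershell
# Added example (not from the thread). Paths and names below are placeholders.
param(
    [ValidateSet('Backup', 'Verify')][string]$Mode = 'Verify',
    [string]$BackupDir  = 'D:\CABackup',                   # placeholder path
    [string]$SampleCert = 'D:\CABackup\issued-sample.cer'  # any cert issued before the move
)

function Invoke-Checked {
    # Hypothetical helper: run a native command and stop on a non-zero exit code.
    param([string]$What, [scriptblock]$Command)
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

if ($Mode -eq 'Backup') {
    # On the 2008 CA, before the CA role is uninstalled
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Invoke-Checked 'Database backup' { certutil -backupDB $BackupDir }
    Invoke-Checked 'Key backup'      { certutil -backupKey $BackupDir }  # prompts for a password
    Invoke-Checked 'Registry export' {
        reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
            "$BackupDir\CertSvc-Configuration.reg" /y
    }
    'Move the backup folder off the server; it now holds the CA private key.'
}
else {
    # On the renamed 2012 R2 server, after the CA role is installed and restored
    if ((Get-Service CertSvc).Status -ne 'Running') { throw 'CertSvc is not running' }
    Invoke-Checked 'CA ping'         { certutil -ping }    # request interface answers
    Invoke-Checked 'CA info'         { certutil -CAInfo }  # CA name and certificate state
    Invoke-Checked 'CRL publication' { certutil -CRL }     # CA can sign and publish a CRL

    # Compare these with the URLs in certificates issued before the migration
    certutil -getreg CA\CRLPublicationURLs
    certutil -getreg CA\CACertPublicationURLs

    # Build the chain for a pre-migration certificate and fetch its CDP/AIA URLs;
    # read the output for retrieval or revocation-check failures
    certutil -verify -urlfetch $SampleCert
}
```

Treat the exported key file like the CA itself: store it offline or encrypted, and delete the working copy once the restore is confirmed.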

LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39889228
Some basic tips: create your certificate authority root enterprise in a virtual machine. It is only used for creating a certificate for your issuing authority. You have to set up your online responders and other items like the CRL web address here, also your issuing policies and your hsim's as well. Once you generate the issuing authority's certificate, the virtual machine can be turned off.

Setting up a Certificate Authority is more than just clicking next next next.  How Not to Screw up your PKI Infrastructure


Author Comment

ID: 39890542
One thing I forgot to mention is that some bright spark before my time installed a DC and Exchange on the same box on Windows 2003, so I am unable to raise the domain functional level until this box is gone, which will be after the DC migration. Will this affect anything?
LVL 38

Expert Comment

ID: 39891194
So you mean to say that the 2003 DC, with Exchange, remains on the same server in the present environment?
Are you talking about an old environment that does not exist now, or what?

In that case you need to move the Exchange server first to another member server;
only then can you demote the DC role on the same box.
If you try to demote the DC server role first, it will break Exchange.
Once you demote the DC server role you can raise the functional level.

Not sure how this question is related to the certificate authority.

Even if your DC, Exchange and CA are on the same server, you still need to move Exchange on to another server first, demote the CA server role, demote the DC and then rename the 2008 \ 2012 DC to the same as the old one, and then you can migrate the CA role from the previous backup. Also, then you can raise functional levels.


Author Comment

ID: 39933040
Thank you Mahesh for your expertise. I did the migration on Friday night but I hit a snag when migrating the CA. I have been reading up for hours on how to verify the CA is set up correctly and I don't want our Lync 2013 environment to just stop working. The steps from the document http://technet.microsoft.com/library/cc794759%28v=ws.10%29.aspx didn't work at all and the first one made the server crash, so I just continued. Any help on how to test that the CA is running correctly is much appreciated.

Author Closing Comment

ID: 40045891
Thank you, all good now.
