Solved

Migrating Windows 2008dc to W2012R2 dc and keeping same name and ip address

Posted on 2014-02-25
Last Modified: 2014-05-06
Hi all,
As the title says, I would like to migrate a Windows 2008 DC to a Windows 2012 R2 DC and keep the same name and IP address. I have found this article:
http://msmvps.com/blogs/acefekay/archive/2010/10/09/remove-an-old-dc-and-introduce-a-new-dc-with-the-same-name-and-ip-address.aspx
This W2008 DC is our main DC and is also our certificate authority. I know that I can't change the name of a DC after the certificate authority is installed, so I will do this step of the installation just before the steps of changing the name and IP to the same as the old DC.
Can anyone please tell me if there is anything I should look out for or change if I follow this guide? Any other information would be great.
Question by:padiap

Accepted Solution

by:
Mahesh earned 400 total points
ID: 39888729
The guide is really very good.
There are many ways to achieve this.
However, I am just outlining high-level steps here.

First, check that your AD replication \ AD health is working fine by running the commands below:
repadmin /syncall
repadmin /showrepl
dcdiag /v /q
Resolve any errors you find.
Check that DNS is configured correctly (it should not have stale DC server entries).
Also check for any stale DC entries in Active Directory.

Then extend your Active Directory schema first to prepare it for a 2012 \ 2012 R2 DC.
This includes:
adprep /forestprep
adprep /domainprep /gpprep
If you have a 2003 DC in the domain, then also run dcpromo /rodcprep
Ensure that you run these commands from the 2008 primary domain controller.
http://msmvps.com/blogs/mweber/archive/2012/07/27/upgrading-an-active-directory-domain-from-windows-server-2008-or-windows-server-2008-r2-to-windows-server-2012.aspx

Then promote the new 2012 DC (you can promote it directly without going through the above steps, but then you will not come to know if critical errors are there).
Check that AD replication and DNS name resolution are working fine.
Then transfer the FSMO roles to the 2012 ADC.
If you have a DHCP server running, ensure that you have added the new server to the DNS servers list in the DHCP lease as primary.
If you have static IP addresses, then ensure that the 2012 server is mentioned as the primary DNS server on clients.
Ensure all of your application servers, firewall devices and logon scripts are pointing to the 2012 server in DNS and in DC entries in advance.
Once everything is working smoothly with the 2012 server as primary, you can proceed with the steps below.

Once you have done that, back up your certificate authority completely.
This includes the database and registry.
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

Then uninstall the CA server role from the 2008 server.
Then point the 2008 server's primary DNS to the 2012 server in the TCP/IP settings and reboot once.
Then you could simply demote the server to a member server.
Then shut down the server.
Now delete its computer account from Active Directory.
If you face any issues with the demotion of the server, then you need to run dcpromo with the /forceremoval switch to force-remove the server from Active Directory, and then you need to clean up the metadata for the failed server from Active Directory.
http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Then rename the 2012 DC to match the old server name (2008 DC) with some simple steps, as mentioned in the article below.
http://technet.microsoft.com/en-us/library/cc816601(v=ws.10).aspx

Also, you need to follow the steps in the article below on the 2012 DC after a successful rename operation to correct the FRS \ DFSR object references.
http://technet.microsoft.com/library/cc794759(v=ws.10).aspx

Mahesh

Expert Comment

by:Mahesh
ID: 39888756
After you have done all of the above, you need to install the certificate authority from the CA backup above on the 2012 DC so that your existing issued certificates will remain intact.
Follow the steps in the sections below, under the base URL below, to restore the existing CA database and certificate on the 2012 DC server with the CA server role:

Adding the CA role service to the destination server

Restoring the CA database and configuration on the destination server

Granting permissions on AIA and CDP containers


Base Article for above topics
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx#BKMK_AddCA

Mahesh
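
The CA backup, restore and check steps from the accepted answer and this follow-up comment, sketched with certutil and reg as an added example that is not part of the original posts. The folder C:\CABackup, the file name CertSvc.reg and the function names are assumptions.

```powershell
# Added example: names and paths below are assumptions, not values from the thread.
$BackupDir = 'C:\CABackup'   # hypothetical folder; copy it to the new server, keep it access-restricted
$CfgKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Invoke-Step([string]$What, [scriptblock]$Cmd) {
    # Run one native command and stop the whole procedure if it reports failure.
    Write-Host "== $What"
    & $Cmd
    if ($LASTEXITCODE -ne 0) { throw "$What failed (exit code $LASTEXITCODE)" }
}

function Backup-SourceCA {
    # Run elevated on the old 2008 CA, before the CA role is removed.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Invoke-Step 'Back up CA database'     { certutil -backupDB  $BackupDir }
    # Prompts for a password that protects the exported .p12 (CA private key).
    Invoke-Step 'Back up CA cert and key' { certutil -backupKey $BackupDir }
    Invoke-Step 'Export CertSvc registry' { reg export $CfgKey "$BackupDir\CertSvc.reg" /y }
}

function Restore-DestinationCA {
    # Run elevated on the renamed 2012 R2 server, after the CA role has been
    # added using the existing certificate and private key from the .p12 file.
    Stop-Service -Name CertSvc
    Invoke-Step 'Restore CA database'     { certutil -f -restoreDB $BackupDir }
    # Review CertSvc.reg (paths, server name) before importing it.
    Invoke-Step 'Import CertSvc registry' { reg import "$BackupDir\CertSvc.reg" }
    Start-Service -Name CertSvc
}

function Test-MigratedCA {
    # Basic post-migration checks on the new server.
    Invoke-Step 'CA answers requests'     { certutil -ping }
    Invoke-Step 'CA reports its identity' { certutil -CAInfo }
    Invoke-Step 'CA can publish a CRL'    { certutil -CRL }
}

# Usage, one function per phase:
#   Backup-SourceCA        (old server)
#   Restore-DestinationCA  (new server)
#   Test-MigratedCA        (new server)
```

The backup folder contains the CA private key, so remove it from both servers once the new CA has been verified.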

Expert Comment

by:David Johnson, CD, MVP
ID: 39889228
Some basic tips: create your certificate authority root enterprise in a virtual machine. It is only used for creating a certificate for your issuing authority. You have to set up your online responders and other items like the CRL web address here, also your issuing policies and your hsim's as well. Once you generate the issuing authority's certificate, the virtual machine can be turned off.

Setting up a Certificate Authority is more than just clicking next next next. How Not to Screw up your PKI Infrastructure

Author Comment

by:padiap
ID: 39890542
One thing I forgot to mention is that some bright spark before my time installed a DC and Exchange on the same box on Windows 2003, so I am unable to raise the domain functional level until this box is gone, which will be after the DC migration. Will this affect anything?

Expert Comment

by:Mahesh
ID: 39891194
So you mean to say that the 2003 DC with Exchange remains on the same server in the present environment?
Or are you talking about an old environment that does not exist now?

In that case you need to move the Exchange server first to another member server;
only then can you demote the DC role on the same box.
If you try to demote the DC server role first, it will break Exchange.
Once you demote the DC server role, you can raise the functional level.

Not sure how this question is related to the certificate authority.

Even if your DC, Exchange and CA are on the same server, you still need to move Exchange to another server first, demote the CA server role, demote the DC and then rename the 2008 \ 2012 DC to the same name as the old one, and then you can migrate the CA role from the previous backup. Then you can also raise the functional levels.

Mahesh

Author Comment

by:padiap
ID: 39933040
Thank you Mahesh for your expertise. I did the migration on Friday night but I hit a snag when migrating the CA. I have been reading up for hours on how to verify the CA is set up correctly and I don't want our Lync 2013 environment to just stop working. The steps from the document http://technet.microsoft.com/library/cc794759%28v=ws.10%29.aspx didn't work at all, and the first one made the server crash, so I just continued. Any help on how to test that the CA is running correctly is much appreciated.

Author Closing Comment

by:padiap
ID: 40045891
Thank you, all good now.