Migrating DC from 2012R2 to 2016
I will soon be migrating our AD domain controllers to Server 2016. We have a few DC's in the 1 forest but the one that holds the FSMO also has a lot of other services like DHCP and its a certification authority. I've come up with a very high level list of the process involved, id like to see if I am on the right track by the experts on here. My main concerns are over keeping the same IP and Name as the old DC and moving the certification authority.
The server I'm looking to migrate initially is ADC1
1. Move services to ADC2
a. Move RD Licensing Server
b. Move DHCP (or test if we can use the failover DHCP (ADC3) server)
c. Migrate FSMO roles
2. Backup Certification authority on ADC1
3. Find out what KMS keys are used on ADC1
4. Remove Certification authority services from ADC1
5. Turn off ADC1 and test connectivity and logons.
6. Turn ADC1 back on.
7. Demote ADC1
8. Remove all entries for ADC1 from DNS and AD schema
9. Create new 2016 server (with same IP and name as removed DC) and promote to DC
10. Upgrade forest schema to 2016
11. Install certification authority on new DC and restore from backup
12. Reinstall KMS and keys on new server
13. Move DHCP back to ADC1 and ensure failover is still working to ADC3
14. TEST DNS and AD replication.
The server I'm looking to migrate initially is ADC1
1. Move services to ADC2
a. Move RD Licensing Server
b. Move DHCP (or test if we can use the failover DHCP (ADC3) server)
c. Migrate FSMO roles
2. Backup Certification authority on ADC1
3. Find out what KMS keys are used on ADC1
4. Remove Certification authority services from ADC1
5. Turn off ADC1 and test connectivity and logons.
6. Turn ADC1 back on.
7. Demote ADC1
8. Remove all entries for ADC1 from DNS and AD schema
9. Create new 2016 server (with same IP and name as removed DC) and promote to DC
10. Upgrade forest schema to 2016
11. Install certification authority on new DC and restore from backup
12. Reinstall KMS and keys on new server
13. Move DHCP back to ADC1 and ensure failover is still working to ADC3
14. TEST DNS and AD replication.
Instead of #8, I would just reset the machine account in AD. When you join the new server to AD it can use that account and keep any ACEs.
ASKER
Thanks for the comments and confidence boost folks. Ive cloned the dc's and a test client in VMWare on an isolated network, ill report back with results soon.
This question needs an answer!
Become an EE member today
7 DAY FREE TRIALMembers can start a 7-Day Free trial then enjoy unlimited access to the platform.
View membership options
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
I'd test it in a lab though to make sure.
Use either Hyper-V or VMware workstation.