I have a 2012 DC with these roles:
- WSUS
- DHCP
- DNS
- DFS
- Certificate Authority
- Network Policy Server
The plan is to replace this server hardware with a new server. I would like to keep the same name and IP.
I've done it once before, but at that time I didn't have all these new roles.
- I plan to rename DC1 to DC-old, but keep the IP
- Build the new DC1 with a temp IP
- Set up all the same roles on the new DC1
- Transfer original IP to new DC1 and update the DNS records.
This way I don't need to change all the server and device settings that reference the IP.
I guess to get to my question: I am not sure what effect renaming the DC will have on the Certificate Authority. Will the workstations generate a new certificate with the new CA server once they connect to it for the first time?
The main reason we use the CA is in conjunction with NPS for wifi and LAN authentication for workstations.
As for the other roles, I'm confident I can replicate the settings on the new DC.
For WSUS I found this guide, unless someone has a better one?
http://www.vkernel.ro/blog/migrating-wsus-from-one-server-to-another
I've done several DC renames and IP changes with no issues.
I guess I could do a workaround where I move all the non-AD services (WSUS, DHCP, NPS, CA, etc.) to the new server (just a joined machine):
- Then demote old DC1 and free up the IP
- Rename the new standalone server to DC1 and give it the old IP
- Then promote it to an AD DC
The main issue will be the time between when I demote the old one and promote the new one: the other servers will still be pointed to it as primary DNS, and I don't want to go around and change them all, but during that time DNS resolution might fail if the IP is accessible but DNS is not working.
I noticed when I do monthly updates on the server, each time during the reboot there is a 1 min window when the server responds to pings but DNS is not initialized yet, and all the other servers can't get to the internet during that time because DNS is down.
This time that window will be much longer.
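As an added example (not part of the original post), the PowerShell below captures the state of the roles that are hardest to rebuild by hand (the CA database, key and registry config, NPS policies and shared secrets, DHCP scopes with leases) on the old DC1 before it is touched, and then gates the IP cutover on the new server actually answering the domain SRV record over DNS rather than just responding to ping, which is the window described above. The backup path, domain name and temporary IP are assumed placeholder values; the cmdlets used ship with the AD CS, NPS, DHCP and DNS Client modules on Windows Server 2012 and later.

```powershell
#Requires -RunAsAdministrator
# Added example; run on the OLD DC1 (the server currently holding the roles).
# $BackupRoot, $Domain and $NewDcIp are assumed/constructed values.
param(
    [string]$BackupRoot = 'D:\MigrationBackup',   # assumed local path with free space
    [string]$Domain     = 'corp.example.local',   # assumed AD DNS domain name
    [string]$NewDcIp    = '192.0.2.10'            # assumed temp IP of the new DC1
)
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Certificate Authority: database, CA certificate + private key, and the
#    CertSvc registry configuration (templates, CRL/AIA paths, policy settings).
#    Keep this until the rebuilt CA has been verified against a test client.
Backup-CARoleService -Path "$BackupRoot\CA" -Force
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    "$BackupRoot\CA\CertSvc-Configuration.reg" /y

# 2. NPS (RADIUS clients, network/connection request policies, shared secrets)
#    and DHCP (server settings, scopes, reservations and current leases).
Export-NpsConfiguration -Path "$BackupRoot\nps.xml"
Export-DhcpServer -File "$BackupRoot\dhcp.xml" -Leases -Force

# 3. DNS readiness gate: a DC that answers ping but has not started DNS yet
#    is exactly the failure mode to avoid, so query the new server directly
#    for the DC locator SRV record and refuse to proceed until it answers.
function Wait-DcDns {
    param([string]$Server, [string]$DnsDomain, [int]$TimeoutSec = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    $srv = "_ldap._tcp.dc._msdcs.$DnsDomain"
    do {
        try {
            $answer = Resolve-DnsName -Name $srv -Type SRV -Server $Server `
                                      -DnsOnly -ErrorAction Stop
            if ($answer | Where-Object { $_.Type -eq 'SRV' }) {
                Write-Host "DNS on $Server answers $srv; safe to move the IP."
                return $true
            }
        } catch {
            Write-Host "DNS on $Server not ready yet: $($_.Exception.Message)"
        }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    Write-Warning "DNS on $Server did not answer within ${TimeoutSec}s; do not cut over."
    return $false
}

# Run this part after the new DC1 has been promoted, before reassigning the IP.
Wait-DcDns -Server $NewDcIp -DnsDomain $Domain
```

Because the gate queries the new server by its temporary IP, the old DC can still be serving DNS to everything else while you wait, so the window where clients have a reachable-but-deaf DNS server shrinks to the IP reassignment itself.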