Install 2016 DC (x2) to replace 2008 R2 DC (x2) and raise AD, FFL/DFL to 2016.
Working on adding 2016 DC (x2) to our domain with the intent of retiring our current 2008 R2 DC (x2). Just want to run this past a few experts who have done this to iron out any kinks. Based on what I have read thus far I should be able to move directly to 2016 and thus bypass 2012 altogether.
Environment (right now):
- DFL/FFL = 2008 R2 and two DC 2008 R2
- Exchange 2013 (cluster of two) is already in place, as is SharePoint 2013 (single farm)
- No WSUS or other role/feature servers. Two MS based file servers running 2012.
- 120 desktops and 15 physical and 15 virtual (3 hosts VMware 6.0) systems
- DSDIAG (DNS, WINS, AD) health check came back okay and replication between current 2008 R2 DC is good
- DFS already replaced by DFSR – done when we went to 2008 R2 FFL/DFL
- We have already purchased 2x HP ProLiant servers and licenses for 2 x 2016 Standard and all required user CALs.
- Send emails to all application vendors to identify any compatibility issues that DC 2016 or FFL/DFL 2016 might cause for their products.
- Replace any/all 2003 o/s member servers with 2012 o/s
- Run full (dcdiag, repadmin) set of health checks for AD and DNS. Assuming they come back without major errors, proceed.
- Install 2016 Standard on both new physical servers.
- Consolidate all existing 2008 R2 FSMO roles on primary 2008 R2 DC.
- Remove all roles (WINS, DNS) from the secondary 2008 R2 DC and demote the existing 2008 R2 secondary DC to a member server, where it will continue as such since it hosts some DHCP scopes that can stay on it. So DHCP export/import is not needed at this point.
- Rename the DC (without removing it from the domain) we just demoted to another name to reflect its new role as DHCP only.
- Install ADDS role on new DC and promote the first new 2016 DC into the existing forest/domain with same name and IP as the secondary 2008 R2 that I demoted. Same name and IP to avoid having to repoint all the servers' DNS/WINS to a new IP. Replication should take care of the DNS on the new DC. Should I delete the computer account from AD after demotion and recreate it when I promote the new 2016 DC?
- From what I read there is no need to run ADprep on Server 2008 R2 prior as the Server 2016 should prompt me if it needs it. The only requirements are that the new 2016 needs access to the Schema Master, etc. which it would have as it will be promoted to the same AD and IP subnet as the existing 2008 R2 DC with the FSMO roles.
- Verify that Group Policy still works and download new Group Policy templates for 2016.
- Transfer the FSMO roles from the existing primary 2008 R2 to the new 2016 DC after the Group Policy and Replication have been working for a few days.
- Turn off the existing 2008 R2 primary DC for a day or so to make sure nothing breaks.
- If everything worked then turn the 2008 R2 DC back on and uninstall AD roles (WINS, DNS, etc.) and demote that server, thus removing the last 2008 R2 DC.
- Replace (same name and IP) the primary 2008 R2 DC we just demoted with the second 2016 server – same procedure as before.
- Run everything for a few days.
- If there are no issues then raise FFL/DFL to 2016 (from 2008 R2).
Thoughts, concerns, issues? All insights greatly appreciated and thank you very much in advance for taking the time to share.
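
A read-only pre-flight gate for the final steps of the plan above (FSMO transfer, last demotion, FFL/DFL raise), as an added example that is not part of the original post. It assumes a single-domain forest and the ActiveDirectory RSAT module on a 2012-or-later machine; the function name `Test-FunctionalLevelRaiseReadiness` is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, read-only. Function name is hypothetical; assumes a single-domain forest.
function Test-FunctionalLevelRaiseReadiness {
    [CmdletBinding()]
    param(
        # OperatingSystem value every DC must match before the raise
        [string]$RequiredOsPattern = '*Server 2016*'
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter *)

    # A DC still on an older OS means the demotions are not finished.
    $oldDcs = @($dcs | Where-Object { $_.OperatingSystem -notlike $RequiredOsPattern })

    # Current holder (FQDN) of each of the five FSMO roles.
    $fsmo = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $rolesOnOldDc = @($fsmo.GetEnumerator() |
        Where-Object { $oldDcs.HostName -contains $_.Value } |
        ForEach-Object { '{0} on {1}' -f $_.Key, $_.Value })

    # Inbound replication links whose last attempt failed, plus DCs that cannot be queried.
    $replProblems = @(foreach ($dc in $dcs) {
        try {
            Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop |
                Where-Object { $_.LastReplicationResult -ne 0 } |
                ForEach-Object { '{0} <- {1} (result {2})' -f $_.Server, $_.Partner, $_.LastReplicationResult }
        } catch {
            '{0}: unreachable ({1})' -f $dc.HostName, $_.Exception.Message
        }
    })

    [pscustomobject]@{
        ForestMode           = $forest.ForestMode
        DomainMode           = $domain.DomainMode
        DomainControllers    = $dcs | ForEach-Object { '{0} [{1}]' -f $_.HostName, $_.OperatingSystem }
        OldDomainControllers = $oldDcs.HostName
        FsmoRolesOnOldDc     = $rolesOnOldDc
        ReplicationProblems  = $replProblems
        Ready                = ($oldDcs.Count + $rolesOnOldDc.Count + $replProblems.Count) -eq 0
    }
}

Test-FunctionalLevelRaiseReadiness | Format-List
```

`Ready` is `True` only when no DC reports an older operating system, no FSMO role sits on such a DC, and every inbound replication link last completed with result 0. A DC that is powered off for the soak test shows up under `ReplicationProblems` as unreachable.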