Leo

asked on

Domain Controller upgrade - Radius / Licensing

We are going to run the domain upgrade task on the weekend, from 2008 to 2012. We are a single domain, single forest. The DC has the roles of RADIUS server and licensing.
I have put together the steps in sequence; kindly go through them and let me know if I have to amend anything or if something is missing.
Thanks.

  • Take Snapshot and full backup of DC.
  • Backup CA database and private key
  • Backup CA registry settings
  • Backup CAPolicy.inf
  • Remove the CA role service from the DC
  • Remove the DC from the domain
  • Join new server to the domain
  • Add CA role service to the new server
  • Import CA certificate
  • Add CA role service
  • Restore CA database and configuration on new server
  • Restore source CA registry settings on the new server
  • Restore certificate templates list
  • Grant permissions on AIA and CDP containers
  • Grant permissions on public key containers
  • Verifying certificate enrollment
  • Steps to install CA
a)      https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/ 
b)      https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx 
c)      https://technet.microsoft.com/en-us/library/dn486797(v=ws.11).aspx
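The CA backup and restore steps in the list above, written out as an added PowerShell example (not code from the original post or from the linked Microsoft articles). The backup folder path, the restore-side certificate template names and the key password are assumptions for illustration; the CA common name is read from the source CA so the new server keeps the same CA identity, which is what keeps already-issued certificates valid.

```powershell
# ---- On the OLD DC/CA (source), elevated prompt ----
$Backup = 'C:\CABackup'          # assumed backup location
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# Record the CA name and DN; the new CA MUST be installed with the same name
certutil -cainfo name | Out-File "$Backup\ca-name.txt"
certutil -cainfo dn   | Out-File "$Backup\ca-dn.txt"

# CA database (online backup, no service stop needed) and the CA private key
certutil -backupdb "$Backup"
certutil -backupkey -p 'Assumed-Strong-PFX-Password' "$Backup"   # -p: password protecting the exported PFX

# CA registry settings (CDP/AIA, CRL periods, policy module config ...)
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "$Backup\CAregistry.reg"

# CAPolicy.inf (only present if one was used at install time)
Copy-Item "$env:windir\CAPolicy.inf" $Backup -ErrorAction SilentlyContinue

# List of templates this CA currently issues; you re-add these on the new CA
certutil -catemplates | Out-File "$Backup\templates.txt"

# ---- On the NEW server (target), after the AD CS role is installed with
# ---- the existing key ($Backup\<CAName>.p12) and the SAME CA name ----
Stop-Service certsvc
certutil -restoredb "$Backup"
certutil -f -restorekey -p 'Assumed-Strong-PFX-Password' "$Backup"

# Registry: review CAregistry.reg FIRST and replace every value that carries
# the old host name (e.g. CAServerName, CRLPublicationURLs with a literal
# host) before importing; then:
reg import "$Backup\CAregistry.reg"
Start-Service certsvc

# Re-enable the issuing templates recorded in templates.txt (names assumed)
certutil -SetCATemplates +WebServer,+Computer,+User

# Verification: CA answers, CRL publishes, and a test enrollment succeeds
certutil -ping
certutil -crl
Get-Certificate -Template 'Computer' -CertStoreLocation 'Cert:\LocalMachine\My'
```

Two checks worth doing before the weekend: `certutil -cainfo dn` on the source and on the restored CA must be identical, otherwise existing certificates no longer chain; and if the CDP/AIA URLs embedded in already-issued certificates contain the old host name, that name must keep resolving (DNS alias or a CRL copy on the old location) until those certificates expire, or revocation checking on Exchange, the WAPs and other clients will fail.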
Bawer

Though everything written is proper, before removing the DC from the domain it's better to create another server and transfer all the roles, and then remove the DC from the domain.
Just to add to Bawer's comment.
Why remove the old DC before upgrading? Is this a physical server, and do you have only one?
Also, it's generally not a good idea to have the CA on a DC. But again, if you have no virtual environment, then this might be how you need it to be.
Leo (asker)
We have 3 DCs; all servers run on VMware, so all servers are virtual.
So I should power this DC off first and then create a new DC with the same name and IP address?
Following are the steps:

First create a new Server 2012 with a different name but on the same network.
Join it to the domain.
When you promote it to a DC, you need to upgrade the domain levels too.
DNS should also be part of this promotion.
Once completed, transfer all 5 FSMO roles.
Then, one by one, you may demote the older 2008 servers and install 2012 accordingly.
As Jakob mentioned, it's better to put the CA on a separate server.
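The "promote new DC, transfer the five FSMO roles, verify, then demote 2008" sequence from the steps above, as an added PowerShell example run from the new 2012 DC (this is not code from any of the posts). The server names are assumptions. The functional-level raise is deliberately placed last: it cannot be raised to 2012 while any 2008 DC still exists, so it belongs after the last 2008 DC is demoted, not "meanwhile" during promotion.

```powershell
Import-Module ActiveDirectory
$NewDC = 'DC2012-01'    # assumed name of the new 2012 DC
$OldDC = 'DC2008-01'    # assumed name of the 2008 DC being retired

# 1. Inventory: which DCs exist, what OS, and who holds the roles today
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, OperationMasterRoles
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Replication must be clean BEFORE moving roles (any errors here = stop)
repadmin /replsummary
repadmin /showrepl $NewDC

# 3. Transfer (not seize) all five roles while the old DC is still online.
#    Add -Force only if the old holder is permanently gone (that is a seize).
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 4. Verify every role now reports the new DC, and that DC is a GC + DNS server
netdom query fsmo
Get-ADDomainController -Identity $NewDC | Select-Object IsGlobalCatalog
Get-DnsServerZone -ComputerName $NewDC | Where-Object IsDsIntegrated

# 5. Health check of the new DC before touching the old one
dcdiag /s:$NewDC /q

# 6. Demote the 2008 DC. ADDSDeployment cmdlets do not exist on 2008, so
#    on that box run:  dcpromo   (GUI) and keep "This server is the last DC"
#    UNCHECKED. Afterwards, from here, confirm it is gone:
Get-ADDomainController -Filter * | Select-Object HostName
repadmin /replsummary

# 7. Only after the LAST 2008 DC is demoted: raise functional levels
Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2012Domain -Confirm:$false
Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2012Forest -Confirm:$false
```

Step 5 matters more than it looks: `dcdiag` on the new DC catches SYSVOL and DNS registration problems that would otherwise surface only after the old DC is off, which is exactly the kind of surprise described later in this thread with vCenter.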
ASKER CERTIFIED SOLUTION
Michelangelo
(solution body only available to members)
Leo (asker)
Thanks guys.
I have decided to keep the roles separate, meaning put the CA and RADIUS server on a different server, not on the DC.
With a new server name and different IP, would it impact Exchange Server, WAPs, and other devices which have obtained their certificates from the old domain controller CA?

Thinking of one more option, would an in-place upgrade work? The reason I am thinking of this is that it will be the same server name, and then I don't have to worry about the local certificate authority and RADIUS clients.
Your WAPs are coded to look at the RADIUS server by IP address. You need to either use the same IP address on the new RADIUS server, or reconfigure everything to point to the new IP.

Changing IP for certificate server will have zero impact. I think my certificate server is on DHCP.
Leo (asker)

Thanks. In the case of a new IP address for the DC, can you please highlight where I have to do the configuration in the RADIUS server so that it can see the new DC IP?
Leo, I somehow missed your reply.
Do you still need advice?

The RADIUS server won't need the new DC's IP.
RADIUS clients will need to have the new RADIUS (NPS) IP. Configuration will depend on the specific client.
Kevinhsieh is referring to wireless access points (WAPs), which you don't necessarily have. If you do, you have to change their server IP configuration to point to the new RADIUS server.
Ciao!
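The NPS side of the move described in the reply above (RADIUS server on a new host, RADIUS clients repointed), as an added PowerShell example that is not code from any participant in this thread. It moves the NPS configuration with `netsh nps`, the supported export/import path that also carries the RADIUS client shared secrets, and then lists the RADIUS clients, which is the inventory of WAPs that have to be repointed to the new IP. The backup path and the new server name are assumptions.

```powershell
# ---- On the OLD NPS (the 2008 DC) ----
$Export = 'C:\NPSBackup\nps-config.xml'     # assumed path
New-Item -ItemType Directory -Path (Split-Path $Export) -Force | Out-Null
# exportPSK=YES includes the RADIUS client shared secrets; protect this file
netsh nps export filename="$Export" exportPSK=YES

# ---- On the NEW NPS server (assumed name NPS2012-01), after copying the XML ----
Install-WindowsFeature NPAS-Policy-Server -IncludeManagementTools
netsh nps import filename="C:\NPSBackup\nps-config.xml"

# Register NPS in AD (adds it to "RAS and IAS Servers" so it can read
# user dial-in properties); needs Domain Admin rights
netsh nps add registeredserver

# Inventory of RADIUS clients = the WAPs (and switches, VPN) that currently
# send to the OLD server's IP and must be changed to this server's IP
Get-NpsRadiusClient | Format-Table Name, Address, Enabled -AutoSize

# Windows Firewall: the NPS install adds the RADIUS rules; confirm they are on
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' |
    Select-Object DisplayName, Enabled, Direction

# Event log check after the first WAP is repointed: 6272 = access granted,
# 6273 = access denied (reason code says why), 13 = unknown RADIUS client
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6272,6273,13} -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

One caveat a practitioner should check: if the network policies use PEAP or EAP-TLS, the imported configuration still references the old server's certificate by thumbprint. Open each such policy on the new server and select a certificate issued to the new host name (from the migrated CA), otherwise 802.1X clients will fail authentication even though the WAPs point at the right IP. Event ID 13 in the list above is the symptom of a WAP whose IP is not (yet) registered as a RADIUS client on the new server.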
Leo (asker)

"Kevinhsieh is referring to wireless access points (WAPs), which you don't necessarily have. If you do, you have to change their server IP configuration to point to the new RADIUS server."
We do have WAPs; kindly let me know the steps on how to do it.
Thanks.
Leo, configuration will depend on the specific client. Basically, you will find the IP of the previous RADIUS server, which will have to be replaced by the IP of the new RADIUS server.
Leo (asker)

Thanks.
Where will I find the IP of the old RADIUS server?
Would it be easier to give the new DC the same IP as the old DC? Then I don't have to change things around.
Leo,
Wireless access point (WAP) configuration depends on your specific WAP model.

Yes reusing the IP should make things easier.
Leo (asker)

Thanks.
One thing I noticed is that when I turn off the old DC 2008 server, we lose access to our vCenter.

How can I find out what to check in DC2008?
Leo (asker)

Would it be because this server holds the CA role?
Does 'lose access' mean errors when logging in with your domain credentials? If so, your vCenter probably points to a DC IP. In vCenter, just replace your LDAP server IP with that of a working DC.
https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.psc.doc/GUID-33ED845B-6310-4B4E-A704-8DAD26074320.html
and
https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.psc.doc/GUID-98B36135-CDC1-435C-8F27-5E0D0187FF7E.html