Steve Harris

Server 2012 upgrade

I came across an issue while trying to do Always On VPN. I noticed my DC for the organization is Server 2012 (I have never looked into this; I was told everything was 2012 R2 already).

I have verified it is 2012, and now I am at the point I need it 2012 R2 at bare standard. I have licenses for 2016 and 2019 server editions.

Should I run the upgrade or migrate over? Any thoughts?
Mike Schrock

I wouldn't do an OS upgrade on a DC; stand up a new one and go from there.
Why would you EVER Upgrade? Upgrades are NEVER as stable as clean installs.
Steve Harris

ASKER

The downside is no one in the organization knows what's tied to what. Hence why upgrade is on the table. Migration is preferred but I'm worried about downing some other system that relied on that DC. Also, we have replication to another facility out of state that is intermittent.
No, that's the opportunity to CLEAN UP the mess that was created.  That doesn't mean being unwise about it.  But you create another DC (if necessary) and then you start testing what happens by turning OFF the 2012 DC.  Any problems?  Turn it back on.  No?  Turn it on after a week and demote it.  Then get rid of it.  Don't perpetuate the chaos of a poorly designed/setup environment, FIX IT!
ASKER CERTIFIED SOLUTION
Jeff Glover

This solution is only available to members.

"Migration is preferred but I'm worried"

You should be.

As per Microsoft best practice for all versions of Windows to date:

The recommended way to upgrade a domain is to promote domain controllers that run newer versions of Windows Server and demote older domain controllers as needed. That method is preferable to upgrading the operating system of an existing domain controller.

That said, you CAN get away with upgrading some DCs so long as you're good about it and ALL they were doing was being a DC.

However the process requires making them member servers prior to upgrading them which may defeat the purpose as it sounds like you may only have 1 DC?

"worried about downing some other system that relied on that DC."

You should now build a second one right away anyway regardless of upgrade.

Things which might have only had one entry before that would need to be addressed:

  • Firewall rules (add a second object to all existing rules for your DC so that it goes to both)
  • DHCP - assign both DCs as DNS
  • Statically assigned Systems - Add both DCs as DNS
  • All Systems - make sure NTP is using /DomHier
  • Move DHCP to a separate server from your DCs if currently on one.

Assuming that's all in place you would:

  1. Confirm AD is replicating well and Sysvol is replicated over.
  2. Move all FSMO roles to the new AD Server.
  3. Confirm Replication is good.
  4. Demote the Windows 2012 System to a Member Server.
  5. Upgrade the system to 2016 or 2019.
  6. Reboot, check secure channel.
  7. Rejoin the Domain if needed.
  8. DCPromo the DC back into the domain as a domain controller again.
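
Steps 1 to 3 above can be scripted as a gate, so the demotion in step 4 only goes ahead when replication is clean and the old DC holds no FSMO roles. The PowerShell below is an added example, not part of the original answer; the DC names OLD-DC01 and NEW-DC01 are hypothetical, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread. Run from an admin host with the RSAT ActiveDirectory module.
# OLD-DC01 and NEW-DC01 are hypothetical names; substitute your own.
Import-Module ActiveDirectory
$OldDC = 'OLD-DC01'   # Server 2012 DC that will be demoted
$NewDC = 'NEW-DC01'   # newer DC that will take the FSMO roles

function Assert-ReplicationHealthy {
    # Steps 1 and 3: fail if any inbound replication link in the domain reports an error.
    $bad = Get-ADReplicationPartnerMetadata -Target (Get-ADDomain).DNSRoot -Scope Domain |
        Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 }
    if ($bad) {
        $bad | Format-Table Server, Partner, LastReplicationResult, LastReplicationSuccess | Out-Host
        throw 'Replication errors present; fix these before moving roles or demoting.'
    }
    # SYSVOL and NETLOGON must be shared on the DC that stays behind.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (-not (Test-Path "\\$NewDC\$share")) { throw "$share is not shared on $NewDC." }
    }
}

function Get-FsmoHolders {
    # Returns role name -> holder FQDN for all five roles, read from the new DC's copy of AD.
    $d = Get-ADDomain -Server $NewDC; $f = Get-ADForest -Server $NewDC
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

Assert-ReplicationHealthy                                   # step 1

# Step 2: transfer (not seize) every role not already on the new DC.
$holders = Get-FsmoHolders
$toMove  = $holders.Keys | Where-Object { $holders[$_] -notlike "$NewDC.*" }
if ($toMove) {
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole $toMove -Confirm:$false
}

Assert-ReplicationHealthy                                   # step 3
$left = (Get-FsmoHolders).GetEnumerator() | Where-Object { $_.Value -like "$OldDC.*" }
if ($left) { throw "Roles still on ${OldDC}: $($left.Key -join ', ')" }
Write-Output "$OldDC holds no FSMO roles and replication is clean; demotion (step 4) can proceed."
# Step 6, on the upgraded member server after the reboot: Test-ComputerSecureChannel -Verbose
```

With intermittent replication to a remote site, the first call is expected to throw until those links are repaired, which is the point of running it before any role move.
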
@Ben, we do have 2 DCs and it's replicated over to another office out of state. Granted, replication has been not 100% functional, but working on it.