Server 2012 upgrade

Steve Harris
I came across an issue while trying to set up Always On VPN. I noticed my DC for the organization is Server 2012 (I had never looked into this; I was told everything was 2012 R2 already).

I have verified it is 2012, and now I am at the point where I need it to be 2012 R2 at the bare minimum. I have licenses for the 2016 and 2019 server editions.

Should I run the upgrade or migrate over? Any thoughts?
Mike Schrock, IT Operations Manager

Commented:
I wouldn't do an OS upgrade on a DC, stand up a new one and go from there.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
Why would you EVER upgrade? Upgrades are NEVER as stable as clean installs.
Steve Harris, IT Analyst

Author

Commented:
The downside is that no one in the organization knows what's tied to what, hence why upgrade is on the table. Migration is preferred, but I'm worried about downing some other system that relied on that DC. Also, we have replication to another facility out of state that is intermittent.

Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
No, that's the opportunity to CLEAN UP the mess that was created. That doesn't mean being unwise about it. But you create another DC (if necessary) and then you start testing what happens by turning OFF the 2012 DC. Any problems? Turn it back on. No? Turn it on after a week and demote it. Then get rid of it. Don't perpetuate the chaos of a poorly designed/setup environment, FIX IT!
Sr. Systems Administrator
Commented:
The only things that would be dependent on a DC itself would be if someone hard-coded the name in an LDAP connection or if it is a main DNS server. Either way, Lee has given you the best advice and you should follow it. Make sure you have another DC in the site and it is a GC, then turn it off for a week. If nothing breaks, get rid of it. Never upgrade a DC.
Ben Personick (Previously QCubed), Lead SaaS Infrastructure Engineer

Commented:
"Migration is preferred but I'm worried"

You should be.

As per Microsoft best practice for all versions of Windows to date:

The recommended way to upgrade a domain is to promote domain controllers that run newer versions of Windows Server and demote older domain controllers as needed. That method is preferable to upgrading the operating system of an existing domain controller.

That said, you CAN get away with upgrading some DCs so long as you're good about it and ALL they were doing was being a DC.

However, the process requires making them member servers prior to upgrading them, which may defeat the purpose, as it sounds like you may only have one DC?

"worried about downing some other system that relied on that DC."

You should now build a second one right away anyway regardless of upgrade.

Things which might have only had one entry before that would need to be addressed:

  • Firewall rules (add a second object to all existing rules for your DC so that it goes to both)
  • DHCP - assign both DCs as DNS
  • Statically assigned Systems - Add both DCs as DNS
  • All Systems - make sure NTP is using /DomHier
  • Move DHCP to a separate server from your DCs if currently on one.

Assuming that's all in place, you would:

  1. Confirm AD is replicating well and Sysvol is replicated over.
  2. Move all FSMO roles to the new AD Server.
  3. Confirm Replication is good.
  4. Demote the Windows 2012 System to a Member Server.
  5. Upgrade the system to 2016 or 2019.
  6. Reboot, check the secure channel.
  7. Rejoin the domain if needed.
  8. DCPromo the DC back into the domain as a domain controller again.
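As an added example that is not from the thread or from Microsoft, the following PowerShell pre-flight covers steps 1 to 3 above (plus the "second DC in the site and it is a GC" check): it refuses to proceed if replication to the new DC is failing or stale, if SYSVOL is not yet served by it, or if the 2012 DC still holds any FSMO role. The server names DC2012 and DC2019 are assumed placeholders; run it with the RSAT ActiveDirectory module as a Domain/Enterprise Admin.

```powershell
<#
  Added example (not the thread's or Microsoft's code). Pre-flight for steps 1-3:
  replication healthy, SYSVOL present, second DC is a GC, FSMO roles moved off the
  old DC. Server names below are assumed placeholders.
#>
param(
    [string]$OldDc = 'DC2012',   # assumed: the Server 2012 DC being retired
    [string]$NewDc = 'DC2019'    # assumed: the replacement DC, already promoted
)
Import-Module ActiveDirectory -ErrorAction Stop

# A second DC must exist in the same site and be a Global Catalog before anything is demoted.
$new = Get-ADDomainController -Identity $NewDc
$old = Get-ADDomainController -Identity $OldDc
if ($new.Site -ne $old.Site)   { throw "$NewDc is in site $($new.Site), not $($old.Site)" }
if (-not $new.IsGlobalCatalog) { throw "$NewDc is not a Global Catalog yet" }

# Step 1: no inbound replication failures on the new DC, and every partner synced within a day.
$failures = Get-ADReplicationFailure -Target $NewDc
if ($failures) { $failures | Format-Table Server, Partner, FailureCount, LastError; throw "Replication failures on $NewDc" }
$stale = Get-ADReplicationPartnerMetadata -Target $NewDc -Scope Server |
         Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-24) }
if ($stale) { throw "Stale inbound partners on ${NewDc}: $($stale.Partner -join ', ')" }

# SYSVOL: the domain's Policies folder must already be shared from the new DC.
$sysvol = "\\$NewDc\SYSVOL\$((Get-ADDomain).DNSRoot)\Policies"
if (-not (Test-Path $sysvol)) { throw "SYSVOL not replicated to $NewDc ($sysvol missing)" }

# Step 2: find which of the five FSMO roles the old DC still holds and move them to the new DC.
$domain = Get-ADDomain; $forest = Get-ADForest
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$toMove = $roles.GetEnumerator() |
          Where-Object { ($_.Value -split '\.')[0] -ieq ($OldDc -split '\.')[0] } |
          ForEach-Object { $_.Key }
if ($toMove) {
    Write-Host "Moving roles off ${OldDc}: $($toMove -join ', ')"
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $toMove -Confirm:$false
}

# Step 3: re-read the role holders; none may still point at the old DC before it is demoted.
$holders = @((Get-ADForest).SchemaMaster, (Get-ADForest).DomainNamingMaster,
             (Get-ADDomain).PDCEmulator, (Get-ADDomain).RIDMaster, (Get-ADDomain).InfrastructureMaster)
if ($holders | Where-Object { ($_ -split '\.')[0] -ieq ($OldDc -split '\.')[0] }) { throw "FSMO roles still on $OldDc" }
Write-Host "Pre-flight OK: $OldDc holds no FSMO roles; safe to proceed to step 4 (demote)."
```

After step 6 on the rebuilt box, `Test-ComputerSecureChannel -Repair` and `w32tm /config /syncfromflags:DOMHIER /update` cover the secure-channel check and the /DomHier item from the list above.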
Steve Harris, IT Analyst

Author

Commented:
@Ben, we do have 2 DCs and it's replicated over to another office out of state. Granted, replication has not been 100% functional, but we're working on it.