Windows Server 2019/2016 AD Directory

cmp119
We currently have an AD domain with two replicating 2012 Server DCs. Domain Functional level is at 2012.

The Primary DC is a physical server with Windows Server 2012 Standard, and will be (7) years old.  

The other replicating DC is a Windows Server 2012 DC that's a VM.  The Hyper-V server that hosts this VM and another VM that is an Exchange 2010 Standard server is Windows Server 2012 Standard and is also close to (7) years old as well.

Overall, AD is healthy without issues.   At the end of this year we will retire the existing Exchange 2010 server and move to O365 hosted mailboxes.

I am getting ready to purchase a Dell R440 that will serve as a Hyper-V server.  Will purchase Windows Server 2019 Standard.  I will install a new VM that will replace the primary 2012 DC that's on the physical server.

I also have an existing Dell R440 server that is a Hyper-V Server with Windows Server 2016 Standard.  I have one VM that is a Windows Server 2016 that serves as a Storage server.
I plan on spinning up a second VM on the server to serve as a new replicating DC server.

When I purchase the new Dell R440 server along with Windows Server 2019 Standard, should I go ahead and install the Hyper-V Host with Windows Server 2019 Standard, and then also install the new primary DC that will hold all FSMO roles as a Windows Server 2019 Standard VM or downgrade it to Windows Server 2016 Standard?

I already have 25 Windows Server 2016 CALS.  I can go ahead and bite the bullet and acquire the necessary 2019 CALS.  The plan is to decommission the existing 2012 DCs with newly created DCs.

I just want to make sure if I have a 2019 DC operating with 2016 DC that I do not have issues.  2019 Server is still relatively new, and I do not want to incur AD issues because of it.  So that is why I am thinking of downgrading the OS for the DC to 2016 server instead, but that might not be necessary.
Sr. Systems Administrator
Commented:
> I already have 25 Windows Server 2016 CALS.

If you have the CALs for 2016 but not 2019, you could just stay at 2016.
From an AD standpoint, there are no changes between the 2 versions; a 2019 domain controller can go to 2016 functional level because there is no 2019 functional level.

What’s new in Active Directory 2019? Nothing.
https://blogs.technet.microsoft.com/389thoughts/2018/12/02/whats-new-in-active-directory-2019-nothing/

> I just want to make sure if I have a 2019 DC operating with 2016 DC that I do not have issues.

If you did run both together, it would be just fine.
cmp119, IT Manager

Author

Commented:
Thank you for the quick reply!!!

Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
DO NOT buy the server WITH 2019.  Buy 2019 separately as a volume license.  You don't want to limit your options by using slightly cheaper OEM software.  The flexibility (media, versions you use, hardware transfer) is worth the extra $100-300 considering how much you're otherwise spending on the server.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
The host OS is bound by the OEM license. The guests are transferable so long as the destination host has the correct licensing in place.

See Eric's explanation here which is about the best I've seen.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
I know - so long as you use OEM on everything... but you can't transfer the license when the system dies.  I really don't view OEM as a good thing - it's something many people get caught with, then want to buy a new server and transfer the license but can't.  A 2019 license may prove useful years after the server's aged out... but it's a waste of money to buy it at the start - "penny wise, pound foolish" in my opinion.  Rarely would I consider it a good idea... because things change...
kevinhsieh, Network Engineer

Commented:
I have Windows 2008 R2 DCs in the same domain as 2012, 2012 R2, 2016, and 2019 DCs. They all are playing together very nicely.
cmp119, IT Manager

Author

Commented:
I presume you had to update your replication topology to DFSR as FRS then.  I am currently reviewing Philip Elder's link on this topic.  I have never done this before and do not want to screw AD either, so I am reviewing before doing anything.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
System State backup of the PDCe/FSMO Role holders is mandatory.

If cautious, take it one step at a time.

We've done a lot of the FRS to DFSR migrations for AD replication here and nary an issue to date.
cmp119, IT Manager

Author

Commented:
Okay, I just finished migrating the replication topology to DFSR from FRS.  I used the article link that Philip Elder provided above.  I carefully followed each step as dictated within the article.  I followed the Quick Migration steps accordingly.  Each step completed without error.

As you can see below, it shows Redirected and Elimination states completing fine.  The Prepared state completed fine, it's just not listed within the screenshot.

[Screenshot: DFSR migration results]
Afterwards I rebooted both DCs to ensure there were no boot errors to contend with.  They booted fine.  Afterwards, I installed (2) Windows Security Updates that just came out, and rebooted both DCs once again.

However, after checking the event viewer logs on both DCs I am now seeing Event ID:  5014 (DFSR) & 5008 (DFSR) errors as displayed within the below screenshots.

Event log of primary DC with all FSMO Roles.

[Screenshot: event log of the DC with all FSMO roles]

Event log of replicating DC.

[Screenshot: event log of the replicating DC]
I will continue monitoring the event logs to see if these errors persist.  I also ran the AD Replication Status Tool, and it all checks out in that no replication failures are noted.

I found the following article referencing DFSR Event ID 5008, but I am not sure whether it's necessary to update the TCP Off-Load registry settings on both DCs as specified.  Can you let me know if you ran across the same issue, and if it simply went away or if you needed to do anything to correct this issue?

https://social.technet.microsoft.com/Forums/en-US/24c820da-960a-4ebd-8892-8fc291393543/dfsr-event-id-5008?forum=winserverfiles
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
It's amazing how something at the "hardware" level, in this case network acceleration features, can impact the actual services running on top of them. :S

There's no loss to run the changes. Take a backup of the indicated registry key set and import it back if the change does not improve things. I suspect it will.
cmp119, IT Manager

Author

Commented:
I updated the registry on both DCs the other day, and it made no difference in that when backups run at four intervals the following event viewer entry appears:

Event ID 5014, DFSR indicates Error:  9036 (Paused for backup or restore).

I will leave the registry entries as is and not revert them back since it made no difference.

This morning I found the following article that indicates this warning message is normal and can be ignored.

https://social.technet.microsoft.com/Forums/en-US/af89b4e2-ad28-4978-8355-3973cc476dfe/dfs-replication-issue-in-secondary-ad?forum=winserverDS
cmp119, IT Manager

Author

Commented:
I am hoping I will be able to cleanly introduce a new Windows Server 2019 DC and move all the FSMO roles, add a new replicating Windows Server 2016 DC, and then demote/decommission the existing Windows 2012 DCs cleanly.  Meaning the demotions properly clean up all remnants within AD.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
It should not be a problem. We've done it many, many times.

If the errors are happening while the backup is running then the backup is probably constraining things.
kevinhsieh, Network Engineer

Commented:
DFSR paused for backup notifications are normal and to be expected when a DC is being backed up.
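
An added example, not posted by anyone in this thread: a PowerShell triage of the two DFSR event IDs discussed above (5008 and 5014), separating the 5014 entries that carry error 9036 (Paused for backup or restore) from everything else. The sample events, the partner name DC02, the function name and the "investigate" label for all other cases are assumptions made for illustration.

```powershell
# Constructed sample events (not taken from the thread's screenshots).
$sample = @(
    [pscustomobject]@{
        TimeCreated = [datetime]'2019-06-12 01:00:04'; Id = 5014
        Message = 'The DFS Replication service is stopping communication with partner DC02 ' +
                  'for replication group Domain System Volume due to an error. ' +
                  'Additional Information: Error: 9036 (Paused for backup or restore)'
    }
    [pscustomobject]@{
        TimeCreated = [datetime]'2019-06-12 09:17:41'; Id = 5008
        Message = 'The DFS Replication service failed to communicate with partner DC02 ' +
                  'for replication group Domain System Volume. ' +
                  'Additional Information: Error: 1722 (The RPC server is unavailable.)'
    }
)

# Hypothetical helper: pull the numeric error code out of the event message and
# label 5014/9036 as expected during a backup; anything else needs a look.
function Get-DfsrEventTriage {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $code = if ($e.Message -match 'Error:\s*(\d+)') { [int]$Matches[1] } else { $null }
        $triage = if ($e.Id -eq 5014 -and $code -eq 9036) {
            'expected-during-backup'
        } else {
            'investigate'
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            ErrorCode   = $code
            Triage      = $triage
        }
    }
}

Get-DfsrEventTriage -Events $sample | Format-Table -AutoSize

# On a DC, feed it the live log instead of the constructed sample:
# Get-DfsrEventTriage -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'DFS Replication'; Id = 5008, 5014; StartTime = (Get-Date).AddDays(-7) })
```

Comparing the timestamps of the "expected-during-backup" rows against the backup schedule confirms whether every 9036 entry falls inside a backup window.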
