Peterson50
asked on
Migrate AD from Windows Server 2012 to Windows 2019 on new hardware
Getting a new server in (Windows 2019) to replace an aging server with Windows 2012 on it. Will install the Hyper-V role on the new server and set up a Windows 2019 VM. The existing server primarily is a file and share with QuickBooks on it, not much of anything else. What is the easiest way to move everything over to the new server VM, with the new server now taking over all roles along with server name / shares etc., in a step-by-step process?
ASKER
Thanks for the great info. Will create 2 VMs (a small one with 4 gigs for the DC) and a second member server etc. Join to AD as DC, replicate etc. Will follow the steps of Arnold and Long tomorrow as I'm starting it up, and get back quickly. The only roles on this server are DNS and AD (it's not doing DHCP). Very small construction office, 10 people, but lots of files that need to be maintained, and drawings.
AD Replication needs to be migrated from FRS to DFS-R (my blog post) prior to introducing a Server 2019 DC.
EDIT: Put ADDS/DNS/DHCP on one VM and File/Print on another then use the Storage Migration Service to move all of the data. It's awesome.
I have two very thorough EE articles on all things Hyper-V:
Some Hyper-V Hardware and Software Best Practices
Practical Hyper-V Performance Expectations
Some PowerShell Guides:
PowerShell Paradise: Installing & Configuring Visual Studio Code (VS Code) & Git
PowerShell Guide - Standalone Hyper-V Server
PowerShell Guide - New VM PowerShell
PowerShell Guide - New-VM Template: Single VHDX File
PowerShell Guide - New-VM Template: Dual VHDX Files
Here are some focused articles:
This one is important for virtualized DCs: Set up PDCe NTP Domain Time in a Virtualized Setting
Slipstream Updates Using DISM and OSCDImg (keep your Windows Desktop/Server .ISO files up to date)
Protecting a Backup Repository from Malware and Ransomware
Disaster Preparedness: KVM/IP + USB Flash = Recovery. Here’s a Guide
ASKER
Thanks for that step. I will migrate AD replication on the 2012 server from FRS to DFS-R first and make sure that is correct prior to anything else. According to the documentation you sent, Windows Server 2016 still utilizes FRS but 2019 requires DFS-R prior to AD replication. Time to read this weekend.
Thanks
How many DCs do you have?
If you only have one currently, you can perform the DFSmigrate.
Yes, DFS-R was added with Windows 2003 R2, though I think the dfsrmigrate of sysvol from FRS to DFS-R waited until Windows 2008.
There are many advantages to DFS-R (no journaling corruption, D2/D4 burflags that prevent the sharing of the netlogon/sysvol).
ASKER
Any different steps to migrate to DFS as opposed to DFS-R?
Two different items.
DFS: domain-based file share.
You always had DFS as an option; the issue was how to get the same files to exist on multiple systems that share the same namespace. This is where NTFRS came into play.
DFS-R is the replication component of the above, the replacement for NTFRS.
Look at the administrative tools on your Win2k12 and see the DFS Management interface.
Sysvol is just a special/restricted shared resource.
Resolve the issue with the migration from NTFRS as the data replication mechanism to DFS-R, and in another/follow-up question we could help with the other questions you might have.
Yes. Server 2019 and up require DFSR for AD Replication. The process is really simple.
We've not had any issues.
I do suggest taking a System State Backup of the FSMO Role holder prior to starting the process.
ASKER
Ran checks on the current server's AD: no issues. Ran AD replication status: no errors. Then started with Dfsrmig /setglobalstate 1 and got the following:
Current DFSR global state: Eliminated
new DFSR global state: Prepared
Invalid state change requested
What causes this error?
Run dfsrmig /GetMigrationState to see what the state is first.
Did you confirm that NTFRS is what handles your sysvol replication?
ASKER
I ran dfsrmig /GetMigrationState and get the following:
All domain controllers have migrated successfully to the Global state ('Eliminated') Migration has reached a consistent state on all domain controllers
Succeeded
ASKER
Ran ADSI Edit, and the msDFSR-Flags being set to 48 indicates it is migrated properly. Ran Dcdiag and it passed all tests with no errors. Will start the second step and add the 2019 server to the domain; promoting it should take place properly. Going well at this point!!
I think this suggests that your setup was already using DFSR for sysvol.
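The check the asker did by hand in ADSI Edit, as an added example that is not part of the original thread: it reads msDFSR-Flags from the domain's DFSR-GlobalSettings object and maps the value to the state name dfsrmig reports. It assumes the ActiveDirectory RSAT module is installed; the function name Get-SysvolMigrationState is hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Hypothetical helper: report the SYSVOL migration global state recorded in AD.
function Get-SysvolMigrationState {
    param(
        # DC to query; defaults to the domain's PDC emulator.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    # msDFSR-Flags values and the state names dfsrmig prints for them.
    $stateNames = @{ 0 = 'Start'; 16 = 'Prepared'; 32 = 'Redirected'; 48 = 'Eliminated' }

    $domainDn   = (Get-ADDomain -Server $Server).DistinguishedName
    $settingsDn = "CN=DFSR-GlobalSettings,CN=System,$domainDn"

    try {
        $settings = Get-ADObject -Identity $settingsDn -Properties 'msDFSR-Flags' `
                                 -Server $Server -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # No global settings object: migration was never started, SYSVOL is still on FRS.
        return [pscustomobject]@{
            Server = $Server; Flags = $null; State = 'NotStarted (FRS)'; StateChangeAllowed = $true
        }
    }

    $flags = [int]$settings.'msDFSR-Flags'
    $state = if ($stateNames.ContainsKey($flags)) { $stateNames[$flags] } else { 'Unknown' }

    [pscustomobject]@{
        Server = $Server
        Flags  = $flags
        State  = $state
        # Eliminated (48) is final: dfsrmig refuses any further /SetGlobalState,
        # which is the "Invalid state change requested" message quoted above.
        StateChangeAllowed = ($flags -ne 48)
    }
}

Get-SysvolMigrationState | Format-List
```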
ASKER
Connection of the first VM running AD went fine. Connected to AD and everything replicated fine, no errors in the database. Getting ready to create the second VM for file share and print. It needs about 2.5TB of space. The question is, should the vhdx be a fixed disk or dynamic? Is there a huge performance difference between the two, and what issues are there with power outages etc.? Microsoft best practices recommend fixed disk over dynamic.
Thanks Much
2.5TB Max size
A fixed allocation consumes the entire resource. A dynamic vhdx will consume fewer storage resources from the beginning, but will consume computing resources every time it approaches and needs to expand.
How much data is currently on the 2012 that you would use dfsr to copy?
If your current space is 75% of the 2.5TB use fixed.
ASKER
The RAID on the new server is at 5.45TB (8GB RAID), and the current amount of actual data on the old server to copy is 2.1TB. I was considering making a 4TB fixed VHDX. So your suggestion is right on spot.
ASKER
I read the Best Practices and Hyper-V Performance Expectations in their entirety and followed the suggestions (including NIC and memory). The first two volumes, which are small, are fixed vhdx and the last one is dynamic vhdx, as having to move it around would be easier. When the original server crashed, I had to download 1.7TB of data on a makeshift server as immediate access was needed to some files, and that took time. If it was a 4TB vhdx file that would have been a longer time and running around for a drive for temporary storage, so your suggestions work. Both VM servers are up and running fine, no AD issues or errors. Shares are created with proper permissions; now I will need to copy the shares' data using DFS (or sometimes I like to use Beyond Compare).
Final steps before decommissioning old server (may still use it as backup for Hyper-V)
Move 5 FSMO roles over
Schema
Domain Master
Infrastructure
RID
PDC
After this I can successfully remove the active domain controller from the old server and decommission it, correct?
Thanks for all the help much appreciated.
Once the FSMO Roles are moved over and verified to be seated correctly, then the next step is to make sure DHCP is handing out IPs and DNS pointers for only the new DC and if there are others at least one other.
Then, shut down the old DC for a week. Watch for, and get calls from users, anything that may be set up to point to the old DC. This is possible given the way some LoBs are set up.
Make sure all servers have their NIC DNS moved to the new DC.
Enter-PSSession SERVERNAME
$DNS0 = "192.168.1.93"
$DNS1 = "192.168.1.92"
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses $DNS0,$DNS1
Exit
If there's only one DC then delete the $DNS1 and ,$DNS1 from the lines above. Change the IP(s) as necessary. SERVERNAME gets replaced with the intended server.
The above code must be run from an elevated PowerShell using an admin account for any of the remote servers being connected to.
Personally, before shutting down the retiring DC, I would simply disconnect it from the network: turn off the network switch port. Turnaround is quicker if remote.
ASKER
Performed an initial copy of data and tested access of shares and everything looks fine; will perform final replication this evening. Reviewing the FSMO transfer, when looking at the Domain Naming Master it shows an error message (picture attached) and only shows the current DC in both fields, current and the new one. What may cause this error?
Thank You
ASKER
As an update:
1. I ran ADUC and was able to transfer the RID, PDC and Infrastructure roles.
2. Initially I had the error I mentioned above, but I attempted to run the Operations Master while on the old server and it did display the new server and it changed (previously I got the error message on the new server DC).
3. The last one was Schema Master, and when attempting to make the change it only shows the old server for both masters.
4. I then ran the above two GET commands on the old server and the response is attached. It shows the PDC, RID, Infra and DomainNaming all show the new server (RC-DC01) but the old server (Server01) as the schema master. The next message will show the new server after running the GET commands.
ASKER
I finally got it done using the Move-ADDirectoryServerOperationMasterRole command with SchemaMaster as the option. All roles now show up with the new server. Do I just power down the server, restart it or remove AD off it? I plan to repurpose it for another role, just not DC. Or should I pull the plug for an hour or two and see if anyone starts yelling at me first?
Thanks much for great help!!
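The verification and transfer described in this post, as an added example that is not part of the original thread: it lists the five role holders, moves only the roles not yet on the new DC, then compares what each DC reports. RC-DC01 and Server01 are the server names mentioned above; the function name Get-FsmoHolder is hypothetical and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$NewDC = 'RC-DC01'    # new DC, as named in the thread
$OldDC = 'Server01'   # DC being retired, as named in the thread

# Hypothetical helper: the five FSMO role holders as seen by one DC.
function Get-FsmoHolder {
    param([Parameter(Mandatory)][string]$Server)
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Roles the new DC does not yet list as its own (holders are returned as FQDNs).
$view    = Get-FsmoHolder -Server $NewDC
$pending = @($view.Keys | Where-Object { ($view[$_] -split '\.')[0] -ne $NewDC })

if ($pending.Count -gt 0) {
    # Schema Master needs Schema Admins; Domain Naming Master needs Enterprise Admins.
    # This is a transfer, not a seizure (no -Force), and it prompts for confirmation.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole $pending
}

# Compare both DCs' views; a mismatch means replication has not converged yet.
$new = Get-FsmoHolder -Server $NewDC
$old = Get-FsmoHolder -Server $OldDC
foreach ($role in $new.Keys) {
    [pscustomobject]@{
        Role      = $role
        NewDCView = $new[$role]
        OldDCView = $old[$role]
        Agreed    = ($new[$role] -eq $old[$role])
        OnNewDC   = (($new[$role] -split '\.')[0] -eq $NewDC)
    }
}
```

Every row should show Agreed and OnNewDC as True before the old DC is disconnected or demoted.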
ASKER
If I disconnect it won't I get replication errors or that is okay for the time being? After a week power the unit back on and remove AD from the unit?
Yes, there will be replication errors.
You do not need to power down, network disconnect is sufficient.
Usually, you should have two DCs.
If it's both a domain controller and a file server, I'd split the roles: create 2 Windows Server 2019 VMs and let one be a domain controller, the other one the member file server. Makes things easier since you can easily rename a member server but not a domain controller.