question

0 Votes
matteu31400 asked DSPatrick commented

Domain controller migration 2008r2 to 2019

Hello,

I need to migrate a domain controller from 2008r2 to 2019 and I would like to know if I can keep the same IP and same name.
I think I can use a temporary IP + name on my new domain controller during the migration, and when my new domain controller is operational, I just demote the older one and remove it from AD. Then I change the IP + name on my new DC and reboot + verify DNS is updated, and it's OK?

Thanks for your answer.

windows-active-directory

1 Vote
DSPatrick answered

There are only 2 DC(SRV1 and SRV2) on the environment. I would like to avoid shut down one of them and build new one after. If there is an issue, I could have 0 DC.

Yes, I can understand this, and what you propose may work out for you, but it is just a very messy way to accomplish the task. The much simpler / safer method would be to stand up the temporary (SRV3); now you have redundancy! Now move roles off (SRV1), decommission / demote, build a new one, follow the same steps for (SRV2), and in the end decommission / demote temp (SRV3). Here was a 10,000 foot view of steps. Follow my detailed steps above for actual.

--please don't forget to Accept as answer if the reply is helpful--






0 Votes
CARLOSGERMANBISSIO-9884 answered DSPatrick commented

Hi... I did a test. I created a new VM with 2019 Server Standard. Joined it to the domain, and then moved it to the DOMAIN CONTROLLERS OU and then... CRASH!!! The same symptom if I join the server as DC. So there is something in the group policy at the OU that CRASHES 2019 WINDOWS SERVER.

Then I tried to unjoin from the domain, and it still CRASHED.

Any suggestions, or someone with a new idea? BEFORE REINSTALLING THE ENTIRE DOMAIN?


I'd start a new thread as opposed to hijacking this one.




1 Vote

0 Votes
DSPatrick answered

Ok, yes definitely redirect the hard coded members and update the DHCP server to hand out valid healthy ones.


0 Votes
matteu31400 answered

Before being a DC, DC1 is just a workstation.
Then it's DC + DNS.
In between, I suppose my clients try to authenticate themselves on it because they are configured with DC1 as first DNS.

I suppose that was my issue?

I don't understand what it could be if it's not...

0 Votes
DSPatrick answered DSPatrick edited

but it isn't DNS server -

Not sure what is meant. You didn't install DNS role?

I depromote DC1 and rename it DC1-OLD I build new server DC1

Before building the new one you might check if clean up is necessary. Also clean up DNS (if needed)
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

--please don't forget to Accept as answer if the reply is helpful--











0 Votes
matteu31400 answered

Migration worked fine except for one thing:

Before migration, there are DC1 + DC2.
I build DC3.
When I depromote DC1 and rename it DC1-OLD I build new server DC1.
Client computer can join DC1 but it isn't DNS server -> error when client tries to log in. It's working fine if I shut down DC1 or after DC1 is promoted as DC + DNS.
Is there a way to avoid this next time?

0 Votes
CARLOSBISSIO-7630 Suspended answered

Hi!... be careful... I tried to migrate, and after adding w2019 as DC, all text from desktop and explorer disappeared!! I'm working around it but no success yet.



0 Votes
matteu31400 answered DSPatrick commented

I forgot to say I would like to migrate from 2 2008r2 to 3 2019.
That means SRV3 will stay.

I understand perfectly how I have to do it now :)

I think it's a good way to do a migration by using a temporary DC when there are only 2 DCs in the environment.
I will try to convince my client to have 3 DCs permanently because with 2, when 1 is down and you need to restart the other.... (He had this issue in December 2020 ^^ ).

Thank you for your help.


Sounds good, you're welcome.




0 Votes

0 Votes
matteu31400 answered

Hello,

There are only 2 DC(SRV1 and SRV2) on the environment. I would like to avoid shut down one of them and build new one after. If there is an issue, I could have 0 DC.
Could you validate this for me:

I prefer to keep both current ones online while I build the new one (SRV3) with a "temporary" name and IP and promote it as DC.
I can then verify Active Directory is functional with SRV1 / SRV2 / SRV3 (dcdiag / repadmin).
I can demote SRV1 and shut it down.
I can swap the temporary name and IP of SRV3 to match SRV1.
Now I need to restart the netlogon service to force srv service to register on the msdcs DNS zone.
After all updates are done on DNS, verify dcdiag and repadmin are OK and remove SRV1.

I need to do the same operation for SRV2.


To test Active Directory health:
dcdiag /a

To test replication:
repadmin /replsum
repadmin /showrepl

Am I OK?

1 Vote
DSPatrick answered

The much safer / simpler solution is to move roles off, decommission, then stand up the new one with correct name and address.

The two prerequisites to introducing the first 2019 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSR.
https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

I'd use dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health; when all is good you can decommission / demote old one.


--please don't forget to Accept as answer if the reply is helpful--
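
The two prerequisites and the dcdiag / repadmin health checks from the answer above, combined into one readiness gate. This is an added PowerShell example, not part of the original thread; it assumes the ActiveDirectory module (RSAT) and English-language tool output, and the function name Test-DcMigrationReadiness is made up for illustration.

```powershell
# Added example: readiness gate before introducing the first Server 2019 DC.
# Assumes the ActiveDirectory module (RSAT) and English tool output; written to
# run on PowerShell 2.0 so it also works on the existing 2008 R2 DCs.
Import-Module ActiveDirectory

function Test-DcMigrationReadiness {   # hypothetical helper name
    $problems = @()

    # Prerequisite 1: domain functional level must be 2008 or higher.
    $tooOld = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
    $mode = (Get-ADDomain).DomainMode.ToString()
    if ($tooOld -contains $mode) {
        $problems += "Domain functional level is $mode; raise it to 2008 or higher."
    }

    # Prerequisite 2: SYSVOL must replicate over DFSR, not FRS.
    # dfsrmig reports the global state 'Eliminated' once FRS is fully retired.
    $dfsr = (dfsrmig /getglobalstate) -join ' '
    if ($dfsr -notmatch 'Eliminated') {
        $problems += "SYSVOL not fully migrated to DFSR: $dfsr"
    }

    # Health 1: dcdiag /q prints only errors, so any output is a finding.
    $diag = dcdiag /a /q
    if ($diag) { $problems += "dcdiag errors:`n" + ($diag -join "`n") }

    # Health 2: every replication link must show zero failures.
    # Rows marked showrepl_ERROR are DCs that repadmin could not query at all.
    $links = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
    foreach ($l in $links) {
        if ($l.showrepl_COLUMNS -eq 'showrepl_ERROR') {
            $problems += 'repadmin could not query at least one DC; run repadmin /showrepl * for details.'
        } elseif ([int]$l.'Number of Failures' -gt 0) {
            $problems += "Replication failing: $($l.'Source DSA') -> $($l.'Destination DSA') " +
                         "[$($l.'Naming Context')] status $($l.'Last Failure Status')"
        }
    }
    return $problems
}

$findings = @(Test-DcMigrationReadiness)
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No blocking findings: prerequisites met, dcdiag and replication clean.' }
```

Running the same gate again after promoting the new DC, and before demoting the old one, covers the second health verification the answer calls for.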






