How to go about transferring current DC to new server

spiceuser-yw57 · 2024-07-23T02:49:14.413Z

Upgrading to Windows Server 2022 and was wondering the best way to transfer FSMO roles, etc to the new server … currently only running AD services and DNS on my current server.

I was thinking of adding a temporary server and setting it as a PDC and transferring all the roles over to it, re-imaging current on-premise server with Server 2022 and then transferring back the roles and making re-imaged server the PDC… is this correct way to do it or no?

PatrickFarrell · 2024-07-23T03:31:18.004Z

More or less. There is no PDC/BDC anymore, that hasn’t been a thing since NT 4.0

Assuming you are not permanently replacing the hardware and your existing server supports Server 2022, then yes you would promote a second domain controller. Transfer all FSMO roles. Make sure it is replicating properly. That means repadmin /showrepl doesn’t show errors and dcdiag /v run from bother domain controllers shows no errors.

You will need to contend with DNS and DHCP. What currently hands out DHCP? If it is the existing server, then you need to move it to the new one first. You also need to change your DHCP scope to hand out DNS for both domain controllers, or when you shut down the first one nobody will be able to reach the domain.

Once you do that, shut down the first server for a day and make sure people can log in without issue. Bring it back up, let it replicate. Again check repadmin and dcdiag.

Make sure when you configure DNS on the domain controllers you do it how I describe here:

Active Directory DNS Refresher Windows

It’s DNS. It’s always DNS. No, DNS is fine, it’s not DNS, trust me. It was DNS. I’m posting because in the last few weeks we’ve had a few posts that turned out to be misconfigurations with DNS in a domain environment. Things like Domain controllers pointing at themself first for DNS, or having a public DNS server on the NIC of the Domain Controller or the clients. Hopefully this will help some people get out in front of potential issues. The general rules for DNS in an AD E…

Demote the first domain controller. Nuke it, install Server 2022, and then do the same procedure that you just did above to bring that server into the fold, validate it, and then ultimately decom the second one. Better yet, keep 2 domain controllers.

adrian_ych · 2024-07-23T03:38:27.434Z

spiceuser-yw57:

Upgrading to Windows Server 2022 and was wondering the best way to transfer FSMO roles, etc to the new server … currently only running AD services and DNS on my current server.

I was thinking of adding a temporary server and setting it as a PDC and transferring all the roles over to it, re-imaging current on-premise server with Server 2022 and then transferring back the roles and making re-imaged server the PDC… is this correct way to do it or no?

But why do you need to reimage servers or do you mean to create templates ?
The thing with DCs is that the less done is better… I would think to create perm DCs rather than temp servers then demote/destroy as any screw-ups may cause Domain-wide issues ?

Then the thing is if there are other servers and/or services that may rely on DCs (DHCP, DNS, credentials etc) and replication between DCs may need 24 hrs to 72 hrs so that is not like immediate actions (up one DC and down another DC would literally take a better part of a week).

spiceuser-yw57 · 2024-07-23T03:58:44.659Z

DHCP is being handed out by the firewall. DNS would be set up like you explained above.

spiceuser-yw57 · 2024-07-23T04:00:47.628Z

I need to re-image the server because I do not want to do an in-place upgrade as it can cause further issues down the line and is not advised. There is only one physical server on-premise so I would have to bring a temporary one that I have hanging around to transfer roles, DC for time being and then transfer back once server 2022 is up and ready.

adrian_ych · 2024-07-23T04:07:07.120Z

Then why not consider using Server 2022 with hyper-v role and install DC2022 as a VM ?

The best practise is also to have 2 DCs and let the DCs replicate with each other.

spiceuser-yw57 · 2024-07-23T04:17:08.790Z

So you’re saying after a fresh install of Server 2022, add the role/feature of Hyper-V and set up two VMs, DC1 and DC2 with Windows Server 2022 and then transfer over roles from temporary server?

PatrickFarrell · 2024-07-23T04:31:38.460Z

Ideally, 2 DCs on seperate hardware. VMs are nice because they reboot almost instantly on decent hardware because you don’t have to deal with the hardware post. You do however have to patch the outer OS that hosts the VM so that is a consideration.

randomparts · 2024-07-23T14:50:26.074Z

When I upgraded DC’s from 2012 to 2019 I spun up new servers and migrated the roles to them. Like everyone has suggested here, I had 2 DCs. I used this site to transfer the FSMO roles.
https://adamtheautomator.com/transfer-fsmo-roles/
This made it easier, because I could spin up a DC, replicate to it and demote the old one with no downtime to users.

edrubin1718 · 2024-07-23T15:05:05.587Z

I’ve done it both ways, some sites we built a new server, promoted it to DC and moved roles, DNS DHPCP, IP addresses etc. Alternatively a lot of our clients sites have done an upgrade in place and have had no problems. In these cases the DC was a VM so we migrated to a new host and then upgraded in place. This gave us a back out since we could snapshot/checkpoint the VM before upgrading.

spiceuser-yw57 · 2024-07-24T13:22:45.245Z

Should I run any tests before transferring roles, etc? Like dcdiag?

sactownchad · 2024-07-24T13:36:13.313Z

I think you will find restoring a DC from a snapshot can be daunting if you have multiple DCs as the shared AD DB will be out of sync. With DCs the best path is to build a new one and migrate roles, no need whatsoever to keep the old DC around to “upgrade” just toss it.

PatrickFarrell · 2024-07-24T14:11:16.520Z

PatrickFarrell:

Assuming you are not permanently replacing the hardware and your existing server supports Server 2022, then yes you would promote a second domain controller. Transfer all FSMO roles. Make sure it is replicating properly. That means repadmin /showrepl doesn’t show errors and dcdiag /v run from bother domain controllers shows no errors.

See my first reply

“Assuming you are not permanently replacing the hardware and your existing server supports Server 2022, then yes you would promote a second domain controller. Transfer all FSMO roles. Make sure it is replicating properly. That means repadmin /showrepl doesn’t show errors and dcdiag /v run from bother domain controllers shows no errors.”

spiceuser-yw57 · 2024-07-25T14:21:36.610Z

If I have Server 2012 on one DC can I transfer roles, etc to lets say Server 2016 or Server 2019 machine for the time being until the 2012 gets upgraded to 2019 or 2022?

PatrickFarrell · 2024-07-25T14:40:45.940Z

You can transfer the roles to any domain controller in your domain regardless of version.

PatrickFarrell · 2024-07-25T14:42:33.331Z

You want whichever server has the PDCe role to be the authoritative time source for the domain.

learn.microsoft.com

Recommendation - Configure the Root PDC with an Authoritative Time Source and...

Recommends to configure the Root PDC with an Authoritative Time Source and Avoid a Widespread Time Skew.

spiceuser-yw57 · 2024-07-25T21:15:59.454Z

What errors am I looking for exactly when dcdiag/v ? I just added a second DC as a VM in my home lab for testing and ran rep admin commands that don’t show any errors, but dcdiag /v is showing a couple warnings and errors

PatrickFarrell · 2024-07-25T21:20:03.501Z

It depends on what the errors and warning are. Ideally you don’t want any. Some can potentially be ignored, but would have to know the specifics to make that judgement.

spiceuser-yw57 · 2024-07-25T22:23:34.930Z

Does it usually take a while for the DCs to replicate? My physical server is a DC and then I created a VM in Hyper-V role and promoted it to a DC in the same domain. I set the preferred DNS server on the VM to point to DC1 and secondary as a loopback.

PatrickFarrell · 2024-07-26T01:35:06.857Z

Should be very quick if they are in the same site.