Our domain has 3 domain controllers running on Windows Server 2012 R2. I am working on a plan to stand up new servers and promote them into the DC role and demote the existing ones.<\/p>\n

Advertisement

Close

Multiple roles have been installed on one or more DCs, including File and iSCSI Services, Windows Deployment Services, AD Lightweight Directory Services, DNS, DHCP, and Certificate Services.<\/p>\n

Advertisement

Close

I am planning to host only DNS & (possibly) DHCP Services on the new DCs. I’ll move the other services to dedicated servers or decommission them if they are no longer needed.<\/p>\n

At a high level, my plan is to:<\/p>\n

\n
1. Migrate certificates services to two new servers (a Root CA and a Subordinate CA). The Root CA would not be domain joined.<\/li>\n
2. Decommission unused services<\/li>\n
3. Migrate remaining services to dedicated domain joined servers<\/li>\n
4. Promote new servers to the DC role<\/li>\n
5. Demote existing servers from the DC role<\/li>\n<\/ol>\n

   I am hoping to get some insight to these questions.<\/p>\n

   \n
   1. Is this a workable plan?<\/li>\n
   2. Is the sequence of the steps ok?<\/li>\n
   3. I understand that each of these steps will consist of several additional steps but, at a high level, have I overlooked anything?<\/li>\n<\/ol>\n

      Thanks for any thoughts or insight you have.<\/p>","upvoteCount":0,"answerCount":6,"datePublished":"2024-06-13T20:56:30.836Z","author":{"@type":"Person","name":"spiceuser-kidtu","url":"https://community.spiceworks.com/u/spiceuser-kidtu"},"suggestedAnswer":[{"@type":"Answer","text":"

      Our domain has 3 domain controllers running on Windows Server 2012 R2. I am working on a plan to stand up new servers and promote them into the DC role and demote the existing ones.<\/p>\n

      Multiple roles have been installed on one or more DCs, including File and iSCSI Services, Windows Deployment Services, AD Lightweight Directory Services, DNS, DHCP, and Certificate Services.<\/p>\n

      I am planning to host only DNS & (possibly) DHCP Services on the new DCs. I’ll move the other services to dedicated servers or decommission them if they are no longer needed.<\/p>\n

      At a high level, my plan is to:<\/p>\n

      \n
      1. Migrate certificates services to two new servers (a Root CA and a Subordinate CA). The Root CA would not be domain joined.<\/li>\n
      2. Decommission unused services<\/li>\n
      3. Migrate remaining services to dedicated domain joined servers<\/li>\n
      4. Promote new servers to the DC role<\/li>\n
      5. Demote existing servers from the DC role<\/li>\n<\/ol>\n

         I am hoping to get some insight to these questions.<\/p>\n

         \n
         1. Is this a workable plan?<\/li>\n
         2. Is the sequence of the steps ok?<\/li>\n
         3. I understand that each of these steps will consist of several additional steps but, at a high level, have I overlooked anything?<\/li>\n<\/ol>\n

            Thanks for any thoughts or insight you have.<\/p>","upvoteCount":0,"datePublished":"2024-06-13T20:56:30.917Z","url":"https://community.spiceworks.com/t/upgrade-domain-controllers-hosting-multiple-roles/1086713/1","author":{"@type":"Person","name":"spiceuser-kidtu","url":"https://community.spiceworks.com/u/spiceuser-kidtu"}},{"@type":"Answer","text":"

            \n
            1. Good plan, so many people join the root to the domain, and you shouldn’t.<\/li>\n
            2. Also a good plan<\/li>\n
            3. Migration, good.<\/li>\n
            4. Tick<\/li>\n
            5. Don’t do this too quickly, make sure replication is good and turn off the old for a few days to ensure all is well before decommissioning them.<\/li>\n<\/ol>\n

               Don’t forget to update your DHCP scope to use the new DCs as the DNS source and be sure you go round and manually change static IPs/DNS accordingly.<\/p>","upvoteCount":1,"datePublished":"2024-06-13T21:37:29.851Z","url":"https://community.spiceworks.com/t/upgrade-domain-controllers-hosting-multiple-roles/1086713/2","author":{"@type":"Person","name":"Rod-IT","url":"https://community.spiceworks.com/u/Rod-IT"}},{"@type":"Answer","text":"

               That’s a great plan. You do not want a CA on your DC if you can avoid it. Your root CA should be offline, so after you create it and issue the cert for the Sub CA, shut the VM down and leave it off.<\/p>\n

               DNS should be on the DC. That’s fine to leave.
               \nMicrosoft best practice for security is that DHCP is not hosted on domain controllers. Everybody does it, but you technically shouldn’t. Separate if feasible. Have 2, put them in a DHCP failover relationsip.<\/p>\n

               Are you using lightweight directory services?
               \nWhat are you doing with file/iscsi services?
               \nWDS definitely should not be on a DC.<\/p>\n

               The biggest hurdle you have is spinning up the new enterprise PKI in my opinion. Once you get that done the rest is easy.<\/p>\n

               You will need to update DHCP scopes (as well as any static assigned devices) with the IP addresses of the new DNS servers.<\/p>\n

               Make sure have your DNS properly set up on your DCs both the existing and the new ones: Active Directory DNS Refresher<\/a><\/p>","upvoteCount":2,"datePublished":"2024-06-13T21:40:43.858Z","url":"https://community.spiceworks.com/t/upgrade-domain-controllers-hosting-multiple-roles/1086713/3","author":{"@type":"Person","name":"PatrickFarrell","url":"https://community.spiceworks.com/u/PatrickFarrell"}},{"@type":"Answer","text":"