AD from 2008R2 to 2019

Question

Hi,

Hope you are doing well in these troubled times

One more post on this topic, but can't find a exact answer regarding my situation.

One client want to update to 2019, here is the exact infra :

Two DC (DC01 has FSMO roles and DC02 is a backup DC with a CA).

Two DHCP (DHCP01 and DHCP02 in 50/50 load balancing

A bunch of RDS farms (2 in 2008R2 and 1 in 2019)

I'd like to keep existing IP Address for the two DCs, but the name will change.

What would be the best scenario ?

Scenario 1 :

• Move CA to another server
• Prep domain and forest
• Install and promote a new server (NEW-DC01), put a temporary IP Address
• demote DC02 and change IP Address
• Install and promote a new server (NEW-DC02), put DC02 old IP Address
• Transfer FSMO roles to NEW-DC01
• demote DC01 and change IP Address
• Put DC01 old IP Address on NEW-DC01

Scenario 2 :

• Move CA to another server
• Prep domain and forest
• demote DC02 and change IP Address
• Install and promote a new server (NEW-DC02), put DC02 old IP Address
• Transfer FSMO roles to NEW-DC02
• demote DC01 and change IP Address
• Install and promote a new server (NEW-DC01), put DC01 old IP Address
• Transfer FSMO roles to NEW-DC01

Or if you have a better one, I'm all ears.

Thanks All.

Best Regards,

John.

Answer 1

The two prerequisites to introducing the first 2019 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSR
https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one. After the old ones are off network you can re-ip them.

I'd ask separate questions here for the RDS, DHCP, CA migrations.
https://learn.microsoft.com/en-us/answers/topics/windows-remote-desktop-services.html
https://learn.microsoft.com/en-us/answers/topics/windows-dhcp-dns.html
https://learn.microsoft.com/en-us/answers/topics/windows-server-security.html

--please don't forget to Accept as answer if the reply is helpful--

Answer 2

Hi,

Sorry, I should have been a little bit more clear.
CA, DHCP and RDS are out of the topic, but I'll do as you kindly says, it's the best way to have answers :)

Functional levels are ok. migration to DFSR is ok too.
Dcdiag is not throwing any errors.

I'll go read the links you provided.
About the two scenarios, which is best for you ?

Thanks

Answer 3

I'd stand up the two new ones as mentioned above. Once the old ones have been removed from network you can re-ip the new ones. Do them an hour or so apart to minimize disruptions.

--please don't forget to Accept as answer if the reply is helpful--

Answer 4

Hi,

I am glad to hear that your issue was successfully resolved\I am pleased to know that the information is helpful to you. If there is anything else we can do for you, please feel free to post in the forum.

Best Regards,
Vicky