OK to demote the only DC in a site when upgrading?

    Question

  • I have a relatively small network with 2 sites and one DC in each one (total 2 DCs in the network). They are currently running Windows Server 2003 and it's finally time to upgrade.

    Since upgrading Windows Server 2003 DCs directly to Windows Server 2016 is not officially supported (and I read mixed responses to the question whether it technically works) I'll be upgrading the DC on one site to Windows Server 2008 R2 first (it will be upgraded to Windows Server 2016 later). The upgrade is not in-place since the said DC is running on antique hardware and is 32-bit, so I'll introduce a new DC and demote the old one.

    This is done in one location. In the other one I'm trying to spare the need to have a temporary 2008 R2 server and go to 2016 directly. If I understand correctly, I need to remove all 2003 DCs before I can introduce the first 2016 DC, right? So my plan is that after I have the 2008 R2 DC running in the first site (2003 will be removed from it), I'll also demote the 2003 server in the second site and only then promote the 2016 server. However, this temporarily leaves the domain with only one functioning DC and the second site without a DC at all. This situation should probably not take too long because I'll be promoting the new DC immediately after demoting the old one; however, since I've demoted the only DC in the second site, it means that the new DC will have to replicate its schema from the first site, and the sites are connected via VPN connections.

    Do you think this is an acceptable risk? Can you pinpoint things that can go wrong?

    Thanks!

    Friday, July 13, 2018 1:10 PM

All replies

  • Generally it should work (see steps below). I'd make the first 2016 DC local to the remaining 2008 R2 DC for simplicity's sake. Also note 2008 R2 is 64-bit, so it would not run on the 32-bit hardware.

    I'd use the dcdiag / repadmin tools to verify health, correcting all errors found before starting. Then I'd stand up the new guest, patch it fully, license it, join the existing domain, add Active Directory Domain Services, promote it (also making it a GC, recommended), transfer the FSMO roles over (optional), transfer the PDC emulator role (optional), and use dcdiag / repadmin again to verify health. When all is good you can decommission / demote the old one. Move on to the next one.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, July 13, 2018 1:19 PM
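The checklist in the reply above (verify health with dcdiag / repadmin, make sure a GC remains, move FSMO roles off the DC being retired) is easy to get wrong when the DC you are demoting is the only one in its site. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, that dcdiag.exe and repadmin.exe are available, and that `$SiteName` (a made-up site name here) is the site whose last DC is about to be demoted. It reports anything that would break once that DC is gone, without changing anything.

```powershell
# Added example: pre-demotion check for a site that is about to lose its only DC.
# Run from an elevated PowerShell session on a domain-joined admin host with RSAT.
# Assumptions: ActiveDirectory module present; dcdiag.exe / repadmin.exe on PATH;
# $SiteName is hypothetical and must be replaced with the real site name.
Import-Module ActiveDirectory

$SiteName = 'SecondSite'

$allDcs   = Get-ADDomainController -Filter *
$siteDcs  = $allDcs | Where-Object { $_.Site -eq $SiteName }
$otherDcs = $allDcs | Where-Object { $_.Site -ne $SiteName }

Write-Host "Domain controllers in site '$SiteName':"
$siteDcs | Format-Table HostName, OperatingSystem, IsGlobalCatalog, OperationMasterRoles -AutoSize

# 1. Every FSMO role must be held by a DC that survives the demotion.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($siteDcs.HostName -contains $r.Value) {
        Write-Warning "$($r.Key) is held by $($r.Value), which is in the site being emptied. Transfer it first."
    } else {
        Write-Host "OK: $($r.Key) -> $($r.Value)"
    }
}

# 2. A global catalog must remain somewhere, or logons that need universal
#    group membership will fail while the site has no DC at all.
if (-not ($otherDcs | Where-Object { $_.IsGlobalCatalog })) {
    Write-Warning 'No global catalog would remain outside this site. Enable GC on a surviving DC first.'
}

# 3. The reply's dcdiag / repadmin health step, run against every DC before touching anything.
foreach ($dc in $allDcs) {
    Write-Host "--- dcdiag on $($dc.HostName) ---"
    dcdiag.exe "/s:$($dc.HostName)" /q        # /q prints only the failures
}
repadmin.exe /replsummary                     # per-DC replication failure counts
repadmin.exe /showrepl * /errorsonly          # only inbound links that are erroring
```

If any warning is printed, fix it before running the demotion; in particular, transfer the roles with Move-ADDirectoryServerOperationMasterRole rather than seizing them, since the old DC is still online. Re-run the same script after the replacement DC has been promoted and has finished initial replication over the VPN, so that the second site ends up with a DC and GC of its own again.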
  • It is risky but possible. Make sure you have a valid backup of the domain before you start.
    Friday, July 13, 2018 6:01 PM
  • Could you recommend a way? Just ghost the entire DC?
    Friday, July 13, 2018 11:35 PM
  • This one might help.

    https://technet.microsoft.com/en-us/library/cc535164.aspx?f=255&MSPPError=-2147217396

    If you don't have any confidence in the temp hardware then stand up two of them.

    Regards, Dave Patrick ....
    Friday, July 13, 2018 11:57 PM
  • OK, just finished, and apparently it was not a moment too soon. The DC at the second site was so old that the hard drives already had bad sectors. I guess it's fortunate that no critical files were corrupted. Fortunately, the Windows Server 2008 R2 DC and the VPN links were also stable.

    Anyway, one problem I ran into, and I'll write it here in case someone else runs into it: as part of the migration I needed to migrate the enterprise CA to the Windows Server 2008 R2 DC and migrate IAS settings to NPS as well. Both of these initially failed. It turns out that because the second site DC was so old and was in-place upgraded from Windows 2000 way back, the Windows 2003 installation was in C:\WINNT instead of C:\WINDOWS. Apparently both the CA and IAS exported settings contain the full path of certain files in the Windows folder, so I had to change them manually before I got CA and NPS to work. This may be the issue with other roles (that I don't use) as well.

    Saturday, July 14, 2018 9:57 PM
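The C:\WINNT problem in the post above is worth catching before the import rather than after a failed service start. The script below is an added example, not code from the thread or from any Microsoft migration guide; it assumes the settings were exported to a text file (for instance a `.reg` file produced by `reg export`, in which backslashes appear doubled), that `$ExportFile` is a made-up path you replace with your own, and that the source system root was `C:\WINNT` as in the post. It lists every line still pointing at the old system root and, when `-Fix` is given, rewrites them to the destination machine's `$env:SystemRoot` after taking a backup.

```powershell
# Added example: find (and optionally rewrite) hard-coded old-system-root paths in an
# exported settings file before importing it on the new server.
# Assumptions: $ExportFile is hypothetical; the file is a text export such as a .reg
# file; $OldRoot is the source DC's Windows folder (C:\WINNT per the post).
$ExportFile = 'C:\Migration\certsvc-config.reg'
$OldRoot    = 'C:\WINNT'
$NewRoot    = $env:SystemRoot

function Get-RootPattern {
    # Match both the plain form (C:\WINNT) and the .reg-escaped form (C:\\WINNT).
    param([string]$Root)
    $plain   = [regex]::Escape($Root)
    $escaped = [regex]::Escape($Root.Replace('\', '\\'))
    return "(?i)($escaped|$plain)"
}

function Find-StaleRootPaths {
    param([string]$Path, [string]$Root)
    $pattern = Get-RootPattern -Root $Root
    $lineNo  = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        if ($line -match $pattern) {
            [pscustomobject]@{ Line = $lineNo; Text = $line.Trim() }
        }
    }
}

function Repair-StaleRootPaths {
    param([string]$Path, [string]$Root, [string]$Replacement)
    Copy-Item -Path $Path -Destination "$Path.bak" -Force          # keep the original
    $content = Get-Content -Path $Path -Raw
    # Replace the escaped form with an escaped replacement and the plain form with a plain one,
    # so a .reg file stays valid and an ordinary text export stays readable.
    $fixed = $content -replace [regex]::Escape($Root.Replace('\', '\\')), $Replacement.Replace('\', '\\')
    $fixed = $fixed   -replace [regex]::Escape($Root), $Replacement
    # reg export writes UTF-16LE; -Encoding Unicode preserves that for re-import.
    Set-Content -Path $Path -Value $fixed -Encoding Unicode -NoNewline
}

$hits = @(Find-StaleRootPaths -Path $ExportFile -Root $OldRoot)
if ($hits.Count -eq 0) {
    Write-Host "No references to $OldRoot found in $ExportFile."
} else {
    Write-Host "$($hits.Count) line(s) still reference $OldRoot :"
    $hits | Format-Table -AutoSize
    if ($args -contains '-Fix') {
        Repair-StaleRootPaths -Path $ExportFile -Root $OldRoot -Replacement $NewRoot
        Write-Host "Rewritten to $NewRoot (backup at $ExportFile.bak)."
    }
}
```

Run it once without `-Fix` to see what would change; the hits list is also a good record of which service settings (certificate database location, log folder, and similar) carried the old path, since the same check applies to the IAS-to-NPS export the post mentions. After the rewrite, make sure the folders the new paths point to actually exist on the destination before importing.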
  • Good to hear of success.

    Regards, Dave Patrick ....
    Saturday, July 14, 2018 10:02 PM