Inquiridor
Migrate Domain controller from Windows 2008 R2 to Windows Server 2019

Pergunta
-
Hi,
As you know the End of support for Windows Server 2008 R2 has been slated by Microsoft for January 14th 2020.
We have a DC with Windows 2008 R2(physical machine) that holds all FSMOs and I have two DCs with Windows Server 2019 (vmware machines) live on the production.
DC with Windows 2008 R2 that hold all FSMOs is called
SRV
DCs with Windows server 2019 are called as following:
1) srvdc
2) srvdc1
That means I dont need to run "adprep.exe /forestprep or adprep.exe /domainprep or adprep.exe /domainprep /gpprep"
Am I here right?
Here are my Steps to migrate.
1) Transfer all FSMO with Power Shell from DC with Windows 2008 R (SRV) to the DC with Windows Server 2019 (srvdc)
2) run netdom query fsmo on the DC with Windows Server 2019 (srvdc) and check the FSMO are transfered
3) run netdom query fsmo on the DC with Windows Server 2008 R2 (SRV) and check the FSMO are not hold here
4) Check DNS, DHCP, Site and Services and replication between all DCs
5) Remove Ad services from Server 2008 R2 with "dcpromo"
on that step I get the following message:
That means I have to remove the "Active Directory Certificate Services" first from Windows 2008 R2 (SRV).
I am sure our all certificate for exchange server 2013, scom, sccm server are running on that machine.
Here are my questions:
1) Can I backup the certificate of the windows 2008 R2(SRV) and Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc and add the role "Active Directory Certificate Services" on the Windows server 2019 (srvdc) and import the certificate, before remove the certificate from DC with windows 2008 R2(SRV)?
2) Could add the roles "Active Directory Certificate Services" on DC the Windows 2019 (srvdc) now before backup the Certificate Services or remove the Certificate Services? If yes what happens?
2) Could I have two Certificate Authority at the same time on the DCs Windows 2008 R2(SRV) and Windows 2019 (srvdc)
3) Or I have to backup my Certificate Authority with Registry CertSvc and then remove the roles on the DC windows 2008 R2 (SRV) and then add the role "Active Directory Certificate Services" on the DC windows 2019 (srvdc)and import from backup I created before?
What is the best method?
We have a exchange server 2013 and it should not effected with migration the DC or certificate.
Thanks for help
Nick
Todas as Respostas
-
The two prerequisites to introducing the first 2019 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSR
https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405adprep is a built-in component of domain controller promotion so no, it isn't necessary to run separately.
Better to ask the cert / security questions in dedicated forum over here.
https://social.technet.microsoft.com/Forums/en-US/home?forum=winserversecurity
and exchange questions should be asked here.
https://social.technet.microsoft.com/Forums/office/en-US/home?category=exchangeserver
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows Server] Datacenter Management
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. -
-
Yes, you're correct. Sounded like 2019 in an iso-test environment since you were asking about adprep and promo steps.
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows Server] Datacenter Management
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. -
-
This one might help.
I'd also suggest reaching out to the cert / security experts in dedicated forum over here.
https://social.technet.microsoft.com/Forums/en-US/home?forum=winserversecurity
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows Server] Datacenter Management
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Editado Dave PatrickMVP terça-feira, 12 de novembro de 2019 22:30
- Sugerido como Resposta Teemo TangMicrosoft contingent staff quarta-feira, 4 de dezembro de 2019 08:18