Replacing a DC

It is safer to replace a DC than to upgrade the OS.

The order we want to do this in is: the new server gets a DHCP address, remove all services from the old server, change the old server to DHCP, then set the new server to the old server's static IP address (so we don't have to change every static config).

Create a new VM, install Windows Server 2019, add the roles for DC, DNS and DHCP, and reboot.

On a surviving DC, open Server Manager, Manage (top right), Add Servers, and add the new server you created. After a few minutes you should see a yellow "bang" prompting you to do a post-deployment configuration.

If your current logon doesn’t have domain admin privilege you will need to supply one that does.

Below I had already manually authorized my DHCP.

DHCP in Server Manager: Manage the new server. In Server Manager, DHCP, right click the new DC name and choose Authorize.

Recreate your server options on the new server, since Micro$oft allows you to export the options on the old server but doesn't allow importing on the new server… really M$?
Recreate custom options by right clicking IPv4, Set Predefined Options, Add… You may want to edit these on the old server, then cut/paste, as the field names are confusing.
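The same recreation can be scripted with the DhcpServer module instead of retyping every option in the dialog. This is an added example, not code from the original post; the server names are placeholders, and it assumes the new server already holds the DHCP role and that you run it with DHCP administrator rights. It copies only option definitions the new server does not already have (matched on vendor class plus option id, so the built-in Microsoft definitions are skipped) and then copies the server-level option values.

```powershell
# Added example (not from the original post): copy user-defined DHCP option
# definitions and server-level option values from the old DHCP server to the new
# one. $OldDhcp and $NewDhcp are placeholders for your server names.
$OldDhcp = 'OLD-DC01'   # server being decommissioned (placeholder)
$NewDhcp = 'NEW-DC01'   # freshly installed DHCP server (placeholder)

Import-Module DhcpServer

# 1. Custom option definitions (the "Set Predefined Options... Add" step).
#    A definition is identified by vendor class + option id; the standard and
#    Microsoft vendor definitions already exist on the new server, so only the
#    ones missing there are added.
$existing = Get-DhcpServerv4OptionDefinition -ComputerName $NewDhcp -All |
    ForEach-Object { "$($_.VendorClass)|$($_.OptionId)" }

Get-DhcpServerv4OptionDefinition -ComputerName $OldDhcp -All |
    Where-Object { "$($_.VendorClass)|$($_.OptionId)" -notin $existing } |
    ForEach-Object {
        Write-Host "Adding option definition $($_.OptionId) ($($_.Name))"
        $params = @{
            ComputerName = $NewDhcp
            OptionId     = $_.OptionId
            Name         = $_.Name
            Type         = $_.Type
            Description  = $_.Description
            MultiValued  = $_.MultiValued
        }
        if ($_.VendorClass) { $params.VendorClass = $_.VendorClass }
        Add-DhcpServerv4OptionDefinition @params
    }

# 2. Server-level option values (the Server Options node). Scope options travel
#    with failover replication; server options do not, so copy them here.
Get-DhcpServerv4OptionValue -ComputerName $OldDhcp -All |
    ForEach-Object {
        $params = @{
            ComputerName = $NewDhcp
            OptionId     = $_.OptionId
            Value        = $_.Value
            Force        = $true
        }
        if ($_.VendorClass) { $params.VendorClass = $_.VendorClass }
        if ($_.UserClass)   { $params.UserClass   = $_.UserClass }
        Set-DhcpServerv4OptionValue @params
    }

# 3. Review what the new server now hands out.
Get-DhcpServerv4OptionValue -ComputerName $NewDhcp -All |
    Format-Table OptionId, Name, VendorClass, UserClass, Value -AutoSize
```

Read the final table before moving on: any value that still names the old server (option 6 DNS servers, option 3 routers, a VoIP option carrying an address) is exactly the kind of reference you are trying to retire, so fix it here rather than discovering it later in the DNS debug log.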

On the same scope, right click and choose Configure Failover. Available scopes is auto-populated; click Next. The first time you will need to click the "Add Server" button, type the name of the new server in the "This server" field, use Browse to verify, and click OK. Now when you pull down the arrow near "Partner Server" you should see the new server. Choose it, UNcheck Reuse past config, Next, check the box "State Switchover Interval", add a Shared Secret and record it in your password manager.

We need to remove replication to/from the server we are decommissioning. Manage DHCP on a surviving server. Drill down to a scope that isn't used, right click and choose Deconfigure Failover, and accept the warning. If you get a warning about not being in a NORMAL state, replication may not have completed, OR you may have custom DHCP options, like a VoIP VLAN; this will fail until you re-create those options on the new DHCP server. Then right click on IPv4 and choose Replicate Failover Scopes.

Next, do that for every DHCP scope.
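The whole failover swap (deconfigure the relationship with the old server, configure one with the new server, replicate) can be done in one pass for every scope from the surviving server. This is an added example, not code from the original post; the server and relationship names are placeholders. Because a scope can belong to only one failover relationship, the script removes the old relationship first, and it refuses to touch anything that is not in the Normal state, which is the warning the page describes.

```powershell
# Added example (not from the original post): retire the failover relationship
# with the old DHCP server and create one with the new server for the same
# scopes, then replicate. Run on the surviving DHCP server. Names are placeholders.
$Surviving       = 'DC02'            # surviving DHCP server (where this runs)
$NewPartner      = 'NEW-DC01'        # new server, already authorized in AD
$OldRelationship = 'DC02-OLD-DC01'   # see Get-DhcpServerv4Failover for the real name
$NewRelationship = "$Surviving-$NewPartner"

Import-Module DhcpServer

# 0. Inspect the existing relationship. Anything other than Normal means
#    replication has not finished; deconfiguring now can lose lease data.
$old = Get-DhcpServerv4Failover -ComputerName $Surviving -Name $OldRelationship
if ($old.State -ne 'Normal') {
    throw "Failover '$OldRelationship' is in state '$($old.State)', not Normal. Resolve that first."
}
$scopes = $old.ScopeId
Write-Host "Scopes in '$OldRelationship': $($scopes -join ', ')"

# 1. Deconfigure failover with the old partner (the GUI 'Deconfigure Failover').
Remove-DhcpServerv4Failover -ComputerName $Surviving -Name $OldRelationship -Force

# 2. Shared secret: generated from the OS CSPRNG here, then record it in your
#    password manager; it is what the two servers use to authenticate each other.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# 3. Configure failover with the new partner for the same scopes, load balanced,
#    with automatic state switchover after one hour of lost contact
#    (the "State Switchover Interval" checkbox).
Add-DhcpServerv4Failover -ComputerName $Surviving -Name $NewRelationship `
    -PartnerServer $NewPartner -ScopeId $scopes `
    -LoadBalancePercent 50 -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 01:00:00 `
    -SharedSecret $secret

# 4. Push scope configuration (including scope options) to the new partner
#    (the GUI 'Replicate Failover Scopes').
Invoke-DhcpServerv4FailoverReplication -ComputerName $Surviving -Name $NewRelationship -Force

# 5. Verify: relationship state on the surviving server and scopes on the new one.
Get-DhcpServerv4Failover -ComputerName $Surviving |
    Format-Table Name, PartnerServer, State, Mode, ScopeId -AutoSize
Get-DhcpServerv4Scope -ComputerName $NewPartner |
    Format-Table ScopeId, Name, State -AutoSize
```

Run the option-definition copy before this script: replication in step 4 fails for any scope option whose definition is missing on the new server, which is the VoIP VLAN case the page mentions. Clear the secret from the session afterwards (`Remove-Variable secret`) once it is in the password manager.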


Click a scope, Properties, Name Servers, and verify that the new server shows. This is a good time to clean up old DNS servers from both the forward and reverse zones.

From Server Manager, Manage, Remove Roles and Features, choose the DC to be demoted and click Next.

Uncheck DHCP and DNS first. When asked to delete the admin tools as well, unchecking that box will save some time. This happens in real time.

When you uncheck Active Directory Domain Services you will shortly after get the following message. Click Demote this domain controller.

You will need to supply a new Local Administrator password.

The DC will reboot, and will still be a domain MEMBER.

Go into Active Directory Sites and Services and manually delete the old DC.

You can now log on to the server and remove it from the domain, if you don't need it.
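The demotion steps above, from Remove Roles and Features through the Sites and Services cleanup, as a script. This is an added example, not code from the original post; the old DC's name is a placeholder. It adds two checks a practitioner wants before clicking Demote: that no FSMO role is still held by the server being removed, and that replication is healthy, since demoting a role holder or a DC with outstanding replication leaves the domain in a worse state than the old server was.

```powershell
# Added example (not from the original post): pre-flight checks, role removal
# and demotion for the DC being retired. Steps 1-4 run on that DC; the
# function at the end runs afterwards on a surviving DC. $OldDc is a placeholder.
$OldDc = 'OLD-DC01'
Import-Module ActiveDirectory

# 1. No FSMO role may remain on this DC. Move any that do with
#    Move-ADDirectoryServerOperationMasterRole before demoting.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$held = $roles.GetEnumerator() | Where-Object { $_.Value -like "$OldDc.*" }
if ($held) {
    throw "Move these roles off $OldDc first: $($held.Key -join ', ')"
}

# 2. Replication summary; any failures here get investigated with
#    'repadmin /showrepl' before going further.
repadmin /replsummary

# 3. DHCP and DNS go first (the 'uncheck DHCP, DNS' step); the admin tools stay.
Uninstall-WindowsFeature -Name DHCP, DNS

# 4. Demote. Prompts for the new local Administrator password and reboots;
#    afterwards the machine is a plain domain member.
Import-Module ADDSDeployment
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'New local Administrator password') `
    -Force

# 5. After the reboot, from a surviving DC: a clean demotion removes the NTDS
#    Settings object but usually leaves the empty server object in Sites and
#    Services. Remove it only if no NTDS Settings child remains.
function Remove-StaleServerObject {
    param([Parameter(Mandatory)][string]$ServerName)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $srv = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$ServerName'" `
                        -SearchBase "CN=Sites,$cfg"
    if (-not $srv) { Write-Host "No server object named $ServerName left."; return }
    $ntds = Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" -SearchBase $srv.DistinguishedName
    if ($ntds) { throw "$ServerName still has NTDS Settings; demotion did not complete." }
    Remove-ADObject -Identity $srv -Recursive -Confirm:$false
    Write-Host "Removed $($srv.DistinguishedName)"
}
# Remove-StaleServerObject -ServerName $OldDc

# 6. Optional, on the old server once it is no longer needed (the 'remove it
#    from the domain' step):
# Remove-Computer -UnjoinDomainCredential (Get-Credential) -Force -Restart
```

If step 5 finds NTDS Settings still present, the demotion did not finish cleanly; use metadata cleanup (`ntdsutil`) rather than deleting the objects by hand.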

Servers typically have statically assigned IP addresses and DNS config. I recommend assigning that IP address to the new DC, as it can have multiple IP addresses.

As a precaution, after the old DC is removed, delete its DNS A record and create a DNS CNAME record so that its old computer name points to the new DC.
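The IP reassignment and the DNS cleanup described above (and the name-server cleanup from the Name Servers step earlier) as one script run on the new DC. This is an added example, not code from the original post; host names, the domain, the adapter name and the IP address (from the 192.0.2.0/24 documentation range) are placeholders. It removes only NS records that name the old DC, in every primary forward and reverse zone, leaves all other records alone, and then swaps the old A record for a CNAME.

```powershell
# Added example (not from the original post): give the new DC the old DC's
# static IP as a second address, strip the old DC from every zone's NS list,
# delete its A record and add a CNAME pointing at the new DC. Placeholders throughout.
$OldDc  = 'OLD-DC01'        # decommissioned DC's host name
$NewDc  = 'NEW-DC01'        # new DC; run this script on it
$Domain = 'corp.example'    # AD DNS domain
$OldIp  = '192.0.2.10'      # old DC's static address (documentation range)
$Prefix = 24
$Nic    = 'Ethernet0'       # adapter name on the new DC (Get-NetAdapter)

# 1. Second address on the new DC so static clients still pointing at $OldIp work.
if (-not (Get-NetIPAddress -IPAddress $OldIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $Nic -IPAddress $OldIp -PrefixLength $Prefix
}

Import-Module DnsServer
$oldFqdn = "$OldDc.$Domain."   # NS record data carries the trailing dot

# 2. NS records: every primary zone, forward and reverse, that still lists the
#    old DC as a name server loses that one record.
$zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType NS |
        Where-Object { $_.RecordData.NameServer -eq $oldFqdn } |
        ForEach-Object {
            Write-Host "Removing NS $oldFqdn from $($zone.ZoneName)"
            Remove-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType NS `
                -Name $_.HostName -RecordData $oldFqdn -Force
        }
}

# 3. The old host record goes; a CNAME to the new DC takes its place.
Remove-DnsServerResourceRecord -ZoneName $Domain -RRType A -Name $OldDc -Force -ErrorAction SilentlyContinue
Add-DnsServerResourceRecordCName -ZoneName $Domain -Name $OldDc -HostNameAlias "$NewDc.$Domain"

# 4. Re-register the new DC's own records (now including $OldIp) and check.
ipconfig /registerdns | Out-Null
Resolve-DnsName "$OldDc.$Domain" -Type CNAME
Get-DnsServerResourceRecord -ZoneName $Domain -RRType NS -Name '@' |
    Select-Object -ExpandProperty RecordData
```

The CNAME only fixes name resolution. Anything that authenticates to the old name over Kerberos (a UNC path to \\OLD-DC01, a service principal in an application config) asks for a ticket for that name, which the new DC does not hold, and certificates issued to the old name do not follow it either; treat hits on the old name in the DNS debug log as configs to fix, not as traffic the alias has taken care of.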

If you are running PRTG monitor, check its settings for DNS/ADS as they will have changed.

On the new DC start Event Viewer, Windows Logs, Security, Properties, and set the max log size to 512 MB (this still won't be enough); set the Application and System logs to 128 MB. When you click on Windows Logs you can see the current log size. Make sure you have enough space to hold all the logs until the next FULL backup.

Open DNS Manager, right click each server, Properties, Debug Logging, check the box Log packets, File path = C:\Windows\Logs\dns.log; the default 500 MB is fine. Apply. Now you can search this log for references to your old domain controller. You may want to share the C:\Windows\Logs directory as READONLY to the Administrators group.
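The log sizing and DNS debug logging steps above, plus the search they exist for, as a script run on the new DC in Windows PowerShell 5.1. This is an added example, not code from the original post; the old DC name and the share name are placeholders. The search function goes a step beyond grepping: it pulls the client IP out of each matching debug-log line and counts hits per client, so the output is the list of machines whose static DNS config still names the old DC.

```powershell
# Added example (not from the original post): event log sizes, DNS debug
# logging, a per-client count of lookups for the old DC, and a read-only share
# of the log directory. $OldDc and the share name are placeholders.
$OldDc  = 'OLD-DC01'
$LogDir = 'C:\Windows\Logs'
$DnsLog = Join-Path $LogDir 'dns.log'

# 1. Event log maximum sizes (Security 512 MB, Application and System 128 MB).
Limit-EventLog -LogName Security    -MaximumSize 512MB
Limit-EventLog -LogName Application -MaximumSize 128MB
Limit-EventLog -LogName System      -MaximumSize 128MB
Get-EventLog -List |
    Where-Object { $_.Log -in @('Security', 'Application', 'System') } |
    Format-Table Log, MaximumKilobytes, OverflowAction, Entries -AutoSize

# 2. DNS debug logging: queries and answers, UDP and TCP, sent and received,
#    to the page's path with the 500 MB default cap.
Import-Module DnsServer
Set-DnsServerDiagnostics -Queries $true -Answers $true `
    -SendPackets $true -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
    -QuestionTransactions $true -LogFilePath $DnsLog -MaxMBFileSize 500
Get-DnsServerDiagnostics | Select-Object Queries, Answers, LogFilePath, MaxMBFileSize

# 3. Who still looks up the old DC? Debug-log packet lines read
#    "... UDP Rcv 192.0.2.50 ... Q [...] A (8)old-dc01(4)corp(7)example(0)",
#    so the client address follows the Rcv/Snd token and the name is matched
#    case-insensitively as plain text.
function Find-OldDcReferences {
    param(
        [string]$Path    = $DnsLog,
        [string]$Pattern = $OldDc
    )
    Select-String -Path $Path -Pattern $Pattern -SimpleMatch |
        ForEach-Object {
            if ($_.Line -match '(?:Rcv|Snd)\s+(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'ClientIP'; Expression = { $_.Name } }
}
Find-OldDcReferences

# 4. Read-only share of the log directory for the Administrators group.
#    Share permissions stack with NTFS, so this grants nothing beyond what
#    administrators already have locally; it just saves an RDP session.
if (-not (Get-SmbShare -Name 'Logs$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Logs$' -Path $LogDir -ReadAccess 'BUILTIN\Administrators'
}
```

Leave the debug log running for at least one full business cycle before trusting an empty result from `Find-OldDcReferences`: a client that only resolves the old name during a weekly job will not show up on day one. The DNS debug log records every client query, so turn it off (`Set-DnsServerDiagnostics -All $false`) once the cleanup is done rather than leaving it as a permanent record of who looked up what.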


Make sure the new DC has the correct time zone set.

Make sure it's getting its time from a reliable source, as VMware guests will drift.

reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
w32tm /stripchart /
w32tm /stripchart /

w32tm /resync /nowait /soft

w32tm /config /syncfromflags:manual /manualpeerlist:""
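The time checks above, carried through for both kinds of DC. This is an added example, not code from the original post; the NTP server names and the VMware Tools path (its default install location) are assumptions. The point it adds to the page's commands is the role split: only the PDC emulator should take time from an external source, while every other DC should follow the domain hierarchy, otherwise two DCs can each be "reliable" and still disagree, which breaks Kerberos once the skew passes five minutes.

```powershell
# Added example (not from the original post): verify time zone and time source
# on the new DC and configure W32Time according to its role. The peer list is a
# placeholder; use your own reliable NTP servers. Run in an elevated session.
$ExternalNtp = 'ntp1.example.net,0x8 ntp2.example.net,0x8'   # 0x8 = client mode

# 1. Time zone (fix with Set-TimeZone -Id <id>; Get-TimeZone -ListAvailable lists ids).
Get-TimeZone | Select-Object Id, DisplayName

# 2. Current source and the W32Time parameters the page reads with reg query.
w32tm /query /source
w32tm /query /status
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' |
    Select-Object Type, NtpServer

# 3. Only the PDC emulator syncs from outside the domain; every other DC
#    follows the domain hierarchy so the whole forest agrees on one clock.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
if ($pdc -like "$env:COMPUTERNAME.*") {
    w32tm /config /syncfromflags:manual /manualpeerlist:"$ExternalNtp" /reliable:yes /update
} else {
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync /nowait /soft

# 4. Offset against the first configured peer, sampled five times
#    (the page's /stripchart step with its target filled in).
$peer = ($ExternalNtp -split '[ ,]')[0]
w32tm /stripchart /computer:$peer /samples:5 /dataonly

# 5. VMware guests: VMware Tools host time sync and W32Time both steering the
#    clock is the usual drift source to rule out; this shows whether it is on.
$toolbox = 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe'
if (Test-Path $toolbox) { & $toolbox timesync status }
```

After the resync, `w32tm /query /source` on a non-PDC DC should name another DC, and on the PDC emulator one of the external peers; if it still says "Local CMOS Clock" or "Free-running System Clock", the peer could not be reached and the configuration has not taken effect.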