I've been through two rounds of DC upgrades, and I do it in pretty much the same fashion:

* Build new server with temp name and IP
* Note if old server is GC
* DCPROMO old server down (roles are automatically transferred).
* Rename it
* Change IP address of old server.
* Change new server name
* Change new server IP
* DCPROMO up new server
* Change roles back.
* Make GC if needed

Your certificate server will be a challenge. Even though the documentation referenced hints that you can change the name of the CA, I'm pretty sure that doesn't work without some extra steps that are not documented anywhere publicly accessible.

A while back I posted a query about CA migration and, of the responses, two people said they tried to change the name of the CA. One person said they never could get it to work, gave up, and went back to the old name. The other person did get it to work, but he had to call PSS to get it running.

I'd separate the CA role from the DC. Build a new DC to replace the old DC/CA and give it a new name. Migrate the CA to a new server keeping the old server name.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of William Robbins
Sent: Thursday, August 29, 2013 5:47 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Upgrade 2003 DC's

And this: http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx

- WJR

On Thu, Aug 29, 2013 at 4:42 PM, William Robbins <dangerw...@gmail.com> wrote:

This should help w/the CA: http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx

- WJR

On Thu, Aug 29, 2013 at 4:35 PM, David Lum <david....@nwea.org> wrote:

So... in my environment we have four ancient DC's. Two root DC's and two of five subdomain DC's. These have been around enough and our environment is complex enough that we aren't sure how many systems rely on the specific IP or hostname.
Seems to me it should be fairly straightforward to stand up new with same name/IP as the originals:

* Transfer all FSMO roles
* Demote DC (DCPROMO)
* Unjoin from domain
* Power off
* Build new server with same name
* Join to domain
* Install AD DS roles
* DCPROMO
* Transfer FSMO roles back (optional)

Now in one case the DC is also a certificate server, although we aren't 100% sure if/how it's being used. Surely there are some caveats to consider?

David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764