Inplace upgrade of AD server?

Posted by Chance_Brilliant_138@reddit | sysadmin | View on Reddit | 9 comments

I run a small 2 domain controller Active Directory shop. Our servers also provide DNS and DHCP to our entire lab. One of our servers is on Win2kr2 and the other server is on Win2016. I think our functional domain level is 2008 (I need to check). I’d like to upgrade our win12r2 server to win2016. Microsoft recommends demoting the AD server, removing from the domain, and standing up a freshly installed server. Is this overkill or extremely wise move? CAN you demote 1 of your 2 domain controllers? Any other gotchas you could think of, especially since they’re running DNS and DHCP? I’ve already moved the FSMO roles over to the 2016 server. Your help is appreciated.

Reply to Post

9 Comments

[-]

Glum_Competition561@reddit

I have done in place upgrades in place many times without issue. That being said, its not best practice or wise. If you attempt it, back it up a couple different ways before hand. I also would never recommend it in any environment with more than one DC, or generally complex environments. In other words, if its a small network, one DC, and only if your backups are solid. . Its better to go the route everyone else is mentioning. In your specific case I would advise against it.

[-]

TuntheFish@reddit

Make sure to move the FSMO roles over before demoting.. I think that the wizard will check/solve this for you when your in the process of demoting but something to keep your eye on,

[-]

Chance_Brilliant_138@reddit (OP)

This is all been great info, thanks everyone for your responses.

[-]

RetroactiveRecursion@reddit

This video isn't exactly what you're doing but it helped me immensely and may be useful. I know just enough about windows server admin to be dangerous, and I pulled it off without a hitch last year [https://www.youtube.com/watch?v=bpJwZNX1MT8](https://www.youtube.com/watch?v=bpJwZNX1MT8)

[-]

breakwaterlabs@reddit

Demote first and do a clean install. Also avoid 2016: * 2019 brings the new Windows LAPS * 2016 had big issues with slow updates and boot loops * 2022 is out and is supported for far longer

[-]

NoLongerGage@reddit

Agree here. I am in the process of upgrading all of our DCs to 2019 and up (much bigger shop). I would also read about the functional levels and see what may be of use in your environment. If you really are 2008 there are quite a few new features : https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

[-]

nate-isu@reddit

Migrate all roles & services to the 'secondary' 2016 server. Demote and remove old server. Stand up server 2022 Core and only install DHCP/DNS or other necessary Microsoft roles. No other third party BS software. Now you have a GUI DC for those that don't know about RSAT tools and a lightweight DC that's super easy to upgrade in the future; in fact, I'd have no qualms doing an in-place upgrade of server core with minimal/simple roles installed.

[-]

kntmeng@reddit

Yes, demote and build fresh is best practice. You'll get MS fresh server defaults for better security at that point. As stated, pay attention to what is running on the DC being demoted so you know what needs to be redone or considered. Have a good backup, just in case, communication with stakeholders is important. The assumption here is you know the environment well and don't have boxes only pointed to one DC. If so, fix that first else you'll have outages if you run a 24x7 shop when the one box is demoted as clients might not find other DCs or DNS servers. With that said, I have done in place upgrades of DCs before, it works, but I only do that in unique situations. Good luck.

[-]

Colossus-of-Roads@reddit

Extremely wise, I really wouldn't do an in-place upgrade of a DC. Of course, you'll have other considerations - backing up DHCP, checking for non-integrated DNS zones, conditional forwarders, actual forwarder config etc. All doable but make a list.