Need a high-level sanity check on replacing our DCs
Posted by Blindsay24@reddit | sysadmin | 21 comments
We have 3x DCs. Two are running Server 2016, and these are the primary and secondary. Both are running DNS/DHCP; the primary also runs our AD -> Azure sync (which I understand now is not best practice to have on the DC?). Our 3rd DC does not have DHCP and is Server 2019, so I plan to leave it as is for now.
I have a feeling there is a bunch of stuff hardcoded to the IPs of the current DCs, so I would like to re-use them (the names are changing though).
I have a new Server 2025 box spun up and ready to go. I was going to replace DC2 first, then DC1.
Any tips for the general order that I should tackle this?
Master-IT-All@reddit
Be careful of Server 2025 domain controllers and earlier ones mixed together; there have been some known issues due to the security hardening of the server.
For domain controllers where you want to reuse the IP, I do this frequently myself and generally have few issues.
If possible I would demote and remove the server first, then reuse the IP prior to domain joining and promoting.
Blindsay24@reddit (OP)
Thanks for the heads up. If I were to replace all 3 DCs, do you think Server 2025 is OK then, or are there still other issues?
Gary_harrold@reddit
The mixed environment with server 2025 DCs caused us some crazy Kerberos issues. We switched everything to 2025 and now it has been smooth sailing. I would plan on a full switchover to 2025 if you are going to be heading that direction.
Master-IT-All@reddit
If everything is Windows 11 on the desktop, it should be OK.
Popensquat01@reddit
We've been on all 2025 DCs for a while now. No issues. Our DHCP is handled by networking equipment, and we're a pretty vanilla shop for the most part. But again, no huge issues.
Master-IT-All@reddit
Ya, if you can go straight to 2025 or start there, it isn't an issue. It's the people with a lot of legacy debt they can't clear that are hitting problems.
PatrickStrieker@reddit
We've recently updated all of our DCs from 2022 to 2025 (clean install & new names), but we've re-used the IPs to ensure anything hardcoded towards those would still work.
It's best practice to run DHCP on separate servers, so I'd recommend moving that before upgrading/re-installing DCs.
The only issue we had with WS2025 was related to our Cisco ISE (https://www.cisco.com/c/en/us/support/docs/field-notices/743/fn74321.html), which was resolved after an update from Cisco, so if you're using ISE I'd recommend checking this out.
Furthermore, as people mention, you should check for RC4 usage in your environment:
https://learn.microsoft.com/en-us/windows-server/security/kerberos/detect-remediate-rc4-kerberos
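The RC4 check that the comment above points to, as an added example (my own script, not part of the thread or of the Microsoft article): it pulls the 4768/4769 Kerberos events from a DC and lists which account/service pairs still get RC4-HMAC tickets, then lists every account with an SPN whose msDS-SupportedEncryptionTypes still permits RC4 or is unset. It assumes the ActiveDirectory module, that Kerberos auditing (Audit Kerberos Authentication Service / Kerberos Service Ticket Operations) is already enabled so those events exist, and the hypothetical inputs $DomainController and $Days.

```powershell
# Added example (not from the thread): inventory RC4 Kerberos usage before mixing in
# Server 2025 DCs. Assumes the ActiveDirectory module and that Kerberos auditing is on,
# so 4768/4769 events exist to search. $DomainController and $Days are assumed inputs.
#Requires -Modules ActiveDirectory
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$Days = 7
)

$rc4Etype = '0x17'   # TicketEncryptionType value for RC4-HMAC in 4768/4769
$rc4Bit   = 0x4      # RC4_HMAC_MD5 flag in msDS-SupportedEncryptionTypes

# 1. Tickets actually issued with RC4 in the last $Days days
$filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddDays(-$Days) }
$rc4Tickets = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TicketEncryptionType'] -eq $rc4Etype) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id                      # 4768 = TGT, 4769 = service ticket
                Account = $data['TargetUserName']
                Service = $data['ServiceName']       # krbtgt for 4768
                Client  = $data['IpAddress']
            }
        }
    }

"RC4 tickets by account/service (last $Days days):"
$rc4Tickets | Group-Object Account, Service | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Accounts that can be a Kerberos service target and still permit RC4.
#    An unset attribute means the DC's default applies, so treat it as "check", not "safe".
$targets = Get-ADObject -LDAPFilter '(&(objectClass=user)(servicePrincipalName=*))' `
    -Properties 'msDS-SupportedEncryptionTypes'
$report = foreach ($t in $targets) {
    $etypes = $t.'msDS-SupportedEncryptionTypes'
    $state  = if ($null -eq $etypes)         { 'unset (DC default applies)' }
              elseif ($etypes -band $rc4Bit) { 'RC4 explicitly allowed' }
              else                           { 'AES only' }
    [pscustomobject]@{ Name = $t.Name; Class = $t.ObjectClass; EncTypes = $etypes; State = $state }
}
"Service accounts and computers by encryption type setting:"
$report | Where-Object State -ne 'AES only' | Sort-Object State, Name | Format-Table -AutoSize
```

Run it against each DC, since ticket events are only logged on the DC that issued the ticket; the second list is forest-wide and only needs to run once. Anything in the first list is a live dependency that has to be fixed (or explicitly exempted) before a hardened DC starts refusing RC4.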
Granntttt@reddit
I think the advice has always been to have Azure sync on a separate member server, same with DHCP. I'd get those moved as the first step.
JwCS8pjrh3QBWfL@reddit
You can run the newer Cloud Sync on DCs but yeah it was always suggested that the older Connect Sync should be on its own server. If you're not syncing devices, just replace Connect with Cloud Sync at this point.
lart2150@reddit
Last I looked there are a few features that are missing on the cloud sync.
RevolutionaryWorry87@reddit
Yes. I would strongly recommend removing DHCP. Either use a network device or kea.
sgtpepper78@reddit
If you have any legacy auth still in the ecosystem, the intro of 2025 will likely break those. Check your exposure to RC4 and make a plan from there.
WendoNZ@reddit
No, they aren't. One might be running the PDCe role, but primary and secondary don't exist in AD anymore. One DC emulates a PDC, but that's as far as it goes; there is no secondary anymore.
You'll probably want to manually migrate the FSMO roles just so you know where they are, but I'm pretty sure that will be done for you automatically when you demote the server running a FSMO role anyway, so even that's not mandatory anymore.
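The manual FSMO transfer the comment above describes, as an added example (my own script, not from the thread): record the five holders, transfer them gracefully to the new DC, and confirm nothing stayed behind. It assumes the ActiveDirectory module, Enterprise Admin rights for the two forest-level roles, and an assumed parameter $NewDc.

```powershell
# Added example (not from the thread): record the FSMO holders, transfer all five roles to the
# new DC deliberately, and confirm. Assumes the ActiveDirectory module and Enterprise Admin
# rights (Schema/Domain Naming master are forest roles); $NewDc is an assumed parameter.
#Requires -Modules ActiveDirectory
param([Parameter(Mandatory)][string]$NewDc)

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'Before:'; Get-FsmoHolders | Format-List

# Graceful transfer: the current holder is contacted and hands over. Do NOT add -Force here;
# that seizes the roles and is only for a holder that is gone for good.
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $roles -Confirm:$false

$after = Get-FsmoHolders
'After:'; $after | Format-List

# Every role should now resolve to the new DC's FQDN; flag anything that did not move.
$newFqdn = (Get-ADDomainController -Identity $NewDc).HostName
$stuck   = $after.PSObject.Properties | Where-Object { $_.Value -ne $newFqdn }
if ($stuck) { Write-Warning ('Not transferred: ' + ($stuck.Name -join ', ')) }

# Second opinion from the legacy tooling, and check the change has replicated.
netdom query fsmo
repadmin /replsummary
```

Transfer rather than seize while the old holder is still online: seizing a role (the -Force switch) while the original holder later comes back is how you end up with two DCs that both think they own it.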
ewire@reddit
Most of the other commenters cover it, but an idea if you can swing a couple of extra VMs: stand up member servers, install DNS, and configure them to do nothing but forward to your DCs. These are your new DNS servers for everything else in the environment.
Then point all of your other member servers' DNS clients, DHCP scopes, and everything else that needs DNS resolution at these two new servers rather than at your DCs directly.
Once that's done, you will be able to demote/promote at will, and you just need to update the DNS servers' forwarding IPs without touching everything else again.
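The forward-only resolver layer described above, as an added example (my own script, not from the thread): the first part runs on each new member server and turns it into a DNS server that forwards everything to the DCs; the second repoints every DHCP scope's option 6 at the resolvers; the last line is the only thing that changes later when a DC's IP moves. All addresses, the DHCP server name and the domain name are assumed.

```powershell
# Added example (not from the thread): member servers as forward-only resolvers in front of
# the DCs, then DHCP scopes repointed at the resolvers. Addresses and names are assumed.
# First section runs on each resolver; second from any box with the DhcpServer module.
$DcDnsIps    = @('10.0.0.10', '10.0.0.11')   # assumed current DC addresses
$ResolverIps = @('10.0.0.20', '10.0.0.21')   # assumed new member-server resolvers
$DhcpServer  = 'dhcp01.corp.example'         # assumed
$Domain      = 'corp.example'                # assumed

# --- on each resolver: install DNS and forward everything to the DCs ---
Install-WindowsFeature -Name DNS -IncludeManagementTools
Set-DnsServerForwarder -IPAddress $DcDnsIps -UseRootHint $false -Timeout 3
Set-DnsServerRecursion -Enable $true   # recursion must stay on or the forwarders are never used
# Prove the resolver can locate a DC through the forwarders before anything depends on it
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server 127.0.0.1

# --- DHCP: every scope's option 6 hands out the resolvers, not the DCs ---
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    # -Force skips the cmdlet's reachability check of the listed DNS servers
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId -DnsServer $ResolverIps -Force
    $now = (Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId -OptionId 6).Value
    "$($scope.ScopeId): $($now -join ', ')"
}

# --- later, when a DC is replaced and its IP changes, only the forwarder list moves ---
# Set-DnsServerForwarder -IPAddress '10.0.0.10', '10.0.0.12'   # run on each resolver
```

Statically configured servers still need their DNS client settings changed once, to the resolver addresses; after that the DC addresses are known only to the resolvers' forwarder list, which is the point of the design.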
magataga@reddit
ADFS is kind of a big deal. You should think about upgrading.
Calm_House8714@reddit
Add both new ones as DCs, let it replicate. Promote one of them to primary, demote and remove the old ones. Should be that simple.
Affectionate-Cat-975@reddit
I would hunt down the hard-coded IPs and convert it over. Otherwise you will have to disable the strict naming conventions.
Mehere_64@reddit
The way I have done this is: build the new DC, promote it to DC, migrate over the non-IP-dependent roles, and when ready to migrate over the IP-dependent roles, proceed to do so, then demote the old DC, change its IP, then change the IP of the new DC. Verify in DNS that this is all updated correctly.
Others will say to start fresh, but I do get what you are stating in regards to the IPs being hardcoded in places that might not be known.
One other thing. Review issues people have with 2025 DCs. I have seen quite a few posts here regarding issues with 2025 DCs.
Blindsay24@reddit (OP)
Thanks for the heads up. I was hoping it would have been enough time to work out the bugs with 25. I didn't want to go 16 -> 22.
mtnfreek@reddit
Sounds fairly straightforward, but I bet those DHCP servers are configured as network helper IPs. So check that out, and upgrade to Core if you can.
theoverseerer@reddit
Well, if they have DNS, typically you have to hard-code your DNS server IPs, as you use that service to translate hostname to IP. If most of your environment is DHCP and it serves out the DNS IP, you change that; everything static you change by hand/script. Or don't change the IP; instead replace one at a time (demote the old first, change IP, then promote the new with the existing IP) and clean up AD records. Tons of documentation on how to go about it.
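The "demote old, take over its IP, promote new, clean up records" sequence that Mehere_64 and theoverseerer both describe, as one added example (my own script, not from the thread). Names and addresses are assumed: dc2-old at 10.0.0.11 is being retired, srv-dc2 is the new Server 2025 box already domain-joined as a member server on a temporary address, and dc1 at 10.0.0.10 stays up throughout. FSMO roles, DHCP and Connect Sync are assumed to have been moved off the old box first.

```powershell
# Added example (not from the thread): replace one DC in place while keeping its IP address.
# Assumed names/addresses: dc2-old (10.0.0.11, retiring), srv-dc2 (new box, member server on a
# temporary IP), dc1 at 10.0.0.10 staying up. FSMO/DHCP/Connect Sync already moved off dc2-old.
$Domain    = 'corp.example'
$OldDc     = 'dc2-old'
$NewDc     = 'srv-dc2'
$SharedIp  = '10.0.0.11'
$PrefixLen = 24
$Gateway   = '10.0.0.1'
$PartnerDc = '10.0.0.10'

# ---- Phase 1: on the old DC ----
# Graceful demotion; the box stays a plain member server until its account is deleted later.
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'New local admin password') `
    -Confirm:$false -Force
# After the reboot: confirm the demotion replicated, that no A record still claims the IP, then power off.
Get-ADDomainController -Filter * -Server $PartnerDc | Select-Object Name, IPv4Address
Get-DnsServerResourceRecord -ComputerName $PartnerDc -ZoneName $Domain -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $SharedIp }
Stop-Computer -Force

# ---- Phase 2: on the new box ----
# Refuse to take the address while anything still answers on it.
if (Test-Connection -ComputerName $SharedIp -Count 2 -Quiet) { throw "$SharedIp is still in use" }
$if = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).ifIndex
Get-NetIPAddress -InterfaceIndex $if -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceIndex $if -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceIndex $if -IPAddress $SharedIp -PrefixLength $PrefixLen -DefaultGateway $Gateway
# DNS client at a surviving DC for the promotion, never at itself yet.
Set-DnsClientServerAddress -InterfaceIndex $if -ServerAddresses $PartnerDc
ipconfig /flushdns

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -InstallDns `
    -Credential (Get-Credential -Message 'Domain admin') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -ReplicationSourceDC "dc1.$Domain" -Confirm:$false -Force
# (the box reboots here)

# ---- Phase 3: after the reboot, on the new DC ----
$if = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).ifIndex
# Partner first, itself second, so name resolution survives a slow local DNS start.
Set-DnsClientServerAddress -InterfaceIndex $if -ServerAddresses $PartnerDc, '127.0.0.1'
dcdiag /test:dns /test:replications /test:advertising
repadmin /replsummary
# The shared IP must now belong to the new name only, and the SRV records must point at it.
Resolve-DnsName -Name "$NewDc.$Domain" -Type A -Server $PartnerDc
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $SharedIp
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperationMasterRoles
# Last step, once the old hardware is gone for good: remove its leftover member-server account.
# Remove-ADComputer -Identity $OldDc -Confirm:$false
```

The demotion in Phase 1 will refuse to run if the old DC still holds a FSMO role (that is what the separate -DemoteOperationMasterRole switch is for), which is a useful safety stop here: the roles should already have been transferred deliberately, not swept along by the demotion.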