Windows Server 2025 Core Domain Controller Migration

This runbook covers the migration from home-dc01 (Windows Server 2022 with AD + AD CS + DNS) to a new Windows Server 2025 Core deployment with Active Directory only.

Architecture Change

  • DNS: Migrated to pfSense

  • PKI: Migrated to HashiCorp Vault (DOMUS-ROOT-CA)

  • AD: Remains on Windows Server (this runbook)

  • AD CS: DEPRECATED - Remove by 2026-07

1. Pre-Migration Checklist

Step | Verification | Status
DNS on pfSense | All clients resolving via 10.50.1.1 | [ ]
Vault PKI operational | vault secrets list shows pki/ and pki_int/ | [ ]
Vault issuing certs | Test cert issued from domus-server role | [ ]
ISE trusts Vault CA | DOMUS-ROOT-CA in ISE trusted store | [ ]
AD replication healthy | repadmin /replsummary shows no errors | [ ]
Current DC backed up | Full system state backup completed | [ ]

2. Architecture

2.1. Current State (home-dc01)

Component | Configuration
Hostname | home-dc01
OS | Windows Server 2022 Standard (Desktop Experience)
IP Address | 10.50.1.50
Roles | AD DS, AD CS (HOME-ROOT-CA), DNS
Domain | inside.domusdigitalis.dev

2.2. Target State (home-dc02)

Component | Configuration
Hostname | home-dc02
OS | Windows Server 2025 Standard (Core)
IP Address | 10.50.1.51
Roles | AD DS only
Domain | inside.domusdigitalis.dev

3. Phase 1: Verify Prerequisites

3.1. Verify DNS on pfSense

From a Linux workstation:

# Test DNS resolution via pfSense
dig @10.50.1.1 home-dc01.inside.domusdigitalis.dev

# Verify all clients using pfSense DNS
cat /etc/resolv.conf
# Should show: nameserver 10.50.1.1

3.2. Verify Vault PKI

# Load Vault credentials
dsource d000 dev/vault

# Check PKI mounts
vault secrets list | grep pki

# Verify CA chain
vault read pki/cert/ca
vault read pki_int/cert/ca

# Test certificate issuance
vault write pki_int/issue/domus-server \
    common_name="test.inside.domusdigitalis.dev" \
    ttl="24h"

3.3. Verify ISE Trust

# Check ISE trusted certificates via API
dsource d000 dev/network
netapi ise ers cert-profiles

# Verify DOMUS-ROOT-CA is present

3.4. Backup Current DC

On home-dc01 (PowerShell as Administrator):

# Full system state backup
wbadmin start systemstatebackup -backuptarget:\\nas-01\backups\dc-migration

# Export AD CS configuration
certutil -backup C:\Backup\ADCS

# Document current FSMO roles
netdom query fsmo

4. Phase 2: Deploy Windows Server 2025 Core

4.1. VM Specifications

Resource | Value
RAM | 4 GB (minimum for Core)
vCPUs | 2
Disk | 40 GB (Core requires less)
Network | Bridge to VLAN 1 (10.50.1.0/24)
ISO | Windows Server 2025 Standard (Core)

4.2. Create VM on KVM

# Download virtio drivers if needed
# https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/

# Create VM
sudo virt-install \
    --name home-dc02 \
    --ram 4096 \
    --vcpus 2 \
    --disk path=/var/lib/libvirt/images/home-dc02.qcow2,size=40,bus=virtio \
    --os-variant win2k22 \
    --network bridge=br0,model=virtio \
    --graphics vnc,listen=0.0.0.0 \
    --cdrom /var/lib/libvirt/images/iso/windows_server_2025.iso \
    --disk path=/var/lib/libvirt/images/iso/virtio-win.iso,device=cdrom

4.3. Windows Server Core Installation

During installation:

  1. Select Windows Server 2025 Standard (Server Core Installation)

  2. Accept license terms

  3. Select Custom: Install Windows only

  4. Load virtio drivers from second CD (virtio-win.iso):

    • Browse to viostor\2k22\amd64

    • Browse to NetKVM\2k22\amd64

  5. Select disk and install

4.4. Initial Configuration (sconfig)

After first boot, use sconfig menu:

===============================================================================
                         Server Configuration
===============================================================================

1) Domain/Workgroup:                    Workgroup:  WORKGROUP
2) Computer Name:                       WIN-XXXXXXXX
3) Add Local Administrator
4) Configure Remote Management          Enabled

5) Windows Update Settings:             Manual
6) Download and Install Updates
7) Remote Desktop:                      Disabled

8) Network Settings
9) Date and Time
10) Telemetry settings:                 Required
11) Windows Activation

12) Log Off User
13) Restart Server
14) Shut Down Server
15) Exit to Command Line

Enter number to select an option:

4.4.1. Set Computer Name

# Select option 2
Enter new computer name: home-dc02
Restart now? (Y/N): N

4.4.2. Configure Network (Option 8)

# Select adapter index (usually 1)
# Select option 1 - Set Network Adapter Address

Select (D)HCP or (S)tatic IP address: S
Enter static IP address: 10.50.1.51
Enter subnet mask: 255.255.255.0
Enter default gateway: 10.50.1.1

4.4.3. Set DNS Server

# Still in Network Settings
# Select option 2 - Set DNS Servers

Enter new preferred DNS server: 10.50.1.50
Enter alternate DNS server: 10.50.1.1

4.4.4. Enable Remote Desktop (Option 7)

# Select option 7
Enable Remote Desktop? (E)nable or (D)isable: E
Allow only NLA connections? (1) More secure or (2) Less secure: 1

4.4.5. Restart Server

# Select option 13 to restart

4.5. Post-Restart Configuration (PowerShell)

Press 15 in sconfig to exit to command line, then:

# Start PowerShell
powershell

# Verify network configuration
Get-NetIPConfiguration

# Test connectivity to existing DC
Test-Connection home-dc01.inside.domusdigitalis.dev

# Test DNS resolution
Resolve-DnsName home-dc01.inside.domusdigitalis.dev

5. Phase 3: Join Domain and Promote

5.1. Join Domain

# Add to domain
Add-Computer -DomainName inside.domusdigitalis.dev -Credential (Get-Credential)
# Enter domain admin credentials when prompted

# Restart
Restart-Computer

5.2. Install AD DS Role

After restart, open PowerShell:

# Install AD DS role
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Verify installation
Get-WindowsFeature AD-Domain-Services

5.3. Promote to Domain Controller

# Import AD deployment module
Import-Module ADDSDeployment

# Promote to DC (replicating from existing DC)
Install-ADDSDomainController `
    -DomainName "inside.domusdigitalis.dev" `
    -SiteName "Default-First-Site-Name" `
    -ReplicationSourceDC "home-dc01.inside.domusdigitalis.dev" `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -NoGlobalCatalog:$false `
    -InstallDns:$false `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM Password") `
    -Force:$true

# Server will restart automatically

We use -InstallDns:$false because DNS is handled by pfSense.

5.4. Verify Replication

After restart, verify AD replication:

# Check replication status
repadmin /replsummary

# Check replication partners
repadmin /showrepl

# Verify DC registration
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperatingSystem

# Test LDAP connectivity
Get-ADUser -Filter * -Server home-dc02.inside.domusdigitalis.dev | Select-Object -First 5
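The replication checks above (and the "AD replication healthy" row of the pre-migration checklist) are read by eye from repadmin output. The script below is an added example, not part of the original runbook: it turns the same checks into a single pass/fail gate using the ActiveDirectory module's replication cmdlets. It assumes it runs on home-dc02 in an elevated PowerShell with the RSAT tools installed by -IncludeManagementTools, and uses the hostnames from this runbook; the function name and the 60-minute freshness threshold are my own choices.

```powershell
# Added example: replication health gate for the pre-migration checklist and step 5.4.
# Assumes: run on home-dc02, ActiveDirectory module available, DC names as in this runbook.
Import-Module ActiveDirectory

function Test-AdReplicationHealth {
    param(
        [string[]]$ExpectedDcs = @('home-dc01', 'home-dc02'),
        [int]$MaxAgeMinutes = 60   # assumption: a link older than this is treated as stale
    )
    $problems = @()

    # 1. Every DC we expect must be registered in the domain.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    foreach ($dc in $ExpectedDcs) {
        if ($dcs -notcontains $dc) { $problems += "DC '$dc' is not registered in AD" }
    }

    # 2. No outstanding replication failures in the domain (same data repadmin /replsummary shows).
    $failures = Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain
    foreach ($f in $failures) {
        $problems += "Replication failure on $($f.Server) from $($f.Partner): $($f.FailureType) (count $($f.FailureCount))"
    }

    # 3. Every inbound partner link on every DC must have succeeded recently with result 0.
    foreach ($dc in $dcs) {
        $links = Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound
        foreach ($l in $links) {
            if ($l.LastReplicationResult -ne 0) {
                $problems += "$dc <- $($l.PartnerAddress) [$($l.Partition)]: last result $($l.LastReplicationResult)"
            }
            if ($l.LastReplicationSuccess) {
                $age = (Get-Date) - $l.LastReplicationSuccess
                if ($age.TotalMinutes -gt $MaxAgeMinutes) {
                    $problems += "$dc <- $($l.PartnerAddress) [$($l.Partition)]: last success $([int]$age.TotalMinutes) min ago"
                }
            } else {
                $problems += "$dc <- $($l.PartnerAddress) [$($l.Partition)]: has never replicated"
            }
        }
    }

    # 4. SYSVOL must be shared on every DC, otherwise Group Policy is not being served from it.
    foreach ($dc in $dcs) {
        if (-not (Test-Path "\\$dc\SYSVOL")) { $problems += "SYSVOL share not reachable on $dc" }
    }

    [pscustomobject]@{
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-AdReplicationHealth
$result.Problems | ForEach-Object { Write-Warning $_ }
if (-not $result.Healthy) { throw "AD replication is not healthy; do not continue the migration." }
"Replication healthy across: $($(Get-ADDomainController -Filter *).Name -join ', ')"
```

Run it once before the migration starts (only home-dc01 exists, so pass -ExpectedDcs 'home-dc01') and again here after the promotion; a non-empty Problems list means the FSMO transfer in the next phase should wait.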

6. Phase 4: Transfer FSMO Roles

6.1. Check Current FSMO Holders

# View current FSMO role holders
netdom query fsmo

# Or via PowerShell
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
Get-ADDomain | Select-Object InfrastructureMaster, PDCEmulator, RIDMaster

6.2. Transfer All FSMO Roles

From home-dc02 (PowerShell as Administrator):

# Transfer all roles to home-dc02
# Note: -Force makes this cmdlet *seize* the roles, which is only appropriate when the
# current holder is permanently offline. home-dc01 is up, so do a clean transfer instead.
Move-ADDirectoryServerOperationMasterRole `
    -Identity "home-dc02" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Verify transfer
netdom query fsmo
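netdom query fsmo prints the holders but leaves the comparison to the operator. As an added example (not from the original runbook), the following reads the five holders through the same Get-ADForest / Get-ADDomain properties used in 6.1, asks home-dc02 directly so a stale replica cannot mask an incomplete transfer, and fails if any role is still elsewhere. The function names and the -Server pinning are my choices; hostnames are the runbook's.

```powershell
# Added example: verify every FSMO role landed on home-dc02 after the transfer.
# Assumes: ActiveDirectory module available, run on home-dc02 (or any domain member with RSAT).
Import-Module ActiveDirectory

function Get-FsmoHolders {
    param([string]$Server = 'home-dc02.inside.domusdigitalis.dev')
    # Forest-wide roles live on the forest object, domain roles on the domain object.
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoHolder {
    param(
        [Parameter(Mandatory)][string]$ExpectedHolder,   # short hostname, e.g. home-dc02
        [string]$Server = 'home-dc02.inside.domusdigitalis.dev'
    )
    $holders  = Get-FsmoHolders -Server $Server
    $mismatch = @()
    foreach ($role in $holders.Keys) {
        # Holder values are FQDNs (home-dc02.inside.domusdigitalis.dev); compare the host label only.
        $holderName = ($holders[$role] -split '\.')[0]
        if ($holderName -ne $ExpectedHolder) { $mismatch += "$role is still on $($holders[$role])" }
    }
    [pscustomobject]@{
        AllOnExpected = ($mismatch.Count -eq 0)
        Holders       = $holders
        Mismatches    = $mismatch
    }
}

# Push the role change to all partners first so both DCs agree on the holders.
repadmin /syncall /AdeP | Out-Null

$check = Test-FsmoHolder -ExpectedHolder 'home-dc02'
$check.Holders.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if (-not $check.AllOnExpected) { throw ($check.Mismatches -join "`n") }
'All five FSMO roles are on home-dc02.'
```

One consequence of moving the PDC emulator that the runbook does not call out: the PDC emulator is the domain's authoritative time source, so home-dc02 should now sync from an external source (for example w32tm /config /manualpeerlist:"10.50.1.1" /syncfromflags:manual /reliable:yes /update followed by w32tm /resync, assuming pfSense also serves NTP) and home-dc01 should revert to the domain hierarchy with w32tm /config /syncfromflags:domhier /update. Kerberos tolerates only a small clock skew, so this is worth doing before clients are pointed at the new DC.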

6.3. Update DNS Records

On pfSense or DNS server:

# Update A records
home-dc02.inside.domusdigitalis.dev -> 10.50.1.51

# Update SRV records for AD
_ldap._tcp.inside.domusdigitalis.dev -> home-dc02.inside.domusdigitalis.dev
_kerberos._tcp.inside.domusdigitalis.dev -> home-dc02.inside.domusdigitalis.dev
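Because the DC was promoted with -InstallDns:$false and pfSense is authoritative for the zone, Netlogon cannot register these SRV records dynamically (it will log failed dynamic-registration warnings); they have to be kept correct by hand. The check below is an added example, not part of the original runbook. It extends the two records listed above to the standard set a DC registers for itself (the authoritative list for this DC is written to C:\Windows\System32\config\netlogon.dns on the DC) and verifies each one against pfSense, including that the A record points at the new IP. Names, IPs and ports are the runbook's; the function name is mine.

```powershell
# Added example: verify the AD SRV and A records served by pfSense for the new DC.
# Assumes: run from a Windows host with the DnsClient module (any Windows Server / client),
# pfSense at 10.50.1.1 is the resolver clients use, home-dc02 is the intended target.
function Test-AdSrvRecords {
    param(
        [string]$Domain     = 'inside.domusdigitalis.dev',
        [string]$DnsServer  = '10.50.1.1',
        [string]$ExpectedDc = 'home-dc02.inside.domusdigitalis.dev',
        [string]$ExpectedIp = '10.50.1.51'
    )
    # SRV name -> port the record must advertise (standard set a DC registers via Netlogon)
    $expected = [ordered]@{
        "_ldap._tcp.$Domain"               = 389
        "_ldap._tcp.dc._msdcs.$Domain"     = 389
        "_ldap._tcp.pdc._msdcs.$Domain"    = 389
        "_ldap._tcp.gc._msdcs.$Domain"     = 3268
        "_gc._tcp.$Domain"                 = 3268
        "_kerberos._tcp.$Domain"           = 88
        "_kerberos._udp.$Domain"           = 88
        "_kerberos._tcp.dc._msdcs.$Domain" = 88
        "_kpasswd._tcp.$Domain"            = 464
        "_kpasswd._udp.$Domain"            = 464
    }
    $problems = @()
    foreach ($name in $expected.Keys) {
        $port = $expected[$name]
        try {
            # The answer may carry additional A records; keep only the SRV rows.
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch {
            $problems += "$name : no SRV record ($($_.Exception.Message))"
            continue
        }
        if (-not $srv) { $problems += "$name : answer contained no SRV record"; continue }
        foreach ($r in $srv) {
            if ($r.NameTarget -ne $ExpectedDc) { $problems += "$name -> $($r.NameTarget) (expected $ExpectedDc)" }
            if ($r.Port -ne $port)             { $problems += "$name port $($r.Port) (expected $port)" }
        }
    }

    # SRV targets are useless unless the DC's A record resolves to the new address.
    $a = Resolve-DnsName -Name $ExpectedDc -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a -or ($a.IPAddress -notcontains $ExpectedIp)) {
        $problems += "$ExpectedDc A record does not resolve to $ExpectedIp on $DnsServer"
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

$dns = Test-AdSrvRecords
$dns.Problems | ForEach-Object { Write-Warning $_ }
if ($dns.Ok) { "All AD SRV/A records on 10.50.1.1 point at home-dc02." }
```

Run it after editing the pfSense records and again after home-dc01 is demoted: any SRV row that still names home-dc01 will send clients to a host that no longer answers Kerberos or LDAP.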

6.4. Update ISE LDAP Configuration

# Via netapi (if configured)
dsource d000 dev/network

# Check current AD configuration
netapi ise ers ad

# Update primary LDAP server to home-dc02
# This may require ISE GUI:
# Administration > Identity Management > External Identity Sources > Active Directory

7. Phase 5: Decommission Old DC

Do not proceed until:

  • All FSMO roles transferred

  • AD replication confirmed healthy

  • ISE/services updated to use home-dc02

  • Test authentication from Linux workstations

7.1. Verify Services Using New DC

# From Linux workstation - test 802.1X auth
nmcli connection up "Wired-802.1X"

# Check ISE auth logs
netapi ise mnt sessions

# Verify LDAP binds going to new DC
netapi ise dc session --filter "home-dc02"

7.2. Demote Old DC

On home-dc01 (PowerShell as Administrator):

# Demote to member server
Uninstall-ADDSDomainController `
    -DemoteOperationMasterRole:$true `
    -RemoveDnsDelegation:$true `
    -LocalAdministratorPassword (Read-Host -AsSecureString "Local Admin Password") `
    -Force

# Server will restart

7.3. Remove AD CS Role

After demotion, remove the deprecated CA:

# Remove AD CS role
Uninstall-WindowsFeature AD-Certificate-Services -IncludeManagementTools

# Clean up CA database
Remove-Item -Recurse -Force C:\Windows\System32\CertLog\
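Uninstalling the role and deleting CertLog removes the CA from home-dc01, but the forest still carries references to HOME-ROOT-CA in the Public Key Services containers of the configuration partition. An entry left in NTAuthCertificates keeps the retired CA trusted for certificate logon (smart card / PKINIT), and an Enrollment Services object keeps advertising it to autoenrollment clients. The following is an added example, not part of the original runbook: it lists any remaining references to the old CA so they can be removed deliberately. It assumes it runs on home-dc02 with the ActiveDirectory module; the container names are the standard AD ones, the CA name is the runbook's, and the function name is mine.

```powershell
# Added example: find leftover references to the retired CA in the forest's PKI containers.
# Assumes: run on home-dc02 (or a member with RSAT), ActiveDirectory module available.
Import-Module ActiveDirectory

function Get-PublishedCaEntries {
    param([string]$CaName = 'HOME-ROOT-CA')
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pki      = "CN=Public Key Services,CN=Services,$configNc"
    $found    = @()

    # These containers hold one object per published CA; the object name carries the CA name.
    foreach ($container in 'Enrollment Services', 'Certification Authorities', 'AIA') {
        $objs = Get-ADObject -SearchBase "CN=$container,$pki" -SearchScope OneLevel -Filter * -ErrorAction SilentlyContinue
        foreach ($o in $objs) {
            if ($o.Name -like "*$CaName*") { $found += "$container : $($o.DistinguishedName)" }
        }
    }

    # NTAuthCertificates is a single object; the trusted CA certs sit in its cACertificate attribute.
    $ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pki" -Properties cACertificate -ErrorAction SilentlyContinue
    foreach ($raw in @($ntauth.cACertificate)) {
        if ($null -eq $raw) { continue }
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        if ($cert.Subject -like "*$CaName*") {
            $found += "NTAuthCertificates : $($cert.Subject) serial $($cert.SerialNumber) thumbprint $($cert.Thumbprint)"
        }
    }
    $found
}

$leftovers = Get-PublishedCaEntries
if ($leftovers) {
    Write-Warning "HOME-ROOT-CA is still referenced in AD:"
    $leftovers
} else {
    'No references to HOME-ROOT-CA remain in the Public Key Services containers.'
}
```

The Enrollment Services object is normally removed when the CA role is uninstalled, but confirm it. A certificate still listed under NTAuthCertificates is removed with certutil -delstore -enterprise NTAuth <serial number> (the serial is printed above); the remaining container objects can be removed with Remove-ADObject once nothing depends on them, and the same checks should show an empty result before the old VM is deleted.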

7.4. Unjoin and Shutdown

# Remove from domain
Remove-Computer -UnjoinDomainCredential (Get-Credential) -Force -Restart

After restart, shut down the old VM:

# On KVM host
sudo virsh shutdown home-dc01

# Optional: Remove VM after verification period
# sudo virsh undefine home-dc01 --remove-all-storage

8. Phase 6: Post-Migration Verification

8.1. AD Health Check

# On home-dc02
# Check AD services
Get-Service NTDS, Netlogon, KDC | Select-Object Name, Status

# Check replication (should show only home-dc02)
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address

# Verify FSMO roles
netdom query fsmo

8.2. Linux Client Verification

# Test Kerberos
kinit user@INSIDE.DOMUSDIGITALIS.DEV
klist

# Test LDAP
ldapsearch -H ldap://home-dc02.inside.domusdigitalis.dev -b "dc=inside,dc=domusdigitalis,dc=dev" -Y GSSAPI

# Test 802.1X authentication
nmcli connection up "Wired-802.1X"
netapi ise mnt sessions

8.3. ISE Verification

# Check AD join status
netapi ise ers ad

# Test authentication
netapi ise mnt auth-status --last 10

9. Phase 7: Documentation Updates

9.1. Update Infrastructure Docs

Document | Update Required
domus-infra-ops/architecture/ip-addressing.adoc | Update DC IP from 10.50.1.50 to 10.50.1.51
domus-ise-linux/02-pki/windows-adcs.adoc | Mark as deprecated, reference Vault
All antora.yml files | Update ad-dc-ip and homedc-hostname attributes

9.2. Update Antora Attributes

In domus-infra-ops/docs/asciidoc/antora.yml:

# Update DC references
homedc-hostname: home-dc02.inside.domusdigitalis.dev
homedc-ip: 10.50.1.51

9.3. Archive Old Documentation

# Move deprecated AD CS docs to archive
git mv docs/asciidoc/modules/ROOT/pages/runbooks/windows-dc-adcs.adoc \
       docs/asciidoc/modules/ROOT/pages/archive/

# Update nav.adoc to reflect changes

10. Rollback Procedure

If issues occur before decommissioning old DC:

  1. Transfer FSMO roles back to home-dc01

  2. Update DNS/ISE to point to home-dc01

  3. Demote home-dc02

  4. Investigate and retry

# On home-dc01 - reclaim FSMO roles
# home-dc02 is still online at this point, so transfer cleanly; only add -Force (seize)
# if home-dc02 is unreachable and will not be brought back.
Move-ADDirectoryServerOperationMasterRole `
    -Identity "home-dc01" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

11. Appendix: Windows Server Core Quick Reference

11.1. Common Commands

Task | Command
Open Server Configuration | sconfig
Open PowerShell | powershell
Check IP Configuration | ipconfig /all or Get-NetIPConfiguration
Restart Server | shutdown /r /t 0 or Restart-Computer
Check Services | Get-Service
Check Event Logs | Get-EventLog -LogName System -Newest 20
Remote Management | winrm quickconfig

11.2. Useful PowerShell Modules

# AD management
Import-Module ActiveDirectory

# Check DC health
dcdiag /v

# Check DNS (if installed)
Import-Module DnsServer