Hi,
As you have more than one domain controller per domain, you can demote the domain controller on the old server after moving the FSMO roles to another domain controller, because the other domain controllers will ensure the authentication.
Once this step is completed, you can start by migrating the DHCP service, then the certificate service.
I recommend that you perform the following steps:
- Move the FSMO roles to another domain controller
- Demote the domain controller on the old server
- Back up the DHCP settings (export settings): Export-DhcpServer
- Migrate the DHCP service to the new server by importing the settings of the old server: Import-DhcpServer
- Migrate the certificate service. I invite you to read the following links:
  AD CS Migration: Migrating the Certification Authority
  migrate-root-ca-to-a-new-server
- Switch IP between the old and new server
- Promote the domain controller on the new server
I recommend that you test and validate all migration procedures in your test and Pre-Prod environment before applying them to the production environment.
Don't forget to back up at least one domain controller per domain in your forest, to be able to restore the forest in case of an issue.
Please don't forget to mark helpful reply as answer
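
Added example, not part of the original reply: a PowerShell sketch of the FSMO move and the DHCP export/import from the steps above, with checks before the demotion. It goes slightly beyond the reply by moving only the roles the old server actually holds. The names OLD-SRV, DC02, NEW-SRV, the C:\MigrationStaging paths and the helper Get-FsmoHeldBy are hypothetical placeholders.

```powershell
# Added example. OLD-SRV, DC02, NEW-SRV and C:\MigrationStaging are hypothetical.
# Run elevated on a machine with the ActiveDirectory and DhcpServer modules (RSAT).
Import-Module ActiveDirectory, DhcpServer

$OldServer = 'OLD-SRV'   # server being retired
$KeepDc    = 'DC02'      # domain controller that stays online
$NewServer = 'NEW-SRV'   # replacement server with the DHCP role installed
$DhcpFile  = 'C:\MigrationStaging\dhcp-export.xml'   # keep this folder ACL-restricted

# Hypothetical helper: names of the FSMO roles currently held by $Server.
function Get-FsmoHeldBy {
    param([string]$Server)
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $holders = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    # Role holders are reported as FQDNs; compare on the host part only.
    $holders.Keys | Where-Object { ($holders[$_] -split '\.')[0] -eq $Server }
}

# Check 1: another domain controller must remain to handle authentication.
$remaining = Get-ADDomainController -Filter * | Where-Object Name -ne $OldServer
if (-not $remaining) { throw "No other domain controller found; do not demote $OldServer." }

# Step 1: move only the roles the old server still holds.
$roles = @(Get-FsmoHeldBy -Server $OldServer)
if ($roles.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $KeepDc `
        -OperationMasterRole $roles -Confirm:$false
}

# Check 2: refuse to continue while any role is still on the old server.
$left = @(Get-FsmoHeldBy -Server $OldServer)
if ($left.Count -gt 0) { throw "Still on ${OldServer}: $($left -join ', ')" }

# Step 2 is done on the old server itself (Uninstall-ADDSDomainController).
Read-Host "Demote $OldServer, wait until it is back online, then press Enter"

# Steps 3-4: export DHCP configuration and leases, then import on the new server.
# -BackupPath is where the target's current DHCP database is saved before the import.
Export-DhcpServer -ComputerName $OldServer -File $DhcpFile -Leases
Import-DhcpServer -ComputerName $NewServer -File $DhcpFile `
    -BackupPath 'C:\MigrationStaging\dhcp-preimport' -Leases
```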