Upgrade Active Directory 2012 to 2022
*You may use any version between 2008 to 2016 to upgrade to 2019/2022.
Introduction
Technology can’t last forever, we have to keep moving on and have to be up-to-date. But the problem arises when we think about upgrading it has to be less risky and have minimal downtime. We always think of a way where low risks are involved. Today, we are going to discuss the simplest way to upgrade “Microsoft’s Active Directory upgrade from Windows Server 2008/2012/2016 to Windows Server 2019/2022” instead of using In-Place Upgrade.
Prerequisites
Before we start we need to get a plan ready in Black and White which means you have to make a migration/up-gradation plan according to your environment. Every organization has its own Active Directory infrastructure that includes Forest, Trust, Sites, and no. of Domain Controllers. Apart from this, we have to make sure what other roles or features an individual Domain Controller may have like DHCP, DNS Server, DFS, FileServer, Radius(NAP/NPS), etc. Before you start migration you have to be 100% sure about all other services on Domain Controller may have and make a plan to migrate those Services as well.
Environment Setup
I am going to take an example of an environment wherein I have two Domain Controllers. One DC has DHCP and DNS service role and Second DC has only DNS Server. It is a Server 2012 Active Directory Environment with a Single Site and Single Domain in a forest. In case, you have a Child domain or Multi-Domain in a forest then the basic concept of migration of Active Directory would be the same.
Because Active Directory Itself is an Automatically driven application or Service, which itself takes care of many things. It is a simple AD replication that will help to migrate to the Server Platform. You just need to install/deploy a Server Machine of the new Version (Server 2019/2022) and promote it as an Additional Active Directory Controller (ADC) and it will be done.
Example Domains name: yourcomputer.in
Agenda
But the main point here is to keep using the Old Domain Controller name and IP Address and other Services.
For Example, I have Domain Controllers names:- DC1 and DC2. DC1 has DHCP Service while DC2 holds all FSMO roles (both residing on the same site) both servers have AD-integrated DNS. In this case, I have to use the same IP and Domain Controller name of DC1 reason is that it has been already configured in a Routers (IP Helper) while DC2 has been used in some appliances as an LDAP server (like Vcenter, proxy server, etc.). Now, how we can do it without downtime? as we have to use the same name and IP address. Here is a trick:
Choose a First DC
We have to approach one by the Domain Controller’s migration plan because in this way we can pass on the role to other DCs without any downtime. Let’s take DC2 first which has FSMO roles and DNS. Then we will choose DC1 which has a DHCP Role. (It is totally up to you now to start with but make sure you get everything transferred)
Migration phases:-
Phase 1
Demote DC2.yourcomputer.in (Windows Server 2012) –> Promote DC2.yourcomputer.in (Windows Server 2016)
Phase 2
Demote DC1.yourcomputer.in (Windows Server 2012) –> Promote DC1.yourcomputer.in (Windows Server 2016)
It will go on with a number of DCs in the Environment
To get the same IP address and Host Name we have to demote DC2 but before that, we have to get this server free from any dependencies related to AD.
Phase 1
Dependencies
- AD integrated DNS
We really won’t have to do anything if we have AD-integrated DNS. Once we raise the new domain controller it will be replicated together.
- FSMO Roles
We need to free the Domain Controller with FSMO roles. So, in this case, we need to transfer all five roles to other DCs. Here are the steps:
- RDP to Domain Controller that doesn’t have FSMO role or to DC where you want to transfer the roles (Mine is:- DC1.yourcomputer.in)
- Identify the Roles by running “netdom query FSMO” in the Command Prompt.
Power Shell CLI to transfer FSMO Roles
- Move-ADDirectoryServerOperationMasterRole -Identity “DC1” -OperationMasterRole 0,1,2,3,4
GUI to transfer FSMO Roles
- Click on Run and type “dsa.msc” or from Administrative Tools–> Open Active Directory Users and Computers
- Right-click on Domain Name (yourcomputer.in) and select Operation Masters.
- A pop-up Windows will be opened that will have 3 Tabs:- RID, PDC, and Infrastructure.
- Choose all Tabs one by one and Transfer the roles by clicking on Change. A Successful Acknowledgement should come with each role transfer.
- Once 3 roles are transferred successfully move on for Domain Naming Role Transfer.
- Open “Active Directory Domains and Trusts” from Administrative Tools.
- Right Click on “Active Directory Domains and Trusts” and select “Operations Master“
- Click Change. A Successful Acknowledgement should come with role transfer. Click Close
- Now we have only one role remaining i.e. Schema Master.
- Open a Command Prompt and Type regsvr32 schmmgmt.dll. A successful DLL registered message should pop-up.
- Open MMC (run or Command Prompt).
- Click File–> Add/Remove Snap-in
- Select “Active Directory Schema” Click Add. Click OK.
- Right-click on “Active Directory Schema” choose “Change Active Directory Domain Controller” and select DC1 (should be the DC to where role has to be transferred). Click OK.
- Right-click on Active Directory Schema and select Operations Master
- Click Change–> OK.
- Now all 5 FSMO roles have been successfully transferred to DC1, which means DC2 doesn’t have any dependency and can be demoted.
Demote DC2 from Active Directory
- Login to DC2.yourcomputer.in
- Open Server Manager
- Click Manage. Select Remove Roles and Features
- Click Next and make sure that DC2.yourcomputer.in server is selected. Click Next
- Uncheck Active Directory Domain Services, a pop-up message will come to remove AD-dependent features. Click Remove Features
- A new window will pop-up that asks to Demote the DC before removing a role. Click demote this domain controller link
- Click Next, select Proceed with removal, Next, select Remove DNS delegation, Next
- Provide a New Administrator password. (it will be a local admin password post-demotion), Click Next
- Review the selection and click Demote
- The system will be rebooted once the demotion is completed.
- after reboot, the server will be a part of the Domain as a member server. Login to the server with the same domain credentials.
Decommission DC2 Server
- Unjoin DC2 from the domain and reboot
- Now this server is a normal workgroup machine
- Change the IP address and power off this machine.
- Also, make sure that the Computer Account is deleted from AD and the DNS record is cleared.
Install new Windows Server 2019/2022 as DC2
It is time to install the new Windows Server 2019/2022.
- Deploy/Install new Windows Server 2022 according to Hardware requirements and patch this server to the latest.
- Change the Hostname of this Server to “DC2“(same as old) and IP address (same as old), Verify DNS in IP configuration. Restart the machine.
- Install “Active Directory Domain Service” and “DNS” roles with all dependent features.
- Post role installed. Promote the domain controller.
- Choose to Join this DC to the existing Domain, provide Domain credentials, and DSRM Password, and complete the wizard.
- The Server will be rebooted.
- After Reboot machine will be a Domain Controller.
- Verify DNS Server and other things.
As “DC2” has been promoted successfully. It also has the integrated DNS. So first phase of migration is completed successfully. Now comes a second phase
Read also 7 Steps to Rename a Domain in Microsoft Active Directory Domain Services (AD DS)
Phase 2
Demote DC1.yourcomputer.in (Windows Server 2012) –> Promote DC1.yourcomputer.in (Windows Server 2019/2022)
FSMO Roles
We have already transferred all FSMO roles earlier to DC1. It is the time to revert it to DC2.
- RDP to Domain Controller:- DC2.yourcomputer.in.
- Identify the Roles by running “netdom query FSMO” in the Command Prompt.
Power Shell CLI to transfer FSMO Roles
- Move-ADDirectoryServerOperationMasterRole -Identity “DC2” -OperationMasterRole 0,1,2,3,4
GUI to transfer FSMO Roles
- Click on Run and type “dsa.msc” or from Administrative Tools–> Open Active Directory Users and Computers
- Right-click on Domain Name (yourcomputer.in) and select Operation Masters.
- A pop-up Windows will be opened that will have 3 Tabs:- RID, PDC, and Infrastructure
- Choose all Tabs one by one and Transfer the roles by clicking on Change. A Successful Acknowledgement should come with each role transfer. (cross-check the following computer name should be different from current)
- Once 3 roles are transferred successfully move on for Domain Naming Role Transfer.
- Open “Active Directory Domains and Trusts” from Administrative Tools.
- Right Click on “Active Directory Domains and Trusts” and select “Operations Master“
- Click Change. A Successful Acknowledgement should come with role transfer. Click OK.
- Now we have only one role remaining i.e. Schema Master.
- Open a Command Prompt and Type regsvr32 schmmgmt.dll. A successful DLL registered message should pop-up.
- Open MMC (run or Command Prompt).
- Click File–> Add/Remove Snap-in
- Select “Active Directory Schema” Click Add.
- Right Click on “Active Directory Schema” and choose Change Active Directory Domain Controllers Select DC2.yourcomputer.in (should be the DC to where role has to be transferred).
- Right-click on Active Directory Schema and select Operations Master
- Click Change, Click Yes, Ok
- Now all 5 FSMO roles have been successfully transferred to DC2, which means DC1 doesn’t have any FSMO Role dependency and can be demoted.
DHCP Server
A DHCP is different from AD. But it needs a downtime or if you have configured DHCP failover then there won’t be a downtime. However, you need to unauthorize the DHCP Server from AD after taking the backup.
A backup can be taken by using the DHCP console, right-clicking on Server Name, selecting Backup choosing destination folder, and copying the backup to any other save location out of this server. Right-click the DHCP server and unauthorize it.
Now, DC1 is free and can be demoted following the same steps as DC2.
Demote DC1 from Active Directory
- Open Server Manager
- Click Manage. Select Remove Roles and Features
- Click Next and make sure that DC1.yourcomputer.in the server is selected. Click Next
- Uncheck Active Directory Domain Services, a pop-up message will come to demote the domain controller.
- Click demote this domain controller link
- Click Next, Select Proceed with removal, Next, select Remove DNS delegation, Next
- Provide a New Administrator password. (it will be a local admin password post-demotion), Click Next
- Review the selection and click Demote
- The system will be rebooted once the demotion is completed.
- after reboot, the server will be a part of the Domain as a member server. Login to the server with the same domain credentials.
Decommission DC1 Server
- Unjoin DC1 from the domain, and remove the remaining DNS and DHCP Roles.
- Reboot
- Now this server is a normal workgroup machine
- Change the IP address and power off this machine.
- Also, make sure that the Computer Account is deleted from AD and the DNS record is cleared.
Install new Windows Server 2016 as DC1
It is time to install the new Windows Server 2016 and promote it to the Domain Controller
- Deploy/Install new Windows Server 2016 according to Hardware requirements and patch this server to the latest.
- Change the Hostname of this Server to “DC1“(same as old) and IP address (same as old). Restart the machine.
- Install “Active Directory Domain Service“,”DHCP” and “DNS” roles.
- Promote the domain controller.
- Choose Join this DC to existing Domain, provide Domain credentials, and DSRM Password, and complete the wizard.
- After Reboot machine will be a Domain Controller.
- Verify DNS and other things.
- Configure DHCP Post-deployment and authorize it
- Restore DHCP backup by copying the backup to %SystemRoot%System32\DHCP\backup
- Verify the DHCP
Conclusion
We have successfully migrated both Domain Controllers to the Windows Server 2016 platform with the same Hostname and IP address. You may now raise the domain functional level to Windows Server 2016 in case you don’t have any older version Domain Controller in Domain.
That’s it folks for now. I hope it is useful information for all the Active Directory System Admins.
Subscribe to my YouTube channel
- Entra ID (Azure Active Directory): Migration and Integration Guide - 20 December 2024
- Active Directory Federation Services (ADFS): Implementation Guide - 16 December 2024
- Active Directory Backup and Recovery Strategy: Comprehensive Guide - 11 December 2024
Comments are closed.