
Migrating Active Directory Domain Controller from Windows Server 2012 R2 to Windows Server 2016

This is my third article on migrating Active Directory Domain Controllers. In the first article, I described how to migrate an Active Directory Domain Controller from Windows Server 2003 SP2 to Windows Server 2008 R2. In the second article, I described how to migrate an Active Directory Domain Controller from Windows Server 2008 R2 to a Windows Server 2012 Domain Controller. In this article, I explain how to migrate an Active Directory Domain Controller from Windows Server 2012 R2 to Windows Server 2016 Active Directory. There are two options for migrating a Windows Server 2012 R2 Domain Controller to Windows Server 2016:

 


1. Directly upgrading your existing AD DS Domain Controllers to Windows Server 2016, which is not recommended.

2. Migrating specific AD DS Domain Controller functionality to a new Windows Server 2016 Active Directory Domain environment on new hardware, which is the best option for migrating an Active Directory Domain Controller from Windows Server 2012 R2 to a Windows Server 2016 Domain Controller.

The prerequisites for migrating to Windows Server 2016 in a new hardware are as follows:

1. Ensure that the Windows Server 2012 R2 AD DS domain and forest functional levels are at least Windows Server 2008.

2. Check the schema version of AD DS.

3. Prepare the AD DS forest and domain using adprep. On the Windows Server 2012 R2 Domain Controller, run adprep /forestprep and adprep /domainprep from the \support\adprep folder of the Windows Server 2016 installation DVD.

4. Join Windows Server 2016 to the existing Windows Server 2012 R2 domain.

5. Add the AD DS Server Role and Promote the computer as a new Domain Controller in an existing domain.

6. Transfer operations master roles to a new Windows Server 2016 Domain Controller.

7. Decommission the existing Windows Server 2012 R2 Domain Controllers.

8. Optionally, raise the forest and domain functional level.

Step 1: Ensure that the Windows Server 2012 R2 AD DS domain and forest functional levels are at least Windows Server 2008:

Step 2: Check the Schema version of AD DS before adprep:

Step 3: Run adprep command to prepare the existing forest and domain:

1. Insert the Windows Server 2016 DVD into the DVD drive of the Windows Server 2012 R2 AD DS.

2. Open command prompt, and type the following commands and press Enter.


Check the Schema version of AD DS after adprep:

After the schema upgrade, the schema version can be manually verified by using the following dsquery command:
dsquery * cn=schema,cn=configuration,dc=msserverpro,dc=com -scope base -attr objectVersion

The objectVersion value is 87 for the Windows Server 2016 schema.

To prepare the Active Directory domain, run adprep /domainprep on a domain controller in your existing forest:

D:\support\adprep>adprep /domainprep
(where D: drive is the installation media of Windows Server 2016)

Note: Both of these steps were required in Windows Server 2008 R2. In Windows Server 2012 and later, if you do not perform these two tasks manually from an elevated command prompt, the Active Directory Domain Services Configuration Wizard performs them automatically. Large organizations still prefer to separate the process of preparing the Active Directory forest from promoting the first domain controller, because separate administrative teams are often responsible for those distinct configuration changes.

If adprep /domainprep is run after the Windows Server 2016 Active Directory Domain Services Configuration Wizard has completed, it shows the message “Domain-wide information has already been updated”.
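The checks from Steps 1 to 3 can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes the ActiveDirectory module is available and goes slightly beyond the article by reading the schema version from every domain controller in the current domain, which shows whether the adprep change has replicated.

```powershell
# Added example (not from the article): read-only checks before and after adprep.
Import-Module ActiveDirectory

$Schema2016 = 87   # objectVersion the article gives for the Windows Server 2016 schema

function Get-AdPrepStatus {
    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # Prerequisite 1: forest and domain functional levels of at least Windows Server 2008.
    $minForest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
    $minDomain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain

    # Prerequisite 2 and the post-adprep check: schema objectVersion as seen by each DC.
    $perDc = foreach ($dc in (Get-ADDomainController -Filter *)) {
        $v = (Get-ADObject -Identity $schemaNC -Properties objectVersion `
                -Server $dc.HostName).objectVersion
        [pscustomobject]@{ DomainController = $dc.HostName; SchemaVersion = $v }
    }

    [pscustomobject]@{
        ForestMode     = $forest.ForestMode
        DomainMode     = $domain.DomainMode
        LevelsOk       = ($forest.ForestMode -ge $minForest) -and
                         ($domain.DomainMode -ge $minDomain)
        SchemaPerDc    = $perDc
        # True only when no DC reports a version below 87 (or fails to answer).
        SchemaPrepared = -not ($perDc | Where-Object { $_.SchemaVersion -lt $Schema2016 })
    }
}

$status = Get-AdPrepStatus
$status | Format-List ForestMode, DomainMode, LevelsOk, SchemaPrepared
$status.SchemaPerDc | Format-Table -AutoSize

if (-not $status.LevelsOk) {
    Write-Warning 'Forest or domain functional level is below Windows Server 2008.'
}
if (-not $status.SchemaPrepared) {
    Write-Warning 'Schema is below 87 on at least one DC: adprep /forestprep has not run or has not replicated.'
}
```

Before adprep, SchemaPrepared is expected to be False; run the script again after adprep and wait until every domain controller reports 87 before promoting the new server.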

Step 4: Deploying the first Windows Server 2016 domain controller in an existing forest, including DNS and Global Catalog:

1. First, join this server, KTM-DC1-2K16, as a member server in the existing Windows Server 2012 R2 domain before promoting it to a Domain Controller.

2. On the Server Manager, click Manage, and from the drop-down list box, click Add Roles and Features.

3. On the Before you begin page, click Next.

4. On the Select installation type page, confirm that Role-based or feature-based installation is selected, and then click Next.

5. On the Select destination server page, ensure that Select a server from the server pool is selected, and that KTM-DC1-2K16.msserverpro.com is highlighted, and then click Next.

6. On the Select server roles page, click Active Directory Domain Services.

7. On the Add features that are required for Active Directory Domain Services? page, click Add Features.

8. On the Select server roles page, click Next.

9. On the Select features page, click Next.

10. On the Active Directory Domain Services page, click Next.

11. On the Confirm installation selections page, click Install. (This may take a few minutes to complete.)

12. When the Active Directory Domain Services (AD DS) binaries have installed, click the blue Promote this server to a domain controller link.

13. In the Deployment Configuration window, click Add a domain controller to an existing domain. Under Specify the domain information for this operation, set Domain: to msserverpro.com, and then click Next.

14. In the Domain Controller Options window, ensure that both the Domain Name System (DNS) server and Global Catalog (GC) check boxes are selected. Confirm that Site Name: is set to Default-First-Site-Name and provide the Directory Services Restore Mode (DSRM) password. Click Next.

15. On the DNS Options page, click Next.

16. On the Additional Options page, select KTM-DC1.msserverpro.com in the Replicate from drop-down box.

17. In the Paths window, you can specify the AD database, log, and SYSVOL locations. Select the appropriate locations, and then click Next.

18. In the Preparation Options window, click Next.

19. In the Review Options window, review your selections, and then click Next.

20. In the Prerequisites Check window, confirm that there are no issues, and then click Install.

21. The installation process begins, and the server reboots automatically after the installation finishes.

Verify the Domain Controller:

1. Open Active Directory Users and Computers, expand msserverpro.com and click the Domain Controllers OU. Verify that the KTM-DC1-2K16 server is listed.

2. Open DNS Manager, right-click msserverpro.com, select Properties, and then click the Name Servers tab. Verify that KTM-DC1-2K16.msserverpro.com is listed in the Name Servers: list.

3. Open Active Directory Sites and Services; verify that KTM-DC1-2K16 is listed in Servers under Default-First-Site-Name.

 

Step 6: Transfer operations master roles to a new Windows Server 2016 Domain Controller.

1. Log on to the new domain controller, KTM-DC1-2K16, open the Command Prompt and type netdom query fsmo.

2. Verify the FSMO roles on the Windows Server 2012 R2 server (KTM-DC1) before transferring the FSMO roles to the new Windows Server 2016 server (KTM-DC1-2K16).

3. In the command prompt, type ntdsutil and press Enter.

4. Type roles and press Enter. The prompt will display “fsmo maintenance:”

5. Type connections and press Enter. The prompt will display “server connections:”

6. In the “server connections: “, type connect to server KTM-DC1-2K16.msserverpro.com and press Enter (where KTM-DC1-2K16 is the name of the target Windows Server 2016)

7. Type quit and press Enter. The prompt will display “fsmo maintenance:”

8. In the “fsmo maintenance:” type “?” for help.

9. In the “fsmo maintenance:” prompt, type transfer schema master and press Enter, then click Yes in the Role Transfer Confirmation dialog box to confirm the operations master change.

10. Repeat the same process for transfer infrastructure master, transfer naming master, transfer PDC and transfer RID master.

11. Type quit and press Enter; then type quit and press Enter again to exit ntdsutil.

12. Verify the FSMO roles on the new Windows Server 2016 Domain Controller, KTM-DC1-2K16.

You can also move these roles by using the Windows PowerShell Move-ADDirectoryServerOperationMasterRole cmdlet. For example, the following cmdlet transfers the SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, and InfrastructureMaster roles to KTM-DC1-2K16:

Move-ADDirectoryServerOperationMasterRole -Identity "KTM-DC1-2K16" -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

Press Enter, and then type A (Yes to All) at the confirmation prompt.

Once you have transferred the operations master roles to new Windows Server 2016 domain controllers, you can remove your older domain controllers from AD DS, and then physically decommission them.
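Before demoting the old server, it is worth confirming that the transfer has taken effect everywhere. The following PowerShell is an added example, not part of the original article; it uses the article's server names, assumes the ActiveDirectory and DnsClient modules are available, and the function name Test-ReadyToDemote is hypothetical.

```powershell
# Added example (not from the article): checks to pass before demoting the old DC.
Import-Module ActiveDirectory

function Test-ReadyToDemote {
    param(
        [string]$NewDc = 'KTM-DC1-2K16',   # new Windows Server 2016 DC, name from the article
        [string]$OldDc = 'KTM-DC1'         # Windows Server 2012 R2 DC to be decommissioned
    )
    $new = Get-ADDomainController -Identity $NewDc
    $old = Get-ADDomainController -Identity $OldDc
    $problems = @()

    # Ask both DCs who holds the five roles; the old DC's answer shows whether
    # the transfer has replicated to it.
    foreach ($view in $new.HostName, $old.HostName) {
        $forest = Get-ADForest -Server $view
        $domain = Get-ADDomain -Server $view
        $roles = [ordered]@{
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }
        foreach ($r in $roles.GetEnumerator()) {
            if ($r.Value -ne $new.HostName) {
                $problems += "[$view] $($r.Key) is held by $($r.Value)"
            }
        }
    }

    # Step 4 made the new DC a Global Catalog and DNS server; confirm both still hold.
    if (-not $new.IsGlobalCatalog) {
        $problems += "$($new.HostName) is not a Global Catalog"
    }
    $dnsRoot = (Get-ADDomain -Server $new.HostName).DNSRoot
    $ns = Resolve-DnsName -Name $dnsRoot -Type NS -Server $new.HostName -ErrorAction SilentlyContinue
    if ($ns.NameHost -notcontains $new.HostName) {
        $problems += "$($new.HostName) does not answer as a name server for $dnsRoot"
    }
    $problems
}

$problems = @(Test-ReadyToDemote)
if ($problems.Count -eq 0) {
    'All checks passed: the old domain controller can be demoted.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```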

Step 7: Decommission the existing Windows Server 2012 R2 Domain Controllers:

After you transfer the operations master roles to the new Windows Server 2016 Domain Controller, you can remove your older Windows Server 2012 R2 Domain Controller from AD DS, and then physically decommission it.

1. Log on to the Windows Server 2012 R2 Domain Controller, KTM-DC1, and change the preferred DNS server address to point to the Windows Server 2016 Domain Controller, KTM-DC1-2K16.

2. On the Server Manager, click Manage, and from the drop-down list box, click Remove Roles and Features.

3. On the Before you begin page, click Next.

4. On the Select destination server page, ensure that Select a server from the server pool is selected, and that KTM-DC1.msserverpro.com is highlighted, and then click Next.

5. On the Remove server roles page, click Active Directory Domain Services.

6. On the Remove Roles and Features Wizard features page, click Remove Features.

7. On the Remove Roles and Features Wizard page, click the blue Demote this domain controller link.

8. On the Credentials page, click Next.

9. On the Warnings page, select the Proceed with removal check box and click Next.

10. On the New Administrator Password page, type the Password and Confirm password, then click Next.

11. On the Review Options page, Review your selections and click Demote.

12. On the Results page, confirm that the Active Directory domain controller was successfully demoted. The server restarts automatically and is now a member server of the msserverpro.com domain.

13. Log on to KTM-DC1 as the Domain Administrator. In Server Manager, click Manage, and from the drop-down list box, click Remove Roles and Features.

14. On the Before you begin page, click Next.

15. On the Select destination server page, click Next.

16. On the Remove server roles page, uncheck Active Directory Domain Services.

17. On the Remove Roles and Features Wizard dialog box, click Remove Features.

18. On the Remove server roles page, remove DNS Server roles also and then click Next.

19. On the Remove features page, click Next.

20. On the Confirm removal selections page, select Restart the destination server automatically if required, and then click Remove.

21. After the server restarts, the KTM-DC1 computer account automatically moves from the Domain Controllers OU to the Computers OU, because KTM-DC1 is now only a member server.


22. Lastly disjoin Windows Server 2012 R2 (KTM-DC1) from the domain to a workgroup and remove any unnecessary record from Active Directory Sites and Services and DNS.







Finally, after you decommission the older Windows Server 2012 R2 Domain Controller and remove its records from DNS and Active Directory Sites and Services, you can consider raising the forest and domain functional levels to Windows Server 2016 to get the new features in AD DS:

  • Privileged access management
  • Azure AD Join
  • Microsoft Passport

To raise the forest and domain functional levels to Windows Server 2016, use the following cmdlets:

1. Verify the current forest and domain functional levels.
Get-ADDomain -Identity msserverpro.com | Fl Name,DomainMode
Get-ADForest -Identity msserverpro.com | Fl Name,ForestMode

2. To raise the forest functional level, you can use the Active Directory Domains and Trusts snap-in tool or you can use the following Windows PowerShell cmdlets:
Set-ADForestMode -Identity msserverpro.com -ForestMode Windows2016Forest

3. To raise the domain functional level, use Active Directory Users and Computers or you can use the following Windows PowerShell cmdlets.
Set-ADDomainMode -Identity msserverpro.com -DomainMode Windows2016Domain

4. Verify that the forest and domain functional levels are now Windows Server 2016.
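Raising the functional levels to Windows Server 2016 requires that no domain controller in the forest runs an older operating system. The following PowerShell guard is an added example, not part of the original article; it assumes the ActiveDirectory module is available, and the function name Get-BlockingDomainController is hypothetical.

```powershell
# Added example (not from the article): guard to run before Set-ADForestMode / Set-ADDomainMode.
Import-Module ActiveDirectory

function Get-BlockingDomainController {
    # Returns every DC in the forest whose OS is older than Windows Server 2016 (version 10.0).
    foreach ($d in (Get-ADForest).Domains) {
        foreach ($dc in (Get-ADDomainController -Filter * -Server $d)) {
            # OperatingSystemVersion looks like "6.3 (9600)" or "10.0 (14393)".
            $ver = [version](($dc.OperatingSystemVersion -split ' ')[0])
            if ($ver -lt [version]'10.0') {
                [pscustomobject]@{
                    Domain           = $d
                    DomainController = $dc.HostName
                    OperatingSystem  = $dc.OperatingSystem
                    Version          = $dc.OperatingSystemVersion
                }
            }
        }
    }
}

$blocking = @(Get-BlockingDomainController)
if ($blocking.Count -gt 0) {
    Write-Warning 'Do not raise the functional levels yet; these DCs are older than Windows Server 2016:'
    $blocking | Format-Table -AutoSize
} else {
    # Show the current levels so the change can be compared before and after.
    Get-ADForest | Format-List Name, ForestMode
    foreach ($d in (Get-ADForest).Domains) {
        Get-ADDomain -Server $d | Format-List DNSRoot, DomainMode
    }
    'No pre-2016 domain controllers found; the functional levels can be raised.'
}
```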

 

 

 

 

Summary:

I hope this article will help you in the near future when you are migrating an Active Directory Domain Controller from Windows Server 2012 R2 to a Windows Server 2016 Domain Controller.
