How to Upgrade Active Directory from 2008/2012 to Server 2016


Technology doesn’t last forever; we have to keep moving and stay up to date. The problem is that an upgrade has to be low-risk and involve minimal downtime, so we always look for the approach with the least risk. Today we are going to discuss the simplest way to upgrade Microsoft’s Active Directory from Windows Server 2008/2012 to Windows Server 2016 without using an in-place upgrade.

Before we start, we need a plan in black and white: make a migration/upgrade plan that fits your environment. Every organisation has its own Active Directory infrastructure, including forests, trusts, sites and a number of Domain Controllers. Apart from this, check which other roles or features each Domain Controller holds, such as DHCP, DNS Server, DFS, File Server, RADIUS (NAP/NPS) etc. Before you actually start the migration, be 100% sure about every other service running on each Domain Controller and plan to migrate those services as well.

I am going to use an example environment with two Domain Controllers. One DC has the DHCP and DNS roles and the second DC has only DNS Server. It is a Server 2012 Active Directory environment with a single site and a single domain in the forest. If you have a child domain or multiple domains in a forest, the basic concept of the Active Directory migration is the same.

Active Directory is a largely self-managing service that takes care of many things itself. The platform migration relies on ordinary AD replication: you install/deploy a server running the new version (Server 2016), promote it as an Additional Domain Controller (ADC), and it is done.

But the main point here is to keep using the old Domain Controller’s name, IP address and other services.

For example, I have Domain Controllers named DC1 and DC2. DC1 has the DHCP service while DC2 holds all FSMO roles (both reside in the same site), and both servers have AD-integrated DNS. In this case I have to reuse the IP address and name of DC1 because it is already configured in the routers (IP helper), while DC2 is used by some appliances as an LDAP server (vCenter, proxy server etc.). Now, how can we do this without downtime, given that we have to use the same names and IP addresses? Here is the trick:

 

Choose a First DC 

We have to migrate the Domain Controllers one at a time, because that way we can pass roles to the other DC without any downtime. Let’s take DC2 first, which has the FSMO roles and DNS. Then we will take DC1, which has the DHCP role. (It is totally up to you which one you start with, but make sure everything gets transferred.)

Migration phases:-

  1. Demote DC2.yourcomputer.in (Windows Server 2012) –> Promote DC2.yourcomputer.in (Windows Server 2016)
  2. Demote DC1.yourcomputer.in (Windows Server 2012) –> Promote DC1.yourcomputer.in (Windows Server 2016)

This continues for as many DCs as there are in the environment.

Demote DC2.yourcomputer.in (Windows Server 2012) –> Promote DC2.yourcomputer.in (Windows Server 2016)

To reuse the same IP address and host name we have to demote DC2, but before that we have to free this server from any AD-related dependencies.

AD integrated DNS 

We don’t really have to do anything if DNS is AD-integrated. Once we add the additional domain controller, the DNS zones are replicated along with the directory.

FSMO Roles

We need to free DC2 of its FSMO roles. So, in this case we need to transfer all five roles to the other DC. Here are the steps:

  • RDP to a Domain Controller that doesn’t hold the FSMO roles, i.e. the DC to which you want to transfer the roles (mine is DC1.yourcomputer.in)
  • Identify the current role holders by running “netdom query FSMO” in Command Prompt.

PowerShell CLI to transfer FSMO Roles:

  • Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole 0,1,2,3,4
  • The numbers stand for the roles: 0 = PDCEmulator, 1 = RIDMaster, 2 = InfrastructureMaster, 3 = SchemaMaster, 4 = DomainNamingMaster.

 

GUI to transfer FSMO Roles:

  • Click on Run and type “dsa.msc” or from Administrative Tools–> Open Active Directory Users and Computers
  • Right click on Domain Name (yourcomputer.in) select Operation Masters.
  • A pop-up window will open with 3 tabs: RID, PDC and Infrastructure.
  • Go through the tabs one by one and transfer each role by clicking Change. A success acknowledgement should appear for each role transfer.
  • Once the 3 roles are transferred successfully, move on to the Domain Naming role transfer.
  • Open “Active Directory Domains and Trusts” from Administrative Tools.
  • Right-click “Active Directory Domains and Trusts” and select “Operations Master”.
  • Click Change. A success acknowledgement should appear for the role transfer. Click Close.
  • Now only one role remains, i.e. Schema Master.
  • Open a Command Prompt and Type regsvr32 schmmgmt.dll. A successful DLL registered message should pop-up.
  • Open MMC (run or Command Prompt).
  • Click File–> Add/Remove Snap-in
  • Select “Active Directory Schema” Click Add. Click OK.
  • Right Click on “Active Directory Schema” choose “Change Active Directory Domain Controller” and select DC1 (should be the DC to where role has to be transferred). Click OK.
  • Right click on Active Directory Schema and select Operations Master
  • Click Change–> OK.
  • Now all 5 FSMO roles have been successfully transferred to DC1, which means DC2 doesn’t have any dependency and can be demoted.

 

Demote DC2 from Active Directory

  • Login to DC2.yourcomputer.in
  • Open Server Manager
  • Click Manage. Select Remove Roles and Features
  • Click Next and make sure that DC2.yourcomputer.in server is selected. Click Next
  • Uncheck Active Directory Domain Services, a pop-up message will come to remove AD dependent features. Click Remove Features
  • A new window will pop-up that asks to Demote the DC before removing a role. Click demote this domain controller link
  • Click Next, Select Proceed with removal, Next, select Remove DNS delegation, Next 
  • Provide New Administrator password. (it will be a local admin password post demotion), Click Next
  • Review the selection and click Demote
  • System will be rebooted once demotion is completed.
  • After the reboot, the server is still part of the domain as a member server. Log in to the server with the same domain credentials.

Decommission DC2 Server

  • Unjoin DC2 from domain and reboot
  • Now this server is a normal workgroup machine
  • Change the IP address and power off this machine.
  • Also make sure that Computer Account is deleted from AD and DNS record is cleared.

Install new Windows Server 2016 as DC2

It is time to install the new Windows Server 2016 machine.

  • Deploy/install a new Windows Server 2016 machine according to the hardware requirements and patch it to the latest level.
  • Change the hostname of this server to “DC2” (same as the old one) and the IP address (same as the old one), and verify the DNS settings in the IP configuration. Restart the machine.
  • Install the “Active Directory Domain Services” and “DNS” roles with all dependent features.
  • Once the roles are installed, promote the server to a domain controller.
  • Choose Join this DC to existing Domain, provide Domain credentials, DSRM Password and complete the wizard.
  • Server will be rebooted.
  • After Reboot machine will be a Domain Controller.
  • Verify DNS Server and other things.

DC2 has now been promoted successfully and also has AD-integrated DNS, so the first phase of the migration is complete. Now comes the second phase.

 


Demote DC1.yourcomputer.in (Windows Server 2012) –> Promote DC1.yourcomputer.in (Windows Server 2016)

FSMO Roles

We transferred all FSMO roles to DC1 earlier. It is now time to move them back to DC2.

  • RDP to Domain Controller:- DC2.yourcomputer.in.
  • Identify the Roles by running “netdom query FSMO” in Command Prompt.

 

PowerShell CLI to transfer FSMO Roles:

  • Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole 0,1,2,3,4

GUI to transfer FSMO Roles:

  • Click on Run and type “dsa.msc” or from Administrative Tools–> Open Active Directory Users and Computers
  • Right click on Domain Name (yourcomputer.in) select Operation Masters.
  • A pop-up window will open with 3 tabs: RID, PDC and Infrastructure.
  • Go through the tabs one by one and transfer each role by clicking Change. A success acknowledgement should appear for each role transfer. (Cross-check that the target computer name shown is different from the current one.)
  • Once the 3 roles are transferred successfully, move on to the Domain Naming role transfer.
  • Open “Active Directory Domains and Trusts” from Administrative Tools.
  • Right-click “Active Directory Domains and Trusts” and select “Operations Master”.
  • Click Change. A success acknowledgement should appear for the role transfer. Click OK.
  • Now only one role remains, i.e. Schema Master.
  • Open a Command Prompt and Type regsvr32 schmmgmt.dll. A successful DLL registered message should pop-up.
  • Open MMC (run or Command Prompt).
  • Click File–> Add/Remove Snap-in
  • Select “Active Directory Schema” Click Add.
  • Right Click on “Active Directory Schema” choose Change Active Directory Domain Controllers Select DC2.yourcomputer.in (should be the DC to where role has to be transferred).
  • Right click on Active Directory Schema and select Operations Master
  • Click Change, Click Yes, Ok
  • Now all 5 FSMO roles have been successfully transferred to DC2, which means DC1 doesn’t have any FSMO Role dependency and can be demoted.
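A scripted check for the two FSMO transfer procedures on this page (DC2 to DC1 in phase 1, DC1 back to DC2 in phase 2), to run before each demotion. This is an added example, not part of the original post; the function name Test-DcReadyForDemotion is hypothetical, and it assumes the single-domain forest of the example and the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the original post): gate to run before demoting a DC.
Import-Module ActiveDirectory

function Test-DcReadyForDemotion {
    param(
        # Short host name of the DC about to be demoted, e.g. 'DC2'.
        [Parameter(Mandatory)] [string] $Target
    )

    $domain = Get-ADDomain
    $forest = Get-ADForest
    $allDcs = @(Get-ADDomainController -Filter *)

    # Current holder (FQDN) of each of the five FSMO roles.
    $roles = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }

    # Roles whose holder is still the target: these block the demotion.
    $stillHeld = @($roles.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ieq $Target } |
        ForEach-Object { $_.Key })

    # Replication failures recorded on any DC; a transfer that has not
    # replicated to every DC is not finished.
    $failures = @($allDcs | ForEach-Object {
        Get-ADReplicationFailure -Target $_.HostName
    } | Where-Object { $_.FailureCount -gt 0 })

    # A global catalog must survive on some other DC for logons and LDAP clients.
    $otherGcs = @($allDcs | Where-Object { $_.Name -ine $Target -and $_.IsGlobalCatalog })

    [pscustomobject]@{
        Target              = $Target
        RolesStillOnTarget  = $stillHeld
        ReplicationFailures = $failures | Select-Object Server, Partner, FailureCount, LastError
        OtherGlobalCatalogs = $otherGcs.Name
        Ready               = ($stillHeld.Count -eq 0) -and ($failures.Count -eq 0) -and ($otherGcs.Count -gt 0)
    }
}

# Phase 1 on this page: DC2 is demoted after its roles have moved to DC1.
Test-DcReadyForDemotion -Target 'DC2' | Format-List
```

Demote only when Ready is True; for phase 2, call it with -Target 'DC1'.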

DHCP Server

DHCP is separate from AD. Migrating it needs downtime, unless you have configured DHCP failover, in which case there won’t be any downtime. Either way, you need to unauthorize the DHCP server in AD after taking the backup.

A backup can be taken from the DHCP console: right-click the server name, select Backup, choose a destination folder, and copy the backup to a safe location off this server. Then right-click the DHCP server and unauthorize it.

Now DC1 is free and can be demoted following the same steps as for DC2.

Demote DC1 from Active Directory

  • Open Server Manager
  • Click Manage. Select Remove Roles and Features
  • Click Next and make sure that DC1.yourcomputer.in server is selected. Click Next
  • Uncheck Active Directory Domain Services, a pop-up message will come to demote domain controller.
  • Click demote this domain controller link
  • Click Next, Select Proceed with removal, Next, select Remove DNS delegation, Next 
  • Provide New Administrator password. (it will be a local admin password post demotion), Click Next
  • Review the selection and click Demote
  • System will be rebooted once demotion is completed.
  • After the reboot, the server is still part of the domain as a member server. Log in to the server with the same domain credentials.

Decommission DC1 Server

  • Unjoin DC1 from domain, remove remaining DNS and DHCP Role.
  • Reboot
  • Now this server is a normal workgroup machine
  • Change the IP address and power off this machine.
  • Also make sure that Computer Account is deleted from AD and DNS record is cleared.
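Because the replacement server reuses the old name and IP address, the last step of both decommission lists (DC2 above, DC1 here) is worth checking rather than assuming. The following is an added example, not part of the original post: the function name Get-StaleDcReference is hypothetical, and the domain and server names are the ones used in this page's example.

```powershell
# Added example (not from the original post): look for leftovers of a decommissioned DC.
Import-Module ActiveDirectory

function Get-StaleDcReference {
    param(
        # Short host name of the removed DC; the pattern keeps it safe to embed in filters.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9-]{1,15}$')] [string] $Name,
        [Parameter(Mandatory)] [string] $DnsDomain,   # e.g. 'yourcomputer.in'
        [Parameter(Mandatory)] [string] $DnsServer    # a surviving DC that runs DNS
    )

    $fqdn  = "$Name.$DnsDomain"
    $found = [System.Collections.Generic.List[string]]::new()

    # 1. Computer account anywhere in the domain.
    Get-ADComputer -Filter "Name -eq '$Name'" |
        ForEach-Object { $found.Add("Computer account: $($_.DistinguishedName)") }

    # 2. Server object left under Sites in the configuration partition (DC metadata).
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$Name))" |
        ForEach-Object { $found.Add("Site server object: $($_.DistinguishedName)") }

    # 3. Host (A) record still answering for the old name.
    Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $found.Add("A record: $fqdn -> $($_.IPAddress)") }

    # 4. DC locator SRV records that still point clients at the old server.
    foreach ($srv in "_ldap._tcp.dc._msdcs.$DnsDomain", "_kerberos._tcp.dc._msdcs.$DnsDomain") {
        Resolve-DnsName -Name $srv -Type SRV -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -ieq $fqdn } |
            ForEach-Object { $found.Add("SRV record: $srv -> $($_.NameTarget)") }
    }

    $found   # empty output means the name is clean
}

# Values from this page's example; DC1 is the DC still running in phase 1.
Get-StaleDcReference -Name 'DC2' -DnsDomain 'yourcomputer.in' -DnsServer 'DC1'
```

Run it after the old machine is powered off and before the new server is renamed; in phase 2 the arguments become -Name 'DC1' -DnsServer 'DC2'.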

Install new Windows Server 2016 as DC1

It is time to install the new Windows Server 2016 machine and promote it to Domain Controller.

  • Deploy/install a new Windows Server 2016 machine according to the hardware requirements and patch it to the latest level.
  • Change the hostname of this server to “DC1” (same as the old one) and the IP address (same as the old one). Restart the machine.
  • Install the “Active Directory Domain Services”, “DHCP” and “DNS” roles.
  • Promote the domain controller.
  • Choose Join this DC to existing Domain, provide Domain credentials, DSRM Password and complete the wizard.
  • After Reboot machine will be a Domain Controller.
  • Verify DNS and other things.
  • Configure DHCP Post deployment and authorize it
  • Restore the DHCP backup by copying it to %SystemRoot%\System32\DHCP\backup
  • Verify the DHCP
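The DHCP steps for DC1 (back up and unauthorize before demotion, authorize and restore after promotion) can also be scripted. This added example is not part of the original post and swaps the console Backup/Restore for the DhcpServer module's Export-DhcpServer and Import-DhcpServer cmdlets. It assumes the old server runs Server 2012 or later; the function names, the C:\Migration folder and the address 192.0.2.10 are hypothetical.

```powershell
# Added example (not from the original post): DHCP move for DC1 with the DhcpServer module.
# Assumed values: C:\Migration as staging folder, 192.0.2.10 as DC1's address (constructed).
Import-Module DhcpServer

function Export-DhcpBeforeDemotion {
    param([string] $Fqdn, [string] $OutDir)

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $file = Join-Path $OutDir 'dhcp-export.xml'

    # Scopes, options, reservations and active leases in one file.
    Export-DhcpServer -ComputerName $Fqdn -File $file -Leases -Force

    # Unauthorize the old server in AD so it stops answering clients.
    Get-DhcpServerInDC | Where-Object { $_.DnsName -ieq $Fqdn } |
        ForEach-Object { Remove-DhcpServerInDC -DnsName $_.DnsName -IPAddress $_.IPAddress }

    # Hash to verify the file after it has been copied off the server and back.
    [pscustomobject]@{ File = $file; Sha256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash }
}

function Import-DhcpAfterPromotion {
    param([string] $Fqdn, [string] $IPAddress, [string] $File, [string] $ExpectedSha256)

    # Refuse a file that changed while it sat outside the server.
    if ((Get-FileHash -Path $File -Algorithm SHA256).Hash -ne $ExpectedSha256) {
        throw "Hash mismatch for $File; not importing."
    }

    # Authorize first, then import, matching the order of the steps on this page.
    Add-DhcpServerInDC -DnsName $Fqdn -IPAddress $IPAddress
    Import-DhcpServer -ComputerName $Fqdn -File $File -Leases -Force `
        -BackupPath "$env:SystemRoot\System32\dhcp\backup"

    # Exactly one authorization entry should exist for this name.
    [pscustomobject]@{
        Authorized = @(Get-DhcpServerInDC | Where-Object { $_.DnsName -ieq $Fqdn }).Count -eq 1
        Scopes     = @(Get-DhcpServerv4Scope -ComputerName $Fqdn).ScopeId
    }
}

# On old DC1 (Server 2012), before demotion:
#   Export-DhcpBeforeDemotion -Fqdn 'DC1.yourcomputer.in' -OutDir 'C:\Migration'
# On new DC1 (Server 2016), after promotion and after copying the file back:
#   Import-DhcpAfterPromotion -Fqdn 'DC1.yourcomputer.in' -IPAddress '192.0.2.10' `
#       -File 'C:\Migration\dhcp-export.xml' -ExpectedSha256 '<hash recorded at export>'
```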

We have successfully migrated both Domain Controllers to the Windows Server 2016 platform with the same host names and IP addresses. You may now raise the domain functional level to Windows Server 2016, provided no Domain Controllers running an older version remain in the domain.

That’s it for now, folks. I hope this is useful information for all Active Directory system admins.
