Upgrading Domain Controllers

With Windows Server 2008 R2 on the way out in January of 2020 there will be some who will be moving to Server 2016 or 2019.  Follow the steps below to ensure your migration goes fairly smoothly, no guarantees – it’s Microsoft.  This assumes you’ll be using virtualized domain controllers, your IPs are remaining the same, and that you have no read-only DCs.

Things to check for:
  • Where is your DHCP server?
  • Where is your certificate authority? How to move it.
  • Where are your FSMO roles?
  • Are you keeping your names?
  • Are you keeping your IPs?  If you’re moving DHCP you should consider leaving DHCP associated with the same IP it had before, otherwise you’ll be changing the helper IP on your core switch/router (not a biggie, but it’s another change).  Also, if the IPs of your DNS servers change you’ll need to change those on your core switch and in your DHCP options.
Let’s get started!
  • Get your domain controllers running on Server 2016 and up to date (I’m holding off on 2019 until after the first major update is released).  Two domain controllers can process logins for many thousands of users.
  • Run the following to see which DC currently holds each FSMO role:
    netdom query fsmo
  • Move all of your FSMO roles to the most complicated DC to move (this would be your DHCP server most likely).  This will give you some instant gratification for knocking out one DC.
  • How to move your FSMO roles with PowerShell (this should be all on one line when it’s pasted; note the parameter names use plain hyphens)
    Move-ADDirectoryServerOperationMasterRole -Identity YourNewServerName -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
  • Go to your DC of choice for demoting and run dcpromo.
  • Walk through the wizard and see if there are any issues, like a leftover certificate authority.
  • If all goes well it will just reboot and no longer be a DC.  If it doesn’t go away gracefully you’ll need to use dcpromo /forceremoval and then clean up its metadata.
  • Shut down the DC and disconnect the network connection (at this point it’s donezo, so delete it if it’s a VM).
  • Go ahead and name your new 2016 DC and give it the IP the old server had and test it to see if you can ping 8.8.8.8.
  • Make your new server a domain controller.  This is how.
  • Leave Global Catalog checked (make sure it’s checked)
  • Add the DNS role.
  • Move your FSMO roles to the new server the same way as above just change the DC name.
  • Prepare your users for not having DHCP services.
  • Back up the DHCP server. Here’s how to back up and restore.
  • Copy your Backup somewhere you’ll have access to after this server is down.
  • Demote your DC using the same steps as before.
  • Shut down the DC and disconnect the network connection.
  • Give the new server the same IP as the old DC that ran the same services.
  • Promote this server to a domain controller.
  • Leave Global Catalog checked (make sure it’s checked)
  • Add DHCP and DNS roles
  • Copy your DHCP backup to the new DC and restore it.  Make sure the server is authorized and test a PC to see if it will pull an IP.
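Once the last step is done, it is worth checking the end state in one pass instead of trusting each wizard. The script below is an added example, not part of the original post; it assumes you run it as a Domain Admin on one of the new 2016 DCs, and the server names `DC01`, `DC02`, `OLDDC01` and `OLDDC02` are placeholders for your new FSMO holder, your new DHCP DC and the two demoted 2008 R2 boxes.

```powershell
# Added post-migration check (not from the original post). Placeholders:
$NewDc  = 'DC01'                  # assumption: new DC that should hold all five FSMO roles
$DhcpDc = 'DC02'                  # assumption: new DC that now runs DHCP
$OldDcs = @('OLDDC01', 'OLDDC02') # assumption: names of the demoted 2008 R2 DCs
Import-Module ActiveDirectory
Import-Module DhcpServer

$failed = 0
$forest = Get-ADForest
$domain = Get-ADDomain
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    # Role holders come back as FQDNs; compare on the host label only.
    $holder = ($r.Value -split '\.')[0]
    if ($holder -ieq $NewDc) { "OK   $($r.Key) on $($r.Value)" }
    else { "FAIL $($r.Key) still on $($r.Value)"; $failed++ }
}

# The post assumes no read-only DCs, so every DC left should be a writable Global Catalog.
foreach ($dc in Get-ADDomainController -Filter *) {
    if ($dc.IsGlobalCatalog -and -not $dc.IsReadOnly) { "OK   $($dc.HostName) is a writable GC" }
    else { "FAIL $($dc.HostName) GC=$($dc.IsGlobalCatalog) RODC=$($dc.IsReadOnly)"; $failed++ }
}

# A demoted server still listed as a DC means its metadata was never cleaned up.
foreach ($o in $OldDcs) {
    if (Get-ADDomainController -Filter "Name -eq '$o'") { "FAIL $o still registered as a DC; clean up its metadata"; $failed++ }
    else { "OK   $o is no longer registered as a DC" }
}

# DHCP only serves leases once the server is authorized in AD.
$auth = Get-DhcpServerInDC | Where-Object { $_.DnsName -like "$DhcpDc.*" }
if ($auth) { "OK   DHCP authorized: $($auth.DnsName) $($auth.IPAddress)" }
else { "FAIL DHCP on $DhcpDc is not authorized in AD"; $failed++ }

"$failed check(s) failed"
```

Any FAIL line points you back at the step above that did not complete (a role left behind, a stale DC object, or DHCP still unauthorized) before you call the migration done.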