Upgrade Domain Controller running NPS

jarweb 111 Reputation points


We have a Windows 2012 server which is running Network Policy Server as part of a Radius setup. This was installed by a 3rd party and I don't have proper documentation for this and I'm not really familiar with NPS. The server is also a Domain Controller.

Due to W2012 going End Of Life soon we need to upgrade the server to at least Windows 2016. We have another DC in place already.

I know we can't do an in-place upgrade while the server is still a DC so I was thinking there were probably 2 options.

  1. Demote the server, upgrade the O/S, then re-promote to a DC.
  2. Stand up a brand new DC and migrate the NPS config to this.

I appreciate that option 2 would probably be the preferred option but, as I said, I'm not really familiar with NPS.

Would there be any issue doing option 1 apart from it not being a "clean" install ? Should NPS continue to function as it did ?


Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
11,751 questions
0 comments No comments
{count} votes

Accepted answer
  1. Dave Patrick 426.2K Reputation points MVP

    That's correct, doing an in-place upgrade is never a recommended method. Also mixing roles like that is also not recommended. A better option may be to clean install it, patch fully, add the hyper-v role (as only role) on host, then stand up two virtual machines, one for active directory, another for NPS.

    The prerequisite before introducing the first 2016 domain controller: domain functional level needs to be 2003 or higher

    Migration from older sysvol FRS replication to DFSR is recommeded (if not already done)

    I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2016, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.

    Export an NPS Configuration for Import on Another Server

    --please don't forget to upvote and Accept as answer if the reply is helpful--

1 additional answer

Sort by: Most helpful
  1. Limitless Technology 44,091 Reputation points

    Hello there,

    Upgrading a Domain Controller running Network Policy Server (NPS) requires careful planning and execution to avoid any disruptions to the network services. Here are the general steps to upgrade a Domain Controller with NPS:

    Review System Requirements: Ensure that the new operating system version you plan to upgrade to meets the system requirements for the Domain Controller and NPS roles.

    Backup: Before performing any upgrades, ensure you have a full backup of your Active Directory database and system state. This step is critical to recover your system in case of any issues during the upgrade process.

    Prepare Active Directory: Verify that your current Active Directory environment is healthy and has no replication issues. You can use the "dcdiag" and "repadmin" commands to check the domain controller's health and replication status.

    Identify and Record NPS Settings: Make a note of all the NPS settings, policies, and configuration details on the existing Domain Controller. You may need to manually reconfigure NPS on the new system after the upgrade.

    Prepare New Server: Install the new operating system version on the new server that will become the upgraded Domain Controller. Join it to the existing domain as an additional domain controller.

    Promote New Server: Use the "dcpromo" or "Add Roles and Features" wizard to promote the new server to a Domain Controller. Follow the steps to transfer the FSMO roles to the new DC if you intend to decommission the old one.

    Install NPS Role: After promoting the new server to a Domain Controller, install the Network Policy Server (NPS) role on the new server. You may need to reconfigure NPS settings on the new server manually.

    Test NPS Configuration: Once NPS is installed, verify that the NPS policies and configurations are correctly set up on the new server. Test NPS functionality to ensure authentication and authorization are working as expected.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer--