How to upgrade to a 2019 domain controller with a current 2008 primary controller

Computer Gladiator 441

Hello, we currently have a 2008 R2 domain controller and a 2012 R2 secondary domain controller. I would like to add a 2019 domain controller and eventually demote the 2008 R2 DC. I understand that the 2019 server schema needs to be upgraded. Is there a set of steps in achieving this? The 2008 R2 DC has DHCP on it as well. I have raised the domain level from Server 2003 to 2008 and when using Get-ADForest command the Forest Mode still shows as Windows2003Forest. This was raised to 2008 yesterday afternoon. Is it still propagating? Best regards.

Stephanie Yu 396 Reputation points

2020-09-04T03:33:48.97+00:00

Hello @Computer Gladiator ,

I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this case, please let me know.

Have a nice day!

Best Regards,
Stephanie Yu

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Stephanie Yu 396 Reputation points

2020-09-14T01:03:46.337+00:00

Hello @Computer Gladiator ,

Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?

If anything is unclear, please feel free to let us know.

Thank you so much for your time and support.

Best regards,
Stephanie Yu

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Stephanie Yu 396 Reputation points

2020-09-16T03:04:20.473+00:00

Hello @Computer Gladiator ,
Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?

If anything is unclear, please feel free to let us know.

Thank you so much for your time and support.

Best regards,
Stephanie Yu

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Computer Gladiator 441 Reputation points

2020-09-19T14:19:58.097+00:00

My Apologies, I thought this was replied to. I find this new forum glitchy.
I was able to remove the CNAME but there is no was to remove the Host Name. Will demoting the 2008 server take care of removing the host name?
Stephanie Yu 396 Reputation points

2020-09-21T01:13:24.93+00:00

Yes, The Host Name will be deleted with demoting the 2008 server, also same as DNS.
Computer Gladiator 441 Reputation points

2020-09-27T20:41:45.177+00:00

Hi, it appears that the 2008 server is demoted. Unfortunately, The Host Name in DNS is still referencing the demoted server. Does not appear that it is causing problems however. I also wanted to share a few links that helped me with the demoting of the server.
https://tekbloq.com/2017/05/15/decommission-uninstall-a-windows-2008-r2-domain-controller/
http://www.chicagotech.net/win8&2012/w2012e-1.htm
https://www.informaticar.net/demote-windows-server-2008-dc-removing-server-2008-dc/

Thank you to everyone especially Stephanie for all your help.
Computer Gladiator 441 Reputation points

2020-10-06T23:19:38.68+00:00

Hi, just an update. I completed the demotion of the 2008 server but the Host Name remained. This did not appear to cause any problems however. I did eventually discovered how to manually remove the Host Name. In DNS, go to Forward Lookup Zones and for each zone double-click the Name Server on the right, and under the name Servers tab I selected the demoted server and removed it. The Name server under the zone will then be removed. I have completed this my task of installed a 2019 DC and demoting previous 2008 DC. Thank you

Accepted answer

Stephanie Yu 396 Reputation points

2020-08-31T08:47:02.463+00:00
Hello ComputerGladiator,

Thank you for posting here.

Here are the answers for your questions:

Q1: I have raised the domain level from Server 2003 to 2008 and when using Get-ADForest command the Forest Mode still shows as Windows2003Forest. This was raised to 2008 yesterday afternoon. Is it still propagating?
A1: As DSPatrick mentioned, the minimum requirement to add a Windows Server 2019 Domain Controller is a Windows Server 2008 forest functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL.

According to the description, please check whether your domain function level is 2008 in ADUC (Active Directory Users and Computers) and whether the forest function level is 2003 in ADDT (Active Directory Domains and Trusts).

If your forest function level is 2003 and your domain function level is 2008, we should raise forest function level from 2003 to 2008 first.

Then check SYSVOL replication type.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey. If this registry subkey exists and its value is set to 3 (ELIMINATED), DFSR is being used. If the subkey does not exist, or if it has a different value, FRS is being used.

Before we do any change in existing AD domain environment, we had better do:

Check if AD environment is healthy. Check all DCs in this domain is working fine by running Dcdiag /v. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum.

Back up all domain controllers.

Check both SYSVOL folder and Netlogon folder are shared by running net share on each DC.

Check we can update gpupdate /force on each DC successfully.

After we ensure forest function level is 2008 and SYSVOL replication is DFSR replication type, we can add one Windows server 2019 to the existing domain and promote is as a domain controller.
Q2: I understand that the 2019 server schema needs to be upgraded. Is there a set of steps in achieving this?
A2: For upgrading domain controller from lower operating system to higher operating system, there are two methods:

Method 1 Perform an in-place upgrade of an existing domain controller to higher operating system, in this way, we will need to run adprep /forestprep and adprep /domainprep manually.
Method 2 Promote a new higher operating system of Windows server in the existing domain, you do not need to run these manually.

However, we recommend we add new domain controller to the existing domain.
Adprep and Domainprep
If you are doing an in-place upgrade of an existing domain controller to the Windows Server 2016 operating system, you will need to run adprep /forestprep and adprep /domainprep manually. Adprep /forestprep needs to be run only once in the forest. Adprep /domainprep needs to be run once in each domain in which you have domain controllers that you are upgrading to Windows Server 2016.
If you are promoting a new Windows Server 2016 server you do not need to run these manually. These are integrated into the PowerShell and Server Manager experiences.

We can follow steps below to upgrade Window server 2008 R2 DC to Window server 2019 DC after you raise forest functional level to 2008 successfully:

Check if AD environment is healthy. Check all DCs in this domain is working fine by running Dcdiag /v. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum.

Add the new Window server 2019 to this existing domain.

Add AD DS and DNS roles and promote this Windows server 2019 as a DC (as a GC).

Check if AD environment is healthy again based on step 1.

If step 1-step 4 is OK without any error. We can transfer FSMO roles to new 2019 DC if needed.

Based on “The 2008 R2 DC has DHCP on it as well.”, migrate DHCP to new server if needed.

Demote Windows server 2008 R2 after migrating AD DS and DHCP role if needed. Before we demote 2008 R2 DC, we should check:

If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.

If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.

References:
Forest and Domain Functional Levels
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

Upgrade Domain Controllers to Windows Server 2016
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers

How to Migrate DHCP from Windows Server 2008 to 2012/2016
https://brycematheson.io/how-to-migrate-dhcp-from-windows-server-2008-to-2012-2016/

How to Migrate DHCP from Windows Server 2012 R2 to Server 2016
https://www.faqforge.com/windows-server-2016/migrate-dhcp-windows-server-2012-r2-server-2016/

Hope the information above is helpful. If anything is unclear, please feel free to let us know.

Best Regards,
Stephanie Yu
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

11 additional answers

Computer Gladiator 441 Reputation points

2020-08-30T17:19:25.993+00:00

Hello, I have complete the Quick Migration as from the link you provided successfully. I run a Get-ADForest and it still shows as Windows2003Forest as Forest Mode.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Computer Gladiator 441 Reputation points

2020-08-31T15:04:25.623+00:00

Hello DSPatrick. These are the links. Thanks
https://1drv.ms/u/s!Av1PEgpeCgHJiX75pGUsrI20nRDh?e=TRff1K
https://1drv.ms/u/s!Av1PEgpeCgHJiX_lT9vQAjLZeFe7?e=3jOXeT
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Computer Gladiator 441

Thank you Stephanie for your response. I have completed all steps for questions 1. Confimred that Functioanl level is 2008 but Get-ADForest still shows Windows2003. All steps completed successfully except DCDIAG /V command which displayed errors for N abd SystemLog as shown below. I have not continued to Question 2 steps.

Starting test: NCSecDesc
* Security Permissions check for all NC's on DC GCHC-DC1.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=DomainDnsZones,DC=gchc,DC=local
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=gchc,DC=local
* Security Permissions Check for
DC=ForestDnsZones,DC=gchc,DC=local
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=gchc,DC=local
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=gchc,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=gchc,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=gchc,DC=local
(Domain,Version 3)
......................... GCHC-DC1 failed test NCSecDesc

  Starting test: SystemLog
     * The System Event log test
     An Error Event occurred.  EventID: 0x0000165B
        Time Generated: 08/31/2020   18:33:48
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x000016AD
        Time Generated: 08/31/2020   18:38:48
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0xC000000D
        Time Generated: 08/31/2020   18:54:12
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:18
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:19
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:20
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:23
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:23
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:24
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:25
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:26
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:27
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     ......................... GCHC-DC1 failed test SystemLog

Stephanie Yu 396 Reputation points

2020-09-01T02:50:16.01+00:00

Hello，
Thank you for update your issue.
As I mentioned in the reply last day, the minimum requirement to add a Windows Server 2019 Domain Controller is a Windows Server 2008 forest functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL.
Please check whether the forest function level is 2003 in ADDT (Active Directory Domains and Trusts)

Click Raise Forest Functional Level to pop up the interface in the figure below to check whether the current forest functional level is 2008. According to your description, ensure that the domain functional level is 2008. If the forest functional level is still 2003 in the red box, please click Select 2008 in the drop-down menu and Apply. After the operation is completed, please log in to the interface again to check whether the forest function level has been upgraded to 2008.

Please check if there is any problem with SYSVOL replication. The following is an experiment I did. There are two DCs in the domain. I created a new folder named "Sysvol" in the path of DC1 as shown in the figure below (Figure 1 and Figure 2) ), after the new creation is successful, check that the newly created folder has been successfully replicated in the same path in DC2. You can follow these steps to check whether there is a problem with the replication between DCs, which will affect whether you can successfully be in the domain Add new DC.

If the above two steps are successful, the forest function level is upgraded to 2008, and there is no problem with SYSVOL replication. You can refer to my previous reply to add 2019DC.

Hope the information above is helpful. If anything is unclear, please feel free to let us know.

Best regards,
Stephanie Yu
Please sign in to rate this answer.

0 comments No comments
Sign in to comment