windows server migration from 2012 to 2016

Royal D Costa 241 Reputation points
2020-09-15T05:11:55.777+00:00

Hi All

i Have been given a task to migrate domain to new server, currently we have AD DS running on 2012 platform which will be upgraded to 2016. following would be the scenario

current setup:

Site A - primary domain controller running on 2008

Site B - additional DC running on 2012

New setup- (target)

installed new server at site B with 2016 server OS,

  1. designate new server at site B as PDC and migrate all setup from old DC to New DC
  2. upgrade server at Site A and make it ADC , also import new setup to new the server.

looking forward for an expert advice on this, kindly help me to accomplish this with minimal steps without much downtime,

Windows Server Migration
Windows Server Migration
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Migration: The process of making existing applications and data work on a different computer or operating system.
434 questions
0 comments No comments
{count} votes

Accepted answer
  1. Daisy Zhou 25,446 Reputation points Microsoft Vendor
    2020-09-15T07:23:43.267+00:00

    Hello @Royal D Costa ,

    Thank you for posting here.

    First check something

    Before we do any change in the existing AD domain environment, we had better do:
    1.Check if AD environment is healthy. Check all DCs in this domain is working fine by running Dcdiag /v.
    Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum.
    2.Check both SYSVOL folder and Netlogon folder are shared by running net share on each DC.
    3.Check we can update gpupdate /force on each DC successfully.
    4.Back up all domain controllers if needed.
    5.We had better perform the DC migration during downtime.

    Second

    If we want to add 2016 DC into the existing domain, the forest functional level must be at least 2003.

    Third: steps

    Then everything is working fine, we can do as below:
    1.Installed a new WIndows server with 2016 server OS.
    2.Add the server 2016 to the domain.
    3.Add AD DS and DNS roles on this server 2016 (also as GC).
    4.Promote this server 2016 as a domain controller. During promotion, we should select "add a domain controller to the existing domain" and put this DC to "Site B".

    24786-site1.png

    24837-site2.png

    5.Check AD environment health again.
    6.If everything works fine, we can transfer FSMO roles from 2008 to 2016.

    7.If we want to upgrade Domain Controller in Site A - primary domain controller running on 2008 to 2016, we had better perform the same steps above. It is not recommended we perform in-place upgrade operating system from lower operating system version to higher operating system version. It is recommended we add a new Domain Controller to the existing domain and demote the old DC when needed.

    8.If the old DCs is also DNS server, before we demote old DCs, we should:
    If the old DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
    If the old DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the old DC for name resolution.

    9.Demote the old DC if needed.

    10.Raise the functional level after demoting the old DC if needed.

    Tip:
    1.If AD replication is working fine, when we add new a DC to the existing domain, after AD replication is complete, all the AD data in all DCs should be the same.
    2.If we have installed any other roles in the old Domain Controllers, migrate all the roles if needed.
    3.Usually, we want a DC to be just a DC, there is nothing else, because this reduces possible resource conflicts and exploit vulnerabilities and minimizes patching of other applications that might cause downtime.
    Ideally, a DC should be easy to replace, just by standing up another DC.
    When we put other software and roles on one DC, maybe the DC is harder to replace it.

    For example,
    If we have a DC with AD CS(it is also a CA server), if there is some issues with this DC and we want to demote this DC, we need to remove AD CS first and then demote this DC.

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Anonymous
    2020-09-15T12:29:24.527+00:00

    The prerequisite before introducing the first 2016 domain controller is domain functional level needs to be 2003 or higher

    I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2016, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments No comments

  2. Daisy Zhou 25,446 Reputation points Microsoft Vendor
    2020-09-16T08:19:00.813+00:00

    Hello @@Royal D Costa ,

    **Q1:**can i add new server as AD DC without upgrading any of the servers in both sites.
    **A1:**Yes, for upgrading the DC in the existing domain, we can add a new Windows server with higher OS to the domain and promote the server as DC, then demote the old DC.

    Would you please tell us the concerns (maybe the Schema version)?

    We can refer to the link below to check what we concerned.

    Upgrade Domain Controllers to Windows Server 2016
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers

    **Q2:**can the forest level be raised to 2012 after adding new DC, (most of client machines are running on windows 7 OS).
    **A2:**Check the following two points, then we can raise forest level.

    1.Ensure that all domain functional levels are equal to or higher than the forest functional level;
    2.Ensure that the operating system level of all domain controllers is equal to or higher than the domain functional level;

    From the following link, we can see:

    Forest and Domain Functional Levels
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

    Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

    Based on the understanding, if we have Exchange server in AD domain, for the Exchange version, AD forest functional level and AD Domain Controllers version, we can refer to the link below.
    Exchange Server supportability matrix
    https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019

    References:
    What is the Impact of Upgrading the Domain or Forest Functional Level?
    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-is-the-impact-of-upgrading-the-domain-or-forest-functional/ba-p/399348

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.