Open a ticket
Chat with us
BLOG Published on 2015/07/07 by Asitha De Silva in Tech-Tips

Upgrade Active Directory from Windows Server 2008R2 to Windows server 2012R2

From our previous post we have discussed the importance of implementing security best practices for Active directory. And I have recommended to keep updated with the latest active directory domain services. Which is the windows server 2012 R2 ADDS.

Here are some benefits of moving to Windows server 2012R2 ADDS

  • Active Directory Recycle Bin User Interface

    Active Directory Administrative Center (ADAC) adds GUI management of recycle bin feature originally introduced in Windows Server 2008 R2.

  • Active Directory Replication and Topology Windows PowerShell cmdlets

    Supports the creation and management of Active Directory sites, site-links, connection objects, and more using Windows PowerShell.

  • Fine-Grained Password Policy User Interface

    ADAC adds GUI support for the creating, editing and assignment of PSOs originally added in Windows Server 2008.

  • Direct-Access Offline Domain Join

    Extends offline domain-join by including Direct-Access prerequisites.

  • Rapid deployment via virtual domain controller (DC) cloning

    Virtualized DCs can be rapidly deployed by cloning existing virtual domain controllers using Windows PowerShell cmdlets.

  • Active Directory-Based Activation (AD BA)

    Simplifies the task of configuring the distribution and management of volume software licenses.

There are two ways to do this upgrade

1. In-Place Upgrade

This is the easiest and the quickest, only require to put the windows 2012 installation media to the DVD rom and do the OS Upgrade. But this method is more risky and require downtime.

2. AD migration to 2012R2 version

This is the method that recommended by most of the consultants. Which does not require a down time. From this article I'm expecting to provide detail information about the AD migration to 2012R2.

Solution Overview


 

 

  

According to this solution you have to domain join a windows server 2012R2 server to the existing active directory 2008 domain. Then after completing the prerequisites and domain perp, this new server will be promoted as an additional domain controller. All the directory objects will be replicated to the new server and it will work as an active domain controller to the existing active directory services.

Then you can transfer the FSMO roles to the new windows server 2012R2. After transferring the roles, new windows server 2012R2 DC will work as the primary domain controller and then you can decommission the existing Domain controllers. Before doing so please add another Windows server 2012R2 DC as an Additional domain controller to handle the load and also as a DR. This method does not need a downtime and if you follow the steps correctly, you can do a smooth upgrade to 2012R2 ADDS.

Step By Step Approach


1. Complete the Prerequisites

  • Require New server hardware or VM with minimum following configurations
  • Window server 2012R2 installation media
  • Forest and Domain functional level should be Windows Server 2003 or higher
  • If this condition not met, please upgrade the functional level
  • Meta data cleanup (Optional) – remove any DC's that was not demoted properly

Meta data clean up required only when you are having Domain controllers which is not operational right now, DC's that was forcefully removed from the system, DC's that was stopped replication and Tombstone life time expired or DC's were formatted without demoting first.

If you are having DC's Meta data in your ADDS, use Event viewer to track down. Or you can easily check this by navigating to the Active directory users and computers-Domain controllers OU and check whether there are any Domain controller exists that was not operational right now.

If you are having DC Meta data, you have to remove them before doing the upgrade. There are two ways to do the cleanup, GUI and Command prompt. In windows server 2003 GUI is not supported. But after 2008 its supported but I always prefer to use the Command prompt.

Clean up Meta data using command line

1. Login to one of DC's and Get the command prompt using run as administrator

2. Type- Ntdsutil

3. Type in ntdsutil: metadata cleanup 

4. At the metadata cleanup: Type the server name which is removed forcefully.

remove selected server <ServerName>

5. Confirm the removal

 

For more information refer the technet article

https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

 

2. Preparing the Forest Schema

Before adding a 2012R2 domain controller to the existing 2008 environment, it is mandatory to update the Active Directory schema to windows server 2012. You must update the schema from the domain controller that hosts the schema operations master role (FSMO). To do this you have to login to the Schema role holder DC using Enterprise admin and schema admin privileged account. Please follow the detail steps

  • Log on to the schema master as a member of the Enterprise Admins, Schema Admins, and Domain Admins groups privileged account
  • Note the schema version from registry 
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters
  • Insert the windows server 2012R2 Installation DVD to the Rom.
  • Open the command prompt using run as administrator
  • Locate the following path - 'D:\support\adprep\'
  • Run- 'Adprep/forestprep'

 

  • After ADPrep successfully updated, run the domain prep 'Adprep/ domainprep'
  • Check the schema version from registry key.

 

3. Join the Windows server 2012R2 server as a member server to the domain.
 

 

 

4. Promote the windows server 2012R2 server as an Additional Domain controller.
Set a static IP address and DNS should be the primary domain controllers IP. Follow the screens to promote as a DC.
  • Login to the server using Domain admin credentials
  • Server Manager – Add roles and features
  • Press next and select Active Directory Domain Services
  • Press next, next and install

  • After the installation go to the server manager and select Prompt this server to a domain controller

  • Select Add a domain controller to an existing domain

  • Type a domain restore mode password

  •  Type next till the installation window, and after the installation DC will be restarted.

 

5. Verify the successfully prompted domain controller

You can verify the DC by checking the DNS, Active directory users and computers and event viewer.

 

6. FSMO Role transfer to new Windows server 2012R2 Domain controller.

To finish up the AD Upgrade/Migration you have to move the FSMO roles to the new windows server 2012R2 Environment. Moving this roles will make 2012R2 DC as the primary server and after only you can demote the windows server 2008R2 DC's from your network. You can do this process can do using GUI or Command prompt. I prefer to do this using the command prompt which is less hassle.

  • Login to the Window server 2012R2 DC
  • Open the command prompt using run as administrator
  • Type following command and verify the server name of the windows server 2008 DC 
    Netdom query fsmo

  • Next type ntdsutil
  • Type roles
  • Type Connections
  • In connections type
    Connect to server <FQDN of win2012R2 DC>
    Ie - Connect to server TestDC2012R2.Lordstar.int

  • Type Quit, this will bring back the fsmo maintenance prompt
  • Type ?, enter
  • Type transfer schema master and press yes to transfer the role

  • Then transfer other roles
    Transfer naming master
    Transfer PDC
    Transfer RID master
    Transfer infrastructure master
  • After all roles are transferred, type quit and type netdom query fsmo and verify all roles are placed in 2012R2 DC.

 

7. Demote the existing windows server 2008R2 Domain controllers

Its not mandatory to demote the old servers right away, first you should have to implement other domain controllers to handle the load. After that you can demote the 2008 servers from the domain. Follow these steps.

  • Login to the 2008R2 DC and Type DCPromo in Run, press next
  • Don't select the Delete the domain because this server is the last domain controller in the domain, press next
  • Type the local administrator password and press next.
  • Restart the server.

Now DC role is removed and it's just a member server. If you want you can remove it from domain also.

Hope this is useful

Asitha De Silva
https://lk.linkedin.com/pub/asitha-de-silva/27/b09/429 

 

References

https://technet.microsoft.com/en-us/library/hh994618.aspx?f=255&MSPPError=-2147217396
http://blogs.technet.com/b/canitpro/archive/2015/02/11/step-by-step-migrating-windows-server-2003-fsmo-roles-to-windows-server-2012-r2.aspx
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Asitha De Silva

Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.

Newsletter

To keep up with the news and updates related to our products, make sure to subscribe to our newsletter!

Copyright © 2021 TerminalWorks. All Rights Reserved