Quick & Dirty Domain Controller Migration

It's the year 2023 now and it astounds me to know that there are still businesses running Active Directory and other domain services on Server 2003 and Server 2008 boxes. Migration of domain controller roles from old servers to new isn't as difficult as you might think. Honestly the hardest part is probably figuring out Microsoft licensing for Server 2019/2022. Over the last few years since upgrading our own domain controllers, I've helped others with the simple setup steps below. 

Also, I'm assuming that anyone reading this is not a complete dunce when it comes to Windows Server and Active Directory because there's a lot of stuff around AD that I'm not taking time to spell out. (You can probably get away with being about a 75% dunce ;) just not a complete one.)

QDDCM - Quick & Dirty DC Migration 

(For On-Prem Active Directory Domain Services on Server 2019/2022 with GUI)

I'm going to just dive right in here without much preamble. Following this guide will help you migrate your PDC from an EOL'd server version to a supported one. 

However, before you get started...

STEP ZERO IS ALWAYS TO MAKE BACKUPS OR SNAPSHOTS OF YOUR EXISTING DCS BEFORE YOU MIGRATE! Always, ALWAYS have a working backup in case your installation or migration gets messed up.

  1. Run dcdiag from cmd on your old DCs to make sure they are healthy. If you have multiple DCs and are not sure which is the primary DC, or PDC, you can also run netdom query fsmo from cmd to find out.
  2. On your new Server 2019 or 2022 server that's going to be your PDC, assign a static IP address to it and join it to your domain. Then, reboot it and log in as a domain administrator.
  3. From Server Manager, add the Active Directory Domain Services role and click through the wizard until it installs.
  4. After AD DS is installed, a link will appear in Server Manager that will allow you to promote it to a domain controller. Click that link. 
  5. Add the new server to the existing domain, setting it up for DNS and as a GC (Global Catalog). Set passwords where prompted and make note of what they are. 
  6. Replicate settings from your old DC to the new one.
  7. On both your new DC and your old ones, set the new one as the primary DNS server in the static IP settings. It's not a bad idea to reboot your new server again at this point.
  8. Now migrate fsmo roles from the old PDC to the new DC:
    1. Verify that DNS, Group Policy, and AD DS roles have all installed successfully
    2. Open up ADUC (Active Directory Users & Computers), select Operations Masters, and on the RID, PDC, and Infrastructure tabs change the operations master to your new server.
    3. Run netdom query fsmo from cmd on all DCs to verify that three of the five fsmo roles have migrated successfully to your new DC.
    4. Follow Tools > AD Domains and Trusts > Operations Masters and change the Domain Naming master to the new DC, then run regsvr32 schmmgmt.dll in cmd to register the AD Schema snap-in.
    5. Run mmc, add the snap-in for AD Schema, and change its Operations Master setting to the new DC.
    6. Run netdom query fsmo in cmd again to verify that all five fsmo roles are now assigned to your new DC. 
    7. Run dcdiag in cmd to verify domain health.
  9. Once you have verified fsmo roles and domain health, you can decommission your old DC:
    1. From the new PDC, open ADUC (Active Directory Users & Computers) and right-click on the old DC in the Domain Controllers OU, then select Properties.
    2. Click on NTDS Settings and uncheck Global Catalog from the General tab.
    3. Now on the old DC, run dcpromo in cmd to begin the decommissioning process. Ignore the warning about global catalog, and click Next. DO NOT CHECK THE BOX TO DELETE THE DOMAIN. You will need to enter the administrator password, and then allow the old server to reboot when the dcpromo process is complete.
    4. From ADUC on the new PDC, refresh the list of domain controllers to ensure that the old server's name has dropped out of the Domain Controllers OU.
    5. From Server Manager on the old server, remove Active Directory and DNS roles, confirm, and reboot.
    6. Check that roles are gone from Server Manager after the reboot. 
  10. To verify that your new PDC is working as a logon server, run set from cmd on endpoints in your domain and look at the LOGONSERVER value. If you have multiple DCs, it is okay to see them in the results of the set command, but you will want to run set on different endpoints until you see the new PDC show up as the logon server. 
  11. Verify roles and domain health one more time by running netdom query fsmo and dcdiag. After this, you should be safe to permanently shut down the old server.
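The health checks and the FSMO transfer in steps 1, 8 and 11 can be scripted instead of clicked through. The following is an added example and not part of the original guide: it wraps dcdiag, replaces netdom query fsmo with the ActiveDirectory module, and transfers all five roles with one cmdlet call (a transfer, not a seize, so the old DC must be online and healthy). It assumes you run it elevated on the new DC as a domain admin with RSAT-AD-PowerShell installed; the server names OLD-DC01 and NEW-DC01 are placeholders.

```powershell
# Added example (not from the original post): FSMO migration helpers for steps 1, 8 and 11.
# Assumptions: elevated PowerShell on the NEW DC as a Domain Admin; ActiveDirectory module
# (RSAT-AD-PowerShell) present; the host names below are placeholders.
Import-Module ActiveDirectory

$OldDc = 'OLD-DC01'   # placeholder: the EOL domain controller
$NewDc = 'NEW-DC01'   # placeholder: the Server 2019/2022 domain controller

# Steps 1, 8.7 and 11: run dcdiag against a DC. /q prints only failures,
# so any output at all means the DC is not healthy.
function Test-DcHealth {
    param([string]$Server)
    $output = & dcdiag.exe "/s:$Server" /q 2>&1
    if ($output) {
        Write-Warning "dcdiag reported problems on ${Server}:"
        $output | ForEach-Object { Write-Warning $_ }
        return $false
    }
    Write-Host "dcdiag: $Server is healthy"
    return $true
}

# Equivalent of 'netdom query fsmo': who holds the five roles right now.
# Two roles are forest-wide (schema, domain naming), three are per-domain.
function Get-FsmoHolder {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Steps 8.2 to 8.5 in one call: transfer (not seize) all five roles to the new DC.
# Without -Force this is a clean transfer that requires the current holder to be reachable.
function Move-AllFsmoRoles {
    param([string]$Target)
    Move-ADDirectoryServerOperationMasterRole -Identity $Target `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false
}

# Steps 8.6 and 11: confirm every role now lives on the new DC.
function Test-FsmoOwner {
    param([string]$Expected)
    $holders = Get-FsmoHolder
    $wrong = $holders.PSObject.Properties | Where-Object {
        # Role holders come back as FQDNs; compare on the short host name.
        ($_.Value -split '\.')[0] -ne $Expected
    }
    if ($wrong) {
        $wrong | ForEach-Object { Write-Warning "$($_.Name) is still on $($_.Value)" }
        return $false
    }
    return $true
}

# --- Procedure ---
'Before:'; Get-FsmoHolder | Format-List
if (-not (Test-DcHealth -Server $OldDc)) { throw 'Fix the old DC before migrating' }
if (-not (Test-DcHealth -Server $NewDc)) { throw 'Fix the new DC before migrating' }

Move-AllFsmoRoles -Target $NewDc
'After:'; Get-FsmoHolder | Format-List

if (-not (Test-FsmoOwner -Expected $NewDc)) { throw 'Not all FSMO roles moved; do not decommission the old DC yet' }
Test-DcHealth -Server $NewDc | Out-Null
```

Run the "Before" part on its own first if you only want the netdom-style report. The script deliberately stops before step 9: decommissioning is still a separate, deliberate action on the old DC after you have confirmed all five roles and a clean dcdiag.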

Migration Considerations

Now that you've read through my QDDCM guide, I'll list out a few things you may need to consider before, during, and after migration. 

First, DNS. If you have a lot of servers with static IPs using your old DC as their primary DNS server or name server, you will want to fix the static IP configuration on those servers sometime around steps 7 and 8. This is especially critical if you have only one DC (please for the love of your chosen deity, put 2-3 DCs minimum in your environment for redundancy's sake). 
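To find the servers that still have the old DC as a DNS server and repoint them, here is an added example (not from the original post) that queries every server object in AD and inspects its IPv4 DNS client settings over PowerShell Remoting. It is report-only unless you flip $Apply to $true. It assumes the ActiveDirectory module, WinRM enabled on the servers, and placeholder IP addresses for the old DC, the new DC and a second DC used as the secondary.

```powershell
# Added example (not from the original post): find servers whose DNS client still lists the
# old DC and repoint them to the new DC, for use around steps 7 and 8.
# Assumptions: ActiveDirectory module present, PowerShell Remoting enabled on the servers,
# and the IP addresses below are placeholders for your environment.
Import-Module ActiveDirectory

$OldDcIp        = '10.0.0.5'    # placeholder: old DC / old primary DNS
$NewDcIp        = '10.0.0.10'   # placeholder: new DC
$SecondaryDnsIp = '10.0.0.11'   # placeholder: a second DC, so no server depends on one DNS host
$Apply          = $false        # report-only by default; set to $true to change settings

# Server objects are the ones most likely to carry static IP configuration.
$servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*' -and Enabled -eq 'True'" |
    Select-Object -ExpandProperty DNSHostName

$report = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue `
    -ArgumentList $OldDcIp, $NewDcIp, $SecondaryDnsIp, $Apply -ScriptBlock {
    param($oldIp, $newIp, $secondIp, $apply)
    # Only IPv4 interfaces that currently list the old DC as a DNS server.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains $oldIp } |
        ForEach-Object {
            $iface  = $_
            $before = @($iface.ServerAddresses)
            # Swap the old DC for the new one in place (keeps the order the admin chose)
            # and append the secondary DC if it is not already listed.
            $after = @($before | ForEach-Object { if ($_ -eq $oldIp) { $newIp } else { $_ } })
            if ($after -notcontains $secondIp) { $after += $secondIp }
            if ($apply) {
                Set-DnsClientServerAddress -InterfaceIndex $iface.InterfaceIndex -ServerAddresses $after
            }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Interface = $iface.InterfaceAlias
                Before    = ($before -join ', ')
                After     = ($after -join ', ')
                Applied   = $apply
            }
        }
}

$report | Sort-Object Computer | Format-Table Computer, Interface, Before, After, Applied -AutoSize

# Servers that did not answer still need a manual look; they are the ones most likely to
# break when the old DC goes away.
$unreachable = $servers | Where-Object { $_ -notin ($report | Select-Object -ExpandProperty PSComputerName -Unique) }
if ($unreachable) { Write-Warning "No result from: $($unreachable -join ', ')" }
```

Run it once with $Apply left at $false and read the Before/After columns before running it for real. Servers that get their addresses from DHCP are not covered by this; for those, update the DNS server option on the DHCP scopes instead.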

Second, downtime. If you only have one DC, performing this migration might cause some logon hiccups for your users. If you're not heeding my advice of having at least 2 DCs running at any given time, it's probably best to save your migration for after-hours.

Third, AD/DNS management. If you or your team are the type to RDP into the DCs directly to make changes to DNS, ADUC, or DHCP... stop doing that, and install RSAT (Remote Server Administration Tools) on each admin's workstation. Each admin should use an unprivileged account for regular workstation use, and either have specific permissions (such as resetting passwords and unlocking accounts) delegated to them in ADUC OR have a separate unique domain admin account specifically for as-needed privilege escalation.
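Installing the consoles on an admin workstation is a couple of cmdlets on Windows 10 1809 or later and Windows 11, where RSAT ships as Features on Demand. This is an added example, not from the original post; the capability names are the real Features-on-Demand identifiers for the ADUC, DNS, DHCP and Group Policy tools, and the last part flags the case the paragraph warns about, an interactive session running as a member of Domain Admins.

```powershell
# Added example (not from the original post): install the RSAT consoles for AD, DNS, DHCP
# and GPMC on an admin workstation, and warn if the current session is a Domain Admin.
# Assumptions: Windows 10 1809+ or Windows 11, elevated PowerShell, and access to
# Windows Update (or a configured Features-on-Demand source) to fetch the packages.
$caps = @(
    'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',   # ADUC, AD Sites and Services, AD PowerShell
    'Rsat.Dns.Tools~~~~0.0.1.0',                       # DNS Manager
    'Rsat.DHCP.Tools~~~~0.0.1.0',                      # DHCP console
    'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'     # Group Policy Management Console
)

foreach ($cap in $caps) {
    $state = (Get-WindowsCapability -Online -Name $cap).State
    if ($state -eq 'Installed') {
        "$cap already installed"
        continue
    }
    Add-WindowsCapability -Online -Name $cap | Out-Null
    "$cap -> " + (Get-WindowsCapability -Online -Name $cap).State
}

# Domain Admins always has RID 512 (S-1-5-21-<domain>-512), so a SID comparison works
# without resolving group names. Daily-use accounts should not trip this.
$groupSids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
if ($groupSids -match '-512$') {
    Write-Warning 'This session runs as a Domain Admin. Use that account only for as-needed elevation, not for daily work.'
}
```

Once the consoles are installed, ADUC, DNS Manager and the DHCP console all take a "connect to another computer" target, so the DC itself never needs an interactive logon for routine changes. For the delegation option mentioned above, the Delegation of Control wizard in ADUC (right-click an OU) grants the reset-password and unlock rights to a group without handing out domain admin.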


And there you have it. Good luck & happy migrating!
