Migrate Active Directory from Windows Server 2003 to 2012 R2: Migrate DHCP, Remove Server 2003, and Raise Functional Levels
In the second part of this series, I showed you how to configure Windows Server 2012 R2 as a domain controller (DC) in an existing Windows Server 2003 domain, set up DNS on the new DC, and transfer the Flexible Single Master Operation (FSMO) AD roles from Windows Server 2003 to the new DC. In this third and final article, I’ll show you how to set up DHCP in Windows Server 2012 R2 and migrate the DHCP server settings from Windows Server 2003, remove the Windows Server 2003 DC from the domain, and then raise the domain and forest functional levels to Windows Server 2012 R2.
Migrating Active Directory from Windows Server 2003 to Server 2012 R2 Article Series
- Part 1: Prepare Windows Server and Active Directory
- Part 2: Install AD and Transfer FSMO Roles
- Part 3: Migrate DHCP, Remove Windows Server 2003, and Raise Functional Levels
Moving DHCP to the new DC isn’t quite as straightforward as DNS, because DHCP isn’t tightly integrated with AD. While it’s possible to set up a secondary DHCP server, the best strategy is to use the Windows Server Migration Tools to migrate the old settings across to a new DHCP server running on Windows Server 2012 R2. Before you can use the migration tools on Windows Server 2003, you’ll need to install the .NET Framework 3.5, and then the Windows Management Framework Core 2.0, which includes PowerShell 2.0.
Note that the source and destination DHCP servers must have the same number of network interface cards (NICs). Additionally, the NICs on the destination DHCP server don’t need to be assigned the same IP addresses as on the source server, but they must have IP addresses in the same subnet(s) and not be part of an address range that’s used in a DHCP scope.
Install and Prepare the Migration Tools in Windows Server 2012 R2
Log in to the Windows Server 2012 R2 DC as a domain administrator, open a PowerShell prompt using the blue icon on the desktop taskbar, and run the two cmdlets below to install the DHCP bits and Windows Server Migration Tools:
Now we need to create a migration package to run on Windows Server 2003. We'll do this on Windows Server 2012 R2. To open a command prompt, press the WINDOWS key to switch to the Start screen, type cmd and then click Command Prompt in the search results, and change the working directory to the location of the migration tools:
Use SmigDeploy to create a migration package for Windows Server 2003, changing c:\migrate if required. The migrate directory will be automatically created if it doesn't already exist. If you're running a 64-bit edition of Windows Server 2003, swap x86 for amd64.
Register the Migration Tools in Windows Server 2003
Log in to your Windows Server 2003 DHCP server as a domain administrator and copy the migrate folder that we just created in Windows Server 2012 R2 across to Windows Server 2003. Once the migrate folder has copied across to Windows Server 2003, run SmigDeploy in the c:\migrate\SMT_Ws03_X86 folder to register the tools and open a command prompt in the working directory.
Export the Windows Server 2003 DHCP Server Settings
In the command prompt, stop the DHCP service:
Then type Get-SmigServerFeature and press ENTER to see which Windows Server 2003 roles can be migrated. You should see DHCP Server in the list. Now run the command below to export the Windows Server 2003 DHCP settings across to Windows Server 2012 R2. You will be asked to enter a password, which is used to protect the exported data. Make sure that you change the given UNC path to point to your Windows Server 2012 R2 DHCP server. The DHCPSettings folder will be created if it doesn't already exist. In the UNC path below, I'm using the default c$ administrative share on the Windows Server 2012 R2 DC, or you could specify a local path and copy the DHCPSettings folder to Windows Server 2012 R2 manually.
The –User and –Group parameters export information about the DHCP Administrators group on the source server. As we are exporting DHCP server information to a DC in the domain, these parameters can be omitted. Before setting up the DHCP configuration in Windows Server 2012 R2, you should remove the Windows Server 2003 DHCP server's authorization in Active Directory, replacing dc1.ad.contoso.com with the FQDN of your Windows Server 2003 DHCP server, and 192.168.0.5 with its IP address.
Import DHCP Settings in Windows Server 2012 R2
Now open a PowerShell prompt in Windows Server 2012 R2, and stop the DHCP Server service:
Change the working directory in the PowerShell prompt, and start a second PowerShell prompt where the migration tool cmdlets are registered:
In the new PowerShell prompt, import the DHCP settings that we exported in the previous steps. When prompted, type the password given previously:
There's no need to include the –User or –Group parameters here, because the new DC is in the same domain as the old DHCP server. Had the DC been in a new domain, I could have specified –Group to populate the DHCP Administrators group. The –User parameter should only be used when the DHCP Administrators group needs to be populated with local user accounts. Now start the DHCP server service on Windows Server 2012 R2 and authorize it in Active Directory, replacing newDC.ad.contoso.com with the FQDN of your Windows Server 2012 R2 DHCP server, and 192.168.0.6 with its IP address:
Change Scope Options
While most of my DHCP scope options will remain unchanged, I do need to change the DNS server address that DHCP assigns from the Windows Server 2003 DC (192.168.0.5), to my new Windows Server 2012 R2 DNS server (192.168.0.6).
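The package, export, de-authorize, import and authorize sequence described in the sections above, written out as one annotated session. This is an added example, not the article's original listings; the share path `\\newDC\c$\DHCPSettings`, the local path `C:\DHCPSettings` and the use of `Add-PSSnapin` in place of a second PowerShell prompt are assumptions.

```powershell
# --- Windows Server 2012 R2 (destination), elevated PowerShell ---
Install-WindowsFeature DHCP -IncludeManagementTools
Install-WindowsFeature Migration          # Windows Server Migration Tools

# Build the deployment package for a 32-bit Windows Server 2003 source
# (use /architecture amd64 for a 64-bit source).
Set-Location "$env:windir\System32\ServerMigrationTools"
.\SmigDeploy.exe /package /architecture x86 /os WS03 /path C:\migrate

# --- Windows Server 2003 (source), after copying C:\migrate across ---
# Run SmigDeploy.exe in C:\migrate\SMT_Ws03_X86 once to register the
# tools, then in the prompt it opens:
Stop-Service DHCPServer
Get-SmigServerFeature                     # "DHCP Server" should be listed
# Prompts for a password that protects the exported data.
Export-SmigServerSetting -FeatureID DHCP -Path '\\newDC\c$\DHCPSettings' -Verbose
# Remove the old server's authorization from Active Directory.
netsh dhcp delete server dc1.ad.contoso.com 192.168.0.5

# --- Windows Server 2012 R2 (destination) ---
Stop-Service DHCPServer
# Assumption: load the migration cmdlets into the current session
# instead of starting a second prompt.
Add-PSSnapin Microsoft.Windows.ServerManager.Migration
# Prompts for the password given at export time.
Import-SmigServerSetting -FeatureID DHCP -Path C:\DHCPSettings -Verbose
Start-Service DHCPServer
netsh dhcp add server newDC.ad.contoso.com 192.168.0.6
```

Once the import has been verified, delete the DHCPSettings folder so that a copy of the server configuration is not left on the administrative share.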
- Open Server Manager in Windows Server 2012 R2 using the icon on the desktop taskbar.
- In Server Manager, click Tools in the top right corner, and select DHCP from the drop-down menu.
- In the left pane of the DHCP management console, expand your DHCP server, IPv4, Scope and click Scope Options.
- In the center pane, double click 006 DNS Servers.
- In the Scope Options dialog, type the IP address of the Windows Server 2012 R2 server in the IP address box, and click Add.
- In the box that contains the list of DNS server IP addresses, select the IP address of the Windows Server 2003 DNS server, and click Remove.
- Now click OK in the Scope Options dialog.
Verify DHCP
Once the new Windows Server 2012 R2 DHCP server service is running, authorized in AD, and DHCP scope options updated as necessary, make sure that you can start devices joined to your AD domain, and that they receive an IP address as expected.
- In the left pane of the DHCP management console, expand your DHCP server, IPv4, Scope and click Address Leases.
- In the center pane, you should see leases for each device that requests an IP address as it boots.
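The scope-option change and the verification steps above can also be done from PowerShell with the DhcpServer module on Windows Server 2012 R2. The following is an added example, not part of the original article; it goes slightly further than the GUI steps by checking which servers are still authorized in AD and by covering every IPv4 scope, and the two addresses are the article's example values.

```powershell
# Assumed addresses, taken from the article's examples.
$OldServer = '192.168.0.5'   # Windows Server 2003 DC (old DNS/DHCP)
$NewServer = '192.168.0.6'   # Windows Server 2012 R2 DC
Import-Module DhcpServer

# 1. Only the new server should still be authorized in Active Directory.
$authorized = Get-DhcpServerInDC
$authorized | Format-Table DnsName, IPAddress -AutoSize
if ($authorized | Where-Object { "$($_.IPAddress)" -eq $OldServer }) {
    Write-Warning "$OldServer is still authorized as a DHCP server in AD."
}

# 2. Replace the old DNS server in option 006 of every IPv4 scope,
#    keeping any other DNS servers already listed.
foreach ($scope in Get-DhcpServerv4Scope) {
    $opt = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 `
               -ErrorAction SilentlyContinue
    if ($opt -and $opt.Value -contains $OldServer) {
        $dns = @($NewServer) + @($opt.Value |
                   Where-Object { $_ -ne $OldServer -and $_ -ne $NewServer })
        Set-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -DnsServer $dns
        Write-Output "Scope $($scope.ScopeId): DNS servers now $($dns -join ', ')"
    }
}

# 3. Option 006 can also be set at server level; flag it if it still
#    points at the old server.
$serverOpt = Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue
if ($serverOpt -and $serverOpt.Value -contains $OldServer) {
    Write-Warning "Server-level option 006 still lists $OldServer."
}

# 4. Leases handed out by the new server, per scope.
foreach ($scope in Get-DhcpServerv4Scope) {
    Get-DhcpServerv4Lease -ScopeId $scope.ScopeId |
        Select-Object IPAddress, HostName, AddressState, LeaseExpiryTime
}
```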
Remove the Windows Server 2003 Domain Controller
Now that we have a working Windows Server 2012 R2 that's running DNS and DHCP, and we're happy that the domain is working as it should, we can demote the Windows Server 2003 domain controller. Don't forget that it's recommended to have a minimum of two domain controllers in each domain. Before completing the following steps, you might want to run DCdiag again on your new Windows Server 2012 R2 DC, as outlined in part two of this series, just to check everything is in working order.
Modify Windows Server 2003 DNS
Before demoting the Windows Server 2003 DC, you should change its network card settings to point to the Windows Server 2012 R2 DNS server. When a DC is demoted, DNS is removed and the server becomes a member server in the domain. As such, you must configure DNS resolution so that it works without relying on a DNS server that will be removed during the demotion.
- Log in to your Windows Server 2003 DC as a domain administrator.
- Click Start, and then select Control Panel > Network Connections, right click the local network adapter and select Properties from the menu.
- In the Properties dialog, select Internet Protocol (TCP/IP) on the General tab, and click Properties.
- In the Internet Protocol (TCP/IP) Properties dialog, change the IP address for preferred DNS server to the IP address of your new Windows Server 2012 R2 DNS server, and click OK.
- Close the NIC properties dialog.
Demote the Windows Server 2003 DC
Now that the DNS server settings have been changed, we can demote the Windows Server 2003 DC to a member server.
- Open the Start menu and click Run.
- In the Run dialog, type dcpromo and click OK.
- In the Active Directory Installation Wizard dialog, click Next on the welcome screen.
- On the Remove Active Directory screen, click Next.
- On the Administrator Password screen, type and confirm a new password for the local Administrator account, and then click Next.
- Review the information on the Summary screen, and click Next to remove Active Directory from the server.
- Click Finish once the DC has been removed from the domain.
Raise the Forest and Domain Functional Level
Once all the Windows Server 2003 DCs have been removed from your domain and/or forest, you can raise the domain and forest functional levels. Bearing in mind that this is an irreversible process, you will not be able to add down-level Windows Server operating systems as domain controllers to the domain again. Log in to your Windows Server 2012 R2 DC as an enterprise administrator, and open a PowerShell prompt using the blue icon on the desktop taskbar. Run the two commands below to raise the domain functional level, and then the forest functional level, replacing ad.contoso.com with your domain and forest FQDNs as appropriate. You will be prompted to confirm each operation.
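Because the change cannot be undone, it is worth confirming that no down-level DC is left before raising the levels. The following is an added example, not the article's original listing; it assumes a single-domain forest named ad.contoso.com as used in the text, and adds a pre-check and a FSMO role listing around the two raise commands.

```powershell
Import-Module ActiveDirectory
$Forest = 'ad.contoso.com'   # assumption: single-domain forest, as in the article

# Collect every DC in every domain of the forest with its OS version,
# e.g. "5.2 (3790)" for Windows Server 2003, "6.3 (9600)" for 2012 R2.
$dcs = foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion
}
$dcs | Format-Table -AutoSize

# Any DC older than 6.3 blocks the Windows Server 2012 R2 functional level.
$downLevel = $dcs | Where-Object {
    [version]($_.OperatingSystemVersion -replace '\s*\(.*$', '') -lt [version]'6.3'
}

if ($downLevel) {
    Write-Warning "Down-level DCs remain: $($downLevel.HostName -join ', ')"
}
else {
    # The FSMO roles should all be held by a remaining DC.
    Get-ADDomain -Identity $Forest |
        Format-List PDCEmulator, RIDMaster, InfrastructureMaster
    Get-ADForest -Identity $Forest |
        Format-List SchemaMaster, DomainNamingMaster

    # Irreversible: each cmdlet prompts for confirmation.
    Set-ADDomainMode -Identity $Forest -DomainMode Windows2012R2Domain
    Set-ADForestMode -Identity $Forest -ForestMode Windows2012R2Forest

    # Show the resulting levels.
    (Get-ADDomain -Identity $Forest).DomainMode
    (Get-ADForest -Identity $Forest).ForestMode
}
```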
For more information on raising the domain and forest functional levels in Active Directory, see Raise Active Directory Domain and Forest Functional Levels using PowerShell on the Petri IT Knowledgebase. Congratulations, you've now decommissioned your Windows Server 2003 DCs and have a native Windows Server 2012 R2 domain!