Migrate Active Directory from Windows Server 2003 to 2012 R2: Install AD and Transfer FSMO Roles
In the first part of this three part series, I showed you how to prepare a Windows Server 2003 domain controller (DC) and domain so that a Windows Server 2012 R2 DC could be added. In this second article, we’ll install Active Directory Domain Services on Windows Server 2012 R2, configure it as a DC in the domain, set it to use its own DNS server for name resolution, and finally transfer the five Flexible Single Master Operation (FSMO) AD roles to the new DC.
Migrating Active Directory from Windows Server 2003 to Server 2012 R2 Article Series
- Part 1: Prepare Windows Server and Active Directory
- Part 2: Install AD and Transfer FSMO Roles
- Part 3: Migrate DHCP, Remove Windows Server 2003, and Raise Functional Levels
Installing Active Directory in Windows Server 2012 R2
Now that the Windows Server 2003 domain is prepared to accept a Windows Server 2012 R2 DC, we can install Active Directory (AD) on a new server. If you’re wondering whether you need to run adprep.exe in the existing domain, starting in Windows Server 2012, adprep /forestprep and adprep /domainprep are run automatically as part of the AD Domain Services (AD DS) installation process.
For more information on installing Windows Server 2012 R2, see How to Install Windows Server 2012 R2 on the Petri IT Knowledgebase. Don’t forget that you should assign the server a static IP address, and make sure that DNS resolution is working. Stated differently, be able to ping the fully-qualified domain name (FQDN) of your AD domain, which in my environment means setting the preferred DNS server on the new DCs network interface card (NIC) to point to my Windows Server 2003 DC (192.168.0.5).
Configuring a Static IP Address and DNS Server
To set a static IP address and configure DNS in Windows Server 2012 R2, log in as a local administrator and follow the instructions below:
- Right click on the network icon in system tray, and select Open Network and Sharing Center.
- In the left pane of the Network and Sharing Center, click Change adapter settings.
- In the Network Connections dialog, right click the Ethernet adapter, and select Properties from the menu.
- In the list of items, select Internet Protocol Version 4 (TCP/IPv4), and click Properties.
- In the Properties dialog, add an IP address, subnet mask, and default gateway.
- Set the Preferred DNS server address to the IP address of an existing DNS server, and click OK.
- Close any remaining windows.
Alternatively, open a PowerShell prompt and run the cmdlets below, replacing the IP addresses and NIC –Name as appropriate. You can use Get-NetAdapter to find out the name of the server’s NIC. Next, use Set-NetIPInterface to disable DHCP so a static IP address can be set. New-NetIPAddress can then be used to add an IP address, subnet mask (255.255.255.0), and default gateway to the NIC, where you finally can use Set-DnsClientServerAddress to specify the preferred DNS server. The following shows how each work together:
$nic = Get-NetAdapter -Name Ethernet0
$nic | Set-NetIPInterface -Dhcp Disabled
$nic | New-NetIPAddress -IPAddress 192.168.0.6 -PrefixLength 24 –DefaultGateway 192.168.0.1
$nic | Set-DnsClientServerAddress -ServerAddresses 192.168.0.5
Installing Active Directory Domain Services
Once Windows Server 2012 R2 has a static IP address, and I can ping my domain’s FQDN and get a response from the Windows Server 2003 DC, then it’s time to start configuring Active Directory. Log in to Windows Server 2012 R2 as a local administrator:
- Open Server Manager using the icon on the desktop taskbar.
- In Server Manager, click Manage in the top right corner, and select Add Roles and Features from the drop-down menu.
- In the Add Roles and Features Wizard, click Server Selection on the Before You Begin screen.
- The local server should already be selected in the Server Pool box. Click Next to continue.
- On the Server Roles screen, click Active Directory Domain Services, and click Next.
- In the pop-up dialog, click Add Features to confirm you want to install the additional required components. Click Next again to continue.
- On the Features screen, click Next.
- On the AD DS screen, click Next.
- On the Confirmation screen, click Install.
- Click Close when the installation has completed.
Promoting to a Domain Controller
Now that the AD DS bits are installed on the new server, we can add it as a DC in the Windows Server 2003 domain.
- Back in Server Manager, notice the yellow exclamation mark that indicates a notification. Click the notification icon in the top right corner.
- In the notifications, click Promote this server to a domain controller.
- In the Active Directory Domain Services Configuration Wizard, select Add a new domain controller to an existing domain, and type the FQDN of the Windows Sever 2003 domain in the box to the right of Domain:
- Below Supply the credentials to perform this operation, click Change.
- In the Windows Security dialog, type the username and password for a domain administrator account in the Windows Server 2003 domain, using the format [email protected] for the username, and click OK.
- Click Next on the Deployment Configuration screen.
- On the Domain Controller Options screen, check Domain Name System (DNS) server, and Global Catalog (GC).
- If you have more than one site in your current domain, select the site in which you’d like to place the DC from the drop-down menu to the right of Site name:
- Type and confirm a password for Directory Services Restore Mode, and then click Next. As we are not installing a read-only domain controller, the warning at the top of the dialog can be safely ignored.
- On the DNS Options screen, click Next.
- On the Additional Options screen, click Next unless you want to replicate AD from a specific DC, in which case select it from the Replicate from drop-down menu.
- Click Next on the Paths screen, unless you want to modify any of the default settings. It’s best practice to place the database and logs on different physical disks.
- The Preparation Options screen confirms that forest and domain schema preparation will be carried out by the wizard. Click Next.
- Check the selected options on the Review Options screen, and click Next.
- Now we need to wait as the wizard checks the prerequisites. Once it’s done, make a note of any warnings, and click Install to begin the promote operation.
The promotion operation will take some time, especially as the forest and domain schemas also need to be upgraded before Windows Server 2012 R2 can join the Windows Server 2003 domain as a DC. You can also promote Windows Server 2012 R2 to a DC by using PowerShell with the settings given in the instructions above:
Install-ADDSDomainController -NoGlobalCatalog:$false -CreateDnsDelegation:$false -Credential (Get-Credential) -CriticalReplicationOnly:$false -DatabasePath ‘C:\Windows\NTDS’ -DomainName ‘ad.contoso.com’ -InstallDns:$true -LogPath ‘C:\Windows\NTDS’ -NoRebootOnCompletion:$false -ReplicationSourceDC ‘DC1.ad.contoso.com’ -SiteName ‘Default-First-Site-Name’ -SysvolPath ‘C:\Windows\SYSVOL’ -Force:$true
The server will automatically reboot, and you should then be able to log in using a domain administrator username and password.
Change the Preferred DNS Server
At this point, configure the new DC to use its own DNS server for name resolution. You can follow the instructions given earlier in this article for setting the preferred DNS server address, which should now be set to 127.0.0.1, which is the server’s loopback address. You can specify an alternate DNS server address if required, but make sure it’s not one of the Windows Server 2003 DCs that you’re about to decommission.
DCdiag and Best Practices Analyzer
Check the new DCs health by running dcdiag in a command prompt window, just as we did for Windows Server 2003 in the first article in this series. You don’t need to install the support tools in Windows Server 2012 R2, as dcdiag is a built-in command. There might be some initial replication or errors, as name resolution might fail before the DNS zones have a chance to replicate.
I also recommend that you run the Best Practices Analyzer for Active Directory, which can be found in Server Manager.
- Go back to Server Manager, and click AD DS in the left pane.
- In the right pane of Server Manager, scroll down to the Best Practices Analyzer section, click the TASKS drop-down menu on the far right, and select Start BPA Scan.
- In the Select Servers dialog, make sure your new DC is selected and click Start Scan.
When the scan has completed, check for any recommendations given in Server Manager.
Transferring FSMO Roles to the New DC
Prior to decommissioning the Windows Server 2003 DC, you’ll need to transfer the five Flexible Single Master Operation (FSMO) roles to Windows Server 2012 R2, and decommission Windows Server 2003 as a Global Catalog server. For more information on AD’s FSMO roles, see Manage Flexible Single Master Operation (FSMO) Roles Using PowerShell on the Petri IT Knowledgebase.
Open a PowerShell prompt using the blue icon on the desktop taskbar, and run the Move-AdDirectoryServerOperationMasterRole cmdlet as shown below, replacing newDC with the name of your new Windows Server 2012 R2 DC. You’ll be asked to confirm the operation before it’s executed.
Move-AdDirectoryServerOperationMasterRole -Identity newDC –OperationMasterRole pdcemulator,ridmaster,infrastructuremaster,schemamaster,domainnamingmaster
Run the two commands below to check that all five FSMO roles have been moved to the new DC:
get-adforest ad.contoso.com | format-list schemamaster,domainnamingmaster
get-addomain ad.contoso.com | format-list pdcemulator,ridmaster,infrastructuremaster
Remove the Global Catalog Server
To remove Windows Server 2003 as a Global Catalog (GC) server from the domain, follow the instructions below in Windows Server 2012 R2:
- Open Server Manager using the icon on the desktop taskbar.
- In Server Manager, click Tools in the top right corner, and select Active Directory Sites and Services from the drop-down menu.
- In the left pane of Active Directory Sites and Services, expand the Sites folder, and then your AD site. Mine is called Default-First-Site-Name. You should see your domain controllers listed.
- Expand the Windows Server 2003 DC, right click NTDS Settings, and select Properties from the menu.
- In the NTDS Settings Properties dialog, uncheck the Global Catalog check box, and click OK.
- Close Active Directory Sites and Services.
You will need to repeat this action for any additional Windows Server 2003 DCs you’re planning to retire in your domain that are also Global Catalog servers. If you’re not sure which servers are running as GCs, use the PowerShell cmdlet below to discover all the GCs in the forest, replacing ad.contoso.com with the FQDN of your domain:
Get-ADForest ad.contoso.com | Format-List GlobalCatalogs
In the final part of this series, I’ll show you how to install DHCP on your new Windows Server 2012 R2 DC. I’ll also show you how to migrate the DHCP settings across from Windows Server 2003, how to demote Windows Server 2003 as a domain controller, and finally raise the domain and forest functional levels to Windows Server 2012 R2 once all your Windows Server 2003 DCs have been decommissioned.