
Step-by-Step Guide to Migrate from Active Directory 2012 R2 to Active Directory 2019 (PowerShell Guide)

Windows Server 2019 became generally available (GA) in early October 2018. In the past I have written many articles about domain migrations covering different Active Directory versions, so it is time to write about AD 2019 migrations. In this demo I am going to demonstrate how to migrate from Active Directory 2012 R2 to Active Directory 2019. The same procedure applies to any AD version from Windows Server 2008 onwards.

The migration itself is a very straightforward task, but there are other things you need to consider before you do an AD migration. Below is a checklist you can use on many occasions.

Evaluate the business requirement for the Active Directory migration

Perform an audit of the existing Active Directory infrastructure

Provide a plan for the implementation process

Prepare physical / virtual resources for the domain controller

Install Windows Server 2019 Standard / Datacenter

Patch the servers with the latest Windows updates

Assign a dedicated static IP address to the domain controller

Install the AD DS role

Migrate applications and server roles from the existing domain controllers

Migrate the FSMO roles to the new domain controllers

Add the new domain controllers to the existing monitoring system

Add the new domain controllers to the existing DR solution

Decommission the old domain controllers

Raise the domain and forest functional levels

Ongoing maintenance

As per the above figure, the therebeladmin.com domain has two domain controllers. The FSMO role holder is running Windows Server 2012 R2, and the domain and forest functional levels are currently Windows Server 2012 R2. A new domain controller running Windows Server 2019 will be introduced and will become the new FSMO role holder for the domain. Once the FSMO role migration is complete, the domain controller running Windows Server 2012 R2 will be decommissioned. After that, the forest and domain functional levels will be raised to the highest level Windows Server 2019 supports.
In the demonstration, REBEL-DC2012 is the domain controller running Windows Server 2012 R2 and REBEL-DC2019 is the domain controller running Windows Server 2019.
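Before touching the environment, it is worth recording where it stands. The following audit script is an added example (it is not code from the original post) and covers the "audit the existing infrastructure" item of the checklist: current functional levels and schema version, the FSMO holders, the global catalog layout, whether SYSVOL is already on DFS Replication, and replication health. It assumes the ActiveDirectory PowerShell module and dfsrmig.exe are available (both ship with the AD DS role) and uses the domain name from the post; run it on an existing DC as an Enterprise Admin.

```powershell
# Pre-migration audit of the existing forest. Added example, not code from the
# original post. Run on an existing DC (or a host with RSAT) as Enterprise Admin.
# Assumptions: ActiveDirectory module present, dfsrmig.exe available, and the
# domain name is the one used in the post.
Import-Module ActiveDirectory

$Domain = 'therebeladmin.com'
$forest = Get-ADForest
$domain = Get-ADDomain -Identity $Domain

# 1. Functional levels and schema version. objectVersion 69 = 2012 R2 schema,
#    87 = 2016, 88 = 2019. Promoting the first 2019 DC extends the schema to 88
#    (adprep runs automatically when the promoting account is in Schema Admins
#    and Enterprise Admins), so note the starting value for the change record.
$schemaDn      = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaDn -Properties objectVersion).objectVersion
[pscustomobject]@{
    ForestMode    = $forest.ForestMode
    DomainMode    = $domain.DomainMode
    SchemaVersion = $schemaVersion
} | Format-List

# 2. FSMO role holders: these are the roles step 9 moves to the new DC.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 3. Every DC with its OS, site and global catalog flag. At least one GC must
#    remain after the old DC is decommissioned.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, Site, IsGlobalCatalog, IPv4Address |
    Format-Table -AutoSize

# 4. SYSVOL replication engine. A Windows Server 2019 DC cannot be promoted in
#    a domain whose SYSVOL still replicates with FRS, so the DFSR migration
#    state must be 'Eliminated' (domains created at 2008 DFL or later already are).
$dfsrState = (& dfsrmig.exe /getglobalstate) -join ' '
if ($dfsrState -match 'Eliminated') {
    Write-Host 'SYSVOL: DFSR, FRS eliminated - OK to add a 2019 DC'
} else {
    Write-Warning "SYSVOL is not fully on DFSR ($dfsrState). Complete dfsrmig (states 1, 2, 3) before promoting a 2019 DC."
}

# 5. Replication health. Fix any failure before adding a DC: the new DC sources
#    its initial copy from a partner, and a broken partner means a stale copy.
$failures = Get-ADReplicationFailure -Target $forest.RootDomain -Scope Forest
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, LastError, FirstFailureTime -AutoSize
} else {
    Write-Host 'Replication: no failures reported forest-wide'
}
```

Keep the output with the change record: the schema version and functional levels before the migration are what you compare against at the end, and the FSMO list is what step 9 has to change.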
 
Note: When you introduce new domain controllers to an existing infrastructure, it is recommended to add them to the forest root domain first and then to the domains further down each domain tree.
 
 
1. Log in to the Windows Server 2019 machine as a member of the local Administrators group.
2. Add the server to the existing domain as a member server.


3. After the restart, log in to the server as an Enterprise Administrator. Because this is the first Windows Server 2019 domain controller, promotion also extends the schema, so the account must be a member of Schema Admins as well.
4. Assign a static IP address to the server.
5. Launch the PowerShell console as an administrator.
6. Before the configuration process, we need to install the AD DS role on the server. To do that we can use the following command:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
 
 
7. Configure the new server as additional domain controller.
 
Install-ADDSDomainController `
    -CreateDnsDelegation:$false `
    -NoGlobalCatalog:$true `
    -InstallDns:$true `
    -DomainName "therebeladmin.com" `
    -SiteName "Default-First-Site-Name" `
    -ReplicationSourceDC "REBEL-DC2012.therebeladmin.com" `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$true `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true


The trailing backticks are PowerShell line continuations: this is a single command, split across lines so that readers can identify the parameters clearly. It can be pasted as shown or typed on one line without the backticks.
 

Argument | Description
--- | ---
Install-ADDSDomainController | Promotes the server to an additional domain controller in an existing domain. If the forest and domain have not yet been prepared for this OS version, the cmdlet runs the schema and domain preparation (adprep) itself, which is why the account needs Schema Admins and Enterprise Admins membership.
-CreateDnsDelegation | Whether to create a DNS delegation that points to the new DNS server in the parent DNS zone. Set to $false here because a forest root domain has no parent zone under our control.
-NoGlobalCatalog | Use this parameter ($true) if you do not want the new domain controller to be a global catalog server; by default the new DC is made a global catalog. The demo deliberately creates the DC without the GC role, so before the 2012 R2 DC is decommissioned make sure another GC remains in the forest, or omit this parameter so the new DC becomes a GC.
-InstallDns | Installs and configures the DNS Server role on the new domain controller ($true here).
-DomainName | The FQDN of the Active Directory domain the server joins as a domain controller.
-SiteName | The Active Directory site the new domain controller is placed in. The default value is Default-First-Site-Name.
-ReplicationSourceDC | The domain controller from which the initial copy of the directory is replicated. By default any available domain controller is used, but we can be specific, as here.
-DatabasePath, -LogPath, -SysvolPath | Locations of the NTDS database, its log files and the SYSVOL folder. The values shown are the defaults.
-NoRebootOnCompletion | Do not reboot automatically when promotion finishes ($true here; the restart is done by hand in step 8).
-Force | Suppresses confirmation prompts and warnings so the command runs unattended.

When the command runs, it prompts for the SafeModeAdministratorPassword. Use a complex password. This is the Directory Services Restore Mode (DSRM) password: the local Administrator password used when the DC is booted into DSRM for restore or repair work. It is a break-glass credential, so record it in your password vault; it can be changed later with ntdsutil (set dsrm password).

8. After the configuration completes, restart the server and log back in as an administrator to check the AD DS status.

Get-Service adws,kdc,netlogon,dns

confirms that the AD Web Services, Kerberos KDC, Netlogon and DNS Server services are running.

Get-ADDomainController -Filter * | Format-Table Name, IPv4Address, Site

lists the domain controllers along with their IP addresses and the sites they belong to. The new DC should appear in this list; if it does not yet, wait for replication to catch up rather than moving on to the FSMO transfer.
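A running service list does not tell you whether the new DC is actually usable. The script below is an added example (not code from the original post) that goes a step further after the reboot in step 8: it checks the core services, that SYSVOL and NETLOGON are shared (clients ignore a DC for logons and Group Policy until they are), that the DC has registered its SRV record in DNS, that inbound replication from every partner has succeeded, and whether the DC is a global catalog. The names $NewDc and $Domain are taken from the post; run it on the new DC as a Domain Admin.

```powershell
# Post-promotion health check for the new DC. Added example, not code from the
# original post. Run on the new DC after the reboot in step 8, as Domain Admin.
# Assumptions: names taken from the post; ActiveDirectory and DnsClient modules
# are available (both are on a Server 2019 DC).
Import-Module ActiveDirectory

$NewDc  = 'REBEL-DC2019'
$Domain = 'therebeladmin.com'
$fqdn   = "$NewDc.$Domain"
$ok     = $true

# 1. Core services. DNS is only expected because -InstallDns:$true was used.
foreach ($svc in 'NTDS', 'ADWS', 'KDC', 'Netlogon', 'DNS') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s -or $s.Status -ne 'Running') { Write-Warning "$svc is not running"; $ok = $false }
}

# 2. SYSVOL and NETLOGON are only shared once the initial SYSVOL sync finished.
$shares = (Get-SmbShare).Name
foreach ($sh in 'SYSVOL', 'NETLOGON') {
    if ($sh -notin $shares) { Write-Warning "$sh share is not published yet"; $ok = $false }
}

# 3. The DC must advertise itself in DNS, otherwise clients never find it.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv.NameTarget -notcontains $fqdn) { Write-Warning "No DC SRV record for $fqdn"; $ok = $false }

# 4. Inbound replication from every partner must have succeeded at least once
#    (LastReplicationResult 0 means success).
Get-ADReplicationPartnerMetadata -Target $fqdn -PartnerType Inbound |
    ForEach-Object {
        # Partner is the DN of the partner's NTDS Settings object; pull the DC name out of it.
        $partnerName = ($_.Partner -split ',')[1] -replace '^CN='
        if ($_.LastReplicationResult -ne 0) {
            Write-Warning "Inbound replication from $partnerName failed with $($_.LastReplicationResult)"
            $ok = $false
        }
        [pscustomobject]@{
            Partition   = $_.Partition
            Partner     = $partnerName
            LastAttempt = $_.LastReplicationAttempt
            Result      = $_.LastReplicationResult
        }
    } | Format-Table -AutoSize

# 5. Global catalog. With -NoGlobalCatalog:$true (as in the post) the DC is
#    not a GC; enable it if this DC must replace the only GC once the old DC is gone.
$dc = Get-ADDomainController -Identity $fqdn
if (-not $dc.IsGlobalCatalog) {
    Write-Warning "$NewDc is not a global catalog. To make it one: Set-ADObject -Identity '$($dc.NTDSSettingsObjectDN)' -Replace @{options=1}"
}

if ($ok) { Write-Host "$NewDc looks healthy" } else { Write-Warning "$NewDc has issues, see warnings above" }
```

Only move on to the FSMO transfer when every check passes; transferring roles to a DC that has not finished its initial replication is how you end up with roles on a DC nobody can reach.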

9. Transfer all five FSMO roles to the new domain controller using the following command:

Move-ADDirectoryServerOperationMasterRole -Identity REBEL-DC2019 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

Here REBEL-DC2019 is the domain controller running Windows Server 2019. This is a transfer, which requires the current role holder to be online. Add -Force only to seize the roles from a domain controller that is permanently gone, and never bring such a DC back online afterwards.

Once it has completed, we can verify the new FSMO role holder using

netdom query fsmo

10. The next step is to decommission the old domain controller running Windows Server 2012 R2. To do that, execute the following command as an Enterprise Administrator on the DC being demoted:

Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition

When the command runs, it prompts for the password to set on the server's local Administrator account (the -LocalAdministratorPassword parameter); after demotion the server has a local account database again and this becomes the password of its built-in Administrator. -DemoteOperationMasterRole lets the demotion continue even if a FSMO role was left on this DC, and -RemoveApplicationPartition removes this DC's replicas of the application partitions (such as the DNS zone partitions) as part of the demotion.

Once it has completed and rebooted, the server is a member server of the therebeladmin.com domain. The AD DS binaries can then be removed with Uninstall-WindowsFeature AD-Domain-Services, and anything that used this server for DNS (its own network adapter, clients, DHCP scopes, other servers) must be repointed to the new DC.
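Steps 9 and 10 are the ones that cause outages when done in the wrong order, so it is worth gating the demotion on a few checks. The script below is an added example (not code from the original post): it lists which DC holds which FSMO role without parsing netdom output (step 9), then refuses to demote the old DC while it still holds a role, while it is the last global catalog, while outbound replication from it has not converged, or while it still uses only itself for DNS (step 10). Names are taken from the post; the -Demote switch is an addition of this script so that the default is a dry run. Run it on the DC being demoted as an Enterprise Admin.

```powershell
# Pre-demotion gate for the old DC, followed by the demotion itself. Added
# example, not code from the original post. Run ON the DC being demoted
# (REBEL-DC2012 in the post) as Enterprise Admin. Without -Demote it only
# reports; -Demote is a switch introduced here for this script.
param([switch]$Demote)
Import-Module ActiveDirectory

$OldDc    = 'REBEL-DC2012'
$Domain   = 'therebeladmin.com'
$fqdn     = "$OldDc.$Domain"
$blockers = @()

# 1. No FSMO role may still be on this DC. OperationMasterRoles answers
#    "who holds what" for every DC, which also verifies step 9.
$me = Get-ADDomainController -Identity $fqdn
if ($me.OperationMasterRoles) {
    $blockers += "Still holds FSMO roles: $($me.OperationMasterRoles -join ', ')"
}
Get-ADDomainController -Filter * |
    Select-Object HostName, @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ', ' } } |
    Format-Table -AutoSize

# 2. At least one other global catalog must remain in the forest.
$otherGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
            Where-Object { $_.HostName -ne $fqdn }
if (-not $otherGCs) { $blockers += 'No other global catalog would remain in the forest' }

# 3. Everything written on this DC must already be replicated out: every
#    outbound partner reports a successful last replication (result 0).
$stale = Get-ADReplicationPartnerMetadata -Target $fqdn -PartnerType Outbound |
         Where-Object { $_.LastReplicationResult -ne 0 }
if ($stale) { $blockers += "Outbound replication failures to $($stale.Count) partner(s)" }

# 4. Once AD DS is removed, the AD-integrated DNS zones on this host go with it.
#    Its own adapter must already point at another DNS server (the same applies
#    to every client, DHCP scope and server that used this DC for DNS).
$myIPs      = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
if (-not ($dnsServers | Where-Object { $_ -notin $myIPs })) {
    $blockers += 'This DC uses only itself for DNS; point it at the new DC first'
}

if ($blockers) {
    $blockers | ForEach-Object { Write-Warning $_ }
    Write-Warning "Not demoting $OldDc."
    return
}
Write-Host "$OldDc is safe to demote."

if ($Demote) {
    # -DemoteOperationMasterRole lets the demotion continue if a role were still
    # here; -RemoveApplicationPartition removes this DC's replicas of the
    # application partitions. You are prompted for the new local Administrator password.
    Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition
    # After the reboot the host is a member server; remove the binaries with:
    #   Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
}
```

The DNS check only covers the DC's own adapter; the cmdlets cannot see what clients and DHCP scopes point at, so that part stays a manual step.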

11. The next step is to raise the domain and forest functional levels. To do that, use the following commands. The domain level can only be raised once every domain controller in the domain runs Windows Server 2016 or later (true now that the 2012 R2 DC is gone), and the forest level only once every domain in the forest is at the Windows Server 2016 domain level.

To raise the domain functional level:

Set-ADDomainMode -Identity therebeladmin.com -DomainMode Windows2016Domain

To raise the forest functional level:

Set-ADForestMode -Identity therebeladmin.com -ForestMode Windows2016Forest

Note: With Windows Server 2019 there is no domain or forest functional level called Windows2019; the highest level is still Windows Server 2016.

Now we have completed the migration from AD DS 2012 R2 to AD DS 2019. The same steps apply when migrating from Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2016, with one extra check for the older ones: a domain that still replicates SYSVOL with FRS (typical of domains originally created on Windows Server 2003) must be migrated to DFS Replication with dfsrmig before the first Windows Server 2019 domain controller can be promoted.

12. After the migration completes, we still need to verify that it completed successfully.

Get-ADDomain | fl Name,DomainMode

This command shows the current domain functional level after the migration.

Get-ADForest | fl Name,ForestMode

This command shows the current forest functional level.
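Raising a functional level is a one-way door in practice (lowering is only possible in narrow cases, and not at all once forest features such as the Recycle Bin are enabled), so it pays to check the preconditions first. The script below is an added example (not code from the original post) covering steps 11 and 12: it prints the mode values the installed module actually accepts (which is where you see that no Windows2019 level exists), verifies that every DC in the forest runs Windows Server 2016 or later, shows the current levels, and only raises and re-verifies them when run with -Apply, a switch introduced here so that the default is a dry run. Names are taken from the post; run it as an Enterprise Admin on one of the new DCs.

```powershell
# Raise the functional levels only when every DC can support them. Added
# example, not code from the original post. Run as Enterprise Admin on a 2019
# DC. Assumptions: names from the post; -Apply is a switch introduced here so
# the default is a dry run.
param([switch]$Apply)
Import-Module ActiveDirectory

$Domain = 'therebeladmin.com'
$Target = 'Windows2016'   # highest level Server 2019 offers; there is no Windows2019 value

# 1. Show what this module accepts, so nobody guesses at a level name.
'Valid domain modes: ' + ([Enum]::GetNames([Microsoft.ActiveDirectory.Management.ADDomainMode]) -join ', ')
'Valid forest modes: ' + ([Enum]::GetNames([Microsoft.ActiveDirectory.Management.ADForestMode]) -join ', ')

# 2. Every DC in every domain of the forest must run Server 2016 or later, or
#    the raise is refused. A 2012 R2 DC that was never demoted shows up here.
#    OperatingSystemVersion looks like "10.0 (17763)" for 2019 and "10.0 (14393)"
#    for 2016; 2008 through 2012 R2 report a 6.x version.
$forest = Get-ADForest
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$dcs | Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion | Format-Table -AutoSize

$tooOld = $dcs | Where-Object { $_.OperatingSystemVersion -notmatch '^10\.' }
if ($tooOld) {
    $tooOld | ForEach-Object { Write-Warning "$($_.HostName) runs $($_.OperatingSystem); cannot raise to $Target" }
    return
}

# 3. Current levels.
$domainObj = Get-ADDomain -Identity $Domain
"Domain mode now: $($domainObj.DomainMode)   Forest mode now: $($forest.ForestMode)"

if ($domainObj.DomainMode -eq "${Target}Domain" -and $forest.ForestMode -eq "${Target}Forest") {
    'Already at the target level; nothing to do.'
    return
}
if (-not $Apply) {
    'Dry run only. Re-run with -Apply to raise the levels.'
    return
}

# 4. Domains first: every domain in the forest must be at the level before the
#    forest can be raised to it.
foreach ($d in $forest.Domains) {
    Set-ADDomainMode -Identity $d -DomainMode "${Target}Domain" -Confirm:$false
}
Set-ADForestMode -Identity $forest.RootDomain -ForestMode "${Target}Forest" -Confirm:$false

# 5. Verify, as in step 12 of the post.
Get-ADDomain -Identity $Domain | Format-List Name, DomainMode
Get-ADForest | Format-List Name, ForestMode
```

The enum list reflects the module version on the machine you run it from, so on a newer server it may show levels the forest cannot use yet; the DC version check is what actually decides whether a raise is possible.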

This marks the end of this blog post. I hope it was useful. If you have any questions, feel free to contact me at rebeladm@live.com, and follow me on Twitter @rebeladm to get updates about new blog posts.
