Windows Server 2008 and Windows Server 2008 R2 reached the end of their support cycle on the 14th of January 2020, and because of this many organisations wanted to migrate away from these legacy operating systems. End-of-life operating systems have a direct impact on various industry compliance requirements, IT audits, penetration tests, and so on. Even businesses that otherwise have no requirement to upgrade are left with no choice but to move off an end-of-life operating system.
Microsoft released Windows Server 2022 recently (Aug 2021), and we thought it would be good to demonstrate how we can migrate AD from 2008 R2 to the newest release. AD migrations from other operating systems (newer than Windows Server 2008 R2) can be carried out by following a similar process.
AD DS improvements are bound to its forest and domain functional levels. Upgrading the operating system, or adding domain controllers that run Windows Server 2022 to an existing AD infrastructure, is not going to raise the forest and domain functional levels automatically. We need to raise them manually once the older domain controllers are decommissioned. There was a big difference with Windows Server 2019 when it comes to forest and domain functional levels. Each Windows Server release up to Windows Server 2016 had a new forest and domain functional level, but with Windows Server 2019 there were NO new forest or domain functional levels. It is the same with Windows Server 2022. The maximum forest and domain functional level we can choose is still Windows Server 2016.
Active Directory Domain Services was first introduced to the world with Windows Server 2000. For more than 21 years, AD DS has helped organizations manage digital identities. However, modern access management requirements are complicated. Businesses are using more and more cloud services now. Most of the workforce is still working from home and accessing sensitive corporate data via unsecured networks. Most software vendors are moving to the SaaS model. Cybercrime is skyrocketing and identity protection is at stake. To address these requirements, we need to go beyond legacy access management. Azure Active Directory is a cloud-based, managed Identity as a Service (IDaaS) provider, which can provide world-class security, strong authentication, and seamless collaboration. So it makes sense that there are no longer significant changes to on-premises AD.
One of the key themes of Windows Server 2022 is “security”. Advanced multi-layer security in Windows Server 2022 provides comprehensive protection against modern threats. This also adds an additional layer of security to roles run on Windows Server 2022 including Active Directory.
Migrating FSMO roles to a new server and raising the forest and domain functional levels doesn't take more than a few minutes, but when it comes to a migration there are a few other things we need to consider. Therefore, the following checklist summarizes the AD DS migration process.
Below is a list of some of the most common questions about AD migration:
As per the following diagram, the example (domain.local) domain has two domain controllers:
As explained in the above illustration, the FSMO role holder DC08 is a Windows Server 2008 R2 domain controller. The domain and forest functional levels currently operate at Windows Server 2008 R2. A new domain controller running Windows Server 2022 (DC22) will be introduced and will become the new FSMO role holder for the domain. Once the FSMO role migration is complete, the domain controller running Windows Server 2008 R2 will be decommissioned. After that, the forest and domain functional levels will be raised to Windows Server 2016.
Note: When you introduce new domain controllers to existing infrastructure, it is recommended that you introduce the forest root level first and then go to the domain tree levels.
We need to do a few things to prepare the new Windows Server 2022 domain controller before we migrate the FSMO roles.
In this demo environment, the domain controller is already using DFSR.
As the next part of the configuration, we need to make DC22 an additional domain controller. To do that, install the AD DS role and then promote the server:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
-CreateDnsDelegation:$false `
-InstallDns:$true `
-DomainName "your domain" `
-SiteName "Default-First-Site-Name" `
-ReplicationSourceDC "DC08.your domain" `
-DatabasePath "C:\Windows\NTDS" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
The promotion command is normally typed on a single line; it is shown here with one parameter per line (joined by backtick line continuations) to allow readers to focus on the parameters.
The following table explains the PowerShell arguments and what they do.
| Argument | Description |
| --- | --- |
| Install-ADDSDomainController | This cmdlet installs the domain controller into the Active Directory infrastructure. |
| -CreateDnsDelegation | Defines whether to create a DNS delegation that references Active Directory integrated DNS. |
| -InstallDns | Specifies whether the DNS role needs to be installed with the Active Directory domain controller. For a new forest, it is the default requirement to set it to $true. |
| -DomainName | Defines the FQDN of the Active Directory domain. |
| -SiteName | Defines the Active Directory site name. The default value is Default-First-Site-Name. |
| -ReplicationSourceDC | Defines the Active Directory replication source. By default, any available domain controller is used, but we can be specific if needed. |
| -DatabasePath | Defines the folder path in which to store the Active Directory database file (Ntds.dit). |
| -LogPath | Specifies the location in which to save the domain log files. |
| -SysvolPath | Defines the SYSVOL folder path. The default location for it is C:\Windows. |
| -Force | Forces the command to execute, ignoring warnings. It is typical for the system to emit warnings about best practices and recommendations. |
Once the command is executed, it will prompt for the SafeModeAdministratorPassword. Please use a complex password to proceed; this password is used for Directory Services Restore Mode (DSRM).
Now we have the new domain controller. The next step is to migrate FSMO roles from DC08 to the new domain controller.
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
As we can see, all five FSMO roles currently belong to the DC08 (Windows Server 2008 R2) domain controller.
Move-ADDirectoryServerOperationMasterRole -Identity DC22 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
In the preceding command, DC22 is the domain controller running Windows Server 2022.
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
As expected, the FSMO roles have now been successfully moved to the DC22 domain controller (Windows Server 2022).
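Before DC08 is decommissioned, it is worth checking in one pass that every role really landed on DC22, that replication from DC22's point of view is healthy, and what the functional levels still are. The script below is an added example (not part of the original article); it assumes the new DC's FQDN is DC22.domain.local, which you should change to match your environment, and it relies on the FSMO properties and the ActiveDirectory replication cmdlets already used above.

```powershell
# Added post-migration check (not from the original article).
# Assumption: the new FSMO holder is DC22 in domain.local; adjust $NewDC as needed.
# Get-ADDomain / Get-ADForest report role holders as FQDNs, so compare against the FQDN.
$NewDC = "DC22.domain.local"

$domain = Get-ADDomain
$forest = Get-ADForest

# All five FSMO roles and the server each one currently reports.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$misplaced = $roles.GetEnumerator() | Where-Object { $_.Value -ne $NewDC }
if ($misplaced) {
    $misplaced | ForEach-Object { Write-Warning "$($_.Key) is still held by $($_.Value)" }
} else {
    Write-Host "All five FSMO roles are held by $NewDC"
}

# Replication health from the new DC's point of view. Any recorded failure, or an
# inbound partner without a recent success, is a reason not to decommission DC08 yet.
$failures = Get-ADReplicationFailure -Target $NewDC
if ($failures) {
    Write-Warning "Replication failures reported on $NewDC:"
    $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
} else {
    Write-Host "No replication failures reported on $NewDC"
}

Get-ADReplicationPartnerMetadata -Target $NewDC |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# Functional levels do not change on their own; report them so the raise to
# Windows Server 2016 is not forgotten once the old DC is gone.
Write-Host "Domain functional level: $($domain.DomainMode)"
Write-Host "Forest functional level: $($forest.ForestMode)"
```

Run it from DC22 (or any member with RSAT) as a domain administrator; a clean result is five roles on DC22, no failures, and a recent LastReplicationSuccess for every partner.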