
Migration Domain Controller to Server 2016

I have now received several emails regarding the migration of domain controllers that are still running an older operating system. Most of the emails are about retaining the IP address of the original domain controller.

The environments described in the emails were all similar, only the operating system on which the original domain controller runs varies. In most cases, there was only one domain controller running on Windows Server 2008, which is now to be replaced by Windows Server 2016. In one case, there was even a domain controller running on Server 2003.

Of course, it is not recommended to operate only one domain controller, but some small environments do not allow anything else.

This article is dedicated to the migration of an Active Directory with only one domain controller based on Server 2008 to Server 2016, including the retention of the original IP of the Server 2008 DC.

Server 2003 is excluded here, but can be migrated first to Server 2008 and then from Server 2008 to Server 2016 using the same method. A direct migration from Server 2003 to Server 2016 DCs is not possible.

The environment

For this article, I set up the following test environment:

There is a Windows Server 2008 Domain Controller with the static IP 172.16.100.10 and the name DC2008. There are other clients in the network that use the domain controller as a DNS server. The name of the Active Directory is frankysweb.local.

A new Windows Server 2016 with the name DC2016 and the IP 172.16.100.20 has been installed. The server is currently only a member server of the Active Directory and also uses DC2008 as its DNS server. Once the migration is complete, the new server is to take over the IP 172.16.100.10 of the old one.

Install new domain controller

First, the "Active Directory Domain Services" role must be installed on DC2016 before DC2016 can be promoted to a domain controller:

This means that two domain controllers will be running during the migration from DC2008 to DC2016.

Once the role has been installed, DC2016 can be promoted directly to a DC:

The default settings can be left as they are:

In the next dialog, only the password for the recovery mode needs to be set; the checkboxes for "DNS server" and "Global catalog" remain checked:

Delegation is not required in most small environments, so the warning can be ignored:

The other dialogs can all be confirmed with "Next". In the last dialog, a summary with two warnings is displayed. In this case, the two warnings are to be regarded as notes:

After DC2016 has been restarted automatically, there are now two domain controllers for the frankysweb.local domain:

The event logs should now be checked to see whether any errors have occurred during replication. A new user account can also be created as a test and then checked to see whether it is displayed on both DCs. If the replication works, you can continue.
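The replication check described above, as an added PowerShell example that is not part of the original post: it runs the standard replication diagnostics, creates a throw-away test user on DC2008, forces a sync and looks for the user on DC2016. The server names and domain are the ones from the article; the test user name is constructed here.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on DC2016
# with the ActiveDirectory module (RSAT) available.
Import-Module ActiveDirectory

$oldDc = 'DC2008'
$newDc = 'DC2016'

# 1. Replication summary: a non-zero value in the "Fails" column needs attention.
repadmin /replsummary

# 2. Inbound partners of the new DC and the result of the last replication attempt.
repadmin /showrepl $newDc

# 3. Directory diagnostics on the new DC, limited to the replication and DNS tests.
dcdiag /s:$newDc /test:Replications /test:DNS

# 4. End-to-end test: create a user on the old DC, then look for it on the new DC.
$testUser = 'repltest-' + (Get-Date -Format 'yyyyMMddHHmmss')   # constructed name
New-ADUser -Name $testUser -Server $oldDc -Enabled $false

# Force a sync of all partitions instead of waiting for the replication interval.
repadmin /syncall $newDc /AdeP | Out-Null

$found = Get-ADUser -Filter "Name -eq '$testUser'" -Server $newDc
if ($found) {
    Write-Host "Replication OK: $testUser is visible on $newDc"
    Remove-ADUser -Identity $found -Server $oldDc -Confirm:$false
} else {
    Write-Warning "$testUser was not replicated to $newDc; check the Directory Service log before continuing"
}

# 5. Recent errors in the Directory Service log of the new DC.
Get-WinEvent -ComputerName $newDc -FilterHashtable @{LogName = 'Directory Service'; Level = 2} `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```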

Move FSMO roles

The easiest way to move the FSMO roles from DC2008 to DC2016 is the command-line tool "ntdsutil". The following commands, entered one after the other in an elevated command prompt, move all five FSMO roles from DC2008 to DC2016 (note: the connection is made to DC2016, the server that is to receive the roles):

ntdsutil
roles
connection
connect to server DC2016
quit
transfer schema master
transfer naming master
transfer rid master
transfer pdc
transfer infrastructure master
quit
quit

Each transfer opens a confirmation dialog, which must be confirmed with "OK".

The command "netdom query fsmo" can be used to check whether all FSMO roles have been moved:

Once this is done, you can move on to the next step.
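The same FSMO transfer and check with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. It assumes the account used is a member of Domain Admins, Schema Admins and Enterprise Admins and that DC2008, the current role holder, is still online.

```powershell
# Added example (not from the original post): transfer all five FSMO roles to DC2016
# and verify that no role is left on the old DC.
Import-Module ActiveDirectory

$newDc = 'DC2016'

# One call transfers all roles; a graceful transfer needs the current holder online.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, RIDMaster, PDCEmulator, InfrastructureMaster -Confirm:$false

# Current holders: forest-wide roles from Get-ADForest, domain-wide roles from Get-ADDomain.
$forest = Get-ADForest
$domain = Get-ADDomain
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Holders are reported as FQDNs (e.g. DC2016.frankysweb.local); compare the host part only.
$wrong = $holders.GetEnumerator() | Where-Object { ($_.Value -split '\.')[0] -ne $newDc }
if ($wrong) {
    $wrong | ForEach-Object { Write-Warning ("{0} is still held by {1}" -f $_.Key, $_.Value) }
} else {
    Write-Host "All FSMO roles are held by $newDc"
}

# The same check with the tool the article uses:
netdom query fsmo
```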

Remove old domain controller

From now on, some downtime is necessary. The old domain controller will be removed and with it the old DNS server. All clients/servers that only have the IP 172.16.100.10 (from DC2008) configured as DNS server will not be able to find the new domain controller via DNS. This step should therefore be carried out in a maintenance window.

To avoid downtime, the new server can simply be set as the primary DNS server on all clients; if this is done, the IP address of the new domain controller does not need to be changed at all. This article, however, covers exactly the case where the new server is to take over the IP of the old server, so the procedure continues as follows.

DC2008 is now demoted; this is done with the command "dcpromo":

The dialog for removing the domain controller opens. The "Delete domain, as this is the last domain controller in the domain" checkbox must NOT be ticked:

A new local administrator password must be entered in the following dialog:

The summary can be confirmed:

The domain controller role is now removed from DC2008 and the server can be restarted.

After DC2008 has been restarted, there is only the DC2016 computer account in the "Domain Controllers" OU:

DC2008 can be shut down after the restart, so the IP address is free and can be assigned to the new domain controller straight away. However, some tidying up work is necessary beforehand.

Cleanup work

The old DC2008 computer account can now be found in the "Computers" OU and can be deleted here:

The DNS setting of the network card on DC2016 can now be corrected; the IP of DC2008 is still entered there:

The DNS server 127.0.0.1 is now used here. Incidentally, it makes little sense to enter a router or public DNS server as the secondary DNS server here, as these cannot usually resolve the zones for the local Active Directory. In environments with only one DC, only 127.0.0.1 is used here:

In the DNS Manager, all zones and subzones must now be checked once, as stale entries of the old domain controller often remain here. They can be recognized by the old IP / host name and deleted:

The delegated zone "_msdcs" also still has an old nameserver entry, which must also be corrected:

Here is an example of a stale entry that was not removed:

As I said, go through all zones and subzones once and check for old entries; there is always something left behind somewhere. Don't forget the reverse zone either.
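The zone-by-zone search for leftovers described above, as an added PowerShell example that is not part of the original post. It walks every zone on DC2016 (forward, reverse and the delegated _msdcs zone) and lists A, NS, PTR, SRV and CNAME records that still name DC2008 or carry 172.16.100.10; it must be run before the IP is moved, because afterwards that address legitimately belongs to DC2016. The function name is an assumption; it only deletes when called with -Delete.

```powershell
# Added example (not from the original post). Requires the DnsServer module that comes
# with the DNS Server role. Function name Find-StaleDnsRecord is an assumption.
Import-Module DnsServer

$oldName = 'DC2008'
$oldIp   = '172.16.100.10'

function Find-StaleDnsRecord {
    param([string]$DnsServer = 'DC2016', [switch]$Delete)

    foreach ($zone in Get-DnsServerZone -ComputerName $DnsServer) {
        # The built-in TrustAnchors zone never holds host records.
        if ($zone.ZoneName -eq 'TrustAnchors') { continue }
        $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName
        foreach ($rr in $records) {
            # Extract the data part of the record independent of the record type.
            $data = switch ($rr.RecordType) {
                'A'     { $rr.RecordData.IPv4Address.ToString() }
                'NS'    { $rr.RecordData.NameServer }
                'PTR'   { $rr.RecordData.PtrDomainName }
                'SRV'   { $rr.RecordData.DomainName }
                'CNAME' { $rr.RecordData.HostNameAlias }
                default { $null }
            }
            # Stale if the record is named after the old DC, or its data is the old IP,
            # or its data is an FQDN starting with the old host name (e.g. dc2008.frankysweb.local.).
            $stale = ($rr.HostName -ieq $oldName) -or
                     ($data -and ($data -ieq $oldIp -or $data -imatch "^$oldName\."))
            if (-not $stale) { continue }

            [pscustomobject]@{ Zone = $zone.ZoneName; Type = $rr.RecordType; Host = $rr.HostName; Data = $data }
            if ($Delete) {
                Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName `
                    -InputObject $rr -Force
            }
        }
    }
}

Find-StaleDnsRecord            # review the list first
# Find-StaleDnsRecord -Delete  # then remove exactly the records listed above
```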

Change the IP address of the DC

Changing the IP address is no longer rocket science. First, the former IP of DC2008 is configured on DC2016:

This is followed by "ipconfig /registerdns":

The Netlogon service is then restarted:

Now clean up the DNS and delete the following three old entries:

Done. To be on the safe side, Exchange and SQL Server should be restarted once if they are present.
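The IP change, DNS re-registration and Netlogon restart from this section as an added PowerShell example that is not part of the original post. Interface alias, gateway and prefix length are assumptions to be adapted to the NIC on DC2016; run it at the server console, since an RDP session to 172.16.100.20 drops when the address is replaced.

```powershell
# Added example (not from the original post): move DC2016 to the old DC's address,
# point it at itself for DNS, re-register its records and check the result.
$nic     = 'Ethernet'        # assumed interface alias, check with Get-NetAdapter
$newIp   = '172.16.100.10'   # the former DC2008 address
$interim = '172.16.100.20'   # the address DC2016 used during the migration
$gw      = '172.16.100.1'    # assumed default gateway
$prefix  = 24                # assumed subnet mask 255.255.255.0

# Replace the interim address; the default route must go first or New-NetIPAddress
# refuses the -DefaultGateway parameter because the gateway already exists.
Get-NetIPAddress -InterfaceAlias $nic -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $nic -IPAddress $newIp -PrefixLength $prefix -DefaultGateway $gw | Out-Null

# A single DC uses only itself as DNS server (see the note on router/public DNS above).
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses '127.0.0.1'

# Re-register the host record, then restart Netlogon so the DC's SRV records are rewritten.
ipconfig /registerdns | Out-Null
Restart-Service Netlogon

# Check: the DC name must resolve to the new address and no longer to the interim one.
Start-Sleep -Seconds 10
$a = Resolve-DnsName -Name 'DC2016.frankysweb.local' -Type A -Server 127.0.0.1
if ($a.IPAddress -contains $newIp -and $a.IPAddress -notcontains $interim) {
    Write-Host "DC2016 is now registered as $newIp"
} else {
    Write-Warning "DC2016 still resolves to $interim; clean up the old records by hand"
}

# List any A record in any zone that still carries the interim address (the leftovers
# the article deletes manually); the reverse zone is checked via the old PTR record name.
Get-DnsServerZone | ForEach-Object {
    Get-DnsServerResourceRecord -ZoneName $_.ZoneName -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.IPv4Address.ToString() -eq $interim } |
        Select-Object @{n = 'Zone'; e = { $_.DistinguishedName }}, HostName, RecordType
}
```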
