For the purposes of this article, my environment consists of a single
Windows Server 2003 domain (ad.contoso.com), with one DC (dc1) running Active Directory
integrated DNS. This is a typical scenario for small businesses that can’t
afford the luxury of two physical servers or virtualization.
I’m going to add a Windows Server 2012 R2 DC (newDC) to the existing
domain, decommission the Windows Server 2003 DC, and then raise the domain and
forest functional levels to Windows Server 2012 R2. If your domain has more
than one DC, or your server is running roles other than DNS, I’ve made notes
along the way where you may need to consider taking extra steps for a
successful transition.
Preparing the Domain
Before Windows Server 2012 R2 DCs can be added to the existing Windows
Server 2003 domain, you will need to meet some prerequisites and perform a few
recommended health checks.
Update Windows Server 2003
First let’s check that Windows Server 2003 is running Service Pack 2. Log
in to the Windows Server 2003 DC with a domain administrator account, and
follow the instructions below:
Click Start, and select Run… from the Start menu. In the Run box, type winver
and press ENTER. The About Windows dialog will be displayed, showing the
installed build and service pack. If Service Pack 2 isn’t installed, you will
need to install it before continuing.
Check the Service Pack level of Windows Server 2003
Now check to make sure any additional updates have been installed:
Click Start, and select Command Prompt from the Start menu. In the command
prompt window, type wuauclt /detectnow and press ENTER. If there are any
available updates, a yellow shield will appear in the system tray. Double click
it and follow the instructions for installing the available updates. You may
need to wait a few minutes for the icon in the system tray to be updated.
Domain and Forest Functional Levels
Windows Server 2012 R2 DCs can only be added to a domain when the forest and
domain functional levels are set to Windows Server 2003 or higher. So let’s
check the forest and domain functional levels on the Windows Server 2003 DC:
Check the domain and forest functional levels in Active Directory Domains and Trusts
Go to Administrative Tools on the Start menu, and click Active Directory
Domains and Trusts. Right click your domain in the left pane, and select
Properties from the menu. In the Properties dialog, check the Domain functional
level and Forest functional level. If they are set to anything other than
Windows Server 2003, continue with the instructions below. Remember that
raising the domain and forest functional levels is an irreversible operation.
Raise the domain functional level using Active Directory Domains and Trusts
To raise the domain functional level, right click your domain in the left pane
of Active Directory Domains and Trusts, and select Raise Domain Functional
Level from the menu. In the Raise Domain Functional Level dialog, select
Windows Server 2003 from the drop-down menu, and then click Raise. Click OK to
start the operation. Click OK again to confirm the operation has completed.
If you have more than one domain in your forest, they will all need to be
at the Windows Server 2003 domain functional level before the forest
functional level can be raised.
Right click Active Directory Domains and Trusts in the left pane of the
Active Directory Domains and Trusts console, and select Raise Forest
Functional Level from the menu. In the Raise Forest Functional Level dialog,
select Windows Server 2003 from the drop-down menu and click Raise. Click OK to
start the operation. Click OK again to confirm the operation has completed.
Active Directory Health
DCdiag is part
of the Windows Server 2003 support tools, which can be downloaded here and allows you to check the health
of Active Directory. Before adding Windows Server 2012 R2 DCs to your domain, I
recommend that you run this tool to make sure that the domain passes all the
basic tests. Any significant problems, including those connected to
replication, will show up in the results.
Use DCdiag in the Windows Server 2003 Support Tools to check Active Directory health
To run dcdiag, open a command prompt, type dcdiag and press ENTER. Check that the
DC passed each test.
In the next part of this series, we’ll install Active Directory on Windows
Server 2012 R2, add it to the domain, transfer the five Flexible Single Master
Operation (FSMO) roles to the new DC, remove the Windows Server 2003 DC as a
Global Catalog (GC) in the domain, and configure the new DC to use its own DNS
server for name resolution.
Installing Active Directory in Windows Server 2012 R2
Now that the
Windows Server 2003 domain is prepared to accept a Windows Server 2012 R2 DC,
we can install Active Directory (AD) on a new server. If you’re wondering
whether you need to run adprep.exe in the existing domain, starting in Windows
Server 2012, adprep /forestprep and adprep /domainprep are run automatically as part of the AD
Domain Services (AD DS) installation process.
For more information on installing Windows Server 2012 R2, see How to Install
Windows Server 2012 R2. Don’t forget that you should assign the server a static
IP address, and make sure that DNS resolution is working. Stated differently,
you should be able to ping the fully-qualified domain name (FQDN) of your AD
domain, which in my environment means setting the preferred DNS server on the
new DC’s network interface card (NIC) to point to my Windows Server 2003 DC
(192.168.0.5).
Configuring a Static IP Address and DNS Server
To set a static
IP address and configure DNS in Windows Server 2012 R2, log in as a local
administrator and follow the instructions below:
Right click on the network icon in the system tray, and select Open Network
and Sharing Center. In the left pane of the Network and Sharing Center, click
Change adapter settings. In the Network Connections dialog, right click the
Ethernet adapter, and select Properties from the menu. In the list of items,
select Internet Protocol Version 4 (TCP/IPv4), and click Properties. In the
Properties dialog, add an IP address, subnet mask, and default gateway. Set the
Preferred DNS server address to the IP address of an existing DNS server, and
click OK. Close any remaining windows.
Installing Active Directory Domain Services
Once Windows
Server 2012 R2 has a static IP address, and I can ping my domain’s FQDN and get
a response from the Windows Server 2003 DC, then it’s time to start configuring
Active Directory. Log in to Windows Server 2012 R2 as a local administrator:
Install the Active Directory Domain Services server role
Open Server
Manager using the icon on the desktop taskbar. In Server Manager, click Manage in
the top right corner, and select Add Roles and Features from the
drop-down menu. In the Add Roles and Features Wizard, click Server Selection
on the Before You Begin screen. The local
server should already be selected in the Server Pool box. Click Next
to continue. On the Server Roles screen, click Active
Directory Domain Services, and click Next. In the pop-up
dialog, click Add Features to confirm you want to
install the additional required components. Click Next
again to continue. On the Features screen, click Next. On the AD DS screen, click Next. On the Confirmation screen, click Install. Click Close
when the installation has completed.
Promoting to a Domain Controller
Now that the AD
DS bits are installed on the new server, we can add it as a DC in the Windows
Server 2003 domain.
Promote the server to a domain controller in Server Manager
Back in Server Manager, notice the yellow exclamation mark that indicates a
notification. Click the notification icon in the top right corner. In the
notifications, click Promote this server to a domain controller. In the Active
Directory Domain Services Configuration Wizard, select Add a new domain
controller to an existing domain, and type the FQDN of the Windows Server 2003
domain in the box to the right of Domain:. Below Supply the credentials to
perform this operation, click Change. In the Windows Security dialog, type the
username and password for a domain administrator account in the Windows Server
2003 domain, using the format username@ad.contoso.com for the username, and
click OK.
Add the new domain controller to an existing domain
Click Next
on the Deployment Configuration screen. On the Domain Controller Options screen, check Domain
Name System (DNS) server, and Global Catalog (GC). If you have
more than one site in your current domain, select the site in which you’d like
to place the DC from the drop-down menu to the right of Site name: Type and
confirm a password for Directory Services Restore
Mode, and then
click Next. As we are not installing a read-only domain
controller, the warning at the top of the dialog can be safely ignored.
Configure the domain options
On the DNS Options screen, click Next. On the Additional Options screen, click Next
unless you want to replicate AD from a specific DC, in which case select it
from the Replicate from drop-down menu.
Choose the domain controller from which to replicate
Click Next
on the Paths screen, unless you want to modify any of
the default settings. It’s best practice to place the database and logs on
different physical disks. The Preparation Options screen confirms that forest and domain
schema preparation will be carried out by the wizard. Click Next. Check the
selected options on the Review Options screen, and click Next. Now we need to
wait as the wizard checks the prerequisites. Once it’s done, make a note of any
warnings, and click Install to begin the promote
operation.
Prerequisite check
The promotion
operation will take some time, especially as the forest and domain schemas also
need to be upgraded before Windows Server 2012 R2 can join the Windows Server
2003 domain as a DC.
The server will
automatically reboot, and you should then be able to log in using a domain
administrator username and password.
Change the Preferred DNS Server
At this point, configure the new DC to use its own DNS server for name
resolution. You can follow the instructions given earlier in this article for
setting the preferred DNS server address, which should now be set to the
server’s loopback address, 127.0.0.1. You can specify an alternate DNS server
address if required, but make sure it’s not one of the Windows Server 2003 DCs
that you’re about to decommission.
DCdiag and Best Practices Analyzer
Check the new DC’s health by running dcdiag in a command prompt window, just
as we did for Windows Server 2003 in the first article in this series. You
don’t need to install the support tools in Windows Server 2012 R2, as dcdiag
is a built-in command. There might be some initial replication or
name-resolution errors, as name resolution might fail before the DNS zones
have had a chance to replicate.
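The dcdiag check described above, scripted as an added example (not part of the original article): it runs dcdiag on the new DC, parses the passed/failed summary lines into a table, and flags failures so that transient DNS or replication problems after promotion stand out. It assumes an elevated PowerShell prompt on the new DC.

```powershell
# Added example: run dcdiag on this DC and summarise which tests passed/failed.
# Assumption: run in an elevated PowerShell prompt on the new 2012 R2 DC.
$dcName = $env:COMPUTERNAME

# dcdiag writes plain text; capture stdout and stderr line by line.
$lines = & dcdiag.exe /s:$dcName 2>&1 | ForEach-Object { $_.ToString() }

# Summary lines look like:
#   "......................... NEWDC passed test Connectivity"
#   "......................... ad.contoso.com failed test LocatorCheck"
$results = foreach ($line in $lines) {
    if ($line -match '\.{3,}\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)') {
        [pscustomobject]@{
            Target = $Matches.target
            Test   = $Matches.test
            Result = $Matches.result
        }
    }
}
$results | Sort-Object Target, Test | Format-Table -AutoSize

$failed = @($results | Where-Object Result -eq 'failed')
if ($failed.Count -gt 0) {
    Write-Warning ("{0} dcdiag test(s) failed: {1}" -f $failed.Count, (($failed | ForEach-Object Test) -join ', '))
    # DNS and Replications failures shortly after promotion are often transient
    # (zones still replicating); re-run after a few minutes before investigating.
    # repadmin shows per-partner replication status and last error codes.
    & repadmin.exe /replsummary
} else {
    Write-Host "All dcdiag tests passed on $dcName"
}
```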
I also
recommend that you run the Best Practices Analyzer for Active Directory, which can be found
in Server Manager.
Run the Best Practices Analyzer in Server Manager
Go back to Server Manager, and click AD DS in the
left pane. In the right
pane of Server Manager, scroll down to the Best Practices Analyzer section, click the TASKS
drop-down menu on the far right, and select Start BPA Scan. In the Select Servers dialog, make sure your new DC is selected
and click Start Scan.
When the scan
has completed, check for any recommendations given in Server Manager.
Transferring FSMO Roles to the New DC
Prior to decommissioning the Windows Server 2003 DC, you’ll need to transfer
the five Flexible Single Master Operation (FSMO) roles to Windows Server 2012
R2, and decommission Windows Server 2003 as a Global Catalog server.
Transfer the FSMO roles
Open a PowerShell prompt using the blue icon on the desktop taskbar, and run
the Move-ADDirectoryServerOperationMasterRole cmdlet as shown below, replacing
newDC with the name of your new Windows Server 2012 R2 DC. You’ll be asked to
confirm the operation before it’s executed.
Check the location of the FSMO roles
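The transfer and the follow-up check described above, written out as an added example (not the article’s own screenshot): it records the current role holders, transfers all five roles to the new DC, and then verifies that every role now reports the new DC. It assumes the new DC is named newDC, as in the article, and an elevated PowerShell prompt on that DC as a domain administrator.

```powershell
# Added example: transfer all five FSMO roles to the new DC and verify the result.
# Assumption: the new DC is 'newDC' (as in the article); change to match yours.
Import-Module ActiveDirectory
$newDc = 'newDC'

function Get-FsmoHolders {
    # Schema and Domain Naming masters are forest-wide; the other three are per domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host "FSMO role holders before transfer:"
Get-FsmoHolders | Format-Table -AutoSize

# Transfer (not seize) the roles. The cmdlet prompts for confirmation unless
# -Confirm:$false is given; -Force would seize roles from an unreachable DC,
# which is not what we want while the old DC is still online.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Verify: every role should now report the new DC's FQDN.
$expected = (Get-ADDomainController -Identity $newDc).HostName
$after = Get-FsmoHolders
$stillElsewhere = $after.GetEnumerator() | Where-Object { $_.Value -ne $expected }
if ($stillElsewhere) {
    $stillElsewhere | ForEach-Object { Write-Warning "$($_.Key) is still held by $($_.Value)" }
} else {
    Write-Host "All five FSMO roles are now held by $expected"
}
```

netdom query fsmo gives the same role-holder list from a plain command prompt if you want a second, independent check.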
Remove the Global Catalog Server
To remove
Windows Server 2003 as a Global Catalog (GC) server from the domain, follow the
instructions below in Windows Server 2012 R2:
Open Server Manager using the icon on the desktop taskbar. In Server Manager, click Tools in the
top right corner, and select Active Directory Sites and Services
from the drop-down menu. In the left
pane of Active Directory Sites and
Services, expand the Sites
folder, and then your AD site. Mine is called Default-First-Site-Name. You should see your domain controllers
listed. Expand the
Windows Server 2003 DC, right click NTDS Settings, and select Properties
from the menu. In the NTDS Settings Properties dialog, uncheck the Global
Catalog check box, and click OK. Close Active Directory Sites and Services.
Remove Windows Server 2003 as a Global Catalog (GC) server in the domain
You will need to repeat this action for any additional Windows Server 2003 DCs
you’re planning to retire in your domain that are also Global Catalog servers.