Step-by-Step Guide Active Directory Migration From Windows Server 2008 R2 To Windows Server 2022
By dishanfrancis
Windows Server 2008 and Windows Server 2008 R2 reached the end of their support cycle on the 14th of January 2020. Because of this, many organizations wanted to migrate away from these legacy operating systems. End-of-life operating systems have a direct impact on various industry compliance requirements, IT audits, penetration tests, and so on. Even if a business has no business requirement to upgrade, an end-of-life operating system leaves no choice but to do so.
In the past, I did a similar blog post covering AD migration from Windows Server 2008 to Windows Server 2016. Microsoft released Windows Server 2022 recently (Aug 2021), and I thought it would be good to demonstrate how we can migrate AD from 2008 R2 to the newest release. AD migrations from other operating systems (newer than Windows Server 2008 R2) also follow a similar process.
AD DS improvements are bound to its forest and domain functional levels. Upgrading the operating system or adding domain controllers that run Windows Server 2022 to an existing AD infrastructure isn’t going to upgrade the forest and domain functional levels automatically. We need to upgrade them manually once the older domain controllers are decommissioned. There was a big difference with Windows Server 2019 when it comes to forest and domain functional levels. Each and every Windows Server release up to Windows Server 2016 had a new forest and domain functional level. But with Windows Server 2019 there were NO new forest or domain functional levels. It is the same with Windows Server 2022. The maximum forest and domain functional level we can choose is still Windows Server 2016.
Active Directory Domain Services was first introduced to the world with Windows Server 2000. For more than 21 years, AD DS has helped organizations manage digital identities. However, modern access management requirements are complicated. Businesses are using more and more cloud services now. The majority of the workforce is still working from home and accessing sensitive corporate data via unsecured networks. Most software vendors are moving to a SaaS model. Cybercrime is skyrocketing and identity protection is at stake. To address these requirements, we need to go beyond legacy access management. Azure Active Directory is a cloud-based, managed Identity as a Service (IDaaS) provider, which can provide world-class security, strong authentication, and seamless collaboration. So, it does make sense why there are no significant changes to on-premises AD anymore.
One of the key themes of Windows Server 2022 is “security”. Advanced multi-layer security in Windows Server 2022 provides comprehensive protection against modern threats. This also adds an additional layer of security to roles run on Windows Server 2022, including Active Directory. For more details about these security features, please refer to https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022
Migrating FSMO roles to a new server and upgrading forest and domain functional levels doesn’t take more than a few minutes, but when it comes to migration there are a few other things we need to consider. Therefore, I have summarized the AD DS migration process with the following checklist.
Below I have listed some of the most common questions I get about AD migration:
Can I keep the same IP address for the PDC? Yes, you can. Active Directory fully supports IP address changes. Once FSMO role migration is completed, you can swap the IP addresses of the Domain Controllers.
Can I downgrade forest/domain functional levels? If required, you can do so, but this is not a recommended approach. From Windows Server 2008 R2 onwards, we can downgrade forest/domain functional levels.
Do I need to migrate the DNS role? No, it is part of AD. When you add a new domain controller, you can make it a DNS server too.
Do I need to change SYSVOL replication from FRS to DFS? If your domain was built on Windows Server 2008 or Windows Server 2008 R2, you are already using DFS for SYSVOL replication. If you originally migrated from Windows Server 2003, it’s more likely you are still using FRS. In that case, before migration, you need to change the SYSVOL replication method from FRS to DFS. I already have a blog post covering this topic: https://www.rebeladmin.com/2015/04/step-by-step-guide-for-upgrading-sysvol-replication-to-dfsr-distr…
Can I keep Windows 2008 R2 Domain Controllers and upgrade the forest and domain functional level to Windows Server 2016? No, you can’t. Before the forest and domain functional level upgrade, you need to decommission the Windows Server 2008 R2 domain controllers.
Design topology
As per the following diagram, the rebeladmin.net domain has two domain controllers:
As explained in the above illustration, the FSMO role holder DC08 is a Windows Server 2008 R2 Domain Controller. The domain and forest functional levels currently operate at Windows Server 2008 R2. A new domain controller running Windows Server 2022 (DC22) will be introduced and will become the new FSMO role holder for the domain. Once the FSMO role migration is complete, the domain controller running Windows Server 2008 R2 will be decommissioned. After that, the forest and domain functional levels will be raised to Windows Server 2016.
We need to do a few things to prepare the new Windows Server 2022 server before we migrate the FSMO roles.
1. After the OS installation and patching process is completed, go ahead and join the new Windows Server 2022 server to the existing domain.
2. In Windows Server 2022, it is recommended to use PowerShell 7 instead of native Windows PowerShell. Please go to https://aka.ms/PSWindows for more information. At the time this article was written, the latest version was 7.1.4.
3. In the previous section, I mentioned that before migration we need to make sure SYSVOL is using DFSR instead of FRS. To verify that, log in to the DC08 domain controller (Windows Server 2008 R2) as a Domain Admin. Then run the dfsrmig /getmigrationstate command in PowerShell. If the command returns the state as “Eliminated”, it means DFSR is already in use for SYSVOL replication. If it is not, we must migrate SYSVOL replication to DFSR, as Windows Server 2022 does not support FRS replication. The FRS to DFSR migration steps are covered in a blog post I have written, which can be accessed via https://www.rebeladmin.com/2015/04/step-by-step-guide-for-upgrading-sysvol-replication-to-dfsr-distr…
As the next part of the configuration, we need to make DC22 an Additional Domain Controller. To do that, run:
Install-ADDSDomainController
-CreateDnsDelegation:$false
-InstallDns:$true
-DomainName "rebeladmin.net"
-SiteName "Default-First-Site-Name"
-ReplicationSourceDC "DC08.rebeladmin.net"
-DatabasePath "C:\Windows\NTDS"
-LogPath "C:\Windows\NTDS"
-SysvolPath "C:\Windows\SYSVOL"
-Force:$true
Note – There are no line breaks in the actual command; I have listed it as above to allow readers to focus on the parameters.
The following table explains the PowerShell arguments and what they do.
Argument: -DatabasePath
Description: This parameter is used to define the folder path where the Active Directory database file (Ntds.dit) is stored.
Once you execute the command, it will ask for the SafeModeAdministratorPassword. Please use a complex password to proceed. This will be used for DSRM (Directory Services Restore Mode).
Now we have the new domain controller. The next step is to migrate the FSMO roles from DC08 to the new domain controller.
1. After the server is rebooted, log back in as an administrator and run the following commands to verify the current FSMO role holder.
As we can see, all five FSMO roles currently belong to the DC08 (Windows Server 2008 R2) Domain Controller.
2. Migrate all five FSMO roles to the new domain controller by running the following command on the DC22 server:
In the preceding command, DC22 is the domain controller running Windows Server 2022.
3. Once we’re done, we can verify the new FSMO role holder using the following command:
As expected, the FSMO roles are now successfully moved to the DC22 Domain Controller (Windows Server 2022).
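As an added example (not code from the original post), the following PowerShell script performs steps 1 to 3 above in one run: it inventories the existing DCs and FSMO holders, refuses to continue unless SYSVOL is already in the DFSR “Eliminated” state, transfers all five roles to DC22 and re-checks the holders. It assumes the ActiveDirectory module is present (it is installed with AD DS) and uses the names rebeladmin.net and DC22 from the post.

```powershell
# Added example, not from the original post. Run on DC22 as a Domain Admin
# (schema/domain naming master transfers need Schema/Enterprise Admin rights).
Import-Module ActiveDirectory

$Domain = 'rebeladmin.net'   # domain name from the post
$NewDC  = 'DC22'             # new Windows Server 2022 DC from the post
$Roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    # Returns role name -> holder FQDN; forest roles come from Get-ADForest, domain roles from Get-ADDomain
    $f = Get-ADForest -Identity $Domain
    $d = Get-ADDomain -Identity $Domain
    @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# 1. Inventory: every DC, its OS, site, and the roles it currently holds
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# 2. Gate: Windows Server 2022 cannot replicate SYSVOL with FRS, so stop unless DFSR is in use
$state = (dfsrmig /getmigrationstate) -join "`n"
if ($state -notmatch 'Eliminated') {
    throw "SYSVOL is not in the DFSR 'Eliminated' state; migrate FRS -> DFSR first.`n$state"
}

# 3. Transfer (not seize) all five roles to the new DC in one call
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole $Roles -Confirm:$false

# 4. Re-read the holders and fail loudly if any role did not land on DC22
$after = Get-FsmoHolders
$after.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
$wrong = $after.GetEnumerator() | Where-Object { $_.Value -notlike "$NewDC.*" }
if ($wrong) { throw "Roles still held elsewhere: $($wrong.Name -join ', ')" }
```

The transfer is graceful (the old DC agrees to give up each role); seizing roles is only for a DC that is permanently offline, which is not the case in this procedure.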
Before we upgrade the forest and domain functional levels, we first need to decommission the old DC, which is running Windows Server 2008 R2.
To do that,
4. On the next page also click on Next, as it is not the last domain controller.
5. On the Remove DNS Delegation page, keep the default selection and click on Next.
6. Then the system will prompt for credentials. Provide Domain Admin credentials here.
On the next page, type a new password for the local administrator account.
8. Once the process is completed, reboot the server.
After you demote your last domain controller running Windows Server 2008 R2, we can raise the Domain and Forest Functional level to Windows Server 2016 (Windows Server 2022 is the same).
To upgrade the domain functional level, we can use the following PowerShell command on the Windows Server 2022 domain controller.
Now, we have completed the migration from AD DS 2008 R2 to AD DS 2022. The same
steps apply when you’re migrating from Windows Server 2012, Windows Server 2012 R2,
Windows Server 2016, and Windows Server 2019.
Verification
Although the migration is complete, we still need to verify that it completed successfully. The following command will show the current domain functional level of the domain after the migration:
Get-ADDomain | fl Name,DomainMode
The following command will show the current forest functional level of the forest after the migration:
Get-ADForest | fl Name,ForestMode
You can also use the following command to verify the forest & domain functional level
updates:
The following screenshot shows events 2039 and 2040 in the Directory Service log,
which verify the forest and domain functional level updates:
Event ID 1458 verifies the transfer of the FSMO roles:
We can use the following command to verify the list of domain controllers and make sure
that the old domain controller is gone:
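As an added example (not code from the original post), this PowerShell script covers the end of the procedure: it refuses to raise the levels while a Windows Server 2008 R2 DC is still registered, raises the domain and forest functional levels to Windows Server 2016, and then verifies the result via Get-ADDomain/Get-ADForest and the Directory Service events 2039, 2040 and 1458 mentioned above, read with Get-WinEvent. The names rebeladmin.net and DC08 come from the post; Enterprise Admin rights on DC22 are assumed.

```powershell
# Added example, not from the original post. Run on DC22 as an Enterprise Admin.
Import-Module ActiveDirectory

$Domain = 'rebeladmin.net'   # domain name from the post
$OldDC  = 'DC08'             # decommissioned Windows Server 2008 R2 DC from the post

# 1. The raise is refused while a 2008 R2 DC exists, so check the registered DC list first
$dcs    = Get-ADDomainController -Filter *
$legacy = $dcs | Where-Object { $_.OperatingSystem -like '*2008*' -or $_.Name -eq $OldDC }
if ($legacy) {
    throw "Decommission these DCs before raising levels: $($legacy.HostName -join ', ')"
}

# 2. Raise the domain level first, then the forest level (the forest raise requires
#    every domain in the forest to already be at the target level)
Set-ADDomainMode -Identity $Domain -DomainMode Windows2016Domain -Confirm:$false
Set-ADForestMode -Identity $Domain -ForestMode Windows2016Forest -Confirm:$false

# 3. Read the levels back; both must now report Windows 2016
$d = Get-ADDomain -Identity $Domain
$f = Get-ADForest -Identity $Domain
"DomainMode: $($d.DomainMode)   ForestMode: $($f.ForestMode)"
if ($d.DomainMode -ne 'Windows2016Domain' -or $f.ForestMode -ne 'Windows2016Forest') {
    throw 'Functional level raise did not apply'
}

# 4. Corroborate with the Directory Service log: 2039/2040 record the level raise,
#    1458 records the FSMO transfer. Get-WinEvent is used, not the deprecated Get-EventLog.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2039, 2040, 1458 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. Final DC list: the old DC must be absent and DC22 must hold all five roles
$dcs | Select-Object HostName, OperatingSystem, OperationMasterRoles | Format-Table -AutoSize
```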
This marks the end of this blog post. I hope you now know how to migrate Active Directory from Windows Server 2008 R2 to Windows Server 2022.
Quick note for those reading this post. Use the Get-WinEvent cmdlet instead of Get-EventLog. Get-EventLog uses a Win32 API that is deprecated and the results may not be accurate.
– use the Server Core installation option for your new server. You don’t need a GUI. Thank me later.
– don’t run other roles but ADDS and DNS on this VM.
– you no longer need hardware ADDS. Not even for modern Cluster Services.
– consider avoiding SMB1 use (basically only needed if you have pre-2008 / Vista connections to SYSVOL).
– don’t forget to upgrade your DNS forward and reverse zones to support the latest version. Many will still be in 2000 mode.
– check your Sites and Services and mirror all networks in DNS reverse lookup zones.
– consider DHCP proxy updates for Linux, MFPs and other OSes.
– make yourself familiar with the Active Directory Administrative Center (DSAC), Server Manager and Windows Admin Center.
– consider using the latest AD functional level and forest level if possible.
– change the passwords of all critical accounts (it could be the same password) after upgrading the AD level to 2008 R2 or later, to use a more secure hash for the password.
© Microsoft. This article was originally published by Microsoft's ITOps Talk Blog. You
can find the original article here.