Upgrading Domain Controllers to Windows Server 2012 R2


Ok, not really an upgrade, but more of a “replacement”.

With the release of Windows Server 2012 R2 to MSDN which was recently announced HERE, it is time for me to upgrade my lab domain controllers to Windows Server 2012 R2.

I started by first “upgrading” my Hyper-V hosts to Windows Server 2012 R2.  This would allow me to take full advantage of all the new benefits of 2012 R2 for Hyper-V.  That was pretty simple: shut down the OS, unplug all the additional storage in the machine (which contains all my VM’s), and boot from my USB key that contained WS2012R2.  Then, once I added the Hyper-V role back, I simply connected my storage back to the system and imported the VM’s I was running previously.

My next step in upgrading my VM’s is targeting the domain controllers.  I have two DC’s, each running AD services, certificate services, DHCP, DNS, etc.  Since I don’t want to risk messing up the complex configuration of each service, I chose to deploy two NEW VM’s as additional DC’s, and I will migrate the other roles to the new DC’s later.

My first step is to deploy the two new VM’s.  The first decision I need to make is whether to use Gen1 or Gen2 VM’s.


Gen2 VM’s are a new feature of Hyper-V in Windows Server 2012 R2, and offer significant advantages over Gen1 VM’s, such as secure boot, discarding emulated devices like IDE and using SCSI disks even for the boot volume, PXE capability on a standard NIC, etc.  Read more about Gen2 VM’s here: http://technet.microsoft.com/en-us/library/dn282285.aspx

Installing Windows Server 2012 R2 is just like any other OS install.  When it stops on the Activation Key screen, I decided to leverage another new feature for Windows Server 2012 R2 – Automatic VM Activation.  You can use these new keys to activate servers when they are running on Windows Server 2012 R2 Hyper-V.  Read more about Automatic VM Activation here:  http://technet.microsoft.com/en-us/library/dn303421.aspx

I rename the VM’s with the correct server names, and join them to my domain.

The first step in promoting these new VM’s to Domain Controllers is to add that role, which you can perform from Server Manager. A walkthrough of the process is described here:  http://technet.microsoft.com/en-us/library/jj574134.aspx


When the role is added, you will see a post-deployment task warning prompting you to run the promotion.


The wizard will run AD forest prep, schema update, and domain prep for 2012 R2 when you promote the first DC on Windows Server 2012 R2. 

When it is complete, you will see your new DC’s added to the domain controllers OU in Active Directory.

The next step in the process is to migrate the AD Operations Master (FSMO) roles.  The simplest way to move these roles is via PowerShell.  With the Server 2012 AD PowerShell module, this can be done from any machine that has the module installed.  Simply run the following command to view your current configuration, then change it:

PS C:\> netdom query FSMO
Schema master               DC1.opsmgr.net
Domain naming master        DC1.opsmgr.net
PDC                         DC1.opsmgr.net
RID pool manager            DC1.opsmgr.net
Infrastructure master       DC1.opsmgr.net

Then use the Move-ADDirectoryServerOperationMasterRole cmdlet to move them.  You can do this with a simple one-liner!

Move-ADDirectoryServerOperationMasterRole -identity "DC01" -OperationMasterRole 0,1,2,3,4

The identity is the server you want to transfer the roles to, and the numerals 0-4 each represent one role to move.  Read more about this cmdlet here:  http://technet.microsoft.com/en-us/library/ee617229.aspx


When complete, you can run a “netdom query FSMO” again and ensure that your master roles have been moved successfully.
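Here is an added example (not from the original post) that does the same transfer with the ActiveDirectory module and then verifies that every role actually landed on the new DC. The target name "DC01" is taken from the command above; the function names are my own.

```powershell
# Added example: transfer all five FSMO roles to a new DC and verify the result.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller holds
# Schema Admin / Domain Admin / Enterprise Admin rights as appropriate.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Same information "netdom query fsmo" prints, as a role -> holder hashtable.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$TargetDC)

    # Refuse to proceed unless the target is a writable DC that AD knows about.
    $target = Get-ADDomainController -Identity $TargetDC
    if ($target.IsReadOnly) { throw "$TargetDC is an RODC and cannot hold operations master roles" }

    "Before:"
    Get-FsmoHolders.GetEnumerator() | Sort-Object Name |
        ForEach-Object { "  {0,-22} {1}" -f $_.Name, $_.Value }

    # Equivalent to "-OperationMasterRole 0,1,2,3,4" in the post, using role names instead.
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false

    # Verify: every role must now report the target's FQDN. Fail loudly otherwise.
    $notMoved = (Get-FsmoHolders).GetEnumerator() | Where-Object { $_.Value -ne $target.HostName }
    if ($notMoved) {
        $list = ($notMoved | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ', '
        throw "Roles still held elsewhere: $list"
    }
    "All five operations master roles are now held by $($target.HostName)"
}

Move-AllFsmoRoles -TargetDC 'DC01'
```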

Then, you simply need to migrate any other roles or services running on the DC’s, then demote them when complete.  To demote the domain controller on Server 2012, simply begin by removing the Active Directory Services role, which will prompt you to demote first with a task link.  Once demoted, you can remove the server from the domain.
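Before demoting an old DC, it is worth confirming that nothing still depends on it. The following added example (my own code, not part of the original post) checks that the DC holds no FSMO role, that another global catalog remains, and that inbound replication on all DCs is currently failure-free; the function name and the "DC1" argument are assumptions.

```powershell
# Added example: pre-demotion sanity checks for an old domain controller.
# Assumes the ActiveDirectory module (RSAT) and repadmin.exe are available.
Import-Module ActiveDirectory

function Test-SafeToDemote {
    param([Parameter(Mandatory)][string]$OldDC)
    $problems = @()
    $dc = Get-ADDomainController -Identity $OldDC

    # 1. The DC being demoted must not hold any operations master role.
    if ($dc.OperationMasterRoles.Count -gt 0) {
        $problems += "Still holds FSMO roles: $($dc.OperationMasterRoles -join ', ')"
    }

    # 2. At least one other global catalog must remain in the domain.
    $otherGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Where-Object { $_.HostName -ne $dc.HostName }
    if (-not $otherGCs) { $problems += "No other global catalog server in the domain" }

    # 3. Every inbound replication link reported by repadmin must have zero failures.
    #    "repadmin /showrepl * /csv" emits one row per (destination, source, naming context).
    $links   = repadmin /showrepl * /csv | ConvertFrom-Csv
    $failing = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
    foreach ($l in $failing) {
        $problems += "Replication $($l.'Source DSA') -> $($l.'Destination DSA') " +
                     "($($l.'Naming Context')): $($l.'Last Failure Status')"
    }

    foreach ($p in $problems) { Write-Warning "BLOCKER: $p" }
    if ($problems.Count -eq 0) { Write-Output "OK to demote $($dc.HostName)" }
    return ($problems.Count -eq 0)
}

Test-SafeToDemote -OldDC 'DC1'
```

A $false result means something still depends on the old DC; fix the listed blocker and re-run rather than demoting.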


Comments (21)

  1. Anonymous says:

    Ok, I have tried it. Had two!!! new 2012 R2 DC's in my domain. After transferring all roles and demoting the last "old" 2012 DC my complete domain was gone !?!?!?!?!
    Luckily I had an export (VM) of the last "old" DC so I was able to restore it.
    Somehow replication between 2012 DC and 2012 R2 DC did not work.

  2. Ray Safar says:

    Also I would suggest you research Kerberos 5 vs 4 - as the functional level change can cause problems for systems that rely on V4, which could break when you raise the functional level of the domain after you've brought in your 2012 R2 DC's.

    Those of you doing crypto know that Kerberos v4 used a Pseudo Random Generator (PRG) – provided by GNU libc random(). The whole point of the PRG was to be unpredictable; its unpredictability makes it appear ‘random’.

    Firstly, this doesn’t have perfect security as the key is not as long as the message. GNU libc random() can be broken with a XOR pretty easily, because the prefix of bits is predictable.

    GNU libc random():
    r[i] ← ( r[i-3] + r[i-31] ) % 2^32 | Linear transformation
    output r[i] >> 1 | It outputs a few bits at every iteration

    So this is the push for V5 I suppose. More info here http://technet.microsoft.com/en-us/library/hh831747.aspx

    Also worth noting is you only need to do the ADPREP's if you want to raise the functional level to 56 without introducing 2012 / 2012 R2 domains - as in the article it is done via the dcpromo process.

  3. Kevin Holman says:

    @Suresh -
    We do not support moving SCOM servers from one domain to another, nor do we support having management servers in different domains in the same management group. If you are migrating from one domain to another, you'd need to deploy a new SCOM management group in the new domain. If you just want to monitor machines in both domains you can use a single SCOM management group in either domain, then monitor the other domain using gateways.

  4. Suresh Gaddam says:

    Hello,
    Previously I have a test environment which is a domain controller but I need to change that domain. I mean I need to add my machine into some other machine, but I have installed SCOM 2012 SP1 on the domain controller account (server.com). Now I need to shift to some other domain (servermachine.com). If I change my domain how can I configure my SCOM to use another management server and the existing management server?

  5. Hawry Kadir says:

    Hello,
    We are also in the process of upgrading our AD 2003 environment to Windows 2012. I have the following questions:

    GPO is in place – do I need to run adprep /domainprep /gpupdate
    We also use NTP to configure time do we need to make any additional steps post upgrade

  6. Ray Safar says:

    * ahem typo- without introducing 2012 / 2012 R2 domain CONTROLLERS - as in the article it is done via the dcpromo process.

  7. Marco Novelli says:

    Two days ago I've deployed two Windows 2012 R2 DCs on an existing Windows 2003 AD. I've opened a support case with Microsoft because lsass.exe keeps crashing on the Windows 2012 R2 DCs and rebooting them.

  8. Steve Paplanus says:

    If you want to upgrade an existing 2012 dc to 2012 r2 dc, do we need to do adprep on the domain before doing the upgrade?

  9. Francis says:

    Yes Steve

    adprep /forestprep

    adprep /domainprep

    adprep /domainprep /gpprep

  10. Clint says:

    I was just on a Premier webcast yesterday from MS and they said it runs domainprep and gprep automatically now???  

  11. iSiek says:

    Yes, since Windows Server 2012 adpreping is a transparent process. You don't have to do that manually as on the earlier operating systems. You are still allowed to do that manually but only on 64-bit architecture OSes, because adprep is no longer available for 32-bit architecture (like adprep32 from Windows Server 2008 R2 media). So, when you have a 32-bit DC with FSMO roles (Schema, Infrastructure) you need to rely on transparent adpreping during the new DC promotion process.

    You still need to have appropriate credentials when you are deploying your first new Windows Server 2012 R2 DC (Schema Admin and Domain Admin or Enterprise Admin)

    If you wish, you may visit my blog and read an article about that at

    kpytko.pl/.../adding-first-windows-server-2012-r2-domain-controller-within-windows-200320082008r22012-network

    I hope I could clarify your doubts 🙂

    Regards,

    Krzysztof

  12. I'm having a bit of an issue.

    I followed the steps you've outlined, but the new DC doesn't seem to be able to run well on its own.

    J-DC01 is the new 2012R2 DC

    DC01 is an old 2012 DC

    J-DC01 is a GC as well as having all of the FSMO roles in it (as evidenced by a successful netdom query fsmo on both DCs).

    It seems like there may be no replication? But it seems to have been confirmed in ADSI Edit.

    Not sure what to do to fix this......

  13. The oddest behavior happens as well, if I power down the old DC01 VM and reboot the new J-DC01, it takes a REALLY long time to boot. Just hangs at Please Wait for a really long time.

    I think this is a problem with the KDC. It isn't allowing replication......

  14. Well the hanging at boot is "normal" since it tries to replicate and sync with another DC at boot.

    The real reason why I think this hasn't taken properly is because when I offline the DC01,  I cannot check AD as it say no DC is available, no GPOs are available, etc.

    I think I'm missing something really stupid........

    repadmin /showrepl shows successful replication from the DC01 and everything is just jingles. It just will not run standalone.

  15. pcdoc says:

    Did you try turning on remote registry?  This is needed for replication.

  16. Phil Easterbrook says:

    If you try to install/update 2012 pdc to 2012 r2 it fails because it says
    "Active Directory on this domain controller does not
    contain Windows Server 2012 R2 ADPREP /FORESTPREP updates.
    See http://go.microsoft.com/fwlink/?LinkId=113955."

    How does this article relate? And the issue is do we need to remove a dc to upgrade it? Cause it doesn't want to install the AD from the 2012r2 media.

  17. Jon says:

    Not sure if this is the right forum.
    I am in the process of creating a small network for the purposes of studying SQL.
    I have installed Win 8 and Hyper-V, created a bunch of 2012 VM's and promoted one to a DC. The installation of directory services and promotion to a DC runs fine until the server reboots (as part of the process); the server then goes straight into automatic repair mode. This also happens if I do this in VMware Workstation.

    Any ideas?

    Thanks

  18. Don D says:

    Phil, I believe that you simply need to run the version of adprep that is included with the 2012 R2 media.

  19. Kinan says:

    This article is not about upgrade. You didn't upgrade anything except the schema!!!!

  20. Vic Hsu says:

    Thanks for this article it is really helpful.
    I installed a 2012 R2 two-node cluster, working fine. I want to install a Windows 2008 DC because I can't upgrade the DC to 2012 R2 yet for a legacy application.
    Is 2008 DC supported on windows 2012 R2 Hyper-V?

  21. David Puckhaber says:

    Already have two Enterprise Domain Controllers that are running 2012 and 18 site DC's running 2012r2 (bare metal rebuilds). All that is left is to upgrade the 2012 servers to 2012r2. Can I do a simple in place o/s upgrade? I have already moved the FSMO roles. Not sure I want/need to do a full rebuild.
