How to upgrade to a 2019 domain controller with a current 2008 primary controller

Computer Gladiator 441 Reputation points
2020-08-29T14:28:02.677+00:00

Hello, we currently have a 2008 R2 domain controller and a 2012 R2 secondary domain controller. I would like to add a 2019 domain controller and eventually demote the 2008 R2 DC. I understand that the 2019 server schema needs to be upgraded. Is there a set of steps in achieving this? The 2008 R2 DC has DHCP on it as well. I have raised the domain level from Server 2003 to 2008 and when using Get-ADForest command the Forest Mode still shows as Windows2003Forest. This was raised to 2008 yesterday afternoon. Is it still propagating? Best regards.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,228 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,643 questions
Accepted answer
  1. Stephanie Yu 396 Reputation points
    2020-08-31T08:47:02.463+00:00

    Hello ComputerGladiator,

    Thank you for posting here.

    Here are the answers for your questions:

    Q1: I have raised the domain level from Server 2003 to 2008 and when using Get-ADForest command the Forest Mode still shows as Windows2003Forest. This was raised to 2008 yesterday afternoon. Is it still propagating?
    A1: As DSPatrick mentioned, the minimum requirement to add a Windows Server 2019 Domain Controller is a Windows Server 2008 forest functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL.

    According to the description, please check whether your domain function level is 2008 in ADUC (Active Directory Users and Computers) and whether the forest function level is 2003 in ADDT (Active Directory Domains and Trusts).
    21430-image.png
    21390-image.png

    1. If your forest function level is 2003 and your domain function level is 2008, we should raise forest function level from 2003 to 2008 first.
    2. Then check SYSVOL replication type.
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey. If this registry subkey exists and its value is set to 3 (ELIMINATED), DFSR is being used. If the subkey does not exist, or if it has a different value, FRS is being used.

    Before we do any change in existing AD domain environment, we had better do:

    1. Check if AD environment is healthy. Check all DCs in this domain is working fine by running Dcdiag /v. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum.
    2. Back up all domain controllers.
    1. Check both SYSVOL folder and Netlogon folder are shared by running net share on each DC.
    2. Check we can update gpupdate /force on each DC successfully.

    After we ensure forest function level is 2008 and SYSVOL replication is DFSR replication type, we can add one Windows server 2019 to the existing domain and promote is as a domain controller.
    Q2: I understand that the 2019 server schema needs to be upgraded. Is there a set of steps in achieving this?
    A2: For upgrading domain controller from lower operating system to higher operating system, there are two methods:

    Method 1 Perform an in-place upgrade of an existing domain controller to higher operating system, in this way, we will need to run adprep /forestprep and adprep /domainprep manually.
    Method 2 Promote a new higher operating system of Windows server in the existing domain, you do not need to run these manually.

    However, we recommend we add new domain controller to the existing domain.
    Adprep and Domainprep
    If you are doing an in-place upgrade of an existing domain controller to the Windows Server 2016 operating system, you will need to run adprep /forestprep and adprep /domainprep manually. Adprep /forestprep needs to be run only once in the forest. Adprep /domainprep needs to be run once in each domain in which you have domain controllers that you are upgrading to Windows Server 2016.
    If you are promoting a new Windows Server 2016 server you do not need to run these manually. These are integrated into the PowerShell and Server Manager experiences.

    We can follow steps below to upgrade Window server 2008 R2 DC to Window server 2019 DC after you raise forest functional level to 2008 successfully:

    1. Check if AD environment is healthy. Check all DCs in this domain is working fine by running Dcdiag /v. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum.
    2. Add the new Window server 2019 to this existing domain.
    3. Add AD DS and DNS roles and promote this Windows server 2019 as a DC (as a GC).
    4. Check if AD environment is healthy again based on step 1.
    5. If step 1-step 4 is OK without any error. We can transfer FSMO roles to new 2019 DC if needed.
    6. Based on “The 2008 R2 DC has DHCP on it as well.”, migrate DHCP to new server if needed.
    7. Demote Windows server 2008 R2 after migrating AD DS and DHCP role if needed. Before we demote 2008 R2 DC, we should check:

    If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.

    If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.

    References:
    Forest and Domain Functional Levels
    https://video2.skills-academy.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

    Upgrade Domain Controllers to Windows Server 2016
    https://video2.skills-academy.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers

    How to Migrate DHCP from Windows Server 2008 to 2012/2016
    https://brycematheson.io/how-to-migrate-dhcp-from-windows-server-2008-to-2012-2016/

    How to Migrate DHCP from Windows Server 2012 R2 to Server 2016
    https://www.faqforge.com/windows-server-2016/migrate-dhcp-windows-server-2012-r2-server-2016/

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Stephanie Yu

    0 comments

11 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Computer Gladiator 441 Reputation points
    2020-08-30T17:19:25.993+00:00

    Hello, I have complete the Quick Migration as from the link you provided successfully. I run a Get-ADForest and it still shows as Windows2003Forest as Forest Mode.

    0 comments
  2. Computer Gladiator 441 Reputation points
    2020-08-31T15:04:25.623+00:00
    0 comments
  3. Computer Gladiator 441 Reputation points
    2020-09-01T00:29:24.363+00:00

    Thank you Stephanie for your response. I have completed all steps for questions 1. Confimred that Functioanl level is 2008 but Get-ADForest still shows Windows2003. All steps completed successfully except DCDIAG /V command which displayed errors for N abd SystemLog as shown below. I have not continued to Question 2 steps.

    Starting test: NCSecDesc
    * Security Permissions check for all NC's on DC GCHC-DC1.
    The forest is not ready for RODC. Will skip checking ERODC ACEs.
    * Security Permissions Check for
    DC=DomainDnsZones,DC=gchc,DC=local
    (NDNC,Version 3)
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=gchc,DC=local
    * Security Permissions Check for
    DC=ForestDnsZones,DC=gchc,DC=local
    (NDNC,Version 3)
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=gchc,DC=local
    * Security Permissions Check for
    CN=Schema,CN=Configuration,DC=gchc,DC=local
    (Schema,Version 3)
    * Security Permissions Check for
    CN=Configuration,DC=gchc,DC=local
    (Configuration,Version 3)
    * Security Permissions Check for
    DC=gchc,DC=local
    (Domain,Version 3)
    ......................... GCHC-DC1 failed test NCSecDesc

      Starting test: SystemLog
     * The System Event log test
     An Error Event occurred.  EventID: 0x0000165B
        Time Generated: 08/31/2020   18:33:48
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x000016AD
        Time Generated: 08/31/2020   18:38:48
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0xC000000D
        Time Generated: 08/31/2020   18:54:12
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:18
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:19
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:20
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:23
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:23
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:24
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:25
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:26
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     An Error Event occurred.  EventID: 0x00000457
        Time Generated: 08/31/2020   18:58:27
        EvtFormatMessage failed, error 15100 Win32 Error 15100.
        (Event String (event log = System) could not be retrieved, error
        0x3afc)
     ......................... GCHC-DC1 failed test SystemLog
    0 comments
  4. Stephanie Yu 396 Reputation points
    2020-09-01T02:50:16.01+00:00

    Hello,
    Thank you for update your issue.
    As I mentioned in the reply last day, the minimum requirement to add a Windows Server 2019 Domain Controller is a Windows Server 2008 forest functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL.
    Please check whether the forest function level is 2003 in ADDT (Active Directory Domains and Trusts)
    21786-image.png
    Click Raise Forest Functional Level to pop up the interface in the figure below to check whether the current forest functional level is 2008. According to your description, ensure that the domain functional level is 2008. If the forest functional level is still 2003 in the red box, please click Select 2008 in the drop-down menu and Apply. After the operation is completed, please log in to the interface again to check whether the forest function level has been upgraded to 2008.
    21787-image.png
    Please check if there is any problem with SYSVOL replication. The following is an experiment I did. There are two DCs in the domain. I created a new folder named "Sysvol" in the path of DC1 as shown in the figure below (Figure 1 and Figure 2) ), after the new creation is successful, check that the newly created folder has been successfully replicated in the same path in DC2. You can follow these steps to check whether there is a problem with the replication between DCs, which will affect whether you can successfully be in the domain Add new DC.
    21851-image.png
    21842-image.png
    21843-image.png
    If the above two steps are successful, the forest function level is upgraded to 2008, and there is no problem with SYSVOL replication. You can refer to my previous reply to add 2019DC.

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best regards,
    Stephanie Yu

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.