Raise AD Domain and Forest functional level from Windows Server 2008 R2 to Windows Server 2016

I finally finished the project that raised the Active Directory domain and forest functional level from Windows Server 2008 R2 to Windows Server 2016. It's time to log the steps and the issues I met during the long journey.

The prerequisite for raising the AD functional level to Windows Server 2016 is that no DC is still running an older OS. The project was for an environment with a forest containing one root domain, corp.local, and one child domain, ad.corp.local. We had many Windows Server 2008 R2 domain controllers (DCs) but no Windows Server 2012 or 2016 DCs when I started planning this project. There is no in-place upgrade path from Windows Server 2008 R2 to Windows Server 2016, so I needed to decommission all the old DCs before I could raise the functional level.

FACTS:

There were many things to consider before I could decommission any DC:

  • All network and equipment time sources pointed to a physical domain controller (DC). Domain-joined computers automatically sync with the PDC emulator role holder. Because of the complexity and history of the network, many devices might have used the IP address to define the time source.
  • DNS was AD-integrated. Three DC IP addresses had been used everywhere as the DNS server configuration.
  • The DFS service was in use, and DCs were the namespace servers.
  • There were 2 sites, and each site had a centralized DHCP/DC server for redundancy, serving DHCP clients spread across more than one hundred subnets.
  • The Pulse VPN server, PrinterLogic, printers and other systems might be using the LDAP service on the DCs for authentication, referenced by name or by IP address. The good news was that the LDAP server name in use was an alias, which could easily be changed to point to a new DC or LDAPS server.

To keep the system stable and lower the risk of impacting the whole environment, I decided to keep the same IP addresses for the time source, DNS servers and LDAP/DC. A DC does not support being renamed, but it does support changing its IP address.

Useful commands

Run this command in Command Prompt window to find out FSMO roles:

netdom query fsmo

If you are promoting a new Windows Server 2016 server you do not need to run these manually, because they are integrated into the PowerShell and Server Manager experiences. We nevertheless decided to run adprep /forestprep and adprep /domainprep manually.

Adprep /forestprep needs to be run only once in the forest.

Adprep /domainprep needs to be run once in each domain in which you have domain controllers that you are upgrading to Windows Server 2016.

Promote DC running Windows Server 2016 server

It’s simple to use GUI to add Active Directory Domain Services and promote the server to a DC.

Because I had many DCs to build, using PowerShell to automate the process made sense.

Import-Module ADDSDeployment

Install-ADDSDomainController -NoGlobalCatalog:$false -CreateDnsDelegation:$false -CriticalReplicationOnly:$false `
    -DatabasePath "C:\Windows\NTDS" -DomainName "ad.corp.local" -InstallDns:$true -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false -SiteName "SITE1" -SysvolPath "C:\Windows\SYSVOL" -Force:$true `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "YourADRestorePWD" -AsPlainText -Force)
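When several DCs have to be built, the same promotion can be driven from one workstation over PowerShell remoting. The script below is an added example, not code from the original post: it assumes the target servers are already domain-joined with WinRM enabled, that the caller holds Domain Admins in ad.corp.local, and uses invented server and site names. Test-ADDSDomainControllerInstallation is run first so a server that would fail promotion (missing adprep, DNS problems) is reported instead of left half-configured.

```powershell
# Added example: promote a list of member servers to Windows Server 2016 DCs.
# Assumptions: servers are domain-joined, WinRM is on, caller is a Domain Admin.
Import-Module ActiveDirectory

$dsrmPassword = Read-Host -Prompt 'DSRM (safe mode) password' -AsSecureString
$domainCred   = Get-Credential -Message 'Domain Admin account used for promotion'

# Constructed list of servers and the AD site each one belongs to (hypothetical names).
$targets = @(
    @{ Name = 'NEWDC1'; Site = 'SITE1' },
    @{ Name = 'NEWDC2'; Site = 'SITE2' }
)

foreach ($t in $targets) {
    Write-Host "==> $($t.Name) (site $($t.Site))"
    Invoke-Command -ComputerName $t.Name -Credential $domainCred `
                   -ArgumentList $t.Site, $dsrmPassword, $domainCred -ScriptBlock {
        param($site, $dsrm, $cred)

        Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
        Import-Module ADDSDeployment

        # Same settings as the manual command in the post, expressed as a splat.
        $params = @{
            DomainName                    = 'ad.corp.local'
            Credential                    = $cred      # avoids the remoting second-hop problem
            SiteName                      = $site
            InstallDns                    = $true
            CreateDnsDelegation           = $false
            DatabasePath                  = 'C:\Windows\NTDS'
            LogPath                       = 'C:\Windows\NTDS'
            SysvolPath                    = 'C:\Windows\SYSVOL'
            SafeModeAdministratorPassword = $dsrm
            NoRebootOnCompletion          = $false
            Force                         = $true
        }

        # Dry run: reports blocking problems without changing the server.
        $check = Test-ADDSDomainControllerInstallation @params
        if ($check.Status -ne 'Success') {
            Write-Warning "Pre-check failed on $env:COMPUTERNAME`: $($check.Message)"
            return
        }
        Install-ADDSDomainController @params   # server reboots as a DC on completion
    }
}
```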

Change DFS name servers to new DCs

This prevented impact on DFS users when we decommissioned the current DCs. But if somebody used \\dcname\DFSShareName to access a DFS share, that path broke after the DC was decommissioned. I met one application with this issue and fixed it by using \\domainname\DFSShareName instead.
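The namespace-server change can be scripted so that no namespace is left without an online root target while the old DC is being removed. This is an added example, not code from the original post; it assumes the DFSN management tools are installed, that the root share already exists on the new DC, and uses invented host names.

```powershell
# Added example: move every domain-based DFS namespace root from an old DC to a
# new one. Assumes RSAT-DFS-Mgmt-Con is installed and the caller is a DFS admin.
Import-Module DFSN

$oldDc = 'OLDDC1.ad.corp.local'   # hypothetical DC about to be demoted
$newDc = 'NEWDC1.ad.corp.local'   # hypothetical 2016 DC taking over

# All domain-based namespaces in the child domain.
$roots = Get-DfsnRoot -Domain 'ad.corp.local' | Where-Object { $_.Type -like 'Domain*' }

foreach ($root in $roots) {
    $targets = Get-DfsnRootTarget -Path $root.Path
    $onOld   = $targets | Where-Object { $_.TargetPath -like "\\$oldDc\*" }
    if (-not $onOld) { continue }                     # this namespace does not use the old DC

    $share   = ($onOld.TargetPath -split '\\')[-1]    # share name behind the root target
    $newPath = "\\$newDc\$share"

    # 1. Add the new DC as a root target (the share must already exist on it).
    if ($targets.TargetPath -notcontains $newPath) {
        New-DfsnRootTarget -Path $root.Path -TargetPath $newPath | Out-Null
    }

    # 2. Remove the old DC only when another online root target remains, so the
    #    namespace is never left with zero reachable targets.
    $remaining = Get-DfsnRootTarget -Path $root.Path |
                 Where-Object { $_.TargetPath -ne $onOld.TargetPath -and $_.State -eq 'Online' }
    if ($remaining) {
        Remove-DfsnRootTarget -Path $root.Path -TargetPath $onOld.TargetPath -Force
        Write-Host "$($root.Path): root target moved $oldDc -> $newDc"
    } else {
        Write-Warning "$($root.Path): no other online root target, keeping $oldDc"
    }
}
```

Clients that hard-code \\dcname\share bypass the namespace entirely and are not helped by this; only the domain-based \\ad.corp.local\share path survives the demotion.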

Transfer the FSMO roles to a Windows Server 2016 domain controller

This used to be a really tedious task, but it has been made much easier thanks to PowerShell. So, from an administrative PowerShell window, enter this command:

Move-ADDirectoryServerOperationMasterRole -Identity "new DC name" -OperationMasterRole 0,1,2,3,4

In case you are wondering about the numbers at the end of the command, each number corresponds to a specific role. The prompts below show which role each number maps to:

Move-ADDirectoryServerOperationMasterRole -Identity "NEWDC1" -OperationMasterRole 0,1,2,3,4

Move Operation Master Role
Do you want to move role 'PDCEmulator' to server 'NEWDC1.CORP.LOCAL' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

Move Operation Master Role
Do you want to move role 'RIDMaster' to server 'NEWDC1.CORP.LOCAL' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

Move Operation Master Role
Do you want to move role 'InfrastructureMaster' to server 'NEWDC1.CORP.LOCAL' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

Move Operation Master Role
Do you want to move role 'SchemaMaster' to server 'NEWDC1.CORP.LOCAL' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

Move Operation Master Role
Do you want to move role 'DomainNamingMaster' to server 'NEWDC1.CORP.LOCAL' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

DC demote issue 1: Active Directory Domain Services could not transfer the remaining data in directory partition

A lab is a must in this kind of critical project. I met an issue when I tried to demote a DC in the lab. I could not demote the DC and got this error message:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZone,DC=CORP,DC=LOCAL to Active Directory Domain Controller \\dcname.COPR.LOCAL. “The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

I found an article that fixed this problem: https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read/

The reason was that the DC that held the FSMO role for the DomainDNSZones or ForestDNSZones (or both) application partition wasn't there anymore. Someone had deleted it, decommissioned it, or it had failed somewhere along the line, but that DC still owned one or more of the AD-integrated DNS zones. The deleted DC can be seen in the output further down after CN=___ (marked by the \0ADEL: suffix), and in most cases this means someone had to do metadata cleanup and forcibly remove the server from AD. In case the article gets removed, I post the code here:

'-------fixfsmo.vbs------------------
const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2

set inArgs = WScript.Arguments

if (inArgs.Count = 1) then
    ' Assume the command line argument is the NDNC (in DN form) to use.
    NdncDN = inArgs(0)
Else
    Wscript.StdOut.Write "usage: cscript fixfsmo.vbs NdncDN"
End if

if (NdncDN <> "") then

    ' Convert the DN form of the NDNC into DNS dotted form.
    Set objTranslator = CreateObject("NameTranslate")
    objTranslator.Init ADS_NAME_INITTYPE_GC, ""
    objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
    strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
    strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)

    Wscript.Echo "DNS name: " & strDomainDNS

    ' Find a domain controller that hosts this NDNC and that is online.
    set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE")
    strDnsHostName = objRootDSE.Get("dnsHostName")
    strDsServiceName = objRootDSE.Get("dsServiceName")
    Wscript.Echo "Using DC " & strDnsHostName

    ' Get the current infrastructure fsmo.
    strInfraDN = "CN=Infrastructure," & NdncDN
    set objInfra = GetObject("LDAP://" & strInfraDN)
    Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner

    ' If the current fsmo holder is deleted, set the fsmo holder to this domain controller.

    if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then

        ' Set the fsmo holder to this domain controller.
        objInfra.Put "fSMORoleOwner",  strDsServiceName
        objInfra.SetInfo

        ' Read the fsmo holder back.
        set objInfra = GetObject("LDAP://" & strInfraDN)
        Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner

    End if

End if

An example run and its output:

C:\>cscript fixfsmo.vbs "DC=DomainDnsZones,DC=corp,DC=local"
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

DNS name: DomainDnsZones.CORP.LOCAL
Using DC DC1.CORP.LOCAL
infra fsmo is CN=NTDS Settings\0ADEL:a111ff40-e2c9-473f-8cf8-12fg35-0574c47,CN=DC3\0ADEL:bcde871a5-er42-127-82f0-c56019275ae3,CN=Servers,CN=ABC,CN=Sites,CN=Configuration,DC=CORP,DC=LOCAL
infra fsmo changed to:CN=NTDS Settings,CN=DC1,CN=Servers,CN=ABC,CN=Sites,CN=Configuration,DC=CORP,DC=LOCAL

DC demote issue 2: Netlogon service error when demoting a DC

This issue happened when the DC's DNS was configured as 127.0.0.1 or its own IP address. Change the first DNS server on the network card to point to your new DNS server, not the server you are currently demoting. Once you change the DNS setting to the new DNS server you should be able to demote the server without any issues.

Change IP addresses, register DNS

After demoting the 2008 R2 DC to a member server, change its IP address and let the new Windows Server 2016 DC take over that IP address. Configure DNS properly, then run these commands in an administrator command prompt:

ipconfig /flushdns

ipconfig /registerdns

I met an issue where the remote desktop session got disconnected after I changed the DNS settings of the Azure servers. Rebooting the Azure VMs fixed the issue.

Dnslint utility and AD Replication Status Tool

I had a few DCs running on premises and in Azure. I made sure DC DNS and replication worked well after each DC was replaced. It took me 3 weeks to get it all done because of the strict change management policies.

DNSLint utility can be found at https://support.microsoft.com/en-us/help/321045/description-of-the-dnslint-utility

Dnslint /ad /s localhost /v

Dnslint /ad /s 192.168.1.1 /v

192.168.1.1 is the IP address of the DNS/DC server being checked.

AD Replication Status Tool can be found at https://www.microsoft.com/en-ca/download/details.aspx?id=30005

The TIME Source

We decided to use a time source pool as the time source of the VMware vSphere hosts. All new on-premises DCs sync to the host, including the new DC that took over the IP address of the old time-source PDC. There was no change to any other computer or device in the network.

The DHCP server

The DHCP servers' IP addresses had to be changed because the new DC and DNS servers needed those IP addresses. The network team added the firewall rules to allow DHCP relay to the new IP addresses of the DHCP servers in advance. It went smoothly when I changed the DHCP server IP addresses.

Raise domain and forest functional level

After all of the legacy domain controllers had been removed and the organization was running only Windows Server 2016 domain controllers, I raised the domain and forest functional levels.

To raise the functional level, open the Active Directory Domains and Trusts console, right-click your domain and select the Raise Domain Functional Level command, as shown below. Once you have raised the domain functional level, right-click the Active Directory Domains and Trusts container and choose the Raise Forest Functional Level command to raise the forest functional level.
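The same raise can be done from the ActiveDirectory module, with the checks this whole post depends on (no legacy DC left, every FSMO role on a live DC) enforced before anything changes. This is an added example rather than the post's own procedure; it uses the forest and domain names from the post and assumes the caller is an Enterprise Admin.

```powershell
# Added example: verify prerequisites, then raise both domains and the forest to 2016.
# Assumes Enterprise Admins membership; domain names are the ones from the post.
Import-Module ActiveDirectory

$forestName = 'corp.local'
$domains    = @('corp.local', 'ad.corp.local')

# 1. No DC in either domain may run anything older than Windows Server 2016.
$dcs = foreach ($d in $domains) { Get-ADDomainController -Filter * -Server $d }
$old = $dcs | Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2016' }
if ($old) {
    $old | Format-Table HostName, OperatingSystem, Site -AutoSize | Out-String | Write-Warning
    throw 'Legacy domain controllers still exist; demote them first.'
}

# 2. Every FSMO role must be held by a DC that actually exists. A role still pointing
#    at a deleted DC (the \0ADEL: case from the demote issue above) blocks the raise.
$forest = Get-ADForest -Identity $forestName
$holders = foreach ($d in $domains) {
    $dom = Get-ADDomain -Identity $d
    $dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster
}
$holders += $forest.SchemaMaster, $forest.DomainNamingMaster
foreach ($h in $holders) {
    if ($dcs.HostName -notcontains $h) { throw "FSMO holder $h is not a live DC; check metadata." }
}

# 3. Raise each domain first, then the forest (the forest level requires all domains raised).
foreach ($d in $domains) {
    if ((Get-ADDomain -Identity $d).DomainMode -ne 'Windows2016Domain') {
        Set-ADDomainMode -Identity $d -DomainMode Windows2016Domain -Confirm:$false
    }
}
if ($forest.ForestMode -ne 'Windows2016Forest') {
    Set-ADForestMode -Identity $forestName -ForestMode Windows2016Forest -Confirm:$false
}

# 4. Confirm, and push replication so every DC sees the new levels promptly.
foreach ($d in $domains) { Get-ADDomain -Identity $d | Select-Object DNSRoot, DomainMode }
Get-ADForest -Identity $forestName | Select-Object Name, ForestMode
repadmin /syncall /AdeP | Out-Null
```

The functional level change is not reversible from 2016 back to 2008 R2 without a forest recovery, which is why the checks run before, not after, the Set-* calls.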

Raise domain functional level

References:

Forest and Domain Functional Levels https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

DNSlint Utility https://support.microsoft.com/en-us/help/321045/description-of-the-dnslint-utility
