I finally finished the project that raised the Active Directory domain and forest functional levels from Windows Server 2008 R2 to Windows Server 2016. It is time to log the steps and the issues I ran into during the long journey.
The prerequisite for raising the AD functional level to Windows Server 2016 is that no DC is still running an older OS. The project was for an environment with a forest consisting of one root domain, corp.local, and one child domain, ad.corp.local. We had many Windows Server 2008 R2 domain controllers (DCs) but no Windows Server 2012 or 2016 DCs when I started planning. There is no in-place upgrade path from Windows Server 2008 R2 to Windows Server 2016, so I needed to build new 2016 DCs and decommission every 2008 R2 DC before I could raise the functional level.
FACTS:
There were many things to consider before I could decommission any DC:
- The time source for the entire network and all equipment was a physical domain controller (DC). Domain-joined computers sync time through the domain hierarchy automatically, ending at the DC that holds the PDC Emulator role, so they follow the role wherever it moves. Because of the complexity and history of the network, however, many devices might have been configured with that DC's IP address as their time source.
- DNS was integrated with AD. The IP addresses of three DCs were used everywhere as the DNS server configuration.
- DFS was in use, and DCs were the namespace servers.
- There were two sites, and each site had a centralized DHCP/DC server for redundancy, serving DHCP clients spread across more than one hundred subnets.
- The Pulse VPN server, PrinterLogic, printers and other systems might be using the LDAP service on the DCs for authentication, referenced either by name or by IP address. The good news was that the LDAP server name in use was an alias, which could easily be repointed to a new DC or LDAPS server.
To keep the environment stable and lower the risk of impacting everything at once, I decided to keep the same IP addresses for the time source, the DNS servers and the LDAP/DC endpoints. Renaming a DC is possible but invasive, so I avoided it; changing a DC's IP address is well supported.
Useful commands
Run this command in a Command Prompt window to find out which DCs hold the FSMO roles:
netdom query fsmo
If you promote a new Windows Server 2016 DC with Server Manager or the ADDSDeployment PowerShell module, the forest and domain preparation (adprep) runs automatically as part of the promotion, so you do not need to run it manually. We decided to run adprep /forestprep and adprep /domainprep manually anyway, from the \support\adprep folder of the Windows Server 2016 installation media.
adprep /forestprep needs to be run only once in the forest. Run it with an account that is a member of Schema Admins, Enterprise Admins and Domain Admins of the forest root domain, and let the schema change replicate to every DC before going further.
adprep /domainprep needs to be run once in each domain in which you have domain controllers that you are upgrading to Windows Server 2016 (here: corp.local and ad.corp.local).
Promote DC running Windows Server 2016 server
It is simple to use the GUI to add Active Directory Domain Services and promote the server to a DC.
Because I had many DCs to build, automating the process with PowerShell made sense. Note that the DSRM password below is in clear text; for a script that is stored or shared, read it with Read-Host -AsSecureString instead.
Import-Module ADDSDeployment
Install-ADDSDomainController -NoGlobalCatalog:$false -CreateDNSDelegation:$false -CriticalReplicationOnly:$false `
    -DatabasePath "C:\Windows\NTDS" -DomainName "ad.corp.local" -InstallDNS:$true -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false -SiteName "SITE1" -SYSVOLPath "C:\Windows\SYSVOL" -Force:$true `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "YourADRestorePWD" -AsPlainText -Force)
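An added example (my own script, not the original post's): the same promotion, but run against a list of new servers from an admin workstation, with the ADDSDeployment prerequisite test first and the DSRM password read as a SecureString instead of being stored in the script. The server names NEWDC3 and NEWDC4, the site, the domain and WinRM access from the workstation to the new servers are assumptions.

```powershell
# Added example, not the post's script. Assumptions: NEWDC3/NEWDC4 are freshly built, domain-joined
# 2016 member servers reachable over WinRM, the site is SITE1 and the domain is ad.corp.local.
$Domain   = 'ad.corp.local'
$SiteName = 'SITE1'
$NewDCs   = 'NEWDC3', 'NEWDC4'

# Prompt once; the DSRM password never sits in the script, the console history or a transcript.
$dsrm = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString
$cred = Get-Credential -Message "Domain Admins account for $Domain"

foreach ($dc in $NewDCs) {
    Invoke-Command -ComputerName $dc -ArgumentList $Domain, $SiteName, $dsrm, $cred -ScriptBlock {
        param($Domain, $SiteName, $dsrm, $cred)
        Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
        Import-Module ADDSDeployment

        # Dry run: checks adprep state, DNS, site and credentials without changing anything.
        $test = Test-ADDSDomainControllerInstallation -DomainName $Domain -SiteName $SiteName -InstallDns `
                    -Credential $cred -SafeModeAdministratorPassword $dsrm
        if ($test.Status -ne 'Success') {
            throw "$env:COMPUTERNAME prerequisite check failed: $($test.Message)"
        }

        # Same options as the post's command; -NoRebootOnCompletion keeps the remoting session alive
        # so the caller controls the reboot.
        Install-ADDSDomainController -DomainName $Domain -SiteName $SiteName -InstallDns `
            -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
            -Credential $cred -SafeModeAdministratorPassword $dsrm -NoRebootOnCompletion -Force | Out-Null
    }
    Restart-Computer -ComputerName $dc -Force -Wait -For PowerShell -Timeout 900
    # Confirm the new DC is registered in AD, in the right site, and is a GC.
    Get-ADDomainController -Identity $dc -Server $Domain |
        Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem
}
```

Run it from a machine that has the ActiveDirectory module (the final Get-ADDomainController needs it). If the prerequisite test reports that adprep has not been run, that is the point to run adprep /forestprep and /domainprep rather than letting the promotion do it under time pressure.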
Change DFS name servers to new DCs
Doing this ahead of time meant that decommissioning the old DCs did not affect DFS users. One caveat: anyone who accessed the namespace as \\dcname\DFSSharename (the root target's own server path instead of the domain-based path) lost access once that DC was gone. I met one application with this issue and fixed it by switching it to \\domainname\DFSSharename.
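An added example of the namespace-server change in PowerShell rather than the DFS Management console (my code, not the post's). It assumes a domain-based namespace \\corp.local\Shared with a root target on OLDDC1 that is being replaced by NEWDC1, and uses the DFSN and SmbShare modules that ship with Windows Server 2012 and later.

```powershell
# Added example. Namespace and server names are assumptions.
$Namespace = '\\corp.local\Shared'   # domain-based namespace
$OldDC     = 'OLDDC1'
$NewDC     = 'NEWDC1'
$RootShare = ($Namespace -split '\\')[-1]   # 'Shared'

# A root target needs a share of the same name on the new server before it can be added.
Invoke-Command -ComputerName $NewDC -ArgumentList $RootShare -ScriptBlock {
    param($name)
    $path = "C:\DFSRoots\$name"
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    if (-not (Get-SmbShare -Name $name -ErrorAction SilentlyContinue)) {
        # Read is enough on the root share: the folders under it are referral-only reparse points.
        New-SmbShare -Name $name -Path $path -ReadAccess 'Everyone' | Out-Null
    }
}

# Add the new root target and confirm it is Online before touching the old one.
New-DfsnRootTarget -Path $Namespace -TargetPath "\\$NewDC\$RootShare" | Out-Null
$targets = Get-DfsnRootTarget -Path $Namespace
$targets | Format-Table TargetPath, State -AutoSize
if (($targets | Where-Object TargetPath -eq "\\$NewDC\$RootShare").State -ne 'Online') {
    throw "New root target on $NewDC is not Online; leaving $OldDC in place."
}

# Retire the old target. Clients cache root referrals for the namespace TTL (300 s by default),
# so wait at least that long before the old DC is demoted.
Remove-DfsnRootTarget -Path $Namespace -TargetPath "\\$OldDC\$RootShare" -Confirm:$false
(Get-DfsnRoot -Path $Namespace).TimeToLiveSec
```

Repeat the block for each namespace. It does nothing for clients that hard-coded \\OLDDC1\Shared, which is exactly the application problem described above; grep configuration files for the old server name before the demotion.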
Transfer the FSMO roles to a Windows Server 2016 domain controller
This used to be a tedious task, but PowerShell makes it much easier. From an administrative PowerShell window, enter:
Move-ADDirectoryServerOperationMasterRole -Identity "new DC name" -OperationMasterRole 0,1,2,3,4
In case you are wondering about the numbers at the end of the command, each number corresponds to a specific role: 0 = PDCEmulator, 1 = RIDMaster, 2 = InfrastructureMaster, 3 = SchemaMaster, 4 = DomainNamingMaster. The Schema Master and Domain Naming Master exist once per forest and live in the root domain; PDC Emulator, RID Master and Infrastructure Master exist once per domain, so the child domain ad.corp.local needs its own transfer of roles 0, 1 and 2 to a new DC there. Do not add -Force unless the current holder is gone for good: -Force seizes the role instead of transferring it. The prompts look like this:
Move-ADDirectoryServerOperationMasterRole -Identity "NEWDC1" -OperationMasterRole 0,1,2,3,4

Move Operation Master Role
Do you want to move role 'PDCEmulator' to server 'NEWDC1.CORP.LOCAL' ?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):

Move Operation Master Role
Do you want to move role 'RIDMaster' to server 'NEWDC1.CORP.LOCAL' ?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):

Move Operation Master Role
Do you want to move role 'InfrastructureMaster' to server 'NEWDC1.CORP.LOCAL' ?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):

Move Operation Master Role
Do you want to move role 'SchemaMaster' to server 'NEWDC1.CORP.LOCAL' ?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):

Move Operation Master Role
Do you want to move role 'DomainNamingMaster' to server 'NEWDC1.CORP.LOCAL' ?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
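An added example (my script, not the post's) that performs the same transfer by role name for both domains of the forest and then reads the owners back. NEWDC2 as the new DC in ad.corp.local is an assumed name.

```powershell
# Added example. NEWDC2 (new DC in the child domain) is an assumed name.
Import-Module ActiveDirectory
$RootDC  = 'NEWDC1.corp.local'
$ChildDC = 'NEWDC2.ad.corp.local'

# Schema and Domain Naming exist once per forest and live in the root domain; the three
# domain roles exist once per domain, so the child domain needs its own transfer.
Move-ADDirectoryServerOperationMasterRole -Identity $RootDC -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
Move-ADDirectoryServerOperationMasterRole -Identity $ChildDC -Server $ChildDC -Confirm:$false `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster
# Deliberately no -Force: -Force seizes a role when the current holder cannot be reached, which
# is only acceptable when that holder will never come back online.

function Get-FsmoOwner {
    param([string]$Forest = 'corp.local')
    $f = Get-ADForest -Identity $Forest
    [pscustomobject]@{ Scope = "forest $Forest"; Role = 'SchemaMaster';       Owner = $f.SchemaMaster }
    [pscustomobject]@{ Scope = "forest $Forest"; Role = 'DomainNamingMaster'; Owner = $f.DomainNamingMaster }
    foreach ($d in $f.Domains) {
        $dom = Get-ADDomain -Identity $d
        foreach ($r in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = "domain $d"; Role = $r; Owner = $dom.$r }
        }
    }
}
Get-FsmoOwner | Format-Table -AutoSize
```

Get-FsmoOwner is the PowerShell counterpart of netdom query fsmo for the whole forest; run it before and after the transfer and keep the output with the change record.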
DC demote issue 1: Active Directory Domain Services could not transfer the remaining data in directory partition
A lab is a must in this kind of critical project. I hit an issue when I tried to demote a DC in the lab: the demotion failed with this error message:
Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=CORP,DC=LOCAL to Active Directory Domain Controller \\dcname.CORP.LOCAL. "The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."
I found an article that fixes this problem: https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read/
The cause is that the DC recorded as the Infrastructure FSMO role owner for the DomainDNSZones or ForestDNSZones application partition (or both) no longer exists. Someone deleted it or decommissioned it, or it failed and was forcibly removed with a metadata cleanup, while it still owned the role for one or more AD-integrated DNS application partitions. The deleted DC shows up in the fSMORoleOwner attribute as a tombstoned DN (the \0ADEL: suffix in the output below). In case the article gets removed, here is the script:
'-------fixfsmo.vbs------------------
' Usage: cscript fixfsmo.vbs <NDNC DN>, e.g. "DC=DomainDnsZones,DC=corp,DC=local"
const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2

set inArgs = WScript.Arguments
if (inArgs.Count = 1) then
    ' Assume the command line argument is the NDNC (in DN form) to use.
    NdncDN = inArgs(0)
Else
    NdncDN = ""
    Wscript.StdOut.Write "usage: cscript fixfsmo.vbs NdncDN"
End if

if (NdncDN <> "") then
    ' Convert the DN form of the NDNC into DNS dotted form.
    Set objTranslator = CreateObject("NameTranslate")
    objTranslator.Init ADS_NAME_INITTYPE_GC, ""
    objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
    strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
    strDomainDNS = Left(strDomainDNS, len(strDomainDNS) - 1)
    Wscript.Echo "DNS name: " & strDomainDNS

    ' Find a domain controller that hosts this NDNC and that is online.
    set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE")
    strDnsHostName = objRootDSE.Get("dnsHostName")
    strDsServiceName = objRootDSE.Get("dsServiceName")
    Wscript.Echo "Using DC " & strDnsHostName

    ' Get the current infrastructure fsmo.
    strInfraDN = "CN=Infrastructure," & NdncDN
    set objInfra = GetObject("LDAP://" & strInfraDN)
    Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner

    ' If the current fsmo holder is deleted, set the fsmo holder to this domain controller.
    if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then
        ' Set the fsmo holder to this domain controller.
        objInfra.Put "fSMORoleOwner", strDsServiceName
        objInfra.SetInfo

        ' Read the fsmo holder back.
        set objInfra = GetObject("LDAP://" & strInfraDN)
        Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner
    End if
End if
Example run and output:
C:\>cscript fixfsmo.vbs “DC=DomainDnsZones,DC=corp,DC=local”
Microsoft (R) Windows Script Host Version 5.812
DNS name: DomainDnsZones.CORP.LOCAL
Copyright (C) Microsoft Corporation. All rights reserved.
Using DC DC1.CORP.LOCAL
infra fsmo is CN=NTDS Settings\0ADEL:a111ff40-e2c9-473f-8cf8-12fg35-0574c47,CN=DC3\0ADEL:bcde871a5-er42-127-82f0-c56019275ae3,CN=Servers,CN=ABC,CN=Sites,CN=Configuration,DC=CORP,DC=LOCAL
infra fsmo changed to:CN=NTDS Settings,CN=DC1,CN=Servers,CN=ABC,CN=Sites,CN=Configuration,DC=CORP,DC=LOCAL
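An added PowerShell equivalent of fixfsmo.vbs (my code, not from the post or the article it references), using the ActiveDirectory module. Like the script, it finds a live DC that hosts each DNS application partition, reads fSMORoleOwner on the partition's Infrastructure object, and repoints it at that DC's own NTDS Settings object only when the current value is a deleted object. The partition DNs below are the two root-domain partitions from the post plus the child domain's own DomainDnsZones partition, which is an assumption about this forest.

```powershell
# Added example. Partition list reflects the two-domain forest described in the post (assumed).
Import-Module ActiveDirectory

function Repair-NdncInfrastructureOwner {
    param(
        [string]$Forest = 'corp.local',
        [string[]]$PartitionDN = @('DC=DomainDnsZones,DC=corp,DC=local',
                                   'DC=ForestDnsZones,DC=corp,DC=local',
                                   'DC=DomainDnsZones,DC=ad,DC=corp,DC=local'),
        [switch]$Fix      # without -Fix the function only reports
    )
    # One rootDSE per reachable DC in the forest; namingContexts lists the partitions it hosts.
    $rootDses = foreach ($d in (Get-ADForest -Identity $Forest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $d) {
            try { Get-ADRootDSE -Server $dc.HostName -ErrorAction Stop } catch { }
        }
    }
    foreach ($dn in $PartitionDN) {
        $hosting = $rootDses | Where-Object { $_.namingContexts -contains $dn } | Select-Object -First 1
        if (-not $hosting) { Write-Warning "$dn : no reachable DC hosts this partition"; continue }
        $server  = $hosting.dnsHostName
        $infraDN = "CN=Infrastructure,$dn"
        $owner   = (Get-ADObject -Identity $infraDN -Server $server -Properties fSMORoleOwner).fSMORoleOwner

        # A live owner is an NTDS Settings DN; a tombstoned one carries "\0ADEL:<guid>" in the RDN.
        if ($owner -notmatch '\\0ADEL:') {
            [pscustomobject]@{ Partition = $dn; ServerUsed = $server; Owner = $owner; Action = 'none' }
            continue
        }
        if ($Fix) {
            # dsServiceName of the DC we are talking to is its own NTDS Settings DN.
            Set-ADObject -Identity $infraDN -Server $server -Replace @{ fSMORoleOwner = $hosting.dsServiceName }
            $owner = (Get-ADObject -Identity $infraDN -Server $server -Properties fSMORoleOwner).fSMORoleOwner
            [pscustomobject]@{ Partition = $dn; ServerUsed = $server; Owner = $owner; Action = 'repointed' }
        } else {
            [pscustomobject]@{ Partition = $dn; ServerUsed = $server; Owner = $owner; Action = 'deleted owner; rerun with -Fix' }
        }
    }
}
Repair-NdncInfrastructureOwner | Format-List
```

Run it read-only first on every DNS application partition in the forest (each domain has its own DomainDnsZones), then with -Fix. The write goes to the DC that hosts the partition, which is the same DC the script then nominates as owner, so there is no replication race to worry about.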
DC demote issue 2: the Netlogon service error when demote a DC
This happens when the DC's own DNS client is configured as 127.0.0.1 or its own IP address. Change the first DNS server on the network adapter to point to another DC, not the server you are demoting. Once the DNS setting points to the new DNS server, the demotion goes through without the Netlogon error.
Change IP addresses, register DNS
After demoting the 2008 R2 DC to a member server, change its IP address so that the new Windows Server 2016 DC can take over the old address. Configure the DNS client settings properly, then run these commands in an administrator command prompt:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /registerdns refreshes only the host (A) record; the DC locator (SRV) records and the domain-name A records are registered by Netlogon, so run nltest /dsregdns (or restart the Netlogon service) on the new DC as well.
I ran into an issue where Remote Desktop was disconnected after I changed the DNS settings of the Azure servers. Rebooting the Azure VMs fixed it.
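An added example (my script, not the post's) of the two sides of the IP swap: part A prepares the old DC before demotion (the fix for issue 2 above), part B runs on the console of the new 2016 DC after the old server has been demoted and moved to a parking address. Server names, addresses, the adapter name on the 2008 R2 box and WinRM access to it are assumptions; the demotion itself is done with dcpromo on the old server and is not scripted here.

```powershell
# Added example. Names, addresses and adapter names are assumptions.

# Part A, run from an admin workstation before demoting OLDDC1: point the old DC's own DNS
# client at a DC that stays. Windows Server 2008 R2 has no DnsClient module, hence netsh.
$OldDC = 'OLDDC1'; $StayingDns = '10.10.1.11'
Invoke-Command -ComputerName $OldDC -ArgumentList $StayingDns -ScriptBlock {
    param($dns)
    netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=$dns register=primary
    ipconfig /flushdns | Out-Null
}
# Next: demote OLDDC1 with dcpromo, reboot it, give it a parking address. 10.10.1.10 is now free.

# Part B, run on the console of NEWDC1 (not over WinRM: the session would drop with the address).
function Set-DcAddress {
    param([string]$NewIP, [int]$Prefix, [string]$Gateway, [string]$PartnerDns)
    $if  = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name
    $old = Get-NetIPAddress -InterfaceAlias $if -AddressFamily IPv4 -PrefixOrigin Manual
    Remove-NetRoute -InterfaceAlias $if -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    $old | Remove-NetIPAddress -Confirm:$false
    New-NetIPAddress -InterfaceAlias $if -IPAddress $NewIP -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null

    # Partner DC first, itself second: a DC should not depend solely on its own DNS at boot.
    Set-DnsClientServerAddress -InterfaceAlias $if -ServerAddresses $PartnerDns, $NewIP
    Clear-DnsClientCache          # ipconfig /flushdns
    Register-DnsClient            # ipconfig /registerdns: the host A record
    nltest /dsregdns | Out-Null   # Netlogon re-registers the DC locator (SRV) and domain A records

    # Verify from the partner DC's point of view, not from the cache we just rebuilt.
    $domain = (Get-ADDomain).DNSRoot
    Resolve-DnsName -Name "$env:COMPUTERNAME.$domain" -Type A -Server $PartnerDns | Select-Object Name, IPAddress
    Resolve-DnsName -Name $domain -Type A -Server $PartnerDns | Select-Object Name, IPAddress
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $PartnerDns | Select-Object NameTarget, Port
}
Set-DcAddress -NewIP '10.10.1.10' -Prefix 24 -Gateway '10.10.1.1' -PartnerDns '10.10.1.11'
```

The demoted server re-registers its own A record from the parking address after its reboot; if DNS scavenging is off, check that no stale OLDDC1 record still points at 10.10.1.10, because anything that still uses the old name would otherwise land on the new DC.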
Dnslint utility and AD Replication Status Tool
I had a few DCs running on premises and in Azure. I made sure DC DNS and replication worked well after each DC was replaced. It took me three weeks to get it all done because of the strict change management policies.
DNSLint utility can be found at https://support.microsoft.com/en-us/help/321045/description-of-the-dnslint-utility
Dnslint /ad /s localhost /v
Dnslint /ad /s 192.168.1.1 /v
192.168.1.1 is the DNS/DC server IP address.
AD Replication Status Tool can be found at https://www.microsoft.com/en-ca/download/details.aspx?id=30005
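An added health check (mine, not the post's) to run after each swap alongside DNSLint and the AD Replication Status Tool: for every DC in the forest it counts failing inbound replication links and confirms that the DC's own DNS service answers the DC locator SRV query and returns the DC's own A record. The forest name is taken from the post; everything else is generic.

```powershell
# Added example. corp.local as forest root is from the post; the rest is generic.
Import-Module ActiveDirectory
function Test-DcHealth {
    param([string]$Forest = 'corp.local')
    $domains = (Get-ADForest -Identity $Forest).Domains
    $dcs = foreach ($d in $domains) { Get-ADDomainController -Filter * -Server $d }
    foreach ($dc in $dcs) {
        # Inbound replication: LastReplicationResult 0 means the last sync from that partner succeeded.
        try {
            $links    = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction Stop
            $failures = @($links | Where-Object { $_.LastReplicationResult -ne 0 }).Count
        } catch { $failures = -1 }   # -1: the DC could not be queried at all

        # DNS served by this DC: locator record for its domain plus its own host record.
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($dc.Domain)" -Type SRV `
                   -Server $dc.IPv4Address -ErrorAction SilentlyContinue
        $a   = Resolve-DnsName -Name $dc.HostName -Type A -Server $dc.IPv4Address -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DC           = $dc.HostName
            OS           = $dc.OperatingSystem
            Site         = $dc.Site
            ReplFailures = $failures
            SrvRecords   = @($srv | Where-Object Type -eq 'SRV').Count
            OwnARecordOK = [bool]($a | Where-Object IPAddress -eq $dc.IPv4Address)
        }
    }
}
Test-DcHealth | Format-Table -AutoSize
```

A ReplFailures of -1 or an OwnARecordOK of False right after a swap usually means the new DC's DNS client or the freed IP address is not yet where this script expects it; repadmin /replsummary and dcdiag /test:dns on that DC give the detail.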
The TIME Source
We decided to use a pool of time servers as the time source of the VMware vSphere hosts. All new on-premises DCs sync time from the host, including the new DC that took over the old time source (PDC) IP address. No other computer or device in the network had to change.
The DHCP server
The DHCP servers' IP addresses had to change because the new DC and DNS servers needed those addresses. The network team added firewall rules in advance to allow DHCP relay to the new IP addresses of the DHCP servers. The change of the DHCP servers' IP addresses went smoothly.
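An added check (my script, not the post's) for the part of a DHCP server IP change that is easy to forget: the server's authorization in AD is recorded by name and IP address, so after the change the record must be replaced or the service stops leasing once it re-validates. The DHCP server names are assumptions.

```powershell
# Added example. DHCP1/DHCP2 are assumed names for the two DHCP/DC servers in the post.
Import-Module DhcpServer
function Repair-DhcpAuthorization {
    param([string[]]$DhcpServer = @('DHCP1.corp.local', 'DHCP2.corp.local'))
    $authorized = Get-DhcpServerInDC              # name + IP pairs that AD currently lists
    foreach ($s in $DhcpServer) {
        $actual  = (Resolve-DnsName -Name $s -Type A | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
        $rec     = $authorized | Where-Object DnsName -eq $s | Select-Object -First 1
        $changed = $false
        if (-not $rec) {
            Add-DhcpServerInDC -DnsName $s -IPAddress $actual
            "$s : was not authorized, added with $actual"; $changed = $true
        } elseif ($rec.IPAddress.IPAddressToString -ne $actual) {
            # Stale record from before the IP change: replace it.
            Remove-DhcpServerInDC -DnsName $s -IPAddress $rec.IPAddress
            Add-DhcpServerInDC    -DnsName $s -IPAddress $actual
            "$s : authorization pointed at $($rec.IPAddress), replaced with $actual"; $changed = $true
        } else {
            "$s : authorized with $actual, OK"
        }
        if ($changed) {
            # The service only re-reads its authorization at start-up or at its next periodic check.
            Invoke-Command -ComputerName $s -ScriptBlock { Restart-Service DHCPServer }
        }
        # Proof of life: scopes must still be handing out leases from this server.
        Get-DhcpServerv4ScopeStatistics -ComputerName $s |
            Select-Object @{ n = 'Server'; e = { $s } }, ScopeId, InUse, Free, PercentageInUse
    }
}
Repair-DhcpAuthorization
```

The relay side is outside this script: the ip helper-address (DHCP relay) entries on the routers and the firewall rules the network team prepared must carry the same new addresses, or clients in remote subnets never reach a now-authorized server.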
Raise domain and forest functional level
After all of the legacy domain controllers had been removed and the organization was running only Windows Server 2016 domain controllers, I raised the domain and forest functional levels.
To raise the functional level, open the Active Directory Domains and Trusts console, right-click your domain and select Raise Domain Functional Level. Do this for every domain in the forest (here corp.local and ad.corp.local). Once all domains are at the new level, right-click the Active Directory Domains and Trusts node at the top of the console and choose Raise Forest Functional Level. Treat the raise as a one-way change: lowering a functional level is only possible in limited cases, so confirm replication is healthy and backups are current first.
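An added PowerShell version of the raise (mine, not the post's), with the check the console only performs at the moment you click: every DC's nTDSDSA (NTDS Settings) object, including one left behind by a DC that was removed without metadata cleanup, carries that DC's own level in msDS-Behavior-Version, and a single value below 7 (Windows Server 2016) blocks the raise. The forest name is taken from the post.

```powershell
# Added example. Forest root corp.local is from the post.
Import-Module ActiveDirectory
function Invoke-RaiseTo2016 {
    param([string]$Forest = 'corp.local', [switch]$Commit)   # without -Commit: report only
    $f      = Get-ADForest -Identity $Forest
    $config = (Get-ADRootDSE -Server $f.RootDomain).configurationNamingContext

    # msDS-Behavior-Version on nTDSDSA objects: 4 = 2008 R2, 5 = 2012, 6 = 2012 R2, 7 = 2016.
    # Objects without the attribute ($null -lt 7 is true) are flagged too, which is what we want.
    $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$config" `
                -Server $f.RootDomain -Properties 'msDS-Behavior-Version'
    $low = $ntds | Where-Object { $_.'msDS-Behavior-Version' -lt 7 }
    if ($low) {
        throw "DCs below Windows Server 2016 still registered (demote or clean up metadata first):`n" +
              (($low | ForEach-Object { "  $($_.DistinguishedName)" }) -join "`n")
    }

    # Domains first (each independently), then the forest.
    foreach ($d in $f.Domains) {
        "$d : DomainMode is $((Get-ADDomain -Identity $d).DomainMode)"
        if ($Commit) {
            Set-ADDomainMode -Identity $d -DomainMode Windows2016Domain -Confirm:$false
            "$d : DomainMode now $((Get-ADDomain -Identity $d).DomainMode)"
        }
    }
    "$Forest : ForestMode is $($f.ForestMode)"
    if ($Commit) {
        Set-ADForestMode -Identity $Forest -ForestMode Windows2016Forest -Confirm:$false
        "$Forest : ForestMode now $((Get-ADForest -Identity $Forest).ForestMode)"
    }
}
Invoke-RaiseTo2016            # report only
# Invoke-RaiseTo2016 -Commit  # raise both domains, then the forest
```

The stale-metadata case is the one that bites here: a 2008 R2 DC that was shut down rather than demoted still has an NTDS Settings object at level 4, and the raise fails until ntdsutil metadata cleanup (or deleting the server object in Sites and Services) removes it.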
References:
Forest and Domain Functional Levels: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
DNSLint utility: https://support.microsoft.com/en-us/help/321045/description-of-the-dnslint-utility