Part 4 - How to Migrate and Upgrade Active Directory Server 2016/2019 to Server 2022

In the previous blog, we have set up an additional domain controller on Windows Server 2022. In this blog, we will now upgrade the root DC to Server 2022 and raise the functional level as well.

Virtual Machine	OS	Role	IP Address
DC1 ( Root DC )	2016	Primary Domain Controller	172.16.11.4
DC2 ( new DC )	2022	Secondary Domain Controller	172.16.11.5

Blog Series

Let’s first check the Master Operation role by running the command Get-ADForest.

As seen our Schema Master is on dc1.ash.local and our Forest Model level is still Windows2016.

We will now need the below info prior to the migration so we run the command Get-ADDomain

PDC Emulator
Infrastructure Master
RID Master

Migrating FSMO roles to Windows Server 2022 .

1- From DC1, open active directory users and computers console. Right-click your local domain and then Change Domain Controller to Switch to AD2.ash.local.

2- Change to AD2.ash.local and Click OK

3- Select RID tab and then click Change.

4- Click yes to transfer the role

5- Click OK.

6- Select PDC tab and then click Change.

7- Click yes to transfer the role

7- Click OK.

8- Select the Infrastructure tab and then click Change.

9- Click yes to transfer the role

10- When you are asked for confirmation, click Yes.

11- Click OK.

12- Thus our RID, PID and Infra roles are now switched to AD2.ash.local

13- Let’s again check the Master Operation role by running the command Get-Domain.

14- Let’s again check the Master Operation role by running the command Get-ADForest.

15- We can also use a command netdom query fsmo to get all outputs

Change Active Directory Domain Controller.

15- From DC.ash.local, launch Active Directory Domain and Trusts console

16- Right-click Active Directory Domain and Trusts, and then click change Active Directory Domain Controller.

17- Change the directory server from dc1.ash.local to AD2.ash.local and Click OK

18- Now we will change the Operations Master as well. Choose the top-level container and choose Operations Master

19- Change to transfer the domain naming master role to the DC2.ash.local server

20- Click Yes.

21- Click OK

22- In the Operation Master interface, verify if the domain naming operations master is now transferred.

23- We can also use a command netdom query fsmo to get all outputs and we still can see our Schema master pointing to dc1.ash.local

24- In the AD1.ash.local server, open cli and then type regsvr32 schmmgmt.dll to change the Schema Master.

Click OK.

How to Change Schema Master Role

25- On the DC1.ash.local server type mmc in cli and add the Active Directory Schema Snapin

26- Select File and then click Add/Remove Snap-in.

27- Add or Remove Snap-ins interface, choose Active Directory Schema, select Add and then click OK.

28- In the Console, right-click Active Directory Schema and then click Change Active Directory Domain Controller.

29- In the Change Directory Server interface, Choose AD2.ash.local and then click OK.

30- Click OK to proceed.

31- In the Console, right-click Active Directory Schema and select Operations Master.

32- To Change the Schema Master interface, choose the change button to transfer the schema master role to the AD2.ash.local server.

33- Click Yes.

34- Click OK to proceed.

35- Confirm schema master is now AD2.ash.local

36- We can also use a command netdom query fsmo to get all outputs and we still can see all roles have changed to AD2.ash.local

Change Global Catalog

37- Open Active Directory Sites and Services, expand Sites, expand Default-first-site-name, right-click on NTDS Settings and then select properties.

38- Untick Global Catalog checkbox and then click ok.

How to uninstall Active Directory Domain Services from Windows Server.

39- Open PowerShell and type below command then hit enter.

Get-WindowsFeature | Where-Object {$_. installstate -eq “installed”} | Format-List Name,Installstate | more

List all installed Features and Roles

Uninstall-ADDSDomainController -DemoteOperationMasterRole –RemoveApplicationPartition

40- Insert local administrator password, confirm password and then press enter.

5- The server will be rebooted automatically.

DOMAIN / FOREST FUNCTIONAL LEVEL

What you want to know about DFL and FFL is that they epitomize advanced features. That is accessible with the newest software that can be used in the domain. Generally, when you administer a large AD environment we will notice that you have various Windows OS versions on your DCs. If you have DCs that are server 2008 R2, 2012 and you install server 2016 you will not be able to use the latest advanced features. That comes with server 2016 until we upgrade all our DC’s to server 2016 and raise the functional level. AD features are not backward compatible with AD domain controllers on the earliest versions of Windows Server so if you are running Server 2008 R2 and you install server 2016. You will be limited to those features that come with Server 2008 R2. Functional levels can be used to determine which DCs are allowed to run in our environmental. For example, if you raise the functional level to server 2016 we will not be able to install server 2012 R2 DC in our domain. You can’t set the DFL (domain functional level) to a value that is lower than the FFL (forest functional level), but we can set it to a value that is similar to or higher than the forest functional level.

1- GUI, Right-click on your domain and then select properties.