Forum Discussion

fmulharin's avatar
fmulharin
Copper Contributor
Oct 14, 2024

Domain Controller and AD FS Upgrade from Windows Server 2008 R2

My Site,  a Community College is planning to upgrade our Domain controllers and AD FS Server from Windows Server 2008 R2 Data Center,  We have 2 Domain Controllers and 1 AD FS Server,  Looking for advice on how to stage this upgrade

 

Here are More Details on our current configuration.

 

PS C:\Windows\system32> Get-ADForest
ApplicationPartitions : {DC=ForestDnsZones,DC=sullivan,DC=suny,DC=edu, DC=DomainDnsZones,DC=sullivan,DC=suny,DC=edu}
CrossForestReferences : {}
DomainNamingMaster : http://dc01.sullivan.suny.edu/
Domains : {http://sullivan.suny.edu/}
ForestMode : Windows2003Forest
GlobalCatalogs : {DC01.sullivan.suny.edu, http://dc02.sullivan.suny.edu/}
Name : http://sullivan.suny.edu/
PartitionsContainer : CN=Partitions,CN=Configuration,DC=sullivan,DC=suny,DC=edu
RootDomain : http://sullivan.suny.edu/
SchemaMaster : http://dc01.sullivan.suny.edu/
Sites : {Default-First-Site-Name}
SPNSuffixes : {}
UPNSuffixes : {}

 

Primary Domain Controller dc01
OS Version - Windows Server 2008 R2 Data Center
Roles
Active Directory Certificate Services
Active Directory Domain Services
DHCP Server
DNS Server

2nd Domain Controller dc02
OS Version - Windows Server 2008 R2 Data Center
Roles
Active Directory Certificate Services
Active Directory Domain Services
Network Policy and Access Services


ADFS SERVER

OS Version - Windows Server 2008 R2 Data Center
ADFS version 2.0

Roles
Web Server (IIS)

Features
Remote Server Administration Tools

 

Active Directory
Windows Server

2 Replies

  • kyazaferr's avatar
    kyazaferr
    MCT
    Nov 13, 2024

    Install-WindowsFeature ADFS-Federation -IncludeManagementTools

    1. Configure AD FS:
      • Run the AD FS Configuration Wizard and choose to Create the first federation server in a new federation farm.
      • Ensure you have the necessary SSL certificates installed on the new AD FS server.
      • If you have an AD FS proxy, configure that as well to ensure external access.

    4.2. Migrate AD FS Settings and Trusts

    If you have relying party trusts or claims rules configured in your old AD FS 2.0 environment, you will need to manually migrate these settings to the new AD FS server. Export and import the configuration settings as needed.

    • To export the configuration from the old AD FS 2.0 server:
    • Export-AdfsConfiguration -Path "C:\ADFS_Backup"
    • Import-AdfsConfiguration -Path "C:\ADFS_Backup"

    • Post-Upgrade Steps

      • Verify Functionality: Ensure that Active Directory and AD FS are functioning correctly. Test Group Policy, DNS, and authentication processes.
      • Monitor for replication issues between the Domain Controllers and the AD FS server.
      • Retire old hardware: Once you confirm the environment is stable, you can safely retire the old Domain Controllers and the AD FS server.

      6. Key Considerations

      • Windows Server 2022 or Windows Server 2019 is highly recommended for the DCs and AD FS servers. Make sure you install a supported version.
      • DNS and DHCP Configuration: Ensure these services are correctly transferred to the new DCs.
      • Legacy Applications: Check for any applications relying on older versions of AD FS or Active Directory features and plan for their compatibility.
  • kyazaferr's avatar
    kyazaferr
    MCT
    Nov 13, 2024

    Prepare Your Environment for the Upgrade

    Before proceeding, ensure you have a solid backup of your Active Directory environment and any important data. If you're running Active Directory Certificate Services (AD CS), make sure to back up the CA configuration as well.

    • Backup your current DCs: This includes the system state and any application data.
    • Create a test environment: If possible, replicate your environment in a test lab to test the upgrade process before doing it in production.
    • Verify the health of your AD: Run the following commands to ensure everything is functioning well:
    • dcdiag /v
      repadmin /replsummary

    • Your AD Forest is currently in Windows 2003 Forest mode. Before upgrading to a newer version of Windows Server (e.g., 2016 or 2019), you must raise the Forest Functional Level to at least Windows Server 2008. Here’s how:

      1. Upgrade the Forest Functional Level:
        • First, ensure all DCs are on Windows Server 2008 R2 or later.
        • Raise the Forest Functional Level to Windows Server 2008 or higher:
        • Set-ADForestMode -Identity "sullivan.suny.edu" -ForestMode Windows2008Forest
        • Get-ADForest | select ForestMode
        • Raise the Domain Functional Level: If you are ready, raise the Domain Functional Level as well. However, note that this is a one-way operation, and you cannot revert to a lower level after the raise:
        • Set-ADDomainMode -Identity "sullivan.suny.edu" -DomainMode Windows2008Domain

        • Upgrade Your Domain Controllers

          The primary DC (DC01) and the secondary DC (DC02) are currently running Windows Server 2008 R2. To ensure that the Active Directory environment continues to function properly, follow these steps:

          3.1. Install a New DC (Windows Server 2016 or Later)

          1. Install Windows Server 2019 or 2022 on new hardware or VMs for your new Domain Controllers.
          2. Promote the new server to be a DC:
            • Open Server Manager > Manage > Add Roles and Features > Select Active Directory Domain Services.
            • After the installation completes, promote the new server to a Domain Controller. This will involve joining it to the existing domain and allowing it to replicate AD data from the older DCs.
            Example PowerShell to promote
          3. Install-ADDSDomainController -DomainName "sullivan.suny.edu" -InstallDns -Credential (Get-Credential)

        • Decommission Old DCs (DC01 and DC02)

          Once the new DC is up and replicating data, you can decommission the old Domain Controllers.

          1. Transfer FSMO roles from the old DCs to the new DC:
            • Identify the current FSMO role holders with:
          2. netdom query fsmo
          3. Move-ADDirectoryServerOperationMasterRole -Identity "DC03" -OperationMasterRole 0,1,2,3,4

          4. Demote DC01 and DC02:

            • After the FSMO roles have been transferred, you can demote DC01 and DC02 using Server Manager or PowerShell:
            • Uninstall-ADDSDomainController -DemoteOperationMasterRole -Force
            1. Clean up DNS: Once demoted, clean up any leftover DNS entries for the old DCs in your DNS servers.

            4. Upgrade the AD FS Server

            Currently, your AD FS server is running Windows Server 2008 R2 with AD FS 2.0. AD FS 2.0 is an older version and not compatible with modern protocols, and it's critical to upgrade it.

            4.1. Install a New AD FS Server (Windows Server 2016 or Later)

            1. Install Windows Server 2016/2019/2022 on a new server.
            2.  

Resources