Domain Controller and AD FS Upgrade from Windows Server 2008 R2

Prepare Your Environment for the Upgrade

Before proceeding, ensure you have a solid backup of your Active Directory environment and any important data. If you're running Active Directory Certificate Services (AD CS), make sure to back up the CA configuration as well.

• Backup your current DCs: This includes the system state and any application data.
• Create a test environment: If possible, replicate your environment in a test lab to test the upgrade process before doing it in production.
• Verify the health of your AD: Run the following commands to ensure everything is functioning well:
• dcdiag /v
  repadmin /replsummary

• Your AD Forest is currently in Windows 2003 Forest mode. Before upgrading to a newer version of Windows Server (e.g., 2016 or 2019), you must raise the Forest Functional Level to at least Windows Server 2008. Here’s how:

  1. Upgrade the Forest Functional Level:
     • First, ensure all DCs are on Windows Server 2008 R2 or later.
     • Raise the Forest Functional Level to Windows Server 2008 or higher:
     • Set-ADForestMode -Identity "sullivan.suny.edu" -ForestMode Windows2008Forest
     • Get-ADForest | select ForestMode
     • Raise the Domain Functional Level: If you are ready, raise the Domain Functional Level as well. However, note that this is a one-way operation, and you cannot revert to a lower level after the raise:
     • Set-ADDomainMode -Identity "sullivan.suny.edu" -DomainMode Windows2008Domain

     • Upgrade Your Domain Controllers

       The primary DC (DC01) and the secondary DC (DC02) are currently running Windows Server 2008 R2. To ensure that the Active Directory environment continues to function properly, follow these steps:

       3.1. Install a New DC (Windows Server 2016 or Later)

       1. Install Windows Server 2019 or 2022 on new hardware or VMs for your new Domain Controllers.
       2. Promote the new server to be a DC:
          • Open Server Manager > Manage > Add Roles and Features > Select Active Directory Domain Services.
          • After the installation completes, promote the new server to a Domain Controller. This will involve joining it to the existing domain and allowing it to replicate AD data from the older DCs.
          Example PowerShell to promote
       3. Install-ADDSDomainController -DomainName "sullivan.suny.edu" -InstallDns -Credential (Get-Credential)

     • Decommission Old DCs (DC01 and DC02)

       Once the new DC is up and replicating data, you can decommission the old Domain Controllers.

       1. Transfer FSMO roles from the old DCs to the new DC:
          • Identify the current FSMO role holders with:
       2. netdom query fsmo
       3. Move-ADDirectoryServerOperationMasterRole -Identity "DC03" -OperationMasterRole 0,1,2,3,4

       4. Demote DC01 and DC02:

          • After the FSMO roles have been transferred, you can demote DC01 and DC02 using Server Manager or PowerShell:
          • Uninstall-ADDSDomainController -DemoteOperationMasterRole -Force
       5. 1. Clean up DNS: Once demoted, clean up any leftover DNS entries for the old DCs in your DNS servers.

          4. Upgrade the AD FS Server

          Currently, your AD FS server is running Windows Server 2008 R2 with AD FS 2.0. AD FS 2.0 is an older version and not compatible with modern protocols, and it's critical to upgrade it.

          4.1. Install a New AD FS Server (Windows Server 2016 or Later)

          1. Install Windows Server 2016/2019/2022 on a new server.
          2.