How to Migrate Windows Server 2008 R2 FSMO roles to Windows Server 2019
With the "end of support" on the horizon for Windows Server 2008 R2 coming January 2020, folks are looking around for resources to help them check off some high ticket items from their "to do" list. While coming back from my last Microsoft Ignite The Tour stop - I had some time to kill waiting for my connection. I thought I would dust off some of my Active Directory admin skills and document the quick and dirty process of upgrading your Active Directory from 2008 R2 over to the latest version of Windows Server 2019.
My lab contains two domain controllers, DC01 and DC02, running Windows Server 2008 R2 with the DNS and Active Directory roles. I have also added a Windows Server 2019 member server which will serve as my new domain controller once I have promoted it to host Active Directory and transferred the FSMO (flexible single masters of operation) roles over. This is a purposely simple lab and write-up. I am going to do my "Your Mileage May Vary" here: do your research and testing on all the nuances and gotchas out there prior to reproducing these procedures in your own environment. I would HIGHLY recommend checking out this article where John Flores has gone through an exhaustive list of what to look out for.
 
Install Active Directory on a Windows Server 2019 member server
 

This is easy enough: log in to your WS2019 server with an account that has Domain Admin rights and Enterprise Admin rights on the member server. These rights are required in order to add a domain controller into Active Directory as well as extend the schema.
 
  1. Start up a PowerShell prompt and type in the command Install-WindowsFeature AD-Domain-Services. This will install the binaries on your server.
  2. Load the ADDSDeployment module by running Import-Module ADDSDeployment in order to continue configuring Active Directory from PowerShell.
  3. Once those additional tools have been installed, run Test-ADDSDomainControllerInstallation -DomainName tailwindtraders.com to test for any prerequisites.
    • In this example my domain is TailwindTraders.com
    • You will be prompted for the Active Directory safe mode administrator password.
     Note the warning regarding "Allow cryptography algorithms compatible with Windows NT 4.0" - this is a reminder that old clients and applications pre-dating Windows Vista will not be able to establish connections or log on to domain controllers running the more modern Windows Server 2019 OS.
  4. Promote this member server into a domain controller by running Install-ADDSDomainController -CreateDnsDelegation:$false -InstallDns:$true -DatabasePath 'C:\Windows\NTDS' -DomainName 'tailwindtraders.com'
  5. After it prompts you for an ADSafeMode password and you confirm that a reboot will take place, the installation process kicks off.
    • It will initiate the install, while not bothering to make a new DNS delegation zone.
    • It will install the DNS service when promoting this machine to an Active Directory domain controller. It will add itself (127.0.0.1) to its DNS name server list.
    • It will place the database (and logs) in the C:\Windows\NTDS directory.
    • It will contact any domain controller using a standard AD query to locate one in the tailwindtraders.com domain in order to proceed.
    • You COULD target a specific domain controller by adding -ReplicationSourceDC with the fully qualified domain name of a DC if you prefer.
  6. You can see various informational messages appear in the PowerShell window as the install, schema extension and replication are in progress.

 

A restart will take place once the steps are completed.

 

Transferring the FSMO (Flexible Single Masters of Operations) roles
 
If this was a real environment you would want to wait a while to allow for replication to take place around your Active Directory. You need to log in to the new domain controller with Enterprise Admin rights in order to transfer the FSMO roles in these next steps.
 
  • You can check for replication errors by opening up a PowerShell window and running Get-ADReplicationFailure -scope SITE -target default-first-site | FT Server, FirstFailureTime, FailureCount, LastError, Partner -AUTO
NOTE: If this were a PRODUCTION migration of my Active Directory and I had NOT yet finished switching SYSVOL replication from FRS to DFSR - I would stop everything I was doing and read Ned Pyle's simplified article on how to do this.
No, really... GO READ IT NOW if you have not read it yet or made the switch.
 

You could use the old school NTDSUTIL command line utility to transfer the FSMO roles to the new domain controller. Since we're using PowerShell for this blog - we'll do it all in one command. Let's figure out which domain controllers have the roles now:
 

  • To list off the two AD Forest wide roles and find out which DC currently holds them - run Get-ADForest tailwindtraders.com | Format-List SchemaMaster,DomainNamingMaster
  • To list off the three AD Domain wide roles and find out which DC currently holds them - run Get-ADDomain tailwindtraders.com | Format-List PDCEmulator,RIDMaster,InfrastructureMaster
You can see here I have them split across both DC01 and DC02.
  • To transfer all five FSMO roles from their current location to the new DC03 - run Move-ADDirectoryServerOperationMasterRole -identity DC03 -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
It will prompt you to confirm before completing the task of transferring the roles. Once you confirm - it's all done. You can confirm with commands listed above to see that DC03 is the new owner of all the roles.
It should be said - the preference is to ALWAYS transfer FSMO roles between DCs instead of Seizing them. If for some reason a Domain Controller is down - you would have to seize it (by adding a -force to the command) but that DC can NEVER be added back into the Active Directory domain again without causing issues.
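The checks and the transfer above, combined into one gated script. This is an added example, not code from the original article; the domain and DC names are the article's lab values, and Get-FsmoHolder is a hypothetical helper defined here.

```powershell
# Added example: gated FSMO transfer using the article's lab names.
Import-Module ActiveDirectory

$Domain   = 'tailwindtraders.com'   # lab domain from the article
$TargetDC = 'DC03'                  # new Windows Server 2019 DC from the article
$Roles    = 'PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster'

# Hypothetical helper: returns role name -> FQDN of the DC currently holding it,
# as seen by the server (domain name or specific DC) that is queried.
function Get-FsmoHolder {
    param([Parameter(Mandatory)][string]$Server)
    $forest = Get-ADForest -Server $Server
    $dom    = Get-ADDomain -Server $Server
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

# Gate 1: every current holder must answer on LDAP (TCP 389). A transfer needs the
# old holder online; if one is down, stop and decide deliberately instead of adding -Force.
$before  = Get-FsmoHolder -Server $Domain
$offline = $before.Values | Sort-Object -Unique |
    Where-Object { -not (Test-NetConnection -ComputerName $_ -Port 389 -InformationLevel Quiet) }
if ($offline) { throw "Role holder(s) unreachable: $($offline -join ', ')" }

# Gate 2: no outstanding replication failures on any DC in the domain.
$failures = Get-ADReplicationFailure -Target $Domain -Scope Domain |
    Where-Object { $_.FailureCount -gt 0 }
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, LastError, FirstFailureTime -AutoSize | Out-Host
    throw 'Replication failures present; fix them before moving roles.'
}

# Transfer (the cmdlet asks for confirmation), then verify on the target DC itself
# that all five roles landed there.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles
$after = Get-FsmoHolder -Server $TargetDC
$stray = $after.GetEnumerator() | Where-Object { $_.Value -notlike "$TargetDC.*" }
if ($stray) {
    $stray | Format-Table Name, Value -AutoSize | Out-Host
    throw "Not every role is on $TargetDC."
}
$after
```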
 
What's left?
 

If this were a production environment - I would once again wait until replication has worked its way through all my domain controllers before proceeding. I would also do the following in order to continue this migration from 2008R2 to Windows Server 2019:
  • I would bring up an additional Windows Server 2019 Domain controller
  • I would ensure any clients I had were using the new 2019 DC as their primary DNS. I had DC01 with an address of 192.168.10.100 as the primary DNS in this lab.
  • I would run DCPROMO on both DC01 and DC02 boxes in order to demote and remove them from the Active Directory.
  • Once all downlevel domain controllers have been removed (and replicated) I would raise the Domain functional level to Windows2016Domain domain mode
    • run Set-ADDomainMode -identity tailwindtraders.com -DomainMode Windows2016Domain
  • Once all domains have been raised to Windows2016Domain mode, I would raise the Forest functional level to Windows2016Forest
    • run Set-ADForestMode -Identity tailwindtraders.com -ForestMode Windows2016Forest
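A pre-check for the two functional-level steps above, as an added example that is not part of the original article. It assumes the lab domain name from the article; $Apply is a hypothetical switch that keeps both Set- cmdlets in -WhatIf mode until it is set to $true.

```powershell
# Added example: refuse to raise functional levels while downlevel DCs remain.
Import-Module ActiveDirectory

$Domain = 'tailwindtraders.com'   # lab domain from the article
$Apply  = $false                  # hypothetical switch: $false = -WhatIf only

# 1. Every DC in the domain must report OS version 10.0 or later (Windows Server 2016+).
#    Windows Server 2008 R2 reports "6.1 (7601)" in OperatingSystemVersion.
$dcs = Get-ADDomainController -Filter * -Server $Domain
$downlevel = $dcs | Where-Object {
    [int](($_.OperatingSystemVersion -split '\.')[0]) -lt 10
}
if ($downlevel) {
    $downlevel | Format-Table Name, OperatingSystem, OperatingSystemVersion -AutoSize | Out-Host
    throw 'Downlevel domain controllers still present; demote them first.'
}

# 2. The demotions must have replicated cleanly.
$failures = Get-ADReplicationFailure -Target $Domain -Scope Domain |
    Where-Object { $_.FailureCount -gt 0 }
if ($failures) { throw 'Replication failures present; resolve them before raising levels.' }

# 3. Raise the domain functional level (preview only unless $Apply is $true).
Set-ADDomainMode -Identity $Domain -DomainMode Windows2016Domain -WhatIf:(-not $Apply)

# 4. Raise the forest level only when every domain in the forest is at Windows2016Domain.
$forest  = Get-ADForest -Server $Domain
$lagging = foreach ($d in $forest.Domains) {
    $mode = (Get-ADDomain -Server $d).DomainMode
    if ("$mode" -ne 'Windows2016Domain') {
        [pscustomobject]@{ Domain = $d; DomainMode = $mode }
    }
}
if ($lagging) {
    $lagging | Format-Table -AutoSize | Out-Host
    Write-Warning 'Forest level not raised: the domains listed above are below Windows2016Domain.'
    return
}
Set-ADForestMode -Identity $forest.Name -ForestMode Windows2016Forest -WhatIf:(-not $Apply)
```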
That's about it. I hope you found this quick walk-through useful in learning the steps required to migrating FSMO roles from 2008R2 to 2019 while performing an upgrade of Active Directory. What do you think of this format and content - is it something you found useful and would like more of it? Feel free to reach out and share your answers below in the comment area and suggest other topics you'd like to see the team cover.
9 Comments
Regular Visitor

Has anyone done this in a production environment yet?   If so, anything to share?

Occasional Visitor

Yes, carried out the FSMO migration from 2008 to 2019 in production using the above process. No problems at all, all worked like a charm.

Microsoft

Hey @skynet051 - glad to hear it worked for ya. Even though it can be considered a major change to work with your domain controllers, this is a relatively low risk task. Don't forget to have coverage for your global catalog servers as well. ;)

Occasional Visitor

Hello Rick,

Thanks for this article. You mention this regarding FRS :

 

NOTE: If this were a PRODUCTION migration of my Active Directory and I had NOT finished switching from SYSVOL replication to DFSR replication as of yet - I would stop everything I was doing and read NedPyle's simplified article on how to do this.

 

I would like to understand why this could be problematic for FSMO roles transfer.

Thanks in advance

Robert

 

Occasional Visitor

@Rick Claus I removed the global catalog role from server 2008 and confirmed my 2019 was global catalog server, then demoted the 2008, and still till today it hasn't shown any problem yet. Also my previous domain controller was 2008 first DC; it didn't have a 2003 DC before that, so I didn't have to go through migrating FRS to DFS, so in my case the whole process took 30 mins including demotion of 2008.

Microsoft

@diquattrobob Ensuring SYSVOL replication (FRS) to DFS is not a matter of FSMO role transfer as it is about a more modern 2019 OS not having the ability to participate in FRS replication of SYSVOL. You would end up with an empty SYSVOL on your 2019 DCs, which would become problematic if you had scripts, group policies and other critical components living in SYSVOL. 

Frequent Visitor

@Rick Claus Thanks for this. Can you answer the following:

 

1. What would be the impact of the new IP address and new server name of the primary domain controller (server 2019) in the environment? Any impact on the Exchange server configured on a member server?

2. After moving the fsmo roles, additional roles such as DHCP, DNS, RADIUS will be migrated automatically or have to be migrated manually ?

 

 

Thank you for your advice.

 

Regards

Microsoft

Hey @Bijay_George 

Regarding your questions: New IP address and computer name for the role holder should have NO impact on your environment - unless you have clients or applications who have hard coded the IP address or computer name into their authentication mechanisms. I.E. Say a user went and mapped a shared drive to the DC for some reason - that machine name (or IP address) would be different now and it would not work.  

 

All replication needs to propagate across all your DCs using your site replication process and schedule. Once that takes place - you could take over the original IP address, restart the server so that it registers all appropriate services with the new IP, and allow for replication to once again propagate. I am PERSONALLY not a big fan of changing the computer name - but that could also be done.  Because this is a NEW domain controller built from a clean member server - you are not going to be introducing DUPLICATE SIDs. 

 

As for your 2nd question - I was making the lab assumption that these additional services ARE NOT on the domain controller and are on different member servers. If that is not the case - you would have to migrate those services OFF to a different system. I have details on how to migrate DHCP; DNS is included as part of AD.

Frequent Visitor

Thank you @Rick Claus for your prompt response. That answers well!!

 

For my second question, yes you are right. The additional roles are co-hosted in the DC. Is it possible to back up the roles separately and restore to the new DC with a possible downtime? Or, as you mentioned, do I need to migrate it to another member server? Which would be the best practice?

Could you please share a link if you have procedures to migrate roles co-hosted in AD ?

 

Thanks again for your support

 

Regards

Bijay