Hello guys,
In this article I will tell you everything you need to do when you are planning to upgrade your Domain Controllers. Every time we upgrade a DC we run into some errors in the middle of the migration process that must be solved before we can continue. There are a couple of methods to upgrade Domain Controllers, but I am going to show you the method that Microsoft considers Best Practice.


Plan A – Planning:
In fact this is the most important thing! The better we plan the project, the better the execution will be. The more information you collect about the issues that will occur in your environment, the better you will know how to solve them all, or you may even decide not to start the upgrade of your Domain Controller at all if you discover compatibility issues between your company's systems and the new Schema version of Active Directory.

Planning To Upgrade:

  • Please make sure that you have a fresh backup of the Domain Controller servers.
  • Check whether you have a Read Only Domain Controller (RODC) in your environment.
  • Check the current Forest and Domain Functional Levels and verify that all of your organization's products and third-party apps that integrate with Active Directory will still be supported after the upgrade.

    You can compare the Forest and Domain Functional Level versions in the following Microsoft article:
    Understanding Active Directory Domain Services (AD DS) Functional Levels

  • Check which Domain Controller holds the FSMO roles.
    You can check that by running the following CMD command:
Netdom query fsmo
  • If your organization has more than one Domain Controller, you need to check the replication between the DCs and verify that synchronization is working properly.

    You can check DC replication by using the “Repadmin” commands in CMD:
repadmin /syncall
repadmin /replsummary
repadmin /showrepl /errorsonly
repadmin /Queue
repadmin /KCC
  • In addition to the replication checks, you need to do a proactive test of the SYSVOL folder as follows:
    • Go to the main Domain Controller and open the following local path:
      C:\Windows\SYSVOL\domain\scripts
    • Create a new item in the “Scripts” folder.
    • Go to all the other Domain Controllers and verify that the new file has been replicated to their local SYSVOL folder (C:\Windows\SYSVOL\domain\scripts).
  • Check the SYSVOL version using the following PowerShell command:
dfsrmig /getglobalstate

If you get the following result, your SYSVOL version is “FRS” (needs to be upgraded):

DFSR migration has not yet initialized. To start migration please
set global state to desired value.
PS C:\Users\administrator.ISRAEL-IT>

If you get the following result, your SYSVOL version is “DFSR” (no upgrade needed):

Current DFSR global state: 'Eliminated'
Succeeded.
  • If you need to upgrade the SYSVOL version, you can do it according to the following article:
    Migrate From FRS to DFSR
  • Map all the installed “Roles and Features” on the Domain Controller servers that you are going to upgrade (DHCP, Certificate Authority, .NET Framework, Network Policy Server (NPS), Network Load Balancing (NLB), etc.).

  • You can list the installed “Roles and Features” by using the following PowerShell command:
Get-WindowsFeature | where{$_.InstallState -eq "Installed"}
  • Make a backup of your list of “DNS Zones”, because that list will not be migrated to the new Domain Controller, and as a result you will have to recreate it.
  • To display the “DNS Zones”, please run the following PowerShell command on the Domain Controller:
Get-DnsServerZone
  • Map all of your organization's products and third-party apps that integrate with Active Directory (NetApp, Commvault, Firewall, Mail Relay, etc.), and the software installed on the DCs.

    You can check which software is installed on the DC by opening the “Control Panel” and clicking on “Programs and Features”.

  • Check which Network Time Protocol (NTP) server all the Domain Controllers are synchronized with.
    You can find the NTP server by using the following CMD command:
w32tm /query /status

In the output, the “Source” line shows the NTP server.
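As an added example that is not part of the original article, the following PowerShell script collects the items of this checklist in one run and writes them to a report folder. It assumes the RSAT modules ActiveDirectory, DnsServer and ServerManager are installed on the DC, that it runs elevated on a writable Domain Controller, and that $ReportDir is a folder of your choice.

```powershell
# Pre-upgrade inventory for the planning checklist (added example, not from the article).
# Assumption: RSAT modules ActiveDirectory, DnsServer and ServerManager are installed.
Import-Module ActiveDirectory, DnsServer, ServerManager

$ReportDir = "C:\DC-Upgrade-Report"   # assumption: any local folder for the output files
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

$forest = Get-ADForest
$domain = Get-ADDomain

# Functional levels and the current schema version; compare the schema version with the
# target OS before running adprep (44=2008, 47=2008 R2, 56=2012, 69=2012 R2, 87=2016, 88=2019/2022)
$schemaVersion = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
[pscustomobject]@{
    ForestMode    = $forest.ForestMode
    DomainMode    = $domain.DomainMode
    SchemaVersion = $schemaVersion
} | Format-List

# FSMO role holders (the same information that "netdom query fsmo" prints)
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Read Only Domain Controllers, which require the extra adprep /rodcprep step later
Get-ADDomainController -Filter { IsReadOnly -eq $true } | Select-Object HostName, Site

# Replication health and the SYSVOL replication engine (FRS or DFSR)
repadmin /replsummary          | Out-File "$ReportDir\replsummary.txt"
repadmin /showrepl /errorsonly | Out-File "$ReportDir\showrepl-errors.txt"
dfsrmig /getglobalstate        | Out-File "$ReportDir\sysvol-state.txt"

# Installed roles and features, so they can be reinstalled on the new server
Get-WindowsFeature | Where-Object InstallState -eq 'Installed' |
    Select-Object Name, DisplayName | Export-Csv "$ReportDir\features.csv" -NoTypeInformation

# DNS zone list with type and replication scope, kept as the backup the checklist asks for
Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope |
    Export-Csv "$ReportDir\dnszones.csv" -NoTypeInformation

# Time source of this DC (the "Source" line of the output)
w32tm /query /status | Out-File "$ReportDir\time-status.txt"

Write-Host "Report written to $ReportDir"
```

Run it on every DC you intend to upgrade, since installed features, DNS zones and the time source can differ between servers.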

Once you have finished mapping your environment and have planned how to handle the issues that may occur during the migration, you can continue to the next Plan.


Plan B – Extending Schema Using Adprep:

Adprep – a Microsoft tool that we use to extend the Schema and prepare the Forest for the new version of Windows Server. It can only be used from Windows Server 2008 and above.

If you don't use that tool and simply try to upgrade the Domain Controller, the Schema will be extended automatically. (Not Recommended)

So why do we need to use the “Adprep” tool proactively?

  • It is the Best Practice recommended by Microsoft.
  • It is the safest way to extend the Schema carefully.
    Personally, I had some issues that occurred because I didn't use the “Adprep” tool.



Extend Schema by using Adprep:

  • Go to your main Domain Controller, the one that holds the 5 FSMO roles.
  • Attach to the DC an ISO of the new Windows Server version that you want to upgrade to.

    Example:
    If you are upgrading Windows Server 2008, you need to use an ISO of a newer version of Windows Server, such as 2012, 2016, 2019 or higher.

  • Open CMD as an Administrator and run the following commands:

X:\support\adprep\adprep.exe /forestprep
X:\support\adprep\adprep.exe /domainprep

When you run these commands, you will get an alert warning you about the Schema extension.
Please type “C” and then press “Enter”.

  • If you have a Read Only Domain Controller (RODC), please also run the following command:

X:\support\adprep\adprep.exe /rodcprep

  • This is what a normal result looks like:



Now you are ready to add a server with the new version of Windows Server to your Domain and promote it to be an additional Domain Controller in your organization.
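Before promoting the new server, it is worth verifying that adprep has actually done its work and that the extended Schema has replicated to every DC. The following PowerShell script is an added example and not part of the original article; it assumes the ActiveDirectory RSAT module, a session on a writable DC, and that $targetOS is the Windows Server version you are upgrading to.

```powershell
# Post-adprep verification (added example, not from the article). Assumption: the
# ActiveDirectory RSAT module is installed and $targetOS is the version you upgrade to.
Import-Module ActiveDirectory

$targetOS = '2019'
# Schema objectVersion per Windows Server release, as documented by Microsoft
$schemaByOS = @{ '2008' = 44; '2008 R2' = 47; '2012' = 56; '2012 R2' = 69; '2016' = 87; '2019' = 88; '2022' = 88 }
$expected = $schemaByOS[$targetOS]

$rootDse = Get-ADRootDSE
$cfgNC   = $rootDse.configurationNamingContext
$domNC   = $rootDse.defaultNamingContext

# Revision counters that /forestprep and /rodcprep (ForestUpdates) and /domainprep
# (DomainUpdates) raise; note the values before adprep and confirm they went up afterwards
Get-ADObject -Filter 'Name -like "ActiveDirectory*Update"' -SearchBase "CN=ForestUpdates,$cfgNC" `
    -SearchScope OneLevel -Properties Revision | Select-Object Name, Revision
Get-ADObject -Filter 'Name -eq "ActiveDirectoryUpdate"' -SearchBase "CN=DomainUpdates,CN=System,$domNC" `
    -SearchScope OneLevel -Properties Revision | Select-Object @{n='Name';e={'DomainUpdate'}}, Revision

# The new schema version must have replicated to every DC (including RODCs) before the
# new server is promoted, so read objectVersion from each DC directly instead of once
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $v = (Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion -Server $dc.HostName).objectVersion
        [pscustomobject]@{ DC = $dc.HostName; ReadOnly = $dc.IsReadOnly; SchemaVersion = $v; Ready = ($v -eq $expected) }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; ReadOnly = $dc.IsReadOnly; SchemaVersion = 'unreachable'; Ready = $false }
    }
}
$report | Format-Table -AutoSize

if ($report.Ready -contains $false) {
    Write-Warning "Not every DC is at schema version $expected yet; run 'repadmin /syncall' and re-check before promoting the new DC."
} else {
    Write-Host "All DCs report schema version $expected (Windows Server $targetOS); ready to promote the new DC."
}
```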


This Article Was Written By Matan Sigavker.
