Learn how to migrate domain controllers from older versions of Windows Server to newer versions, such as Windows Server 2016, 2019, or 2022, using the best practices and tools.
Domain controllers are the core of Active Directory Domain Services (AD DS), which provides identity and access management for Windows-based networks. Domain controllers store and replicate the information about users, computers, groups, and other objects in the domain. They also process authentication and authorization requests, enforce security policies, and provide domain-wide services such as DNS and DHCP.
Migrating domain controllers from older versions of Windows Server to newer versions is a common task for IT administrators who want to take advantage of the latest features and security enhancements in the newer operating systems. However, migrating domain controllers is not a trivial task, as it involves careful planning, preparation, and execution to avoid potential issues and downtime.
In this article, we will explain the steps and best practices for migrating domain controllers from Windows Server 2008 or 2012 R2 to Windows Server 2016, 2019, or 2022. We will also introduce some tools and resources that can help you with the migration process.
Upgrade vs. Migration
Before we start, we need to clarify the difference between upgrading and migrating domain controllers. Upgrading means installing a newer version of Windows Server on an existing domain controller, which is also known as an in-place upgrade. Migrating means promoting new servers to domain controllers that run a newer version of Windows Server and demoting the older domain controllers as needed, which is also known as a side-by-side migration.
The recommended way to move domain controllers to a newer version of Windows Server is the migration method, rather than the upgrade method. The migration method has several advantages over the upgrade method:
- It allows you to test the new domain controllers before decommissioning the old ones, which reduces the risk of errors and downtime.
- It allows you to perform a gradual and controlled migration, which minimizes the impact on the network and the users.
- It allows you to use different hardware and configurations for the new domain controllers, which can improve performance and reliability.
- It allows you to avoid potential compatibility issues and bugs that may arise from upgrading the operating system of an existing domain controller.
Therefore, in this article, we will focus on the migration method for migrating domain controllers to a newer version of Windows Server.
Prerequisites
Before you start the migration process, you need to make sure that you meet the following prerequisites:
- You have a backup of your AD DS data and system state, in case you need to restore them in the event of a failure.
- You have verified the system requirements and application compatibility for the new version of Windows Server that you want to install on the new domain controllers.
- You have reviewed the recommendations and best practices for moving to a newer version of Windows Server, such as checking the security settings, the connectivity, and the availability of the Flexible Single Master Operations (FSMO) roles in AD DS.
- You have installed the new servers that will become the new domain controllers and joined them to the existing domain as member servers.
- You have prepared the AD DS schema and the domain for the new version of Windows Server by running the adprep command on the schema master and the infrastructure master domain controllers, respectively.
Migration Steps
After you have completed the prerequisites, you can follow these general steps to migrate domain controllers to a newer version of Windows Server:
- Promote the new servers to domain controllers by using the Active Directory Domain Services Configuration Wizard or the Install-ADDSDomainController PowerShell cmdlet. During the promotion process, you can choose to install the DNS Server role and the Global Catalog role on the new domain controllers, as well as configure them as read-only domain controllers (RODCs) if needed.
- Transfer the FSMO roles from the old domain controllers to the new domain controllers by using the Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Schema snap-ins, or the Move-ADDirectoryServerOperationMasterRole PowerShell cmdlet. The FSMO roles are the schema master, the domain naming master, the PDC emulator, the RID master, and the infrastructure master. You should transfer all the FSMO roles to the new domain controllers before demoting the old ones.
- Migrate any other roles and services that are running on the old domain controllers to the new domain controllers, such as DHCP, IIS, or file and print services. You can use the Server Migration Tools feature in Windows Server or other tools and methods to migrate these roles and services.
- Demote the old domain controllers by using the Active Directory Domain Services Configuration Wizard or the Uninstall-ADDSDomainController PowerShell cmdlet. During the demotion process, you can choose to remove the DNS Server role and the Global Catalog role from the old domain controllers, as well as force the removal if the old domain controllers are not reachable or have replication issues.
- Verify that the old domain controllers have been removed from AD DS and DNS by using the Active Directory Sites and Services, Active Directory Users and Computers, and DNS Manager snap-ins, or the Get-ADDomainController and Get-DnsServer PowerShell cmdlets. You should also check the event logs and run the dcdiag and repadmin commands to ensure that there are no errors or issues in the domain controller migration.
- Optionally, you can raise the domain and forest functional levels to the new version of Windows Server by using the Active Directory Domains and Trusts snap-in or the Set-ADDomainMode and Set-ADForestMode PowerShell cmdlets. Raising the functional levels enables you to use the new features and capabilities that are available in the new version of Windows Server. However, you should only raise the functional levels after you have verified that all the domain controllers in the domain and the forest are running the new version of Windows Server and that there are no compatibility issues with the applications and services in your environment.
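The transfer, demotion, and verification steps above depend on state that is easy to check before anything is removed. The following PowerShell script is an added example, not part of the original article: a read-only gate to run before demoting an old domain controller. It assumes the ActiveDirectory module is installed, and `OLD-DC01` is a hypothetical host name.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only checks to run before demoting an old domain controller.
param(
    [string]$OldDC = 'OLD-DC01'   # hypothetical host name; replace with your own
)

$domain   = Get-ADDomain
$forest   = Get-ADForest
$problems = @()

# 1. All five FSMO roles must already be on the new domain controllers.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    # Role holders are reported as FQDNs, so compare on the host label only.
    if (($fsmo[$role] -split '\.')[0] -ieq $OldDC) {
        $problems += "$role is still held by $OldDC"
    }
}

# 2. A global catalog must remain once the old domain controller is gone.
$allDCs    = Get-ADDomainController -Filter *
$remaining = $allDCs | Where-Object { $_.Name -ine $OldDC }
if (-not ($remaining | Where-Object { $_.IsGlobalCatalog })) {
    $problems += "No global catalog would remain after demoting $OldDC"
}

# 3. Replication must be healthy, or the demotion can strand unreplicated changes.
$failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
    Where-Object { $_.FailureCount -gt 0 }
foreach ($f in $failures) {
    $problems += "Replication failure: $($f.Server) <- $($f.Partner) ($($f.FailureCount) failures)"
}

# Informational: operating systems still present, relevant before raising functional levels.
$allDCs | Sort-Object Name |
    Format-Table Name, OperatingSystem, IsGlobalCatalog -AutoSize | Out-Host

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Do not demote ${OldDC} yet: $($problems.Count) blocking issue(s)."
}
Write-Output "No blocking issues found for $OldDC."
```

A clean run means a normal demotion should succeed without resorting to forced removal; the `dcdiag` and `repadmin` checks in the verification step still apply afterwards.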
Tools and Resources
To help you with the domain controller migration process, you can use the following tools and resources:
- The Active Directory Migration Tool (ADMT) is a tool that allows you to migrate users, groups, computers, and other objects from one domain to another, within or across forests. ADMT can also migrate passwords, SID history, and group memberships, as well as restructure domains and forests. You can use ADMT to consolidate domains within a forest or migrate domains to a new AD DS forest, as part of the domain controller migration process.
- The Windows Server Migration Tools feature allows you to migrate roles and features from one server to another, within or across domains. You can use Windows Server Migration Tools to migrate roles and features such as DHCP, IIS, file and print services, and local users and groups, as part of the domain controller migration process.
- The Microsoft Learn module on Active Directory Domain Services migration provides an overview of the concepts and procedures for migrating domain controllers to a newer version of Windows Server. You can use this module to learn how to compare upgrading and migrating domain controllers, how to upgrade an existing AD DS forest, how to migrate to a new AD DS forest, and how to use ADMT.
- The Microsoft Docs article on upgrading domain controllers to a newer version of Windows Server provides detailed information and guidance on how to upgrade domain controllers from an earlier version of Windows Server to a newer version. You can use this article to learn how to prepare for the upgrade, how to perform the upgrade, and how to troubleshoot upgrade issues.
Frequently Asked Questions (FAQs)
Question: Can I upgrade and migrate domain controllers at the same time?
Answer: No, you cannot upgrade and migrate domain controllers at the same time. You have to choose one method or the other. The recommended method is to migrate domain controllers, rather than upgrade them.
Question: Can I migrate domain controllers from different versions of Windows Server to the same version of Windows Server?
Answer: Yes, you can migrate domain controllers from different versions of Windows Server to the same version of Windows Server, as long as the source and the target versions are supported by the AD DS schema and the domain and forest functional levels.
Question: Can I migrate domain controllers from a newer version of Windows Server to an older version of Windows Server?
Answer: No, you cannot migrate domain controllers from a newer version of Windows Server to an older version of Windows Server. You can only migrate domain controllers from an older version of Windows Server to a newer version of Windows Server.
Question: How long does it take to migrate domain controllers to a newer version of Windows Server?
Answer: The time it takes to migrate domain controllers to a newer version of Windows Server depends on several factors, such as the number and size of the domain controllers, the network bandwidth and latency, the replication frequency and topology, and the complexity of the migration scenario. It can take from a few hours to a few days to complete the migration process.
Question: How can I monitor and verify the migration process?
Answer: You can monitor and verify the migration process by using various tools and methods, such as the event logs, the dcdiag and repadmin commands, the Active Directory Sites and Services, Active Directory Users and Computers, and DNS Manager snap-ins, and the Get-ADDomainController and Get-DnsServer PowerShell cmdlets. You should also test the functionality and performance of the new domain controllers and the applications and services that depend on them.
Summary
In this article, we have explained how to migrate domain controllers from older versions of Windows Server to newer versions, such as Windows Server 2016, 2019, or 2022, using the best practices and tools. We have also provided some FAQs and resources that can help you with the migration process. We hope that this article has been helpful and informative for you. If you have any questions or