Upgrading DC tips
Posted by adamixa1@reddit | sysadmin | 19 comments
Hi everyone, looking for some advice here!
To give some background, we have two DCs and one RODC across different office locations. The two DCs are running Windows Server 2016 and 2012, while the RODC is on 2012. With Windows Server 2025 now out, and our CAL licenses being for Windows 2022 (which, according to our vendor, cover up to 3 versions back), this seems like a good time to upgrade our DCs, since 2016 is no longer covered if we add another CAL.
My manager is on board with the upgrade, so I’m working on the budget for a hardware refresh and new licenses, which I think I can handle. The bigger challenge is that I haven’t had experience with a domain controller migration before, let alone upgrading all our DCs and RODC at once.
I’d love any advice on what to expect, the main steps, and any risks I should be aware of. I was initially thinking about doing an in-place Windows upgrade, but the more I think about the complexity, the more stressed I get. Can anyone share their experiences with this kind of upgrade, including any pitfalls to avoid?
Thanks in advance for any tips!
frac6969@reddit
Microsoft downgrade rights cover all previous versions. The 2 versions back is about available keys and downloads.
adamixa1@reddit (OP)
Is this applicable to CALs?
frac6969@reddit
CAL covers all previous versions. And future versions if you have SA. Except for RDS which has to version match.
Man-e-questions@reddit
As others have said, don't in-place upgrade, build new. The hardest part will be figuring out all the old apps and devices hardcoded to the old DCs' names or IPs for LDAP etc.
adamixa1@reddit (OP)
Yeah, the ones that I am aware of are the systems that I deployed, and also our RADIUS. Maybe I need to make a list first.
SmallBusinessITGuru@reddit
I'm sure upgrading a DC is possible, and that one or many people will chime in that they had no issue doing so.
I've never done it in twenty-five years of managing Active Directory outside of a classroom lab I taught.
There's just no point in upgrading and adding that little bit of extra complexity, Active Directory is designed with the idea that domain controllers are replaceable. As such my response to any DC issue is to replace first, replace fast.
BuffaloRedshark@reddit
My company always just stands up new ones and then, after some amount of time with everything still healthy, we gracefully demote and decom the old ones.
Any_Particular_Day@reddit
A domain controller is just a server running an application stack with a database, right? So an upgrade should work… And it may work, but if it goes sideways you may end up breaking ADDS in new and interesting ways. Don’t want to end up like this…
Now, I’ve done in place upgrades in my lab with a 50/50 success rate. Sometimes it works fine. Sometimes it breaks replication or the FSMO roles get lost in the shuffle and trying to seize them back gives interesting messages, or it all appears to work but the logs fill up with thousands of unhelpful error messages. It’s a fun thing to play with and wargame, in the lab.
In production, there’s no way I’d attempt an in place upgrade of a DC. Build new, promote, let replication happen for a while to make sure it’s good. Maybe even drop the network from one of the old ones for a while to see what screams. Then transfer FSMO roles to the new and demote the old.
One final thing… Server 2025 has just dropped. Why the rush to put it into possibly the most important role in a traditional MS on-prem network? I’d let that new thing stew for six months at least, let the early adopters and the bleeding edge peeps figure out the growing pains first, before putting it into service.
anonpf@reddit
I'd let it stew for a couple of years, to be frank. There's no need to rush into an OS that will be buggy because it hasn't baked long enough.
adamixa1@reddit (OP)
I only triggered the upgrade because we don't have enough CAL licenses, hence the proposed one-shot upgrade of the DCs. OS-wise, I might go for Windows 2022 for stability.
Any_Particular_Day@reddit
Okay, take a breath here. The CALs are important, but (per my MS vendor) there is some wiggle room here for this kind of scenario. If you're in the midst of a DC upgrade project, no one from MS will be kicking your door down because you have one more machine than you have CALs for while you're upgrading your DCs one by one.
adamixa1@reddit (OP)
Ahem, actually we've already exceeded it by more than 50.
Puck1337@reddit
Do NOT in place upgrade a domain controller. EVER!
Your best bet is to build out the new one(s), promote them to their respective roles, then demote the old ones. I'm not at the office right now, but do a Google search for promoting new DCs and you should find a guide.
adamixa1@reddit (OP)
OK, sure. Yeah, I will exclude the in-place upgrade from my to-do list.
Beefcrustycurtains@reddit
Don't in-place upgrade them. Just set up a new VM with Server 2025, add the domain roles, and promote it to a domain controller. Since you don't have any 2019 DCs, you may need to do the dfsrmig process before you can promote a 2025 domain controller.
DFSR migration for adding a 2019 DC to a domain still using FRS:
1. Run dfsrmig /getglobalstate. The output explains that DFSR migration has not been initiated yet.
2. Run dfsrmig /setglobalstate 1.
3. Run dfsrmig /getmigrationstate to confirm all domain controllers have reached the Prepared state.
4. Run dfsrmig /setglobalstate 2.
5. Run dfsrmig /getmigrationstate to confirm all domain controllers have reached the Redirected state.
6. Run dfsrmig /setglobalstate 3.
7. Run dfsrmig /getmigrationstate to confirm all domain controllers have reached the Eliminated state.
This completes the migration process. To confirm the SYSVOL share, run the net share command.
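The following is an added PowerShell example (not code from the thread or from any commenter) that wraps the dfsrmig procedure above in a pre-flight report and a gated migration driver. It assumes Windows PowerShell 5.1 on a domain-joined admin box with the RSAT ActiveDirectory module, run as a Domain Admin, and that dfsrmig.exe prints the global state as a quoted word (for example "Current DFSR global state: 'Eliminated'") and the phrase "migrated successfully" once every DC has reached a target state; the `$RunMigration` switch and the output-parsing regexes are this example's own assumptions, so check the raw dfsrmig output in your domain before relying on them.

```powershell
# Pre-flight check and gated driver for the FRS -> DFSR SYSVOL migration.
# Added example; assumptions: Windows PowerShell 5.1, RSAT ActiveDirectory module,
# Domain Admin rights, dfsrmig.exe on PATH. Nothing here is specific to one domain.
Import-Module ActiveDirectory -ErrorAction Stop

$RunMigration = $false   # flip to $true only after reviewing the report below

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain functional level : {0}" -f $domain.DomainMode
"Forest functional level : {0}" -f $forest.ForestMode
"PDC / RID / Infra       : {0} / {1} / {2}" -f $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster
"Schema / Naming         : {0} / {1}" -f $forest.SchemaMaster, $forest.DomainNamingMaster

# 1. SYSVOL replication engine. A Server 2019 or later DC cannot be promoted while
#    SYSVOL still replicates with FRS, so anything other than 'Eliminated' blocks the project.
#    ASSUMPTION: dfsrmig quotes the state name; if migration was never started it prints
#    an explanatory sentence with no quoted state, which we report as NotStarted.
$globalOut = (dfsrmig /getglobalstate) -join "`n"
if ($globalOut -match "'(Start|Prepared|Redirected|Eliminated)'") { $state = $Matches[1] }
else { $state = 'NotStarted' }
"SYSVOL migration state  : {0}" -f $state

# 2. Per-DC view: OS version, RODC flag, which replication services are present and
#    whether the SYSVOL share is reachable. Get-Service -ComputerName needs PowerShell 5.1.
$dcs = Get-ADDomainController -Filter *
$report = foreach ($dc in $dcs) {
    $frs  = Get-Service -ComputerName $dc.HostName -Name NtFrs -ErrorAction SilentlyContinue
    $dfsr = Get-Service -ComputerName $dc.HostName -Name DFSR  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC     = $dc.HostName
        OS     = $dc.OperatingSystem
        RODC   = $dc.IsReadOnly
        GC     = $dc.IsGlobalCatalog
        NtFrs  = if ($frs)  { $frs.Status }  else { 'absent' }
        DFSR   = if ($dfsr) { $dfsr.Status } else { 'absent' }
        Sysvol = Test-Path "\\$($dc.HostName)\SYSVOL"
    }
}
$report | Format-Table -AutoSize

# 3. One migration step: set the global state, then poll until every DC (the RODC
#    included) reports it has reached that state, or give up after the timeout.
function Invoke-SysvolMigrationStep {
    param([ValidateRange(1, 3)][int]$TargetState, [int]$TimeoutMinutes = 30)
    $names = @{ 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }
    Write-Host ("Setting global state {0} ({1})" -f $TargetState, $names[$TargetState])
    dfsrmig /setglobalstate $TargetState | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $out = (dfsrmig /getmigrationstate) -join "`n"
        # ASSUMPTION: dfsrmig says "...migrated successfully to ... ('<State>')" when done;
        # until then it lists the DCs that are still behind, which we echo for the operator.
        if ($out -match 'migrated successfully') { return $true }
        Write-Host $out
    } while ((Get-Date) -lt $deadline)
    return $false
}

# 4. Drive the three steps in order. Each one waits for all DCs; state 3 (Eliminated)
#    cannot be rolled back, so this only runs when explicitly enabled and FRS is in use.
if ($RunMigration -and $state -ne 'Eliminated') {
    foreach ($s in 1..3) {
        if (-not (Invoke-SysvolMigrationStep -TargetState $s)) {
            throw "Not all DCs reached state $s in time; fix replication (repadmin /replsummary) before continuing"
        }
    }
    net share | Select-String 'SYSVOL'   # SYSVOL should now be served from the DFSR path
}
```

Run it once with `$RunMigration` left at `$false` to get the state and per-DC table, confirm `repadmin /replsummary` shows no failures, and only then enable the driver; if the RODC is on a slow link, raise `TimeoutMinutes` rather than retrying a step.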
adamixa1@reddit (OP)
thanks, i will put this in my note
jxd1234@reddit
Although I believe in-place upgrades are now supported, I'd avoid doing it, as your AD isn't something that you want to go wrong. I'd also personally avoid using 2025, as it only went GA this week.
The process is very simple. From a high level it looks like the following.
Spin up new servers where you'd want them to be, join them to the domain and promote them to DCs. Transfer all FSMO roles to the new DCs.
If you use your DCs for DNS you'll have to update devices to point to your new DCs for DNS. Hopefully most stuff is using DHCP, and this should be easy enough.
The last thing you'll need to do is ensure that nothing else is talking to the old DCs. A good way of doing this is Wireshark. You'll be able to see if any devices are using the old DCs for DNS this way.
It's a good idea to have your DCs as pure DCs that are only doing the job of a DC. For example don't put DHCP on your DCs. If your current servers have any other services attached to them you'll have to migrate them as well. Ideally to a different server.
Once you think you've transferred everything to your new DCs switch off the old ones. If anything goes wrong you can turn them back on and investigate the issues. If you've had them off for a long enough period of time without issues you should be able to turn them back on and demote the old DCs.
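As an added example (not code from the thread or its commenters), here is a PowerShell cutover helper for the steps in this post: verify replication, move all five FSMO roles to the new DC, then hunt for things still pointing at the old DCs in DHCP and in servers' static DNS settings. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory and DhcpServer modules, Enterprise Admin rights, WinRM to the listed servers, and that DHCP lives on its own server; the host names and IP addresses at the top are placeholders invented for this example.

```powershell
# Cutover helper: health check, FSMO transfer, and straggler hunt for a DC replacement.
# Added example; all names and addresses below are placeholders, replace them with yours.
Import-Module ActiveDirectory, DhcpServer -ErrorAction Stop

$NewDc    = 'DC03.corp.example'               # new DC that will hold all five FSMO roles
$OldDcIps = @('10.0.1.10', '10.0.2.10')       # IPs of the DCs being retired
$Dhcp     = 'DHCP01.corp.example'             # DHCP server (kept off the DCs, as the post advises)
$NewDns   = @('10.0.1.20', '10.0.2.20')       # new DC IPs to hand out as DNS servers
$Servers  = @('RADIUS01', 'APP01', 'FILE01')  # servers with static DNS settings to audit

# 1. Replication and DC health first. Any "fail" lines or a non-zero dcdiag exit code
#    mean stop here; do not move roles onto a DC that is not replicating cleanly.
repadmin /replsummary
dcdiag /s:$NewDc /test:Replications /test:Advertising /q
if ($LASTEXITCODE -ne 0) { throw "dcdiag reported problems on $NewDc" }

# 2. Move every FSMO role to the new DC and read the result back from AD (not from cache).
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
$d = Get-ADDomain; $f = Get-ADForest
[pscustomobject]@{
    Schema = $f.SchemaMaster; Naming = $f.DomainNamingMaster
    PDC = $d.PDCEmulator; RID = $d.RIDMaster; Infra = $d.InfrastructureMaster
} | Format-List

# 3. DHCP: the server-level default and every scope that still hands out an old DC as a
#    DNS server (option 6). Returns one row per offending scope.
function Get-DhcpDnsStragglers {
    param([string]$Server, [string[]]$OldIps)
    $hits = @()
    $targets = @([pscustomobject]@{ ScopeId = $null; Name = '(server default)' }) +
               @(Get-DhcpServerv4Scope -ComputerName $Server)
    foreach ($t in $targets) {
        $opt = if ($t.ScopeId) {
            Get-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $t.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
        } else {
            Get-DhcpServerv4OptionValue -ComputerName $Server -OptionId 6 -ErrorAction SilentlyContinue
        }
        $bad = @($opt.Value | Where-Object { $_ -in $OldIps })
        if ($bad.Count -gt 0) {
            $hits += [pscustomobject]@{
                Scope = $t.Name; ScopeId = $t.ScopeId
                DnsServers = ($opt.Value -join ','); OldDc = ($bad -join ',')
            }
        }
    }
    return $hits
}
$stragglers = Get-DhcpDnsStragglers -Server $Dhcp -OldIps $OldDcIps
$stragglers | Format-Table -AutoSize
# Fix a scope with:  Set-DhcpServerv4OptionValue -ComputerName $Dhcp -ScopeId <id> -DnsServer $NewDns
# Clients pick the change up on renew; shorten the lease time beforehand if you want it fast.

# 4. Servers with static NIC DNS settings (the RADIUS box, anything with LDAP hardcoded).
#    These never see the DHCP change and are the usual "what screams" when an old DC goes off.
foreach ($s in $Servers) {
    $cfg = Invoke-Command -ComputerName $s -ErrorAction SilentlyContinue -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
    }
    foreach ($c in $cfg) {
        $bad = @($c.ServerAddresses | Where-Object { $_ -in $OldDcIps })
        if ($bad.Count -gt 0) { "{0}: {1} still uses old DC(s) {2}" -f $s, $c.InterfaceAlias, ($bad -join ',') }
    }
}
```

This finds the configured stragglers; it does not replace the Wireshark step, since devices you never listed (printers, appliances, the RADIUS server's LDAP target) only show up as live traffic to the old DC's IP. Powering the old DC off for a few days and watching what breaks, as the post suggests, is the final check before `Uninstall-ADDSDomainController` on it.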
adamixa1@reddit (OP)
Thank you for the tips, I can imagine it right now. Is it OK if there are many DCs running at once? There will be the 2 original DCs, one new DC, and another DC that will be set up later. Or should I complete one DC first, shut down the old one, and then set up another new DC?
jxd1234@reddit
Having multiple DCs is fine.
I would spin up the 2 new DCs alongside the old 2 and then decommission the old 2 when ready.