For those who may be considering upgrading Windows Server 2012 R2 Domain Controller to Windows Server 2016, there are a few things to consider first. I have never liked the idea of upgrading OS’es. It just seems like taking contaminated blood and infusing it into a potentially healthy person. However, there sometimes are good reasons to do this. Let’s take a look at the process of how to Upgrade Windows Server 2012 R2 Domain Controller to Windows Server 2016.
There are some really nice new features that come with Active Directory Domain Services in Windows Server 2016. Just to name a few:
Privileged Access Management – A feature that helps to mitigate potential credentials breaches. It does this by utilizing a new bastion forest provisioned by Microsoft Identity Manager. This new forest has a special PAM trust with your existing AD forest. Also a cool feature of this provision is an expiring links feature which enables time-bound membership in a shadow group. Users can be added for specified periods of time. New KDC enhancements are in place as well restricting ticket time to the lowest possible TTL value. New monitoring capabilities. This requires a forest functional level of 2012 R2 or higher.
Azure AD join – Benefits include Single Sign On, BYOD access support, MDM integration, Accessing organization resources, etc
Microsoft Passport – This is a new key based authentication approach that utilizes OTP (one time password), phonefactor or different notification mechanism. Users log on with a biometric or PIN that is linked to a key pair.
FRS deprecation – Goodbye to FRS (file replication service). The old replication service with Windows Server 2003 is finally deprecated. However, see our post on preparing a domain for Server 2016 – this is not entirely true.
Upgrade Windows Server 2012 R2 Domain Controller to Windows Server 2016
To set up the test lab, I simply have a VM that is running Windows Server 2012 R2 and has the Active Directory Domain Services role installed. It holds all the roles, so a basic single domain controller (you wouldn’t have this in production but for simplicity sake this is the way I setup the lab to test the upgrade).
***Note*** Always make sure to test in a lab environment the outcome of upgrades, etc, before performing any major changes in your production infrastructure.
Just a quick sanity check. As you can see below, we show to be at the highest domain level:
***Note*** I wanted to see how the upgrade handled the forestprep and domainprep since I hadn’t already ran this prior to starting the upgrade. Let’s see. First thing we are prompted to do is get updates.
You can choose between the (Desktop Experience) which I opted for, or sans desktop experience.
So first thing that is interesting is the warning we have here about the VMware SVGA 3D adapter. The upgrade has you Confirm that you want to proceed and then has you do that again as you will see below.
We are warned here that the best path may be to perform a clean install.
Forest and Domain Prep
As the upgrade installer moves along, it recognizes that we are running this on a domain controller. We are prompted that we have not ran the forestprep or domainprep commands and points us to the KB articles detailing these processes.
We are prompted that “Active Directory on this domain controller does not contain Windows Server 2016 ADPREP/ FORESTPREP. The relevant KB article is found here: http://go.microsoft.com/fwlink/?LinkId=113955
So we leave the upgrade screen open and just open an administrator command prompt and execute the command.
***Note*** I have the ISO for Windows Server 2016 mounted on my VM. It is mounted to the D: drive.
You need to be logged onto the schema master as a member of the Enterprise Admins, Schema Admins, and Domain Admins groups.
Confirm the forestprep operation by typing a ‘C‘ and then pressing ENTER.
Forestprep completes successfully.
Now, we hit the Refresh on the upgrade screen and we have made progress. We now are prompted to run the /DOMAINPREP command. It points us to the same KB article.
So, again, we open our administrator command prompt and run the domainprep command.
Domainprep executes speedily.
When you hit Refresh this time, it simply moves on to the applications compatibility check, so we know that we have successfully prepared the domain controller for 2016 compatibility.
Ready to begin…
I have to say this section took quite a while. If you choose to download and install updates, those are installed during the process as well, adding to the total time.
The first check – Can we open Active Directory? A quick launch of Active Directory Users and Computers shows AD is alive and well after the upgrade. The “Test User” account I had created beforehand was brought across as we would expect, but a good check of objects coming across with the upgrade.
Now, as we can see, when looking at both the forest and domain functional levels, we have the Windows Server 2016 level available to us.
An in place upgrade of a domain controller may not be something you want to do. Especially if you are looking at upgrading physical hardware as older hardware may not be supported with Windows Server 2016. Be sure to check your OEM to make sure of compatibility. As we have shown, however, if you want to Upgrade Windows Server 2012 R2 Domain Controller to Windows Server 2016, this is definitely doable. It is great to see the upgrade installer recognize that we had not ran forest or domainprep as of yet and wouldn’t allow the installer to move forward until we did.
My personal preference is not to upgrade as upgrades can be messy and bring across problems. It feels much better to start with a clean slate and move forward. Bringing a new Windows Server 2016 domain controller online into the mix would be my preference here, then demoting the old domain controllers. Your mileage may vary though and there may be specific reasons to perform an in place upgrade.