
Upgrade Windows Server 2012 R2 Domain Controller to Windows Server 2016

For those who may be considering upgrading a Windows Server 2012 R2 Domain Controller to Windows Server 2016, there are a few things to consider first. I have never liked the idea of upgrading OSes. It just seems like taking contaminated blood and infusing it into a potentially healthy person. However, there sometimes are good reasons to do this. Let’s take a look at the process of how to upgrade a Windows Server 2012 R2 Domain Controller to Windows Server 2016.

There are some really nice new features that come with Active Directory Domain Services in Windows Server 2016. Just to name a few:

Privileged Access Management – A feature that helps to mitigate potential credential breaches. It does this by utilizing a new bastion forest provisioned by Microsoft Identity Manager. This new forest has a special PAM trust with your existing AD forest. This provisioning also includes an expiring-links feature, which enables time-bound membership in a shadow group: users can be added for specified periods of time. New KDC enhancements restrict Kerberos ticket lifetime to the lowest possible TTL value, and new monitoring capabilities are included. This requires a forest functional level of 2012 R2 or higher.

Azure AD join – Benefits include Single Sign On, BYOD access support, MDM integration, access to organization resources, and so on.

Microsoft Passport – This is a new key-based authentication approach that utilizes OTP (one-time password), PhoneFactor or a different notification mechanism. Users log on with a biometric or PIN that is linked to a key pair.

FRS deprecation – Goodbye to FRS (File Replication Service). The old replication service dating from Windows Server 2003 is finally deprecated. However, see our post on preparing a domain for Server 2016 – this is not entirely true.

Upgrade Windows Server 2012 R2 Domain Controller to Windows Server 2016

To set up the test lab, I simply have a VM that is running Windows Server 2012 R2 and has the Active Directory Domain Services role installed. It holds all the FSMO roles, so it is a basic single domain controller (you wouldn’t have this in production, but for simplicity’s sake this is the way I set up the lab to test the upgrade).

Note: Always make sure to test the outcome of upgrades, etc., in a lab environment before performing any major changes in your production infrastructure.

Just a quick sanity check. As you can see below, the lab is at the highest available domain functional level:

[Screenshot: w2012dc16up19]

Note: I wanted to see how the upgrade handled the forestprep and domainprep, since I hadn’t already run these prior to starting the upgrade. Let’s see. The first thing we are prompted to do is get updates.

[Screenshot: w2012dc16up01]
[Screenshot: w2012dc16up02]
[Screenshot: w2012dc16up03]

Prompted for product key…

[Screenshot: w2012dc16up04]

You can choose between the Desktop Experience installation, which I opted for, or the installation without the desktop experience.

[Screenshot: w2012dc16up05]

[Screenshot: w2012dc16up06]

[Screenshot: w2012dc16up08]

So the first thing that is interesting is the warning we have here about the VMware SVGA 3D adapter. The upgrade has you confirm that you want to proceed, and then has you do that again, as you will see below.

[Screenshot: w2012dc16up10]

We are warned here that the best path may be to perform a clean install.

[Screenshot: w2012dc16up11]

Forest and Domain Prep

As the upgrade installer moves along, it recognizes that we are running this on a domain controller. We are told that we have not run the forestprep or domainprep commands, and the installer points us to the KB article detailing these processes.

We are prompted that “Active Directory on this domain controller does not contain Windows Server 2016 ADPREP /FORESTPREP.” The relevant KB article is found here: https://go.microsoft.com/fwlink/?LinkId=113955

[Screenshot: w2012dc16up11b]

So we leave the upgrade screen open, open an administrator command prompt, and execute the forestprep command.

Note: I have the ISO for Windows Server 2016 mounted on my VM. It is mounted as the D: drive.

You need to be logged onto the schema master as a member of the Enterprise Admins, Schema Admins, and Domain Admins groups.

[Screenshot: w2012dc16up11c]

Confirm the forestprep operation by typing ‘C’ and then pressing ENTER.

[Screenshot: w2012dc16up11d]

Forestprep completes successfully.

[Screenshot: w2012dc16up11e]

Now, we hit Refresh on the upgrade screen and we have made progress. We are now prompted to run the /DOMAINPREP command. It points us to the same KB article.

[Screenshot: w2012dc16up11f]

So, again, we open our administrator command prompt and run the domainprep command.

[Screenshot: w2012dc16up11g]

Domainprep executes speedily.

[Screenshot: w2012dc16up11h]

When you hit Refresh this time, it simply moves on to the application compatibility check, so we know that we have successfully prepared the forest and domain for the 2016 domain controller.
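The forestprep and domainprep steps above are run from screenshots in the post; the following is an added example, not code from the original post, that wraps the same steps in a PowerShell script with the checks a practitioner would want around them: it verifies the requirements the post lists (logged on to the schema master, member of Enterprise Admins, Schema Admins and Domain Admins, media mounted), records the schema and update-revision values before and after, runs adprep.exe from the mounted media, and confirms the schema reached the Windows Server 2016 version (objectVersion 87). It assumes the ISO is mounted as D: as in the post, that the script runs in an elevated PowerShell on the 2012 R2 DC, and that the ActiveDirectory module is installed.

```powershell
# Added example (not from the original post): pre-flight checks, adprep run and
# verification for the Windows Server 2016 forest/domain prep.
# Assumptions: elevated PowerShell on the 2012 R2 DC holding the schema master,
# Server 2016 ISO mounted as D:, ActiveDirectory module available.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$MediaRoot  = 'D:'                                  # assumption: ISO drive letter
$Adprep     = Join-Path $MediaRoot 'support\adprep\adprep.exe'
$Schema2016 = 87                                    # schema objectVersion set by Server 2016 adprep

function Get-AdPrepState {
    # Reads the values adprep changes so they can be compared before and after.
    $root   = Get-ADRootDSE
    $domain = Get-ADDomain
    $schema    = Get-ADObject -Identity $root.schemaNamingContext -Properties objectVersion
    $forestUpd = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($root.configurationNamingContext)" `
                              -Properties revision -ErrorAction SilentlyContinue
    $domainUpd = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($domain.DistinguishedName)" `
                              -Properties revision -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SchemaVersion        = $schema.objectVersion
        ForestUpdateRevision = $forestUpd.revision
        DomainUpdateRevision = $domainUpd.revision
        ForestMode           = (Get-ADForest).ForestMode
        DomainMode           = $domain.DomainMode
    }
}

function Test-AdPrepPrerequisites {
    # Mirrors the post's requirements. Returns a list of problems (empty = OK).
    $problems     = @()
    $localFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $schemaMaster = (Get-ADForest).SchemaMaster
    if ($localFqdn -ne $schemaMaster) {
        $problems += "This host ($localFqdn) is not the schema master ($schemaMaster)."
    }
    # Direct group membership only; nested membership is not resolved here.
    $groups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME | Select-Object -ExpandProperty Name
    foreach ($required in 'Enterprise Admins', 'Schema Admins', 'Domain Admins') {
        if ($groups -notcontains $required) { $problems += "Current user is not a member of '$required'." }
    }
    if (-not (Test-Path $Adprep)) { $problems += "adprep.exe not found at $Adprep (is the ISO mounted?)." }
    return $problems
}

function Invoke-AdPrep {
    param([ValidateSet('/forestprep', '/domainprep')][string]$Phase)
    # /forestprep prompts for confirmation: type C and press ENTER, as in the post.
    & $Adprep $Phase
    if ($LASTEXITCODE -ne 0) { throw "adprep $Phase failed with exit code $LASTEXITCODE" }
}

# --- main flow ---
$before = Get-AdPrepState
Write-Host 'Before adprep:'; $before | Format-List

$issues = Test-AdPrepPrerequisites
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisites not met; stopping before adprep.'
}

if ($before.SchemaVersion -lt $Schema2016) {
    Invoke-AdPrep -Phase '/forestprep'
} else {
    Write-Host "Schema already at version $($before.SchemaVersion); skipping /forestprep."
}
Invoke-AdPrep -Phase '/domainprep'

$after = Get-AdPrepState
Write-Host 'After adprep:'; $after | Format-List
if ($after.SchemaVersion -ne $Schema2016) {
    Write-Warning "Schema version is $($after.SchemaVersion), expected $Schema2016; review the adprep log under $env:SystemRoot\debug\adprep\logs."
}
```

The before/after state is worth keeping in your change record: the schema objectVersion is the one value that proves forestprep actually committed, and the two revision attributes show whether the forest and domain update containers were touched. Only the schema version is compared against a hard-coded expected value here; the revision numbers are printed for comparison with Microsoft's published table for your target release.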

[Screenshot: w2012dc16up12]

Space check is initiated…

[Screenshot: w2012dc16up13]

Ready to begin…

[Screenshot: w2012dc16up14]

I have to say this section took quite a while. If you choose to download and install updates, those are installed during the process as well, adding to the total time.

[Screenshot: w2012dc16up16]
[Screenshot: w2012dc16up17]

At last, we make it to the login screen:

[Screenshot: w2012dc16up18]

The first check – can we open Active Directory? A quick launch of Active Directory Users and Computers shows AD is alive and well after the upgrade. The “Test User” account I had created beforehand was brought across, as we would expect, which is a good check that objects survive the upgrade.

[Screenshot: w2012dc16up20]

Now, as we can see, when looking at both the forest and domain functional levels, we have the Windows Server 2016 level available to us.

[Screenshot: w2012dc16up21]
[Screenshot: w2012dc16up22]

Thoughts

An in-place upgrade of a domain controller may not be something you want to do, especially if you are looking at upgrading physical hardware, as older hardware may not be supported with Windows Server 2016. Be sure to check with your OEM to confirm compatibility. As we have shown, however, if you want to upgrade a Windows Server 2012 R2 Domain Controller to Windows Server 2016, this is definitely doable. It is great to see the upgrade installer recognize that we had not run forestprep or domainprep yet and refuse to move forward until we did.

My personal preference is not to upgrade, as upgrades can be messy and bring across problems. It feels much better to start with a clean slate and move forward. Bringing a new Windows Server 2016 domain controller online into the mix would be my preference here, then demoting the old domain controllers. Your mileage may vary, though, and there may be specific reasons to perform an in-place upgrade.


Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.


2 Comments

  1. In a multi-DC scenario, should I wait a while for the changes to be propagated to all DCs? In a VM environment, should I take a VM snapshot before running the upgrade?

    1. Giorgio,

      I would take into account the time for replication to take place, although this is normally a fairly quick process. Are your DCs spanned across sites or geographic regions? You would need to take that into consideration as well if you have a replication interval set for your other sites.

      Also, snapshots on DCs are very dangerous. I wouldn’t advise using any kind of snapshot on a DC as rolling back to a point in time on a DC can lead to USN rollbacks and other weird issues in AD. When in doubt, I would always say demote the DC, upgrade it and then promote it again.
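The reply above raises two points for a multi-DC environment: letting replication carry the adprep changes to every DC, and not relying on VM snapshots for rollback. The following is an added example, not code from the post or the comment reply, that checks the first point from a defender's side: it reports inbound replication status for every DC and queries each DC directly for its schema version, so a stale or failing replica is visible before the upgrade proceeds. It assumes the ActiveDirectory module is available and the account can query every DC; the expected schema version (87 for Windows Server 2016) is a parameter.

```powershell
# Added example (not from the original post or comments): replication health and
# schema-version convergence check across all DCs, to run before an in-place DC
# upgrade and again after forestprep/domainprep.
# Assumptions: ActiveDirectory module present; the account can query every DC.
Import-Module ActiveDirectory

function Get-DcReplicationHealth {
    # One row per inbound replication partner per DC.
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $dc.HostName
                    # Partner is the DN of the partner's NTDS Settings object; keep the server CN.
                    Partner     = (($_.Partner -split ',')[1]) -replace '^CN=', ''
                    Partition   = $_.Partition
                    LastSuccess = $_.LastReplicationSuccess
                    LastResult  = $_.LastReplicationResult          # 0 = last attempt succeeded
                    Failures    = $_.ConsecutiveReplicationFailures
                }
            }
    }
}

function Get-SchemaVersionByDc {
    # Queries each DC directly (not through the nearest DC) so a lagging replica shows up.
    $root = Get-ADRootDSE
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $v = (Get-ADObject -Server $dc.HostName -Identity $root.schemaNamingContext -Properties objectVersion).objectVersion
        } catch {
            $v = "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Server = $dc.HostName; SchemaVersion = $v }
    }
}

function Test-ReplicationConverged {
    param([int]$ExpectedSchemaVersion = 87)   # Windows Server 2016 schema objectVersion
    $health   = Get-DcReplicationHealth
    $failing  = @($health | Where-Object { $_.Failures -gt 0 -or $_.LastResult -ne 0 })
    $versions = Get-SchemaVersionByDc
    $stale    = @($versions | Where-Object { $_.SchemaVersion -ne $ExpectedSchemaVersion })
    [pscustomobject]@{
        Converged     = ($failing.Count -eq 0) -and ($stale.Count -eq 0)
        FailingLinks  = $failing
        StaleReplicas = $stale
    }
}

# --- main flow ---
$result = Test-ReplicationConverged
if ($result.FailingLinks)  { Write-Warning 'Replication links with errors:'; $result.FailingLinks  | Format-Table -AutoSize }
if ($result.StaleReplicas) { Write-Warning 'DCs not at the expected schema version:'; $result.StaleReplicas | Format-Table -AutoSize }
if ($result.Converged) {
    'All DCs replicating cleanly and reporting the expected schema version.'
} else {
    Write-Warning 'Wait for replication (or fix the failing links) before upgrading or promoting the next DC.'
}
```

Run it once before starting adprep to establish that replication is healthy, and again after domainprep until every DC reports the new schema version; with sites on a replication schedule this may take as long as the configured interval. The same convergence check is the safe alternative to a snapshot-based rollback: it tells you the directory is consistent before you move on, rather than reverting a DC to an earlier USN state, which is what causes the USN rollback problems the reply describes.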
