OK, I know that this is not really a good idea, but I had questions on this and wanted to test. I wanted to test an upgrade of a Windows Server 2012R2 AD to Server 2016. An in-place migration. Yes, I know, it's not really worth it, as often when migrating, the system isn't really “clean” with all those Microsoft patches accumulated over the years. Also, you usually deploy new hardware, as old hardware might not have drivers compatible with Windows Server 2016.
Yes, we're talking about a physical domain controller (DC), as in real life it's really not worth it to upgrade a virtual machine running 2012R2 to 2016. Usually, I'd choose the second option, which is just to install Windows Server 2016 as a member server, add the DC role to it and migrate the AD that way, then “downgrade” the 2012R2 DC back to a member server before completely decommissioning the system from the domain.
The AD Services in Windows Server 2016 brought quite a few new things that I have already detailed. Here is a reminder of just a few:
- Privileged Access Management – This PAM feature helps mitigate security concerns in an AD environment that are caused by techniques such as pass-the-hash, spear phishing … How it works is very interesting.
- Azure AD Join – This enhances the identity experience for businesses, with benefits such as SSO, access to organizational resources, MDM integration etc.
- Microsoft Passport – Microsoft Passport is a new key-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on breach-, theft-, and phish-resistant credentials.
- Group Membership Expiration – Windows Server 2016 adds support for group membership expirations, allowing you to add a user to a group for a certain period of time. Very interesting indeed for folks you want to give access to for a limited time period only.
But as I said, I was curious, as I haven't tried this just yet. So one of my lab DCs, which run as VMs (not physical), will be migrated this way. Currently the VM has the Active Directory Domain Services role installed. I think it also holds all 5 FSMO roles, as I did not bother to separate the roles and spread them out to my other DC, which is also running 2012R2. OK, let's kick in the lab and do an upgrade of a Windows Server 2012 R2 Domain Controller to Windows Server 2016 with the AD services.
How to Upgrade Windows Server 2012R2 AD to Server 2016 – The steps
The process starts with mounting the ISO and executing setup.exe > The installer proposes to download the latest updates > Select the image you want to install
Then we'll get a message saying that “Active Directory on this domain controller does not contain Windows Server ADPREP /FORESTPREP updates.” Our Windows 2016 ISO image is still attached, so we'll need to change to its drive letter:
E: (our CD-ROM drive letter)
then do a:
You'll need to press the letter “c” on your keyboard to validate the command.
Once finished, rinse and repeat. Execute the:
and again validate by pressing the “c” letter on your keyboard. Once done you can click the finish button to start the upgrade process.
Then setup will start upgrading Windows Server 2012R2 to Windows Server 2016 while preserving our Active Directory (AD) services. During the process the system will reboot once (in my case).
Then we simply check that we can successfully log in and that our AD is still there.
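An added example, not the author's own commands: a PowerShell pre-flight that checks FSMO placement, replication health and the schema version before running adprep from the ISO. It assumes the ISO is mounted as E: as in the steps above, the \support\adprep folder on the installation media, and adprep /domainprep as the second command, which this page does not name.

```powershell
# Added example. Assumptions: elevated session on the DC being upgraded,
# ActiveDirectory module available, Windows Server 2016 ISO mounted as E:.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$thisDc = "$env:COMPUTERNAME.$($domain.DNSRoot)"

# 1. List the five FSMO role holders and flag the ones on this DC,
#    since they are unavailable while setup runs and reboots.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $local = if ($r.Value -ieq $thisDc) { '(this DC)' } else { '' }
    '{0,-22} {1} {2}' -f $r.Key, $r.Value, $local
}

# 2. Stop if replication is failing: schema changes must reach every DC.
$failed = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
    Where-Object { $_.FailureCount -gt 0 }
if ($failed) {
    $failed | Format-Table Server, Partner, FailureCount, LastError
    throw 'Fix replication before running adprep.'
}

# 3. Read the schema version (69 = Windows Server 2012 R2, 87 = Windows Server 2016).
function Get-SchemaVersion {
    $nc = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject -Identity $nc -Properties objectVersion).objectVersion
}
"Schema version before: $(Get-SchemaVersion)"

# 4. Run adprep from the ISO only when the schema is older than 2016.
$adprep = 'E:\support\adprep\adprep.exe'
if (-not (Test-Path $adprep)) { throw "adprep.exe not found at $adprep" }
if ((Get-SchemaVersion) -lt 87) {
    & $adprep /forestprep   # asks for confirmation: type C, then Enter
    & $adprep /domainprep   # assumed second step; the page omits the command
}
"Schema version after:  $(Get-SchemaVersion)"

# 5. /forestprep needs Schema Admins and Enterprise Admins; review membership afterwards.
Get-ADGroupMember 'Schema Admins'     | Select-Object name, objectClass
Get-ADGroupMember 'Enterprise Admins' | Select-Object name, objectClass
```

Accounts added to Schema Admins only for the upgrade can be removed again once the schema version reads 87.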
I have also recorded a quick video detailing the steps. Note that the video is accelerated on some parts. This is to make it faster on the parts of the upgrade which are boring and slow.