Windows Server 2008 End of Support - Active Directory and DNS Migration
Jan 16, 2020 09:00 · 1867 words · 9 minute read
Hey folks, it’s Ned Pyle here again, talking about end of support and the migration strategies again. The end of 2008 support either is about to happen or has just happened if you’re watching this video, and what you need now, besides your options to pick things up and move them to Azure or to add extended security updates to 2008 and keep tracking along, is really your true long-term strategy of: how do I get off of this old platform, which is no longer in support but, more importantly, doesn’t contain a lot of the functionality and safety that came from a later platform like 2012, even much less 2016 or 2019? So I’m going to go through a demo now and talk about how I can migrate Domain Controllers and DNS servers in the smoothest possible fashion, so that your users and applications see little to no interruption whatsoever, and you’re not forced to reconfigure anything. I’ll also be talking about your best favorite thing, FRS to DFSR migration, as part of this process, so let’s get into this demo. So having performed my 2008 R2 Server Domain Controller and file server inventories, I think I’m ready to go ahead and do the actual migration and get my 2008 DCs replaced.
01:27 - In a separate demo of course I’ll show you Storage Migration Service for file servers, so let’s get rolling here. I’m inside the Server Manager and what I need to do first really is add in my proposed new four DCs that I’m going to use to replace my existing 2008 DCs. So I’ve got four 2019 servers here, I’m just going to add them to management and that way I can start running DC promotion on these machines. I can also do this with PowerShell, I could batch up the whole thing, I could make this much more automated and much more hands-off, but for the purposes of demonstration let’s just do these things in sort of a piecemeal fashion. So on one of these 2019 DCs I’m going to add the Active Directory Domain Services role and promote it.
02:22 - If you’ve been in the world of 2008 for a long time, you’re realizing now that you don’t see me running DCPromo, that tool is long gone. If you moved onto the role of 2012, 2016, 2019, we are now using the Server Manager tool or PowerShell, and I’ll go ahead and add this role, it will be a time compressor here for the demo. There’s that little option there promote this server to Domain Controller, this is the DCPromo process that you are familiar with in the past. We’ll go ahead and give some domain admin credentials, this is my migrator account that I’ve been using for various demos. I’m adding this regular member server, this 2019 server to the domain and I’m going to try and co-locate these things with wherever they might be with their existing DCs.
03:14 - So you saw from my inventory that I had several sites, now I can put in a DSRM recovery password for these DCs and I will be forced now, because I’ve used sites directly, to specify a site. So this particular DC, I’m going to put it into the headquarters site and click “Next” and click “Next.” Notice this piece here, DomainPrep, ForestPrep; if you were a 2008 domain admin, you used to do those things separately using the Adprep tool, that is all included now as part of the deployment process. One thing to be careful about also is that when you promote your first 2012 or later DC into your environment, the first thing it’s going to do is prep your schema and domain. So here we go, I’m going to time compress this installation just to save us a little time, you see it was upgrading the Forest, adding in the DC, it will replicate and all those things will take as long as they take for the environment.
04:25 - This server has now restarted, let’s just jump onto this box and see how things went. Let’s go ahead and run the Event Viewer, it will give us an idea of how healthy the DC is right now after promotion, and if it’s truly ready to go; don’t forget, when you DCPromo a box it’s going to continue to inbound replicate. Take a look here in the Directory Services Event Log, it is calling itself a DC. Now, let’s go back to the story of the FSMO roles, remember I had to look at those during inventory, I’m going to look at them again because somebody may have been messing with them in the meantime. I need to move these roles, so as I promote these DCs, I’m going to use PowerShell to move the various FSMO roles onto my new Domain Controllers as I deploy them, so I can start getting rid of my old DCs.
05:34 - In this particular case, I’m taking the PDC Emulator role and putting it onto my brand new 2019 DC02 server, I’ll do the same thing for other roles as I see fit and need to. I’m going to put Schema Master on here; I can put these all together, separate them with commas and do this all in one command if I wanted because PowerShell is pretty cool, but I’m not going to do that though. Now, I’ve started to add my DCs, I’ve got my 2019 DCs up and I’ve been doing a few in the background here, cooking show style. I need to get rid of my old 2008 DCs, so now we’re back to the classic DCPromo tool that you know and love. So this piece here, I will use the legacy tool on the 2008 Domain Controllers and start getting rid of them.
06:29 - So obviously if you’ve done this before, this looks very familiar, but maybe you’ve never demoted a DC before. Go ahead and give it some local admin creds, which it’s going to need once it stops being part of the domain, and tell it to go ahead and do its work, and we’re going to come back to this, let it reboot and finish rather than making you watch that in the demo. We’ll see now that this machine is a member machine, and what we will want to do is take a look at its IP information real quick. That IP information is what was being used for DNS, so our clients are probably still pointing to this server for DNS information, and there’s a problem with that. The server is not a DC anymore, it’s not a DNS server anymore either, so we can do two things: we could change every client and member server in the company, or we could just go take over these IP addresses and put them on our new server, which I think is a much better solution.
07:29 - So this machine is part of the domain, we’re going to have to rename it now so that nobody ever connects to this box by its old name anymore just by mistake, and that way it’s still around, it might still have some data on it for some reason, but it is effectively unreachable by IP or name ever again. On my new DC02, I’m going to give it the IP address of my old DC02, and that way all my DNS clients and applications using anything by IP address just won’t know that anything happened, and they’re happy and back in business, which is really nice. So rather than changing thousands of clients, I’m changing a handful of DCs. But if you want to get really fancy, and we have a nice document on this somewhere, you could even go through and specify an alternate computer name and give my DC02 2019 server here the old server name of DC02, so it’ll answer for both maybe; I’m not going to do that right now. What else can we do here? Let’s take a look at my site information.
08:32 - When I demoted that old DC02, you might not know this, its computer object is still hanging out there inside, so we’ll do a little clean up here and get rid of old DCs from the topology. Now that I’ve gone all the way, I’ve made all my DCs 2019, I have the ability to raise the Forest and Domain Functional Levels to their maximum, which is the 2016 FFL and DFL, and start unlocking features I didn’t have back when I was in a 2008 environment; it’s not just to get new DCs, you want to get new functionality. So for example I can enable the Recycle Bin now, something which 2008 didn’t have, and instead of relying on system state backups for the deletion of objects, users, groups, computers, I now have an actual Recycle Bin inside of Active Directory. This is one example of a good reason to have gotten on 2019, not just because 2008 support ended. So I’m going to create a user here, this is Mark Russinovich, he is my user and he’s a really important person for Microsoft, you’ve probably heard of him, and he’s one of the bigwigs over in Azure, he does a lot of talks.
09:43 - I’m going to create his user account because I work over on the help desk, and then accidentally, after he’s been using his account, I delete his account, so now Mark can’t log in anymore. In the past this would be a big fire drill, you’d often find your backups, do a non-authoritative restore, hopefully that all works, it’s a big yikes. Starting in 2019, I enabled the Recycle Bin and now I can just right-click and restore and put Mark right back into his spot with his password, with all group memberships, with all his attribute metadata, and he’ll be able to just log right back in, and maybe he didn’t even notice anything happened, and we’ll make sure that we update his special title so everybody knows how important Mark is. So this is just a great example: the hard work you’re doing to get migrated isn’t just to keep being supported on a later version of Windows Server; you’re missing functionality when you run 2008, tons of security pieces, tons of features, tons of options that make your environment run better, more smoothly, and give your users new abilities. So the migration and upgrade process shouldn’t just be a chore every 10 years of getting supported, it should also be a way for you to start unlocking and bringing value into the environment that you just didn’t have on your 10-year-old 2008 OS.
11:11 - So that was the process of how you would migrate your Domain Controllers, your DNS, your SYSVOL, and make sure that you are no longer on 2008 but instead on a nice comprehensive, modernized platform like, say, Server 2019. I hope you’ve enjoyed this, this URL will give you more information on how to do these types of migrations, and of course if you have any questions.
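As an added example, not from the video or from Microsoft's own scripts, here is the PowerShell equivalent of the steps walked through above: confirm where the FSMO roles sit, move all five to the new 2019 DC in one command, check that no 2008 DCs remain before raising the functional levels to 2016, enable the Recycle Bin, and restore an accidentally deleted user. The DC name, the user name and the account you run it under are assumed placeholders; run it from a machine with the RSAT ActiveDirectory module as a Domain and Enterprise Admin.

```powershell
# Added example. Assumes a placeholder new 2019 DC named "DC02-2019" and a
# deleted user "Mark Russinovich"; the forest and domain are read from AD.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$newDc  = 'DC02-2019'

# 1. Inventory: where do the five FSMO roles live right now?
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Move all five roles onto the new 2019 DC in one command
#    (the "separate them with commas" option mentioned in the video).
Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 3. Guard: raising functional levels is one-way, so refuse while any
#    2008 DC is still present in this domain.
$oldDcs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -like '*2008*' }
if ($oldDcs) {
    throw "Demote these 2008 DCs first: $($oldDcs.HostName -join ', ')"
}

# 4. Raise the domain level, then the forest level, to 2016 (the maximum).
Set-ADDomainMode -Identity $domain -DomainMode Windows2016Domain -Confirm:$false
Set-ADForestMode -Identity $forest -ForestMode Windows2016Forest -Confirm:$false

# 5. Enable the AD Recycle Bin (also one-way; it cannot be disabled later).
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# 6. Restore a deleted user with SID, group memberships and attributes intact.
#    Deleted objects keep their original name as a prefix, hence the wildcard.
Get-ADObject -Filter { isDeleted -eq $true -and Name -like 'Mark Russinovich*' } `
    -IncludeDeletedObjects | Restore-ADObject
```

Step 6 only works for objects deleted after the Recycle Bin was enabled; anything deleted before that is a tombstone and still needs the backup-based restore the video describes.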