Fabio Rosiglioni asked:

Migrate Active Directory Server 2003 to Active Directory Server 2016

I have to migrate the Windows 2003 32-bit servers (yes I know, it was time!) with the domain controller role to Windows 2016 64-bit servers. I have read several documents on the procedure to follow, but I would like a confirmation of the procedure to follow according to my reality.

1 domain (named GF.local)
1 Active Directory
3 sites (named C, F, V), in 3 different subnets connected by VPN
6 servers (named AD1, AD2, AD3, AD4, AD5, AD6), 2 servers in each site (AD1, AD2 in C; AD3, AD4 in F; AD5, AD6 in V)
All servers are 2003 and all servers provide DNS, WINS, DHCP, AD services:
• Servers AD1, AD2 provide DNS, WINS, DHCP, AD services to the subnet in site C
• Servers AD3, AD4 provide DNS, WINS, DHCP, AD services to the subnet in site F
• Servers AD5, AD6 provide DNS, WINS, DHCP, AD services to the subnet in site V
AD1 is the primary domain controller (Operations Master roles)
Other servers:
• 3 file servers Win 2003 Standard edition (1 in each site)
• 2 app servers Win 2019 (site C)
• 2 SQL servers Win 2008 (site C)
• 2 RDP servers Win 2008 (site C)
• 1 Oracle server Win 2008 R2 (site C)
• 1 Linux server (site V)
Clients:
• Windows 10 Pro
• Windows 7 Pro
• Windows XP Pro (SP2 & SP3)

I thought of following this procedure:
Step 1. Install 6 new Windows Servers 2016, 2 for each site (named DC1, DC2, DC3, DC4, DC5, DC6).
Step 2. Assign the new IP addresses to the Servers 2016.
Step 3. Join all new Windows Servers 2016 to the AD 2003 domain.
Step 4. Log in to the Servers 2016 with the Domain Administrator account.
Step 5. Raise the Domain & Forest Functional Levels on AD Server 2003.
Q: Do I have to perform this procedure on all 2003 servers or is it sufficient on the primary domain controller?
Step 6. Add Active Directory Domain Services to Server 2016. I do it for all new servers.
Step 7. Promote Server 2016 to Domain Controller. I do it for all new servers.
Step 8. Transfer the Operations Master roles to Server 2016, from AD1 (2003) to DC1 (2016).
Step 9. Change the Active Directory Domain Controller to Server 2016, from AD1 (2003) to DC1 (2016).
Step 10. Change the Domain Naming Master to Server 2016, from AD1 (2003) to DC1 (2016).
Step 11. Change the Schema Master to Server 2016, from AD1 (2003) to DC1 (2016).
Step 12. Verify that all FSMO roles have transferred to Server 2016.
Step 13. Remove Server 2003 from the Global Catalog.
Q: Do I have to perform this procedure on all 2003 servers or is it sufficient on the primary domain controller?
Step 14. Change the preferred DNS address on the Servers 2003 to match the Server 2016 IPs:
AD1, AD2 > DC1;
AD3, AD4 > DC3;
AD5, AD6 > DC5.
Step 15. Demote Server 2003 from Domain Controller (all servers 2003).
Step 16. Change the static IP addresses on the servers 2003 and servers 2016, assigning new IP addresses to the old 2003 servers and the previously used IP addresses to the 2016 servers. This is in order not to have to reconfigure all the devices with static IPs (not in DHCP).
Step 17. Log in to Active Directory 2016 from the workstations.
Q: Do I have to finish the whole procedure for all servers before connecting the workstations, or can I also connect during the procedure?
Step 18. (Optional) Remove all Servers 2003 from the domain & network.

The clients are 90% Windows 10 Pro, 9% Windows 7 Pro and 1% Windows XP Pro SP3 and SP2 (I can't update these machines because they have industrial software dedicated to laboratory equipment).
Q: Do XP computers work in a domain with DC Windows Server 2016?

Q: Should I expect something else?

Fabio
Seth Simmons:

You will need to take steps first to get to 2016 because of dependencies.
At some point you need to migrate from FRS to DFSR, which requires your functional level to be at least 2008, meaning you have to get off 2003 servers first. Also, 2016 domain controllers don't support a 2003 functional level (your step 3 and subsequent steps won't work), so your best bet is to install 2012 R2 first as a domain controller, decommission the 2003 server(s), then raise the forest/domain functional level to do the FRS -> DFSR migration prior to the 2016 domain controller install. 2012 R2 is the highest supported domain controller version that will work to co-exist with 2003. It will be a longer process, but you have to do that to get to where you want to be.



Fabio Rosiglioni (asker):

To kevinhsieh:
"Do your DCs do anything else besides AD related stuff?"
The DCs perform only the roles listed above: DC, AD services, DNS, WINS, DHCP.

"It is easier if your 2016 DC takes the IP address of the 2003 server it is replacing. Just give the 2003 DC a new IP. Give the 2016 DC the old IP and reboot. No need to update WINS or DNS or DHCP settings."
In which step is it recommended to "exchange" the addresses?

To Seth Simmons:
"You will need to take steps first to get to 2016 because of dependencies. At some point you need to migrate from FRS to DFSR, which requires your functional level to be at least 2008, meaning you have to get off 2003 servers first. Also, 2016 domain controllers don't support a 2003 functional level (your step 3 and subsequent steps won't work), so your best bet is to install 2012 R2 first as a domain controller, decommission the 2003 server(s), then raise the forest/domain functional level to do the FRS -> DFSR migration prior to the 2016 domain controller install. 2012 R2 is the highest supported domain controller version that will work to co-exist with 2003. It will be a longer process, but you have to do that to get to where you want to be."

Is it the only way?
I read somewhere that direct migration was possible after step 5 (Raise the Domain & Forest Functional Levels on AD Server 2003):
https://techencyclopedia.wordpress.com/2017/02/02/windows-server-migration-2003-to-2016/
But in the following article I find confirmation of your words:
https://docs.microsoft.com/it-it/windows-server/identity/ad-ds/active-directory-functional-levels

Do you all agree with Seth Simmons that I first have to step into Server 2012, or does anyone know of alternatives?

Windows 2016 DCs can be added to a domain at 2003 functional level.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers
"Windows Server 2016 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2016 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher. If the forest contains domain controllers running Windows Server 2003 or later but the forest functional level is still Windows 2000, the installation is also blocked."
It's a common misconception that Server 2016 doesn't support FRS for SYSVOL. Server 2016 domain controllers can still use FRS; 2019 DCs cannot. In fact, if you try to promote a 2019 DC in a domain that still uses FRS for SYSVOL, you'll get a blocking error telling you exactly why this won't work. If you're only promoting 2016 DCs, though, you can wait to migrate SYSVOL from FRS to DFSR until after everything else is done. You should still perform that migration at some point, though; DFSR is better than FRS in every conceivable way - and, as mentioned, FRS is no longer supported in 2019.

You don't have to complicate things. Just install new servers and promote them. After that, migrate the FSMO roles from DC2003 to DC2016. Then demote the old servers. After they are gone, migrate from FRS to DFSR and raise the domain and forest functional level to Windows Server 2016.

How to transfer FSMO roles:
C:\Windows>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <new_server>
server connections: q
fsmo maintenance: Transfer domain naming master
fsmo maintenance: Transfer infrastructure master
fsmo maintenance: Transfer PDC
fsmo maintenance: Transfer RID master
fsmo maintenance: Transfer schema master

How to migrate from FRS to DFSR:
1. Perform on all DCs: Server Manager -> Manage -> Add Roles and Features -> select the DFS Replication role -> Install
2. Then run from the PDC:
Dfsrmig /setglobalstate 1
Dfsrmig /getmigrationstate
Dfsrmig /setglobalstate 2
Dfsrmig /getmigrationstate
Dfsrmig /setglobalstate 3
Dfsrmig /getmigrationstate

How to raise DFL or FFL:
1. For Domain: Active Directory Users and Computers -> Right-click on your domain -> Raise Domain Functional Level -> Windows Server 2016
2. For Forest: Active Directory Domains and Trusts -> Right-click on Active Directory Domains and Trusts -> Raise Forest Functional Level -> Windows Server 2016

How to demote/remove old DCs:
1. Uninstall the AD DS role from all servers (dcpromo)
2. Delete the old DCs from Active Directory Users and Computers.
3. Then run metadata cleanup:
ntdsutil
metadata cleanup
remove selected server <servername>

4. After that, check there are no entries in DNS, Active Directory Sites and Services, Active Directory Domains and Trusts. If you find any, delete them.
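A post-migration verification script, added here as an illustration and not part of any answer in this thread, that checks the end state the steps above aim for: all five FSMO roles on the new DC, no residual DC objects or DNS SRV records for the demoted 2003 DCs, SYSVOL on DFSR, and the raised functional levels. It assumes it is run on a 2016 DC with the RSAT ActiveDirectory module and uses the names from the question (DC1 as the new role holder, AD1 to AD6 as the retired DCs) as defaults.

```powershell
#Requires -Modules ActiveDirectory
# Post-migration checks for the scenario in this thread (added example, not from the thread).
# Assumptions: run on a 2016 DC with RSAT; DC1 is the intended holder of all five FSMO roles;
# AD1..AD6 are the demoted 2003 DCs (names taken from the question).
param(
    [string]   $ExpectedFsmoHolder = 'DC1',
    [string[]] $RetiredDcs = @('AD1', 'AD2', 'AD3', 'AD4', 'AD5', 'AD6')
)

$domain = Get-ADDomain
$forest = Get-ADForest
$fail   = @()

# 1. FSMO roles: forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $holder = ($r.Value -split '\.')[0]          # FQDN -> host name
    if ($holder -ine $ExpectedFsmoHolder) {
        $fail += "FSMO role $($r.Key) is on $($r.Value), expected $ExpectedFsmoHolder"
    }
}

# 2. Demoted DCs must no longer exist as DC objects (NTDS Settings under Sites and Services).
$liveDcs = (Get-ADDomainController -Filter *).Name
foreach ($old in $RetiredDcs) {
    if ($liveDcs -icontains $old) {
        $fail += "$old is still registered as a domain controller; metadata cleanup incomplete"
    }
}

# 3. Demoted DCs must no longer be advertised by the domain's _ldap SRV records in DNS.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue
foreach ($old in $RetiredDcs) {
    if (@($srv.NameTarget) -match "^$old\.") {
        $fail += "DNS SRV records still point at $old"
    }
}

# 4. SYSVOL replication: dfsrmig reports 'Eliminated' once the FRS -> DFSR migration has completed
#    (global state 3 in the dfsrmig steps above).
$state = (dfsrmig.exe /getglobalstate) -join ' '
if ($state -notmatch 'Eliminated') {
    $fail += "SYSVOL is not yet on DFSR (dfsrmig reports: $state)"
}

# 5. Functional levels after the final raise.
if ($domain.DomainMode -notmatch '2016') { $fail += "Domain functional level is $($domain.DomainMode)" }
if ($forest.ForestMode -notmatch '2016') { $fail += "Forest functional level is $($forest.ForestMode)" }

if ($fail.Count -eq 0) {
    Write-Output 'All post-migration checks passed.'
} else {
    $fail | ForEach-Object { Write-Warning $_ }
}
```

Run it once after the FSMO transfer (expect only the DFSR and functional-level warnings at that point) and again after step 4 above to confirm nothing from the 2003 DCs is left behind.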
Yes, you can essentially swap IPs between old and new DCs, though I just give the old DC a new IP. No need to change it twice, since the idea is to get the old DC out of the way on a new IP, and then, if all goes well, demote it.

In addition to everything already mentioned, you need to properly configure time sync on the new DCs. Make sure time sync between host and DC as a VM is properly configured (usually disabled). Set the PDC emulator to sync to a reliable time source.

"Windows 2016 DCs can be added to a domain at 2003 functional level."
Shame on Microsoft for contradicting their own documentation.

2003 functional level shows 2003-2012 R2 domain controller support:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
Are you using physical servers and possibly transitioning to virtual machines?

The straightforward way with virtual machines is, as noted, to deploy a Windows Server 2012 at each site.
This will achieve a seamless transition, as the 2012 can be joined to a 2003 AD as another DC.
If you have a VLCS license for Windows Server 2016, the 2012 is part of the coverage.
You can then promote the 2012 to have the master and GC roles.
Update the DHCP options pushed to clients to include the new DC IPs.
Update the static servers to point to the 2012 DCs for DNS.
Disconnect the 2003 from the network to confirm no issues.
Update Sites and Services to make sure they see the new DCs at each location.
Before going to 2016 you have, as suggested, to change the SYSVOL replication scheme from FRS to DFS-R.
On this track, if you have any NTFRS replication between and among the sites, they too will need to be converted.

Once you've achieved this transition, you can manage in the same way the addition of the 2016 DC at a

If your 2003 are 2003 R2, which include the DFS-R option, it might be possible to convert the SYSVOL replication......from FRS to DFS-R, but all the DCs have to be 2003 R2.

"Before going to 2016 you have, as suggested, to change the SYSVOL replication scheme from FRS to DFS-R."

Nope, this is only if you're promoting a 2019 DC. 2016 DCs can still use FRS.

"If your 2003 are 2003 R2, which include the DFS-R option, it might be possible to convert the SYSVOL replication......from FRS to DFS-R, but all the DCs have to be 2003 R2."

2003 R2 did include DFSR, but not for SYSVOL. The DCs have to be running at least 2008 in order to use DFSR to replicate SYSVOL.

Agree with Hello There,
but step 3 is required only if the server is not properly demoted,
i.e. "3. Then run metadata cleanup".
Why wait till 2019 and not do a clean migration to DFSR at the first available opportunity?

The SYSVOL was not handled by DFSR on Windows 2003, but the availability of DFSR on 2003 R2 makes it possible, if needed, to set up a DFSR replication group with the SYSVOL as the base and the one on the 2003 as the reference...
This ties into the presence and migration of any shares that currently exist on the 2003 platform that need to be migrated to the new one.

Do not see this as a disagreement, but options.

"Why wait till 2019 and not do a clean migration to DFSR at the first available opportunity?"

Right; I absolutely agree that it should be done, and there's no need to wait until you're about to promote a 2019 DC to do it. I'm bringing it up for the sake of simplicity, though. Since 2016 still supports FRS, you don't have to migrate ahead of promoting the 2016 domain controllers. This has two benefits:

• You don't have to worry about whether it's actually possible to migrate SYSVOL to DFSR in 2003 R2. (I don't think it is, although it may be possible to jury-rig something.)
• You don't have to promote a DC running an intermediate version in order to make it happen. Simply perform the migration using the supported procedure after the 2003 R2 DCs are long gone.

So in this case, it's easier to wait until everything else is done before migrating SYSVOL.

I think that is the issue: whether a 2016 DC can exist in a 2003 AD.
Thus the suggestion to add at least one DC in each site with 2012 and have a test while the 2003's are offline.
Time is potentially the issue at hand...

It is NOT POSSIBLE to have a 2019 DC and 2003 DC coexist in a domain. Full stop.
https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405
"It is done; Windows Server 2016 RS1 is the last version that will allow FRS - RS3 no longer includes the binaries."

You can't do the FRS to DFSR migration until the domain functional level is at least 2008. You cannot successfully introduce a 2019 DC until the migration to DFSR for SYSVOL replication is done.

If the goal is to get to 2019, then you need to make a stop off at some intermediate OS for the DCs. If the goal is to get to Windows 2016 for the DCs, you can go straight there.

See the link in this post for the instructions on getting from FRS to DFSR.

"It is NOT POSSIBLE to have a 2019 DC and 2003 DC coexist in a domain. Full stop."

Agreed. They're only going to 2016, though, so there shouldn't be a problem.

Thanks for all the information.
Summing up:
• It is confirmed that an intermediate step to Server 2012 is not required; Windows 2016 DCs can be added to a domain at 2003 functional level if I first raise the forest level to Windows Server 2003. (Note I don't have 2003 R2.)
• After the last 2003 server has been demoted from the domain, I migrate the SYSVOL from FRS to DFSR and the AD from DFL to FFL.

The procedure will be:
Step 1. Install 6 new Windows Servers 2016, 2 for each site (named DC1, DC2, DC3, DC4, DC5, DC6).
Assign the new IP addresses to the Servers 2016.
Enable SMB 1.
I configure the time sync of all the 2003 and 2016 servers.

Step 2. Raise the Domain & Forest Functional Levels on AD Server 2003.
I do this procedure on the primary domain controller only.
Q1: After this operation, do clients and everything else continue to function regularly? No other action is required? In other words: can I prepare this phase a few days before the next steps?

Step 3. Join all new Windows Servers 2016 to the domain.

Step 4. Promote one Server 2016 to Domain Controller: DC1 (2016).

Step 5. Transfer the FSMO roles from 2003 to 2016, from AD1 (2003) to DC1 (2016),
using the commands documented by Hello There.

Step 6. Promote the other 5 Servers 2016 to Domain Controller.

Step 7. Demote/remove all old 2003 DCs and remove Server 2003 from the Global Catalog (on all servers),
using the commands documented by Hello There.

Step 8. I swap the IPs:
assigning new IP addresses to the old 2003 servers,
assigning the previously used IP addresses to the 2016 servers.

Step 9. The 2016 servers are operational, the 2003 servers are off; I proceed with:
migrate the SYSVOL from FRS to DFSR,
raise the AD from DFL to FFL,
as shown by Hello There.

Step 10. Check there are no entries in DNS, Active Directory Sites and Services, Active Directory Domains and Trusts of the old 2003 DCs. In case I find them, I delete them.

Q2: As I have illustrated, the domain is extended over 3 sites; do you recommend carrying out the procedure in the shortest time possible or breaking it into several stages?

Q3: Clients, file servers, SQL servers, etc.: will they work regularly after the change of DCs to 2016, or do I have to perform any procedures?

Q4: The old servers are virtual machines; if something went wrong after step 4, is it possible to restore a previous state?
You can join servers running any OS as a member server at any time.
You would need to run adprep32 from the 2016 media to update schema, domain, GPO in the AD on the primary DC.

Personally, I would not go down the IP swap... route. Note you will be going down this road after you confirmed everything is functioning as expected.
Why go down this road?

You could script the name server list update on servers with static IPs.

Once you demote, you should not restore DCs as it will run into issues.
Conflicts in counters/IDs..
Updating the name server list will maintain functionality.


I will disagree with Arnold here. Swapping IPs is trivially easy, and easy to undo, which makes it a low-risk activity.
I have a small enterprise environment. The IP addresses of my DCs are stored in literally thousands of locations between DHCP relay agents, DHCP scopes for DNS, NTP entries, static IP assignments, firewall settings and firewall rules, and weird postfix settings. It would be impossible for me to fully successfully migrate from one set of IPs to another in any reasonable amount of time.

I once had a Linux system query a specific DNS server about once a month for what looked like a mail setting. We never found the entry. I didn't get the DNS server retired until we retired the Linux box several years later.

Ok thanks guys.
I have to plan the job by June; if I need help I will contact you.
Fabio
I feel the question should be closed differently.

Comments above provide relevant information to the author's questions. I would mark these comments because:
1. The author also made a conclusion based on these comments that he was going to follow (here: https://www.experts-exchange.com/questions/29182699/Migrate-Active-Directory-Server-2003-to-Active-Directory-Server-2016.html#a43090424 )
2. These answers are general steps the author had to do to succeed

Comments that provided relevant info:
https://www.experts-exchange.com/questions/29182699/Migrate-Active-Directory-Server-2003-to-Active-Directory-Server-2016.html#a43089947
https://www.experts-exchange.com/questions/29182699/Migrate-Active-Directory-Server-2003-to-Active-Directory-Server-2016.html#a43089949
https://www.experts-exchange.com/questions/29182699/Migrate-Active-Directory-Server-2003-to-Active-Directory-Server-2016.html#a43089951
https://www.experts-exchange.com/questions/29182699/Migrate-Active-Directory-Server-2003-to-Active-Directory-Server-2016.html#a43089988
https://www.experts-exchange.com/questions/29182699/Migrate-Active-Directory-Server-2003-to-Active-Directory-Server-2016.html#a43090012
https://www.experts-exchange.com/questions/29182699/Migrate-Active-Directory-Server-2003-to-Active-Directory-Server-2016.html#a43090076
https://www.experts-exchange.com/questions/29182699/Migrate-Active-Directory-Server-2003-to-Active-Directory-Server-2016.html#a43090090
https://www.experts-exchange.com/questions/29182699/Migrate-Active-Directory-Server-2003-to-Active-Directory-Server-2016.html#a43090477

I made the migration following the steps indicated with complete success. Perfect.

Thank you for your feedback. Please mark all posts that were a solution for you as "Yes. This is my solution." You can mark multiple answers.