Migrating FSMO roles Windows 2019 Server

9 months ago 8 months agoStephane ThirionMicrosoft, Windows 2019Active directory, automation, FSMO, Migrating, PowerShell, Windows 2019

Be careful, the Windows 2019 Server iso have been pulled out, it should be back shortly (Nov-2018)

As Microsoft Windows 2019 became (almost) available, this is time again to move the FSMO roles from Windows Server 2016 to Windows Server 2019. Before destroying everything to rebuilt, I like to migrate my Active Directory and keep the work, policies and OU organisation I got for years. For this one, I wanted to migrate my forest to 2019 by adding a Domain Controller to my existing Windows 2016 Active Directory, migrating all the FSMO roles to this new Domain Controller and then removing the Windows 2016 Server once everything have been done.

Details :
My Windows Server 2016 Domain Controller is DC01.metal.inc
The new Windows 2019 Server is DC92.metal.inc

my domain name is metal.inc

First, to deploy the AD role (DCPromo) on my new Windows 2019 Server machine, i used Powershell commands as follow :

Take a note of your site name and make sure to replace it by the correct value.

Installing Role

#
# Windows PowerShell script for AD DS Deployment
#
 
Get-WindowsFeature AD-Domain-Services | Install-WindowsFeature 
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "METAL.INC" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-ReplicationSourceDC "DC01.METAL.INC" `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

Be careful, at the end of the execution of this first script, the new Windows 2019 Server Domain Controller will reboot.

Once it’s done, I connected on the Windows 2019 Domain Controller to use this powershell script and move the FSMO roles from the Windows Server 2016 Domain Controller

Source code

Move-ADDirectoryServerOperationMasterRole -Identity "DC92" -OperationMasterRole 0,1,2,3,4

If you want to make sure everything change the way you intend to, you can use this short Powershell script to make sure everything is ok

Check FSMO

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
 
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
 
Get-ADDomainController -Filter * |
 
     Select-Object Name, Domain, Forest, OperationMasterRoles |
 
     Where-Object {$_.OperationMasterRoles} |
 
     Format-Table -AutoSize

The result :

2019 Domain Controller is up and running, now I want to get rid of the 2016 one, the same way as I did for the DCpromo, I will demote the old controller using this Powershell script :

Source code

#
# Windows PowerShell script for AD DS Deployment
#
 
Import-Module ADDSDeployment
Uninstall-ADDSDomainController `
-DemoteOperationMasterRole:$true `
-ForceRemoval:$true `
-Force:$true

You have to specify the password for the local administrator account of the machine once it will have been demoted.

And at last, if you want to upgrade the functional level of your Active Directory to 2016/2019 :

Upgrade Funct. Lev.

Set-ADDomainMode –identity metal.inc -DomainMode Windows2016Domain

Share

Stephane Thirion