Check List — Active Directory Migration to Server 2016

Silas Thomas
3 min read · Jun 16, 2017


This is a quick checklist for folks doing an Active Directory server upgrade or migration to new AD servers. There are a lot of gotchas with anything in IT, and there is a reason we Private and Commercial pilots use checklists: to keep us out of trouble. So here is my evolving checklist for doing an AD server upgrade:

Prepare the AD Domain and Forest

  • Make sure all AD servers currently have healthy replication (use the command-line tools for this), and fix any AD replication issues first
  • Make note of what IPs your current AD servers have
  • Make sure the primary DNS entry on the primary NIC of each old AD server points not at itself but at another AD DNS server; the secondary DNS entry can be itself
  • Make sure the domain is at the highest Domain Functional Level available for the current (old) AD servers that is supported by your org (if you’re on Windows Server 2000, you’ll have to upgrade to 2003/2008 first)
  • Make sure the forest is at the highest Forest Functional Level available for the current (old) AD servers that is supported by your org
  • Make note of where your DHCP servers are; you’ll need to update these later
  • Make sure you have good backups of your AD infrastructure!
  • If you’re using Windows DHCP and haven’t already done so, create an AD service account for DHCP and delegate control of DHCP AD duties to that account (only needed if you’re going to migrate DHCP to Server 2016 as well)
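The pre-flight checks above can be scripted so the results go into the change record before anything is touched. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory, DnsClient and DhcpServer modules are present, that it runs as a Domain Admin from a management workstation, and that `repadmin` is on the path. File names are placeholders.

```powershell
# Added pre-flight script (not from the original post). Assumes RSAT AD/DNS/DHCP
# modules, a Domain Admin session and repadmin.exe available. Paths are placeholders.
Import-Module ActiveDirectory

# 1. Replication health: parse repadmin's CSV output and stop on any failures.
$repl   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    $failed | Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' |
        Format-Table -AutoSize
    throw 'Fix replication before continuing'
}
repadmin /replsummary   # human-readable summary, worth keeping in the change record

# 2. Record every DC's name, IP and site; the old addresses get re-used later.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, IPv4Address, Site, OperatingSystem |
    Export-Csv -Path .\dc-inventory-before.csv -NoTypeInformation

# 3. Each DC's primary DNS server should be another DC, not itself.
foreach ($dc in $dcs) {
    $dns = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.InterfaceAlias -notlike 'Loopback*' -and $_.ServerAddresses }).ServerAddresses
    }
    $primary = @($dns)[0]   # @() so a single string is not indexed as characters
    if ($primary -eq $dc.IPv4Address) {
        Write-Warning "$($dc.HostName): primary DNS points at itself ($primary)"
    }
}

# 4. Functional levels and current FSMO holders, for the record.
Get-ADDomain | Select-Object DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object ForestMode, SchemaMaster, DomainNamingMaster

# 5. DHCP servers authorised in AD (their DNS options must be updated later).
Get-DhcpServerInDC | Select-Object DnsName, IPAddress

# 6. Last known AD backup per naming context (read from the dSASignature attribute).
repadmin /showbackup
```

The script deliberately stops at the first replication failure rather than continuing; a migration started on top of a broken replication topology tends to turn into a forced removal later, which is far harder to back out of than fixing the replication first.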

Install Server 2016

  • Join your new Windows Server 2016 instances to the current AD and name them appropriately
  • Assign them static IPs as appropriate
  • Install the AD DS and DNS roles on the server using Server Manager or PowerShell
  • Run the Active Directory installation wizard; this will prepare the forest and domain for the upgrade
  • Reboot
  • Make sure DNS on the new servers is working properly
  • Move the FSMO roles to your new 2016 DC, making it the new PDC
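The same sequence as a PowerShell session on the new box (an added example, not code from the original post). It assumes the server is already domain-joined, uses the ADDSDeployment module that ships with the AD DS role, and uses placeholder names: domain `corp.example.com`, new DC `DC2016-01` at `10.0.0.20`, existing DC at `10.0.0.10`, interface alias `Ethernet`.

```powershell
# Added example (not from the original post). Run on the new Server 2016 box.
# Placeholders: corp.example.com, DC2016-01, 10.0.0.20, 'Ethernet', existing DC 10.0.0.10.
$domain  = 'corp.example.com'
$oldDc   = '10.0.0.10'     # an existing DC/DNS server to resolve against during promotion
$newName = 'DC2016-01'

# Static address; resolve via an existing DC until the new DC's own DNS is up.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.20' -PrefixLength 24 -DefaultGateway '10.0.0.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $oldDc

# Roles, then the prerequisite test before anything touches the forest.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Import-Module ADDSDeployment
$cred = Get-Credential "$domain\Administrator"
$dsrm = Read-Host -AsSecureString 'DSRM (safe mode) password'
Test-ADDSDomainControllerInstallation -DomainName $domain -InstallDns `
    -Credential $cred -SafeModeAdministratorPassword $dsrm

# Promotion. This runs the forest/domain preparation (adprep) for you and reboots when done.
Install-ADDSDomainController -DomainName $domain -InstallDns -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -Force

# --- after the reboot: verify DNS on the new DC before moving any roles ---
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server '10.0.0.20'
dcdiag /test:DNS /s:$newName
repadmin /replsummary

# Move all five FSMO roles; -Confirm:$false because this is scripted.
Move-ADDirectoryServerOperationMasterRole -Identity $newName -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Confirm the new holders.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```

The SRV lookup is the quick test that the new DC has registered itself as a domain controller in DNS; if that query returns nothing, do not move the FSMO roles yet, since clients locate the PDC through exactly those records.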

Decommission the old Domain Controllers

  • If using Windows DHCP, install the role on your new 2016 servers and configure it with the same scopes and options as your old server
  • Make sure to update the DNS servers handed out by DHCP to reflect the IPs of your new AD DNS servers
  • Disable the DHCP scope on the old server (you may have overlapping IP assignments; these will clear up after leases expire, so if this concerns you, reduce the lease time ahead of your migration)
  • Enable the scope on the new server
  • Run DCPROMO on the old servers to remove Active Directory Domain Services, then reboot
  • Change the IP of each old server to an unused IP on the same subnet, and make sure DNS reflects the new IP
  • Assign the IPs of the old DCs as additional IPs (or on secondary NICs) on the new AD servers
  • Make sure there aren’t any leftover items in DNS from the old DCs, i.e. no entries pointing to the old DCs for AD, site, or name-server records
  • Update the primary and secondary name server IPs on the NICs of the new AD servers: the primary should point at a different new AD DNS server, not itself, and the secondary should point at itself. Do this for the PDC, the BDC, and every other domain controller
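The decommission steps as an added PowerShell example (not code from the original post). It assumes placeholder names: old DC `OLDDC` at `10.0.0.10`, new DCs `DC2016-01` (`10.0.0.20`) and `DC2016-02` (`10.0.0.21`), scope `10.0.0.0/24`, zone `corp.example.com`, and a DHCP service account `svc-dhcp`. The DNS cleanup only reports and dry-runs the deletions, so the list can be reviewed before anything is removed.

```powershell
# Added example (not from the original post). Placeholders: OLDDC/10.0.0.10,
# DC2016-01/10.0.0.20, DC2016-02/10.0.0.21, scope 10.0.0.0, zone corp.example.com.
$zone   = 'corp.example.com'
$oldDc  = 'OLDDC'; $oldIp = '10.0.0.10'
$newDcs = @{ 'DC2016-01' = '10.0.0.20'; 'DC2016-02' = '10.0.0.21' }
$scope  = '10.0.0.0'

# --- DHCP: shorten leases early, copy the config, hand out the new DNS servers ---
Set-DhcpServerv4Scope -ComputerName $oldDc -ScopeId $scope -LeaseDuration (New-TimeSpan -Hours 2)
Export-DhcpServer -ComputerName $oldDc -File C:\dhcp-export.xml -Leases
Install-WindowsFeature DHCP -IncludeManagementTools -ComputerName 'DC2016-01'
Import-DhcpServer -ComputerName 'DC2016-01' -File C:\dhcp-export.xml -BackupPath C:\dhcp-backup -Leases
Add-DhcpServerInDC -DnsName "dc2016-01.$zone" -IPAddress '10.0.0.20'        # authorise in AD
Set-DhcpServerDnsCredential -ComputerName 'DC2016-01' -Credential (Get-Credential "$zone\svc-dhcp")
# The import carried the old option 006 values; override them per scope (omit -ScopeId for server level).
Set-DhcpServerv4OptionValue -ComputerName 'DC2016-01' -ScopeId $scope -DnsServer '10.0.0.20', '10.0.0.21'
Set-DhcpServerv4Scope -ComputerName $oldDc     -ScopeId $scope -State InActive
Set-DhcpServerv4Scope -ComputerName 'DC2016-01' -ScopeId $scope -State Active

# --- Demote the old DC (this part runs on OLDDC itself), then free its IP ---
Import-Module ADDSDeployment
Uninstall-ADDSDomainController -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password') -Force
# after the reboot, still on OLDDC:
Remove-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress $oldIp -Confirm:$false
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.250' -PrefixLength 24 -DefaultGateway '10.0.0.1'
Register-DnsClient
# on DC2016-01: take over the old address as a secondary IP so hard-coded clients keep resolving
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress $oldIp -PrefixLength 24

# --- Leftover DNS records that still name the old DC (report + dry run) ---
$stale = @()
foreach ($z in $zone, "_msdcs.$zone") {
    $hits = Get-DnsServerResourceRecord -ComputerName 'DC2016-01' -ZoneName $z | Where-Object {
        ($_.RecordType -eq 'A'     -and $_.HostName -like "$oldDc*") -or
        ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -like "$oldDc.*") -or
        ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$oldDc.*") -or
        ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$oldDc.*")
    }
    foreach ($h in $hits) { $stale += [pscustomobject]@{ Zone = $z; Record = $h } }
}
$stale | Format-Table Zone, { $_.Record.HostName }, { $_.Record.RecordType }, { $_.Record.RecordData } -AutoSize
# Review the table, then drop -WhatIf to delete for real.
foreach ($s in $stale) {
    Remove-DnsServerResourceRecord -ComputerName 'DC2016-01' -ZoneName $s.Zone -InputObject $s.Record -Force -WhatIf
}

# --- NIC DNS order on each new DC: primary = a partner DC, secondary = itself ---
foreach ($dc in $newDcs.Keys) {
    $partner = $newDcs.Keys | Where-Object { $_ -ne $dc } | Select-Object -First 1
    Invoke-Command -ComputerName $dc -ScriptBlock {
        param($primary, $secondary)
        Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $primary, $secondary
    } -ArgumentList $newDcs[$partner], $newDcs[$dc]
}
```

The A-record search matches on the old host name rather than on the old IP, because once the new DC has taken over `10.0.0.10` its own dynamic registrations will legitimately carry that address; matching on the IP would flag the new DC's records as stale.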

Like I said, this list is evolving; use at your own risk, of course.

Silas Thomas

Technologist, Consultant, Business Owner, and Private Pilot