Introduction

Upgrading your Active Directory (AD) environment from Windows Server 2012 R2 to Windows Server 2019 or 2022 is crucial for maintaining security, performance, and supportability. This guide outlines a structured approach to ensure a seamless migration with minimal disruption to your organization.

Step 1: Assess Your Current Environment

Verify Domain Functional Level

Before proceeding with the migration, ensure that your Domain Functional Level (DFL) is at least Windows Server 2008. If it’s lower, you’ll need to upgrade it.

  1. Open Active Directory Users and Computers (ADUC).
  2. Right-click on the domain name and select Properties.
  3. Check the Current domain functional level.
  4. If required, raise it to a minimum of Windows Server 2008.

Check SYSVOL Replication

Ensure that SYSVOL is using DFS Replication (DFSR) instead of the older File Replication Service (FRS). If FRS is still in use, you must migrate to DFSR before proceeding.

To check your replication type:

  1. Open PowerShell as Administrator.
  2. Run: dfsrmig /getglobalstate
  3. If the output shows State 0 (Start), then FRS is still in use. You must migrate it to DFSR using the dfsrmig command.

Step 2: Prepare for the Upgrade

Back Up Your Domain Controllers

Before making any changes, perform a full backup of your domain controllers, including:

  • System State
  • Active Directory Database
  • DNS Configuration
  • Group Policy Objects

Use Windows Server Backup or third-party backup software for a reliable recovery point.

Check Domain Health

Run the following commands to verify that your Active Directory environment is healthy:

  • Domain Controller Diagnostic: dcdiag /v
  • Replication Status: repadmin /replsummary
  • DNS Configuration: nslookup <your domain name>
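
The SYSVOL and replication checks above can be turned into a single go/no-go gate. The script below is an added example, not part of the original guide: it parses the text printed by dfsrmig /getglobalstate and the per-link CSV form of repadmin (repadmin /showrepl * /csv, a more detailed view than /replsummary) and lists anything that should block the upgrade. The function name, host names and domain are constructed for illustration.

```powershell
# Added example. Sample text is constructed; on a DC pass live output instead:
#   $dfsr = dfsrmig /getglobalstate | Out-String
#   $repl = repadmin /showrepl * /csv | Out-String
function Test-MigrationReadiness {
    param(
        [Parameter(Mandatory)][string]$DfsrmigOutput,
        [Parameter(Mandatory)][string]$ShowReplCsv
    )
    $blockers = [System.Collections.Generic.List[string]]::new()

    # dfsrmig reports a line such as: Current DFSR global state: 'Eliminated'
    if ($DfsrmigOutput -match "global state:\s*'(?<state>\w+)'") {
        if ($Matches.state -ne 'Eliminated') {
            $blockers.Add("SYSVOL migration state is '$($Matches.state)', not 'Eliminated'")
        }
    } else {
        $blockers.Add('No DFSR global state found in the dfsrmig output')
    }

    # One CSV row per inbound replication link; a non-zero failure count blocks.
    $rows = $ShowReplCsv -split '\r?\n' | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($link in $rows) {
        if ([int]$link.'Number of Failures' -gt 0) {
            $blockers.Add(('{0} <- {1} [{2}]: {3} failures, last status {4}' -f
                $link.'Destination DSA', $link.'Source DSA', $link.'Naming Context',
                $link.'Number of Failures', $link.'Last Failure Status'))
        }
    }
    [pscustomobject]@{ Ready = ($blockers.Count -eq 0); Blockers = $blockers.ToArray() }
}

# Constructed sample: SYSVOL still at 'Start' and one failing replication link.
$sampleDfsr = "Current DFSR global state: 'Start'`r`nSucceeded."
$sampleRepl = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC01,"DC=corp,DC=example",Default-First-Site-Name,DC02,RPC,0,0,2024-01-10 09:15:02,0
showrepl_INFO,Default-First-Site-Name,DC02,"DC=corp,DC=example",Default-First-Site-Name,DC01,RPC,3,2024-01-10 09:01:44,2024-01-09 22:15:10,1722
'@
Test-MigrationReadiness -DfsrmigOutput $sampleDfsr -ShowReplCsv $sampleRepl | Format-List
```

With the constructed sample, Ready is False and two blockers are listed: the SYSVOL state and the DC02 inbound link from DC01.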

Step 3: Deploy New Windows Server 2019/2022 Domain Controllers

Install Active Directory Domain Services (AD DS)

  1. Install Windows Server 2019/2022 on your new server.
  2. Open Server Manager and select Add Roles and Features.
  3. Choose Active Directory Domain Services (AD DS) and complete the installation.
  4. After installation, promote the server to a Domain Controller.

Promote the New Domain Controller

  1. Open Server Manager, go to Manage > Promote this server to a domain controller.
  2. Choose Add a domain controller to an existing domain.
  3. Provide Domain Administrator credentials.
  4. Select Global Catalog (GC) and DNS roles.
  5. Complete the installation and restart the server.

Step 4: Transfer FSMO Roles

To ensure smooth operation, transfer all FSMO (Flexible Single Master Operations) roles to the new DCs.

Check Current FSMO Role Holders

Run:

netdom query fsmo

Transfer FSMO Roles Using PowerShell

Run the following commands on the new domain controller:

Move-ADDirectoryServerOperationMasterRole -Identity "<NewDCName>" -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster

Alternatively, use Active Directory Users and Computers (ADUC) for manual FSMO role transfer.
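
Before moving on to demotion, it is worth confirming that no role was left behind. The script below is an added example, not part of the original guide: it parses the output of netdom query fsmo and flags any role still held by a server scheduled for removal. The function name and the host names NEWDC01 and OLDDC01 are hypothetical.

```powershell
# Added example. Host names are constructed; on a DC use: $out = netdom query fsmo
function Get-FsmoHolder {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$NetdomOutput,
        [Parameter(Mandatory)][string[]]$RetiringDc
    )
    # Compare short host names so "DC01" and "dc01.corp.example" match.
    $retiring = @($RetiringDc | ForEach-Object { ($_ -split '\.')[0].ToLowerInvariant() })
    foreach ($line in $NetdomOutput) {
        # Each role line is "<role name><two or more spaces><holder FQDN>".
        if ($line -match '^(?<role>\S.*?)\s{2,}(?<holder>\S+)\s*$') {
            $short = ($Matches.holder -split '\.')[0].ToLowerInvariant()
            [pscustomobject]@{
                Role         = $Matches.role
                Holder       = $Matches.holder
                OnRetiringDc = $retiring -contains $short
            }
        }
    }
}

# Constructed sample: the RID role was missed during the transfer.
$sample = @(
    'Schema master               NEWDC01.corp.example'
    'Domain naming master        NEWDC01.corp.example'
    'PDC                         NEWDC01.corp.example'
    'RID pool manager            OLDDC01.corp.example'
    'Infrastructure master       NEWDC01.corp.example'
    'The command completed successfully.'
)
$roles = @(Get-FsmoHolder -NetdomOutput $sample -RetiringDc 'OLDDC01')
$roles | Format-Table -AutoSize

# Gate: all five roles parsed, and none left on a server scheduled for demotion.
$stuck = @($roles | Where-Object OnRetiringDc)
if ($roles.Count -ne 5) { Write-Warning "Expected 5 FSMO roles, parsed $($roles.Count)" }
if ($stuck.Count -gt 0) { Write-Warning "Do not demote yet: $($stuck.Role -join ', ') still on a retiring DC" }
```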


Step 5: Demote and Decommission Old Domain Controllers

Demote Windows Server 2012 R2 DCs

  1. Open Server Manager on the old DC.
  2. Go to Manage > Remove Roles and Features.
  3. Uncheck the Active Directory Domain Services (AD DS) role.
  4. Follow the wizard to demote the domain controller.
  5. Restart the server.

Remove from Active Directory

After demotion, remove the old domain controllers completely:

Remove-ADComputer -Identity "<OldDCName>"

Clean Up DNS Records

  1. Open DNS Manager.
  2. Remove any references to the old domain controllers.
  3. Run: ipconfig /flushdns

Step 6: Finalize the Migration

Raise Domain and Forest Functional Levels

Once all domain controllers are running Windows Server 2019/2022, raise the Domain Functional Level (DFL) and Forest Functional Level (FFL):

  1. Open Active Directory Domains and Trusts.
  2. Right-click your domain and select Raise Domain Functional Level.
  3. Choose Windows Server 2019 or 2022 and confirm.
  4. Repeat the process for Forest Functional Level.

Verify and Monitor

After migration, ensure everything is running smoothly:

  • Run dcdiag to check for errors.
  • Verify Group Policy settings.
  • Test authentication with user logins and applications.

Conclusion

Migrating from Windows Server 2012 R2 to 2019/2022 enhances security, performance, and manageability in your Active Directory environment. By following this structured approach—preparing, deploying new DCs, transferring roles, and decommissioning old servers—you can ensure a seamless transition with minimal disruptions.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.