Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012

Updated: April 15, 2016

Applies To: Windows Server Technical Preview

This topic provides background information about Active Directory Domain Services in Windows Server 2012 R2 and Windows Server 2012 and explains the process for upgrading domain controllers from Windows Server 2008 or Windows Server 2008 R2.

  • Domain controller upgrade steps
  • What’s new in Windows Server 2012?
  • What’s new in AD DS in Windows Server 2012 R2?
  • What’s new in AD DS in Windows Server 2012?
  • AD DS server role installation changes
  • Deprecated features and behavior changes related to AD DS in Windows Server 2012
  • Operating system requirements
  • Supported in-place upgrade paths
  • Functional level features and requirements
  • AD DS interoperability with other server roles and Windows operating systems
  • Operations master roles
  • Virtualizing domain controllers that run Windows Server 2012
  • Administration of Windows Server 2012 servers
  • Application compatibility
  • Known issues

Domain controller upgrade steps

The recommended way to upgrade a domain is to promote domain controllers that run newer versions of Windows Server and demote older domain controllers as needed. That method is preferable to upgrading the operating system of an existing domain controller. This list covers the general steps to follow before you promote a domain controller that runs a newer version of Windows Server:
  1. Verify the target server meets system requirements.
  2. Verify Application compatibility.
  3. Verify security settings. For more information, see Deprecated features and behavior changes related to AD DS in Windows Server 2012 and Secure default settings in Windows Server 2008 and Windows Server 2008 R2.
  4. Check connectivity to the target server from the computer where you plan to run the installation.
  5. Check for availability of necessary operation master roles:
  • To install the first DC that runs Windows Server 2012 in an existing domain and forest, the machine where you run the installation needs connectivity to the schema master in order to run adprep /forestprep and the infrastructure master in order to run adprep /domainprep.
  • To install the first DC in a domain where the forest schema is already extended, you only need connectivity to infrastructure master.
  • To install or remove a domain in an existing forest, you need connectivity to the domain naming master.
  • Any domain controller installation also requires connectivity to the RID master.
  • If you are installing the first read-only domain controller in an existing forest, you need connectivity to the infrastructure master for each application directory partition, also known as a non-domain naming context or NDNC.
  6. Be sure to supply the necessary credentials to run the AD DS installation.

Installation action | Credential requirements
---|---
Install a new forest | Local Administrator on the target server
Install a new domain in an existing forest | Enterprise Admins
Install an additional DC in an existing domain | Domain Admins
Run adprep /forestprep | Schema Admins, Enterprise Admins, and Domain Admins
Run adprep /domainprep | Domain Admins
Run adprep /domainprep /gpprep | Domain Admins
Run adprep /rodcprep | Enterprise Admins

You can delegate permissions to install AD DS. For more information, see Installation Management Tasks.
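As an added example (not part of the original article), the following PowerShell function automates steps 4 through 6 of the list above: it discovers the operations master role holders the promotion will have to reach, tests LDAP and RPC endpoint-mapper connectivity to each, and checks the caller's token against the credential table. It assumes the ActiveDirectory RSAT module, Windows 8 or Windows Server 2012 or later for Test-NetConnection, and a constructed domain name; the reading of fSMORoleOwner on the Infrastructure container of each application partition for the RODC case is the standard attribute location, not something the article spells out.

```powershell
Import-Module ActiveDirectory

# Resolve the NTDS Settings DN stored in fSMORoleOwner to the server's DNS host name.
function Resolve-RoleOwnerHost {
    param([string]$NtdsSettingsDn)
    $serverDn = $NtdsSettingsDn -replace '^CN=NTDS Settings,', ''
    (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
}

function Test-DcPromotionPrerequisites {
    param(
        [Parameter(Mandatory)][string]$TargetDomain,  # e.g. 'corp.example.com' (constructed)
        [switch]$FirstDcOfThisVersion,   # schema master must be reachable for adprep /forestprep
        [switch]$ReadOnly                # RODC: infrastructure master of each application partition
    )
    $forest  = Get-ADForest
    $domain  = Get-ADDomain -Identity $TargetDomain
    $results = New-Object System.Collections.Generic.List[object]

    # 1. Operations masters the article requires connectivity to, keyed by the reason.
    $roles = [ordered]@{
        'RID master (every DC install)'                 = $domain.RIDMaster
        'Infrastructure master (adprep /domainprep)'    = $domain.InfrastructureMaster
        'Domain naming master (add or remove a domain)' = $forest.DomainNamingMaster
    }
    if ($FirstDcOfThisVersion) { $roles['Schema master (adprep /forestprep)'] = $forest.SchemaMaster }
    if ($ReadOnly) {
        foreach ($partition in $forest.ApplicationPartitions) {
            $label = "Infrastructure master of $partition (adprep /rodcprep)"
            try {
                $owner = (Get-ADObject -Identity "CN=Infrastructure,$partition" -Properties fSMORoleOwner).fSMORoleOwner
                $roles[$label] = Resolve-RoleOwnerHost $owner
            } catch {
                $roles[$label] = "UNRESOLVED: $($_.Exception.Message)"
            }
        }
    }
    foreach ($entry in $roles.GetEnumerator()) {
        $hostName  = $entry.Value
        $reachable = $false
        if ($hostName -and $hostName -notlike 'UNRESOLVED*') {
            # LDAP (389) and the RPC endpoint mapper (135) are what the remote adprep run needs.
            $ldap = Test-NetConnection -ComputerName $hostName -Port 389 -WarningAction SilentlyContinue
            $rpc  = Test-NetConnection -ComputerName $hostName -Port 135 -WarningAction SilentlyContinue
            $reachable = $ldap.TcpTestSucceeded -and $rpc.TcpTestSucceeded
        }
        $results.Add([pscustomobject]@{ Check = $entry.Key; Target = $hostName; Pass = $reachable })
    }

    # 2. Credential check against the table above: translate the caller's token groups to names.
    $rootNetbios = (Get-ADDomain -Identity $forest.RootDomain).NetBIOSName
    $tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { } }
    $required = @("$($domain.NetBIOSName)\Domain Admins")
    if ($FirstDcOfThisVersion) {
        $required += @("$rootNetbios\Enterprise Admins", "$rootNetbios\Schema Admins")
    }
    if ($ReadOnly) { $required += @("$rootNetbios\Enterprise Admins") }
    foreach ($group in ($required | Select-Object -Unique)) {
        $results.Add([pscustomobject]@{
            Check  = "Member of $group"
            Target = "$env:USERDOMAIN\$env:USERNAME"
            Pass   = ($tokenGroups -contains $group)
        })
    }
    return $results
}

# Usage (constructed domain name): run from the machine where the installation will be started.
# Test-DcPromotionPrerequisites -TargetDomain 'corp.example.com' -FirstDcOfThisVersion | Format-Table -AutoSize
```

Any row with Pass = False maps directly to a step in the list: an unreachable role holder means the automatic ADPREP will fail during promotion, and a missing group means the credential table is not satisfied for that installation action.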

Step-by-step instructions to promote new and replica Windows Server 2012 domain controllers using Windows PowerShell cmdlets and Server Manager can be found in the following links:

What’s new in Windows Server 2012?

  • Active Directory Certificate Services (AD CS)
  • Active Directory Rights Management Services (AD RMS)
  • BitLocker Drive Encryption
  • BranchCache
  • Dynamic Host Configuration Protocol (DHCP)
  • Domain Name System (DNS)
  • Failover Clustering
  • File Server Resource Manager
  • Group Policy
  • Hyper-V
  • IP Address Management (IPAM)
  • Kerberos Authentication
  • Managed Service Accounts
  • Networking
  • Remote Desktop Services
  • Security Auditing
  • Server Manager
  • Smart Cards
  • TLS/SSL (Schannel SSP)
  • Windows Deployment Services
  • Windows PowerShell 3.0

What’s new in AD DS in Windows Server 2012 R2?

The following table summarizes new features for AD DS in Windows Server 2012 R2, with a link to more detailed information where it is available. For a more detailed explanation of some features, including their requirements, see What’s New in Active Directory in Windows Server 2012 R2.

Feature | Description
---|---
Workplace Join | Allows information workers to join their personal devices with their company to access company resources and services.
Web Application Proxy | Provides access to web applications using a new Remote Access role service.
Active Directory Federation Services | AD FS has simplified deployment and improvements to enable users to access resources from personal devices and help IT departments manage access control.
SPN and UPN uniqueness | Domain controllers running Windows Server 2012 R2 block the creation of duplicate service principal names (SPNs) and user principal names (UPNs).
Winlogon Automatic Restart Sign-On (ARSO) | Enables lock screen applications to be restarted and available on Windows 8.1 devices.
TPM Key Attestation | Enables CAs to cryptographically attest in an issued certificate that the certificate requester's private key is actually protected by a Trusted Platform Module (TPM).
Credentials Protection and Management | New credential protection and domain authentication controls to reduce credential theft.
Deprecation of File Replication Service (FRS) | The Windows Server 2003 domain functional level is also deprecated because at that functional level, FRS is used to replicate SYSVOL. That means when you create a new domain on a server that runs Windows Server 2012 R2, the domain functional level must be Windows Server 2008 or newer. You can still add a domain controller that runs Windows Server 2012 R2 to an existing domain that has a Windows Server 2003 domain functional level; you just can’t create a new domain at that level.
New domain and forest functional levels | There are new functional levels for Windows Server 2012 R2. New features are available at the Windows Server 2012 R2 DFL.
LDAP query optimizer changes | Performance improvement in LDAP search efficiency and LDAP search time of complex queries.
1644 Event improvements | LDAP search result statistics were added to event ID 1644 to aid in troubleshooting.
Active Directory replication throughput improvement | Adjusts the maximum AD replication throughput from 40 Mbps to around 600 Mbps.

What’s new in AD DS in Windows Server 2012?

The following table summarizes the new features for AD DS in Windows Server 2012, with a link to more detailed information where it is available. For a more detailed explanation of some features, including their requirements, see What’s New in Active Directory Domain Services (AD DS).

Feature | Description
---|---
Active Directory-Based Activation (AD BA); see Volume Activation Overview | Simplifies the task of configuring the distribution and management of volume software licenses.
Active Directory Federation Services (AD FS) | Adds role install via Server Manager, simplified trust setup, automatic trust management, SAML protocol support, and more.
Active Directory lost page flush events | NTDS ISAM event 530 with jet error -1119 is logged to detect lost page flush events to Active Directory databases.
Active Directory Recycle Bin User Interface | Active Directory Administrative Center (ADAC) adds GUI management of the recycle bin feature originally introduced in Windows Server 2008 R2.
Active Directory Replication and Topology Windows PowerShell cmdlets | Supports the creation and management of Active Directory sites, site links, connection objects, and more using Windows PowerShell.
Dynamic Access Control | New claims-based authorization platform that enhances the legacy access control model.
Fine-Grained Password Policy User Interface | ADAC adds GUI support for the creation, editing and assignment of PSOs originally added in Windows Server 2008.
Group Managed Service Accounts (gMSA) | A new security principal type known as a gMSA. Services running on multiple hosts can run under the same gMSA account.
DirectAccess Offline Domain Join | Extends offline domain join by including DirectAccess prerequisites.
Rapid deployment via virtual domain controller (DC) cloning | Virtualized DCs can be rapidly deployed by cloning existing virtual domain controllers using Windows PowerShell cmdlets.
RID pool changes | Adds new monitoring events and quotas to safeguard against excessive consumption of the global RID pool. Optionally doubles the size of the global RID pool if the original pool becomes exhausted.
Secure Time service | Enhances security for W32tm by removing secrets from the wire, removing the MD5 hash functions and requiring the server to authenticate with Windows 8 time clients.
USN rollback protection for virtualized DCs | Accidentally restoring snapshot backups of virtualized DCs no longer causes USN rollback.
Windows PowerShell History Viewer | Allows administrators to view the Windows PowerShell commands executed when using ADAC.

Automatic Maintenance and changes to restart behavior after updates are applied by Windows Update

Prior to the release of Windows 8, Windows Update managed its own internal schedule to check for updates, and to download and install them. It required that the Windows Update Agent was always running in the background, consuming memory and other system resources.

Windows 8 and Windows Server 2012 introduce a new feature called Automatic Maintenance. Automatic Maintenance consolidates many different features that each used to manage its own scheduling and execution logic. This consolidation allows for all these components to use far less system resources, work consistently, respect the new Connected Standby state for new device types, and consume less battery on portable devices.

Because Windows Update is a part of Automatic Maintenance in Windows 8 and Windows Server 2012, its own internal schedule for setting a day and time to install updates is no longer effective. To help ensure consistent and predictable restart behavior for all devices and computers in your enterprise, including those that run Windows 8 and Windows Server 2012, see Microsoft KB article 2885694 (or the October 2013 cumulative rollup 2883201), and then configure the following Group Policy settings:

  • Computer Configuration|Policies|Administrative Templates|Windows Components|Windows Update|Configure Automatic Updates
  • Computer Configuration|Policies|Administrative Templates|Windows Components|Windows Update|No auto-restart with logged on users
  • Computer Configuration|Policies|Administrative Templates|Windows Components|Maintenance Scheduler|Maintenance Random Delay

The following examples show how to configure these settings to provide the desired restart behavior.

Scenario: WSUS managed – install updates once per week – reboot Fridays at 11PM
Recommended configuration: set machines to auto-install and prevent auto-reboot until the desired time.
  • Policy: Configure Automatic Updates (Enabled); Configure automatic updating: 4 – Auto download and schedule the install
  • Policy: No auto-restart with logged-on users… (Disabled)
  • WSUS deadlines: set to Fridays at 11PM

Scenario: WSUS managed – stagger installs across different hours/days
Recommended configuration: set target groups for the different groups of machines that should be updated together.
  • Use the steps for the previous scenario
  • Set different deadlines for different target groups

Scenario: Not WSUS-managed – no support for deadlines – stagger installs at different times
Recommended configuration:
  • Policy: Configure Automatic Updates (Enabled); Configure automatic updating: 4 – Auto download and schedule the install
  • Registry key: enable the registry key discussed in Microsoft KB article 2835627
  • Policy: Automatic Maintenance Random Delay (Enabled); set Regular maintenance random delay to PT6H for a 6-hour random delay, which provides the following behavior:
      – Updates will install at the configured maintenance time plus a random delay
      – Restart for each machine will take place exactly 3 days later
  • Alternatively, set a different maintenance time for each group of machines

For more information about why the Windows engineering team implemented these changes, see Minimizing restarts after automatic updating in Windows Update.
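The following added example (not from the original article) reports, for one of the scenarios above, whether the registry values that Group Policy writes for those settings are present and at the recommended value on the local machine, so a domain controller's restart behavior can be audited before an upgrade window. The AUOptions and NoAutoRebootWithLoggedOnUsers value names are the documented Windows Update policy values; AlwaysAutoRebootAtScheduledTime is assumed to be the value KB 2835627 introduces, and the Task Scheduler\Maintenance path with its Randomized and RandomDelay values is assumed from the Maintenance Scheduler ADMX, so verify both against your policy definitions. WSUS deadlines live on the WSUS server and are not visible here.

```powershell
function Get-UpdateRestartPolicyReport {
    param(
        [ValidateSet('WsusWeeklyReboot', 'StaggeredNoWsus')]
        [string]$Scenario = 'WsusWeeklyReboot'
    )
    $au    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $maint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler\Maintenance'   # assumed path

    # Read a policy value, or $null when the key or value has not been written by Group Policy.
    function Read-Policy([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    # Expected values per scenario, taken from the configuration examples above.
    $expected = switch ($Scenario) {
        'WsusWeeklyReboot' {
            @(
                @{ Setting = 'Configure Automatic Updates: 4 (auto download, schedule install)'
                   Path = $au; Name = 'AUOptions'; Value = 4 }
                @{ Setting = 'No auto-restart with logged on users (Disabled)'
                   Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers'; Value = 0 }
            )
        }
        'StaggeredNoWsus' {
            @(
                @{ Setting = 'Configure Automatic Updates: 4 (auto download, schedule install)'
                   Path = $au; Name = 'AUOptions'; Value = 4 }
                @{ Setting = 'KB 2835627 restart at scheduled time (assumed value name)'
                   Path = $au; Name = 'AlwaysAutoRebootAtScheduledTime'; Value = 1 }
                @{ Setting = 'Maintenance Random Delay (Enabled, assumed value name)'
                   Path = $maint; Name = 'Randomized'; Value = 1 }
                @{ Setting = 'Regular maintenance random delay (assumed value name)'
                   Path = $maint; Name = 'RandomDelay'; Value = 'PT6H' }
            )
        }
    }

    foreach ($e in $expected) {
        $current = Read-Policy $e.Path $e.Name
        [pscustomobject]@{
            Setting   = $e.Setting
            Location  = "$($e.Path)\$($e.Name)"
            Current   = $current
            Expected  = $e.Value
            # A missing value means the policy is Not Configured, which is also non-compliant here.
            Compliant = ($null -ne $current) -and ("$current" -eq "$($e.Value)")
        }
    }
}

# Get-UpdateRestartPolicyReport -Scenario WsusWeeklyReboot | Format-Table -AutoSize
```

The function only reads the registry; pushing a change still belongs in the GPO so that the policy and the machine state cannot drift apart.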

AD DS server role installation changes

In Windows Server 2003 through Windows Server 2008 R2, you ran the x86 or x64 version of the Adprep.exe command-line tool before running the Active Directory Installation Wizard, Dcpromo.exe; Dcpromo.exe also had optional variants to install from media or for unattended installation.

Beginning in Windows Server 2012, command-line installations are performed by using the ADDSDeployment Module in Windows PowerShell. GUI-based promotions are performed in Server Manager using a completely new AD DS Configuration Wizard. To simplify the installation process, ADPREP has been integrated into the AD DS installation and runs automatically as needed. The Windows PowerShell–based AD DS Configuration Wizard automatically targets the schema and infrastructure master roles in the domains where DCs are being added, then remotely runs the required ADPREP commands on the relevant domain controllers.

Prerequisite checks in the AD DS Installation Wizard identify potential errors before the installation begins. Error conditions can be corrected to eliminate concerns from a partially complete upgrade. The wizard also exports a Windows PowerShell script that contains all the options that were specified during the graphical installation.

Taken together, the AD DS installation changes simplify the DC role installation process and reduce the likelihood of administrative errors, especially when you are deploying multiple domain controllers across global regions and domains. For more detailed information on GUI and Windows PowerShell-based installations, including command-line syntax and step-by-step wizard instructions, see Install Active Directory Domain Services. For administrators who want to control the introduction of schema changes in an Active Directory forest independently of the installation of Windows Server 2012 DCs in an existing forest, the Adprep.exe commands can still be run at an elevated command prompt.
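As an added example (not the article's own code), this is the ADDSDeployment equivalent of the wizard flow described above: the same parameter set is first run through the prerequisite check, which is where the integrated ADPREP and the pre-installation checks surface errors, and only then through the promotion. Domain name, site name, credential and paths are constructed placeholders; the Status and Message properties read from the check result are assumed from the module's deployment result object.

```powershell
Import-Module ADDSDeployment

# One parameter set, reused for the check and the install. This is the shape of the script
# the AD DS Configuration Wizard exports at the end of a graphical installation.
$params = @{
    DomainName                    = 'corp.example.com'                        # constructed
    SiteName                      = 'Default-First-Site-Name'
    InstallDns                    = $true
    Credential                    = (Get-Credential 'CORP\Administrator')      # constructed account
    SafeModeAdministratorPassword = (Read-Host -AsSecureString 'DSRM password')
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
}

# Prerequisite-only run: no changes are made. Anything reported here is the kind of
# error condition the article says to correct before starting, so that an upgrade
# is never left partially complete.
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    Write-Warning "Prerequisite check failed: $($check.Message)"
    return
}

# Promote. -Force suppresses the confirmation prompt; -NoRebootOnCompletion leaves the
# restart to the operator so it can be scheduled in the maintenance window.
Install-ADDSDomainController @params -NoRebootOnCompletion -Force

# If the schema extension must be introduced on its own schedule, run it beforehand
# from the Windows Server 2012 media at an elevated prompt (comment only, not executed here):
#   <media>:\support\adprep\adprep.exe /forestprep
#   <media>:\support\adprep\adprep.exe /domainprep
```

Running the check separately also lets the prerequisite step be executed under a lower-privilege account for validation while the promotion itself is run with the credentials from the table in the upgrade steps section.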

Deprecated features and behavior changes related to AD DS in Windows Server 2012

There are some changes related to AD DS:

  • Deprecation of Adprep32.exe: there is only one version of Adprep.exe, and it can be run as needed on 64-bit servers that run Windows Server 2008 or later. It can be run remotely, and must be run remotely if the targeted operations master role is hosted on a 32-bit operating system or Windows Server 2003.
  • Deprecation of Dcpromo.exe: Dcpromo is deprecated, although in Windows Server 2012 only it can still be run with an answer file or command-line parameters to give organizations time to transition existing automation to the new Windows PowerShell installation options.
  • LMHash is disabled on user accounts.

Beginning with Windows Server 2008, domain controllers also have the following secure default settings, compared to domain controllers that run Windows Server 2003 or Windows 2000:

  • Secure defaults in the security templates on Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 enable the NoLMHash policy, which is disabled in the security templates of Windows 2000 and Windows Server 2003 domain controllers. Disable the NoLMHash policy for LMHash-dependent clients as required, using the steps in KB article 946405.

Encryption type or policy | Windows Server 2008 default | Windows Server 2012 and Windows Server 2008 R2 default | Comment
---|---|---|---
AllowNT4Crypto | Disabled | Disabled | Third-party Server Message Block (SMB) clients may be incompatible with the secure default settings on domain controllers. In all cases, these settings can be relaxed to allow interoperability, but only at the expense of security. For more information, see article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164558).
DES | Enabled | Disabled | Article 977321 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=177717)
CBT/Extended Protection for Integrated Authentication | N/A | Enabled | See Microsoft Security Advisory (937811) (http://go.microsoft.com/fwlink/?LinkId=164559) and article 976918 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=178251). Review and install the hotfix in article 977073 (http://go.microsoft.com/fwlink/?LinkId=186394) in the Microsoft Knowledge Base as required.
LMv2 | Enabled | Disabled | Article 976918 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=178251)
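Since each row in the table can be relaxed by a registry value, a pre-upgrade audit should confirm that the secure defaults are still in effect. The following is an added example (not from the article) that reads the local values behind NoLMHash, AllowNT4Crypto, DES Kerberos encryption types and Extended Protection and reports whether each is in its Windows Server 2012 / 2008 R2 default state. NoLMHash and SuppressExtendedProtection under Lsa and AllowNT4Crypto under Netlogon\Parameters are the value names the referenced KB articles document; the Kerberos SupportedEncryptionTypes path is assumed to be the Group Policy location and is only present when the policy has been set.

```powershell
function Get-DcSecureDefaultReport {
    # Read a value or return $null when it is absent (absent means "OS default applies").
    function Read-Reg([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $kerbPol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'  # assumed

    $noLmHash   = Read-Reg $lsa      'NoLMHash'
    $allowNt4   = Read-Reg $netlogon 'AllowNT4Crypto'
    $suppressEp = Read-Reg $lsa      'SuppressExtendedProtection'
    $etypes     = Read-Reg $kerbPol  'SupportedEncryptionTypes'

    # DES_CBC_CRC = 0x1 and DES_CBC_MD5 = 0x2 in the supported-encryption-types bit mask.
    # When no policy is set, Windows Server 2008 R2 and later leave DES off (Windows Server 2008 did not).
    $desEnabled = if ($null -eq $etypes) { $false } else { ($etypes -band 0x3) -ne 0 }

    @(
        [pscustomobject]@{ Setting = 'NoLMHash (LMHash disabled)'
                           Current = $noLmHash;   SecureDefault = '1';           Secure = ($noLmHash -eq 1) }
        [pscustomobject]@{ Setting = 'AllowNT4Crypto'
                           Current = $allowNt4;   SecureDefault = 'absent or 0'; Secure = (-not $allowNt4) }
        [pscustomobject]@{ Setting = 'DES Kerberos encryption types (policy)'
                           Current = $etypes;     SecureDefault = 'DES bits clear'; Secure = (-not $desEnabled) }
        [pscustomobject]@{ Setting = 'Extended Protection (SuppressExtendedProtection)'
                           Current = $suppressEp; SecureDefault = 'absent or 0'; Secure = (-not $suppressEp) }
    )
}

# Get-DcSecureDefaultReport | Format-Table -AutoSize
```

A row with Secure = False on a domain controller that is about to be upgraded usually means an interoperability exception was granted in the past; the article's point is that such exceptions cost security, so each one should be re-justified rather than carried forward silently.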

Operating system requirements

The minimum system requirements for Windows Server 2012 are listed in the following table. For more information about system requirements and pre-installation information, see Installing Windows Server 2012. There are no additional system requirements to install a new Active Directory forest, but you should add sufficient memory to cache the contents of the Active Directory database in order to improve performance for domain controllers, LDAP client requests, and Active Directory-enabled applications. If you are upgrading an existing domain controller or adding a new domain controller to an existing forest, review the next section to ensure the server meets disk space requirements.

Processor | 1.4 GHz 64-bit processor
RAM | 512 MB
Free disk space requirements | 32 GB
Screen resolution | 800 x 600 or higher
Miscellaneous | DVD drive, keyboard, Internet access

Disk space requirements for upgrading domain controllers

This section covers disk space requirements only for upgrading domain controllers from Windows Server 2008 or Windows Server 2008 R2. For more information about disk space requirements for upgrading domain controllers to earlier versions of Windows Server, see Disk space requirements for upgrading to Windows Server 2008 or Disk space requirements for upgrading to Windows Server 2008 R2.

Size the disk that hosts the Active Directory database and log files to accommodate the custom and application-driven schema extensions, application- and administrator-initiated indexes, plus space for the objects and attributes that will be added to the directory over the deployment life of the domain controller (typically 5 to 8 years). Right-sizing at deployment time is typically a good investment compared to the greater touch costs required to expand disk storage after deployment. For more information, see Capacity Planning for Active Directory Domain Services.

On domain controllers that you plan to upgrade, make sure that the drive that hosts the Active Directory database (NTDS.DIT) has free disk space equal to at least 20% of the size of the NTDS.DIT file before you begin the operating system upgrade. If there is insufficient free disk space on the volume, the upgrade can fail and the upgrade compatibility report returns an error indicating insufficient free disk space.

In this case, you can try an offline defragmentation of the Active Directory database to recapture additional space, and then retry the upgrade. For more information, see Compact the Directory Database File (Offline Defragmentation).
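The 20% rule above is easy to check before the upgrade is started. The following added example (not from the article) locates NTDS.DIT through the NTDS service parameters, where "DSA Database file" is the documented value holding the database path, compares the free space on that volume with 20% of the database size, and reports the shortfall if any.

```powershell
function Test-NtdsUpgradeDiskSpace {
    param([double]$MinimumFreeRatio = 0.20)   # 20% of the NTDS.DIT size, per the article

    # The database path is recorded by the directory service itself, so this works
    # whether NTDS.DIT was left in the default location or moved to a data volume.
    $ntdsParams = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath    = $ntdsParams.'DSA Database file'
    $dit        = Get-Item -Path $ditPath

    # Free space is read for the volume that holds the file, not for the system drive.
    $qualifier  = Split-Path -Path $ditPath -Qualifier          # e.g. 'D:'
    $volume     = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$qualifier'"
    $required   = [int64][math]::Ceiling($dit.Length * $MinimumFreeRatio)

    [pscustomobject]@{
        DatabasePath      = $ditPath
        DatabaseBytes     = $dit.Length
        FreeBytes         = $volume.FreeSpace
        RequiredFreeBytes = $required
        ShortfallBytes    = [math]::Max(0, $required - $volume.FreeSpace)
        Sufficient        = ($volume.FreeSpace -ge $required)
    }
}

# Test-NtdsUpgradeDiskSpace
# If Sufficient is False, the article's remedy is an offline defragmentation, which is an
# ntdsutil operation run with the directory service stopped (shown here as a comment only):
#   ntdsutil "activate instance ntds" files "compact to D:\Defrag" quit quit
```

Because the compatibility report only flags the problem late in setup, running this check during planning avoids a failed upgrade and the rollback it would trigger.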

Available SKUs

There are 4 editions of Windows Server: Foundation, Essentials, Standard and Datacenter. The two editions that support the AD DS role are Standard and Datacenter.

In previous releases, Windows Server editions differed in their support of server roles, processor counts and large memory support. The Standard and Datacenter editions of Windows Server support all features and underlying hardware but vary in their virtualization rights – two virtual instances are allowed for Standard edition and unlimited virtual instances are allowed for Datacenter edition.

Windows client and Windows Server operating systems that are supported to join Windows Server domains

The following Windows client and Windows Server operating systems are supported for domain member computers with domain controllers that run Windows Server 2012 or later:

  • Client operating systems: Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP
      Computers that run Windows 8.1 or Windows 8 are also able to join domains that have domain controllers that run earlier versions of Windows Server, including Windows Server 2003 or later. In this case, however, some Windows 8 features may require additional configuration or may not be available. For more information about those features and other recommendations for managing Windows 8 clients in downlevel domains, see Running Windows 8 member computers in Windows Server 2003 domains.
  • Server operating systems: Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, Windows Server 2003

Supported in-place upgrade paths

Domain controllers that run 64-bit versions of Windows Server 2008 or Windows Server 2008 R2 can be upgraded to Windows Server 2012. You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that run Windows Server 2003.

If you are running these editions | You can upgrade to these editions
---|---
Windows Server 2008 Standard with SP2 OR Windows Server 2008 Enterprise with SP2 | Windows Server 2012 Standard OR Windows Server 2012 Datacenter
Windows Server 2008 Datacenter with SP2 | Windows Server 2012 Datacenter
Windows Web Server 2008 | Windows Server 2012 Standard
Windows Server 2008 R2 Standard with SP1 OR Windows Server 2008 R2 Enterprise with SP1 | Windows Server 2012 Standard OR Windows Server 2012 Datacenter
Windows Server 2008 R2 Datacenter with SP1 | Windows Server 2012 Datacenter
Windows Web Server 2008 R2 | Windows Server 2012 Standard

For more information about supported upgrade paths, see Evaluation Versions and Upgrade Options for Windows Server 2012. Note that you cannot convert a domain controller that runs an evaluation version of Windows Server 2012 directly to a retail version. Instead, install an additional domain controller on a server that runs a retail version and remove AD DS from the domain controller that runs on the evaluation version.

Due to a known issue, you cannot upgrade a domain controller that runs a Server Core installation of Windows Server 2008 R2 to a Server Core installation of Windows Server 2012. The upgrade will hang on a solid black screen late in the upgrade process. Rebooting such DCs exposes an option in boot.ini file to roll back to the previous operating system version. An additional reboot triggers the automatic rollback to the previous operating system version. Until a solution is available, it is recommended that you install a new domain controller running a Server Core installation of Windows Server 2012 instead of in-place upgrading an existing domain controller that runs a Server Core installation of Windows Server 2008 R2. For more information, see KB article 2734222.

Functional level features and requirements

Windows Server 2012 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2012 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher. This means that domain controllers that run Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 can operate in the same forest, but domain controllers that run Windows 2000 Server are not supported and will block installation of a domain controller that runs Windows Server 2012. If the forest contains domain controllers running Windows Server 2003 or later but the forest functional level is still Windows 2000, the installation is also blocked.

Windows 2000 domain controllers must be removed prior to adding Windows Server 2012 domain controllers to your forest. In this case, consider the following workflow:

  1. Install domain controllers that run Windows Server 2003 or later. These domain controllers can be deployed on an evaluation version of Windows Server. This step also requires running adprep.exe for that operating system release as a prerequisite.
  2. Remove the Windows 2000 domain controllers. Specifically, gracefully demote or forcibly remove the Windows 2000 domain controllers from the domain, and use Active Directory Users and Computers to remove the domain controller accounts for all removed domain controllers.
  3. Raise the forest functional level to Windows Server 2003 or higher.
  4. Install domain controllers that run Windows Server 2012.
  5. Remove domain controllers that run earlier versions of Windows Server.

The Windows Server 2012 forest functional level does not provide any new features, but it ensures that any new domain created in the forest will automatically operate at the Windows Server 2012 domain functional level. The Windows Server 2012 domain functional level does not provide other new features beyond KDC support for claims, compound authentication, and Kerberos armoring, but it ensures that every domain controller in the domain runs Windows Server 2012. For more information about other features that are available at different functional levels, see Understanding Active Directory Domain Services (AD DS) Functional Levels.

After you set the forest functional level to a certain value, you cannot roll back or lower the forest functional level, with the following exceptions: after you raise the forest functional level to Windows Server 2012, you can lower it to Windows Server 2008 R2. If Active Directory Recycle Bin has not been enabled, you can also lower the forest functional level from Windows Server 2012 to Windows Server 2008 R2 or Windows Server 2008, or from Windows Server 2008 R2 back to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

After you set the domain functional level to a certain value, you cannot roll back or lower the domain functional level, with the following exceptions: when you raise the domain functional level to Windows Server 2008 R2 or Windows Server 2012, and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008 or Windows Server 2008 R2. You can lower the domain functional level only from Windows Server 2012 to Windows Server 2008 R2 or Windows Server 2008, or from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

Beyond functional levels, a domain controller that runs Windows Server 2012 provides additional features that are not available on a domain controller that runs an earlier version of Windows Server. For example, a domain controller that runs Windows Server 2012 can be used for virtual domain controller cloning, whereas a domain controller that runs an earlier version of Windows Server cannot. But virtual domain controller cloning and virtual domain controller safeguards in Windows Server 2012 do not have any functional level requirements. For more information about features that are available at lower functional levels, see Understanding Active Directory Domain Services (AD DS) Functional Levels.

The new Windows Server 2012 domain functional level enables one new feature: the KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require the Windows Server 2012 domain functional level.

Note
Microsoft Exchange Server 2013 requires a forest functional level of Windows Server 2003 or higher.
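The workflow and rollback rules above translate into two checks and one guarded action, shown here as an added example (not the article's own code): an inventory of every domain controller's operating system so that Windows 2000 DCs that would block installation are found up front, the forest-level and Recycle Bin state that decide whether a later rollback is still possible, and a raise of every domain and then the forest to the Windows Server 2012 level that supports -WhatIf. It assumes the ActiveDirectory RSAT module and an account with Enterprise Admins membership for the raise.

```powershell
Import-Module ActiveDirectory

# Inventory DCs by OS and report the forest-level prerequisites and rollback state.
function Get-ForestUpgradeReadiness {
    $forest = Get-ADForest
    $dcs = foreach ($domainName in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domainName |
            Select-Object HostName, Domain, OperatingSystem, IsReadOnly
    }
    # Windows 2000 DCs block the installation of a Windows Server 2012 DC (step 2 above).
    $windows2000 = @($dcs | Where-Object { $_.OperatingSystem -like 'Windows 2000*' })
    # Recycle Bin enabled removes the 2012 -> 2008 R2 / 2008 forest rollback options.
    $recycleBin  = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"

    [pscustomobject]@{
        ForestMode            = $forest.ForestMode
        ForestModeAtLeast2003 = $forest.ForestMode -ge [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
        Windows2000DCs        = $windows2000.HostName
        BlockedBy2000DCs      = $windows2000.Count -gt 0
        RecycleBinEnabled     = ($recycleBin.EnabledScopes.Count -gt 0)
        DomainModes           = ($forest.Domains | ForEach-Object {
                                    "$_=$((Get-ADDomain -Identity $_).DomainMode)" }) -join '; '
        DomainControllers     = $dcs
    }
}

# Raise every domain, then the forest, to the Windows Server 2012 level. The forest cannot
# be raised until all domains are at that level, hence the order. ShouldProcess makes the
# irreversible step previewable with -WhatIf and confirmable by default.
function Set-ForestLevelWindows2012 {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain -and
            $PSCmdlet.ShouldProcess($domainName, 'Raise domain functional level to Windows2012Domain')) {
            Set-ADDomainMode -Identity $domain -DomainMode Windows2012Domain -Confirm:$false
        }
    }
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012Forest -and
        $PSCmdlet.ShouldProcess($forest.Name, 'Raise forest functional level to Windows2012Forest')) {
        Set-ADForestMode -Identity $forest -ForestMode Windows2012Forest -Confirm:$false
    }
}

# Get-ForestUpgradeReadiness
# Set-ForestLevelWindows2012 -WhatIf
```

Run the readiness report first and keep its output with the change record: once the forest is at Windows Server 2012 with Recycle Bin enabled, the table of rollback exceptions above no longer offers a way back below 2008 R2.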

AD DS interoperability with other server roles and Windows operating systems

AD DS is not supported on the following Windows operating systems:

  • Windows MultiPoint Server
  • Windows Server 2012 Essentials

AD DS cannot be installed on a server that also runs the following server roles or role services:

  • Hyper-V Server
  • Remote Desktop Connection Broker

Operations master roles

Some new features in Windows Server 2012 affect operations master roles:

  • The PDC emulator must be running Windows Server 2012 to support cloning virtual domain controllers. There are additional prerequisites for cloning DCs. For more information, see Active Directory Domain Services (AD DS) Virtualization.
  • New security principals are created when the PDC emulator runs Windows Server 2012.
  • The RID master has new RID issuance and monitoring functionality. The improvements include better event logging, more appropriate limits, and the ability to – in an emergency – increase the overall RID pool allocation by one bit. For more information, see Managing RID Issuance.

Note
Though they are not operations master roles, another change in AD DS installation is that the DNS server role and the global catalog are installed by default on all domain controllers that run Windows Server 2012.
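The RID monitoring improvements only help if someone reads the numbers, so the following added example (not from the article) reports how much of the global RID pool a domain has consumed. It reads the rIDAvailablePool attribute of the RID Manager$ object from the RID master; the split of that 64-bit value into a 32-bit pool ceiling (high half) and next available RID (low half) is the documented layout described in Managing RID Issuance, and the ceiling above 0x3FFFFFFF indicates the one-bit emergency increase has already been used. The ActiveDirectory RSAT module is assumed.

```powershell
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain

    # Read from the RID master itself so the value is authoritative, not a replica's copy.
    $ridManagerDn = 'CN=RID Manager$,CN=System,' + $d.DistinguishedName
    $ridManager   = Get-ADObject -Identity $ridManagerDn -Properties rIDAvailablePool -Server $d.RIDMaster

    # High 32 bits: highest RID that can ever be issued in this domain (the pool ceiling).
    # Low 32 bits: next RID the RID master will hand out to a DC's local pool.
    $pool    = [int64]$ridManager.rIDAvailablePool
    $ceiling = $pool -shr 32
    $next    = $pool -band 0xFFFFFFFF

    [pscustomobject]@{
        Domain        = $d.DNSRoot
        RIDMaster     = $d.RIDMaster
        NextRid       = $next
        PoolCeiling   = $ceiling
        PercentUsed   = [math]::Round(100 * $next / $ceiling, 2)
        Remaining     = $ceiling - $next
        # The default 30-bit pool ends at 0x3FFFFFFF; a larger ceiling means the
        # Windows Server 2012 one-bit increase has been applied.
        OneBitUnlocked = ($ceiling -gt 0x3FFFFFFF)
    }
}

# Get-RidPoolStatus                       # current domain
# Get-RidPoolStatus -Domain 'child.corp.example.com'   # constructed domain name
```

A domain that shows a high PercentUsed with OneBitUnlocked still False has one emergency extension left; treating the percentage as a monitored metric is what the new quota events in Windows Server 2012 are meant to support.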

Virtualizing domain controllers

Improvements in AD DS beginning in Windows Server 2012 enable safer virtualization of domain controllers and the ability to clone domain controllers. Cloning domain controllers in turn enables rapid deployment of additional domain controllers in a new domain and other benefits. For more information, see Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100).

Administration of Windows Server 2012 servers

Use the Remote Server Administration Tools for Windows 8 to manage domain controllers and other servers that run Windows Server 2012. You can run the Windows Server 2012 Remote Server Administration Tools on a computer that runs Windows 8.

Application compatibility


The following table covers common Active Directory-integrated Microsoft applications. For each product it lists which versions of Windows Server the application can be installed on and whether introducing Windows Server 2012 DCs affects application compatibility.

Product: Microsoft Configuration Manager 2007
Notes: Configuration Manager 2007 with SP2 (includes Configuration Manager 2007 R2 and Configuration Manager 2007 R3) supports the following as clients: Windows 8 Pro, Windows 8 Enterprise, Windows Server 2012 Standard, Windows Server 2012 Datacenter. Note: though these are fully supported as clients, there is no plan to add support for deploying them as operating systems by using the Configuration Manager 2007 operating system deployment feature. Also, no site servers or site systems are supported on any SKU of Windows Server 2012.

Product: Microsoft SharePoint 2007
Notes: Microsoft Office SharePoint Server 2007 is not supported for installation on Windows Server 2012.

Product: Microsoft SharePoint 2010
Notes: SharePoint 2010 Service Pack 2 is required to install and operate SharePoint 2010 on Windows Server 2012 servers. SharePoint 2010 Foundation Service Pack 2 is required to install and operate SharePoint 2010 Foundation on Windows Server 2012 servers. The SharePoint Server 2010 (without service packs) installation fails on Windows Server 2012: the prerequisite installer (PrerequisiteInstaller.exe) fails with the error “This program has compatibility issues”, and clicking “Run the program without getting help” displays the error “Verifying if SharePoint can be installed | SharePoint Server 2010 (without service packs) cannot be installed on Windows Server 2012.”

Product: Microsoft SharePoint 2013
Notes: The minimum requirements for a database server in a farm, for a single server with built-in database, and for front-end web servers and application servers in a farm are the same: the 64-bit edition of Windows Server 2008 R2 Service Pack 1 (SP1) Standard, Enterprise, or Datacenter, or the 64-bit edition of Windows Server 2012 Standard or Datacenter.

Product: Microsoft System Center Configuration Manager 2012
Notes: System Center 2012 Configuration Manager Service Pack 1 adds the following operating systems to the client support matrix: Windows 8 Pro, Windows 8 Enterprise, Windows Server 2012 Standard, Windows Server 2012 Datacenter. All site server roles (including site servers, SMS providers, and management points) can be deployed to servers running Windows Server 2012 Standard or Windows Server 2012 Datacenter.

Product: Microsoft Lync Server 2013
Notes: Lync Server 2013 requires Windows Server 2008 R2 or Windows Server 2012. It cannot be run on a Server Core installation. It can be run on virtual servers.

Product: Lync Server 2010
Notes: Lync Server 2010 can be installed on a new (not upgraded) installation of Windows Server 2012 if the October 2012 cumulative updates for Lync Server are installed. Upgrading the operating system to Windows Server 2012 for an existing installation of Lync Server 2010 is not supported. Microsoft Lync Server 2010 Group Chat Server is also not supported on Windows Server 2012.

Product: System Center 2012 Endpoint Protection
Notes: System Center 2012 Endpoint Protection Service Pack 1 updates the client support matrix to include Windows 8 Pro, Windows 8 Enterprise, Windows Server 2012 Standard, and Windows Server 2012 Datacenter.

Product: System Center 2012 Forefront Endpoint Protection
Notes: FEP 2010 with Update Rollup 1 updates the client support matrix to include Windows 8 Pro, Windows 8 Enterprise, Windows Server 2012 Standard, and Windows Server 2012 Datacenter.

Product: Forefront Threat Management Gateway (TMG)
Notes: TMG is supported to run only on Windows Server 2008 and Windows Server 2008 R2. For more information, see System requirements for Forefront TMG.

Product: Windows Server Update Services
Notes: This release of WSUS already supports Windows 8-based computers and Windows Server 2012-based computers as clients.

Product: Windows Server Update Services 3.0
Notes: Update KB article 2734608 lets servers that are running Windows Server Update Services (WSUS) 3.0 SP2 provide updates to computers that are running Windows 8 or Windows Server 2012. Note: customers with standalone WSUS 3.0 SP2 environments, or System Center Configuration Manager 2007 Service Pack 2 environments with WSUS 3.0 SP2, require 2734608 to properly manage Windows 8-based computers or Windows Server 2012-based computers as clients.

Product: Exchange 2013
Notes: Windows Server 2012 Standard and Datacenter are supported for the following roles: schema master, global catalog server, domain controller, and the Mailbox and Client Access server roles. Forest functional level: Windows Server 2003 or higher. Source: Exchange 2013 System Requirements.

Product: Exchange 2010
Notes: Exchange 2010 with Service Pack 3 can be installed on Windows Server 2012 member servers. Exchange 2010 System Requirements lists the latest supported schema master, global catalog and domain controller as Windows Server 2008 R2. Forest functional level: Windows Server 2003 or higher. Source: Exchange 2010 Service Pack 3.

Product: SQL Server 2012
Notes: SQL Server 2012 RTM is supported on Windows Server 2012. Source: KB 2681562.

Product: SQL Server 2008 R2
Notes: Requires SQL Server 2008 R2 with Service Pack 1 or later to install on Windows Server 2012. Source: KB 2681562.

Product: SQL Server 2008
Notes: Requires SQL Server 2008 with Service Pack 3 or later to install on Windows Server 2012. Source: KB 2681562.

Product: SQL Server 2005
Notes: Not supported to install on Windows Server 2012. Source: KB 2681562.

Known issues


The following table lists known issues related to AD DS installation. Each entry gives the KB article number and title, the technology area impacted, and a description of the issue.

2830145: SID S-1-18-1 and SID S-1-18-2 can’t be mapped on Windows 7 or Windows Server 2008 R2-based computers in a domain environment
  Area: AD DS Management/App compat
  Issue: Applications that map SID S-1-18-1 and SID S-1-18-2, which are new in Windows Server 2012, may fail because the SIDs cannot be resolved on Windows 7-based or Windows Server 2008 R2-based computers. To resolve this issue, install the hotfix on the Windows 7-based and Windows Server 2008 R2-based computers in the domain.

2737129: Group Policy preparation is not performed when you automatically prepare an existing domain for Windows Server 2012
  Area: AD DS Installation
  Issue: Adprep /domainprep /gpprep is not automatically run as part of installing the first DC that runs Windows Server 2012 in a domain. If it has never been run previously in the domain, it must be run manually.

2737416: Windows PowerShell-based domain controller deployment repeats warnings
  Area: AD DS Installation
  Issue: Warnings can appear during prerequisite validation and then reappear during the installation.

2737424: “Format of the specified domain name is invalid” error when you try to remove Active Directory Domain Services from a domain controller
  Area: AD DS Installation
  Issue: This error appears if you are removing the last DC in a domain where pre-created RODC accounts still exist. This affects Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008.

2737463: Domain controller does not start, c00002e2 error occurs, or “Choose an option” is displayed
  Area: AD DS Installation
  Issue: A DC does not start because an administrator used Dism.exe, Pkgmgr.exe, or Ocsetup.exe to remove the DirectoryServices-DomainController role.

2737516: IFM verification limitations in Windows Server 2012 Server Manager
  Area: AD DS Installation
  Issue: IFM verification can have limitations as explained in the KB article.

2737535: Install-AddsDomainController cmdlet returns parameter set error for RODC
  Area: AD DS Installation
  Issue: You can receive an error when you try to attach a server to an RODC account if you specify arguments that are already populated on the pre-created RODC account.

2737560: “Unable to perform Exchange schema conflict check” error, and prerequisites check fails
  Area: AD DS Installation
  Issue: The prerequisite check fails when you configure the first Windows Server 2012 DC in an existing domain because DCs are missing the SeServiceLogonRight for Network Service, or because the WMI or DCOM protocols are blocked.

2737797: AddsDeployment module with the -Whatif argument shows incorrect DNS results
  Area: AD DS Installation
  Issue: The -WhatIf parameter shows that the DNS server will not be installed, but it will be.

2737807: The Next button is not available on the Domain Controller Options page
  Area: AD DS Installation
  Issue: The Next button is disabled on the Domain Controller Options page because the IP address of the target DC does not map to an existing subnet or site, or because the DSRM password is not typed and confirmed correctly.

2737935: Active Directory installation stalls at the “Creating the NTDS settings object” stage
  Area: AD DS Installation
  Issue: The installation hangs because the local Administrator password matches the domain Administrator password, or because networking problems prevent critical replication from completing.

2738060: “Access is denied” error message when you create a child domain remotely by using Install-AddsDomain
  Area: AD DS Installation
  Issue: You receive the error when you run Install-ADDSDomain with the Invoke-Command cmdlet if the DNSDelegationCredential has a bad password.

2738697: “The server is not operational” domain controller configuration error when you configure a server by using Server Manager
  Area: AD DS Installation
  Issue: You receive this error when you try to install AD DS on a workgroup computer because NTLM authentication is disabled.

2738746: You receive access denied errors after you log on to a local administrator domain account
  Area: AD DS Installation
  Issue: When you log on using a local Administrator account rather than the built-in Administrator account and then create a new domain, the account is not added to the Domain Admins group.

2743345: “The system cannot find the file specified” Adprep /gpprep error, or tool crashes
  Area: AD DS Installation
  Issue: You receive this error when you run adprep /gpprep because the infrastructure master implements a disjoint namespace.

2743367: Adprep “not a valid Win32 application” error on Windows Server 2003, 64-bit version
  Area: AD DS Installation
  Issue: You receive this error because Windows Server 2012 Adprep cannot be run on Windows Server 2003.

2753560: ADMT 3.2 and PES 3.1 installation errors on Windows Server 2012
  Area: ADMT
  Issue: ADMT 3.2 cannot be installed on Windows Server 2012 by design.

2750857: DFS Replication diagnostic reports do not display correctly in Internet Explorer 10
  Area: DFS Replication
  Issue: The DFS Replication diagnostic report does not display correctly because of changes in Internet Explorer 10.

2741537: Remote Group Policy updates are visible to users
  Area: Group Policy
  Issue: This is due to scheduled tasks that run in the context of each user who is logged on. The Windows Task Scheduler design requires an interactive prompt in this scenario.

2741591: ADM files are not present in SYSVOL in the GPMC Infrastructure Status option
  Area: Group Policy
  Issue: GP replication can report “replication in progress” because GPMC Infrastructure Status does not follow customized filtering rules.

2737880: “The service cannot be started” error during AD DS configuration
  Area: Virtual DC cloning
  Issue: You receive this error while installing or removing AD DS, or while cloning, because the DS Role Server service is disabled.

2742836: Two DHCP leases are created for each domain controller when you use the VDC cloning feature
  Area: Virtual DC cloning
  Issue: This happens because the cloned domain controller received a lease before cloning and again when cloning was complete.

2742844: Domain controller cloning fails and the server restarts in DSRM in Windows Server 2012
  Area: Virtual DC cloning
  Issue: The cloned DC starts in DSRM because cloning failed for any of a variety of reasons listed in the KB article.

2742874: Domain controller cloning does not re-create all service principal names
  Area: Virtual DC cloning
  Issue: Some three-part SPNs are not recreated on the cloned DC because of a limitation of the domain rename process.

2742908: “No logon servers are available” error after cloning domain controller
  Area: Virtual DC cloning
  Issue: You receive this error when you try to log on after cloning a virtualized DC because cloning failed and the DC started in DSRM. Log on as .\administrator to troubleshoot the cloning failure.

2742916: Domain controller cloning fails with error 8610 in dcpromo.log
  Area: Virtual DC cloning
  Issue: Cloning fails because the PDC emulator has not performed inbound replication of the domain partition, likely because the role was transferred.

2742927: “Index was out of range” New-AdDcCloneConfig error
  Area: Virtual DC cloning
  Issue: You receive the error after you run the New-ADDCCloneConfigFile cmdlet while cloning virtual DCs, either because the cmdlet was not run from an elevated command prompt or because your access token does not contain the Administrators group.

2742959: Domain controller cloning fails with error 8437: “invalid parameter was specified for this replication operation”
  Area: Virtual DC cloning
  Issue: Cloning failed because an invalid clone name or a duplicate NetBIOS name was specified.

2742970: DC Cloning fails with no DSRM, duplicate source and clone computer
  Area: Virtual DC cloning
  Issue: The cloned virtual DC boots into Directory Services Repair Mode (DSRM) with the same name as the source DC because the DCCloneConfig.xml file was not created in the correct location, or because the source DC was rebooted before cloning.

2743278: Domain controller cloning error 0x80041005
  Area: Virtual DC cloning
  Issue: The cloned DC boots into DSRM because only one WINS server was specified. If any WINS server is specified, both the Preferred and Alternate WINS servers must be specified.

2745013: “Server is not operational” error message if you run New-AdDcCloneConfigFile in Windows Server 2012
  Area: Virtual DC cloning
  Issue: You receive this error after you run the New-ADDCCloneConfigFile cmdlet because the server cannot contact a global catalog server.

2747974: Domain controller cloning event 2224 provides incorrect guidance
  Area: Virtual DC cloning
  Issue: Event ID 2224 incorrectly states that managed service accounts must be removed before cloning. Standalone MSAs must be removed, but group MSAs do not block cloning.

2748266: You cannot unlock a BitLocker-encrypted drive after you upgrade to Windows 8
  Area: BitLocker
  Issue: You receive an “Application not found” error when you try to unlock a drive on a computer that was upgraded from Windows 7.

Step-by-Step Guide to Migrate from Exchange Server 2007 to Exchange Server 2013

Posted by Ajit Singh on 7 September 2015, 2:20 pm
Before planning your Exchange Server 2013 migration, make sure you are familiar with its features, such as virtualization, retention, modern public folders, managed availability, transport, unified messaging, EWS and Outlook Web App.
Because Exchange is critical to an organization's communication, the migration must be smooth and cause minimal or no interruption. In this blog we will see how to migrate all users and services from Exchange 2007 to Exchange 2013 and finally decommission the old Exchange 2007 server.
The high-level steps that we will take to carry out the migration are:

  1. Deploying Exchange 2013 as a new environment
  2. Configuring digital certificates for the new Exchange
  3. Configuring the namespace and virtual directories
  4. Offline Address Book (OAB) configuration
  5. Mail flow configuration
  6. Moving client access to Exchange 2013
  7. Moving mailboxes to Exchange 2013
  8. Moving public folders to Exchange 2013 and decommissioning the old Exchange server
1. Deploying Exchange 2013 as new environment
Active Directory Preparation
When you install Exchange Server, it stores the mailbox-enabled user attributes and the Exchange organization's configuration in Active Directory, so Active Directory must be duly prepared before you install Exchange 2013 in the organization. Three things need to be done before you deploy Exchange Server 2013 in the environment: (a) extend the Active Directory schema, (b) prepare Active Directory, and (c) prepare the Active Directory domains. To confirm that AD preparation completed correctly, verify that the rangeUpper attribute of the ms-Exch-Schema-Version-Pt schema object is set to the value documented for the Exchange 2013 build you are installing. After this, force AD replication so that every domain controller has the new schema before setup runs.
Exchange Server 2013 Installation
When you are ready to run Exchange Server setup, ensure the server is fully updated with the latest patches. To install the required Windows features, run Windows PowerShell as Administrator and paste the following command:
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
After the installation is complete, restart your server. After the reboot, download and install the Microsoft Unified Communications Managed API 4.0 Core Runtime (64-bit), the Microsoft Office 2010 Filter Pack (64-bit) and the Microsoft Office 2010 Filter Pack SP1 (64-bit).
2. Configuring Digital Certificates
Use as few certificates and host names as possible, since certificate providers charge based on the number of host names you add to a certificate. By default, Exchange comes with self-signed certificates, which clients do not trust; we will replace them with certificates issued for the names relevant to our case. The same names are used internally and externally (see the DNS configuration in section 6), so three names are needed:
mail.contoso.com: FQDN for most connections to Exchange, including Microsoft Outlook, Outlook Web App, Outlook Anywhere, the Offline Address Book, Exchange Web Services, POP3, IMAP4, SMTP, Exchange Control Panel, and ActiveSync.
autodiscover.contoso.com: FQDN used by clients that support Autodiscover, including Microsoft Office Outlook 2007 and later versions, Exchange ActiveSync and Exchange Web Services clients.
legacy.contoso.com: FQDN used by external and internal clients to reach the old server, i.e. Exchange Server 2007, during coexistence.
Next, create the certificate request: open the Exchange Management Shell (EMS) and run the New-ExchangeCertificate cmdlet with the three names above.
Once the request is created, get it signed by the appropriate certification authority (CA) and use the Import-ExchangeCertificate cmdlet to import the issued certificate.
Then configure Exchange Server 2013 to use the certificate for its services with the Enable-ExchangeCertificate cmdlet.
Please note that the Enable-ExchangeCertificate cmdlet cannot be used to enable a wildcard certificate for the POP and IMAP services, and it cannot be used to enable a certificate for federation.
Export the certificate with its private key and import it on the Exchange 2007 Client Access servers using the same steps, so that both versions present the same certificate during coexistence.
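The request, import, enable and export steps above, carried through for the three names in this guide. This is an added example, not code from the original post: EX2013-01 (new server), EX2007-01 (legacy Client Access server) and the \\EX2013-01\Certs share are assumed names, and it assumes the CA returns the issued certificate as a .cer file. A single SAN certificate covering exactly these names is preferred over a wildcard: it is the narrowest thing that works, and the post notes that a wildcard cannot be enabled for POP and IMAP with Enable-ExchangeCertificate.

```powershell
# Added example, not code from the original post. Run in the Exchange 2013 Management Shell on EX2013-01.
# Server names, share path and subject details are assumptions to replace with your own.
$Server = 'EX2013-01'
$Share  = '\\EX2013-01\Certs'

# 1. One request, three SANs. mail.contoso.com is the subject (CN); the other names ride as SANs.
#    PrivateKeyExportable is required because the same certificate is later moved to Exchange 2007.
$req = New-ExchangeCertificate -Server $Server -GenerateRequest -PrivateKeyExportable $true `
    -FriendlyName 'Contoso Exchange SAN' -KeySize 2048 `
    -SubjectName 'CN=mail.contoso.com,O=Contoso,C=US' `
    -DomainName mail.contoso.com, autodiscover.contoso.com, legacy.contoso.com
Set-Content -Path "$Share\mail_contoso_com.req" -Value $req
# ... submit mail_contoso_com.req to the CA and save the issued certificate as mail_contoso_com.cer ...

# 2. Import the issued certificate. The returned object carries the thumbprint used below; a status
#    other than Valid usually means the CA's intermediate certificate is missing on this server.
$cert = Import-ExchangeCertificate -Server $Server `
    -FileData ([byte[]](Get-Content -Path "$Share\mail_contoso_com.cer" -Encoding Byte -ReadCount 0))
if ($cert.Status -ne 'Valid') { throw "Certificate status is $($cert.Status); check the chain on $Server." }

# 3. Bind it to the services clients connect to. This replaces the self-signed certificate for IIS
#    (OWA, ECP, EWS, OAB, ActiveSync, Outlook Anywhere), SMTP, POP and IMAP. -Force skips the prompt
#    about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP -Force

# 4. Export it with the private key for the Exchange 2007 Client Access server. The PFX password is
#    read at run time rather than stored in the script; delete the PFX from the share once imported.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$pfx = Export-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $pfxPassword
Set-Content -Path "$Share\mail_contoso_com.pfx" -Value $pfx.FileData -Encoding Byte

# 5. On EX2007-01, in the Exchange 2007 Management Shell (its Import-ExchangeCertificate takes a path):
#    $c = Import-ExchangeCertificate -Path '\\EX2013-01\Certs\mail_contoso_com.pfx' -Password (Read-Host -AsSecureString 'PFX password')
#    Enable-ExchangeCertificate -Thumbprint $c.Thumbprint -Services IIS, SMTP, POP, IMAP
```

Because the Exchange 2007 CAS now serves legacy.contoso.com with the same certificate, clients that Exchange 2013 redirects to the legacy namespace see no certificate warning; the trade-off is that the private key lives on two servers, so the older one must be patched and hardened to the same standard until it is decommissioned.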
3. Configuring Name Space and Virtual Directories for Exchange Server
Follow the given steps to configure the Exchange Server 2013 virtual directories using EMS, setting the internal and external URLs to the mail.contoso.com namespace:
Exchange Control Panel
To configure the Exchange Control Panel (ECP) virtual directory properties, use the Set-EcpVirtualDirectory cmdlet.
Outlook Web App
To configure the Outlook Web App virtual directories, use the Set-OwaVirtualDirectory cmdlet.
Offline Address Book
To configure the offline address book virtual directory, use the Set-OABVirtualDirectory cmdlet.
ActiveSync
Use the Set-ActiveSyncVirtualDirectory cmdlet to configure the Microsoft Exchange ActiveSync settings on the specified virtual directory.
Web Services
To modify the Exchange Web Services virtual directory, use the Set-WebServicesVirtualDirectory cmdlet on the server running Exchange Server 2013.
AutoDiscover
To set properties on the specified Client Access server objects, including the Autodiscover service internal URI that domain-joined Outlook clients look up, use the Set-ClientAccessServer cmdlet.
Outlook Anywhere
To set properties on a computer running Microsoft Exchange Server 2013 that is enabled for Microsoft Outlook Anywhere, use the Set-OutlookAnywhere cmdlet.
4. Offline Address Book (OAB) configuration
In Exchange Server 2013, the offline address book is generated by the OABGen (Offline Address Book Generation) process, which runs on the Mailbox server.
Set the default OAB for each Exchange 2013 mailbox database by piping Get-MailboxDatabase into Set-MailboxDatabase.
5. Mail Flow Configurations on Exchange 2013
Receive Connector
Exchange 2013 setup creates the default receive connectors; create any additional connectors the new server needs (for example, for applications that relay through Exchange) with the New-ReceiveConnector cmdlet.
Send Connector
Now add the new Exchange server as a source server of the existing send connector with the Set-SendConnector cmdlet, so outbound mail can leave through Exchange 2013.
Transport Rules:
Transport rules are not migrated automatically from Exchange Server 2007 to 2013, so do the following to get the transport rules into Exchange Server 2013:
Use the Export-TransportRuleCollection cmdlet to export all transport rules from Exchange Server 2007.
Copy the exported transport rule file to a system that has Exchange Server 2013 installed.
Use the Import-TransportRuleCollection cmdlet to import the transport rules from the file into Exchange Server 2013.
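The mail-flow pieces of this section as one worked script, added here as an example and not taken from the original post. It assumes EX2007-01 and EX2013-01 are the servers, 10.0.1.10 and 10.0.1.11 are application servers that must relay through Exchange, "Outbound to Internet" is the name of the existing send connector, and C:\Migration is a folder reachable from both shells. The receive connector is the security-relevant part: a relay connector that grants anonymous submission without a tight RemoteIPRanges is an open relay.

```powershell
# Added example, not code from the original post. Server names, addresses and connector names are assumptions.

# --- Exchange 2013 shell: a relay connector for the application servers only ---
# Front End Transport listens on 25. A connector whose RemoteIPRanges is more specific than the default
# connector's wins for those source addresses only; everything else still hits the default connector.
$rc = New-ReceiveConnector -Name 'Relay from app servers' -Server 'EX2013-01' `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges '10.0.1.10', '10.0.1.11' -PermissionGroups AnonymousUsers

# AnonymousUsers by itself only allows submission to internal recipients. Relaying to external
# recipients needs this extended right, so it is granted only on this narrowly scoped connector.
$rc | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' | Out-Null

# --- Exchange 2013 shell: add the new server to the existing send connector ---
# @{Add=...} appends to the multivalued property; passing a plain list would replace the existing set.
Set-SendConnector -Identity 'Outbound to Internet' -SourceTransportServers @{Add = 'EX2013-01'}
Get-SendConnector -Identity 'Outbound to Internet' | Format-List Name, SourceTransportServers, AddressSpaces

# --- Exchange 2007 shell: export the rule collection (the 2007 cmdlet writes straight to a file) ---
#   Export-TransportRuleCollection -FileName 'C:\Migration\Rules2007.xml'

# --- Exchange 2013 shell: import. Read the file as bytes; reading it as text corrupts the import. ---
# Import-TransportRuleCollection replaces the Exchange 2013 rule collection, so review the 2007 export first.
$ruleBytes = [byte[]](Get-Content -Path 'C:\Migration\Rules2007.xml' -Encoding Byte -ReadCount 0)
Import-TransportRuleCollection -FileData $ruleBytes
Get-TransportRule | Format-Table Name, State, Priority -AutoSize
```

After the import, compare Get-TransportRule on the 2013 side against the 2007 export rule by rule; rules whose predicates or actions changed between versions come across but may need their conditions re-checked before the Exchange 2007 Hub Transport servers are removed.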
6. Moving Client Access to Exchange 2013
In the Exchange 2007 Management Shell, run the following cmdlets to move the Exchange 2007 virtual directories to the legacy.contoso.com namespace.
Outlook Web App
Use the Set-OwaVirtualDirectory cmdlet to modify the properties of the Outlook Web App virtual directories.
Offline Address Book
Use the Set-OABVirtualDirectory cmdlet to configure the offline address book virtual directory.
ActiveSync
Use the Set-ActiveSyncVirtualDirectory cmdlet to configure the Microsoft Exchange ActiveSync settings on the specified virtual directory.
Web Services
To modify the Exchange Web Services virtual directory, use the Set-WebServicesVirtualDirectory cmdlet on the server running Exchange Server 2007.
Unified Messaging
To modify an existing Exchange Unified Messaging virtual directory, run the Set-UMVirtualDirectory cmdlet.
Outlook Anywhere
To set the Microsoft Outlook Anywhere properties on Microsoft Exchange Server 2007, use the Set-OutlookAnywhere cmdlet.
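Sections 3 and 6 run the same set of Set-*VirtualDirectory cmdlets against two servers with two host names, so one helper serves both. The function below is an added example, not code from the original post: EX2013-01 and EX2007-01 are assumed names, the Exchange 2013 call runs in the 2013 shell and the Exchange 2007 call in the 2007 shell, and the authentication settings on the 2013 Outlook Anywhere call (Basic over TLS externally, NTLM internally) are a common choice, not something the post specifies.

```powershell
# Added example, not code from the original post. Server names and host names are assumptions.
function Set-ExchangeNamespace {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$HostName,
        [switch]$Exchange2007    # Exchange 2007 has no ECP but has a Unified Messaging virtual directory
    )
    $base = "https://$HostName"
    # Internal and external URLs are identical: one namespace is used inside and outside (split DNS),
    # and every URL set here must be a name on the certificate enabled on $Server.
    Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
    Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
    Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
    Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
    if ($Exchange2007) {
        Set-UMVirtualDirectory -Identity "$Server\UnifiedMessaging (Default Web Site)" -InternalUrl "$base/UnifiedMessaging/Service.asmx" -ExternalUrl "$base/UnifiedMessaging/Service.asmx"
        Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -ExternalHostname $HostName
    } else {
        Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
        Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -InternalHostname $HostName -ExternalHostname $HostName `
            -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
            -InternalClientAuthenticationMethod Ntlm -ExternalClientAuthenticationMethod Basic
    }
    # The Autodiscover SCP must point at the new autodiscover name on every CAS, old and new, so that
    # domain-joined Outlook clients are never sent to a server that does not answer for it.
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri 'https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml'
}

# Exchange 2013 shell (section 3):
Set-ExchangeNamespace -Server 'EX2013-01' -HostName 'mail.contoso.com'
# Exchange 2007 shell (section 6):
#   Set-ExchangeNamespace -Server 'EX2007-01' -HostName 'legacy.contoso.com' -Exchange2007

# Verify what clients will be told by the server you just changed.
foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-ActiveSyncVirtualDirectory', 'Get-WebServicesVirtualDirectory') {
    & $cmd -Server 'EX2013-01' | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
}
```

Run the 2007 call only after the DNS and TMG changes below are in place; the moment the 2007 URLs change, Exchange 2013 starts redirecting legacy mailboxes to legacy.contoso.com, and if that name does not resolve or is not published, those users lose OWA.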
Threat Management Gateway Rules
Now create and update your TMG publishing rules.
First update the existing rules that publish Exchange 2007 so they accept connections for the legacy namespace (legacy.contoso.com), then publish Exchange Server 2013 (mail.contoso.com and autodiscover.contoso.com) through TMG.
Domain Name System Configurations:
In the internal DNS, point mail.contoso.com and autodiscover.contoso.com to the Exchange 2013 server, and create a new record for legacy.contoso.com that points to the Exchange 2007 server. In the public DNS, point mail.contoso.com and autodiscover.contoso.com to the TMG listener, and create a new legacy.contoso.com record that also points to the TMG listener.
7. Moving Mailboxes to Exchange 2013
Next, use the New-MoveRequest cmdlet to start the mailbox or personal archive migration. To check mailbox readiness before starting to move mailboxes, run it with the WhatIf parameter. You can also create a batch of move requests if you want to move many mailboxes at once.
8. Moving Public Folders to Exchange 2013 and decommissioning old Exchange
To start with, take a snapshot of the current public folders in the Exchange Server 2007 EMS using the following cmdlets: Get-PublicFolder, Get-PublicFolderStatistics and Get-PublicFolderClientPermission.
Next, create the CSV files using the scripts Export-PublicFolderStatistics.ps1 and PublicFolderToMailboxMapGenerator.ps1. This gives you a CSV file mapping public folders to the new public folder mailboxes.
In Exchange 2013, create the public folder mailboxes using the New-Mailbox -PublicFolder cmdlet, then migrate the public folder content using the New-PublicFolderMigrationRequest cmdlet.
Before starting the final migration, lock down the public folders on Exchange Server 2007 and let the request complete using the following cmdlets. Users cannot access public folders from the moment of the lock until the migration is marked complete, so schedule this as downtime.
Set-OrganizationConfig -PublicFoldersLockedForMigration $True (in Exchange 2007)
Set-PublicFolderMigrationRequest <name> -PreventCompletion $False (in Exchange 2013)
Resume-PublicFolderMigrationRequest <name> (in Exchange 2013)
Test the new public folders to ensure everything is alright. Then use the following cmdlet to finish the public folder migration:
Set-OrganizationConfig -PublicFolderMigrationComplete:$true
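The public folder steps above, carried through end to end. This is an added example, not code from the original post: it assumes EX2007-01.contoso.com holds the legacy public folder database, EX2013-01 is the new Mailbox server, the two scripts are in the Exchange 2013 scripts folder ($exscripts), C:\PFMigration exists on EX2013-01, a 25 GB cap per public folder mailbox, and pilot.user is a test mailbox. Lines marked for the Exchange 2007 shell are commented because they must run on the old server.

```powershell
# Added example, not code from the original post. Run in the Exchange 2013 Management Shell unless a line says otherwise.
$Source = 'EX2007-01.contoso.com'   # assumption: legacy server holding the public folder database
$Work   = 'C:\PFMigration'          # assumption: working folder on EX2013-01

# 1. Snapshot the legacy hierarchy, statistics and permissions so the result can be compared later.
#    (Exchange 2007 shell, writing to the same folder path on the 2007 server)
#   Get-PublicFolder -Recurse | Export-CliXML "$Work\Legacy_PFStructure.xml"
#   Get-PublicFolderStatistics | Export-CliXML "$Work\Legacy_PFStatistics.xml"
#   Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Select-Object Identity, User -ExpandProperty AccessRights | Export-CliXML "$Work\Legacy_PFPerms.xml"

# 2. Size the folders, then map them onto public folder mailboxes no larger than 25 GB each.
Set-Location $exscripts
.\Export-PublicFolderStatistics.ps1 "$Work\PFSizeMap.csv" $Source
.\PublicFolderToMailboxMapGenerator.ps1 25GB "$Work\PFSizeMap.csv" "$Work\PFMailboxMap.csv"

# 3. Create the public folder mailboxes named in the map. The first one becomes the primary hierarchy
#    mailbox and is held for migration so users cannot see the half-built hierarchy.
$mailboxes = @(Import-Csv "$Work\PFMailboxMap.csv" | Select-Object -ExpandProperty TargetMailbox -Unique)
$first = $true
foreach ($name in $mailboxes) {
    New-Mailbox -PublicFolder -Name $name -HoldForMigration:$first | Out-Null
    $first = $false
}

# 4. Start the migration request and wait until it is AutoSuspended (everything but the final sync done).
New-PublicFolderMigrationRequest -SourceDatabase (Get-PublicFolderDatabase -Server 'EX2007-01') `
    -CSVData (Get-Content "$Work\PFMailboxMap.csv" -Encoding Byte) | Out-Null
do {
    Start-Sleep -Seconds 60
    $stats = Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics
} while ($stats.Status -notin 'AutoSuspended', 'Failed', 'Completed')
if ($stats.Status -eq 'Failed') {
    Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport | Format-List
    throw 'Public folder migration failed; see the report above.'
}

# 5. Downtime begins. Lock the legacy folders (Exchange 2007 shell), wait for the change to replicate,
#    then let the request finish. \PublicFolderMigration is the request's default name.
#   Set-OrganizationConfig -PublicFoldersLockedForMigration:$true
Set-PublicFolderMigrationRequest -Identity \PublicFolderMigration -PreventCompletion:$false
Resume-PublicFolderMigrationRequest -Identity \PublicFolderMigration

# 6. Test with one pilot user before exposing the new folders to everyone.
Set-Mailbox -Identity 'pilot.user' -DefaultPublicFolderMailbox $mailboxes[0]
# ... verify in Outlook or OWA as pilot.user, then unlock for all users:
Set-OrganizationConfig -PublicFolderMigrationComplete:$true

# 7. Compare item counts against the snapshot from step 1 (copy Legacy_PFStatistics.xml to $Work first).
$legacyItems = (Import-CliXml "$Work\Legacy_PFStatistics.xml" | Measure-Object ItemCount -Sum).Sum
$newItems    = (Get-PublicFolderStatistics | Measure-Object ItemCount -Sum).Sum
"Legacy items: $legacyItems  New items: $newItems"
```

If the counts differ, diff the permission snapshot as well before decommissioning: permissions that did not carry over are a common reason users report "missing" folders they can no longer see.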
Decommissioning Exchange Server 2007
Open the Exchange Server 2007 Management Shell and run the following command to remove the mailbox databases. It is scoped to the Exchange 2007 server so that the pipeline cannot touch databases belonging to any other server:
Get-MailboxDatabase -Server <Exchange 2007 server> | Remove-MailboxDatabase
Remove the public folder database, and then, in a command prompt, run the following command to uninstall Exchange:
Setup.com /mode:uninstall
Thus we complete the entire Exchange Server 2007 to 2013 migration process.

Migrating Domain Controllers From Server 2008 R2 to Server 2012 R2

In this article, I have documented the steps I took to update our two domain controllers to Server 2012 R2 from Server 2008 R2. While this can be considered a tutorial, it is more a reflection of what I did during my migration process. This guide assumes you have already made backups of your environment, all Windows Active Directory domain controllers in the forest are running Server 2003 or later, and we will be recycling (reusing) the same two servers already deployed. Last, Microsoft strongly recommends we do a clean install and not directly upgrade each server, so we will decommission a DC, reinstall Windows, and then redeploy the DC until the entire environment has been upgraded.

  1. Prepare the AD Schema for Server 2012 R2
  2. Mount the Server 2012 R2 installation disk on one of your Domain Controllers
  3. Open up a command prompt with Administrative Privileges and navigate to the /support/adprep folder on the installation media.
  4. Click Start, type cmd, right click select Run as administrator
  5. Execute the command: d:
  6. Execute the command: cd d:\support\adprep
  7. Execute the following command (don’t close out of this until after we verify the schema version in an upcoming step):
  8. adprep /forestprep
  9. Type the letter C and press the enter key to begin the process
  10. Execute the following command:
  11. adprep /domainprep

  12. Verify the schema version has been updated
  13. Open up regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters
  14. Verify the Schema Version value matches the last entry shown in your upgrade results. In my case, the Schema Version should be 69.
  15. Demote and decommission secondary domain controller
  16. Click Start, Run… Type dcpromo and click OK
  17. Click Next > on the Welcome page
  18. If the domain controller has the global catalog service, make sure your primary DC also has the service enabled and click OK. This can be done by opening up Active Directory Sites and Services and viewing the services for each domain controller.
  19. Make sure the Delete this domain because this server is the last domain controller in the domain is UNCHECKED, and click Next > Type in a new password to be used for the Local Administrator account the machine will contain after it is demoted.
  20. Click Next > on the Summary page
  21. Check the Reboot on completion box to restart the server after the service has been removed
  22. Log back into the DC upon reboot and open up Server Manager

  23. In Roles Summary, click Remove Roles

  24. Click Next > on the Before You Begin page

  25. Uncheck Active Directory Domain Services and DNS Server (if the role is installed) and click Next >

  26. Click Remove

  27. Click Close Select Yes on the Do you want to restart now? dialog box
  28. Log back into the DC upon reboot and you should greeted by a Removal Results window. Let the process finish and select Close upon removal success.
  29. Disjoin the machine from the domain
  30. Click Start, right click Computer, select Properties Click Change settings

  31. Click Change… on the System Properties page Check Workgroup, type in a workgroup name, and click OK

  32. Click OK on the warning dialog
  33. Click OK on the Welcome to the workgroup dialog Click OK on the restart dialog
  34. Click Close on the System Properties window (oops, forgot to make a screenshot!)
  35. Click Restart Later on the Microsoft Windows dialog box
  36. Shutdown the machine
  37. Format the decommissioned machine, reinstall a clean copy of Server 2012 R2, and join the machine to the domain.
  38. Add first Server 2012 R2 Domain Controller
  39. At this point, you should have one Server 2008 R2 Domain Controller and a blank Server 2012 R2 machine joined to the domain ready for the Active Directory services. If you are at this point, continue on, if not, you might want to read back a couple steps and see where things ventured off course.
  40. Start Server Manager on your new Server 2012 R2 machine.
  41. Select Manage in the top right and select Add Roles and Features

  42. Click Next > on the Before you begin screen
  43. Click Next > on the Select installation type screen Ensure your new server is selected and click Next >

  44. Check the box next to Active Directory Domain Services

  45. On the Add features that are required for Active Directory Domain Services? dialog, click the Add Features button Click Next >

  46. Click Next >

  47. Check the box that says Restart the destination server automatically if required (Click Yes on the restart dialog if it pops up)
  48. Click the Install button
  49. Once the install is done, click the Close button
  50. Next, head back to the Server Manager screen and select the warning icon with the flag; then select Promote this server to a domain controller.

  51. On the Deployment Configuration page, make sure Add a domain controller to an existing domain is checked and hit Next >

  52. Check Domain Name System (DNS) server, Check Global Catalog (GC), and uncheck Read only domain controller (RODC). Enter a strong password to be used to access Directory Services Restore Mode and click Next >

  53. Click Next > on the DNS Options page
  54. Click Next > on the Additional Options page, or if you would like, you can manually select a domain controller to replicate data from and then hit Next >.
  55. Click Next > on the Paths page
  56. Click Next > on the Review Options page
  57. Click Install on the Prerequisites Check page
  58. Once the domain controller reboots after installation, open up Server Manager and select Tools, Active Directory Users and Computers

  59. Expand your Domain and select Domain Controllers; ensure your new machine shows up here.
  60. Next, verify DNS works properly
  61. Go back to Server Manager, select Tools, DNS

  62. Expand your server, Forward Lookup Zones, and right click on your domain name and select Properties

  63. Select the Name Servers tab and ensure all DCs are listed
  64. Next, we need to verify the FSMO (Flexible Single Master Operations) roles are stored on our other server 2008 DC
  65. On the new Server 2012 R2 DC we joined, open up a command prompt with administrative privileges.
  66. Execute the following command to verify FSMO roles are on our 2008 DC: netdom query fsmo

  67. Next, we need to transfer the FSMO roles from our primary DC to our new one. The account you use must be a member of Domain Admins for the PDC emulator, RID master and infrastructure master roles, Enterprise Admins for the domain naming master, and Schema Admins for the schema master; otherwise the corresponding transfer fails with an access-denied error.
  68. Execute the following command using the same command prompt as in the previous steps: ntdsutil
  69. Type roles at the ntdsutil: prompt and hit enter
  70. Type connections and hit enter
  71. Type connect to server server2012DC.mydomain.com, where server2012DC.mydomain.com is the FQDN of the new DC we just deployed, and hit enter. The roles are transferred to whichever server you connect to here, so double-check the name.
  72. Type quit and hit enter to return to the fsmo maintenance: prompt
  73. Type transfer schema master and hit enter
  74. Click Yes on the Role Transfer Confirmation Dialog for the Schema Master role
  75. Type transfer naming master and hit enter
  76. Click Yes on the Role Transfer Confirmation Dialog for the Domain Naming Master role
  77. Type transfer pdc and hit enter
  78. Click Yes on the Role Transfer Confirmation Dialog for the PDC Emulator role
  79. Type transfer rid master and hit enter
  80. Click Yes on the Role Transfer Confirmation Dialog for the RID Master role
  81. Type transfer infrastructure master and hit enter
  82. Click Yes on the Role Transfer Confirmation Dialog for the Infrastructure Master role
  83. Type quit and hit enter
  84. Type quit again and hit enter to leave ntdsutil
  85. Execute the following command to ensure all five FSMO roles are now on the new Server 2012 R2 machine: netdom query fsmo

  86. At this point you should have a Server 2012 R2 DC holding the FSMO roles and the old 2008 R2 DC now acting as a secondary domain controller. If not, go back and complete the steps to get to this point. Transfer (rather than seize) is the right tool here because the old holder is still online; seizing is only for a role holder that is permanently gone.
  87. Optional step: the PDC emulator is the domain's authoritative time source, so after upgrading the first DC you may want to reconfigure the machine to keep its time in sync with an external source. To do this, please follow my guide here:
  88. Next, decommission the last Server 2008 R2 domain controller, the one that used to function as the primary DC. Before demoting it, confirm replication has converged (repadmin /showrepl and dcdiag on the new DC report no errors) and that the new DC is a global catalog; it will be the only DC in the domain for a while.
  89. Follow the same instructions in Step 2 above called Demote and decommission secondary domain controller
  90. Next, add the machine back to the domain
  91. Follow the same instructions in Step 3 above called Add first Server 2012 R2 Domain Controller
  92. At this point, your environment should be up and running with Windows Server 2012 R2! You can optionally transfer the FSMO roles back to your “primary” DC that you had before, or leave the roles on the current DC.

Official information on removing a domain controller from the domain can be found on Microsoft’s website here: http://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx
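The same transfer, done from PowerShell with the ActiveDirectory module instead of the interactive ntdsutil session above. This is an added example and not part of the original guide; it assumes the new DC is server2012DC.mydomain.com (the placeholder name the guide uses), that it runs in an elevated PowerShell on that DC, and that the account holds the Domain Admins, Enterprise Admins and Schema Admins memberships listed in step 67. Unlike ntdsutil, the script refuses to move roles while replication to the new DC is reporting errors and fails loudly if any role did not land where expected.

```powershell
# Added example (not from the original guide): verify, transfer and re-verify
# all five FSMO roles using the ActiveDirectory module.
# Assumption: the new DC's FQDN is server2012DC.mydomain.com (placeholder).
Import-Module ActiveDirectory

$newDc = 'server2012DC.mydomain.com'

function Get-FsmoHolders {
    # Role -> current holder (FQDN) for the forest-wide and domain-wide roles.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'FSMO holders before transfer:'
Get-FsmoHolders | Format-Table -AutoSize

# Do not move roles onto a DC that has not finished replicating; a role holder
# missing recent objects (RID pool state, schema changes) causes trouble later.
$replErrors = repadmin /showrepl $newDc /errorsonly
if ($LASTEXITCODE -ne 0 -or ($replErrors -match 'error|fail')) {
    throw "Replication to $newDc is not healthy:`n$($replErrors -join "`n")"
}

# Transfer, not seize: this contacts the current holder of each role and fails
# cleanly if the old DC is unreachable. -Force (a seize) is only for a holder
# that is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

'FSMO holders after transfer:'
$after = Get-FsmoHolders
$after | Format-Table -AutoSize

# Every role must now report the new DC; anything else is a failed transfer.
$stragglers = $after.GetEnumerator() | Where-Object { $_.Value -ne $newDc }
if ($stragglers) {
    $list = ($stragglers | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    throw "Roles still held elsewhere: $list"
}

# Independent confirmation with the tool the guide itself uses.
netdom query fsmo
```

Run it once before demoting the 2008 R2 DC; if the replication check throws, fix replication first rather than forcing the move.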
Notes

Recover from windows.old folder

To resolve this issue, follow the steps listed below to restore your computer back to a previous version of Windows using the Windows.OLD folder.

TIP: You may find it easier to follow the steps if you print this article first.

Step 1: Determine whether there is a Windows.old folder and whether there is sufficient free space on the Windows hard disk

  1. Click Start Start button , and then click Computer.
  2. On the View menu, click Details.
  3. In the Free Space column, note how much space is available for Local Disk (C:) under the Hard Disk Drives area.
  4. In the Hard Disk Drives area, double-click Local Disk (C:), and then determine whether the Windows.old folder exists.

Important If the Windows.old folder does not exist, you cannot follow the steps in this article to restore the previous Windows installation to this computer. You must back up and restore, or transfer, your files to the previous operating system.

  5. Right-click the Windows.old folder, and then click Properties.
  6. Windows 7 will determine the size of the folder after several seconds.

Determine whether the Windows.old folder is smaller than the free space available for Local Disk (C:) that you noted in item 3 of Step 1.

Note If the Windows.old folder is two times as large as the free space that is available for the Local Disk (C:) entry, you may be unable to restore the previous Windows installation.

Step 2: Start the Windows Recovery Environment

  1. Put the Windows 7 installation disc in the DVD drive, and then restart the computer.
  2. Press a key when you are prompted to restart from the disc.
  3. In the Install Windows window, select a language, a time, a currency, a keyboard input method or other input method, and then click Next.
  4. In the Install Windows window, click Repair your computer.
  5. In the System Recovery Options window, click the version of the Windows 7 operating system that you want to repair, and then click Next.
  6. In the System Recovery Options window, click Command Prompt.

The Command Prompt window opens, and it displays the command prompt. The command prompt is where you will type the commands that are described in the following steps.

Step 3: Move the Windows 7 folders to a new Win7 folder

Note When you type one or more of the commands at the command prompt in the following steps and press ENTER, you may receive the following message:

The system cannot find the file specified.

If you receive this message, go to the next step in this section, and then type the command in that next step.

Type the following commands and press ENTER after each command:

C:

Md Win7

Move Windows Win7\Windows

Move “Program Files” “Win7\Program Files”

Move Users Win7\Users

Attrib -h -s -r ProgramData

Move ProgramData Win7\ProgramData

Rd “Documents and Settings”

Step 4: Copy the contents or move the contents of the Windows.old folder

Note When you type one or more of the commands at the command prompt in the following steps and press ENTER, you may receive the following message:

The system cannot find the file specified.

If you receive this message, go to the next step in this section, and then type the command in the next step.

Type the following commands and press ENTER after each command:

move /y c:\Windows.old\Windows c:\

move /y "c:\Windows.old\Program Files" c:\

move /y c:\Windows.old\ProgramData c:\

move /y c:\Windows.old\Users c:\

move /y “c:\Windows.old\Documents and Settings” c:\

Step 5: Restore the boot sector for the previous Windows installation

Type one of the following commands at the command prompt, as appropriate for your situation.

Note In the following commands, D: represents the DVD drive. If the DVD drive on the computer is represented by a different letter, such as E:, use that letter in the command.

  • When the previous Windows installation was Windows Server 2003, Windows XP, or Microsoft Windows 2000, type the following command, and then press ENTER:
    D:\boot\bootsect /nt52 c:
  • When the previous Windows installation was Windows Vista, type the following command, and then press ENTER:
    D:\boot\bootsect /nt60 c:

Step 6: Restore the Boot.ini file for the previous Windows installation of Windows XP or of Windows 2000

Note Follow these steps only when the previous installation is Windows XP or Windows 2000.

Type the following commands and press ENTER after each command:

Attrib -h -s -r boot.ini.saved

Copy boot.ini.saved boot.ini

Step 7: Close the Command Prompt window, and then click Restart

  1. Type the following command at the command prompt, and then press ENTER:
    exit
  2. Click Restart to restart your computer.

How to fix a USN Rollback condition

a USN Rollback condition that had been caused by some virtualization work.  There has been some discussion in the comments in that post about what to do when you have a single domain controller that thinks it is in a USN Rollback condition (eg has disabled outbound replication and paused the Net Logon service).

First, demote all but one DC (by force if necessary, and it most likely will be necessary). Then, on the last remaining DC, launch Active Directory Users and Computers, go to Domain Controllers and delete the other DCs' computer objects; on Windows Server 2008 and later this also performs the metadata cleanup for them. At that point the FSMO roles end up on the last DC; confirm with netdom query fsmo and seize any that did not (ntdsutil, roles, seize ...).

Logic would suggest that once a DC knows it is the only DC in the Forest that it would shake off the USN Rollback blues and start humming away normally again.  Not the case unfortunately.

Apparently this fix is quite dangerous and not for the faint of heart.  My heart is not the least bit faint, particularly when it comes to my VMWare test environment, so I didn’t mind testing this out.  At the very least you should make sure you have a backup of the server you can go back to if this doesn’t work.

To get a single domain controller out of USN Rollback:

  1. Open Regedit
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. Locate the value “Dsa Not Writable”=dword:00000004 in that key (it is a REG_DWORD value, not a subkey)
  4. Delete only that value. Do not delete the Parameters key itself: it holds the database and log paths and the other settings the NTDS service needs in order to start.
  5. Enable replication by running repadmin /options servername -DISABLE_OUTBOUND_REPL and repadmin /options servername -DISABLE_INBOUND_REPL (the leading minus clears the option; a plus would set it)
  6. Reboot

Once your domain controller has rebooted you should find that NetLogon is running again and repadmin /options no longer shows replication as being disabled.
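The same recovery scripted, with the checks a practitioner would want around it. This is an added example and not code from the original post; it assumes it runs in an elevated PowerShell on the last remaining DC, only after the other DCs have been demoted and their objects cleaned up, and with a tested backup in hand, exactly as the post warns. It records the quarantine state (registry value, repadmin options, Net Logon status, Directory Service events 2095/2103) before touching anything, refuses to proceed if any other DC is still registered in the domain, deletes only the Dsa Not Writable value, clears the replication options and leaves the reboot to you.

```powershell
# Added example (not from the original post): inspect and clear the USN-rollback
# quarantine on a single, last-remaining DC. Assumes elevated PowerShell on that DC.
Import-Module ActiveDirectory

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dc     = $env:COMPUTERNAME

function Get-UsnRollbackState {
    # One object summarising everything the quarantine touches.
    $props = Get-ItemProperty -Path $params
    $opts  = (repadmin /options $dc) -join ' '
    [pscustomobject]@{
        DsaNotWritable       = $props.'Dsa Not Writable'          # 4 while in USN rollback, absent when healthy
        OutboundReplDisabled = [bool]($opts -match 'DISABLE_OUTBOUND_REPL')
        InboundReplDisabled  = [bool]($opts -match 'DISABLE_INBOUND_REPL')
        NetLogonStatus       = (Get-Service Netlogon).Status      # 'Paused' while quarantined
        RollbackEvents       = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
                                   -MaxEvents 5 -ErrorAction SilentlyContinue).Count
    }
}

function Clear-UsnRollbackQuarantine {
    # This shortcut is only defensible when no replication partner exists. If other
    # DCs are still registered, stop: they need a restore or forced demotion instead.
    $others = @(Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $dc })
    if ($others.Count -gt 0) {
        throw "Other DCs still registered ($($others.HostName -join ', ')); do not use this procedure."
    }

    $state = Get-UsnRollbackState
    if ($null -ne $state.DsaNotWritable) {
        # Delete the value only; the Parameters key itself must stay.
        Remove-ItemProperty -Path $params -Name 'Dsa Not Writable'
    }

    # Leading '-' clears the option ('+' would set it).
    repadmin /options $dc -DISABLE_OUTBOUND_REPL | Out-Null
    repadmin /options $dc -DISABLE_INBOUND_REPL  | Out-Null
}

'State before:'
Get-UsnRollbackState | Format-List

Clear-UsnRollbackQuarantine
Restart-Computer -Confirm

# After the reboot, run Get-UsnRollbackState again: DsaNotWritable should be empty,
# both *ReplDisabled flags False and NetLogonStatus Running. If Net Logon is still
# Paused, resume it with: Resume-Service Netlogon
```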

Disk drive shows up in Device Manager but not in Disk Management or diskpart

Drive used to be part of a storage pool

Cannot delete a storage pool because it is read-only

with PowerShell. Get the name of the storage pool, also known as the friendly name, for example Pool1. Then run:

Get-StoragePool -FriendlyName "Pool1" | Set-StoragePool -IsReadOnly $false

Then, if you are sure, you can delete the storage pool, which frees the disks for reuse:

Get-StoragePool -FriendlyName "Pool1" | Remove-StoragePool

Remove-StoragePool fails while the pool still contains virtual disks (spaces); remove those with Remove-VirtualDisk first. Once the pool is gone, the physical disks show up again in Disk Management and diskpart as unallocated disks.
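The full cleanup as one script, an added example rather than code from the original note. It assumes the pool's friendly name is Pool1 (the name the note uses) and that it runs in an elevated PowerShell on the server that sees the disks. Beyond the two commands above it lists the virtual disks that are about to be destroyed, remembers the member disks before the pool object goes stale, and verifies that each disk actually came back as poolable, clearing leftover pool metadata with Reset-PhysicalDisk where it did not.

```powershell
# Added example (not from the original note): reclaim disks from a stale,
# read-only storage pool. Assumption: the pool's friendly name is Pool1.
$poolName = 'Pool1'

$pool = Get-StoragePool -FriendlyName $poolName -ErrorAction Stop
$pool | Select-Object FriendlyName, HealthStatus, OperationalStatus, IsReadOnly

# A pool whose disks came from another machine or a previous install is
# mounted read-only; flip that first.
if ($pool.IsReadOnly) {
    $pool | Set-StoragePool -IsReadOnly $false
}

# Remove-StoragePool refuses while virtual disks (spaces) still exist in the pool.
# Show them before deleting so it is obvious which volumes are being destroyed.
$vdisks = @($pool | Get-VirtualDisk)
if ($vdisks.Count -gt 0) {
    $vdisks | Format-Table FriendlyName, Size, OperationalStatus -AutoSize
    $vdisks | Remove-VirtualDisk      # prompts for each one; answer No to abort
}

# Remember the member disks now; $pool is stale once the pool is removed.
$members = @($pool | Get-PhysicalDisk)
$pool | Remove-StoragePool

# Verify rather than assume: the disks should now report CanPool = True and be
# visible to Disk Management / diskpart again.
$released = Get-PhysicalDisk | Where-Object { $members.UniqueId -contains $_.UniqueId }
$released | Select-Object FriendlyName, Size, CanPool, OperationalStatus

# A disk still reporting CanPool = False carries leftover pool metadata;
# Reset-PhysicalDisk clears it (this erases the disk's pool configuration).
$released | Where-Object { -not $_.CanPool } | Reset-PhysicalDisk
```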