Tag Archives: domain

Update Domain Controller to Windows Server 2016/2019 and move FSMO roles to new domain controller

I’m still using Windows 2012 R2 as my home lab’s domain controller. Now that MS has released Windows Server 2019, I think it’s time to upgrade my test lab to Windows Server 2019.
The first server I want to upgrade is my domain controller.

Even though you can mount the ISO and run setup.exe to “upgrade” a domain controller to Windows 2016/2019, after a test I found that this kind of “upgrade” is actually a fresh installation… If you upgrade your DC this way, you will find after the reboot that your DC is gone… You will only have a standalone server running Windows 2016/2019 that sits in a workgroup… I don’t know why MS lets people “upgrade” this way without showing any warning message at all…

So how do you upgrade a DC to Windows 2016/2019 the right way?

The right way is to build a new server, promote it to a domain controller, and then move all FSMO roles to it.

1. Install a new Windows 2016/2019 server.
2. Install “Active Directory Domain Services” on the server.
3. Promote the server to a domain controller. Make sure you also install the DNS service on it.
4. Reboot the server.
5. Once the server is up and running, open Server Manager, then open “Active Directory Module for Windows PowerShell”.
6. Run the command below (0 to 4 are the five roles: PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster and DomainNamingMaster):

Move-ADDirectoryServerOperationMasterRole -Identity "DC2019" -OperationMasterRole 0,1,2,3,4

Press Y to move all FSMO roles to this server.
7. Run the commands below to make sure all FSMO roles have been migrated to the new domain controller:

Get-ADDomain
Get-ADForest

8. Demote the old domain controller, remove it from the domain, and then shut it down.
9. Change the new DC’s IP address to the old one. Then run the commands below to make sure all DNS records are updated and there are no errors:

ipconfig /registerdns
dcdiag /fix
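The whole role move from steps 6 and 7 as one script, added here as an example and not part of the original post. It assumes the ActiveDirectory module is loaded and the session runs with Domain Admin and Enterprise Admin rights on the new DC; "DC2019" is the post's example name for the new DC. It records the role holders before and after the transfer so you can see exactly what changed, and the verification compares against the new DC's FQDN because Get-ADDomain and Get-ADForest report holders as FQDNs.

```powershell
# Added example (not from the original post): transfer all five FSMO roles to the
# new DC and verify the result. Assumes the ActiveDirectory module is available and
# the session runs with Domain Admin + Enterprise Admin rights on the new DC.
# "DC2019" is the post's example name for the new DC; replace it with yours.
$NewDC = "DC2019"

function Get-FsmoHolders {
    # Returns an ordered map of role name -> current holder (FQDN).
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

"Role holders before the transfer:"
(Get-FsmoHolders).GetEnumerator() | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }

# Transfer (not seize) the roles. The old DC must still be reachable for a transfer;
# seizing is only for a DC that is permanently gone. The role names below are the
# same five roles the post addresses as 0,1,2,3,4. -Confirm:$false skips the Y prompt.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster `
    -Confirm:$false

# Verify every role now points at the new DC's FQDN.
$newFqdn  = (Get-ADDomainController -Identity $NewDC).HostName
$holders  = Get-FsmoHolders
$notMoved = $holders.GetEnumerator() | Where-Object { $_.Value -ne $newFqdn }

"Role holders after the transfer:"
$holders.GetEnumerator() | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }

if ($notMoved) {
    Write-Warning ("Still not on {0}: {1}" -f $newFqdn, (($notMoved | ForEach-Object Key) -join ', '))
} else {
    "All five FSMO roles are held by $newFqdn"
}
```

Keep the old DC online until this script reports all five roles on the new DC; demoting it first would force you to seize the roles instead of transferring them cleanly.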

Do not rename the only domain controller… and how to fix it if you have already done so…

Even though MS provides documentation on how to rename a domain controller, the thing is, if you only have one domain controller, the “rename” will break the AD service and you will not be able to roll back.

The issue you will get is that after you rename the domain controller, the AD DS services are still using the old hostname, because the FSMO roles were never transferred from the old name to the new name. If you try to start any domain management tool you’ll get an error saying the domain is unavailable. And if you try to change the domain controller name back, you will get the same error because the DC is not available, so the rename fails too. This issue won’t happen if your domain has two or more domain controllers.

Ok, how do you fix this issue if you have already done so? What we can do now is update the registry and change the computer name back to the old one. Below are the four registry values you need to update (CCS is short for CurrentControlSet):

HKLM\System\CCS\Control\Computername "Computername"
HKLM\System\CCS\Control\Computername "ActiveComputername"
HKLM\System\CCS\Services\Tcpip\Parameters "Hostname"
HKLM\System\CCS\Services\Tcpip\Parameters "NVHostname"
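The same registry rollback as a script, added here as an example and not part of the original post. It writes the full paths behind the post's abbreviated entries: ComputerName and ActiveComputerName are both subkeys under Control\ComputerName that hold a value named ComputerName, and the TCP/IP value the post writes as NVHostname is spelled "NV Hostname" in the registry. "OLD-DC-NAME" is a placeholder for the name the DC had before the rename; run it elevated on the renamed DC, and it only reports until you set $Apply to $true.

```powershell
# Added example (not from the original post): put a lone DC's hostname back to the
# name AD DS still expects, by rewriting the four registry values the post lists.
# Run elevated on the renamed DC, then reboot. $OldName is a placeholder for the
# name the DC had before the rename. With $Apply left at $false it only reports.
$OldName = "OLD-DC-NAME"   # placeholder: the original DC name (NetBIOS name, max 15 chars)
$Apply   = $false

# Full paths for the post's abbreviated "HKLM\System\CCS\..." entries.
$targets = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName';       Name = 'ComputerName' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName'; Name = 'ComputerName' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';               Name = 'Hostname' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';               Name = 'NV Hostname' }
)

# Guard rails before touching anything.
if ($OldName.Length -gt 15)            { throw "NetBIOS computer names are at most 15 characters" }
if ($OldName -ieq $env:COMPUTERNAME)   { throw "This machine is already named $OldName" }

foreach ($t in $targets) {
    # Show the value currently stored so the change is visible in the console output.
    $current = (Get-ItemProperty -Path $t.Path -Name $t.Name).($t.Name)
    "{0}\{1}`n  current: {2}  ->  target: {3}" -f $t.Path, $t.Name, $current, $OldName
    if ($Apply) {
        Set-ItemProperty -Path $t.Path -Name $t.Name -Value $OldName
    }
}

if ($Apply) {
    "Values written. Reboot now; AD DS should start under the old name again."
} else {
    "Dry run only. Set `$Apply = `$true to write the values, then reboot."
}
```

Run it once as a dry run to confirm all four locations currently show the new (broken) name before applying; the reboot is what makes the values take effect.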

Reset win2k8/2k12 domain admin password

My friend forgot his test lab’s domain admin password, and he only has a normal user account. So he asked me how he can reset his domain admin password.
It’s easy. Only a few steps:

1. Boot the domain controller from a Windows 2k8/2k12 installation CD.
2. Press Shift+F10 to start a command line on the first screen.
3. Run the commands below:

MOVE E:\Windows\System32\Utilman.exe E:\Windows\System32\Utilman.exe.bak
COPY E:\Windows\System32\cmd.exe E:\Windows\System32\Utilman.exe

You should replace E: with your local disk letter.
4. Restart the DC.
5. When the DC is done booting up again and you are at the logon screen, click the Ease of Access icon. Then you should be able to open a command line.
6. Reset the domain admin password:

net user administrator *

Done
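The flip side of this trick for anyone running a DC: the swap leaves clear traces on disk, and the check below, added here as an example and not part of the original post, looks for them. It runs elevated on the DC, only reads files, and reports whether Utilman.exe is a copy of cmd.exe (identical hash, cmd.exe's own version resource, a leftover Utilman.exe.bak). The Authenticode check is a weaker signal than it looks, since System32 binaries are catalog-signed by hash and a renamed genuine cmd.exe still validates; the version-resource fields are what actually betray the swap.

```powershell
# Added example (not from the original post): audit a DC for the Utilman.exe swap the
# post relies on. Run elevated on each DC; it only reads files and reports findings.
function Test-UtilmanIntegrity {
    $sys32    = Join-Path $env:SystemRoot 'System32'
    $utilman  = Join-Path $sys32 'Utilman.exe'
    $cmd      = Join-Path $sys32 'cmd.exe'
    $findings = @()

    # 1. A straight copy of cmd.exe has cmd.exe's hash.
    $h1 = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
    $h2 = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
    if ($h1 -eq $h2) { $findings += 'Utilman.exe is byte-identical to cmd.exe' }

    # 2. Version resource: a renamed Microsoft binary keeps its own OriginalFilename
    #    and FileDescription, so these reveal a swap even if the copy was later patched.
    $vi = (Get-Item $utilman).VersionInfo
    if ($vi.OriginalFilename -notlike 'utilman*') {
        $findings += "OriginalFilename is '$($vi.OriginalFilename)', expected utilman.exe"
    }
    if ($vi.FileDescription -like '*Command Processor*') {
        $findings += "FileDescription is '$($vi.FileDescription)' (cmd.exe's)"
    }

    # 3. Signature check. System32 binaries are catalog-signed by hash, so a renamed
    #    genuine cmd.exe still validates; this only catches a non-Microsoft replacement.
    $sig = Get-AuthenticodeSignature -FilePath $utilman
    if ($sig.Status -ne 'Valid') { $findings += "Signature status: $($sig.Status)" }

    # 4. The post's own leftover from the MOVE step.
    if (Test-Path "$utilman.bak") { $findings += 'Utilman.exe.bak exists next to Utilman.exe' }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

Test-UtilmanIntegrity | Format-List
```

A scheduled run of this on every DC is a cheap baseline check; the reason the trick works at all is offline write access to the system volume, which is what BitLocker on DC volumes and physical/boot-media control are there to prevent.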

Verify Schema versions on all Domain Controllers

Usually we can use the batch file below to check the domain controller schema version.

@ECHO OFF

REM Change the line below. Example: SET domain=dc=mydomain,dc=com
SET domain=dc=exampledomain,dc=com

ECHO.
ECHO Finding Schema Level on Domain Controllers in domain %domain%..

REM List every DC (RDN only) into a temporary file, then query each one.
SET file=schemainput.txt
dsquery server -o rdn > %file%
FOR /f %%a IN (%file%) DO CALL :Loop %%a
REM Cleaning up the temporary file.
IF EXIST %file% DEL %file%
GOTO :eof

:Loop
SET dc=%1
ECHO.
ECHO %dc%
REM Read objectVersion of the schema container from this DC; FIND /v drops the header line.
dsquery * cn=schema,cn=configuration,%domain% -scope base -attr objectversion -s %dc%|FIND /i /v "objectversion"
GOTO :eof

Another very quick way to check this with a single command line is to use the repadmin tool:

repadmin /showattr * "cn=schema,cn=configuration,dc=yourdomain,dc=com" /atts:ObjectVersion
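The same check done from the ActiveDirectory module, added here as an example and not part of the original post. It asks every DC directly for the schema container's objectVersion (so a lagging replica shows up rather than being hidden behind one answer), maps the number to the OS schema level it corresponds to, and warns when DCs disagree, which after the upgrade above means schema replication has not finished. It assumes the ActiveDirectory module and network reachability to each DC.

```powershell
# Added example (not from the original post): read the schema objectVersion from
# every DC in the domain and flag disagreements. Assumes the ActiveDirectory module.
# Known objectVersion values -> the Windows Server schema that introduced them.
$known = @{
    13 = 'Windows 2000'; 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2'
    56 = '2012'; 69 = '2012 R2'; 87 = '2016'; 88 = '2019/2022'
}

function Get-SchemaVersionPerDC {
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # Ask this specific DC (not whichever one the module picks) for its copy.
            $schemaNC = (Get-ADRootDSE -Server $dc.HostName).schemaNamingContext
            $v = (Get-ADObject -Identity $schemaNC -Properties objectVersion -Server $dc.HostName).objectVersion
            $label = if ($known.ContainsKey([int]$v)) { $known[[int]$v] } else { 'unknown' }
            [pscustomobject]@{ DC = $dc.HostName; ObjectVersion = [int]$v; Schema = $label; Error = $null }
        } catch {
            # Unreachable or failing DC: report it instead of silently skipping.
            [pscustomobject]@{ DC = $dc.HostName; ObjectVersion = $null; Schema = $null; Error = $_.Exception.Message }
        }
    }
}

$results = Get-SchemaVersionPerDC
$results | Format-Table -AutoSize

$distinct = $results | Where-Object { $_.ObjectVersion } |
    Select-Object -ExpandProperty ObjectVersion | Sort-Object -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning "DCs disagree on schema objectVersion ($($distinct -join ', ')): replication may be incomplete"
} elseif ($results | Where-Object Error) {
    Write-Warning "Some DCs could not be queried; see the Error column"
} else {
    "All DCs report schema objectVersion $distinct ($($known[[int]$distinct]))"
}
```

The batch file and the repadmin one-liner above report the same attribute; the point of this version is the per-DC comparison and the explicit error row for a DC that does not answer.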