
Plan your domain controller migration to Windows Server 2025
Windows Server 2025 offers a slew of new Active Directory features, but users must migrate their domain controllers before they can realize the benefits.
Upgrading an Active Directory forest to run on Windows Server 2025 isn't overly difficult, but the process requires preparation.
In its latest Windows Server release, Microsoft introduced several Active Directory enhancements, including new features and improved functionality that will appeal to organizations. Before they can implement these features, though, they'll need to migrate their domain controllers to Windows Server 2025.
This article provides a walkthrough of the planning required before an AD domain controller migration and then covers the steps involved in performing the actual upgrade.
Why upgrade Active Directory?
One major development in Windows Server 2025 is the increased database page size. Since the days of Windows 2000, Active Directory has relied on an Extensible Storage Engine (ESE) database with an 8 KB page size. While this might have been fine 25 years ago, today the page size limits overall AD scalability, for example by capping how many values a single multivalued attribute can hold. Microsoft has removed these limitations by increasing the page size to 32 KB. Additionally, AD now takes advantage of non-uniform memory access (NUMA) nodes and can support up to 64 CPU cores.
Microsoft has also taken steps to improve AD security. As an example, the Lightweight Directory Access Protocol (LDAP) used by Active Directory now supports TLS version 1.3. Similarly, Active Directory blocks legacy Security Account Manager Remote Procedure Call (SAM RPC) operations in favor of more secure alternatives, such as Kerberos. The Microsoft Learn website offers a full list of the latest AD enhancements.
Prepare for your domain controller migration
Before upgrading your domain controllers to Windows Server 2025, take the following steps to help ensure a smooth and successful migration.
Assess replication process
The first step involves checking Active Directory to make sure the domain controllers are properly replicating with one another and that the replication process is healthy. This step will also need to be performed again later as part of the migration process. To check the replication status, open PowerShell and enter the command RepAdmin /ReplSummary. Make sure there are no replication errors, as shown in Figure 1.
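The check described above, as an added example that is not part of the original article: it keeps the repadmin summary for the log and then asks every domain controller for its inbound partner metadata and recorded failures through the ActiveDirectory module, so the migration can be gated on a clean result rather than on eyeballing a table. It assumes the RSAT ActiveDirectory module is installed and that the caller can query every DC.

```powershell
# Added example (not from the original article): gate the migration on replication health.
Import-Module ActiveDirectory

# The per-DC summary the article refers to; keep its text in the change record.
repadmin /replsummary

# Machine-readable pass: every DC, every inbound partner, last result must be 0 (success).
$dcs = Get-ADDomainController -Filter *
$problems = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationResult -ne 0 } |
        Select-Object Server, Partner, Partition, LastReplicationResult,
                      LastReplicationAttempt, LastReplicationSuccess, ConsecutiveReplicationFailures
}

# Failures the KCC has recorded and not yet cleared; zero rows expected.
$failures = foreach ($dc in $dcs) {
    Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue
}

if ($problems -or $failures) {
    $problems | Format-Table -AutoSize
    $failures | Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
    throw 'AD replication is not healthy; fix this before adding or removing domain controllers.'
}
"Replication is healthy across $($dcs.Count) domain controllers."
```

Run it from a management workstation before you start and again after each promotion or demotion; a non-zero LastReplicationResult is a Win32 error code (8453 is the classic access-denied case, 1722 usually means RPC cannot reach the partner), which tells you whether to look at permissions, DNS or the network first.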

Create an Active Directory backup
This backup should be taken as late as possible so that it captures all of the latest AD changes. Practice restoring your backups into a lab environment so that you can test their integrity; this also familiarizes you with the recovery process in case anything goes wrong.
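A system state backup of a domain controller, as an added example rather than text from the original article. It uses Windows Server Backup, which is what Microsoft supports for AD restores; the E: backup volume is a placeholder, and the script assumes it runs elevated on the DC being backed up.

```powershell
# Added example (not from the original article): system state backup of a DC before a change.
Import-Module ServerManager
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup
}

# E: is a placeholder for a dedicated backup volume (never the volume holding NTDS.dit).
$target = 'E:'

# System state on a DC includes the AD database (NTDS.dit), SYSVOL, the registry and boot files.
wbadmin start systemstatebackup "-backupTarget:$target" -quiet
if ($LASTEXITCODE -ne 0) { throw "System state backup failed with exit code $LASTEXITCODE" }

# Confirm the new version is catalogued; the newest entry should carry today's timestamp.
wbadmin get versions "-backupTarget:$target"
```

For the lab restore, boot the test DC into Directory Services Restore Mode and use `wbadmin start systemstaterecovery -version:<id>`, which is where the DSRM password you set during promotion matters.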
Audit legacy protocols, applications
Evaluate NT LAN Manager usage throughout your organization. NTLM is a legacy protocol that you should ideally phase out as part of the upgrade process. However, you might still have legacy applications that require NTLM, which might force you to continue using the protocol.
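One way to find out who is still authenticating with NTLM, added here as an example and not part of the original article. Domain controllers log Security event 4776 every time they validate credentials with NTLM, so grouping those events by account and source workstation gives an inventory of the applications and hosts that would break if NTLM were blocked. The script assumes "Audit Credential Validation" (success and failure) is enabled on the DCs and that the caller can read their Security logs remotely.

```powershell
# Added example (not from the original article): NTLM usage inventory from event 4776 on every DC.
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-7)
$dcs   = (Get-ADDomainController -Filter *).HostName

$ntlm = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC          = $dc
                Time        = $_.TimeCreated
                User        = $d['TargetUserName']
                Workstation = $d['Workstation']
                Status      = $d['Status']   # 0x0 = success; 0xC000006A = wrong password, etc.
            }
        }
}

# Successful NTLM validations, grouped by account and source host. Accounts ending in $
# are computer accounts; the rest are users and, typically, the service accounts of the
# legacy applications you are looking for.
$ntlm | Where-Object { $_.Status -eq '0x0' } |
    Group-Object User, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'User';        e = { $_.Group[0].User } },
                  @{ n = 'Workstation'; e = { $_.Group[0].Workstation } } |
    Format-Table -AutoSize
```

Event 4776 only covers authentications the DC itself validated; for a fuller picture, turn on "Network security: Restrict NTLM: Audit NTLM authentication in this domain" and read the Microsoft-Windows-NTLM/Operational log as well, and run the collection for at least one full business cycle so monthly batch jobs show up.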
Evaluate hardware requirements
These requirements are relatively modest: 1.4 GHz 64-bit CPU; 2 GB of RAM, or 4 GB as recommended for the Desktop Experience; and 32 GB of storage.
You should also review the hardware that your existing domain controllers currently use, since domain controllers will almost always require more than just the minimum hardware. This would be a good time to assess whether your existing hardware allocations are sufficient or if you need to allocate more hardware to your domain controllers.
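An inventory of what the existing domain controllers are running on, added as an example (not from the original article) to support the sizing review above. It reads OS, logical CPU count and memory over CIM and the size of NTDS.dit from the path recorded in each DC's registry, and assumes WinRM is enabled on the DCs and that the caller is a domain administrator.

```powershell
# Added example (not from the original article): hardware and database size of every existing DC.
Import-Module ActiveDirectory
$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

$inventory = foreach ($dc in $dcs) {
    $os = Get-CimInstance -ComputerName $dc.HostName -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ComputerName $dc.HostName -ClassName Win32_ComputerSystem

    # NTDS.dit may have been moved off the default path; the registry records where it lives.
    $ditBytes = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $p = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
        (Get-Item -Path $p).Length
    }

    [pscustomobject]@{
        DC        = $dc.HostName
        Site      = $dc.Site
        OS        = $os.Caption
        Cores     = $cs.NumberOfLogicalProcessors
        MemoryGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        NtdsDitGB = [math]::Round($ditBytes / 1GB, 2)
        IsGC      = $dc.IsGlobalCatalog
        FsmoRoles = ($dc.OperationMasterRoles -join ', ')
    }
}
$inventory | Format-Table -AutoSize
```

The NtdsDitGB column is the number to size memory against: a DC performs best when the whole database fits in cache, and a 32 KB page size will not shrink it.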
Consider raising functional levels
Finally, decide whether you want to upgrade to the latest domain and forest functional levels. Prior to Windows Server 2025, the highest available functional level was Windows Server 2016. Upgrading to the Windows Server 2025 domain functional level lets you take advantage of all the latest enhancements, but you cannot perform the upgrade until all of the domain controllers within the domain are running Windows Server 2025.
Treat raising the domain functional level as a one-way operation. Once you raise it, you can no longer deploy domain controllers running older versions of Windows in that domain, and although Microsoft supports lowering a functional level in some circumstances, that depends on which features have been enabled since the raise, so plan as if no rollback exists.
The same basic concept also applies to forest functional level upgrades. Raising the forest functional level to Windows Server 2025 requires all of your domains to be operating at the Windows Server 2025 domain functional level. Once again, this is a one-way operation; once you raise the forest functional level, you can no longer deploy domains at lower functional levels.
The importance of having a good AD backup increases exponentially when upgrading functional levels. It's a good idea to create a new one just before raising a functional level.
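The functional level procedure above as one script, added here as an example and not code from the original article. It refuses to proceed while any DC is still on an older release, takes the fresh system state backup the article recommends, raises the domain level and then raises the forest level only if every domain in the forest has already reached the 2025 domain level. It assumes the Windows Server 2025 ActiveDirectory module, whose ADDomainMode and ADForestMode enumerations include the Windows2025Domain and Windows2025Forest values, and that E: is a valid backup target on the DC it runs on.

```powershell
# Added example (not from the original article): verify prerequisites, back up, then raise levels.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$forest = Get-ADForest
"Current levels: domain=$($domain.DomainMode) forest=$($forest.ForestMode)"

# Any DC that is not on Windows Server 2025 blocks the raise; list them instead of failing half-way.
$old = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -notlike '*Server 2025*' }
if ($old) {
    $old | Format-Table HostName, OperatingSystem -AutoSize
    throw 'Upgrade or demote these domain controllers before raising the functional level.'
}

# Fresh system state backup on this DC immediately before the one-way change (E: is a placeholder).
wbadmin start systemstatebackup -backupTarget:E: -quiet
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; not raising functional levels.' }

Set-ADDomainMode -Identity $domain -DomainMode Windows2025Domain -Confirm:$false

# The forest level can only follow once every domain in the forest is at the 2025 domain level.
$lagging = $forest.Domains |
    ForEach-Object { Get-ADDomain -Identity $_ } |
    Where-Object { $_.DomainMode -ne 'Windows2025Domain' }
if ($lagging) {
    "Forest level not raised; these domains are still behind: $($lagging.DNSRoot -join ', ')"
} else {
    Set-ADForestMode -Identity $forest -ForestMode Windows2025Forest -Confirm:$false
}

"New levels: domain=$((Get-ADDomain).DomainMode) forest=$((Get-ADForest).ForestMode)"
```

Run it as a member of Domain Admins for the domain raise and of Enterprise Admins for the forest raise; the level change is written to the PDC emulator and replicates from there, so allow a replication cycle before checking it from other DCs.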
Domain controller migration, step by step
Once all the prep work has been completed, it's time for the actual domain controller migration. While you can perform an in-place upgrade from Windows Server 2012 R2 or newer Windows Server OSes, the following steps will be for a clean installation onto physical or virtual hardware, as this is usually the preferred option.
1. Install the OS and Domain Services
The first step is to install Windows Server 2025. You will need to join the machine to the AD domain where it will eventually serve as a domain controller before continuing. Take this opportunity to install any available updates.
With the OS ready to go, next you will need to install Active Directory Domain Services. From the GUI, open Server Manager and then choose the Add Roles and Features command from the Manage menu. Work your way through the wizard until you reach the Roles screen. Here, you will need to select the Active Directory Domain Services role. When prompted, be sure to install any required dependency services.

2. Deploy DNS services
Hosting DNS on the domain controller itself is not a requirement, but Active Directory cannot function without DNS, so decide where the DNS services will live before you promote anything. In most environments some of the legacy domain controllers are also DNS servers; if you are completely doing away with those servers, you will need to deploy DNS elsewhere.
One option is to run the DNS services on your new domain controllers. You can do so by selecting the DNS Server checkbox, shown in Figure 2, and installing the dependency features when prompted. If you are moving DNS to new servers, remember to update the resolver configuration used throughout your organization, including DHCP scope options, statically configured clients and servers, and the forwarders on any remaining DNS servers, so that everything points to the new DNS servers before the old ones are retired.
3. Promote new domain controllers
When the role deployment process is complete, click the Promote This Server to a Domain Controller link. This launches the Active Directory Domain Services Configuration Wizard at its Deployment Configuration page. Select the option to add a domain controller to an existing domain and then verify that the correct domain is selected. Click Next, and the following screen will ask you to select the capabilities for the new domain controller. Unless you are deploying a read-only domain controller, keep the default options, which make the server a global catalog and, if you chose it, a DNS server. On the same screen, enter and confirm a Directory Services Restore Mode (DSRM) password; this is the local administrator password you will need to restore Active Directory from backup, so record it somewhere safe. Click Next until you complete the wizard. At that point, the server will be configured to act as a domain controller, and a reboot is required at the completion of this process.
When the reboot is complete, give your new domain controller some time to receive copies of all the objects that currently exist within your Active Directory. Before moving forward, check the replication health using the same method discussed earlier. Make sure that AD replication is functioning properly and the initial replication process is complete before proceeding. If you encounter replication errors, verify that DNS name resolution is working properly and that all the domain controller clocks are correct.
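Steps 1 through 3 as a single PowerShell script, added here as an example; it is not from the original article, which uses Server Manager. It runs in an elevated session on the new Windows Server 2025 server, installs the AD DS and DNS roles, runs the ADDSDeployment prerequisite check, and promotes the server as a writable domain controller and global catalog. The domain name corp.example.com, the site name and the account name are placeholders; the DSRM password is read interactively so it never lands in a script file.

```powershell
# Added example (not from the original article): install roles and promote a new 2025 DC.
Import-Module ServerManager
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

Import-Module ADDSDeployment
$domainName = 'corp.example.com'                 # placeholder
$siteName   = 'Default-First-Site-Name'          # placeholder; use the site the server lives in
$cred       = Get-Credential -UserName 'CORP\Administrator' -Message 'Domain Admins account'
$dsrm       = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Dry run: validates DNS, credentials, replication source and the target domain without changing anything.
$check = Test-ADDSDomainControllerInstallation -DomainName $domainName -InstallDns `
             -SafeModeAdministratorPassword $dsrm -Credential $cred
$check | Format-List Status, Message
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; see messages above.' }

# Promotion: writable DC, global catalog and DNS, database on the default volume, automatic reboot.
Install-ADDSDomainController `
    -DomainName $domainName `
    -SiteName $siteName `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Credential $cred `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -Force
```

After the reboot, wait for initial replication and then repeat the replication check from the planning section; `repadmin /showrepl` on the new DC should show a successful last attempt for every partition, and `Get-ADDomainController -Identity <new host>` should report IsGlobalCatalog as true before you point clients at it for DNS.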
4. Deprovision legacy domain controllers
If you plan to deprovision your legacy domain controllers, it's a good idea to transfer Flexible Single Master Operation (FSMO) roles. The role transfer should occur automatically as part of the deprovisioning process, but transferring roles ahead of time can help avoid any surprises. The easiest way to do this is to open an elevated PowerShell session and enter the following command:
Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME -OperationMasterRole 0,1,2,3,4 -Confirm:$False
This command, shown in Figure 3, will transfer all of the operation master roles to your new domain controller. If you only wish to transfer some of the roles, you can change the numbers listed at the end of the command. Each of these numbers represents a role:
- 0: Primary domain controller emulator.
- 1: Relative identifier master.
- 2: Infrastructure master.
- 3: Schema master.
- 4: Domain naming master.

You can verify that the roles have been successfully transferred with the netdom query fsmo command.
The next step in the process is to begin deprovisioning your legacy domain controllers. The exact steps involved will vary slightly depending on the version of Windows Server in use. At a high level, however, you open Server Manager, choose Remove Roles and Features from the Manage menu and clear the Active Directory Domain Services checkbox; the wizard then prompts you to demote the domain controller, which is a separate, reboot-inducing step that must finish before the role itself can be removed. Once the demoted server has been removed from any DNS or DHCP settings that still reference it, it can be retired.
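Demotion from PowerShell with a few safety checks first, added here as an example and not part of the original article. It is meant to run in an elevated session on the legacy domain controller itself; it refuses to proceed if the DC still holds an operations master role, is the last global catalog in the domain or has unresolved replication failures, and only then calls Uninstall-ADDSDomainController. The domain and account names are placeholders.

```powershell
# Added example (not from the original article): demote a legacy DC with pre-flight checks.
Import-Module ActiveDirectory, ADDSDeployment
$me = $env:COMPUTERNAME
$dc = Get-ADDomainController -Identity $me

# Demotion would move any roles automatically, but a deliberate transfer is easier to audit.
if ($dc.OperationMasterRoles) {
    throw "$me still holds $($dc.OperationMasterRoles -join ', '); transfer the roles first."
}

# Never remove the last global catalog in the domain.
$gcs = @(Get-ADDomainController -Filter 'IsGlobalCatalog -eq $true')
if ($gcs.Count -le 1) { throw "$me is the only global catalog in the domain." }

# A replica with outstanding failures may hold changes that have not reached the other DCs.
if (Get-ADReplicationFailure -Target $me) { throw "Replication failures on $me; resolve them before demoting." }

# The local Administrator password the server will use once it is an ordinary member server.
$localPwd = Read-Host -Prompt 'New local Administrator password' -AsSecureString
$cred     = Get-Credential -UserName 'CORP\Administrator' -Message 'Domain Admins account'   # placeholder account

Uninstall-ADDSDomainController -LocalAdministratorPassword $localPwd -Credential $cred -Force
# The server reboots as a member server. Then, on that server, remove the binaries:
#   Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
# and from any remaining DC confirm it is gone from the topology and from DNS:
#   Get-ADDomainController -Filter * | Select-Object HostName
#   repadmin /replsummary
#   Resolve-DnsName -Type SRV _ldap._tcp.dc._msdcs.corp.example.com
```

If a legacy DC is unreachable and cannot be demoted cleanly, use `Uninstall-ADDSDomainController -ForceRemoval` on that machine or remove its metadata from a healthy DC with `ntdsutil` or Active Directory Users and Computers, then check that its SRV records are gone; stale records for a dead DC are a common cause of client authentication delays after a migration.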
Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.