Migrate Microsoft domain controller (DC)

Upgrading your Active Directory infrastructure isn’t a trivial task—but by following Microsoft’s recommended approach, you can migrate Domain Controllers (DCs) smoothly and securely. Here’s a clean, step-by-step guide to help you transition from Windows Server 2012 R2 DCs to fresh 2019 servers with minimal downtime.

1. Verify and Clean Up Current Environment

  • Ensure SYSVOL replication uses DFS‑Replication (DFSR), not the older File Replication Service (FRS).
  • Run dcdiag /v and repadmin /showrepl to audit domain health and replication status.
  • Address any errors or warnings before proceeding.

2. Stand Up a New Windows Server 2019

  • Join the new server to the existing domain as a member.
  • Assign a static IP, patch it fully with Windows Update, and log in as a domain or enterprise administrator.
  • Install AD DS and DNS Server roles via:
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools

After installing the AD DS server role, Server Manager will display a notification prompting you to promote the server to a domain controller. Click the yellow exclamation mark to launch the AD DS Configuration Wizard. Choose “Add a domain controller to an existing domain” and follow the prompts. As long as you’re signed in with a domain administrator account, the system will automatically run adprep to prepare the domain.

3. Move Flexible Single Master Operation (FSMO) Roles to the New Server

The next step is to sign in to the old domain controller and transfer all five FSMO (Flexible Single Master Operations) roles to the new domain controller. The simplest way to do this is with PowerShell. In the command below, replace DC1 with the hostname of your new domain controller:

Move-ADDirectoryServerOperationMasterRole -Identity DC1 -OperationMasterRole 0,1,2,3,4

Note: This guide assumes a single-DC environment for simplicity. In most real-world scenarios, your domain will have multiple domain controllers. Be sure you understand how FSMO roles are distributed in your environment before proceeding.

After running the command, verify that the roles were successfully transferred.

To check the domain-level FSMO roles, run:

Get-ADDomain

Look for the following roles and confirm the server name listed next to them matches your new DC:

  • InfrastructureMaster
  • PDCEmulator
  • RIDMaster

Next, check the forest-level FSMO roles with:

Get-ADForest

Confirm the following roles are now assigned to your new domain controller:

  • SchemaMaster
  • DomainNamingMaster

This confirms that the new server holds all five FSMO roles.

4. Demote the Old Controller

After successfully transferring the FSMO roles to the new domain controller, you can proceed to safely demote the old Windows Server 2012 R2 domain controller. This can be done through Server Manager by selecting Remove Roles and Features from the Manage menu and uninstalling the Active Directory Domain Services (AD DS) role. During this process, the Active Directory Domain Services Configuration Wizard will launch and guide you through the steps to demote the domain controller before the role is removed.

Alternatively, you can use PowerShell commands to accomplish this. The Uninstall-ADDSDomainController cmdlet demotes the DC, and the Uninstall-WindowsFeature cmdlet removes the AD DS server role.
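
A read-only gate to run before the demotion, combining the checks from steps 1 and 3 (an added example, not part of the original guide): it confirms that all five FSMO roles sit on the new DC, that SYSVOL is on DFSR, and that repadmin reports no replication failures. Assumptions: DC1 is the new DC's hostname as in the command above, the script runs on a domain controller with the ActiveDirectory module, and dfsrmig prints its English-language state name.

```powershell
# Added example: pre-demotion gate check. Read-only; it changes nothing.
# Assumptions: run on a DC with the ActiveDirectory module; DC1 is the new DC's hostname.
param([string]$NewDC = 'DC1')

Import-Module ActiveDirectory
$problems = @()

# 1. All five FSMO roles must be held by the new DC (holders are returned as FQDNs).
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    InfrastructureMaster = $domain.InfrastructureMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($role in $roles.GetEnumerator()) {
    $holder = ($role.Value -split '\.')[0]
    if ($holder -ne $NewDC) {
        $problems += "$($role.Key) is still held by $($role.Value)"
    }
}

# 2. SYSVOL must replicate over DFSR: the migration state should be 'Eliminated'.
$dfsr = (dfsrmig /getglobalstate) -join ' '
if ($dfsr -notmatch 'Eliminated') {
    $problems += "SYSVOL migration state is not 'Eliminated': $dfsr"
}

# 3. No inbound replication failures on the new DC (same data as repadmin /showrepl).
$links = repadmin /showrepl $NewDC /csv | ConvertFrom-Csv
foreach ($link in $links) {
    if ([int]$link.'Number of Failures' -gt 0) {
        $problems += "Replication of $($link.'Naming Context') from $($link.'Source DSA') is failing"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "All checks passed: $NewDC holds all FSMO roles and replication is healthy."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

A non-zero exit code means at least one check failed, and the warnings name which role, SYSVOL state, or replication link needs attention before the old DC is demoted.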
