Upgrade Server 2016 Domain Controller to 2019 Server Core

Now that Server 2019 has been released I wanted to upgrade my lab's domain controllers from Server 2016 to Server 2019 Core. I wanted to do the non-desktop experience version because of the limited resources on my lab hardware.

I have 2 domain controllers named DC1 and DC2 that are only domain controllers with no other purpose or software, so I removed them from the domain.

Here are the steps I took. They will be the same if you are updating/removing from a full desktop experience version of windows. Except for assigning IP's.

1. Get the IP addresses of your domain controllers. I'm going to assume you know how to do that so I'm not going into detail. If you have IPv6 on your network, be sure to get that as well.

2. Replace the first domain controller, DC1

   1. Verify all domain roles are on the other domain controller DC2

      1. Open the Active Directory Users and Computers management console
      2. Right click your domain.
      3. Click Change Domain Controller.
      4. Select the domain controller you're not upgrading.
      5. Click OK
      6. Right click your domain again.
      7. Click Operations Masters
      8. Go through each tab and verify Operations Master is on the domain controller you're not updating, DC2
      9. If it is on the one you are doing, DC1, click Change, then Yes then Ok.
      10. Once you've verified that all the roles are on a domain controller other than the one you're updating, click Close.

   2. Demote the domain controller to a member server.

      1. Open Server Manager
         1. If you are running Server Manager on something other than the server being demoted and haven't managed it before, connect to the remote server.
            1. Click Add other servers to manage
            2. In the Name field, put in the name of the domain controller you want to demote
            3. Click Find Now
            4. Click your server, DC1
            5. Click the arrow pointing to the left
            6. Click Ok
      2. Remove the Active Directory Domain Services role
         1. Click Manage in the upper right of server manager
         2. Click Remove Roles and Features
         3. On the Before You Begin page, click next. This step may not apply to you if you have previously checked the Skip this page by default.
         4. In the Select destination server make sure the server you are demoting, DC1, is selected
         5. Click Next
         6. Uncheck Active Directory Domain Services
         7. Click Remove Features on the box that pops up asking about Removing features that require Active Directory Domain Services
         8. When the box pops up about demoting the domain controller, click Demote this domain controller
         9. Click Change to set the credentials to demote the controller. This should be a domain admin.
         10. Click Next
         11. Check the Proceed with removal box
         12. Click Next
         13. Leave Remove DNS Delegation checked and click Next
         14. Put in a new administrator password.
         15. On the Review Options page I recommend verifying that the correct server is being demoted. It's in the upper right corner.
         16. Click Demote
         17. It'll take a bit.
         18. If your on the server it'll reboot. If your running server manager remotely click Close and close the Server Manager.

   3. Remove the old domain controller from the domain

      1. Shutdown the old domain controller
      2. Open Active Directory Users and Computers
      3. Expand your domain
      4. Click Computers
      5. Right click your old domain controller DC1
      6. Click Delete
      7. If it comes up and says that it contains other objects, click Yes to delete it

   4. Install Server 2019 Core. There's generally not much of a need for the full-blown Desktop Experience on a domain controller. I also only give my DC's 2gig of ram and a single CPU core since it's a lab, so the lower resource requirements make that possible.

      ^{Note: I'm not going to walk you through the install of 2019, it's pretty easy and straight forward with plenty of other guides. Don't worry about anything other than the install part and getting to the first command prompt, we'll go through all the config stuff in a minute.}

   5. Now that you're at the command prompt right after logging in to your 2019 server for the first time, we need to set it's IP, DNS, join it to the domain, and rename it to the same name as your old DC. If you're using Server Core, follow these, otherwise there are many guides out there on about how to do these steps.

      1. Type in sconfig and press enter.
      2. Set the IPv4 Address and DNS.
         1. Type 8 and enter for Network Adapter Settings.
         2. Type the network adapter number (if a single NIC, press 1) and enter.
         3. Type 1 and enter for the Set Network Adapter Address
         4. Type S for Static and press enter
         5. Put in the IP address of the domain controller you're replacing DC1. For example, 192.168.0.253. And press enter.
         6. Put in the subnet mask for your network. For example, 255.255.255.0. And press enter.
         7. Put in the IP address of the gateway for your network. For example, 192.168.0.1 and press enter.
         8. Type 2 and enter for Set DNS Servers.
         9. Type the IP address of the domain controller you're not updating DC2. For example, 192.168.0.254. And press enter.
         10. Click Ok on the box that pops up saying Primary DNS server was set.
         11. Type 127.0.0.1 for the alternate DNS server and press enter.
         12. Click Ok on the box that pops up saying Secondary DNS server was set.
         13. Type 4 and press enter to Return to the Main Menu.
      3. Join it to the domain and set the computer name.
         1. Type 1 and enter for Domain/Workgroup.
         2. Type D for Domain and enter.
         3. Type your domain. For example, domain.lab. And press enter.
         4. Type in a valid domain admin user. For example, domain\edward. And press enter.
         5. A block box will pop up asking for the password of the user you just put in. Put it in there and press enter and the box will go away after a couple of seconds.
         6. A dialog will come up asking if you want to change the computer name. Click Yes.
         7. Type the name of the domain controller we are updating, DC1.
         8. Type in a valid domain admin user. For example, domain\edward. And press enter.
         9. A block box will pop up asking for the password of the user you just put in. Put it in there and press enter.
         10. A dialog will come up saying you need to restart your computer to apply the changes. Click Yes.
      4. If you IPv6 set the IPv6 address, if you're doing a core install follow these, otherwise use the network properties
         1. Log back in to your server.
         2. Type powershell and press enter.
         3. Get a list of the network adapters by typing get-netadapter and press enter.
         4. Next to the adapter you want to assign the address to is an ifIndex column, you'll need that number in the next command.
         5. Assign the address by typing New-NetIPAddress -IPAddress "<ipv6 address>" -PrefixLength <ipv6 address prefix length> -ifIndex <interface index from previous step>.
         6. Log off by typing logoff and press enter.

   6. Install DNS and promote to a domain controller.

      1. Open Server Manager a computer attached to the domain of your new domain controller.

         ^{Note: If you were using the `Server Manager` on your old domain controller, you will find that `Server Manager` is not on Server 2019 `Core`. You'll need to run it remotely. To connect to the new domain controller, follow the steps above in the `Demote the domain controller` section near the top. Note 2: If you need to install `Server Manager` on a Windows 10 desktop, there are other guides for that as well. Maybe I'll do a blog post on that. It's easy.}

      2. Click Manage.

      3. Click Add Roles and Features.

      4. On the Before You Begin page, click next. This step may not apply to you if you have previously checked the Skip this page by default.

      5. In the Installation Type screen, leave Role-based or feature-based installation selected and click Next.

      6. In the Select destination server make sure the server you are replacing, DC1, is selected.

      7. Click Next.

      8. Check Active Directory Domain Services

      9. Leave the Include management tools (if applicable) checked and click Add Features

      10. Check DNS Server.

          ^{Note: Even though I had static IPv4 and IPv6 addresses, it still popped up and said there were none found. I ignored it and clicked `continue`.}

      11. Click Next to go to the Select Features page.

      12. Click Next on the Active Directory Domain Services page.

      13. Click Next on the DNS Server page.

      14. Check the Restart the destination server automatically if required box.

      15. Click Install.

      16. This will take a bit.

      17. Click Close when it's done.

      18. If the server didn't reboot, reboot it.

      19. Log in.

      20. At the command line, type powershell and press enter.

      21. Type Install-ADDSDomainController -DomainName <your domain>

      22. It'll ask for a safe mode password, go ahead and put one in there and press enter.

      23. It'll ask for the password again as a confirmation, type the same one and press enter.

      24. It'll then ask Do you want to continue with this operation. Press Y then enter.

      25. The server will reboot and you're done.

3. Upgrade the second server

   1. Guess what, it's identical to the first one, just reverse the server your replacing/upgrading/promoting and move the roles to the server we just updated. That should be all there is to it.

Reminders:

• Remove the forwarders from the DNS servers on your upgraded domain controllers or you will have slow query times (default timeout is 3 seconds) as they forward the requests to each other in an endless loop before giving up and querying the root server.

Notes:

• The server manager stopped working when trying to promote the second server. I suspect it has something to do with DNS. So instead of using Server Manager I used powershell and changed the promote to domain controller steps to use powershell instead.
• Instead of using Server Manager to add the DNS/Active Directory Domain Services roles you could use powershell. I believe the command would be something like Add-WindowsFeature AD-DomainServices and Add-WindowsFeature DNS then reboot, then run Install-ADDSDomainController
• I spent more time writing this up than I did doing the actual upgrade of both servers. It's pretty quick and easy.
• Upgrading the domain controllers appeared to also update the domain functional level without needing to do it manually.