By Tushar Kumar, Alibaba Cloud Community Blog author
Assume the following scenario. Your current domain controller is running on a Windows 2012 server at your local on-premises data center, and you want to migrate your domain controller with flexible single master operation (FSMO) roles to Windows server 2016 active directory. Well, in this blog, we will show you how to do exactly that, walking you through the steps to accomplish all of this. In reality these steps can be applied for migrating Windows 2012, 2008, 2008 R2 Servers.
Using a domain controller with FSMO has its advantages. Flexible single master operation (FSMO) is a multi-master model that assigns clear roles and responsibilities to every domain controller while at the same time also giving you the flexibility to transfer roles if needed.
Flexible single master operation (FSMO) can be divided broadly into five roles, which are:
Another advantage of FSMO is that it mitigates the following issue: Migrating Root and Child domain controllers directly with an OS-level snapshot may cause errors in the domain controller, so it's always better to go for AD Sync and FSMO roles transfer.
Before you can precede to migrate your domain controller, you will need the following:
Before proceeding with any of the steps below, first you should check if you can ping your on-premises network with your Windows Server 2016 ECS instance.
If everything's fine, then add your ECS instance into the same domain in the active directory (AD). This is how you do it:
Control Panel > System and Security > System > Under Computer name, domain, and workgroup settings, Change Settings > Change Domain
Next, you can run the Get-ADDomain |fl Name, DomainMode
command on your ECS instance to retrieve the current domain functional level. After running this command, you'll see the on-premises DC mentioned as output.
Next to migrate, follow these steps:
Now we need to install the active directory role on the Alibaba Cloud ECS instance. This is how you do it:
Open Server Manager > Click on Add roles and features > On the wizard Click Next > Select Role-Based or feature-based installation and Click Next > Click Next >
Under Roles check Active Directory Domain Services.
Next, on the next Features tab, click Next, and on the AD DS description page, click Next, and on confirmation page, click Next. After that, wait for the installation to complete. Once it is done, this window will appear.
Click on Promote this Server to a domain Controller. You will be prompted with Active Directory Domain Services Configuration window,
Select the deployment operation: Add a domain Controller to an existing domain. Then, provide your AD Domain (for example, alibabapoc.com) and click Next.
On the next screen, provide a DSRM password, keep the rest as it is and click Next. Then, on DNS Options page, click Next. On the next window, select the source replication by choosing Select your On-premises DC.
Continue to click Next until you reach the Pre-requisites tab, and then click Install. Once the installation is completed, the server will automatically restart.
Now you can see all your users are now available on your new Active Directory on Cloud ECS instance, so check for our FSMO roles by running the netdom query fsmo
command:
From the above output, you can see the FSMO roles are still owned by on-premises DC. To change this, run the below command:
GEt-CimInstance Win32_OperatingSystem | Fl Csname
Note that you need to replace Csname to your own Csname.
Now your Alibaba ECS instance is ready. Let's transfer the FSMO Roles. Right now for Root domain controller, we have five FSMO roles as schema master and domain naming master roles, are only assigned once in the forest, so we'll not have those while moving child domain controller.
Now, run the following command on your on-premises data center. In the following command, replace Your_DC_CSName with Cloud Instance CSName)
Move-ADDirectoryServerOperationMasterRole -Identity YOUR_DC_CSNAME -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
Then, type A [Yes to all] once asked for permissions, and check if the roles are transferred by running the Netdom query fsmo
command:
Now your Roles are transferred. Let's prepare your on-premises machine to decommission:
Log on to your on-premises data center.
Run the following command in PowerShell (Administrator): Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition
This command will ask you for local administrator credentials. Then, after completion, the server will get restarted will restart the server, after which you can Decommission the server.
Now Log on to ECS instance on AlibabaCloud:
Update Domain functional level, and then run this command in PowerShell (Administrator): Set-ADDomainMode -identity YOUR_DOMAIN -DomainMode YOUR_WINDOWS_VERSION
For this command, replace YOUR_DOMAIN with your Domain name and YOUR_WINDOWS_VERSION with your server version running after migration. The values are as follows:
In my case domain my Cloud DC is running on Server 2016 and domain is alibabapoc.com, therefore, my command will be like this: Set-ADDomainMode -identity alibabapoc.com -DomainMode Windows2016Domain
Now update Forest Functional level. Run the following command in PowerShell (Administrator):
Set-ADForestMode -Identity YOUR_DOMAIN -ForestMode Your_windows_version
Change the command to fit your situation. Again, for the example above, Cloud DC is running on Server 2016 and domain is alibabapoc.com. Whereas, for instance, Set-ADForestMode -Identity alibabapoc.com -ForestMode Windows2016Forest means that your DC is up and running on Alibaba Cloud.
You can repeat the same steps to migrate your child domain controller just 2 FSMO roles will not be there (Schema master and Domain naming master).
2,599 posts | 764 followers
FollowAlibaba Clouder - September 20, 2019
5544031433091282 - June 29, 2022
Alibaba Clouder - April 22, 2019
Alibaba Clouder - July 1, 2020
Alibaba Clouder - September 27, 2018
Alibaba Cloud Native - March 28, 2024
2,599 posts | 764 followers
FollowElastic and secure virtual cloud servers to cater all your cloud hosting needs.
Learn MoreAlibaba Cloud DNS is an authoritative high-availability and secure domain name resolution and management service.
Learn MoreSecure your cloud resources with Resource Access Management to define fine-grained access permissions for users and groups
Learn MoreMore Posts by Alibaba Clouder