How to Migrate Active Directory from Windows Server 2008 R2 to 2012 R2
Migrating an Active Directory environment from Windows Server 2008 R2 to Windows Server 2012 R2 is a multi-phase process that involves introducing new Domain Controllers, transferring FSMO roles, raising functional levels, and decommissioning old servers. Done correctly, the migration is non-disruptive — users continue to authenticate without interruption throughout the process. This guide provides a complete, tested migration path with rollback options at each phase.
Prerequisites
– Existing Windows Server 2008 R2 Active Directory forest (Forest Functional Level 2008 R2)
– One or more Windows Server 2012 R2 servers prepared for the DC role
– Complete, verified AD backup using Windows Server Backup
– FSMO role documentation (which DC holds which role)
– DNS zone documentation for all AD-integrated zones
– All client computers must support Windows Server 2012 R2 DCs (all modern OS versions do)
– Planned maintenance window for FSMO role transfers
Step 1: Document the Current Environment
Import-Module ActiveDirectory
Import-Module GroupPolicy   # provides Get-GPO (GPMC / RSAT)
# Document current forest and domain state
$forest = Get-ADForest
$domain = Get-ADDomain
Write-Host "=== Pre-Migration Documentation ===" -ForegroundColor Cyan
Write-Host "Forest Name: $($forest.Name)"
Write-Host "Forest Mode: $($forest.ForestMode)"
Write-Host "Domain Mode: $($domain.DomainMode)"
Write-Host ""
Write-Host "FSMO Roles:"
Write-Host "  Schema Master: $($forest.SchemaMaster)"
Write-Host "  Domain Naming Master: $($forest.DomainNamingMaster)"
Write-Host "  PDC Emulator: $($domain.PDCEmulator)"
Write-Host "  RID Master: $($domain.RIDMaster)"
Write-Host "  Infrastructure Master: $($domain.InfrastructureMaster)"
Write-Host ""
Write-Host "Domain Controllers:"
Get-ADDomainController -Filter * |
    Select-Object Hostname, OperatingSystem, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize
# Export all DC details to a report (create the report folder first; Export-Csv does not)
$reportDir = "C:\ADMigration"
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
Get-ADDomainController -Filter * |
    Select-Object * |
    Export-Csv "$reportDir\PreMigration_DCs.csv" -NoTypeInformation
# Document DNS zones. The DnsServer PowerShell module only manages WS2012+ DNS servers,
# so query the 2008 R2 DNS service through its WMI provider instead
Get-WmiObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Zone -ComputerName $domain.PDCEmulator |
    Select-Object Name, ZoneType, AllowUpdate, DsIntegrated |
    Export-Csv "$reportDir\PreMigration_DNSZones.csv" -NoTypeInformation
# Document GPOs
Get-GPO -All | Select-Object DisplayName, GpoStatus, CreationTime, ModificationTime |
    Export-Csv "$reportDir\PreMigration_GPOs.csv" -NoTypeInformation
# Document OU structure
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion |
    Export-Csv "$reportDir\PreMigration_OUs.csv" -NoTypeInformation
Write-Host "Pre-migration documentation complete"
Step 2: Back Up Active Directory
# Create a full system state backup of the existing DCs
# This MUST be done before any changes
# Install the Windows Server Backup feature
# (WS2012 R2 feature name; on a WS2008 R2 DC use: Add-WindowsFeature Backup-Features -IncludeAllSubFeature)
Install-WindowsFeature -Name Windows-Server-Backup
# Load the backup cmdlets (on WS2008 R2 they are a snap-in: Add-PSSnapin Windows.ServerBackup)
Import-Module WindowsServerBackup -ErrorAction SilentlyContinue
# Perform system state backup on primary DC (2008 R2)
$backupPath = "\\fileserver\ADBackups\$(Get-Date -f yyyyMMdd)"
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
$policy = New-WBPolicy
$backupLocation = New-WBBackupTarget -NetworkPath $backupPath `
    -Credential (Get-Credential) -NonInheritAcl
Add-WBBackupTarget -Policy $policy -Target $backupLocation
Add-WBSystemState -Policy $policy
Start-WBBackup -Policy $policy
# Alternatively, use wbadmin for system state backup
wbadmin start systemstatebackup -backupTarget:\\fileserver\ADBackups -quiet
Write-Host "Backup initiated. Monitor wbadmin logs for completion."
# Confirm the backup is listed before making any change: wbadmin get versions
Step 3: Prepare the Schema for Windows Server 2012 R2
The Active Directory schema must be extended to support Windows Server 2012 R2 DCs before you can promote the first WS2012 R2 DC. Adprep handles this automatically when promoting via PowerShell, but it’s best practice to run it explicitly first:
Import-Module ActiveDirectory
# Run adprep to extend the schema
# Mount or extract the WS2012 R2 installation media and change to its support\adprep folder
# The account used needs Schema Admins, Enterprise Admins and Domain Admins membership
# Extend the schema (run on the Schema Master)
adprep.exe /forestprep
# Extend the domain (run on the Infrastructure Master; once per domain in the forest)
adprep.exe /domainprep
# Add the ACEs needed for cross-domain Group Policy planning (once per domain; harmless if already done)
adprep.exe /domainprep /gpprep
# Prepare the forest for read-only DCs (once per forest; required before the first RODC, not before the first WS2012 R2 DC)
adprep.exe /rodcprep
# Verify schema version was updated
(Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
# WS2012 R2 schema version is 69
Step 4: Promote the First Windows Server 2012 R2 Domain Controller
# On the NEW Windows Server 2012 R2 server
Import-Module ServerManager
# Install the AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
# Join the existing domain and promote to DC
# Prompt for the DSRM password instead of hard-coding it in the script; note that inside a
# double-quoted string such as "SafeMode$Pass1!" PowerShell would expand $Pass1 as a variable
$safePwd = Read-Host -AsSecureString "DSRM (Directory Services Restore Mode) password"
# Test-ADDSDomainControllerInstallation accepts the same parameters and runs only the prerequisite checks
Install-ADDSDomainController `
    -DomainName "corp.local" `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword $safePwd `
    -Credential (Get-Credential "CORP\Administrator") `
    -Force:$true
# The server will restart after promotion
# After restart, verify the DC is functional:
Get-ADDomainController -Identity "WS2012R2-DC01" |
    Select-Object Hostname, OperatingSystem, Site, IsGlobalCatalog
Step 5: Verify New DC Health Before Proceeding
# On the new WS2012 R2 DC, run comprehensive health checks
# Check AD replication
repadmin /replsummary
repadmin /showrepl
# Check DNS
dcdiag /test:DNS /v
# Run the replication, service, SYSVOL and advertising tests
dcdiag /test:Replications /test:Services /test:SysVolCheck /test:Advertising /v
# Verify SYSVOL is healthy
# This assumes SYSVOL is replicated by DFSR. A domain that was upgraded from 2003 may still use
# FRS (check with "dfsrmig /getglobalstate") and should be migrated to DFSR before continuing
Get-DfsrBacklog -DestinationComputerName "WS2012R2-DC01" `
    -SourceComputerName "WS2008R2-DC01" -GroupName "Domain System Volume" `
    -FolderName "SYSVOL Share" | Measure-Object | Select-Object Count   # Count 0 = no backlog
# Check event logs for AD-related errors (Level 1-3 = critical, error, warning)
Get-WinEvent -ComputerName "WS2012R2-DC01" -LogName "Directory Service" `
    -MaxEvents 50 | Where-Object { $_.Level -le 3 } |
    Format-Table TimeCreated, LevelDisplayName, Message -Wrap
Step 6: Transfer FSMO Roles to Windows Server 2012 R2
Import-Module ActiveDirectory
$newDC = "WS2012R2-DC01.corp.local"
# Transfer domain-level roles (Domain Admins)
Move-ADDirectoryServerOperationMasterRole -Identity $newDC `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false
# Transfer forest-level roles (Schema Admins for SchemaMaster, Enterprise Admins for DomainNamingMaster).
# Add -Force only to SEIZE a role whose current holder is permanently offline;
# a DC that had a role seized from it must never be brought back online
Move-ADDirectoryServerOperationMasterRole -Identity $newDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster `
    -Confirm:$false
# Verify FSMO role transfer
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    "PDC Emulator"          = $domain.PDCEmulator
    "RID Master"            = $domain.RIDMaster
    "Infrastructure Master" = $domain.InfrastructureMaster
    "Schema Master"         = $forest.SchemaMaster
    "Domain Naming Master"  = $forest.DomainNamingMaster
}
$roles.GetEnumerator() | ForEach-Object { Write-Host "$($_.Key): $($_.Value)" }
# Verify the new DC holds all five roles, not only the PDC Emulator
$notMoved = $roles.GetEnumerator() | Where-Object { $_.Value -ne $newDC }
if ($notMoved) {
    $notMoved | ForEach-Object { Write-Warning "$($_.Key) is still held by $($_.Value)" }
} else {
    Write-Host "FSMO transfer successful" -ForegroundColor Green
}
Step 7: Promote Additional WS2012 R2 DCs
# Promote a second WS2012 R2 DC for redundancy before decommissioning old DCs
# (run on the second new server after installing AD-Domain-Services as in Step 4)
Import-Module ADDSDeployment
$safePwd = Read-Host -AsSecureString "DSRM (Directory Services Restore Mode) password"
Install-ADDSDomainController `
    -DomainName "corp.local" `
    -SiteName "HQ-Chicago" `
    -InstallDns:$true `
    -NoGlobalCatalog:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword $safePwd `
    -Credential (Get-Credential "CORP\Administrator") `
    -Force:$true
# After restart, verify both new DCs are replicating
repadmin /replsummary
Step 8: Raise Domain and Forest Functional Levels
Import-Module ActiveDirectory
# VERIFY: All 2008 R2 DCs must be demoted (Step 9) BEFORE raising functional levels;
# the raise is refused while a down-level DC is still registered in the directory
Get-ADDomainController -Filter * | Select-Object Hostname, OperatingSystem | Format-Table
$downLevel = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -notlike "*2012 R2*" }
if ($downLevel) {
    throw "Down-level DCs still present, aborting: $($downLevel.HostName -join ', ')"
}
# Raise the Domain Functional Level to Windows Server 2012 R2
Set-ADDomainMode -Identity "corp.local" -DomainMode Windows2012R2Domain
Write-Host "Domain functional level raised to Windows2012R2Domain"
# Raise the Forest Functional Level (every domain in the forest must already be at the 2012 R2 domain level)
Set-ADForestMode -Identity "corp.local" -ForestMode Windows2012R2Forest
Write-Host "Forest functional level raised to Windows2012R2Forest"
# Verify
(Get-ADDomain).DomainMode
(Get-ADForest).ForestMode
# WARNING: Treat raising functional levels as IRREVERSIBLE (rollback is supported only in limited cases)
# Make sure ALL DCs (including any hidden/physical appliance DCs) are on WS2012 R2 first
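As an added readiness gate that is not part of the original guide: the function below refuses the functional-level raise until every DC in every domain of the forest, every FSMO role holder and the forest-wide replication state are clean, which covers the "hidden DC" case the warning above describes. It assumes it runs on a WS2012 R2 DC with the ActiveDirectory module and that WS2012 R2 DCs report an OperatingSystem string containing "2012 R2".

```powershell
Import-Module ActiveDirectory

function Test-FunctionalLevelReadiness {
    param(
        # Assumption: the target DCs' OperatingSystem attribute contains "2012 R2"
        [string]$TargetOsPattern = "*2012 R2*"
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $forest   = Get-ADForest

    # 1. Every DC in every domain must already run the target OS.
    #    Get-ADDomainController -Filter * is domain-scoped, so walk the forest's domains.
    $dcs = foreach ($dom in $forest.Domains) { Get-ADDomainController -Filter * -Server $dom }
    foreach ($dc in $dcs) {
        if ($dc.OperatingSystem -notlike $TargetOsPattern) {
            $problems.Add("DC $($dc.HostName) still runs '$($dc.OperatingSystem)'")
        }
    }

    # 2. All FSMO roles (two forest roles plus three per domain) must sit on target-OS DCs.
    $holders = @($forest.SchemaMaster, $forest.DomainNamingMaster)
    foreach ($dom in $forest.Domains) {
        $d = Get-ADDomain -Identity $dom
        $holders += $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster
    }
    foreach ($h in ($holders | Sort-Object -Unique)) {
        try   { $os = (Get-ADDomainController -Identity $h -Server $h).OperatingSystem }
        catch { $problems.Add("FSMO role holder $h is unreachable: $_"); continue }
        if ($os -notlike $TargetOsPattern) { $problems.Add("FSMO role holder $h runs '$os'") }
    }

    # 3. No outstanding inbound replication failures anywhere in the forest.
    Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
        Where-Object { $_.FailureCount -gt 0 } |
        ForEach-Object {
            $problems.Add("$($_.Server) cannot replicate from $($_.Partner): error $($_.LastError) (x$($_.FailureCount))")
        }

    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Gate the Set-ADDomainMode / Set-ADForestMode calls on the result
$check = Test-FunctionalLevelReadiness
if (-not $check.Ready) {
    $check.Problems | ForEach-Object { Write-Warning $_ }
    throw "Functional level raise blocked: resolve the problems above first"
}
Write-Host "All DCs and FSMO holders are on the target OS and replication is clean" -ForegroundColor Green
```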
Step 9: Decommission Windows Server 2008 R2 DCs
# Safely demote a WS2008 R2 DC
# MUST be run on the server being demoted (if it's accessible)
# On a WS2008 R2 server the tool is dcpromo; the ADDSDeployment cmdlets
# (Uninstall-ADDSDomainController) exist only on WS2012 and later, even with WMF 4.0 installed
# Before demoting, confirm this DC holds no FSMO role and is not the only global catalog
Get-ADDomainController -Identity "WS2008R2-DC01" | Select-Object OperationMasterRoles, IsGlobalCatalog
# Interactive: run dcpromo and follow the wizard (do NOT select "this is the last DC in the domain")
# Unattended:
# dcpromo /unattend /demote /password: /AdministratorPassword:
# If the old DC is inaccessible and cannot be demoted, remove its metadata from the directory.
# ntdsutil needs the server object's DN; replace <SiteName> with the site of the old DC
# ntdsutil "metadata cleanup" "remove selected server CN=WS2008R2-DC01,CN=Servers,CN=<SiteName>,CN=Sites,CN=Configuration,DC=corp,DC=local" quit quit
# Or via PowerShell: on WS2008+ DCs, deleting the NTDS Settings object triggers the same metadata cleanup
$site = (Get-ADDomainController -Identity "WS2008R2-DC01").Site
Remove-ADObject -Identity "CN=NTDS Settings,CN=WS2008R2-DC01,CN=Servers,CN=$site,CN=Sites,CN=Configuration,DC=corp,DC=local" `
    -Recursive -Confirm:$false
# Verify the old DC is removed
Get-ADDomainController -Filter * | Select-Object Hostname, OperatingSystem | Format-Table
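A forcibly removed DC usually leaves SRV, NS and CNAME records behind in the AD-integrated zones, and clients keep trying to use it. This added helper (not from the original guide) lists those records and, with -Remove, deletes them; it assumes the DnsServer module on a WS2012 R2 DC and the corp.local domain and WS2008R2-DC01 host name used in the steps above.

```powershell
Import-Module DnsServer   # RSAT DNS Server tools; manages WS2012+ DNS servers

function Find-StaleDcDnsRecords {
    param(
        [Parameter(Mandatory)][string]$OldDcHost,   # short host name, e.g. WS2008R2-DC01
        [Parameter(Mandatory)][string]$DomainName,  # e.g. corp.local
        [string]$DnsServer = $env:COMPUTERNAME,      # DNS server (a WS2012 R2 DC) to query
        [switch]$Remove                               # delete the records that are found
    )
    $fqdn = "$OldDcHost.$DomainName".ToLower()
    # AD-integrated zones belonging to this domain, including the forest-wide _msdcs zone when it is separate
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.IsDsIntegrated -and $_.ZoneName -like "*$DomainName" } |
        Select-Object -ExpandProperty ZoneName
    foreach ($zone in $zones) {
        foreach ($rec in Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $DnsServer) {
            # Which field names the host a record points at depends on the record type
            $target = switch ($rec.RecordType) {
                "SRV"   { $rec.RecordData.DomainName }
                "NS"    { $rec.RecordData.NameServer }
                "CNAME" { $rec.RecordData.HostNameAlias }   # the DSA-GUID alias in _msdcs
                "A"     { if ($rec.HostName -eq $OldDcHost) { $fqdn } }
                default { $null }
            }
            if (-not $target) { continue }
            if ($target.TrimEnd('.').ToLower() -ne $fqdn) { continue }
            if ($Remove) {
                Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $rec -ComputerName $DnsServer -Force
            }
            [pscustomobject]@{ Zone = $zone; Name = $rec.HostName; Type = $rec.RecordType; Target = $target }
        }
    }
    # Apex ("same as parent folder") A records carry only an IP address and are not matched here;
    # compare them against the old DC's address by hand.
}

# Report first; rerun with -Remove once the list looks right
Find-StaleDcDnsRecords -OldDcHost "WS2008R2-DC01" -DomainName "corp.local" | Format-Table -AutoSize
```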
Verification
# Post-migration verification checklist
Import-Module ActiveDirectory
Write-Host "=== Post-Migration Verification ===" -ForegroundColor Cyan
# Domain and forest functional levels
$d = Get-ADDomain; $f = Get-ADForest
Write-Host "Domain functional level: $($d.DomainMode)"
Write-Host "Forest functional level: $($f.ForestMode)"
# All DCs are WS2012 R2
$oldDCs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -notlike "*2012 R2*" }
if ($oldDCs) {
    Write-Warning "Non-WS2012R2 DCs still present: $($oldDCs.Hostname -join ', ')"
} else {
    Write-Host "All DCs are Windows Server 2012 R2" -ForegroundColor Green
}
# Replication health (repadmin prints error codes in its failure summary)
$replErrors = repadmin /replsummary | Select-String "error"
if ($replErrors) { Write-Warning "Replication errors detected" }
else { Write-Host "Replication: Healthy" -ForegroundColor Green }
# FSMO roles
Write-Host "FSMO roles: PDC=$($d.PDCEmulator), RID=$($d.RIDMaster), Infra=$($d.InfrastructureMaster), Schema=$($f.SchemaMaster), Naming=$($f.DomainNamingMaster)"
# DNS test (an SOA answer exposes PrimaryServer and SerialNumber, not NameHost)
Resolve-DnsName "corp.local" -Type SOA | Select-Object PrimaryServer, SerialNumber, TTL
# DC locator records must point only at the WS2012 R2 DCs
Resolve-DnsName "_ldap._tcp.dc._msdcs.corp.local" -Type SRV | Select-Object NameTarget, Port
Summary
Migrating Active Directory from Windows Server 2008 R2 to 2012 R2 is an in-place migration that requires no application downtime or user disruption when executed methodically. The process involves thoroughly documenting the existing environment, backing up AD, extending the schema with adprep, promoting new WS2012 R2 DCs, verifying their health, transferring FSMO roles, promoting additional DCs for redundancy, raising functional levels, and finally decommissioning the old 2008 R2 DCs. Each phase has a rollback path — the new DCs can be demoted before any functional level changes if problems are discovered. Post-migration, the Windows Server 2012 R2 domain and forest functional levels unlock new features including Authentication Policy Silos, improved KDC support, and enhanced DAC capabilities.