So, I am finally getting around to migrating my old 2012R2 Domain Controller / DHCP / DNS to a new version of Windows Server.

Through my research, it is known that you can’t directly migrate from 2012 to 2025. But you can set up 2025 as a DC and then copy users, DHCP, DNS, etc. to the 2025.

I did some AI research and it said this:

Manually migrating roles from Windows Server 2012 to Windows Server 2025 requires careful planning and execution. Since direct migration isn’t supported, you’ll need to set up the new server and transfer roles manually.

Steps for Manual Migration

  1. Set Up Windows Server 2025

    • Install Windows Server 2025 and configure it as a domain controller.
    • Ensure it has the necessary roles like Active Directory, DNS, and DHCP.
  2. Export Active Directory Data

    • Use PowerShell to export user accounts:
      Get-ADUser -Filter * | Export-Csv C:\ADUsers.csv
      
    • Import the data into the new server using PowerShell scripts.
  3. Migrate DNS and DHCP

    • Export DNS settings using dnscmd /ZoneExport <ZoneName> <ExportFileName> (one zone per export).
    • Transfer DHCP configuration using netsh dhcp server export C:\dhcp.txt all.
  4. Transfer FSMO Roles

    • Use PowerShell to move FSMO roles:
      Move-ADDirectoryServerOperationMasterRole -Identity "NewServer" -OperationMasterRole 0,1,2,3,4
      
  5. Verify and Test

    • Ensure all services are running correctly on the new server.
    • Test authentication, DNS resolution, and DHCP leases.
  6. Demote the Old Server

    • Once everything is migrated and verified, demote the Windows Server 2012 domain controller.

So questions:

  • Has anyone attempted this method and if so, how did it go?
  • Should we just do the hop to 2016, 2019 to 2025 methods?
  • Any other suggestions to make this easy?
  • And if we did the above method, does this also carry over all of the file permissions and security?
4 Spice ups

Would not even attempt it, nor would I do the multi-hop method. It’s courting disaster; it’s bringing forward legacy garbage with it.

Deploy a new DC, migrate DHCP and FSMO roles, update DHCP to pass out the new IP address to client DNS, verify replication is working properly, shut off the old server for a day, make sure nobody screams. Bring it back online, let it replicate and demote.

Repeat for additional servers. Make sure DNS is set properly on your DCs

You don’t need to copy users. Users are stored in Active Directory which replicates to all DCs in the domain.

You should have more than 1 DC.

8 Spice ups

Really?? I certainly have never come across this in my last 20+ years.

For upgrading of DCs, all you need to do is

  • ensure that you have migrated DC2012 to DFSR
  • Add a server 2025, change or add the server IP config to include the current DCs, last DNS servers to be 127.0.0.1
  • Add the server as a DC in Domain (literally promote server 2025 to DC2025)
  • ensure all DCs (DC2012 & DC2025) have records in all the DNS servers
  • wait 24hrs to 72 hrs for replication to complete fully, check event logs for details or errors
  • note to add in at least 2 DC2025 (recommended is to have at least 2 DCs per network)
  • if there are no errors, power down the DC2012. Wait a few days, if no users or servers have issues, demote the DC2012, remember to change the DNS server IPs of DC2025 and also remove DC2012s from DNS

To “migrate” DHCP
It would be good if you have 2x the number of IP address available

  • reduce the lease time to 1 hour (reduce the lease size if possible)
  • start the DHCP service on DC2025, using or copy rules from DC2012 DHCP (use the free address range)
  • stop DHCP service on DC2012, wait till next day when most users reboot or re-start their machines (this will free up DC2012)
  • when DC2012 DHCP has no more leases, expand DC2025 leases

Example : If I have 200 clients, I would set DC2012 to give out 10.1.1.xxx/23 and DC2025 to give out 10.1.2.xxx/23

3 Spice ups
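The DC checklist above, driven from PowerShell, as an added example (not code posted by anyone in this thread). It assumes a hypothetical domain corp.example, the existing DC2012 at the made-up address 10.1.1.10, and a freshly domain-joined member server that will become DC2025; adjust names and addresses to suit. Run it elevated on the new server. Note that a Server 2025 machine can only be promoted once the functional level is 2016 or higher, so in a 2012 R2-level domain the same script applies to the intermediate 2016/2019/2022 hop first.

```powershell
# Added example for the "add a DC, let AD replicate, move the roles" approach.
# Assumptions (not from the thread): domain corp.example, existing DC DC2012 at 10.1.1.10,
# this server will become DC2025. Run elevated on the new server after domain join.

# Tools first: AD DS binaries plus the ActiveDirectory / ADDSDeployment modules
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 1. Preconditions on the existing domain. The new OS must be able to join at the current
#    functional level (Server 2025 needs 2016 or higher), and SYSVOL must already be on DFSR.
$domain = Get-ADDomain -Server 'DC2012'
$forest = Get-ADForest -Server 'DC2012'
"Domain functional level: $($domain.DomainMode)   Forest: $($forest.ForestMode)"
$sysvol = Invoke-Command -ComputerName 'DC2012' -ScriptBlock { dfsrmig /getglobalstate }
if ($sysvol -notmatch 'Eliminated') { throw "SYSVOL still on FRS (dfsrmig state: $sysvol). Migrate to DFSR first." }

# 2. DNS client on the new server: existing DC first, loopback last
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '10.1.1.10', '127.0.0.1'

# 3. Promote this server as an additional DC. Users, groups and GPOs arrive by
#    replication; nothing is exported or copied.
$cred = Get-Credential -Message 'Domain Admin account'
$dsrm = Read-Host -AsSecureString 'DSRM (safe mode) password'
Test-ADDSDomainControllerInstallation -DomainName 'corp.example' -InstallDns -Credential $cred -SafeModeAdministratorPassword $dsrm
Install-ADDSDomainController -DomainName 'corp.example' -InstallDns -Credential $cred -SafeModeAdministratorPassword $dsrm -Force
# The server reboots here. Continue below once replication has had time to finish (check the event logs).

# 4. Every DC should be registered in DNS and replication should be clean before anything moves
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperatingSystem, IsGlobalCatalog
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example' -Type SRV | Select-Object NameTarget
repadmin /replsum

# 5. Move all five FSMO roles to the new DC and confirm who holds them now
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2025' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```

Step 1 is the gate the rest of the thread keeps coming back to: if dfsrmig reports anything other than Eliminated, or the functional level is below what the new OS supports, stop there. Steps 4 and 5 are what you repeat after the old DC has been powered off for its trial period and before it is demoted.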

Everyone seems to be missing the fact that Server 2025 requires a minimum domain functional level of 2016.

OP cannot join Server 2025 to the existing 2012R2 domain and promote to a DC. OP needs a higher domain functional level first.

Use the downgrade rights of your Server 2025 license to install a Server 2019 instance. Promote that to DC, transfer FSMO and other roles, demote the old Server 2012R2, upgrade domain/forest functional levels to 2019. Then repeat with Server 2025 (demoting server 2019).

Oh, and also make sure you’ve changed to DFSR Sysvol replication from FRS beforehand.

8 Spice ups

And it should go without saying, but please ensure that your existing AD is healthy BEFORE making any changes.

There’s been more than one post in the last few months about domain controller upgrades/migrations that have gone sideways because AD wasn’t healthy.

3 Spice ups

I would do the “Extended” Multiple Hops:
Stand up a new 2016 or 19 server
Promote to DC.
Do all your AD stuff (DFSR, DNS, DHCP, FSMO, Forest Level) as needed.

But I would stop at Server 2022.
I have read some disheartening things about DCs on 2025.
I’ll be waiting a year or so before I start moving to 2025 for DCs
And still, it will be Stand up New and Promote.

1 Spice up

What are some good “health checks” we can do?

1 Spice up

My first go-to’s are

(run as administrator)
dcdiag
and
repadmin /replsum

2 Spice ups
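A health sweep that wraps those two commands and keeps the raw output for review, as an added example (not posted by anyone in this thread). Run it elevated on a DC; the report folder path is an assumption.

```powershell
# Added example (not from the thread): pre-migration AD health sweep around dcdiag and repadmin.
# Assumption: C:\ADHealth-<timestamp> is writable; run elevated on a domain controller.
$report = "C:\ADHealth-$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $report -Force | Out-Null

# Full dcdiag against every DC (/e), verbose and comprehensive, saved to a file;
# then a quiet pass (/q) that prints only the failures to the console
dcdiag /e /v /c | Out-File "$report\dcdiag-full.txt"
'=== dcdiag failures only ==='
dcdiag /e /q

# Replication summary, plus a parsed per-link view so failing partners stand out
repadmin /replsum | Out-File "$report\replsum.txt"
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
$links | Export-Csv "$report\showrepl.csv" -NoTypeInformation
'=== replication links with failures ==='
$links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize

# SYSVOL replication engine: must report Eliminated (DFSR) before any newer-OS DC is added
'=== SYSVOL replication state ==='
dfsrmig /getglobalstate

# Last 7 days of critical/error/warning events in the AD-related logs on this DC
foreach ($log in 'Directory Service', 'DNS Server', 'DFS Replication', 'File Replication Service') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message |
        Export-Csv "$report\events-$($log -replace ' ', '').csv" -NoTypeInformation
}

# Functional levels, FSMO holders and the DC inventory you are about to change
Get-ADDomain | Select-Object DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object ForestMode, SchemaMaster, DomainNamingMaster
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem, IsGlobalCatalog, IsReadOnly
"Report written to $report"
```

The point of saving the verbose dcdiag run separately is that, as noted below, the output is painful to read; grep the saved file for "failed" and "warning" and resolve each one before adding a DC, rather than trying to eyeball it on the console.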

dcdiag is your friend here.

The output kind of sucks to review, but there’s a wealth of information in there. Track down every warning - some may be benign, but you want to verify.

2 Spice ups

There are a number of topics on here and some KBs from Microsoft about DCs specifically with 2025.

I’m all for bleeding edge, but I don’t even run them in my lab yet because of their W11 24H2 vibe.

4 Spice ups

In my experience, set up a new server as a DC and add it to the domain. All the users and stuff in AD should automatically migrate. Move DHCP, DNS and FSMO, then shut down the old DC.

1 Spice up

Yes, stay on 2022 for now if you can

3 Spice ups

This is 100% correct. To go from 2012 functional level to 2025, you will have to “Hop” at least once through 2016. No way around that short of a Domain Migration, which is a whole different animal.

3 Spice ups

Yes, I think I started one here, and that’s when I got the ear-full of warnings.

1 Spice up

Here is one person’s nightmare

Windows Server 2025 - Upgrading hell! - Windows - Spiceworks Community

Known issues

Windows Server 2025 known issues and notifications | Microsoft Learn

2 Spice ups

LOL… I also did not know about that as I just recently stopped at DC2019 (literally last month)…

But OP should just hop to DC2019 or DC2022 using the same methods I described, then demote DC2012s, then add DC2025, so maybe he eventually has 2 DC2019 or DC2022 and 2 DC2025… then decide if he should demote DC2019 or DC2022 (if he has the OS licenses).

But he SHOULD NOT create 2 new DCs then “copy” users, DHCP & DNS (from his research).

Then maybe also avoid performing in-place upgrades as well.
Not only for DC2025 but any DCs, as there were so many reported cases of entire Domains going FUBAR.

Yes, OP’s best bet is to do a multi-hop “upgrade”. Upgrade in the sense of adding new domain controllers and decommissioning the old ones, not doing in-place upgrades of the domain controller OS.

First hop is to a version that can join their existing 2012R2 domain, and then second to the final Server version.

As pointed out by many, Server 2025 with the Domain Controller (AD-DS) role isn’t exactly ready for primetime. I agree that the desired state would be Server 2022 domain controllers. Server 2025 may be appropriate for some member servers (I imagine it’ll work as a print or file server without too much trouble - but maybe not! - I haven’t tried it at all yet), but not DC.

Technically, there’s nothing wrong with migrating as described by ChatGPT (or whatever gave that answer - it did pick up on the domain functional level incompatibility). There’s just far more that can go wrong if something is missed. Be risk averse - and don’t let your domain get that far behind again!

1 Spice up

As for migrating DHCP - you can export the DHCP config from the old server, and import it to the new one. No need to create extra scopes/ranges or modify lease times. Just make sure you update your VLAN IP Helper addresses to point to the new server as necessary. Ensure that you enable conflict detection (ping it before offering it) so that everything just works if the leases aren’t carried over.

How to Migrate DHCP Server to Another Windows Server Host – TheITBros

1 Spice up
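The export/import route described above, done with the DhcpServer PowerShell module, as an added example (not code from the linked article or from any post here). Assumptions: old server DC2012, new server DC2025 at the made-up address 10.1.1.20, domain corp.example, and that both servers are reachable by name. Run it elevated on DC2025.

```powershell
# Added example (not from the thread): move DHCP by export/import instead of parallel scopes.
# Assumptions: source DC2012, target DC2025 at 10.1.1.20, domain corp.example. Run elevated on DC2025.

Install-WindowsFeature DHCP -IncludeManagementTools

# 1. Export scopes, options, reservations and policies from the old server, including current leases
Export-DhcpServer -ComputerName 'DC2012' -File 'C:\dhcp-export.xml' -Leases -Verbose

# 2. Import onto the new server; -BackupPath keeps a copy of any existing config here first
Import-DhcpServer -ComputerName 'DC2025' -File 'C:\dhcp-export.xml' -Leases -BackupPath 'C:\dhcp-backup' -Verbose

# 3. Conflict detection: ping before offering, so a client whose lease did not carry over
#    cannot be handed an address that is still in use
Set-DhcpServerSetting -ComputerName 'DC2025' -ConflictDetectionAttempts 2

# 4. Confirm every scope landed (no output from Compare-Object means the scope lists match)
Compare-Object (Get-DhcpServerv4Scope -ComputerName 'DC2012' | Select-Object -ExpandProperty ScopeId) `
               (Get-DhcpServerv4Scope -ComputerName 'DC2025' | Select-Object -ExpandProperty ScopeId)
Get-DhcpServerv4Scope -ComputerName 'DC2025' | Select-Object ScopeId, Name, State, LeaseDuration

# 5. Cut over: authorise the new server in AD, stop and de-authorise the old one.
#    Change the VLAN IP-helper / relay addresses on the routers to 10.1.1.20 at the same time.
Add-DhcpServerInDC -DnsName 'dc2025.corp.example' -IPAddress '10.1.1.20'
Invoke-Command -ComputerName 'DC2012' -ScriptBlock {
    Stop-Service -Name DHCPServer
    Set-Service -Name DHCPServer -StartupType Disabled
}
Remove-DhcpServerInDC -DnsName 'dc2012.corp.example'
Get-DhcpServerInDC   # should list only dc2025.corp.example
```

Because leases are exported with -Leases and conflict detection is on, clients keep their current addresses and the lease time does not need to be shortened beforehand; the one thing the script cannot do for you is the helper-address change on the network gear, which is where most "DHCP stopped working after the move" reports come from.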

We have a few 2025 app servers. No complaints yet.
Our SCCM admin has even done in-place upgrades and was thrilled with the ease.
I walked through an in-place upgrade from '16 to '25 once on a clone of a File and Print server with no apparent issues.

1 Spice up

I have a few 2025 as well, including my daily driver jump box. Other than the RDP issue which was an easy work around, no issues so far. DCs are all 2022 and have been for several years. No issues at all there. No rush to move them to 2025.