One of the best ways to secure your systems is to ensure that your Active Directory (AD) domain controllers are running the latest version of Windows Server. Domain controllers are critical infrastructure because they provide security and access to all of your IT resources. If the DC is compromised, then you should assume that your entire network is compromised. Domain controllers are important targets for hackers, and you should take all reasonable steps to protect them.

Many organizations still run DCs on Windows Server 2012 R2. While that OS is covered by Microsoft extended support until 10/10/2023, later versions of Windows Server are significantly more secure: they offer built-in malware protection in the form of Windows Defender, Credential Guard to protect local and remote domain credentials on compromised servers, and many additional security improvements.

Organizations are often licensed to upgrade to the latest version of Windows Server but do not do so because they do not want to disrupt their production infrastructure. Because of the way AD works, however, replacing an old domain controller with a new one is relatively easy and can be done without interrupting critical IT services.

What's new in Active Directory?

AD DS enhancements are tied to the domain functional levels. Upgrading the operating system or adding domain controllers running Windows Server 2022 to your existing AD infrastructure does not automatically raise the domain functional levels; you must raise them manually once the old domain controllers have been decommissioned.

Active Directory Domain Services first came to the world with Windows Server 2000. AD DS has been helping organizations manage their digital identities for more than 21 years. However, today's access control requirements are complex. Nowadays, enterprises are using more and more cloud services. Most employees continue to work from home and access sensitive corporate data through unsecured networks. Most software providers are moving to a SaaS model. Cybercrime is on the rise and privacy is at stake. To meet these demands, we need to move beyond legacy access control. Azure Active Directory is a cloud-based managed identity-as-a-service (IDaaS) provider that can provide world-class security, strong authentication, and seamless collaboration.

One of the key themes of Windows Server 2022 is “security.” Enhanced multi-layered security in Windows Server 2022 provides comprehensive protection against advanced threats. It also adds an additional layer of security to roles running on Windows Server 2022, including Active Directory.

Active Directory Migration Checklist

Migrating FSMO roles to a new server and updating domain functional levels takes no more than a few minutes, but when it comes to migration, there are a few more things we need to consider.

  1. Assess your business requirements for Active Directory migration.
  2. Audit your existing Active Directory infrastructure to verify its health.
  3. Create a detailed implementation plan.
  4. Prepare physical/virtual resources for the domain controller.
  5. Install Windows Server 2022 Standard/Datacenter.
  6. Install the latest Windows updates on your servers.
  7. Assign a dedicated IP address to the domain controller.
  8. Install the AD DS role.
  9. Migrate application and server roles from existing domain controllers.
  10. Migrate FSMO roles to the new domain controllers.
  11. Add the new domain controllers to your existing monitoring system.
  12. Add the new domain controllers to your existing DR solution.
  13. Retire the old domain controllers.
  14. Raise domain functional levels.
  15. Perform routine maintenance (reviewing Group Policy, implementing new features, identifying and fixing Active Directory infrastructure issues, and more).

Domain controller migration steps

1. Set up a new server using Windows Server

The first step is to install a new Windows Server on a physical device or virtual machine. If you have more technical experience with Windows Server, you can choose to install Server Core and then perform the necessary steps using PowerShell or by remotely connecting to the new server using Server Manager or Windows Admin Center. Otherwise, install Windows Server with the Desktop Experience role enabled.

2. Join the new server to your existing Active Directory domain

Once the new server is up and running, join it to your existing AD domain. You can start the process from the “Local Server” tab in Server Manager by clicking “Workgroup” in the “Properties” section. You will need to restart the server to complete the process.

3. Install the Active Directory Domain Services role

Wait until the server restarts, and then log in as a domain administrator. You can then install the Active Directory Domain Services (AD DS) server role by using Server Manager and the Add Roles and Features Wizard on the Manage menu.

4. Promote the new server to a domain controller

When the AD DS server role is installed, Server Manager shows a notification asking you to promote the server to a domain controller. Clicking the yellow exclamation mark icon launches the AD DS Configuration Wizard. Select “Add a domain controller to an existing domain” and follow the on-screen instructions.

5. Transfer FSMO roles to the new server

The next step is to log into the old domain controller and move the domain FSMO roles to the new domain controller. The easiest way to do this is to use PowerShell.

This article assumes that you have a domain with only one domain controller. In practice, it is likely that you will have more than one domain controller, so make sure you understand how FSMO roles work and which domain controllers they reside on in your domain.

On the new domain controller, confirm that the FSMO roles have been moved. Start by checking which domain controllers currently hold your domain's FSMO roles.

6. Demote your old domain controller

Now that you have moved the FSMO roles to the new DC, you can safely demote the old Windows Server domain controller. You can demote a domain controller using Server Manager.

7. Raise domain functional levels

Finally, you can increase the domain's functional levels.
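As an added example (not code from the original article), the PowerShell equivalent of steps 5 through 7 using the ActiveDirectory module from RSAT: record the current FSMO holders, transfer all five roles to the new DC, verify the transfer, check that no older domain controllers remain, and then raise the domain and forest functional levels. The names NEW-DC01 and corp.example.com are placeholders; note that Windows Server 2022 introduces no new functional level, so Windows2016 is the highest level it offers.

```powershell
# Added example: steps 5-7 of the migration in PowerShell (ActiveDirectory module, RSAT).
# Placeholders: NEW-DC01 and corp.example.com are assumed names; replace with your own.
Import-Module ActiveDirectory

$NewDc  = 'NEW-DC01'
$Domain = 'corp.example.com'

# Step 5a: record the current FSMO holders before changing anything
$d = Get-ADDomain -Identity $Domain
$f = Get-ADForest -Identity $Domain
"Before: PDC=$($d.PDCEmulator) RID=$($d.RIDMaster) Infra=$($d.InfrastructureMaster)"
"Before: Schema=$($f.SchemaMaster) DomainNaming=$($f.DomainNamingMaster)"

# Step 5b: transfer (not seize) all five roles to the new DC. The old DC must be
# online; -Force (seizure) is only for a dead DC and is deliberately not used here.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Step 5c: verify that the new DC now reports all five roles
$roles = (Get-ADDomainController -Identity $NewDc).OperationMasterRoles
if ($roles.Count -ne 5) { throw "Expected 5 roles on $NewDc, found $($roles.Count): $roles" }

# Step 6 precondition: before raising functional levels, no DC older than the
# target level may remain. The old DC should already have been demoted.
$dcs = Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
$dcs | Format-Table -AutoSize
$old = $dcs | Where-Object { $_.OperatingSystem -notmatch 'Windows Server (2016|2019|2022)' }
if ($old) { throw "Demote these DCs before raising the functional level: $($old.Name -join ', ')" }

# Step 7: raise domain and forest functional levels. Windows Server 2022 adds no
# new level, so Windows2016 is the highest available. Raising a level is not reversible.
Set-ADDomainMode -Identity $Domain -DomainMode Windows2016Domain -Confirm:$false
Set-ADForestMode -Identity $Domain -ForestMode Windows2016Forest -Confirm:$false

# Confirm the result
(Get-ADDomain -Identity $Domain).DomainMode
(Get-ADForest -Identity $Domain).ForestMode
```

Run it from an elevated PowerShell session as a member of Domain Admins, Schema Admins and Enterprise Admins, since the schema and domain naming roles and the forest mode change require those memberships.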


Of course, any migration project involves risks and has many pitfalls, so look for a supplier that offers world-class service, such as Fanetech; we work in Kazakhstan and the CIS countries. This avoids complications, simplifies the migration process and ensures success.

