Most of us will already be working on a network with a Windows 2003, Windows 2008 or Windows 2008R2 Forest deployed. So it will be our job to integrate Windows 2012 into the existing environment. This might be installing Windows 2012 to manage File and Print resources, or taking over the running of a service like DHCP or DNS. Or it might be that we want to start adding Windows 2012 Domain Controllers (DCs).
In this article I’ll talk through some things we need to think about before adding our first Windows 2012 DC to an existing Windows 2008 domain.
There are two ways to add Windows 2012 DCs to an existing domain:
1) Perform an in-place upgrade of an existing Windrows 2008 or Windows 2008 R2 domain controller
2) Install a new Windows 2012 Server, join it to the domain and promote it to be a domain controller.
Perform an in-place upgrade
Domain Controllers running Windows Server 2008 or Windows 2008 R2 can be upgraded to Windows Server 2012 Domain Controllers. You can upgrade a Windows 2008 DC to a comparable version of Windows 2012 operating system.
If you are running a Domain Controller on Windows 2008 Standard or Enterprise edition you can upgrade to Windows Server 2012 Standard or Datacentre edition. If you are upgrading from Datacentre edition you can only upgrade to Windows Server 2012 Datacentre edition. So if you’re running 2008, you have lots of choices!
However, you cannot upgrade from previous editions of Windows. So if you’re running Windows 2003 Domain Controllers they must be upgraded to Windows 2008 as an interim step, then upgraded to Windows Server 2012.
Install a new Windows 2012 Server
How to use the functional Levels
In order to add a Windows 2012 DC to an existing domain, the Forest functional level must be Windows 2003 or higher. Remember that all domains must be running the Windows 2003 domain functional level first, before we can go through the process of upgrading our Forest to the minimum functional level of Windows 2003.
With the introduction of Windows 2012 we also have the option of new Windows 2012 domain and Forest functional levels. Once ALL of our DCs are running 2012 in a domain, we can upgrade the domain functional level to 2012 - and once all domains are running 2012 we can upgrade our Forest to Windows 2012.
The Windows Server 2012 Forest functional level does not provide any new features, but it ensures that any new domain created in the Forest will automatically operate at the Windows Server 2012 domain functional level. The Windows Server 2012 domain functional level does not provide any other new features besides support for Dynamic Access Control and Kerberos armoring, but it ensures that any domain controller in the domain runs Windows Server 2012.
Before adding your new Windows 2012 Domain Controller, or attempting to perform an in-place upgrade of an existing Windows 2008 or 2008 R2 DC, you must make sure that the Schema is upgraded to support your new Windows 2012 DC, and that you prepare each domain where you plan to install Windows 2012 DCs. To do this we can use the ADPREP.exe tool found in the support\adprep folder on your installation media.
Starting with Windows 2012 there is only one version of ADPREP available, and that is a 64-bit version. When you install a domain controller the ADPREP commands are run automatically as needed - as long as you are logged in with an account that has the appropriate credentials.
The two ADPREP.exe commands are ADPREP.exe /forestprep (to prepare the Schema) and ADPREP.EXE /DOMAINPREP /GPPREP (to prepare each domain).
In order to run ADPREP.exe /forestprep you need to be a member of the following groups:
- Scheme Admins
- Enterprise Admins
- Domain Admins for the domain in which the Schema Master resides.
In order to run ADPREP.exe /domainprep /gpprep you need to be a member of the following group:
- Domain admins for the domain in which you are running ADPREP.exe.
As we said earlier, the ADPREP.exe command is now integrated with the DC promotion process. But if you’re performing an in-place upgrade, or not a member of the appropriate groups, then ADPREP.exe can be run separately.
The Windows Server 2012 version of adprep.exe can run on any server that runs a 64-bit version of Windows Server 2008 or later. The server needs network connectivity to the schema master for the Forest, and also to the infrastructure master of the domain where you want to add a domain controller. If either of those roles is hosted on a server that runs Windows Server 2003, then ADPREP must be run remotely. The server where you run ADPREP does not need to be a domain controller: it can be domain joined or in a workgroup.
Mike Brown, Windows Server Instructor at Firebrand Training