Side-by-Side Upgrade Guide: Windows Server Core 2019 PDC → Newest Server Core Version

 This is one I had not planned, I added it for a friend.

Upgrading a primary domain controller (PDC) that holds all FSMO roles is one of the most sensitive operations in an Active Directory domain. The safest method — and Microsoft's recommended approach — is a side-by-side migration, where you build a fresh domain controller on the new OS and retire the old system gracefully.

This guide walks through the complete process step by step using Server Core, so it has no GUI dependencies and is fully compatible with production environments.


1. Overview of Side-by-Side Upgrade Process

Here’s the high-level flow:

  1. Prepare and health-check Active Directory
  2. Build a new Server Core host (2022 or 2025)
  3. Install AD DS and promote it to a domain controller
  4. Verify replication & SYSVOL health
  5. Transfer all FSMO roles to the new server
  6. Repoint services and infrastructure dependencies
  7. Demote the old 2019 PDC
  8. Decommission the server

This method ensures no downtime, no AD corruption risk, and easy rollback.


2. Step 1 – Pre-Upgrade Health Checks on the 2019 PDC

Before adding a new domain controller, verify the health of your environment. On the 2019 Server Core PDC, run:

Check domain / forest health

dcdiag /v /c /e > C:\dcdiag_2019_before.txt

repadmin /replsum

Check replication on all DCs

repadmin /showrepl *

Verify SYSVOL replication state

dfsrmig /getglobalstate

Confirm DNS health

dcdiag /test:dns

Back up the PDC

  • Full bare-metal backup
  • System State backup
  • Export DHCP (if installed)
  • Document static IP, DNS, and roles

If any errors appear in DCDiag or repadmin: fix them before continuing.


3. Step 2 – Deploy the New Server Core Host (2022/2025)

Create a brand-new Server Core VM or physical server with:

  • Same domain network/subnet
  • Static IP
  • DNS set to the existing 2019 PDC
  • Time synchronization enabled

Rename the server

Rename-Computer -NewName NEWPDC

Restart-Computer

Install AD DS Role

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools


4. Step 3 – Promote the New Server to a Domain Controller

Promote the new server to a domain controller and DNS server:

Install-ADDSDomainController `
 -DomainName "yourdomain.local" `
 -InstallDns `
 -NoGlobalCatalog:$false `
 -SiteName "Default-First-Site-Name"

Reboot when prompted.


5. Step 4 – Verify Replication & Domain Health

On both the new DC and the old PDC:

Check replication

repadmin /replsum

repadmin /showrepl *

Verify SYSVOL is shared

net share

You should see:

SYSVOL

NETLOGON

Check DNS registration

ipconfig /registerdns

Verify the new DC shows in Sites & Services

Make sure both DCs show under the correct site.


6. Step 5 – Transfer FSMO Roles to the New Server

On the new Server Core DC, run:

Move-ADDirectoryServerOperationMasterRole -Identity NEWPDC -OperationMasterRole 0,1,2,3,4 -Confirm:$false

FSMO roles include:

  • PDC Emulator
  • RID Master
  • Infrastructure Master
  • Schema Master
  • Domain Naming Master

Verify FSMO roles

netdom query fsmo

Once verified, the new Server Core OS is officially the PDC and schema master.
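
The checks from Steps 4 and 5 combined into one readiness gate, to be run on the new DC before the old one is demoted. This is an added example, not part of the original guide; the function name Test-DcCutoverReadiness and the 60-minute replication threshold are assumptions, and NEWPDC is the server name used above.

```powershell
# Added example: cutover readiness gate. Needs the ActiveDirectory module
# (installed by -IncludeManagementTools). Run locally on the new DC.
Import-Module ActiveDirectory

function Test-DcCutoverReadiness {
    param(
        [Parameter(Mandatory)] [string] $NewDc,  # e.g. NEWPDC, the name used in this guide
        [int] $MaxReplAgeMinutes = 60            # assumed threshold; tune to your replication schedule
    )
    $problems = @()
    # 1. All five FSMO roles must resolve to the new DC.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $roles = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        # Role holders come back as FQDNs; compare on the host label (case-insensitive).
        if (($r.Value -split '\.')[0] -ne $NewDc) {
            $problems += "FSMO role $($r.Key) is still held by $($r.Value)"
        }
    }
    # 2. Inbound replication on every partition: links exist, no failures, recent success.
    $cutoff = (Get-Date).AddMinutes(-$MaxReplAgeMinutes)
    $links = @(Get-ADReplicationPartnerMetadata -Target $NewDc -Scope Server -Partition '*')
    if ($links.Count -eq 0) { $problems += "$NewDc has no inbound replication partners" }
    foreach ($l in $links) {
        if ($l.ConsecutiveReplicationFailures -gt 0 -or $l.LastReplicationSuccess -lt $cutoff) {
            $problems += "Replication of $($l.Partition) from $($l.Partner): " +
                "failures=$($l.ConsecutiveReplicationFailures), last success=$($l.LastReplicationSuccess)"
        }
    }
    # 3. SYSVOL and NETLOGON must be shared on this server.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
            $problems += "Share $share is not published on this server"
        }
    }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

$result = Test-DcCutoverReadiness -NewDc 'NEWPDC'
$result.Problems | ForEach-Object { Write-Warning $_ }
if (-not $result.Ready) { throw 'Cutover checks failed: do not demote the old DC yet.' }
```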


7. Step 6 – Repoint Infrastructure & Services

Double-check that necessary services now point to the new DC.

Items to verify:

  • DHCP server authoritative target (if using AD authorization)
  • Any RADIUS/NPS references
  • Time server configuration
  • Any LDAP-bound apps
  • Backup software DC agents
  • Monitoring tools
  • DNS forwarders/scavenging settings

Make the new DC the authoritative time source

w32tm /config /manualpeerlist:"time.windows.com,0x9" /syncfromflags:manual /reliable:yes /update

Restart-Service w32time


8. Step 7 – Demote the Old Server Core 2019 PDC

Once everything has been validated and replication is stable:

Demote the old DC

Uninstall-ADDSDomainController -RemoveApplicationPartition:$true -DemoteOperationMasterRole:$true

If the server also runs DNS:

Uninstall-WindowsFeature DNS

Reboot once demotion completes.


9. Step 8 – Remove the Server from the Domain & Decommission

After reboot:

Remove-Computer -UnjoinDomainCredential (Get-Credential) -PassThru -Verbose

Restart-Computer

Delete the old server record from:

  • Active Directory Computers
  • NTDS Settings (Sites & Services)
  • DNS A and SRV records
  • DHCP lease reservations
  • Monitoring tools


10. Cleanup Validation

On the new PDC:

Run domain health checks again

dcdiag /v /c /d /e

repadmin /replsum

Verify FSMO roles one last time

netdom query fsmo

Verify SYSVOL consistency

dfsrmig /getmigrationstate

All states should be “Global state: Eliminated”.
