This document and what comes with it are provided as-is with the blunt warning: use at your own risk, buyer beware. If you break your system, you own the resolution as well. We have no liability for what you do, can't do, or fail to do with this information. Your only protection is to start over again from a protected backup or from a protected system. If you don't want to accept this, please don't use this document.

1. Install the latest service packs and run the Best Practice Analyzer on the Windows Server 2012 R2 (Essentials)

Run Windows Update and make sure you have the latest service pack and updates installed. After that, run the BPA. Anything the BPA reports must be fixed before you start the migration. Start the BPA from Server Manager for each role you have installed and fix any issues you find before starting the migration.

Start an elevated command prompt and run:

dcdiag /test:dns /dnsall /e /v

The output must be all PASS. If it is not, investigate what is causing the problem and fix it. As there can be numerous reasons for errors or warnings, we ask you to use the forums to get a solution or to create a ticket.

2. Synchronize the Windows Server 2012 R2 (Essentials) time with an external time source

Time synchronization between two domain controllers is very important. If one of the domain controllers is out of sync you will run into replication problems, and if you do not fix those before the actual migration (moving the FSMO roles and demoting the old server) you render your Active Directory useless. A time difference of more than 5 minutes between two domain controllers will cause disaster. If your installation is virtualized you may want to read Virtualization of your Windows Server 2016 (Essentials) and set the time service on your virtualized domain controller. We want to make sure the Windows Server 2012 R2 (Essentials) gets the right time, and therefore we follow this procedure.
Log in to the Windows Server 2012 R2 (Essentials) with a domain admin account and password if you are not already logged on. Click Start, right-click Command Prompt and choose Run as administrator. Click Yes in the User Account Control warning. At the command prompt use the w32tm command-line tool to configure the time service:

w32tm /config /syncfromflags:domhier /reliable:no /update

Restart the time service with the new settings:

net stop w32time
net start w32time

3. Back up your server with the app from the Essentials Dashboard

You must have made a full backup of your server before you continue this migration. From the Essentials Dashboard click Start a backup for the server. The Numinous Travel company has been using Windows Server Essentials 2012 R2 for some years and runs backups according to the standard schedule for such a server. Click Yes to start the backup and check that the backup was successful.

4. Make a System State backup to a dedicated USB drive

You need a big USB drive for a System State backup. Depending on your server it can take up to twice the size of the data included in the System State backup. Together with the default backup you made in step 3, we then have everything we need to restore the server if things go wrong. Normally you will never need this, but better safe than sorry. Open an elevated command prompt and type the following; in my case the USB drive I am using is drive E:

wbadmin start systemstatebackup -backuptarget:e:

Type Y to continue. Once completed you must see 'successfully completed'.

5. Add the current Administrator to the Enterprise Admins and Schema Admins groups

On the Windows Server Essentials 2012 R2 you must check whether the current Domain Administrator account is a member of the Enterprise Admins and Schema Admins groups. If it is not, you will end up with the error shown in the screenshot during the promotion of your new Windows Server Essentials 2016 server.
Open Active Directory Users and Computers from Server Manager. Right-click the group and choose Properties, choose the Members tab and click Add. Add the current Domain Admin to Enterprise Admins and Schema Admins. I have added the Admin account to the Enterprise Admins and Schema Admins. We can also do this from PowerShell with Add-ADGroupMember, see the screenshot.

6. Install Windows Server Essentials 2016 as a new replica domain controller

This is our first step towards migrating your Active Directory to the new server. We install the new Windows Server Essentials 2016, join it as a member server, and then promote it to a replica domain controller. After this we have an exact copy of our Active Directory (and SYSVOL) running on the new server. If you need more information on how to install Windows Server from a USB pen drive I suggest reading Create a bootable USB pen drive for your Windows 2012 R2 installation.

Click Next. Click Install Now. Type your product key and click Next. Click Next. Choose Custom. Choose the drive where you want to install the new server. If this is an array on a RAID adapter or just one big drive, you may want to partition it and create a system partition that does not take all the space. It is important to keep system data and user data separated from each other, as we will see later on in the Essentials Dashboard. The installation is running. Type a password for the local Administrator account and log in with the local Administrator account.

If the 'Configure Windows Server Essentials' wizard kicks in, make sure you cancel it. In the course of this guide you will be asked to cancel this wizard multiple times, and it is very important that you do so. Later on we will finish the wizard, and we will tell you when. So, for now, CANCEL.

From the Start menu choose Server Manager. Click Time zone and set it to your time zone. Next, choose the Ethernet adapter and click it.
Right-click and choose Properties. Choose IPv4 and click Properties. Set the server to a static IP address in the same subnet as the Windows Server Essentials 2012 R2 and set the preferred DNS server to the IP address of the Windows Server Essentials 2012 R2. Click Computer name, click Change and choose a descriptive computer name (I chose wse2016, but your name may differ). Check Member of Domain, type the name of your domain and click OK. Type in the credentials of the Domain Admin and click OK. The domain welcomes you; click OK. If you see the error shown in the screenshot, just click OK and ignore it. Click OK to start. Click Close. Click Restart Now.

You must log in with the Domain Admin credentials. Cancel the Configure Windows Server Essentials wizard once again. From Server Manager choose Add Roles and Features. Click Next, Next, Next. Click Active Directory Domain Services. Click Add Features. Click Next, Next, Next. Click Install. Click 'Promote this server to a domain controller'. This makes the server a replica domain controller. Choose Add a domain controller to an existing domain and click Next. Fill in the DSRM password (keep it in a safe place, and remember that this is not the same password as the Domain Admin password: when you change the Domain Admin password the DSRM password does not change automatically). Click Next on each of the following pages and click Install. Just wait; the server will reboot automatically. Once you are logged in again with the Domain Admin account, click Cancel again.

7. Check IP settings on the Windows Server 2016 (Essentials) and the Windows Server 2012 R2 (Essentials)

This procedure should also be done on the Windows Server 2012 R2 (Essentials), in which case you point the preferred DNS server to the new Windows Server 2016 (Essentials). This way both servers point to each other, and for the time that both servers live in the network this is not a bad idea.
So, as a rule of thumb, you should set the preferred DNS server to the other DNS server in your network and the alternate DNS server to the loopback address 127.0.0.1. Open Server Manager on the Windows Server 2016 (Essentials) server. Click the Ethernet adapter, right-click and choose Properties. Highlight Internet Protocol Version 4 and choose Properties. Make sure the preferred DNS server points to your new Windows Server 2016 (Essentials) server and the alternate DNS server points to the old Windows Server 2012 R2 (Essentials). Click OK and close Server Manager. You must also do the previous 5 steps on the Windows Server Essentials 2012 R2, but there the alternate DNS server should point to the IP address of the Windows Server 2016.

8. Check Active Directory health and replication

Now that we have both servers connected to each other we need to make sure that replication between the two domain controllers is fully functional. Right-click the Start menu and choose Command Prompt (Admin). Click Yes.

Type repadmin /replsummary. The output must be clean, without errors.

repadmin /replsummary

Type repadmin /showrepl. The output must show success 5 times.

repadmin /showrepl

Type the following. All 7 checks on both domain controllers must PASS.

dcdiag /test:DNS /DNSALL /e /v

Then type:

dcdiag /test:RegisterInDNS /DNSDomain:numinous.local

Type net share and confirm that you see a SYSVOL and a NETLOGON share. Open an Explorer window and type \\localhost\sysvol. It should list your local domain name. If you browse into \\localhost\sysvol\domain.local\Policies you should see a list of GUIDs (Globally Unique Identifiers) that represent your Group Policies. In my case you see 4 because this is a default installation; you may have more. Right-click the Start menu and choose Event Viewer. Check the DFS Replication log; there should be no recent errors listed.
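The chapter 8 checks (replication, the SYSVOL and NETLOGON shares, the dcdiag DNS tests and the DFS Replication log) as one script that returns a list of problems instead of output you read by eye. This is an added example, not part of the original guide; it assumes the ActiveDirectory module (RSAT-AD-PowerShell) and an elevated prompt on one of the domain controllers.

```powershell
# Added example, not part of the original guide: runs the chapter 8 health checks
# against every DC in the domain (or the names you pass) and returns the problems found.
# Assumes the ActiveDirectory module and an elevated PowerShell prompt on a DC.
Import-Module ActiveDirectory

function Test-DcHealth {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | ForEach-Object HostName),
        [string]$DnsDomain = (Get-ADDomain).DNSRoot
    )
    $problems = @()
    foreach ($dc in $DomainController) {
        # 1. Replication state: the same data repadmin /replsummary and /showrepl show
        foreach ($f in (Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue)) {
            $problems += "$dc : $($f.FailureCount) failure(s) with $($f.Partner): $($f.LastError)"
        }
        foreach ($p in (Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both -ErrorAction SilentlyContinue)) {
            if ($p.LastReplicationResult -ne 0) {
                $problems += "$dc : partition $($p.Partition) from $($p.Partner) last result $($p.LastReplicationResult)"
            }
        }
        # 2. SYSVOL and NETLOGON must be shared (what 'net share' shows)
        foreach ($share in 'SYSVOL', 'NETLOGON') {
            if (-not (Get-SmbShare -CimSession $dc -Name $share -ErrorAction SilentlyContinue)) {
                $problems += "$dc : share $share is missing"
            }
        }
        # 3. dcdiag DNS and RegisterInDNS tests: every 'failed test' line is a problem
        $out = & dcdiag.exe /s:$dc /test:DNS /DnsAll /v 2>&1
        $out += & dcdiag.exe /s:$dc /test:RegisterInDNS /DnsDomain:$DnsDomain 2>&1
        foreach ($line in ($out | Select-String -Pattern 'failed test' -SimpleMatch)) {
            $problems += "$dc : dcdiag $($line.Line.Trim())"
        }
        # 4. Errors in the DFS Replication log during the last day (SYSVOL replication).
        #    If the log does not exist (SYSVOL still on FRS) this check is silently skipped.
        $dfsr = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'DFS Replication'; Level = 2; StartTime = (Get-Date).AddDays(-1)
        }
        foreach ($e in $dfsr) { $problems += "$dc : DFSR error $($e.Id) at $($e.TimeCreated)" }
    }
    return ,$problems
}

$issues = Test-DcHealth
if ($issues.Count -eq 0) {
    'AD health: OK, safe to continue the migration'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run it on both servers before and after moving the FSMO roles; an empty result is the equivalent of the all-PASS output the chapter asks for.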
9. Transfer the operations master roles to the Windows Server 2016 (Essentials)

The Active Directory in a typical Windows network is a 'multi-master' enabled database. This means that there are multiple roles, and in our case they are all on one server: the Windows Server Essentials 2012 R2 holds all FSMO roles, and those will be migrated to the new server. If you want to read more about those Flexible Single Master Operation (FSMO) roles, read Active Directory FSMO roles in Windows. In previous migration documents like Migrate from SBS 2011 Standard to Windows Server 2012 R2 Essentials and Migrate Windows Server 2012 (R2) Essentials to new hardware we used ntdsutil from an elevated command prompt, but this time we are going to use PowerShell. Before we go ahead with moving the FSMO roles I would like to have a look at where the roles are located now, just to be sure.

It is important to understand that after you have moved the FSMO roles to the new server, the old server will complain about this. There is a grace period of 21 days during which you can have the old server installed in your network as a DC that does not hold all FSMO roles; this is a license issue. After 21 days the old server will shut itself down, so it is important that you complete this migration within the next 21 days from now.

From the Windows Server 2016 Essentials server start an elevated command prompt and click Yes to accept the UAC warning. Type:

netdom query fsmo

We could use Move-ADDirectoryServerOperationMasterRole and name each role, but there is a quicker way. When we ran netdom query fsmo it returned a list of roles, and that order (0,1,2,3,4) will do just fine. Type A to move all roles at once. You won't get a confirmation.

Move-ADDirectoryServerOperationMasterRole -Identity <new DC> -Server <new DC> -OperationMasterRole 0,1,2,3,4
Move-ADDirectoryServerOperationMasterRole -Identity wse2016 -Server wse2016 -OperationMasterRole 0,1,2,3,4

Type netdom query fsmo once more to see if the FSMO roles have been moved.
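To confirm the move from PowerShell rather than by reading the netdom output, here is an added example that is not part of the original guide. It assumes the ActiveDirectory module and the new server's FQDN wse2016.numinous.local used in this guide.

```powershell
# Added example, not part of the original guide: reads the five FSMO role owners from
# the directory and reports any role that is not yet held by the new server.
# Assumes the ActiveDirectory module; the expected host name is the guide's wse2016.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Role owners as stored in the forest and domain objects (the source netdom also reads).
    # The comments give the number Move-ADDirectoryServerOperationMasterRole uses for each role.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator           # 0
        RIDMaster            = $domain.RIDMaster             # 1
        InfrastructureMaster = $domain.InfrastructureMaster  # 2
        SchemaMaster         = $forest.SchemaMaster          # 3
        DomainNamingMaster   = $forest.DomainNamingMaster    # 4
    }
}

function Test-FsmoOnServer {
    param([string]$ExpectedHost = 'wse2016.numinous.local')
    $stale = @()
    foreach ($entry in (Get-FsmoRoleHolder).GetEnumerator()) {
        if ($entry.Value -ne $ExpectedHost) {
            $stale += $entry.Key
            Write-Warning "$($entry.Key) is still held by $($entry.Value)"
        }
    }
    # Only when this returns True has every role left the old server
    return $stale.Count -eq 0
}

Get-FsmoRoleHolder
Test-FsmoOnServer
```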
Type net share to confirm you see a SYSVOL and a NETLOGON share:

net share

Type repadmin /showrepl and confirm replication is successful. Then reboot the Windows Server Essentials 2016.

repadmin /showrepl

10. Install the Windows Server Essentials Experience role on the new Windows Server 2016

The Essentials Experience role on our new Windows Server 2016 is the icing on the cake and makes regular maintenance really easy. Even for non-technical staff it is easy to create new users and assign permissions to shares or Access Anywhere. If you are installing the Windows Server 2016 Essentials edition this is the last step to complete the installation of your new server. On Windows Server 2016 Standard or Datacenter the Essentials Experience role is an extra role.

Log in to the Windows Server 2016 (Essentials) server with your domain credentials. The wizard will start automatically, and now we can run and finish it. Click Configure. This wizard does not launch automatically on Windows Server 2016 Standard or Datacenter; there, start Server Manager and use Add Roles to install the Essentials Experience role. Click Close. Do not click 'Register with Microsoft cloud services' at this moment; we can do that later. If you do it now you will run into issues.

11. Migrate DHCP settings to the Windows Server 2016 (Essentials) server

In a new installation of Windows Server 2016 (Essentials) most people will opt to use the DHCP server of their firewall appliance and therefore not install the DHCP server role. Because we come from an old Windows Server 2012 R2 (Essentials) server on which the DHCP server role is installed, we will migrate the DHCP server settings and scope to our new server. On the Windows Server Essentials 2012 R2 run PowerShell as Administrator and click Yes. Run:

Export-DhcpServer -ComputerName wse2012 c:\dhcp-export.xml

Type Remove-WindowsFeature DHCP.
This removes the DHCP server from the old server, and because of this you must reboot.

Remove-WindowsFeature DHCP

Type Restart-Computer to reboot the server.

Restart-Computer

On the new Windows Server Essentials 2016 run PowerShell as Administrator and click Yes. Type Install-WindowsFeature DHCP; if you also want the GUI, add -IncludeManagementTools.

Install-WindowsFeature DHCP

Type:

netsh dhcp add securitygroups

Run:

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2

Type:

Restart-Service -Name DHCPServer -Force

Type \\oldserver\c$ in an Explorer window; that gets you the root of drive C on your old server. Copy the dhcp-export.xml file. I have copied the file to the root of drive C on our new server. Type:

Import-DhcpServer -ComputerName wse2016 c:\dhcp-export.xml -BackupPath c:\dhcpbackup

Type Y, and after that type:

Restart-Service -Name DHCPServer -Force

Type Get-DhcpServerInDC. This tells you which DHCP servers are registered in Active Directory. In the screenshot below you see that the old Windows Server Essentials 2012 R2 is still listed. We need to remove that with Get-DhcpServerInDC | Remove-DhcpServerInDC.

Get-DhcpServerInDC
Get-DhcpServerInDC | Remove-DhcpServerInDC

Now we need to add the new server. Type Add-DhcpServerInDC -DnsName wse2016.numinous.local -IPAddress 192.168.150.10 and check with Get-DhcpServerInDC that this worked. You need to change the IP address to something that is correct for your situation.
Add-DhcpServerInDC -DnsName wse2016.numinous.local -IPAddress 192.168.150.10
Get-DhcpServerInDC

The Set-DhcpServerv4DnsSetting cmdlet configures how the Dynamic Host Configuration Protocol (DHCP) server service updates the DNS server using client-related information. It modifies the effective DNS update setting and sets it on the server or on the specified scope, policy or reservation. You can set this at scope level, but in our case I will set it at server level. The following keeps DNS a bit cleaner:

Set-DhcpServerv4DnsSetting -ComputerName wse2016.numinous.local -DynamicUpdates "Always" -DeleteDnsRROnLeaseExpiry $True

Type $Credential = Get-Credential, type in the Domain Admin credentials and click OK. Then set that credential on the DHCP server:

$Credential = Get-Credential
Set-DhcpServerDnsCredential -Credential $Credential -ComputerName "wse2016.numinous.local"

The old scope has settings that are wrong for the new situation: DHCP clients should get the DNS server IP of the new server. Type Get-DhcpServerv4Scope to get more info on the scope you just migrated.

Get-DhcpServerv4Scope

Now type Get-DhcpServerv4OptionValue -ScopeId 192.168.150.0 and check the output. As you can see, the DNS server IP address is still that of the old server.

Get-DhcpServerv4OptionValue -ScopeId 192.168.150.0

Run the Set command below, then check that the new value is set with Get-DhcpServerv4OptionValue -ScopeId 192.168.150.0. If the value is correct, restart the DHCP service.

Set-DhcpServerv4OptionValue -OptionId 6 -Value 192.168.150.10 -ScopeId 192.168.150.0 -ComputerName wse2016.numinous.local
Get-DhcpServerv4OptionValue -ScopeId 192.168.150.0
Restart-Service -Name DHCPServer -Force
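The whole of chapter 11 as one script, generalised to every scope on the server rather than only 192.168.150.0, as an added example that is not part of the original guide. It assumes the names and address used in the guide (wse2012, wse2016.numinous.local, 192.168.150.10), the DhcpServer module on the new server, and that $OldDns is the old server's IP address (a placeholder below; use yours).

```powershell
# Added example, not part of the original guide: export DHCP from the old server,
# import it on the new one, fix AD authorisation and DNS settings, and replace the old
# server's address in option 6 (DNS servers) in every scope and at server level.
# Assumes the guide's names; $OldDns is a placeholder for the old server's address.
$OldServer  = 'wse2012'
$NewServer  = 'wse2016.numinous.local'
$NewDns     = '192.168.150.10'
$OldDns     = '192.168.150.11'   # placeholder: the old server's IP address
$ExportFile = 'C:\dhcp-export.xml'

# 1. Configuration plus leases from the old server, imported on the new one
Export-DhcpServer -ComputerName $OldServer -File $ExportFile -Leases -Force
Import-DhcpServer -ComputerName $NewServer -File $ExportFile -BackupPath 'C:\dhcpbackup' -Leases -Force

# 2. AD authorisation: only the new server may hand out leases in this domain
Get-DhcpServerInDC | Where-Object { $_.DnsName -ne $NewServer } | Remove-DhcpServerInDC
if (-not (Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $NewServer })) {
    Add-DhcpServerInDC -DnsName $NewServer -IPAddress $NewDns
}

# 3. DNS registration policy and the account used for it. The guide uses the Domain
#    Admin here; a dedicated account with only DNS update rights is the safer choice.
Set-DhcpServerv4DnsSetting -ComputerName $NewServer -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true
Set-DhcpServerDnsCredential -ComputerName $NewServer -Credential (Get-Credential -Message 'Account for DNS updates')

# 4. Option 6: swap the old server for the new one, keeping other DNS addresses a scope lists
function Update-DnsServerOption {
    param([string[]]$Current)
    $new = @($Current | Where-Object { $_ -ne $OldDns })
    if ($new -notcontains $NewDns) { $new = @($NewDns) + $new }
    return ,$new
}

# Server-level options first (ScopeId $null), then every scope
$targets = @(@{ ScopeId = $null }) +
           @(Get-DhcpServerv4Scope -ComputerName $NewServer | ForEach-Object { @{ ScopeId = $_.ScopeId } })
foreach ($t in $targets) {
    $params = @{ ComputerName = $NewServer; OptionId = 6 }
    if ($t.ScopeId) { $params.ScopeId = $t.ScopeId }
    $opt = Get-DhcpServerv4OptionValue @params -ErrorAction SilentlyContinue
    if ($opt) {
        $values = Update-DnsServerOption -Current $opt.Value
        Set-DhcpServerv4OptionValue @params -Value $values
        $where = if ($t.ScopeId) { "scope $($t.ScopeId)" } else { 'server level' }
        "DNS servers at $where are now: $($values -join ', ')"
    }
}
Restart-Service -Name DHCPServer -Force
```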
12. Join computers to the new Windows Server 2016 (Essentials) server in your domain

Although this chapter says that we are going to join the computers to the new server, that is not really true. The computers are joined to the domain and that remains, but we need to install the new 'connector' software from the Windows Server 2016 (Essentials); doing so upgrades the old connector software. Your clients are already connected and joined to the domain that you migrated to the new server. Running the Connector on a client machine installs software that allows the client to communicate with the server and updates the Dashboard. It detects that a computer was already joined to the domain and only installs the Connector software. If the computer was not yet joined to the domain (a new computer) the Connector will also join the computer to your domain and create a computer account.

If you previously used Client Computer Backups on the old server and you are going to do that on the new server too, please make sure you have moved the folder for those backups to a drive with enough space to hold them. Read How to move the default location of the server folders in the Dashboard on a new hard disk or partition. Old backups from the old server cannot be migrated to the new server; there is no support for migrating these. If you do not want to use Client Computer Backups it is a good idea to check that they are actually turned off on the new server. In the screenshot below you see how you set the global behaviour of Client Computer Backups. As a matter of fact, I always make sure this is turned off while running the Connector software on many client computers in the network, because you want to prevent all those machines suddenly starting backups to your server!
You can always turn that on later when the migration is completed and configure each client computer individually. Make sure you log in to the clients with your Domain Admin account, and if the Connector asks for credentials also use your Domain Admin account.

Now we can start installing the 'connector' software from our new Windows Server 2016 Essentials. For this, browse to http://wse2016/connect and choose 'Download software for Windows'. Click Run. Click Yes. Click Next. Fill in the Domain Admin credentials and click Next. Click No, because we want to use the Domain Admin for this procedure. I choose to also assign other users to this client computer; click Next. Jack and Susan will also use this desktop, so we add them. Click Next. I choose not to make normal users local administrators, which is best practice. Click Next. Click Next. I choose No. Click Next. When you click Finish you will be logged off. If this computer was previously connected to a Windows Server Essentials 2012 it does not look any different, but the links in the Dashboard like Shared Folders and Remote Web Access will lead you to the new server.

13. Migrate files and folders

The server in the office of Numinous Travel is configured for Folder Redirection, and they have a file share called 'Travel Expenses' where the employees save copies of their receipts during their expeditions in Nepal and Patagonia. That 'Travel Expenses' share has been set up from the Essentials Dashboard on the WSE 2012 R2, as you can see in the screenshot below. On the new WSE 2016 server we need to create the same shares as there are on the old WSE 2012 R2, and we need to make sure they are located on a drive that has enough space for the migrated data. It is also considered best practice to move user data and shares away from the system drive, which in most cases is drive C. As you can see in the screenshot below, I have done that and created the 'Travel Expenses' share on the new WSE 2016 server.
User data and shares are now located on drive E on my server. If you have created shares outside of the Dashboard you need to create those manually as well. For the actual migration of files and folders we are going to use a tool that has proven to be very effective: Robocopy. This tool is part of the Windows Server Resource Kit and can be downloaded here: Download Windows Server 2003 Resource Kit Tools from Official Microsoft Download Center. Yes, it shows 2003; the toolkit has not been changed since and we still use it. Install it on the old server, the Windows Server 2012. If you get the message shown during the installation, click 'Run the program without getting help'.

Start an elevated command prompt. Now you need to build the command for Robocopy. This is how mine looks if I copy all data within ServerFolders to the new server. Remember that this can take multiple hours to complete.

Robocopy D:\ServerFolders \\wse2016\e$\ServerFolders /e /zb /copyall /mir /secfix /sec /log+:C:\copy.log

14. Enable folder redirection on the Windows Server 2016 (Essentials) and clean up old group policies

Enabling Group Policies in the Dashboard on the Windows Server 2016 (Essentials) sets the standard for all your clients and redirects user files and folders to your server. Before you turn Group Policies on it is a good idea to review the old Windows Server 2012 R2 (Essentials) Group Policies and any custom-made changes. On the WSE 2012 R2 in the office of the Numinous Travel company they use Folder Redirection and they have a special Group Policy called WSE Travel Expenses Drive Mapping, but more on that later in chapter 15. On the new server start Group Policy Management from Server Manager.
In the screenshot below you see that we have 5 Group Policies. They were all made on the old Windows Server Essentials 2012, but as we have introduced the new Windows Server 2016 as a replica domain controller, everything in Active Directory also shows up on the new server. It is a replica!

On the new server open the Essentials Dashboard. Click Next. Click Next. Click Finish. Click Close. Open Group Policy Management again and notice that we have two policies that begin with WSE and are a bit older. Those were created by the wizard on the Windows Server Essentials 2012 R2 Dashboard. It is considered best practice NOT to change those policies. If you need more policies, create a new Group Policy instead of altering the ones made by the wizard. Right-click those policies and choose Back Up. Set a location and a description, then click Back Up. Click OK. With the older WSE policies selected, right-click and choose Delete. Click Yes to accept. Click OK.

Log in to a client in your network and you will see it is still getting redirected folders from the old server. This could be different for you: if the workstation was turned off and you just booted it, it would have received the new policies already, but in my case the old server is still the location of the redirected folders. Start an elevated command prompt and run gpupdate /force. You must log off and log on again. It can take a while before you can log in, because it is copying the redirected folders from the old server to the new server. Please be patient!

gpupdate /force

Check the event log and look for Event ID 501 from source Folder Redirection. You must see the same number of events as the number of folders you chose to redirect in the Dashboard wizard. If you see errors in the event log, read this thread in our forums: Ask a question > Group Policy not applying on one workstation after migration. Now check if the folders are redirected to the new server, and they are!
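The same verification done from PowerShell on the client, as an added example that is not part of the original guide. It counts Folder Redirection events 501 (success) and 502 (failure) from the last 24 hours and then reads the user's actual shell folder locations from the registry to confirm that none still points at the old server. It assumes the old server name wse2012 and that you run it in the user's session after logging on again.

```powershell
# Added example, not part of the original guide: checks Folder Redirection on a client.
# Assumes the guide's old server name wse2012; run it as the redirected user.
function Get-FolderRedirectionEvents {
    param([int]$Hours = 24)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Folder Redirection'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # 501 = folder redirected successfully, 502 = redirection failed
    [pscustomobject]@{
        Succeeded = @($events | Where-Object Id -eq 501).Count
        Failed    = @($events | Where-Object Id -eq 502).Count
        Errors    = @($events | Where-Object Id -eq 502 | ForEach-Object { $_.Message })
    }
}

function Get-StaleRedirectedFolder {
    param([string]$OldServer = 'wse2012')
    # Explorer stores the effective (redirected) location of each known folder here
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $folders = Get-ItemProperty -Path $key
    $folders.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -like "\\$OldServer\*" } |
        ForEach-Object { [pscustomobject]@{ Folder = $_.Name; Path = $_.Value } }
}

$result = Get-FolderRedirectionEvents
"Redirected folders: $($result.Succeeded), failures: $($result.Failed)"
$result.Errors | ForEach-Object { Write-Warning $_ }
$stale = @(Get-StaleRedirectedFolder)
if ($stale.Count -gt 0) {
    Write-Warning 'These folders still live on the old server:'
    $stale | Format-Table -AutoSize
} else {
    'No folder points at the old server any more'
}
```

The Succeeded count should match the number of folders you chose to redirect in the Dashboard wizard, and the stale list should be empty before you make the old shares read-only.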
15. Migrate mapped drives

The Numinous Travel company has a mapped drive that is used for an Access database that holds all travel expenses. That mapped drive is created by a policy that was made a long time ago on the Windows Server Essentials 2012 R2. From within Group Policy Management click WSE Travel Expenses Drive Mapping (obviously this policy will be named differently on your server if you have drive mappings) and choose the Settings tab. Browse down to User Configuration | Preferences … Drive Maps. You see we have mapped drive T to \\wse2012\TravelExpenses. Right-click the policy and choose Edit. Choose User Configuration | Preferences | Drive Maps, right-click the drive mapping and choose Properties. It points to the old WSE 2012 R2 and that needs to be changed.

Open an Explorer window and type in the address bar the name of your local domain, like \\numinous.local. It will list all shares that are available in the domain namespace. This is different from using the host namespace like \\wse2016\share and is the better way of doing things. Those shares in the domain namespace are created by the Dashboard wizard. I am going to use \\numinous.local\TravelExpenses. Click to copy the share name. Make the settings as in the screenshot, choose Apply and then OK. In this example I set the policy action to 'Replace' the current value, but remember that this can cause issues with connecting and reconnecting mapped drives, because the policy is refreshed every 90 minutes by default. In a migration scenario it may be a good idea to use 'Replace' for a few days and, once you are sure everything works, set it to 'Create'. Any new clients that are joined to the domain will get the new mapping as soon as the policy is applied. Read Group Policy refresh interval for users and William Stanek: Applying Group Policy Preferences with CRUD (Microsoft Press blog). Now go to a client, type gpupdate /force and check if the drive mapping changed to the new location.
16. Make shares on the old server read-only

Once this has been changed and all workstations have the new drive mapping policy and the new Folder Redirection policies applied, we make the shares on the old server read-only. Remember that if you do this while some client computers do not yet have the new WSE Folder Redirection Group Policy applied, it will fail: during the actual migration of the redirected folders the policy removes files from the old server, and read-only makes that impossible. The only way to know that everything has been migrated is to log on to each workstation and check the logs and folder paths. On the Windows Server Essentials 2012 R2 choose the folder you want to make read-only. Remember that you can only make folders read-only that you created yourself, plus the Company folder. Set the access level per user.

17. Migrate printers

We assume that you have deployed printers on the old server according to How to deploy and install printers using group policies. As you can see in the screenshot, we have deployed our Brother HL-L2340D series with a Group Policy on the WSE 2012 R2, and this is how that printer shows up on a Windows 10 workstation joined to the domain. Open an elevated PowerShell prompt and click Yes. With Get-WindowsFeature -Name *Print* we can have a look at what is installed. We need to install Print and Document Services.

Get-WindowsFeature -Name *Print*

With Install-WindowsFeature -Name Print-Services, Print-Server -IncludeManagementTools we install all the tools needed to migrate printers.
Install-WindowsFeature -Name Print-Services, Print-Server -IncludeManagementTools

Start Print Management from Server Manager. Right-click and choose Add/Remove Servers. Type the hostname of the old server and click Add to List. Click OK. Right-click the old server and choose Export printers to a file. Click Next. Click Browse. Give it a name. Click Next. Click Finish. Under the new server's hostname, right-click and choose Import printers from a file. Click Browse. Choose the export file and click Open. Click Next. Click Next. Click Finish. The imported printers are listed under the new server. Go to Deployed Printers and right-click the printer that was deployed from the old server. Click Remove. Click OK. Click OK. Click OK.

I am going to deploy the HP Color LaserJet in this example. Right-click it and choose Deploy with Group Policy. Click Browse. Choose the WSE Printer Deployment Policy. Check 'The users that this GPO applies to (per user)' and click Add. Click OK. Click OK. Click OK again. Log in to a workstation that previously had the printer deployed; the printer from the old server is still shown. Open an elevated PowerShell prompt. Click Yes. Type gpupdate and hit Enter. You will see that at the moment the policy updates, the printer flips to the new server.

18. Migrate Access Anywhere and certificates for remote.domain.com

This procedure depends on what kind of certificate you have. If you have previously installed a Let's Encrypt certificate (see Get a free Let's Encrypt SSL certificate for Access Anywhere and automatically renew it), then after we install the Certify the Web client we also need to copy the files from the location shown in the screenshot below. On the old server, type Manage Computer Certificates and open it as in the screenshot. There is our 'remote.numinous-travel.com' certificate that we want to reuse on the new server.
Right-click it and choose Export. Click Next. Click Yes, export the private key, and click Next. Click Next. Type a password and click Next. Specify a location and click Next. Click Finish. Click OK. I have copied the PFX file to the new server and started the Windows Server Essentials Dashboard. Click Settings. Click Configure Anywhere Access. Click Next. Click Next. Check 'I have manually configured my domain name'. Type the name of your domain and click Next. Check 'I want to use an existing SSL certificate' and click Next. Browse to the PFX file, type the password and click Next. Click Next.

19. Back up the Certification Authority database, log and private key

In 99% of all cases I have not seen a small business that needs the CA to be migrated. If you use certificates from a trusted party like Comodo or Let's Encrypt for Access Anywhere there is really no need to migrate the Certificate Authority, but we back up the CA anyway, just in case. Better safe than sorry! A System State backup also includes the Certification Authority database and the private key if Active Directory Certificate Services is installed, but it is sometimes useful to back up the CA components separately in case you want to migrate them. As I said, we do not actually migrate the CA in this guide, but it is always good to have a backup in case you must migrate. In future guides, like from 2016 to 2019, we will include full migration support for the CA. So, if you want to skip this chapter you can, but IMHO it is a good idea to get acquainted with the Certificate Authority!

From Server Manager start Certification Authority from the Tools menu. Right-click the CA and choose Back up CA. Click Next. Make the choices as in the screenshot and click Next. Type a password and click Next. Click Finish. Check in the CABackup folder that the backup has been created.
Open an elevated command prompt.
Type net stop certsvc
Type reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration "C:\CABackup\CAregistrysettings.reg"
Check the C:\CABackup folder to make sure the export has completed.

20. Backup the EFS Recovery Agent Certificate

The first domain controller in a domain contains the built-in Administrator profile, which holds the public certificate and the private key for the default recovery agent of the domain. The public certificate is imported into the Default Domain Policy and applied to domain clients through Group Policy. If the Administrator profile or the first domain controller is no longer available, the private key used to decrypt encrypted files is lost and files cannot be recovered through that recovery agent. See How to back up the recovery agent Encrypting File System (EFS) private key in Windows for more info.
This means that the default Administrator account, which is mostly disabled, holds that EFS Recovery Agent certificate. If you migrated from another server like SBS 2011 to your current Windows Server 2012 and did not migrate the EFS certificate, you have to create a new one, but that is outside the scope of this guide. We assume that the Windows Server 2012 R2 Essentials was a new installation. You may skip this chapter if you never used EFS (Encrypting File System).
Open Group Policy Management to locate the actual policy that does the work.
Right-click the Default Domain Policy and click Edit.
Open Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Encrypting File System.
The column Intended Purposes shows which certificate we need to export: it says File Recovery, and with this certificate we can decrypt any file that has been encrypted by any user on our domain.
Right-click it and choose Export.
Click Next.
Choose Yes, export the private key, and click Next.
Choose the options as in the screenshot and click Next.
Set a password and click Next.
Specify the file name and click Next.
Click Finish and click OK.

21. Uninstall Active Directory Certificate Services

Before we can demote and remove the Windows Server 2012 R2 (Essentials) server from the domain we must uninstall Active Directory Certificate Services. This is a two-step procedure: first we remove Certification Authority Web Enrollment, then Active Directory Certificate Services.
From Server Manager choose Manage > Remove Roles and Features.
Click Next, then Next.
Uncheck Certification Authority Web Enrollment, confirm it is unchecked and click Next.
Click Next.
Click Remove.
Click Close.
Again choose Remove Roles and Features from the Server Manager.
Click Next, then Next.
Uncheck Certification Authority and click Remove Features.
Click Next, then Next.
Click Remove.
Click Close.

22. Uninstall the Essentials Experience role

Our next step is to remove the Essentials Experience role, but as you will see it will first ask us to run the 'cleanup wizard'.
From Server Manager choose Remove Roles and Features.
Click Next, then Next.
Uncheck 'Windows Server Essentials Experience'.
Click 'Run Windows Server Essentials Cleanup'.
Check 'I confirm' and click Run.
Click Close.
Again choose Remove Roles and Features.
Click Next, then Next.
Uncheck 'Windows Server Essentials Experience'.
Click Next, then Next.
Click Remove.
Click Close and reboot the server.

23. Demote the Windows Server 2012 R2 (Essentials) and uninstall Active Directory Domain Services and DNS

Say goodbye to the good old Windows Server 2012 R2 (Essentials). Before Windows Server 2012 was released we used a tool called 'dcpromo' to demote the DC, but that tool has been deprecated since Windows Server 2012. We now 'dcpromo' the server during the removal of the ADDS role.
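The PowerShell path through this chapter, as an added example that is not from the guide: it first proves that every FSMO role and the global catalog already live on the new server (the demote wizard, and the -DemoteOperationMasterRole switch the guide uses, will not stop you otherwise), then runs the guide's demote command. It assumes an elevated prompt on the old DC; the new server's name is a placeholder.

```powershell
# Added example, not code from the guide: verify FSMO placement and replication
# before demoting the old DC, then demote and (after the reboot) remove the roles.
Import-Module ActiveDirectory

$NewDc = 'NEWSERVER'   # placeholder: hostname of the Windows Server 2016 (Essentials)

function Get-FsmoNotOnServer {
    param([string]$ServerName)
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $roles = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    # Holders are FQDNs; compare the host label so 'NEWSERVER' matches 'newserver.example.local'.
    foreach ($role in $roles.Keys) {
        $holder = [string]$roles[$role]
        if (($holder -split '\.')[0] -ne $ServerName) {
            [pscustomobject]@{ Role = $role; Holder = $holder }
        }
    }
}

$misplaced = @(Get-FsmoNotOnServer -ServerName $NewDc)
if ($misplaced.Count -gt 0) {
    $misplaced | Format-Table -AutoSize | Out-String | Write-Host
    throw "The FSMO roles above are not on $NewDc. Move them first; demoting now would break the domain."
}
if (-not (Get-ADDomainController -Identity $NewDc).IsGlobalCatalog) {
    throw "$NewDc is not a global catalog yet"
}
# Replication must be clean too: any failure listed here has to be fixed before demoting.
repadmin /replsummary

# Part 1: the guide's demote command (what 'Demote this Domain Controller' does).
# -DemoteOperationMasterRole would demote even with roles still here, hence the check above.
# -LocalAdministratorPassword sets the local Administrator password used after demotion.
Import-Module ADDSDeployment
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -Force:$true `
    -LocalAdministratorPassword (Read-Host -Prompt 'New local Administrator password' -AsSecureString)

# Part 2, run after the reboot: remove the roles the guide lists (add DHCP if still installed).
# Uninstall-WindowsFeature -Name AD-Domain-Services, DNS, DirectAccess-VPN, RDS-Gateway -IncludeManagementTools -Restart
```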
In one of the first steps of this tutorial we moved all Flexible Single Master Operations roles to the new Windows Server 2016 (Essentials), so no worries, all will be just fine without the ADDS role installed on the Windows Server 2012 R2 (Essentials).
Choose Remove Roles and Features from the Server Manager.
Click Next, then Next.
Uncheck 'Active Directory Domain Services' and click Remove Features.
Click 'Demote this Domain Controller'. This does what dcpromo does on Windows Server versions before Windows Server 2012.
Click Next.
Check 'Proceed with removal' and click Next.
Click Next.
Click Demote.
Relax and wait until the server restarts; you cannot delay or cancel this.
Extra: this procedure can also be done with PowerShell.
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -Force:$true
Now we can remove the ADDS role and other roles from the old Windows Server 2012 R2 Essentials. It is a good idea to remove ADDS, DNS, Remote Access, RDP Gateway and, if it was installed and not yet uninstalled, DHCP (some use DHCP from the router and don't need to uninstall it).
Click Next, then Next.
Uncheck Active Directory Domain Services and click Remove Features.
Uncheck DNS and click Remove Features.
Uncheck 'DirectAccess and VPN (RAS)' and 'Remote Desktop Gateway'.
Click Next, then Next.
Click Remove.
Click Close and restart the server.

24. Remove the Windows Server 2012 R2 (Essentials) from the domain and put it in a WORKGROUP

After we have moved all FSMO roles and demoted the Windows Server 2012 R2 (Essentials) we can no longer use it in our network, not even as a member server, because the license does not allow that. We will put the server in a workgroup, decommission it and possibly install another OS on it.
Click on the computer name or on the domain name.
Click Change.
Make this server a member of the workgroup called 'WORKGROUP' and click OK.
You need to know the local admin password; enter it and click OK.
Click OK, click OK and click OK again.
Click Close.
Click Restart Now.

25.
Cleanup the Active Directory and DNS

This is a very important step. Unfortunately, demoting and uninstalling ADDS on the Windows Server 2012 R2 (Essentials) does not clean up DNS in such a way that we could speak of a clean action. Luckily we have some great tools that can help us find issues before they become real issues. DCDiag is one of them and that tool will be used now to see if there are issues.
Before you start running these tests make sure the preferred DNS server on your network connection points to 127.0.0.1 and NOTHING else. You should not have any public DNS server listed in the settings of your network connection; you can add those as forwarders in the DNS Server settings.
Before we run the final dcdiag report we do some cleaning up.
From Server Manager open Active Directory Sites and Services.
There is our old server listed; right-click it and choose Delete.
Click Yes to confirm, and click Yes again.
Open DNS Manager from the Server Manager console.
Right-click the server name and choose Properties.
On the Forwarders tab we still have the old server listed; click Edit.
Delete the entry of the old server, click OK and OK again.
In the hive as shown in the screenshot you will see that the old server is still listed; click Edit. This is just an example of where you will find old incorrect DNS settings: you must check each value in each hive in all Forward Lookup Zones listed in your DNS server.
Change the name to the name of the new server and hit Resolve. It should show a green checkmark with the IP address of your new Windows Server 2016 (Essentials).
Hit OK to complete. The new server is now listed.
Open an elevated PowerShell prompt and click Yes.
From the elevated PowerShell prompt run:
dcdiag /test:dns /dnsall /e /v
Be patient, it will take a while to complete, but the output must show all 'PASS'.
Congratulations, you have finished your migration!
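Checking every hive by hand is easy to get wrong, so here is an added example (not code from the guide) that lists every DNS record, forwarder and Sites and Services object on the new server that still refers to the demoted one. It assumes an elevated prompt on the new DC with the DnsServer and ActiveDirectory modules; the old server's name and IP are placeholders.

```powershell
# Added example, not code from the guide: find leftovers pointing at the old DC
# before running the final dcdiag. Replace the two placeholders first.
Import-Module DnsServer
Import-Module ActiveDirectory

$OldName = 'OLDSERVER'    # placeholder: hostname of the demoted Windows Server 2012 R2
$OldIp   = '192.0.2.10'   # placeholder: its former IP address

function Get-StaleDnsRecord {
    param([string]$Name, [string]$Ip)
    foreach ($zone in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
        foreach ($rr in Get-DnsServerResourceRecord -ZoneName $zone.ZoneName) {
            $d = $rr.RecordData
            # Each record type keeps its target in a differently named property.
            $target = switch ($rr.RecordType) {
                'A'     { $d.IPv4Address.IPAddressToString }
                'NS'    { $d.NameServer }
                'CNAME' { $d.HostNameAlias }
                'SRV'   { $d.DomainName }
                'PTR'   { $d.PtrDomainName }
                'MX'    { $d.MailExchange }
                default { $null }
            }
            # NS/SRV/CNAME targets are FQDNs with a trailing dot, so match on the host label.
            if ($rr.HostName -eq $Name -or ($target -and ($target -like "$Name.*" -or $target -eq $Ip))) {
                [pscustomobject]@{ Zone = $zone.ZoneName; Host = $rr.HostName; Type = $rr.RecordType; Target = $target }
            }
        }
    }
}

function Get-StaleForwarder {
    param([string]$Ip)
    (Get-DnsServerForwarder).IPAddress | Where-Object { $_.IPAddressToString -eq $Ip }
}

function Get-StaleSiteServer {
    param([string]$Name)
    # The server object the guide deletes by hand in Active Directory Sites and Services.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$Name'" -SearchBase "CN=Sites,$cfg"
}

Get-StaleDnsRecord -Name $OldName -Ip $OldIp | Format-Table -AutoSize
Get-StaleForwarder -Ip $OldIp
Get-StaleSiteServer -Name $OldName
# Only when all three lists are empty is it worth running the guide's final check:
# dcdiag /test:dns /dnsall /e /v
```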