Cloud Knowledge

Active Directory Migration from Windows Server 2019 to 2022: 15-Step Proven Checklist

Active Directory migration from Windows Server 2019 to 2022 is a critical project for security, supportability, and compliance. In this guide, we’ll follow a practical 15-step side-by-side migration checklist, including domain controller deployment, FSMO role transfer, DNS and Global Catalog configuration, and post-migration validation. You’ll also find real-world PowerShell commands, basic Graph API checks for hybrid environments, key troubleshooting tips, and FAQs for each major phase.

Figure: conceptual diagram of Active Directory migration from Windows Server 2019 to 2022.

1. Overview: Why migrate Active Directory to Windows Server 2022?

Windows Server 2022 brings improved security (TLS 1.3, improved SMB, secured-core features), better performance, and a longer support lifecycle. Keeping your domain controllers (DCs) on older versions like Windows Server 2019 increases security risk and limits access to new features. A well-planned Active Directory migration from Windows Server 2019 to 2022 ensures:

  • Secure and supported platform for authentication and authorization.
  • Better integration with cloud services like Microsoft Entra ID (Azure AD).
  • Opportunity to clean up legacy configuration, deprecated protocols, and unused objects.
  • Minimal downtime for users and applications when using a side-by-side migration approach.

Key points – Why migrate now?

  • Security baselines and hardening templates are tuned for newer Windows Server versions.
  • Vendor support and compatibility often target the latest or N-1 version of Windows Server.
  • Migrating DCs gives you a chance to validate DNS, time, and replication health.
  • You can gradually decommission legacy servers and reduce operational risk.

FAQs – Overview

Q1. Can I do an in-place upgrade of a 2019 domain controller to 2022?

Technically, in-place upgrades are possible, but most architects prefer a side-by-side migration: build a new Windows Server 2022 DC, replicate, move roles, then demote the old DC. This avoids carrying legacy configuration problems over into the new OS.

Q2. Do I have to raise the domain/forest functional level?

Not immediately. You can run a 2022 DC in a forest/domain functional level that still supports 2019 DCs. Once all DCs are on 2022 and tested, you can consider raising the functional level for new features.

Q3. Is Active Directory migration from Windows Server 2019 to 2022 disruptive?

When done correctly, disruption is minimal. User authentication continues through whichever DC is available. Risk mainly comes from DNS, replication, and time configuration errors—this guide will help you avoid those.

2. Pre-migration planning, prerequisites, and backup

Before touching any domain controller, spend time on planning, documentation, and backup. A structured approach will keep your Active Directory migration project safe and predictable.

2.1 Prerequisites checklist

  • Inventory of all domain controllers, including OS, roles (FSMO, DNS, GC), and site placement.
  • List of business-critical apps that depend on AD (SSO apps, LDAP integrations, file shares, printers, etc.).
  • Admin accounts with rights to introduce domain controllers and move FSMO roles.
  • Network design: IP addressing, VLANs, firewall ports, and site-to-site connectivity.
  • Hardware or VM resources for the new Windows Server 2022 DC(s).
  • Time synchronization strategy documented (PDC Emulator and upstream NTP).

2.2 Backup strategy (Step 15 of the checklist)

Always take a backup before starting migration. Ideally, use a system state backup of at least one Windows Server 2019 DC (preferably the one holding FSMO roles). You can use Windows Server Backup or enterprise backup tools.

# Example: System state backup with wbadmin (run in elevated PowerShell or CMD)
wbadmin start systemstatebackup -backuptarget:E: -quiet

Store your backup on a different disk or shared location that is not impacted by a potential DC failure. Test restore procedures in a lab if possible.

Key points – Planning & backup

  • Have at least one recent system state backup of a DC before making changes.
  • Document FSMO role holders, DNS roles, and Global Catalog settings.
  • Plan a maintenance window even if you expect zero downtime.
  • Communicate clearly with application owners and support teams.
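
The following script documents the DC inventory and FSMO role holders called for above. It is an added example, not a script from the original article; it assumes the ActiveDirectory RSAT module, a domain-joined admin session, and C:\Temp as an output folder.

```powershell
# Added example: snapshot every DC in the domain together with the FSMO role holders
# and export it to CSV for the migration runbook. Output path is a placeholder.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two forest-wide roles come from Get-ADForest, three domain-wide roles from Get-ADDomain
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$inventory = Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_
    # Roles held by this DC; role holders are returned as FQDNs, so compare to HostName
    $roles = $fsmo.GetEnumerator() |
        Where-Object { $_.Value -ieq $dc.HostName } |
        ForEach-Object { $_.Key }
    [pscustomobject]@{
        HostName        = $dc.HostName
        IPv4Address     = $dc.IPv4Address
        OperatingSystem = $dc.OperatingSystem
        Site            = $dc.Site
        IsGlobalCatalog = $dc.IsGlobalCatalog
        IsReadOnly      = $dc.IsReadOnly
        FSMORoles       = ($roles -join ';')
    }
}

$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path "C:\Temp\DC-Inventory-PreMigration.csv" -NoTypeInformation

# Anything still on Windows Server 2019 belongs in the decommission plan
$inventory | Where-Object { $_.OperatingSystem -like '*2019*' } |
    ForEach-Object { Write-Warning "Still on Windows Server 2019: $($_.HostName)" }
```

Run it again after Step 12 and diff the two CSV files to prove that every role moved and no 2019 DC remains.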

FAQs – Planning

Q1. How many new Windows Server 2022 DCs do I need?

At least two DCs per critical site are recommended for redundancy. For small environments, one DC per site may be acceptable, but avoid a single-DC forest.

Q2. Do I need a full VM snapshot?

Snapshots can be risky with DCs because of USN rollback issues. Prefer system state backup over hypervisor snapshots unless you fully understand the implications and follow Microsoft guidance.

3. Step 0: Check Windows Server 2019 Domain Controller health

Before joining a new Windows Server 2022 domain controller, verify that the existing Windows Server 2019 DC is healthy. Otherwise, you just replicate problems to the new DC.

3.1 dcdiag – Domain controller diagnostics

# Run from an elevated CMD window on the 2019 DC
dcdiag /v /c /e /f:%systemroot%\temp\dcdiag_2019.log
# From PowerShell use $env:SystemRoot instead, since %systemroot% is not expanded there
dcdiag /v /c /e /f:"$env:SystemRoot\temp\dcdiag_2019.log"

Review the report for DNS failures, replication errors, and security issues. Fix these before continuing your Active Directory migration from Windows Server 2019 to 2022.

3.2 repadmin – Replication summary

# Overall replication summary
repadmin /replsummary

# Detailed replication for a specific DC
repadmin /showrepl <2019-DC-NAME>

Replication failures (e.g., error 5, 1256, 1908) should be investigated and resolved before promoting a new 2022 DC.

Key points – Health checks

  • Never introduce a new DC into an unhealthy forest or site.
  • Use dcdiag and repadmin to validate DNS, replication, and connectivity.
  • Fix errors and warnings in event logs (Directory Service, DNS Server, System).

FAQs – Health checks

Q1. Can I ignore minor dcdiag warnings?

Some warnings (like informational messages) may be acceptable, but errors related to replication, DNS, or authentication must be fixed.

Q2. Do I run these tools on every DC?

At minimum, run them on FSMO role holders and DCs in critical sites. For small environments, running on every DC is recommended.

4. 15-Step Active Directory migration from Windows Server 2019 to 2022

Below is a detailed, practical walkthrough of the 15 steps in the checklist, aligned with Microsoft guidance and common field experience.

Step 1 – Install Windows Server 2022 and configure network settings

Install Windows Server 2022 (Desktop or Core) on new hardware or a VM. After installation:

  • Assign a static IP address in the appropriate subnet.
  • Point preferred DNS to an existing 2019 DC; alternate DNS can be another DC.
  • Set the correct computer name (e.g., DC2022-01).
  • Configure time zone and NTP settings (important for Kerberos).

# Example PowerShell: Rename computer and set static IP (run as admin)
Rename-Computer -NewName "DC2022-01" -Restart:$false

New-NetIPAddress -InterfaceAlias "Ethernet0" -IPAddress "10.10.10.20" `
  -PrefixLength 24 -DefaultGateway "10.10.10.1"

Set-DnsClientServerAddress -InterfaceAlias "Ethernet0" `
  -ServerAddresses ("10.10.10.10","10.10.10.11")

FAQs – Step 1

Q1. Should the new DC use the old DC as DNS?

Yes, initially point DNS to an existing DC. After promotion, each DC typically points to itself and another DC for redundancy.

Q2. Static or DHCP?

Always use static IPs for domain controllers to avoid unexpected changes in DNS records.

Step 2 – Join Windows Server 2022 to the existing domain as a member server

Join the new server to the existing AD domain as a member server before you promote it to a domain controller.

# Join domain (replace with your domain and OU)
Add-Computer -DomainName "corp.contoso.com" -OUPath "OU=Servers,DC=corp,DC=contoso,DC=com" `
  -Credential (Get-Credential) -Restart

Key points – Step 2

  • Ensure the 2022 server can ping DCs and resolve DNS names.
  • Confirm successful domain join before attempting promotion.

Step 3 & Step 4 – Validate 2019 DC health and apply latest patches

You already ran dcdiag and repadmin. Also ensure that the 2019 DC is fully patched and rebooted if required. This reduces the chance of schema or replication issues during the migration.

# Optional: Check pending reboot status via PowerShell ($true means a reboot is pending)
Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"

Step 5 – Add Active Directory Domain Services role on Windows Server 2022

On the 2022 server, open Server Manager > Add Roles and Features and add the Active Directory Domain Services (AD DS) role. You can also do this via PowerShell:

# Install AD DS role on the 2022 server
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Step 6 – Promote Windows Server 2022 to a domain controller

After AD DS installation, use the post-deployment configuration wizard or PowerShell to add the server as an additional DC in the existing domain.

# Example: Promote 2022 server to DC in existing domain
Import-Module ADDSDeployment

Install-ADDSDomainController `
  -DomainName "corp.contoso.com" `
  -Credential (Get-Credential) `
  -InstallDns:$true `
  -SiteName "Default-First-Site-Name" `
  -DatabasePath "C:\Windows\NTDS" `
  -LogPath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -NoRebootOnCompletion:$false `
  -Force:$true

The server will reboot after promotion. Once it comes back online, it is a fully fledged domain controller.

FAQs – Promotion

Q1. Should I install DNS on the new DC?

In most environments, yes. Domain controllers typically run DNS for AD-integrated zones.

Q2. Do I need to run adprep manually?

If you are promoting from a newer OS (2022) into an existing forest, the promotion process normally handles necessary schema updates automatically, assuming your existing DCs are 2012 or later.

Step 7 & Step 8 – Wait for AD replication and verify with repadmin

After promotion, give replication some time (depending on your site links and schedules). Then verify using repadmin:

# Run on any DC to get an overview
repadmin /replsummary

# Show replication partners for the new 2022 DC
repadmin /showrepl DC2022-01

Ensure there are no persistent replication errors before proceeding to FSMO transfer or demotion of old DCs.

Step 9 – Move FSMO roles to the 2022 server (PowerShell & GUI)

To complete the Active Directory migration from Windows Server 2019 to 2022, you should transfer all FSMO roles to the new 2022 DC:

# Check current FSMO role holders
netdom query fsmo

# Import AD module
Import-Module ActiveDirectory

# Move all roles to the new 2022 DC (run on 2022 DC)
Move-ADDirectoryServerOperationMasterRole -Identity "DC2022-01" `
  -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster `
  -Confirm:$false

Always verify after transfer:

netdom query fsmo

Step 10 & Step 11 – Configure DNS and enable Global Catalog

On the 2022 DC:

  • Verify AD-integrated zones are present and replicating.
  • Ensure forwarders, conditional forwarders, and root hints match the design.
  • In Active Directory Sites and Services, confirm the DC is marked as a Global Catalog (GC) if required.

# PowerShell: Verify DNS service on the DC
Get-Service DNS

# Optional: Re-register DNS records
ipconfig /registerdns

# Verify Global Catalog (example using AD module); IsGlobalCatalog should be True
Get-ADDomainController -Identity "DC2022-01" | Select-Object HostName, IsGlobalCatalog

Step 12 – Demote the old Windows Server 2019 Domain Controller

Once the 2022 DC is stable, holds FSMO roles, and DNS/GC are configured correctly, you can demote the 2019 DC. Before demotion:

  • Update DHCP scopes or other services that point to the old DC for DNS.
  • Ensure the 2019 DC no longer holds FSMO roles.
  • Check replication health one last time.

# Demote DC via PowerShell on the 2019 server
Import-Module ADDSDeployment

Uninstall-ADDSDomainController `
  -DemoteOperationMasterRole:$true `
  -IgnoreLastDCInDomainMismatch:$true `
  -RemoveApplicationPartitions:$true `
  -ForceRemoval:$false `
  -Credential (Get-Credential) `
  -Force:$true

The server will reboot and become a member server. You can later remove it from the domain and decommission it after final checks.

Step 13 & Step 14 – Test logons, AD functions, and review event logs

Test typical authentication and authorization flows:

  • Interactive logon to workstations and servers.
  • Access to file shares, printers, and common applications.
  • Group Policy processing on clients (gpupdate /force, gpresult /h).
  • SSO to cloud or internal apps that rely on LDAP/Kerberos.

Review the following event logs on the new 2022 DC:

  • Directory Service log
  • DNS Server log
  • System and Security logs

Key points – Post-promotion testing

  • Perform tests from multiple sites and networks (VPN, branch, etc.).
  • Have business owners validate application behavior.
  • Monitor logs for at least a few days before fully decommissioning old DCs.

5. Troubleshooting replication with dcdiag, repadmin, and event logs

Even in a well-planned Active Directory migration from Windows Server 2019 to 2022, you may hit replication or DNS issues. Here are helpful commands and patterns.

5.1 Quick replication health script

# Basic health check script (run on any DC)
Write-Host "==== DCDIAG ====" -ForegroundColor White
dcdiag /q

Write-Host "`n==== REPLICATION SUMMARY ====" -ForegroundColor White
repadmin /replsummary

Write-Host "`n==== SHOW REPL FOR NEW 2022 DC ====" -ForegroundColor White
repadmin /showrepl DC2022-01

5.2 Common replication issues

  • Error 5 – Access is denied: check permissions, secure channel, and time synchronization.
  • Error 1256 – Remote system not available: network or firewall issue blocking RPC or LDAP.
  • Error 1908 – Could not find the domain controller: DNS and SRV records often at fault.
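
To make the 5.1 health check actionable, the following script parses repadmin's CSV output and annotates each failing link with the triage hints from 5.2. It is an added example, not a script from the original article; it assumes repadmin.exe (RSAT AD DS tools) is installed and every DC is reachable.

```powershell
# Added example: turn "repadmin /showrepl * /csv" into a triage table keyed on error code
$hints = @{
    '5'    = 'Access is denied: check secure channel, permissions and time synchronization'
    '1256' = 'Remote system not available: network or firewall blocking RPC/LDAP'
    '1908' = 'Could not find the domain controller: check DNS and _msdcs SRV records'
}

function Get-ReplicationFailures {
    # The CSV form lists every inbound replication link of every DC, one row per link
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        if ([int]$row.'Number of Failures' -le 0) { continue }
        # "Last Failure Status" carries the Win32 error code of the last failed attempt
        $code = [string]$row.'Last Failure Status'
        $hint = if ($hints.ContainsKey($code)) { $hints[$code] } else { 'Check the Directory Service event log' }
        [pscustomobject]@{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = [int]$row.'Number of Failures'
            LastSuccess   = $row.'Last Success Time'
            ErrorCode     = $code
            Hint          = $hint
        }
    }
}

$failures = @(Get-ReplicationFailures)
if ($failures.Count -eq 0) {
    Write-Host "No replication failures reported; safe to continue." -ForegroundColor Green
} else {
    $failures | Sort-Object ErrorCode, Destination | Format-Table -AutoSize
    # One warning per distinct error code shows whether there is a single root cause
    # (for example DNS) or several unrelated problems
    $failures | Group-Object ErrorCode | ForEach-Object {
        Write-Warning ("{0} link(s) failing with error {1}: {2}" -f $_.Count, $_.Name, $_.Group[0].Hint)
    }
}
```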

5.3 Event logs snapshot via PowerShell

# Grab recent Directory Service errors. Filtering on Level 2 (Error) server-side returns
# the 50 most recent errors, not the 50 most recent events of any level
Get-WinEvent -FilterHashtable @{ LogName = "Directory Service"; Level = 2 } -MaxEvents 50 -ErrorAction SilentlyContinue |
  Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize

FAQs – Troubleshooting

Q1. What if replication never succeeds to the 2022 DC?

Check DNS, firewalls, and security policies. As a last resort, you may demote the faulty 2022 DC and re-promote it after fixing root causes.

Q2. Can I seize FSMO roles instead of transferring them?

Seizing roles is only recommended when the current FSMO holder is permanently offline. In a planned migration, always transfer, not seize.

6. Moving FSMO roles to Windows Server 2022 (PowerShell & ntdsutil)

FSMO roles are special tasks performed by certain DCs. During an Active Directory migration from Windows Server 2019 to 2022, you will typically move all five FSMO roles to a primary 2022 DC.

6.1 PowerShell method (recommended)

# Confirm AD module
Import-Module ActiveDirectory

# Move all roles to DC2022-01
Move-ADDirectoryServerOperationMasterRole -Identity "DC2022-01" `
  -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster

6.2 ntdsutil (alternative)

# ntdsutil example (run from elevated CMD)
ntdsutil
roles
connections
connect to server DC2022-01
quit
transfer schema master
transfer naming master
transfer RID master
transfer PDC
transfer infrastructure master
quit
quit

Key points – FSMO migration

  • Always transfer FSMO roles in a healthy environment.
  • Verify role holders afterwards using netdom query fsmo.
  • Ensure the new FSMO DC is on reliable hardware and well protected.

7. Configuring DNS and Global Catalog on the new domain controller

DNS and Global Catalog configuration often make or break a migration.

7.1 DNS checklist

  • AD-integrated zones replicate correctly to the 2022 DC.
  • Clients receive the new DC’s IP in DHCP DNS settings when appropriate.
  • Reverse lookup zones are created and accurate.
  • Forwarders and conditional forwarders are correctly configured.

7.2 Global Catalog checklist

  • At least one Global Catalog per site (for multi-site forests).
  • New 2022 DC marked as GC if it will replace a previous GC.
  • Universal group membership caching configured correctly for remote sites.

8. Optional: Hybrid identity and Entra ID checks (Graph API)

If you use Microsoft Entra Connect (Azure AD Connect) for hybrid identity, you should validate that synchronization continues to work after your Active Directory migration from Windows Server 2019 to 2022.

8.1 Graph PowerShell – Basic tenant checks

# Install Microsoft Graph module if needed
Install-Module Microsoft.Graph -Scope AllUsers

# Connect to Microsoft Graph with directory read permissions
Connect-MgGraph -Scopes "Directory.Read.All"

# Check synced domains
Get-MgDomain | Select-Object Id, IsVerified, IsDefault

# Optional: Check a synced user (replace UPN)
Get-MgUser -UserId "user@contoso.com" | Select-Object Id, DisplayName, UserPrincipalName

These checks ensure that cloud identity continues to reflect on-premises changes after migrating DCs.
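
The script below extends these checks by measuring how old the tenant's last sync is and spot-checking one synced user's on-premises attributes. It is an added example, not part of the original article; the UPN and the three-hour threshold are placeholders, and it assumes the Microsoft.Graph modules are installed.

```powershell
# Added example: detect a stalled Entra Connect sync after the DC swap.
# Organization.Read.All exposes the tenant sync timestamp; User.Read.All the per-user fields.
Connect-MgGraph -Scopes "Organization.Read.All","User.Read.All"

# Entra Connect's default delta cycle is 30 minutes; three hours leaves slack for maintenance
$maxAge = New-TimeSpan -Hours 3
$org    = Get-MgOrganization | Select-Object -First 1

if (-not $org.OnPremisesSyncEnabled) {
    Write-Warning "Directory synchronization is not enabled on this tenant."
} else {
    $age = [datetime]::UtcNow - $org.OnPremisesLastSyncDateTime
    if ($age -gt $maxAge) {
        # A stale timestamp after migration usually means the Connect server can no longer
        # resolve or authenticate against a DC (see the FAQ below)
        Write-Warning ("Last sync was {0:N0} minutes ago; check the Entra Connect server's DNS and DC connectivity." -f $age.TotalMinutes)
    } else {
        Write-Host ("Tenant sync healthy: last sync {0:N0} minutes ago." -f $age.TotalMinutes) -ForegroundColor Green
    }
}

# Spot-check an on-premises user: OnPremisesSyncEnabled should be True and the
# timestamp should advance after you change an AD attribute on the new 2022 DC
$props = "UserPrincipalName","OnPremisesSyncEnabled","OnPremisesLastSyncDateTime","OnPremisesDistinguishedName"
Get-MgUser -UserId "user@contoso.com" -Property $props | Select-Object $props
```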

FAQs – Hybrid

Q1. Do I need to reinstall Entra Connect after migration?

Usually no, but you must ensure the Entra Connect server can still resolve and authenticate against the new DCs. Update any hard-coded DC names in your configuration if necessary.

9. Post-migration validation checklist

After completing your Active Directory migration from Windows Server 2019 to 2022, run through this quick validation list:

  • All FSMO roles confirmed on Windows Server 2022 DC(s).
  • No persistent replication errors in repadmin /replsummary.
  • dcdiag shows clean health on 2022 DCs.
  • DNS zones and records present and resolving correctly.
  • Users and computers can log in, access resources, and apply Group Policy.
  • Hybrid sync (if used) continues without errors.
  • Old 2019 DCs demoted and removed from Sites and Services and DNS.
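
The DNS items on this list can be checked with Resolve-DnsName as shown below. This is an added example rather than the article's own script; corp.contoso.com and DC2022-01 come from the article, while the old DC name DC2019-01 is an assumed placeholder.

```powershell
# Added example: confirm the DC locator SRV records point at the 2022 DC(s) and that
# the demoted 2019 DC has left no stale records behind. Names are placeholders.
$domain = "corp.contoso.com"
$newDCs = @("DC2022-01.$domain")
$oldDC  = "DC2019-01.$domain"

# Records clients use to locate a DC, a KDC and a Global Catalog
# (the gc record lives under the forest root; here domain and forest root are the same)
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.gc._msdcs.$domain"
)

$problems = @()
foreach ($name in $srvNames) {
    # NameTarget holds the host FQDN of each SRV answer; -contains compares case-insensitively
    $targets = (Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue).NameTarget
    foreach ($dc in $newDCs) {
        if ($targets -notcontains $dc) { $problems += "$name does not list $dc" }
    }
    if ($targets -contains $oldDC) { $problems += "$name still lists demoted DC $oldDC" }
}

# Once the old server has also been removed from the domain, its A record should be gone;
# a leftover record sends clients to a host that no longer answers LDAP or Kerberos
if (Resolve-DnsName -Name $oldDC -Type A -ErrorAction SilentlyContinue) {
    $problems += "A record for $oldDC still exists"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "DNS locator records are consistent with the 2022 DC(s)." -ForegroundColor Green
}
```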

10. Best practices and common pitfalls

10.1 Best practices

  • Use side-by-side migration with new Windows Server 2022 DCs instead of in-place upgrades.
  • Keep at least two domain controllers per critical site.
  • Regularly run dcdiag and repadmin as part of operational health checks.
  • Maintain strong backups and documented recovery procedures.
  • Harden DCs according to Microsoft security baselines.

10.2 Common pitfalls

  • Forgetting to update DHCP DNS options to point clients to the new DCs.
  • Demoting the old DC before replication is healthy.
  • Leaving stale DNS A and SRV records for decommissioned DCs.
  • Using snapshots instead of system state backup for rollback.

11. Global FAQ: Active Directory migration from Windows Server 2019 to 2022

Q1. How long does an Active Directory migration from Windows Server 2019 to 2022 take?

Small, single-site environments can often be migrated in a few hours of hands-on work. Larger, multi-site forests may plan for several days or weeks of phased migration and testing.

Q2. Can I run 2019 and 2022 domain controllers side by side?

Yes. Mixed DC versions are fully supported as long as the forest and domain functional levels support both. This is the recommended way to transition.

Q3. Is it mandatory to move all roles to a single 2022 DC?

No. You can distribute FSMO roles across multiple DCs for resilience. Many small environments keep them all on a single, well-resourced primary DC.

Q4. What if I need to roll back?

This is where system state backups are critical. You can restore a DC to a previous state in an isolated environment to recover lost data or troubleshoot—but avoid regularly rolling back production DCs as it can cause USN rollback issues.

By following this structured 15-step checklist, using the provided PowerShell scripts, and validating each phase with health checks and FAQs, you can complete a safe and predictable Active Directory migration from Windows Server 2019 to 2022 with minimal risk and downtime.
