
How to set up a Windows Server 2022 domain controller

While the process to migrate from a legacy domain controller is not difficult, it does require advanced preparation to avoid connectivity issues and other problems.

Many organizations still have pockets of resistance in the form of outdated, legacy setups that are often in key areas of the on-premises infrastructure, such as domain controllers.

With the recent end of life for Windows Server 2012 and 2012 R2, organizations that have yet to migrate their domain controllers on these OSes should begin this process before the Extended Security Update program for those OSes ends in 2026. A domain controller is a critical piece of network security, and moving this workload to Windows Server 2022 benefits the organization from a management perspective with an improved Active Directory (AD) Administrative Center and enhanced security features.

Migrating domain controllers to Windows Server 2022 is not difficult, but it's important to follow the proper steps closely to avoid mistakes or introducing security vulnerabilities during the upgrade process.

Prepare backups and documentation

When preparing for an upgrade to a Windows Server 2022 domain controller, document all the settings associated with the AD environment. For example, gather all the names and IP addresses of your legacy domain controllers. You should also note the domain controllers that act as global catalog servers, the domain controllers configured as read-only and the domain controllers that act as DNS servers.

It's also a good idea to record the remaining settings, including the domain hierarchy, Group Policy settings and other relevant items.

Create a backup of at least one domain controller in each domain just before the upgrade so that the backup is as current as possible. It is best to back up a domain controller that also acts as a DNS server and hosts the Flexible Single Master Operation (FSMO) roles for the domain.
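The inventory and backup steps above, as an added example that is not part of the original article: the script records the functional levels, FSMO holders, every domain controller's IP address, global catalog and read-only status and whether it answers DNS, backs up all GPOs, and takes a system state backup. It assumes an elevated session on an existing domain controller with the RSAT Active Directory and Group Policy modules; the E: backup target is an assumption to replace with your own volume or UNC path.

```powershell
# Added example (not from the article): pre-upgrade inventory and backup of the AD environment.
# Run in an elevated PowerShell session on an existing domain controller.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$forest = Get-ADForest
$domain = Get-ADDomain
$stamp  = Get-Date -Format yyyyMMdd

# Functional levels and FSMO holders, for the pre-upgrade record
[pscustomobject]@{
    ForestMode           = $forest.ForestMode
    DomainMode           = $domain.DomainMode
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# One row per domain controller: name, IP, OS, site, GC/RODC status, roles, and a DNS check
$inventory = Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.HostName
        IPv4Address     = $_.IPv4Address
        OperatingSystem = $_.OperatingSystem
        Site            = $_.Site
        IsGlobalCatalog = $_.IsGlobalCatalog
        IsReadOnly      = $_.IsReadOnly
        FsmoRoles       = ($_.OperationMasterRoles -join ',')
        # A DC that answers on TCP/53 is acting as a DNS server
        IsDnsServer     = (Test-NetConnection -ComputerName $_.HostName -Port 53 `
                               -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}
$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path "$env:USERPROFILE\dc-inventory-$stamp.csv" -NoTypeInformation

# Back up every GPO so Group Policy settings can be restored independently of the DC backup
$gpoDir = New-Item -ItemType Directory -Path "$env:USERPROFILE\gpo-backup-$stamp" -Force
Backup-GPO -All -Path $gpoDir.FullName | Select-Object DisplayName, Id | Format-Table -AutoSize

# System state backup of this DC (the Windows Server Backup feature must be installed).
# E: is an assumed backup target; use a dedicated volume or UNC path in practice.
Install-WindowsFeature Windows-Server-Backup | Out-Null
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

The CSV and the GPO backup folder are the documentation the section asks for; keep them somewhere other than the domain controllers themselves so they survive a failed upgrade.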

What are the Windows Server 2022 domain controller system requirements?

Before moving forward with the upgrade, it is a good idea to review the system requirements for Windows Server 2022.

At a minimum, you need a 1.4 GHz, 64-bit CPU that supports Second Level Address Translation, 512 MB of RAM -- or 2 GB of RAM when using Desktop Experience -- and 32 GB of disk space. For better performance, especially with larger domains, consider a faster CPU and 4 GB of RAM.

How to create a Windows Server 2022 domain controller

The most common method to upgrade an AD domain to Windows Server 2022 involves bringing a Windows Server 2022 VM online, promoting it to act as a domain controller and phasing out a legacy domain controller.

You can repeat the process until you upgrade all legacy domain controllers. The sections below provide an overview of this process.

How to set up the server's network configuration

Start by installing Windows Server 2022 onto a physical server or VM. When complete, log in to the server, and assign a static IP address within the same subnet as your existing legacy domain controllers. Configure the server to use the domain's existing DNS servers.
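The network configuration described above, together with the checks a practitioner runs before attempting the domain join (DNS locator records resolve, clock skew against a legacy domain controller is small, the required ports are reachable), as an added example that is not part of the original article. The interface alias, IP addresses, domain name and legacy domain controller name are assumptions.

```powershell
# Added example (not from the article): static IP, DNS client settings and pre-join checks
# on the new Windows Server 2022 host. All values below are assumptions; substitute your own.
$Interface  = "Ethernet"
$NewIP      = "10.0.0.20"
$Prefix     = 24
$Gateway    = "10.0.0.1"
$LegacyDns  = @("10.0.0.10", "10.0.0.11")        # DNS servers the domain uses today
$DomainName = "corp.example.com"
$LegacyDc   = "DC01.corp.example.com"

# Replace any DHCP-assigned address with a static one on the legacy DCs' subnet
Set-NetIPInterface -InterfaceAlias $Interface -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Interface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Interface -DestinationPrefix "0.0.0.0/0" -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Interface -IPAddress $NewIP -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $LegacyDns
Get-NetIPConfiguration -InterfaceAlias $Interface

# Check 1: the domain's DC locator SRV records resolve through the configured DNS servers
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
"Domain controllers advertised in DNS: " + (($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')

# Check 2: Kerberos tolerates 5 minutes of clock skew by default, so compare this host's
# clock with a legacy DC before the join (offsets are printed in seconds)
w32tm /stripchart /computer:$LegacyDc /samples:3 /dataonly

# Check 3: ports the join and the later promotion need must be reachable on the legacy DC
foreach ($port in 53, 88, 135, 389, 445, 464, 636, 3268) {
    $ok = (Test-NetConnection -ComputerName $LegacyDc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,5}  {1}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}
```

Any BLOCKED port or a clock offset of more than a few seconds is worth fixing before the rename and join, because both failures surface later as generic "domain not found" or authentication errors that are harder to diagnose.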

How to set the server name

The next step in the process is to assign the server an appropriate name. To do so, open an elevated PowerShell window, and enter the following command:

Rename-Computer -NewName "<new name>"

You need to restart the computer after renaming it.

Figure 1. Assign the new server an appropriate name.

How to join the Windows Server 2022 domain controller to the domain

Next, install any available updates, and then join the server to your AD domain. Make sure the new server's time is correct since clock skew can cause problems with the domain join process.

To join Windows Server 2022 to the domain, open an elevated PowerShell session, and enter the following command:

$Cred=Get-Credential

Windows prompts you to enter a set of credentials for an account with the authority to join the domain.

Next, enter the following command:

Add-Computer -DomainName <your domain name> -Credential $Cred -Restart -Force

This joins the server to the domain and forces the computer to reboot once the domain join finishes. You can see the domain-join process in Figure 2.

Figure 2. Use PowerShell to join the server to the domain.

How to promote the Windows Server 2022 domain controller

Once the server reboots, log in with a domain account.

It's time to promote the server to a domain controller. For the purposes of this article, assume you also want to make the new domain controller a DNS server. Open an elevated PowerShell session, and enter the following commands:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-WindowsFeature DNS
Import-Module ActiveDirectory
Install-ADDSDomainController -InstallDNS -DomainName "<domain name>"

The system prompts you to enter and then confirm a safe-mode password. When complete, the server is promoted to a domain controller and reboots automatically.
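The promotion above with the safeguards a practitioner adds around it, as an added example that is not part of the original article: a dry run with Test-ADDSDomainControllerInstallation before anything changes, the DSRM password read as a SecureString rather than typed into the script, and a post-reboot check that the new server advertises as a domain controller and replicates. The domain and site names are assumptions.

```powershell
# Added example (not from the article): promote the joined server with a prerequisite check
# first, then verify after the automatic reboot. Domain and site names are assumptions.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

$DomainName = "corp.example.com"
$SiteName   = "Default-First-Site-Name"
# The Directory Services Restore Mode password is read interactively, never stored in the script
$DsrmPassword = Read-Host -Prompt "Directory Services Restore Mode password" -AsSecureString

# Dry run with the same parameters as the real promotion; reports blocking issues without changing anything
$check = Test-ADDSDomainControllerInstallation -DomainName $DomainName -SiteName $SiteName `
    -InstallDns -SafeModeAdministratorPassword $DsrmPassword
$check | Format-List Status, Message
if ($check.Status -ne 'Success') {
    throw "Prerequisite check failed; resolve the issues above before promoting."
}

# Real promotion; the server reboots on completion
Install-ADDSDomainController -DomainName $DomainName -SiteName $SiteName -InstallDns `
    -SafeModeAdministratorPassword $DsrmPassword -Force

# --- after the reboot, in a new elevated session on the new DC ---
# Is this server registered as a DC and global catalog, and is inbound replication healthy?
Get-ADDomainController -Identity $env:COMPUTERNAME |
    Select-Object HostName, IsGlobalCatalog, Site, OperatingSystem
repadmin /showrepl $env:COMPUTERNAME
dcdiag /test:Advertising /test:DNS /test:Replications
```

The dry run is the step most often skipped; it catches the common blockers (unreachable DNS, missing permissions, an unsupported schema) while the server is still an ordinary member and trivial to fix.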

Figure 3. Enter the commands to promote the server to a Windows Server 2022 domain controller.

How to transfer the FSMO roles

Since the goal is to upgrade a legacy AD domain, you typically want to transfer the FSMO roles from your legacy domain controllers to your Windows Server 2022 domain controller.

This procedure generally requires a bit of planning, but if you want to move existing roles to the new domain controller, then enter the following command:

Move-ADDirectoryServerOperationMasterRole -Identity "<new domain controller name>" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster

Figure 4. Perform the FSMO role transfer.
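The role transfer above wrapped in a before-and-after check, as an added example that is not part of the original article: it lists the current holders, transfers all five roles, and confirms that the new domain controller reports all of them. The new domain controller name is an assumption.

```powershell
# Added example (not from the article): transfer the five FSMO roles with verification.
# The new DC's FQDN is an assumption. Transferring the schema and domain naming roles
# requires Schema Admins and Enterprise Admins membership respectively.
Import-Module ActiveDirectory
$NewDc = "DC2022.corp.example.com"

"Holders before the transfer:"
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster | Format-List
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster | Format-List

# A transfer contacts the current holder and hands the role over cleanly. Only add -Force
# (which seizes the role) when the current holder is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Verify from the new DC's own object: it should list all five roles
$roles = (Get-ADDomainController -Identity $NewDc).OperationMasterRoles
"Roles now held by ${NewDc}: " + ($roles -join ', ')
if ($roles.Count -ne 5) {
    Write-Warning "Expected 5 roles on $NewDc but found $($roles.Count); check the output above."
}

# Second opinion from the legacy tooling
netdom query fsmo
```

A transfer that silently moved only some of the roles is what the final count guards against; the PDC Emulator in particular should sit on the newest domain controller because it is the domain's authoritative time source and handles password change replication.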

How to update the DHCP server

At this point, the new domain controller is fully functional and also acts as a DNS server. Before you decommission any domain controllers, it's a good idea to update your Dynamic Host Configuration Protocol (DHCP) server. This ensures that when the DHCP server assigns IP addresses to devices or renews their leases, the clients are pointed to the new DNS server rather than the one about to be retired.

As you work through this process, there are a few things to keep in mind. First, you may have some servers, particularly infrastructure servers, with static IP address assignments that require manual updating to adjust the DNS server assignments.

Second, most domains use at least two DNS servers, so you might want to add some additional Windows Server 2022 domain controllers online and configure them to act as DNS servers before updating your DHCP scope.

Third, DHCP leases are not instantly updated. It's common for IP address leases to be in effect for a week or more. After updating your DHCP server with the new DNS IP addresses, you have to wait for all existing leases to expire before you decommission the old DNS servers.
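The three points above (static assignments, more than one DNS server, lease duration) handled in one script, as an added example that is not part of the original article: it shows what each DHCP scope hands out as DNS servers today, switches the scopes to the new domain controllers, reports the longest lease so you know the earliest safe decommission date, and asks every Windows server in the domain which DNS servers it is statically configured with. The DHCP server name, IP addresses and the use of WinRM to reach the servers are assumptions.

```powershell
# Added example (not from the article): move DHCP scopes to the new DNS servers and find
# servers with static DNS settings that still point at a legacy DC. Names/addresses are assumptions.
$DhcpServer = "DHCP01.corp.example.com"
$OldDns     = @("10.0.0.10", "10.0.0.11")   # legacy DCs about to be retired
$NewDns     = @("10.0.0.20", "10.0.0.21")   # Windows Server 2022 DCs running DNS

Import-Module DhcpServer
Import-Module ActiveDirectory

# DHCP option 6 = DNS servers. Record what each scope hands out before changing it.
Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $_.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Scope         = $_.ScopeId
        Name          = $_.Name
        LeaseDuration = $_.LeaseDuration
        DnsServers    = ($opt.Value -join ', ')
    }
} | Format-Table -AutoSize

# Point the server-level default and every scope at the new DNS servers
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -DnsServer $NewDns
Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $_.ScopeId -DnsServer $NewDns
}

# The longest lease sets the minimum wait before the old DNS servers can be retired
$maxLease = (Get-DhcpServerv4Scope -ComputerName $DhcpServer |
    Sort-Object LeaseDuration -Descending | Select-Object -First 1).LeaseDuration
"Clients may still use the old DNS servers until at least $((Get-Date).Add($maxLease))"

# Static assignments: ask each enabled Windows server which DNS servers it is configured with
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' |
    Select-Object -ExpandProperty DNSHostName
Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
        Select-Object @{n = 'Server'; e = { $env:COMPUTERNAME }}, InterfaceAlias,
                      @{n = 'DnsServers'; e = { $_.ServerAddresses -join ', ' }}
} | Where-Object { $row = $_; $OldDns | Where-Object { $row.DnsServers -like "*$_*" } } |
    Format-Table Server, InterfaceAlias, DnsServers -AutoSize
```

The final table is the list of machines that need manual DNS client updates; servers that do not answer WinRM are skipped silently here, so compare the count against the inventory taken before the upgrade.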

How to demote the legacy domain controller

The usual last step is to decommission the old domain controllers, but there may be additional tasks to perform prior to removing these legacy infrastructure components.

After upgrading the domain, there might be additional work, such as raising the forest and domain functional levels. Demoting an old domain controller involves using the Uninstall-ADDSDomainController cmdlet.
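The demotion with the checks that precede it, and the functional level raise that follows once every legacy domain controller is gone, as an added example that is not part of the original article. The legacy domain controller name is an assumption; the demotion itself runs on that server. Windows Server 2022 introduces no new functional level, so the highest available level is Windows Server 2016.

```powershell
# Added example (not from the article): pre-demotion checks, demotion of a legacy DC,
# and raising the functional levels afterwards. The DC name is an assumption.
Import-Module ActiveDirectory
$OldDc = "DC01.corp.example.com"

# 1. The legacy DC must hold no FSMO roles and must not be the last global catalog
$dc = Get-ADDomainController -Identity $OldDc
if ($dc.OperationMasterRoles.Count -gt 0) {
    throw "$OldDc still holds: $($dc.OperationMasterRoles -join ', '); transfer them first."
}
$otherGCs = Get-ADDomainController -Filter * | Where-Object { $_.IsGlobalCatalog -and $_.HostName -ne $OldDc }
if (-not $otherGCs) { throw "No other global catalog exists; promote one before demoting $OldDc." }

# 2. Replication must be clean so the last changes made on this DC are not lost
repadmin /showrepl $OldDc /errorsonly

# 3. Demote (run locally on the legacy DC). The password becomes the local Administrator
#    password of the resulting member server.
$localAdmin = Read-Host -Prompt "Local Administrator password after demotion" -AsSecureString
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdmin -Force

# 4. After every legacy DC is demoted, raise the functional levels from a Windows Server 2022 DC.
#    Raising is one-way, so confirm no pre-2016 DC remains in the forest before running this.
$remaining = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -notmatch '2016|2019|2022' }
if ($remaining) {
    Write-Warning ("Older DCs still present: " + ($remaining.HostName -join ', '))
} else {
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2016Domain -Confirm:$false
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2016Forest -Confirm:$false
    Get-ADDomain | Select-Object DomainMode
    Get-ADForest | Select-Object ForestMode
}
```

Steps 1 and 2 are what turn a demotion from a risky operation into a routine one: a domain controller that still holds a role or unreplicated changes is the classic cause of lingering objects and a broken FSMO holder after decommissioning.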

You can find Microsoft's documentation for the demotion process here.

Brien Posey is a 15-time Microsoft MVP with two decades of IT experience. He has served as a lead network engineer for the U.S. Department of Defense and as a network administrator for some of the largest insurance companies in America.
