When we stood the environment up, it was all done using Windows Server 1709. Note that this is the Semi-Annual Channel version of Windows Server. Windows Server 2016 is still the Long Term Service Branch version with Windows Server 2019 due out later this year. Since the release of 1709, Microsoft have now released Windows Server 1803 which includes some nice features such as Windows Defender Advanced Threat Protection built right in to the OS. This blog post will look at the process of upgrading the Domain Controllers to Windows Server 1803.
The upgrade from 1709 to 1803 is not scheduled to be released via Windows Update any time soon. To complete the upgrade, you will need the 1803 ISO. I used my MSDN subscription; you can use your own resources to get the ISO.
I completed the upgrade on an Azure VM. Note that this IS NOT SUPPORTED: in-place OS upgrades of Azure VMs are not supported by Microsoft, whose recommendation is to re-provision with the new OS. The process documented here worked and uses the standard upgrade procedure.
You can find details of the new features available in Windows Server 1803 on the Windows Server Blog. Not mentioned there is the fact that Windows Defender Advanced Threat Protection is also baked in to the OS.
The AD Schema is updated from v87 (Windows Server 2016) to v88 (Windows Server 2019) with the 1803 upgrade. This upgrade adds an extra attribute named ms-DS-Preferred-Data-Location to the User, Contact and Group object classes. The attribute appears to relate to Azure AD; more information can be found on Microsoft Docs.
One thing I found from testing was that it is not possible to upgrade an Active Directory Federation Services machine. When running the setup process, an error appears in the XML files advising to provision new servers in the existing farm.
BitLocker – We haven’t covered this yet; however, if you’re encrypting your DCs with BitLocker, this needs suspending before continuing with the upgrade.
Group Memberships – Your administrative account will need to be in the Schema Admins and Enterprise Admins group before you start to perform a schema upgrade.
Upgrading a Domain Controller doesn’t automatically run ADPRep in the same way that installing a new Domain Controller does. As a result, from the 1803 ISO, navigate to DVDDRIVE:\Support\ADPrep\ and execute
This will complete a Schema upgrade. You then have to wait for replication to complete before you carry on. The ADPrep process can be completed from any machine on the network so long as the Schema Master is available and you have the relevant access and ISO.
Once the replication is completed, you’re able to upgrade your Domain Controller. First of all, mount the ISO; it can be stored on a network share. When the ISO is mounted, an error will appear stating that there is no program associated with it. From the root of your DVD drive, execute the following
setup.exe /auto upgrade /dynamicupdate enable /showoobe none
On my small Azure VM, it took around an hour to complete the upgrade. Once the initial upgrade completed (about 10 mins), the server was offline for about 45 minutes. After two reboots, the server came up and I was able to log in; running “ver” returned
Microsoft Windows [Version 10.0.17134.48]
This can also be verified with
Get-ADDomainController -Filter * | sort name | ft name, OperatingSystem, OperatingSystemVersion
name OperatingSystem OperatingSystemVersion
---- --------------- ----------------------
DC01 Windows Server Datacenter 10.0 (17134)
1709 has the version number 16299.
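The checks described above (group membership and BitLocker before adprep, schema version and replication after it, and the OS build per DC afterwards), as an added PowerShell example that is not from the original post. It assumes the ActiveDirectory RSAT module is installed; the BitLocker check is skipped where the BitLocker module is absent.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SchemaUpgradePrereqs {
    # Schema Admins and Enterprise Admins membership is required before adprep runs.
    # Enterprise Admins only exists in the forest root domain, hence the error handling.
    $sam = $env:USERNAME
    foreach ($g in 'Schema Admins', 'Enterprise Admins') {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty SamAccountName
        if ($members -contains $sam) { Write-Host "$sam is a member of $g" }
        else { Write-Warning "$sam is NOT a member of $g" }
    }
    # BitLocker must be suspended on the DC's OS volume before setup.exe is run.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
        if ($os.ProtectionStatus -eq 'On') {
            Write-Warning "BitLocker protection is On for $env:SystemDrive; suspend it first"
        }
    }
}

function Get-SchemaVersion {
    # objectVersion on the schema head: 87 = Windows Server 2016, 88 = 1803 / Windows Server 2019
    param([string]$Server = (Get-ADDomainController -Discover).HostName[0])
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    (Get-ADObject -Server $Server -Identity $schemaNC -Properties objectVersion).objectVersion
}

function Test-SchemaReplicated {
    # adprep raises the version on the Schema Master; every DC must report the
    # same value before you start upgrading the OS on any of them.
    param([int]$Expected = 88)
    $ok = $true
    foreach ($dc in Get-ADDomainController -Filter *) {
        $v = Get-SchemaVersion -Server $dc.HostName
        if ($v -ne $Expected) { Write-Warning "$($dc.Name) still reports schema v$v"; $ok = $false }
        else { Write-Host "$($dc.Name) reports schema v$v" }
    }
    return $ok
}

function Get-DcBuildReport {
    # Build 16299 = 1709, build 17134 = 1803, matching the "ver" output in the post.
    Get-ADDomainController -Filter * | Sort-Object Name |
        Select-Object Name, OperatingSystem, OperatingSystemVersion, @{ n = 'Release'; e = {
            switch -Regex ($_.OperatingSystemVersion) { '17134' { '1803' } '16299' { '1709' } default { 'other' } } } }
}
```

Run Test-SchemaUpgradePrereqs on the machine you will run adprep from, then Test-SchemaReplicated once adprep has finished and before mounting the ISO on the first DC.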
‘appy days, repeat the upgrade process on each of your Domain Controllers and enjoy the rewards from using the latest version of Windows Server.
Security Event Log
So, after using this for a little while, I noticed that the following issue has reappeared:
This issue was fixed in KB4056892 – the January update for 1709; however, this fix has not been applied to 1803. I have raised the issue via the feedback feature for Windows 10, and I have also raised it for the next version of Windows 10.