Hello @Royal D Costa ,
Thank you for posting here.
First: check a few things
Before we make any change in the existing AD domain environment, we had better do the following:
1. Check that the AD environment is healthy. Check that all DCs in this domain are working fine by running Dcdiag /v.
   Check that AD replication works properly by running repadmin /showrepl and repadmin /replsum.
2. Check that both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC.
3. Check that we can run gpupdate /force successfully on each DC.
4. Back up all domain controllers if needed.
5. We had better perform the DC migration during downtime.
Second
If we want to add 2016 DC into the existing domain, the forest functional level must be at least 2003.
Third: steps
When everything is working fine, we can do as below:
1. Install a new Windows server with the Server 2016 OS.
2. Add the Server 2016 to the domain.
3. Add the AD DS and DNS roles on this Server 2016 (also as a GC).
4. Promote this Server 2016 to a domain controller. During promotion, we should select "add a domain controller to the existing domain" and put this DC in "Site B".
5. Check the AD environment health again.
6. If everything works fine, we can transfer the FSMO roles from 2008 to 2016.
7. If we want to upgrade the domain controller in Site A (the primary domain controller running on 2008) to 2016, we had better perform the same steps as above. It is not recommended to perform an in-place upgrade of the operating system from a lower version to a higher version. It is recommended to add a new domain controller to the existing domain and demote the old DC when needed.
8. If the old DCs are also DNS servers, before we demote them we should:
   - If the old DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If required, modify the DHCP scope to reflect the removal of the DNS server.
   - If the old DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the old DC for name resolution.
9. Demote the old DC if needed.
10. Raise the functional level after demoting the old DC if needed.
Tip:
1. If AD replication is working fine, then after we add a new DC to the existing domain and AD replication is complete, the AD data on all DCs should be the same.
2. If we have installed any other roles on the old domain controllers, migrate all those roles if needed.
3. Usually, we want a DC to be just a DC and nothing else, because this reduces possible resource conflicts and exploitable vulnerabilities and minimizes patching of other applications that might cause downtime.
Ideally, a DC should be easy to replace, just by standing up another DC.
When we put other software and roles on one DC, the DC may be harder to replace.
For example:
If we have a DC with AD CS (it is also a CA server) and there are some issues with this DC and we want to demote it, we need to remove AD CS first and then demote the DC.
Hope the information above is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
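The pre-change health checks and the FSMO step described in the answer above, collected into one PowerShell script. This is an added example and is not part of the original answer or of any Microsoft tooling; it assumes it is run as a Domain Admin on a domain-joined machine with the RSAT ActiveDirectory and GroupPolicy modules, that dcdiag.exe and repadmin.exe are on the path, and that the DC name DC2016-SITEB is a placeholder for the new 2016 DC. The FSMO transfer at the end runs with -WhatIf so that the script only reports what it would move.

```powershell
# Added example (not from the original answer): pre-migration AD health checks.
# Assumptions: Domain Admin rights, RSAT modules installed, dcdiag/repadmin available.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$NewDc = 'DC2016-SITEB'   # placeholder name for the new Server 2016 DC

function Test-ForestLevelFor2016 {
    # A 2016 DC needs the forest functional level to be at least Windows Server 2003.
    $forest  = Get-ADForest
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    [pscustomobject]@{ Check = 'ForestFunctionalLevel'; Target = $forest.Name
                       Detail = "$($forest.ForestMode)"; Pass = ([int]$forest.ForestMode -ge [int]$minimum) }
}

function Test-DcDiag { param([string]$Dc)
    # dcdiag /q prints only failures, so empty output means every test passed.
    $errors = & dcdiag.exe /s:$Dc /q 2>&1
    [pscustomobject]@{ Check = 'Dcdiag'; Target = $Dc; Detail = ($errors -join ' '); Pass = (-not $errors) }
}

function Test-Replication { param([string]$Dc)
    # repadmin /showrepl /csv exposes a "Number of Failures" column per replication link.
    $rows   = & repadmin.exe /showrepl $Dc /csv | ConvertFrom-Csv
    $failed = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    $detail = ($failed | ForEach-Object { "$($_.'Source DSA') [$($_.'Naming Context')]" }) -join '; '
    [pscustomobject]@{ Check = 'Replication'; Target = $Dc; Detail = $detail; Pass = ($failed.Count -eq 0) }
}

function Test-SysvolShares { param([string]$Dc)
    # Both SYSVOL and NETLOGON must be shared on every DC (the "net share" check in the answer).
    $missing = @('SYSVOL', 'NETLOGON') | Where-Object { -not (Test-Path -LiteralPath "\\$Dc\$_") }
    [pscustomobject]@{ Check = 'Shares'; Target = $Dc; Detail = ("missing: " + ($missing -join ',')).TrimEnd(': ')
                       Pass = ($missing.Count -eq 0) }
}

function Test-GpUpdate { param([string]$Dc)
    # Equivalent of running gpupdate /force on the DC; Invoke-GPUpdate needs WinRM/Task Scheduler access.
    try {
        Invoke-GPUpdate -Computer $Dc -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Check = 'GpUpdate'; Target = $Dc; Detail = ''; Pass = $true }
    } catch {
        [pscustomobject]@{ Check = 'GpUpdate'; Target = $Dc; Detail = $_.Exception.Message; Pass = $false }
    }
}

function Get-FsmoRoleHolders {
    # Shows where the five FSMO roles currently live before any transfer.
    $forest = Get-ADForest; $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Run every check against every DC in the domain and collect the results.
$dcs     = (Get-ADDomainController -Filter *).HostName
$results = @(Test-ForestLevelFor2016)
foreach ($dc in $dcs) {
    $results += Test-DcDiag -Dc $dc
    $results += Test-Replication -Dc $dc
    $results += Test-SysvolShares -Dc $dc
    $results += Test-GpUpdate -Dc $dc
}
$results | Format-Table Check, Target, Pass, Detail -AutoSize
"Current FSMO role holders:"; Get-FsmoRoleHolders | Format-List

# Only when every check passes does it make sense to move the FSMO roles to the new DC.
# -WhatIf keeps this a dry run; remove it deliberately after reviewing the output above.
if (($results | Where-Object { -not $_.Pass }).Count -eq 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -WhatIf
} else {
    Write-Warning 'One or more health checks failed; fix them before promoting or moving FSMO roles.'
}
```

Run the script once before promoting the new DC (step 5 of the checks above) and again after promotion, when the new DC appears in the Get-ADDomainController output; the replication and share checks then confirm that SYSVOL and the directory partitions have converged on the new DC before any FSMO roles are moved.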