This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 7.000000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
Hi All
i Have been given a task to migrate domain to new server, currently we have AD DS running on 2012 platform which will be upgraded to 2016. following would be the scenario
current setup:
Site A - primary domain controller running on 2008
Site B - additional DC running on 2012
New setup- (target)
installed new server at site B with 2016 server OS,
looking forward for an expert advice on this, kindly help me to accomplish this with minimal steps without much downtime,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Royal D Costa ,
Thank you for posting here.
First check something
Before we do any change in the existing AD domain environment, we had better do:
1.Check if AD environment is healthy. Check all DCs in this domain is working fine by running Dcdiag /v.
Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum.
2.Check both SYSVOL folder and Netlogon folder are shared by running net share on each DC.
3.Check we can update gpupdate /force on each DC successfully.
4.Back up all domain controllers if needed.
5.We had better perform the DC migration during downtime.
Second
If we want to add 2016 DC into the existing domain, the forest functional level must be at least 2003.
Third: steps
Then everything is working fine, we can do as below:
1.Installed a new WIndows server with 2016 server OS.
2.Add the server 2016 to the domain.
3.Add AD DS and DNS roles on this server 2016 (also as GC).
4.Promote this server 2016 as a domain controller. During promotion, we should select "add a domain controller to the existing domain" and put this DC to "Site B".
5.Check AD environment health again.
6.If everything works fine, we can transfer FSMO roles from 2008 to 2016.
7.If we want to upgrade Domain Controller in Site A - primary domain controller running on 2008 to 2016, we had better perform the same steps above. It is not recommended we perform in-place upgrade operating system from lower operating system version to higher operating system version. It is recommended we add a new Domain Controller to the existing domain and demote the old DC when needed.
8.If the old DCs is also DNS server, before we demote old DCs, we should:
If the old DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
If the old DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the old DC for name resolution.
9.Demote the old DC if needed.
10.Raise the functional level after demoting the old DC if needed.
Tip:
1.If AD replication is working fine, when we add new a DC to the existing domain, after AD replication is complete, all the AD data in all DCs should be the same.
2.If we have installed any other roles in the old Domain Controllers, migrate all the roles if needed.
3.Usually, we want a DC to be just a DC, there is nothing else, because this reduces possible resource conflicts and exploit vulnerabilities and minimizes patching of other applications that might cause downtime.
Ideally, a DC should be easy to replace, just by standing up another DC.
When we put other software and roles on one DC, maybe the DC is harder to replace it.
For example,
If we have a DC with AD CS(it is also a CA server), if there is some issues with this DC and we want to demote this DC, we need to remove AD CS first and then demote this DC.
Hope the information above is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello DaisyZhou-MSFT
Thanks for your valuable advice, you have explained whole task in simplified way. would refer Microsoft documentations as well for further info. continuing further i have a small concern regarding same and your advice will be more helpful.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 1%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYJ%3C/text%3E%3C/svg%3E)
excellent article !!!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
The prerequisite before introducing the first 2016 domain controller is domain functional level needs to be 2003 or higher
I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2016, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.
--please don't forget to Accept as answer if the reply is helpful--
Hello @@Royal D Costa ,
**Q1:**can i add new server as AD DC without upgrading any of the servers in both sites.
**A1:**Yes, for upgrading the DC in the existing domain, we can add a new Windows server with higher OS to the domain and promote the server as DC, then demote the old DC.
Would you please tell us the concerns (maybe the Schema version)?
We can refer to the link below to check what we concerned.
Upgrade Domain Controllers to Windows Server 2016
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers
**Q2:**can the forest level be raised to 2012 after adding new DC, (most of client machines are running on windows 7 OS).
**A2:**Check the following two points, then we can raise forest level.
1.Ensure that all domain functional levels are equal to or higher than the forest functional level;
2.Ensure that the operating system level of all domain controllers is equal to or higher than the domain functional level;
From the following link, we can see:
Forest and Domain Functional Levels
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.
Based on the understanding, if we have Exchange server in AD domain, for the Exchange version, AD forest functional level and AD Domain Controllers version, we can refer to the link below.
Exchange Server supportability matrix
https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019
References:
What is the Impact of Upgrading the Domain or Forest Functional Level?
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-is-the-impact-of-upgrading-the-domain-or-forest-functional/ba-p/399348
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.