This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 38%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWC%3C/text%3E%3C/svg%3E)
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust (Hybrid Cloud Trust Deployment (Preview))
In the above article, one of the prerequisites is listed as "Fully patched Windows Server 2016 or later Domain Controllers".
In our on-premise, both our PDC and Secondary DC are still running server 2012 r2 though we just spun up a new DC server 2016.
To comply with the prerequisites, do we have to upgrade all DCs to server 2016, or do we only need one server 2016?
Appreciated!
Woody
Since any DC can be used, I would ensure they are at the required 2016 level plus latest updates.
Thanks for your quick Andy.
We should also raise the domain functional level to Server 2016 after upgrading our Server 2012 r2 servers prior to proceeding to install the on-premise Azure Kerberos server object, correct?
I dont see that as a requirement, but if you are upgrading the DCs to 2016, then I would raise to the forest and domain to 2016 as well - as that is the latest and you and take advantage of any new features now and down the road:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels#windows-server-2016-domain-functional-level-features
@Woody Chiu at RASI
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Hi Andy,
Thank you!
We are in the progress of upgrading all DCs to Server 2016 prior to installing the Kerberos Server Object.
Any one of the DCs can be used to install the Kerberos Server Object as long as that particular DC has the Azure AD Kerberos PowerShell module loaded for executing the PowerShell commands, correct?
Woody