This article provides background information about Active Directory Domain Services in Windows Server and explains the process for upgrading domain controllers (DCs) from an earlier version of Windows Server.
The recommended way to upgrade a domain is to promote new servers to DCs that run a newer version of Windows Server and demote the older DCs as needed. This method is preferable to upgrading the operating system of an existing DC, which is also known as an in-place upgrade.
Follow these general steps before you promote a server to a DC that runs a newer version of Windows Server:
Verify the target server meets the system requirements.
Verify application compatibility.
Review recommendations for moving to a newer version of Windows Server.
Verify security settings.
Check connectivity to the target server from the computer where you plan to run the installation.
Check for availability of the necessary Flexible Single Master Operation (FSMO) roles in Active Directory. This step is required for the following scenarios:
adprep /forestprep.
adprep /domainprep.
To find out which server or servers hold which FSMO role, run the following commands in an elevated PowerShell session by using an account that's a member of the Domain Admins group:
Get-ADDomain | FL InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | FL DomainNamingMaster, SchemaMaster
The following table provides a summary of the installation actions and the permissions requirements to accomplish these steps.
Installation action | Credential requirements |
---|---|
Install a new forest. | Local admin on the target server |
Install a new domain in an existing forest. | Enterprise admins |
Install another DC in an existing domain. | Domain admins |
Run adprep /forestprep. | Schema admins, enterprise admins, and domain admins |
Run adprep /domainprep. | Domain admins |
Run adprep /domainprep /gpprep. | Domain admins |
Run adprep /rodcprep. | Enterprise admins |
Only 64-bit version upgrades are supported. For more information about supported upgrade paths, see Supported upgrade paths.
For an in-place upgrade of an existing DC, you must run adprep /forestprep and adprep /domainprep manually. You need to run adprep /forestprep only once in the forest for each newer version of Windows Server. Run adprep /domainprep once in each domain in which you have DCs that you're upgrading for each newer version of Windows Server.
If you're promoting a new server to a DC, you don't need to run these command-line tools manually. They're integrated into the PowerShell and Server Manager experiences.
For more information on running adprep, see Running Adprep.
Windows Server 2019 or later requires a Windows Server 2008 forest functional level as a minimum. Windows Server 2016 requires a Windows Server 2003 forest functional level as a minimum. If the forest contains DCs running an older forest functional level than the operating system supports, the installation is blocked. Those DCs must be removed and the forest functional level raised to a version that's supported before you add newer Windows Server DCs to your forest. For more information about supported functional levels, see Forest and domain functional levels.
Note
No new forest or domain functional levels have been added since Windows Server 2016. Later operating system versions can and should be used for domain controllers. They use Windows Server 2016 as the most recent functional levels.
After you set the forest functional level to a certain value, you can't roll back or lower the forest functional level, with the following exceptions:
After you set the domain functional level to a certain value, you can't roll back or lower the domain functional level, with the following exceptions:
For more information about features available at each of the functional levels, see Forest and domain functional levels.
Active Directory Domain Services isn't supported on the following Windows operating systems:
Active Directory Domain Services can't be installed on a server that also runs the following server roles or role services:
Use the Remote Server Administration Tools for Windows 10 or later to manage domain controllers and other servers that run Windows Server. You can run the Windows Server Remote Server Administration Tools on a computer that runs Windows 10 or later.
The following example shows how to upgrade the Contoso forest from a previous version of Windows Server to a later version.
Join the new Windows Server to your forest. Restart when you're prompted.
Sign in to the new Windows Server with a domain admin account.
In Server Manager, under Add Roles and Features, install Active Directory Domain Services on the new Windows Server. This action automatically runs adprep on the earlier version forest and domain.
In Server Manager, select the yellow triangle. From the drop-down, select Promote the server to a domain controller.
On the Deployment Configuration screen, select Add a domain controller to an existing domain and select Next.
On the Domain Controller options screen, enter the Directory Services Restore Mode (DSRM) password and select Next.
For the rest of the screens, select Next.
On the Prerequisite Check screen, select Install. After the restart has completed, sign in again.
On the earlier version of Windows Server, in Server Manager, under Tools, select Active Directory Module for Windows PowerShell.
In the PowerShell window, use the Move-ADDirectoryServerOperationMasterRole cmdlet to move the FSMO roles. You can enter the name of each Operation Master Role or use numbers to specify the roles. For more information, see Move-ADDirectoryServerOperationMasterRole.
Move-ADDirectoryServerOperationMasterRole -Identity "DC-W2K16" -OperationMasterRole 0,1,2,3,4
To verify the roles were moved, go to the new Windows Server. In Server Manager, under Tools, select Active Directory Module for Windows PowerShell. Use the Get-ADDomain and Get-ADForest cmdlets to view the FSMO role holders.
Demote and remove the earlier Windows Server DC. For information on how to demote a DC, see Demoting domain controllers and domains.
After the server is demoted and removed, you can raise the forest functional and domain functional levels to the latest version of Windows Server.
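The FSMO availability check from the preparation steps and the role verification before demotion can be scripted as one gate. The following is an added example, not Microsoft's code: the function names Get-FsmoRoleHolder and Test-FsmoState are hypothetical, and treating a successful TCP connection to LDAP port 389 as "available" is an assumption. DC-W2K16 is the transfer target used in the Move-ADDirectoryServerOperationMasterRole command above.

```powershell
# Added example, not Microsoft's code. Function names are hypothetical.
# 'DC-W2K16' is the transfer target from the Move command on this page.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # One object per FSMO role with the DC that currently holds it.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $holders = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($role in $holders.Keys) {
        [pscustomobject]@{ Role = $role; Holder = $holders[$role] }
    }
}

function Test-FsmoState {
    param(
        [string]$ExpectedHolder,   # short name or FQDN; omit for the pre-promotion check
        [int]$LdapPort = 389       # assumption: LDAP reachability stands in for availability
    )
    foreach ($entry in Get-FsmoRoleHolder) {
        # Role holders are returned as FQDNs; compare on the host label only.
        $shortName = ($entry.Holder -split '\.')[0]
        $probe = Test-NetConnection -ComputerName $entry.Holder -Port $LdapPort -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role       = $entry.Role
            Holder     = $entry.Holder
            Reachable  = $probe.TcpTestSucceeded
            OnExpected = if ($ExpectedHolder) { $shortName -ieq ($ExpectedHolder -split '\.')[0] } else { $null }
        }
    }
}

# Stage 1, before promotion: every role holder must answer on LDAP.
$pre = Test-FsmoState
if ($pre.Reachable -contains $false) { Write-Warning 'A FSMO role holder is unreachable.' }

# Stage 2, after the move and before demoting the old DC: all five roles on the new DC.
$post = Test-FsmoState -ExpectedHolder 'DC-W2K16'
$post | Format-Table -AutoSize
if ($post.OnExpected -contains $false) {
    throw 'Not all FSMO roles are on DC-W2K16; do not demote the old DC yet.'
}
```

Run only the stage that matches where you are in the procedure; stage 2 throws by design until the role transfer has completed and replicated to the DC you query.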