Adding a Windows Server 2019/2016 Domain Controller

KB ID 0001262

Problem

Once upon a time, adding a domain controller that was running a newer version of the Windows Server family involved opening command line and schema prepping, and GP prepping etc. Now all this happens in the background when adding a 2019 domain controller and the wizard is doing the heavy lifting for you.

Solution

2008 to 2019 Domain Controller

2008 to 2016 Domain Controller

Obviously the server needs to be a domain member first!

  • For Server 2019 Forest and Domain Functional levels need to be at ‘Windows Server 2008‘. (The documentation says 2008 R2, but Server 2008 also works flawlessly).
  • For Server 2016 Forest and Domain Functional levels need to be at ‘Windows Server 2003‘.

Before You Start!

Remember if your ‘retiring’ domain controller is also a DNS/DHCP server you will also need to address that, and make sure you don’t have a service or device that queries the old domain controller directly (Radius Devices, Firewalls, RSA Appliances, Proxy Filters, Security door software, etc).

Procedure: Deploy a 2019 Domain Controller

With a vanilla install Server Manager will open every time you boot, (unless you’ve disabled it!) To open it manually, run ‘servermanager.exe’  > Manage > Add Roles and Features.

2016-server-manager

I usually tick the ‘Skip this page by default’ option > Next.

2016 Server Adding Roles

Role Based… > Next.

Windows Server 2016 Roles

Ensure the local server is selected, (if you are managing another server, you can of course do the role install from here as well, but let’s keep things simple) > Next.

2016 Server Add Local Role

Select Active Directory Domain Services > Next.

2016 Active Directory Role

Next.

2016 Domain Controller Adding

Next.

Active Directory Services 2016

Ensure ‘Restart’ is selected > Next.

008-2016-add-active-directory

Next.

009-role-installed

Promote Windows Server To Domain Controller

Back in Server Manager > In the ‘Notifications’ section, click the warning triangle > ‘Promote This Server To Domain Controller’.

010-2016-promote-to-domain-controller

Assuming you already have a domain, and this is not a greenfield Install > Add a domain controller to an existing domain > Next.

011-2016-dcpromo

Type and confirm a Directory Services Restore Mode Password (DSRM,) make it something you will remember in a crisis, or store it securely somewhere > Next.

012-2016-dsrm-password

This is fine, You see this error because it’s trying to create a delegation for this DNS zone, and there isn’t a Windows server above you in the DNS hierarchy. For example if your domain name is petelnetlive.co.uk > Then I do not have access to create a delegation in the .co domain space. (So you can safely ignore) > Next

013-2016-dns-delegation

If you have a backup of AD you can ‘Install From Media’. This used to be handy on remote sites that had awful bandwidth, as it saved you having to replicate a large Active Directly over a ‘pants’ connection > I’ve not had to do that in a long time > Next.

2016 Active Directory Install From Media

Unless you want to change the default AD install locations > Next.

2016 AD install Location

Next.

Review 2016 Domain Install

Read any warnings  > Install

2016 Domain Pre-Requisites

Go have a coffee, we ticked ‘reboot’ earlier so it will complete, then reboot the server, which will come back up as a domain controller.

Reboot Domain Controller

You will notice, (if you’re interested,) that your schema version is now 88 (Server 2019), or 87 (Server 2016).

Schema Version 88 2019

 

2016 Schema Version

Find out your Domain Schema Version

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

96 Comments

  1. Amazing guide. Excellent Job.

    Post a Reply
  2. Thank you mister !
    Very clean guide.

    Post a Reply
    • You’re Welcome ThanQ 🙂

      Post a Reply
  3. Wow, this is what I would have expected to be available from Microsoft directly.
    Great Job, thank you!

    Post a Reply
  4. What about adprep commands? Should we be running them on the previous domain controller such as Server 2008 R2?

    Post a Reply
    • No not any more, it’s all handled for you 🙂

      Post a Reply
  5. Apologies if this qualifies as a non-smart question but is the process of adding a server 2016 DC to 2008r2 a solid process that should work without any caveats or warnings?
    I have a 2008r2 domain raised to highest FFL DFL.

    Hate tp be overly cautious but never hurts to ask.

    Post a Reply
  6. Excellent walkthrough. Thank You.

    Post a Reply
  7. The crucial part is to have a coffe after rebooting the machine 😀

    Many thanks, it was very helpful!

    Post a Reply
  8. This is very nice. Say, I have a Windows Server 2012 as my primary AD, and I do this steps, can I turn off my old 2012 AD and make 2016 my new primary, and add a 2nd 2016 as a backup, following all these steps again?

    Post a Reply
    • You would need to demote the 2012 DC before you powered it down, there’s not really a concept of Primary and Backup any more, that’s NT4 terminology. There are FSMO roles but they will move gracefully if you demote your old 2012 DC before you retire it.

      Pete

      Post a Reply
  9. It’s very helpful. Thanks for sharing

    Post a Reply
  10. just used this and it still works like a charm.

    Post a Reply
  11. Thank you VM! Great article

    Post a Reply
  12. in a Domain Controller running Windows 2003, can we introduce a Windows 2016 Domain Controller with no issues? Will servers running Windows 2003 (don’t ask 🙂 ) have issues ?

    We have 1 DC (windows 2003) plan is to raise Domain and Functional level to 2016.

    1. install 2016 server, raise as DC
    2. switch all the FSMO roles to the new server
    3. install a 2nd 2016 server, raise as DC
    4. demote the 2003 DC
    5. decommission the 2003 server
    6. Raise the Doamin and Functional level (in steps 1st to 2008 R2, then 2012 R2 and finally to 2016)

    question is if we have windows 2003 servers in the environment, will there be any issues

    Post a Reply
    • You should be fine a 2016 DC will support a 2003 Domain and Forest Functional Level, (check your’s is NOT set to 2000 or the upgrade will fail!)

      P

      Post a Reply
  13. Thank you for this how to.
    We currently have 4 DCs in our environment, 1 2008R2, 2 2012R2 and 1 2016.
    One of the warnings that appeared was about migrating from FRS to DRS. Will demoting and removing the 2008R2 resolve that issue on its own, or will a migration still happen? Also will the same happen with regards to the KB 942564?

    Post a Reply
  14. I am going to give these instructions a run for their money. This weekend I am adding a Windows 2016 server to a 2008 r2 domain. I will let you know how it goes. is there any consideration for the current desktops, or do they just go on as they were. I mean first they login to a 2008 domain, then when I am done they will be logging into a 2016 domain. Anything to be concerned about? thank you ahead of time. Wish me luck! TFI

    Post a Reply
    • That should be fine make sure the domain and forest functional levels are not something daft like windows server 2003 fist mind! Your clients wont really care, replacing old servers with new servers is not really a problem until you have OLD clients taking for shared folders on new servers, (as SMB1 no longer works). But that wont affect your domain controllers. In fact watch this space, I might put another video up in this post before the weekend to walk you though it.

      Post a Reply
  15. We have 2008R2 DC and i have already joined 2016 to the domain. The tree is 2008R2. The 2008R2 is DC and DNS but not DHCP. It does delegate printers with group policy, and has Windows Update Services working.

    My plan is to add the 2016 as a DC, move the master roles to the 2016, then demote the 2008R2, then finally remove it totally.

    Then finally format, and install 20016 on the old 2008R2, and add it back as a second dc.

    I can change the DNS setting in my DHCP server for the workstations to work.

    What about Windows Update Services?

    What about Printer Deployment — Group Policy 2008 is currently printer server.

    Post a Reply
    • I would simply instal WSUS from scratch on a new server? You can migrate printers by installing the print server role on the new server and doing an import/export from the NEW print server, though if the old one has a lot of x32 bit drivers on it, it’s usually quicker to start from scratch.

      Post a Reply
  16. What about the DNS nic settings on the new Windows 2016/2019 server that will become your new domain controller? I’ve got one 2008R2 DC and another 2012R2 DC. I will be demoting the 2008R2. For the new 2019 server, I will point the primary DNS to the 2012R2 DC initially to join the domain. At what point do you modify the Primary DNS on the 2016/2019 server to point to itself? Is this done before, or after adding Active Directory roles?

    Post a Reply
    • Typically after it’s promoted you will see 127.0.0.1 added automatically, (but it wont bye at the top of the list), I manually change this afterwards, to is looks to itself FIRST after it’s been promoted.
      P

      Post a Reply
  17. Hi , great video tutorial , but, i don’t undestand why , you don’t change the forest functional levels to at least Windows 2016 in the 2019 new DC in your video ( 2008 to 2016)

    Why we cannont choose 2019 forest functional level in the 2019 PDC
    We must change forest functional level step by step ?

    Thank you

    Post a Reply
    • Because in all my time, the only time I’ve ever needed to change a DFL or a FFL is when I’m ‘about’ to upgrade something, why change it ‘after’ I’ve upgraded something (as its non reversible), I’ve never been picked up in an audit because my DFL or FFL was to old. 🙂 Why potentially break something that cant be fixed, for the sake of cosmetics? (just my $0.02).

      Post a Reply
  18. Hello Pete. I realize this is an older article. But, i have a question regarding multiple domain controllers. we have 8 DCs in our domain. If I replace the Dc which holds the fsmo roles with a 2016 DC and transfer the fsmo roles to the 2016 Dc, do I have to upgrade the remaining 2008 DCs immediately? Or can that be done later?

    Thanks in advance for your help.

    Post a Reply
      • Thanks for your quick response. After adding the 2016 DC and transferring roles, does that in itself raise the functional levels? Or is that done manually?

        Also, a question that was posed to me today. Is it possible to change the IP address of a DC? I remember being told in the past that changing IP address was not allowed.we have some apps that point to the address of the dc which currently holds all of the fsmo roles. The thought is we could change the ip address of the current dc, assign that ip address to the 2016 dc and assign a new ip address to the 08 dc. is this just asking for trouble?

        Post a Reply
        • You need to raise the levels manually.

          If you change the IP on a DC (with or without FSM|O roles,) simply reboot it afterwards.

          Pete

          Post a Reply
          • Thanks a lot for your quick response. So, we will just wait until the last of the 08 DCs have been removed and raise the functional levels.

          • Correct.

  19. Another question. For the computer accounts that were using the old dc as a logon server, is there a quick way to point them to the new dc other than restarting each computer?

    Post a Reply
    • Theres no need to, Active Directory has been a multi master environment since Windows 2000.

      Post a Reply
  20. He PeteLong,
    Good afternoon,
    after demoting 2008R2 shall we use it as domain member as normal data server?

    Post a Reply
    • It’s not supported so retire it 🙂

      Post a Reply
  21. Hi Petelong,
    After success full addition of server2019 domain controller, i will demote domain controller from 2008R2 server we need to use this as domain member because we have some data on these older server.
    i can use access this server as normal domain member to access the data by changing the domain functional level? OR
    it cannot be connected to domain at all once after demotion?
    pls clarrify

    BR
    Pradeep

    Post a Reply
    • It CAN be used as a member server, But your modern operating systems wont be able to access SMB shares on it, (Windows 10 and never, and Windows 2016 and newer.) As they block SMB1.
      Move your files onto a newer server and get rid of this one. You can keep it if you want, but you just said theres something important on it, if it’s not important enough to put on a supported operating system, then that’s your call buddy.

      P

      Post a Reply
  22. Peter, my network contains five domain controllers. The one that holds FSMO role is running Windows Server 2008 R2, and there are three other DCs that run Windows server 2008, and the last DC runs Windows server 2008 R2. The current domain functional level is 2008 and the forest level is also 2008. I tried raising domain functional level to 2008 R2 but I got the message” ….because this domain includes Active Directory Domain Controllers that are not running the appropriate versions of Windows. I think I cannot raise domain functional level to 2008R2 becuse there exists three DCs that run Window server 2008.

    I plan to join a Server 2019 standard as a member server and then promote it to be a DC. As per your article, I think I should be able to promote my server2019 as a DC to my domain, correct?

    Post a Reply
    • I’ve deployed a 2019 DC with the functional levels at 2008 (not 2008 R2) and It worked.

      Post a Reply
      • Hi Peter, I also have similar scenario with promote 2019 server to 2012R2 AD, do we need to do something in 2012R2 primary Domain controller before adding 2019 as DC ? Thanks!!

        Post a Reply
        • No, as long as you functional levels are correct.

          Post a Reply
  23. Great article and instructions! However, I have a question about FSMO roles. Will all FSMO roles be automatically transferred to the newer DC if the schema is raised to the level of the new server during this process, i.e. Server 2019. This article is exactly the scenario that I will be performing within a couple of weeks when I install a 2019 server and retire an old 2008 server. Thank you in advance for your reply.

    Post a Reply
  24. Thanks for the great video. Quick question.
    I have a Windows 2012R2 DC with the below forest and domain functional level
    DFL:2012 r2
    FFL: 2008.
    Can I add a dc 2019 server without making any changes in the FFL?

    Post a Reply
    • I’ve done it myself, even though the documentation says 2008 R2, however why do you want to keep the FFL at 2008?

      P

      Post a Reply
  25. Everything seemed to work great until I tried to demote the 2008R2 server with dcpromo then I got a error. “The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

    Post a Reply
    • Cancel DCPromo > Locate the FSMO role holders from the 2008 DC > Ensure replication between the new and old DCs is completing without error.

      Post a Reply
  26. Hi what is the estimate time to add Windows 2019 active directory to replace the Windows 2008 R2, prepare the forest and domain move all fsmo role raise functionnal domain and forest replication time (70 Users) and move the DHCP from Windows 2008 R2 and remove the Windows 2008 R2 I need a approximative time

    after that i will have to move the Azure AD connect (estimate time please)

    and NPS Migration from 2008R2 to 2019 (estimate time please)

    Post a Reply
    • Prep Forest/Domain & Add 2019 & migrate FSMO – 1.5 hours (Single Site, Add another couple of hours if you have a complex domain)
      Move DHCP – 20 minutes
      Move AD connect. – 40 minutes
      NPS Migration – Depends on what’s using NPS! You can backup an NPS config on one server and restore it to another, but changing all the things that use NPS will take the time.

      Post a Reply
      • Thanks Pete Do I have to pay attention to Something during the processus

        Post a Reply
        • just do them one job at a time

          Post a Reply
  27. Succinct! Extraordinarily helpful! Thanks enormously

    Post a Reply
  28. Hi PeteLong,

    Thank you for the detailed and clear explanation. We had 3 DC in the environment, 2 as a host on VM, and 1 additional DC (Non-VM) running Windows Server 2008 R2. Due to hardware failure, the VM’s are down and the ADC in now the Primary DC and holds all the fsmo roles. The current domain functional level is windows server 2003. I will be adding a new server with windows server 2019 standard. We will have a mix of windows 2010 and windows 7 client machines and my intention is to run both windows server 2008 R2 and windows server 2019 on the network. Will this work? just to confirm does the domain functional level need to be windows server 2008 before I promote windows server 2019 to DC.

    Post a Reply
  29. Hi, Pete. I’m about to upgrade from a SBS2008 (Exchange 2007) domain to 2019. I was so happy to find this article, as I was thinking I’d have to completely rebuild the domain. My question is about Exchange. Can Exchange 2007 co-exist for a short amount of time with a 2019 DC or do I need to shut down and remove Exchange 2007 before installing ADDS on the 2019 server?

    Much thanks for all you do!

    Deb

    Post a Reply
    • I cant think of a reason why you would have a problem, but if your ‘risk averse’ do the Exchange migration first.

      Post a Reply
  30. Hello Pete ,my primary domain controller is a Server 2008 Standard Sp2 .I Have also another one as backup domain controller Server 2008 R2 ,Iam planning to upgrade to 2019 DC .But i Have in my enviroment also one Server 2008 R2 with Exhange 2010 Sp3 ,In Microsoft website i found that 2019 Dc is not compatible with Exhange 2010 sp3 ,what best practice you suggest in my case?

    Thank you in Advance

    Post a Reply
    • Exchange 2010 Went end of support in January! Upgrade that first.

      P

      Post a Reply
  31. Hi Pete,

    Many thanks for great article. I am planning to embark on the following journey but wanted final sanity check:

    CURRENT ENVIRONMENT
    2 DCs Windows 2012 R2 – Hyper V
    DFL & FFL – Windows 2008 R2
    All member servers in the domain mixture of 2012 R2 and 2019

    PLAN
    1. Raise DFL and FFL to 2012 R2
    2. Add 2019 DC
    3. Transfer FSMO roles
    4. Demote DC1 – that had the FSMO roles then decommission
    5. Add second 2019 DC
    6. Demote 2nd 2012 R2 DC
    7. Raise DFL and FFL to 2019

    Anything wrong with this? is this plan safe and workable?

    Many thanks

    Post a Reply
    • Looks good but point 7 you might struggle with, they don’t exist 🙂 2016 is as high as you can go, (at time of writing.)

      Post a Reply
      • Thanks Pete. Some more questions:

        1. Is there a benefit in actually doing step 1 and 7? I hear there is no value to gain since 2008 R2 and later are the same?

        2. Can I leave it as it is?

        3. btw, in your experience what can go wrong when raising FFL & DFL? we do not have exchange or anything that depend on those things.

        Post a Reply
        • Great Questions!
          1. They are not really the same, there were a few KDC updates with 2012, 2012R2 added additional security and NTFS improvements, etc.
          2. Realistically yes, as Long as you don’t need any claims based KDC, or extended SPN support.
          3. IN MY EXPERIENCE, I’ve never seen upgrading DFL/FFL break anything EVER, I’ve seen the upgrade procedure throw an error that needed things to be fixed before you can raise the levels properly, but I’ve never seen anything break. I’ve even raised clients DFL/FFL without telling them in the past, (because I know how risk averse they are, and it was easier to just get it done.)

          Post a Reply
          • Many thanks as ever Pete!

            Final questions:

            1. GUI or Powershell?
            2. Do I need to raise it to 2012 first or straight to 2012 R2 i.e. step increments?

          • 1. Not really fussed doesn’t matter.
            2. You can go to 2012R2 directly I believe, if its an option in the GUI then it’s available.

  32. Wow Pete! This is a great write up. You’ve obviously helped a lot of folks. Do you know of any tools that can help me trouble ADPrep issues that I’m running into? I’m going from Windows 2008 R2 DCs to Windows Server Standard 2019 DCs. Reviewing the ADPrep log indicates access denied issues and such, but I’ve exhausted all my troubleshooting and short of opening up a call to Microsoft – I’d thought I’d try to use some tool to assist me. Any suggestions are appreciated.

    Post a Reply
    • Problems are usually related to ‘rights’ and the server you are on can you run ADPrep on the Schema Master manually!

      P

      Post a Reply
  33. Cheers Pete.
    Haven’t seen any of your videos in years, saw a link to this page and thought, yep I remember following his guides donkeys ago for 2003 server when it first came out and seeing you when I was on experts exchange many moons ago. Nice to see your still at it and still creating nice simple but well documented how too docs and videos. Keep up the good work.

    Roy from redcar

    Post a Reply
    • Hi Roy thanks for the feedback, I’m usually in Redcar on a Wednesday for my guitar lessons! Been a long journey since server 2003 🙂

      Post a Reply
  34. Hey Pete, lots of prompt responses in there, good on you. I believe my answer is in there in some form or another, but thought I’d ask directly if you could spare a moment.

    1. I’ve inherited a very locked down, 1 DC only isolated forest. Windows 2008 R2 physical. Has file server shares on it and printers. Very poorly Windows patched over years but I don’t believe that will impact AD update.

    2. I’ve added a Windows 2019 member server a month back to this isolated forest, Robocopying user files over and syncing daily, its a physical server. Going to promote it next week. DFRS is being used already. Ultimately I’ll add a second 2019 DC in due course.

    3. I was going to do the adprep and domainprep manually the day before, so that if anything goes wrong I know exactly where. I’ll have a system state backup ready locally on the old server. Finger-crossed no issues!

    To run it manually, do I need to run the adprep commands from the 2008R2 server?

    Reason I’m asking, is that i understand the Schema and Domain are updated automatically when you promote the windows 2019 member to a DC FROM the 2019 server using ADDS role, BUT what I’ve read elsewhere suggests you have to run the update commands from the 2008R2 box when you do a MANUAL upgrade….is that right?

    What I was going to do was copy the support folder from the Win2019 DVD over onto the windows 2008R2 box and run ADPREP from there….

    Any tips appreciated buddy,
    Coop

    Post a Reply
    • Your methodology seems sound – remember good backups first!
      And you should be able to run those commands from the 2019 box

      Post a Reply
  35. Hi, great article. Any issue having 2003 member servers in the domain, 2008r2 functional level, then adding 2019 DCs. I am not changing the functional level, just trying to get rid of the 2008 DCs

    Post a Reply
    • Cant see a problem remember you older servers might be running SMB1 so newer servers and client wont be able to access file shares etc. on them.

      Post a Reply
  36. Thanks for all your documentation. It has helped a lot of us. One question I have is can you re-use the same name and ip address of the domain controllers. Say I introduce a new 2019 DC and then demote an older one and then rename that 2019 DC to the demoted name and give it the same ip?

    Post a Reply
    • Yes you can – you will need to reboot the DC after the rename and let a full domain wide replication happen before you stop getting odd sync errors logged though.

      Post a Reply
  37. Appreciate the great write-up. A+

    Post a Reply
  38. Hello,

    General question. We currently have 2 2003 DC’s primary and backup. I’m installing a 2016 server to promote to the new primary DC. Do I need to demote and decommission the backup 2003 DC before I attempt the upgrade of the primary?

    Post a Reply
    • Your domain and forest functional levels need to be at 2008, so if they are your only domain controllers then put in a 2008 one first, then demote them.

      Post a Reply
  39. Hi Pete,

    Thanks for video, answers to comments are even better. Found lots of helpful info. Still I have mine :).

    My case is forest with 2 domains mixed with 2008/2008r2. 2x DCs in each. Forest x 2DC contains domain1 x 2DC, domain2 x 2DC

    1. What should I upgrade first? start with forest DCs or from domain DCs?
    2. At what time of upgrade it’s recommended to raise domain/forest levels?
    3. GPOs will sync correctly despite of such gap between of OS versions?

    Thank you for video and article. Hoping for the answer too.

    Post a Reply
    • Forest functional levels need to be updated before domain functional levels so that should answer #1
      #2 The you’ve finished, and removed any non comforting domain controllers.
      #3 I’m not sure why you think that may not?

      Post a Reply
  40. Hi Pete and all,
    Indeed an amazing and to-the-point article.
    Would you be so kind to let me know what would be the steps in our situation:
    We have 4 DC controllers with DNS and DHCP roles, two for one region and two for the other, all running 2008R2. One is main.
    How do I replace them one by one? Do I start with the main one as in this video and then move to replacing others? Does that mean that in one moment, I will be running all on single 2019DC, before I starting to add others?
    Any advice is good.
    Thank you.

    Post a Reply
    • The model is “multi master’ so it does not matter what order you do them in, personally I would do the FSMO role holding servers first. but you don’t have to!

      Post a Reply
  41. Hi Pete.
    I only had 1 dc (2012R2). I have joined another dc (2019) and plan to join another 2019 after moving all the fsmo roles to the new one.
    My question is, should I untick the global catalog option from the new DC I plan to move the fsmo roles to ?
    Currently both the old and the 1 new dc are global catalog enabled.

    Im a bit lost here, based on the MS article:

    Do not put the Infrastructure master role on the same DC as the global catalog server. If the Infrastructure master runs on a global catalog server, it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.

    To test whether a DC is also a global catalog server follow these steps:

    Select Start > Programs > Administrative Tools > Active Directory Sites and Services.
    In the navigation pane, double-click Sites and then locate the appropriate site or select Default-first-site-name if no other sites are available.
    Open the Servers folder, and then select the DC.
    In the DC’s folder, double-click NTDS Settings.
    On the Action menu, select Properties.
    On the General tab, view the Global Catalog check box to see whether it is selected.

    Post a Reply
    • You only really need one GC in a ‘site’ so yes you can untick the option from subsequent DCs. With that said, 99.9% of every client I visit, all their DCs are also GCs and the world is not on fire.

      P

      Post a Reply
  42. Thank you for your service!
    SBS 2008 with Exchange running. We have migrated exchange to the cloud already. Any issues with adding 2019 and or demoting the SBS server while that is still part of AD?

    Thank you.

    Post a Reply
    • Wow SBS I’ve not encountered that for a while! Make sure all the roles on the SBS server are migrated, Cert Services, SQL If In use, SharePoint if in use, DHCP, etc. Transfer your FSMO roles off the SBS Box then demote it (make sure you remove Exchange gracefully, and as you’re in 365 I’m assuming you have an additional on premises Exchange server? (Otherwise you may rip out all the domain exchange schema extensions). (If that happens its a quick fix, supposedly).

      P

      Post a Reply
  43. Hello Pete, This an incredible article and what i like the most is your prompt responses to everyone’s query. Salute Man!

    I need to do a quick check for my next project. The environment has 3 2K12R2 DC’s and FFL/DFL are set to 2K8R2.I require at least windows server 2016 in order to support Windows hello for Business Key trust.

    I guess based on this article, I just need to add windows server 2016 and promote as DC,transfer the FSMO role and might raise the functional levels to 2K12. I hope it would not impact the existing infrastructure in any way. Please provide your feedback.

    Post a Reply
    • Hi, It’s been about twenty years since I’ve actually seen raising a functional level break something (Exchange 2000!) I see no flaw in your plan 🙂

      P

      Post a Reply
  44. Hi, great article as usual, ive got a strange issue where ive got a 2012 R2 domain with 4 sites that all have 2012 R2 domain controllers, i have created 4 new 2019 servers and promoted them to DC’s with no issues and everything replicates fine etc, im at the point now i would like to demote and retire off the old 2012 R2 servers, i tried this at one site and no one could log in, rebooted their laptops and still the same just sat whirling on welcome, reboot the 2019 server and log in while its rebooting with no issues as it picks up a 2012 r2 server at the other sites, but as soon as the 2019 server at that site is up they restart and try to login and back to the same, replication is working fine with no issues but i have noticed users will only ever have a 2012 r2 server as their logoin server it never seems to use the 2019 ones, the FSMO roles all still sit on a 2012 r2 server but that wasn’t the one i wa strying to demote, is there anything you could think of that would cause this? for instance do the FSMO roles need to sit on a 2019 server for the other 2019 server to be able to be used as logon servers

    Post a Reply
    • DHCP scopes sending out the wrong DNS severs?

      Post a Reply
  45. does raising the Domain and Forest Functional levels break anything? for instance some UNIX/Linux services requiring to use keytabs for kerberos auth broke unless remediated first when raising the FFL/DFL from Server 2003 to Server 2008. Am interested to know if similar issues exist with domain and functional level uplift from Server 2008 to Server 2016 from your expereince?

    Thank you.

    Post a Reply
    • I’ve not seen DFR/FFR raising break anything since the days of Exchange 2000. Raising from 2008 stopes you using ADMT – so that had to make some fundamental changes (but was reversible regardless of what you read).

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *