Adding a Windows Server 2019/2016 Domain Controller

KB ID 0001262

Problem

Once upon a time, adding a domain controller running a newer version of Windows Server meant opening a command line and preparing the schema, the domain and Group Policy by hand (adprep). Now all of this happens in the background while the wizard does the heavy lifting for you.

Solution

2008 to 2019

2008 to 2016

Obviously the server needs to be a domain member first!

  • For Server 2019 the Forest and Domain Functional Levels need to be at least ‘Windows Server 2008’. (The documentation says 2008 R2, but Server 2008 also works flawlessly.)
  • For Server 2016 the Forest and Domain Functional Levels need to be at least ‘Windows Server 2003’.
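
The two prerequisites above as a PowerShell pre-flight check; this is an added example, not part of the original article. It assumes the new member server has the RSAT ActiveDirectory module installed and uses the version-to-minimum-level mapping stated above (2019 needs 2008, 2016 needs 2003).

```powershell
# Added pre-flight check (not from the original article). Run it on the new
# member server; it needs the RSAT ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

function Test-DcPromotionPrereqs {
    param(
        # Version of Windows Server you are about to promote.
        [ValidateSet('2016', '2019')]
        [string]$NewDcVersion = '2019'
    )

    # Lowest DFL/FFL each version accepts (2019: 2008, 2016: 2003), plus the
    # functional-level names in ascending order so they can be compared by rank.
    $minimum = @{ '2016' = 'Windows2003'; '2019' = 'Windows2008' }[$NewDcVersion]
    $order   = @('Windows2000', 'Windows2003Interim', 'Windows2003', 'Windows2008',
                 'Windows2008R2', 'Windows2012', 'Windows2012R2', 'Windows2016')
    $rank = { param($mode) [array]::IndexOf($order, ("$mode" -replace '(Domain|Forest)$', '')) }

    $result = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. The server must already be a domain member.
    $result.DomainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    if (-not $result.DomainJoined) {
        Write-Warning 'Not domain-joined: join the domain before promoting.'
        return [pscustomobject]$result
    }

    # 2. Functional levels. A level of Windows2000 ranks below both minimums, which
    #    is the case where the promotion fails outright.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $result.DomainFunctionalLevel = "$($domain.DomainMode)"
    $result.ForestFunctionalLevel = "$($forest.ForestMode)"
    $result.DomainLevelOk = (& $rank $domain.DomainMode) -ge [array]::IndexOf($order, $minimum)
    $result.ForestLevelOk = (& $rank $forest.ForestMode) -ge [array]::IndexOf($order, $minimum)

    # 3. DNS must still hand out DC locator records for the domain; a member whose
    #    DNS client points only at a retired DC fails here.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" `
                           -Type SRV -ErrorAction SilentlyContinue
    $result.DcSrvRecords = @($srv | Where-Object { $_.Type -eq 'SRV' }).Count

    $result.ReadyToPromote = $result.DomainLevelOk -and $result.ForestLevelOk -and
                             ($result.DcSrvRecords -gt 0)
    [pscustomobject]$result
}

Test-DcPromotionPrereqs -NewDcVersion '2019' | Format-List
```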

Before You Start!

Remember, if your ‘retiring’ domain controller is also a DNS/DHCP server you will need to address that too, and make sure you don’t have a service or device that queries the old domain controller directly (RADIUS devices, firewalls, RSA appliances, proxy filters, security door software, etc.).

Procedure

With a vanilla install, Server Manager will open every time you boot (unless you’ve disabled it!). To open it manually, run ‘servermanager.exe’ > Manage > Add Roles and Features.

I usually tick the ‘Skip this page by default’ option > Next.

Role Based… > Next.

Ensure the local server is selected, (if you are managing another server, you can of course do the role install from here as well, but let’s keep things simple) > Next.

Select Active Directory Domain Services > Next.

Next.

Next.

Ensure ‘Restart’ is selected > Next.

Next.

Promote Windows Server To Domain Controller

Back in Server Manager > In the ‘Notifications’ section, click the warning triangle > ‘Promote This Server To Domain Controller’.

Assuming you already have a domain and this is not a greenfield install > Add a domain controller to an existing domain > Next.

Type and confirm a Directory Services Restore Mode (DSRM) password; make it something you will remember in a crisis, or store it securely somewhere > Next.

This is fine. You see this error because the wizard is trying to create a delegation for this DNS zone, and there isn’t a Windows server above you in the DNS hierarchy. For example, if your domain name is petelnetlive.co.uk, I do not have access to create a delegation in the .co.uk domain space. (So you can safely ignore it) > Next.

If you have a backup of AD you can ‘Install From Media’. This used to be handy on remote sites that had awful bandwidth, as it saved you having to replicate a large Active Directory over a ‘pants’ connection > I’ve not had to do that in a long time > Next.

Unless you want to change the default AD install locations > Next.

Next.

Read any warnings > Install.

Go and have a coffee. We ticked ‘Restart’ earlier, so once the install completes the server will reboot and come back up as a domain controller.

You will notice (if you’re interested) that your schema version is now 88 (Server 2019) or 87 (Server 2016).
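
The same procedure driven from PowerShell rather than the wizard, as an added example that is not the article's own code: steps 1 and 2 run on the member server (it reboots at the end of step 2), and step 3 runs once it comes back up as a DC and checks the schema version quoted above. The domain name, the admin account and the IFM path are placeholders.

```powershell
# Added example (not from the original article): the wizard steps as PowerShell.
# corp.example.com and CORP\Administrator are placeholders for your own values.

# Step 1: 'Add Roles and Features' > Active Directory Domain Services.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: 'Promote this server to a domain controller', with the same choices as
# the walk-through above: existing domain, DNS server, no delegation attempt
# (the warning the wizard shows), default paths, restart when done.
$promote = @{
    DomainName                    = 'corp.example.com'                  # placeholder
    Credential                    = Get-Credential 'CORP\Administrator' # placeholder, Domain Admin
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    SafeModeAdministratorPassword = Read-Host -AsSecureString -Prompt 'DSRM password'
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    NoRebootOnCompletion          = $false    # same as ticking 'Restart'
    Force                         = $true     # no confirmation prompt
}
# For the 'Install From Media' route add: InstallationMediaPath = 'D:\IFM' (path assumed)
Install-ADDSDomainController @promote

# Step 3: run after the server has rebooted as a DC. Confirms the schema was
# extended (88 = Server 2019, 87 = Server 2016) and that replication is healthy.
function Get-AdSchemaVersion {
    Import-Module ActiveDirectory
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
}

$known   = @{ 88 = 'Server 2019'; 87 = 'Server 2016' }
$version = Get-AdSchemaVersion
$label   = if ($known.ContainsKey($version)) { $known[$version] } else { 'other' }
"Schema version $version ($label)"
repadmin /replsummary
dcdiag /test:Advertising
# DNS client order after promotion (127.0.0.1 is added, but not necessarily first)
Get-DnsClientServerAddress -AddressFamily IPv4
```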

Find out your Domain Schema Version

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

69 Comments

  1. Amazing guide. Excellent Job.

  2. Thank you mister!
    Very clean guide.

    • You’re Welcome ThanQ 🙂

  3. Wow, this is what I would have expected to be available from Microsoft directly.
    Great Job, thank you!

  4. What about adprep commands? Should we be running them on the previous domain controller such as Server 2008 R2?

    • No not any more, it’s all handled for you 🙂

  5. Apologies if this qualifies as a non-smart question, but is the process of adding a Server 2016 DC to 2008 R2 a solid process that should work without any caveats or warnings?
    I have a 2008 R2 domain raised to the highest FFL/DFL.

    Hate to be overly cautious, but it never hurts to ask.

  6. Excellent walkthrough. Thank You.

  7. The crucial part is to have a coffee after rebooting the machine 😀

    Many thanks, it was very helpful!

  8. This is very nice. Say, I have a Windows Server 2012 as my primary AD, and I do these steps; can I turn off my old 2012 AD and make 2016 my new primary, and add a 2nd 2016 as a backup, following all these steps again?

    • You would need to demote the 2012 DC before you powered it down, there’s not really a concept of Primary and Backup any more, that’s NT4 terminology. There are FSMO roles but they will move gracefully if you demote your old 2012 DC before you retire it.

      Pete

  9. It’s very helpful. Thanks for sharing

  10. just used this and it still works like a charm.

  11. Thank you VM! Great article

  12. In a domain with a Domain Controller running Windows 2003, can we introduce a Windows 2016 Domain Controller with no issues? Will servers running Windows 2003 (don’t ask 🙂 ) have issues?

    We have 1 DC (windows 2003) plan is to raise Domain and Functional level to 2016.

    1. install 2016 server, raise as DC
    2. switch all the FSMO roles to the new server
    3. install a 2nd 2016 server, raise as DC
    4. demote the 2003 DC
    5. decommission the 2003 server
    6. Raise the Domain and Functional level (in steps, 1st to 2008 R2, then 2012 R2 and finally to 2016)

    Question is, if we have Windows 2003 servers in the environment, will there be any issues?

    • You should be fine, a 2016 DC will support a 2003 Domain and Forest Functional Level, (check yours is NOT set to 2000 or the upgrade will fail!)

      P

  13. Thank you for this how-to.
    We currently have 4 DCs in our environment, 1 2008R2, 2 2012R2 and 1 2016.
    One of the warnings that appeared was about migrating from FRS to DRS. Will demoting and removing the 2008R2 resolve that issue on its own, or will a migration still happen? Also will the same happen with regards to the KB 942564?

  14. I am going to give these instructions a run for their money. This weekend I am adding a Windows 2016 server to a 2008 R2 domain. I will let you know how it goes. Is there any consideration for the current desktops, or do they just go on as they were? I mean first they log in to a 2008 domain, then when I am done they will be logging into a 2016 domain. Anything to be concerned about? Thank you ahead of time. Wish me luck! TFI

    • That should be fine, make sure the domain and forest functional levels are not something daft like Windows Server 2003 first mind! Your clients won’t really care, replacing old servers with new servers is not really a problem until you have OLD clients talking to shared folders on new servers, (as SMB1 no longer works). But that won’t affect your domain controllers. In fact watch this space, I might put another video up in this post before the weekend to walk you through it.

  15. We have 2008R2 DC and i have already joined 2016 to the domain. The tree is 2008R2. The 2008R2 is DC and DNS but not DHCP. It does delegate printers with group policy, and has Windows Update Services working.

    My plan is to add the 2016 as a DC, move the master roles to the 2016, then demote the 2008R2, then finally remove it totally.

    Then finally format, and install 2016 on the old 2008R2, and add it back as a second DC.

    I can change the DNS setting in my DHCP server for the workstations to work.

    What about Windows Update Services?

    What about Printer Deployment — Group Policy 2008 is currently printer server.

    • I would simply install WSUS from scratch on a new server? You can migrate printers by installing the print server role on the new server and doing an import/export from the NEW print server, though if the old one has a lot of x32 bit drivers on it, it’s usually quicker to start from scratch.

  16. What about the DNS nic settings on the new Windows 2016/2019 server that will become your new domain controller? I’ve got one 2008R2 DC and another 2012R2 DC. I will be demoting the 2008R2. For the new 2019 server, I will point the primary DNS to the 2012R2 DC initially to join the domain. At what point do you modify the Primary DNS on the 2016/2019 server to point to itself? Is this done before, or after adding Active Directory roles?

    • Typically after it’s promoted you will see 127.0.0.1 added automatically, (but it won’t be at the top of the list), I manually change this afterwards, so it looks to itself FIRST after it’s been promoted.
      P

  17. Hi, great video tutorial, but I don’t understand why you don’t change the forest functional levels to at least Windows 2016 in the 2019 new DC in your video (2008 to 2016)

    Why can we not choose the 2019 forest functional level on the 2019 PDC?
    Must we change the forest functional level step by step?

    Thank you

    • Because in all my time, the only time I’ve ever needed to change a DFL or a FFL is when I’m ‘about’ to upgrade something, why change it ‘after’ I’ve upgraded something (as it’s non-reversible)? I’ve never been picked up in an audit because my DFL or FFL was too old. 🙂 Why potentially break something that can’t be fixed, for the sake of cosmetics? (just my $0.02).

  18. Hello Pete. I realize this is an older article. But I have a question regarding multiple domain controllers. We have 8 DCs in our domain. If I replace the DC which holds the FSMO roles with a 2016 DC and transfer the FSMO roles to the 2016 DC, do I have to upgrade the remaining 2008 DCs immediately? Or can that be done later?

    Thanks in advance for your help.

      • Thanks for your quick response. After adding the 2016 DC and transferring roles, does that in itself raise the functional levels? Or is that done manually?

        Also, a question that was posed to me today. Is it possible to change the IP address of a DC? I remember being told in the past that changing the IP address was not allowed. We have some apps that point to the address of the DC which currently holds all of the FSMO roles. The thought is we could change the IP address of the current DC, assign that IP address to the 2016 DC and assign a new IP address to the 08 DC. Is this just asking for trouble?

        • You need to raise the levels manually.

          If you change the IP on a DC (with or without FSMO roles,) simply reboot it afterwards.

          Pete

          • Thanks a lot for your quick response. So, we will just wait until the last of the 08 DCs have been removed and raise the functional levels.

          • Correct.

  19. Another question. For the computer accounts that were using the old dc as a logon server, is there a quick way to point them to the new dc other than restarting each computer?

    • There’s no need to, Active Directory has been a multi-master environment since Windows 2000.

  20. Hi PeteLong,
    Good afternoon,
    after demoting 2008R2 shall we use it as a domain member as a normal data server?

    • It’s not supported so retire it 🙂

  21. Hi Petelong,
    After successful addition of the Server 2019 domain controller, I will demote the domain controller from the 2008R2 server. We need to use this as a domain member because we have some data on this older server.
    Can I access this server as a normal domain member to access the data by changing the domain functional level? OR
    can it not be connected to the domain at all once after demotion?
    Please clarify

    BR
    Pradeep

    • It CAN be used as a member server, But your modern operating systems won’t be able to access SMB shares on it, (Windows 10 and newer, and Windows 2016 and newer.) As they block SMB1.
      Move your files onto a newer server and get rid of this one. You can keep it if you want, but you just said there’s something important on it, if it’s not important enough to put on a supported operating system, then that’s your call buddy.

      P

  22. Peter, my network contains five domain controllers. The one that holds the FSMO roles is running Windows Server 2008 R2, there are three other DCs that run Windows Server 2008, and the last DC runs Windows Server 2008 R2. The current domain functional level is 2008 and the forest level is also 2008. I tried raising the domain functional level to 2008 R2 but I got the message “…because this domain includes Active Directory Domain Controllers that are not running the appropriate versions of Windows”. I think I cannot raise the domain functional level to 2008 R2 because there exist three DCs that run Windows Server 2008.

    I plan to join a Server 2019 standard as a member server and then promote it to be a DC. As per your article, I think I should be able to promote my server2019 as a DC to my domain, correct?

    • I’ve deployed a 2019 DC with the functional levels at 2008 (not 2008 R2) and It worked.

      • Hi Peter, I also have similar scenario with promote 2019 server to 2012R2 AD, do we need to do something in 2012R2 primary Domain controller before adding 2019 as DC ? Thanks!!

        • No, as long as your functional levels are correct.

  23. Great article and instructions! However, I have a question about FSMO roles. Will all FSMO roles be automatically transferred to the newer DC if the schema is raised to the level of the new server during this process, i.e. Server 2019. This article is exactly the scenario that I will be performing within a couple of weeks when I install a 2019 server and retire an old 2008 server. Thank you in advance for your reply.

  24. Thanks for the great video. Quick question.
    I have a Windows 2012 R2 DC with the below forest and domain functional levels:
    DFL: 2012 R2
    FFL: 2008
    Can I add a 2019 DC server without making any changes to the FFL?

    • I’ve done it myself, even though the documentation says 2008 R2, however why do you want to keep the FFL at 2008?

      P

  25. Everything seemed to work great until I tried to demote the 2008R2 server with dcpromo, then I got an error: “The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

    • Cancel DCPromo > Locate the FSMO role holders from the 2008 DC > Ensure replication between the new and old DCs is completing without error.

  26. Hi, what is the estimated time to add a Windows 2019 Active Directory to replace the Windows 2008 R2: prepare the forest and domain, move all FSMO roles, raise the domain and forest functional levels, replication time (70 users), move the DHCP from Windows 2008 R2 and remove the Windows 2008 R2? I need an approximate time.

    After that I will have to move the Azure AD Connect (estimate time please)

    and NPS Migration from 2008R2 to 2019 (estimate time please)

    • Prep Forest/Domain & Add 2019 & migrate FSMO – 1.5 hours (Single Site, Add another couple of hours if you have a complex domain)
      Move DHCP – 20 minutes
      Move AD connect. – 40 minutes
      NPS Migration – Depends on what’s using NPS! You can backup an NPS config on one server and restore it to another, but changing all the things that use NPS will take the time.

      • Thanks Pete. Do I have to pay attention to something during the process?

        • just do them one job at a time

  27. Succinct! Extraordinarily helpful! Thanks enormously

  28. Hi PeteLong,

    Thank you for the detailed and clear explanation. We had 3 DCs in the environment, 2 as hosts on VMs, and 1 additional DC (non-VM) running Windows Server 2008 R2. Due to hardware failure, the VMs are down and the ADC is now the Primary DC and holds all the FSMO roles. The current domain functional level is Windows Server 2003. I will be adding a new server with Windows Server 2019 Standard. We will have a mix of Windows 2010 and Windows 7 client machines and my intention is to run both Windows Server 2008 R2 and Windows Server 2019 on the network. Will this work? Just to confirm, does the domain functional level need to be Windows Server 2008 before I promote Windows Server 2019 to DC?

  29. Hi, Pete. I’m about to upgrade from a SBS2008 (Exchange 2007) domain to 2019. I was so happy to find this article, as I was thinking I’d have to completely rebuild the domain. My question is about Exchange. Can Exchange 2007 co-exist for a short amount of time with a 2019 DC or do I need to shut down and remove Exchange 2007 before installing ADDS on the 2019 server?

    Much thanks for all you do!

    Deb

    • I can’t think of a reason why you would have a problem, but if you’re ‘risk averse’ do the Exchange migration first.

  30. Hello Pete, my primary domain controller is a Server 2008 Standard SP2. I have also another one as a backup domain controller, Server 2008 R2. I am planning to upgrade to a 2019 DC. But I have in my environment also one Server 2008 R2 with Exchange 2010 SP3. On the Microsoft website I found that a 2019 DC is not compatible with Exchange 2010 SP3, what best practice do you suggest in my case?

    Thank you in Advance

    • Exchange 2010 Went end of support in January! Upgrade that first.

      P

  31. Hi Pete,

    Many thanks for great article. I am planning to embark on the following journey but wanted final sanity check:

    CURRENT ENVIRONMENT
    2 DCs Windows 2012 R2 – Hyper V
    DFL & FFL – Windows 2008 R2
    All member servers in the domain mixture of 2012 R2 and 2019

    PLAN
    1. Raise DFL and FFL to 2012 R2
    2. Add 2019 DC
    3. Transfer FSMO roles
    4. Demote DC1 – that had the FSMO roles then decommission
    5. Add second 2019 DC
    6. Demote 2nd 2012 R2 DC
    7. Raise DFL and FFL to 2019

    Anything wrong with this? Is this plan safe and workable?

    Many thanks

    • Looks good but point 7 you might struggle with, they don’t exist 🙂 2016 is as high as you can go, (at time of writing.)

      • Thanks Pete. Some more questions:

        1. Is there a benefit in actually doing step 1 and 7? I hear there is no value to gain since 2008 R2 and later are the same?

        2. Can I leave it as it is?

        3. BTW, in your experience what can go wrong when raising FFL & DFL? We do not have Exchange or anything that depends on those things.

        • Great Questions!
          1. They are not really the same, there were a few KDC updates with 2012, 2012R2 added additional security and NTFS improvements, etc.
          2. Realistically yes, as long as you don’t need any claims based KDC, or extended SPN support.
          3. IN MY EXPERIENCE, I’ve never seen upgrading DFL/FFL break anything EVER, I’ve seen the upgrade procedure throw an error that needed things to be fixed before you can raise the levels properly, but I’ve never seen anything break. I’ve even raised clients DFL/FFL without telling them in the past, (because I know how risk averse they are, and it was easier to just get it done.)

          • Many thanks as ever Pete!

            Final questions:

            1. GUI or Powershell?
            2. Do I need to raise it to 2012 first or straight to 2012 R2 i.e. step increments?

          • 1. Not really fussed, doesn’t matter.
            2. You can go to 2012 R2 directly I believe, if it’s an option in the GUI then it’s available.
