Move FSMO Roles and Upgrade Domain to Windows Server 2016


In this article we will show you how to promote a new domain controller running Windows Server 2016 in an Active Directory domain, move the FSMO roles from an old domain controller (running Windows Server 2012 R2/2008), raise the domain functional level to Windows Server 2016, and then demote the old Windows Server 2012/2008 DC to a domain member server.

We assume that you already have a new server running Windows Server 2016. Our task is to install the Active Directory Domain Services role on it. In our lab, we have an existing domain, contoso.com, with one PDC domain controller running Windows Server 2012 R2. We will add a second domain controller running Windows Server 2016 and transfer all the FSMO roles to it.

How to move FSMO Roles from old DC?

To install a domain controller and transfer FSMO roles, your account must be in the Domain Admins and Enterprise Admins groups. You can install the ADDS role from the Server Manager console GUI, but it is more convenient to install the AD role from the PowerShell console.

On the new server, open an elevated PowerShell console. Import the ServerManager module into the PowerShell session and install the ADDS role and the management tools.

Import-Module ServerManager
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Wait until the ADDS role and management tools have been installed. A server reboot is not required.

To promote this server to a domain controller, run the following command (replace the domain, first DC and site names with your own):

Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "contoso.com" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-ReplicationSourceDC "dc.contoso.com" `
-SiteName "NewYork" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

You must specify the local DSRM password and confirm it. After the role is configured, the server will automatically reboot.

Now you can transfer all (or only a part of) FSMO roles to the new DC.

You can transfer FSMO roles from one DC to another using GUI consoles or via PowerShell. By using PowerShell the transfer becomes much easier.

Make sure that all FSMO roles are located on the old (Windows Server 2012 R2) domain controller:

netdom query fsmo

Now you can transfer all 5 FSMO roles to a new DC:

Move-ADDirectoryServerOperationMasterRole -Identity "dc3-2016" -OperationMasterRole 0,1,2,3,4

After the transfer is complete, make sure that the new DC with Windows Server 2016 is the new FSMO roles owner:

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
Get-ADDomainController -Filter * |
Select-Object Name, Domain, Forest, OperationMasterRoles |
Where-Object {$_.OperationMasterRoles} |
Format-Table -AutoSize

After transferring all of the roles, you can remove the old DC by demoting it with the following PowerShell commands:

Import-Module ADDSDeployment
Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition

The command prompts you to specify a new password for the local server Administrator.

After the command completes, reboot the server.

The last thing to do is to raise the functional level of your Active Directory domain to Windows 2016. Make sure that the current domain level is Windows2012R2Domain:

Get-ADDomain | fl Name,Domainmode

To upgrade the functional level of your AD from 2012 R2 to 2016, run the command:

Set-ADDomainMode -Identity contoso.com -DomainMode Windows2016Domain

So, in this way we have successfully upgraded the Active Directory domain to Windows Server 2016.
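
Two steps in this procedure are hard to undo: demoting the old DC and raising the domain functional level. The read-only pre-check below is an added example, not part of the original article. It assumes the new DC name dc3-2016 used above and a session with the ActiveDirectory module loaded. The function names are hypothetical.

```powershell
# Added example: read-only pre-checks. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$NewDC = 'dc3-2016'   # new role holder; name taken from the article's lab

function Test-FsmoOwnership([string]$ExpectedOwner) {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $owners = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    # Owners come back as FQDNs; compare on the host label (case-insensitive).
    $stray = @($owners.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ne $ExpectedOwner })
    $stray | ForEach-Object { Write-Warning "$($_.Key) is still held by $($_.Value)" }
    return ($stray.Count -eq 0)
}

function Test-ReplicationHealthy {
    # Outstanding replication failures mean the DCs do not yet agree on
    # directory state; resolve them before removing a DC.
    $dnsRoot  = (Get-ADDomain).DNSRoot
    $failures = @(Get-ADReplicationFailure -Target $dnsRoot -Scope Domain |
        Where-Object { $_.FailureCount -gt 0 })
    $failures | ForEach-Object {
        Write-Warning "$($_.Server) <- $($_.Partner): $($_.FailureCount) failures, last error $($_.LastError)"
    }
    return ($failures.Count -eq 0)
}

function Get-DCBelow2016 {
    # Windows2016Domain needs every DC in the domain on Windows Server 2016
    # (OS version 10.0) or later. OperatingSystemVersion looks like "6.3 (9600)".
    Get-ADDomainController -Filter * | Where-Object {
        $ver = ($_.OperatingSystemVersion -split ' ')[0]
        [version]$ver -lt [version]'10.0'
    } | Select-Object Name, OperatingSystem, OperatingSystemVersion
}

$rolesOk = Test-FsmoOwnership $NewDC      # run both checks, no short-circuit
$replOk  = Test-ReplicationHealthy
$oldDCs  = @(Get-DCBelow2016)
"Safe to demote the old DC : $($rolesOk -and $replOk)"
"Safe to raise domain level: $($oldDCs.Count -eq 0)"
$oldDCs | Format-Table -AutoSize
```

Run it once before Uninstall-ADDSDomainController and again before Set-ADDomainMode; the second line only turns True after the old DC has been demoted.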