Active Directory Migration to Windows Server 2016


In this article we'll take a closer look at how to migrate an Active Directory domain from Windows Server 2012 R2 to Windows Server 2016.

Suppose you have an Active Directory domain named contoso.com and one domain controller dc.contoso.com. You want to install a new DC dc01.contoso.com with Windows Server 2016, upgrade the Active Directory schema to Windows Server 2016, transfer the FSMO roles to it, and remove the old domain controller. Below you will find a short manual on how to do this.

Install Windows Server 2016 on a new server, assign it a static IP address and host name dc01. Join it to the AD domain.

Using Server Manager, install the Active Directory Domain Services role on the new server.

After the installation, you need to promote the new server to a domain controller (add a domain controller to the existing domain). To do this, you will need an account in the existing domain with Enterprise Admins rights.

Next, specify that this server will act as a DNS server and a global catalog (GC), and set a DSRM (Directory Services Restore Mode) password.

On the Additional Options screen, you need to specify from which domain controller replication will be performed.

After that, leave the remaining settings unchanged unless you have a specific need to change them. Press Next > Next > Next > Install.

Wait for the role to be installed and restart the server. As a result, you will have a new domain controller in the AD.

Force the KCC (Knowledge Consistency Checker) to recalculate the replication topology so that connections with the new domain controller are created:

repadmin /kcc

On each DC check that the synchronization passes without errors:

repadmin /syncall /AeS
repadmin /replsum

Start the Active Directory Users and Computers snap-in, and verify that a new domain controller has been added to the root OU Domain Controllers.

After adding a new DC with Windows Server 2016, the AD Schema Version automatically switches to 87 (Upgrading Active Directory Schema).

Now you can migrate the Active Directory FSMO roles to the new DC. The easiest way is to transfer all FSMO roles using PowerShell:

Move-ADDirectoryServerOperationMasterRole -Identity "dc01" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster

Using the following command, you can verify that all the FSMO roles were successfully moved to the new DC:

netdom query fsmo

Once again, start replication on all DCs:

repadmin /syncall /AeS
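
The checks described so far (FSMO role holders, global catalog, schema version 87, clean replication) can be combined into one gate to run before touching the old DC. This is an added example, not part of the original article: the function name Test-DcReadyForDemotion is hypothetical, the host names are the article's dc01.contoso.com and dc.contoso.com, and it assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: gate to run before demoting the old DC. Needs the ActiveDirectory module.
# Test-DcReadyForDemotion is a hypothetical helper name, not a built-in cmdlet.
Import-Module ActiveDirectory

function Test-DcReadyForDemotion {
    param(
        [Parameter(Mandatory)][string]$NewDC,   # FQDN, e.g. dc01.contoso.com
        [Parameter(Mandatory)][string]$OldDC    # FQDN, e.g. dc.contoso.com
    )
    $problems = @()
    $domain = Get-ADDomain -Server $NewDC
    $forest = Get-ADForest -Server $NewDC

    # 1. All five FSMO roles must be reported on the new DC.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -ne $NewDC) { $problems += "$($r.Key) is still held by $($r.Value)" }
    }

    # 2. The new DC must be a global catalog before GC is cleared on the old one.
    $newDcInfo = Get-ADDomainController -Identity $NewDC -Server $NewDC
    if (-not $newDcInfo.IsGlobalCatalog) { $problems += "$NewDC is not a global catalog" }

    # 3. Schema objectVersion 87 is the Windows Server 2016 schema.
    $schemaNC = (Get-ADRootDSE -Server $NewDC).schemaNamingContext
    $version  = (Get-ADObject $schemaNC -Server $NewDC -Properties objectVersion).objectVersion
    if ($version -lt 87) { $problems += "Schema version is $version, expected 87" }

    # 4. Neither DC may have outstanding replication failures.
    foreach ($dc in $NewDC, $OldDC) {
        foreach ($f in (Get-ADReplicationFailure -Target $dc -Scope Server)) {
            if ($f.FailureCount -gt 0) {
                $problems += "$dc cannot replicate from $($f.Partner): error $($f.LastError)"
            }
        }
    }

    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

Test-DcReadyForDemotion -NewDC 'dc01.contoso.com' -OldDC 'dc.contoso.com'
```

Proceed with removing the old DC only when Ready is True; otherwise resolve each entry in Problems and run the check again.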

Now you can start removing the old domain controller. First, disable the Global Catalog role on it. To do this, open the Active Directory Sites and Services snap-in, expand the Sites folder, then Default-First-Site-Name, then Servers, and finally select your old DC.

Click NTDS Settings for the old server and select Properties. In the window that appears, clear the Global Catalog checkbox and click OK.

This completes the migration of Active Directory. Now you can uninstall the ADDS role from the old domain controller. After that, when you open the Active Directory Users and Computers snap-in, you will see that there is only one (new) domain controller left, running Windows Server 2016.

After decommissioning the old server, do not forget to run:

repadmin /kcc
repadmin /syncall /AeS
repadmin /replsum

That's all. You've successfully moved your domain to Windows Server 2016!
