Move FSMO Roles and Upgrade Domain to Windows Server 2016

In this article we will show you how to promote a new domain controller running Windows Server 2016 in an Active Directory domain, move the FSMO roles from an old domain controller (running Windows Server 2012 R2/2008), raise the domain functional level to Windows Server 2016, and then demote the old Windows Server 2012/2008 DC to a domain member server.

We assume that you already have a new server running Windows Server 2016. Our task is to install the Active Directory Domain Services role on it. In our lab, we have an installed domain with one PDC domain controller on Windows Server 2012 R2. We will add the second domain controller with Windows Server 2016 and transfer all the FSMO roles to it.

How to move FSMO Roles from old DC?

To install a domain controller and transfer FSMO roles, your account must be in the Domain Admins and Enterprise Admins groups. You can install the ADDS role from the Server Manager console GUI, but it's much more convenient to install the AD role from the PowerShell console.

On the new server, open an elevated PowerShell console. Import the ServerManager module into the PowerShell session and install the ADDS role and the management tools.

Import-Module ServerManager

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Wait until the ADDS role and management tools have been installed. A server reboot is not required.

To promote this server to a domain controller, run the following command (replace the domain, first DC and site names with your own!):

# Fill in -DomainName and -ReplicationSourceDC (left empty here) and adjust -SiteName before running.
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-ReplicationSourceDC "" `
-SiteName "NewYork" `
-SysvolPath "C:\Windows\SYSVOL"

You must specify the local DSRM password and confirm it. After the role is configured, the server will automatically reboot.


Now you can transfer all (or only a part of) FSMO roles to the new DC.

You can transfer FSMO roles from one DC to another using GUI consoles or via PowerShell. By using PowerShell the transfer becomes much easier.

Make sure that all FSMO roles are located on the old (Windows 2012r2) domain controller:

netdom query fsmo


Now you can transfer all 5 FSMO roles to a new DC:

Move-ADDirectoryServerOperationMasterRole -Identity "dc3-2016" -OperationMasterRole 0,1,2,3,4


After the transfer is complete, make sure that the new DC with Windows Server 2016 is the new FSMO roles owner:

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator

Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

Get-ADDomainController -Filter * |
Select-Object Name, Domain, Forest, OperationMasterRoles |
Where-Object {$_.OperationMasterRoles} |
Format-Table -AutoSize

After transferring all of the roles, you can remove the old DC by demoting it with the following PowerShell commands:

Import-Module ADDSDeployment

Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition

The command prompts you to specify a new password for the local server Administrator.


After the command completes, reboot the server.

The last thing to do is update the functional level of your Active Directory domain to Windows 2016. Make sure that the current domain level is Windows2012R2Domain:

Get-ADDomain | fl Name,Domainmode
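
Before raising the functional level, the checks from the previous steps can be combined into one pre-flight script. This is an added example, not part of the original article; it assumes the single-domain lab described above and the new DC name dc3-2016 used on this page, and relies on the requirement that every DC in the domain runs Windows Server 2016 or later before the domain mode can be raised.

```powershell
# Added example: pre-flight check before Set-ADDomainMode (requires the ActiveDirectory module).
Import-Module ActiveDirectory

# Assumption: "dc3-2016" is the new DC name used on this page; replace it with your own.
$ExpectedOwner = (Get-ADDomainController -Identity 'dc3-2016').HostName

$domain   = Get-ADDomain
$forest   = Get-ADForest
$problems = @()

# 1. All five FSMO roles must be held by the new DC (single-domain forest assumed).
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    SchemaMaster         = $forest.SchemaMaster
}
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -ne $ExpectedOwner) {
        $problems += "$($role.Key) is still held by $($role.Value)"
    }
}

# 2. Every DC in the domain must run Windows Server 2016 or later (OS version 10.x).
foreach ($dc in Get-ADDomainController -Filter *) {
    $major = [int](($dc.OperatingSystemVersion -split '\.')[0])
    if ($major -lt 10) {
        $problems += "$($dc.HostName) runs $($dc.OperatingSystem)"
    }
}

# 3. Report the current mode and the verdict.
"Current domain mode: $($domain.DomainMode)"
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    "Not ready to raise the domain functional level."
} else {
    "All checks passed; the domain is ready for Windows2016Domain."
}
```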

To upgrade the functional level of your AD from 2012r2 to 2016, run the command (put your own domain name in place of the placeholder):

Set-ADDomainMode -Identity "<your-domain-FQDN>" -DomainMode Windows2016Domain

So, in this way we have successfully upgraded the Active Directory domain to Windows Server 2016.

Cyril Kardashevsky


  1. Is there any risk involved in doing an upgrade to Domain Functional Level? Should it be done in a maintenance window?
