Upgrade domain controllers to a newer version of Windows Server
This article provides background information about Active Directory Domain Services in Windows Server and explains the process for upgrading domain controllers (DCs) from an earlier version of Windows Server.
Prerequisites
The recommended way to upgrade a domain is to promote new servers to DCs that run a newer version of Windows Server and demote the older DCs as needed. This method is preferable to upgrading the operating system of an existing DC, which is also known as an in-place upgrade.
Follow these general steps before you promote a server to a DC that runs a newer version of Windows Server:
Verify the target server meets the system requirements.
Verify application compatibility.
Review recommendations for moving to a newer version of Windows Server.
Verify security settings.
Check connectivity to the target server from the computer where you plan to run the installation.
Check for availability of the necessary Flexible Single Master Operation (FSMO) roles in Active Directory. This step is required for the following scenarios:
- To install the first DC that runs the latest Windows Server version in an existing domain and forest, the machine where you run the installation needs connectivity to:
- The schema master to run
adprep /forestprep
. - The infrastructure master to run
adprep /domainprep
.
- The schema master to run
- To install the first DC in a domain where the forest schema is already extended, you only need connectivity to the infrastructure master.
- To install or remove a domain in an existing forest, you need connectivity to the domain naming master.
- Any DC installation also requires connectivity to the RID master.
- If you're installing the first read-only DC in an existing forest, you need connectivity to the infrastructure master for each application directory partition, which is also known as a non-domain naming context.
To find out which server or servers hold which FSMO role, run the following commands in an elevated PowerShell session by using an account that's a member of the Domain Admins group:
Get-ADDomain | FL InfrastructureMaster, RIDMaster, PDCEmulator Get-ADForest | FL DomainNamingMaster, SchemaMaster
- To install the first DC that runs the latest Windows Server version in an existing domain and forest, the machine where you run the installation needs connectivity to:
Installation actions and required administrative levels
The following table provides a summary of the installation actions and the permissions requirements to accomplish these steps.
Installation action | Credential requirements |
---|---|
Install a new forest. | Local admin on the target server |
Install a new domain in an existing forest. | Enterprise admins |
Install another DC in an existing domain. | Domain admins |
Run adprep /forestprep . |
Schema admins, enterprise admins, and domain admins |
Run adprep /domainprep . |
Domain admins |
Run adprep /domainprep /gpprep. |
Domain admins |
Run adprep /rodcprep . |
Enterprise admins |
Supported in-place upgrade paths
Only 64-bit version upgrades are supported. For more information about supported upgrade paths, see Supported upgrade paths.
Adprep - forestprep and domainprep
For an in-place upgrade of an existing DC, you must run adprep /forestprep
and adprep /domainprep
manually. You need to run Adprep /forestprep
only once in the forest for each newer version of Windows Server. Run Adprep /domainprep
once in each domain in which you have DCs that you're upgrading for each newer version of Windows Server.
If you're promoting a new server to a DC, you don't need to run these command-line tools manually. They're integrated into the PowerShell and Server Manager experiences.
For more information on running adprep, see Running Adprep.
Functional-level features and requirements
Windows Server 2019 or later requires a Windows Server 2008 forest functional level as a minimum. Windows Server 2016 requires a Windows Server 2003 forest functional level as a minimum. If the forest contains DCs running an older forest functional level than the operating system supports, the installation is blocked. Those DCs must be removed and the forest functional level raised to a version that's supported before you add newer Windows Server DCs to your forest. For more information about supported functional levels, see Forest and domain functional levels.
Note
No new forest or domain functional levels have been added since Windows Server 2016. Later operating system versions can and should be used for domain controllers. They use Windows Server 2016 as the most recent functional levels.
Roll back functional levels
After you set the forest functional level to a certain value, you can't roll back or lower the forest functional level, with the following exceptions:
- If you're upgrading from Windows Server 2012 R2 forest functional level, you can roll back to Windows Server 2012 R2.
- If you're upgrading from Windows Server 2008 R2 forest functional level, you can roll back to Windows Server 2008 R2.
After you set the domain functional level to a certain value, you can't roll back or lower the domain functional level, with the following exceptions:
- When you raise the domain functional level to Windows Server 2016 and if the forest functional level is Windows Server 2012 or lower, you have the option of rolling the domain functional level back to Windows Server 2012 or Windows Server 2012 R2.
For more information about features available at each of the functional levels, see Forest and domain functional levels.
Active Directory Domain Services interoperability
Active Directory Domain Services isn't supported on the following Windows operating systems:
- Windows MultiPoint Server
- Windows Server Essentials
Active Directory Domain Services can't be installed on a server that also runs the following server roles or role services:
- Microsoft Hyper-V Server
- Remote Desktop Connection Broker
Administration of Windows Server
Use the Remote Server Administration Tools for Windows 10 or later to manage domain controllers and other servers that run Windows Server. You can run the Windows Server Remote Server Administration Tools on a computer that runs Windows 10 or later.
Add a new domain controller with a newer version of Windows Server
The following example shows how to upgrade the Contoso forest from a previous version of Windows Server to a later version.
Join the new Windows Server to your forest. Restart when you're prompted.
Sign in to the new Windows Server with a domain admin account.
In Server Manager, under Add Roles and Features, install Active Directory Domain Services on the new Windows Server. This action automatically runs adprep on the earlier version forest and domain.
In Server Manager, select the yellow triangle. From the drop-down, select Promote the server to a domain controller.
On the Deployment Configuration screen, select Add a domain controller to an existing domain and click next.
On the Domain Controller options screen, enter the Directory Services Restore Mode (DSRM) password and select Next.
For the rest of the screens, select Next.
On the Prerequisite Check screen, select Install. After the restart has completed, sign in again.
On the earlier version of Windows Server, in Server Manager, under Tools, select Active Directory Module for Windows PowerShell.
In the PowerShell window, use the
Move-ADDirectoryServerOperationMasterRole
cmdlet to move the FSMO roles. You can enter the name of each Operation Master Role or use numbers to specify the roles. For more information, see Move-ADDirectoryServerOperationMasterRole.Move-ADDirectoryServerOperationMasterRole -Identity "DC-W2K16" -OperationMasterRole 0,1,2,3,4
To verify the roles were moved, go to the new Windows Server. In Server Manager, under Tools, select Active Directory Module for Windows PowerShell. Use the
Get-ADDomain
andGet-ADForest
cmdlets to view the FSMO role holders.Demote and remove the earlier Windows Server DC. For information on how to demote a DC, see Demoting domain controllers and domains.
After the server is demoted and removed, you can raise the forest functional and domain functional levels to the latest version of Windows Server.