Adding first Windows Server 2016 Domain Controller within Windows 2003/2008/2012 domain environment
The first and the most important part within preparation phase is… installing Windows Server 2016 server. If you do not have it installed, you would not be able to promote it as DC 🙂
This topic does not cover Windows Server 2016 installation process, so you should do this by yourself.
To be able to configure Windows Server 2016 Domain Controller within Windows 2003/2008/2012 domain environment we need to check if Forest Functional Level is set up at least in Windows 2003 mode. This is the lowest allowed Forest Functional Level for Windows Server 2016 Domain Controller. That means, Windows 2000 DCs are not supported anymore. Microsoft does not support them with cooperation with 2012 and 2016 Domain Controllers. It’s time to forget about these old operating systems.
If you do not know how to identify current domain or forest functional level, please follow this article on my blog Determine DFL and FFL using PowerShell
In case of need to raise them, please follow:
You are ready to go with the first Windows Server 2016 Domain Controller installation process
Preparation for Domain Controller promotion
Just before we can go with Domain Controller promotion, we need to identify 2 FSMO Role owners for:
- Schema Master
- Infrastructure Master
These 2 role owners must be online and need to be accessible by our new Windows Server. It is required because from Windows Server 2012 forest and domain preparation is done in a background and the entire schema and domain extensions might be done by wizard itself, which is really convenient.
That’s right, there is no more adprep tool needed to be used manually by administrator. Everything can be covered by promotion wizard!
To check which Domain Controller(s) hold appropriate FSMO roles, you can follow one of below steps:
- use command line netdom utility
netdom query fsmo
and check the output
- use PowerShell cmd-lets
and check servers holding particular role
- you can give a try to my new C# application written recently
- follow any other way you wish, to enumerate the roles
We collected almost all necessary information to start AD preparation for the first Windows Server 2016 Domain Controller. The last and the most important part before we start preparation, is checking Forest/Domain condition by running:
- dcdiag tool for environment’s health status
- repadmin tool for environment’s replication status
Run in command-line on a DC:
dcdiag /e /c /v /f:c:\dcdiag.log
review log file and check if there are no errors. If so, please correct them (in case that your forest/domain has a lot of Domain Controllers, please skip /e switch)
now run in command-line:
repadmin /showrepl /all /verbose >c:\repadmin.log
to check if your DCs are replicating data without errors.
For more about Active Directory Troubleshooting Tools check one of my articles on this blog
After those checks, you can start with Active Directory preparation.
Adding first Windows Server 2016 Domain Controller
Before we start preparing AD for new Windows Server 2012 DC, we need to be sure that we are members of:
- Enterprise Administrators group
- Schema Administrators group
These 2 groups membership is required to extend forest schema and prepare domain(s) for new DC’s deployment.
Install your new box with Windows Server 2012 and configure its IP address correspondingly to your network settings and change default server name to yours.
Remember that it’s very important to properly configure Network Card settings to be able to promote your new box as domain controller!
The most important part of configuring NIC is setting up DNS server(s). Point your new box to one of the existing Domain Controllers where you have installed and configured DNS or any other DNS server responsible for your domain’s DNS zone.
After you verified IP settings, you can start server promotion to Domain Controller. However, you cannot use old good known dcpromo command as it is not valid anymore.
Open Server Manager console (if it was not already opened) and click on “Add roles and features” on Dashboard screen
Using default settings in a wizard go up to “Server roles” step (in this article those steps are not described. You may expect their description in another article) and select Active Directory Directory Services role. Accept also default features which are required during installation
confirm you wish to install all required tools to manage domain from this server after promotion
Verify if check box is in proper place and go to the next step
On “Features” screen also go to the next step as we do not need more at this step to be installed. All required features will be installed as you accepted them a little bit earlier
Skip this step as it refers to Active Directory in Azure which is not part of this guide
Read information about role you are installing and go to confirmation screen to install it
Wait some time until selected role is being installed before you will be able to promote server to Domain Controller
Now, when role is installed, you can see in notification area an exclamation mark. It tells you that post-installation steps might be required
Click on it to see what can be done. You will see that now, you can promote your server to Domain Controller and information that features were installed successfully
OK, let’s start server promotion to Domain Controller! Click on “Promote this server to a domain controller” and you will see a wizard.
As we are adding Domain Controller into existing domain, we need to select proper option. It is selected by default, however, please ensure if you can see that “Add a domain controller to an existing domain” is selected
On the screen when you are prompt to provide domain in which new Domain Controller is promoted click on select button
You will be asked to provide credentials to discover available domains. Provide Enterprise Administrator credentials and go to the next step
You can provide credentials using User Principal Name or user name followed by NetBIOS domain name
When your credentials are appropriate you get a window with all available domains. Select this one in which you want to introduce Windows Server 2016 Domain Controller and click “OK“
You should see a screen with all provided details from previous steps
Define if server should be DNS server and Global Catalog. I would strongly recommend installing both roles on each Domain Controller in your environment. Select a Site to which this DC should belongs to and define Directory Services Restoration Mode (DSRM) password for this DC.
Important! DSRM password needs to be remembered as it is different than domain administrator’s and is unique for every Domain Controller (if not configured to be replicated from model account in a domain – this is not a part of this guide)
If you have DNS delegation in place, update it here, or skip and do this later
In”Additional options” you can define if you want to install this Domain Controller from Install From Media (IFM) (if you have it) and point from which DC replication should be done. When you do not specify, server will choose the best location for AD database replication. If you have no special requirements for that, just leave “Any domain controller”
Important! If you wish to use IFM installation media, you need to be aware that it MUST be prepared on the same Windows Server version as promoted DC. It is not possible to promote Windows Server 2016 DC from Windows Server 2012 IFM or any other than 2016.
Note! As this is your first Windows Server 2016 DC in the environment, you cannot use IFM as deployment option.
Specify location for AD database and SYSVOL (if you need different that suggested) and go to the next step
Now, wizard informs you that Schema and Domain preparation need to be done. As you did not run adprep before, it will be executed in a background for you
You will see a summary screen where you can check all selected options for server promotion. As in Windows Server 2012 everything done over Server Manager is translated into PowerShell code and it is executed in a background, you can check code by clicking on “View script” button. You will see what exactly will be run. This is transparent process and you cannot see PowerShell window in front of you
PowerShell code for adding Domain Controller
# # Windows PowerShell script for AD DS Deployment # Import-Module ADDSDeployment Install-ADDSDomainController ` -NoGlobalCatalog:$false ` -CreateDnsDelegation:$false ` -Credential (Get-Credential) ` -CriticalReplicationOnly:$false ` -DatabasePath "C:\Windows\NTDS" ` -DomainName "testenv.local" ` -InstallDns:$true ` -LogPath "C:\Windows\NTDS" ` -NoRebootOnCompletion:$false ` -ReplicationSourceDC "plwrow082wdc001.testenv.local" ` -SiteName "EUPLWROHQ01" ` -SysvolPath "C:\Windows\SYSVOL" ` -Force:$true
If all prerequisites will pass and you are sure that all setting you have set up properly, you can start installation
As it was stated earlier, wizard needs to extend schema and prepare domain for the first Windows Server 2016 Domain Controller. You can see this during promotion process
wait until wizard will do its job and after server restart you will have new Windows Server 2016 Domain Controller logon screen
Log on into DC and enjoy its new features
Give DC some time to replicate Directory Services data to be fully operational.
You can check if everything is replicated over LDP utility. Open run box and type ldp
From menu select “Connection -> Connect”
Specify Windows Server 2016 Domain Controller’s name or leave it blank to connect to the DC itself
After connection verify at window bar if you are connected to appropriate Domain Controller
From Active Directory RootDSE context you can read Domain Controller’s functionality level, which in this case is 7 – Windows Server 2016
and search for
if both attributes have TRUE as a status, everything is up-and-running properly. If not, you need to wait some time to give replication finish its job.
Now, you need to do small changes within your environment configuration.
On each server/workstation NIC properties configure alternative DNS server IP address pointing to the new Domain Controller.
Open DHCP management console and under server/scope options (it depends on your DHCP configuration) modify option no. 006
Add there IP address of your new Domain Controller as new DNS server.
Congratulations! You have promoted your first Windows Server 2016 Domain Controller in existing domain. Enjoy!
Author: Krzysztof Pytko