Migrating Active Directory From Windows 2012 R2 to Windows Server 2016

This guide walks you through the steps to migrate Active Directory from Windows Server 2012 R2 to Windows Server 2016. We have one Active Directory domain running on Windows Server 2012 R2, and we will migrate it to Windows Server 2016 in our lab environment for this particular step-by-step guide.


  • One Windows Server 2016 (physical or virtual) machine joined to the existing domain

Open PowerShell on your Windows Server 2016 machine and execute the following command:

Get-CimInstance Win32_OperatingSystem | FL *

As you can see, we have already added our Windows Server 2016 machine to the existing Windows 2012 R2 domain.

Open PowerShell on your existing Windows 2012 R2 domain controller and execute the following command to check the current domain and forest functional level:

Get-ADDomain | fl Name,DomainMode

As you can see, the current domain and forest functional level of the domain is Windows Server 2012 R2.

Let’s begin with the migration process.

STEP1 - Installing Active Directory Roles on Windows Server 2016

  1. Log in to Windows Server 2016 as domain administrator or enterprise administrator
  2. Check the IP address details and set the server's own IP address as the primary DNS and the existing AD server as the secondary DNS. This is because, once Active Directory is installed, the server itself will act as a DNS server
  3. Run servermanager.exe from PowerShell to open Server Manager (you can also open it from the GUI)

4. Click on Add Roles and Features

5. It will start up the wizard, click next to continue

6. On the following screen, keep the default and click next

7. AD Roles will be installed on same server, so leave the default selection and click next to continue

8. Under the server roles, tick Active Directory Domain Services. It will then prompt with the features needed for the role. Click on add features, then click next to proceed

9. On the features window, keep the default and click next

10. Click next to proceed

11. Click on install to start the role installation process.

12. Once the installation has completed, click on the promote this server to a domain controller option

13. It will open the Active Directory Domain Services configuration wizard. Leave the option Add a domain controller to an existing domain selected and click next.

14. Define a DSRM password and click next

15. Click on next to proceed

16. In the next window, it asks where to replicate the domain information from. You can select a specific server or leave the default. Once done, click next to proceed.

17. Then it shows the paths for the AD DS database, log files and SYSVOL folder. You can change the paths or leave the defaults. I will keep the defaults and click next to continue

18. The next window explains the preparation options. Since this is the first Windows Server 2016 AD server in the domain, it will run the forest and domain preparation tasks as part of the configuration process. Click next to proceed.

19. In the following window, it will list down the options we selected. Click next to proceed.

20. Now it will run the prerequisite check. If all is well, click on install to start the configuration process.

21. Once the installation completes it will restart the server.

STEP2 - Migrating FSMO Roles to Windows Server 2016 AD

There are 2 ways to move the FSMO roles from one AD server to another: one uses the GUI and the other uses the command line. I'll be using PowerShell to move the FSMO roles and to show the process. If you prefer the GUI, you can use that instead.

  1. Log in to the Windows Server 2016 AD server as enterprise administrator
  2. Open PowerShell as administrator, then type netdom query fsmo. This lists the FSMO roles and their current owners.

3. As you can see in the output above, in our lab the Windows Server 2012 R2 DC holds all 5 FSMO roles. To move the FSMO roles to the Windows Server 2016 DC, execute the following command:

Move-ADDirectoryServerOperationMasterRole -Identity EXAMPLE-PDC01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

EXAMPLE-PDC01 is the Windows Server 2016 DC. If the FSMO roles are placed on different servers, you can migrate each FSMO role to a different server. When prompted, choose the input that suits your domain environment. I am going with the default and A, as I have only one domain.

4. Once it has completed, type netdom query fsmo again and you can see that the Windows Server 2016 DC is now the owner of the FSMO roles.

STEP3 - Uninstalling AD Role from Windows Server 2012 R2

We have moved the FSMO roles, but we are still running at the Windows 2012 R2 domain and forest functional levels. In order to upgrade them, we first need to decommission the AD role from the existing Windows Server 2012 R2 servers.

  1. Log in to the Windows 2012 R2 domain server as enterprise administrator
  2. Open PowerShell as administrator
  3. Then execute the following command:

Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition

Press Enter. It will ask for a local administrator password; provide a new password for the local administrator and press Enter.

4. Once it has completed, it will restart the server.

Upgrading the forest and domain functional levels to Windows Server 2016

Now that the Windows Server 2012 R2 domain controllers are demoted, the next step is to upgrade the domain and forest functional levels.

  1. Log in to the Windows Server 2016 DC as enterprise administrator
  2. Open PowerShell as administrator
  3. Then execute the following command:

Set-ADDomainMode -Identity example.com -DomainMode Windows2016Domain

This upgrades the domain functional level to Windows Server 2016.

4. Then execute Set-ADForestMode -Identity example.com -ForestMode Windows2016Forest to upgrade the forest functional level.

5. Once finished, you can run Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode to confirm the new domain and forest functional levels.
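
A readiness check to run before the demotion in STEP3 (-Stage Demote) and again before raising the functional levels above (-Stage Raise), as an added example that is not part of the original guide. The function name Test-AdMigrationReadiness and its parameters are hypothetical; EXAMPLE-PDC01 is the guide's sample name for the Windows Server 2016 DC, and the script assumes it runs on that DC with the ActiveDirectory module available.

```powershell
# Added example, not part of the original guide. Run on the Windows Server 2016 DC.
Import-Module ActiveDirectory
function Test-AdMigrationReadiness {
    param(
        [Parameter(Mandatory)] [string] $NewDc,   # short host name of the 2016 DC
        [ValidateSet('Demote', 'Raise')] [string] $Stage = 'Demote'
    )
    $findings = @()
    $domain = Get-ADDomain
    $forest = Get-ADForest
    # 1. All five FSMO roles must already be on the new DC (result of STEP2).
    $owners = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $owners.Keys) {
        if ($owners[$role] -notlike "${NewDc}.*") {
            $findings += "FSMO role $role is held by $($owners[$role])"
        }
    }

    # 2. Replication must be clean, otherwise the remaining DC may miss changes.
    foreach ($f in (Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain)) {
        if ($f.FailureCount -gt 0) {
            $findings += "Replication failure: $($f.Server) from $($f.Partner)"
        }
    }

    if ($Stage -eq 'Raise') {
        # 3. No DC older than Windows Server 2016 (OS major version 10) may remain.
        foreach ($dc in (Get-ADDomainController -Filter *)) {
            $major = [int](($dc.OperatingSystemVersion -split '\.')[0])
            if ($major -lt 10) {
                $findings += "DC $($dc.HostName) still runs $($dc.OperatingSystem)"
            }
        }
        # 4. The local AD module must know the 2016 mode; older modules reject it.
        $modes = [Enum]::GetNames([Microsoft.ActiveDirectory.Management.ADDomainMode])
        if ($modes -notcontains 'Windows2016Domain') {
            $findings += 'Local AD module lacks Windows2016Domain; run on the 2016 DC'
        }
    }
    $findings   # empty output means no blocking finding
}
Test-AdMigrationReadiness -NewDc 'EXAMPLE-PDC01' -Stage Raise
```

Any line of output is a reason to stop and investigate before continuing with the next step of the migration.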

All done.


We have demonstrated the migration process from Windows 2012 R2 Active Directory to Windows Server 2016. I hope this guide was helpful for a smooth migration of Active Directory domains within your environment.

Image credits: Rebeladmin


  1. When I entered this command, Set-ADDomainMode -identity example.com -DomainMode Windows2016Domain, I got an error like this:

    Set-ADDomainMode : Cannot bind parameter 'DomainMode'. Cannot convert value "Windows2016Domain" to type
    "Microsoft.ActiveDirectory.Management.ADDomainMode". Error: "Unable to match the identifier name Windows2016Domain to
    a valid enumerator name. Specify one of the following enumerator names and try again: Windows2000Domain,
    Windows2003InterimDomain, Windows2003Domain, Windows2008Domain, Windows2008R2Domain, Windows2012Domain,
    Windows2012R2Domain, UnknownDomain"
    At line:1 char:54
    + Set-ADDomainMode -Identity nuggetlab.com -DomainMode Windows2016Domain
    + ~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Set-ADDomainMode], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveDirectory.Management.Commands.SetADDomain

    1. Replace example.com with your domain name.

