Prepare Active Directory Windows Server 2016 DC Adprep
With the RTM release of Windows Server 2016, many will be looking to introduce a Windows Server 2016 domain controller into their existing Active Directory environments. Let’s take a look at how to prepare Active Directory for a Windows Server 2016 DC (the Adprep step) and what steps are involved in introducing the first Windows Server 2016 domain controller into an existing environment.
If you are interested in an in place upgrade of Windows Server 2016 R2, check our post here.
In my lab setup, I have an existing Windows Server 2012 R2 domain controller running a domain called TESTLAB.LOCAL. This is a single forest, single domain environment for testing purposes. The one Windows Server 2012 R2 DC holds all the FSMO roles.
The DCPromo Process
Promoting a Windows Server 2016 server isn’t really “DCPromo” any longer, just as it wasn’t in 2012, but we all still affectionately call it that as a point of reference. Active Directory Domain Services is installed exactly the same way in Windows Server 2016, through the Server Manager Add Roles wizard.
Select the Active Directory Domain Services role.
It brings up the features informational box letting you know the additional features that will be installed with the role selected.
You can select for the server to be automatically restarted or not after installation completes if it needs to restart.
After the role installation completes, the wizard will tell you that additional configuration is needed to complete the promotion of the server to a domain controller.
If you click the little flag in Server Manager with the yellow bang, you can then click the link to Promote this server to a domain controller.
Here we want to choose to Add a domain controller to an existing domain.
It is easy to miss the DSRM password field, so be sure to enter and confirm it. The wizard won’t let you move forward without it, however.
Below are the DNS options. Notice the warning that “A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found…”. If you are installing a forest root domain controller that is using Active Directory-integrated DNS, you typically do not need to be concerned about this warning message.
I ran into this error on the next screen – “Could not retrieve domain controllers. External component has thrown an exception”. As it turns out, the issue for me was that I was logged in as a local administrator and not an enterprise administrator from the domain. I had quickly logged in after a reboot previous to launching the promotion wizard.
Update: As mentioned in the comments below, this error also could have been avoided by entering domain credentials under “Supply the credentials to perform this operation” on the Deployment Configuration screen.
After logging back in as an enterprise administrator on the domain, the replicate from domain controller part of the wizard was error free.
You can verify that you can indeed “talk” to the domain by pulling down the Replicate from combo box…you should see your domain controllers available.
Now for the forestprep and adprep steps that we have all come to love and hate: as in Windows Server 2012 and higher, these are done for you in the Active Directory Domain Services Configuration Wizard. This is listed under the Preparation Options page of the wizard. As noted, it will perform:
- Forest and schema preparation
- Domain preparation
As mentioned above, make sure you are logged in as an enterprise administrator to perform these operations at a forest level.
As in Windows Server 2012 and higher, you can click the View script button to see the PowerShell code for the configuration process you have defined in the wizard.
The contents of my View Script are below.
```powershell
#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "TESTLAB.LOCAL" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
```
The wizard will perform one final prerequisites check.
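The wizard steps above, run as a script with explicit domain credentials and a prerequisite check that changes nothing before the actual promotion. This is an added example, not the post's generated View script; it assumes the AD DS role and its management tools are already installed and reuses the lab values from this post (TESTLAB.LOCAL, default site and paths).

```powershell
# Added example: pre-flight and promotion into an existing domain.
# Assumptions: AD DS role + management tools installed; TESTLAB.LOCAL resolves via DNS.
Import-Module ADDSDeployment

$domain = 'TESTLAB.LOCAL'

# 1. A local account cannot enumerate domain controllers; flag it up front
#    instead of hitting "Could not retrieve domain controllers" in the wizard.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.Name.Split('\')[0] -eq $env:COMPUTERNAME) {
    Write-Warning "Signed in as local account '$($me.Name)'; domain credentials are required."
}

# 2. Prompt for the domain credentials and the DSRM password.
#    Neither is stored in the script or on the command line.
$cred = Get-Credential -Message "Enterprise administrator for $domain"
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

# 3. Same settings as the wizard, kept in one place so the test and the
#    install are guaranteed to use identical values.
$params = @{
    DomainName                    = $domain
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    SiteName                      = 'Default-First-Site-Name'
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# 4. Run the prerequisite checks only; nothing is modified at this point.
$results = Test-ADDSDomainControllerInstallation @params
$results | Format-Table Status, Message -Wrap

# 5. Stop on any failed check; otherwise promote, asking for confirmation
#    rather than suppressing it with -Force.
if ($results | Where-Object { "$($_.Status)" -eq 'Error' }) {
    throw 'Prerequisite check failed; fix the issues above before promoting.'
}
Install-ADDSDomainController @params -NoRebootOnCompletion:$false -Confirm
```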
After installing, you will have a functional Windows Server 2016 domain controller, functioning at the lowest functional level required for your legacy DCs (lowest being Windows 2008 level). This is mainly because FRS, the replication service used to replicate SYSVOL contents, is completely deprecated. Windows Server 2016 only supports domain controllers that use DFS for replication.
UPDATE: See the notes from Stuart Rowe in the comments below about Windows Server 2016 actually supporting FRS. This may prove useful in a handful of use cases.
Final Thoughts
Windows Server 2016 is an exciting operating system that is certainly next generation and allows so many cloud capabilities that they are almost too numerous to mention. If you are looking to prepare Active Directory for a Windows Server 2016 DC, then hopefully this quick post shows how easy it really is to introduce your first Windows Server 2016 domain controller.
The reason you hit the “Could not retrieve domain controllers” error is because in your “Add a domain controller to an existing domain” step for the Specify Credentials piece you left your locally signed in account specified. You could have easily clicked “Change” and entered your testlab.local Enterprise Admin account and credentials.
The reason I say this is because I NEVER need to domain join a DC before promoting it. All you need is to set the computer name and then run the Configuration wizard.
Chris, good catch…noted….will update the post to reflect.
A word about FRS. Windows 2016 will join a Windows 2003 domain. While the check box is not present under Roles, the Promo process will install the binaries. Took a support case and couldn’t believe my eyes that MS has done this. So, another 3 or so years of new technology allowing dead skin to hang off it. I was SO ready to flip the bird at FRS as the calls of “I can’t promote 2016 to a DC!” started coming in.
So what I’m saying is: Your statement about 2016 only supporting DFS as the mechanism to replicate SYSVOL is incorrect, sadly.
BAH.
Stuart, Thanks so much for the note about FRS and 2003. I didn’t run any tests myself with 2003 and was simply going from the documentation. That is what makes the tech community of engineers great…someone out there has experienced or tried just about everything. While it does maybe make life a bit easier for someone in that special use case scenario that must integrate with 2003, sadly as you mention, it kicks the rock further down the road. I will update the post to reflect your notes on this. Thanks again.
If I want to upgrade an existing DC from Windows 2012 R2 to Windows 2016, can I try directly or should I demote it, upgrade and promote it back?
George,
I just posted a new post on an in place upgrade from 2012 R2 to 2016: http://www.virtualizationhowto.com/2016/11/upgrade-windows-server-2012-r2-domain-controller-to-windows-server-2016/
The process seems to work pretty well at least on a VM. If you are talking about physical hardware, make sure you have checked drivers, etc, before running the upgrade. Also, as always if possible test everything in a lab first.
Thanks! I ran into a problem upgrading a physical machine, a Hyper-V host; however, it doesn’t look like it is driver related. If I try to run gpupdate /force when logged in as domain admin, I get computer policies updated successfully, but I get an error while updating the user policies. Should I remove the machine and join it back to the domain? Or what?
Hi ALL.
I tried to add a new Windows 2016 server as a secondary DC in a 2012 R2 domain/forest.
The wizard has an error:
Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain.com
Exception: Class not registered.
Adprep could not retrieve data from the server PDC through Windows Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20170113104318-test directory for possible cause of failure.
Logs says:
[2017/01/13:10:43:18.808]
Adprep failed while performing Exchange schema check.
[Status/Consequence]
The Active Directory Domain Services schema is not upgraded.
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20170113104318-test directory for possible cause of failure.
[2017/01/13:10:43:18.809]
Adprep encountered an error.
Error code: 0x80040154 Error message: Class not registered
Help me pls