Migrate SBS 2011 Standard to Windows Server 2016


Your trusty old SBS 2011 is finally being retired. It had a good run. It probably still works, but you can’t get the parts. The cloud is so appealing, and yet, for whatever reason you have, you are putting in a new on-premises DC.

Hey, you don’t have to justify it to me. Chances are you shipped Exchange off to the cloud long ago, your clients never really ‘got’ SharePoint and SQL was just used by the backup software and WSUS.

The only thing we want to migrate is Active Directory and File & Print services.

Moving to 2016 makes a lot of sense, even if it is not for the seven year slog many of us are used to with our client servers. It is an elegant OS for a less Civilised time. It also gives us plenty of options for cloud integrations that we just don’t have with 2008 R2.

Many of our SMB clients will have skipped over 2012 and 2012 R2; in fact I am just finishing up my last SBS 2008 migration this week. That client has 20 staff and a 100mb leased line. They wanted an on-premises solution. Now that they have Server 2016 running, we have a lot more scope to link in services like Azure AD even if they don’t know they want them yet.

That’s enough rambling. Let’s migrate.

In my lab examples I have a Single SBS 2011 Standard DC, and a Server 2016 Hyper V Server, which will host a 2016 DC and a 2016 File & Print Server.

Prep SBS 2011

The secret to any migration is preparation. In that vein we need to spend a little time checking our 2011 server for anything that might cause us an issue later on.

First thing we are going to do is a System State backup.

I have attached a 120gb USB Hard Drive just for this backup.

Open an Elevated Command Prompt window on your 2011 and enter:

wbadmin start systemstatebackup -backuptarget:f:


When prompted select Y to continue the backup.


On my lab system it took about an hour to complete.


Now we have this, we can go ahead and make system changes and not worry too much about not being able to roll back. Of course this should be a supplement to your already robust backup regime.

Next we look at DNS.

Open up the DNS Manager and find your internal domain name.

We want to make sure we have no left overs from any previous SBS Servers or Domain Controllers.

Go to the properties of your zone, and click on the Name Servers tab.

Well this is embarrassing isn’t it, apparently I did have another server on this network at some point. Long since forgotten.

If you find anything here that does not belong, select the server in question then click the remove button.



Go through every folder in the zone to make sure there are no references to servers that do not belong.


Pay special attention here and don’t get click happy, because there will be multiple entries for the SBS 2011 server in the same folder which we want to keep!


Repeat the process for the zone named _msdcs.yourdomain.local, including checking the name servers tab.


Next we can run everyone’s favourite AD Test tool, DCDiag.

In our CMD window, enter:

dcdiag /e /v /f:dcdiag.log /c


Now we need to review the log.

notepad dcdiag.log


Of course I cannot review your log for you, so this next step is all on you. Chances are, in a single domain controller environment you won’t have any major problems. There is plenty of information out there to solve most things, including the dreaded Journal Wrap.
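As a starting point for that review, this added example (not part of the original post) lists every test that dcdiag marked as failed, together with the output printed for that test. The embedded sample log is constructed for illustration; if dcdiag.log exists in the current folder it is used instead.

```powershell
# Added example: list the tests that failed in a dcdiag log.
# Written for PowerShell 2.0, which is what SBS 2011 ships with.

function Get-DcDiagSummary {
    param([string[]]$Line)

    $inTest = $false   # true between "Starting test:" and that test's result line
    $detail = @()      # output dcdiag printed for the current test

    foreach ($l in $Line) {
        if ($l -match '^\s*Starting test:\s*(\S+)') {
            $inTest = $true
            $detail = @()
        }
        elseif ($l -match '^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)') {
            # Result line, e.g. "......................... SBS2011 failed test FrsEvent"
            New-Object PSObject -Property @{
                Target = $Matches[1]   # server, partition or domain that was tested
                Result = $Matches[2]
                Test   = $Matches[3]
                Detail = ($detail -join "`r`n")
            }
            $inTest = $false
        }
        elseif ($inTest -and $l.Trim()) {
            $detail += $l.Trim()
        }
    }
}

# Constructed sample in the layout dcdiag /v writes (not output from a real server)
$sample = @'
   Testing server: Default-First-Site-Name\SBS2011
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         ......................... SBS2011 passed test Connectivity
      Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after
         the SYSVOL has been shared.
         ......................... SBS2011 failed test FrsEvent
      Starting test: NetLogons
         ......................... SBS2011 passed test NetLogons
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
'@ -split "`r?`n"

# Use the real log when it is present, otherwise the constructed sample
$log = if (Test-Path .\dcdiag.log) { Get-Content .\dcdiag.log } else { $sample }

$results = @(Get-DcDiagSummary -Line $log)
$failed  = @($results | Where-Object { $_.Result -eq 'failed' })

"{0} tests run, {1} failed" -f $results.Count, $failed.Count
$failed | Select-Object Target, Test, Detail | Format-List
```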

We can also run a quick netdom command to check the current FSMO role holders, this is unlikely to show up anything you didn’t already know, because SBS would have been complaining wildly about it if there was a problem.

netdom query fsmo


Do you know what functional level your domain and forest are on?

If you don’t have the ActiveDirectory PowerShell Module installed, you should install it right now.

In SBS 2011 the default is 2003 Forest, and 2003 Domain mode. For the next process we need to raise up to 2008.

If you have old 2003 era DCs, now is the time to destroy them.

In an elevated PowerShell, run the following:

import-module activedirectory


In my environment I had already raised the Domain functional level to make use of Fine Grained Password Policies.

Now I am going to upgrade both forest and domain to 2008R2.

$currentForest = get-adforest
$currentDomain = get-addomain
set-adforestmode $currentforest -forestmode 4
set-addomainmode $currentdomain -domainmode 4


Next we can migrate SYSVOL replication from FRS to DFSR which is nicely explained here.

The process consists of running a few commands, and waiting for them to finish, which is my kind of work!

dfsrmig /getglobalstate


This should return that the migration has yet to begin.

Proceed as follows:

dfsrmig /setglobalstate 1


Then wait a minute or two and run:

dfsrmig /getglobalstate


This should return that Step 1 has succeeded and the DFSR Globalstate is ‘prepared’.

Proceed to run step 2.

dfsrmig /setglobalstate 2


Again waiting for this to arrive in the succeeded state.  We can then run a new command to check the status of the migration.

dfsrmig /getmigrationstate


With any luck you will see that ‘migration has reached a consistent state on all Domain Controllers’ which in my environment is great because I only have the one DC.

The final command is:

dfsrmig /setglobalstate 3
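The three steps above can also be driven by a loop that refuses to advance until every DC reports a consistent state. This is an added example, not the author's script: the function names are hypothetical, it checks `dfsrmig /getmigrationstate` after every step (including step 3), and it first confirms the DFSR service is actually Running.

```powershell
# Added example: step SYSVOL from FRS to DFSR and wait for each state to settle.

function Test-DfsrMigConsistent {
    param([string[]]$Output)
    # Success sentence printed by "dfsrmig /getmigrationstate". The failure
    # wording ("has not yet reached") does not match this pattern.
    $hits = @($Output | Where-Object {
        $_ -match 'Migration has reached a consistent state on all Domain Controllers'
    })
    $hits.Count -gt 0
}

function Wait-DfsrMigState {
    param([int]$State, [int]$TimeoutMinutes = 60, [int]$PollSeconds = 30)

    # A DFSR service that is not Running never lets the DC report consistency
    $svc = Get-Service -Name DFSR
    if ($svc.Status -ne 'Running') {
        throw "DFSR service is '$($svc.Status)'; start it before migrating."
    }

    dfsrmig /setglobalstate $State | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        if (Test-DfsrMigConsistent -Output (dfsrmig /getmigrationstate)) { return $true }
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-SysvolDfsrMigration {
    foreach ($state in 1, 2, 3) {   # 1 = Prepared, 2 = Redirected, 3 = Eliminated
        if (-not (Wait-DfsrMigState -State $state)) {
            throw "State $state is not consistent on all DCs; not advancing."
        }
        Write-Output "Global state $state reached on all domain controllers."
    }
}

# Self-check of the parser against constructed dfsrmig output (not from a real server)
$ok  = 'All Domain Controllers have migrated successfully to Global state (''Prepared'').',
       'Migration has reached a consistent state on all Domain Controllers.',
       'Succeeded.'
$bad = 'The following Domain Controllers are not in sync with Global state (''Redirected''):',
       'Migration has not yet reached a consistent state on all Domain Controllers.',
       'State information might be stale due to AD latency.'

"consistent sample -> {0}; stale sample -> {1}" -f (Test-DfsrMigConsistent $ok), (Test-DfsrMigConsistent $bad)

# On the SBS 2011, from an elevated prompt, run:  Invoke-SysvolDfsrMigration
```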


This completes our prep on our SBS Server. In summary we have cleaned up DNS of any values pointing to old servers. We have updated our domain functional level, and migrated NTFRS to DFS-R. You can perform another System State Backup at this point if you wish.

Install Server 2016

Next, install your Windows Server 2016 Hyper-V Server. Create a new Guest machine to serve as your Server 2016 DC, if you are not familiar with 2016 yet, I would suggest sticking to the Desktop Experience version.

When you get to Server Manager on your Server16 DC box, go to Local Server and enable Remote Desktop.


Next open an Elevated PowerShell window. Enter the following to set your new server’s IP statically:

# Capture the DHCP-assigned settings before releasing the lease
$currentIP = Get-NetIPConfiguration
ipconfig /release
# Re-apply the same address, prefix length and gateway as a static configuration
New-NetIPAddress -InterfaceIndex $currentIP.InterfaceIndex -IPAddress $currentIP.IPv4Address.IPAddress -PrefixLength $currentIP.IPv4Address.PrefixLength -DefaultGateway $currentIP.IPv4DefaultGateway.NextHop
Set-DnsClientServerAddress -InterfaceIndex $currentIP.InterfaceIndex -ServerAddresses $currentIP.DNSServer.ServerAddresses
# end

This will take whatever IP was issued to it via DHCP and convert it to a Static IP.



If you run this command over RDP you will lose your connection temporarily, so I recommend you run this from a direct VM Connection on the Hyper-V Server.

If you would prefer to manually set the IP of your Server, then do that.

Next we can rename our Server:

Rename-Computer Server16-DC0


After we restart the server we can install some roles and features.

From an Elevated PowerShell Window:

Add-WindowsFeature AD-Domain-Services,DHCP,DNS,FS-DFS-NameSpace,FS-DFS-Replication -includeAllSubFeature -IncludeManagementTools


Next we can promote our Server16 to be a domain controller.

$currentDomain = Read-Host -Prompt "Enter your internal domain name:"
$cred = Get-Credential -Message "Enter Domain Administrator Credentials"
# Prompt for the Directory Services Restore Mode password instead of storing it in the script
$dsrm = Read-Host -Prompt "Set the Directory Services Restore Mode password" -AsSecureString
Install-ADDSDomainController -NoGlobalCatalog:$false -CreateDnsDelegation:$false -CriticalReplicationOnly:$false -DatabasePath "C:\Windows\NTDS" -DomainName $currentDomain -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$true -SysvolPath "C:\Windows\SYSVOL" -Credential $cred -Force:$true -Confirm:$false -SafeModeAdministratorPassword $dsrm

This will prompt you to enter your internal domain name, your domain admin credentials, and a Directory Services Restore Mode password. Record that password somewhere safe; a password written into a published script is known to everyone who has read it.


Of course, with our expert preparation, the install will succeed and you will be prompted to reboot your server.




Logon as the Domain Admin.

Open an Elevated PowerShell window.

Now we can configure DNS Scavenging and a Reverse Lookup Zone if needed, and copy DNS forwarders from the SBS 2011.

$ipv4 = (Get-NetIPAddress -AddressFamily IPv4 | select *)
$ipA = $ipv4[0].IPAddress
$sMask = $ipv4[0].PrefixLength
$ipNet = $ipv4.IPAddress[0].Split(".")
$ipNet = $ipNet[0] + "." + $ipNet[1] + "." + $ipNet[2] + ".0"
$sNet = $ipNet + "/" + $sMask
Set-DnsServerScavenging -ScavengingState $true -ApplyOnAllZones -ScavengingInterval "7.00:00:00"
# Create the reverse lookup zone; a failure here is reported as the zone already existing
try {
    Add-DnsServerPrimaryZone -NetworkID $sNet -ReplicationScope "Forest" -ErrorAction Stop
}
catch {
    Write-Output "Reverse Zone Already Exists"
}
# Copy the forwarders from the current PDC emulator (the SBS 2011)
$pdc = (Get-ADDomain).PDCEmulator
$forwarders = (Get-DnsServerForwarder -ComputerName $pdc).IPAddress.IPAddressToString
# If no forwarder addresses come back, skip the copy rather than pass an empty list
if ($forwarders) {
    Set-DnsServerForwarder -ComputerName $env:COMPUTERNAME -IPAddress $forwarders
}

You may receive an error if you already have a Reverse Lookup Zone for your subnet, but many people don’t have them.


Now we can set our Destination server to use itself for DNS.

$currentIP = get-netIPConfiguration
Set-DNSClientServerAddress -interfaceIndex $currentIP.InterfaceIndex -ServerAddresses $currentIP.IPv4Address.IPAddress


Referring back to an earlier post I did, I was reminded of another bit of PowerShell to set up DHCP.

Whilst that is certainly useful, I decided to spruce it up a bit and I have now built a new script that will pull all of your existing DHCP Configuration from the Source server using NETSH and then import that into the Destination server.

Once processed it then proceeds to disable DHCP on the Source server. It leaves the scope and settings intact, so if you want to roll back simply enable the DHCP Server service on the Source server and you are back where you started.


It seems even though we have configured DHCP with PowerShell we need to complete the post install wizard in Server Manager.

Just click through the pages without changing anything.


Next we take a look at something I had to learn the hard way.

You may be familiar with EFS, Encrypted File System. Ok, you may have heard of EFS but in practice I think people using it are few and far between. EFS provides an interface from within File Explorer to Encrypt your files and folders. EFS uses digital certificates as the keys to encrypt and decrypt the files.

As a precaution to potential data loss, EFS provides something called a Data Recovery Agent, which is a nominated account that also has a key to unlock the files. By default the built-in Administrator account is recognised as the EFS recovery Agent.

That is relatively straightforward, however… Did you know that the EFS Recovery Agent Certificate is only available on the FIRST Domain Controller promoted into that domain?

It is fair to say a topic like this really deserves its own post, of which there are plenty from folks much smarter than me.

I can, however, show you how to back up this certificate and keep it safe, which you can read here.

Once we have dealt with the drama of our EFS Recovery Agent, we can look at migrating our Certificate Authority.

The migration article is quite straight forward to follow.

We start off by backing up some data from our Source Server, tweak some settings and then restore the data to our Destination server.

First, on our SBS Server we will back up the CA Database and Private Key, from an elevated command prompt:

certutil -backupDB c:\caBackup
certutil -backupKey c:\cabackup


Next, stop the CA Services.

net stop certsvc

Next, back up the CA registry settings.

reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc c:\cabackup\CA.reg
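C:\cabackup now holds the CA private key (.p12), the database and the registry export, and a folder created in the root of C: inherits read access for ordinary users. This added example (not part of the original post; function names are hypothetical) restricts the folder to Administrators and SYSTEM and reports any other access entries that remain. Run it elevated.

```powershell
# Added example: restrict the CA backup folder to Administrators and SYSTEM.
$AllowedSids = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, LocalSystem

function Get-UnexpectedAce {
    param([string]$Path, [string[]]$Allowed = $AllowedSids)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Compare by SID so the check does not depend on the OS language
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($Allowed -notcontains $sid) {
            New-Object PSObject -Property @{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Protect-CaBackup {
    param([string]$Path)
    # /inheritance:r drops the entries inherited from the parent folder;
    # /grant:r sets full control for the two allowed principals only.
    icacls $Path /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
    @(Get-UnexpectedAce -Path $Path)   # empty when only the allowed principals remain
}

# Demonstration on a throwaway folder, so the real backup is not touched
$demo = Join-Path $env:TEMP 'cabackup-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
"before: {0} unexpected ACE(s)" -f @(Get-UnexpectedAce -Path $demo).Count
"after:  {0} unexpected ACE(s)" -f @(Protect-CaBackup -Path $demo).Count
Remove-Item -Path $demo -Recurse -Force

# For the real folder:  Protect-CaBackup -Path C:\cabackup
```

Run it again on the copy you place on the Destination server, and remove both folders once the restored CA is issuing certificates, keeping one offline copy.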


The next step in the TechNet article relates to using a custom CAPolicy.inf file. On my SBS I did not have one, so I will assume you also do not have one and move along.

We now come to uninstall our Source CA. From an elevated PowerShell Window:

Import-Module ServerManager
Remove-WindowsFeature AD-Certificate


As the output suggests we should now reboot our SBS 2011.

I have copied the CA Backup folder from my Source server to my Destination server, and now we can begin restoring things.

On our Destination server we can Add the Certificate Services role.

Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools


Next, we can use this command to complete the install of our new CA.

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile C:\cabackup\trsbs11-SERVER-CA.p12 -CertFilePassword (read-host "Set user password" -assecurestring)


Next we can restore our DB Backup.

net stop CertSvc
certutil -f -restoreDB c:\cabackup


Open your Source CA.reg file in notepad.

The TechNet article on this process is uncharacteristically vague about this next step.

Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated in the target system after migration because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different in the target system.

In my Source CA.reg I modified two lines only.

"DisplayName"="Active Directory Certificate Services"


Save your changes to the CA.reg file and import the file.

reg import c:\cabackup\CA.reg


Now start the service.

Start-Service CertSvc


You can test the issuance of certificates by requesting a new certificate from MMC Certificates for the Local Computer. I requested a new DC Certificate and it was issued without any problem!


At this point it might be a good idea to let the dust settle for a week before moving on to remove the SBS from the network.


A few days have now passed and I am ready to proceed with the decommission of the SBS Server.

As I said at the beginning of the post, I am assuming you have already taken care of removing Exchange and SharePoint, to the degree that either they are uninstalled, or there is no data left in them you need to keep.

Moving the FSMO Roles is one of the last tasks you should do, because as you may recall SBS must be the FSMO Holder for your domain.

Once we have transferred the roles to our Destination server, we can shut down the SBS Server for another few days to make sure everything still functions as expected.

From an elevated PowerShell window:

Move-ADDirectoryServerOperationMasterRole -Identity $env:ComputerName -OperationMasterRole 0,1,2,3,4 -confirm:$false
netdom query fsmo


Once you are happy your environment can sustain the loss of your SBS Server, it is time to run that final DCPromo, and commit the SBS to the great Data Center in the sky.

On the SBS itself we want to put the DNS Server address to the Destination Server, which we cannot do with PowerShell but we can use NETSH.

netsh int ip set dnsservers "Local Area Connection" static <Destination-Server-IP> primary


Then run DCPromo.

Make sure to leave ‘Last DC in the Forest’ unchecked and complete the wizard.




Goodnight, sweet prince.


PS. You can go ahead and remove it out of the domain into a workgroup, or just turn it off and delete the account from AD.


About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

70 Responses to Migrate SBS 2011 Standard to Windows Server 2016

  1. Ben says:

    Hi thank you for the great article. It helped me with a sbs migration go smoothly. One question, now that I have server 2016 standard running, I need to install Windows Essentials Experience role. When I start it won’t let me finish b/c it says I have CA role installed. When I google the issue it says I have to remove the role. Will that affect the server in anyway if I remove it?

  2. Richard says:

    @Ben indeed that is a good question, I am wondering the same thing as we would like to use the Essentials Experience Role also.
    @Robert Pearman in this guide u are assuming that Exchange and Sharepoint are already removed correctly, for us this is not the case do u have a guide for this as well?

  3. David Moen says:

    Hi Robert, the Essentials Experience Role will not install on a Server 201 Std box if the CA role is already present. In my case, I removed the CA Role, installed WSE Role, which apparently installs the CA Role as well because it’s there after the WSE installation completes.

    • Ben says:

      Hi David,
      My roles are greyed out in server 2016 so I cannot uninstall the CA role. Did you do it via powershell or the GUI?

      • David Moen says:

        Are you sure you are clicking on “Remove Roles and Features” when you launch the wizard in Server Manager?

  4. Al BeVier says:

    OK, nicely done!! Quick two questions: It seems that you moved to Server 2016 Std instead of 2016 Essentials. If so, is there a reason why you did it that way? And if so can the above process be used to move from SBS 2008 to 2016 Essentials?

    I guess that was three questions…

    • Is there a reason? I think Essentials 16 is quite buggy.
      Following this procedure you end up with a single 2016 DC, chances are you got 2016 Standard, so 1 VM is the DC you can make the second VM an Essentials server.
      Yes I think you can pretty much follow this for sbs 08.

  5. brianmyrick says:

    Will this procedure work with 2008R2 Foundations?

  6. Ian Maylin says:

    Robert, many thanks for this, first time I have attempted a SBS2011 to Server 2016 and it went without a hitch.

  7. Francois says:

    This is one awesome article, extremely helpful and well written. Thank you so much.

  8. Mark Hellemons says:


    Great help! Really a very good guide on how to.
    I’ve only run into a problem now, doing exactly as you say above:

    PS C:\Users\localadmin> $ipv4 = (Get-NetIPAddress -AddressFamily IPv4 | select *)
    PS C:\Users\localadmin> $ipA = $ipv4[0].IPAddress
    PS C:\Users\localadmin> $sMask = $ipv4[0].PrefixLength
    PS C:\Users\localadmin> $ipNet = $ipv4.IPAddress[0].Split(“.”)
    PS C:\Users\localadmin> $ipNet = $ipNet[0] + “.” + $ipNet[1] + “.” + $ipNet[2] + “.0”
    PS C:\Users\localadmin> $sNet = $ipNet + “/” + $sMask
    PS C:\Users\localadmin> Set-DnsServerScavenging -ScavengingState $true -ApplyonAllZones -ScavengingInterval “7.00:00:00”

    Set-DnsServerScavenging : Failed to set property ScavengingInterval on server FS.
    At line:1 char:1
    + Set-DnsServerScavenging -ScavengingState $true -ApplyonAllZones -Scav …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (ScavengingInterval:root/Microsoft/…erverScavenging) [Set-DnsServerS
    cavenging], CimException
    + FullyQualifiedErrorId : WIN32 5,Set-DnsServerScavenging

    Set-DnsServerScavenging : Failed to set property DefaultAgingState on server FS.
    At line:1 char:1
    + Set-DnsServerScavenging -ScavengingState $true -ApplyonAllZones -Scav …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (DefaultAgingState:root/Microsoft/…erverScavenging) [Set-DnsServerSc
    avenging], CimException
    + FullyQualifiedErrorId : WIN32 5,Set-DnsServerScavenging

    PS C:\Users\localadmin>

    What is causing this and how can I fix this? I hope you can help. I tried to go on with the rest of your guide but DHCP is failing because of (this) DNS error. I’m stuck at the moment although everything is still running on the SBS2011.

    Kind regards Mark

  9. Mark Hellemons says:

    Darn.. when joined to domain I needed to open Powershell ‘as administrator’.!… That was all.

    However, I get a different error as I am at the last line of the DNS forwarder;
    PS C:\Windows\system32> set-dnsserverforwarder -computername $env:computername -ipaddress $forwarders
    Set-DnsServerForwarder : Cannot validate argument on parameter ‘IPAddress’. The argument is null or empty. Provide an
    argument that is not null or empty, and then try the command again.
    At line:1 char:67
    + … erverforwarder -computername $env:computername -ipaddress $forwarders
    + ~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Set-DnsServerForwarder], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Set-DnsServerForwarder

    Is this a bad thing?

  10. Mike says:

    Great information and thanks for taking the time to share it! However, one question, I don’t see the adprep command being used on the SBS2011 server. Our reseller has some communication with Microsoft that seems to indicate this is one of the first steps on SBS. I see in the screenshots when you promote the 2016 server to a DC, there is some output from adprep saying it updated the forest and domain information. Is the 2016 server recognizing the need for it to be done and then doing it for you?

  11. David Moen says:

    I’ve done a half dozen SBS2008 and SBS2011 migrations using this methodology and some tips from Mariette over at server-essentials.com and have never run into the need to adprep a server. I would think that would even be destructive – isn’t it used to sanitize Windows back to “as initially installed” condition?

    • No adprep and forest prep were for schema extensions for the new OS DCs. I was thinking it was automatically done for you now but really didn’t remember, seems like I would have included it if it was a step I had done.

  12. Yadi says:

    The command has completed successfully
    Adprep successfully updated the forest-wide information.

    Adprep successfully updated the domain-wide information.

    WARNING: Windows Server 2016 domain controllers have a default for the security setting named “Allow cryptography
    algorithms compatible with Windows NT 4.0” that prevents weaker cryptography algorithms when establishing security
    channel sessions.

    For more information about this setting, see Knowledge Base article 942564

    WARNING: This computer has at least one physical network adapter that does not have static IP address(es) assigned to
    its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses
    should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es)
    assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.

    WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it
    does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
    create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain
    “hill.local”. Otherwise, no action is required.

    Does not come with require a reboot or Success status and its been like that for two hours. Any advice will be helpful

  13. Mark Hellemons says:

    Hello, I’ve used this script before and it went perfect. Now however I have a DNS problem with the very last command and I can’t continue with DHCP because it gives errors. I hope somebody can help me.

    With this command I get this error:
    PS C:\Windows\system32> set-dnsserverforwarder -computername $env:computername -ipaddress $forwarders

    Set-DnsServerForwarder : Cannot validate argument on parameter ‘IPAddress’. The argument is null or empty. Provide an
    argument that is not null or empty, and then try the command again.
    At line:1 char:67
    + … erverforwarder -computername $env:computername -ipaddress $forwarders
    + ~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Set-DnsServerForwarder], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Set-DnsServerForwarder

    • Do you get a result for this command?
      $pdc = (get-addomain).pdcemulator
      $forwarders = (get-dnsserverforwarder -computername $pdc).ipaddress.ipaddresstostring

  14. Mike Gibbs says:

    Great article Robert. Just one dumb question. Can the second server have the same name as the SBS Server after it has been decommissioned so that you can “swing” the shares to a link with the same name? There’s nothing to stop the initial data migrations to go to the DC together with the Essentials role right? The change of folder redirection and drive maps through group policy is fine but with 50+ PCs connecting to a LOB app it is going to need some manual intervention at each desktop. Just thinking aloud but wondered if you have ever tried?

  15. Hey Robert,

    great write-up as per usual, did run into an error when running your DHCP migration script, maybe have a look at that:
    Add-DhcpServerInDC : Cannot process argument transformation on parameter ‘IPAddress’. Cannot convert value “System.Object[]” to type “System.Net.IPAddress”. Error: “An invalid IP address was specified.”
    At C:\_install\Migrate-DHCP.ps1:85 char:57
    + Add-DhcpServerInDC -DnsName $destination -IPAddress $destIP
    + ~~~~~~~
    + CategoryInfo : InvalidData: (:) [Add-DhcpServerInDC], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-DhcpServerInDC

    On another note, not quite sure on how much you want this to be a complete guide, but maybe do refer to some moving of the data to the new server and some of the SBS specific features like redirected folders and how to get those to the 2016 server?

  16. Jordan Grogan says:

    Great article Robert thank you. I’ll be looking to do this very soon with our SBS domain.

  17. Jens Berggren says:

    Hi, how can I delete the OUs under MyBusiness and the group policies from SBS after migration?
    I tested this in my lab and have no rights to do so.

    • They may be set to prevent accidental deletion. Which is a check box in the OU properties.

      • Jens Berggren says:

        The checkbox was unchecked.
        But there is an attribute in the attribute-editor section of the properties, this attribute is called “systemflags” with a text-value of “DISALLOW_DELETE …”, the real value is -1946157056. I can not edit this, nice editor …

      • Do you have any objects inside these OUs still?

      • Jens Berggren says:

        All objects are moved to a new OU.
        I’ll try another setup in my lab, but it is not possible to setup a SBS2008 on Hyper-V 2016, so I have to setup this on my slow Hyper-V 2008R2 machine, it takes some time.

  18. Jens Berggren says:

    Finally I decided to not migrate, I will establish a new domain.
    With all this stuff, deinstall Exchange eg. and afterwards you will have objects (admins, groups and policies) in your AD, that you do not need and you partial can not delete, this is more work, than to make it new and clean.

    SBS is wasting of lifetime!


  19. rdismuke says:

    I may have run into a snag. After running command “dfsrmig /setglobalstate 2”, which was successful, I ran dfsrmig /getmigrationstate and received the following result:
    The following Domain Controllers are not in sync with Global state :
    Domain Controller – DC Type
    – Primary DC
    Migration has not yet reached a consistent state on all Domain Controllers
    State information might be stale due to AD latency.

    I have only the one SBS 2011 server and that is the only DC on the network since it was created. Any help would be appreciated. Thanks!

    • How long did you leave it before running GetmigrationState?

      • it was over 24 hours, but we resolved it. The DFSR service was in Starting state. Our guys glanced and thought it showed Started. Ugh! We were able to get the service started and the process completed and SYSVOL migration process completed. Thanks for the quick reply

        Another question:
        The command to promote the Server 2016 server to a DC was started about 30 min ago. All the results match your documentation, but the last line that should state that a restart is required has not yet shown up. How much time should we allow for this command to complete? Thanks in advance!!

      • Robert – To be clear on my question about promoting the server to DC using your PS commands, the last lines I see are:

        Adprep successfully updated the forest-wide information.

        Adprep successfully updated the domain-wide information.

        followed by the paragraph:

        “WARNING: A delegation for this DNS server cannot be created……..”

        It seems all I am missing is the message:

        “You must restart this computer…”

        It only shows a blinking prompt where the line should be that requires a restart.

        It appears that all was successful and that I should be able to restart the server but wanted to get your thoughts first. Thanks in advance for all the help!!!

      • Sorry for slow reply, hope all is well.

  20. When you run this command:

    $cred = Get-Credential -Message “Enter Domain Administrator Credentials”

    It is _absolutely vital_ that when you type in the username that you are prompted for, you include the domain name, for example:


    and not just administrator (or whatever the administrative username is in your situation).

    If you omit the domain name, it will hang at the last step and you’ll have to remove the server from the domain and add it back in as per the link in the Joshua Nash comment on January 4, 2018 at 2:03 am

    I went through this pain too. @Robert Pearman, you could update this page to the following:

    $cred = Get-Credential -Message “Enter Domain Administrator Credentials in the form yourdomain\adminusername”


    • Chris Somerville says:

      It seems to be hanging for me anyways. It prompts me for the credentials, which I enter. Then it just displays the last command and keeps flashing. I don’t see a progress screen like it’s doing anything. Any thoughts ?

  21. Thank you very much for this great piece of work! You helped me a lot!

  22. Hi Rob, thanks for a great article which some of us are still using.

    A quick question: What is the best way to handle shares on SBS server and moving them to new Server? in our case it is new DC server which will also be a file sharing server.

  23. Jens Berggren says:

    I want to unsubscribe this.
    How can I do it????

  24. Charlie Zheng says:

    Hi Rob, migrated all FSMO roles and shutdown the old SBS(DC) for a few days, occasionally domain clients get permission denied errors and have to restart computers a few times to fix it. Clients have security-kerberos errors and seems they are trying to talk to the SBS server (AD). I suppose this is because the old SBS is shutdown so that AD sync is not working properly and will be fixed after SBS is depromoted? thank you.

  25. zheyizheng says:

    Hi Rob, I think you miss some steps, after FSMO transfer, the root domain time service may not be transferred to new PDC. I would assume it’s better to make sure time service is correct before de-promo the old SBS?

  26. Hi Rob, in our case SBS server is also RDP License server. How do I move RDP gateway/ license server over to new Server 2012 r2?


  27. pducharme says:

    Do you have any article if I want to keep an Exchange 2016 on premise (on a different Win2016 VM)? My client has an aging SBS2011 that we will change for a brand new Dell PowerEdge 7425 with 2 x EPYC 7281 (32 cores) :D (will be fun to play with!). The plan is to build the new server with Server 2016 Standard on it, then install the Hyper-V role, and create 2 VMs, one for the DC and one for the Exchange 2016. They also have a 2nd server (2012) that is an RDP server & File+Print Services that will keep those roles.

    I’m looking for a good article on that scenario and unfortunately I can’t pay 500$ for server-essentials.com article… (that was free before!) since I only have 1-2 clients and that will eat too much of my profit :O

  28. Joe says:

    Can this guide be followed for a regular Server 2008 R2 domain controller that is not SBS 2011?

  29. Bill says:

    Robert – first of all thanks so much for your very helpful step-by-step migration – don’t know what I’d do without it. Hit one snag & have one other question.

    1) Running the DHCP script I got an error because the 2016 server has 2 NICs and I’d only connected one, so I went back and disabled #2, then tried to temporarily re-enable/start DHCP at source server but entire scope & settings were GONE (which you said the script leaves intact). I re-ran the script anyway & DHCP seems OK except there was no DNS Server address (which I did manually) and there are NO address leases showing. So please tell me it’ll be OK when the users try to log in on Thursday morning – or is there something I need to do? Addresses do show in DNS Manager.

    2) The EFS steps – necessary? I don’t think it was ever used on the SBS 2011 server or was it enabled there by default when the server was installed? Can I skip the whole section without harm – because all files from source server have been on the W2016 box for a month now – email moved to O365 – & the last thing I need is to mess all that up by adding something that’s not necessary.


    • Hello Bill,
      Check your source server: is the DHCP service still running? If it is not (which I expect), disable DHCP on the new server, then start DHCP on the source server, and you should see the settings are still there.

      The leases should start to appear when your clients renew their existing leases. You can test that ahead of time with a reboot of a client PC.

      EFS – if the certificate is available I would make sure to back it up; it’s better to have it and never need it than just skip it and find out one day someone encrypted a file that you now cannot recover.

  30. Bill says:

    BTW, when I looked under Users/Administrator/Appdata/Roaming/Microsoft/Crypto/RSA there is a folder there with 4 private keys (all at least 5 years old), but when I opened the MMC/Certificates/Personal there’s nothing there, so no exporting the private key and if anyone encrypted a file 5 years ago, SOL. I’ll back up what I can but I really don’t think there’ll be a problem going forward. And you were correct on the DHCP. Thanks again.

  31. John says:

    Hi Robert, is it the same process from SBS2011 to Windows Server 2012R2?

  32. Glenn says:

    Thank you for writing this comprehensive guide, you saved me a lot of typing.

  33. Stefanie says:

    Thank you for the comprehensive article. My migration went without a hitch. I turned off the SBS server and have not looked back. Today I am trying to modify some group policies that came over from the SBS and I did not complete the DC Promo step to remove it from AD. I also see that my 2016 server still has domainMode=Windows2008R2Domain and forestMode=Windows2008R2Forest. Is there a way to raise these modes?

    • 2008R2 Mode is fine, you can raise that at any time.

      You mention the GPOs, do you have an issue editing those?

      • Stefanie says:

        I have removed the SBS server from the network. I am setting up brand new workstations and they are having trouble with Windows updates because “Some settings are managed by your organization”. I had Windows updates running through GPO on the old server with the older server being the WSUS. I decided it was more trouble than it was worth especially now that our bandwidth is so much better. But I cannot see where the GPO migrated to the new server. In the GPME, Computer Configuration->Policies->Administrative Templates->Windows Components->Windows Updates and all settings are “Not Configured”. Is there somewhere else I should look?

  34. Thank you for the great article! It helped me to do my migration with great deal of success!

