Sensitive production systems: Migrating to Windows 2003 Server from Windows 2000 Server

Posted on 2007-10-13
Last Modified: 2010-04-18
I've read through many of the solutions provided by the site and Microsoft on this topic.  So, I'm sorry if I'm beating a dead horse yet again.  However, I'm a bit apprehensive about migrating my network to Windows Server 2003 at the moment.  I need to get off this old, flaky Windows 2000 Server that's been in production for roughly over 6 years now.  But, that server is a vital production box and I have to get this right the first time.   And to clarify, I DO NOT have any intention of upgrading the existing Domain Controller to Windows 2003 Server.  I simply want the new 2003 Server to take over as the Domain Controller.  So, here's my scenario:

Server 1: Domain Controller / DNS: Windows 2000 Server SP4 <-- to-be replaced
Server 2: File Server: Windows 2000 Server SP4 (member server)
Server 3: MS SQL 2000 Server: Windows 2000 Server SP4 (member server)
Server 4: Terminal Server/Terminal Licensing: Windows 2003 Server SP2(member server)
Server 5: AVAYA Licensing Server: Windows 2003 Server SP2(member server)
Server 6: NEW: Windows 2003 Server <-- to-be Domain Controller

Note: DHCP is handled by another server and is not a part of the migration, for those that are curious.

Let me know if I'm wrong here.  Or, suggestions to make this process go as smoothly as possible are welcome.  The scenario is rather straightforward: (I think)
    - Full System Backup of Server 1
    - Apply all security updates and service packs to Server 6
    - Connect Server 6 to the domain
    - Prep Server 1 for 2003 schema changes: adprep /forestprep  (is this seriously necessary here in my scenario? I could just run in 2000 compatibility mode for a while.  Thoughts?)
    - Transfer DNS by setting Primary Zones to AD Integrated (currently Primary)
    - dcpromo the Server 6 adding Server 6 to AD
    - Wait for AD and DNS to replicate to Server 6 (pray hard here)
    - Transfer FSMO roles to Server 6
    - Test to be certain that Server 6 is now authenticating users
    - Demote Server 1
    - Change DHCP Server to reflect new DNS Server IP
    - Down DNS on Server 1
    - Verify GPOs on OUs in AD
    - Move any remaining shares, folders and files from Server 1
    - Take Server 1 out of service (because it's old, and needs to be; could be months down the road)

I believe that to be the process I must follow after digesting the hundreds of pages of information I've read in the past few days.  However, darn near every last solution was different.  I just need to make certain that what I'm about to do is correct because I can't afford to be wrong.  I'm going to add a backup DC shortly after this is done when funds are available, mostly because I want a backup DNS server here.  We'll be upgrading that 2000 SQL box in the next couple of years.  But, for the foreseeable future it will remain SQL 2000 and 2000 Server.  The fileserver can just remain 2000 Server as it's just serving up files.

Experts, please provide YOUR thoughts on the situation.  I don't need to read any more M$ documentation that only their engineers truly understand.  :)

Thanks in advance.  I appreciate any information you can provide.

Question by: trelectric
    LVL 70

    Accepted Solution

    The general procedure is:

    Install Windows 2003 on the new machine

    Assign the new computer an IP address and subnet mask on the existing network
    Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

    Join the new machine to the existing domain as a member server

    Insert the 2003 CD in the 2000 machine and run adprep /forestprep and adprep /domainprep. Adprep is in the i386 folder on the CD.  (If the new Windows 2003 server is the "R2" version then you need to run Adprep from CD2 of the R2 disks on the existing Domain controller. Adprep is in the \CMPNENTS\R2\ folder on CD2.)

    From the command line, promote the new machine to a domain controller with the DCPROMO command. Select "Additional Domain Controller in an existing Domain".

    Once Active Directory is installed, then to make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services; expand Sites, Default first site and Servers. Right click on the new server, select Properties and tick the "Global Catalog" checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership.)

    Make sure the new DC is also a DNS server: install DNS. Assuming that you were using Active Directory Integrated DNS on the first Domain Controller, DNS will have replicated to the new domain controller along with Active Directory.

    All the clients (and the domain controllers themselves) need to have their Preferred DNS server set to one domain controller, and the Alternate DNS to the other; that way if one of the DNS Servers fails, the clients will automatically use the other. Some machines will need this setting in the TCP/IP properties of the NIC, others will need to have it set via the DHCP options.

    Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and DHCP. You now need to transfer the FSMO roles  - see

    You are now ready to remove the old DC (or you can leave it running to provide resilience).


    DNS: Make sure that all of your clients are set to use the new DC as their Preferred DNS server (either by static entries or DHCP options)

    Power down the old DC and make sure that all is well.

    Once satisfied, power on the old DC again, then run DCPROMO to remove its domain controller status.

    If you want to remove the machine from the domain then you can do so once its DC role has been removed.
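    An added verification script for the procedure above (example code written for this page, not from the thread or either expert), to run in PowerShell on the new 2003 DC once FSMO transfer and GC placement are done. It assumes PowerShell 1.0 or later and the Windows Support Tools (for dcdiag) are installed, the account is a domain admin, and the new DC's name is JUPITER (taken from the author's dcdiag output; substitute your own). It also reports the functional levels, which adprep does not raise.

```powershell
# Added post-migration check; names below are the thread's, replace with your own.
$NewDc = 'JUPITER'   # constructed from the author's dcdiag output

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

# 1. FSMO roles: after the transfer, all five should be held by the new DC.
$roles = @(
    @{ Role = 'Schema Master';         Owner = $forest.SchemaRoleOwner.Name },
    @{ Role = 'Domain Naming Master';  Owner = $forest.NamingRoleOwner.Name },
    @{ Role = 'PDC Emulator';          Owner = $domain.PdcRoleOwner.Name },
    @{ Role = 'RID Master';            Owner = $domain.RidRoleOwner.Name },
    @{ Role = 'Infrastructure Master'; Owner = $domain.InfrastructureRoleOwner.Name }
)
foreach ($r in $roles) {
    # Owner names come back as FQDNs, so match on the host label only.
    if ($r.Owner -like "$NewDc.*" -or $r.Owner -eq $NewDc) { $status = 'OK' }
    else { $status = 'NOT ON NEW DC' }
    "{0,-22} {1,-35} {2}" -f $r.Role, $r.Owner, $status
}

# 2. Global catalog: the new DC must be a GC before the old DC is demoted,
#    because logon needs a GC to resolve universal group membership.
$gcs = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
'Global catalogs: ' + [string]::Join(', ', $gcs)
if (@($gcs -like "$NewDc.*").Count -eq 0) { "WARNING: $NewDc is not a global catalog" }

# 3. Functional levels: adprep only extends the schema; the level stays at
#    Windows 2000 mixed until raised by hand (no NT 4.0 BDCs may remain).
'Domain functional level: ' + $domain.DomainMode
'Forest functional level: ' + $forest.ForestMode

# 4. DNS client settings on each DC: preferred should be one DC, alternate the other.
foreach ($dc in $domain.DomainControllers) {
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $dc.Name -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        "{0}: DNS search order = {1}" -f $dc.Name, [string]::Join(', ', @($nic.DNSServerSearchOrder))
    }
}

# 5. Finally, the same health check the author ran, quiet mode prints only failures.
dcdiag /s:$NewDc /q
```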
    LVL 48

    Assisted Solution

    your process looks ok, you missed global catalog placement though....I would run through this, I wrote it ages ago, but it should still get you out of trouble

    Author Comment

    Thanks to both KCTS and Jay_Jay70.  Both of your procedures were spot on and I've upgraded the network, transferred the roles and global catalog as outlined.  I have the old server online yet and will likely keep it that way until all shares and printers are transferred.

    The new server replicated AD and DNS just fine and things look normal.  I ran dcdiag (on the new server) after the process and did see an error that maybe you could help me out with.  Every other test passed.  But the initial test did not, and I am unsure why.  Like I said... I followed the procedure to a 'T'.  Here's the error:

    Performing initial setup:
       [JUPITER] Directory Binding Error -2146892976:
       The system detected a possible attempt to compromise security.  Please ensure
     that you can contact the server that authenticated you.
       This may limit some of the tests that can be performed.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\JUPITER
          Starting test: Connectivity
             [JUPITER] DsBindWithSpnEx() failed with error -2146892976,
             The system detected a possible attempt to compromise security.  Please
    ensure that you can contact the server that authenticated you..
             ......................... JUPITER failed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\JUPITER
          Skipping all tests, because server JUPITER is
          not responding to directory service requests



    Author Comment

    Also, I noticed that the Domain Functional Level and Forest Functional Level are at Windows 2000 mixed.  I assumed that adprep would bring the 2000 domain to the 2003 level.  Or, will the network remain in Windows 2000 mixed until I demote the 2000 Server?  Not that it's a big deal.  I can certainly run this way for the time being, then Raise Domain Functional Level later after demoting the prior DC.
    LVL 48

    Expert Comment

    hmmmm, for one I would raise the forest to 2000 native, clear the logs and then restart the netlogon service on all DCs, wait about an hour and then run those diags again and see what we come up with

    Author Comment

    I understand why I needed to be in Mixed mode until now.  We DO have one Windows 98 SE system that runs a laser etching device in our shop that flat out requires Win98.  We're phasing it out as we speak.  So, next weekend I'll apply your suggestion Jay_Jay70 and create a new Question if the problem still exists.  Thanks for all the help.  ;)
    LVL 48

    Expert Comment

    cool cool. let us know if you need help :)
