Migrating FSMO roles from AD 2000 to AD 2003 (Native Mode)

Let me give a quick background to this question.
I maintain AD for a school district that has quite an unnecessarily complex environment (I inherited it that way, and I'm working on improving it). In more technical terms, the following is what "complex" means:

- I have 36 school sites, connected via TLS 10mbps/100mbps connections.
- Each site has a domain controller on it that is replicating from the forest root domain
- Each site is running DNS, and DHCP with different subnets on each site
- Some sites have an additional domain controller, and child domains with 2-way trusts with the parent domain.

- The total number of child domains is somewhere around 25 or 26 at this time. I'm working on actually removing those.

The problem/question:
I cannot wait to remove all child domains before I'm able to upgrade my AD infrastructure, so I'm just doing some research to see what may be important that I need to pay special attention to.

Another given:
- Our AD schema has already been modified to accommodate 2003 (this was done on the spur of the moment a while back when one of the techs decided to install the first 2003 server in the environment).
- A lot of our servers are running Windows 2000 Server at the moment, though all new installations are Windows 2003 Server Standard.
- Some of the servers were at one point actually upgraded from Windows NT4 server to Windows 2000 Server.

Since my schema has already been upgraded to accommodate AD 2003, all that's left to do is to move the FSMO roles from a server currently running Windows 2000 Server to a server running Windows 2003 Server.
Doing this move, would my Windows 2000 servers still operate normally? Or if I'm all migrated to 2003, does it mean that I can't have any Windows 2000 Servers anymore?

Also, if I decide to start installing Windows 2003 Standard R2, I understand that there will be a new change to the schema. Is that going to require any other major considerations, or is the schema modification the only thing that is required?

On a slightly different angle, I was considering removing the DCs from most of my sites, especially since I now have fairly adequate high speed connections between the sites, and then keeping only a couple of DCs on some of my 100mbps sites and the rest at the district office. My purpose for that was to avoid delays in replication, and to attempt to do most of my replication via RPC instead of IP.

The problem that I may have, however, lies in the "Sites and Services" piece. I currently do have a different subnet on each of my sites, which is controlled by its own DHCP server, and the servers on that site are showing up.
My question about that would be:
Is it possible to maintain different subnets, and a site without having a domain controller on it? I read mixed opinions about that; some say it's possible, and some strongly recommend that there be a domain controller that is a Global Catalog on the site. The only downside I read about not having the DC is that the %LOGONSERVER% will end up being chosen randomly if that is my case.

In relation to that, there is an Exchange migration question that I have, though I will post it in a different topic for the sake of ease of searching for people who may be interested.

Thanks in advance for any ideas that you may have.

Madison Perkins (Consultant) commented:
Short answer
You can have 2000 servers in a native mode 2003 AD. You just can't have 2000 servers as domain controllers. Upgrade all your DCs to Server 2003 with AD in 2000 Native mode until all DCs are upgraded to 2003. Then upgrade the AD to native mode 2003.

Microsoft answer
You can move FSMO roles from a server currently running Windows 2000 Server to a server running Windows 2003 Server without any problems. All Windows 2000 servers will continue to operate normally. If you need help on how to move any of the five FSMO roles, please feel free to ask.

You should review your Global Catalog placement:
One of the new features of Windows Server 2003 is universal group membership caching. This feature is available only when the domain is in the Windows 2000 Native Mode or a higher functional level, and only Windows Server 2003 domain controllers provide this functionality. The benefit of using universal group membership caching is that a domain controller does not have to be made a Global Catalog server in order to provide the user with their universal group membership, which is required to log on. As users authenticate, the domain controller contacts a Global Catalog server from another site to retrieve the required information. The group membership is then cached on the domain controller and is ready to be used the next time the user logs on. Because the domain controller does not have to provide Global Catalog services, replication across the WAN link is reduced.

Your goal, in any upgrade, migration, or install, is to get to Windows Server 2003 Forest Functionality mode as soon as you can. Forest Functionality means that you are no longer backward-compatible with Windows 2000 servers. In return, because all of the domain controllers are at their highest level, you can take advantage of all of the advanced feature sets of Windows Server 2003. YOU MAY CONTINUE TO USE 2000 MEMBER SERVERS.

Is the WAN link reliable?
If the link is not reliable enough, you need to determine if you can get by without a domain controller for the site. I recommend that you do not allow a site to be left without a domain controller if the WAN link is unreliable. However, if security concerns are greater than the users' ability to authenticate for a short period of time, or if the user base is small enough that you cannot justify the cost of a domain controller, you may choose to have them authenticate to a domain controller in another site away from the users.

If you are allowing authentication across the WAN link, is the logon performance acceptable?

If it is, you should be able to host a site without a dedicated domain controller. However, if users complain about logon times, consider moving the domain controller to their site so that they can authenticate more efficiently. You may have to consider a trade-off between local authentication and replication traffic. Replication traffic in large domains or domains that have many Active Directory updates could consume too much of the available bandwidth. If the logon traffic is less than the replication traffic, it may make more sense to locate the domain controller so that it is not within the site.

I've been using R2 for a while and, besides all the new things it brings, I'm using it as a normal 2003 server.
One thing you'll get with 2003 is that replication is much more optimized. No more total replication because of a single DNS record change, for example. Now it replicates only those things that really changed.

If you need more help for now, please feel free to ask :)

I think this may interest you:

Protocol Used for Replication
Two protocols (IP and SMTP) can be used for replicating objects. When selecting IP, you are really specifying that you want to use RPCs to deliver the replicated objects. You can select SMTP if the domain controllers that you are replicating data between are not within the same domain. If the domain controllers are within the same domain, the file replication service (FRS) has to use RPCs to replicate the Sysvol data. Because FRS requires the same replication topology as the domain partition, you cannot use SMTP between the domain controllers within a domain. You can use SMTP if you want to control the replication between Global Catalog servers or domain controllers that are replicating the schema and configuration partition data between domain controllers.
cvservices (Author) commented:
Thanks guys for the replies, and especially DCenaculo for the very detailed response. I really appreciate it.

So, now I'm in a dilemma here... I spoke with Microsoft this morning, and the information they provided and your information match for the most part... here's the discrepancy, and it's possible that I may have misunderstood Microsoft. Fortunately, I have an advisory case open with them, so I can recheck. Anyway...

1- Both of you guys mentioned that I can move the FSMO roles to 2003 and can keep the 2000 servers, however, only if they're operating as member servers and not as DCs. This would obviously put a big kink in my timeline, because I still have quite a few 2000 DCs.
    - 1a) I was told by Microsoft that I should be able to move the FSMO roles to 2003 and not have to worry about the 2000 domain controllers, as the initial domain functional level of 2003 will actually be mixed mode, and as soon as I get rid of my last 2000 domain controller, then I can raise the 2003 domain functional level to native mode. Would my understanding be accurate in this area? Or is there a piece that I missed? I'm looking to do this ASAP, and my plan was to just build a new 2003 server, promote it to DC, move the FSMO roles to it, and take the old FSMO role holder (2000) offline for a bit to make sure that all clients are actually pointing to the correct FSMO role holders.

2- Regarding authentication, I have re-thought that whole process, and I came to the conclusion, as you have suggested, that it may probably end up being better that I have a DC at each site. Bringing this issue up with MSFT, they said that the traffic I'd be looking at if I don't have a DC and GC on site would be much more than just authentication traffic (especially if I'm running Exchange, which I am, on the main site), because there are constant AD attribute lookups for Exchange, not to mention if I'm running some SQL servers (which I am)... so now, I'm looking at pretty high traffic without a local site DC, so I think I will go ahead and stick with that idea for now.

DCenaculo, thanks for the info about the IP and SMTP replication. Currently, I'm not doing any SMTP replication at all... for onsite DCs with onsite replication partners, I am using RPC for replication, and for the intersite FRS, I'm using IP. Is there a specific need for me to use SMTP instead? (I've never really looked into it, so I honestly don't know how it works exactly, and whether it's purposed differently than IP, or is just an alternate method.)

Again, thanks for your input! it's greatly appreciated!


You can have 2003 DC servers and 2000 DC servers at the same time. It will be a network functioning at Windows 2000 native mode, which already is very good.

Native mode in Windows 2000 is expanded into forest functionality and domain functionality in Windows 2003. This last functional level is the desired one, but it's not easy to achieve and that's not a problem.

Forest Functionality means that you are no longer backward-compatible with Windows 2000 DC servers. But this only happens when you have your network prepared for that and it may take all the time you need.

One day, if you get to the point of changing to the Forest and Domain functional level with 2003 server because all of the domain controllers are at their highest level, you can take advantage of all of the advanced feature sets of Windows Server 2003. Until then you are in 2000 native mode and you may have 2000 and 2003 DCs working together, at the 2000 native mode level. And that's good.

Some day, when all your DCs are migrated to 2003, you will find the Forest Functionality choice in Active Directory Domains and Trusts; until then you can use 2000 and 2003 DCs together working in 2000 native mode, which is very good.
Even in the Forest and Domain 2003 functional level you will be able to use Windows 2000 Server, but only as member servers. But now, your functional level is 2000 native mode, so you can have 2000 server DCs working together with 2003 DCs. You just can't gain the features of the next level that having all DCs on 2003 offers.
I think you do not have mixed mode. That only happens when you still have Windows NT backup domain controllers, and I think you have already upgraded all of them to 2000 server DCs. If you open AD Domains and Trusts, right-click your domain name and choose "Raise Domain Functional Level...", you will see what Functional Level you have now. I think it should be "Windows 2000 native", and you'll also see next to it a paragraph saying that you still can't raise your functional level (to forest and domain 2003 level) because some domain controllers are not running the appropriate version of Windows (you still have 2000 DCs and AD knows it). So, you probably had mixed mode functionality, but with only 2000 and 2003 domain controllers you have 2000 Native mode, and some day, when you have all DCs on 2003, you will be able to raise to Forest domain functionality.

When you had mixed mode, your baseline of work was NT4 capabilities (more or less) even with 2000 DCs. Now the same happens: while you have 2000 DCs your network can't use the so desired Forest level capabilities, but you can have both 2000 and 2003 domain controllers working together at the 2000 Native mode level.
cvservices (Author) commented:
Thanks for the detailed explanation. You will be definitely getting the points on this one :) ... in fact, raising it to 500 for you once this is done :)

Anyway, so, I checked the Domain Functional Level, and it was exactly as you had suspected. It's running in Windows 2000 Native Mode. And if I understood you correctly, at this point, all I have to do is migrate my FSMO roles from my 2000 DC to a 2003 DC, and I'll STILL be in Windows 2000 Native mode at this point, and will not be able to raise that domain functional level to 2003 until I have removed the last 2000 server from my environment.

I think I got that right.... right? :)
I apologize if I'm reiterating the question, but I have 35,000 users under this forest, and I can't risk anything going wrong in this situation if you know what I mean.  (Unfortunately, I don't have the luxury of a lab in my environment... mostly a few VMs I can experiment with)
It is exactly that. And you can move FSMO without any fear. If you need help doing that, just say it :)
cvservices (Author) commented:
That's great. Thanks so much for your assistance. I think at this point I will accept this as a solution, and if any more help is required, I think I'll open a new question so that I can give you some more points for your help!
Use this command to see where they are (there are many ways to do these things :):

Netdom query fsmo

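As an added example (not part of the original thread or of netdom), a PowerShell script that gathers the same facts the thread checks by hand: the five FSMO role holders, forest and domain functional levels, the Windows 2000 DCs still present in each domain, and sites that have subnets but no local DC or Global Catalog. It uses the .NET System.DirectoryServices.ActiveDirectory classes (available since .NET 2.0) and assumes the account running it can read the configuration partition.

```powershell
# Added example (not from the thread): snapshot the facts the discussion turns on.
# Run it once before moving the FSMO roles and once after, and compare the outputs.
# Assumes the logged-on account can read the configuration partition.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1. Forest-wide roles and mode. The Windows Server 2003 forest level is only
#    offered once no Windows 2000 DC remains anywhere in the forest.
"Forest mode         : {0}" -f $forest.ForestMode
"Schema master       : {0}" -f $forest.SchemaRoleOwner.Name
"Domain naming master: {0}" -f $forest.NamingRoleOwner.Name

# 2. Per-domain roles, mode and remaining Windows 2000 DCs (the thread has
#    ~25 child domains, so each one is reported separately). Reading OSVersion
#    contacts each DC, so unreachable DCs make this step slow or throw.
foreach ($domain in $forest.Domains) {
    ""
    "Domain {0}  (mode: {1})" -f $domain.Name, $domain.DomainMode
    "  PDC emulator  : {0}" -f $domain.PdcRoleOwner.Name
    "  RID master    : {0}" -f $domain.RidRoleOwner.Name
    "  Infrastructure: {0}" -f $domain.InfrastructureRoleOwner.Name
    $oldDcs = @($domain.DomainControllers | Where-Object { $_.OSVersion -like '*2000*' })
    "  Windows 2000 DCs still blocking a level raise: {0}" -f $oldDcs.Count
    $oldDcs | ForEach-Object { "    {0} in site {1}" -f $_.Name, $_.SiteName }
}

# 3. Sites and Services view for the local-DC/GC question: sites that have
#    subnets assigned but no DC, and sites whose DCs are not Global Catalogs.
$gcSites = @($forest.FindAllGlobalCatalogs() | ForEach-Object { $_.SiteName })
""
foreach ($site in $forest.Sites) {
    $dcCount = @($site.Servers).Count
    if ($dcCount -eq 0) {
        "Site {0}: {1} subnet(s), no domain controller" -f $site.Name, @($site.Subnets).Count
    } elseif ($gcSites -notcontains $site.Name) {
        "Site {0}: {1} DC(s) but no Global Catalog" -f $site.Name, $dcCount
    }
}
```

Keep the "before" output: after the transfer, the five role lines should name the new 2003 DC while the domain mode line still reads Windows2000NativeDomain, which is the state the thread describes.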
cvservices (Author) commented:
Good job on the explanation. you were clear and concise with your answer!