Migrating from SBS 2003 to a Windows Server 2008 Domain Controller

Just so we're clear.

Although we have an SBS server, we also have a full blown Exchange 2003 server.  So we do not use the SBS 2003 email function, we use the actual Exchange 2003.

I need to introduce a new DC into the domain running Windows Server 2008, and demote the SBS Server.

Is it just that simple?  Or is there more to it?  FSMO roles?  Etc?  Files and printers have already been migrated from the SBS 2003 server.  So really it's just acting as a DC for now.  My Windows Server 2008 box is ready to be DCPROMO and take over, but I wanted to ensure there wasn't something else I was missing.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You can, but you must deploy first the transition pack.

That's not easy to do, I will be posting a step by step guide on how to do it on my blog in a few days, as it is a very common question.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
The Small Business Server has a lot of tight restrictions and integrations into Active Directory, which means you cannot just demote the SBS out of the domain as you would a standard Domain Controller. Take one of the restrictions - the 75 user limit - as an example. Without first removing that restriction, it is going to cause problems and could even be transferred to your new, non-SBS limit.

The correct way to remove the role is as already mentioned. You have to purchase the transition pack from Microsoft, which you run on the SBS itself to remove all the restrictions and essentially convert it back to a standard domain controller. Once that is done, you then have to correctly transfer all of the critical Active Directory roles across to the new Domain Controller before dcpromo'ing the SBS out of the domain. The procedure for doing this is at the end of this comment.

Do remember throughout this procedure that you CANNOT run dcpromo on any server which is also an Exchange Server - whether it is to promote or demote it. Running dcpromo on an Exchange Server WILL break Exchange. If any part of your procedure involves doing this (it appears that it doesn't though) you must uninstall Exchange, dcpromo then reinstall Exchange.

Here's the procedure for promoting your 2008 Server to DC after you have run the transition pack.


Install Windows Server 2008 onto the new server which is intended to be promoted as a Domain Controller. Ensure the new server is assigned a routable static IP address on your IP subnet. Ensure the IP address is not included in any of your existing DHCP scopes. The only DNS server entry at this stage should be the IP address of the existing domain controller on your network.

After installation, join the new machine to the existing domain as a member server. This procedure is exactly the same as joining a workstation to the domain.

Since you are upgrading the Operating System on the new Domain Controller, you will need to add some values to the existing Active Directory schema, in order for the new server to become a Domain Controller. Windows Server 2008 supports more functionality than before, so a schema upgrade for the domain and forest is required to facilitate this and make this new feature set fully functional on the domain. To make the necessary changes, you must be logged on as the built-in Administrator user account, or a user with Domain, Schema and Enterprise Admin privileges.

Insert the Windows Server 2008 media into your current SBS server . Open a command prompt and browse to sources\adprep folder within the Windows Server 2008 DVD media. Execute the command adprep /forestprep.

Next, execute adprep /domainprep . You must be logged on as a Domain Admin user for these steps to work correctly. Once these commands have run your Active Directory schema will have been extended to support Windows Server 2008 as a Domain Controller.

The next step is to promote the new server as a Domain Controller for the domain. Enter dcpromo at a command prompt and follow the wizard. When prompted, select the option for an additional domain controller in an existing domain. After the wizard completes, the new server will be acting as a Domain Controller for your domain. It is necessary at this point to restart the server for these changes to be applied.

In a single-domain Active Directory forest, all servers should also be Global Catalog servers. The Global Catalog is a required component of Active Directory which is used during logins to establish universal group membership for a user account. To promote the new server as a Global Catalog, open Active Directory Sites and Services from the Administrative Tools container within Control Panel or on the Start Menu. Double-click Sites, then Servers, followed by the name of the new server. Next, right-click "NTDS Settings" and select Properties. On the General tab, check the Global Catalog checkbox. Restart the new Domain Controller for changes to take effect.

Since you intend on removing the old SBS Domain Controller from the domain, you need to transfer all the Operations (FSMO) roles to the new Domain Controller.

The current FSMO role configuration for your network can be found by running the command "netdom query fsmo" at a command prompt on a Domain Controller. At present, all the FSMO roles will be present on the SBS server.

To transfer these FSMO roles to the new domain controller, follow the information detailed in the following Microsoft Support article: http://support.microsoft.com/kb/324801. Please ensure any other information you follow is information regarding the TRANSFER of FSMO roles. Seizing FSMO roles is an emergency operation which should not be performed during this procedure.

DNS is a critical component of your Active Directory network. The easiest way to install the DNS role onto the new server is to follow the instructions outlined at http://technet2.microsoft.com/WindowsServer2008/en/library/3cf4d1b1-7a6e-4438-bf4f-22d9468c17321033.mspx You should be already using Active Directory-integrated DNS zones, which is the easiest method of allowing DNS replication to occur - DNS information is stored in Active Directory and replicates with Domain Controller replication traffic. To check if your DNS zones are AD-integrated (and convert them if not), please follow http://support.microsoft.com/kb/227844.

You probably want to enable DNS forwarding in the DNS console on the server, too. This forwards lookups for external domains to a DNS server at your ISP, which allows the server to effectively resolve DNS for external domains. More information on forwarders can be found at http://technet2.microsoft.com/WindowsServer/en/Library/ee992253-235e-4fd4-b4da-7e57e70ad3821033.mspx.

To move DHCP to the new server, you will need to first install the role. To install the role in Windows Server 2008, check the DHCP Server role option within the Add Roles wizard in the Server Manager. To correctly configure DHCP after the role is installed on your new server, you will need to ensure you configure it to distribute IP addresses which are in a different range to the IP scope defined on the other DHCP server. You should also ensure the correct DNS and WINS servers are entered into the scope options. Remember that the only DNS servers which should be configured on workstations are the Domain Controllers which are also acting as DNS servers - no ISP DNS server should ever be set through DHCP.

Once all of these steps have been completed, you should have successfully transferred all of the Active Directory roles to the new domain controller. At this stage, I would suggest you shut down the old domain controller and check to ensure all services on workstations and servers are working correctly - including logins. If they are, you should be safe to switch the old DC back on, run dcpromo and demote it from its Domain Controller role. This will remove the DC as a Domain Controller, leaving it as a member server on the network.

To completely remove the DC from the network, you will need to remember that any other data - including folder redirection folders and user profiles - should be replicated or otherwise transferred to either the new server or another location on the network. It would appear from what you have posted that this has already been carried out.


derrickonlineAuthor Commented:
Very detailed, in-depth, and informative.  Before I accept your solution I will need time to start the process.  Thank you for your assistance.

PS:  My Exchange 2003 server runs separately so it will never be DCPROMOed.  Thank you!
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

You're welcome, once you've got the transition pack sorted the rest of it is really quite easy and straight forward!
derrickonlineAuthor Commented:
Quick question.... must I do this transition pack?  What if we already have the necessary CALS to operate under Windows Server 2008?  We purchased them with the software (well our consultant did).  We just want to get rid of SBS and go to Server 2008.  Can't I bypass the transition pack and follow the rest of the steps?
As tigermatt commented, you can't transfer roles between the Domain Controlers without using the transition pack.
derrickonlineAuthor Commented:
When you say roles you mean FSMO roles?  I just spoke with someone else (and I'm not trying to say you all are wrong, I'm trying to avoid paying for a transition pack when we have paid for CALS and software already under the new Windows Server 2008).

The person I spoke with said they would transfer the services DHCP, DNS, etc to new DC.  Do a domainprep then cut off the SBS server.  

The only thing we use the SBS server for is strictly DNS, DHCP, and domain login (Domain Controller).  We don't use the Exchange portion of it, or anything else.  

So with that in mind I still MUST pay for and run Transition Pack?
derrickonlineAuthor Commented:
PS:  I have member 2003 servers in the domain already.  And a full blown Exchange Server 2003 box.  Not sure if that makes any difference.
Is is joined to a SBS domain. You need to transfer roles in order to keep your current domain.
If you just dcpromo windows server 2008, you are creating a new domain, you can't just add windows server 2008 in the new domain and transfer the roles. That's one of the SBS limitations.
derrickonlineAuthor Commented:
What a major pain!  I'm sure MS will charge a nice arm and a leg for a transition pack.  Thank you....will keep you all posted.
SBS has several limitations - it must hold all the FSMO roles, there can only be a maximum of 75 user accounts in Active Directory, you can only have 1 SBS server on a domain and the list goes on. The transition pack as stated is required to remove these limitations - allowing you to effectively convert the SBS back to a standard server, which can then be migrated across as necessary.
derrickonlineAuthor Commented:
I'm being told my Microsoft MVP that the transition pack is not necessary if I plan to decommision the server in it's entirety.  The transition pack assumes I want to protect my investment in SBS CALS and upgrade that server to a full blown Windows Server 2008 box.  In this case I simply want to retire the old SBS box and move to Windows Server 2008 which doesn't require a transition pack but does require a bit of other work.

I do appreciate all of your assistance.

I deleted your comments re: shutting off SBCore (as well as tigermatt's replies to those comments explaining why you ought not have posted those on EE).  The reason is that EE does not permit postings that advise people to violate software EULAs.  Please desist from such behavior in the future.
EE Moderator
As I said in my comment, you CAN have another domain controler in a SBS 2003 domain for a period of 7 days (grace period, this period can be extended by an official patch(http://support.microsoft.com/default.aspx?scid=kb;EN-US;943494 )
nevertheless sometimes the server shut down before the 7 days every hours it's why I've put the inforamtion about the registry.
Tigermatt gave information about migrating an SBS 2003, The question was adding a new DC and removing the SBS 2003.
derrickonlineAuthor Commented:
A little confused as to what the issue was but nevertheless my issue was resolved and an answer accepted.  Thank you gentleman.
Can anyone say if the SBS 2003 Transition Pack is available for download from TechNet?  We've got every Microsoft software package and ISO available there, but I can't find the Trans Pack  there at all.
I see that the last post was over a year ago so I am hoping somebody will be able to respond.
 Tigermatt's guide was very helpful to me in a "mock" situation where I was using an old SBS server out of commission and a new Foundation 2008 R2 server to test this out. A couple of questions for whoever might be able to help me.
1. I did not use the transition pack and was wondering if that would limit me to only two terminal service administrator sessions on the Foundation box as one of the SBS limitations transferred over?
2. When I promoted the Foundation box to a domain controller it looks like everything (the global catalog, FSMO and DNS) were already automatically transferred over. So are TigerMatt's steps at the bottom necessary?
3. Can I demote the SBS server even though it has exchange if I do not want to use exchange with the new box?
For completeness sake, I think its important to add that the Transition Pack IS NOT required. You have 7 days to transfer FSMO roles to the new server and decommission the old SBS box without any impact to the networ. As mentioned this window can be extended to 21 days via use of microsoft's patch.
Lee W, MVPTechnology and Business Process AdvisorCommented:
Thanks to blaslett and sorry for posting in such an old post but people DO reference these posts (someone just did) and I felt it appropriate to clarify - you CANNOT transfer the 75 user restriction or really any of the SBS restrictions to a non-SBS server.  There SBS related services and registry settings that enforce them, nothing in the AD Schema.  The Transition Pack has (and had) not been sold for years and it is simply not required.

The Transition pack is ONLY required if you want to remove the SBS restrictions from the SBS server itself, not the domain.  If you're willing to "throw away" the SBS license, the transition pack is not at all required.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.