Solved

Migrating from SBS 2003 to a Windows Server 2008 Domain Controller

Posted on 2008-06-16
Last Modified: 2013-04-30
Just so we're clear.

Although we have an SBS server, we also have a full blown Exchange 2003 server.  So we do not use the SBS 2003 email function, we use the actual Exchange 2003.

I need to introduce a new DC into the domain running Windows Server 2008, and demote the SBS Server.

Is it just that simple?  Or is there more to it?  FSMO roles?  Etc?  Files and printers have already been migrated from the SBS 2003 server.  So really it's just acting as a DC for now.  My Windows Server 2008 box is ready to be DCPROMO and take over, but I wanted to ensure there wasn't something else I was missing.
Question by:derrickonline
19 Comments
 
LVL 6

Accepted Solution

by:
dnudelman earned 250 total points
ID: 21794977
You can, but you must first deploy the transition pack.
http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=bbcf7319-4947-4fd2-a2ea-145588765e68&displaylang=en

That's not easy to do, I will be posting a step by step guide on how to do it on my blog in a few days, as it is a very common question.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 21795181
The Small Business Server has a lot of tight restrictions and integrations into Active Directory, which means you cannot just demote the SBS out of the domain as you would a standard Domain Controller. Take one of the restrictions - the 75 user limit - as an example. Without first removing that restriction, it is going to cause problems and could even be transferred to your new, non-SBS limit.

The correct way to remove the role is as already mentioned. You have to purchase the transition pack from Microsoft, which you run on the SBS itself to remove all the restrictions and essentially convert it back to a standard domain controller. Once that is done, you then have to correctly transfer all of the critical Active Directory roles across to the new Domain Controller before dcpromo'ing the SBS out of the domain. The procedure for doing this is at the end of this comment.

Do remember throughout this procedure that you CANNOT run dcpromo on any server which is also an Exchange Server - whether it is to promote or demote it. Running dcpromo on an Exchange Server WILL break Exchange. If any part of your procedure involves doing this (it appears that it doesn't though) you must uninstall Exchange, dcpromo then reinstall Exchange.

Here's the procedure for promoting your 2008 Server to DC after you have run the transition pack.

--

Install Windows Server 2008 onto the new server which is intended to be promoted as a Domain Controller. Ensure the new server is assigned a routable static IP address on your IP subnet. Ensure the IP address is not included in any of your existing DHCP scopes. The only DNS server entry at this stage should be the IP address of the existing domain controller on your network.

After installation, join the new machine to the existing domain as a member server. This procedure is exactly the same as joining a workstation to the domain.

Since you are upgrading the Operating System on the new Domain Controller, you will need to add some values to the existing Active Directory schema, in order for the new server to become a Domain Controller. Windows Server 2008 supports more functionality than before, so a schema upgrade for the domain and forest is required to facilitate this and make this new feature set fully functional on the domain. To make the necessary changes, you must be logged on as the built-in Administrator user account, or a user with Domain, Schema and Enterprise Admin privileges.

Insert the Windows Server 2008 media into your current SBS server. Open a command prompt and browse to the sources\adprep folder within the Windows Server 2008 DVD media. Execute the command adprep /forestprep.

Next, execute adprep /domainprep. You must be logged on as a Domain Admin user for these steps to work correctly. Once these commands have run your Active Directory schema will have been extended to support Windows Server 2008 as a Domain Controller.

The next step is to promote the new server as a Domain Controller for the domain. Enter dcpromo at a command prompt and follow the wizard. When prompted, select the option for an additional domain controller in an existing domain. After the wizard completes, the new server will be acting as a Domain Controller for your domain. It is necessary at this point to restart the server for these changes to be applied.

In a single-domain Active Directory forest, all servers should also be Global Catalog servers. The Global Catalog is a required component of Active Directory which is used during logins to establish universal group membership for a user account. To promote the new server as a Global Catalog, open Active Directory Sites and Services from the Administrative Tools container within Control Panel or on the Start Menu. Double-click Sites, then Servers, followed by the name of the new server. Next, right-click "NTDS Settings" and select Properties. On the General tab, check the Global Catalog checkbox. Restart the new Domain Controller for changes to take effect.

Since you intend on removing the old SBS Domain Controller from the domain, you need to transfer all the Operations (FSMO) roles to the new Domain Controller.

The current FSMO role configuration for your network can be found by running the command "netdom query fsmo" at a command prompt on a Domain Controller. At present, all the FSMO roles will be present on the SBS server.

To transfer these FSMO roles to the new domain controller, follow the information detailed in the following Microsoft Support article: http://support.microsoft.com/kb/324801. Please ensure any other information you follow is information regarding the TRANSFER of FSMO roles. Seizing FSMO roles is an emergency operation which should not be performed during this procedure.

DNS is a critical component of your Active Directory network. The easiest way to install the DNS role onto the new server is to follow the instructions outlined at http://technet2.microsoft.com/WindowsServer2008/en/library/3cf4d1b1-7a6e-4438-bf4f-22d9468c17321033.mspx You should be already using Active Directory-integrated DNS zones, which is the easiest method of allowing DNS replication to occur - DNS information is stored in Active Directory and replicates with Domain Controller replication traffic. To check if your DNS zones are AD-integrated (and convert them if not), please follow http://support.microsoft.com/kb/227844.

You probably want to enable DNS forwarding in the DNS console on the server, too. This forwards lookups for external domains to a DNS server at your ISP, which allows the server to effectively resolve DNS for external domains. More information on forwarders can be found at http://technet2.microsoft.com/WindowsServer/en/Library/ee992253-235e-4fd4-b4da-7e57e70ad3821033.mspx.

To move DHCP to the new server, you will need to first install the role. To install the role in Windows Server 2008, check the DHCP Server role option within the Add Roles wizard in the Server Manager. To correctly configure DHCP after the role is installed on your new server, you will need to ensure you configure it to distribute IP addresses which are in a different range to the IP scope defined on the other DHCP server. You should also ensure the correct DNS and WINS servers are entered into the scope options. Remember that the only DNS servers which should be configured on workstations are the Domain Controllers which are also acting as DNS servers - no ISP DNS server should ever be set through DHCP.

Once all of these steps have been completed, you should have successfully transferred all of the Active Directory roles to the new domain controller. At this stage, I would suggest you shut down the old domain controller and check to ensure all services on workstations and servers are working correctly - including logins. If they are, you should be safe to switch the old DC back on, run dcpromo and demote it from its Domain Controller role. This will remove the DC as a Domain Controller, leaving it as a member server on the network.

To completely remove the DC from the network, you will need to remember that any other data - including folder redirection folders and user profiles - should be replicated or otherwise transferred to either the new server or another location on the network. It would appear from what you have posted that this has already been carried out.

--

-tigermatt
0
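Added example (not part of tigermatt's post or any Microsoft tooling): a PowerShell check that parses the output of "netdom query fsmo", the command named above, and reports any FSMO role not yet held by the new DC, so the old DC is only demoted once all five have transferred. The server names and the sample output are constructed, and the function names are hypothetical.

```powershell
# Parse "netdom query fsmo" output into a role -> holder table.
function Get-FsmoHolders {
    param([string[]]$NetdomOutput)
    # Role labels as netdom prints them. The alternate wording in each pattern
    # (owner / role owner / PDC role) is accepted on the assumption that some
    # netdom builds print it instead.
    $labels = @{
        'Schema'         = 'Schema (master|owner)'
        'DomainNaming'   = 'Domain (naming master|role owner)'
        'PDC'            = 'PDC( role)?'
        'RID'            = 'RID pool manager'
        'Infrastructure' = 'Infrastructure (master|owner)'
    }
    $holders = @{}
    foreach ($line in $NetdomOutput) {
        foreach ($role in $labels.Keys) {
            # Label, whitespace, then the holder's name as the last token on the line.
            if ($line -match ('^\s*' + $labels[$role] + '\s+(?<dc>\S+)\s*$')) {
                $holders[$role] = $matches['dc']
            }
        }
    }
    return $holders
}

# List every role that is missing from the output or held by another server.
function Get-RolesNotOnTarget {
    param([string[]]$NetdomOutput, [string]$TargetDc)
    $holders = Get-FsmoHolders $NetdomOutput
    $pending = @()
    foreach ($role in 'Schema', 'DomainNaming', 'PDC', 'RID', 'Infrastructure') {
        if (-not $holders.ContainsKey($role)) {
            $pending += "$role (not reported)"
        } elseif ($holders[$role] -ne $TargetDc) {   # -ne ignores case
            $pending += "$role (held by $($holders[$role]))"
        }
    }
    return $pending
}

# Constructed sample: the RID role is still on the old server.
$sample = @(
    'Schema master               NEWDC01.example.local',
    'Domain naming master        NEWDC01.example.local',
    'PDC                         NEWDC01.example.local',
    'RID pool manager            SBS01.example.local',
    'Infrastructure master       NEWDC01.example.local',
    'The command completed successfully.'
)
$pending = Get-RolesNotOnTarget $sample 'NEWDC01.example.local'
if ($pending) { "Do not demote yet: $($pending -join ', ')" }
else          { 'All five roles are on the target DC.' }
```

On a live Domain Controller, pass the real output instead of the sample: Get-RolesNotOnTarget (netdom query fsmo) 'your-new-dc-fqdn'.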
 

Author Comment

by:derrickonline
ID: 21795288
Very detailed, in-depth, and informative.  Before I accept your solution I will need time to start the process.  Thank you for your assistance.

PS:  My Exchange 2003 server runs separately so it will never be DCPROMOed.  Thank you!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21795295
You're welcome, once you've got the transition pack sorted the rest of it is really quite easy and straightforward!
0
 

Author Comment

by:derrickonline
ID: 21804558
Quick question.... must I do this transition pack?  What if we already have the necessary CALS to operate under Windows Server 2008?  We purchased them with the software (well our consultant did).  We just want to get rid of SBS and go to Server 2008.  Can't I bypass the transition pack and follow the rest of the steps?
0
 
LVL 6

Expert Comment

by:dnudelman
ID: 21805048
As tigermatt commented, you can't transfer roles between the Domain Controllers without using the transition pack.
0
 

Author Comment

by:derrickonline
ID: 21805229
When you say roles you mean FSMO roles?  I just spoke with someone else (and I'm not trying to say you all are wrong, I'm trying to avoid paying for a transition pack when we have paid for CALS and software already under the new Windows Server 2008).

The person I spoke with said they would transfer the services DHCP, DNS, etc to new DC.  Do a domainprep then cut off the SBS server.  

The only thing we use the SBS server for is strictly DNS, DHCP, and domain login (Domain Controller).  We don't use the Exchange portion of it, or anything else.  

So with that in mind I still MUST pay for and run Transition Pack?
0
 

Author Comment

by:derrickonline
ID: 21805243
PS:  I have member 2003 servers in the domain already.  And a full blown Exchange Server 2003 box.  Not sure if that makes any difference.
0
 
LVL 6

Expert Comment

by:dnudelman
ID: 21805456
It is joined to an SBS domain. You need to transfer roles in order to keep your current domain.
If you just dcpromo Windows Server 2008, you are creating a new domain; you can't just add Windows Server 2008 in the new domain and transfer the roles. That's one of the SBS limitations.
0
 

Author Comment

by:derrickonline
ID: 21805782
What a major pain!  I'm sure MS will charge a nice arm and a leg for a transition pack.  Thank you....will keep you all posted.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21805808
SBS has several limitations - it must hold all the FSMO roles, there can only be a maximum of 75 user accounts in Active Directory, you can only have 1 SBS server on a domain and the list goes on. The transition pack as stated is required to remove these limitations - allowing you to effectively convert the SBS back to a standard server, which can then be migrated across as necessary.
0
 

Author Closing Comment

by:derrickonline
ID: 31467628
I'm being told by a Microsoft MVP that the transition pack is not necessary if I plan to decommission the server in its entirety.  The transition pack assumes I want to protect my investment in SBS CALS and upgrade that server to a full blown Windows Server 2008 box.  In this case I simply want to retire the old SBS box and move to Windows Server 2008 which doesn't require a transition pack but does require a bit of other work.

I do appreciate all of your assistance.
0
 
LVL 1

Expert Comment

by:modus_operandi
ID: 22474373
butor69,

I deleted your comments re: shutting off SBCore (as well as tigermatt's replies to those comments explaining why you ought not have posted those on EE).  The reason is that EE does not permit postings that advise people to violate software EULAs.  Please desist from such behavior in the future.
 
modus_operandi
EE Moderator
0
 
LVL 1

Expert Comment

by:butor69
ID: 22474631
As I said in my comment, you CAN have another domain controller in an SBS 2003 domain for a period of 7 days (a grace period; this period can be extended by an official patch: http://support.microsoft.com/default.aspx?scid=kb;EN-US;943494 ).
Nevertheless, sometimes the server shuts down every hour before the 7 days are up, which is why I put the information about the registry.
Tigermatt gave information about migrating an SBS 2003. The question was about adding a new DC and removing the SBS 2003.
0
 

Author Comment

by:derrickonline
ID: 22478047
A little confused as to what the issue was but nevertheless my issue was resolved and an answer accepted.  Thank you gentlemen.
0
 
LVL 4

Expert Comment

by:Dimarc67
ID: 25570810
Can anyone say if the SBS 2003 Transition Pack is available for download from TechNet?  We've got every Microsoft software package and ISO available there, but I can't find the Trans Pack there at all.
0
 

Expert Comment

by:Shrikant_c
ID: 35207004
I see that the last post was over a year ago so I am hoping somebody will be able to respond.
Tigermatt's guide was very helpful to me in a "mock" situation where I was using an old SBS server out of commission and a new Foundation 2008 R2 server to test this out. A couple of questions for whoever might be able to help me.
1. I did not use the transition pack and was wondering if that would limit me to only two terminal service administrator sessions on the Foundation box as one of the SBS limitations transferred over?
2. When I promoted the Foundation box to a domain controller it looks like everything (the global catalog, FSMO and DNS) were already automatically transferred over. So are TigerMatt's steps at the bottom necessary?
3. Can I demote the SBS server even though it has Exchange if I do not want to use Exchange with the new box?
0
 
LVL 3

Expert Comment

by:blaslett
ID: 37918058
For completeness' sake, I think it's important to add that the Transition Pack IS NOT required. You have 7 days to transfer FSMO roles to the new server and decommission the old SBS box without any impact to the network. As mentioned, this window can be extended to 21 days via use of Microsoft's patch.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39125765
Thanks to blaslett and sorry for posting in such an old post but people DO reference these posts (someone just did) and I felt it appropriate to clarify - you CANNOT transfer the 75 user restriction or really any of the SBS restrictions to a non-SBS server.  There are SBS-related services and registry settings that enforce them, nothing in the AD Schema.  The Transition Pack has (and had) not been sold for years and it is simply not required.

The Transition pack is ONLY required if you want to remove the SBS restrictions from the SBS server itself, not the domain.  If you're willing to "throw away" the SBS license, the transition pack is not at all required.
0
