Upgrading AD to 2008 from existing 2003/2000 level

Hi There,

Currently we are running a Windows 2003 Server and a Windows 2000 Server as Domain Controllers.  As far as I remember the 2003 server is the FSMO role holder, but I will check this and make it so if it isn't.

I am looking to make our new Windows 2008 member server into a domain controller and demote the existing controller.

Having done some reading on this I want to confirm that the following steps are correct.

1. Ensure the 2003 server is the FSMO role holder and transfer the roles to it if not.

2. On the 2003 server run the forest prep and domain prep commands from the 2008 server DVD.

3. Promote the new 2008 server to be a DC.

4. Install and configure DNS on the new 2008 server.

5. Demote the 2000 server and uninstall the DNS role from it.

6. Install the DNS role on the new 2008 server and configure it.

7. Transfer the FSMO roles to the new 2008 server.

I know step 7 isn't required here but I also need to rename my existing 2003 server to bring it in line with parent company naming convention so I will have to demote it, rename it then promote it again.

If I have missed anything, or got the order wrong I would be very grateful for any corrections or hints.

Many Thanks

Who is Participating?
Chris DentConnect With a Mentor PowerShell DeveloperCommented:

Hey Steve,

4 and 6 are duplicated :) 4 is the right position for this move in my opinion. Although I seem to remember that you'll be prompted for DNS installation as an optional role during promotion.

Renaming a DC is well documented here:


Don't forget to check the Forest and Domain functional levels in there. You need at least Windows 2000 (Native). The higher the better, but do remember that changes in functional level are not reversible.

tigermattConnect With a Mentor Commented:

I've posted my run-down which I usually post on Domain Controller Switches below. The main point I'd suggest you focus on is ensuring you are running AD-integrated DNS (links below); this makes the steps of DNS migrations over to the new server so much easier, because it replicates with Active Directory.

Renaming a DC isn't as difficult as requiring a demotion and repromotion. The article Chris posted pretty much details the steps, although remember a rename with Netdom will only work if your Domain Functional Level is set to Windows Server 2003 - impossible while you still have that Windows 2000 DC running! In critical cases where the DC cannot be promoted, I usually perform a Computer Name change in Control Panel, System, and restart the server to update DNS records; not the best solution, but it does the job.



Install Windows Server 2008 onto the new server which is intended to be promoted as a Domain Controller. Ensure the new server is assigned a routable static IP address on your IP subnet. Ensure the IP address is not included in any of your existing DHCP scopes. The only DNS server entry at this stage should be the IP address of one of the Domain Controllers which is running the DNS server service on your network.

After installation, join the new machine to the existing domain as a member server. This procedure is exactly the same as joining a workstation to the domain.

Since you are upgrading the Operating System on the new Domain Controller, you will need to add some values to the existing Active Directory schema, in order for the new server to become a Domain Controller. Windows Server 2008 supports more functionality than before, so a schema upgrade for the domain and forest is required to facilitate this and make this new feature set fully functional on the domain. To make the necessary changes, you must be logged on as the built-in Administrator user account, or a user with Domain, Schema and Enterprise Admin privileges.

Insert the Windows Server 2008 media into your current server which is holding the Schema Master Operations Role (FSMO role). Open a command prompt and browse to sources\adprep folder within the Windows Server 2008 DVD media. Execute the command adprep /forestprep. Once complete, you must wait for the changes to be replicated to all domain controllers in the domain and forest before you can continue.

Next, execute adprep /domainprep . You must be logged on as a Domain Admin user for these steps to work correctly. Once these commands have run and replication has taken place your Active Directory schema will have been extended to support Windows Server 2008 as a Domain Controller.

Promote the new server as a Domain Controller for the domain. Enter dcpromo at a command prompt and follow the wizard. When prompted, select the option for an additional domain controller in an existing domain. After the wizard completes, the new server will be acting as a Domain Controller for your domain. It is necessary at this point to restart the server for these changes to be applied.

In a single-domain Active Directory forest, all servers should also be Global Catalog servers. The Global Catalog is a required component of Active Directory which is used during logins to establish universal group membership for a user account. To promote the new server as a Global Catalog, open Active Directory Sites and Services from the Administrative Tools container within Control Panel or on the Start Menu. Double-click Sites, then Servers, followed by the name of the new server. Next, right-click "NTDS Settings" and select Properties. On the General tab, check the Global Catalog checkbox. Restart the new Domain Controller for changes to take effect.

Since you intend on removing the old Domain Controller from the domain, you need to transfer all the Operations (FSMO) roles to the new Domain Controller.

The current FSMO role configuration for your network can be found by running the command "netdom query fsmo" at a command prompt on a Domain Controller.

To transfer these FSMO roles to the new domain controller, follow the information detailed in the following Microsoft Support article: http://support.microsoft.com/kb/324801. Please ensure any other information you follow is information regarding the TRANSFER of FSMO roles. Seizing FSMO roles is an emergency operation which should not be performed during this procedure.

DNS is a critical component of your Active Directory network. The easiest way to install the DNS role onto the new server is to follow the instructions outlined at http://technet2.microsoft.com/WindowsServer2008/en/library/3cf4d1b1-7a6e-4438-bf4f-22d9468c17321033.mspx You should be already using Active Directory-integrated DNS zones, which is the easiest method of allowing DNS replication to occur - DNS information is stored in Active Directory and replicates with Domain Controller replication traffic. To check if your DNS zones are AD-integrated (and convert them if not), please follow http://support.microsoft.com/kb/227844.

You probably want to enable DNS forwarding in the DNS console on the server, too. This forwards lookups for external domains to a DNS server at your ISP, which allows the server to effectively resolve DNS for external domains. More information on forwarders can be found at http://technet2.microsoft.com/WindowsServer/en/Library/ee992253-235e-4fd4-b4da-7e57e70ad3821033.mspx.

To move DHCP to the new server, you will need to first install the role. To install the role in Windows Server 2008, check the DHCP Server role option within the Add Roles wizard in the Server Manager. To correctly configure DHCP after the role is installed on your new server, you will need to ensure you configure it to distribute IP addresses which are in a different range to the IP scope defined on the other DHCP servers. You should also ensure the correct DNS and WINS servers are entered into the scope options. Remember that the only DNS servers which should be configured on workstations are the Domain Controllers which are also acting as DNS servers - no ISP DNS server should ever be set through DHCP.

Once all of these steps have been completed, you should have successfully transferred all of the Active Directory roles to the new domain controller. At this stage, I would suggest you shut down the old domain controller and check to ensure all services on workstations and servers are working correctly - including logins. If they are, you should be safe to switch the old DC back on, run dcpromo and demote it from its Domain Controller role. This will remove the DC as a Domain Controller, leaving it as a member server on the network.

To completely remove the DC from the network, you will need to remember that any other data - including folder redirection folders and user profiles - should be replicated or otherwise transferred to either the new server or another location on the network.
stevencUKDirectorAuthor Commented:
Thanks for all the help guys.

Chris, I must have had a "moment" when I duplicated the DNS bit. Doh!

Looking in AD Domains and Trusts I can see the forest functional level is currently 2000.  Obviously I can't raise that until I get rid of the old 2000 DC.  The domain functional level is currently 2000 mixed.  Should that be changed to Native and will there be any problems in doing this?

Matt, looking in the DNS manager I can see that my forward lookup zone is AD Integrated primary as are the 4 reverse lookup zones.  We have 4 different IP subnets across the company.  Hopefully this means that DNS won't be an issue.

Cheers so far.

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Chris DentConnect With a Mentor PowerShell DeveloperCommented:

The forest functional level is fine as 2000 :) But getting out of Mixed mode is a good plan. I don't anticipate any problems with a change like this, at least I've yet to see one. Mixed mode is only required if you need to run NT4 BDCs.

stevencUKDirectorAuthor Commented:
OK, domain moved to native mode.  Nothing broken yet ;o)
stevencUKDirectorAuthor Commented:
Just checked the FSMO role holders and got this.

C:\>netdom query fsmo
Schema owner                2003 DC

Domain role owner           2003 DC

PDC role                    2003 DC

RID pool manager            2003 DC

Infrastructure owner        2000 DC

The command completed successfully.

Do I need to change the Infrastructure owner before I start the 2008 adprep?
Chris DentConnect With a Mentor PowerShell DeveloperCommented:

No, ADPrep only modifies the Schema and therefore the Schema Master :)

stevencUKDirectorAuthor Commented:
Cool.  I have looked into transferring the Infrastructure owner to the 2003 server, however when I tried to do it I got a warning that the 2003 server was a global catalog server and that the two shouldn't be the same.

Given that I will eventually demote the 2000 DC, will the infrastructure owner be transferred to either the 2003 DC or the new 2008 DC automatically?
Chris DentConnect With a Mentor PowerShell DeveloperCommented:

In my opinion you should make all DCs Global Catalogs. That's pretty standard for small networks. The rule for the Infrastructure Master doesn't apply if all DCs are Global Catalogs. You should find a statement to that effect in the MS description for the Infrastructure Master as well :)

It should attempt to transfer automatically, but I always do it as a separate step before beginning demotion just to be absolutely sure it won't bother me.

stevencUKDirectorAuthor Commented:
Thanks for all the help, especially to Chris.  Job Done. :o)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.