DC2003 and DC2008 combined

Posted on 2010-11-10
Medium Priority
Last Modified: 2012-05-10
I have a Windows 2003 domain and all domain controllers are Windows 2003.
I wonder if I can install a Windows 2008 domain controller in the same domain as the other Windows 2003 DCs.
Question by:jskfan
LVL 27

Accepted Solution

KenMcF earned 1428 total points
ID: 34100861
Yes, you can have both. You will need to run adprep to update your schema.
You will just need to leave the FFL and DFL at mixed mode until all DCs are 2008.
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 288 total points
ID: 34100890
Yes you can, here's a walk-through I wrote a while back: http://www.petenetlive.com/KB/Article/0000239.htm


Assisted Solution

gentle0000 earned 284 total points
ID: 34100891

Of course you can install W2K8 to a W2K3 Domain Environment.

The only thing you have to do is to prepare your W2K3 AD Forest and W2K3 AD Domain.

You have to know that the Domain Functional Level for the Domain must be at least Windows 2000 Native. So first check in AD Users and Computers to see that the Domain Functional Level of your Domain is at Windows 2000 Native Mode. If not, just raise it by right-clicking the Domain Name (AD Users and Computers) and choosing Raise Domain Functional Level.

After that, follow the following procedure.
1. Logon to the DC with the Schema Master Role.
2. Insert the W2K8 DVD
3. Open a cmd prompt
4. Go to d:\sources\adprep  (Where d:\ is your DVD drive letter)
5. Write:  adprep /forestprep
6. Write: adprep /domainprep

You are done.
Now you can promote any W2K8 machine to a DC in a W2K3 AD Environment.

With Regards.
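
A read-only check to run before and after the adprep steps in the answer above. This is an added example, not part of the original answers; the function name `Get-AdPrepReadiness` is hypothetical, and it assumes PowerShell on a domain-joined machine. The `objectVersion` and `msDS-Behavior-Version` values it interprets are the documented Active Directory constants.

```powershell
# Added example: read-only checks around the adprep steps (ADSI, no AD module needed).
$schemaNames = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'
                  31 = 'Windows Server 2003 R2'; 44 = 'Windows Server 2008'
                  47 = 'Windows Server 2008 R2' }
$levelNames  = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'
                  2 = 'Windows Server 2003'; 3 = 'Windows Server 2008'
                  4 = 'Windows Server 2008 R2' }

function Get-AdPrepReadiness {   # hypothetical helper name
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $schema     = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $domain     = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"

    # Schema version is what adprep /forestprep raises (30/31 -> 44 for 2008 media).
    $schemaVersion = [int]$schema.objectVersion.Value
    # An absent msDS-Behavior-Version casts to 0, which is the Windows 2000 level.
    $dfl   = [int]$domain.'msDS-Behavior-Version'.Value
    $ffl   = [int]$partitions.'msDS-Behavior-Version'.Value
    $mixed = [int]$domain.nTMixedDomain.Value     # 1 = mixed mode, 0 = native

    # fSMORoleOwner on the schema partition is the DN of the Schema Master's
    # NTDS Settings object; its parent server object carries dNSHostName.
    $ntdsDn   = [string]$schema.fSMORoleOwner.Value
    $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
    $master   = ([ADSI]"LDAP://$serverDn").dNSHostName.Value

    New-Object PSObject -Property @{
        SchemaMaster       = $master                  # DC to log on to in step 1
        SchemaVersion      = "$schemaVersion ($($schemaNames[$schemaVersion]))"
        DomainLevel        = "$dfl ($($levelNames[$dfl]))"
        ForestLevel        = "$ffl ($($levelNames[$ffl]))"
        DomainIsNative     = ($mixed -eq 0)           # prerequisite named in the answer
        SchemaReadyFor2008 = ($schemaVersion -ge 44)  # true once /forestprep has replicated
    }
}

Get-AdPrepReadiness | Format-List
```

On a Windows 2003 forest the schema version reads 30 or 31 before `adprep /forestprep` and 44 once the 2008 schema update has been applied and replicated.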


Author Comment

ID: 34101008
What benefits do you get in this case, assuming the DFL and FFL are still Windows 2003?
LVL 27

Assisted Solution

KenMcF earned 1428 total points
ID: 34101202
One of the benefits you get if you have all 2008 DCs and FFL and DFL of 2008 is fine grained password policy. With your FFL and DFL you will not have this option.


Author Comment

ID: 34101655
I meant while still in Windows 2003 DFL and FFL, what benefits can I get from a Windows 2008 domain controller?

If the benefits are gonna be the same as having a Windows 2003 DC, why should I add a W2008 DC in the first place?

I know that if upgrading FFL and DFL to W2008, all DCs need to be upgraded to W2008.

If there are other benefits in installing W2008 in a W2003 domain while keeping FFL and DFL at 2003, please provide those benefits.
LVL 27

Assisted Solution

KenMcF earned 1428 total points
ID: 34101782
It depends on what you are comfortable with I guess and what your plans are to upgrade. How long will the new server be around for? 2003 will end support soon so you may be upgrading anyway. I would recommend installing the new DC as 2008 or even 2008 R2 since that is the newest OS, and work on getting all of your DCs up to that level in the next few years.

One of the biggest benefits I think with having a 2008 DC is the AD snapshots. You do not have to have 2008 DFL or FFL for this.


There are no benefits keeping the DFL and FFL level in mixed mode, but you are not able to go to DFL or FFL 2008 until all of your DCs are 2008.

"Raising the domain and forest functional levels to Windows Server 2008 is a nonreversible task and prohibits the addition of Windows 2000–based or Windows Server 2003–based Domain Controllers to the environment. Any existing Windows 2000–based or Windows Server 2003–based Domain Controllers in the environment will no longer function, and in fact, the upgrading wizard will not allow you to continue with the operation. "




Author Comment

ID: 34103944
If I understand:

Windows 2008 DC in DFL 2003, you get:
    * Fine-grained password policies – Allows multiple password policies to be applied to different users in the same domain.
    * Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database.
    * Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
    * Granular auditing – Allows history of object changes in Active Directory.
    * Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.
    * Last Interactive Logon Information – Displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.

Windows 2008 DC in Windows 2003 FFL you get:
    * Forest trust.
    * Domain rename.
    * Linked-value replication – Changes in group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit.
    * Deployment of an RODC.
    * Intersite topology generator (ISTG) improvements – Supports a more efficient ISTG algorithm that allows support for extremely large numbers of sites.
    * The ability to create instances of the dynamicObject dynamic auxiliary class.
    * The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.
    * The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
    * Deactivation and redefinition of attributes and classes in the schema.

LVL 27

Assisted Solution

KenMcF earned 1428 total points
ID: 34104351
You will not get FGPP, this needs to be all 2008 DCs. AD snapshots is not in the list. In my opinion this is a big one for the 2008 DCs.

    * Fine-grained password policies – Allows multiple password policies to be applied to different users in the same domain.

Author Comment

ID: 34104385
I guess the AD snapshot requires Windows 2008 DCs DFL/FFL
LVL 27

Assisted Solution

KenMcF earned 1428 total points
ID: 34104408
No, AD snapshots only require a 2008 DC. You can still be in 2003 DFL and FFL.

Author Closing Comment

ID: 34105646
Thanks guys
