• Status: Solved

Active Directory restructure from 2003 to 2008 R2

Hi, we are planning to raise our domain functionality level to 2008 R2 from 2003 and I have a couple of questions.
This is our environment:

1 domain
3 2003 SP2 DCs (all of them have DNS with AD-integrated zones); all of them are GCs

The plan is to install 3 new 2008 R2 DCs and demote all of the old ones.

I plan to take full backups (including system state) of 2 of the DCs and take them offline before touching anything.

DC1 holds all of the FSMO roles. Is it the correct way to keep that one online?

After that I want to introduce a 2008 R2 member server and promote it to DC and transfer all of the FSMO roles to it and to set up all replications and stuff with DC1.

When I get that working fine I will add 2 more 2008 R2 DCs and finally demote DC1 (old 2003).
Then I have to clean up metadata of all the old 3 DCs, right?

Recover plan:
If this goes wrong I want to be completely sure to be able to roll back everything, but I'm a little unsure of which steps I have to go through in the forest recovery process.

Can I do it like this:
Take all DCs offline and power up one of the 2003 DCs that has been offline during the whole process (thus knowing nothing about any changes), clean up metadata of the other 2 2003 DCs, seize the FSMO roles and make it the owner of all FSMO roles, and after that install new DCs and just replicate everything to them. Sounds a little too easy so I guess I have to do more than this? :)

Please give me your thoughts about this. Am I completely wrong and am I forgetting something?
3 Solutions
I would transfer your FSMOs to your 1st 2008 DC as soon as it's available as a DC....

You need to prepare the schema, so it's ready to have a 2008 R2 DC. I would recommend you follow the steps below:
1. Update schema using adprep /forestprep - you do this on the schema master. When doing this make sure the server is off the network. Once the schema is updated you can then put it back on the network so it can replicate the changes to the other 2 DCs.

2. You need to run adprep /domainprep on the Infrastructure server.

3. If your new Win 2008 R2 DCs will have different names, then just promote the servers using DCPROMO. Do one server at a time. If they are keeping the names to ones you already have, then just demote the server and remove from domain, then demote the 2008 R2 server giving it the DC name you just demoted, again do one at a time.

4. Transfer the FSMO roles to the new server(s) (Make sure you configure an external time source on the PDC)

5. Demote your old servers one at a time.

6. Raise your forest & domain function levels to enable the new features.

7. Once the function levels are raised, I would recommend enabling DFSR for sysvol replication.

You can try it this way (and without problems):

If you can use a new/old PC/server, you can install 2008 R2 on this server; otherwise you can create a temporary virtual machine.

* Install the OS, add 2008R2 to the domain.
* Raise the forest and domain level to 2003 native
* Next, run Forest Prep and Domain Prep on primary domain controller
(FSMO:  http://www.petri.co.il/determining_fsmo_role_holders.htm  http://support.microsoft.com/kb/324801/en-us)
(run the adprep /forestprep command on the server that holds the schema master operations master; run the adprep /domainprep /gpprep command on the server that holds the infrastructure operations master role )
* Promote 2008R2 to Domain controller
* Transfer FSMO and Global Catalog to 2008R2 (Double-click Sites, then Servers, followed by the name of the new server. Next, right-click "NTDS Settings" and select Properties. On the General tab, check the Global Catalog checkbox)
* To move DHCP to the 2008R2 server, you will need to first install the role. To install the role in Windows Server 2008, check the DHCP Server role option within the Add Roles wizard in the Server Manager.
* Demote all 2003 domain controllers to member servers
* Format 2003 OS and install 2008R2
* Add and Promote new 2008R2 server
* Transfer FSMO and Global Catalog to 2008R2 (Double-click Sites, then Servers, followed by the name of the new server. Next, right-click "NTDS Settings" and select Properties. On the General tab, check the Global Catalog checkbox)
* Demote 2008R2 (first server) and delete it.
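
Both answers above end with "transfer FSMO and Global Catalog, then demote the old servers". The following pre-demotion check is an added example, not part of the original thread; it assumes it is run on a 2008 R2 DC with the ActiveDirectory module, and the DC names `DC1`, `DC2`, `DC3` are hypothetical.

```powershell
# Added example. Run on a 2008 R2 DC; written to stay PowerShell 2.0 compatible.
Import-Module ActiveDirectory

# Hypothetical names of the old 2003 DCs that are about to be demoted.
$toDemote = 'DC1', 'DC2', 'DC3'

$domain   = Get-ADDomain
$forest   = Get-ADForest
$blockers = @()

# 1. No FSMO role may still sit on a DC that is going away.
$fsmo = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    $holder = ($fsmo[$role] -split '\.')[0]      # FQDN -> short host name
    if ($toDemote -contains $holder) {
        $blockers += "$role is still held by $holder"
    }
}

# 2. At least one global catalog must remain among the DCs that stay.
$staying = @(Get-ADDomainController -Filter * |
    Where-Object { $toDemote -notcontains $_.Name })
if (@($staying | Where-Object { $_.IsGlobalCatalog }).Count -eq 0) {
    $blockers += 'No global catalog would remain after the demotions'
}

# 3. Replication must be clean, otherwise the new DCs may hold stale data.
$failed = @(repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 })
foreach ($link in $failed) {
    $blockers += "Replication failing: $($link.'Source DSA') -> $($link.'Destination DSA')"
}

"Domain mode: $($domain.DomainMode)  Forest mode: $($forest.ForestMode)"
if ($blockers.Count -gt 0) {
    $blockers | ForEach-Object { Write-Warning $_ }
    exit 1
}
'OK to demote: ' + ($toDemote -join ', ')
```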

Leon Fester, Senior Solutions Architect, Commented:
There is nothing wrong with your plan.
We do something similar for our DR recoveries.

A simple test before migrating is:
Unplug a workstation from your domain and move it to the test lab/LAN.
In your test lab/LAN, use your backups and follow your rollback plan.
Plug the workstation into the test lab/LAN and see if everything works.

Worst-case scenario is to set the BurFlags to say that it's an authoritative restore.

If your recovery method works, then go ahead with your plan.
I'd recommend only recovering 1 DC during your rollback and promoting the 2nd/3rd DCs again.
It's the cleanest option.
IT_Penser (Author) Commented:
Thanks guys,

Ah, good idea to run adprep offline :)
So it's better to use DFSR for sysvol? I have heard that it's not necessary.
Why are you deleting the first 2008R2 server?

So you think the upgrade plan will work? Is it common to fail when you are doing this?
Regarding the recovery plan, great idea with the test in the lab, thanks for that :)

Just so I understand it right: if it goes wrong during the raise, can I just bring one of the DCs that are offline up without doing a restore (authoritative/non-authoritative), or is it more complicated than that?

If the raise goes fine, is it the correct way to clean up metadata to delete the old offline DCs, or should I do an offline demote or something like that? And do I have to use ntdsutil to clean it up or can I do it from the GUI? (Heard that that's possible in 2008R2.)

Thanks a lot for your help, guys!

The only point where it might go wrong is the schema update, hence why you take the schema master offline. If it was to fail, you just seize the role on one of the other DCs.
FRS is old technology; this has been upgraded to DFSR in 2008R2. If you were to do a new AD installation of Win2008R2, FRS is not enabled; DFSR is.
IT_Penser (Author) Commented:
One more thought: we are using DFS, what happens to it during this process?

Is your DFS Windows 2003 R2? The new DFS component was added to 2K3R2, which uses DFSR. This has not changed in Win2k8R2. If not, it will be using FRS. If it's using FRS then the DFS will need to be upgraded to the new engine, DFSR. If that's the case I would upgrade DFS when your DCs are upgraded, then do the SYSVOL upgrade to DFSR.
Why are you deleting the first 2008R2 server?

Because, in my answer, the first Win2008R2 is installed on an old server or virtual server. This type of server, you should not have it in production, as it could be corrupted, causing damage to infrastructure.