Active Directory restructure from 2003 to 2008 R2

Posted on 2011-05-09
Last Modified: 2012-05-11
Hi, we are planning to raise our domain functionality level to 2008 R2 from 2003 and I have a couple of questions.
This is our environment:

1 domain
3 2003 SP2 DCs (all of them have DNS with AD-integrated zones); all of them are GCs

The plan is to install 3 new 2008 R2 DCs and demote all of the old ones.

I plan to take full backups (including system state) of 2 of the DCs and take them offline before touching anything.

DC1 holds all of the FSMO roles; is it the correct way to keep that one online?

After that I want to introduce a 2008 R2 member server, promote it to DC, transfer all of the FSMO roles to it and set up all replication and stuff with DC1.

When I get that working fine I will add 2 more 2008 R2 DCs and finally demote DC1 (old 2003).
Then I have to clean up the metadata of all 3 old DCs, right?

Recover plan:
If this goes wrong I want to be completely sure to be able to roll back everything, but I'm a little unsure of which steps I have to go through in the forest recovery process.

Can I do it like this:
Take all DCs offline and power up one of the 2003 DCs that has been offline during the whole process (thus knowing nothing about any changes), clean up the metadata of the other 2 2003 DCs, seize the FSMO roles and make it the owner of all FSMO roles, and after that install new DCs and just replicate everything to them. Sounds a little too easy, so I guess I have to do more than this? :)

Please give me your thoughts about this: am I completely wrong, and am I forgetting something?
Question by:IT_Penser
    LVL 7

    Expert Comment

    I would transfer your FSMOs to your 1st 2008 DC as soon as it's available as a DC....

    LVL 14

    Assisted Solution

    You need to prepare the schema, so it's ready to have a 2008 R2 DC. I would recommend you follow the steps below:
    1. Update the schema using adprep /forestprep - you do this on the schema master. When doing this make sure the server is off the network. Once the schema is updated you can then put it back on the network so it can replicate the changes to the other 2 DCs.

    2.  You need to run adprep /domainprep on the Infrastructure server.

    3. If your new Win 2008 R2 DCs will have different names, then just promote the servers using DCPROMO. Do one server at a time. If they are keeping the names of ones you already have, then just demote the server and remove it from the domain, then demote the 2008 R2 server giving it the DC name you just demoted; again, do one at a time.

    4. Transfer the FSMO roles to the new server(s) (Make sure you configure an external time source on the PDC)

    5. Demote your old servers one at a time.

    6. Raise your forest & domain function levels to enable the new features.

    7. Once the function levels are raised, I would recommend enabling DFSR for sysvol replication.
    LVL 9

    Assisted Solution

    You can try it this way (and without problems):

    If you can use a new/old pc/server, you can install 2008 R2 on this server, otherwise you can create a temporary virtual machine.

    * Install the OS, add 2008 R2 to the domain.
    * Raise the forest and domain level to 2003 native.
    * Next, run Forest Prep and Domain Prep on the primary domain controller
    (run the adprep /forestprep command on the server that holds the schema master operations master role; run the adprep /domainprep /gpprep command on the server that holds the infrastructure operations master role).
    * Promote 2008R2 to Domain controller
    * Transfer FSMO and Global Catalog to 2008R2 (Double-click Sites, then Servers, followed by the name of the new server. Next, right-click "NTDS Settings" and select Properties. On the General tab, check the Global Catalog checkbox)
    * To move DHCP to the 2008R2 server, you will need to first install the role. To install the role in Windows Server 2008, check the DHCP Server role option within the Add Roles wizard in the Server Manager.
    * Demote all 2003 domain controllers to member servers.
    * Format the 2003 OS and install 2008 R2.
    * Add and promote the new 2008 R2 server.
    * Transfer FSMO and Global Catalog to 2008R2 (Double-click Sites, then Servers, followed by the name of the new server. Next, right-click "NTDS Settings" and select Properties. On the General tab, check the Global Catalog checkbox)
    * Demote 2008R2 (first server) and delete it.
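    The adprep / dcpromo / FSMO-transfer sequence that both answers above describe, as an added example that is not from this thread or from any of its participants: a PowerShell script for the first 2008 R2 DC (run after it is promoted, since the ActiveDirectory module needs a 2008 R2 DC to talk to) that reports which 2003 DC holds each role before adprep, confirms the schema update has actually replicated, checks replication health, and only when asked transfers the five roles and points the new PDC emulator at an external time source. NEWDC01 and the NTP peer are assumptions.

```powershell
# Added example (not from this thread). Run on the first 2008 R2 DC once it is
# promoted. Assumed names: NEWDC01 (new 2008 R2 DC), pool.ntp.org (time source).
param(
    [string]$NewDc    = 'NEWDC01',       # assumption: the first 2008 R2 DC
    [string]$TimePeer = 'pool.ntp.org',  # assumption: external NTP source for the PDC
    [switch]$Transfer                    # roles are only moved when this is given
)
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Role holders: the schema master is the box to take off the network for
#    adprep /forestprep; the infrastructure master runs adprep /domainprep.
"Schema master         : {0}" -f $forest.SchemaMaster
"Domain naming master  : {0}" -f $forest.DomainNamingMaster
"PDC emulator          : {0}" -f $domain.PDCEmulator
"RID master            : {0}" -f $domain.RIDMaster
"Infrastructure master : {0}" -f $domain.InfrastructureMaster
"Forest / domain mode  : {0} / {1}" -f $forest.ForestMode, $domain.DomainMode

# 2. objectVersion on the schema head shows whether forestprep has replicated
#    to this DC: 30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$ver = (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
"Schema objectVersion  : {0} (47 = Windows Server 2008 R2)" -f $ver

# 3. Never move roles while replication is failing; repadmin ships with the OS.
repadmin /replsummary

if ($Transfer) {
    if ($ver -lt 47) { throw "Schema is not at 2008 R2 level; run adprep /forestprep first." }
    # Transfer, not seize: -Force is deliberately omitted, because a seize is
    # only for the rollback case where the old role holder will never return.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
    # Step 4's reminder: the PDC emulator should sync from an external source.
    w32tm /config /computer:$NewDc /manualpeerlist:$TimePeer /syncfromflags:manual /reliable:yes /update
    w32tm /resync /computer:$NewDc
    # Re-read the holders so the transfer is confirmed from the directory itself.
    Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
    Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
}
```

    Run it once without -Transfer while the 2003 DCs are still in place to get the role map for the adprep steps, then again with -Transfer after the new DC has been promoted and replication is clean.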
    LVL 26

    Accepted Solution

    There is nothing wrong with your plan.
    We do something similar for our DR recoveries.

    A simple test before migrating is:
    unplug a workstation from your domain and move it to the test lab/LAN.
    In your test lab/LAN, use your backups and follow your rollback plan.
    Plug the workstation into the test lab/LAN and see if everything works.

    Worst-case scenario is to set the BurFlags to say that it's an authoritative restore.

    If your recovery method works, then go ahead with your plan.
    I'd recommend only recovering 1 DC during your rollback and promoting the 2nd/3rd DCs again.
    It's the cleanest option.

    Author Comment

    Thanks guys,

    Ah, good idea to run adprep offline :)
    So it's better to use DFSR for SYSVOL? I have heard that it's not necessary.
    Why are you deleting the first 2008 R2 server?

    So you think the upgrade plan will work; is it common to fail when you are doing this?
    Regarding the recovery plan, great idea with the test in the lab, thanks for that :)

    Just so I understand it right: if it goes wrong during the raise, can I just bring one of the DCs that are offline up without doing a restore (authoritative/non-authoritative), or is it more complicated than that?

    If the raise goes fine, is it the correct way to clean up metadata to delete the old offline DCs, or should I do an offline demote or something like that? And do I have to use ntdsutil to clean it up, or can I do it from the GUI? (I heard that's possible in 2008 R2.)

    Thanks a lot for your help, guys!
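    The metadata cleanup that the rollback plan and the question above refer to, as an added example that is not from this thread: a read-only PowerShell check, run on a 2008 R2 DC with the ActiveDirectory module, that lists which of the old 2003 DCs still hold an FSMO role or still have an NTDS Settings object in the directory, and prints the matching ntdsutil cleanup line for each instead of deleting anything. The DC names are assumptions.

```powershell
# Added example (not from this thread). Read-only: it reports what metadata
# cleanup would have to remove and prints the ntdsutil command for each case.
# Assumption: the three 2003 DCs are named DC1, DC2 and DC3.
param([string[]]$OldDcs = @('DC1', 'DC2', 'DC3'))
Import-Module ActiveDirectory
$configNc = (Get-ADRootDSE).configurationNamingContext
$forest   = Get-ADForest
$domain   = Get-ADDomain

# 1. Any FSMO role still on an old DC has to be transferred (or, if that DC is
#    gone for good, seized with Move-ADDirectoryServerOperationMasterRole -Force).
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.Keys) {
    $holder = ($roles[$role] -split '\.')[0]        # FQDN -> short name
    if ($OldDcs -contains $holder) { "ROLE STILL ON OLD DC : {0} on {1}" -f $role, $holder }
}

# 2. Server objects under Sites. A clean dcpromo demote removes the "NTDS
#    Settings" child but leaves the server object; an old DC that was merely
#    switched off still has both, and that NTDS Settings object is what makes
#    the directory keep treating the machine as a replication partner.
$servers = Get-ADObject -SearchBase "CN=Sites,$configNc" -Filter 'objectClass -eq "server"'
foreach ($srv in $servers) {
    if ($OldDcs -notcontains $srv.Name) { continue }
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                -Filter 'objectClass -eq "nTDSDSA"'
    if ($ntds) {
        "STALE NTDS SETTINGS  : {0}" -f $srv.DistinguishedName
        # One-line form of walking ntdsutil's menus; on 2008 R2, deleting the
        # NTDS Settings object in Sites and Services performs the same cleanup.
        'ntdsutil "metadata cleanup" "remove selected server {0}" quit quit' -f $srv.DistinguishedName
    } else {
        # Leftover of a clean demote: harmless, delete it once nothing
        # (DNS records, DFS targets) still points at that server.
        "EMPTY SERVER OBJECT  : {0}" -f $srv.DistinguishedName
    }
}
```

    Running it with no output from either section is the sign that the old DCs are fully gone from the directory and the new 2008 R2 DCs can be left as the only replication partners.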
    LVL 14

    Expert Comment

    The only point where it might go wrong is the schema update, which is why you take the schema master offline. If it were to fail, you just seize the role on one of the other DCs.
    FRS is old technology; this has been upgraded to DFSR in 2008 R2. If you were to do a new AD installation of Win2008R2, FRS is not enabled; DFSR is.

    Author Comment

    One more thought: we are using DFS; what happens to it during this process?
    LVL 14

    Expert Comment

    Is your DFS Windows 2003 R2? The new DFS component was added to 2K3R2, which uses DFSR. This has not changed in Win2k8R2. If not, it will be using FRS. If it's using FRS then the DFS will need to be upgraded to the new engine, DFSR. If that's the case I would upgrade DFS when your DCs are upgraded, then do the SYSVOL upgrade to DFSR.
    LVL 9

    Expert Comment

    "Why are you deleting the first 2008R2 server?"

    Because, in my answer, the first Win2008R2 is installed on an old server or a virtual server. You should not have this type of server in production, as it could be corrupted, causing damage to the infrastructure.
