You have a 2003 PDC and a 2008 secondary DC. What steps would you take to turn 2003 into 2008?

Posted on 2011-10-06
Last Modified: 2012-05-12
Hi peeps,

If you've got a 2003 PDC, with a 2008 secondary DC, then what would be the smoothest, best approach to upgrading that primary DC into a 2008 PDC?

How would you go about it in a live production environment? Is there anything you would watch out for especially and be careful of whilst attempting this?

Thanks a lot
Yashy
Question by:Yashy

Accepted Solution

by:
Krzysztof Pytko earned 1000 total points
ID: 36923876
There is no PDC/BDC right now :) DCs are working in a multi-master replication topology. The only difference is the FSMO role holder. So, if you have 2003 and 2008 DCs existing in your network, you can now transfer the FSMO roles from 2003 to 2008.

For that, please check my blog at
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-gui/
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-command-line/

When you move your PDC Emulator master, you need to advertise the new time server in your forest:

[...] - after transfer of the PDCEmulator role, configure the NEW PDCEmulator to an external time source and reconfigure the old PDCEmulator to use the domain hierarchy now. Therefore run on the NEW "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update" where PEERS will be filled with the IP address or server (time.windows.com) and on the OLD one run "w32tm /config /syncfromflags:domhier /reliable:no /update" and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes. [...]

It's an extract from an MVP blog at
http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx

When you are sure that everything is replicated properly, you may wish to decommission the old 2003 DC:
http://kpytko.wordpress.com/2011/08/29/decommissioning-the-old-domain-controller/

Regards,
Krzysztof

Expert Comment

by:Darius Ghassem
ID: 36924185

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 1000 total points
ID: 36928486
It seems you have a 2003 DC and a 2008 DC in the network and you want to make the Win2008 DC the primary server and the Win 2003 DC the secondary. To achieve this you just need to transfer the FSMO roles to the Win2008 DC and you are done.

Refer to this article: http://www.petri.co.il/transferring_fsmo_roles.htm

But if you are planning to add a Win2008 server to an existing 2003 domain, you need to promote the Win2008 server as a DC and transfer the FSMO roles to the 2008 DC to make it primary.

There are a couple of very important considerations that you should have in mind before you proceed with your migration scenario.
-- Check, and raise if necessary, the Domain and Forest functional levels. You cannot upgrade directly from Windows 2000 mixed, or Windows Server 2003 interim domain functional levels.

-- The first Windows Server 2008 Domain Controller in the forest must be a Global Catalog Server, and it cannot be a Read Only Domain Controller (RODC).

-- Check the FSMO role assignments. When you prepare the existing AD, you should run adprep /forestprep on the Schema operations master, and adprep /domainprep /gpprep on the infrastructure master. In your case, as there is a single DC, you need to run them on the same server.


Steps to Install Windows 2008 DC

1. First prepare the domain.
Insert the Win 2008 R2 DVD in the Windows 2003 DC and execute adprep as below:
Run D:\2008DVD\Support\Adprep\adprep32.exe /forestprep on the server holding the Schema Master role.
Run D:\2008DVD\Support\Adprep\adprep32.exe /domainprep /gpprep on the server holding the domain master role.

Reference article: http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm

2. Install the DNS role on Win2k8.
Reference KB article: http://technet.microsoft.com/en-us/library/cc725925.aspx

3. Once the DNS role is installed, run dcpromo on Win2k8 R2.
Reference KB article: http://technet.microsoft.com/en-us/library/cc753720(WS.10).aspx

4. After the Win2k8 DC promotion is completed, restart the Win2k8 DC.

5. You must transfer the FSMO roles to the 2008 machine; the process is as outlined at http://www.petri.co.il/transferring_fsmo_roles.htm

6. Run dcdiag /q and repadmin /replsum on the DC to check for any errors.

7. Change all of the clients (and the new 2008 DC itself) to point to the 2008 DC for their preferred DNS server; this may be in DHCP options or the TCP/IP settings.


Author Comment

by:Yashy
ID: 36930001
Firstly, thank you for the responses. Means a lot.

If we have a second site, located elsewhere that is part of our domain also and which are global catalog servers, then AD needs to replicate over the VPN right? So will any changes need to be made on the global catalog servers at the other end at all (they're on server 2008) once the FSMO role has been transferred from the 2003 to a 2008 server?

Expert Comment

by:Krzysztof Pytko
ID: 36930054
If you have promoted 2008 as a DC then it is by default selected as Global Catalog and DNS server. If you don't change anything, then you only need to wait for AD database replication between Sites.

FSMO roles are transferred transparently and they don't need time to replicate. When you click OK, FSMO role is on the specified DC in a second :)

However, before you decommission the old DC, run on one of your DCs (better on 2008 R2) from the command line

repadmin /syncall

to force AD database replication. Wait some time (depends on the WAN link between Sites; let's say 15-30 mins)

and then run

repadmin /showrepl /all /intersite /verbose

Check that replication occurs without any errors

and, as the last one,

dcdiag /e /c /v

to see if there are any other forest/domain errors. After that you can start demoting the old DC.

Krzysztof

Expert Comment

by:Sandeshdubey
ID: 36934990
Once the FSMO role is transferred, wait for replication. Check that all the DCs are GCs.
Run dcdiag /q to check for any errors.
To force replication between the DCs, run repadmin /syncall /AdeP
Run repadmin /replsum to check the replication summary.
If the health of the DCs is OK, you can proceed with removal of the old DC if required.
Note: Kindly take a backup of the DC before you proceed with demotion.
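
The pre-demotion checks discussed in this thread (FSMO holders, PDC emulator time source, replication, dcdiag), gathered into one script as an added example; it is not code from any poster. `OLD-DC03` is a hypothetical host name, and the script assumes netdom, w32tm, repadmin and dcdiag are available in an elevated PowerShell session on a 2008 R2 DC.

```powershell
# Added example, not from the thread: checks to pass before demoting the old DC.
# 'OLD-DC03' is a hypothetical placeholder for the 2003 DC's host name.
# Run in an elevated PowerShell session on a 2008 R2 DC.
param([string]$OldDc = 'OLD-DC03')
$problems = @()

# 1. FSMO: 'netdom query fsmo' prints "<role>   <holder FQDN>" per role.
#    No line may still name the DC that is about to be demoted.
$fsmo = netdom query fsmo
$pdc  = $null
foreach ($line in $fsmo) {
    if ($line -match "\s$([regex]::Escape($OldDc))(\.|\s|$)") {
        $problems += "FSMO role still on ${OldDc}: $($line.Trim())"
    }
    if ($line -match '^PDC\s+(\S+)') { $pdc = $Matches[1] }
}

# 2. Time: the new PDC emulator should sync from the configured peer,
#    not from its own hardware clock.
if ($pdc) {
    $source = (w32tm /query "/computer:$pdc" /source | Out-String).Trim()
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $problems += "PDC emulator $pdc time source is '$source'"
    }
} else {
    $problems += 'Could not determine the PDC emulator holder'
}

# 3. Replication: force a sync, then read the per-link results as CSV.
repadmin /syncall /AdeP | Out-Null
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($l in $links) {
    if ([int]$l.'Number of Failures' -gt 0) {
        $problems += "Replication {0} -> {1} [{2}]: {3} failures, status {4}" -f `
            $l.'Source DSA', $l.'Destination DSA', $l.'Naming Context',
            $l.'Number of Failures', $l.'Last Failure Status'
    }
}

# 4. dcdiag /q prints only errors, so any output at all is a finding.
$diag = dcdiag /e /q
if ($diag) { $problems += "dcdiag reported errors:`n$($diag -join "`n")" }

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "No blocking findings; $OldDc can be demoted after a backup."
```

A non-zero exit code means at least one check failed; the warnings name the role, link or test to fix before demoting.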