Adding a Windows 2008 R2 server to an existing 2003 Domain

Posted on 2011-10-10
Last Modified: 2012-05-12
I am looking to add a new Windows 2008 R2 server as a DC (BDC - old term) into my existing 2003 domain.

My existing environment:

1 Windows 2003 Standard server - DC
10 XP workstations (7 actual users)

These are the steps I am planning on taking - sequential order:

Create a static IP on the 2008 server
Point to the existing domain controller for DNS
Join the 2008 server to the domain as a member server

Perform a Microsoft ASR backup

Promote both the Forest and Domain Functional Levels to Windows Server 2003
- from Server 2000 Mixed Mode

Taken from the sources\adprep or the Support folder on the 2008 R2 DVD

run ADPREP32 /forestprep on the 2003 DC
run ADPREP32 /domainprep on the 2003 DC
run ADPREP32 /domainprep /gpprep on the 2003 DC

Run DCPromo from the new 2008 server
Select the option for an additional domain controller in an existing domain

Promote the new 2008 server as an additional Global Catalog.

My questions:

Can I perform all the above while it's Live? I only have 7 actual users.

Am I OK with the above order?

Is a Microsoft ASR backup all I need as a backup if the above should fail?
Question by:GeeMoon
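Before running the adprep steps above, it helps to record what the domain looks like now: functional levels, mixed/native mode, schema version and which DC holds each FSMO role (adprep /forestprep must run on the schema master and adprep /domainprep /gpprep on the infrastructure master). The following PowerShell script is an added example, not part of the original question or answers; it runs on the 2008 R2 box once it has joined as a member server, reads everything over LDAP from RootDSE and the naming contexts (so the 2003 DC needs no extra tooling), and the warning logic at the end is the editor's own:

```powershell
# Added example (not from the thread). Run from the 2008 R2 member server before adprep.
# Only LDAP reads are performed; nothing is changed.

function Get-FunctionalLevelName {
    param([int]$Level)
    # Values of domainFunctionality / forestFunctionality on RootDSE
    switch ($Level) {
        0 { 'Windows 2000' }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        3 { 'Windows Server 2008' }
        4 { 'Windows Server 2008 R2' }
        default { "Unknown ($Level)" }
    }
}

function Get-FsmoOwnerServer {
    param([string]$ObjectDn)
    # fSMORoleOwner holds the DN of the owner's NTDS Settings object:
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,... -> return <server>
    $ownerDn = ([ADSI]"LDAP://$ObjectDn").fSMORoleOwner.Value
    return (($ownerDn -split ',')[1] -replace '^CN=', '')
}

function Get-MigrationBaseline {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNC = $rootDse.defaultNamingContext.Value
    $configNC = $rootDse.configurationNamingContext.Value
    $schemaNC = $rootDse.schemaNamingContext.Value

    $domain = [ADSI]"LDAP://$domainNC"
    $schema = [ADSI]"LDAP://$schemaNC"

    New-Object PSObject -Property @{
        AnsweringDC    = $rootDse.dnsHostName.Value
        DomainLevel    = Get-FunctionalLevelName ([int]$rootDse.domainFunctionality.Value)
        ForestLevel    = Get-FunctionalLevelName ([int]$rootDse.forestFunctionality.Value)
        MixedMode      = ([int]$domain.ntMixedDomain.Value -eq 1)   # 1 = Windows 2000 mixed, 0 = native
        SchemaVersion  = [int]$schema.objectVersion.Value           # 30 = 2003 schema; 47 after 2008 R2 adprep
        SchemaMaster   = Get-FsmoOwnerServer $schemaNC
        DomainNaming   = Get-FsmoOwnerServer "CN=Partitions,$configNC"
        PdcEmulator    = Get-FsmoOwnerServer $domainNC
        RidMaster      = Get-FsmoOwnerServer "CN=RID Manager`$,CN=System,$domainNC"
        Infrastructure = Get-FsmoOwnerServer "CN=Infrastructure,$domainNC"
    }
}

$baseline = Get-MigrationBaseline
$baseline | Format-List

# Editor's checks against the plan in the question: the functional level is raised to 2003
# first, and the two adprep commands go to the schema master and the infrastructure master.
if ($baseline.MixedMode) {
    Write-Warning 'Domain is still in Windows 2000 mixed mode; raise the functional level before adprep.'
}
if ($baseline.SchemaMaster -ne $baseline.Infrastructure) {
    Write-Warning "forestprep goes on $($baseline.SchemaMaster), domainprep /gpprep on $($baseline.Infrastructure)."
}
```

Save the Format-List output with the ASR backup: after adprep, the only value that should have moved is SchemaVersion, and after dcpromo the FSMO columns should still name the 2003 DC until the roles are transferred deliberately.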
    LVL 3

    Accepted Solution

    All looks good to me. I do migrations live all the time.

    An ASR is almost overkill, but you can never be too safe with backups.

    Personally, I would go a step beyond and make the 2008 server the primary and leave the 2003 server as a BDC, but that's really just my preference for 2008.

    LVL 57

    Assisted Solution

    by:Mike Kline
    Looks good. Is your 2003 box a DNS server? I'm assuming yes, so also make sure to check the box to make the 2008 box a DNS server and update clients with its IP address.

    Not sure what you plan to do with the 2003 box but I'd keep two DCs up...even in a small domain like this.



    Author Comment

    Thanks mwiener1

    I agree (I will eventually make the 2008 the primary), but for now I am going to make this an application server running SQL 2003 Standard. The 3rd-party company doing the implementation stated that I would have no problems. I get mixed reviews from everyone else. I was told, if anything, to become the DC before installing SQL or I'll possibly end up destroying SQL accounts.

    Anyway, am I OK doing the domain functional level before the forest/domain prep?
    I know every environment is different, but based on my situation, how long would you say it should take? I think the last time I performed this action was in NT4.
    LVL 3

    Expert Comment

    Without moving data, if everything goes smoothly, this whole process takes 15-20 minutes.

    Of course this also depends on the hardware, but regardless it won't be an all-day event.

    I agree that by promoting to a dc after installing SQL you could run into issues since the local accounts are no longer valid unless you are booted into DSRM.

    If the oldest OS you have running is 2003, then raising the functional level to 2003 won't be a problem. You won't be able to raise it any higher than that as long as that server is still a domain controller, though.

    Author Comment

    Good call MKLine71

    My thought process, while implementing this new SQL DB on my new 2008 server, is having a server to log in to if the main 2003 DC goes down. I want my users to retain most of their LAN functionality (in particular the SQL DB) as well as being able to gain access to the Internet (not happening w/o the DNS).

    I assume I will have problems if I can't restore the original 2003 in a timely fashion, due to the lack of FSMO access.
    LVL 3

    Assisted Solution

    I am in agreement as well!

    One point: on a network so small, multiple GCs seem a little overkill. Not that it will hurt anything. You should not run into any problems doing this live; your users won't notice a thing.

    I also suggest making 2008 primary at some point.

    On a network your size, bringing up a 2008 DC (assuming the OS is already installed and updated) shouldn't take more than 15 or 20 minutes. Maybe even less; it just depends on how fast you can click Next!!

    Eventually to take full advantage of the new 2008 AD functionality you will need to get up to the 2008 functionality level, and to do that you will have to demote your 2003 DC.

    I would consider turning off IPv6 on your 2008 box as well, as you won't be needing it since you are running XP on the workstations and you have a 2003 box.

    Are you running DHCP?

    FYI - When you bring up the 2008 DC you will be asked to install DNS as well; you should do that. DNS is integral to AD, so the common practice today is to have all your DCs be DNS servers as well (internal). Another common practice is the use of Forwarders and NOT root hints for name resolution for IPs outside your local network. Usually you would just use your ISP-provided DNS servers, but I love OpenDNS: they are fast and secure, and even with the free account you get pretty good network statistics and good control. I would suggest blocking external traffic over port 53 from ALL IPs except your DNS servers.
    LVL 3

    Expert Comment

    If it goes down and you can't get it back up, you can always seize the FSMO roles on the new 2008 server with NTDSUtil. Not the cleanest way to do a migration, but it works in a pinch and everyone will still be able to log in.
    LVL 3

    Expert Comment

    I always use Google Public DNS for a forwarder - easy to remember, and it's Google; it's not going down any time soon.
    LVL 24

    Assisted Solution

    You are good with the steps you have mentioned. Also make sure that you have at least two DCs in the environment for redundancy. As it takes days to recover a single DC if there is major corruption, it is always good practice to have an additional DC. You can proceed to promote the DC even during production time.

    However below are the steps for 2008 DC migration.

    Here are a couple of very important considerations that you should have in mind before you proceed with your migration scenario.
    --Check, and raise if necessary, the Domain and Forest functional levels. You cannot upgrade directly from the Windows 2000 mixed or Windows Server 2003 interim domain functional levels.

    --The first Windows Server 2008 Domain Controller in the forest must be a Global Catalog Server, and it cannot be a Read Only Domain Controller, RODC.

    --Check the FSMO role assignments. When you prepare the existing AD, you should run adprep /forestprep on the Schema operations master and adprep /domainprep /gpprep on the Infrastructure master. In your case, as there is a single DC, you need to run both on the same server.

    Steps to Install Windows 2008 R2 DC

    1. First prepare the domain.
    Insert the Win 2008 R2 DVD in the Windows 2003 DC and execute adprep as below:
    Run D:\2008DVD\Support\Adprep\adprep32.exe /forestprep on the server holding the Schema Master role.
    Run D:\2008DVD\Support\Adprep\adprep32.exe /domainprep /gpprep on the server holding the Domain Naming Master role.

    Reference article:

    2. Install the DNS role on the Win2k8 server.
    Reference KB article:

    3. Once the DNS role is installed, run dcpromo on the Win2k8 R2 server.
    Reference KB article:

    4. After the Win2k8 DC promotion is completed, restart the Win2k8 DC.

    5. You must transfer the FSMO roles to the 2008 machine; the process is as outlined at

    6. Run dcdiag /q and repadmin /replsum on the DC to check for any errors.

    7. Change all of the clients (and the new 2008 DC itself) to point to the 2008 DC for their preferred DNS server; this may be in DHCP options or the TCP/IP settings.

    Reference link:
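Steps 6 and 7 above, together with the forwarder advice earlier in the thread, lend themselves to a single post-promotion script. The following PowerShell is an added example, not part of the original answer: it runs on the new 2008 R2 DC after the post-dcpromo reboot, wraps the thread's own tools (dcdiag /q, repadmin /replsum, netdom query fsmo, nslookup, dnscmd, netsh) and treats their output as text. The domain name, IP addresses and the "Local Area Connection" interface name are placeholders, the OpenDNS forwarder addresses are the editor's choice, and the replsum fail-count parsing is a heuristic on the tool's summary table:

```powershell
# Added example (not from the thread). Run elevated on the new 2008 R2 DC after its reboot.

$DomainName  = 'corp.example'      # assumption: your AD DNS domain name
$New2008Dc   = '192.168.1.20'      # assumption: static IP of the 2008 R2 DC
$Old2003Dc   = '192.168.1.10'      # assumption: IP of the existing 2003 DC
$Forwarders  = @('208.67.222.222', '208.67.220.220')   # OpenDNS resolvers, as suggested in the thread
$ClientNic   = 'Local Area Connection'                  # assumption: interface name on the XP clients

function Test-ReplicationHealth {
    # dcdiag /q prints only failures, so empty output is a pass.
    $dcdiagOut  = & dcdiag /q 2>&1
    # repadmin /replsum prints "fails/total" per DSA; any non-zero fail count is a problem.
    $replsumOut = & repadmin /replsum 2>&1
    $failed = @($replsumOut | Where-Object { $_ -match '\s(\d+)\s*/\s*(\d+)\s' -and [int]$matches[1] -gt 0 })
    New-Object PSObject -Property @{
        DcdiagClean        = ([string]::Join('', $dcdiagOut).Trim().Length -eq 0)
        ReplicationClean   = ($failed.Count -eq 0)
        DcdiagOutput       = $dcdiagOut
        ReplsumFailedLines = $failed
    }
}

function Get-FsmoSummary {
    # netdom ships with the AD DS role on 2008 R2; its output is one "Role  Holder" line per FSMO role.
    & netdom query fsmo 2>&1
}

function Test-DcSrvRecords {
    # The new DC must advertise itself in _ldap._tcp.dc._msdcs.<domain>; ask the new DC's own DNS service.
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName" $New2008Dc 2>&1
    return (($out | Out-String) -match [regex]::Escape($env:COMPUTERNAME))
}

function Set-DnsForwarders {
    # Replace root-hint resolution with forwarders (the thread's recommendation).
    & dnscmd /ResetForwarders $Forwarders | Out-Null
    # The zone should be AD-integrated so it replicates between both DCs; /ZoneInfo reports "DS integrated = 1".
    $zoneInfo = & dnscmd /ZoneInfo $DomainName 2>&1
    return ((($zoneInfo | Out-String) -match 'DS integrated\s*=\s*1'))
}

function Set-ClientDnsOrder {
    # Step 7: point the new DC at itself first, the 2003 DC second. The same two netsh lines,
    # run on each XP workstation (or expressed as DHCP option 006), repoint the clients.
    & netsh interface ip set dns name="$ClientNic" static $New2008Dc | Out-Null
    & netsh interface ip add dns name="$ClientNic" addr=$Old2003Dc index=2 | Out-Null
}

$health = Test-ReplicationHealth
$health | Format-List DcdiagClean, ReplicationClean
if (-not $health.ReplicationClean) { $health.ReplsumFailedLines | ForEach-Object { Write-Warning $_ } }

Get-FsmoSummary
if (-not (Test-DcSrvRecords)) { Write-Warning "$env:COMPUTERNAME is not yet in the _msdcs SRV records for $DomainName" }
if (-not (Set-DnsForwarders)) { Write-Warning "$DomainName zone on this server is not AD-integrated" }
Set-ClientDnsOrder
```

Run the health functions before touching DNS settings: if repadmin reports failures, the AD-integrated zone has not necessarily replicated to the new DC yet, and pointing clients at it would hand them an incomplete zone.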

    Author Comment

    Thank you all for your great comments.

    Can I hold off on installing the second DNS (on the new W2008 server) and promoting the W2008 server to the primary for another time?

    I am under a time constraint and want to give each process my full attention. I have to get this up and running as a BDC with SQL installed.

    If it is easier to move forward on adding the DNS during the DCPromo, am I looking at a lot of configuration? I am concerned about my existing DNS. Will I have a conflict? Can I slip by and worry about forwarding later?
    LVL 24

    Expert Comment

    If your DNS is an Active Directory-integrated zone, the same will be replicated to the new Windows 2008 DC. It will have the same replica copy.

    If you want to configure DNS on Win2k8 later, you can do the same.

    Author Closing Comment

    For the most part, everything went smoothly.

    I decided to opt for the DNS and Global Catalog option during the DCPromo.
    I wanted to ensure that my DNS was an AD-integrated zone. I did receive a message that has got me concerned regarding my new 2nd DNS:

    A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain 'name of my domain'; otherwise, no action is required.

    I pushed forward. I might have to generate a new question on the above.

    Thank you all for your great insight!!!
