Link to home
Start Free TrialLog in
Avatar of aleghart
aleghartFlag for United States of America

asked on

2008 into existing 2003 Active Directory

I want to bring a single Server 2008R2 machine into an existing domain that has only 2003 domain controllers.  No immediate plans to upgrade/replace the 2003 servers.

Will being the first/only 2008 DC make me the FSMO for all?
If I'm down, what happens?  Elections?  No impact?  Replication dies?

I'm not a fully equipped/staffed data center yet, so I don't want to become the master, while being the weakest link.

As a backup plan, I can always re-create my DHCP scopes, and install a 2003 server.  But I'd like to avoid that.  Not just the extra re-work.  But, as soon as I do that, I'm sure there will be a big push to get 2008+ deployed.
Avatar of Member_2_6492660_1
Flag of United States of America image

You can move all the roles to the New 2008 DC.
You also can keep the roles on the Windows 2003 DC's till you get another 2008 DC for a backup DC.

Remember if you have two DC's only one DC can own the roles at a time
If the DC with the roles fail then you need to sieze the roles very messy

Hope this helps
Avatar of yo_bee
To add to what Trgrassijr55 mentioned.

You can have 2000, 2003 & 2008 DC all running in your environment, but you cannot raise the Domain level to 2003 until all 2000 DC are decommissioned and the same goes raising the level to 2008. You will need to have all 2003 DC decommissioned.

So if you add your 2008 Server to your Domain you will need to do a few things before your promote it to a DC.
1: you will need to do a Forest and Domain Prep  by running adprep /forestprep then adprep /domainprep.  If you are running Server 2003 on a 32 bit system you will need to run adprep32 rather than adprep.

2: Next is to do a DCPROMO of the 2008 Member Server.

3: You can then move all FSMO roles to the 2008 server even if you still have you DC 2003 as part of your domain.
To note: all roles do not have to be on a single DC.

4: Once all 2003 DC are no longer in your environment and will not be anymore for any reason you can raise the FFL and DFL
Avatar of aleghart


I specifically don't want to move FSMO roles to this machine.  Those roles are fine in a better data center than mine.

My question is _must_ I transfer the roles to the highest/newest server OS?  Or can I leave them with the existing DC(s) that has these roles?
Avatar of palicos

Hi well migration is easy but if concerned about the roles transfer then its been likely said yes it can be.

For more details refer this link.

Moreover please Check this blog.
this contains all the information with videos related to migration.

The downtime is related to the size of your AD. Creating the trust wont give much of the downtime but migrating the users one by surely going to create some.

Hope it helps you.
You can leave the FSMO roles on the 2003 DC ,nothing going to be make issue on keeping the Roles either on 2003 /2008.
Avatar of Leon Fester
Leon Fester
Flag of South Africa image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial

I think that is the info I'm looking for.  I need to know my impact to the forest, and how I can remove as much inter-dependency as possible on my local DC.

In this case, CPU speed, OS, and RAM do not make it the better choice as master of anything beyond local DC/DNS for this site.
how I can remove as much inter-dependency as possible on my local DC
Without adding roles to the 2008 DC's or increasing the domain and forest functional levels your domain will still only be a 2003 domain. The 2008 DC won't have any problems being just a DC/DNS server.

In this case, CPU speed, OS, and RAM do not make it the better choice as master of anything beyond local DC/DNS for this site.
Not quite sure if I'm reading the above statement correctly, but the recommendation about best hardware is because you want to prevent FSMO role holders from going down unneccessarily, due to hardware issues, as well as ensuring that the server does not underperform when doing FSMO role related tasks. If the server becomes a bottleneck because it cannot perform all neccessary tasks when needed then you could end up with authentication delays against these DC's.

But remember it's a recommendation based on best practices in an ideal world. These should be applied as your circumstances or environment dictates.

So in your case it should be fine to run mixed mode without FSMO on 2008.
I too had them running like this for about 6 months before moving FSMO roles.

Just note the difference in dcdiag when running health checks/troubleshooting: