Go Premium for a chance to win a PS4. Enter to Win


2008 into existing 2003 Active Directory

Posted on 2013-01-03
Medium Priority
Last Modified: 2013-03-04
I want to bring a single Server 2008R2 machine into an existing domain that has only 2003 domain controllers.  No immediate plans to upgrade/replace the 2003 servers.

Will being the first/only 2008 DC make me the FSMO for all?
If I'm down, what happens?  Elections?  No impact?  Replication dies?

I'm not a fully equipped/staffed data center yet, so I don't want to become the master, while being the weakest link.

As a backup plan, I can always re-create my DHCP scopes, and install a 2003 server.  But I'd like to avoid that.  Not just the extra re-work.  But, as soon as I do that, I'm sure there will be a big push to get 2008+ deployed.
Question by:aleghart
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38742534
You can move all the roles to the New 2008 DC.
You also can keep the roles on the Windows 2003 DC's till you get another 2008 DC for a backup DC.

Remember if you have two DC's only one DC can own the roles at a time
If the DC with the roles fail then you need to sieze the roles very messy

Hope this helps
LVL 24

Expert Comment

ID: 38742569
To add to what Trgrassijr55 mentioned.

You can have 2000, 2003 & 2008 DC all running in your environment, but you cannot raise the Domain level to 2003 until all 2000 DC are decommissioned and the same goes raising the level to 2008. You will need to have all 2003 DC decommissioned.

So if you add your 2008 Server to your Domain you will need to do a few things before your promote it to a DC.
1: you will need to do a Forest and Domain Prep  by running adprep /forestprep then adprep /domainprep.  If you are running Server 2003 on a 32 bit system you will need to run adprep32 rather than adprep.

2: Next is to do a DCPROMO of the 2008 Member Server.

3: You can then move all FSMO roles to the 2008 server even if you still have you DC 2003 as part of your domain.
To note: all roles do not have to be on a single DC.

4: Once all 2003 DC are no longer in your environment and will not be anymore for any reason you can raise the FFL and DFL
LVL 32

Author Comment

ID: 38742710
I specifically don't want to move FSMO roles to this machine.  Those roles are fine in a better data center than mine.

My question is _must_ I transfer the roles to the highest/newest server OS?  Or can I leave them with the existing DC(s) that has these roles?
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


Expert Comment

ID: 38742823
Hi well migration is easy but if concerned about the roles transfer then its been likely said yes it can be.

For more details refer this link.




Moreover please Check this blog.
this contains all the information with videos related to migration.


The downtime is related to the size of your AD. Creating the trust wont give much of the downtime but migrating the users one by one.........is surely going to create some.

Hope it helps you.
LVL 11

Expert Comment

by:Venugopal N
ID: 38743152
You can leave the FSMO roles on the 2003 DC ,nothing going to be make issue on keeping the Roles either on 2003 /2008.
LVL 26

Accepted Solution

Leon Fester earned 2000 total points
ID: 38743179
FSMO roles placement recommendation is that the roles are held on the server with the best hardware. http://support.microsoft.com/kb/223346

Generally that is the newest server, and considering it's Windows 2008 it's probably going to be the best hardware, so that's why people often get the message wrong...it's not the highest OS, but most specifically the best hardware.

The idea of splitting FSMO roles is to spread the load/amount of work performed by each server. Of the 5 FSMO roles, the PDCe is the most critical.

However, there is no hard and fast rule as each environment is different.
Please note that without moving the PDCe role to the Windows 2008 DC you will find that some groups are missing.

Is it ok to have FSMO roles running on a mixture of operating systems? For example, a PDC Emulator on Windows Server 2003 and a Schema Master on Windows Server 2008?

Yes, it’s generally ok. The main issue people typically run into is that the PDCE is used to create special groups by certain components and if the PDC is not at that component’s OS level, the groups will not be created.

For example, these groups will not get created until the PDCE role moves to a Win2008 or later DC:

•SID: S-1-5- 21 domain –498
Name: Enterprise Read-only Domain Controllers
Description: A Universal group. Members of this group are Read-Only Domain Controllers in the enterprise
•SID: S-1-5- 21 domain -521
Name: Read-only Domain Controllers
Description: A Global group. Members of this group are Read-Only Domain Controllers in the domain
•SID: S-1-5-32-569
Name: BUILTIN\Cryptographic Operators
Description: A Builtin Local group. Members are authorized to perform cryptographic operations.
•SID: S-1-5-21 domain –571
Name: Allowed RODC Password Replication Group
Description: A Domain Local group. Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
•SID: S-1-5- 21 domain -572
Name: Denied RODC Password Replication Group
Description: A Domain Local group. Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
•SID: S-1-5-32-573
Name: BUILTIN\Event Log Readers
Description: A Builtin Local group. Members of this group can read event logs from local machine.
•SID: S-1-5-32-574
Name: BUILTIN\Certificate Service DCOM Access
Description: A Builtin Local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.
And those groups not existing will prevent various Win2008/Vista/R2/7 components from being configured. From the most boring KB I ever had to re-write:

243330  Well-known security identifiers in Windows operating systems - http://support.microsoft.com/default.aspx?scid=kb;EN-US;243330

The above question and answer was taken from the AD Team blog.

If these groups are not created properly then you'll not be able to use some of the 2008 specific functionality. That being said, if you're not going to use the new Windows 2008 functionality then I suppose you don't need those groups.
LVL 32

Author Comment

ID: 38744940

I think that is the info I'm looking for.  I need to know my impact to the forest, and how I can remove as much inter-dependency as possible on my local DC.

In this case, CPU speed, OS, and RAM do not make it the better choice as master of anything beyond local DC/DNS for this site.
LVL 26

Expert Comment

by:Leon Fester
ID: 38749907
how I can remove as much inter-dependency as possible on my local DC
Without adding roles to the 2008 DC's or increasing the domain and forest functional levels your domain will still only be a 2003 domain. The 2008 DC won't have any problems being just a DC/DNS server.

In this case, CPU speed, OS, and RAM do not make it the better choice as master of anything beyond local DC/DNS for this site.
Not quite sure if I'm reading the above statement correctly, but the recommendation about best hardware is because you want to prevent FSMO role holders from going down unneccessarily, due to hardware issues, as well as ensuring that the server does not underperform when doing FSMO role related tasks. If the server becomes a bottleneck because it cannot perform all neccessary tasks when needed then you could end up with authentication delays against these DC's.

But remember it's a recommendation based on best practices in an ideal world. These should be applied as your circumstances or environment dictates.

So in your case it should be fine to run mixed mode without FSMO on 2008.
I too had them running like this for about 6 months before moving FSMO roles.

Just note the difference in dcdiag when running health checks/troubleshooting:

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question