2008 into existing 2003 Active Directory

I want to bring a single Server 2008R2 machine into an existing domain that has only 2003 domain controllers.  No immediate plans to upgrade/replace the 2003 servers.

Will being the first/only 2008 DC make me the FSMO for all?
If I'm down, what happens?  Elections?  No impact?  Replication dies?

I'm not a fully equipped/staffed data center yet, so I don't want to become the master, while being the weakest link.

As a backup plan, I can always re-create my DHCP scopes, and install a 2003 server.  But I'd like to avoid that.  Not just the extra re-work.  But, as soon as I do that, I'm sure there will be a big push to get 2008+ deployed.
LVL 32
Who is Participating?

Improve company productivity with a Business Account.Sign Up

Leon FesterConnect With a Mentor Senior Solutions ArchitectCommented:
FSMO roles placement recommendation is that the roles are held on the server with the best hardware. http://support.microsoft.com/kb/223346

Generally that is the newest server, and considering it's Windows 2008 it's probably going to be the best hardware, so that's why people often get the message wrong...it's not the highest OS, but most specifically the best hardware.

The idea of splitting FSMO roles is to spread the load/amount of work performed by each server. Of the 5 FSMO roles, the PDCe is the most critical.

However, there is no hard and fast rule as each environment is different.
Please note that without moving the PDCe role to the Windows 2008 DC you will find that some groups are missing.

Is it ok to have FSMO roles running on a mixture of operating systems? For example, a PDC Emulator on Windows Server 2003 and a Schema Master on Windows Server 2008?

Yes, it’s generally ok. The main issue people typically run into is that the PDCE is used to create special groups by certain components and if the PDC is not at that component’s OS level, the groups will not be created.

For example, these groups will not get created until the PDCE role moves to a Win2008 or later DC:

•SID: S-1-5- 21 domain –498
Name: Enterprise Read-only Domain Controllers
Description: A Universal group. Members of this group are Read-Only Domain Controllers in the enterprise
•SID: S-1-5- 21 domain -521
Name: Read-only Domain Controllers
Description: A Global group. Members of this group are Read-Only Domain Controllers in the domain
•SID: S-1-5-32-569
Name: BUILTIN\Cryptographic Operators
Description: A Builtin Local group. Members are authorized to perform cryptographic operations.
•SID: S-1-5-21 domain –571
Name: Allowed RODC Password Replication Group
Description: A Domain Local group. Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
•SID: S-1-5- 21 domain -572
Name: Denied RODC Password Replication Group
Description: A Domain Local group. Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
•SID: S-1-5-32-573
Name: BUILTIN\Event Log Readers
Description: A Builtin Local group. Members of this group can read event logs from local machine.
•SID: S-1-5-32-574
Name: BUILTIN\Certificate Service DCOM Access
Description: A Builtin Local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.
And those groups not existing will prevent various Win2008/Vista/R2/7 components from being configured. From the most boring KB I ever had to re-write:

243330  Well-known security identifiers in Windows operating systems - http://support.microsoft.com/default.aspx?scid=kb;EN-US;243330

The above question and answer was taken from the AD Team blog.

If these groups are not created properly then you'll not be able to use some of the 2008 specific functionality. That being said, if you're not going to use the new Windows 2008 functionality then I suppose you don't need those groups.
Thomas GrassiSystems AdministratorCommented:
You can move all the roles to the New 2008 DC.
You also can keep the roles on the Windows 2003 DC's till you get another 2008 DC for a backup DC.

Remember if you have two DC's only one DC can own the roles at a time
If the DC with the roles fail then you need to sieze the roles very messy

Hope this helps
yo_beeDirector of Information TechnologyCommented:
To add to what Trgrassijr55 mentioned.

You can have 2000, 2003 & 2008 DC all running in your environment, but you cannot raise the Domain level to 2003 until all 2000 DC are decommissioned and the same goes raising the level to 2008. You will need to have all 2003 DC decommissioned.

So if you add your 2008 Server to your Domain you will need to do a few things before your promote it to a DC.
1: you will need to do a Forest and Domain Prep  by running adprep /forestprep then adprep /domainprep.  If you are running Server 2003 on a 32 bit system you will need to run adprep32 rather than adprep.

2: Next is to do a DCPROMO of the 2008 Member Server.

3: You can then move all FSMO roles to the 2008 server even if you still have you DC 2003 as part of your domain.
To note: all roles do not have to be on a single DC.

4: Once all 2003 DC are no longer in your environment and will not be anymore for any reason you can raise the FFL and DFL
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

aleghartAuthor Commented:
I specifically don't want to move FSMO roles to this machine.  Those roles are fine in a better data center than mine.

My question is _must_ I transfer the roles to the highest/newest server OS?  Or can I leave them with the existing DC(s) that has these roles?
Hi well migration is easy but if concerned about the roles transfer then its been likely said yes it can be.

For more details refer this link.




Moreover please Check this blog.
this contains all the information with videos related to migration.


The downtime is related to the size of your AD. Creating the trust wont give much of the downtime but migrating the users one by one.........is surely going to create some.

Hope it helps you.
Venugopal NCommented:
You can leave the FSMO roles on the 2003 DC ,nothing going to be make issue on keeping the Roles either on 2003 /2008.
aleghartAuthor Commented:

I think that is the info I'm looking for.  I need to know my impact to the forest, and how I can remove as much inter-dependency as possible on my local DC.

In this case, CPU speed, OS, and RAM do not make it the better choice as master of anything beyond local DC/DNS for this site.
Leon FesterSenior Solutions ArchitectCommented:
how I can remove as much inter-dependency as possible on my local DC
Without adding roles to the 2008 DC's or increasing the domain and forest functional levels your domain will still only be a 2003 domain. The 2008 DC won't have any problems being just a DC/DNS server.

In this case, CPU speed, OS, and RAM do not make it the better choice as master of anything beyond local DC/DNS for this site.
Not quite sure if I'm reading the above statement correctly, but the recommendation about best hardware is because you want to prevent FSMO role holders from going down unneccessarily, due to hardware issues, as well as ensuring that the server does not underperform when doing FSMO role related tasks. If the server becomes a bottleneck because it cannot perform all neccessary tasks when needed then you could end up with authentication delays against these DC's.

But remember it's a recommendation based on best practices in an ideal world. These should be applied as your circumstances or environment dictates.

So in your case it should be fine to run mixed mode without FSMO on 2008.
I too had them running like this for about 6 months before moving FSMO roles.

Just note the difference in dcdiag when running health checks/troubleshooting:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.