2008 into existing 2003 Active Directory

Posted on 2013-01-03
Last Modified: 2013-03-04
I want to bring a single Server 2008R2 machine into an existing domain that has only 2003 domain controllers.  No immediate plans to upgrade/replace the 2003 servers.

Will being the first/only 2008 DC make me the FSMO for all?
If I'm down, what happens?  Elections?  No impact?  Replication dies?

I'm not a fully equipped/staffed data center yet, so I don't want to become the master, while being the weakest link.

As a backup plan, I can always re-create my DHCP scopes, and install a 2003 server.  But I'd like to avoid that.  Not just the extra re-work.  But, as soon as I do that, I'm sure there will be a big push to get 2008+ deployed.
Question by:aleghart
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38742534
You can move all the roles to the New 2008 DC.
You also can keep the roles on the Windows 2003 DC's till you get another 2008 DC for a backup DC.

Remember if you have two DC's only one DC can own the roles at a time
If the DC with the roles fail then you need to sieze the roles very messy

Hope this helps
LVL 23

Expert Comment

ID: 38742569
To add to what Trgrassijr55 mentioned.

You can have 2000, 2003 & 2008 DC all running in your environment, but you cannot raise the Domain level to 2003 until all 2000 DC are decommissioned and the same goes raising the level to 2008. You will need to have all 2003 DC decommissioned.

So if you add your 2008 Server to your Domain you will need to do a few things before your promote it to a DC.
1: you will need to do a Forest and Domain Prep  by running adprep /forestprep then adprep /domainprep.  If you are running Server 2003 on a 32 bit system you will need to run adprep32 rather than adprep.

2: Next is to do a DCPROMO of the 2008 Member Server.

3: You can then move all FSMO roles to the 2008 server even if you still have you DC 2003 as part of your domain.
To note: all roles do not have to be on a single DC.

4: Once all 2003 DC are no longer in your environment and will not be anymore for any reason you can raise the FFL and DFL
LVL 32

Author Comment

ID: 38742710
I specifically don't want to move FSMO roles to this machine.  Those roles are fine in a better data center than mine.

My question is _must_ I transfer the roles to the highest/newest server OS?  Or can I leave them with the existing DC(s) that has these roles?
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.


Expert Comment

ID: 38742823
Hi well migration is easy but if concerned about the roles transfer then its been likely said yes it can be.

For more details refer this link.

Moreover please Check this blog.
this contains all the information with videos related to migration.

The downtime is related to the size of your AD. Creating the trust wont give much of the downtime but migrating the users one by surely going to create some.

Hope it helps you.
LVL 11

Expert Comment

by:Venugopal N
ID: 38743152
You can leave the FSMO roles on the 2003 DC ,nothing going to be make issue on keeping the Roles either on 2003 /2008.
LVL 26

Accepted Solution

Leon Fester earned 500 total points
ID: 38743179
FSMO roles placement recommendation is that the roles are held on the server with the best hardware.

Generally that is the newest server, and considering it's Windows 2008 it's probably going to be the best hardware, so that's why people often get the message's not the highest OS, but most specifically the best hardware.

The idea of splitting FSMO roles is to spread the load/amount of work performed by each server. Of the 5 FSMO roles, the PDCe is the most critical.

However, there is no hard and fast rule as each environment is different.
Please note that without moving the PDCe role to the Windows 2008 DC you will find that some groups are missing.

Is it ok to have FSMO roles running on a mixture of operating systems? For example, a PDC Emulator on Windows Server 2003 and a Schema Master on Windows Server 2008?

Yes, it’s generally ok. The main issue people typically run into is that the PDCE is used to create special groups by certain components and if the PDC is not at that component’s OS level, the groups will not be created.

For example, these groups will not get created until the PDCE role moves to a Win2008 or later DC:

•SID: S-1-5- 21 domain –498
Name: Enterprise Read-only Domain Controllers
Description: A Universal group. Members of this group are Read-Only Domain Controllers in the enterprise
•SID: S-1-5- 21 domain -521
Name: Read-only Domain Controllers
Description: A Global group. Members of this group are Read-Only Domain Controllers in the domain
•SID: S-1-5-32-569
Name: BUILTIN\Cryptographic Operators
Description: A Builtin Local group. Members are authorized to perform cryptographic operations.
•SID: S-1-5-21 domain –571
Name: Allowed RODC Password Replication Group
Description: A Domain Local group. Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
•SID: S-1-5- 21 domain -572
Name: Denied RODC Password Replication Group
Description: A Domain Local group. Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
•SID: S-1-5-32-573
Name: BUILTIN\Event Log Readers
Description: A Builtin Local group. Members of this group can read event logs from local machine.
•SID: S-1-5-32-574
Name: BUILTIN\Certificate Service DCOM Access
Description: A Builtin Local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.
And those groups not existing will prevent various Win2008/Vista/R2/7 components from being configured. From the most boring KB I ever had to re-write:

243330  Well-known security identifiers in Windows operating systems -;EN-US;243330

The above question and answer was taken from the AD Team blog.

If these groups are not created properly then you'll not be able to use some of the 2008 specific functionality. That being said, if you're not going to use the new Windows 2008 functionality then I suppose you don't need those groups.
LVL 32

Author Comment

ID: 38744940

I think that is the info I'm looking for.  I need to know my impact to the forest, and how I can remove as much inter-dependency as possible on my local DC.

In this case, CPU speed, OS, and RAM do not make it the better choice as master of anything beyond local DC/DNS for this site.
LVL 26

Expert Comment

by:Leon Fester
ID: 38749907
how I can remove as much inter-dependency as possible on my local DC
Without adding roles to the 2008 DC's or increasing the domain and forest functional levels your domain will still only be a 2003 domain. The 2008 DC won't have any problems being just a DC/DNS server.

In this case, CPU speed, OS, and RAM do not make it the better choice as master of anything beyond local DC/DNS for this site.
Not quite sure if I'm reading the above statement correctly, but the recommendation about best hardware is because you want to prevent FSMO role holders from going down unneccessarily, due to hardware issues, as well as ensuring that the server does not underperform when doing FSMO role related tasks. If the server becomes a bottleneck because it cannot perform all neccessary tasks when needed then you could end up with authentication delays against these DC's.

But remember it's a recommendation based on best practices in an ideal world. These should be applied as your circumstances or environment dictates.

So in your case it should be fine to run mixed mode without FSMO on 2008.
I too had them running like this for about 6 months before moving FSMO roles.

Just note the difference in dcdiag when running health checks/troubleshooting:

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question