Solved

2008 into existing 2003 Active Directory

Posted on 2013-01-03
Last Modified: 2013-03-04
I want to bring a single Server 2008R2 machine into an existing domain that has only 2003 domain controllers.  No immediate plans to upgrade/replace the 2003 servers.

Questions:
Will being the first/only 2008 DC make me the FSMO for all?
If I'm down, what happens?  Elections?  No impact?  Replication dies?

I'm not a fully equipped/staffed data center yet, so I don't want to become the master, while being the weakest link.

As a backup plan, I can always re-create my DHCP scopes, and install a 2003 server.  But I'd like to avoid that.  Not just the extra re-work.  But, as soon as I do that, I'm sure there will be a big push to get 2008+ deployed.
Question by:aleghart
8 Comments
 
Expert Comment by Thomas Grassi (LVL 23)
You can move all the roles to the new 2008 DC.
You also can keep the roles on the Windows 2003 DCs till you get another 2008 DC for a backup DC.

Remember, if you have two DCs only one DC can own the roles at a time.
If the DC with the roles fails then you need to seize the roles, which is very messy.

Hope this helps
 
Expert Comment by yo_bee (LVL 21)
To add to what Trgrassijr55 mentioned.

You can have 2000, 2003 & 2008 DCs all running in your environment, but you cannot raise the domain level to 2003 until all 2000 DCs are decommissioned, and the same goes for raising the level to 2008: you will need to have all 2003 DCs decommissioned.

So if you add your 2008 server to your domain you will need to do a few things before you promote it to a DC.
1: You will need to do a forest and domain prep by running adprep /forestprep then adprep /domainprep. If you are running Server 2003 on a 32-bit system you will need to run adprep32 rather than adprep.
http://technet.microsoft.com/en-us/library/cc733027(v=ws.10).aspx

2: Next is to do a DCPROMO of the 2008 member server.

3: You can then move all FSMO roles to the 2008 server even if you still have your 2003 DC as part of your domain.
http://www.petri.co.il/transferring_fsmo_roles.htm
To note: all roles do not have to be on a single DC.
http://support.microsoft.com/kb/223346

4: Once all 2003 DCs are no longer in your environment, and will not be any more for any reason, you can raise the FFL and DFL.
http://technet.microsoft.com/en-us/library/cc730985.aspx
http://support.microsoft.com/kb/322692
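A read-only pre-flight check for the steps above, written as an added PowerShell example (it is not code from this thread or from Microsoft's documentation): it reports the schema version that adprep /forestprep raises, the forest and domain functional levels, and which DC, running which OS, holds each of the five FSMO roles. The optional -TransferTo parameter performs a clean transfer (step 3, not a seizure) with a confirmation prompt; the DC name you pass is a placeholder for your own. It assumes the ActiveDirectory PowerShell module shipped with Windows Server 2008 R2 / RSAT, domain admin rights, and Schema Admins membership if the Schema Master is moved.

```powershell
# Added example, not code from the thread. Checks readiness for adding a 2008 R2
# DC to a 2003 domain and shows current FSMO placement; optionally transfers roles.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT), PowerShell 2.0+.
param(
    # Placeholder: DNS host name of the DC that should receive the roles, e.g. 'dc02.corp.example'
    [string]$TransferTo,
    # Roles to move when -TransferTo is given; default is all five
    [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
    [string[]]$Roles = @('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')
)
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# objectVersion on the schema container is what adprep /forestprep raises:
# 30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2
$schema = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
"Forest functional level : {0}" -f $forest.ForestMode
"Domain functional level : {0}" -f $domain.DomainMode
"Schema objectVersion    : {0}" -f $schema.objectVersion
if ($schema.objectVersion -lt 47) {
    Write-Warning 'Schema is below 47: adprep /forestprep for 2008 R2 has not been applied yet.'
}

# Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain
$holders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in @('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')) {
    # Resolve the holder so the OS of each role owner is visible next to the role
    $dc = Get-ADDomainController -Identity $holders[$role]
    "{0,-22} {1,-30} {2}" -f $role, $dc.HostName, $dc.OperatingSystem
}

# Clean transfer (the current holder must be online); -Confirm prompts before moving.
if ($TransferTo) {
    $target = Get-ADDomainController -Identity $TransferTo
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Roles -Confirm
}
```

Run it with no parameters first and keep the output: it answers the asker's question directly, since the 2008 R2 DC will only appear as a role holder if someone transfers a role to it. A seizure, which is only for a holder that is permanently gone, is a different operation and is deliberately not part of this script.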
 
Author Comment by aleghart (LVL 32)
I specifically don't want to move FSMO roles to this machine.  Those roles are fine in a better data center than mine.

My question is _must_ I transfer the roles to the highest/newest server OS?  Or can I leave them with the existing DC(s) that has these roles?
 
Expert Comment by palicos (LVL 4)
Hi, well, migration is easy, but if you're concerned about the roles transfer then, as it's likely been said, yes, it can be.

For more details refer to these links.

http://www.petri.co.il/transferring_fsmo_roles.htm

http://www.techrepublic.com/article/step-by-step-learn-how-to-transfer-and-seize-fsmo-roles-in-active-directory/5081138

http://serverfault.com/questions/424758/transfer-a-domain-controller-role-with-its-global-catalog-to-another-server

Moreover, please check this blog; it contains all the information, with videos, related to migration.

http://thommck.wordpress.com/2010/03/03/how-to-merge-two-small-active-directory-domains-quickly-and-easily/

The downtime is related to the size of your AD. Creating the trust won't give much downtime, but migrating the users one by one... is surely going to create some.
Maybe.

Hope it helps you.
 
Expert Comment by Venugopal N (LVL 11)
You can leave the FSMO roles on the 2003 DC; nothing is going to be an issue keeping the roles on either 2003 or 2008.
 
Accepted Solution by Leon Fester (LVL 26, earned 500 total points)
FSMO roles placement recommendation is that the roles are held on the server with the best hardware. http://support.microsoft.com/kb/223346

Generally that is the newest server, and considering it's Windows 2008 it's probably going to be the best hardware, so that's why people often get the message wrong...it's not the highest OS, but most specifically the best hardware.

The idea of splitting FSMO roles is to spread the load/amount of work performed by each server. Of the 5 FSMO roles, the PDCe is the most critical.

However, there is no hard and fast rule as each environment is different.
Please note that without moving the PDCe role to the Windows 2008 DC you will find that some groups are missing.

Question
Is it ok to have FSMO roles running on a mixture of operating systems? For example, a PDC Emulator on Windows Server 2003 and a Schema Master on Windows Server 2008?

Answer
Yes, it’s generally ok. The main issue people typically run into is that the PDCE is used to create special groups by certain components and if the PDC is not at that component’s OS level, the groups will not be created.

For example, these groups will not get created until the PDCE role moves to a Win2008 or later DC:

• SID: S-1-5-21-<domain>-498
  Name: Enterprise Read-only Domain Controllers
  Description: A Universal group. Members of this group are Read-Only Domain Controllers in the enterprise.
• SID: S-1-5-21-<domain>-521
  Name: Read-only Domain Controllers
  Description: A Global group. Members of this group are Read-Only Domain Controllers in the domain.
• SID: S-1-5-32-569
  Name: BUILTIN\Cryptographic Operators
  Description: A Builtin Local group. Members are authorized to perform cryptographic operations.
• SID: S-1-5-21-<domain>-571
  Name: Allowed RODC Password Replication Group
  Description: A Domain Local group. Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
• SID: S-1-5-21-<domain>-572
  Name: Denied RODC Password Replication Group
  Description: A Domain Local group. Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.
• SID: S-1-5-32-573
  Name: BUILTIN\Event Log Readers
  Description: A Builtin Local group. Members of this group can read event logs from the local machine.
• SID: S-1-5-32-574
  Name: BUILTIN\Certificate Service DCOM Access
  Description: A Builtin Local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.
And those groups not existing will prevent various Win2008/Vista/R2/7 components from being configured. From the most boring KB I ever had to re-write:

243330  Well-known security identifiers in Windows operating systems - http://support.microsoft.com/default.aspx?scid=kb;EN-US;243330

The above question and answer was taken from the AD Team blog.
http://blogs.technet.com/b/askds/archive/2010/08/13/friday-mail-sack-mostly-edge-case-edition.aspx#fsmo

If these groups are not created properly then you'll not be able to use some of the 2008 specific functionality. That being said, if you're not going to use the new Windows 2008 functionality then I suppose you don't need those groups.
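The practical way to see whether the situation described in the accepted answer applies to your domain is to look for the groups themselves. The following is an added PowerShell example, not code from this thread or from the AD Team blog: it resolves each of the seven well-known SIDs listed above (the four domain-relative RIDs are combined with your own domain SID) and reports which groups are present and which are missing, then names the PDC Emulator and its OS when any are absent, since that is the role holder whose OS level decides whether they get created. It assumes the ActiveDirectory PowerShell module and read access to the domain.

```powershell
# Added example, not code from the thread: checks for the well-known groups that are
# only created once the PDC Emulator runs on Windows Server 2008 or later.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT), PowerShell 2.0+.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value   # e.g. S-1-5-21-xxx-yyy-zzz (your domain's own value)

# SIDs from KB 243330, as listed in the accepted answer; domain-relative RIDs are
# appended to the domain SID, BUILTIN groups use the fixed S-1-5-32-* SIDs.
$expected = @(
    @{ Sid = "$domainSid-498"; Name = 'Enterprise Read-only Domain Controllers' },
    @{ Sid = "$domainSid-521"; Name = 'Read-only Domain Controllers' },
    @{ Sid = "$domainSid-571"; Name = 'Allowed RODC Password Replication Group' },
    @{ Sid = "$domainSid-572"; Name = 'Denied RODC Password Replication Group' },
    @{ Sid = 'S-1-5-32-569';   Name = 'Cryptographic Operators' },
    @{ Sid = 'S-1-5-32-573';   Name = 'Event Log Readers' },
    @{ Sid = 'S-1-5-32-574';   Name = 'Certificate Service DCOM Access' }
)

$missing = @()
foreach ($g in $expected) {
    try {
        # Get-ADGroup accepts a SID string as -Identity; a missing object throws
        $grp = Get-ADGroup -Identity $g.Sid -ErrorAction Stop
        "{0,-42} present  ({1})" -f $g.Name, $grp.DistinguishedName
    } catch {
        "{0,-42} MISSING  ({1})" -f $g.Name, $g.Sid
        $missing += $g.Name
    }
}

if ($missing.Count -gt 0) {
    $pdce = Get-ADDomainController -Identity $domain.PDCEmulator
    Write-Warning ("{0} group(s) missing. PDC Emulator {1} runs {2}; these groups are created only after the PDCe role is held by a 2008 or later DC." -f $missing.Count, $pdce.HostName, $pdce.OperatingSystem)
} else {
    'All expected groups exist.'
}
```

On a domain where the PDC Emulator has stayed on Windows Server 2003, expect the four RODC-related groups and the three BUILTIN groups to be reported as missing; that is the documented behaviour, not an error. Keep the output with the DC's other build records, because a later 2008-specific feature that fails to configure will usually be traceable to one of these groups.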
 
Author Comment by aleghart (LVL 32)
dvt_localboy

I think that is the info I'm looking for.  I need to know my impact to the forest, and how I can remove as much inter-dependency as possible on my local DC.

In this case, CPU speed, OS, and RAM do not make it the better choice as master of anything beyond local DC/DNS for this site.
 
Expert Comment by Leon Fester (LVL 26)
"how I can remove as much inter-dependency as possible on my local DC"
Without adding roles to the 2008 DCs or increasing the domain and forest functional levels your domain will still only be a 2003 domain. The 2008 DC won't have any problems being just a DC/DNS server.

"In this case, CPU speed, OS, and RAM do not make it the better choice as master of anything beyond local DC/DNS for this site."
Not quite sure if I'm reading the above statement correctly, but the recommendation about best hardware is because you want to prevent FSMO role holders from going down unnecessarily due to hardware issues, as well as ensuring that the server does not underperform when doing FSMO role related tasks. If the server becomes a bottleneck because it cannot perform all necessary tasks when needed then you could end up with authentication delays against these DCs.

But remember it's a recommendation based on best practices in an ideal world. These should be applied as your circumstances or environment dictates.

So in your case it should be fine to run mixed mode without FSMO on 2008.
I too had them running like this for about 6 months before moving FSMO roles.

Just note the difference in dcdiag when running health checks/troubleshooting:
http://support.microsoft.com/kb/2512643
