Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 281
  • Last Modified:

2008 domain upgrade on top of 2003 Current Domain Forest

Want to ensure that all of my check and balances are in-place due to the critical data and architecture on hand. So want to have as many eyes on this as possible and indicate/explain where this may go wrong if implemented.  If you see a step, process that is not warranted or needs a different order, please explain why and the results.  Thank you in advance.
2 Solutions
Mike KlineCommented:
Were you going to post steps.   Are you planning on 2008 or 2008 R2.  I'd go with R2.  

High Level Steps

prep your forest for 2008 R2 (adprep32 /forestprep and adprep32 /domainprep)
install the 2008 R2 member server (can be done before the prep too)
use dcpromo to promote the box
make the box a global catalog (does it by default in the 2008 dcpromo process)
if you have DNS on your 2003 box install it on the 2008 box (same screen as the global catlalog just a check box)
At that point you have a fully functional 2008 DC
Transfer FSMO roles to 2008 R2 box
Point clients (static and DHCP) to the new box for DNS services.
Verify health of new DC with tools like dcdiag and repadmin

When you are ready to remove the 2003 box use dcpromo to demote it
once all your 2003 DCs are demoted you can raise the functional level.

There is a lot of great info on this subject already so I won't rewrite the book.  

The official Microsoft document

·     http://www.microsoft.com/downloads/details.aspx?familyid=FA629DE2-F4DD-47AC-8D80-3DB46B2877A2&displaylang=en


I also really like two blog entries by MVPs on the upgrade.  One is from Meinolf the other from Sander.  

·     http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx

·     http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/05/26/transitioning-your-active-directory-to-windows-server-2008-r2.aspx


I am also waiting to see if you are posting what you believe to be the right process.

Please post.

Before starting AD upgrade just check if your AD is free from errors
i.e. name resolution is working Properly across all domains in forest
intersite and intrasite Replication is working fine across all domains in forest.
Check AD for lingering object presense if any (Directory event IDs 1388, 1988, 2042

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

You can plan to have Win2012/2008/2008 R2 server as DC the choice is yours.

Difference between AD DS 2008 R2 and AD DS 2012

What's New in Windows Server 2012:http://technet.microsoft.com/en-us/library/hh831769

Below links will be helpful to setup new DC.Also ensure that health of exiting DC is good before you proceed with AD migration on new server.You can run dcdiag /q and repadmin /replsun,check event log for the same.

Adding first Windows Server 2008 R2 Domain Controller within Windows 2003 network


Step-by-Step Guide for Setting Up Windows Server 2012 Domain Controller

Introducing the first Windows Server 2012 Domain Controller (Part 1 of 2)

Remove an old DC and Introduce a new DC with the Same Name and IP Address
cgooden01Author Commented:
I have updated this as an attached file. Apparently, it was not attached.  I will simply add it in this section.  

Current Configuration

Windows Server 2003 SP1 hosting
    - Domain Controllers
    - Domain Naming System (DNS) Servers
    - Flexible Single Master Operation (FSMO ) Roles
    - Member Servers (Exchange, Sharepoint, File & Printer,etc)

    - All existing 2003 Servers will remain on Current Hardware
    - All new 2008 R2 servers will be built on new hardware
    - All 2008 R2 servers will be either physical or Virtual
    - LDAP queries are associated with AD not a specific Domain Controller host name

Proposed Upgrade

To maintain current user accounts and associated SID and all current file permissions to the existing structure.  

Top level Process

- Introduce Windows 2008 R2 Member servers to existing 2003 Domain
- Install DNS with zone replication (non-AD integrated to existing DNS architecture
- Promote new 2008 R2 servers to Domain Controllers (DCMPROM0)
- Modify Primary DNS zone to AD integrated
- Transfer FSMO roles from 2003 to 2008 R2 Domain Controllers
- Demote (DCPROMO) exisiting 2003 Domain Controllers

At this point, existing architecture would be operating in a Server 2008 R2 with a Forest & Domain Functional level of 2003.  All user accounts, group membership, email permissions and file system access remain unchanged

Granular Steps......

- Join 2008 Servers to 2003 Domain
- Verify servers have received current domain policies
- Review audit logs
- Resolve critical errors identified in logs
- Allow servers to function on domain for 24 hours
- Recheck audit logs, resolve critical errors

- Install DNS server role on new 2008 R2
- Create Primary zone
- Establish zone replication
- Review DNS and audit logs for replication errors
- Verify DNS is functional (NSLOOKUP, etc)
- Reconfigure all host to use new DNS Server

- Promote 2008 R2 Servers to DC
- Select (1) 2008 Server
- DCPROMO to domain controller
- Verify successful DC Promotion
- Modify Primary DNS zone to AD Integrated
- Review Audit logs
- Verify Users can authenticate to new DC
- Verify DNS name resolution
- Allow server to function on domain for 24 hours
- Review audit logs, resolve critical errors

Promote Second 2008 R2 Server to Domain Controller
- DCPROMO remaining 2008 R2 to domain controller
- Verify successful DC promotion
- Modify Primary DNS zone to AD integrated
- Review audit logs, etc
- Verify users can authenticate to new DC
- Verify DNS name resolution
- Allow Server to function on domain for 24 hours
- Review audit logs, resolve critical errors

Transfer Global Catalog Server Role
- Transfer GC role to new promoted 2008 R2 Domain Controller
- Verify Successful Transfer
- Review audit logs, etc

Transfer FSMO Roles
- Follow Best Practice for FSMO role replacement
- Transfer roles to newly promoted 2008 R2 DC
- Verify site replication and user authentication
- Review audit logs, etc
- Allow Server to function on Domain for 24 hours

Demote 2003 Domain Controllers
- Verify FSMO Roles and GC have been transferred from 2003 to 2008
- Verify all domain specific errors have been resolved
- Verify all host are using 2008 R2 servers for DNS resolution
- Verify current 2003 DC are not hosting file or printer shares
- Verify LDAP queries are functional
- RUN DCPROMO from Target 2003 DC and demote to member Server
- Verify domain operations
- Review 2008 DC audit logs
- Repeat steps until all 2003 DC are demoted
I have one suggestion in above plan
Why don't you modify AD schema directly to 2012 \ 2012 R2 instead of 2008 R2

Once Schema upgraded, you can install 2008 R2 \ 2012 \ 2012 R2 DCs

Your Comment:

[Top level Process

- Introduce Windows 2008 R2 Member servers to existing 2003 Domain
- Install DNS with zone replication (non-AD integrated to existing DNS architecture
- Promote new 2008 R2 servers to Domain Controllers (DCMPROM0)
- Modify Primary DNS zone to AD integrated

1st of you cannot set DNS zone replication if its non ad integrated (Standard primary)
2nd, you don't need to create standard primary zone on either 2003 \ 2008 R2 servers.If you do that way, it will block replication of AD integrated zone from 2003 server due to conflict (Zone already exists).Then probably u would end up with deletion of primary zone copy on 2008 R2 and then again 2003 will replicate primary zone copy.

I believe, you must have AD integrated zones on 2003 DCs
When u promote 2008 R2 DCs, it will give you option to install AD integrated DNS and once installed it will replicate AD integrated DNS zones automatically

Rest of the Plan of action seems OK


Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Tackle projects and never again get stuck behind a technical roadblock.
Join Now