2008 domain upgrade on top of 2003 Current Domain Forest

Posted on 2013-11-27
Last Modified: 2014-01-09
Want to ensure that all of my check and balances are in-place due to the critical data and architecture on hand. So want to have as many eyes on this as possible and indicate/explain where this may go wrong if implemented.  If you see a step, process that is not warranted or needs a different order, please explain why and the results.  Thank you in advance.
Question by:cgooden01
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 57

Accepted Solution

Mike Kline earned 250 total points
ID: 39681704
Were you going to post steps.   Are you planning on 2008 or 2008 R2.  I'd go with R2.  

High Level Steps

prep your forest for 2008 R2 (adprep32 /forestprep and adprep32 /domainprep)
install the 2008 R2 member server (can be done before the prep too)
use dcpromo to promote the box
make the box a global catalog (does it by default in the 2008 dcpromo process)
if you have DNS on your 2003 box install it on the 2008 box (same screen as the global catlalog just a check box)
At that point you have a fully functional 2008 DC
Transfer FSMO roles to 2008 R2 box
Point clients (static and DHCP) to the new box for DNS services.
Verify health of new DC with tools like dcdiag and repadmin

When you are ready to remove the 2003 box use dcpromo to demote it
once all your 2003 DCs are demoted you can raise the functional level.

There is a lot of great info on this subject already so I won't rewrite the book.  

The official Microsoft document



I also really like two blog entries by MVPs on the upgrade.  One is from Meinolf the other from Sander.  





Expert Comment

ID: 39681711
I am also waiting to see if you are posting what you believe to be the right process.

Please post.

LVL 37

Expert Comment

ID: 39681869
Before starting AD upgrade just check if your AD is free from errors
i.e. name resolution is working Properly across all domains in forest
intersite and intrasite Replication is working fine across all domains in forest.
Check AD for lingering object presense if any (Directory event IDs 1388, 1988, 2042

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

LVL 24

Assisted Solution

Sandeshdubey earned 250 total points
ID: 39683252
You can plan to have Win2012/2008/2008 R2 server as DC the choice is yours.

Difference between AD DS 2008 R2 and AD DS 2012

What's New in Windows Server 2012:

Below links will be helpful to setup new DC.Also ensure that health of exiting DC is good before you proceed with AD migration on new server.You can run dcdiag /q and repadmin /replsun,check event log for the same.

Adding first Windows Server 2008 R2 Domain Controller within Windows 2003 network

Step-by-Step Guide for Setting Up Windows Server 2012 Domain Controller

Introducing the first Windows Server 2012 Domain Controller (Part 1 of 2)

Remove an old DC and Introduce a new DC with the Same Name and IP Address

Author Comment

ID: 39685182
I have updated this as an attached file. Apparently, it was not attached.  I will simply add it in this section.  

Current Configuration

Windows Server 2003 SP1 hosting
    - Domain Controllers
    - Domain Naming System (DNS) Servers
    - Flexible Single Master Operation (FSMO ) Roles
    - Member Servers (Exchange, Sharepoint, File & Printer,etc)

    - All existing 2003 Servers will remain on Current Hardware
    - All new 2008 R2 servers will be built on new hardware
    - All 2008 R2 servers will be either physical or Virtual
    - LDAP queries are associated with AD not a specific Domain Controller host name

Proposed Upgrade

To maintain current user accounts and associated SID and all current file permissions to the existing structure.  

Top level Process

- Introduce Windows 2008 R2 Member servers to existing 2003 Domain
- Install DNS with zone replication (non-AD integrated to existing DNS architecture
- Promote new 2008 R2 servers to Domain Controllers (DCMPROM0)
- Modify Primary DNS zone to AD integrated
- Transfer FSMO roles from 2003 to 2008 R2 Domain Controllers
- Demote (DCPROMO) exisiting 2003 Domain Controllers

At this point, existing architecture would be operating in a Server 2008 R2 with a Forest & Domain Functional level of 2003.  All user accounts, group membership, email permissions and file system access remain unchanged

Granular Steps......

- Join 2008 Servers to 2003 Domain
- Verify servers have received current domain policies
- Review audit logs
- Resolve critical errors identified in logs
- Allow servers to function on domain for 24 hours
- Recheck audit logs, resolve critical errors

- Install DNS server role on new 2008 R2
- Create Primary zone
- Establish zone replication
- Review DNS and audit logs for replication errors
- Verify DNS is functional (NSLOOKUP, etc)
- Reconfigure all host to use new DNS Server

- Promote 2008 R2 Servers to DC
- Select (1) 2008 Server
- DCPROMO to domain controller
- Verify successful DC Promotion
- Modify Primary DNS zone to AD Integrated
- Review Audit logs
- Verify Users can authenticate to new DC
- Verify DNS name resolution
- Allow server to function on domain for 24 hours
- Review audit logs, resolve critical errors

Promote Second 2008 R2 Server to Domain Controller
- DCPROMO remaining 2008 R2 to domain controller
- Verify successful DC promotion
- Modify Primary DNS zone to AD integrated
- Review audit logs, etc
- Verify users can authenticate to new DC
- Verify DNS name resolution
- Allow Server to function on domain for 24 hours
- Review audit logs, resolve critical errors

Transfer Global Catalog Server Role
- Transfer GC role to new promoted 2008 R2 Domain Controller
- Verify Successful Transfer
- Review audit logs, etc

Transfer FSMO Roles
- Follow Best Practice for FSMO role replacement
- Transfer roles to newly promoted 2008 R2 DC
- Verify site replication and user authentication
- Review audit logs, etc
- Allow Server to function on Domain for 24 hours

Demote 2003 Domain Controllers
- Verify FSMO Roles and GC have been transferred from 2003 to 2008
- Verify all domain specific errors have been resolved
- Verify all host are using 2008 R2 servers for DNS resolution
- Verify current 2003 DC are not hosting file or printer shares
- Verify LDAP queries are functional
- RUN DCPROMO from Target 2003 DC and demote to member Server
- Verify domain operations
- Review 2008 DC audit logs
- Repeat steps until all 2003 DC are demoted
LVL 37

Expert Comment

ID: 39685280
I have one suggestion in above plan
Why don't you modify AD schema directly to 2012 \ 2012 R2 instead of 2008 R2

Once Schema upgraded, you can install 2008 R2 \ 2012 \ 2012 R2 DCs

Your Comment:

[Top level Process

- Introduce Windows 2008 R2 Member servers to existing 2003 Domain
- Install DNS with zone replication (non-AD integrated to existing DNS architecture
- Promote new 2008 R2 servers to Domain Controllers (DCMPROM0)
- Modify Primary DNS zone to AD integrated

1st of you cannot set DNS zone replication if its non ad integrated (Standard primary)
2nd, you don't need to create standard primary zone on either 2003 \ 2008 R2 servers.If you do that way, it will block replication of AD integrated zone from 2003 server due to conflict (Zone already exists).Then probably u would end up with deletion of primary zone copy on 2008 R2 and then again 2003 will replicate primary zone copy.

I believe, you must have AD integrated zones on 2003 DCs
When u promote 2008 R2 DCs, it will give you option to install AD integrated DNS and once installed it will replicate AD integrated DNS zones automatically

Rest of the Plan of action seems OK


Featured Post

[Live Webinar] The Cloud Skills Gap

As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.

Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question