2008 domain upgrade on top of 2003 Current Domain Forest

Posted on 2013-11-27
Last Modified: 2014-01-09
Want to ensure that all of my check and balances are in-place due to the critical data and architecture on hand. So want to have as many eyes on this as possible and indicate/explain where this may go wrong if implemented.  If you see a step, process that is not warranted or needs a different order, please explain why and the results.  Thank you in advance.
Question by:cgooden01
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 57

Accepted Solution

Mike Kline earned 250 total points
ID: 39681704
Were you going to post steps.   Are you planning on 2008 or 2008 R2.  I'd go with R2.  

High Level Steps

prep your forest for 2008 R2 (adprep32 /forestprep and adprep32 /domainprep)
install the 2008 R2 member server (can be done before the prep too)
use dcpromo to promote the box
make the box a global catalog (does it by default in the 2008 dcpromo process)
if you have DNS on your 2003 box install it on the 2008 box (same screen as the global catlalog just a check box)
At that point you have a fully functional 2008 DC
Transfer FSMO roles to 2008 R2 box
Point clients (static and DHCP) to the new box for DNS services.
Verify health of new DC with tools like dcdiag and repadmin

When you are ready to remove the 2003 box use dcpromo to demote it
once all your 2003 DCs are demoted you can raise the functional level.

There is a lot of great info on this subject already so I won't rewrite the book.  

The official Microsoft document



I also really like two blog entries by MVPs on the upgrade.  One is from Meinolf the other from Sander.  





Expert Comment

ID: 39681711
I am also waiting to see if you are posting what you believe to be the right process.

Please post.

LVL 37

Expert Comment

ID: 39681869
Before starting AD upgrade just check if your AD is free from errors
i.e. name resolution is working Properly across all domains in forest
intersite and intrasite Replication is working fine across all domains in forest.
Check AD for lingering object presense if any (Directory event IDs 1388, 1988, 2042

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

LVL 24

Assisted Solution

Sandeshdubey earned 250 total points
ID: 39683252
You can plan to have Win2012/2008/2008 R2 server as DC the choice is yours.

Difference between AD DS 2008 R2 and AD DS 2012

What's New in Windows Server 2012:

Below links will be helpful to setup new DC.Also ensure that health of exiting DC is good before you proceed with AD migration on new server.You can run dcdiag /q and repadmin /replsun,check event log for the same.

Adding first Windows Server 2008 R2 Domain Controller within Windows 2003 network

Step-by-Step Guide for Setting Up Windows Server 2012 Domain Controller

Introducing the first Windows Server 2012 Domain Controller (Part 1 of 2)

Remove an old DC and Introduce a new DC with the Same Name and IP Address

Author Comment

ID: 39685182
I have updated this as an attached file. Apparently, it was not attached.  I will simply add it in this section.  

Current Configuration

Windows Server 2003 SP1 hosting
    - Domain Controllers
    - Domain Naming System (DNS) Servers
    - Flexible Single Master Operation (FSMO ) Roles
    - Member Servers (Exchange, Sharepoint, File & Printer,etc)

    - All existing 2003 Servers will remain on Current Hardware
    - All new 2008 R2 servers will be built on new hardware
    - All 2008 R2 servers will be either physical or Virtual
    - LDAP queries are associated with AD not a specific Domain Controller host name

Proposed Upgrade

To maintain current user accounts and associated SID and all current file permissions to the existing structure.  

Top level Process

- Introduce Windows 2008 R2 Member servers to existing 2003 Domain
- Install DNS with zone replication (non-AD integrated to existing DNS architecture
- Promote new 2008 R2 servers to Domain Controllers (DCMPROM0)
- Modify Primary DNS zone to AD integrated
- Transfer FSMO roles from 2003 to 2008 R2 Domain Controllers
- Demote (DCPROMO) exisiting 2003 Domain Controllers

At this point, existing architecture would be operating in a Server 2008 R2 with a Forest & Domain Functional level of 2003.  All user accounts, group membership, email permissions and file system access remain unchanged

Granular Steps......

- Join 2008 Servers to 2003 Domain
- Verify servers have received current domain policies
- Review audit logs
- Resolve critical errors identified in logs
- Allow servers to function on domain for 24 hours
- Recheck audit logs, resolve critical errors

- Install DNS server role on new 2008 R2
- Create Primary zone
- Establish zone replication
- Review DNS and audit logs for replication errors
- Verify DNS is functional (NSLOOKUP, etc)
- Reconfigure all host to use new DNS Server

- Promote 2008 R2 Servers to DC
- Select (1) 2008 Server
- DCPROMO to domain controller
- Verify successful DC Promotion
- Modify Primary DNS zone to AD Integrated
- Review Audit logs
- Verify Users can authenticate to new DC
- Verify DNS name resolution
- Allow server to function on domain for 24 hours
- Review audit logs, resolve critical errors

Promote Second 2008 R2 Server to Domain Controller
- DCPROMO remaining 2008 R2 to domain controller
- Verify successful DC promotion
- Modify Primary DNS zone to AD integrated
- Review audit logs, etc
- Verify users can authenticate to new DC
- Verify DNS name resolution
- Allow Server to function on domain for 24 hours
- Review audit logs, resolve critical errors

Transfer Global Catalog Server Role
- Transfer GC role to new promoted 2008 R2 Domain Controller
- Verify Successful Transfer
- Review audit logs, etc

Transfer FSMO Roles
- Follow Best Practice for FSMO role replacement
- Transfer roles to newly promoted 2008 R2 DC
- Verify site replication and user authentication
- Review audit logs, etc
- Allow Server to function on Domain for 24 hours

Demote 2003 Domain Controllers
- Verify FSMO Roles and GC have been transferred from 2003 to 2008
- Verify all domain specific errors have been resolved
- Verify all host are using 2008 R2 servers for DNS resolution
- Verify current 2003 DC are not hosting file or printer shares
- Verify LDAP queries are functional
- RUN DCPROMO from Target 2003 DC and demote to member Server
- Verify domain operations
- Review 2008 DC audit logs
- Repeat steps until all 2003 DC are demoted
LVL 37

Expert Comment

ID: 39685280
I have one suggestion in above plan
Why don't you modify AD schema directly to 2012 \ 2012 R2 instead of 2008 R2

Once Schema upgraded, you can install 2008 R2 \ 2012 \ 2012 R2 DCs

Your Comment:

[Top level Process

- Introduce Windows 2008 R2 Member servers to existing 2003 Domain
- Install DNS with zone replication (non-AD integrated to existing DNS architecture
- Promote new 2008 R2 servers to Domain Controllers (DCMPROM0)
- Modify Primary DNS zone to AD integrated

1st of you cannot set DNS zone replication if its non ad integrated (Standard primary)
2nd, you don't need to create standard primary zone on either 2003 \ 2008 R2 servers.If you do that way, it will block replication of AD integrated zone from 2003 server due to conflict (Zone already exists).Then probably u would end up with deletion of primary zone copy on 2008 R2 and then again 2003 will replicate primary zone copy.

I believe, you must have AD integrated zones on 2003 DCs
When u promote 2008 R2 DCs, it will give you option to install AD integrated DNS and once installed it will replicate AD integrated DNS zones automatically

Rest of the Plan of action seems OK


Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question