Windows Server 2003 - How can I retire this and promote a Win 2008 R2 Srv to PDC?

Posted on 2014-01-02
Last Modified: 2014-01-14
Hi Experts
We have a Windows 2003 Std Server on our school network. We also have a Windows Server 2008 Std R2 server that we are not using at the moment. The Windows 2003 Server is the domain controller but it's giving us problems and I want to retire it. I would like to set up the Windows 2008 Server to take over the roles of the Windows Server 2003 box. How can I do this?
Question by:freshfordian
LVL 39

Accepted Solution

Krzysztof Pytko earned 350 total points
ID: 39751052
First of all, you need to prepare your environment for that. If you wish you may follow an article from my blog for that at

After you promote your new Windows Server 2008 R2 Domain Controller, you need to meet some prerequisites to be able to decommission the old DC. One of them you met by transferring the FSMO roles and advertising the new time server.

When you transfer the PDC Emulator role, you need to advertise a new time server in your domain.

Now, you need to be sure that the AD database and SYSVOL were fully replicated to the Windows Server 2008 R2 DC. If so, you are almost ready for decommissioning.

All servers/workstations configured with a fixed IP address should be checked, because in the NIC's properties under DNS configuration you have probably configured your old 2003 DC as the DNS server. You need to replace that with your new Windows Server 2008 R2 IP address.

Additionally, you need to check your DHCP Server configuration. Under server/scope options (depends on DHCP configuration) you have to modify option no 006, where the DNS server IP address(es) is/are defined. Just replace the old IP with the new one.

Turn off your 2003 DC for a few days and check if everything is working fine. After the 2003 DC has been shut down, restart all of your workstations (devices with an IP from the DHCP server).

When your environment works fine without the 2003 DC, turn it back on and start the decommissioning procedure.

If you wish, you may also read another article on my blog, showing how to decommission Windows Server 2003 Domain Controller
I hope it would allow you to do that without pain :)

After all, if you do not plan adding any 2003 Domain Controllers in the future, you may consider raising Domain Functional and Forest Functional Levels to get more AD features and advantages.

Please check also these articles on my blog about DFL and FFL

In case of any other questions, do not hesitate to ask.

LVL 22

Assisted Solution

by:Patrick Bogers
Patrick Bogers earned 100 total points
ID: 39751053

Prep the forest and domain using adprep from the 2008 media.
Join the 2008 server to the domain as a member server and install all roles now served by the 2003 box.
DCPromo the 2008 box to become a domain controller and move all 5 FSMO roles to the new box.
Give it some time to replicate and all AD info will be mirrored. Have it run in dual DC mode for some time before you decide to retire the old machine using DCPromo again.
LVL 18

Assisted Solution

by:Andrej Pirman
Andrej Pirman earned 50 total points
ID: 39751139
Well, the base fact you need to know before you proceed is that (unless you have DFS configured and in use) your SHARED documents paths will change for all users. Shares pointing to \\OldServer\Something will become \\NewServer\Something.

Now, base principle to do what you need to is:
- first, apply all PATCHES/UPDATES to your old 2003 server, reboot and let it run for a while to see if any errors occur
- next, do the same for 2008R2 server
- pick a NAME for new server 2008R2 now, as it is strongly advised to not change it later!
- also set a static IP address for 2008R2 now, with DNS pointing to 2003 server. You will change DNS later without a problem (to point to itself), but again it is strongly advised to not change IP address later!
- disable IPv6 protocol under TCP/IP settings, if you do not intend to use it.
- issue following commands on 2008R2 command prompt:
ipconfig /flushdns
Then try to resolve your 2003 server:
nslookup 2003server.domain.local
(should display IP address of 2003 server)
ping 2003server.domain.local
(should ping the same IP)
If both tests pass, proceed.
- now, join the new server 2008R2 to your existing domain, just like you would join any other workstation into domain. This is not essential, but I would recommend.

Let it settle down for 20-30 minutes.
Reboot 2008 server after pause and login with domain administrator.

Now you can start with PROMOTING it as 2nd domain controller.
Run from command prompt:

Some checks will be run and will warn you about DOMAIN and FOREST preparation for 2008R2 domain. Follow the instructions, which are nicely described here:

In brief:
- prior to DCPROMO successful run, you will need to raise domain and forest functionality level to at least 2000 scheme
- you will need to run FORESTPREP to prepare metabase for 2008R2 functionality
- same run DOMAINPREP
- and DCPROMO will then pass without problems

You will now have 2 domain controllers.
Then again, let it settle down an hour or so.

Then you will proceed with FSMO roles assignment, which are now assigned to old 2003 server, and you want them moved to 2008R2 server.

Check on both controllers in DNS if both, Forward and Reverse records are present for the new 2008R2 server.

Now it is time to transfer all shares and applications to new 2008R2 server. There are many methods you can use to transfer shares and documents, but one I prefer is:
- make a BACKUP of all shares on old 2003 server
- RESTORE files to new server 2008R2 and make sure you select "restore file permissions", so you will have functional shares
Then manually go one-by-one share and look at SHARING properties on old 2003 server and create same share name on new 2008R2. If you do not have gozillion of shares, you should finish quickly.

Then let users CHANGE all share names from \\OldServer\Share to \\NewServer\Share.
If you have mapping rules set in Group Policy, change there and let it run for a day or two, so all users will Log-out and log-In.
Check on old 2003 under Shares if NO files are opened and no one maps to it anymore.

Power down old server 2003 and see for user complaints. If there is nothing wrong for a day or two and no significant errors in 2008R2 Event Logs, proceed:
- turn server 2003 back on
- let it run for a few hours and check Event Log for NTFRS and replication errors. Should replicate with no issues
- now you can DE-PROMOTE old 2003 server. Run from command prompt on 2003 server:
Wizard will de-promote 2003 and it will become the regular workstation in domain.

Again, let it run for a few hours to replicate properly.
Check on new 2008R2 under Domains and Trusts and in ADUC under Domain controllers if there is no sign of old 2003 server anymore. It should be listed under SERVERS, but NOT under domain controllers anymore.

If all goes fine, you can put old 2003 server out of domain back to Workgroup, or you can safely turn it off.
But essential part is that you properly finish DE-PROMOTION of old server, because if you somehow just lose connectivity with old 2003 server before it is de-promoted, you WILL have problems after few months.

Author Comment

ID: 39758744
Hi Experts

There were two Windows 2003 servers on the domain (server01 and server02). When I arrived this morning I discovered that server02 has failed completely and will not boot, thus leaving me with server01. I attempted to join the new 2008 server to the domain and I get the message that the domain does not exist, although I can clearly see AD on server01. When I go to Active Directory Domains and Trusts and check the operations master, it says ERROR in the Domain Naming Operations Master box and I cannot connect to the domain. Any suggestions welcome!
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 350 total points
ID: 39761413
Please type in command-line on the remaining DC

netdom query fsmo

and check where the FSMO roles are held. If you cannot see a server name but only an error, that means the broken DC had FSMO roles on it. Then you have to repair and bring back that server or, if this is not possible, you have to seize all roles with the ERROR message to the existing DC and do a metadata cleanup for the broken Domain Controller.

After that, you should be able to start promotion for new OS as DC.

All these articles are available on my blog, if you wish you may see them:

Please check if that solves your issue and if you have more questions, do not hesitate to ask
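
An added example, not part of the original answer: a PowerShell sketch that parses the output of `netdom query fsmo` and reports, per role, whether it is held by the DC you expect, by another DC, or by nobody that resolves. The function names, the host names and the sample output are constructed for illustration; only the five role labels follow the tool's normal output.

```powershell
# Role labels as `netdom query fsmo` prints them on a healthy domain.
$RoleLabels = 'Schema master', 'Domain naming master', 'PDC',
              'RID pool manager', 'Infrastructure master'

# Hypothetical helper: map each role to the FQDN printed next to it.
# A role whose line is absent, or carries anything other than an FQDN,
# comes back with an empty Holder.
function Get-FsmoHolders {
    param([string[]]$NetdomOutput)
    foreach ($label in $RoleLabels) {
        $holder  = $null
        $pattern = '^\s*' + [regex]::Escape($label) + '\s+((?:[\w-]+\.)+[\w-]+)\s*$'
        foreach ($line in $NetdomOutput) {
            if ($line -match $pattern) { $holder = $Matches[1]; break }
        }
        New-Object PSObject -Property @{ Role = $label; Holder = $holder }
    }
}

# Hypothetical helper: compare every role against the DC expected to hold it.
function Test-FsmoPlacement {
    param([string[]]$NetdomOutput, [string]$ExpectedHolder)
    Get-FsmoHolders $NetdomOutput | ForEach-Object {
        if (-not $_.Holder)                     { $status = 'UNRESOLVED' }
        elseif ($_.Holder -ieq $ExpectedHolder) { $status = 'OK' }
        else                                    { $status = 'ON OTHER DC' }
        $_ | Add-Member -MemberType NoteProperty -Name Status -Value $status -PassThru
    }
}

# Constructed sample (not captured from a real domain): one role line is
# missing and one role still points at the failed server02.
$sample = @(
    'Schema master               server01.domain.local',
    'PDC                         server01.domain.local',
    'RID pool manager            server02.domain.local',
    'Infrastructure master       server01.domain.local'
)

Test-FsmoPlacement $sample 'server01.domain.local' |
    Format-Table Role, Holder, Status -AutoSize

# On a live DC, feed it the real output instead:
#   Test-FsmoPlacement (netdom query fsmo) 'server01.domain.local'
```

Any role not reported as OK is one that still has to be transferred, or seized if its holder cannot be brought back, before the promotion and later decommissioning steps described in this thread.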


Author Closing Comment

ID: 39781500
Thanks to All experts, I managed to resolve the problem
