Domain Controllers Upgrade

I currently have a win2k3/win2k8 environment. I have a win2k3 DC (BDC) and a win2k8 DC GC (PDC). We now have a win2k12 server with three VMs, one being a DC with win2k12 as the OS replacing the win2k3 DC. Should the win2k12 DC be the GC server with the FSMO roles or should I leave that on the win2k8 box and change that when the win2k8 server is being replaced? What would be your recommendation?
Seth Simmons (Sr. Systems Administrator) commented:
there is no such thing as PDC and BDC roles as it existed in NT back in the 90s
all domain controllers are equal read/write (unless it is a specific read-only domain controller)
the PDC emulator role was primarily for legacy systems though today with modern windows versions it has a different purpose (mainly for ntp)

now, as far as the 2012 server is concerned, you are not required to move the FSMO roles
if they are already on the 2008 server, they can stay there
if the 2008 server will eventually go away you can move the FSMO roles then, but by no means are you required to do so now

if your 2012 server is working fine on the domain then go ahead and gracefully remove the 2003 server
RantCan (Sr. Systems Administrator) commented:
Check domain functional level: must be 2003 before you can introduce the 2012 DC.  I am always in favor of being the least intrusive as possible. If the goal here is to remove the 2K3 DC and replace it with the 2012, then leave the 2K8 GC well alone.  

Does the 2K3 server do anything else, like DHCP?
Is host hypervisor clustered (Hyper-V or ESX)?
Is the 2K8 bare-metal? How long until server is at end-of-life?
Will Szymkowski (Senior Solution Architect) commented:
There are no specific requirements where you HAVE TO move the FSMO roles from the 2008 server to the 2012 server. There really is no benefit other than if your 2012 DC has more resources. However, if you move the FSMO roles now to the 2012 DC you will not have to do it in the future when you are ready to remove the 2008 DC.

Your Functional level will not matter based on where the FSMO roles are because you still have a 2008 DC in your environment so you can only raise the functional level to the oldest DC OS in your environment.

mcurran1 (Author) commented:
Hi, thanks all for getting back to me. I am at the 2003 functional level. At this point, should I up the functional level to 2008? @Rantcan the 2k3 also functions as a terminal server (which I realize should not be done on a DC, but hardware was not available to put it somewhere else at the time, so had to make do with that configuration) and also as a file server, the 2k8 DC does DHCP and yes the 2k8 is a bare metal box and I am not clustering and I am using hyper-v. When raising the functional level to 2k8 I must first gracefully remove the 2k3 box and then up the functional level, correct?
Will Szymkowski (Senior Solution Architect) commented:
Yes you can only raise the functional level to the lowest OS operating system, which is 2003. You will need to successfully demote the 2003 server and when all of the 2003 servers are removed you will then be able to raise the domain and forest functional levels to 2008.

To raise to 2012 you will need to remove all 2008 DC first then you can raise the functional level again to 2012.

Also in regards to GC, it's generally best practice nowadays to make all DCs a GC.
Sommerblink commented:

It may be a best practice to make all DCs GCs, but only in a specific environment:  single domain/single forest.

In multiple domain forests, then the Infrastructure Master FSMO role holders CANNOT be a GC too. Doing so will cause problems.
footech commented:
@Sommerblink - Given the question, I took it as a given that this is a single domain environment.  I think your first statement is debatable.

However, your 2nd statement is not quite correct.
"In multiple domain forests, then the Infrastructure Master FSMO role holders CANNOT be a GC too"
...but only if not all DCs are GCs. You can still have all DCs as GCs, even in a multi-domain environment.

Additional reading:
I'll quote one bit from the last link.
- Single domain forest:
   In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
- Multidomain forest:
   If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain. In practical terms, most administrators host the global catalog on every domain controller in the forest.
    If every domain controller in a given domain that is located in a multidomain forest does not host the global catalog, the infrastructure master must be placed on a domain controller that does not host the global catalog.
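
The placement rule quoted above, written out as a check. This is an added example, not part of the original thread; the function name `Test-InfrastructureMasterPlacement` and the host names in the sample inventory are hypothetical, and the inventory is constructed for illustration.

```powershell
# Added example: evaluates the infrastructure master / global catalog placement rule.
function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [int]      $ForestDomainCount,
        [Parameter(Mandatory)] [string]   $InfrastructureMaster,
        [Parameter(Mandatory)] [object[]] $DomainControllers   # objects with HostName, IsGlobalCatalog
    )
    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if (-not $holder) { return 'UNKNOWN: role holder not found among the listed DCs' }

    # DCs in this domain that do not host the global catalog
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    # Single-domain forest: no phantoms, so placement does not matter
    if ($ForestDomainCount -eq 1) { return 'OK: single-domain forest, no phantoms to maintain' }
    # Multidomain forest where every DC is a GC: again no work for the role
    if ($nonGc.Count -eq 0)       { return 'OK: every DC in the domain is a GC' }
    # Multidomain forest with a GC/non-GC mix: the holder must not be a GC
    if ($holder.IsGlobalCatalog) {
        return "PROBLEM: move the role to a non-GC DC ($($nonGc.HostName -join ', ')) or make every DC a GC"
    }
    return 'OK: role holder is not a GC'
}

# Constructed inventory (hypothetical host names)
$dcs = @(
    [pscustomobject]@{ HostName = 'dc2008.corp.example'; IsGlobalCatalog = $true  }
    [pscustomobject]@{ HostName = 'dc2012.corp.example'; IsGlobalCatalog = $false }
)

# Single domain, then a two-domain forest with the role on the GC, then on the non-GC
Test-InfrastructureMasterPlacement -ForestDomainCount 1 -InfrastructureMaster 'dc2008.corp.example' -DomainControllers $dcs
Test-InfrastructureMasterPlacement -ForestDomainCount 2 -InfrastructureMaster 'dc2008.corp.example' -DomainControllers $dcs
Test-InfrastructureMasterPlacement -ForestDomainCount 2 -InfrastructureMaster 'dc2012.corp.example' -DomainControllers $dcs

# Against a live domain (requires the ActiveDirectory module):
# $d = Get-ADDomain
# Test-InfrastructureMasterPlacement -ForestDomainCount (Get-ADForest).Domains.Count `
#     -InfrastructureMaster $d.InfrastructureMaster `
#     -DomainControllers (Get-ADDomainController -Filter *)
```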
Will Szymkowski (Senior Solution Architect) commented:
@Footech -
"Also in regards to GC, it's generally best practice nowadays to make all DCs a GC."
I would have to agree with Footech here.


Because when you add your domain controllers to your environment you want them all to be equally serviceable. Meaning if you only have specific DCs that are also GCs, then the domain controllers that only hold the DC role will continually have to reference other GCs for forest-wide information. In certain scenarios, like having Exchange in your environment, this would be putting all of the load on the GCs in the environment.

You want all of the DCs to act as equals in regards to providing authentication services. This also provides redundancy for the GC role, and simplicity as well, knowing all of your DCs are GCs.

In any deployment recommendations I always state that having all DCs as GCs is a good practice going forward.

I stand corrected Footech.

Good luck!
If all domain controllers are GCs in a multi-domain forest, then it does not matter where the Infrastructure Master role resides.

Also, you can run the command below on the PDC and ADCs to see the difference between them:

Net accounts

This command will show each server role:
For PDC it is "primary"
For ADC it is "Backup"
For member servers it is "server"

Even if there is practically no difference between PDC and ADC, except that the PDC holds the PDC FSMO role, theoretically the command distinguishes them.

Others have already given appropriate answers
mcurran1 (Author) commented:
Well thank you for the abundance of advice here... not sure how to give credit here for a solution though...  I know I can do multiple, but it seems crazy to do them all... what would be a suggested solution for this?
General guidelines, from my point of view.
I would pick each post that
1) provided useful info applicable to the main question
2) didn't repeat previous posts, unless additional meaningful info was given

Then among those, do your best to assign points based on how much of your original question it answered.  Get suspicious if you're accepting more than 3 posts.  More than 5 posts and you're practically guaranteed it's probably too many.