Transitioning a very old AD to a current version.


I have been running an Active Directory server for a very long time without any updates.  It is time to upgrade it, or more accurately, to abandon it.  By that I mean to install a new AD, hopefully synchronize to the old one, and then retire the old one.  This is one area I've never had to become particularly competent in and that has come home to roost.

I'm looking for advice on how to do this gracefully so stuff doesn't break all over the place.  While I have very few users, I do have lots of servers and services that depend on that to work.

I have access to Windows servers vintage 2008 R2, 2012 and 2016.


Ben Conner (CTO, SAS developer) Asked:

What is your current AD version?
And what version do you want to upgrade to?
Ben Conner (CTO, SAS developer) Author Commented:
Technically it is running on a 2008 R2 server but I -believe- it is emulating a 2000 AD.  How can I verify that?

The only thing I use it for is for machine authentication and dns resolution.  I have another non-Windows server I use for domain names we host.  I have a half dozen or fewer users but the issue will be the services that run on each server.   I have about 8 servers that tie in to it and 3-4 workstations.  

I could probably migrate to a 2008 R2 AD but don't know what the pros and cons are for each variant.  

These are all VMs running under VMWare vSphere, so I could test things in isolation if that would be helpful.


yo_bee (Director of Information Technology) Commented:
Open Active Directory Users and Computers | Right click the domain | select properties.  Here it will tell you what Domain Level you are at.  

If you are at 2000 and you don't have any 2000 Domain Controllers you can easily raise this to the highest level  that is acceptable (2008)

Once you are at the level 2008 you can add a second domain controller and move all the major roles (FSMO) to the new DC. With a newly added DC replication will happen, giving you redundancy and the ability to stage for the decommissioning of the old DC.

Once these steps are completed, I would leave both DCs running in parallel for a bit.

Once this has been running for a week or so and there are no errors you can safely decommission the old DC.

  How to check Domain Function Level:

Steps to transfer FSMO roles.

Ben Conner (CTO, SAS developer) Author Commented:
Ok, the Domain functional level is: Windows 2000 native.  The Forest functional level is Windows 2000.
This is the only AD I have running in the network.  
Tried to raise the active level and got the following error:

You cannot raise the domain functional level because this domain includes Active Directory Domain Controllers that are not running the appropriate version of Windows.

Doing a 'Save As' on that screen produced a file with the server in question, which was  That server hasn't been active for years.  Can I drop it somewhere and proceed?  If I manage the servers and bring up Domain Controllers, the only one I see is NEWPDC (the current one).

Peter Hutchison (Senior Network Systems Specialist) Commented:
You need to run the ntdsutil to do a metadata cleanup and remove old DCs from the AD configuration.
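An added example, not posted by anyone in this thread: a read-only PowerShell audit that performs the checks yo_bee and Peter describe from the command line, showing the domain and forest functional level, the five FSMO role holders, and any DC server objects left in the configuration partition whose computer account is no longer in the Domain Controllers OU (the leftover that blocks raising the functional level, as in the error above). It assumes the RSAT ActiveDirectory module and a domain admin session; nothing in it modifies AD, and the ntdsutil and cmdlet names in the comments are the follow-up steps, not executed here.

```powershell
# Added example: audit functional levels, FSMO holders and stale DC metadata. Read-only.
# Assumes the ActiveDirectory module (RSAT / AD DS role) and a domain admin session.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Functional levels (the thread reports Windows 2000 for both)
"Domain level        : $($domain.DomainMode)"
"Forest level        : $($forest.ForestMode)"

# 2. FSMO role holders; all five should sit on the new DC before the old one is retired.
#    Next step (not run here): Move-ADDirectoryServerOperationMasterRole -Identity <NewDC>
#      -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster
"PDC Emulator        : $($domain.PDCEmulator)"
"RID Master          : $($domain.RIDMaster)"
"Infrastructure      : $($domain.InfrastructureMaster)"
"Schema Master       : $($forest.SchemaMaster)"
"Domain Naming Master: $($forest.DomainNamingMaster)"

# 3. Computer accounts in the Domain Controllers OU (what ADUC shows under "Domain Controllers")
$dcAccounts = Get-ADComputer -Filter * -SearchBase $domain.DomainControllersContainer |
              Select-Object -ExpandProperty Name
"DC computer accounts: $($dcAccounts -join ', ')"

# 4. NTDS Settings objects under CN=Sites in the configuration partition. A server object
#    here with no matching computer account is leftover metadata: it still counts as a DC
#    when raising the functional level and must be removed with ntdsutil metadata cleanup.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$ntds  = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$cfgNC" -SearchScope Subtree
$stale = @()
foreach ($n in $ntds) {
    # DN is CN=NTDS Settings,CN=<ServerName>,CN=Servers,CN=<Site>,CN=Sites,<config NC>
    $serverDN   = $n.DistinguishedName -replace '^CN=NTDS Settings,', ''
    $serverName = (($serverDN -split ',')[0]) -replace '^CN=', ''
    if ($dcAccounts -notcontains $serverName) {
        $stale += $serverDN
        Write-Warning "Stale DC metadata: $serverDN"
        # Cleanup command (run interactively, after confirming the host is really gone):
        Write-Warning "  ntdsutil 'metadata cleanup' 'remove selected server $serverDN' q q"
    }
}
if ($stale.Count -eq 0) {
    "No stale DC metadata found; Set-ADDomainMode / Set-ADForestMode can proceed."
}
```

Re-run the audit after the cleanup and again once the new DC holds all five roles; only then leave both DCs in parallel for the observation period yo_bee recommends.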

Ben Conner (CTO, SAS developer) Author Commented:
Thanks to all for helping straighten this out.  I should have asked how to do this years ago.  Much appreciated!!
