
MWeber's Blog - Upgrading an Active Directory Domain from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2 9/3/2014

MWEBER'S BLOG
My blog about Active Directory and some more ……. MVP for Directory Services in the years 2008 2009 2010 2011 2012 2013

Upgrading an Active Directory Domain from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2
Feb 10 2010
Published by mweber under Active Directory, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2

!!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DATA/MACHINE!!!

If you have installed Exchange 2003 in the domain, see the following article first, Exchange requirements, otherwise follow the steps below

- On the old server open the DNS management console and check that you are running Active Directory integrated zones (easier for replication, if you have more than one DNS server)

- run replmon from the run line or repadmin /showrepl (only if more than one DC exists), dcdiag and netdiag from the command prompt on the old machine to check for errors; if you have some, solve them first. For these tools you have to install support\tools\suptools.msi from the 2003 installation disk.

- run adprep /forestprep, adprep /domainprep and adprep /rodcprep from the 2008 installation disk against the 2003 schema master (forestprep) / infrastructure master (domainprep/rodcprep), with an account that is a member of the Schema/Enterprise/Domain Admins, to upgrade the schema to the new version, 2008 (44) or 2008 R2 (47). The Windows Server 2008 R2 disk contains both adprep32.exe (32bit) and adprep.exe (64bit), so make sure to use the correct version.

- see here about adprep in detail (http://technet.microsoft.com/en-us/library/cc731728(WS.10).aspx)

- you can check the schema version with “schupgr” or “dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion” without the quotes in a command prompt

- if the first installed DC in the domain should be removed or replaced with another one, no matter whether with a new or the same OS version, then make sure that you export the recovery agent's EFS certificate private key from the DC BEFORE you demote/retire it. Details on how to do this are listed in (http://support.microsoft.com/kb/241201) and (http://technet.microsoft.com/en-us/library/cc755157(WS.10).aspx). If you do not save it, you will not be able to encrypt data in case of problems.

- Install the new machine as a member server in your existing domain

http://blogs.msmvps.com/mweber/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2/ 1/4

- configure a fixed IP and set the preferred DNS server to the old DNS server only. If you think about disabling IPv6 because you are not using it or it was recommended to you, pay attention to the UPDATE. Follow (http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx) to disable it, if really required

UPDATE for IPv6 02.06.2011: Keep in mind that IPv6 will become the future protocol and you should get familiar with it. Also the recommendation from Microsoft is to leave IPv6 enabled, as some new features/services or applications already require IPv6 to be enabled. Exchange 2010 and DirectAccess are some examples.

- run dcpromo and follow the wizard to add the 2008 server to an existing domain, make it also Global catalog and DNS server.

- for DNS give the server time for replication, at least 15 minutes. Because you use Active Directory integrated zones it will automatically replicate the zones to the new server. Open the DNS management console to check that they appear

- if the new machine is domain controller and DNS server, run replmon, dcdiag and netdiag again (copy the netdiag from the 2003 to the 2008, it will work) on both domain controllers

- Transfer, NOT seize, the 5 FSMO roles to the new domain controller (http://support.microsoft.com/kb/324801, applies also for 2008). FSMO should always be on the newest OS DC

- after transfer of the PDCEmulator role, configure the NEW PDCEmulator to use an external time source and reconfigure the old PDCEmulator to use the domain hierarchy now. To do so, run on the NEW one “w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update”, where PEERS will be filled with the IP address or server (time.windows.com), and on the OLD one run “w32tm /config /syncfromflags:domhier /reliable:no /update” and stop/start the time service on the old one. All commands are run in an elevated command prompt without the quotes.

- you can see in the event viewer (Directory service) that the roles are transferred, also give it some time

- reconfigure the DNS configuration on your NIC of the 2008 server, preferred DNS itself, secondary the old one

- if you use DHCP do not forget to reconfigure the scope settings to point to the new installed DNS server

- if needed move the DHCP database to the Windows Server 2008 machine, follow (http://support.microsoft.com/kb/962355), for more details see (http://technet.microsoft.com/en-us/library/cc772372.aspx)
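
A check to run between the steps above and the demotion below, as an added example that is not part of the original post: it parses the output of the article's dsquery schema query and of netdom query fsmo, and lists anything that should block demoting the old DC. The host names, the variables `$NewDc` and `$RequiredSchema`, the function names and the sample output are assumptions constructed for illustration.

```powershell
# Added example, not from the original post. Host names and sample output are constructed.
$NewDc          = 'DC2008.domainname.local'  # assumption: FQDN of the new domain controller
$RequiredSchema = 47                         # 44 = 2008, 47 = 2008 R2 (values from the article)

function Get-SchemaVersion([string[]]$DsqueryOutput) {
    # dsquery prints the attribute name as a header, then the value on its own line
    foreach ($line in $DsqueryOutput) {
        if ($line -match '^\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    throw 'objectVersion not found in dsquery output'
}

function Get-FsmoHolders([string[]]$NetdomOutput) {
    # "netdom query fsmo" prints one line per role: role name, padding, holder FQDN
    $pattern = '^(Schema master|Domain naming master|PDC|RID pool manager|Infrastructure master)\s+(\S+)\s*$'
    $roles = @{}
    foreach ($line in $NetdomOutput) {
        if ($line -match $pattern) { $roles[$Matches[1]] = $Matches[2] }
    }
    return $roles
}

function Test-ReadyToDemote([string[]]$DsqueryOutput, [string[]]$NetdomOutput) {
    $problems = @()
    $schema = Get-SchemaVersion $DsqueryOutput
    if ($schema -lt $RequiredSchema) { $problems += "schema version $schema is below $RequiredSchema" }
    $roles = Get-FsmoHolders $NetdomOutput
    if ($roles.Count -ne 5) { $problems += "expected 5 FSMO roles, parsed $($roles.Count)" }
    foreach ($role in $roles.Keys) {
        if ($roles[$role] -ne $NewDc) { $problems += "$role is still held by $($roles[$role])" }
    }
    return ,$problems   # comma keeps the result an array even when it is empty
}

# Constructed sample output. On a live DC capture the real output instead:
#   $dsq = dsquery * 'cn=schema,cn=configuration,dc=domainname,dc=local' -scope base -attr objectVersion
#   $net = netdom query fsmo
$dsq = @('  objectVersion', '  47')
$net = @(
    'Schema master               DC2008.domainname.local',
    'Domain naming master        DC2008.domainname.local',
    'PDC                         DC2003.domainname.local',
    'RID pool manager            DC2008.domainname.local',
    'Infrastructure master       DC2008.domainname.local',
    'The command completed successfully.'
)
$result = Test-ReadyToDemote $dsq $net
if ($result.Count -eq 0) { 'OK: schema and FSMO checks passed' } else { $result }
```

The distinguished name is quoted in the PowerShell call because unquoted commas would be split into separate arguments; in cmd.exe the article's unquoted form works as written.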

Demoting the old DC (if needed)

- reconfigure your clients/servers so that they no longer point to the old DC/DNS server on the NIC

- to be sure that everything runs fine, disconnect the old DC from the network and check connectivity and logon with clients and servers, and also restart one client to see that everything is ok

- then run dcpromo to demote the old DC. If it works fine, the machine will move from the DC’s OU to the computers container, where you can delete it by hand. If you get an error at the beginning of the demotion, uncheck the Global catalog on that DC and try again

- check the DNS management console that all entries from the machine have disappeared, or delete them by hand if the machine is off the network forever

- also you have to start AD Sites and Services and delete the old server name under the site, this will not be done during demotion

9 Responses to “Upgrading an Active Directory Domain from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2”

# Master Tech on 18 Feb 2011 at 15:44

Hi MWeber
Great article that I just used and upgraded my network from 2003 to 2008
R2. One thing, I followed your instructions to the “T” but didn’t know that
time.windows.com is no longer a good url for a time server. But I see you
now have other articles about that subject that state to use pool.ntp.org. So I
got that little problem fixed.
I think I’m going to have to start reading all of your articles!!!
Thanks a $1,000,000.

# kedir on 11 Mar 2013 at 07:43

nice

# Jeff on 04 Apr 2013 at 16:46

This guide is worth a million for sure…a pure lifesaver just to make sure
nothing is missed. I couldn’t thank you more for writing it. Many thanks!

# Jude on 05 Apr 2013 at 07:43

This is excellent – thank you! I have successfully added my 2008 domain
controller to my environment (2003 domain controller). Eventually I will
transfer the FSMO roles to the 2008 server, but to begin with I only added the
ADDS roles. My question is should I wait until I’m ready to transfer FSMO
roles to add other server roles like ADFS, ADLDS, ADRMS etc?
Thanks very much!

# Smithg76 on 24 May 2014 at 21:43

Normally I do not read post on blogs, but I wish to say that this writeup very
compelled me to try and do it! Your writing style has been surprised me.
Thanks, quite great article. caeeddegfdfkdebf
