Post migrated to: http://kpytko.pl/active-directory-domain-services/adding-first-windows-server-2008-r2-domain-controller-within-windows-2003-network/
I’d like to know how to add the first Windows Server 2008 R2 Domain Controller within a Windows 2008 network.
Thank you very much for this guide – I have used it from start to finish and it has been incredibly detailed and helpful. A big thank you for all the screen captures and time you have taken to put this together!
Thank you very much. This guide helped me so much.
Thank you for posting this guide. You cut to the steps I needed.
Thank you so much for the guide 😀
You’re welcome 🙂 and thank you for reading my blog
Really helpful, I had a few errors along the way that I had to solve, but your guide worked great.
Thank you! Glad you could solve your issue and I hope that my article was somehow useful to you
Once I have done the above, how do I retire the original 2003 DC? Great instructions. Thank you
Thank you! I’m glad it could help you.
If you want to decommission the old 2003 Domain Controller, you first need to transfer the FSMO roles from it to the new box.
For that, please follow this article on my blog at
When you transfer the PDC Emulator role, you need to advertise the new time server in your forest. Follow Meinolf’s suggestions to do that:
[…] after transfer of the PDC Emulator role, configure the NEW PDC Emulator to an external time source and reconfigure the old PDC Emulator to use the domain hierarchy now. Therefore run on the NEW one “w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update”, where PEERS will be filled with the IP address or server name (time.windows.com), and on the OLD one run “w32tm /config /syncfromflags:domhier /reliable:no /update” and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes. […]
It is an extract from his blog at
Now, if you have done everything properly, just wait for AD replication between all Domain Controllers. When the AD data is replicated, you can start decommissioning the 2003 box. Please also follow an article on my blog at
and everything should be fine.
Note! Remember, if you had other roles installed on your 2003 server and you want to remove it permanently from the domain, you have to transfer them to other servers.
Extremely helpful info. Exactly what I was looking for. Thanks.
Great guide! Thank you so much!
Excellent technote. I had completed most of the tasks by searching through a lot of Microsoft technotes. If I had found this article first it would have saved me a lot of time. Thanks
I’m glad I could help somehow through this article 🙂
We have a single forest with 3 domains – US, Europe and Asia.
For the US and Europe domains, they already have Win 2008 R2 domains up and running. The forest DC is located in the US. Whereas for Asia, we only have 2 DCs on Windows 2003.
The current DNS is using AD integrated.
1) If I need to add a new DC with windows 2008 R2 on Asia domain with 2 DCs on windows 2003, do I need run the adprep preparation on schema master and infrastructure master? Note: The US and Europe in the same forest already have windows 2008 R2 domain running.
2) During the dcpromo, do I need to update the DNS with delegation?
The existing 2 DCs on Windows 2003 already have DNS running. Will dcpromo detect it and perform the necessary action?
So, I will try to briefly explain the necessary steps.
AD1) If you would like to add the first Windows Server 2008 R2 Domain Controller in the Asia domain, where you have only Windows Server 2003 DCs, you need to run
for 2003 64bit DC
or in case that 2003 DC is 32bit
on the Domain Controller holding the Infrastructure Master operations master role for the Asia domain. To identify which DC holds that role, just log on to any DC in Asia and type at the command line
netdom query fsmo
You will see on which server you have to run the adprep command. Unfortunately, Windows Server 2003/2003 R2/2008/2008 R2 does not automatically detect the necessary operations master roles, that’s why you need to do that manually before you can start promoting the first Windows Server 2008 R2 DC in the Asia domain.
You may ask why? Because, as you know, we have 5 FSMO roles: 2 of them are forest-wide (Schema and Domain Naming) and 3 are domain-wide (PDC, RID, Infrastructure). Domain-wide roles mean that each domain in a forest has its own unique FSMO role holders. Schema and Domain Naming are common for every domain in a forest, but the rest are unique in each domain.
You mentioned that you ran adprep in US and Europe but not in Asia. What does it mean from administrative point of view?
When you ran adprep /forestprep in the US domain, you prepared (extended) the schema for new 2008 R2 DCs. The schema is unique per forest and the remaining domains just have a read-only copy for that operations master. All changes were replicated between all domains in the forest and the schema is unique in the forest, so there is no need to run adprep /forestprep in the remaining domains.
The additional adprep switch /domainprep is required in each domain of the forest in which you want to promote a new Windows Server 2008 R2 Domain Controller, because each domain has its own Infrastructure Master operations master role. You need to prepare your environment for those DCs in 2 stages:
– forest by extending schema
– domain by preparing each domain for new DCs by configuring Infrastructure Master
US and Europe have already run adprep /domainprep on their DC with the Infrastructure Master role. If nobody did that in Asia, you have to do it now, before you can continue. But don’t worry if you do not know whether it was done earlier. If not, you simply do it (during DC promotion you will be informed that your Infrastructure Master is not prepared); if it was done, you can simply run the command once again, it won’t un-adprep the environment. In this case, you should see a message that /domainprep is not necessary as it was performed before.
So, to summarize: adprep /domainprep is required in every domain (in which you want to introduce the new DC) on the Infrastructure Master, but adprep /forestprep is required only once per forest, on the Schema Master.
AD2) Regarding your existing DNS servers, the shortest answer is no 🙂 Why? Because your AD-integrated (AD-I) DNS zones already exist and you are not creating any new ones. You are simply introducing a new DC with the DNS role. AD-I zones are automatically replicated to all Domain Controllers with the DNS role installed (if you started from 2003 DCs, or when you changed that after removing the Windows Server 2000 DCs, in whose time AD-I zones were replicated to all DCs). All defined delegations are preserved, don’t worry, you don’t have to do anything else, unless you define a new DNS zone namespace (by adding it in DNS or by adding an additional domain).
If I could recommend you something, I strongly encourage you to configure your new Windows Server 2008 R2 Domain Controllers in the Asia domain as DNS servers and also as Global Catalogs.
I hope I could help you somehow and you will be able to introduce 2008 R2 DCs in the Asia domain.
Thanks for the reply. Do we have to install the Active Directory Domain Services role first?
I have installed that, but I found that the Active Directory Domain Services, Intersite Messaging and Kerberos Key Distribution Center services are not started?
Do I need to dcpromo first? Thanks.
No problem, you’re welcome 🙂
No, you don’t have to install the AD DS role first (but you can if you wish). The most important part is running dcpromo. It installs the AD DS role itself (if it is not present) and then starts promoting the server to a Domain Controller. But remember, if you install the AD DS role yourself, you still need to use dcpromo to properly promote the server to a DC.
Thank you very much. I have managed to get it work. Great guide.
No problem, I’m glad I could help. Thank you for reading my blog
Can I use the same ip address which you mentioned in your Network Card settings? My ISP is providing me dynamic IP. I am not sure about the static IP address.
Yes, of course you can also use the same static IP I used in my article. But everything depends on your scenario 🙂
Please tell me more about what you want to do. A public IP address for Domain Controller(s) is not a good idea for security reasons :]
If you are playing with virtualization software like VMware, Hyper-V or others like Oracle VirtualBox, you can use any IP address. Everything depends on your virtual network card configuration.
A public IP address should be set up only on your edge router, on which you have configured NAT and/or port forwarding/redirection. Domain Controllers should always use an internal IP range to disallow accessing them from the Internet.
Could you write something more about your case, please? I will try to help you set up an environment.
Thank you very much for your quick reply. 🙂
I am using Windows Server 2008 R2 only for learning purposes. I have already installed VMware Workstation 9.0 on my PC. I will use the same IP address as in your article and I will post the result soon.
When I run dcpromo it shows me the following error:
An Active Directory domain controller for the domain “testenv.local” could not be contacted.
Ensure that the DNS domain name is typed correctly.
If the name is correct, then click Details for troubleshooting information.
After I installed Windows Server 2008 R2, I ran “dcpromo”, but before that I changed the IP address according to the article inside
Internet Protocol Version 4 (TCP/IPv4) properties —-> (under the VMware control panel)
Can you tell me please what kind of virtual network card you have used for that VM?
I would suggest using a “Host-only” vNIC and then trying again. Of course, revert the settings you changed in the VMware Control Panel.
A very important part for the first Domain Controller is setting up only one DNS server, with the 127.0.0.1 IP address
After that, please try to promote the server as a DC again.
In case of any further issue, please let me know. We will try to fix that 🙂
We are looking at introducing our first Windows 2008 DC into an existing Windows 2003 AD infrastructure. I am comfortable with everything you have listed here (great guide, and it tallies with other sources I have used and my own testing/experience).
I have a query with regards to changing the DHCP scopes for each scope to point to the new IP of the Windows 2008 DC.
We have multiple scopes (150+). Is there any way of changing Option 006 (DNS) to the new IP of the Windows 2008 DC?
or would it be better to:
1. transfer fsmo roles to new windows 2008 domain controller(s)
2. change the IP of the existing DHCP server (eek) and at the same time change the IP of the Windows 2008 DHCP server to the previous 2003 DHCP server’s.
Thank you for reading an article on my blog and for the nice words 🙂
Going back to your question. Yes, it is possible to change an option without manually changing each scope. For that you may use the Windows netsh command-line tool.
However, it is much simpler to migrate the 2003 DHCP database to the new 2008 DHCP server using the dump option. This exports all current DHCP configuration from the 2003 server into a plain text file. You may simply remove/modify options there and import it on your new DHCP server.
So, modify optionvalue 006 or 6 (depending on how it gets exported), modify the server name from the old one to the new one and import the config file on your new DHCP server using netsh exec.
Here you can find an MS article for that (use the second option, with dump)
One more important thing. On your new DHCP server, on the IPv4 “Advanced” tab, set Conflict Detection Attempts to 2-3.
This will prevent the server from issuing IP addresses already in use in your network (mostly, turned-off devices would be treated as if their IP were released) and IP conflicts should not arise.
If you have more questions, do not hesitate to ask
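The dump-and-rewrite approach above is easy to get subtly wrong on 150+ scopes (option 006 may be exported as "006" or "6", and every line carries the old server name). The script below is an added example, not code from the original post or from the blog author: it rewrites a netsh dhcp server dump so every option 006 value is mapped from the old DC addresses to the new ones and the server name is retargeted, and it reports any DNS address it did not recognise (a scope still handing out an ISP or public resolver to domain members is worth catching before import). The server names DHCP2003/DHCP2008, the addresses, and the dump lines in SAMPLE_DUMP are constructed for illustration; compare the regex against your own dump before trusting it.

```python
"""Rewrite a `netsh dhcp server dump` export for migration to a new DHCP server.

Added example (not code from the original post). Intended flow:
  netsh dhcp server \\DHCP2003 dump > dhcp2003.txt      (on the old server)
  python rewrite_dhcp_dump.py dhcp2003.txt > dhcp2008.txt
  netsh exec dhcp2008.txt                                (on the new server)
The lines in SAMPLE_DUMP are constructed for illustration; the real layout
can differ slightly (e.g. option "006" vs "6"), so diff against your own dump.
"""
import re
import sys
from typing import Dict, List, Tuple

# Hypothetical names/addresses, assumed for the example only.
OLD_SERVER = "DHCP2003"
NEW_SERVER = "DHCP2008"
DNS_MAP = {"10.0.0.10": "10.0.0.20",   # old 2003 DC -> new 2008 R2 DC
           "10.0.0.11": "10.0.0.21"}

SAMPLE_DUMP = r"""# ==================================================
# DHCP Server Configuration (constructed sample)
# ==================================================
Dhcp Server \\DHCP2003 add scope 10.0.0.0 255.255.255.0 "Office" "Main office LAN"
Dhcp Server \\DHCP2003 Scope 10.0.0.0 set state 1
Dhcp Server \\DHCP2003 Scope 10.0.0.0 add iprange 10.0.0.100 10.0.0.200
Dhcp Server \\DHCP2003 Scope 10.0.0.0 set optionvalue 003 IPADDRESS "10.0.0.1"
Dhcp Server \\DHCP2003 Scope 10.0.0.0 set optionvalue 006 IPADDRESS "10.0.0.10" "10.0.0.11"
Dhcp Server \\DHCP2003 add scope 10.0.1.0 255.255.255.0 "Warehouse" ""
Dhcp Server \\DHCP2003 Scope 10.0.1.0 set state 1
Dhcp Server \\DHCP2003 Scope 10.0.1.0 set optionvalue 6 IPADDRESS "10.0.0.10" "8.8.8.8"
Dhcp Server \\DHCP2003 set optionvalue 006 IPADDRESS "10.0.0.10"
"""

# Option 006 (DNS servers) lines, scope-level or server-level, "006" or "6".
OPTION6_RE = re.compile(
    r'^(?P<head>.*\bset\s+optionvalue\s+0*6\s+IPADDRESS\b)(?P<vals>(?:\s+"[^"]*")+)\s*$',
    re.IGNORECASE)
QUOTED_RE = re.compile(r'"([^"]*)"')


def map_dns(values: List[str], dns_map: Dict[str, str]) -> List[str]:
    """Translate each DNS address via dns_map; drop duplicates, keep order."""
    out: List[str] = []
    for v in values:
        nv = dns_map.get(v, v)
        if nv not in out:
            out.append(nv)
    return out


def rewrite_dump(dump: str, old_server: str, new_server: str,
                 dns_map: Dict[str, str]) -> Tuple[str, List[int], List[str]]:
    """Return (new dump text, 1-based line numbers whose option 006 changed,
    DNS addresses that were not in dns_map).

    Unmapped addresses are kept as they are but reported, so an admin can
    review them before import instead of silently shipping them to clients.
    """
    server_re = re.compile(r'\\\\' + re.escape(old_server) + r'\b', re.IGNORECASE)
    out, changed, unmapped = [], [], set()
    for lineno, line in enumerate(dump.splitlines(), 1):
        # Every command line names the server, so retarget it to the new host first.
        line = server_re.sub(lambda _m: '\\\\' + new_server, line)
        m = OPTION6_RE.match(line)
        if m:
            old_vals = QUOTED_RE.findall(m.group('vals'))
            new_vals = map_dns(old_vals, dns_map)
            unmapped.update(v for v in old_vals if v not in dns_map)
            if new_vals != old_vals:
                changed.append(lineno)
            line = m.group('head') + ''.join(f' "{v}"' for v in new_vals)
        out.append(line)
    return '\n'.join(out) + '\n', changed, sorted(unmapped)


def main(argv: List[str]) -> int:
    # A real dump redirected from cmd.exe may not be UTF-8; replace rather than crash.
    text = open(argv[1], errors='replace').read() if len(argv) > 1 else SAMPLE_DUMP
    new_text, changed, unmapped = rewrite_dump(text, OLD_SERVER, NEW_SERVER, DNS_MAP)
    sys.stdout.write(new_text)
    print(f"# option 006 rewritten on lines {changed}; unmapped DNS addresses: {unmapped}",
          file=sys.stderr)
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

On the sample, the two scope-level lines and the server-level option are rewritten to 10.0.0.20/10.0.0.21 and "8.8.8.8" is reported as unmapped; the option 003 (router) line is left alone. Review the stderr report before running netsh exec on the new server.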
Hi, we have one server running Windows 2003 Standard Edition in my Bangkok office, subnet 10.0.0.xx, and recently we purchased a new server in Singapore running Windows 2008 Foundation R2, subnet 192.168.1.x.
We have employees in both Bangkok and Singapore office.
IPsec VPN was configured on our firewall, so right now both my Bangkok and Singapore offices are able to connect to each other directly without a manual VPN.
A couple of questions and hope you can advise:
1) Is it okay for Windows Server 2003 to act as the main DC while Windows Server 2008 R2 acts as a backup domain controller? What kind of impact will it have?
2) My boss would like my Singapore server to act as a backup domain controller. Is it the same method to use for a backup domain controller? If not, which steps need to be edited? Please advise.
3) Once I raise the domain functional level, do I need to run adprep /forestprep and adprep /domainprep on the Windows Server 2003, or should I just run these commands on my new Windows 2008 R2 server, or both?
4) When configuring the DNS, should the DNS point to the Windows Server 2003 in Bangkok or the new Windows Server 2008?
Thanks for your time, and your instructions are great!
Unfortunately, you cannot use Windows Server 2003 as the FSMO role holder with Windows Server 2008 R2 Foundation, as this is not a supported scenario. The 2008 R2 Foundation Domain Controller must be at the top of the forest configuration and it must hold all FSMO roles. Otherwise, you would notice periodic server reboots (every hour). For more about that, please read the Microsoft article on TechNet at http://technet.microsoft.com/en-us/library/dd744832%28v=ws.10%29.aspx
I hope this clarifies the case.
Hi Krzysztof, sorry it is me again..
Since my Bangkok IP starts with 10.0.0.xx and my Singapore internal IP is 192.168.1.x, do I need to set my IP as 10.0.0.xx in my Singapore office? Will it make any difference if it remains as it is?
Also, on the DHCP, do I need to export the DHCP files from my Bangkok server to my Singapore server?
Apologise for troubling you.
Hi Shawn again 🙂
No, you don’t have to use the same IP scheme for both locations. Just ensure that your routing is configured properly and these 2 locations can see each other. I would leave it as it is and, in the case of the same domain, I would define separate Sites and Subnets for them. More about Sites, Site Links and Subnets in the Microsoft article at http://technet.microsoft.com/en-us/library/cc754697%28v=ws.10%29.aspx
You don’t have to move the DHCP server from one location to another. You are able to run 2 DHCP servers, one per Site, with appropriate scope(s) configuration.
But remember (as I wrote in my previous answer), you cannot run 2003 and 2008 R2 Foundation in the mentioned configuration. That’s the limitation of the Foundation version of Windows. You need to buy at least Standard to accomplish your scenario.
Thanks Krzysztof, I would like to know the reason why the Foundation version limits my scenario. Pardon me for my ignorance. You mentioned that the Foundation 2008 must be at the top of the forest and hold all FSMO roles. I read the link you gave (thanks a lot :) but I still do not understand what limits the Foundation version, other than that it can only support 15 AD users. And why do I need at least Standard 2008 to meet my scenario?
You are a great IT guru! 🙂
Shawn, this is all about money 🙂
Foundation is much cheaper than the Standard Windows Server version. If you were able to simply switch FSMO roles from a Foundation DC to a Standard DC, then the 15-user limit would be deactivated and you would no longer be limited in the number of users 🙂 That’s why Microsoft disallowed that. When the FSMO roles are on a Foundation DC, then you are still limited to 15 users in your domain environment. Of course, you can add additional DCs for redundancy, but those roles must be held on the Foundation DC to keep the limits.
This is the same for the Small Business Server (SBS) edition. They are cheaper than the “higher” Windows editions and SBS offers more features, like Exchange and SQL, which you need to buy separately for Standard and other Windows versions.
That’s reasonable, because otherwise you would be able to buy one more expensive OS (i.e. Standard) and then use only Foundation servers 🙂 Microsoft does not agree to that and you need to accept the terms of usage. Thanks to that, you may buy a cheaper and legal OS for your institution.
I hope it’s much clearer now 🙂
Hi Krzysztof, thanks for the explanation… So am I right to say that because Foundation 2008 is limited to 15 AD users, in this case my scenario is not going to work?
So adding a DC on a new 2008 server means that all the Active Directory on the main server will be imported to the new server as well?
Also, we will need to set up this new server for a website, applications and SQL. Will there be any problem doing so?
Thanks for your time.
Yes, you’re right. The Foundation version limits you to a maximum of 15 users, and when you combine these DCs into one domain, the AD database will be replicated between them. All the same configuration is then available on both DCs. But you have to have all FSMO roles on the Foundation DC to prevent server restarts.
As for the next question about other roles, I would not put them on any DC. If possible, just use a dedicated server for that. It is not a good idea to put roles other than AD and DNS on a DC. This might be a security issue or it might cause other potential issues. Microsoft does not recommend using a DC as another (i.e. application) server. You would have much more work when you put IIS and SQL on your DC. My suggestion is to have a separate server for that 🙂
I hope you choose the right direction and convince your boss to buy another piece of HW or create a VM for IIS and SQL 😉
PS. Shawn, thank you for your kind words 😀
Hi Krzysztof, if that is the case, what is your advice and recommendation (other than upgrading to Windows Server 2008 Standard)? 🙂
We intend to set up a business continuity plan in case either of our offices is shut down due to riot, fire etc. and users have to work from home to connect to our server. We also need to ensure our website/database is up when clients/users connect to them.
We want each server to be like a mirror of the other, so in case of any outbreak, we can switch our DNS to point to the other server.
We are only using IIS and SQL Server on the server. I am more concerned with getting our website and database online ASAP in case any of these events occur.
Thanks for your precious advice and God bless your family. 🙂
Have you considered using NLB or clustering for that purpose? You would be able to split cluster nodes between server room locations to prevent a single point of failure. However, you need to remember that moving resources between locations might require a faster WAN link speed to allow fast resource movement, and this link must be reliable.
Your blog has very good information.
I want some more information. I want to set up a child domain in an existing forest with only the first root domain controller. (All are Windows Server 2008 R2 servers)
I wanted to know the pre-requisites for the below.
1. Network configuration settings for the primary DC and the new server where I want to install the child domain
2. Do I need to join the new server to the domain before I can install the child domain?
3. Do I need to have the domain functional level at 2008 R2 or 2003?
4. Can I have the firewalls enabled on the primary DC and the new server?
thank you! 🙂
Regarding your case:
AD1) Network configuration settings on your existing DC in the existing domain should not be changed at all. Your new server for the new domain should have its own IP address, and you should configure only the primary DNS server for it, pointing to the DNS server in the forest root domain (the existing AD/DNS server) only.
AD2) No, you do not have to join the server to the domain first. Right after the NIC configuration, run dcpromo to initialize the server promotion.
Important! You need an Enterprise Administrator account to do that, as you are creating a new domain.
AD3) The Domain Functional Level of the new domain depends on your current Forest Functional Level. The FFL determines the lowest possible DFL, so you need to check that first. You may check an article about Domain and Forest Functional Levels on my blog
AD4) I would deactivate the Windows firewall for that and use only the physical one, but normally you don’t have to worry, as the necessary ports should already be opened. However, you need to verify that your physical firewall allows these ports
Thank you, I never knew about the last step of adding your server as a dns server
You’re welcome 🙂 I’m glad I could help!
Hi Krzysztof, it is me again… If we upgrade from Windows Foundation 2008 R2 to Windows Standard 2012 R2, is there any direct upgrade or do we have to start/install from scratch? Thanks for your time, my friend. Take care and wish you a blessed Xmas
Unfortunately, you cannot do an in-place upgrade from 2008 R2 Foundation to Windows Server 2012. However, I would not recommend doing any in-place upgrades, as they may cause some issues later. It is always better (if possible) to have a clean installation and, after all, data migration. That’s a much safer option.
You take care too, and merry X-mas to you too
You are incredible!!! Thanks for your guide and detailed explanation of everything!!!
I appreciate your perfect job and help!!!
Hi iSiek, thanks for your great advice and insights.
A bit sidetracked… I would like my server to have multiple names/NetBIOS names. I read that there are ways to do so by editing the registry and adding a CNAME on the DNS server. Not sure what your opinion is, or if you have any better advice on this?
So when I enter my server name, either ‘td-sg’ or ‘td-bkk’, internally, it will direct to my server.
If you can show me the steps, that would be good. 🙂
Merry Xmas my friend. If you come to Singapore one day I will treat you to a good meal. 🙂
Sorry for the delayed answer, I was busy.
Yes, it is a good idea to use more host names (A) or aliases (CNAME) for your server. It is much easier to manage resources that way. You may also consider using a separate IP address per resource on that server and putting it into the NIC’s configuration. When you move a resource to another server, you may simply migrate its IP address too.
However, if you wish to use multiple CNAME or A records, you need to make a simple registry modification. You have to disable DisableStrictNameChecking in the registry.
Please follow this MS guide at http://technet.microsoft.com/en-us/library/ff660057%28v=ws.10%29.aspx and everything will be fine.
Late Merry Christmas to you too and Happy New Year 🙂
The same to you, when you visit Wroclaw in Poland, just let me know 😀
Hello friends, good piece of writing and pleasant urging commented at this place, I am genuinely enjoying by
Thank you for visiting my blog.
Happy New Year!
I was excited to find this website. I need to thank you for your time for this particularly wonderful read!! I definitely savored every bit of it and I have you bookmarked to see new information on your website.
Thank you very much for reading my blog and for being a part of it!
I’m working on new posts and I hope that they will be published soon.
Happy New Year!
I am a regular visitor, how are you everybody?
This article posted at this site is really nice.
Thank you very much!
I am sorry to sidetrack the title of this blog, but I really need your expertise and advice on this.
We have bought a Hyper-V Dell server and set up 2 VMs on this machine.
Everything works fine, except that when I log in using the domain administrator via RDP to these 2 VMs, it takes 2 mins to log in (waiting at “Welcome”).
Logging in locally takes only 10 secs.
I have tried to find answers on this, however with no results. These 2 VMs were newly installed and not much software has been installed.
can you please advise?
Most issues with logins are DNS related. I would ensure you are not using ISP DNS and ensure that your VMs are pointing to the domain controller(s) IP addresses.
If these are OK, have a look at the user profiles of the accounts you are logging in with: are the paths accessible and do they have the correct permissions?
Is there a locally cached profile, or is this being deleted so it is having to create a new profile at each login (this will take a minute or two)?
Thank you for your valuable comment on my blog!
Check the DNS of the servers you are logging into; ensure it points to the domain controllers’ IPs
Check the profile path of the user accounts and the permissions of the profiles, if any
Thank you for your comment once again 🙂
Hey, I would like to ask: I have 1 primary domain controller (W2k3) and a secondary domain controller (W2k3). If I have already done adprep32 /forestprep and /gpprep on the primary domain controller, I would be able to add Windows 2008 Standard 64-bit as a backup domain controller and decommission the W2k3 domain controller. Right? Any concern with a W2k3 as primary DC and a Windows 2008 Standard backup domain controller?
Yes, you are right. When you use adprep32 from your Windows Server 2008 DVD, you will be able to promote your first Windows Server 2008 Domain Controller. There is no known issue with concurrent Windows Server 2003 and 2008 Domain Controllers. I would only recommend transferring all FSMO roles from the 2003 DC to Windows Server 2008, as it is Microsoft best practice to hold FSMO roles on the DC with the newest operating system.
When you transfer the PDC Emulator role to another DC, you also need to advertise the new time server in your forest/domain.
Please refer to these MS articles
I’m having an error on the DNS server on my secondary domain controller. Using nslookup on my primary domain controller, it displays ****Cannot find server name for address 10.200.10.xxx: Non-existent domain.
But on my secondary domain controller, using nslookup -> name, it displays my primary domain controller with its address.
DNS request timed out (was 2 sec)
Request to primary domain timed out
Please note I have done the adprep /forestprep and gpprep from your article; I have yet to add the Windows 2008 R2 to my domain.
What is wrong?
Hm, looks strange. Have you run the dcdiag tool before you started? If not, please run it on your Domain Controller at the command line
dcdiag /e /c /v /f:c:\dcdiag.log
and review the output file for errors. If you have too many DCs in your domain environment, please skip the /e switch.
Additionally, can you tell me please how you configured the DNS settings on those machines in the NIC properties?
Thank you in advance
Great Article …..Thanks
It’s OK now. I have added a reverse PTR for my secondary domain controller. I wonder why it disappeared.
Extremely useful information, sir, thank you very much.
Thank you! (teşekkür ederim)
After I initially commented I appear to have clicked on the “Notify me when new comments are added” checkbox and now each time a comment is added I receive four emails with the exact same comment. There has to be a way you are able to remove me from that service? Appreciate it!
I’m sorry, but I also could not find any option to unsubscribe you from receiving new comments on this post
Greetings from Australia 🙂
This is the exact guide I was looking for. I have got a Windows 2003 infrastructure and I am planning to introduce Windows 2008 R2 as a backup domain controller to provide redundancy. Thanks for your great work.
Just to clarify, in case my primary 2003 DC goes offline, the new 2008 DC will provide redundancy for my network, is that right?
I plan to retire the primary 2003 DC at a later stage though.
Thanks heaps again
In the Windows Server 2008 R2 installation process I am getting the error
“To install a domain controller in this Active Directory domain, you must first prepare the domain using “adprep /domainprep””
What have I missed here? I did everything according to the guide, including adprep32 /forestprep.
I will Google for some help while you get back to me
I found it. As usual, I had missed the Infrastructure Master update on Server 2003 and there is no error anymore.
Great! I’m glad you found this issue 🙂
I’m sorry for the delayed answer, but I was really busy and could not participate in the life of the community.
I have two Windows 2003 DCs (primary and secondary) in my network. I would like to migrate to Windows 2008 DCs on new hardware and remove the old 2003 servers, but most importantly I would like to keep the same IP addresses for the DCs. May I know the migration procedure for that?
Thanks for your support.
Yes, of course you can 🙂 This requires a little bit more work, but it is possible.
First of all, you need to deploy Windows Server 2008/2008 R2 Domain Controllers with new names and new IP addresses (you may find an article for that process on my blog).
At this point it is really important to install DNS services on both DCs and make them Global Catalogs too.
After all that, you have to transfer the FSMO roles to the new DC, advertise the new time server in your forest/domain, wait for replication and decommission those old Windows Server 2003 DCs. Uninstall DNS services from them as well.
When you are sure that replication took place, please ensure that your new DCs have DNS settings configured properly under the NIC’s properties. They should point to the new DNS servers only!
Now, you may start decommissioning the old Domain Controllers. After that, change the IP address on the first Windows Server 2008/2008 R2 Domain Controller and open an elevated command line. Type the commands below to refresh your DNS configuration for the DC changes:
net stop netlogon
net start netlogon
or, instead of using the net stop and net start commands, reboot your Domain Controller. Check that communication between your DCs is working fine, then verify replication. When you have no issues, you may start the same procedure for the next Windows Server 2008/2008 R2 Domain Controller.
If you have any other questions, do not hesitate to ask me
We have 3 DCs, 2 running Win2008R2 and the 3rd running Win2003, so the functional level is Win2003 with one of the 2008R2 servers as “master”. My question is, can the existing 2008R2 servers be upgraded/configured as 2008R2 DCs and then the bits upgraded on the 2003 system? Or is it necessary and/or safer to build new 2008R2 systems and add them in? I’d like to retain the current IP addresses of the existing DCs.
Great write up, I plan to use it for the upgrade process.
Thanks in advance.
Thank you for your question. As long as your Windows Server 2003 servers are 32-bit OSes, you are not able to perform an in-place upgrade. This option is only supported on 64-bit OSes, because Windows Server 2008 R2 is a 64-bit only OS.
And I recommend always installing a clean server/virtual machine and then promoting it as a Domain Controller. Remember, doing an in-place upgrade does not do a clean install; all other data is still on your HDD. All installed applications are also there, so it might mess up your in-place upgrade installation. In case of some issues there might be some difficulty troubleshooting the server.
So, I would strongly suggest performing clean server installations.
Thanks very much, Krzysztof!! Appreciate the advice greatly!
What about decommissioning the old Win2k3 BDC and removing the hardware, and then adding a Win2k8 system with the same name and IP address and promoting it to a Domain Controller? This way we do not need to do all of the above?
Hope this will work.
perfect guide, great job
thank you very much.
Well, thanks for your guide. I have Server 2003 SP2 which is 32-bit. I need to upgrade to Server 2008 R2 64-bit, and if possible 2012 64-bit.
Is it possible to do an in-house upgrade considering the 32-bit and 64-bit variation?
If not, what procedures should I follow?
Unfortunately, you cannot do an in-place upgrade because this is not supported in this scenario. You cannot do that on a 32-bit OS. Windows Server 2008 R2 and Windows Server 2012 are 64-bit only Operating Systems. So, if you wish to use the in-place upgrade option, you need to do that on earlier 64-bit OSes. However, I would not recommend doing this kind of upgrade. It’s always better to do a clean install and promote a new DC. You may save a lot of time in the future in case of any issue(s).
If you plan to introduce Windows Server 2012 Domain Controller(s), you are able to skip introducing Windows Server 2008 R2 DC(s). With Windows Server 2003 DCs (the Domain Functional Level must be raised to Windows Server 2003 mode) you can do that directly to promote a 2012 DC, and it’s a much more convenient method than going to 2008 R2 and after that to 2012.
I have an existing Windows 2003 Standard AD infrastructure. The environment has two servers, DC2 (FSMO\DNS\DHCP) and DC1 (Exchange Server). I also removed an old orphaned Domain Controller (DC3). I followed your instructions and introduced a Windows Server 2008 Enterprise DC (DC2008) within my Windows 2003 network and everything completed successfully.
Some of the issues I have are as follows:
1. When I force replication via AD Sites & Services I get access denied (from DC2 and DC2008)
2. Sometimes I can log on to DC2 and DC1 because of time clock conflict.
3. I can access the shared folders on both servers from DC 2008 but when I try from DC2 and DC1 access is denied.
4. On my DC2008 server when I try to turn on network discovery it’s not working.
Let me know your thoughts.
Thanks in advance,
OK, it looks like some issue arose during the promotion of your 2008 Domain Controller. It would be hard to resolve the issue without some additional diagnostic tools. Could you run the commands below in the command line on your DCs, please? Send the output to my mail: kpytko at go2 dot pl. I will try to analyze those logs and will try to help you.
On DC1 type:
netdom query fsmo >c:\fsmo.log
ipconfig /all >c:\dc1_ipconf.log
dcdiag /e /c /v /f:c:\dc1_diag.log
repadmin /showrepl /intersite /all /verbose >c:\dc1_rep.log
repadmin /replsummary >c:\dc1_replsum.log
On DC2 type:
ipconfig /all >c:\dc2_ipconf.log
dcdiag /e /c /v /f:c:\dc2_diag.log
repadmin /showrepl /intersite /all /verbose >c:\dc2_rep.log
repadmin /replsummary >c:\dc2_replsum.log
When we have gathered all those logs, we can try to start solving the issue.
Thank you in advance and regards,
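The log collection the reply above asks for, wrapped into one script so it can be run the same way on every DC and the replication failures stand out without reading the verbose output. This is an added example, not code from the blog post or its author; it assumes the AD DS tools (netdom, dcdiag, repadmin) are installed, an elevated PowerShell session on the DC, and an output folder of C:\ADDiag (both assumptions, adjust as needed). The repadmin /csv switch and its column names are repadmin's own; everything else is constructed for this example.

```powershell
# Added example (not from the blog post): gather the diagnostics listed in the reply
# into a timestamped folder on the local DC and summarise replication failures.
# Assumptions: AD DS tools installed, elevated session, output root C:\ADDiag.
param(
    [string]$OutputRoot = 'C:\ADDiag'   # assumed location; change to suit
)

$dcName = $env:COMPUTERNAME
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$folder = Join-Path $OutputRoot "$dcName-$stamp"
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# The same tools and switches the reply lists; each output goes to its own file.
netdom query fsmo                           | Out-File (Join-Path $folder 'fsmo.log')
ipconfig /all                               | Out-File (Join-Path $folder 'ipconf.log')
$diagLog = Join-Path $folder 'diag.log'
dcdiag /e /c /v "/f:$diagLog"               | Out-Null
repadmin /showrepl /intersite /all /verbose | Out-File (Join-Path $folder 'rep.log')
repadmin /replsummary                       | Out-File (Join-Path $folder 'replsum.log')

# Extra step beyond the reply: repadmin can emit one CSV row per partner and naming
# context, which makes it easy to list only the links that are actually failing.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$rows | Export-Csv (Join-Path $folder 'showrepl.csv') -NoTypeInformation

$failing = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
if ($failing.Count -gt 0) {
    Write-Warning "$($failing.Count) replication link(s) report failures on $dcName:"
    $failing |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    Write-Host "No replication failures reported by repadmin on $dcName."
}

Write-Host "Logs written to $folder"
```

Run it once per Domain Controller and compare the showrepl.csv files: a link that fails in one direction only (the "access denied" in the question above) shows up as a non-zero failure count on the destination DC's row, with the Last Failure Status column giving the Win32 error code to look up.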
I have new scenario that I want to implement. Appreciate your advice.
I have a DC running in the cloud (remote data center). I need to set up an on-site domain controller to synchronize with the remote DC in the cloud, so the on-premise domain controller acts as a backup/additional domain controller.
Have you done anything similar to my requirement? I mean specifically integration of on-premise with a cloud environment.
Thank you for writing to me. I’m sorry, I haven’t done a similar case, so I would not be able to help you.
However, some security issues may arise, so please carefully plan this environment. While your cloud DC is available on the Internet, maybe you should consider using a Windows Server 2008/2008 R2/2012 Read-Only Domain Controller (the core version is more secure) in your DMZ? That would be a better solution than placing a standard read/write DC. You need to remember that you still require some AD-related ports to be opened on your firewall(s).
If you’re interested in operating this way, we may try to prepare some guide for this scenario.
It’s really a good article…
I myself have some doubts. We have 10 ADCs (10 different areas) with 1 common PDC, all running on the Windows 2003 SP1 OS with forest functional level: Windows 2000 and domain functional level: Windows 2000 mixed.
Doubt 1: Is it possible to add a new Windows 2008 R2 server as a member in any ADC (different area level)?
Doubt 2: If I make the new ADC with Windows 2008 R2, then will it replicate with our common PDC?
Please help me.
Doubt 1) – As long as you do not promote this Windows Server 2008 R2 member server to a Domain Controller, then yes, you are able to have it added to your domain. Member servers are not affected by Forest or Domain Functional Level. You need to be aware that you won’t be able to fully manage Windows Server 2008 R2 over GPOs. There are many new policies related to 2008 R2 which are unavailable in Windows Server 2003.
Doubt 2) – First of all, to be able to promote your first Windows Server 2008 R2 Domain Controller, you need to raise the Domain Functional Level to Windows 2000 native mode. Domain Controllers based on Windows Server 2008 do not support NT4 domains. So, in your case, the DFL must be raised before you may promote the new DC. When you have prepared your environment and promoted 2008 R2 as a DC, then you need to keep an active connection between the Site in which it is placed and the other Site(s). Replication requires an active connection between the Site(s) where other Domain Controllers are running. For Active Directory replication it does not necessarily have to be the DC with FSMO roles (that’s why you probably said “PDC” 🙂 ). Any other DC would be enough.
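A read-only check of the prerequisites the reply describes (Domain Functional Level at least Windows 2000 native, schema extended by adprep) before anyone runs dcpromo on the first 2008 R2 box. This is an added example, not code from the blog post or its author. It uses ADSI only, so it runs from any domain-joined machine without the AD PowerShell module, which the 2003 DCs in the question do not have. The attribute names (msDS-Behavior-Version, ntMixedDomain, objectVersion) and the mapping of functional-level numbers and schema versions are Active Directory's own; the output wording and the thresholds are constructed for this example. The adprep /domainprep revision is read out raw, with no mapping attached, because that value is not given on this page.

```powershell
# Added example (not from the blog post): report DFL, FFL and schema version via ADSI
# and flag the two prerequisites the reply mentions before promoting a 2008 R2 DC.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = $rootDse.Properties['defaultNamingContext'].Value
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$schemaNC = $rootDse.Properties['schemaNamingContext'].Value

$domain     = [ADSI]"LDAP://$domainNC"
$partitions = [ADSI]"LDAP://CN=Partitions,$configNC"
$schema     = [ADSI]"LDAP://$schemaNC"

# msDS-Behavior-Version: on the domain head it is the Domain Functional Level,
# on CN=Partitions it is the Forest Functional Level. Value 0 is "Windows 2000";
# whether that is mixed or native mode is decided by ntMixedDomain (1 = mixed).
$levelNames = @{
    0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
}
$dfl      = [int]$domain.Properties['msDS-Behavior-Version'].Value
$ffl      = [int]$partitions.Properties['msDS-Behavior-Version'].Value
$mixed    = [int]$domain.Properties['ntMixedDomain'].Value
$schemaVer = [int]$schema.Properties['objectVersion'].Value

# Schema objectVersion written by adprep /forestprep: 30 = 2003, 31 = 2003 R2,
# 44 = 2008, 47 = 2008 R2, 56 = 2012.
$schemaNames = @{ 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2'; 56 = '2012' }

$dflText = $levelNames[$dfl]
if ($dfl -eq 0) { $dflText += $(if ($mixed -eq 1) { ' mixed' } else { ' native' }) }
Write-Host ("Domain Functional Level : {0} ({1})" -f $dfl, $dflText)
Write-Host ("Forest Functional Level : {0} ({1})" -f $ffl, $levelNames[$ffl])
Write-Host ("Schema objectVersion    : {0} ({1})" -f $schemaVer, $schemaNames[$schemaVer])

# adprep /domainprep records its work here; the raw revision is reported without
# interpretation because the expected number depends on the target OS release.
try {
    $dp = [ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC"
    Write-Host ("Domainprep revision     : {0}" -f $dp.Properties['revision'].Value)
} catch {
    Write-Warning 'DomainUpdates marker not found; adprep /domainprep has probably not run here.'
}

# The two prerequisites from the reply, as explicit checks.
if ($dfl -eq 0 -and $mixed -eq 1) {
    Write-Warning 'DFL is Windows 2000 mixed: raise it to at least Windows 2000 native before promoting a 2008 R2 DC.'
}
if ($schemaVer -lt 47) {
    Write-Warning 'Schema is below 47: run adprep /forestprep from the 2008 R2 media on the Schema Master first.'
}
```

Raising the functional level is an administrative change made in Active Directory Domains and Trusts; this script only reports, it never writes, so it is safe to run by anyone with ordinary read access to the directory.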
This is a fantastic blog. So concise and easy to follow. Thank you very much for taking the time to write and post it.
I’m hoping you can help me with a couple of queries regarding adding a 2008 R2 domain controller.
We have a 2003 Forest in which there are several domains. The schema level is at 47 so I assume the adprep /forestprep has been run at some stage.
I wish to add a 2008 R2 domain controller to one of the domains in the forest. I do not know if the Adprep /domainprep has been run on this domain.
This domain controller will eventually become the Operations master and another 2008 R2 domain controller will be added. Finally the old 2003 domain controllers (3 total) will be decommissioned.
So my questions:
i) Is there any harm in running Adprep /domainprep in the domain I wish to add the 2008 R2 domain controller?
ii) Will I require enterprise domain administrator permissions to run dcpromo or will domain administrator rights be sufficient?
iii) Would it make sense to add a 2012 domain controller instead?
Excellent article Krzysztof:
I’ve been chasing down a problem in our small environment and wanted to see if you could point me toward what I am missing.
We had two Win 2003 R2 domain controllers, one of which was also the Exchange 2003 server (traditionally, budget outweighs best practices).
An outside firm upgraded our exchange from 2003 to 2010 and introduced a new DC Win 2008 R2 standard (DC with FSMO roles and Exchange 2010)
The old DC/Exchange was demoted to member server. FSMO was moved from remaining Win 2003 R2 domain controller to new Win 2008 R2 Standard domain controller. DHCP is running from the remaining Win 03 R2 DC. Most operations coexist correctly. Mixed environment with 2 DC’s Win 2008 R2 Standard & Win 2003 R2 Enterprise.
Problem occurs when the former Domain Master (Win 03 R2) is undergoing maintenance and has to be rebooted, communication goes down in the network. Email becomes inaccessible on the other new Domain Master (Win 2008 R2 Standard). Remote access to the network goes down. We expect the new domain master (Win 2008 R2 Standard) would keep communications in place, while the former Master is down, but it does not.
One other communication symptom present is that on the Win 2008 R2 Standard domain controller, the Active Directory Administrative Center is unable to access the domain object in DNS. AD Sites & Services works fine on the 2008 R2 DC. AD Users & Computers works fine. But ADAC cannot access the object – the domain in active directory. This at one time was also working fine. Unable to find the cause. But shared it here as it is a symptom in the environment experiencing a communication issue.
Would appreciate any insight you can share.
An update on the issue I was experiencing. Activating DHCP on the new DC appears to have resolved the blackouts when the former Master is down for maintenance. Our upgrade left us with only one DHCP instance. Tom
Thank you very much, great guide
Perfect guide, thank you very much !!!
Thanks for the detailed guide.
I have successfully added my Windows Server 2008 R2 as a DC to my existing SBS 2003 network, and replication is occurring fine. I am planning on decommissioning the existing SBS in the future.
I have noticed one thing: it seems that the new 2008 R2 server is not authenticating logon requests. It always seems to be the SBS 2003 server that authenticates.
I am checking via the >echo %logonserver% command after a user logs in.
Any ideas as to why the new 2008 R2 server is never showing up in the command output? They can reach each other and they are resolving DNS queries fine on both servers.
Any ideas would be greatly appreciated. Thanks!
I’m really sorry for the delayed answer. A lot of work.
Is this case still valid or have you fixed that?
See KB247811 for further information on how domain controllers are located.
SBS servers should be FSMO holders and GC servers, but this shouldn’t impact DC locating.
Additionally, you could always temporarily remove the network cable from the SBS and log in to a client to see whether it locates the 2008 DC.
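A less disruptive way to answer the question above than unplugging the SBS box: ask the DC locator directly which DC it returns, check that every DC is actually advertising, and confirm the SRV records both DCs should have registered. This is an added example, not code from the blog post or its author; it assumes nltest and dcdiag are available on the machine it runs from (they are on a DC with the AD DS tools) and that it is run from a domain-joined machine as a domain user. The nltest and dcdiag switches are the tools' own; the function name and report layout are constructed for this example.

```powershell
# Added example (not from the blog post): find out which DC this session used,
# which DC the locator hands out now, and whether each DC advertises itself.
# Assumptions: nltest and dcdiag available, run from a domain-joined machine.
$domainName = $env:USERDNSDOMAIN

# What %logonserver% reports for this session (same value the comment checks).
Write-Host "Logon server for this session : $($env:LOGONSERVER.TrimStart('\'))"

# DC locator query with the cache ignored, so the answer reflects the current
# state rather than the DC that was picked at logon time.
Write-Host "`nnltest /dsgetdc:$domainName /force"
nltest "/dsgetdc:$domainName" /force

# Which DC the local machine's secure channel is bound to.
Write-Host "`nnltest /sc_query:$domainName"
nltest "/sc_query:$domainName"

# SRV records every DC registers; both DCs must appear here or clients
# cannot be expected to pick the newer one.
Write-Host "`nSRV records for _ldap._tcp.dc._msdcs.$domainName"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainName" 2>&1

function Test-DcAdvertising {
    # Runs dcdiag's Advertising test against each named DC. With /q dcdiag prints
    # only errors, so an empty result means the DC advertises normally.
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $errors = dcdiag "/s:$dc" /test:Advertising /q 2>&1
        if (-not $errors) {
            Write-Host ("{0,-20} advertising OK" -f $dc)
        } else {
            Write-Warning ("{0} reported problems:`n{1}" -f $dc, ($errors -join "`n"))
        }
    }
}

# Discover the DCs via the locator rather than hard-coding names.
$dcList = nltest "/dclist:$domainName" 2>&1 |
    Where-Object { $_ -match '^\s*(\S+)\s+\[' } |
    ForEach-Object { $Matches[1] }
Write-Host "`nDCs returned by nltest /dclist: $($dcList -join ', ')"
Test-DcAdvertising -DomainControllers $dcList
```

If the new DC is missing from the SRV answer or fails the Advertising test, the locator never offers it and %logonserver% will keep showing the SBS server; if both pass, the behaviour is ordinary locator preference (same site, cached DC) as described in KB247811, not a fault.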
Excellent instruction. Really helpful! I have successfully added my Windows Server 2008 R2 as a DC to my existing Windows 2003 network. If I don’t plan to retire my old Windows 2003 server, do I need to transfer the 5 FSMO roles to the new Windows 2008 DC? It’s a small network and we have only one Windows 2003 DC before adding this Windows 2008 R2 server.
Great! I’m glad I could help you.
Yes, I would recommend transferring the FSMO roles to the newest Windows Server 2008 R2 Domain Controller. It is good to have the FSMO roles on the latest OS release because some features might rely on FSMO with a specific Windows Server version.
If I already installed Windows Server 2008 using DCPROMO and I tried to install it again using DCPROMO, what will be the result?
If you run dcpromo on the same DC once again, you will decommission it.
Hello. What if I want to add a Windows Server 2008 SP2 domain controller to existing Active Directory 2003? Are there any differences between adding Windows Server 2008 SP2 and R2?
Hi, no. All steps are exactly the same. First you need to extend schema and prepare Infrastructure Master using adprep. All steps are the same, please follow an article.
iSiek's blog about Microsoft Windows services