Post migrated to: http://kpytko.pl/active-directory-domain-services/adding-first-windows-server-2012-domain-controller-within-windows-200320082008r2-network/
Are you assuming that in the post-install steps that people are adding the DNS server role to this new DC? Without that, why would you have them add the new DC as a DNS server in DHCP?
No, people should install the DNS role during server promotion to DC. But after all, many of them forget to update DNS settings on the DHCP server (when they are replacing the old Domain Controller).
That might lead to some functionality issues; that’s why I mentioned this in the article.
Thank you so much for posting the article so clearly!
Have you got steps to then promote it to the main DC and copy user roles and anything needed to make it primary and kill the old 2003 server altogether?
Yes, but not in single article 🙂
After you have promoted the new 2012 DC, you need to transfer FSMO roles (available on my blog) and advertise a new time server in your forest. How to do that, you will find on the MVP blog at
under section ([…]After the transfer from the PDCEmulator FSMO it is required to reconfigure the time service on the old and new PDCEmulator[…])
After that, you can simply decommission Windows Server 2003 (available on my blog)
Can you tell me please, what do you mean by saying “and copy user roles” ?
Excellent article! I simply followed these steps to install Windows 2012 DC to our existing domain running on Windows 2003.
Thank you, Ethan!
This is an EXCELLENT article. Thank you for posting it. Really helped a lot.
Thank you so much for posting it. very useful
Very good notes!!
Very helpful article, thanks! One question I have relates to adding a 2012 domain controller into an existing Windows 2003 Native domain (currently 2x 2008R2 DCs and 1x 2003R2 DC). The end goal is to retire the 2003R2 DC with the addition of the 2012 one. The catch we have is that we have one legacy Windows 2000 member server (very important, dept drags feet to remove). If we keep the domain in Windows 2003 mode or even up it to Windows 2008 mode will we be OK having a 2000 member server?
The Microsoft docs say a 2000 client isn’t supported with 2012 DCs, but makes no mention of a mixed OS domain running in 2003/2008 mode. Would we be able to add the 2012 DC and keep the 2000 member server working?
Thank you for reading my blog!
Going back to your question about Windows Server 2012 Domain Controllers and Windows 2000 Server members. As you mentioned, you have only 2003+ Domain Controllers; there is no 2000 DC at all. That means you can freely decommission 2003 if you do not need it anymore, and you may even raise your domain/forest functional level to Windows Server 2008R2 (the highest possible in your case).
This change affects only Domain Controllers, not member servers. That means you can still use any Windows 2000 Server as a domain member. You are only unable to use Windows 2000 Server Domain Controllers, and if you raise DFL/FFL to a higher mode, then you would not be able to use Windows Server 2003 DCs either.
Please check more about this topic in my other articles on the blog:
Raising Domain Functional Level
Raising Forest Functional Level
When you would like to introduce a Windows Server 2012 Domain Controller, you have to remove all Windows 2000 Server DCs before you can start. As you do not have any 2000 DCs and your Domain Functional Level is set to Windows Server 2003 mode, you are ready.
All other servers, not acting as DCs, would work fine even if they are based on an older operating system like Windows 2000 Server.
Thanks Krzysztof. I had a chance to test this scenario and you’re correct, the Windows 2000 box worked normally even after removing the 2003 DC and raising the domain levels to 2008 R2.
Great Article! This has really helped me in planning the replacement of a SBS 2003 server with individual Server 2012 servers.
Thank you! I’m glad it could help you
Thank you, also the screenshots make it easy. I used your blog as preparation material.
Thank you for a very useful read, as it’s the first time I’m adding 2012 to our environment. I have a very simple domain with only a 2003 DC which I’d like to decommission after the 2012 DC is in place.
Is it as simple as you stated? Just transfer FSMO roles, reconfigure time service peer to new 2012 DC on both, then demote?
Thank you for reading my blog. Yes, it is as simple as written 🙂
Just prepare your environment for the first 2012 DC, transfer FSMO roles to it, advertise a new time server in your environment and decommission the old 2003 DCs. That’s all!
I have a 2008 R2 Domain (dozen or so DCs) and want to add a 2012 Domain Controller. I do not want to change the servers that host my FSMO roles. Does adding a 2012 domain controller allow me to maintain my existing roles on the 2008 R2 domain controllers?
Yes, it does. However, Microsoft strongly recommends keeping FSMO roles on the Domain Controller with the newest OS.
And when you transfer the PDC Emulator and RID Operations Master roles to a 2012 DC, then you would be able to use:
– Hyper-V 3.0 new features for Domain Controller cloning
– New extended RID space 2^31 instead of 2^30
Nice article… I have one question. We have a Server 2008R2 environment for all DCs and want to introduce Server 2012 as an RODC. Is it possible? If yes, do we really need to transfer FSMO roles to this RODC? During DC promotion, will it update the schema as well?
Thank you! I’m really sorry for the delayed answer, but I was busy and I could not write to you.
I need to check that because I did not test this scenario. I suppose that a Windows Server 2012 RODC will update the schema itself during promotion, but I’m not sure whether this would not require at least 1 Windows Server 2012 Read/Write Domain Controller, as there might be some new features in comparison to an RODC based on Windows Server 2008/2008R2.
However, you cannot transfer FSMO roles to any RODC, as that kind of DC cannot support that scenario. It works in read-only mode and needs at least one writeable Domain Controller.
Let me check that RODC 2012 scenario with schema update for you and I will reply in a few days with the results.
I’ve just checked this scenario for you in my test lab, where I have a Windows Server 2008 R2 Read/Write Domain Controller with Forest Functional Level at Windows Server 2003 mode, and:
1) Introduction of a Windows Server 2012 RODC automatically extended the schema and it also prepared the domain for RODC.
2) RODC is working fine; however, you need to remember that I did that in my test environment, so I cannot fully test all RODC features for Windows Server 2012
3) I did not notice any events in Event Log stating that no Windows Server 2012 Read/Write Domain Controller has been found. Looks like this is fixed since Windows Server 2008/2008 R2 were released. Previously, you had an event stating that no read/write DC for 2008 R2 was available (in case that 2008 is RWDC and 2008 R2 RODC)
4) and of course the last thing to confirm, you cannot transfer FSMO roles to the Read-Only Domain Controller.
I hope I could help you.
My domain and forest are at 2003 level. I understand I can add a 2012 controller. But I also happen to have Windows 2000 SP4; their replacement with Windows 7 will take about a year. This is where I get uncomfy. Can I join a 2012 box as a DC (and possibly also remove the 2003 DCs?), while retaining the 2003 domain/forest levels, and keep the Windows 2000 SP4 machines running normally? I’ve done a lot of reading and I’m still unclear.
I’m really sorry for this delayed answer but I was really busy.
Yes, of course, you may promote a new Windows Server 2012 Domain Controller and not change DFL/FFL from Windows Server 2003 to a higher level.
The same with your Windows 2000 client machines. They can simply remain in the environment, but remember, you won’t be able to manage new functions via GPOs on those machines.
We just replaced all of our 2003 and 2008 R2 DCs with 2012. Can we raise the FFL/DFL to 2012, or do we have to go to 2008 R2 level and then 2012? Our FFL/DFL is 2003.
We want to do 2003 –> 2012. Or do we have to do 2003 –> 2008R2 –> 2012?
Thanks in advance,
That’s fine, you can go directly to the Windows Server 2012 DFL/FFL. You don’t have to raise it to 2008R2 first. But you need to be sure that you would not use any Windows Server 2003/2008/2008R2 Domain Controllers in the future, because DFL 2012 does not allow for that. When you raise the FFL, you need to be sure that all your domains will have only 2012 Domain Controllers.
Thank you for the quick response. I missed the email in my mailbox. I am actually doing the raise tomorrow. We have only 2012 domain controllers. Is there any reason why I would want to go back or use 2008 r2 over 2012?
What if i have Exchange 2010 SP1 running in my existing Windows 2008 R2 domain and I would like to upgrade only Domain environment to Windows 2012?
Hi, I was able to successfully follow the steps as laid out but I now have a scenario where the workstations log on very slowly when the old server is disconnected. I haven’t demoted it yet but is that the reason?
I would guess this is related to the DNS server. Did you update the DHCP server/scope configuration after you introduced the new DC with the DNS role?
You should update option no. 006 under the server/scope options of the DHCP server (depends on your configuration) and reboot workstations to get a new lease with the new DNS server’s IP address.
Additionally, you need to change the DNS server IP address under the NIC’s properties of every server with a fixed IP address. Point them to the new IP address of your Domain Controller where DNS is probably also running (if you went step-by-step with my article).
Then check once again if you are experiencing this issue. Please let me know
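As an added example (not code from the original post or its author), the two fixes in the reply above as PowerShell: the retired DC's address is replaced with the new DC's in DHCP option 006, at server level and in every scope (a scope-level 006 overrides the server-level one, so checking only the server is a common miss), and the DNS client list is rewritten on member servers whose NICs were configured by hand. All names and addresses are assumptions; it is run elevated from a 2012 box with the DHCP module (RSAT) by a DHCP administrator.

```powershell
# Added example, not code from the original post or its author. Replaces the retired DC's
# address with the new DC's in DHCP option 006 (server level and every scope) and on member
# servers with static DNS client settings. Names and addresses below are assumptions.
$OldDns        = '192.168.10.5'      # old 2003 DC / DNS server being retired
$NewDns        = '192.168.10.6'      # new 2012 DC with the DNS role
$DhcpServer    = 'DHCP01'
$StaticServers = 'FILE01', 'APP01'   # members with fixed IPs (DNS set by hand on the NIC)

Import-Module DhcpServer

function Update-DnsList {
    # Swap the old address for the new one, keep the order, drop duplicates
    param([string[]]$Current, [string]$Old, [string]$New)
    @($Current | ForEach-Object { if ($_ -eq $Old) { $New } else { $_ } } | Select-Object -Unique)
}

# Server-level option 006
$srv = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue
if ($srv -and $srv.Value -contains $OldDns) {
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -DnsServer (Update-DnsList $srv.Value $OldDns $NewDns)
    "server option 006 was $($srv.Value -join ',') -> updated"
}

# Scope-level option 006 overrides the server value, so every scope has to be checked as well
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt -and $opt.Value -contains $OldDns) {
        Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId -DnsServer (Update-DnsList $opt.Value $OldDns $NewDns)
        "scope $($scope.ScopeId) option 006 was $($opt.Value -join ',') -> updated"
    }
}

# Statically addressed servers: rewrite the DNS client list on every IPv4 interface that still lists the old DC
Invoke-Command -ComputerName $StaticServers -ArgumentList $OldDns, $NewDns -ScriptBlock {
    param($Old, $New)
    foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
        if ($iface.ServerAddresses -contains $Old) {
            $list = @($iface.ServerAddresses | ForEach-Object { if ($_ -eq $Old) { $New } else { $_ } } | Select-Object -Unique)
            Set-DnsClientServerAddress -InterfaceIndex $iface.InterfaceIndex -ServerAddresses $list
            "$env:COMPUTERNAME ifIndex $($iface.InterfaceIndex): $($iface.ServerAddresses -join ',') -> $($list -join ',')"
        }
    }
}
```

DHCP clients only pick up the changed option when their lease is renewed, hence the reboot (or `ipconfig /renew`) the reply asks for; until then a workstation keeps querying the retired address and logons stay slow.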
I followed through up to adding the new Server 2012 to the domain, but am afraid to make it the Primary DC as it seems the users have roaming profiles pointing to a directory on the current old DC. I want to stop roaming profiles totally; how do I go about this?
Oh, this is not too simple a process, unfortunately. Roaming profiles are a real pain when a new server comes into the environment.
You need to change your current GPO and move profiles back to local workstations. When you are sure that all of the users’ data is stored locally, you can go with the server replacement.
You need to have appropriate disk space on the server where you are going to redirect users’ profiles and then re-create the folder structure on the new server.
When it is done, you can create a new GPO for roaming profiles pointing to the new location.
Remember! It is a really good idea to do a full backup of users’ data before you start the action 🙂
A great article and is really useful!!
I have a Windows SBS 2003 domain server. Can I use this procedure to install a DC then demote the SBS 2003 server?
Yes, of course, you may use it as for a regular Windows Server 2003.
Thanks for your help. Just a confirmation. I have a network with an SBS Server 2003 that is my domain server with all roles and two additional DCs. If I install the Windows 2012 server as a DC, I can move all the roles from SBS 2003 to Windows 2012 and demote SBS 2003. Now Windows 2012 will perform all the required adprep on the system when install begins. True?
Sorry for the questions. I just want to be sure.
Yes, exactly, but adprep is done during the promotion process to DC, so it is performed before the SBS demotion 🙂
All the remaining steps are exactly as you wrote.
Important! When you transfer FSMO roles from SBS to the 2012 DC, you need to demote it because you will get regular SBS reboots (behavior as designed).
Thanks so much for your help. One last thing. I have Microsoft Exchange 2007, not on the SBS 2003 server but separate. This server promotion should have no effect on Exchange, correct?
I have a domain in Windows 2003 domain functional level. Two DCs running windows 2003. No more domains.
I just added a Windows 2012 R2 Std, added roles and dcpromo’d it as per your article. The schema got upgraded to version 69.
All is fine. I will be transferring all FSMO roles to new DC shortly.
Do I need to raise the domain functional level to Windows 2012, assuming that will be available after the dcpromo of Windows 2012?
I do not see this option, and I am not sure I should see it. Or just dcpromo down the two domain controllers running Windows 2003?
No, everything at this stage is fine. You cannot raise DFL/FFL at this moment because you still have Windows Server 2003 DCs. Do the FSMO transfer, decommission the old DCs and then you would be able to raise DFL/FFL.
As others have noted: Excellent article!
Quick question, at what point must one consider the *security implications* of upgrading AD?
For example, I have a 2k3 AD today and wish to upgrade to 2k8 (or 2k12). If I follow your steps above, I will have successfully “upgraded” my 2k3 AD, but what about new OS settings such as NT4crypto (which will break NT4 trusts) or NTLM or DES changes that will occur? Or even the Default Domain GPO and Default Domain Controllers GPO?
At what point do such default security settings (of the upgraded DC OS) take over and change the domain function?
When you promote new DC then you might expect that 🙂
I have only one question about your blog post, which is great!
This guide is for a Windows Server 2012 domain controller. I would like to ask you if it is also supported to add a Windows Server 2012 R2 domain controller to the 2003 domain and forest functional level if all other controllers are Windows Server 2003?
If I want to raise the functional level to 2012 R2, do I need to remove the Windows Server 2003 servers and after that raise the level, or are there any other steps to do this safely?
Also, I have read in the comments that having a Windows Server 2000 server as a member server is supported in this scenario, even when I remove 2003 DCs and raise the functional level to 2008 R2 (but I cannot go to 2012 R2, because a Windows Server 2000 member server is not supported in 2012 R2). Is this correct?
Yes, it is also valid for this configuration.
Yes, exactly, when you wish to raise the DFL you need to decommission all 2003 DCs first. If you wish you may check this article on my blog at
No, as domain member servers you can still use Windows 2000. But you need to know that this OS is no longer supported and many GPOs would not apply to this kind of OS.
Great article, thank you for taking the time to post it. Could you maybe add this one caveat if adding a 2012 DC to a 2003 Forest?
Check the Remote Registry service on the 2003 domain controller is configured as follows:
Startup type: Automatic
Service Status: Started
Security context: NT Authority\LocalService (In Log On tab of remote registry service)
Then promote the 2012 server again.
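An added example (not code from the original post or the commenter) that checks the three settings listed above on the 2003 DC and corrects them when they differ, then re-reads the service so you only re-run the promotion once it really matches. It talks to the 2003 box over DCOM because Windows Server 2003 has no WinRM; `DC2003` is an assumed name, and it is run elevated as a domain admin from a 2012 box. One caveat a practitioner would add: Remote Registry lets authenticated remote users read the DC's HKLM by default, so if it had been disabled as hardening, put it back to that state once the new DC is promoted.

```powershell
# Added example, not code from the original post or the commenter. Checks and fixes the Remote
# Registry service on the 2003 DC over DCOM (no WinRM on Server 2003). 'DC2003' is assumed.
$Dc     = 'DC2003'
$Wanted = @{ StartMode = 'Auto'; State = 'Running'; StartName = 'NT AUTHORITY\LocalService' }

$session = New-CimSession -ComputerName $Dc -SessionOption (New-CimSessionOption -Protocol Dcom)
$svc     = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='RemoteRegistry'"

function Assert-Ok([string]$Step, $Result) {
    # Win32_Service methods report success as ReturnValue 0
    if ($Result.ReturnValue -ne 0) { throw "$Step failed on $Dc with Win32_Service return code $($Result.ReturnValue)" }
}

"Before: StartMode=$($svc.StartMode) State=$($svc.State) StartName=$($svc.StartName)"

if ($svc.StartName -ne $Wanted.StartName) {
    # Change() takes the logon account in StartName; the built-in LocalService account has no password
    Assert-Ok 'Change(StartName)' (Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = $Wanted.StartName; StartPassword = '' })
}
if ($svc.StartMode -ne $Wanted.StartMode) {
    Assert-Ok 'ChangeStartMode' (Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode -Arguments @{ StartMode = 'Automatic' })
}
if ($svc.State -ne $Wanted.State) {
    Assert-Ok 'StartService' (Invoke-CimMethod -InputObject $svc -MethodName StartService)
    Start-Sleep -Seconds 5
}

# Re-read and confirm every setting now matches before running the promotion again
$svc = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
$bad = @($Wanted.GetEnumerator() | Where-Object { $svc.($_.Key) -ne $_.Value })
Remove-CimSession $session
if ($bad) {
    throw "Remote Registry on $Dc still wrong: $(($bad | ForEach-Object { "$($_.Key)=$($svc.($_.Key))" }) -join ', ')"
}
"After:  StartMode=$($svc.StartMode) State=$($svc.State) StartName=$($svc.StartName) - OK, promote the 2012 server again"
```

If DCOM is blocked between the two boxes, the same three changes can be made with the classic tools on the 2003 DC itself: `sc config RemoteRegistry start= auto obj= "NT AUTHORITY\LocalService"` followed by `sc start RemoteRegistry`.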
Thanks a lot for this article and for the asked questions, because they have solved my problems. We have Windows 2000 clients and Windows 2003; we will create domain controllers with Windows Server 2012 and keep the DFL and FFL at Windows 2003 to maintain compatibility with Windows 2000 clients. When we have all domain controllers on Windows 2012 and all Windows 2000 migrated to Windows XP or later, we will raise the functional level of domain and forest to use new features.
I’m glad I could help you!
I have a Windows 2003 domain. It has two DCs. both windows 2003 R2. The DFL and FFL are 2003.
I have added a Windows 2012 DC. I followed your steps. They were great. Thx. The schema got upgraded fine to 69 (Windows 2012 R2).
I am stuck here; When I go back to the Windows 2003 DC, I do not see the option to raise the level to Windows 2012. Is that something I should expect? Do I go ahead and transfer FSMO roles to new DC and demote the win2k3 servers?
Great! I’m glad that all went well.
Do you know why you cannot do that? 🙂 Because you need to decommission all non-Windows Server 2012 R2 Domain Controllers. The lowest OS acting as a Domain Controller defines the highest possible Domain Functional Level, and the lowest DFL determines the highest possible Forest Functional Level.
So, to raise DFL/FFL to Windows Server 2012 R2 you have to decommission every 2003/2008/2008R2/2012 Domain Controller. Then it would work fine!
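An added example (not code from the original post) of the rule in the reply above: it lists every DC in the domain with its operating system, derives the highest DFL that population allows, and flags DCs that do not answer, because a 2003 DC that was unplugged instead of demoted leaves metadata behind and blocks the raise exactly as a live one does. Only when nothing is in the way does it offer `Set-ADDomainMode`, and it is read-only until you remove `-WhatIf`. The OS-to-level mapping in the script is mine, run from a 2012 R2 DC or a box with RSAT.

```powershell
# Added example, not code from the original post. Shows which DC holds the domain back from a
# higher DFL, lists unreachable DCs (stale metadata), and offers the raise only when it is allowed.
Import-Module ActiveDirectory

# OS family -> rank; domain mode names indexed by the same rank (mapping assumed here)
$Rank = @{ '2003' = 0; '2008' = 1; '2008 R2' = 2; '2012' = 3; '2012 R2' = 4; '2016' = 5 }
$Mode = 'Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain', 'Windows2012Domain', 'Windows2012R2Domain', 'Windows2016Domain'

$domain = Get-ADDomain
$report = foreach ($dc in Get-ADDomainController -Filter * -Server $domain.DNSRoot) {
    # Longer alternatives first, so '2008 R2' is not reported as '2008'
    $m = [regex]::Match([string]$dc.OperatingSystem, 'Windows Server (2003|2008 R2|2008|2012 R2|2012|2016)')
    [pscustomobject]@{
        HostName = $dc.HostName
        OS       = $dc.OperatingSystem
        Rank     = if ($m.Success) { $Rank[$m.Groups[1].Value] } else { -1 }
        ReadOnly = $dc.IsReadOnly
        Roles    = ($dc.OperationMasterRoles -join ',')
        Online   = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
    }
}
$report | Sort-Object Rank | Format-Table HostName, OS, ReadOnly, Online, Roles -AutoSize

$lowest = ($report | Measure-Object -Property Rank -Minimum).Minimum
$maxDfl = if ($lowest -ge 0) { $Mode[$lowest] } else { 'unknown (unrecognised OperatingSystem string)' }
"Current DFL: $($domain.DomainMode)   Highest DFL the oldest DC allows: $maxDfl"

$offline = @($report | Where-Object { -not $_.Online })
if ($offline) { "Unreachable DCs (demote them or run metadata cleanup before raising): $($offline.HostName -join ', ')" }

# Raise only when every DC supports the target; treat the raise as a one-way change
$target = 'Windows2012R2Domain'
if (-not $offline -and $lowest -ge [array]::IndexOf($Mode, $target) -and $domain.DomainMode -ne $target) {
    Set-ADDomainMode -Identity $domain -DomainMode $target -WhatIf      # remove -WhatIf to apply
}
```

The forest level follows the same logic one step up: once every domain in `(Get-ADForest).Domains` reports the target DFL, `Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2012R2Forest` becomes possible, and not before.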
Hi there. This article is brilliant and very helpful, easy to understand. There is however one thing that is not mentioned and I am concerned about. Windows 2003 domains use FRS to replicate the SYSVOL and Group Policy. If you migrate from a 2003 domain you had the option of converting to DFRS replication in 2008. Should this be done first, or can you still do the FRS to DFRS migration once the 2012 servers are in?
Thanks very much..
No, you don’t have to migrate FRS to DFS-R first. Windows Server 2008/2012 still support FRS for SYSVOL.
This step may be done later when you are ready to migrate FRS to DFS-R for SYSVOL. This is a 4-phase action which requires much more time than admins think 😀
I’m still trying to add a new DC with W2012 to a domain under W2008R2, but I cannot fix the problems that appear after I run dcdiag as this post explains, on the W2008R2 server. That server (Srv01) also has the roles: DNS, DHCP, File Server and Routing and Remote Access (we have a VPN).
I’m new in the server world, but I read that there are many things that can cause the error that I see when I try to add this new DC to our network. This error says that the AD DC cannot be contacted.
Here is a piece of info provided by the dcdiag command:
Doing initial required tests
Testing server: Default-First-Site-Name\SRV01
Starting test: Connectivity
* Active Directory LDAP Services Check
The host 40b7c03b-d287-403e-ad6c-9d5e2d904be0._msdcs.DOMAINNAME.dom could not be resolved to an IP address.
Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
……………………. SRV01 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SRV01
Skipping all tests, because server SRV01 is not responding to directory service requests.
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes…
See DNS test in enterprise tests section for results
……………………. SRV01 passed test DNS
If there is anything that I can do…… or should I just go ahead and create a new AD DC in the new DC (luckily there are no more than 16 users, and a few folders to share).
Hope you can help me.
Thanks for your time
Is this still a valid issue?
Great tutorial… I just saw a video that details a complete domain upgrade from 2008 to 2012 http://youtu.be/uZB-1kCOEBU and I think I’m ready to upgrade now. Thank you!
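The record dcdiag could not resolve in the output above is the DC's locator CNAME: the objectGUID of its NTDS Settings object under `_msdcs.<forest root>`, which replication partners and the promotion wizard use to find the DC by GUID. As an added example (not code from the original post or the commenter), the check below reads that GUID from the directory, asks every DNS server the local NIC is configured with whether the CNAME resolves, and if any of them fails, has Netlogon re-register the DC's records and checks again. `SRV01` is taken from the dcdiag output; everything else is assumed. It is meant to be run on the 2012 server being promoted (or any 2012 box with RSAT) so that it tests the same resolvers that the promotion will use.

```powershell
# Added example, not code from the original post or the commenter. Checks the DSA GUID CNAME
# (<NTDS Settings objectGUID>._msdcs.<forest root>) that the dcdiag Connectivity test above failed on.
Import-Module ActiveDirectory
$DcName = 'SRV01'     # from the dcdiag output; the rest is assumed

$dc     = Get-ADDomainController -Identity $DcName
$forest = (Get-ADForest).RootDomain
$guid   = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
$cname  = "$guid._msdcs.$forest"
"Expected locator CNAME: $cname -> $($dc.HostName)"

function Test-DsaCname {
    param([string]$Name, [string]$DnsServer)
    try {
        $r = Resolve-DnsName -Name $Name -Type CNAME -Server $DnsServer -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ Server = $DnsServer; Resolves = $true;  Target = $r.NameHost }
    } catch {
        [pscustomobject]@{ Server = $DnsServer; Resolves = $false; Target = $_.Exception.Message }
    }
}

# Ask every DNS server this machine's NICs point at; a resolver that is not an AD DNS server,
# or an AD DNS server whose _msdcs zone never got the record, is the usual cause
$dnsServers = @((Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique)
$results = @($dnsServers | ForEach-Object { Test-DsaCname -Name $cname -DnsServer $_ })
$results | Format-Table -AutoSize

if ($results.Resolves -contains $false) {
    # Netlogon on the DC writes the CNAME and SRV records; nltest asks it to do so right now
    nltest /server:$($dc.HostName) /dsregdns
    Start-Sleep -Seconds 15
    $dnsServers | ForEach-Object { Test-DsaCname -Name $cname -DnsServer $_ } | Format-Table -AutoSize
}
```

If the re-registration does not help, the two things to look at on the DNS side are whether a `_msdcs.<forest root>` zone exists and allows secure dynamic updates, and whether the resolvers listed above are really the AD DNS servers rather than a router or ISP address inherited from the VPN/RRAS setup.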
You mention Windows Server “20012” thrice. At least you are consistent 🙂
Typo fixed. It’s good to know that other readers are carefully reading posts 🙂
I did all these steps, including transferring the FSMO roles. Everything looked OK at first. When checking Group Policy, it too looked OK on the surface, but when I checked the SYSVOL folder on the new Windows 2012 domain controller, there was nothing there. I gave it ample time to replicate, if that was needed, but no existing policy folders ever showed up. Group Policies continued to work but stopped after I demoted the older Windows 2003 server. It was almost as if “c:\windows\sysvol” on Server 2012 was actually pointing to “c:\windows\sysvol” on the old Windows 2003 domain controller. Any ideas on what happened or what to do? This was all done in a test environment.
Looks like SYSVOL did not replicate to your new DC. I don’t know what might have gone wrong at this stage.
Before you demoted 2003 DC, you could initiate non-authoritative SYSVOL restore on your 2012 DC to see if SYSVOL would replicate policies.
Do you remember your lab configuration? Maybe we could reproduce the issue and track what happened?
Good tutorial, thank you iSiek…
I hope you don’t mind the following questions:
– Do I need to make the 2012 machine a member of the domain prior to step 1?
– Is there a way to remove an offline backup DC? I’m under the impression that I need to issue the demote command on the backup DC itself… quite difficult if it’s not talking anymore…
– any additional 2012 server steps for DNS before adding it as a secondary DNS server in the DHCP scope option?
– any thoughts on running this as a virtual machine on a production environment?
Hi, thank you for reading my blog.
If these questions are still valid, please take a look at the answers below.
1) No, you don’t have to add your Windows Server 2012 to the domain first. When you want to promote it as a Domain Controller, you may do that without it being a domain member server.
2) Yes, of course, it is. You need to do a metadata cleanup for it. If you wish you may read an article on my blog for that at http://kpytko.pl/2011/08/29/metadata-cleanup-for-broken-domain-controller/
3) Nope, if you installed the DNS server role on 2012 too, that’s all. But when you would like to remove the old DC with DNS from the environment, you need to define appropriate forwarders on your new DNS server to allow users to access the Internet.
4) You can simply run a 2012 Domain Controller in a virtual environment without any issue. This OS has a built-in feature which saves you from USN rollback when restoring from a snapshot (you still should not use that 🙂 just use a system state backup for that), but this requires a new-generation hypervisor supporting VM Generation ID invocation (Hyper-V on Windows Server 2012 or VMware ESXi 5.1 at least).
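An added example (not code from the original post) for point 4: the safeguard only protects a DC whose hypervisor actually exposes a VM Generation ID, and the way to tell is the `msDS-GenerationId` attribute on the DC's own computer object, which stays empty otherwise. The check below reads that attribute, reports the platform, and pulls the Directory Service events that show whether the safeguard ever fired (2170) or whether a USN rollback was detected instead (2095, 2103), in which case Netlogon is paused and the DC stops advertising. It is run locally on the virtualised DC; the event IDs are the documented ones, everything else is assumed.

```powershell
# Added example, not code from the original post. Tells you whether this virtual DC is covered by
# the Windows Server 2012 virtualization safeguards, and whether a USN rollback has already happened.
Import-Module ActiveDirectory
$dc  = Get-ADDomainController -Identity $env:COMPUTERNAME
$obj = Get-ADObject -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem

function Get-SafeguardStatus {
    $genId = $obj.'msDS-GenerationId'
    [pscustomobject]@{
        DC           = $dc.HostName
        Platform     = "$($cs.Manufacturer) $($cs.Model)"
        # populated only when the hypervisor supplies a VM Generation ID
        GenerationId = if ($genId) { ([byte[]]$genId | ForEach-Object { $_.ToString('x2') }) -join '' } else { '<not set>' }
        Safeguarded  = [bool]$genId
        Netlogon     = (Get-Service -Name Netlogon).Status   # Paused after a detected USN rollback
    }
}
Get-SafeguardStatus | Format-List

# 2170 = generation ID change detected (snapshot revert/clone; invocation ID reset, RID pool discarded)
# 2095 = USN rollback detected, inbound replication disabled; 2103 = DC quarantined after unsupported restore
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170, 2095, 2103 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } | Format-Table -Wrap
```

A DC showing `Safeguarded = False` on ESXi 5.0 or older Hyper-V is exactly the case the reply warns about: a snapshot revert there is an unsupported restore, and the only safe way back is a system state backup.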
Nice, detailed writeup! I have a question, though: I vaguely remember reading somewhere that, for successful integration of 2008 DCs into a 2003 domain, the schema needs to be updated/patched.
Is it true?
Thank you for reading my blog!
Yes, exactly, you’re right.
To introduce any new operating system as Domain Controller you need to extend schema once.
To do that, you need to use the adprep tool included on the install media. Since Windows Server 2012, Microsoft introduced transparent adprep, which means the whole process is done automatically by the Domain Controller promotion wizard.
Of course it still requires appropriate privileges to do that – Enterprise Administrator or Schema Admins group membership.
Dear Krzysztof, thanks for your great advice. I need to install 2 new Windows 2012 R2 DCs in a Windows 2008R2 domain. After the installation I will demote the 2008R2 DC. The main problem is that the new DC must have the IP of the old DC. Is it better to change the IP address of the old 2008 DC and install the new 2012 DC with this address, or to install the new DC 2012 with a new address and then switch the addresses? Thanks in advance
Is this still a valid request? If so, please let me know and I will try to help you with that process.
Below is just a short overview of the steps:
1) Do not change current DCs configuration
2) Install and promote new 2012R2 DCs with new IP addresses
3) Wait for AD database and SYSVOL replication between those new DCs
4) Transfer FSMO roles
5) Introduce new time server in your environment
6) Reconfigure DNS servers and DHCP scopes
7) Decommission old 2008R2 DCs if everything is working fine
8) Clean up DNS records for old DC
9) Replace IP address on one of the new DCs with that previous one
and in an elevated command line type:
net stop netlogon
net start netlogon
or just reboot DC
Verify that it is working, then repeat these steps for the second DC.
Thank you for your post, just one word: you wrote erroneously Windows Server 20012 instead of 2012 =)
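As an added example (not code from the original post), steps 4, 5, 8 and 9 of the list above as PowerShell, which also covers the FSMO transfer discussed earlier in the thread. It moves all five roles and prints who holds them, points the new PDC Emulator at external NTP while pushing the old one back into the domain hierarchy, then (only after the old DC has been demoted in step 7) scans the DNS zones for any A, PTR, CNAME, NS or SRV record that still names the old DC or its address before that address is reused, and finally swaps the IP and restarts Netlogon, which is what the `net stop`/`net start` above does. Names, addresses, adapter name and NTP peers are assumptions; it is run elevated on the first new 2012 R2 DC by a member of Domain Admins and Enterprise Admins (the Schema Master and Domain Naming Master moves need the latter). Step 9 drops any remote session, so run that part from the console.

```powershell
# Added example, not code from the original post. Steps 4, 5, 8 and 9 of the list above.
# Names, addresses, adapter and NTP peers are assumptions for the example.
Import-Module ActiveDirectory
$NewDc    = 'DC2012A'
$OldDc    = 'DC2008'
$OldIp    = '192.168.10.5'   # address the old DC had and this DC will take over
$Partner  = '192.168.10.7'   # the second new DC; a DC should list a partner before itself for DNS
$Gateway  = '192.168.10.1'
$Nic      = 'Ethernet'
$NtpPeers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'

# --- 4) Transfer all five FSMO roles and show where they ended up
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
    PDCEmulator  = $domain.PDCEmulator;  RIDMaster = $domain.RIDMaster; InfrastructureMaster = $domain.InfrastructureMaster
}

# --- 5) Time: the new PDC Emulator syncs from external NTP and advertises as reliable,
#        the old PDC Emulator drops back into the domain hierarchy
w32tm /config /computer:$NewDc "/manualpeerlist:$NtpPeers" /syncfromflags:manual /reliable:yes /update
w32tm /config /computer:$OldDc /syncfromflags:domhier /reliable:no /update
w32tm /resync /computer:$NewDc
w32tm /resync /computer:$OldDc
w32tm /query /computer:$NewDc /source     # expect an NTP peer here, not "Local CMOS Clock"

# --- 8) After the old DC is demoted: anything still naming it or its address is a leftover
function Get-StaleDcRecords {
    param([string]$DnsServer, [string]$OldHost, [string]$OldAddress)
    $zones = (Get-DnsServerZone -ComputerName $DnsServer | Where-Object { -not $_.IsAutoCreated }).ZoneName
    foreach ($z in $zones) {
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z | ForEach-Object {
            $d = $_.RecordData
            $target = switch ($_.RecordType) {
                'A'     { "$($d.IPv4Address)" }
                'PTR'   { $d.PtrDomainName }
                'CNAME' { $d.HostNameAlias }
                'NS'    { $d.NameServer }
                'SRV'   { $d.DomainName }
                default { $null }
            }
            if ($target -and ($target -eq $OldAddress -or $target -like "$OldHost.*")) {
                [pscustomobject]@{ Zone = $z; Name = $_.HostName; Type = $_.RecordType; Target = $target }
            }
        }
    }
}
$stale = @(Get-StaleDcRecords -DnsServer $NewDc -OldHost $OldDc -OldAddress $OldIp)
if ($stale) { $stale | Format-Table -AutoSize; throw "Clean these records up before reusing $OldIp" }

# --- 9) Take over the old address and re-register this DC's own records (console session!)
Remove-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $OldIp -PrefixLength 24 -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Partner, '127.0.0.1'
ipconfig /registerdns | Out-Null
Restart-Service -Name Netlogon     # rewrites this DC's SRV and CNAME records with the new address

# Verify from the partner's point of view: locator records and host record show the reused address
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -Server $Partner |
    Where-Object { $_.NameTarget -like "$NewDc.*" } | Select-Object Name, NameTarget, Port
Resolve-DnsName -Name "$NewDc.$($domain.DNSRoot)" -Type A -Server $Partner | Select-Object Name, IPAddress
```

Doing the stale-record scan before the swap matters for more than tidiness: an old NS or SRV record for the retired name that still points at the reused address would silently start answering for the new DC, and an old PTR would make the new DC's reverse name wrong for Kerberos-sensitive tools.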
Thanks to you I could fix that typo 🙂 Now, it is 2012 definitively 🙂
Hi, thanks for the excellent write-up.
Quick question. Will this work if I have an Exchange Server 2003 in the domain (I intend to put in a new 2013 server and migrate PSTs)? Just want to know: when I promote the new 2012 DC to AD DS and migrate roles, will it not break my Exchange 2003?
Hi, thank you for reading my blog.
Unfortunately, Exchange 2003 does not support Windows Server 2012/2012R2 Domain Controllers. So, you cannot replace your older DCs with Server 2012/2012R2.
You have to plan migrating Exchange 2003 first.
I have similar concerns to Daniel. I have an environment where there are 4 DCs. All are Win2k3 R2.
We will be upgrading them to Win2k8 R2 by the beginning of next year.
DC1 is the main DC with all the FSMO roles on it. Is it possible to keep the same name and IP for this?
Here’s what we have planned.
We will be migrating this first and transfer the roles from DC1 to DC2.
Demote DC1 and unplug from network.
Join the new win2k8 r2 to the domain, promote and transfer the roles back to the new DC1.
Once replication has happened we rename the new DC1
For DC3 and DC4 I can probably follow the steps you listed for Daniel?
Your guidance is much appreciated.
Thank you so much.
I too have run into the issue where the sysvol from windows 2003 std did not replicate over to the windows 2012 r2. Aside from running the non-authoritative restore, is there any other options?
Hi, you can always re-promote the 2012R2 Domain Controller 🙂 But to be serious, no, a non-authoritative restore in this case is the most usable method.
If you wish, you may also ask experts by posting a new thread at my new forum at http://kpytko.pl/forum
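An added example (not code from the original post or its author) of the non-authoritative SYSVOL restore the two replies above recommend, for the FRS case these 2003-level domains are in. It is run locally and elevated on the new DC whose SYSVOL stayed empty, while the old DC still holds a good copy (the earlier reply makes the same point: do this before demoting the 2003 DC). It first refuses to run if SYSVOL has already been migrated to DFS-R, where BurFlags does nothing, checks that the partner actually has policy folders to hand over, sets the D2 flag and restarts NtFrs, then waits for FRS event 13516 and compares the policy folders on both sides. `DC2003` is an assumed partner name; the registry key and event IDs are the documented FRS ones.

```powershell
# Added example, not code from the original post. Non-authoritative FRS SYSVOL restore on the
# new DC (BurFlags = D2), with a guard against running it on a DFS-R SYSVOL. 'DC2003' is assumed.
Import-Module ActiveDirectory
$Partner = 'DC2003'
$zone    = (Get-ADDomain).DNSRoot

# Guard: BurFlags only means something for FRS. A DFS-R SYSVOL needs the msDFSR-Enabled procedure instead.
if ((Get-Service -Name DFSR -ErrorAction SilentlyContinue).Status -eq 'Running' -and
    ((dfsrmig /getglobalstate 2>$null) -match 'Eliminated')) {
    throw 'SYSVOL is replicated by DFS-R here; the FRS BurFlags restore does not apply.'
}

# The source must really hold the policies we expect to receive
$src = @(Get-ChildItem "\\$Partner\SYSVOL\$zone\Policies" -Directory -ErrorAction Stop)
if (-not $src) { throw "No policy folders on \\$Partner\SYSVOL; do not restore from an empty partner" }
"Partner $Partner has $($src.Count) policy folders"

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$since = Get-Date

Stop-Service -Name NtFrs -Force
# D2 = non-authoritative: pull everything from a partner. D4 (authoritative) must never be set on the empty side.
Set-ItemProperty -Path $key -Name BurFlags -Value 0xD2 -Type DWord
Start-Service -Name NtFrs

# 13565 = FRS started initialising SYSVOL from a partner; 13516 = SYSVOL initialised and shared again
$deadline = $since.AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $done = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $since } -ErrorAction SilentlyContinue
} until ($done -or (Get-Date) -gt $deadline)
if (-not $done) {
    throw 'No event 13516 within 15 minutes; look for 13508 (cannot replicate with partner) and check DNS/RPC to the partner.'
}

# Verify: shares are back and the same policy folders exist locally
Get-SmbShare -Name SYSVOL, NETLOGON | Select-Object Name, Path
$local   = @(Get-ChildItem "$env:SystemRoot\SYSVOL\sysvol\$zone\Policies" -Directory)
$missing = @(Compare-Object -ReferenceObject $src.Name -DifferenceObject $local.Name | Where-Object { $_.SideIndicator -eq '<=' })
if ($missing) { "Still missing locally: $($missing.InputObject -join ', ')" } else { "SYSVOL now holds all $($local.Count) policy folders" }
```

Once 13516 has appeared, `dcdiag /test:SysVolCheck /test:Advertising` on the new DC should pass, and only then is it safe to go on with the demotion of the 2003 DC.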
My 2012 R2 DC will reside in a Hyper-V VM. When I install DNS on the DC and change its NIC settings, what do I do about the quandary of the Hyper-V host virtual switch pointing to the old DC for DNS? I realize it could be set to point to the new Hyper-V DC, but if there’s a restart of the host, how can it contact the DC for DNS, as the DC is not available until the host machine/VMs are up and running?
Yes, this is a good case where you need to have another Hyper-V host with an additional Domain Controller with the DNS role, or install a physical machine and promote it to DC with DNS for redundancy to avoid a single point of failure.
But if you do not make your Hyper-V host a member of the domain, just use it as a workgroup member, you would not need to worry about box restarts and contact with AD.
If you would have more questions, please open new thread on my forum at http://kpytko.pl/forum and we’ll try to help you. Raise new topic under Hyper-V category.
iSiek's blog about Microsoft Windows services