Migrating 2003 DC to 2008r2 DC in mixed mode environment



I am currently running 2 DC servers, one is Server 2003, the other is 2008r2. The r2 server is virtual and the 2003 is getting old at this point and is in need of an upgrade. What I'd like to do is migrate the 2003 server to a new physical server running 2008r2 and transfer all of the FSMO roles and set it up as the master DC to replace the 2003 server. What would be the best course of action to do so safely and ensure that the transfer goes smoothly? Are there any complications doing this in a mixed mode environment I need to worry about? From what I've read, this seems like a fairly straightforward process, I just want to make sure I do everything slowly and correctly.

 

I'd like to remove the Server 2003 DC, so that I can replace it with a 2008 R2 server and make it a primary DC/DNS server. The virtual 2008r2 server has been running great for months now and I'd like to keep it as a secondary DC/DNS server. The 2003 DC is currently running AD and DNS.

Any advice as to how I should proceed from here? Is it as simple as doing it in native mode or are there pitfalls I need to be wary of?

 

Thanks in advance for your replies. 

Link to comment
Share on other sites

As you stated it is a straightforward process. 

 

Bring up the new 2008 dc, move the roles over, set up the DHCP scope, and you are up and running on the new dc. Make the new dc the master browser, and disable the master browser off of the old dc. Dcpromo the old dc server out by running dcpromo at a run prompt after the new dc is up and running.

 

As long as you get dns replicating properly, which is very easy to do.  If you get stuck ask.

Link to comment
Share on other sites

The first rule of upgrading Active Directory: Proper backup which is confirmed as functional.

 

 

The second rule of upgrading Active Directory: Confirm your domain controllers and forest are in good health and recently synchronized.  If you have any errors at all, stop with your upgrade plans and fix them first. Don't upgrade a domain that's in an unhealthy state.  Don't promote new domain controllers in a domain that's in an unhealthy state.  Don't demote domain controllers in a domain that's in an unhealthy state.

   "repadmin /showrepl /verbose /all /intersite"

   "dcdiag /v /c /d /e /s:<domain controller>"

 

 

The third rule of upgrading Active Directory: Run "adprep /forestprep", "adprep /domainprep /gpprep", and "adprep /rodcprep" before promoting a higher level server to a domain controller. http://technet.microsoft.com/en-us/library/cc731728.aspx You also should wait until adprep has replicated across your domain controllers, or use "repadmin /syncall /A /E /force" and "repadmin /replicate <destination> <source> <active directory forest distinguished name>" to force replication now. Confirm that replication of adprep is up to date against all DCs with "repadmin /showrepl /verbose /all /intersite" before adding your higher version DC.

 

 

The third rule is technically no longer a rule so long as you are adding a Server 2012 DC, at least so far as adprep goes.

 

 

adprep is located on your new server media.

Link to comment
Share on other sites
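Added example, not part of any post in this thread: a pre-change gate for the "second rule" above that refuses to continue when replication or dcdiag reports problems. It assumes repadmin.exe and dcdiag.exe are on PATH and English-language dcdiag output; it uses `repadmin /showrepl * /csv` (a machine-readable form, not the verbose form quoted in the post), and the function names and the 24-hour threshold are hypothetical.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$Server,  # any reachable DC, passed to dcdiag /s:
    [int]$MaxAgeHours = 24                        # assumed staleness threshold
)

function Get-ReplicationProblem {
    param([int]$MaxAgeHours)
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    # One CSV row per inbound replication link, for every DC in the forest.
    repadmin /showrepl * /csv | ConvertFrom-Csv | ForEach-Object {
        $last = $_.'Last Success Time' -as [datetime]   # $null if never succeeded
        if ($_.showrepl_COLUMNS -eq 'showrepl_ERROR') { $reason = 'DC could not be queried' }
        elseif ([int]$_.'Number of Failures' -gt 0)   { $reason = 'consecutive failures' }
        elseif (-not $last -or $last -lt $cutoff)     { $reason = 'no recent success' }
        else                                          { $reason = $null }
        if ($reason) {
            $_ | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                               @{ n = 'Reason'; e = { $reason } }
        }
    }
}

function Get-DcDiagFailure {
    param([string]$Server)
    # /c = comprehensive tests, /e = every DC in the enterprise (flags from the post above).
    dcdiag /c /e "/s:$Server" |
        Select-String -Pattern 'failed test' |
        ForEach-Object { $_.Line.Trim() }
}

$repl = @(Get-ReplicationProblem -MaxAgeHours $MaxAgeHours)
$diag = @(Get-DcDiagFailure -Server $Server)

if ($repl.Count -gt 0 -or $diag.Count -gt 0) {
    $repl | Format-Table -AutoSize | Out-String
    $diag
    Write-Error 'Directory is not healthy: fix these before adprep, dcpromo or role transfers.'
    exit 1
}
'Replication and dcdiag are clean; confirm a tested backup, then proceed.'
```

Run it before adprep, again after adprep has replicated, and once more before demoting the old DC.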

I did this last year, easy as pie (excepting I moved to 2012). The Exchange bits were the harder parts but even that was relatively easy. :)

 

Just follow what's been laid out above and you'll be golden.(y)

Link to comment
Share on other sites

It isn't that detrimental to verify good health. It does make life very easy if it is in good health. 

 

The third rule will have been already done prior to the existing 2008 r2 dc being added - can't add a 2008 DC to a 2003 AD forest without doing a forestprep and domainprep on the 2003 forest.  I haven't found a way to get around this easily, if the domain hasn't updated between the time that he posted and the time that he reads this there is something really wrong with his domain. 

 

First rule is always have a good backup or good image. Second rule is good practice but isn't necessary as roles can be seized if needed.

Link to comment
Share on other sites

It isn't that detrimental to verify good health. It does make life very easy if it is in good health. 

 

The third rule will have been already done prior to the existing 2008 r2 dc being added - can't add a 2008 DC to a 2003 AD forest without doing a forestprep and domainprep on the 2003 forest.  I haven't found a way to get around this easily, if the domain hasn't updated between the time that he posted and the time that he reads this there is something really wrong with his domain. 

 

First rule is always have a good backup or good image. Second rule is good practice but isn't necessary as roles can be seized if needed.

 

So far as I'm concerned, the best practice in this scenario is the only practice. Seizing a role is an emergency procedure only, when you have no other choice in the matter. Do not rely on it just because you can do it, because you could easily put yourself in a much worse state than if you had taken time to make things healthy before you made major changes.

Link to comment
Share on other sites

Anything broken can be rectified, not my first course of action but it is possible.

 

Bad advice is still bad advice.  Even if you can fix something that is broken, you cannot magically recover data a lost DC never replicated, and some problems can require a skilled engineer to fix. There is no good reason to recommend not following good procedure. Even if you could fix a problem, it doesn't mean other admins can, and they shouldn't have to pay a third party to fix stupid mistakes. 

 

 

Make the new dc the master browser, and disable the master browser off of the old dc.

 

Iceman, this is dead NetBIOS legacy. If you are not supporting Windows 2000 or below, you can probably safely disable the Computer Browser service domain wide. This service has been disabled by default since Vista.  DNS replaced it.

Link to comment
Share on other sites

I meant global catalog.  My lawyers will be standing by for a lawsuit coming from you...ie. sue me.

 

While you can't recover a lost dc that has never replicated, the solution to remove a tombstoned server would apply to remove the lost dc.  If it comes down to it, I can remote in and fix provided that tcpip isn't hosed..I don't charge for my services on this board especially for those willing to learn...I stand by stating if it is broken it can be rectified.

Link to comment
Share on other sites

Turns out I was mistaken at the time of this post, the other server is not 2008r2 but in fact just 2008. Does this pose an issue if I want to replace the 2003 primary dc with a 2008r2 dc? Please advise. 

Link to comment
Share on other sites

  • 1 month later...

There are at least two lessons learned by doing it, how to get yourself out of a jam and how not to do it again (sometimes, you only learn how to get yourself out if you get yourself in...that in itself is a very important lesson to learn).

Link to comment
Share on other sites
