Adding first Windows Server 2008 R2 Domain Controller within Windows 2000 network

 

Prerequisites

Before configuring a Windows Server 2008 R2 Domain Controller within a Windows 2000 network, we need to check that Service Pack 4 is installed on each Domain Controller based on 2000 Server. Additionally, we have to check that the Domain Functional Level is set to at least Windows 2000 native mode.

To verify that the Domain Controllers have the latest Service Pack installed, log on to each of them and type in the run box: winver

Running winver

Check that SP4 is installed.

winver

Alternatively, you can right-click (RMB) “My computer” and choose “Properties”.

My computer - properties

If you don’t want to log on to each DC, you can download PsInfo from the SysInternals Suite and use this syntax for each DC:

C:\SysInternals\Psinfo.exe "Service Pack" \\DC_Name

For example:

C:\SysInternals\Psinfo.exe "Service Pack" \\DC01

PsInfo output

If any of your Domain Controllers does not have SP4 installed, you need to update it.

Now we can check whether the Domain Functional Level of the domain where we want to install the first 2008 R2 DC is set to at least Windows 2000 native mode. To verify that, we need to use the “Active Directory Users and Computers” or “Active Directory Domains and Trusts” console.

Using the “Active Directory Users and Computers” console, select your domain and right-click it. Choose “Properties” and check the domain operation mode.

If you see a screen like this (mixed mode), you need to raise your Domain Functional Level.

Domain Functional Level

But remember, raising the Domain Functional Level is a one-time action and cannot be reverted. Before you raise it to 2000 native mode, ensure that all of your Domain Controllers are running at least Windows 2000 Server.

Windows 2000 native mode does not support DCs based on earlier Microsoft Windows systems such as NT4.

Now that you have checked that you do not have any pre-2000 OS, click the “Change Mode” button

Changing Domain Functional Level

and accept the change. You will be warned that reverting the change won’t be possible!

Warning message

After a successful change, you should see the changed domain operation mode.

Changed Domain Functional Level

Another way to do this is with the Active Directory Domains and Trusts console. Run the console, select the domain whose Domain Functional Level you want to check and choose “Properties”.

Follow the same steps as in the previous console.

Now it’s time to determine which Domain Controller(s) hold(s) the Single Master Operation Roles. The most important ones for preparing the environment for a 2008 R2 DC are:

  • Schema Master
  • Infrastructure Master

On that/those DC(s) we have to run the Active Directory preparation tool.

To determine which DC(s) hold(s) these roles we need to use:

  • Active Directory Users and Computers and Active Directory Schema consoles

or

  • netdom command from Support Tools (Support Tools have to be installed from Windows 2000 Server CD from Support folder)

To determine which DC holds the Schema Master role, run the following from the command line on one of the DCs, or on a workstation with Administrative Tools installed:

regsvr32 schmmgmt.dll

to register the Schema snap-in with the OS.

ActiveDirectory Schema snap-in registration

Now, open MMC console from run box

Running MMC

Within that console add Active Directory Schema snap-in

Adding snap-in into MMC

Right-click the “Active Directory Schema” node and choose “Operation Masters”.

Write down or remember which DC holds the role. Additionally, check its status.

Schema Master owner

Close MMC without saving changes.

Now we need to identify the Infrastructure Master within your network. To do that, open the Active Directory Users and Computers console, select your domain and right-click it. From the pop-up menu, choose “Operation Masters”. Select the “Infrastructure” tab.

Infrastructure Master owner

In my case, both Operation Masters are located on the same DC.

To verify the necessary Operation Masters much faster, we can use the netdom command installed with Support Tools. Open the command line and go to the default installation directory: C:\Program Files\Support Tools

then type: netdom query fsmo

and identify the DC(s) from the output.

netdom Operation Masters check

We have collected almost all the information necessary to start AD preparation for the first Windows Server 2008 R2 Domain Controller. The last and most important part before we start the preparation is checking the Forest/Domain condition by running:

  • Dcdiag (from Support Tools)
  • Repadmin (also from Support Tools)

On a DC where you have installed Support Tools, run in the command line:

dcdiag /v

and check whether there are any errors. If there are, correct them.

An example part of the output from the dcdiag tool:

Part of dcdiag output

Now run in the command line:

repadmin /showreps /verbose

to check that your DCs are replicating data without errors.

repadmin output

After those checks, you can start with Active Directory preparation.
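The prerequisite checks above can be collected into one batch file that keeps the logs and counts failures. This is an added example, not part of the original article; DC01 and DC02 are placeholder names, and it assumes that failure lines in the dcdiag and repadmin output contain "failed test" and "failed" respectively.

```bat
@echo off
rem Added example (not from the original article): pre-adprep health gate.
rem Run on a DC from the Support Tools directory.
rem Assumptions: DC01/DC02 are placeholder names, PsInfo lives in
rem C:\SysInternals as in the article, and failure lines in the dcdiag and
rem repadmin output contain "failed test" and "failed" respectively.
setlocal
set DCLIST=DC01 DC02
set LOGDIR=%TEMP%\adprep-precheck
set PROBLEMS=0
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem Keep a record of the role holders that adprep32 must be run on.
netdom query fsmo > "%LOGDIR%\fsmo.txt"
type "%LOGDIR%\fsmo.txt"

rem Replication status of the local DC, same command as in the article.
repadmin /showreps /verbose > "%LOGDIR%\repadmin.txt"
findstr /i /c:"failed" "%LOGDIR%\repadmin.txt"
if not errorlevel 1 set /a PROBLEMS=PROBLEMS+1

for %%D in (%DCLIST%) do call :checkdc %%D

echo.
if "%PROBLEMS%"=="0" echo No failed dcdiag tests or replication attempts found.
if not "%PROBLEMS%"=="0" echo %PROBLEMS% check(s) reported problems, review the logs in %LOGDIR%
endlocal
goto :eof

:checkdc
echo === %1 ===
rem Service pack level, same PsInfo call as in the article.
C:\SysInternals\Psinfo.exe "Service Pack" \\%1
rem Verbose diagnostics against this DC; the full log is kept for review.
dcdiag /v /s:%1 > "%LOGDIR%\dcdiag-%1.txt"
findstr /i /c:"failed test" "%LOGDIR%\dcdiag-%1.txt"
if not errorlevel 1 set /a PROBLEMS=PROBLEMS+1
goto :eof
```

Any line printed by findstr is a failure to investigate in the matching log file before the schema is touched.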

Active Directory preparation

Before we start preparing AD for new Windows Server 2008 R2 DC, we need to be sure that we are members of:

  • Enterprise Admins group

or

  • Schema Admins group

and that we have the Windows Server 2008 R2 DVD installation media.

Important! Remember that all Windows 2000 Servers are 32-bit only and Windows Server 2008 R2 is 64-bit only, so you need to use the 32-bit version of adprep during the preparation process to extend the Schema successfully.

Let’s start preparing Active Directory for the first Windows Server 2008 R2 Domain Controller.

Log on to the Schema Master owner (we identified it in the previous steps) as a user from one of the groups mentioned above and insert the installation media into the DVD-ROM drive. Open the command line and go to

<DVD-Drive-Letter>:\support\adprep

For example:

d:\support\adprep

You will find two AD preparation tools there:

  • adprep (64-bit application for 64-bit platforms)
  • adprep32 (32-bit application for 32-bit platforms)

We need to use adprep32 on the Schema Master. So, type in the command line:

adprep32 /forestprep

Extending schema

As you can see, adprep informs you that all of your Windows 2000 Domain Controllers require at least SP4 before the schema can be extended.

Warning before schema update

If you followed the previous steps of this article, all of your DCs have SP4 installed. You can continue by pressing the C key and waiting until the AD preparation tool finishes.

Schema extended

The schema in your forest is now extended.

The last step before we can introduce 2008 R2 as a DC is to prepare the domain for it.

Log on to the Infrastructure Master owner as Domain Administrator and insert the DVD installation media into the DVD-ROM drive. Open the command line and, as before, go to the support\adprep directory.

Then type: adprep32 /domainprep /gpprep

Running adprep on Infrastructure Master

and wait until adprep finishes.

Domain prepared for Windows Server 2008 R2 DC

Congratulations! Your domain is now ready for the first Windows 2008 R2 Domain Controller.

You can check that with the ADSIEdit console or the free ADFind command-line tool, which can be downloaded from the Internet.

Open the run box and type adsiedit.msc to open ADSI Editor.

ADSIEdit

Expand the “Schema” node and select the “Schema” container. Right-click it and choose “Properties”. You will see the schema “Attributes” tab. Expand “Select a property to view” and find “objectVersion”.

Schema version

A value of 47 tells you that your Schema version is Windows Server 2008 R2.

Using the adfind tool, run this in the command line:

adfind -sc schver

Schema version
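The same objectVersion check can be repeated against every DC with ldifde, which ships with Windows 2000 Server, to confirm that the schema extension has replicated everywhere before dcpromo is run. This is an added example that goes beyond the single check in the article and is not the author's own code; DC01, DC02 and DC=example,DC=local are placeholders for your DC names and forest root domain.

```bat
@echo off
rem Added example (not from the original article): confirm on every DC that
rem the schema extension has replicated before running dcpromo.
rem Assumptions: DC01/DC02 and DC=example,DC=local are placeholders for your
rem own DC names and forest root domain.
setlocal
set DCLIST=DC01 DC02
set SCHEMADN=CN=Schema,CN=Configuration,DC=example,DC=local
set EXPECTED=47
set BEHIND=0

for %%D in (%DCLIST%) do call :schemaver %%D

echo.
if "%BEHIND%"=="0" echo All listed DCs report schema version %EXPECTED%.
if not "%BEHIND%"=="0" echo %BEHIND% DC(s) not at version %EXPECTED% yet, wait for replication and re-run.
endlocal
goto :eof

:schemaver
rem Remove any stale export so an unreachable DC is not reported as current.
if exist "%TEMP%\schver-%1.ldf" del "%TEMP%\schver-%1.ldf"
rem Export only objectVersion from the schema container on this DC.
ldifde -f "%TEMP%\schver-%1.ldf" -s %1 -d "%SCHEMADN%" -p base -l objectVersion > nul 2>&1
findstr /c:"objectVersion: %EXPECTED%" "%TEMP%\schver-%1.ldf" > nul 2>&1
if errorlevel 1 (
    echo %1: schema version %EXPECTED% not found
    set /a BEHIND=BEHIND+1
) else (
    echo %1: schema version %EXPECTED%
)
goto :eof
```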

Adding first Windows 2008 R2 Domain Controller

Install Windows Server 2008 R2 on your new box and configure its IP address according to your network settings.

Remember that it’s very important to configure the network card settings properly to be able to promote your new box to a domain controller!

The most important part of configuring the NIC is setting up the DNS server(s). Point your new box to one of the existing Domain Controllers where you have installed and configured DNS.

Network card configuration

Log on as local administrator and type in the command line: dcpromo

Running DC promotion tool

Domain Controller promotion will start automatically. If you haven’t installed the Active Directory: Directory Services role before, the wizard will do it at this point.

Active Directory: Directory Services role installation

When the role is installed, you will see the DC promotion wizard. I would suggest using advanced mode during the promotion process, so check “Use advanced mode installation” and let’s start.

dcpromo wizard

We are adding a new DC within an existing forest to the existing domain, so choose the appropriate option and click “Next”.

Adding DC

Type the DNS name of the domain to which you want to add the new domain controller and specify Domain Administrator credentials for the process.

Adding DC

Choose the domain from the list.

Domain for new DC

You will be informed that you won’t be able to install a Read-Only Domain Controller (RODC) in your network because you didn’t use the /rodcprep switch during Active Directory preparation. It’s not relevant here because our network contains 2000 Domain Controllers, which means that the highest possible Forest Functional Level is Windows 2000. Installing an RODC within the network requires at least the Windows 2003 Forest Functional Level. Skip this warning and press “Yes” to continue.

Warning about Read-Only Domain Controller

Select the appropriate site for this Domain Controller and continue.

Install on your new DC:

  • DNS
  • Global Catalog

They’re suggested by default. Continue and start the AD data replication process from an existing DC within the network.

AD data replication

Now you can select the Domain Controller from which data should be replicated or leave the choice to the wizard (use the second option).

DC for AD data replication

Leave the default folders for Directory Services data (or change the paths if you need to).

Folders location

Set the Directory Services Restore Mode password. The password should be different from the domain administrator account’s password and should also be changed periodically.

DSRM mode password

Now you will see the summary screen. Click “Next” and the Domain Controller promotion wizard will start preparing the new DC for you.

Summary screen

To have a fully operational DC, you need to reboot it after promotion. So check the “Reboot on completion” checkbox and wait until it is up and ready.

DC configuration

Your new Windows Server 2008 R2 Domain Controller is now available in your network!

New DC

Give the DC some time to replicate Directory Services data and you can enjoy your new DC.

Post-Installation steps

Now you need to make a few small changes to your environment configuration.

In the NIC properties of each server/workstation, configure an alternate DNS server IP address pointing to the new Domain Controller.

Open the DHCP management console and under server/scope options (depending on your DHCP configuration) modify DHCP option no. 006.

Add the IP address of your new Domain Controller there as a DNS server.

DHCP configuration

It’s done

Author: Krzysztof Pytko



5 responses to “Adding first Windows Server 2008 R2 Domain Controller within Windows 2000 network”

  1. niche content says :

    Oh my goodness! An amazing article, dude. Thank you. However, I am encountering an issue with your RSS. I have no idea why I struggle to subscribe to it. Is anyone else getting the same RSS problem? Anyone who is aware of it, kindly respond. Thanks

     
  2. K_L says :

    Thanks mate. You made my work day so much easier.

     
  3. Anish says :

    Really cool, it's helped a lot

     
  4. Marco says :

    dude I love you

     
