Adding first Windows Server 2008 R2 Domain Controller within Windows 2003 network

 

Prerequisites

To add a Windows Server 2008 R2 Domain Controller to a Windows 2003 network, we first need to check that the Domain Functional Level is set to at least Windows 2000 native mode. The preferred Domain Functional Level is Windows Server 2003. When the domain is in Windows Server 2003 mode, and you have only one domain in the forest or every domain has only Windows 2003 Domain Controllers, you can also raise the Forest Functional Level to Windows Server 2003 in order to use Read-Only Domain Controllers (RODC) within your network.

We check this in the domain where we want to install the first 2008 R2 DC, using either the “Active Directory Users and Computers” or the “Active Directory Domains and Trusts” console.

In the “Active Directory Users and Computers” console, select your domain and click the right mouse button (RMB) on it. Choose “Raise Domain Functional Level” and check the current level.

If you see a screen like this (mixed mode), you need to raise your Domain Functional Level.

Domain Functional Level

But remember, raising the Domain Functional Level is a one-time action and cannot be reverted. Before you raise it to 2000 native mode, ensure that all of your Domain Controllers are running at least Windows 2000 Server.

Windows 2000 native mode does not support DCs based on earlier Microsoft Windows systems such as NT4.

If your environment doesn’t have any NT4 or 2000 Domain Controllers, you can raise the Domain Functional Level to Windows Server 2003 mode.

Now that you have checked that you do not have any pre-2000 OS, select the appropriate level and click the “Raise” button

Raising Domain Functional Level

and accept the change. You will be warned that the change cannot be reverted!

Warning

Information about the successful change will be displayed.

Information

After the successful change, you should see the new domain operation mode.

Verification

Another way to do this is with the Active Directory Domains and Trusts console. Run the console, select the domain whose Domain Functional Level you want to check and choose “Raise Domain Functional Level”.

Follow the same steps as in the previous console.

Here you can also raise your Forest Functional Level if all of the Domain Controllers in the entire forest are running Windows Server 2003. If not, skip the steps below and go to the Single Master Operation Roles section.

To raise the Forest Functional Level, select the “Active Directory Domains and Trusts” node, click RMB on it and choose “Raise Forest Functional Level”. In the list, accept “Windows Server 2003” mode by clicking the “Raise” button.

Raising Forest Functional Level

You will be notified that this action is also irreversible. Confirm that you know what you are doing and then verify that your Forest Functional Level is set to Windows Server 2003.

Forest Functional Level

Now it’s time to determine which Domain Controller(s) hold(s) the Single Master Operation Roles. The most important ones for preparing the environment for a 2008 R2 DC are

  • Schema Master
  • Infrastructure Master

On that DC (or those DCs) we have to run the Active Directory preparation tool.

To determine which DC(s) hold(s) these roles we need to use:

  • Active Directory Users and Computers and Active Directory Schema consoles

or

  • netdom command from Support Tools (Support Tools have to be installed from Windows 2000 Server CD from Support folder)

To determine which DC holds the Schema Master role, run the following in the command line on one of the DCs or on a workstation with Administrative Tools installed:

regsvr32 schmmgmt.dll

to register the Schema snap-in with the OS.

Registration ActiveDirectory Schema console

Now, open MMC console from run box

MMC console

Within that console add Active Directory Schema snap-in

Active Directory Schema snap-in

Click RMB on the “Active Directory Schema” node and choose “Operation Master”.

Write down or remember which DC holds it.

Schema Master owner

Close MMC without saving changes.

Now we need to identify the Infrastructure Master within your network. To do that, open the Active Directory Users and Computers console, select your domain and click RMB on it. From the pop-up menu, choose “Operation Masters”. Select the “Infrastructure” tab

Infrastructure Master owner

In my case, both Operation Masters are located on the same DC.

To verify the necessary Operation Masters much faster, we can use the netdom command installed with Support Tools. Open the command line and go to the default installation directory:

C:\Program Files\Support Tools

then type: netdom query fsmo

and identify the DC(s) from the output

netdom output

We have now collected almost all the information needed to start AD preparation for the first Windows Server 2008 R2 Domain Controller. The last and most important step before we start the preparation is checking the Forest/Domain condition by running:

  • Dcdiag (from Support Tools)
  • Repadmin (also from Support Tools)

Run in the command line on a DC where you have installed Support Tools

dcdiag /v

and check that there are no errors. If there are any, correct them.

An example part of output from dcdiag tool

dcdiag

Now run in the command line:

repadmin /showrepl /all /verbose

to check that your DCs are replicating data without errors.

repadmin

After those checks, you can start with Active Directory preparation.
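
Because the schema extension that follows cannot be undone, the replication check is worth turning into a pass/fail gate. The PowerShell below is an added example, not part of the original article: it reads the CSV form of the same report (repadmin /showrepl * /csv) and lists every link that has failures or a stale last success. The function name, the 24-hour threshold and the sample rows are assumptions.

```powershell
# Added example, not from the original article.
# On a DC, use live data instead of the sample:  $csv = repadmin /showrepl * /csv
# Constructed sample in repadmin's CSV column layout (DC names and times are made up).
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC01,"DC=testenv,DC=local",Default-First-Site-Name,DC02,RPC,0,0,2013-05-10 09:14:02,0
showrepl_INFO,Default-First-Site-Name,DC01,"CN=Schema,CN=Configuration,DC=testenv,DC=local",Default-First-Site-Name,DC02,RPC,0,0,2013-05-10 09:14:02,0
showrepl_INFO,Default-First-Site-Name,DC02,"CN=Schema,CN=Configuration,DC=testenv,DC=local",Default-First-Site-Name,DC01,RPC,7,2013-05-10 09:10:40,2013-05-08 22:01:13,1722
'@ -split "`r?`n"

function Get-ReplicationProblem {
    param(
        [string[]]$CsvLines,
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeHours = 24    # assumption: no successful sync for a day means unhealthy
    )
    $invariant = [Globalization.CultureInfo]::InvariantCulture
    $noStyle   = [Globalization.DateTimeStyles]::None
    $timeFmt   = 'yyyy-MM-dd HH:mm:ss'

    foreach ($row in ($CsvLines | Where-Object { $_ } | ConvertFrom-Csv)) {
        $reasons = @()

        # repadmin marks DCs it could not reach with showrepl_ERROR in the first column.
        if ($row.showrepl_COLUMNS -eq 'showrepl_ERROR') {
            $reasons += 'repadmin could not query this DC'
        }

        # Any non-zero failure count means the link is currently failing.
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        if ($failures -gt 0) {
            $reasons += ('{0} consecutive failures, last status {1}' -f $failures, $row.'Last Failure Status')
        }

        # A link can report zero failures and still be stale, so check the age too.
        $lastOk = [datetime]::MinValue
        $parsed = [datetime]::TryParseExact($row.'Last Success Time', $timeFmt, $invariant, $noStyle, [ref]$lastOk)
        if (-not $parsed) {
            $reasons += 'no successful replication recorded'
        } elseif (($Now - $lastOk).TotalHours -gt $MaxAgeHours) {
            $reasons += ('last success {0:N0} hours ago' -f ($Now - $lastOk).TotalHours)
        }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Reason        = ($reasons -join '; ')
            } | Select-Object Destination, Source, NamingContext, Reason
        }
    }
}

# Fixed clock so the constructed sample always evaluates the same way; omit -Now for live data.
$now = [datetime]'2013-05-10 10:00:00'
$bad = @(Get-ReplicationProblem -CsvLines $csv -Now $now)

if ($bad.Count -gt 0) {
    $bad | Format-List
    Write-Warning 'Replication is not clean: fix these links before running adprep32 /forestprep.'
} else {
    'All replication links are healthy.'
}
```

A failing link on the Schema naming context matters most here, because the schema changes made on the Schema Master have to reach every DC in the forest.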

Active Directory preparation

Before we start preparing AD for the new Windows Server 2008 R2 DC, we need to be sure that we are members of:

  • Enterprise Admins group or
  • Schema Admins group

and that we have the Windows Server 2008 R2 DVD.

Let’s start preparing Active Directory for the first Windows Server 2008 R2 Domain Controller.

Log on to the Schema Master owner (we identified it in the previous steps) as a user from one of the groups mentioned above and insert the installation media into the DVD-ROM drive. Open the command line and go to

 <DVD-Drive-Letter>:\support\adprep

example:

d:\support\adprep

You will find there two AD preparation tools:

  • adprep (64-bit application for 64-bit platforms)
  • adprep32 (32-bit application for 32-bit platforms)

We need to use adprep32 on the Schema Master (because it is a 32-bit OS). If you have 64-bit Windows Server 2003, use adprep instead. So, type in the command line

adprep32 /forestprep

Forest preparation

As you can see, adprep informs you that all of your Windows 2000 Domain Controllers require at least SP4 before the schema can be extended.

Warning

If you followed the previous steps of this article, all of your DCs have SP4 installed or you have no 2000 DCs at all. You can continue by pressing the C key and wait until the AD preparation tool finishes its actions.

adprep32 /forestprep

Your schema in a forest is extended.

You may also wish to run adprep32 /rodcprep if your Forest Functional Level is Windows Server 2003. If not, you can do that at any time in the future.

Preparing environment for RODC

If everything goes fine, you will see no errors.

/rodcprep output

The last step before we can introduce 2008 R2 as a DC is to prepare the domain for it.

Log on to the Infrastructure Master owner as Domain Administrator and insert the DVD installation media into the DVD-ROM drive. Open the command line and, as before, go to the support\adprep directory.

Then type adprep32 /domainprep /gpprep

Preparing domain

and wait until adprep finishes its actions.

Congratulations! Your domain is now ready for the first Windows 2008 R2 Domain Controller.

You can check that by using the ADSIEdit console or the free ADFind command-line tool, which can be downloaded from the Internet.

Open the run box and type adsiedit.msc to open ADSI Editor

Running ADSIEdit

Expand the “Schema” node and select the “Schema” container. Click RMB on it and choose “Properties”. You will see the schema “Attribute Editor” tab. Check “Show only attributes that have values” and search for the “objectVersion” attribute.

Verifying schema version

Value 47 tells you that your Schema version is Windows Server 2008 R2

Using the adfind tool, run this syntax in the command line

adfind -sc schver

Verifying schema version

Adding first Windows 2008 R2 Domain Controller

Install your new box with Windows Server 2008 R2 and configure its IP address according to your network settings.

Remember that it’s very important to configure the Network Card settings properly to be able to promote your new box to a domain controller!

The most important part of configuring the NIC is setting up the DNS server(s). Point your new box to one of the existing Domain Controllers where you have installed and configured DNS.

Network card configuration

Log on as local administrator and type in the command line: dcpromo

Running dcpromo

Domain Controller promotion will start automatically. If you haven’t installed the Active Directory: Directory Services role before, the wizard will install it at this point.

Active Directory: Directory Services role

When the role is installed, you will see the DC promotion wizard. I would suggest using advanced mode during the promotion process. So, check “Use advanced mode installation” and let’s start.

Domain Controller promotion wizard

We are adding a new DC to an existing domain in an existing forest, so choose the appropriate option and click “Next”

Adding new DC into existing domain

Type the DNS name of the domain to which you want to add the new domain controller and specify Domain Administrator credentials for the process

Adding new DC into existing domain

Choose the domain from the list

Adding new DC into existing domain

If you didn’t previously use the /rodcprep switch with adprep, you will be notified that you won’t be able to add Read-Only Domain Controllers. To install an RODC within the network, at least Windows 2003 Forest Functional Level is required, and you can run /rodcprep later (before the first RODC installation). Skip this warning and press “yes” to continue.

RODC warning

Select appropriate site for this Domain Controller and continue.

Install on your new DC:

  • DNS
  • Global Catalog

They’re suggested by default. Continue and start the AD data replication process from an existing DC within the network.

Adding new DC into existing domain

Now you can select the Domain Controller from which data should be replicated, or leave the choice to the wizard (use the second option)

Adding new DC into existing domain

Leave the default folders for Directory Services data (or change the paths if you need to)

Adding new DC into existing domain

Set the Directory Services Restore Mode password in case you need to use this mode. The password should be different from the domain administrator account’s password and should also be changed periodically.

DSRM password set up

Now you will see the summary screen. Click “Next” and the Domain Controller promotion wizard will start preparing the new DC for you.

Summary screen

To have a fully operational DC, you need to reboot it after promotion. So, check the “Reboot on completion” checkbox and wait until it is up and ready.

Installing Directory Services

Your new Windows Server 2008 R2 Domain Controller is now available in your network!

New DC available

Give the DC some time to replicate Directory Services data and you can enjoy your new DC.

Post-Installation steps

Now you need to make a few small changes to your environment configuration.

In the NIC properties of each server/workstation, configure the alternate DNS server IP address to point to the new Domain Controller.

Open the DHCP management console and, under server/scope options (depending on your DHCP configuration), modify option no. 006

Add the IP address of your new Domain Controller there as a DNS server.

DHCP reconfiguration

It’s done

Author: Krzysztof Pytko


117 responses to “Adding first Windows Server 2008 R2 Domain Controller within Windows 2003 network”

  1. Bino says :

    Great!!!!

    I would like to know how to add the first Windows Server 2008 R2 Domain Controller within a Windows 2008 network

     
  2. Matt D says :

    Thank you very much for this guide – I have used it from start to finish and it has been incredibly detailed and helpful. A big thank you for all the screen captures and time you have taken to put this together!

     
  3. kote says :

    Thank you very much. This guide helped me so much.

     
  4. Johnston says :

    Thank you for posting this guide. You cut to the steps I needed.

     
  5. Don says :

    Thank you so much for the guide 😀

     
  6. JoyousMN says :

    Really helpful, I had a few errors along the way that I had to solve, but your guide worked great.

     
  7. Stuart says :

    Once I have done the above, how do I retire the original 2003 DC? Great instructions. Thank you

     
  8. Michael says :

    Extremely helpful info. Exactly what I was looking for. Thanks.

     
  9. tscribner@gmail.com says :

    Great guide! Thank you so much!

     
  10. jflavin says :

    Excellent technote. I had completed most of the tasks by searching through a lot of Microsoft technotes. If I had found this article first it would have saved me a lot of time. Thanks

     
  11. Steven says :

    We have a single forest with 3 domains – US, Europe and Asia.

    For your US and Europe domain they already have win 2008 R2 domains up and running. The forest DC is located at US. Where as for Asia, we only have 2 DCs on windows 2003.

    The current DNS is using AD integrated.

    Questions:
    1) If I need to add a new DC with windows 2008 R2 on Asia domain with 2 DCs on windows 2003, do I need run the adprep preparation on schema master and infrastructure master? Note: The US and Europe in the same forest already have windows 2008 R2 domain running.

    2) During the dcpromo, do I need to update the DNS with delegation?
    The existing 2 DCs on windows 2003 already have DNS running. Will the dcpromo detect it and perform the necessary action.

    Thanks
    Steven

     
    • iSiek says :

      Hello Steven,

      so, I will try to shortly explain you necessary steps.

      AD1) In case that you would like to add the first Windows Server 2008R2 Domain Controller in Asia domain where you have only Windows Server 2003 DCs, you need to run

      for 2003 64bit DC
      adprep /domainprep
      or in case that 2003 DC is 32bit
      adprep32 /domainprep

      on a Domain Controller with Infrastructure Master operation master role for Asia domain. To identify which DC holds that role, just log on to any DC in Asia and type in command-line
      netdom query fsmo

      You will see on which server you have to run adprep command. Unfortunately, Windows Server 2003/2003R2/2008/2008R2 does not detect automatically necessary operation master roles, that’s why you need to do that manually before you can start promoting the first Windows Server 2008R2 DC in Asia domain.

      You may ask why? Because, as you know we have 5 FSMO roles, 2 of them are forest-wide (Schema and Domain Naming) and 3 are domain-wide (PDC, RID, Infrastructure). Domain-wide roles mean that each domain in a forest has its own unique FSMO roles. Schema and Domain Naming are common for each domain in a forest but the rest is unique in each domain.

      You mentioned that you ran adprep in US and Europe but not in Asia. What does it mean from administrative point of view?
      When you ran adprep /forestprep in US domain then you prepared (extended) schema for new 2008R2 DCs. Schema is unique per forest and the rest domains have just read-only copy for that operation master. All changes were replicated between all domains in a forest and Schema is unique in the forest, so there is no need to run adprep /forestprep in the rest domains.

      Additional switch /domainprep of adprep is required in each domain of the forest in which you want to promote new Windows Server 2008R2 as Domain Controller because each domain has its own Infrastructure Master operation master role. You need to prepare your environment for that DCs at 2 stages:
      – forest by extending schema
      – domain by preparing each domain for new DCs by configuring Infrastructure Master

      US and Europe have already run adprep /domainprep on their DC with Infrastructure Master role. If nobody did that in Asia, you have to do that now, before you can continue. But don’t worry if you do not know if it was done earlier. If not, you just simply do that (during DC promotion you will be informed that your Infrastructure Master is not prepared) or if it was done, you can simply run command once again, it won’t un-adprep environment. In this case, you should see a message that /domainprep is not necessary as it was performed before.

      So, to summarize. Adprep /domainprep is required on every domain (in which you want to introduce the new DC) on Infrastructure Master but adprep /forestprep is required only once per forest on a Schema Master.

      AD2) Regarding your existing DNS servers, the shortest answer is no 🙂 Why? Because your AD-I DNS zones already exist and you do not create any new ones. You are just simply introducing the new DC with DNS role. AD-I zones are automatically replicated to all Domain Controllers with DNS role installed (if you started from 2003 DCs or when you changed that after removing Windows Server 2000 DCs in which AD-I zones were replicated to all DCs). All defined delegations are preserved, don’t worry, you don’t have to do anything else, unless you define new DNS zone namespace (by adding it in DNS or by adding the additional domain).

      If I would recommend you something, I strongly encourage you to configure your new Windows Server 2008R2 Domain Controllers in Asia domain as DNS servers and also as Global Catalogs.

      I hope I could help you somehow and you would be able to introduce 2008R2 DCs in Asia domain.

      Regards,
      Krzysztof

       
      • Steven says :

        Thanks for the reply. Do we have to install the Active Directory Domain Services role first?

        I have installed that but I found that Active Directory Domain Services, Intersite Messaging and Kerberos Key Distribution Center services are not started?

        Do I need to dcpromo first? Thanks.

         
        • iSiek says :

          No problem, you’re welcome 🙂

          No, you don’t have to install AD:DS role first (but you can if you wish). The most important part of that is running dcpromo. It installs AD:DS role itself (if it is not present) then it starts promoting server to Domain Controller. But remember, if you install AD:DS role by yourself, you need to use dcpromo anyway to properly promote server to DC.

          Regards,
          Krzysztof

           
  12. Steven says :

    Krzysztof,

    Thank you very much. I have managed to get it work. Great guide.

     
  13. Rubina says :

    Hi Krzysztof,

    Can I use the same ip address which you mentioned in your Network Card settings? My ISP is providing me dynamic IP. I am not sure about the static IP address.

    Thanks

    Rubina

     
    • iSiek says :

      Hey Rubina,

      yes of course you can use also the same static IP I used in my article. But everything depends on your scenario 🙂
      Please tell me more what you want to do? As public IP address for Domain Controller(s) is not a good idea for security reason :]

      If you are playing with virtual software like VMWare, Hyper-V or other like Oracle VirtualBox, you can use any IP address. Everything depends on your virtual network card configuration.
      Public IP address should be set up only on your edge router on which you have configured NAT and/or port forwarding/redirection. Domain Controllers should always use the internal IP range to disallow accessing them from the Internet.

      Could you write something more about your case, please? I will try to help you setting up an environment.

      Regards,
      Krzysztof

       
  14. Rubina says :

    Hi Krzysztof,

    Thank you very much for your quick reply. 🙂

    I am using windows server 2008 R2 only for learning purpose. I already installed vmware workstation 9.0 on my PC. I will use the same ip address as your article and I will post the result soon.

    Thanks

    Rubina

     
  15. Rubina says :

    Hi,

    When I run dcpromo it show me the following error:

    An Active Directory domain controller for the domain “testenv.local” could not be contacted.

    Ensure that the DNS domain name is typed correctly.

    If the name is correct, then click Details for troubleshooting information.

    ————————
    After I installed windows server 2008 R2, I run “dcpromo” but before that I changed the ip address according to the article inside

    Internet Protocol Version 4 (TCP/IPv4) properties —- >(Under VMware control panel )

    Any suggestion?

    Thanks

    Rubina

     
    • iSiek says :

      Hey Rubina,
      can you tell me please what kind of virtual network card have you used for that VM?
      I would suggest to use vNIC “Host-only” and then try again. Of course change back those settings you have done over Control Panel on VMWare

      Very important part for the first Domain Controller is setting up only one DNS server with 127.0.0.1 IP address
      After that, please try promote server as DC again.

      In case of any further issue, please let me know. We will try to fix that 🙂

      Regards,
      Krzysztof

       
  16. Rob says :

    We are looking at introducing our first Windows 2008 DC into an existing Windows 2003 AD Infrastructure. I am comfortable with everything you have listed here (great guide and tallies up with other sources I have used and my own testing / experience)
    I have a query with regards to changing the DHCP scopes for each scope to point to the new IP of the Windows 2008 DC.
    We have multiple scopes (150+). Is there any way of changing Option 006 (DNS) to the new IP of the Windows 2008 DC?

    or would it be better to:
    1. transfer fsmo roles to new windows 2008 domain controller(s)
    2. change IP of existing DHCP server (eek) and at the same time changing IP of Windows 2008 DHCP server to previous 2003 DHCP server.

     
    • iSiek says :

      Hello Rob,

      thank you for reading an article on my blog and for nice words 🙂

      Going back to your question. Yes, it is possible to change an option without manual change on each scope. For that you may use Windows netsh command-line tool

      However, this is much more simple to migrate 2003 DHCP database to 2008 new DHCP server over dump option. This exports all current DHCP configuration from 2003 server into plain text file. You may simply remove/modify options there and import on your new DHCP server.

      So, modify optionvalue 006 or 6 (depends how it would be exported), modify server name from the old one to the new one and import config file on your new DHCP server over netsh exec

      Here, you can find an MS article for that (use the second option with dump)
      http://support.microsoft.com/kb/962355

      One more important thing. Enable on your new DHCP server on ipv4 on “Advanced” tab Conflict Detection Attempts to 2-3
      This will prevent from issuing used IP addresses in your network (mostly, turned off devices would be treated as IP is released) and IP conflict should not arise.

      If you have more questions, do not hesitate to ask

      Regards,
      Krzysztof
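
The dump-and-edit approach described in the reply above, sketched in PowerShell as an added example (not part of the original thread or the linked Microsoft article). It rewrites the server name and every option 6 value in a netsh dhcp server dump file; the function name, server names, addresses, file paths and the exact shape of the sample dump lines are assumptions, so compare them with your own export first.

```powershell
# Added example, not from the original thread.
# Create the input on the old server with:  netsh dhcp server dump > C:\dhcp2003.txt
# then load it with:                         $dump = Get-Content C:\dhcp2003.txt
# Constructed sample in the shape of such a dump (names, scopes and addresses are made up).
$dump = @'
Dhcp Server \\dc2003.testenv.local add scope 10.0.1.0 255.255.255.0 "Floor 1" ""
Dhcp Server \\dc2003.testenv.local Scope 10.0.1.0 set state 1
Dhcp Server \\dc2003.testenv.local Scope 10.0.1.0 set optionvalue 3 IPADDRESS "10.0.1.1"
Dhcp Server \\dc2003.testenv.local Scope 10.0.1.0 set optionvalue 6 IPADDRESS "10.0.0.10"
Dhcp Server \\dc2003.testenv.local Scope 10.0.2.0 set optionvalue 006 IPADDRESS "10.0.0.10" "10.0.0.11"
Dhcp Server \\dc2003.testenv.local Scope 10.0.2.0 set optionvalue 66 STRING "pxe.testenv.local"
Dhcp Server \\dc2003.testenv.local set optionvalue 6 IPADDRESS "10.0.0.10"
'@ -split "`r?`n"

function Convert-DhcpDump {
    param(
        [string[]]$Lines,
        [string]$OldServer,       # exactly as written in the dump
        [string]$NewServer,
        [string[]]$DnsServers     # new option 6 list, in order of preference
    )
    # Only rename the server token that directly follows "Dhcp Server".
    $serverRx = '^(\s*Dhcp Server )' + [regex]::Escape($OldServer) + '(?=\s)'
    # 0*6 accepts "6" and "006"; requiring " IPADDRESS" right after keeps options 60, 66 etc. out.
    # The optional "Scope x.x.x.x" group covers both scope-level and server-level options.
    $dnsRx    = '^(\s*Dhcp Server \S+ (?:Scope \S+ )?set optionvalue 0*6 IPADDRESS)\s.*$'
    $dnsList  = ($DnsServers | ForEach-Object { '"{0}"' -f $_ }) -join ' '
    $dnsHits  = 0

    $out = foreach ($line in $Lines) {
        $new = $line -replace $serverRx, ('${1}' + $NewServer)
        if ($new -match $dnsRx) {
            $new = $new -replace $dnsRx, ('${1} ' + $dnsList)
            $dnsHits++
        }
        $new
    }

    New-Object PSObject -Property @{
        Lines           = @($out)
        DnsLinesChanged = $dnsHits
    }
}

$params = @{
    Lines      = $dump
    OldServer  = '\\dc2003.testenv.local'
    NewServer  = '\\dc2008.testenv.local'
    DnsServers = '10.0.0.20', '10.0.0.10'    # new 2008 R2 DC first, existing DC second
}
$result = Convert-DhcpDump @params

# Review every changed line before importing anything.
Compare-Object $dump $result.Lines | Format-Table -AutoSize
'Option 6 lines rewritten: {0}' -f $result.DnsLinesChanged

# netsh reads plain ANSI text, so avoid PowerShell's default Unicode redirection.
$result.Lines | Set-Content -Encoding ASCII (Join-Path $env:TEMP 'dhcp2008.txt')
# On the new DHCP server, import the reviewed file with:  netsh exec <path>\dhcp2008.txt
```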

       
  17. Shawn says :

    Hi, we have one server running windows 2003 standard edition in my bangkok office, subnet 10.0.0.xx .. and recently we have purchase a new server in singapore runnng windows 2008 Foundation R2, subnet 192.168.1.x.

    We have employees in both Bangkok and Singapore office.

    IPSec VPN was configured on our firewall so right now both my bangkok and singapore office are able to connect to each other directly without manually VPN.

    A couple of questions and hope you can advise:

    1)Is it okay for windows server 2003 to act as the main DC while Windows server 2008 R2 to act as backup domain controller? What kind of impact will it be?

    2) My boss would like my singapore server to act as a backup domain controller, is it the same method to use for backup domain controller? If not, any steps which need to be edited and advise?

    3) Once I raised the domain functional level, do I need to run adprep /forestprep and adprep /domainprep on the windows server 2003, or should I just run this command on my new Windows 2008 R2 server or both?

    4) when configuring the DNS, should the DNS point to the windows server 2003 in bangkok or the new Windows server 2008?

    Thanks for your time and your instructions is great!

     
    • iSiek says :

      Hi Shawn,

      unfortunately, you cannot use Windows Server 2003 as FSMO role holder with Windows Server 2008R2 Foundation as this is not supported scenario. 2008 R2 Foundation Domain Controller must be at the top of the forest configuration and it must hold all FSMO roles. In other case, you would notice periodical server reboots (every one hour). For more about that, please read Microsoft article on Technet at http://technet.microsoft.com/en-us/library/dd744832%28v=ws.10%29.aspx

      I hope it would clarify you the case

      Regards,
      Krzysztof

       
  18. Shawn says :

    Hi Krzysztof, sorry it is me again..

    Since my bangkok ip starts with 10.0.0.xx and my singapore internal ip is 192.168.1.x .. Do i need to set my ip as 10.0.0.xx in my singapore office? Will it make any different if i remains as it is?

    Also on the DHCP, do i need to export the DHCP files from my bangkok to my singapore server?

    Apologise for troubling you.

     
    • iSiek says :

      Hi Shawn again 🙂

      no, you don’t have to use the same IP scheme for both locations. Just ensure if your routing is configured properly and these 2 locations see each other. I would leave that as it is and in case of the same domain, I would define separate Sites and Subnets for them. More about Sites, Site Links and Subnets in Microsoft article at http://technet.microsoft.com/en-us/library/cc754697%28v=ws.10%29.aspx

      You don’t have to move DHCP server from one location to another. You are able to run 2 DHCP server, one per Site with appropriate scope(s) configuration.

      But remember (as I wrote in previous answer), you cannot run 2003 and 2008R2 Foundation in mentioned configuration. That’s the limitation of Foundation version of Windows. You need to buy at least Standard to accomplish your scenario.

      Regards,
      Krzysztof

       
  19. Shawn says :

    Thanks Krzysztof, I would like to know what is the reason which foundation version limits my scenario .. Pardon me for my ignorance. You mentioned that the foundation 2008 must be the top forest and hold all FSMO. I read the link you gave (thanks a lot :) but I still do not understand what limits the foundation version other than it can only support 15 AD users. And why I need at least standard 2008 to meet my scenario?

    You are a great IT guru! 🙂

     
    • iSiek says :

      Shawn, this is all about money 🙂

      Foundation is much cheaper than Standard Windows Server version. When you would be able to simply switch FSMO roles from Foundation DC to Standard DC then limits about 15 users would be deactivated and you are no longer limited with number of users 🙂 That’s why Microsoft disallowed for that. When FSMO roles are on Foundation DC then you are still limited to 15 users in your domain environment. Of course, you can add additional DCs for redundancy but those roles must be held on foundation DC to keep limits.

      This is the same for Small Business Server (SBS) edition. As they are cheaper than “higher” Windows editions and (SBS) offers more features like Exchange, SQL which you need to buy separately for Standard and other Windows versions.

      That’s reasonable, because you would be able to buy one more expensive OS (i.e. Standard) and then use only Foundation servers 🙂 Microsoft does not agree for that and you need to accept the terms of usage. Thanks to that, you may buy cheaper and legal OS to your institution.

      I hope it’s much more clear, now 🙂

      Regards,
      Krzysztof

       
      • Shawn says :

        Hi Krzysztof, thanks for the explanation… So am I right to say that because foundation 2008 only limits to 15 AD users; in this case my scenario is not going to work?

        So adding DC on a new 2008 server means that all the Active Directory on the main server will be imported to the new server as well?

        Also, We will also need to setup this new server as website and applications and SQL. Will there be any problem doing so?

        Thanks for your time.

         
        • iSiek says :

          Hi Shawn,

          yes, you’re right. Foundation version limits you to have maximum 15 users and when you combine these DCs into one domain, AD database would be replicated between them. All the same configuration is available on both DCs then. But you have to have all FSMO roles on Foundation DC to prevent server restarts.

          The next question about other roles, I would not put them on any DC. If it is possible just use dedicated server for that. This is not good idea to put other roles than AD and DNS on a DC server. This might be a security issue or it might cause potential issues. Microsoft does not recommend using DC as other ( i.e. application ) server. You would have much more work when you put IIS and SQL on your DC. My suggestion is to have separate server for that 🙂

          I hope you would choose the right direction and you would convince your boss to buy another HW or create VM for IIS and SQL 😉

          PS. Shawn, thank you for your kind words 😀

          Regards,
          Krzysztof

           
  20. Shawn says :

    Hi Krzysztof, if that is the case, what is your advice and recommendation (other than upgrade to windows server 2008 standard)? 🙂

    We intend to setup a business continuity plan in case if either of our office was shut down due to riot, fire etc and users had to work from home to connect to our server? We also need to ensure our website / database is up when client/user connects to them.

    We will want such that, each server are like a mirror to each other, so in case of any outbreak, we can switch our DNS to point to the another server.

    We are only using IIS and SQL server on the server. I am more concerned with getting our website and database online ASAP in case of any of this event occurs.

    Thanks for your precious advice and God bless your Family. 🙂

     
    • iSiek says :

      Hi Shawn,

      have you considered using NLB or clustering for that purposes ? You would be able to split cluster nodes between server room locations to prevent single point of failure. However, you need to remember that moving resources between locations might require faster WAN link speed to allow fast resources movement and this link must be reliable

      Regards,
      Krzysztof

       
  21. sanjoe says :

    Hi,
    Your blog has very good information.

    I want some more information. I wanted to setup a child domain in an existing forest with only first root domain controller. (All are windows server 2008 r2 servers)

    I wanted to know the pre-requisites for the below.
    1. Network configuration settings for primary DC & the new server where i want to install child domain
    2. Do I need to join the new server to the domain before I can install child domain?
    3. Do I need to have the domain functional level at 2008 r2 or 2003?
    4. Can I have my firewalls enabled on the primary DC & the new server?

     
    • iSiek says :

      Hi,

      thank you! 🙂

      Regarding your case:

      AD1) Network configuration settings on your existing DC in the existing domain should not be changed at all. Your new server for the very new domain, should have its own IP address and you should configure only primary DNS server for it pointing to DNS server in forest root domain (existing AD/DNS server) only.

      AD2) No, you do not have to join the server into domain first. Just after NIC configuration, run dcpromo to initialize server promotion.

      Important! You need to have an Enterprise Administrator account to do that as you are creating new domain.

      AD3) Domain Functional Level of the new domain depends on your current Forest Functional Level. FFL determines the lowest possible DFL, so you need to check that first. You may check an article about Domain and Forest Functional Levels on my blog

      AD4) I would deactivate Windows firewall for that and use only physical one but normally, you don’t have to worry as necessary ports should be already opened. However, you need to verify if your physical firewall allows for these ports
      http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls-en-us.aspx
      http://support.microsoft.com/kb/179442

      Regards,
      Krzysztof

       
  22. Maxwell says :

    Thank you, I never knew about the last step of adding your server as a dns server

     
  23. Shawn says :

    Hi Krzysztof, it is me again.. if we upgrade from Windows Foundation 2008R2 to Windows Standard 2012R2, is there any direct upgrade or do we have to start/install from scratch? Thanks for your time my friend. Take care and wish you a blessed xmas

     
    • iSiek says :

      Hi Shawn,

      unfortunately, you cannot do an in-place upgrade from 2008R2 Foundation to Windows Server 2012. However, I would not recommend doing any in-place upgrades as they may cause some issues later. It is always better (if possible) to have a clean installation and, after that, data migration. That’s a much safer option.

      You take care too and Merry X-mas to you too

      Regards,
      Krzysztof

       
  24. Vili says :

    You are incredible!!!Thanks for your guide and detailed explanation of everything!!!

     
  25. George Wang says :

    appreciate for your perfect job and help!!!

     
  26. shawn says :

    Hi iSiek, thanks for your great advice and insights.

    A bit of a sidetrack… I would like my server to have multiple names / netbios. I read that there are ways to do so by editing the registry and adding CNAME on the DNS server. Not sure what is your opinion or any better advice on this?

    So when i enter my server name either ‘td-sg’ or ‘td-bkk’ internally, it will direct to my server

    if you can show me steps that will be good. 🙂

    Merry xmas my friend. If you coming to singapore one day i will treat you for a good meal. 🙂

     
    • iSiek says :

      Hi Shawn,

      sorry for the delayed answer, I was busy.
      Yes, this is a good idea to use more host names (A) or aliases (CNAME) for your server. It is much easier to manage resources that way. You may also consider using a separate IP address per resource on that server and put it into NIC’s configuration. When you move a resource to another server, you may simply migrate its IP address too.

      However, if you wish to use multiple CNAME or A records, you need to make some simple registry setting modification. You have to disable DisableStrictNameChecking in registry.
      Please follow this MS guide at http://technet.microsoft.com/en-us/library/ff660057%28v=ws.10%29.aspx and everything would be fine.

      Late Merry Christmas to you too and Happy New Year 🙂

      The same to you, when you visit Wroclaw in Poland, just let me know 😀

      Regards,
      Krzysztof

       
  28. Shelving Units says :

    I was excited to find this website. I need to to thank you for ones
    time for this particularly wonderful read!! I definitely savored every bit of
    it and I have you book marked to see new information on your website.

     
    • iSiek says :

      Thank you very much for reading my blog and for being a part of it!
      I’m working on new posts and I hope that they would be published soon.

      Happy New Year!

      Regards,
      Krzysztof

       
  30. shawn says :

    Hi Krzysztof,

    I am sorry to sidetrack the title of this blog and I really need your expertise and advice on this.

    We have bought a Hyper-V Dell server and set up 2 VMs on this machine

    Everything works fine, but when I log in using the domain administrator via RDP to these 2 VMs, it takes 2 mins to log in (waiting at the “Welcome”).

    Logging in locally takes only 10 secs.

    I have tried to find answers on this, however with no results. These 2 VMs were newly installed and not much software has been installed.

    can you please advise?

    Thanks,
    Shawn

     
    • bobebuk says :

      Most issues with logins are DNS related, I would ensure you are not using ISP DNS and ensure that your vms are pointing to the domain controller(s) IP addresses.

      If these are ok, have a look of the user profiles of the accounts you are logging in with, are the paths accessible and have correct permissions.

      Is there a locally cached profile or is this being deleted so is it having to create a new profile each login ( this will take a minute or two)

       
    • bobebuk says :

      Check DNS of the servers you are logging into, ensure points to domain controllers ip
      Check profile path of user accounts and permissions of profiles if any

       
  31. Gerald says :

    Hey I would like to ask: I have 1 primary domain controller W2k3 and a secondary domain controller, W2k3. If I have already done an adprep32 forest and gpprep on the primary domain controller, I would be able to add the Windows 2008 standard 64 bit as a backup domain controller and decommission the W2k3 domain controller. Right? Any concern for a W2k3 as a Primary DC and a backup domain controller Windows 2008 standard?

     
    • iSiek says :

      Hey,

      yes you are right. When you use adprep32 from your Windows Server 2008 DVD then you would be able to promote your first Windows Server 2008 Domain Controller. There is no known issue with concurrent Windows Server 2003 and 2008 Domain Controllers. I would only recommend transferring all FSMO roles from 2003 DC into Windows Server 2008 as this is Microsoft best practices to hold FSMO roles on DC with the newest operating system.

      When you transfer PDC Emulator role to another DC then you also need to advertise new time server in your forest/domain
      Please refer to these MS articles
      http://technet.microsoft.com/en-us/library/cc786897%28v=ws.10%29.aspx
      http://technet.microsoft.com/en-us/library/cc738042%28v=ws.10%29.aspx

      Regards,
      Krzysztof

       
      • Gerald Hoe says :

        I’m having an error on the dns server on my secondary domain controller. Using nslookup on my primary domain controller, it displays ****Cannot find server name for address 10.200.10.xxx: Non-existent domain.

        But on my secondary domain controller using nslookup->name, it displays my primary domain controller with its address.

        DNS request timed out (was 2 sec)
        Request to primary domain timed-out

        Please note i have done the adprep /forest and gp prep on your article, I have yet to add the Windows 2008 R2 to my domain.

        What is wrong?

         
        • iSiek says :

          Hm, looks strange. Have you run dcdiag tool before you started? If not, please run it on your Domain Controller in command-line

          dcdiag /e /c /v /f:c:\dcdiag.log

          and review output file if there are no errors. In case that you have too many DCs in your domain environment, please skip /e switch

          Additionally, can you tell me please how did you configure DNS settings on those machines in NIC properties?

          Thank you in advance

          Regards,
          Krzysztof

           
  32. S_G8 says :

    Great Article …..Thanks

     
  33. Gerald Hoe says :

    It’s ok now. I have added a reverse ptr to my secondary domain controller. I wonder why it disappeared.

     
  34. Serkan says :

    Extremely useful information, thank you very much, sir.

     
  35. monstars to go Schlüsselanhänger says :

    After I initially commented I appear to have clicked on the -Notify me when new comments
    are added- checkbox and now each time a comment is added I receive four
    emails with the exact same comment. There has to be a way you
    are able to remove me from that service? Appreciate it!

     
    • iSiek says :

      Hi,

      I’m sorry but I also could not find any option to unsubscribe you from receiving new comments of this post

      Regards,
      Krzysztof

       
  36. Praz says :

    Dear Krzysztof,

    Greetings from Australia 🙂

    This is the exact guide I was looking for. I have got windows 2003 infrastructure and I am planning to introduce windows 2008 R2 as back up domain controller to provide redundancy. Thanks for your great work.

    Just to clarify in case my primary DC2003 went offline new 2008 RD will provide redundancy for my network is that right?

    I have plan to retire primary 2003 DC later stage though.

    Thanks heaps again

    PrazAU

     
  37. Praz says :

    Dear Krzysztof

    In the Windows Server 2008 R2 installation process I am getting an error

    “To install a domain controller in this active directory domain, you must first prepare the domain using “adprep /domainprep””

    What have I missed here? I did everything according to the guide, including adprep32 /forestprep

    I will Google for some help while you get back to me

    Thanks
    PrasAU

     
  38. Praz says :

    Dear Krzysztof

    I found it. As usual I have missed the Infrastructure Master update on Server 2003 and there is no error anymore

    Thanks heaps

    PrasAU

     
    • iSiek says :

      Great! I’m glad you found this issue 🙂
      I’m sorry for delayed answer but I was really busy and I could not participate in life of community

      Regards,
      Krzysztof

       
  39. Mujahid says :

    Hi Krzysztof,
    I have two Windows 2003 DCs (Primary and Secondary) in my network. I would like to migrate to Windows 2008 DCs with new hardware and remove old 2003 servers but most importantly I would like to keep the same IP addresses for the DCs. May I know the migration procedure for that?
    Thanks for your support.
    Mujahid

     
    • iSiek says :

      Hello Mujahid,

      yes of course you can 🙂 This requires a little bit more work but this is possible.
      First of all, you need to deploy Windows Server 2008/2008 R2 Domain Controllers with new names and new IP addresses (You may find article for that process on my blog).
      At this point it is really important to install DNS services on both DCs and make them Global Catalogs too.

      After all, you have to transfer FSMO roles to the new DC, advertise new time server in your forest/domain, wait for replications and decommission those old Windows Server 2003 DCs. Uninstall DNS services from them also.

      When you are sure that replication took place, please ensure if your new DCs have configured DNS settings properly under NIC’s properties. They should point to new DNS servers only!

      Now, you may start decommissioning the old Domain Controllers. After that, change IP address on the first Windows Server 2008/2008 R2 Domain Controller and open elevated command-line. Type below commands to refresh your DNS configuration for DC changes:

      ipconfig /flushdns
      dcdiag /fix
      nltest /dsregdns
      ipconfig /registerdns
      net stop netlogon
      net start netlogon

      or instead of using net stop and net start commands, reboot your Domain Controller. Check if communication between your DCs is working fine, then verify replication. When you have no issues then you may start the same procedure for the next Windows Server 2008/2008 R2 Domain Controller.

      If you have any other questions, do not hesitate to ask me

      Regards,
      Krzysztof

       
      • BuddyD says :

        Greetings Krzysztof,

        We have 3 DC’s, 2 running Win2008R2 and the 3rd running WIn2003 so the function level is Win2003 with one of the 2008R2 servers as “master”. My question is, can the existing 2008R2 servers be upgraded/configured as 2008R2 DC’s and then upgrade the bits on the 2003 system? Or is it necessary and/or safer to build new 2008R2 systems and add in?? I’d like to retain the current IP addresses of the existing DC’s.

        Great write up, I plan to use it for the upgrade process.

        Thanks in advance.

        Buddy

         
        • iSiek says :

          Hey Buddy,

          thank you for your question. As long as your Windows Server 2003 are 32-bit OSes you are not able to perform in-place upgrade. This option is only supported on 64bit OSes because Windows Server 2008R2 is only 64bit OS.

          And I recommend to always install a clean server/virtual machine and then promote it as Domain Controller. Remember, doing in-place upgrade does not do clean install, all other data is still on your HDD. All installed applications are also there, so it might mess up your in-place upgrade installation. In case of some issues there might be some difficulty to troubleshoot the server.

          So, I would strongly suggest to perform clean servers installation.

          Regards,
          Krzysztof

           
      • Mujahid says :

        Hi Krzysztof,

        What about decommissioning the old Win2k3 BDC and removing the hardware and then adding Win2k8 system with the same name and IP address and then promoting it to a Domain Controller? This way we do not need to do all above?

        Hope this will work.

        Regards, Mujahid

         
  40. Eduard says :

    perfect guide, great job

    thank you very much.

     
  41. pope says :

    well.thanks for your guide.I have server 2003 SP2 which is 32bit.I need to upgrade to server 2008R2 64 bit. and if possible 2012 64 bit.

    is it possible i do an inhouse upgrade considering the the 32bit and 64bit variation..

    If not..what procedures should i follow..?

     
    • iSiek says :

      Hi,
      unfortunately, you cannot do in-place upgrade because this is not supported in this scenario. You cannot do that on 32bit OS. Windows Server 2008R2 and Windows Server 2012 are only 64bit Operating Systems. So, if you wish to use in-place upgrade option, you need to do that on earlier 64bit OSes. However, I would not recommend doing this kind of upgrade. It’s always better to do clean install and promote new DC. You may save a lot of time in the future in case of any issue(s).

      If you plan to introduce Windows Server 2012 Domain Controller(s) you are able to skip introducing Windows Server 2008R2 DC(s). With Windows Server 2003 DCs (Domain Functional Level must be raised to Windows Server 2003 mode) you can do that directly to promote 2012 DC and it’s much more convenient method than going to 2008R2 and after that to 2012

      Regards,
      Krzysztof

       
  42. Milton says :

    I have an existing Windows 2003 std AD Infrastructure. The environment has two servers DC2 (FSMO/DNS/DHCP) & DC1 (Exchange Server). I also removed an old orphaned Domain Controller (DC3). I followed your instructions and introduced a Windows Server 2008 (DC2008) enterprise within my Windows 2003 network and everything completed successfully.
    Some of the issues I have are as follows:
    1. When I force replication via AD Sites & Services I get access denied (from DC2 and DC2008)
    2. Sometimes I can log on to DC2 and DC1 because of time clock conflict.
    3. I can access the shared folders on both servers from DC 2008 but when I try from DC2 and DC1 access is denied.
    4. On my DC2008 server when I try to turn on network discovery it’s not working.
    Let me know your thoughts.
    Thanks in advance,
    Milton

     
    • iSiek says :

      OK, looks like some issue arose during promotion of your 2008 Domain Controller. This would be hard to resolve the issue without some additional diagnostic tools. Could you run those commands below in command-line on your DCs, please? Send the output to my mail: kpytko at go2 dot pl I will try to analyze those logs and will try to help you

      On DC1 type:

      netdom query fsmo >c:\fsmo.log
      ipconfig /all >c:\dc1_ipconf.log
      dcdiag /e /c /v /f:c:\dc1_diag.log
      repadmin /showrepl /intersite /all /verbose >c:\dc1_rep.log
      repadmin /replsummary >c:\dc1_replsum.log

      On DC2 type:

      ipconfig /all >c:\dc2_ipconf.log
      dcdiag /e /c /v /f:c:\dc2_diag.log
      repadmin /showrepl /intersite /all /verbose >c:\dc2_rep.log
      repadmin /replsummary >c:\dc2_replsum.log

      When we gather all those logs, we could try to start solving the issue

      Thank you in advance and regards,
      Krzysztof

       
  43. PrazAU says :

    G’Day iSiek,

    I have new scenario that I want to implement. Appreciate your advice.

    I got a DC running on cloud (remote data-center). I need to set up an on-site domain controller to synchronize with the remote DC on cloud. So the on-premise domain controller acts as a backup/additional domain controller.

    Have you done anything similar to my requirement? I mean specially integration of on-premise with cloud environment.

    Cheers
    PrazAU

     
    • iSiek says :

      Hi PrazAU,

      thank you for writing to me. I’m sorry, I haven’t done a similar case, so I would not be able to help you.
      However, some security issues may arise, so please carefully plan this environment. As your cloud DC is available in the Internet, maybe you should consider using Windows Server 2008/2008R2/2012 Read-Only Domain Controller (core version is more secure) in your DMZ? That would be a better solution than placing a standard read/write DC. You need to remember that you still require some AD-related ports to be opened on your firewall(s)

      If you’re interested operating this way, we may try to prepare some guide for this scenario

      Regards,
      Krzysztof

       
  44. Harsha says :

    Its really a good article…
    myself having some doubts like we are having 10ADC(10 different areas) with 1 common PDC all running on the windows 2003 sp1 OS with forest functional level:windows 2000 & domain functional level:windows 2000 mixed
    doubts:1-Is it able to add new windows 2008 r2 server as a member in any ADC(different area level)?
    doubt:2-If i made the new ADC with windows 2008 r2 then shall it replicate with our common PDC.

    Pls help me

     
    • iSiek says :

      Thank you!

      Doubt 1) – as long as you do not promote this Windows Server 2008R2 member server into Domain Controller then yes, you are able to have it added to your domain. Member servers are not affected by Forest or Domain Functional Level. You need to be aware that you won’t be able to fully manage Windows Server 2008R2 over GPOs. There are many new policies related with 2008R2 which are unavailable in Windows Server 2003.

      Doubt 2) – First of all, to be able to promote your first Windows Server 2008 R2 Domain Controller, you need to raise Domain Functional Level to Windows 2000 native mode. Domain Controllers based on Windows Server 2008 do not support NT4 domains. So, in your case, DFL must be raised before you may promote new DC. When you prepare your environment and promote 2008R2 as DC then you need to keep active connection between Site in which it is placed and other Site(s). Replication requires active connection between Site(s) where other Domain Controllers are running. For Active Directory replication it does not necessarily have to be the DC with FSMO roles (that’s why you probably said “PDC” 🙂 ). Any other DC would be enough.

      Regards,
      Krzysztof

       
  45. Darren says :

    Hello Krzysztof,

    This is a fantastic blog. So concise and easy to follow. Thank you very much for taking the time to write and post it.

    I’m hoping you can help me with a couple of queries regarding adding a 2008 R2 domain controller.
    We have a 2003 Forest in which there are several domains. The schema level is at 47 so I assume the adprep /forestprep has been run at some stage.
    I wish to add a 2008 R2 domain controller to one of the domains in the forest. I do not know if the Adprep /domainprep has been run on this domain.
    This domain controller will eventually become the Operations master and another 2008 R2 domain controller will be added. Finally the old 2003 domain controllers (3 total) will be decommissioned.

    So my questions:

    i) Is there any harm in running Adprep /domainprep in the domain I wish to add the 2008 R2 domain controller?

    ii) Will I require enterprise domain administrator permissions to run dcpromo or will domain administrator rights be sufficient?

    iii) Would it make sense to add a 2012 domain controller instead?

    Thank you!

     
  46. Tom Oechsli says :

    Excellent article Krzysztof:

    I’ve been chasing down a problem in our small environment and wanted to see if you could point me toward what I am missing.
    We had two Win 2003 R2 domain controllers, one of which was also Exchange 2003 server (traditionally, budget out weighs best practices).

    An outside firm upgraded our exchange from 2003 to 2010 and introduced a new DC Win 2008 R2 standard (DC with FSMO roles and Exchange 2010)
    The old DC/Exchange was demoted to member server. FSMO was moved from remaining Win 2003 R2 domain controller to new Win 2008 R2 Standard domain controller. DHCP is running from the remaining Win 03 R2 DC. Most operations coexist correctly. Mixed environment with 2 DC’s Win 2008 R2 Standard & Win 2003 R2 Enterprise.

    Problem occurs when the former Domain Master (Win 03 R2) is undergoing maintenance and has to be rebooted, communication goes down in the network. Email becomes inaccessible on the other new Domain Master (Win 2008 R2 Standard). Remote access to the network goes down. We expect the new domain master (Win 2008 R2 Standard) would keep communications in place, while the former Master is down, but it does not.

    One other communication symptom present is that on the Win 2008 R2 Standard domain controller, the Active Directory Administrative Center is unable to access the domain object in DNS. AD Sites & Services works fine on the 2008 R2 DC. AD Users & Computers works fine. But ADAC cannot access the object – the domain in active directory. This at one time was also working fine. Unable to find the cause. But shared it here as it is a symptom in the environment experiencing a communication issue.

    Would appreciate any insight you can share.

    Regards,

    Tom

     
    • Tom Oechsli says :

      An update on the issue I was experiencing. Activating DHCP on the new DC appears to resolved the blackouts when the former Master is down for maintenance. Our upgrade left us with only one DHCP instance. Tom

       
  47. Manny says :

    Thank you much, great guide

     
  48. Axel says :

    Perfect guide, thank you very much !!!

     
  49. Derrick says :

    Thanks for the detailed guide.

    I have successfully added my Windows Server 2008 R2 as a DC to my existing SBS 2003 network, and replication is occurring fine. I am planing on decommissioning the existing SBS in the future.

    I have noticed one thing, it seems the new 2008 R2 server is not authenticating logon requests. It always seems to be the SBS 2003 server that authenticates.

    I am checking via the >echo %logonserver% command after a user logs in.

    Any ideas as to why the new 2008R2 server is never showing up in the command output? They can reach each other and they are resolving DNS inquiries fine on both servers.

    Any ideas would be greatly appreciated. Thanks!

     
    • iSiek says :

      Hello Derrick,

      I’m really sorry for delayed answer. A lot of work :/

      Is this case still valid or you fixed that?

      Regards,
      Krzysztof

       
      • bobebuk says :

        See kb247811 for further information how domain controllers are located.

        SBS servers should be FSMO holders and GC servers but this shouldn’t impact DC locating.


         
    • bobebuk says :

      Additionally you could always temporarily remove the network cable from the SBS and login to a client to see whether it locate the 2008 DC


       
  50. Vanessa Blore says :

    Excellent instruction. Really helpful! I have successfully added my Windows Server 2008 R2 as a DC to my existing Windows 2003 network. If I don’t plan to retire my old Windows 2003 server, do I need to transfer the 5 FSMO roles to the new Windows 2008 DC? It’s a small network and we have only one Windows 2003 DC before adding this Windows 2008 R2 server.

    Thank you

     
    • iSiek says :

      Great! I’m glad I could help you.

      Yes, I would recommend transferring FSMO role to the newest Windows Server 2008R2 Domain Controller. It is good to have FSMO roles on the latest OS release because some features might rely on FSMO with specific Windows Server version.

       
  51. pari says :

    If I already installed the Windows Server 2008 using DCPROMO and I again tried to install it using DCPROMO, what will be the result?
    PLZZZZZ RPLYYYY….

     
  52. iurii says :

    Hello. What if I want to add a Windows Server 2008 SP2 domain controller to existing Active Directory 2003? Are there any differences between adding Windows Server 2008 SP2 and R2?

     
    • iSiek says :

      Hi, no. All steps are exactly the same. First you need to extend schema and prepare Infrastructure Master using adprep. All steps are the same, please follow an article.

       
      • Chris says :

        I have added a Windows 2008R2 domain controller to the first site in a single domain with 2 sites and 2 Windows 2003 domain controllers. FSMO roles have been transferred and everything seems fine but looking in “sites and services” I can see there is only a site replication link between the 2 Windows 2003 servers, there is no link between the 2008 server and the 2003 server in the second site. When I demote the 2003 server in the first site will the replication link be automatically moved to the 2008 server?

         
        • kpytko says :

          OK, it looks that you did everything properly 🙂
          Yes, as your Windows Server 2003 is a bridgehead server for replication with other Site, that’s why you cannot see it there. Your new 2008R2 DC is replicating AD database and SYSVOL locally (intra-site replication) with the old Windows Server 2003.

          Before you decommission the old box, shut it down for a couple of days and check if everything is working fine. If so, turn it on and then decommission.

          When the old 2003 Domain Controller is turned off, after 15 minutes, check Sites and Services to verify if your Windows Server 2008R2 is taking part in AD replication (it should be nominated as bridgehead server). If you do not want to wait 15 minutes until KCC generates the new replication topology, you may use the repadmin.exe tool

          To do that, open elevated command-prompt as Enterprise Administrator or account with delegated rights and type
          repadmin /kcc site:SiteName

          where SiteName is a name of Site in which Windows Server 2008R2 is present. Or use this syntax for all Sites:
          repadmin /kcc site:*

          If you have more questions, please open a new thread under Active Directory -> Domain Services on http://kpytko.pl/forum forum.

          Regards,
          Krzysztof

           
  53. Tim says :

    In the process of migrating from 2003R2 to 2008R2. Performed all the tasks as listed without issue until I got to the Win2008R2 server portion. During the ADDS wizard, got an error
    Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=BL1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bli,DC=com on the remote AD DC BL2.bli.com. Ensure the provided network credentials have sufficient permissions.
    “The RPC server is unavailable.”
    Active Directory Domain Services was not installed.
    Thoughts?

     
    • kpytko says :

      This looks like firewall issue or DNS could not resolve appropriate SRV records during promotion phase.

      Can you provide details from those diagnostic commands executed on the old Domain Controller, please?

      dcdiag /e /c /v /f:c:\dcdiag.log

      and

      repadmin /showrepl /intersite /all /verbose >c:\repadmin.log

      If you wish to continue this case, please open a new thread on my forum at http://kpytko.pl/forum under Active Directory -> Domain Services
      This would be much more convenient to discuss 🙂

      Regards,
      Krzysztof
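
Added example (not from the blog or its commenters): the replies above ask for `dcdiag ... /f:` log files and for the output to be reviewed for errors; this Python script extracts the failed and unfinished tests from such a log, together with the detail lines that explain them. It assumes English-language dcdiag output; the sample log and the names DC1, DC2 and example.local are constructed.

```python
import re
import sys
from collections import defaultdict

# English-language dcdiag prints one verdict line per test, for example:
#   ......................... DC1 passed test Connectivity
RESULT_RE = re.compile(
    r"^\s*\.{5,}\s+(?P<target>\S+)\s+(?P<result>passed|failed)\s+test\s+(?P<test>\S+)\s*$"
)
START_RE = re.compile(r"^\s*Starting test:\s+(?P<test>\S+)\s*$")
# "Testing server: Site\DC1" or "Running enterprise tests on : example.local"
SCOPE_RE = re.compile(
    r"^\s*(?:Testing server:|Running (?:partition|enterprise) tests on\s*:)"
    r"\s*(?P<scope>\S+)\s*$"
)

# Constructed sample log (hypothetical hosts DC1/DC2, domain example.local).
SAMPLE_LOG = r"""
Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         ......................... DC1 passed test Connectivity

   Testing server: Default-First-Site-Name\DC2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         ......................... DC2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         The DC DC1 is advertising itself as a DC and having a DS.
         ......................... DC1 passed test Advertising

   Testing server: Default-First-Site-Name\DC2
      Starting test: Replications
         * Replications Check
         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: DC=example,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
         ......................... DC2 failed test Replications
      Starting test: Services

   Running enterprise tests on : example.local
      Starting test: LocatorCheck
         ......................... example.local passed test LocatorCheck
"""


def parse_dcdiag(text):
    """Return one dict per test: target, test, result and its detail lines."""
    results, scope, current, detail = [], None, None, []
    for line in text.splitlines():
        scope_m, start_m, result_m = (
            rx.match(line) for rx in (SCOPE_RE, START_RE, RESULT_RE)
        )
        # A new section or test begins while the previous test has no verdict:
        # record it as incomplete (crashed test or truncated log).
        if (scope_m or start_m) and current is not None:
            results.append({"target": scope, "test": current,
                            "result": "incomplete", "detail": detail})
            current, detail = None, []
        if scope_m:
            scope = scope_m.group("scope").split("\\")[-1]  # drop "Site\" prefix
        elif start_m:
            current, detail = start_m.group("test"), []
        elif result_m:
            own = detail if current == result_m.group("test") else []
            results.append({"target": result_m.group("target"),
                            "test": result_m.group("test"),
                            "result": result_m.group("result"), "detail": own})
            current, detail = None, []
        elif current is not None and line.strip():
            detail.append(line.strip())
    if current is not None:  # log ends in the middle of a test
        results.append({"target": scope, "test": current,
                        "result": "incomplete", "detail": detail})
    return results


def problems_by_target(results):
    """Group every test that did not pass by the DC, partition or domain tested."""
    grouped = defaultdict(list)
    for r in results:
        if r["result"] != "passed":
            grouped[r["target"]].append(r)
    return dict(grouped)


def format_report(results):
    """Build printable lines: one header per problem plus its detail lines."""
    lines = []
    for target, items in sorted(problems_by_target(results).items()):
        for r in items:
            lines.append(f"{target}: {r['test']} {r['result']}")
            lines.extend(f"    {d}" for d in r["detail"])
    return lines or ["no failed or incomplete tests found"]


if __name__ == "__main__":
    # Pass the path given to dcdiag /f:, or run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    print("\n".join(format_report(parse_dcdiag(log_text))))
```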

       
  54. Satish Suvarna says :

    Thanks Krzysztof Pytko for a detail procedure. It helped me in adding my first 2008 R2 server in windows 2003 domain.

     
  55. Tassos says :

    Hello dear Krzysztof,

    Thank you so much for your excellent guide, it really sums things up, instead of reading multiple Microsoft articles! I need however to ask you this.

    We have 2 DCs running 2003 Enterprise x64 and we are in the process of replacing all of them with 2008 R2 Enterprise. Of course, I will follow your guide exactly, but what troubles me is that one of our two 2003 DCs runs Exchange 2007 SP3 (unfortunately! A mistake by previous IT personnel, to run Exchange and AD on the same server!!!)

    So, how will the first steps of your guide, the ones about the preparation of the existing 2003 domain, with domainprep and forestprep commands affect the functionality of Exchange 2007??

    This is what worries me the most, because it must remain fully operational until we decommission its host 2003 DC. The other 2003 DC runs nothing but AD and DNS.

    What would you suggest in this case? If I run the first preparation commands and join the new 2008 R2 server in the existing 2003 domain, will those commands affect the functionality of the mail server, since it runs on a DC??

    Thank you so much.

    Regards

    Tassos

    P.S. The 1st DC is a virtual machine in VMware 5.5.0 infrastructure and the other DC with Exchange 2007 SP3 is a physical server. Both 2003 Enterprise x64.

     
  56. Amit Kumar says :

    Hi Sir,

    I have two Windows 2003 DC’s, which is used as AD+DNS server for 2 sites. I have another Windows 2008 R2 server which is used as only DNS server for one site. Now i want to convert this Windows 2008 server as primary DC and also replicate the DNS zones. (Both server have different DNS zones)

    Can you help me with that please

     
  57. Harjeet Singh Makkar says :

    Thanks for such a great and simple to follow article

     
  58. alejandr0ck says :

    It works. Thanks!

     
  59. Christian Muehter says :

    Can you just add new 2008 R2 DCs without the prep and work under the 2003 functionality?

     
    • iSiek says :

      No, it is impossible. You need to extend schema and prepare domain infrastructure to be able to use newer Windows Server version for Domain Controller(s).

      However, you do not need to raise Domain/Forest functional levels, it is possible to use mix of Windows 2003/2008 Domain Controllers if you wish.

      Krzysztof

       
