Adding first Windows Server 2012 Domain Controller within Windows 2003/2008/2008R2 network

Prerequisites

To add a Windows Server 2012 Domain Controller to a Windows 2003/2008/2008R2 network, we first need to check that the Forest Functional Level (FFL) is at least Windows Server 2003 mode. This is the lowest FFL that allows a Windows Server 2012 Domain Controller to be installed, which also means that Windows 2000 DCs are no longer supported: Microsoft does not support them alongside 2012 Domain Controllers. It’s time to forget about these old DCs.

Windows Server 2012 DC Forest Functional Level requirements

We check this in the domain where the first 2012 DC is going to be installed, using either the “Active Directory Users and Computers” or the “Active Directory Domains and Trusts” console.

In the “Active Directory Users and Computers” console, select your domain, right-click it (RMB) and choose “Raise Domain Functional Level” to see the current level.

If you see a screen like this (Windows 2003 mode), you do not need to raise your Domain Functional Level. Otherwise you have to remove all Windows 2000 Domain Controllers or, if there are none, raise the DFL to Windows 2003 mode or higher.

Current Domain Functional Level

But remember, raising the Domain Functional Level is a one-time action and cannot be reverted. Before you raise it to 2003 mode, ensure that all of your Domain Controllers are running at least Windows Server 2003. In this case all of them are, because the DFL is already set to 2003 mode, which would not be possible if any 2000 DC were still present.

Windows 2003 mode does not support DCs based on earlier Microsoft Windows systems like NT4 and Windows 2000

Another way is to use the Active Directory Domains and Trusts console. Run it, select the domain for which you want to check the Domain Functional Level and choose “Raise Domain Functional Level”

Current Domain Functional Level

Follow the same steps as in previous console.

More about raising the Domain Functional Level can be found in another article on my blog.

At this point you can also raise your Forest Functional Level, provided that all Domain Controllers in the entire forest are running Windows Server 2003. If not, skip the steps below and go to the Single Master Operation Roles section.

To raise the Forest Functional Level, select the “Active Directory Domains and Trusts” node, right-click it (RMB) and choose “Raise Forest Functional Level”. Accept the “Windows Server 2003” mode from the list by clicking the “Raise” button.

In this case the FFL is already set to Windows Server 2003 mode and there is no need to raise it.

Raising Forest Functional Level

For more information about raising the Forest Functional Level please check another article on my blog.

You can also determine the DFL and FFL by following the article on my blog titled: Determine DFL and FFL using PowerShell

Now it’s time to determine which Domain Controller(s) hold the Single Master Operation Roles. The most important ones when preparing the environment for a 2012 DC are:

  • Schema Master
  • Infrastructure Master

We need to be sure that these DC(s) are reachable during the setup process. In previous versions we had to prepare the environment with the adprep command to extend the schema and prepare the Infrastructure Master. From Windows Server 2012 on, running adprep first is no longer required. You can still do it if you wish, but it is not a mandatory step: Windows Server 2012 runs it for you when it detects that adprep has not yet been used for the Schema and Infrastructure preparation. This new feature in Windows Server 2012 simplifies the promotion process as much as possible. You only need to check that the DC(s) holding the mentioned Operations Master roles are reachable (it is similar to the approach in Exchange 2010, where you do not have to run setup.com yourself to extend the Schema).

To verify the necessary Operations Masters, we can use the netdom command, installed from Support Tools on Windows Server 2003 (in 2008/2008R2 it is available by default). Open a command prompt and go to the default installation directory:

C:\Program Files\Support Tools

and type:

netdom query fsmo

and identify the DC(s) from the output

Operation Master (FSMO) roles

We have collected almost all the information needed to start AD preparation for the first Windows Server 2008 R2 Domain Controller. The last and most important part before we start is checking the forest/domain health by running:

  • Dcdiag (from Support Tools)
  • Repadmin (also from Support Tools)

Run the following from a command prompt on a DC where Support Tools is installed:

dcdiag /e /c /v

and check that no errors are reported. If there are any, correct them first (if your forest/domain has a lot of Domain Controllers, skip the /e switch)

Now run:

repadmin /showrepl /all /verbose

to check that your DCs replicate without errors.

For more about Active Directory troubleshooting tools check one of my articles on this blog.

After those checks, you can start with Active Directory preparation.
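The checks above (functional levels, FSMO holders, reachability of the Schema Master and Infrastructure Master) can also be scripted. The following PowerShell is an added example and not code from the original article: it runs on the new 2012 box before promotion, binds over plain LDAP with explicit credentials (so it also works against Windows Server 2003/2008 DCs that have no Active Directory Web Services) and only reads; the domain name and account are assumed values.

```powershell
# Added pre-promotion check (not part of the original article). Runs on the
# new Windows Server 2012 box before it is promoted. It uses
# System.DirectoryServices over LDAP, which works against Windows Server
# 2003/2008 DCs without Active Directory Web Services, so the ActiveDirectory
# module is not needed. Assumed values: domain name and account.
$DomainName = 'testenv.local'                          # assumed target domain
$Cred       = Get-Credential 'TESTENV\Administrator'   # assumed Enterprise Admins member

Add-Type -AssemblyName System.DirectoryServices
$Ads = 'System.DirectoryServices.ActiveDirectory'

function Get-PromotionReadiness {
    # Returns the functional levels and the FSMO owners the 2012 promotion
    # depends on. Locating the domain by DNS here also proves that the new
    # box points to a DC for DNS, as the NIC section requires.
    param([string]$Domain, [System.Management.Automation.PSCredential]$Credential)
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    $fctx = New-Object -TypeName "$Ads.DirectoryContext" -ArgumentList 'Forest', $Domain, $user, $pass
    $dctx = New-Object -TypeName "$Ads.DirectoryContext" -ArgumentList 'Domain', $Domain, $user, $pass
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($fctx)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($dctx)
    [pscustomobject]@{
        ForestMode           = $forest.ForestMode
        DomainMode           = $domain.DomainMode
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
    }
}

function Test-LdapPort {
    # TCP connect to LDAP (389) with a timeout. ICMP is often filtered, so a
    # plain ping is not a reliable reachability test for a DC.
    param([string]$Computer, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, 389, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$state = Get-PromotionReadiness -Domain $DomainName -Credential $Cred
$state | Format-List

# Minimum levels for a Windows Server 2012 DC. The enums order the modes,
# and the 2003 "interim" modes sort below Windows2003, which is correct:
# interim mode still tolerates NT4 BDCs.
$minForest = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
$minDomain = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain
if ([int]$state.ForestMode -lt [int]$minForest) {
    Write-Warning "FFL is $($state.ForestMode): remove Windows 2000 DCs and raise it to Windows Server 2003 first"
}
if ([int]$state.DomainMode -lt [int]$minDomain) {
    Write-Warning "DFL is $($state.DomainMode): raise it to Windows Server 2003 first"
}

# The wizard runs adprep against these two role holders in the background,
# so both must answer on LDAP when the promotion starts.
foreach ($role in 'SchemaMaster', 'InfrastructureMaster') {
    $dc = $state.$role
    if (Test-LdapPort -Computer $dc) { Write-Output "$role ($dc): LDAP reachable" }
    else { Write-Warning "$role ($dc): TCP 389 not reachable" }
}
```

Run it from an elevated PowerShell on the new box; dcdiag and repadmin still have to be run on a DC as described above, because this script does not replace them.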

Adding first Windows 2012 Domain Controller

Before we start preparing AD for the new Windows Server 2012 DC, we need to be sure that our account is a member of:

  • Enterprise Admins group

Once that is confirmed, we can start the installation.

Install your new box with Windows Server 2012, configure its IP address according to your network settings and change the default server name to your own.

Remember that correct network card settings are essential for promoting your new box to a domain controller!

The most important part of the NIC configuration is the DNS server(s). Point your new box to one of the existing Domain Controllers on which DNS is installed and configured.

IPv4 settings verification

Once the IP settings are verified, you can start promoting the server to a Domain Controller. However, you cannot use the good old dcpromo command, as it is no longer valid :)

dcpromo

Microsoft removed it and now everything is done in the new Server Manager console. You need to install the Active Directory Domain Services role and then, in the post-installation steps, promote the server to a Domain Controller. Let’s start

Open the Server Manager console (if it is not already open) and click “Add roles and features” on the Dashboard screen

Adding Roles and Features

Keeping the default settings, go through the wizard up to the “Server Roles” step (those steps are not described in this article; you may expect their description in another one) and select the Active Directory Domain Services role. Also accept the default features that are required for the installation

Required features for AD:DS role

Verify that the check box is in the right place and go to the next step

Adding AD:DS role

On the “Features” screen also go to the next step, as nothing more needs to be installed here. All required features will be installed because you accepted them a moment ago

Adding AD:DS role

Read the information about the role you are installing and go to the confirmation screen to install it

Adding AD:DS role

Wait until the selected role has been installed; only then can you promote the server to a Domain Controller

Installing AD:DS role

Installing AD:DS role

Now that the role is installed, you can see an exclamation mark in the notification area. It tells you that post-installation steps may be required

Notification area

Click it to see what can be done. You will see that you can now promote your server to a Domain Controller, together with the information that the features were installed successfully

Notification area

OK, let’s start server promotion to Domain Controller! Click on “Promote this server to a domain controller” and you will see a wizard.

As we are adding a Domain Controller to an existing domain, we need to select the proper option. It is selected by default, but please ensure that “Add a domain controller to an existing domain” is selected

Domain Controller promotion

When you have verified that, enter the DNS name of the domain to which you are promoting the DC in the field marked with a red star. Provide Enterprise Administrator credentials and go to the next step

Domain Controller promotion

Domain Controller promotion

Domain Controller promotion

Define whether the server should be a DNS server and a Global Catalog. I would strongly recommend installing both roles on each Domain Controller in your environment. Select the Site this DC should belong to and define the Directory Services Restore Mode (DSRM) password for this DC

Domain Controller promotion

Do not worry about DNS delegation, as this server is not a DNS server yet. Go to the next step

Domain Controller promotion

In “Additional options” you can define whether you want to install this Domain Controller from Install From Media (IFM), if you have it, and choose the DC from which replication should be done. If you do not specify one, the server will choose the best source for AD database replication. If you have no special requirements, just leave “Any domain controller”

Domain Controller promotion

Specify the location for the AD database and SYSVOL (if you need something different from the suggested defaults) and go to the next step

Domain Controller promotion

Now the wizard informs you that Schema and Domain preparation need to be done. As you did not run adprep before, it will be executed in the background for you

Domain Controller promotion

You will see a summary screen where you can check all the options selected for the server promotion. As in Windows Server 2012 everything done in Server Manager is translated into PowerShell code that is executed in the background, you can view this code by clicking the “View script” button. You will see exactly what will be run. The process is transparent, but no PowerShell window appears in front of you

Domain Controller promotion

PowerShell code for adding Domain Controller

#
# Windows PowerShell script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -NoGlobalCatalog:$false `
    -CreateDnsDelegation:$false `
    -Credential (Get-Credential) `
    -CriticalReplicationOnly:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainName "testenv.local" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SiteName "Default-First-Site-Name" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true

If all prerequisite checks pass and you are sure that all settings are correct, you can start the installation

Domain Controller promotion

You can observe that the Forest and Domain are being prepared by adprep running in the background. Wait until the wizard has done its job; after the server restarts you will have a new Windows Server 2012 Domain Controller.

Domain Controller promotion

Give the DC some time to replicate Directory Services data and then enjoy your new DC.

Post-Installation steps

Now you need to make some small changes to your environment configuration.

On each server/workstation, configure an alternate DNS server IP address in the NIC properties pointing to the new Domain Controller.

Open the DHCP management console and, under server or scope options (depending on your DHCP configuration), modify option no. 006: add the IP address of your new Domain Controller as a DNS server.

DHCP server reconfiguration
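Both post-installation changes are easy to miss on servers with fixed addresses, so here is an added PowerShell audit (not code from the original article) that reports which static NICs and which DHCP scopes already list the new DC as a DNS server; it changes nothing. The IP address, server names and DHCP server name are assumed values, and the DHCP part needs the DhcpServer module (Windows Server 2012 RSAT).

```powershell
# Added post-installation audit (not part of the original article). It only
# reads: static DNS client settings on the listed servers via WMI (which also
# works against 2003/2008 targets) and DHCP option 006 at server and scope
# level via the DhcpServer module (Windows Server 2012). Values are assumed.
$NewDcIp    = '10.0.0.12'                    # assumed IP of the new 2012 DC
$Servers    = 'dc01', 'fs01', 'app01'        # assumed servers with fixed IPs
$DhcpServer = 'dc01'                         # assumed DHCP server

function Get-StaticDnsReport {
    # One row per statically configured NIC, flagging whether the new DC
    # already appears in its DNS server list.
    param([string[]]$Computers, [string]$ExpectedDns)
    foreach ($c in $Computers) {
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $c -ErrorAction SilentlyContinue |
            Where-Object { $_.IPEnabled -and -not $_.DHCPEnabled }
        if (-not $nics) {
            [pscustomobject]@{ Computer = $c; Interface = 'n/a'; DnsServers = 'n/a'; HasNewDc = $false; Note = 'no static NIC or WMI unreachable' }
            continue
        }
        foreach ($n in $nics) {
            [pscustomobject]@{
                Computer   = $c
                Interface  = $n.Description
                DnsServers = ($n.DNSServerSearchOrder -join ', ')
                HasNewDc   = [bool]($n.DNSServerSearchOrder -contains $ExpectedDns)
                Note       = ''
            }
        }
    }
}

function Get-DhcpDnsOptionReport {
    # A scope-level option 006 overrides the server-level one, so the
    # effective value per scope is what clients actually receive.
    param([string]$Computer, [string]$ExpectedDns)
    Import-Module DhcpServer -ErrorAction Stop
    $serverOpt = Get-DhcpServerv4OptionValue -ComputerName $Computer -OptionId 6 -ErrorAction SilentlyContinue
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $Computer) {
        $scopeOpt = Get-DhcpServerv4OptionValue -ComputerName $Computer -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
        if ($scopeOpt) { $effective = $scopeOpt.Value;  $source = 'scope' }
        else           { $effective = $serverOpt.Value; $source = 'server' }
        [pscustomobject]@{
            Scope      = $scope.ScopeId
            Source     = $source
            DnsServers = ($effective -join ', ')
            HasNewDc   = [bool]($effective -contains $ExpectedDns)
        }
    }
}

Get-StaticDnsReport -Computers $Servers -ExpectedDns $NewDcIp | Format-Table -AutoSize
Get-DhcpDnsOptionReport -Computer $DhcpServer -ExpectedDns $NewDcIp | Format-Table -AutoSize
```

Any row with HasNewDc = False is a host or scope that will lose name resolution once the old DC is decommissioned.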

That’s all!

Congratulations! You have promoted your first Windows Server 2012 Domain Controller in an existing domain

Author: Krzysztof Pytko


99 responses to “Adding first Windows Server 2012 Domain Controller within Windows 2003/2008/2008R2 network”

  1. Roger says :

    Great article!

    Are you assuming that in the post-install steps that people are adding the DNS server role to this new DC? Without that, why would you have them add the new DC as a DNS server in DHCP?

     
    • iSiek says :

      Thank you!

      No, people should install the DNS role during server promotion to DC. But after all, many of them forget to update the DNS settings on the DHCP server (when they are replacing the old Domain Controller).
      That might lead to some functionality issues; that’s why I mentioned this in the article

      Regards,
      Krzysztof

       
  2. Rhys says :

    Have you got steps to then promote it to the main dc and copy user roles and anything needed to make it primary and kill the old 2003 server all together?

     
    • iSiek says :

      Yes, but not in a single article :)
      After you have promoted the new 2012 DC, you need to transfer the FSMO roles (available on my blog) and advertise the new time server in your forest. How to do that you will find on the MVP blog at
      http://msmvps.com/blogs/mweber/archive/2012/07/27/upgrading-an-active-directory-domain-from-windows-server-2008-or-windows-server-2008-r2-to-windows-server-2012.aspx
      under section ([…]After the transfer from the PDCEmulator FSMO it is required to reconfigure the time service on the old and new PDCEmulator[…])

      After that, you can simply decommission Windows Server 2003 (available on my blog)

      Can you tell me please, what do you mean by saying “and copy user roles” ?

      Regards,
      Krzysztof

       
      • sean says :

        One thing I don’t understand at the beginning: to run the netdom command from the default directory (“Open command-line and go to default installation directory:”)

        C:\Program Files\Support Tools? I cannot find this directory?

         
        • kpytko says :

          If you are using Windows Server 2003, you need to install the support tools manually from the installation CD to be able to run the netdom utility (available in the Support folder). It is available in Windows Server 2008+ by default; in earlier OS versions it’s not.

          Regards,
          Krzysztof

           
          • sean says :

            Thank you. I worked it out. I have a Windows SBS2008 box and I setup a replicating server as a backup a number of years ago. I had forgotten I had already run adprep so all the commands worked ok. Seems pretty clear of errors except one stating the server (primary DC) servername is not trusted and cannot replicate. But it actually is replicating I checked this in sites and services. If I look in AD and exchange all the accounts and mailboxes are there as well as the sysvol and NTDS folders.

             
          • sean says :

            I was looking at another article on the same subject and the instructor mentions to register the schema dll file by running regsvr32 schmmgmt.dll. Do I run this on the outgoing DC or on the new 2012 server? It works on the 2008 DC but when I attempt to run it on the 2012 box I get an error file not found?

             
          • sean says :

            I am running this setup on my virtual labs. The AD DS configuration wizard is still running. It’s been going for a couple of hours now. I think this is not working it should not take this long?

             
          • sean says :

            Ok, to answer my own question, and this may help someone else. The problem I had was this. At the stage where you can “specify additional options”, Replicate from, I selected one of the DCs from the drop down instead of “Any domain controller”.
            This caused the process to hang and ultimately fail. AD DS and DNS were installed but the joining to the existing domain was not complete. I had to complete the process from the additional configuration tasks drop down menu (the Flag icon). Then select “Any Domain Controller” and it completed in a matter of minutes.

             
      • sean says :

        Just to clarify why I selected one of the existing DCs, in particular the backup DC: it was because it will be remaining on the domain while the primary DC will be decommissioned. So my rationale behind selecting the Backup DC was because it will remain and I did not want the new DC replicating from a DC that was being decommissioned. But I guess this is something that can be addressed later down the track.

         
  3. Ethan says :

    Excellent article! I simply followed these steps to install Windows 2012 DC to our existing domain running on Windows 2003.

     
  4. bobmoorehead says :

    This is an EXCELLENT article. Thank you for posting it. Really helped a lot.

     
  5. UndaZuna says :

    Thank you so much for posting it. very useful

    Regards,
    UndaSuna

     
  6. isaac goldfarb says :

    Very good notes!!

     
  7. Erc says :

    Very helpful article, thanks! One question I have relates to adding a 2012 domain controller into an existing Windows 2003 Native domain (currently 2x 2008R2 DCs and 1x 2003R2 DC). The end goal is to retire the 2003R2 DC with the addition of the 2012 one. The catch we have is that we have one legacy Windows 2000 member server (very important, dept drags feet to remove). If we keep the domain in Windows 2003 mode or even up it to Windows 2008 mode will we be OK having a 2000 member server?

    The Microsoft docs say a 2000 client isn’t supported with 2012 DCs, but makes no mention of a mixed OS domain running in 2003/2008 mode. Would we be able to add the 2012 DC and keep the 2000 member server working?

     
    • iSiek says :

      Thank you for reading my blog!

      Going back to your question about Windows Server 2012 Domain Controllers and Windows 2000 Server members. As you mentioned, you have only 2003+ Domain Controllers; there is no 2000 DC at all. That means you can freely decommission the 2003 DCs if you do not need them anymore, and you may even raise your domain/forest functional level to Windows Server 2008R2 (the highest possible in your case).

      This change affects only Domain Controllers, not member servers. That means you can still use any Windows 2000 Server as a domain member. You are only unable to use Windows 2000 Server Domain Controllers, and if you raised the DFL/FFL to a higher mode then you would not be able to use Windows Server 2003 DCs either.

      Please check more about this topic in my other articles on the blog:
      Raising Domain Functional Level
      http://kpytko.pl/2012/05/14/raising-domain-functional-level/

      Raising Forest Functional Level
      http://kpytko.pl/2012/05/14/raising-forest-functional-level/

      When you would like to introduce Windows Server 2012 Domain Controller, you have to remove all Windows 2000 Server DCs before you can start. As you do not have any 2000 DCs and your Domain Functional Level is set up to Windows Server 2003 mode, you are ready.

      All other servers, not acting as DC, would work fine even if they are based on older operating system like Windows 2000 Server.

      Regards,
      Krzysztof

       
      • Erc says :

        Thanks Krzysztof. I had a chance to test this scenario and you’re correct, the Windows 2000 box worked normally even after removing the 2003 DC and raising the domain levels to 2008 R2.

         
  8. Larry says :

    Great Article! This has really helped me in planning the replacement of a SBS 2003 server with individual Server 2012 servers.

     
  9. Garfield_nl says :

    Thank you, also the screen shots makes it easy. I used your blog as preparation material

     
  10. Rob says :

    Thank you for a very useful read, as it’s the first time I’m adding 2012 to our environment. I have a very simple domain with only a 2003 DC which I’d like to decommission after the 2012 DC is in place.

    Is it as simple as you stated? Just transfer FSMO roles, reconfigure time service peer to new 2012 DC on both, then demote?

    Thanks again,

    Rob

     
    • iSiek says :

      Hey Rob,

      thank you for reading my blog. Yes, it is as simple as written :)
      Just prepare your environment for the first 2012 DC, transfer the FSMO roles to it, advertise the new time server in your environment and decommission the old 2003 DCs. That’s all!

      Regards,
      Krzysztof

       
  11. Voz says :

    I have a 2008 R2 Domain (dozen or so DCs) and want to add a 2012 Domain Controller. I do not want to change the servers that host my FSMO roles. Does adding a 2012 domain controller allow me to maintain my existing roles on the 2008 R2 domain controllers?

     
    • iSiek says :

      Hello,

      yes, it does. However, Microsoft strongly recommends keeping the FSMO roles on the Domain Controller with the newest OS.
      And when you transfer the PDC Emulator and RID Operations Master roles to the 2012 DC, you would be able to use:
      – Hyper-V 3.0 new features for Domain Controller cloning
      – New extended RID space 2^31 instead of 2^30

      Regards,
      Krzysztof

       
  12. VJP says :

    Nice Article… I have one ? ..We have Server 2008R2 environment for all DC’s and want to introduce Server 2012 as RODC. Is it possible ? if yes ..do we really need to transfer FSMO roles to this RODC. During DC promotion ..will it update the schema as well ?

     
    • iSiek says :

      Hello,

      thank you! I’m really sorry for the delayed answer but I was busy and could not write to you.
      I need to check that because I did not test this scenario. I suppose that a Windows Server 2012 RODC will update the schema itself during promotion, but I’m not sure whether this would require at least one Windows Server 2012 Read/Write Domain Controller, as there might be some new features in comparison to an RODC based on Windows Server 2008/2008R2.

      However, you cannot transfer FSMO roles to any RODC as that kind of DC cannot support that scenario. It works in read-only mode and needs at least one writeable Domain Controller.

      Let me check that RODC 2012 scenario with schema update for you and I will reply in a few days with the results.

      Regards,
      Krzysztof

       
    • iSiek says :

      Hi,

      I’ve just checked this scenario for you in my test lab where I have Windows Server 2008 R2 Read/Write Domain Controller with Forest Functional Level at Windows Server 2003 mode and:

      1) Introduction of Windows Server 2012 RODC automatically extended Schema and it also prepared domain for RODC.

      2) RODC is working fine, however, you need to remember that I did that in my test environment, so I cannot fully test all RODC features for Windows Server 2012

      3) I did not notice any events in Event Log stating that no Windows Server 2012 Read/Write Domain Controller has been found. Looks like this is fixed since Windows Server 2008/2008 R2 were released. Previously, you had an event stating that no read/write DC for 2008 R2 was available (in case that 2008 is RWDC and 2008 R2 RODC)

      4) and of course the last thing to confirm, you cannot transfer FSMO roles to the Read-Only Domain Controller.

      I hope I could help you

      Regards,
      Krzysztof

       
  13. JohnB. says :

    My Domain and Forest is at 2003 level. I understand I can add a 2012 controller. But, I also happen to have windows 2000 SP4, their replacement to Windows-7 will take about a year. This is where I get uncomfy. Can I join a 2012 box as a DC, (and possibly also remove the 2003 DC’s?), while retaining the 2003 domain/forest levels, and, keep the windows 2000 SP4 machines running normally? I’ve done a lot of reading and I’m still unclear.
    Advance Thanks.

     
    • iSiek says :

      Hello John,

      I’m really sorry for this delayed answer but I was really busy.

      Yes of course, you may promote new Windows Server 2012 Domain Controller and do not change DFL/FFL from Windows Server 2003 to the higher level.
      The same with your Windows 2000 client machines. They can be simply still in the environment but remember, you won’t be able to manage new functions over GPOs on those machines.

      Regards,
      Krzysztof

       
  14. Jeffrey Johnson says :

    We just replaced all of our 2003 and 2008 R2 DC’s to 2012. Can we raise the FFL/DFL to 2012 or do we have to go to 2008 R2 level and then 2012. Our FFL/DFL is 2003.

    We want to do 2003 –> 2012. Or do we have to do 2003 –> 2008R2 –> 2012

    Thanks in advance,
    Jeff

     
    • iSiek says :

      Hi Jeff,

      that’s fine, you can directly go into Windows Server 2012 DFL/FFL. You don’t have to raise it to 2008R2 first. But you need to be sure that you would not use any Windows Server 2003/2008/2008R2 Domain Controllers in the future because DFL 2012 does not allow for that. When you raise FFL then you need to be sure that all your domains will have only 2012 Domain Controllers

      Regards,
      Krzysztof

       
      • Jeffrey Johnson says :

        Thank you for the quick response. I missed the email in my mailbox. I am actually doing the raise tomorrow. We have only 2012 domain controllers. Is there any reason why I would want to go back or use 2008 r2 over 2012?

         
  15. Shahid Azam Afridi says :

    What if i have Exchange 2010 SP1 running in my existing Windows 2008 R2 domain and I would like to upgrade only Domain environment to Windows 2012?

     
  16. Patrick says :

    Hi, I was able to successfully follow the steps as laid out but I now have a scenario where the workstations log on very slowly when the old server is disconnected. I haven’t demoted it yet but is that the reason?

     
    • iSiek says :

      Hi,

      I would guess this is related with DNS server. Did you update DHCP server/scope configuration after you introduced new DC with DNS role?

      You should update option no. 006 under server/scope options of DHCP server (depends on your configuration) and reboot workstations to get new lease with new DNS server’s IP address.

      Additionally, you need to change the IP address of the DNS server under the NIC’s properties of every server with a fixed IP address. Point them to the new IP address of your Domain Controller where DNS is probably also running (if you went step-by-step with my article)

      Then check once again if you are experiencing this issue. Please let me know

      Regards,
      Krzysztof

       
  17. Riyadh says :

    I followed through up to adding new server 2012 to domain but am afraid to make it the Primary DC as it seems the users have roaming profiles pointing to a directory on current old DC , I want to stop roaming profiles totally how do I go about this ?

     
    • iSiek says :

      Oh, this is not a too simple process, unfortunately. Roaming profiles are a real pain when a new server comes into the environment :/
      You need to change your current GPO and move profiles back to the local workstations. When you are sure that all of the users’ data is stored locally, you can go with the server replacement.

      You need to have appropriate disk space on the server where you are going to redirect users profiles and then re-create folders structure on the new server.
      When it is done, you can create new GPO for roaming profiles pointing to the new location.

      Remember! It is really good idea to do full backup of users data before you will start the action :)

      Regards,
      Krzysztof

       
  18. SP007 says :

    A great article and is really useful!!

     
  19. Robert says :

    I have a Windows SBS 2003 domain server. Can I use this procedure to install a DC then demote the SBS 2003 server?

     
    • iSiek says :

      Yes of course, you may use it as for regular Windows Server 2003

      Regards,
      Krzysztof

       
      • Robert says :

        Thanks for your help. Just a confirmation. I have a network with an SBS server 2003 that is my domain server with all roles and two additional DCs. If I install the Windows 2012 server as a DC, I can move all the roles from SBS 2003 to Windows 2012 and demote SBS 2003. Now Windows 2012 will perform all the required adprep to the system when install begins. True?

        Sorry for the questions. I just want to be sure.

         
        • iSiek says :

          Yes, exactly, but adprep is being done during promotion process to DC, so it is performed before SBS demotion :)
          All the rest steps are exactly as you wrote.

          Important! When you transfer FSMO roles from SBS to 2012 DC, you need to demote it because you will get regular SBS reboots (behavior as designed)

          Krzysztof

           
          • Robert says :

            Thanks so much for your help. One last thing. I have Microsoft Exchange 2007 not on the SBS 2003 server but separate. This server promotion should have not affect on the Exchange, correct?

             
      • Alberto Mejia says :

        I have a domain in Windows 2003 domain functional level. Two DCs running Windows 2003. No more domains.
        I just added a Windows 2012 R2 Std, added roles and dcpromo’d it as per your article. The schema got upgraded to version 69.
        All is fine. I will be transferring all FSMO roles to the new DC shortly.
        Do I need to raise the domain functional level to Windows 2012, assuming that will be available after the dcpromo of Windows 2012?
        I do not see this option, and I am not sure I should see it. Or just DCpromo down the two domain controllers running Windows 2003.
        Please advise.

         
        • iSiek says :

          No, everything at this stage is fine. You cannot raise DFL/FFL at this moment because you still have Windows Server 2003 DCs. Do the FSMO transfer, decommission the old DCs and then you would be able to raise DFL/FFL

           
  20. A. Draper says :

    As others have noted: Excellent article!

    Quick question, at what point must one consider the *security implications* of upgrading AD?

    For example, I have a 2k3 AD today and wish to upgrade to 2k8 (or 2k12). If I follow your steps above, I will have successfully “upgraded” my 2k3 AD, but what about new OS settings such as NT4crypto (which will break NT4 trusts) or NTLM or DES changes that will occur? Or even the Default Domain GPO and Default Domain Controllers GPO?

    At what point do such default security settings (of the upgraded DC OS) take over and change the domain function?

     
  21. Kljuka says :

    Hello,

    I have only one question about your blog post, which is great!

    This guide is for Windows Server 2012 domain controller. I would like to ask you if it is also supported to add Windows Server 2012 R2 domain controller to the 2003 domain and forest functional level if all other controllers are Windows Server 2003?

    If I want to raise functional level to 2012 R2, do I need to remove Windows Server 2003 servers and after that raise the level or are there any other steps to do this safely?

    Also, I have read in the comments that having a Windows Server 2000 server as a member server is supported in this scenario, even when I remove the 2003 DCs and raise the functional level to 2008 R2 (but I cannot go to 2012 R2, because a Windows Server 2000 member server is not supported in 2012 R2). Is this correct?

    Thank you!

    Best wishes,
    Marko

     
    • iSiek says :

      Hello,

      thank you!

      Yes, it is also valid for this configuration.
      Yes, exactly, when you wish to raise DFL you need to decommission all 2003 DCs first. If you wish you may check this article on my blog at

      No, as domain member servers you can still use Windows 2000. But you need to know that this OS is no longer supported and many GPOs would not fit this kind of OS

       
  22. poedigs says :

    Great article, thank you for taking the time to post it. Could you maybe add this one caveat if adding a 2012 DC to a 2003 Forest?

    Check the Remote Registry service on the 2003 domain controller is configured as follows:

    Startup type: Automatic

    Service Status: Started

    Security context: NT Authority\LocalService (in the Log On tab of the Remote Registry service)

    Then promote the 2012 server again.

     
  23. XaviXaus says :

    Thanks a lot for this article and for the asked questions, because they have solved my problems. We have Windows 2000 clients and Windows 2003; we will create domain controllers with Windows Server 2012 and maintain the DFL and FFL at Windows 2003 to keep compatibility with Windows 2000 clients. When we have all domain controllers on Windows 2012 and all Windows 2000 migrated to Windows XP or later, we will raise the functional level of domain and forest to use the new features.

    Regards.

     
  24. Alberto Mejia says :

    I have a Windows 2003 domain. It has two DCs, both Windows 2003 R2. The DFL and FFL are 2003.

    I have added a Windows 2012 DC. I followed your steps. They were great. Thx. The schema got upgraded fine to 69 (Windows 2012 R2).

    I am stuck here; When I go back to the Windows 2003 DC, I do not see the option to raise the level to Windows 2012. Is that something I should expect? Do I go ahead and transfer FSMO roles to new DC and demote the win2k3 servers?

     
    • iSiek says :

      Great! I’m glad that all went well.

      Do you know why you cannot do that? :) Because you need to decommission all non-Windows Server 2012 R2 Domain Controllers. The lowest OS running as a Domain Controller defines the highest possible Domain Functional Level. And the lowest DFL determines the highest possible Forest Functional Level.

      So, to raise DFL/FFL to Windows Server 2012 R2 you have to decommission all 2003/2008/2008R2/2012 Domain Controllers. Then it would work fine!

       
  25. Shaun Van Tonder says :

    Hi there.. This article is brilliant and very helpful.. Easy to understand.. There is however one thing that is not mentioned and I am concerned about.. Windows 2003 domains use FRS to replicate the SYSVOL and Group Policy.. If you migrate from a 2003 domain you had the option of converting to DFSR replication in 2008… Should this be done first or can you still do the FRS to DFSR migration once the 2012 servers are in.. ?

    Thanks very much..

    Shaun
    djshaunvt@gmail.com

     
    • iSiek says :

      No, you don’t have to migrate FRS to DFS-R first. Windows Server 2008/2012 still support FRS for SYSVOL.
      This step may be done later when you are ready to migrate FRS to DFS-R for SYSVOL. This is a 4-phase action which requires much more time than admins think 😀

       
  26. Daytron says :

    I’m still trying to add a new DC with W2012 to a domain under W2008R2, but I cannot fix the problems that appear after I run dcdiag as this post explains, on the W2008R2 server. That server (Srv01) also has the roles: DNS, DHCP, File Server and Routing and Remote Access (we have a VPN).

    I’m new in the servers world, but I read that there are many things that can cause the error that I see when I try to add this new DC to our network. This error says that the AD DC cannot be contacted.

    Here is a piece of info provided by the dcdiag command:

    Doing initial required tests

    Testing server: Default-First-Site-Name\SRV01
    Starting test: Connectivity
    * Active Directory LDAP Services Check
    The host 40b7c03b-d287-403e-ad6c-9d5e2d904be0._msdcs.DOMAINNAME.dom could not be resolved to an IP address.
    Check the DNS server, DHCP, server name, etc.
    Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
    ……………………. SRV01 failed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\SRV01
    Skipping all tests, because server SRV01 is not responding to directory service requests.
    Test omitted by user request: Advertising
    Test omitted by user request: CheckSecurityError
    Test omitted by user request: CutoffServers
    Test omitted by user request: FrsEvent
    Test omitted by user request: DFSREvent
    Test omitted by user request: SysVolCheck
    Test omitted by user request: KccEvent
    Test omitted by user request: KnowsOfRoleHolders
    Test omitted by user request: MachineAccount
    Test omitted by user request: NCSecDesc
    Test omitted by user request: NetLogons
    Test omitted by user request: ObjectsReplicated
    Test omitted by user request: OutboundSecureChannels
    Test omitted by user request: Replications
    Test omitted by user request: RidManager
    Test omitted by user request: Services
    Test omitted by user request: SystemLog
    Test omitted by user request: Topology
    Test omitted by user request: VerifyEnterpriseReferences
    Test omitted by user request: VerifyReferences
    Test omitted by user request: VerifyReplicas

    Starting test: DNS

    DNS Tests are running and not hung. Please wait a few minutes…
    See DNS test in enterprise tests section for results
    ……………………. SRV01 passed test DNS

    If there is anything that I can do…… or should I just go ahead and create a new AD DC on the new DC (luckily there are no more than 16 users, and a few folders to share).

    Hope you can help me.
    Thanks for your time

     
  27. Bob says :

    Great tutorial… I just saw a video that details a complete domain upgrade from 2008 to 2012 http://youtu.be/uZB-1kCOEBU and I think I’m ready to upgrade now. Thank you!

     
  28. Tóth Ádám says :

    You mention Windows Server “20012” thrice. At least you are consistent :)

     
  29. David Baartman says :

    I did all these steps, including transferring the FSMO roles. Everything looked OK at first. When checking Group Policy, it too looked OK on the surface, but when I checked the SYSVOL folder on the new Windows 2012 domain controller, there was nothing there. I gave it ample time to replicate, if that was needed, but no existing policy folders ever showed up. Group Policies continued to work but stopped after I demoted the older Windows 2003 server. It was almost as if “c:\windows\sysvol” on Server 2012 was actually pointing to “c:\windows\sysvol” on the old Windows 2003 domain controller. Any ideas on what happened or what to do? This was all done in a test environment.

     
    • iSiek says :

      Looks like SYSVOL did not replicate to your new DC. I don’t know what might have gone wrong at this stage.

      Before you demoted 2003 DC, you could initiate non-authoritative SYSVOL restore on your 2012 DC to see if SYSVOL would replicate policies.

      Do you remember your lab configuration? Maybe we could reproduce the issue and track what happened?

       
  30. iVern says :

    Good tutorial, thank you iSiek…

    I hope you don’t mind the following questions:

    – do I need to make the 2012 machine a member of the domain prior to step 1?

    – is there a way to remove an offline backup DC? I’m under the impression that I need to issue the demote command on the backup DC itself…quite difficult if it’s not talking anymore…

    – any additional 2012 server steps for DNS before adding it as a secondary DNS server in the DHCP scope option?

    – any thoughts on running this as a virtual machine on a production environment?

    Thanks again!

     
    • iSiek says :

      Hi, thank you for reading my blog.

      If these questions are still valid, please take a look at the answers below.

      1) No, you don’t have to add your Windows Server 2012 into the domain first. When you want to promote it as a Domain Controller, you may do that without it being a domain member server.

      2) Yes of course it is. You need to do metadata cleanup of it. If you wish you may read an article on my blog for that at http://kpytko.pl/2011/08/29/metadata-cleanup-for-broken-domain-controller/

      3) Nope, if you installed the DNS server role on 2012 too, that’s all. But when you would like to remove the old DC with DNS from the environment, you need to define appropriate forwarders on your new DNS server to allow users to access the Internet.

      4) You can simply run a 2012 Domain Controller in a virtual environment without any issue. This OS has a built-in feature which saves you from USN rollback when restoring from a snapshot (you still should not use that :) just use system state backup for that) but this requires a new-generation hypervisor supporting VM Generation ID (Hyper-V on Windows Server 2012 or VMware ESXi 5.1 at least).

      Regards,
      Krzysztof

       
  31. Pandu POLUAN says :

    Nice, detailed writeup! I have a question, though: I vaguely remember reading somewhere that, for successful integration of 2008 DCs into a 2003 domain, the schema needs to be updated/patched.

    Is it true?

     
    • iSiek says :

      Thank you for reading my blog!

      Yes, exactly, you’re right.
      To introduce any new operating system as a Domain Controller you need to extend the schema once.
      To do that, you need to use the adprep tool included on the install media. Since Windows Server 2012, Microsoft introduced transparent adpreping, which means the whole process is done automatically by the Domain Controller promotion wizard.
      Of course it still requires appropriate privileges to do that – Enterprise Admins or Schema Admins group membership.

       
  32. Daniel says :

    Dear Krzysztof, thanks for your great advice. I need to install 2 new Windows 2012 R2 DCs in a Windows 2008R2 domain. After the installation I will demote the 2008R2 DC. The main problem is that the new DC must have the IP of the old DC. Is it better to change the IP address of the old 2008 DC and install the new 2012 DC with this address, or to install the new 2012 DC with a new address and then switch the addresses? Thanks in advance

     
    • iSiek says :

      Hi Daniel,

      is this still a valid request? If so, please let me know and I will try to help you with that process.

      Below is just a short overview of the steps:

      1) Do not change current DCs configuration
      2) Install and promote new 2012R2 DCs with new IP addresses
      3) Wait for AD database and SYSVOL replication between those new DCs
      4) Transfer FSMO roles
      5) Introduce new time server in your environment
      6) Reconfigure DNS servers and DHCP scopes
      7) Decommission old 2008R2 DCs if everything is working fine
      8) Clean up DNS records for old DC
      9) Replace IP address on one of the new DCs with that previous one

      and in elevated command-line type:

      ipconfig /flushdns
      nltest /dsregdns

      net stop netlogon
      net start netlogon

      or just reboot the DC.

      Verify that it is working, then repeat these steps for the second DC.

      Regards,
      Krzysztof

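After step 9 and the commands listed above, the replaced address should be checked from the other new DC's point of view before the same change is repeated on the second DC. The script below is an added example, not the blog author's code: it performs the same flush, re-registration and Netlogon restart, then queries the peer DNS server for this DC's A record and the DC locator SRV records. The two IP addresses are constructed placeholders; the ActiveDirectory and DnsClient modules (RSAT / Windows Server 2012 R2) are assumed.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# 2012 R2 DC after its IP address was replaced (step 9 above).
# Assumes the ActiveDirectory and DnsClient modules (RSAT / Windows Server 2012 R2).
param(
    [string]$ExpectedIp = '192.0.2.10',   # constructed placeholder: the address taken over from the old DC
    [string]$PeerDns    = '192.0.2.11'    # constructed placeholder: the other new DC, used as DNS server
)
Import-Module ActiveDirectory

$dc        = Get-ADDomainController -Identity $env:COMPUTERNAME
$domainDns = $dc.Domain
$dcFqdn    = $dc.HostName

# The same three actions the reply above lists, without a reboot
ipconfig /flushdns | Out-Null
nltest /dsregdns   | Out-Null           # re-register this DC's SRV/A records in DNS
Restart-Service -Name Netlogon -Force   # net stop / net start netlogon
Start-Sleep -Seconds 15                 # give dynamic registration a moment

$failures = @()

# 1) The host A record, as seen from the peer DNS server, must be the new address only
$aRecords = Resolve-DnsName -Name $dcFqdn -Type A -Server $PeerDns -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
if (-not $aRecords -or $aRecords.IPAddress -notcontains $ExpectedIp) {
    $failures += "A record for $dcFqdn does not resolve to $ExpectedIp (got: $($aRecords.IPAddress -join ', '))"
}
if ($aRecords.IPAddress | Where-Object { $_ -ne $ExpectedIp }) {
    $failures += "Stale A record(s) still present for $dcFqdn; check step 8 (DNS clean-up)"
}

# 2) The DC locator SRV records must list this DC
$srvNames = @("_ldap._tcp.dc._msdcs.$domainDns", "_kerberos._tcp.dc._msdcs.$domainDns")
foreach ($srv in $srvNames) {
    $targets = Resolve-DnsName -Name $srv -Type SRV -Server $PeerDns -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
    if ($targets -notcontains $dcFqdn) { $failures += "$srv does not list $dcFqdn" }
}

# 3) The locator itself should be able to pick a DC; another DC may legitimately win,
#    so this is only reported, not counted as a failure
$locator = nltest "/dsgetdc:$domainDns" /force 2>&1
if (-not ($locator -match [regex]::Escape($dcFqdn))) {
    Write-Warning "nltest /dsgetdc returned another DC; confirm that is expected:`n$($locator -join "`n")"
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    Write-Host 'DNS verification FAILED; fix the records before repeating on the second DC.' -ForegroundColor Red
} else {
    Write-Host "All locator records for $dcFqdn point at $ExpectedIp." -ForegroundColor Green
}
```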
       
  33. Dan says :

    Thank you for your post, just an word: you wrote erroneously windows server 20012 instead of 2012 =)

     
  34. Tomas says :

    Great article!!!
    I added W2012 and promoted it as a DC.. I can see all users in AD on the old and new server too, but on the new server I can't see replicated zones in DNS.. it is empty… I guess that it should replicate from the old DC too. Am I right?
    Any idea??

    thankyou for help

    Tomas

     
    • kpytko says :

      UPDATE

      Discussion was moved to the forum and it is available under this thread

      End of UPDATE

      Hello Tomas,

      I’m sorry for the delayed answer, I was a little bit busy. I hope you could solve the issue, but if not, let’s try to figure this out.
      First of all, I need to know a few things about your environment configuration. Can you tell me please whether this is a single-forest, single-domain environment or a more complex setup?

      Do you know what kind of DNS zones type do you have in your domain?

      In the meantime, please generate 2 log files for me to analyze current situation.

      On your old working DC with DNS, in command-prompt type:

      dnscmd /EnumZones >dns-zones1.log

      dcdiag /e /c /v /f:c:\dcdiag-old.log

      The second command might take some time, so be patient :) and if your environment contains more than 15 DCs in general, please skip the /e switch. It queries every DC in the entire forest.

      Run the same commands on the new DC:

      dnscmd /EnumZones >dns-zones2.log

      dcdiag /e /c /v /f:c:\dcdiag-new.log

      Please attach those logs and send me over e-mail. I will try to help you to solve this problem.
      Thank you in advance

      Regards,
      Krzysztof

       
  35. Eddy Princen says :

    Hello Krzysztof, is it necessary to perform adprep on the Windows 2008 R2 domain controller before adding the 2012 R2 DC? On many sites you see this. Or is this only when you upgrade the existing 2008 DC? It’s not clear to me.

    We have a multisite network with 10 DCs on other locations, all 2008 R2 DCs. Can I add a 2012 R2 DC on the main location and leave the other DCs on 2008 for the moment? Thanks in advance. Great article by the way.

     
    • kpytko says :

      Hello Eddy,

      thank you for asking this good question!

      ADPREP is always required in Active Directory when you want to deploy a Domain Controller based on a newer operating system. In this case, you would like to promote a new 2012R2 DC within a 2008R2 environment. If you did not run adprep manually, the current schema version is 47. That means you cannot use Domain Controllers with an OS higher than 2008R2 in your AD.

      Up to Windows Server 2008R2 you had to adprep the schema manually. Since Windows Server 2012 was released, Microsoft introduced a new feature called transparent adpreping. This means you do not have to execute the tool manually; it is done automatically during promotion of a new DC based on Windows Server 2012 or 2012R2, and of course newer in the future.

      This feature still requires appropriate credentials to successfully prepare your environment. So, during promotion of a Windows Server 2012R2 DC you need to be sure that you have Enterprise Admins and Schema Admins membership to modify the Schema Master, and a Domain Admins user to prepare the Infrastructure Master.

      Another very important thing is to have available connection to Schema Master and Infrastructure master DC(s) to extend schema and prepare infrastructure. Schema needs to be extended only once per entire forest, while each domain needs to have executed adprep for Infrastructure master preparation.

      Your described scenario is good and it will work. You can leave Windows Server 2008R2 Domain Controllers and they will co-operate with 2012R2 DC as well. This will only prevent you from raising Domain Functional Level higher than Windows Server 2008R2.

      If you have more questions, do not hesitate to ask. To get more help, please open a new thread on my forum at http://kpytko.pl/forum under Active Directory -> Domain Services section.

      Thank you for reading my blog!

      Regards,
      Krzysztof

       
  36. Alex says :

    Hello Krzysztof,

    I am a server newbie, so your guides are hugely helpful. I think I know what to do but have a few questions.

    I have a 2003 DC, DFL is 2003 with no option to increase (I just cleaned the old metadata from an old 2003 backup that hit tombstone – nice guide too) and intend to move to 2012 R2 DC. I also have 2008 R2 hosting my hyper-v machines. As I have enterprise versions of 2008 R2, I can have 4 virtual servers per license so I would like to have a 2008 R2 server act as my secondary DC (and other compatible roles – DNS/DHCP?). Will this work? Do I have to move the FSMO roles to the 2012 DC?

    So, if this set up is not a problem, should I add the 2008 R2 DC to the domain first, then add the 2012 R2 DC (eventually to retire the 2003 DC), or should I add the 2012 DC first then the 2008 as secondary? At which stage should I run adprep and on which machines.

    Thanks
    Alex

     
    • kpytko says :

      Hello Alex,

      I’m sorry for delayed answer.
      You mentioned DFL at Windows Server 2003 level, but what is your Forest Functional Level? To be able to implement a Windows Server 2012/2012R2 Domain Controller, you need to have FFL at Windows Server 2003 level. Otherwise, you would only be able to go for a Windows Server 2008R2 Domain Controller.

      If you have set up Windows Server 2003 FFL, you are fine to go with 2012/2012R2 DCs. Of course you can have mix of Domain Controllers based on 2003, 2008, 2008R2, 2012 and 2012R2. Just your schema version needs to be at proper version. Please in the meantime check this article on my blog at http://kpytko.pl/active-directory-domain-services/schema-version/

      For now, I suppose you have it at 30/31 version. If you promote the first Windows Server 2012/2012R2 DC, schema will be extended transparently during that process (of course Enterprise and Schema Admins membership is required). After that you would be also able to promote 2008R2 DC.

      The above case is the best method because you don’t have to manually extend the schema and you are allowed to promote 2008/2008R2/2012/2012R2 DCs (depending on which 2012 you use). If 2012 R1, then you cannot use 2012R2, but this is not a problem because the schema will be extended again during the promotion process.

      If you do not want to go that way, you need to extend the schema version manually with 2008/2008R2 and after that start with 2012/2012R2. There is of course nothing wrong in this case, but much more administrative work :)

      I hope I could clarify that for you. If you have additional questions, do not hesitate to ask.

      Regards,
      Krzysztof

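The two replies above (to Eddy and to Alex) describe what the promotion wizard needs before it can extend the schema transparently: FFL at least Windows Server 2003, the right schema objectVersion, Enterprise/Schema/Domain Admins membership, and a reachable Schema Master and Infrastructure Master; comment 22 adds the Remote Registry caveat. The script below is an added example, not the blog author's code, that checks all of these from an existing machine before the 2012/2012 R2 promotion is started. It assumes the ActiveDirectory module (RSAT) and Test-NetConnection (Windows 8.1 / Server 2012 R2 or later); the objectVersion table is Microsoft's published list.

```powershell
# Added example, not from the original post. Run as the account that will perform
# the promotion, on a domain-joined machine with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Schema objectVersion values per OS, as published by Microsoft
$schemaByVersion = @{
    13 = 'Windows 2000 Server'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'; 69 = 'Windows Server 2012 R2'
}

$forest  = Get-ADForest
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE
$schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
$version = [int]$schema.objectVersion
$issues  = @()

# 1) Forest Functional Level must be at least Windows Server 2003 (see Prerequisites)
$minFfl = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
if ([int]$forest.ForestMode -lt $minFfl) {
    $issues += "FFL is $($forest.ForestMode); raise it to Windows2003Forest or higher first"
}

# 2) Schema: 69 means the 2012 R2 adprep already ran; lower means the wizard will extend it
$schemaOs = if ($schemaByVersion.ContainsKey($version)) { $schemaByVersion[$version] } else { 'unknown' }
Write-Host "Schema objectVersion $version ($schemaOs); DFL $($domain.DomainMode), FFL $($forest.ForestMode)"
if ($version -lt 69) { Write-Host 'The promotion wizard will run forestprep/domainprep transparently' }

# 3) Group membership the transparent adprep needs (forest groups live in the root domain)
$me = Get-ADUser -Identity $env:USERNAME
$groups = @{ 'Enterprise Admins' = $forest.RootDomain; 'Schema Admins' = $forest.RootDomain
             'Domain Admins'     = $domain.DNSRoot }
foreach ($g in $groups.GetEnumerator()) {
    $members = Get-ADGroupMember -Identity $g.Key -Server $g.Value -Recursive |
               Select-Object -ExpandProperty distinguishedName
    if ($members -notcontains $me.DistinguishedName) { $issues += "$env:USERNAME is not a member of $($g.Key)" }
}

# 4) Schema Master (forest-wide, once) and Infrastructure Master (per domain) must answer
#    on LDAP and WMI; the wizard reads the FSMO holders through WMI, and the Remote
#    Registry caveat from comment 22 is checked on the same query
$roles = @{ 'Schema Master' = $forest.SchemaMaster; 'Infrastructure Master' = $domain.InfrastructureMaster }
foreach ($role in $roles.GetEnumerator()) {
    if (-not (Test-NetConnection -ComputerName $role.Value -Port 389 -InformationLevel Quiet)) {
        $issues += "$($role.Key) $($role.Value) is not reachable on TCP 389"
    }
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $role.Value `
                         -Filter "Name='RemoteRegistry'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        $issues += "WMI query to $($role.Value) failed (compare the 'Access is denied' adprep error)"
    } elseif ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running' -or
              $svc.StartName -ne 'NT AUTHORITY\LocalService') {
        $issues += "Remote Registry on $($role.Value): StartMode=$($svc.StartMode) State=$($svc.State) LogOn=$($svc.StartName)"
    }
}

if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    Write-Host 'Not ready to promote a 2012/2012 R2 DC yet' -ForegroundColor Red
} else {
    Write-Host 'Prerequisites look good; the promotion wizard can extend the schema' -ForegroundColor Green
}
```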
       
      • Alex says :

        Krzysztof,

        No worries for the delay, we all have other work to do 😉

        I said I was a newbie…I right-clicked on the domain name as per the image (hence only DFL info), not on “Active Directory…” for the FFL. Done that now, and surprise! FFL is Windows 2000. I have a vague recollection of being asked about mixed mode (we moved from NT to 2000 to 2003) when the Win2003 server was added way back when, and probably panicked and accepted the default.

        So, first thing will be to elevate FFL to 2003, correct? Is there any major risk to do this on production system?

        As you indicate that once at FFL/DFL 30 (R1 version), I can add the 2012R2 DC into the domain without needing to run ADPREP as this is done automatically, correct?

        I will move the FSMO roles to the 2012R2 DC after the AD and SYSVOL have replicated? How do I tell when replication is completed?

        I will also need to move the DNS and DHCP servers to the new 2012R2 DC (and backup DC), if I add the roles to the new DC does it replicate automatically?

        When I retire the 2003 server do I use DCPROMO to remove it (run from the 2003 DC I guess)? If so, does this also remove the DNS and DHCP roles? Is DNS/DHCP cleaned of old IP numbers or do I remove them manually like when cleaning a tombstoned DC?

        Thanks for your time and assistance.

        Regards
        Alex

         
  37. Thy Fere says :

    Hi Krzysztof,

    First, and foremost, how do you pronounce your name Krzysztof and what does it mean? It’s fun to know about the names and correct pronunciation.

    I have added my first Windows Server 2012 domain controller among Windows Server 2008 R2 domain controllers by following your article. Thanks a lot for this. Now, I want to move my DHCP, Schema and Infrastructure FSMO roles and time server to this new server. There are a couple of reasons: first, it’s the only physical box; second, we have a plan to decommission our Windows Server 2008 R2 DCs soon.

    Do you recommend doing this? Do you see any issue in this plan? If you have any documentations handy in this regard, please share; otherwise, no worries, I will find.

     
  • Chris Wanamaker says :

    We have a domain network that was FFL/DFL 2000 with a 2000 Server and 2003 Server. We need to upgrade them to 2012. We demoted the 2000 Server and upgraded the FFL/DFL to 2003. We’re trying to add the 2012 Server and keep getting the error: Adprep could not retrieve data from the server through WMI – Access is denied. We’ve followed a number of tutorials on the internet about making sure that the person authorizing the promotion is part of the Enterprise and Schema groups – but we still can’t get this to work. Any ideas?

     
    • kpytko says :

      Hello Chris,

      could you tell me please a little bit more about this environment and its configuration:

      • how many Sites and Site links are there
      • Subnets configuration
      • Firewall configuration
      • how many Domain Controllers are there
      • in the meantime please provide me logs from the below commands executed on the DC with FSMO roles to my e-mail at kpytko at go2 dot pl

      repadmin /showrepl /intersite /all /verbose >c:\repadmin.log
      dcdiag /e /v /f:c:\dcdiag.log (if you have more than 15 DCs and more than 2 domains, please remove the /e switch from the syntax)

      Thank you in advance and talk to you later.

      Regards,
      Krzysztof

       
  • Eagle says :

    Excellent article!!! Very informative even with the comments below. My question is, would my ancient Exchange 2003 still work under my current 2003 DFL/FFL after I have introduced a 2012 domain controller in? Thanks.

     
  • UHM says :

    A Simple Question:

    We have 2 DC running 2003, suppose I added additional 2012 DC, but kept the FSMO on the old 2003 DC.

    – Now can I benefit from this new 2012 DC server in terms of users management, GPO,etc.. ?
    so exactly what will force me to transfer FSMO and decommission the old DC?

    – Also suppose FSMOs were transferred to the new 2012 server, can the old 2003 still be used as additional DC?

    Thanks,

     
  • Ajay Bhat says :

    You have not mentioned about upgrading sysvol replication, because sysvol is a folder shared by domain controller to hold its logon scripts, group policies and other items related to AD.

     