Microsoft’s new baby in their server family is Windows Server 2008. The Windows Server® 2008 operating system ease operation of IT administrator and enterprise IT planner and designer. Windows 2008 Active Directory got improved roles, AD domain services, federation services, AD rights management services, compliances and BPA. Its time to shift to Windows 2008 Active Directory. In this article, I will show how to migrate from windows 2003 AD to windows 2008 AD.
On Windows Server 2003 DC, insert the Windows Server 2008 DVD, then open command prompt and change directory to d:\sources\adprerp directory. Here D:\ is my dvd rom drive. In your case do as appropriate. note: you need to log on to windows 2003 domain controller as enterprise admin to run these command.
Now run following command adprep/ forestprep 
After finishing forestprep run adprep/ domainprep
adprep/ rodcprep (Optional)
Install windows 2008 server and promote windows 2008 server as additional domain controller in windows 2003 forest
This is a trial version of windows 2008, I do not find any necessity to mention any cd key for this article. If you have proper cd key, you can mention here.
Windows 2008 will ask you to reset password for the first time. note: password complexity is enabled by default.
Now you have completed installing Windows 2008 machine. Log on as an administrator. Add active directory role in windows 2008 server. follow the screenshot as shown below
Mention your existing domain name, provide domain admin credentials to add this server to domain.
A restore password is required in case you need to restore AD.
Now restart windows 2008 server. It takes few minutes to replicate all AD container, AD object and DNS records. I would prefer to wait more then hours and see all the records are available in windows 2008 active directory. or you can force replicate all record if necessary.
Now transfer all the FSMO roles from windows 2003 AD domain controller to windows 2008 AD domain controller. Log on to windows 2003 domain controller as enterprise admin. open command prompt type as follows:
ntdsutil
roles
connections
connect to server WIN2008SERVERNAME
q
Transfer domain naming master
Transfer PDC
Transfer Schema Master
Transfer RID master
Transfer infrastructure master
Now you are ready to demod windows 2003 domain controller. log on to windows 2003 domain controller as domain admin . Open AD sites and services from administrative tools, expand default first site name, expand windows 2003 domain controller, right click on NTDS settings and go to properties. uncheck global catalog, click ok.
open run from start menu type dcpromo
LEAVE THIS ABOVE BOX UNCHECKED, this will enable windows 2003 domain controller transfer all AD database to windows 2008 domain controller.
Click next, provide password and follow next prompt, wait until demotion completed. Restart…. That’s all.
Blog by Raihan Al-Beruni 
HI, Thats a very good Step by Step, thanks for the efforts put in for this..
I have some questions
1) Are the steps same for domain having exchange 2003 part of it.
2) are the steps same for migrating 2003 32 bit to 2008 r2 64 bit.
3) what will be impact on 2003 site to site trust relationships
4) will all the user & passwords, policies, login scripts,etc. will be migrated or extra steps are involved in it.
have to upgrade my domin 2003 32 bit (also a file server) to 2008 r2 64 bit with exchange 2003 sp2 32 bit, to exchange 2010 64 bit. sharepoint 2007 32 bit to 2010 64 bit
phew thats lot of work nd mental pressure
thanks in advance
LikeLike
Hi,
when i given command adprep /forestperp on windows 2003 r2 server. it give error the system cannot execute the specified program.
please help
LikeLike
use adprep32.exe for 32 bit DC servers
LikeLike
HI, Thats a very good Step by Step, thanks for the efforts put in for this..
I have some questions
1) Are the steps same for domain having exchange 2003 part of it.
2) are the steps same for migrating 2003 32 bit to 2008 r2 64 bit.
3) what will be impact on Domain 2003 site to site trust relationships
4) will all the user & passwords, policies, login scripts,etc. will be migrated or extra steps are involved in it.
have to upgrade my domin 2003 32 bit (also a file server) to 2008 r2 64 bit with exchange 2003 sp2 32 bit, to exchange 2010 64 bit. SharePoint 2007 32 bit to 2010 64 bit
phew!!! that’s gonna be lot of work and mental pressure
thanks in advance
LikeLike
Yes lot of work to do.
1) Yes. if you have Exchange 2003 and you to upgrade exchange to 2010 you will follow the steps to upgrade AD.
2) Yes.
3) Trust relationship will be valid for other sites having win2k3 DC.
4)User, password, policies will migrate. no further steps required
Once you have completed transition of AD. Do not raise Forest functional level to win2k8 native you will do this after exchange 2010 transition. Exchange 2010 & 2003 can co-exist.
Step1: Transition AD from 2k3 to 2k8 with forest level 2k3
Step2: follow this http://microsoftguru.com.au/2009/10/29/transitioning-from-exchange-server-2003-to-exchange-server-2010-step-by-step/
Step3: Remove Exchange 2003
step4: raise Forest functional to win2k8 Native
Step5: Transition Sharepoint
Hope this help. feel free to contact again. Thanks for visiting my site.
LikeLike
This is an excellent step-by-step. However I can’t seem to get DNS examination part. It said domain name cannot be contacted.
LikeLike
I’ve also faced the same problem
LikeLike
This is an excellent step-by-step. However I can’t seem to get DNS examination part. It said domain name cannot be contacted.
LikeLike
Current my 2003 DC holds the Schema Master and Domain Naming Master, but my Exchange 2003 Server holds the PDC, RID, and Infrastructure.
Can I still move all FSMO (5) to my new Windows 2008 DC and no problems with my 2003 Exchange Server?
LikeLike
yes you can move all FSMO role without any trouble at all. Exchange contact GC server to get all the information it needs. Make win2k8 server GC and wait for replication. in short no problem migrating fsmo
LikeLike
Good tutorial, however, I had to use adprep32 in order to get the command to run. Just thought I might add that in case anyone had trouble simply getting adprep to run.
LikeLike
While transferring roles we are getting error “This computer is a non-replication partner. Do you want to continue wit the transfer.” and asking to forcebly transfer the roles.. Is it save to continue with or what steps needs to be taken?
LikeLike
I already performed the first phase, and ready for the transfer of the FSMO roles, but I had to make the new W2K8 the new DHCP by transferring the DHCP setting and activating the Role. DNS seems to be okay, but what about Printing Services, I guess that I have to recreate the PrintServer? Can you elaborate on that transition. Great document.
LikeLike
Hi Raihan,
Really very nice and complete step-by-step guide.
I have few queries and suggestions from you.
We have two offices in two cities Pune and Mumbai, Pune is main hub location and Mumbai is branch office.
Pune Office setup (Hub location) – 100 Users: Leased Line Internet connection ( 3Mbps)
1) Windows 2003 R2 Active Directory server
2) Mail (Sendmail – Linux)
3) FTP Server (Linux) ( Pune ADS integration )
5) File server(Linux) ( Pune ADS integration )
6) Open Fire Chat server ( Pune ADS integration )
Mumbai Office (Branch Office-30 Users) : 4 Mbps DSL Internet connection
1) Windows 2008 R2 Active Directory Server
—————–
Presently there is no connection between both the above Active Directories. But offices are connected using site to site IPSec VPN using firewall’s.
Some users are traveling between both offices on a regular basis. All the above servers are at hub location and having access to all users including branch office.
We want to achieve following goals :
1) Upgrade/Migrate existing windows 2003 active directory server to Windows 2008 R2 64 bit server on better and new server hardware.
2) Want to create a central user database for Pune and Mumbai offices, So one user can avail on both location.
3) How can I change or convert branch office Win 2008 R2 Active Directory server to Read Only Domain Controller and it will be part of New Active Directory Server of Pune office.
I need your help and suggestions to achieve the above goals.
Thank you for the nice post.
Regards,
Santosh Yadav
LikeLike
Install Win2k8 R2 in Pune
Promote as PDC and Other FSMO Roles
Demote old 2003 DC
Allow DNS and LDAP protocol over IPSEc VPN for Mumbai office
Install Win2k8 R2 in Mumbai
Promote as a RODC in Mumbai (http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx)
Migrate users from Mumbai to DC in Pune using http://www.microsoft.com/download/en/details.aspx?id=17488
You are good to go now.
LikeLike
When I try to demote my old w2k3 at the last fase of the steps it gives an error that i need to remove my Certification Services, yet how do i this?
Thanks in advance
LikeLike
do you have certificate services installed in Domain controller? backup CA and install a separate CA. than demot
LikeLike
I have a single forest and single domain and 4 sites with 2 dc each the FSMO roles are available in one site however GC is configured in every site. I have exchange 2010 and lots of application intergrated with AD.
can you please guide me to the process of upgrade to win2008 active directory.
does the upgrade impact the integrated application with AD. if yes can you please tell me how can I take care of the application that integrated with AD.
does the upgrade impact the exchange envirnoment.
LikeLike
Hi Raihan,
Thanks for the step by step procedures….
I have some quires in the migration process….for our infrastructure…or please propose the proper upgrade procedure for migration/upgrade from 2k3 to 2k8 DC.
We have 30 DCs across few countries.These DCs are integrated with DNS role.Some have DHCP & file print server role.
So here we have to upgrade DCs with few existing roles and few will be fresh 2008 DCs.
here Schema is already extended for forest as root domain is running on win 2k8.
we have to upgrade our exchange envt from 2003 to 2010 also.
a.local
|
|
b.a.local , g.a.local ………………x.a.local
|
target.b.a.local
this is the forest structure of our AD…
We have only rights on target.b.a.local
a.local is already in win2k8 DC role
we have to upgrade target.b.a.local DCs from win2K3 to win2K8 DCs.
Please suggest the best approach of upgrade process.
LikeLike
good articles,keep it up
LikeLike
I must say here that Raihan Al-Beruni has done a marvelous job. Thumbs up to you buddy.
LikeLike
Thanks Raihan for the very useful step by step guide, however can you guide me with the following. the aim to migrate to windows 2008
Existing setup.
7 sites with 2 DC each win2k3.
Exchange 2010 available and lots of other application connected
how can I migrate to windows 2008 and should I follow the same steps above since I have exchange 2010 and lots of other application.
finally what is the impact on the application that integrated with AD 2k3
Thank you very much in advance
LikeLike
This is very usefull for me, thanks. I have a problem using DCPROMO, it nags about dns not able to reach. I figured out that dns should be point to the new server and not the old one. In DHCP setup of the new server, dns is all fine and all computers in the network can be reached properly.
LikeLike
Hi,
We have two domian(abc.test.com and xyz.test.com) and 8 DC,each site have both domian dc.
currently OS of all Dc’s is win 2003 R2 and FFL=win 2000,DFL=win 2000 native.
I want to upgrade the dc into win 2008 R2 so please can you tell me what i have to do step by step.
LikeLike
sorry i forgot to share no of site.
3 sites
LikeLike
Dear Sir
I step by step to do it. when I dcpromo remove Old AD, it have error.
Old AD can not rejoin Domain, if I use Dcpromo / foXXXXXX. it can remove. But New AD can not running. I make sure FSMO is migrated. and DNS is working,
and then I find out Sysvol have not file.
Do you have any suggest to fix the problem?
Old Server: 03 SVR STD + Exchange 2003
New Server: 08 R2 64bit
Thanks
Eric
LikeLike
Very good job dude. Thanks for this useful guide.
There two missing parts which can be included in this document which are my questions too. They are:
1. Post Migration steps: What should be done (i.e. changing IP’s, DHCP, DNS, etc.)? When and how should be done? Do we need to do these before demoting the source server?
2. Testing the Migration: How can I make sure that the migration has been successful before demoting the source/old server?
thank you
LikeLike
1. Since DC changed. What: Change your DHCP configuration. Change DNS record in all servers. When immediately changing to new. do it before demoting old DC.
2. run netdom query fsmo and http://microsoftguru.com.au/2009/09/01/active-directory-health-check/ , http://microsoftguru.com.au/2011/05/28/microsoft-active-directory-best-practice/ and http://microsoftguru.com.au/2012/07/29/microsoft-active-directory-best-practice-part-ii/
LikeLike
Thanks for the prompt reply.
What do you mean by “Change DNS record in all servers.”? Do you mean the IP configurations in member servers?
LikeLike
You need to change primary DNS record in all member servers. your new Doamin controller should point itself as primary DNS server.
LikeLike
I am in process of migrating existing 32 bit code to 64 bit. Currently this application is working with windows 2k3 server ADDS. When I upgrade/migrate to 64 bit win 2k8server ADDS, what implications will it have on my 64 bit code? Will there be any changes required etc to connect and make it work?
LikeLike
nope. just follow the link.
LikeLike
Hi i need help urgently followed the steps above to replace our old dc. Demoted the old one and took it offline as its not needed anymore but I cannot edit group policies I get an error message that Says i might not have sufficient privileges and that the path cannot be found. I can however create new polices but when I try to do gpupdate I get an error message again that polices can’t be updated. Tried to force update but that didn’t help either. Thank u in advance
LikeLike
what privileges you have in new domain controller? Are you are domain admin? Please check FSMO roles in new server? does new server has five roles? type netdom query fsmo to see fsmo roles.
LikeLike