
Migration of Windows Server 2003 to Windows Server 2008

1. Raise Domain Functional Level
2. Prepare your current Windows 2003 Active Directory for Windows Server 2008 domain controllers.
3. Then, we will need to set up the server ELMAJ-DC2K8 as an additional domain controller; read my previous article Setting Up an Additional Domain Controller With Windows Server 2008 to know the steps required to set up an additional domain controller.
4. Transfer FSMO roles to the Windows Server 2008 Domain Controller

So let's start:
1. Raise Domain Functional Level

We need to configure the domain to run in native mode. This is done as follows:

On the Windows Server 2003 Domain Controller, run the Active Directory Users and Computers snap-in by clicking on Start > Administrative Tools > Active Directory Users and Computers

Right click the Domain Name node, then click on Raise Domain Functional Level

If you have Windows 2000 Active Directory domain controllers, then choose Windows 2000 native. If you do not have any Windows 2000 Active Directory domain controllers and all of your domain controllers are Windows Server 2003, then choose Windows Server 2003. I don't have any Windows 2000 Active Directory domain controllers, so using the drop down list, I will select Windows Server 2003 and then click the Raise button.

A warning message will be displayed, informing you that the changes cannot be reversed.
Click OK

A confirmation message will be displayed stating that the functional level was raised
successfully. Click OK

Close the Active Directory Users and Computers snap-in

2. Prepare current Windows 2003 Active Directory

Before you can have a 2008 server domain controller in your existing 2003 domain, we will need to prepare both the Forest level and the Domain level. This is done by running the following commands on the Windows Server 2003 Domain Controller.

Insert the Windows Server 2008 DVD into the Windows Server 2003 DVD drive

Open Command Prompt by clicking on Start > Run > type CMD > click OK

Type D:\sources\adprep\adprep /forestprep (where D: is the drive of your Windows 2008 DVD)

Press Enter

Read the warning message. In my lab I don't have any Windows 2000 Active Directory Domain Controllers, so I can simply skip this by typing C and then pressing Enter. Otherwise, quit the Forest Preparation step and upgrade the Windows 2000 Active Directory Domain Controller(s) to SP4, then run forestprep again.

After Forest preparation is completed successfully, run the Domain preparation command.
Inside CMD, type D:\sources\adprep\adprep /domainprep (where D: is the drive of your Windows 2008 DVD)
If you have not raised the Domain Functional Level from Windows 2000 Mixed to Windows 2000 Native or Windows 2003, as was illustrated earlier in step # 1, then you will receive the following error message after you run the domainprep command:

If you did raise the domain functional level, adprep will successfully update the domain-wide information.

Although adprep /domainprep will update the domain-wide information, you can still
run the last command adprep /domainprep /gpprep
Inside CMD, type D:\sources\adprep\adprep /domainprep /gpprep (Where D: is the
drive of your Windows 2008 DVD)

As you can see, domain-wide information was already updated when we ran the domainprep command, so no Group Policy Object (GPO) updates are needed, or the GPO information has already been updated.
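Before promoting the new server, it is worth confirming that the schema change written by adprep /forestprep has replicated to every existing domain controller. The following PowerShell check is an added example, not part of the original article; it reads the schema objectVersion (44 for Windows Server 2008) from each DC in the current domain. It assumes PowerShell 2.0 or later on a domain-joined machine, and the function and variable names are illustrative.

```powershell
# Added example, not from the original article.
# Assumes PowerShell 2.0+ on a domain-joined machine, run as a domain user.
$ExpectedSchemaVersion = 44   # objectVersion set by Windows Server 2008 adprep /forestprep

function Get-SchemaVersionPerDC {
    param([int]$Expected = $ExpectedSchemaVersion)

    # Locate the schema partition (CN=Schema,CN=Configuration,DC=...)
    $schemaNC = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    foreach ($dc in $domain.DomainControllers) {
        $version = $null
        try {
            # Bind to this DC's own replica so a stale copy is not masked
            $schema  = [ADSI]"LDAP://$($dc.Name)/$schemaNC"
            $version = [int][string]$schema.objectVersion
        } catch {
            Write-Warning "Could not read schema from $($dc.Name): $_"
        }
        New-Object PSObject -Property @{
            DomainController = $dc.Name
            SchemaVersion    = $version
            Updated          = ($version -ge $Expected)
        }
    }
}

$results = @(Get-SchemaVersionPerDC)
$results | Format-Table DomainController, SchemaVersion, Updated -AutoSize

# Any DC still on the old schema means replication has not finished
$stale = @($results | Where-Object { -not $_.Updated })
if ($stale.Count -gt 0) {
    Write-Warning "Schema update has not reached $($stale.Count) DC(s); wait for replication before running dcpromo."
}
```
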
To set up an Additional Domain Controller, I will use the dcpromo.exe command.
1. To use the command, click on Start > Run > and then write dcpromo > Click OK

2. The system will start checking if the Active Directory Domain Services (AD DS) binaries are installed, then will start installing them. The binaries may already be installed if you had run the dcpromo command previously and then canceled the operation after the binaries were installed.

3. The Active Directory Domain Services Installation Wizard will start. Either enable the checkbox beside Use Advanced mode installation and click Next, or keep it unselected and click Next

4. The Operating System Compatibility page will be displayed, take a moment to read it and click Next

5. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain
controller to an existing domain, and then click Next.

6. On the Network Credentials page, type your domain name, my domain name is
elmajdal.net ( was set in the previous article ) , so I will type elmajdal.net.

7. To set up an Additional Domain Controller, you will need an account that must be either a
member of the Enterprise Admins group or the Domain Admins group. We have two
options:

My current logged on credentials (DomainName\Username or MachineName\Username)

Alternate credentials

If you have previously joined this server to the domain and you are currently logged in to it with an Enterprise Admin/Domain Admin user, then you can use the first option (My current logged on credentials). As you can see, this option is grayed out here, and the reason for this is shown below it: I'm currently logged in with a local user, and the machine is not a domain member. I'm left with the second option: Alternate credentials

8. To enter the Alternate credentials, click Set. In the Windows Security dialog box, enter the
user name and password for an account that must be either a member of the Enterprise
Admins group or the Domain Admins group > then click Next.

If you have entered a wrong username/password , you will receive the following error message

9. On the Select a Domain page, select the domain of the Additional Domain Controller, and
then click Next, as I already have only one domain, then it will be selected by default.

10. On the Select a Site page, either enable the checkbox beside Use the site that
corresponds to the IP address of this computer, this will install the domain controller
in the site that corresponds to its IP address, or select a site from the list and then click
Next. If you only have one domain controller and one site, then you will have the first option grayed and
the site will be selected by default as shown in the following image

11. On the Additional Domain Controller Options page, By default, the DNS Server and Global
Catalog checkboxes are selected. You can also select your additional domain controller to be a Read-only
Domain Controller (RODC) by selecting the checkbox beside it.
My primary domain controller is a DNS Server as well, and this can be verified by reading the additional information written in the below image, that there is currently 1 DNS server that is registered as an authoritative name server for this domain. I do want my Additional DC to be a DNS server and a Global Catalog, so I will keep the checkboxes selected. Click Next

12. If you select the option to install DNS server in the previous step, then you will receive a message that
indicates a DNS delegation for the DNS server could not be created and that you should manually create a
DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional
domain controller in either the forest root domain (or a tree root domain) , you do not need to create the
DNS delegation. In this case, you can safely ignore the message and click Yes.

13. In the Install from Media page (it will be displayed if you have selected Use advanced mode installation on the Welcome page; if you didn't select it, then skip to step # 15), you can choose to either replicate data over the network from an existing domain controller, or specify the location of installation media to be used to create the domain controller and configure AD DS. I want to replicate data over the network, so I will choose the first option > click Next

14. On the Source Domain Controller page of the Active Directory Domain Services Installation Wizard, you
can select which domain controller will be used as a source for data that must be replicated during
installation, or you can have the wizard select which domain controller will be used as the source for this
data. You have two options :

Let the wizard choose an appropriate domain controller

Use this specific domain controller

If you want to choose from the list, any domain controller can be the installation partner. However, the
following restrictions apply to the domain controllers that can be used as an installation partner in other
situations:

A read-only domain controller (RODC) can never be an installation partner.

If you are installing an RODC, only a writable domain controller that runs
Windows Server 2008 can be an installation partner.

If you are installing an additional domain controller for an existing domain, only a
domain controller for that domain can be an installation partner.

15. Now you will have to specify the location where the domain controller database, log files and SYSVOL are stored on the server.
The database stores information about the users, computers and other objects on the network. The log files record activities that are related to AD DS, such as information about an object being updated. SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system files in the Windows directory.
Either type or browse to the volume and folder where you want to store each, or accept the defaults and click on Next

Note : Windows Server Backup backs up the directory service by volume. For backup
and recovery efficiency, store these files on separate volumes that do not contain
applications or other nondirectory files.

16. In the Directory Services Restore Mode Administrator Password (DSRM) page, write a password and confirm it. This password is used when the domain controller is started in Directory Services Restore Mode, which might be because Active Directory Domain Services is not running, or for tasks that must be performed offline.

Make sure the password meets the password complexity requirements of the password policy, that is, a password that contains a combination of uppercase and lowercase letters, numbers, and symbols. Otherwise you will receive the following message:

17. The Summary page will be displayed, showing you all the settings that you have set. It gives you the option to export the settings into an answer file that can be used to automate subsequent AD DS operations. If you wish to have such a file, click on the Export settings button and save the file. Then click Next to begin the AD DS installation

18. Active Directory Domain Services installation will be completed, click Finish, then click on Restart Now
to restart your server for the changes to take effect.

Open Active Directory Users & Computers, and then click on the Domain Controllers Organizational
Unit, and you will see your Additional Domain Controller along with your Primary Domain Controller.

To set an additional Domain Controller as a Global Catalog Server, follow the below steps:
1. Open Active Directory Sites and Services, click Start > Administrative Tools > then
click Active Directory Sites and Services.

2. From the left side pane, expand Sites > Default-First-Site-Name ( If you have renamed
the Site name, then this name will reflect your Site name) > Servers > Domain
Controllers .

3. Now expand the Windows Server 2008 that you want to set as a Global Catalog and right
Click its NTDS Settings then click on Properties

4. Under the General tab, there is a checkbox beside Global Catalog. If it is unselected, then this Domain Controller is not a Global Catalog. If you do want to set it as a Global Catalog server, then select this checkbox and click on Apply then OK. The time it takes for the Global Catalog to replicate itself throughout the forest depends on your Active Directory infrastructure.

5. Close Active Directory Sites and Services and then restart the Domain Controller.

Using Active Directory Schema snap-in to transfer the Schema Master role
You have to register schmmgmt.dll in order to be able to use the Active Directory Schema snap-in

1. Click Start > Run, type regsvr32 schmmgmt.dll

2. Click OK

A popup message will confirm that schmmgmt.dll was successfully registered. Click OK
3. Click Start > Run, type mmc, then click OK

4. Click File > then click Add/Remove Snap-in...

5. From the left side, under Available Snap-ins, click on Active Directory Schema, then click Add > and then click OK

6. Right click Active Directory Schema, then click Change Active Directory Domain Controller...

7. From the listed Domain Controllers, click on the domain controller that you want to be the schema master role holder and then click on OK

You will receive a message box stating that the schema snap-in is not connected to a
schema operations master. That is for sure, as we have not yet set this Windows Server
2008 domain controller as a Schema Master role holder. This will be done in the next
step. Click OK

8. In the console tree, right click Active Directory Schema [DomainController.DomainName], and then click Operations Master...

9. On the Change Schema Master page, the current schema master role holder will be displayed (ex. ELMAJ-DC.ELMAJDAL.NET) and the targeted schema holder as well (ex. ELMAJ-DC2K8.ELMAJDAL.NET). Once you click Change, the schema master holder will become ELMAJ-DC2K8.ELMAJDAL.NET. Click Change

Click Yes to confirm the role transfer

The role will be transferred and a confirmation message will be displayed. Click OK

Then click Close, as you can see in the below snapshot, the current schema master is
ELMAJ-DC2K8.ELMAJDAL.NET

Using Active Directory Domains and Trusts snap-in to transfer the Domain Naming Master Role

Click Start > Administrative Tools > then click Active Directory Domains and Trusts

1. Right click Active Directory Domains and Trusts, then click Change Active Directory
Domain Controller...

2. From the listed Domain Controllers, click on the domain controller that you want to be
the Domain Naming master role holder and then click on OK

3. Right click Active Directory Domains and Trusts, then click Operations Master...

4. On the Operations Master page, we are going to change the Domain Naming role holder
from ELMAJ-DC.ELMAJDAL.NET to ELMAJ-DC2K8.ELMAJDAL.NET, Click
Change

5. Click YES to confirm the transfer of the Domain Naming role

The role will be transferred and a confirmation message will be displayed. Click OK ,
then click Close

Till now, we have successfully transferred two FSMO roles, the Schema Master role and the
Domain Naming role. The last three roles can be transferred using a single Snap-in.

Using Active Directory Users and Computers snap-in to transfer the RID Master, PDC Emulator,
and Infrastructure Master Roles

1. Click Start > Administrative Tools > then click Active Directory Users and
Computers

2. Right click Active Directory Users and Computers, then click All Tasks > Operations
Master...

3. You will have three Tabs, representing three FSMO roles (RID, PDC, Infrastructure).
Click the Change button under each of these three tabs to transfer the roles.
4. Click Yes to confirm the role transfer

The role will be transferred and a confirmation message will be displayed. Click OK

As for the Infrastructure role, once you click on the Change button you will receive the
below message

By default, when you install your first Domain Controller, it holds the five roles and is also a Global Catalog. If your environment is a multi-domain forest, then you should think about structuring your FSMO roles and transfer the Infrastructure role to a non-Global Catalog domain controller. Otherwise, if you have a small number of domain controllers (ex. two domain controllers), then you should not worry about this. Click Yes

5. The tabs should now look like this:

That's it, by now, you have successfully transferred the five FSMO roles to the Windows Server
2008 Domain Controller.
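
To confirm the result without opening three snap-ins, the five role holders can be read back through the .NET directory classes. This PowerShell script is an added example, not part of the original article; it compares each holder with the target ELMAJ-DC2K8.ELMAJDAL.NET named above and also checks the Infrastructure Master placement rule discussed for multi-domain forests. It assumes PowerShell 2.0 or later on a domain-joined machine, and the function and variable names are illustrative.

```powershell
# Added example, not from the original article.
# Assumes PowerShell 2.0+ on a domain-joined machine.
$ExpectedHolder = 'ELMAJ-DC2K8.ELMAJDAL.NET'   # target DC named in the article

function Test-FsmoTransfer {
    param([string]$Expected = $ExpectedHolder)

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # Two forest-wide roles and three domain-wide roles
    $holders = @{
        'Schema Master'         = $forest.SchemaRoleOwner
        'Domain Naming Master'  = $forest.NamingRoleOwner
        'RID Master'            = $domain.RidRoleOwner
        'PDC Emulator'          = $domain.PdcRoleOwner
        'Infrastructure Master' = $domain.InfrastructureRoleOwner
    }
    foreach ($role in $holders.Keys) {
        New-Object PSObject -Property @{
            Role     = $role
            Holder   = $holders[$role].Name
            OnTarget = ($holders[$role].Name -eq $Expected)   # -eq ignores case
        }
    }

    # Placement check: only matters in a multi-domain forest where
    # at least one DC in this domain is not a Global Catalog.
    $infra = $domain.InfrastructureRoleOwner
    $nonGc = @($domain.DomainControllers | Where-Object { -not $_.IsGlobalCatalog() })
    if ($forest.Domains.Count -gt 1 -and $infra.IsGlobalCatalog() -and $nonGc.Count -gt 0) {
        Write-Warning "Infrastructure Master $($infra.Name) is a Global Catalog in a multi-domain forest."
    }
}

$report = @(Test-FsmoTransfer)
$report | Format-Table Role, Holder, OnTarget -AutoSize

# Roles left on another DC would be lost if that DC were decommissioned
$missed = @($report | Where-Object { -not $_.OnTarget })
if ($missed.Count -gt 0) {
    Write-Warning "$($missed.Count) role(s) are not held by $ExpectedHolder."
}
```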
