Replacing 2000 DC with a 2008 DC

Question

We currently have a 2000 DC and a 2003 DC. We want to remove the 2000 DC completely and replace it with a 2008 DC. Can we promote the 2008 DC using the 2003? I believe i've read you can not from a 2000 server? Any insight here very helpful.

Answer 1

You can't perform an in-place upgrade of the operating system from Windows 2000 to Windows 2008, and in-place upgrades are anyway not a best-practice solution. What you should do is add a new Windows 2008 DC to your domain, move all FSMO roles to it, move also DNS and any other service running on the old DC, and then remove it from the network.

First of all, your current Windows 2000 DC should have SP4 installed, and your 2003 DC should have SP2; if they don't, install them as soon as possible (they really should already have the latest SPs, anyway).

Then you will need to prepare your domain for the introduction of a Windows 2008 DC; for this, you need the ADPREP tool included on Windows 2008's installation media; more on this here:

http://technet.microsoft.com/en-us/library/cc733027(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc753437(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc754670(WS.10).aspx

After this is done, you can install your new Windows 2008 server, add it to the domain and make it a domain controller; if you're not confident with this process, have a look here:

http://technet.microsoft.com/en-us/library/cc753720(WS.10).aspx

Be sure to make your domain controller a DNS server and a Global Catalog, and be also sure to NOT make it a read-only domain controller.

Then you should remove all five FSMO roles from the old DC, if it holds any one of them; you can use the various AD MMC consoles for this, or do it from a single place using NTDSUTIL: http://support.microsoft.com/kb/255504/en-us; this is not a strictly required step, as demoting the old DC will automaticaly move the roles; but it is considered a best practice to move them manually and ensure they are properly moved before removing the DC which held them; I of course suggest moving them to the 2008 DC.

You should then make ALL of your domain computers use the new DC as their DNS server instead of the old one; this is critical to proper AD operation, so be especially careful to do this on ALL your domain computers, including the old DCs and the new one; if you use DHCP, make also sure it gives the new DC's IP address as the DNS server for client computers.

Finally, you can demote the old domain controller. Just run dcpromo.exe on it, and choose the option to remove the domain controller role and make it a standard member server again.

Answer 2

Your best bet is to remove all roles from the 2000 server and get your forest to a 2003 functional level. http://support.microsoft.com/kb/322692

Following that you will want to bring the new 2008 server online, and again update the schema for 2008 functionality. If you want to go 2008 fully, then once again remove the roles from the 2003 server and bring up the functional level.

Keep in mind to check ALL services on the 2000 and 2003 box, not just AD services. If you are making modifications to DNS make SURE they are working after each major step. If you are running exchange also make sure to check your GCs.

A good place to start would be to run a health check on your current domain, which will help you avoid problems you may not know about.