Migration from Windows 2000 to Windows 2008 R2

Dear all,

Our company are planning to migrate the Windows domain from Windows 2000 to
Windows 2008 R2. Because the user group is small and the existing domain
group policies is somehow messy and undocmented. I prefer to a clear startup.

I will setup a new domain with a Windows 2008 R2 server use test PC to test
all required settings. After the new server can work normally, I will move
the member server and client to the new domain.

I have a few question.
1) Which function level should I use? After migration, I will not have DC on
Windows 2000 Server, but I still have windows 2000 member server.
2) Is it possible I use the same domain name as the existing one if I do the
migration as mentioned above?

Thanks and Regards,
Terence

Hello TC,

Your questions answer are at the end.

!!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DATA/MACHINE!!!

- Do you use any kind of Exchange in the 2000 domain? If yes, which one?

- On the old server open DNS management console and check that you are running
Active directory integrated zone (easier for replication, if you have more
then one DNS server)

- run replmon from the run line or repadmin /showreps(only if more then one
DC exist), dcdiag and netdiag from the command prompt on the old machine
to check for errors, if you have some post the complete output from the command
here or solve them first. For this tools you have to install the support\tools\suptools.msi
from the 2000 installation disk.

- run adprep /forestprep and adprep /domainprep and adprep /domainprep /gpprep
and adprep /rodcprep from the 2008 installation disk against the 2000 schema
master(forestprep) / infrastructure master(domainprep/rodcprep), with an
account that is member of the Schema/Enterprise/Domain admins, to upgrade
the schema to the new version (44) or 2008 R2 (47)

- you can check the schema version with "schupgr" or "dsquery * cn=schema,cn=configuration,dc=domainname,dc=local
-scope base -attr objectVersion" without the quotes in a command prompt

- Install the new machine as a member server in your existing domain

- configure a fixed ip and set the preferred DNS server to the old DNS server
only, think about disabling IPv6 if you are not using it, some known problems
exist with it. Follow (http://blogs.dirteam.com/blogs/paulb...dows-2008.aspx)
to disable it

- run dcpromo and follow the wizard to add the 2008 server to an existing
domain, make it also Global catalog and DNS server.

- for DNS give the server time for replication, at least 15 minutes. Because
you use Active directory integrated zones it will automatically replicate
the zones to the new server. Open DNS management console to check that they
appear

- if the new machine is domain controller and DNS server run again replmon,
dcdiag on both domain controllers. For using netdiag.exe on 2008, NOT 2008
R2, you have to download and install (http://www.microsoft.com/downloads/d...displaylang=en),
ignore the compatibility warning, or extract netdiag.exe only and copy it

- Transfer, NOT seize the 5 FSMO roles to the new Domain controller (http://support.microsoft.com/kb/324801
applies also for 2008/2008R2), FSMO should always be on the newest OS DC

- after transfer of the PDCEmulator role, configure the NEW PDCEmulator to
an external timesource and reconfigure the old PDCEmulator to use the domainhierarchie
now. Therefore run on the NEW "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual
/reliable:yes /update" where PEERS will be filled with the ip address or
server(time.windows.com) and on the OLD one run "w32tm /config /syncfromflags:domhier
/reliable:no /update" and stop/start the time service on the old one. All
commands run in an elevated command prompt without the quotes.

- you can see in the event viewer (Directory service) that the roles are
transferred, also give it some time

- reconfigure the DNS configuration on your NIC of the 2008 server, preferred
DNS itself, secondary the old one

- if you use DHCP do not forget to reconfigure the scope settings to point
to the new installed DNS server



Demoting the old DC(if needed, but at leasst you should have 2 DC/DNS/GC
per domain)

- reconfigure your clients/servers that they not longer point to the old
DC/DNS server on the NIC

- to be sure that everything runs fine, disconnect the old DC from the network
and check with clients and servers the connectivity, logon and also with
one client a restart to see that everything is ok

- then run dcpromo to demote the old DC, if it works fine the machine will
move from the DC's OU to the computers container, where you can delete it
by hand. Can be that you got an error during demoting at the beginning, then
uncheck the Global catalog on that DC and try again

- check the DNS management console, that all entries from the machine are
disappeared or delete them by hand if the machine is off the network for ever

- also you have to start AD sites and services and delete the old servername
under the site, this will not be done during demotion

1. If no older OS DC exist you can choose the Windows server 2008 R2 functional
levels. Member servers are not effected form functional levels.

2. If you like to use the same domain name follow the way above. If you create
a new domain with the same name all user accounts, policies settings, permissions,
etc. must be created new. Also all computers must be joined to the new domain.
Using theb same name will NOT keep any option on the old computers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Dear all,
>
> Our company are planning to migrate the Windows domain from Windows
> 2000 to Windows 2008 R2. Because the user group is small and the
> existing domain group policies is somehow messy and undocmented. I
> prefer to a clear startup.
>
> I will setup a new domain with a Windows 2008 R2 server use test PC to
> test all required settings. After the new server can work normally, I
> will move the member server and client to the new domain.
>
> I have a few question.
> 1) Which function level should I use? After migration, I will not have
> DC on
> Windows 2000 Server, but I still have windows 2000 member server.
> 2) Is it possible I use the same domain name as the existing one if I
> do the
> migration as mentioned above?
> Thanks and Regards,
> Terence

Meinolf Weber [MVP-DS] wrote:
> Hello TC,
>
> Your questions answer are at the end.
>
> !!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR
> DATA/MACHINE!!!
> - Do you use any kind of Exchange in the 2000 domain? If yes, which
> one?
> - On the old server open DNS management console and check that you
> are running Active directory integrated zone (easier for replication, if
> you have
> more then one DNS server)
>
> - run replmon from the run line or repadmin /showreps(only if more
> then one DC exist), dcdiag and netdiag from the command prompt on the old
> machine to check for errors, if you have some post the complete output
> from
> the command here or solve them first. For this tools you have to install
> the
> support\tools\suptools.msi from the 2000 installation disk.
>

Good *old* Server 2000 Schema masters often need a modification before new
extentions ae allowed.
See the following in advance to avoid the error;

http://support.microsoft.com/default.aspx/kb/285172

> - run adprep /forestprep and adprep /domainprep and adprep
> /domainprep /gpprep and adprep /rodcprep from the 2008 installation disk
> against the 2000
> schema master(forestprep) / infrastructure master(domainprep/rodcprep),
> with
> an account that is member of the Schema/Enterprise/Domain admins, to
> upgrade the schema to the new version (44) or 2008 R2 (47)
>
> - you can check the schema version with "schupgr" or "dsquery *
> cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr
> objectVersion" without the quotes in a command
> prompt
> - Install the new machine as a member server in your existing domain
>
> - configure a fixed ip and set the preferred DNS server to the old
> DNS server only, think about disabling IPv6 if you are not using it, some
> known
> problems exist with it. Follow
> (http://blogs.dirteam.com/blogs/paulb...dows-2008.aspx)
> to disable it
>
> - run dcpromo and follow the wizard to add the 2008 server to an
> existing domain, make it also Global catalog and DNS server.
>
> - for DNS give the server time for replication, at least 15 minutes.
> Because you use Active directory integrated zones it will automatically
> replicate the zones to the new server. Open DNS management console to
> check
> that they appear
>
> - if the new machine is domain controller and DNS server run again
> replmon, dcdiag on both domain controllers. For using netdiag.exe on 2008,
> NOT
> 2008 R2, you have to download and install
> (http://www.microsoft.com/downloads/d...displaylang=en),
> ignore the compatibility warning, or extract netdiag.exe only and
> copy it
> - Transfer, NOT seize the 5 FSMO roles to the new Domain controller
> (http://support.microsoft.com/kb/324801 applies also for 2008/2008R2),
> FSMO should always be on the newest OS
> DC
> - after transfer of the PDCEmulator role, configure the NEW
> PDCEmulator to an external timesource and reconfigure the old PDCEmulator
> to use the
> domainhierarchie now. Therefore run on the NEW "w32tm /config
> /manualpeerlist:PEERS
> /syncfromflags:manual /reliable:yes /update" where PEERS will be
> filled with the ip address or server(time.windows.com) and on the OLD one
> run "w32tm /config
> /syncfromflags:domhier /reliable:no /update" and stop/start the time
> service on the old one. All commands run in an elevated command prompt
> without the quotes.
>
> - you can see in the event viewer (Directory service) that the roles
> are transferred, also give it some time
>
> - reconfigure the DNS configuration on your NIC of the 2008 server,
> preferred DNS itself, secondary the old one
>
> - if you use DHCP do not forget to reconfigure the scope settings to
> point to the new installed DNS server
>
>
>
> Demoting the old DC(if needed, but at leasst you should have 2
> DC/DNS/GC per domain)
>
> - reconfigure your clients/servers that they not longer point to the
> old DC/DNS server on the NIC
>
> - to be sure that everything runs fine, disconnect the old DC from
> the network and check with clients and servers the connectivity, logon and
> also
> with one client a restart to see that everything is ok
>
> - then run dcpromo to demote the old DC, if it works fine the machine
> will move from the DC's OU to the computers container, where you can
> delete it by hand. Can be that you got an error during demoting at the
> beginning, then uncheck the Global catalog on that DC and try again
>
> - check the DNS management console, that all entries from the machine
> are disappeared or delete them by hand if the machine is off the network
> for ever
> - also you have to start AD sites and services and delete the old
> servername under the site, this will not be done during demotion
>
> 1. If no older OS DC exist you can choose the Windows server 2008 R2
> functional levels. Member servers are not effected form functional levels.
>
> 2. If you like to use the same domain name follow the way above. If
> you create a new domain with the same name all user accounts, policies
> settings,
> permissions, etc. must be created new. Also all computers must be joined
> to the
> new domain. Using theb same name will NOT keep any option on the old
> computers.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>> Dear all,
>>
>> Our company are planning to migrate the Windows domain from Windows
>> 2000 to Windows 2008 R2. Because the user group is small and the
>> existing domain group policies is somehow messy and undocmented. I
>> prefer to a clear startup.
>>
>> I will setup a new domain with a Windows 2008 R2 server use test PC
>> to test all required settings. After the new server can work
>> normally, I will move the member server and client to the new domain.
>>
>> I have a few question.
>> 1) Which function level should I use? After migration, I will not
>> have DC on
>> Windows 2000 Server, but I still have windows 2000 member server.
>> 2) Is it possible I use the same domain name as the existing one if I
>> do the
>> migration as mentioned above?
>> Thanks and Regards,
>> Terence

--
/kj

Hello kj [SBS MVP],

Will add this to my step by step, i saw this that seldom that i didn't thought
of it. Thank you for the hint. :-)

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Meinolf Weber [MVP-DS] wrote:
>
>> Hello TC,
>>
>> Your questions answer are at the end.
>>
>> !!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR
>> DATA/MACHINE!!!
>> - Do you use any kind of Exchange in the 2000 domain? If yes, which
>> one?
>> - On the old server open DNS management console and check that you
>> are running Active directory integrated zone (easier for replication,
>> if
>> you have
>> more then one DNS server)
>> - run replmon from the run line or repadmin /showreps(only if more
>> then one DC exist), dcdiag and netdiag from the command prompt on the
>> old
>> machine to check for errors, if you have some post the complete
>> output
>> from
>> the command here or solve them first. For this tools you have to
>> install
>> the
>> support\tools\suptools.msi from the 2000 installation disk.
> Good *old* Server 2000 Schema masters often need a modification before
> new
> extentions ae allowed.
> See the following in advance to avoid the error;
> http://support.microsoft.com/default.aspx/kb/285172
>
>> - run adprep /forestprep and adprep /domainprep and adprep
>> /domainprep /gpprep and adprep /rodcprep from the 2008 installation
>> disk
>> against the 2000
>> schema master(forestprep) / infrastructure
>> master(domainprep/rodcprep),
>> with
>> an account that is member of the Schema/Enterprise/Domain admins, to
>> upgrade the schema to the new version (44) or 2008 R2 (47)
>> - you can check the schema version with "schupgr" or "dsquery *
>> cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr
>> objectVersion" without the quotes in a command
>> prompt
>> - Install the new machine as a member server in your existing domain
>> - configure a fixed ip and set the preferred DNS server to the old
>> DNS server only, think about disabling IPv6 if you are not using it,
>> some
>> known
>> problems exist with it. Follow
>> (http://blogs.dirteam.com/blogs/paulb...9/03/19/disabl
>> ing-ipv6-on-windows-2008.aspx)
>> to disable it
>> - run dcpromo and follow the wizard to add the 2008 server to an
>> existing domain, make it also Global catalog and DNS server.
>>
>> - for DNS give the server time for replication, at least 15 minutes.
>> Because you use Active directory integrated zones it will
>> automatically
>> replicate the zones to the new server. Open DNS management console to
>> check
>> that they appear
>> - if the new machine is domain controller and DNS server run again
>>
>> replmon, dcdiag on both domain controllers. For using netdiag.exe on
>> 2008,
>>
>> NOT
>>
>> 2008 R2, you have to download and install
>>
>> (http://www.microsoft.com/downloads/d...id=96A35011-FD
>> 83-419D-939B-9A772EA2DF90&displaylang=en),
>>
>> ignore the compatibility warning, or extract netdiag.exe only and
>>
>> copy it
>>
>> - Transfer, NOT seize the 5 FSMO roles to the new Domain controller
>>
>> (http://support.microsoft.com/kb/324801 applies also for
>> 2008/2008R2),
>>
>> FSMO should always be on the newest OS
>>
>> DC
>>
>> - after transfer of the PDCEmulator role, configure the NEW
>>
>> PDCEmulator to an external timesource and reconfigure the old
>> PDCEmulator
>>
>> to use the
>>
>> domainhierarchie now. Therefore run on the NEW "w32tm /config
>>
>> /manualpeerlist:PEERS
>>
>> /syncfromflags:manual /reliable:yes /update" where PEERS will be
>>
>> filled with the ip address or server(time.windows.com) and on the OLD
>> one
>>
>> run "w32tm /config
>>
>> /syncfromflags:domhier /reliable:no /update" and stop/start the time
>>
>> service on the old one. All commands run in an elevated command
>> prompt
>>
>> without the quotes.
>>
>> - you can see in the event viewer (Directory service) that the roles
>> are transferred, also give it some time
>>
>> - reconfigure the DNS configuration on your NIC of the 2008 server,
>> preferred DNS itself, secondary the old one
>>
>> - if you use DHCP do not forget to reconfigure the scope settings to
>> point to the new installed DNS server
>>
>> Demoting the old DC(if needed, but at leasst you should have 2
>> DC/DNS/GC per domain)
>>
>> - reconfigure your clients/servers that they not longer point to the
>> old DC/DNS server on the NIC
>>
>> - to be sure that everything runs fine, disconnect the old DC from
>> the network and check with clients and servers the connectivity,
>> logon and
>> also
>> with one client a restart to see that everything is ok
>> - then run dcpromo to demote the old DC, if it works fine the machine
>> will move from the DC's OU to the computers container, where you can
>> delete it by hand. Can be that you got an error during demoting at
>> the beginning, then uncheck the Global catalog on that DC and try
>> again
>>
>> - check the DNS management console, that all entries from the machine
>> are disappeared or delete them by hand if the machine is off the
>> network
>> for ever
>> - also you have to start AD sites and services and delete the old
>> servername under the site, this will not be done during demotion
>> 1. If no older OS DC exist you can choose the Windows server 2008 R2
>> functional levels. Member servers are not effected form functional
>> levels.
>>
>> 2. If you like to use the same domain name follow the way above. If
>> you create a new domain with the same name all user accounts,
>> policies
>> settings,
>> permissions, etc. must be created new. Also all computers must be
>> joined
>> to the
>> new domain. Using theb same name will NOT keep any option on the old
>> computers.
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Dear all,
>>>
>>> Our company are planning to migrate the Windows domain from Windows
>>> 2000 to Windows 2008 R2. Because the user group is small and the
>>> existing domain group policies is somehow messy and undocmented. I
>>> prefer to a clear startup.
>>>
>>> I will setup a new domain with a Windows 2008 R2 server use test PC
>>> to test all required settings. After the new server can work
>>> normally, I will move the member server and client to the new
>>> domain.
>>>
>>> I have a few question.
>>> 1) Which function level should I use? After migration, I will not
>>> have DC on
>>> Windows 2000 Server, but I still have windows 2000 member server.
>>> 2) Is it possible I use the same domain name as the existing one if
>>> I
>>> do the
>>> migration as mentioned above?
>>> Thanks and Regards,
>>> Terence

Thanks Meinolf Weber [MVP-DS] and kj,

You information will be useful, let me review and test it.

We haven't used any Exchange server in our office.

Just one more silly question, How can I transfer the AD to the testing
machine for testing if the hardware is not the same?

"Meinolf Weber [MVP-DS]" wrote:

> Hello kj [SBS MVP],
>
> Will add this to my step by step, i saw this that seldom that i didn't thought
> of it. Thank you for the hint. :-)
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Meinolf Weber [MVP-DS] wrote:
> >
> >> Hello TC,
> >>
> >> Your questions answer are at the end.
> >>
> >> !!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR
> >> DATA/MACHINE!!!
> >> - Do you use any kind of Exchange in the 2000 domain? If yes, which
> >> one?
> >> - On the old server open DNS management console and check that you
> >> are running Active directory integrated zone (easier for replication,
> >> if
> >> you have
> >> more then one DNS server)
> >> - run replmon from the run line or repadmin /showreps(only if more
> >> then one DC exist), dcdiag and netdiag from the command prompt on the
> >> old
> >> machine to check for errors, if you have some post the complete
> >> output
> >> from
> >> the command here or solve them first. For this tools you have to
> >> install
> >> the
> >> support\tools\suptools.msi from the 2000 installation disk.
> > Good *old* Server 2000 Schema masters often need a modification before
> > new
> > extentions ae allowed.
> > See the following in advance to avoid the error;
> > http://support.microsoft.com/default.aspx/kb/285172
> >
> >> - run adprep /forestprep and adprep /domainprep and adprep
> >> /domainprep /gpprep and adprep /rodcprep from the 2008 installation
> >> disk
> >> against the 2000
> >> schema master(forestprep) / infrastructure
> >> master(domainprep/rodcprep),
> >> with
> >> an account that is member of the Schema/Enterprise/Domain admins, to
> >> upgrade the schema to the new version (44) or 2008 R2 (47)
> >> - you can check the schema version with "schupgr" or "dsquery *
> >> cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr
> >> objectVersion" without the quotes in a command
> >> prompt
> >> - Install the new machine as a member server in your existing domain
> >> - configure a fixed ip and set the preferred DNS server to the old
> >> DNS server only, think about disabling IPv6 if you are not using it,
> >> some
> >> known
> >> problems exist with it. Follow
> >> (http://blogs.dirteam.com/blogs/paulb...9/03/19/disabl
> >> ing-ipv6-on-windows-2008.aspx)
> >> to disable it
> >> - run dcpromo and follow the wizard to add the 2008 server to an
> >> existing domain, make it also Global catalog and DNS server.
> >>
> >> - for DNS give the server time for replication, at least 15 minutes.
> >> Because you use Active directory integrated zones it will
> >> automatically
> >> replicate the zones to the new server. Open DNS management console to
> >> check
> >> that they appear
> >> - if the new machine is domain controller and DNS server run again
> >>
> >> replmon, dcdiag on both domain controllers. For using netdiag.exe on
> >> 2008,
> >>
> >> NOT
> >>
> >> 2008 R2, you have to download and install
> >>
> >> (http://www.microsoft.com/downloads/d...id=96A35011-FD
> >> 83-419D-939B-9A772EA2DF90&displaylang=en),
> >>
> >> ignore the compatibility warning, or extract netdiag.exe only and
> >>
> >> copy it
> >>
> >> - Transfer, NOT seize the 5 FSMO roles to the new Domain controller
> >>
> >> (http://support.microsoft.com/kb/324801 applies also for
> >> 2008/2008R2),
> >>
> >> FSMO should always be on the newest OS
> >>
> >> DC
> >>
> >> - after transfer of the PDCEmulator role, configure the NEW
> >>
> >> PDCEmulator to an external timesource and reconfigure the old
> >> PDCEmulator
> >>
> >> to use the
> >>
> >> domainhierarchie now. Therefore run on the NEW "w32tm /config
> >>
> >> /manualpeerlist:PEERS
> >>
> >> /syncfromflags:manual /reliable:yes /update" where PEERS will be
> >>
> >> filled with the ip address or server(time.windows.com) and on the OLD
> >> one
> >>
> >> run "w32tm /config
> >>
> >> /syncfromflags:domhier /reliable:no /update" and stop/start the time
> >>
> >> service on the old one. All commands run in an elevated command
> >> prompt
> >>
> >> without the quotes.
> >>
> >> - you can see in the event viewer (Directory service) that the roles
> >> are transferred, also give it some time
> >>
> >> - reconfigure the DNS configuration on your NIC of the 2008 server,
> >> preferred DNS itself, secondary the old one
> >>
> >> - if you use DHCP do not forget to reconfigure the scope settings to
> >> point to the new installed DNS server
> >>
> >> Demoting the old DC(if needed, but at leasst you should have 2
> >> DC/DNS/GC per domain)
> >>
> >> - reconfigure your clients/servers that they not longer point to the
> >> old DC/DNS server on the NIC
> >>
> >> - to be sure that everything runs fine, disconnect the old DC from
> >> the network and check with clients and servers the connectivity,
> >> logon and
> >> also
> >> with one client a restart to see that everything is ok
> >> - then run dcpromo to demote the old DC, if it works fine the machine
> >> will move from the DC's OU to the computers container, where you can
> >> delete it by hand. Can be that you got an error during demoting at
> >> the beginning, then uncheck the Global catalog on that DC and try
> >> again
> >>
> >> - check the DNS management console, that all entries from the machine
> >> are disappeared or delete them by hand if the machine is off the
> >> network
> >> for ever
> >> - also you have to start AD sites and services and delete the old
> >> servername under the site, this will not be done during demotion
> >> 1. If no older OS DC exist you can choose the Windows server 2008 R2
> >> functional levels. Member servers are not effected form functional
> >> levels.
> >>
> >> 2. If you like to use the same domain name follow the way above. If
> >> you create a new domain with the same name all user accounts,
> >> policies
> >> settings,
> >> permissions, etc. must be created new. Also all computers must be
> >> joined
> >> to the
> >> new domain. Using theb same name will NOT keep any option on the old
> >> computers.
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> Dear all,
> >>>
> >>> Our company are planning to migrate the Windows domain from Windows
> >>> 2000 to Windows 2008 R2. Because the user group is small and the
> >>> existing domain group policies is somehow messy and undocmented. I
> >>> prefer to a clear startup.
> >>>
> >>> I will setup a new domain with a Windows 2008 R2 server use test PC
> >>> to test all required settings. After the new server can work
> >>> normally, I will move the member server and client to the new
> >>> domain.
> >>>
> >>> I have a few question.
> >>> 1) Which function level should I use? After migration, I will not
> >>> have DC on
> >>> Windows 2000 Server, but I still have windows 2000 member server.
> >>> 2) Is it possible I use the same domain name as the existing one if
> >>> I
> >>> do the
> >>> migration as mentioned above?
> >>> Thanks and Regards,
> >>> Terence
>
>
> .
>

Hello TC,

AD is not hardware dependend, the OS is it and if the machine has the requirements
for Windows server 2008 you will be safe. Just install the new server and
you will be fine.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Thanks Meinolf Weber [MVP-DS] and kj,
>
> You information will be useful, let me review and test it.
>
> We haven't used any Exchange server in our office.
>
> Just one more silly question, How can I transfer the AD to the testing
> machine for testing if the hardware is not the same?
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello kj [SBS MVP],
>>
>> Will add this to my step by step, i saw this that seldom that i
>> didn't thought of it. Thank you for the hint. :-)
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Meinolf Weber [MVP-DS] wrote:
>>>
>>>> Hello TC,
>>>>
>>>> Your questions answer are at the end.
>>>>
>>>> !!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR
>>>> DATA/MACHINE!!!
>>>> - Do you use any kind of Exchange in the 2000 domain? If yes, which
>>>> one?
>>>> - On the old server open DNS management console and check that you
>>>> are running Active directory integrated zone (easier for
>>>> replication,
>>>> if
>>>> you have
>>>> more then one DNS server)
>>>> - run replmon from the run line or repadmin /showreps(only if more
>>>> then one DC exist), dcdiag and netdiag from the command prompt on
>>>> the
>>>> old
>>>> machine to check for errors, if you have some post the complete
>>>> output
>>>> from
>>>> the command here or solve them first. For this tools you have to
>>>> install
>>>> the
>>>> support\tools\suptools.msi from the 2000 installation disk.
>>> Good *old* Server 2000 Schema masters often need a modification
>>> before
>>> new
>>> extentions ae allowed.
>>> See the following in advance to avoid the error;
>>> http://support.microsoft.com/default.aspx/kb/285172
>>>> - run adprep /forestprep and adprep /domainprep and adprep
>>>> /domainprep /gpprep and adprep /rodcprep from the 2008 installation
>>>> disk
>>>> against the 2000
>>>> schema master(forestprep) / infrastructure
>>>> master(domainprep/rodcprep),
>>>> with
>>>> an account that is member of the Schema/Enterprise/Domain admins,
>>>> to
>>>> upgrade the schema to the new version (44) or 2008 R2 (47)
>>>> - you can check the schema version with "schupgr" or "dsquery *
>>>> cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr
>>>> objectVersion" without the quotes in a command
>>>> prompt
>>>> - Install the new machine as a member server in your existing
>>>> domain
>>>> - configure a fixed ip and set the preferred DNS server to the old
>>>> DNS server only, think about disabling IPv6 if you are not using
>>>> it,
>>>> some
>>>> known
>>>> problems exist with it. Follow
>>>> (http://blogs.dirteam.com/blogs/paulb...009/03/19/disa
>>>> bl
>>>> ing-ipv6-on-windows-2008.aspx)
>>>> to disable it
>>>> - run dcpromo and follow the wizard to add the 2008 server to an
>>>> existing domain, make it also Global catalog and DNS server.
>>>> - for DNS give the server time for replication, at least 15
>>>> minutes.
>>>> Because you use Active directory integrated zones it will
>>>> automatically
>>>> replicate the zones to the new server. Open DNS management console
>>>> to
>>>> check
>>>> that they appear
>>>> - if the new machine is domain controller and DNS server run again
>>>> replmon, dcdiag on both domain controllers. For using netdiag.exe
>>>> on 2008,
>>>>
>>>> NOT
>>>>
>>>> 2008 R2, you have to download and install
>>>>
>>>> (http://www.microsoft.com/downloads/d...lyid=96A35011-
>>>> FD 83-419D-939B-9A772EA2DF90&displaylang=en),
>>>>
>>>> ignore the compatibility warning, or extract netdiag.exe only and
>>>>
>>>> copy it
>>>>
>>>> - Transfer, NOT seize the 5 FSMO roles to the new Domain controller
>>>>
>>>> (http://support.microsoft.com/kb/324801 applies also for
>>>> 2008/2008R2),
>>>>
>>>> FSMO should always be on the newest OS
>>>>
>>>> DC
>>>>
>>>> - after transfer of the PDCEmulator role, configure the NEW
>>>>
>>>> PDCEmulator to an external timesource and reconfigure the old
>>>> PDCEmulator
>>>>
>>>> to use the
>>>>
>>>> domainhierarchie now. Therefore run on the NEW "w32tm /config
>>>>
>>>> /manualpeerlist:PEERS
>>>>
>>>> /syncfromflags:manual /reliable:yes /update" where PEERS will be
>>>>
>>>> filled with the ip address or server(time.windows.com) and on the
>>>> OLD one
>>>>
>>>> run "w32tm /config
>>>>
>>>> /syncfromflags:domhier /reliable:no /update" and stop/start the
>>>> time
>>>>
>>>> service on the old one. All commands run in an elevated command
>>>> prompt
>>>>
>>>> without the quotes.
>>>>
>>>> - you can see in the event viewer (Directory service) that the
>>>> roles are transferred, also give it some time
>>>>
>>>> - reconfigure the DNS configuration on your NIC of the 2008 server,
>>>> preferred DNS itself, secondary the old one
>>>>
>>>> - if you use DHCP do not forget to reconfigure the scope settings
>>>> to point to the new installed DNS server
>>>>
>>>> Demoting the old DC(if needed, but at leasst you should have 2
>>>> DC/DNS/GC per domain)
>>>>
>>>> - reconfigure your clients/servers that they not longer point to
>>>> the old DC/DNS server on the NIC
>>>>
>>>> - to be sure that everything runs fine, disconnect the old DC from
>>>> the network and check with clients and servers the connectivity,
>>>> logon and
>>>> also
>>>> with one client a restart to see that everything is ok
>>>> - then run dcpromo to demote the old DC, if it works fine the
>>>> machine
>>>> will move from the DC's OU to the computers container, where you
>>>> can
>>>> delete it by hand. Can be that you got an error during demoting at
>>>> the beginning, then uncheck the Global catalog on that DC and try
>>>> again
>>>> - check the DNS management console, that all entries from the
>>>> machine
>>>> are disappeared or delete them by hand if the machine is off the
>>>> network
>>>> for ever
>>>> - also you have to start AD sites and services and delete the old
>>>> servername under the site, this will not be done during demotion
>>>> 1. If no older OS DC exist you can choose the Windows server 2008
>>>> R2
>>>> functional levels. Member servers are not effected form functional
>>>> levels.
>>>> 2. If you like to use the same domain name follow the way above. If
>>>> you create a new domain with the same name all user accounts,
>>>> policies
>>>> settings,
>>>> permissions, etc. must be created new. Also all computers must be
>>>> joined
>>>> to the
>>>> new domain. Using theb same name will NOT keep any option on the
>>>> old
>>>> computers.
>>>> Best regards
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> Dear all,
>>>>>
>>>>> Our company are planning to migrate the Windows domain from
>>>>> Windows 2000 to Windows 2008 R2. Because the user group is small
>>>>> and the existing domain group policies is somehow messy and
>>>>> undocmented. I prefer to a clear startup.
>>>>>
>>>>> I will setup a new domain with a Windows 2008 R2 server use test
>>>>> PC to test all required settings. After the new server can work
>>>>> normally, I will move the member server and client to the new
>>>>> domain.
>>>>>
>>>>> I have a few question.
>>>>> 1) Which function level should I use? After migration, I will not
>>>>> have DC on
>>>>> Windows 2000 Server, but I still have windows 2000 member server.
>>>>> 2) Is it possible I use the same domain name as the existing one
>>>>> if
>>>>> I
>>>>> do the
>>>>> migration as mentioned above?
>>>>> Thanks and Regards,
>>>>> Terence
>> .
>>

Meinolf Weber [MVP-DS] wrote:
> Hello kj [SBS MVP],
>
> Will add this to my step by step, i saw this that seldom that i
> didn't thought of it. Thank you for the hint. :-)
>
> Best regards

Fortunately fewer 2000 schema masters floating around makes this a vanishing
need... but still worthy for a while longer though.

Pleased to contribute, Meinolf.

>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>> Meinolf Weber [MVP-DS] wrote:
>>
>>> Hello TC,
>>>
>>> Your questions answer are at the end.
>>>
>>> !!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR
>>> DATA/MACHINE!!!
>>> - Do you use any kind of Exchange in the 2000 domain? If yes, which
>>> one?
>>> - On the old server open DNS management console and check that you
>>> are running Active directory integrated zone (easier for
>>> replication, if
>>> you have
>>> more then one DNS server)
>>> - run replmon from the run line or repadmin /showreps(only if more
>>> then one DC exist), dcdiag and netdiag from the command prompt on
>>> the old
>>> machine to check for errors, if you have some post the complete
>>> output
>>> from
>>> the command here or solve them first. For this tools you have to
>>> install
>>> the
>>> support\tools\suptools.msi from the 2000 installation disk.
>> Good *old* Server 2000 Schema masters often need a modification
>> before new
>> extentions ae allowed.
>> See the following in advance to avoid the error;
>> http://support.microsoft.com/default.aspx/kb/285172
>>
>>> - run adprep /forestprep and adprep /domainprep and adprep
>>> /domainprep /gpprep and adprep /rodcprep from the 2008 installation
>>> disk
>>> against the 2000
>>> schema master(forestprep) / infrastructure
>>> master(domainprep/rodcprep),
>>> with
>>> an account that is member of the Schema/Enterprise/Domain admins, to
>>> upgrade the schema to the new version (44) or 2008 R2 (47)
>>> - you can check the schema version with "schupgr" or "dsquery *
>>> cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr
>>> objectVersion" without the quotes in a command
>>> prompt
>>> - Install the new machine as a member server in your existing domain
>>> - configure a fixed ip and set the preferred DNS server to the old
>>> DNS server only, think about disabling IPv6 if you are not using it,
>>> some
>>> known
>>> problems exist with it. Follow
>>> (http://blogs.dirteam.com/blogs/paulb...9/03/19/disabl
>>> ing-ipv6-on-windows-2008.aspx)
>>> to disable it
>>> - run dcpromo and follow the wizard to add the 2008 server to an
>>> existing domain, make it also Global catalog and DNS server.
>>>
>>> - for DNS give the server time for replication, at least 15 minutes.
>>> Because you use Active directory integrated zones it will
>>> automatically
>>> replicate the zones to the new server. Open DNS management console
>>> to check
>>> that they appear
>>> - if the new machine is domain controller and DNS server run again
>>>
>>> replmon, dcdiag on both domain controllers. For using netdiag.exe on
>>> 2008,
>>>
>>> NOT
>>>
>>> 2008 R2, you have to download and install
>>>
>>> (http://www.microsoft.com/downloads/d...id=96A35011-FD
>>> 83-419D-939B-9A772EA2DF90&displaylang=en),
>>>
>>> ignore the compatibility warning, or extract netdiag.exe only and
>>>
>>> copy it
>>>
>>> - Transfer, NOT seize the 5 FSMO roles to the new Domain controller
>>>
>>> (http://support.microsoft.com/kb/324801 applies also for
>>> 2008/2008R2),
>>>
>>> FSMO should always be on the newest OS
>>>
>>> DC
>>>
>>> - after transfer of the PDCEmulator role, configure the NEW
>>>
>>> PDCEmulator to an external timesource and reconfigure the old
>>> PDCEmulator
>>>
>>> to use the
>>>
>>> domainhierarchie now. Therefore run on the NEW "w32tm /config
>>>
>>> /manualpeerlist:PEERS
>>>
>>> /syncfromflags:manual /reliable:yes /update" where PEERS will be
>>>
>>> filled with the ip address or server(time.windows.com) and on the
>>> OLD one
>>>
>>> run "w32tm /config
>>>
>>> /syncfromflags:domhier /reliable:no /update" and stop/start the time
>>>
>>> service on the old one. All commands run in an elevated command
>>> prompt
>>>
>>> without the quotes.
>>>
>>> - you can see in the event viewer (Directory service) that the roles
>>> are transferred, also give it some time
>>>
>>> - reconfigure the DNS configuration on your NIC of the 2008 server,
>>> preferred DNS itself, secondary the old one
>>>
>>> - if you use DHCP do not forget to reconfigure the scope settings to
>>> point to the new installed DNS server
>>>
>>> Demoting the old DC(if needed, but at leasst you should have 2
>>> DC/DNS/GC per domain)
>>>
>>> - reconfigure your clients/servers that they not longer point to the
>>> old DC/DNS server on the NIC
>>>
>>> - to be sure that everything runs fine, disconnect the old DC from
>>> the network and check with clients and servers the connectivity,
>>> logon and
>>> also
>>> with one client a restart to see that everything is ok
>>> - then run dcpromo to demote the old DC, if it works fine the
>>> machine will move from the DC's OU to the computers container,
>>> where you can delete it by hand. Can be that you got an error
>>> during demoting at the beginning, then uncheck the Global catalog
>>> on that DC and try again
>>>
>>> - check the DNS management console, that all entries from the
>>> machine are disappeared or delete them by hand if the machine is
>>> off the network
>>> for ever
>>> - also you have to start AD sites and services and delete the old
>>> servername under the site, this will not be done during demotion
>>> 1. If no older OS DC exist you can choose the Windows server 2008 R2
>>> functional levels. Member servers are not effected form functional
>>> levels.
>>>
>>> 2. If you like to use the same domain name follow the way above. If
>>> you create a new domain with the same name all user accounts,
>>> policies
>>> settings,
>>> permissions, etc. must be created new. Also all computers must be
>>> joined
>>> to the
>>> new domain. Using theb same name will NOT keep any option on the old
>>> computers.
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> Dear all,
>>>>
>>>> Our company are planning to migrate the Windows domain from Windows
>>>> 2000 to Windows 2008 R2. Because the user group is small and the
>>>> existing domain group policies is somehow messy and undocmented. I
>>>> prefer to a clear startup.
>>>>
>>>> I will setup a new domain with a Windows 2008 R2 server use test PC
>>>> to test all required settings. After the new server can work
>>>> normally, I will move the member server and client to the new
>>>> domain.
>>>>
>>>> I have a few question.
>>>> 1) Which function level should I use? After migration, I will not
>>>> have DC on
>>>> Windows 2000 Server, but I still have windows 2000 member server.
>>>> 2) Is it possible I use the same domain name as the existing one if
>>>> I
>>>> do the
>>>> migration as mentioned above?
>>>> Thanks and Regards,
>>>> Terence

--
/kj

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:. com...
> Hello kj [SBS MVP],
>
> Will add this to my step by step, i saw this that seldom that i didn't
> thought of it. Thank you for the hint. :-)
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>

Meinolf,

You should blog this procedure. :-)


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:. com...
> Hello kj [SBS MVP],
>
> Will add this to my step by step, i saw this that seldom that i didn't
> thought of it. Thank you for the hint. :-)
>

With KJ's additions, of course! :-)

Ace

Hello Ace Fekay [MVP-DS, MCT],

I send an email some weeks ago to Susan from msmvps but until now i didn't
get an answer. I will do it again today.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:. com...
>
>> Hello kj [SBS MVP],
>>
>> Will add this to my step by step, i saw this that seldom that i
>> didn't thought of it. Thank you for the hint. :-)
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> Meinolf,
>
> You should blog this procedure. :-)
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE
> &
> MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
> If you feel this is an urgent issue and require immediate assistance,
> please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>