AD Migration from win 2000 to win 2008 server

Discussion in 'Active Directory' started by saqib ahmad, Aug 2, 2009.

  1. saqib ahmad

    saqib ahmad Guest


    We are migrating AD Windows Server 2000 to AD DS Windows Server 2008, but the
    GPO is not healthy. How can we migrate without the GPO, because we want to customise
    the new GPO on the new 2008 server?

    saqib ahmad, Aug 2, 2009

  2. Howdie!

    Can you elaborate a little on what you are trying to do? Is that a real
    migration from one domain to another, or is it that you want to replace the
    Win2000 DCs and have 2008 DCs for the very same domain?

    Also, what about the Group Policy isn't working? Most GP errors relate to
    DNS or other core AD component mis-configurations which could
    potentially bite you back during other procedures in your

    Florian Frommherz [MVP], Aug 2, 2009

  3. saqib ahmad

    saqib ahmad Guest


    Well, we are upgrading our hardware and software but with the same domain, as
    we want to design new GPO and policies on the new 2008 server. Furthermore, it's a
    real production environment and can't afford long downtimes.

    saqib ahmad, Aug 2, 2009
  4. Howdie!

    Actually, there's no downtime necessary if you do it correctly:
    1) take a backup of the current domain (system state)
    2) update the current AD schema to Server 2008 (you'll find a lot of
    howtos on the web).
    3) install Windows 2008 on a new machine (new hardware)
    4) while the current DCs are running, promote the new 2008 machine to a
    domain controller. Make sure the DNS server is also installed and that
    the new DC can resolve all FQDNs of all other DCs correctly.
    5) repeat the steps 3 and 4 for every new DC you're going to add.
    6) To remove old DCs, check whether they have any special roles/any
    applications rely on them.
    7) Check whether the DCs to be removed have FSMO role ownership. If so,
    move (transfer!) the roles to one of the new DCs.
    8) run dcpromo on the DCs to be removed and uninstall AD from them.

    The steps above may not complete all the work you need to do but should
    give you an idea on how you should proceed. Also, when you're currently
    experiencing GP problems (you still didn't mention what problems
    specifically!) they will still persist. GP Preferences won't solve GP
    application problems. Neither will 2008 do that. Again, most GP problems
    relate to DNS misconfiguration.

    Florian Frommherz [MVP], Aug 2, 2009
  5. Hello saqib,

    With adding 2008 DC to the existing domain, you will not change the existing
    GPOs. If there are some problems with them, I suggest solving them before starting
    with the new OS version DC.

    Which problems do you have with GPO exactly, can you provide some error messages?
    Also an unedited ipconfig /all from a client machine and the DC/DNS server
    can help to exclude as a basic problem. How many DCs are you using in the
    domain, all in one site or multiple sites?

    And if you will keep the same domain name and all existing user accounts,
    computer accounts, security groups etc.etc.etc. you have to add the 2008
    DC to the existing domain.

    Do you use Exchange in the domain or any other applications, especially on
    the DCs? Upgrading AD itself will not cause downtimes normally.

    To add a 2008 DC to the domain follow this way:

    - On the old server open DNS management console and check that you are running
    Active directory integrated zone (easier for replication, if you have more
    than one DNS server)

    - run replmon from the run line or repadmin /showrepl (only if more than one
    DC exists), dcdiag and netdiag from the command prompt on the old machine
    to check for errors. If you have some, post the complete output from the command
    here or solve them first. For these tools you have to install the support\tools\suptools.msi
    from the 2000 installation disk.

    - run adprep /forestprep and adprep /domainprep and adprep /rodcprep from
    the 2008 installation disk against the 2000 schema master, with an account
    that is member of the Schema admins, to upgrade the schema to the new version
    (44), you can check the version with "schupgr" in a command prompt.

    - Install the new machine as a member server in your existing domain

    - configure a fixed ip and set the preferred DNS server to the old DNS server

    - run dcpromo and follow the wizard to add the 2008 server to an existing
    domain, make it also Global catalog and DNS server.

    - for DNS give the server time for replication, at least 15 minutes. Because
    you use Active directory integrated zones it will automatically replicate
    the zones to the new server. Open DNS management console to check that they

    - if the new machine is domain controller and DNS server run again replmon,
    dcdiag and netdiag (copy the netdiag from the 2003 to 2008, will work) on
    both domain controllers

    - Transfer, NOT seize the 5 FSMO roles to the new Domain controller (
    applies also for 2008), FSMO should always be on the newest OS DC

    - you can see in the event viewer (Directory service) that the roles are
    transferred, also give it some time

    - reconfigure the DNS configuration on your NIC of the 2008 server, preferred
    DNS itself, secondary the old one

    - if you use DHCP do not forget to reconfigure the scope settings to point
    to the new installed DNS server

    Demoting the old DC

    - reconfigure your clients/servers so that they no longer point to the old
    DC/DNS server on the NIC

    - to be sure that everything runs fine, disconnect the old DC from the network
    and check with clients and servers the connectivity, logon and also with
    one client a restart to see that everything is ok

    - then run dcpromo to demote the old DC, if it works fine the machine will
    move from the DC's OU to the computers container, where you can delete it
    by hand. It can be that you get an error during demoting at the beginning; then
    uncheck the Global catalog on that DC and try again

    - check the DNS management console, that all entries from the machine have
    disappeared or delete them by hand if the machine is off the network forever

    - also you have to start AD sites and services and delete the old servername
    under the site, this will not be done during demotion

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Aug 2, 2009
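
    The FSMO and schema checks that both step lists above call for before demoting an old DC, as an added example that is not part of any poster's reply: it parses `netdom query fsmo` and reads the schema version from the `objectVersion` attribute through ADSI rather than with the tool the post names. `OLDDC01` is a placeholder name, and the script assumes PowerShell and netdom are available on a domain-joined machine.

```powershell
# Added example: gate the dcpromo demotion of the old DC on two facts from the thread:
#   - none of the 5 FSMO roles is still held by the DC being retired
#   - the schema was raised by adprep to the version the post gives for Server 2008
param(
    [string]$OldDc = 'OLDDC01',          # placeholder, not a name from the thread
    [int]$ExpectedSchemaVersion = 44     # value stated in the post
)

# Parse "netdom query fsmo" output. Each role line is "<role label>  <holder FQDN>",
# separated by two or more spaces; the trailing status line has no such gap.
function Get-FsmoHolders([string[]]$Lines) {
    $roles = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(.+?)\s{2,}(\S+)\s*$') {
            $roles[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $roles
}

# Read objectVersion from the schema naming context (works without the AD module).
function Get-SchemaVersion {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    return [int]"$($schema.objectVersion)"
}

$problems = @()
$holders  = Get-FsmoHolders (netdom query fsmo)

if ($holders.Count -ne 5) {
    $problems += "Expected 5 FSMO role lines, parsed $($holders.Count); check netdom output"
}
foreach ($role in $holders.Keys) {
    # Compare on the short host name so OLDDC01 matches OLDDC01.<domain> only.
    if ($holders[$role].Split('.')[0] -eq $OldDc) {
        $problems += "'$role' is still held by $($holders[$role]); transfer (do not seize) it first"
    }
}
$version = Get-SchemaVersion
if ($version -ne $ExpectedSchemaVersion) {
    $problems += "Schema objectVersion is $version, expected $ExpectedSchemaVersion"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "$OldDc holds no FSMO roles and schema version is $version."
```

    A non-zero exit code means at least one precondition failed, so the demotion should wait until the warnings are cleared.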
  6. Not sure what state your GPOs are in, but if you want to reset the default
    domain and domain controllers GPO you could run RecreateDefPol. This should
    only be run on Windows 2000 machines. dcgpofix can be run on 2003 and
    beyond OSes to fix them.

    A nice tutorial on upgrading from 2000 to 2008

    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    Please no e-mails, any questions should be posted in the NewsGroup. This
    posting is provided "AS IS" with no warranties, and confers no rights.
    Paul Bergson [MVP-DS], Aug 3, 2009