Update from 2003 to 2008 domain server

I have a forest with many child domains.

One of the child domains runs on a 2003 R2 x64 server. I decided to replace that 2003 server with a new one, a new Dell with Win 2008 R2.

On the 2008 server I installed WINS, set a static IP address and ran dcpromo (Install Replica in an Existing AD child Domain).

Error on screen. What happened?

Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a tool called ADPREP.

ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system.

adprep.exe can be found on the Win 2008 R2 DVD; use the 32-bit or 64-bit version (depending on which version your 2003 server is).

Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe.

To check FSMO roles:

  1. In the Command Prompt window, type netdom query /domain:<domain> fsmo (where <domain> is the name of YOUR domain).

2. I have a forest and this is done on a child domain, so the roles on my child domain are:

PDC role

RID pool manager

Infrastructure owner

without "Schema owner" and "Domain role owner"; they are on the forest AD and I need to run only adprep.exe /domainprep, without adprep.exe /forestprep.

After running adprep on the 2003 server, dcpromo on 2008 installed everything (domain and DNS) without an error.

Then you need to transfer FSMO roles from 2003 to 2008.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers on 2003 Server.
  2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
    1. NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
      • -or-
    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
  5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.

And that's it if you are lucky. If not...

SYSVOL and NETLOGON are not in sync. First thing to do: make a backup.

Of course I tried to fix it without making a backup.


Stop NTFRS (File Replication Service) on all DCs.

Set BurFlags to D4 on the 2003 server with a known good SYSVOL (or at this point restore the SYSVOL data from backup, then set BurFlags to D4), then start NTFRS on this server.

Clean up the folders on all remaining servers (Policies, Scripts, ...).

Set BurFlags to D2 on all remaining servers and start the NTFRS service.

Wait for FRS to replicate.

Restoring FRS replicas

The global BurFlags registry key contains REG_DWORD values, and is located in the following location in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

The most common values for the BurFlags registry key are:

  • D2, also known as a nonauthoritative mode restore
  • D4, also known as an authoritative mode restore

You can also perform BurFlags restores at the same time as you restore data from backup or from any other known good source, and then restart the service.
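The BurFlags steps and registry location described above, as an added PowerShell example that is not part of the original post. It assumes PowerShell 2.0 or later, an elevated prompt on the DC being reset, and that NTFRS has already been stopped on all DCs; the `-Mode` parameter is a name chosen for this example.

```powershell
# Added example: set BurFlags on the local DC and restart FRS.
# Usage (hypothetical script name): .\Set-BurFlags.ps1 -Mode D4   (known good SYSVOL)
#                                   .\Set-BurFlags.ps1 -Mode D2   (every other DC)
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('D4', 'D2')]    # D4 = authoritative restore, D2 = nonauthoritative restore
    [string]$Mode
)

$ErrorActionPreference = 'Stop'
$keyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

# FRS must be stopped before the flag is written; it reads BurFlags at service start.
if ((Get-Service -Name NtFrs).Status -ne 'Stopped') {
    Stop-Service -Name NtFrs -Force
}

# The key name "Backup/Restore" contains a forward slash, which the PowerShell
# registry provider can treat as a path separator, so the .NET registry API is
# used here instead of Set-ItemProperty.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
if ($null -eq $key) { throw "Registry key not found: HKLM\$keyPath" }
try {
    $value = [Convert]::ToInt32($Mode, 16)    # 0xD4 or 0xD2
    $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    'BurFlags set to 0x{0:X}' -f $key.GetValue('BurFlags')
}
finally {
    $key.Close()
}

Start-Service -Name NtFrs

# Verification: event 13516 in the FRS log means SYSVOL is ready to be shared.
# Replication can take a while, so rerun these two checks later if they are empty.
Get-EventLog -LogName 'File Replication Service' -Newest 50 |
    Where-Object { $_.EventID -eq 13516 } |
    Select-Object -First 1 TimeGenerated, EventID, Message

# SYSVOL and NETLOGON should both be listed once replication has finished.
Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Name -eq 'SYSVOL' -or $_.Name -eq 'NETLOGON' } |
    Select-Object Name, Path
```

FRS resets BurFlags to 0 once it has processed the value, so reading the key back later and seeing 0 is expected.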

After these steps SYSVOL appeared on the 2008 server, but without NETLOGON. :(

So I created the folder called scripts under C:\Windows\SYSVOL\sysvol\mydom.local\SCRIPTS and restarted netlogon, and the NETLOGON share then appeared.

Do the same thing on the 2003 server.

I waited overnight and the next morning ran dcpromo on the 2003 server to demote it.

Error with netlogon service?

Change the first DNS setting on your network card to point to your new DNS server, not the server you are currently demoting. Once you change the DNS setting to the new DNS server you should be able to demote the server without any issues.

[ If for some reason you need to reset the GPO, use the command dcgpofix.exe /ignoreschema ]

Finally :), I have the new server in place.