Transitioning a Windows 2003 Domain to Windows 2008 R2


Created: 2010-03-01

Modified: 2011-01-19



In this guide we will walk through a Windows 2003 to Windows 2008 R2 Forest and Domain upgrade by transitioning your domain controllers to Windows 2008 R2.  Introducing Windows 2008 R2 DC's is a very straight forward process.  After the first Windows 2008 R2 DC is installed changing over existing 2003 DC to 2008 R2 DC's just takes some prudent planning.


Assuming good practices are in place with your current DC's upgrading your entire forest to Windows 2008 R2 Domain Controllers is a snap.  If you have mistreated your DC’s by installing many applications that need to be researched, planned, and tested then your upgrade will take longer.



  • Windows 2003 DC’s are all 32bit.
    • Even if you have 64bit Windows 2003 you can still use this process.
  • The Windows 2003 Active Directory is healthy
  • All Windows 2003 Domains are in Windows 2003 Mode
    • This is a requirement for Windows 2008 R2.
  • All applications / services running on the Domain Controllers are supported on Windows 2008 R2.
    • Research and test your applications as needed.
  • DNS is fault tolerant throughout the company
    • Meaning DNS clients have primary and secondary servers configured.
  • DNS will be transitioned to a Windows 2008 R2 DC/DNS server
    • How this is done can vary, this document will assume that after installing the first Windows 2008 R2 DC we will decommission the current DC/DNS server.  Then install a second Windows 2008 R2 DC with DNS, reusing the previous IP addresses.  Repeat process for all other DNS servers.
  • All Windows 2003 DC’s will be replaced
    • While this is an assumption, it need not take place in a single day, week, or month, but it should be done as quickly as possible.  You can run a mixed of 2003 and 2008 DC indefinitely, but the benefits of 2008 are minimal until all DC’s are Windows 2008.
  • All hardware meets the Windows 2008 R2 requirements.
  • All installations / changes will take place during periods of low activity or on DC’s with low activity.
    • This may require transferring FSMO roles as needed.
  • You should perform these steps in a dedicated test environment first.


Preparing the Forest and Domains

1)      Extend the Schema to support Win2008 R2 Domain Controllers

a.       Copy the support\adprep directory from the Windows 2008 R2 DVD to the Domain Controllers holding these respective FSMO Roles.

                                                               i.      Schema Master (1 DC per forest)

                                                             ii.      Domain Naming Master (1 DC per forest)

                                                            iii.      Infrastructure Master (1 DC per domain)

b.      Using the copied folder on each DC run the following commands in the order specified in the following table.  Use adprep32 since the OS on the DC is assumed to be 32bit.



Domain Controller


adprep /forestprep

Schema and Enterprise Admin

Schema Master

3-5 mins

adprep /rodcprep

Schema and Enterprise Admin

Domain Naming Master


adprep /domainprep /gpprep

Domain Admin

Infrastructure Master



c.       Check the following log file on each DC to verify there were no errors.


d.      If you run adprep multiple times on a DC then a new log is created for each run.

e.       Force replication before proceeding to the next schema update.


Installing the First Windows 2008 R2 DC to Each Domain

You can install the very first Windows 2008 R2 DC to any domain in the forest.  However, take the following into account when selecting the first domain to add the DC to in the forest.

  • Forest Root Domain: This domain is generally preferred above all others, especially if this is an Empty Root domain containing minimal users.
  • Number of Users in Domain: Domains with the least amount of users are generally the best domains to go first since the number of users affected is less.


Use the following procedure to install the first Windows 2008 R2 DC to an existing Domain.

1)      On an existing Windows 2003 DC

a.       Review the following settings in the Default Domain Controllers policy

                                                               i.      Microsoft network server: Digitally sign communications (always)

                                                             ii.      Domain member: Digitally encrypt or sign secure channel data (always)

                                                            iii.      Record their current settings for future reference.

b.      You may want to export the Default Domain Controllers policy for future reference as well.

2)      Install Windows 2008 R2

a.       Configure Static IP and appropriate DNS and WINS settings.

b.      Optional: Add the server to the domain it will be a DC for.

                                                               i.      Reboot

c.       Run DCPromo

                                                               i.      AD Domain Services binaries will be installed.

d.      OS Compatibility

                                                               i.      A warning about a new more secure setting implemented called Allow cryptography algorithms compatible with Windows NT 4.0, which by default disables NT4 SP3 and earlier versions of cryptology.  This is only of concern if you have NT4, non-Microsoft SMB, or NAS devices joined to the domain. If that is the case you may need to change this setting after the DCPromo is complete.


                                                            iii.      Click Next

e.       Deployment Configuration

                                                               i.      Select Existing forest

                                                             ii.      Select Add a domain controller to an existing domain

                                                            iii.      Click Next

f.        Network Credentials

                                                               i.      Type the name of a domain in the forest.

1.      This does not need to be the name of the domain you are joining.

                                                             ii.      Click the Set button

1.      Enter the credentials of an Enterprise Admin or Domain Admin.

                                                            iii.      Click OK

                                                           iv.      Click Next

g.       Select Domain 

                                                               i.      Select the domain to join

                                                             ii.      Click Next

h.       Select a Site

                                                               i.      Select which site to place the DC in.

                                                             ii.      Click Next

i.         DC Options

                                                               i.      Deselect DNS server

1.      We will be using the existing DNS server.

                                                             ii.      Select Global Catalog Server

                                                            iii.      Click Next

j.        Database, Log, and SYSVOL Locations

                                                               i.      Change the drive letter for these locations as needed.

                                                             ii.      Click Next

k.      Restore Password

                                                               i.      Type the DS Restore password

1.      Document and save

                                                             ii.      Click Next

l.         Summary

                                                               i.      Review the summary

                                                             ii.      Optional: Click Export Settings to save an unattended install file for future use.

                                                            iii.      Click Next

3)      Wait as the DC is installed.

4)      Completing the Install

a.       Click Finish

b.      Click Restart Now

5)      When the server reboots review the Default Domain Controllers policy settings

a.       Microsoft network server: Digitally sign communications (always)

b.      Domain member: Digitally encrypt or sign secure channel data (always)

c.       If these values changed (to enabled) then you may need to verify that all your clients and servers can still communicate to the domain, or you can revert the settings back to their previous value.

6)      Review the Allow cryptography algorithms compatible with Windows NT 4.0 setting.

a.       This setting only applies to Windows 2008 DC’s, thus clients authenticating to Windows 2003 DC’s are not affected by this new setting.

b.      Change this setting as needed to support NT 4.0 or non-Microsoft SMB clients.

c.       The default setting is Not Configured, which means the policy is Disabled.  You must configure the option as Enabled to actually change the setting.

7)      Repeat this procedure once for every Domain in the Forest.


Transferring and Placing Operation Master Roles

In previous versions of Windows Server the Operations Master Roles were known as Flexible Single Master Operations (FSMO).  In Windows 2008 these are now known as the Operation Master Roles.


Transferring these roles to a Windows 2008 R2 Domain Controller is not a requirement, but it may provide you additional benefits or functionality.


Schema Master and Domain Naming Master

No added features or functionality are introduced with Window 2008.  You can transfer these roles to a Windows 2008 DC or keep them on Windows 2003.


PDC Emulator

If you transfer the PDC emulator operations master role to a Windows Server 2008 R2 domain controller, or you add a read-only domain controller (RODC) to your domain, all the following will occur when the role is transferred.


Note: The role is automatically transferred to a Windows 2008 DC if you add a read-only DC.


1)      The following new well-known and built-in groups are created:

a.       Builtin\IIS_IUSRS

b.      Builtin\Cryptographic Operators

c.       Allowed RODC Password Replication Group

d.      Denied RODC Password Replication Group

e.       Read-only Domain Controllers

f.        Builtin\Event Log Readers

g.       Enterprise Read-only Domain Controllers (created only on the forest root domain)

h.       Builtin\Certificate Service DCOM Access

2)      The following group memberships are established:

a.       IUSR security principal added to the Builtin\IIS_IUSRS group

3)      The following groups are added to the Denied RODC Password Replication Group:

a.       Group Policy Creator Owners

b.      Domain Admins

c.       Cert Publishers

d.      Domain Controllers

e.       Krbtgt

f.        Enterprise Admins

g.       Schema Admins

h.       Read-only Domain Controllers

4)      The following new, additional security principals are created in the forest root domain:

a.       IUSR

b.      Owner Rights

5)      The Network Service security principal added to Builtin\Performance Log Users

6)      The Well-Known-Security-Id-System security principal is renamed to System


Remember the PDC Emulator of the forest root domain should be configured as the authoritative time server for the forest.  When transferring this role, but sure to transfer the SNTP configuration of the server as well. 


To retrieve the SNTP settings

Net time /querysntp

            To set the SNTP settings

                        Net time /


RID Master and Infrastructure Master

No added features or functionality are introduced with Window 2008.  You can transfer these roles to a Windows 2008 DC or keep them on Windows 2003.


Review best practices for Operation Master role placement and transfer the role to an appropriate Windows 2008 R2 servers at your convenience.  All you need to do is build the new Windows 2008 R2 domain controller and transfer the Operations Master Role to the new DC.


Replacing Existing Windows 2003 DC / DNS Servers with Windows 2008 R2

There are several new record types available in Windows 2008 DNS that are not supported in Windows 2003.  If you plan on using these record types you should upgrade all your DNS server as soon as possible.  If these new record types are not currently needed in your environment you can safely mix Windows 2003 and 2008 DNS servers.


This process is just a guideline.  There are many ways to replace your existing DNS servers. However, this approach is the most efficient, and it assumes the following

  • A fault tolerant DNS infrastructure
  • Your DC’s are not being used as application servers as well. 
  • All DNS servers are also DC’s and all or your DNS zones are Active Directory Integrated.


1)      Demote the existing Windows 2003 DC/DNS Server

a.       Record current IP Address settings for future reference.

b.      Remove from the Domain

c.       Power Off

2)      From the DNS Console on another Server

a.       Remove any Name Server (NS) records that point to the server just removed.

3)      Build a new Windows 2008 R2 Server

a.       Configure Static IP (same as previous server) and appropriate DNS and WINS settings.

b.      Optional: Add the server to the domain it will be a DC for.

                                                               i.      Reboot

c.       Run DCPromo

                                                               i.      Follow the same installation procedure as specified above with the following changes

                                                             ii.      DC Options

1.      Select DNS server

2.      Select Global Catalog Server

d.      Unable to create Name Server record in DNS error message

                                                               i.      Click Yes to continue.

                                                             ii.      This is caused when not joining the domain prior to running DCPromo, and will be fixed once the server is rebooted.

e.       Complete the installation per the previous instructions.

4)      Verify DNS zones have replicated to the new server.

5)      Repeat for each DNS/DC server.



It’s typical for WINS to be installed on Domain Controllers.  Use the same basic replacement approach for WINS as you did for DNS.  Make sure you record the configuration settings so you can reconfigure the new server the same way.


Raise Domain Functional Level

1)      For each domain where all DCs are now Windows 2008 R2

a.       Login to a Windows 2008 R2 DC

b.      Run Active Directory Users and Computers

                                                               i.      Right Click the domain name

                                                             ii.      Select Raise domain functional level

                                                            iii.      Select Windows 2008 R2

                                                           iv.      Click Raise

                                                             v.      Click OK, OK



Raise Forest Functional Level

1)      Login to the Forest Root domain as an Enterprise Admin

2)      Launch Active Directory Domains and Trusts

a.       Right Click the Active Directory Domain and Trusts

b.      Select Raise Forest Functional Level

c.       Select Windows 2008 R2

d.      Click Raise

e.       Click OK, OK


Enable AD Recycle Bin

By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled.  To enable the AD Recycle Bin the following requirements must be met.


1)      Completed ALL Schema updates listed in the Preparing the Forest and Domains section above

2)      All domain controllers in your Active Directory forest must be running Windows Server 2008 R2.

3)      Raise the functional level of your Active Directory forest to Windows Server 2008 R2.


To enable Active Directory Recycle Bin use the following procedure.

1)      Login to the Windows 2008 R2 Domain controller that holds the Schema Master

a.       You must login as the built-in Administrator with the Enterprise Admin and Schema Admin permissions.

2)      Launch Windows PowerShell

3)      Type the following command, then press enter

import-module activedirectory

4)      Type the following command, then press enter (this command is all one line)

a.       Change the items in bold as required for your environment\

Enable-ADOptionalFeature -Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com’ -Scope ForestOrConfigurationSet -Target ‘

5)      A warning will appear

WARNING: Enabling 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=domain,DC=com' is an irreversible action! You will not be able to disable 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=domain,DC=com ' if you proceed.

a.       Press Y, then Enter to continue

6)      Errors:

a.       If you receive an insufficient access rights error

                                                               i.      You did not login as the built-in Administrator, or that account is not a member of the Enterprise Admins, Domain Admins, or Schema Admins groups.

b.      If you receive an referral error

                                                               i.      You are not logged into the DC containing the Schema Master role.

7)      To verify that Active Directory Recycle Bin is enabled

a.       Launch ADSIEdit.msc

b.      Connect to the Configuration partition of the forest root domain.

c.       Right click the CN=Partitions container.

                                                               i.      Select Properties

                                                             ii.      In the details pane, locate the msDS-EnabledFeature attribute

d.      Confirm that its value is set to the configured value.




Configuring Tombstone Lifetime

The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a “tombstone”) is retained in the Active Directory database.  The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.


In Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2008, or Windows Server 2008 R2 operating systems, when the tombstoneLifetime attribute is set to null its default value is considered to be 180 days.


In Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2 operating systems, when the tombstoneLifetime attribute is set to null its default value is considered to be 60 days.


If you upgrade your domain controller to Windows Server 2008 or Windows Server 2008 R2 from Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2 operating, as opposed to performing a clean installation of Windows Server 2008 or Windows Server 2008 R2 operating systems, it is recommended that you manually set the value of tombstoneLifetime to 180 days.


Run the following PowerShell (PS) commands to determine the current tombstoneLifetime setting and configure this value if needed.


Load the PS AD module


import-module activedirectory


Find the current value of tombstoneLifetime (all one line)


Get-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com” -properties tombstonelifetime


Configure the value of tombstoneLifetime (all one line)


Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com” -Partition “CN=Configuration,DC=domain,DC=com” -Replace:@{“tombstoneLifetime” = 180}


Redirect Users and Computers

By default all new users are created in CN=Users and all new Computer object are created in CN=Computers.  However, neither of these locations allow Group Policies to be applied.  You can choose to change these default locations to an OU where group policy could be applied.


This not new to Windows 2008 (it was available in Windows 2003), but it does require that the domain functional level be at Windows 2003 or higher.  To change these locations use the following commands.


Redirusr ou=userou,dc=domain,dc=com


Redircmp ou=computerou,dc=domain,dc=com



More Information:

Intrasite replication Frequency

The original Windows 2000 intrasite replication frequency is 300/30. That is, any changes that are made to AD DS replicate to all other domain controllers in the same site 5 minutes (300 seconds) after a change is made—with a 30-second offset before notifying the next domain controller.  However, when the forest functional level is raised to Windows Server 2003 (the minimum required to install Windows 2008 R2), the replication frequency of AD DS is changed to the Windows Server 2003 default setting of 15/3 (15 sec / 3 sec offset).


Computer Browser

The Computer Browser service is disabled by default in Windows 2008 and 2008 R2.



More Information:

Migrate Server Roles to Windows Server 2008 R2


Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains

Enabling Windows Server 2008 Advanced Features for AD DS


Active Directory Recycle Bin Step-by-Step Guide

Article ID: 15, Created On: 9/16/2011, Modified: 9/16/2011