Migrating an Active Directory Domain Controller from Windows 2000 to Windows 2008 R2

Officially, Microsoft says a direct migration from a Windows 2000 Server Domain Controller to Windows 2008 R2 (or even just regular Windows 2008) isn’t supported. But I just did it… in about an hour. You can, too!

My Setup

I’ve got a single Windows 2000 Server that’s acting as the Domain Controller, DNS Server, DHCP Server, File Server, and VPN Server. The server was new when Windows 2000 was. I recently bought a beefier server, and I wanted to run Windows 2008R2 on it, replace all the roles on the old Win2K server, but not affect any of the user accounts that use the Windows 2000 Domain Controller to log on to the network with Active Directory.

Back That ADS Up!

Yes, I made a little funny with the initials for “Active Directory Server.” But there’s nothing funny about lost data. I like to say that there are only two types of data: 1) data that’s backed up, and 2) data that is waiting to be lost.

Before doing anything, I backed up all the user directories to a separate hard drive on the network, and used Windows Backup to back up the system state on the Windows 2000 server, as explained in this Knowledge Base article.

Seriously. Obey Gwen Stefani and Back It Up!

Patch Your Old Windows 2000 Server

First, make sure that your Windows 2000 Server is patched up to Service Pack 4. This migration is straight-up impossible without it.

Prep Your New Windows 2008R2 Server

Next, install Windows 2008R2 on the new server. Assign it a static IP address that is outside the range (but still in the same subnet) of any IP addresses that are statically assigned. For example, if your DHCP scope starts at and your old server is statically assigned to, assign the new server to something like Give the server a unique name (different than the existing server), and join it to the existing domain.

Once the new server is set up and can connect to the Internet, run Windows Update to install all the latest and greatest stuff. You’ll probably have to reboot once this is done.

Transfer DHCP Server Role First

If you want your new server to be your DHCP server, and you want to copy the DHCP database and configuration from your old server, you should migrate the DHCP role from Windows 2000 to Windows 2008R2 by following these instructions BEFORE you promote the new server to be a domain controller. I repeat: you can (and should) make the new server the DHCP server (and stop the DHCP service on the old server) and migrate the old DHCP database prior to promoting your new server to domain controller. I made the mistake of promoting the new server before migrating DHCP over, which meant I could no longer migrate the old settings (apparently it requires a local admin account on the machine – not a domain one), and so I had to manually configure it after the promo. To speed things up, I used netsh dhcp dump (explained in the link earlier in this paragraph) to create a text file with the configuration, which I used to copy and paste the MAC addresses as I manually rebuilt the config on the new server. Luckily, I only have one scope and a handful of reservations, but this is still something I wish I’d known prior to the migration.

Prep the Old Active Directory Forest and Domain

Next, turn your attention to the old Windows 2000 server. On the Windows 2008R2 install media, find the \support directory and copy it over to a directory on the old server (total directory size is 11MB). If your Windows 2000 server has a DVD-ROM drive, you can just copy it directly from the disc. If your Windows 2000 server’s hardware is too old and you just have a CD-ROM drive (like mine), you can use an external USB DVD-ROM drive, or a USB flash drive, or copy it over the network.

For this example, we’ll assume you copied the \support directory from the Windows 2008R2 install media to c:\support on the Windows 2000 system. Go to the Command Prompt on the old server and do:

cd \support\adprep
adprep32 /forestprep

This will run the adprep utility on the Windows 2000 server, which updates the schema of the Active Directory forest to a version that is compatible with Windows 2008. The output will show subsequent schemas being applied, until the schema is at the proper level (for those who care, mine started at Schema 13 and needed to be patched to Schema 47). You should get a “Command Completed Successfully” message, but it’s not really done yet. It will spit out a few lines of dots for a couple minutes before it’s finished, so be patient and wait until the command prompt comes back.

Important Note: the standard adprep.exe file on the Windows 2008R2 disc is the 64-bit version, and will not work on a 32-bit operating system such as Windows 2000. That’s why you need to run the adprep32.exe file. More info on the adprep utility can be found on Microsoft TechNet.

After adprep32 has prepped the forest, you need to run it again with a different flag to prep the domain. Do:

adprep32 /domainprep

This process is quicker than the forest prep, and should give you a success message when complete.

Promote the New Server

Now go back to the Windows 2008R2 server and run dcpromo. The wizard will walk you through the necessary steps to promote the server to be a domain controller. Answer the questions based on the needs and settings of your forest and domain. I rebooted the machine after it was done, just to be safe, and to verify that I could sign in with a domain admin account.

Congratulations! You’ve now got a Windows 2008R2 domain controller with all the SYSVOL data from your old Windows 2000 domain! You can verify this by poking around in the admin tools and seeing user and computer accounts that should be familiar to you.

Be Patient, then Check the Event Logs

It’s likely that you’ll have to chase down a few Event Log warnings and errors on your new server. But be patient. Active Directory likes to take its time to replicate, and a good number of warnings and errors will probably fix themselves as both domain controllers figure out what’s going on. If you can afford to let both servers sit at least overnight, that’s the safest thing to do. I did that, then I checked the event logs.

Transfer FSMO Roles and Set Up Any Additional Roles

Usually, I let the Event Logs be my guide as to which problems to fix first. In my case, I noticed Event ID 4512 from the DNS server (the DNS server role was set up automatically when I set up Active Directory on the new server with dcpromo). To fix this, I needed to transfer the Domain Naming Operations Master role to the new server. The Domain Naming Operations Master role is one of the 5 FSMO roles, so you should transfer that role, as well as the other FSMO Roles, from the Windows 2000 server to the Windows 2008R2 server.

Just in case you’re wondering, the five FSMO roles are:

  1. Schema Master
  2. Domain Naming Master
  3. Infrastructure Master
  4. Relative ID (RID) Master
  5. PDC Emulator

You can easily transfer all five roles using three snap-ins by following this guide. I found one small tip that was overlooked, however. In the first step, where it tells you to run regsvr32 schmmgmt.dll, you need to make sure you run it as administrator, or you’ll get an error message (you can right-click the command prompt and select Run as administrator…).

After transferring the FSMO roles, I created default application directory partitions for the DNS server by following these instructions. That fixed the 4512 error!

Once the FSMO roles are transferred over, you can use the Server Manager to set up any additional roles you need on the new server. I set up File Services, and a VPN using the Network Policy and Access Service by following these steps, and I may tinker with a few others over the coming weeks.

After setting up the File Services role, I discovered Event ID 8193 appearing in the Event Log. This blog post helped me fix it.

Check Windows Live Family Safety Settings

Strangely, I discovered (ok… one of our kids discovered) that I had to redo the Windows Live Family Safety procedure for domain accounts explained in a previous blog post. I’m not sure which part of the process broke it (thereby allowing the kids to surf the Web without filters), but it was easy enough to tighten down again using the same steps. If you’re in an office environment, this probably won’t apply to you, but if you run a domain controller to manage an in-home network, and use Windows Live Family Safety, you should verify that the kids’ accounts are still monitored.

Transfer Users’ Home Directories

My next step was to edit the user profiles in Active Directory Users and Computers on the new server to point their home directories to shares on the new server (which I’d previously copied over to a Drobo attached to the new server during my backup process).

Demote the Windows 2000 Server

Once you’re confident that everything is running properly on the new server and your Event Logs are happy, the final step is to run dcpromo on the old Windows 2000 server to demote it to a regular old server.
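Before running dcpromo on the old server, it is worth confirming that none of the five FSMO roles listed earlier was left behind on it. The following PowerShell check is an added example, not part of the original procedure: it reads the fSMORoleOwner attribute of each role's directory object over LDAP and flags any role not held by the new server. The server name NEWSERVER is a placeholder; run it from the Windows 2008R2 server while logged on with a domain account.

```powershell
# Added example: list the five FSMO role holders and flag any role
# that has not yet moved to the new domain controller.
$NewDc = 'NEWSERVER'   # placeholder: name of your Windows 2008R2 domain controller

# RootDSE tells us where the domain, configuration and schema partitions live.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# Each role is recorded in the fSMORoleOwner attribute of one directory object.
$roleObjects = @(
    @{ Role = 'Schema Master';            DN = $schemaNc },
    @{ Role = 'Domain Naming Master';     DN = "CN=Partitions,$configNc" },
    @{ Role = 'Infrastructure Master';    DN = "CN=Infrastructure,$domainNc" },
    @{ Role = 'Relative ID (RID) Master'; DN = "CN=RID Manager`$,CN=System,$domainNc" },
    @{ Role = 'PDC Emulator';             DN = $domainNc }
)

$results = foreach ($r in $roleObjects) {
    $obj   = [ADSI]("LDAP://" + $r.DN)
    # The value is the DN of the holder's NTDS Settings object, e.g.
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $owner = [string]$obj.fSMORoleOwner
    $holder = '(unknown)'
    if ($owner -match '^CN=NTDS Settings,CN=([^,]+),') { $holder = $Matches[1] }

    New-Object PSObject -Property @{
        Role    = $r.Role
        Holder  = $holder
        OnNewDc = ($holder -ieq $NewDc)
    }
}

$results | Select-Object Role, Holder, OnNewDc | Format-Table -AutoSize

# Refuse to give the all-clear while any role is still on another server.
$stragglers = @($results | Where-Object { -not $_.OnNewDc })
if ($stragglers.Count -gt 0) {
    $names = ($stragglers | ForEach-Object { $_.Role }) -join ', '
    Write-Warning "Not yet on ${NewDc}: $names. Transfer these before demoting the old server."
} else {
    Write-Host "All five FSMO roles are held by $NewDc."
}
```

The script only reads from the directory, so it is safe to rerun after each role transfer until the warning goes away.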

Mine served valiantly, and to reward it, I’ll probably keep it in place for a while to run some outdated applications that no longer run on current versions of Windows (like the 16-bit software that I use to program the Lutron HomeWorks lighting system in the house). But, like all old hardware in my house, I’m sure it will end up as a Linux box eventually. 🙂

Please Provide Feedback

If you stumble across additional steps during your migration that may benefit others pursuing this technically unsupported migration path, please post them in the comments.

Happy migrating from Windows 2000 Server to Windows Server 2008R2!