Migrating an Active Directory Domain Controller from Windows 2000 to Windows 2008 R2

Officially, Microsoft says a direct migration from a Windows 2000 Server Domain Controller to Windows 2008 R2 (or even just regular Windows 2008) isn’t supported. But I just did it… in about an hour. You can, too!

My Setup

I’ve got a single Windows 2000 Server that’s acting as the Domain Controller, DNS Server, DHCP Server, File Server, and VPN Server. The server was new when Windows 2000 was. I recently bought a beefier server, and I wanted to run Windows 2008R2 on it, replace all the roles on the old Win2K server, but not affect any of the user accounts that use the Windows 2000 Domain Controller to log on to the network with Active Directory.

Back That ADS Up!

Yes, I made a little funny with the initials for “Active Directory Server.” But there’s nothing funny about lost data. I like to say that there are only two types of data: 1) data that’s backed up, and 2) data that is waiting to be lost.

Before doing anything, I backed up all the user directories to a separate hard drive on the network, and used Windows Backup to back up the system state on the Windows 2000 server, as explained in this Knowledge Base article.

Seriously. Obey Gwen Stefani and Back It Up!

Patch Your Old Windows 2000 Server

First, make sure that your Windows 2000 Server is patched up to Service Pack 4. This migration is straight-up impossible without it.

Prep Your New Windows 2008R2 Server

Next, install Windows 2008R2 on the new server. Assign it a static IP address in the same subnet that is outside your DHCP scope and not already taken by any statically assigned host. For example, if your DHCP scope starts at and your old server is statically assigned to, assign the new server to something like Give the server a unique name (different from the existing server), and join it to the existing domain.

Once the new server is set up and can connect to the Internet, run Windows Update to install all the latest and greatest stuff. You’ll probably have to reboot once this is done.

Transfer DHCP Server Role First

If you want your new server to be your DHCP server, and you want to copy the DHCP database and configuration from your old server, you should migrate the DHCP role from Windows 2000 to Windows 2008R2 by following these instructions BEFORE you promote the new server to be a domain controller. I repeat: you can (and should) make the new server the DHCP server (and stop the DHCP service on the old server) and migrate the old DHCP database prior to promoting your new server to domain controller. I made the mistake of promoting the new server before migrating DHCP over, which meant I could no longer migrate the old settings (apparently the migration requires a local admin account on the machine, not a domain one), so I had to configure it manually after the promotion. To speed things up, I used netsh dhcp dump (explained in the link earlier in this paragraph) to create a text file with the configuration, from which I copied and pasted the MAC addresses as I manually rebuilt the config on the new server. Luckily, I only have one scope and a handful of reservations, but this is still something I wish I’d known prior to the migration.

Prep the Old Active Directory Forest and Domain

Next, turn your attention to the old Windows 2000 server. On the Windows 2008R2 install media, find the \support directory and copy it over to a directory on the old server (the total directory size is 11MB). If your Windows 2000 server has a DVD-ROM drive, you can just copy it directly from the disc. If your Windows 2000 server’s hardware is too old and you just have a CD-ROM drive (like mine), you can use an external USB DVD-ROM drive, or a USB flash drive, or copy it over the network.

For this example, we’ll assume you copied the \support directory from the Windows 2008R2 install media to c:\support on the Windows 2000 system. Go to the Command Prompt on the old server and do:

cd \support\adprep
adprep32 /forestprep

This runs the adprep utility on the Windows 2000 server, which updates the schema of the Active Directory forest to a version that is compatible with Windows 2008. The output will show successive schema versions being applied until the schema is at the proper level (for those who care, mine started at Schema 13 and needed to be patched to Schema 47). You should get a “Command Completed Successfully” message, but it’s not really done yet. It will spit out a few lines of dots for a couple of minutes before it’s finished, so be patient and wait until the command prompt comes back.

Important Note: the standard adprep.exe file on the Windows 2008R2 disc is the 64-bit version, and will not work on a 32-bit operating system such as Windows 2000. That’s why you need to run the adprep32.exe file. More info on the adprep utility can be found on Microsoft TechNet.

After adprep32 has prepped the forest, you need to run it again with a different flag to prep the domain. Do:

adprep32 /domainprep

This process is quicker than the forest prep, and should give you a success message when complete.
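Added example, not from the original post: a PowerShell check of the schema objectVersion that adprep32 /forestprep raises (13 for Windows 2000, 47 for 2008 R2, the two values quoted above). Windows 2000 has no PowerShell, so run it from the new 2008 R2 member server (before dcpromo) or any other domain-joined machine with PowerShell; at this stage the LDAP bind lands on the Windows 2000 DC.

```powershell
# Added example (not part of the original post): read the AD schema version
# to confirm whether adprep32 /forestprep has completed.

# objectVersion values Microsoft publishes for each schema level.
$SchemaVersions = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
}

function Get-SchemaVersion {
    # RootDSE tells us where the schema partition lives; objectVersion on that
    # container is the number adprep32 bumps step by step.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaDn = $rootDse.Get('schemaNamingContext')
    $schema   = [ADSI]"LDAP://$schemaDn"
    return [int]$schema.Get('objectVersion')
}

$version = Get-SchemaVersion
$label   = $SchemaVersions[$version]
if (-not $label) { $label = 'unknown (newer than Windows Server 2008 R2?)' }
Write-Host ("Schema objectVersion = {0} ({1})" -f $version, $label)

# adprep32 /forestprep has done its job only once the schema reports 47.
if ($version -ge 47) {
    Write-Host 'Forest schema is at the 2008 R2 level; dcpromo on the new server can proceed.'
} elseif ($version -eq 13) {
    Write-Host 'Schema is still at the Windows 2000 level; adprep32 /forestprep has not run (or has not finished).'
} else {
    # Either another OS level or an interrupted forestprep; adprep can be run again safely.
    Write-Host 'Schema is at an intermediate level; if you expected 47, re-run adprep32 /forestprep.'
}
```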

Promote the New Server

Now go back to the Windows 2008R2 server and run dcpromo. The wizard will walk you through the necessary steps to promote the server to be a domain controller. Answer the questions based on the needs and settings of your forest and domain. I rebooted the machine after it was done, just to be safe, and to verify that I could sign in with a domain admin account.

Congratulations! You’ve now got a Windows 2008R2 domain controller with all the SYSVOL data from your old Windows 2000 domain! You can verify this by poking around in the admin tools and seeing user and computer accounts that should be familiar to you.

Be Patient, then Check the Event Logs

It’s likely that you’ll have to chase down a few Event Log warnings and errors on your new server. But be patient. Active Directory likes to take its time to replicate, and a good number of warnings and errors will probably fix themselves as both domain controllers figure out what’s going on. If you can afford to let both servers sit at least overnight, that’s the safest thing to do. I did that, then I checked the event logs.

Transfer FSMO Roles and Set Up Any Additional Roles

Usually, I let the Event Logs be my guide as to which problems to fix first. In my case, I noticed Event ID 4512 from the DNS server (the DNS server role was set up automatically when I set up Active Directory on the new server with dcpromo). To fix this, I needed to transfer the Domain Naming Operations Master role to the new server. The Domain Naming Operations Master role is one of the 5 FSMO roles, so you should transfer that role, as well as the other FSMO Roles, from the Windows 2000 server to the Windows 2008R2 server.

Just in case you’re wondering, the five FSMO roles are:

  1. Schema Master
  2. Domain Naming Master
  3. Infrastructure Master
  4. Relative ID (RID) Master
  5. PDC Emulator

You can easily transfer all five roles using three snap-ins by following this guide. I found one small tip that was overlooked, however. In the first step, where it tells you to run regsvr32 schmmgmt.dll, you need to make sure you run it as administrator, or you’ll get an error message (you can right-click the command prompt and select Run as administrator…).
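Added example, not from the original post: a PowerShell check, run on the new 2008 R2 DC, that reports which of the five FSMO roles have actually moved and what the functional levels are before you demote the old server. 'NEWDC' is a placeholder for the new server's hostname; the ActiveDirectory module is the one installed with the AD DS role on 2008 R2.

```powershell
# Added example (not part of the original post): confirm all five FSMO roles now
# live on the new 2008 R2 DC. 'NEWDC' is a placeholder for your new server's name.
Import-Module ActiveDirectory

$NewDc  = 'NEWDC'
$Forest = Get-ADForest
$Domain = Get-ADDomain

# Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
# Names match the OperationMasterRole values Move-ADDirectoryServerOperationMasterRole accepts.
$Roles = @(
    @{ Name = 'SchemaMaster';         Holder = $Forest.SchemaMaster },
    @{ Name = 'DomainNamingMaster';   Holder = $Forest.DomainNamingMaster },
    @{ Name = 'InfrastructureMaster'; Holder = $Domain.InfrastructureMaster },
    @{ Name = 'RIDMaster';            Holder = $Domain.RIDMaster },
    @{ Name = 'PDCEmulator';          Holder = $Domain.PDCEmulator }
)

$Elsewhere = @()
foreach ($role in $Roles) {
    # Holders are reported as FQDNs (e.g. newdc.example.local); compare the host label only.
    $holderHost = ([string]$role.Holder -split '\.')[0]
    if ($holderHost -ieq $NewDc) {
        Write-Host ("{0,-22} OK    {1}" -f $role.Name, $role.Holder)
    } else {
        Write-Warning ("{0,-22} still on {1}" -f $role.Name, $role.Holder)
        $Elsewhere += $role.Name
    }
}

# Functional levels stay at Windows 2000 until raised by hand. Leave them there
# while any Windows 2000 DC remains; raise them only after the old DC is demoted.
Write-Host ("Forest functional level: {0}" -f $Forest.ForestMode)
Write-Host ("Domain functional level: {0}" -f $Domain.DomainMode)

if ($Elsewhere.Count -eq 0) {
    Write-Host "All five FSMO roles are on $NewDc; demote the old DC once replication is clean."
} else {
    # Same transfer the three snap-ins perform, done from PowerShell (uncomment to run):
    # Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $Elsewhere
    Write-Warning ("Do not demote the old DC yet; roles still elsewhere: " + ($Elsewhere -join ', '))
}
```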

After transferring the FSMO roles, I created default application directory partitions for the DNS server by following these instructions. That fixed the 4512 error!

Once the FSMO roles are transferred over, you can use the Server Manager to set up any additional roles you need on the new server. I set up File Services, and a VPN using the Network Policy and Access Service by following these steps, and I may tinker with a few others over the coming weeks.

After setting up the File Services role, I discovered Event ID 8193 appearing in the Event Log. This blog post helped me fix it.

Check Windows Live Family Safety Settings

Strangely, I discovered (ok… one of our kids discovered) that I had to redo the Windows Live Family Safety procedure for domain accounts explained in a previous blog post. I’m not sure which part of the process broke it (thereby allowing the kids to surf the Web without filters), but it was easy enough to tighten down again using the same steps. If you’re in an office environment, this probably won’t apply to you, but if you run a domain controller to manage an in-home network and use Windows Live Family Safety, you should verify that the kids’ accounts are still monitored.

Transfer Users’ Home Directories

My next step was to edit the user profiles in Active Directory Users and Computers on the new server to point their home directories to shares on the new server (which I’d previously copied over to a Drobo attached to the new server during my backup process).

Demote the Windows 2000 Server

Once you’re confident that everything is running properly on the new server and your Event Logs are happy, the final step is to run dcpromo on the old Windows 2000 server to demote it to a regular old server.

Mine served valiantly, and to reward it, I’ll probably keep it in place for a while to run some outdated applications that no longer run on current versions of Windows (like the 16-bit software that I use to program the Lutron HomeWorks lighting system in the house). But, like all old hardware in my house, I’m sure it will end up as a Linux box eventually. 🙂

Please Provide Feedback

If you stumble across additional steps during your migration that may benefit others pursuing this technically unsupported migration path, please post them in the comments.

Happy migrating from Windows 2000 Server to Windows Server 2008R2!

  • Alif Ambler

    Hey Steve now that you have a 2008 R2 server and a Windows 7 client, you should try out Direct Access. I am excited to try it but haven’t yet. It is a VPN-less certificate-based way to connect to your ‘corporate’ resources while out of the office.

    Other than a 2008 R2 server and a Win 7 client, I think the only other real requirement is that you have 2 static internet IPs on your server.

    Glad the dc switchover went well. I’ve had 2 go well and one go horribly wrong. I think my problem was more related to renaming the DCs too quickly than the upgrade though….


  • Kuldip Patil

    My client has a Windows 2000 domain containing 1 Windows 2000 DC & 2 Windows 2000 ADCs. He wants to upgrade it to Windows 2008 R2. He started the upgrade but mistakenly installed Windows 2008 Ent. with SP1 & did the schema upgrade (by Forestprep & Domainprep) & moved the PDC Emulator & Domain Naming Master roles to the Windows 2008 Ent. server & also made it a GC. Now in that domain there is one Windows 2008 Ent. server & three Windows 2000 servers (the Windows 2000 server still has the Schema Master, Infrastructure Master & RID Master roles.)
    Now the client wants to install a Windows 2008 R2 server in the domain & remove the Windows 2000 & Windows 2008 Ent. servers from the domain, so please tell me how to go about this.
    Do I need to run forestprep & domainprep again?


  • Nikosspi

    Hey Steve trying the same thing I could not join the 2008 R2 Server to the 2000 domain with the message “The account is not authorized to log in from this station” after typing username and password to join the domain. Any thoughts?

  • Hey…
    I am doing exactly the same setup for my client… but I seem not to be able to locate the Adprep32.exe file on the Windows 2008 DVD, which makes it impossible for this command to work (adprep32 /forestprep). Or should I use the D:\sources\adprep\adprep /forestprep command instead?


  • Rayden F. Germosen

    This was very helpful. Thank you for the wonderful article and simple instructions. I was successful at migrating from w2k to Wk8 following your instructions. I ran into some issues running Adprep /forestprep because Exchange 5.5 was installed on the w2k DC, but it was corrected by using ADSIEdit and modifying the Exchange attributes.

  • I was trying to migrate my server from 2000 to 2008R2. When I tried to run adprep I got an error:

    Adprep was unable to extend the schema.

    In case someone gets the same error, given that it took us 2 days to find a workaround for the problem, I give you the links to the solution.

    Your post is the best!!!

  • George Macdonald

    Thank you for this detailed and well-written article. I was beginning to despair after reading of all the failed attempts and in particular the people who were adamant that a Win2K Server hostname which had an underscore in it just wouldn’t work – my unfortunate circumstance.

    All I did was make sure that the DNS Properties/Advanced tab had “All sames” selected for “Name Checking” in the Win2K Server and then the same for the new Windows Server 2008 R2 DNS as soon as it was up and running. Both systems could see the other as hosts and after I demoted the old system it is still visible as a host, with the underscore intact in its name, and logged into the new domain just fine.

    One thing I’d note is that the new Windows Server 2008 R2 shows as running at “Windows 2000 native functional level” for the forest and the domain. Since I’ll have only that one DC, with server 2008 R2, I assume I’ll want to raise those to 2008 R2 functional level after the Windows 2000 Server, now a member server and still with its underscore in the name, has been retired.

    Thanks again.

    • George Macdonald

      Sorry to reply to my own post but just a correction, to be clear: that should read “All names” for the “Name Checking” box.

    • GregW

      Were you able to raise functionality to Server 2008 functionality mode?

  • David

    I wish I would have come across this about 90 days ago. I ended up starting the W2k > W2k3 method. Oh well. Great write up.
    To be honest W2k > W2k8 seems much easier than my route.
    Then again I had to do a ton of clean up in AD.
    Either way good stuff.

    • Ah! Bummer! Sorry you didn’t find this earlier, too! But I’m glad you got it migrated and working. 🙂

  • Saad

    Very nice article.

    One question though: when promoting the Server 2008 R2, we have to choose it as a second domain controller and wait for replication to occur before moving FSMO roles.


  • Kevin Y

    Steve, many many thanks on a great article here! This article worked like a charm for me! I thought that I’d share a couple of additional steps/snags that I worked through that may be of value to future readers:

    – My old W2K server DNS was not set to allow dynamic updates. As a result, DCPROMO on my new W2K8R2 server could not find the domain in question. I had to go into DNS on the old box, allow dynamic updates in the DNS configuration and stop and start the Netlogon service to force it to register the SRV records in DNS that DCPROMO on the new box was looking for: http://support.microsoft.com/default.aspx?scid=kb;EN-US;241505

    – The domain on my old W2K box was not in Native mode. It was in Mixed mode, which allows for pre-Windows 2000 domain controllers (NT4 I would guess). So I went into the Active Directory Domains and Trusts tool on the old W2K box and set the AD mode to Native.

    Other than the above, promoting in a brand new W2K8R2 DC to my old W2K domain was a piece of cake thanks to your article, and I now have a shiny new DC on my domain. All the best! -Kevin

    • I had those exact issues; wish I had read your comment before googling like a maniac, but I got it working with the same solution as you posted.

  • Fransiscus Lesmana

    Hi Steve, thank you for the article.

    If you don’t mind, could you please advise at which point did you rename the new box to the original DC name? Also its IP address?
    I would think it should happen after the demotion of the Windows 2000 server.

    Thank you.

    • Hi, Fransiscus. I never did rename the new DC or give it the old DC’s IP address. The new DC kept a new name, and new IP. In fact, the old DC is still on my network with its original IP address, and I still use it as a file server. It’s just no longer a DC.

      • Fransiscus Lesmana

        ah cool. thanks for the reply mate.

  • Greg

    Steve, thanks for the great instructions! I’ve been researching for some time now on how to tackle this project. My primary DC is Win 2000 Server SP4 (mixed mode) and I have a Backup DC which is a Windows 2003 Server also acting as Terminal Server. 1) Do I need to demote the Backup DC during this process or just leave it in place until the 2008R2 is ready to be Primary, then demote it? 2) I have the issue of having an _ underscore in my Domain Name. Can I leave it or do I really need to fix the domain name, and if so, at what point in the process so it doesn’t screw everything up?


    • Hey, Greg. Hmm… I’m no help with the underscore issue, as I’ve never encountered that. Sorry! But concerning your backup DC, I can’t think of any reason why you’d need to demote it. You don’t need to demote your primary until the very last step, so keeping the backup DC running through the process shouldn’t hose anything either.

  • James

    This documentation ROCKS!!! Thank you for posting this..

  • Thank you for the write up Steve. I have a client whose system needs to be upgraded from windows 2000 to windows 2008r2. You’ve saved me some hair. Thanks to those of you who also contributed your work around methods. I’ll report the outcome soon. Thanks again.

  • Bill

    It just works! Tested on a test network and we had no problems whatsoever.
    Thanks for the information!

  • Terry

    Hi Steve, I will be doing an upgrade soon from AD 2000 to AD 08 and need the best possible solution to get it done. My environment is like this: we currently have a WAN environment with 6 locations and all are connected. We have a domain controller at each location; three have Server 2003 and three have Windows 2000 Server. Our PDC has Windows Server 2000 SP4 on it.
    The three w2k servers cannot be upgraded as they need to be replaced with new servers and that doesn’t seem likely right now (no funding). We currently use Exchange 2000 for our mail; that will be replaced with a new server. We have purchased two new servers, one for Exchange and the other for our new Primary Domain Controller. How do I go about this? Will all my domain controllers at each location have to be upgraded to Windows 2008 Server first before installing my new PDC, and what do I need to do with the Exchange box? It’s a big undertaking and I would love some guidance. Thanks in advance. I have 08 licenses already.

  • André

    Can this be achieved for Windows 2012 STD target instead of Windows 2008 R2?

    • Wish I could say for sure, André. I haven’t tested on that platform. Sorry!

      • André

        Well. I tried and it doesn’t work, for the simple fact that Windows 2012 does not have an adprep32.exe version. It only comes with a 64-bit one.

  • André

    The only issue I had was with the DHCP! I could NOT import the database nor the configuration on the new Win 2008 server.
    It gave me errors regarding conflicting classes. I don’t remember exactly the error message.

  • Ebj Immano

    Great article, very insightful.
    A question: I have Exchange 2000 on the Win 2000 server, but won’t have a modern version on the Win 2008 R2 server. Should I do something about Exchange 2000 before I attempt this? I would really like not to find the new server to be riddled by issues such as Active Directory expecting to find a working Exchange installation only to find none. Or does it conveniently happen that if I don’t transfer that role specifically, it gets left behind and does not affect the target 2008 R2 server? Yeah, wishful thinking, I’d assume.

    My evaluation here is against the alternative of just making a new domain and migrating the clients manually by using a utility to map users from one to the other. It’s slow, but I only have about 25 clients and will get it done in a few days. If the migration between the servers requires too many intermediate steps on the source server, it might make the manual alternative preferable, but I’d like some insight on it if you have the time.

    • Ebj Immano

      The answer: better to remove Exchange 2000 and also to check MS Technet to retrieve a script to fix some malformed ldap entities that resulted from its presence, remove mailboxes for all AD users, and then proceed with your process. Thanks again for it.