Upgrade Win 2003 R2 Std AD to Win 2008 R2 DC RRS feed

  • Question

  • Hi,

    I'm planning to upgrade my Windows 2003 R2 Standard x32 Active Directory to Windows 2008 R2 Data Center x64. I'm documenting existing and new AD architecture.

    I've following applications on Win 2003 DC

    1. AD win2003 R2 Standard
    2. DNS
    3. DHCP
    4. Certificate Authority (CA)

    I've these applications dependent applications on network:

    1. Exchange 2007
    2. OCS 2007 R2

    Need is to setup AD between two physical locations. I've done some pre-work but wanted to discuss the upgrade planning options in this scenario and any suggestions you might have.



    Monday, February 27, 2012 9:24 PM


All replies

  • I'll start with what may be the most obvious (it looks like you've done some research and may know this already) but there is no direct upgrade path from W2K3 R2 Stan x32 (x86) to W2K8 R2 Data Center x64.

    So you'll have to either obtain some new material or reformat existing servers one by one and perform a fresh install of W2K8 R2 Data Center x64.

    Note: if you go with the existing servers, you will want to make sure they can run a x64 OS (most likely they can, and if they are that old that they cannot, you may want to replace them regardeless) 

    How many servers do you have? How are they distributed between sites?

    The upgrade (fortunately) can take place gradually so you can start by upgrading one DC, then another and so forth.

    W2K3 (R2) DCs and W2K8 (R2) DCs will coexist just fine, as will x86 and x64 DCs

    Cert Authority: although it is supported to run a CA on a DC, this has two drawbacks: 1) You cannot rename the DC, 2) you cannot take the CA offline (or keep it offline) which is a security best practice. Apparently the CA can be moved (I have not done this myself so cannot speak from experience).

    Monday, February 27, 2012 10:14 PM
  • Thanks for reply.

    I'll not be doing an in-polace upgrade. First I'll be adding win2008 R2 as additional DC in existing Win 2003 R2.

    The client currently has two win 2003 R2 DCs in main location. they have one one AD site. Planning to have two win 2008 R2 DC's but also add one DC to their other location.

    I'd like to get more input on AD migration when exchange 2007, OCS 2007 R2 and CA are also used on the network.

    Monday, February 27, 2012 10:25 PM
  • Hopefully my edits add something - concerning CA (some afterthoughts came to mind after I hit submit)

    I admit I know next to nothing about OCS / Lync. So no comments there.

    As for Exchange, you can upgrade domain controllers from W2K3 whatever to W2K8 whatever without having to upgrade Exchange (it's not like if you were moving E2K7 from servers running W2K3 or W2K8 to W2K8 R2 in which case you'd want to make sure E2K7 has SP3, etc.).

    I have done this for real and had no issues (not that my experience alone is an authoritative response).

    Monday, February 27, 2012 10:34 PM
  • Hi,

    Read this thread, Migration of Windows 2003 std 32-bit server to Windows 2008 64-bit enterprise R2 server


    Certificate Service: It is not recommended to install on DC, so transfer CA to another member server. Changing the server name is not recommended although it is supported, this is mainly because you need to change a number of configuration parameters to include the old name to keep the old certificates valid.

    Read this thread: http://social.technet.microsoft.com/Forums/sk/winserverDS/thread/bc1ad1d7-73e5-48b5-9372-924b506707d0


    You may ask the Certifiate Authority question in security forum: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, February 28, 2012 8:03 AM
  • I agree with Le Pivert, its time to move the CA and if possible DHCP role too to the member server. The main disadvantage with CA on the DC is that you can't demote the DC easily during corruption of the AD database. You first need to remove the CA role and then AD role where as demoting and promoting a DC w/o additional role is much simpler.  If DNS is AD-Integrated, you don't have to worry, it will automatically be replicated post install its services on the DC.

    Migration of DHCP Server from Windows Server 2003 to Windows Server 2008


    There is no issues in upgrading AD from windows 2003 R2 to windows 2008 R2. The application referred in your post very much supported by windows 2008 r2 AD.

    Exchange Server Supportability Matrix


    Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain Controllers


    Note: RODC is not supported for any version of the Exchange server.

    Migrate/Upgrade CA from windows 2003 to windows 2008/R2


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, February 28, 2012 8:45 AM
  • Hello,

    start with migration from the CA to a new domain member server, it should not run on a DC as others already mentioned and even is reocmmended from Microsoft. http://technet.microsoft.com/en-us/library/cc742466.aspx

    After this step go on with the DC/DNS/GC according to http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx

    If possible move the DHCP also to another member server, or follow at least http://technet.microsoft.com/en-us/library/cc771732.aspx

    For Exchange and OCS requirements please use the specific forums also.

    Best regards

    Meinolf Weber
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, February 29, 2012 4:54 PM
  • Thanks everyone for your quick input. Definitely it helped and saved lot of my time.

    With some of the information here, I was able to update my brainstorming planning sheet, Architecture and Upgrade Process Flow diagrams. Those helped in this successful upgrade.

    The CA was moved to new server. Had some issues during and after move but I was able to go through all those. For OCS I had to deploy the new certificate.

    I'll be adding couple of Win 2008 R2 DCs and configure FSMO roles among DCs for DR process.

    Faisal Masood - PMP


    Blog | Twitter

    Wednesday, March 7, 2012 7:53 PM