How to migrate the Active Directory domain functional level to Server 2008 R2 – Part 3

• Author
• Recent Posts

James Bannan

James Bannan is Senior Technical Consultant who specializes in deployment, virtualization and management.

Latest posts by James Bannan (see all)

• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration - Wed, Jun 29 2011
• Forefront Endpoint Protection 2012 –Part 1: Installation on Configuration Manager 2012 - Wed, Jun 22 2011
• iPad for business? The consumerisation of enterprise - Fri, Nov 19 2010

The actual process of raising the functional level is pretty straightforward – a couple of clicks and you’re done. However, every domain controller has to be able to support the new level, so that means taking existing DCs based on earlier versions of Windows Server out of commission. They can still stick around as member servers, but you have to use DCPROMO to revoke their role as DCs. In my case, the last DC (which was Server 2008 Standard) happened to be the first DC of a new domain, so that meant it also took the FSMO roles for the domain (Flexible Single Master Operations) which are still part of Active Directory Domain Services. These do not get transferred automatically so this must be done manually.

There are five roles to be transferred – Schema Master, Domain Naming Master, PDC, RID Pool Manager and Infrastructure Master. To see which servers hold these roles in your environment, open a command window and type in:

netdom query fsmo /domain:yourdomain.com

In my case the same server held all five roles. I used the MMC snapins from a domain-joined workstation with the Remote Server Admin Tools (RSAT) installed to transfer the roles as follows:

Step 1 – Transfer PDC, RID Pool Manager and Infrastructure Master roles

1. Open Active Directory Users and Computers
2. Right-click “Active Directory Users and Computers” in the left-hand pane of the snapin and select “Connect to domain controller”, and choose the DC which you are transferring the roles TO
3. Right-click “Active Directory Users and Computers” again, and select “All Tasks” and then “Operations Masters”
4. For each of the three tabs – RID, PCD and Infrastructure – verify that the current Operations master is the DC you wish to transfer the role FROM, and that the other field is populated with the DC you wish to transfer the role TO, and click Change
5. Click Close

Step 2 – Transfer Domain Naming Master role

1. Open Active Directory Domains and Trusts
2. Right-click Active Directory Domains and Trusts and select “Change Active Directory Domain Controller” and choose the DC which you are transferring the role TO
3. Right-click Active Directory Domains and Trusts again and select “Operations Master”
4. Verify that the current master server and the new master server fields are populated correctly, and click Change
5. Click Close

Step 3 – Transfer Schema Master role

1. First, register the snapin – go Start, Run, and type in “regsvr32 schmmgmt.dll” (without quotes) and hit Enter
2. Go Start, Run, mmc.exe
3. In the console screen go to the File menu and select “Add/Remove Snap-in”
4. Select “Active Directory Schema” from the list of available snapins and click Add, then press OK
5. Right-click “Active Directory Schema” and select “Change Active Directory Domain Controller”. Select the DC which you will transfer the role TO
6. Right-click “Active Directory Schema” again and select “Operations Master”
7. Verify that the current master server and the new master server fields are populated correctly, and click Change
8. Click Close

The remaining considerations to assess what roles are currently in operation on the old DC. In my case it was also running as a DNS and DHCP server, so those roles needed to be replicated on new infrastructure and migrated, as my plans were to take the old DC offline completely. You also need to look at any specific or unique authentication scenarios – for example, I had a NAS which supported AD authentication but which had to point at the AD server hosting the PDC role, as it used a legacy form of authentication.

Go to the old DC and go Start, Run, DCPROMO to launch the ADDS Installation Wizard.

1. Click Next
2. Click OK to confirm that you have another Global Catalog server available on the network
3. Do NOT click the checkbox on the next page, as this will delete the domain
4. If DNS is running on the DC, tick the box to remove the DNS delegations which point to the server and enter administrative credentials to confirm this
5. Type in a new Administrator account password

The server will configure and remove ADDS and replicate any existing data to the other DC. Reboot the system once the process is complete. Once the old system has restarted, log back in using the new local admin account (if the server was a DNS server then it will still be using its loopback address for DNS resolution so you won’t be able to log onto AD just yet) and then uninstall any services which are no longer needed.

Run checks in AD Users and Computers, Sites and Services and DNS to ensure that the DC has been removed successfully. At this stage, wait a few hours to allow domain replication to take place.

To migrate the functional level, launch Active Directory Users and Computers. Right-click the domain and select “Raise domain functional level”. In the field “Select an available domain functional level” choose “Windows Server 2008 R2” and click “Raise”. The domain level is now raised and the change replicates to each DC.

To raise the forest level, launch Active Directory Domains and Trusts and right-click “ Active Directory Domains and Trusts” (don’t click the domain). Click “Raise Forest Functional Level”, make sure that “Windows Server 2008 R2” is selected and click “Raise”. Again, the change replicates throughout the forest to all the other DCs.