Active Directory Migration from Server 2003 to Server 2012 R2


For the purposes of this article, my environment consists of a single Windows Server 2003 domain (ad.contoso.com) with one DC (dc1) running Active Directory-integrated DNS. This is a typical scenario for small businesses that can’t afford the luxury of two physical servers or virtualization. I’m going to add a Windows Server 2012 R2 DC (newDC) to the existing domain, decommission the Windows Server 2003 DC, and then raise the domain and forest functional levels to Windows Server 2012 R2. If your domain has more than one DC, or your server is running roles other than DNS, I’ve made notes along the way where you may need to take extra steps for a successful transition.

Preparing the Domain

Before Windows Server 2012 R2 DCs can be added to the existing Windows Server 2003 domain, you will need to meet some prerequisites and perform a few recommended health checks.

Update Windows Server 2003

First let’s check that Windows Server 2003 is running Service Pack 2. Log in to the Windows Server 2003 DC with a domain administrator account, and follow the instructions below:

  • Click Start, and select Run… from the Start menu.

  • In the Run box, type winver and press ENTER. The About Windows dialog will be displayed, showing the installed build and service pack. If Service Pack 2 isn’t installed, you can

Check the Service Pack level of Windows Server 2003.

Now check to make sure any additional updates have been installed:

  • Click Start, and select Command Prompt from the Start menu.

  • In the command prompt window, type wuauclt /detectnow and press ENTER.

If there are any available updates, a yellow shield will appear in the system tray. Double click it and follow the instructions for installing the available updates. You may need to wait a few minutes for the icon in the system tray to be updated.

Domain and Forest Functional Levels

Windows Server 2012 R2 DCs can only be added to a domain when the forest and domain functional levels are set to Windows Server 2003 or higher. So let’s check the forest and domain functional levels on the Windows Server 2003 DC:

Check the domain and forest functional levels in Active Directory Domains and Trusts

  • Go to Administrative Tools on the Start menu, and click Active Directory Domains and Trusts.

  • Right click your domain in the left pane, and select Properties from the menu.

In the Properties dialog, check the Domain functional level and Forest functional level. If they are set to anything other than Windows Server 2003, continue with the instructions below. Remember that raising the domain and forest functional levels is an irreversible operation.

Raise the domain functional level using Active Directory Domains and Trusts

  • To raise the domain functional level, right click your domain in the left pane of Active Directory Domains and Trusts, and select Raise Domain Functional Level from the menu.

  • In the Raise Domain Functional Level dialog, select Windows Server 2003 from the drop-down menu, and then click Raise.

  • Click OK to start the operation.

  • Click OK again to confirm the operation has completed.

If you have more than one domain in your forest, they will all need to be at the Windows Server 2003 domain functional level before the forest functional level can be raised.

  • Right click Active Directory Domains and Trusts in the left pane of Active Directory Domains and Trusts console, and select Raise Forest Functional Level from the menu.

  • In the Raise Forest Functional Level dialog, select Windows Server 2003 from the drop-down menu and click Raise.

  • Click OK to start the operation.

  • Click OK again to confirm the operation has completed.

Active Directory Health

DCdiag is part of the Windows Server 2003 Support Tools, which can be downloaded here, and allows you to check the health of Active Directory. Before adding Windows Server 2012 R2 DCs to your domain, I recommend that you run this tool to make sure that the domain passes all the basic tests. Any significant problems, including those connected to replication, will show up in the results.

Use DCdiag in the Windows Server 2003 Support Tools to check Active Directory health

  • To run dcdiag, open a command prompt, type dcdiag and press ENTER.

  • Check that the DC passed each test.

In the next part of this series, we’ll install Active Directory on Windows Server 2012 R2, add it to the domain, transfer the five Flexible Single Master Operation (FSMO) roles to the new DC, remove the Windows Server 2003 DC as a Global Catalog (GC) in the domain, and configure the new DC to use its own DNS server for name resolution.

Installing Active Directory in Windows Server 2012 R2

Now that the Windows Server 2003 domain is prepared to accept a Windows Server 2012 R2 DC, we can install Active Directory (AD) on a new server. If you’re wondering whether you need to run adprep.exe in the existing domain, starting in Windows Server 2012, adprep /forestprep and adprep /domainprep are run automatically as part of the AD Domain Services (AD DS) installation process.

For more information on installing Windows Server 2012 R2, see How to Install Windows Server 2012 R2. Don’t forget that you should assign the server a static IP address and make sure that DNS resolution is working. In other words, you should be able to ping the fully-qualified domain name (FQDN) of your AD domain, which in my environment means setting the preferred DNS server on the new DC’s network interface card (NIC) to point to my Windows Server 2003 DC (192.168.0.5).

Configuring a Static IP Address and DNS Server

To set a static IP address and configure DNS in Windows Server 2012 R2, log in as a local administrator and follow the instructions below:

  • Right click on the network icon in system tray, and select Open Network and Sharing Center.

  • In the left pane of the Network and Sharing Center, click Change adapter settings.

  • In the Network Connections dialog, right click the Ethernet adapter, and select Properties from the menu.

  • In the list of items, select Internet Protocol Version 4 (TCP/IPv4), and click Properties.

  • In the Properties dialog, add an IP address, subnet mask, and default gateway.

  • Set the Preferred DNS server address to the IP address of an existing DNS server, and click OK.

  • Close any remaining windows.

Installing Active Directory Domain Services

Once Windows Server 2012 R2 has a static IP address, and I can ping my domain’s FQDN and get a response from the Windows Server 2003 DC, it’s time to start configuring Active Directory. Log in to Windows Server 2012 R2 as a local administrator:

Install the Active Directory Domain Services server role

  • Open Server Manager using the icon on the desktop taskbar.

  • In Server Manager, click Manage in the top right corner, and select Add Roles and Features from the drop-down menu.

  • In the Add Roles and Features Wizard, click Server Selection on the Before You Begin screen.

  • The local server should already be selected in the Server Pool box. Click Next to continue.

  • On the Server Roles screen, click Active Directory Domain Services, and click Next.

  • In the pop-up dialog, click Add Features to confirm you want to install the additional required components. Click Next again to continue.

  • On the Features screen, click Next.

  • On the AD DS screen, click Next.

  • On the Confirmation screen, click Install.

  • Click Close when the installation has completed.

Promoting to a Domain Controller

Now that the AD DS bits are installed on the new server, we can add it as a DC in the Windows Server 2003 domain.

Promote the server to a domain controller in Server Manager

  • Back in Server Manager, notice the yellow exclamation mark that indicates a notification. Click the notification icon in the top right corner.

  • In the notifications, click Promote this server to a domain controller.

  • In the Active Directory Domain Services Configuration Wizard, select Add a new domain controller to an existing domain, and type the FQDN of the Windows Server 2003 domain in the box to the right of Domain:

  • Below Supply the credentials to perform this operation, click Change.

  • In the Windows Security dialog, type the username and password for a domain administrator account in the Windows Server 2003 domain, using the format username@ad.contoso.com for the username, and click OK.

Add the new domain controller to an existing domain

  • Click Next on the Deployment Configuration screen.

  • On the Domain Controller Options screen, check Domain Name System (DNS) server, and Global Catalog (GC).

  • If you have more than one site in your current domain, select the site in which you’d like to place the DC from the drop-down menu to the right of Site name:

  • Type and confirm a password for Directory Services Restore Mode, and then click Next. As we are not installing a read-only domain controller, the warning at the top of the dialog can be safely ignored.

Configure the domain options

  • On the DNS Options screen, click Next.

  • On the Additional Options screen, click Next unless you want to replicate AD from a specific DC, in which case select it from the Replicate from drop-down menu.

Choose the domain controller from which to replicate

  • Click Next on the Paths screen, unless you want to modify any of the default settings. It’s best practice to place the database and logs on different physical disks.

  • The Preparation Options screen confirms that forest and domain schema preparation will be carried out by the wizard. Click Next.

  • Check the selected options on the Review Options screen, and click Next.

  • Now we need to wait as the wizard checks the prerequisites. Once it’s done, make a note of any warnings, and click Install to begin the promote operation.

Prerequisite check

The promotion operation will take some time, especially as the forest schema and domain also need to be prepared before Windows Server 2012 R2 can join the Windows Server 2003 domain as a DC.

The server will automatically reboot, and you should then be able to log in using a domain administrator username and password.

Change the Preferred DNS Server

At this point, configure the new DC to use its own DNS server for name resolution. Follow the instructions given earlier in this article for setting the preferred DNS server address, but this time set it to 127.0.0.1, the server’s loopback address. You can specify an alternate DNS server address if required, but make sure it’s not one of the Windows Server 2003 DCs that you’re about to decommission.
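The same change done from PowerShell on the new DC, as an added example that is not part of the original article: it sets the DNS client to the loopback address, refuses any alternate server that is one of the DCs being retired, and then checks that the domain’s A and LDAP SRV records resolve through the local DNS server. The adapter name (Ethernet) and the retiring DC’s address (192.168.0.5, dc1 in this article) are assumptions for this environment.

```powershell
# Added example, not the article's own code. Run elevated on the new 2012 R2 DC.
# Assumptions: adapter "Ethernet", retiring 2003 DC at 192.168.0.5, domain ad.contoso.com.
$Adapter      = 'Ethernet'
$RetiringDCs  = @('192.168.0.5')   # IPs of the Windows Server 2003 DCs to decommission
$DomainFqdn   = 'ad.contoso.com'
$PreferredDns = '127.0.0.1'        # the new DC's own DNS server (loopback)
$AlternateDns = @()                # add another 2012 R2 DC here if you have one

# Never fall back to a DC that is about to disappear.
$bad = $AlternateDns | Where-Object { $RetiringDCs -contains $_ }
if ($bad) {
    throw "Alternate DNS server(s) $($bad -join ', ') are DCs being decommissioned."
}

Set-DnsClientServerAddress -InterfaceAlias $Adapter `
    -ServerAddresses (@($PreferredDns) + $AlternateDns)

# Show the resulting client configuration.
Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# Both records must resolve through the local server (-Server 127.0.0.1), which
# proves the AD-integrated zone has replicated to the new DC.
Resolve-DnsName -Name $DomainFqdn -Type A -Server 127.0.0.1 |
    Select-Object Name, IPAddress
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -Server 127.0.0.1 |
    Select-Object Name, NameTarget, Port
```

If the SRV query fails right after promotion, the zone has not replicated yet; wait for replication to complete rather than pointing the client back at the old DC.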

DCdiag and Best Practices Analyzer

Check the new DC’s health by running dcdiag in a command prompt window, just as we did for Windows Server 2003 in the first article in this series. You don’t need to install the Support Tools in Windows Server 2012 R2, as dcdiag is a built-in command. There might be some initial replication errors, as name resolution might fail before the DNS zones have a chance to replicate.

I also recommend that you run the Best Practices Analyzer for Active Directory, which can be found in Server Manager.

Run the Best Practices Analyzer in Server Manager

  • Go back to Server Manager, and click AD DS in the left pane.

  • In the right pane of Server Manager, scroll down to the Best Practices Analyzer section, click the TASKS drop-down menu on the far right, and select Start BPA Scan.

  • In the Select Servers dialog, make sure your new DC is selected and click Start Scan.

When the scan has completed, check for any recommendations given in Server Manager.
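Both health checks described above, run from one PowerShell session on the new DC, as an added example that is not part of the original article. The name newDC comes from the article; the BPA model ID is the one I expect for the AD DS role, so verify it with Get-BpaModel on your own server.

```powershell
# Added example, not the article's own code. Run elevated on the new 2012 R2 DC.
$NewDc = 'newDC'

# dcdiag /q prints only error messages, so empty output means every test passed.
$dcdiagOutput = dcdiag "/s:$NewDc" /q
if ($dcdiagOutput) {
    Write-Warning "dcdiag reported problems on ${NewDc}:"
    $dcdiagOutput
} else {
    Write-Host "dcdiag: all tests passed on $NewDc"
}

# Best Practices Analyzer for AD DS. The model ID below is an assumption;
# list the installed models with Get-BpaModel if it does not match.
Import-Module BestPractices
$ModelId = 'Microsoft/Windows/DirectoryServices'
Invoke-BpaModel -ModelId $ModelId | Out-Null

# Keep only warnings and errors that have not been explicitly excluded.
Get-BpaResult -ModelId $ModelId |
    Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
    Select-Object Severity, Category, Title, Problem, Resolution |
    Format-List
```

Replication-related dcdiag failures immediately after promotion usually clear once the DNS zones have replicated; rerun the script before moving on to the FSMO transfer.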

Transferring FSMO Roles to the New DC

Prior to decommissioning the Windows Server 2003 DC, you’ll need to transfer the five Flexible Single Master Operation (FSMO) roles to Windows Server 2012 R2, and decommission Windows Server 2003 as a Global Catalog server.

Check or transfer the FSMO roles

Open a PowerShell prompt using the blue icon on the desktop taskbar, and run the Move-AdDirectoryServerOperationMasterRole cmdlet as shown below, replacing newDC with the name of your new Windows Server 2012 R2 DC. You’ll be asked to confirm the operation before it’s executed.


Check the location of the FSMO roles
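The transfer and the follow-up check, as an added example that is not the article’s own screenshot: it moves all five roles to the new DC, confirms from Get-ADForest and Get-ADDomain that each role now reports the new DC, and lists which DCs are still Global Catalog servers ahead of the next section. The names newDC and dc1 come from the article.

```powershell
# Added example, not the article's own code. Run in an elevated PowerShell on newDC.
Import-Module ActiveDirectory
$NewDc = 'newDC'   # new Windows Server 2012 R2 DC (from the article)

# Move all five roles in one call. The cmdlet prompts for confirmation, as the
# article notes; add -Confirm:$false only if you are scripting this unattended.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole `
    PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster

# Verify: the two forest-wide roles live on the forest object, the three
# domain-wide roles on the domain object.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Each value is the holder's FQDN, e.g. newDC.ad.contoso.com; fail loudly if
# any role is still elsewhere, because the old DC must not be demoted first.
$notMoved = $roles.GetEnumerator() | Where-Object { $_.Value -notmatch "^$NewDc\." }
if ($notMoved) {
    throw "Roles still held by another DC: $($notMoved.Key -join ', ')"
}

# Global Catalog status of every DC; the 2003 DC should show True until the
# next section removes it, and at least one 2012 R2 DC must show True.
Get-ADDomainController -Filter * |
    Select-Object HostName, IsGlobalCatalog, OperatingSystem
```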

Remove the Global Catalog Server

To remove Windows Server 2003 as a Global Catalog (GC) server from the domain, follow the instructions below in Windows Server 2012 R2:


  • Open Server Manager using the icon on the desktop taskbar.

  • In Server Manager, click Tools in the top right corner, and select Active Directory Sites and Services from the drop-down menu.

  • In the left pane of Active Directory Sites and Services, expand the Sites folder, and then your AD site. Mine is called Default-First-Site-Name. You should see your domain controllers listed.

  • Expand the Windows Server 2003 DC, right click NTDS Settings, and select Properties from the menu.

  • In the NTDS Settings Properties dialog, uncheck the Global Catalog check box, and click OK.

  • Close Active Directory Sites and Services.

Remove Windows Server 2003 as a Global Catalog (GC) server in the domain

You will need to repeat this action for any additional Windows Server 2003 DCs you’re planning to retire in your domain that are also Global Catalog servers.