Replacing a Windows 2003 AD DS server with a 2008 R2 AD DS server

We had:

1) 1 Windows Server 2003 running Active Directory services to manage logon and permissions for file sharing.
2) 15 workstations.

We now want to have:

1) 1 Windows Server 2008 R2 server running Active Directory services to manage logon and permissions for file sharing.
2) 15 same workstations, with their same user profiles.

So I joined the 2008 R2 server to the domain, and then used the dcpromo tool to make it a domain controller.

Problem is, whenever I take the old server offline (the 2003 one), everything flips out, logons are slow, and the 2008 server gives people trying to access shared files weird errors like that the server that authenticated them cannot be contacted, and asks them to log in again with their username and password before accessing shared files on the server.

What did I do wrong? I must be forgetting something.


TS Enthusiast
1. Transfer all FSMO roles to your 2008 R2 server
2. Uninstall AD on 2003 server
3. You can now permanently take 2003 server offline

Okay, I transferred the roles, but it says that the domain controller cannot be contacted when I try and use dcpromo.exe to demote the old 2003 one.
Can I just force this in some way?


TS Enthusiast
It is much easier and safer to transfer the roles than seize (force) it. Your server 2003 must be online (connected to the network) while transferring the roles. You are transferring the roles from your server 2003 to your server 2008, so 2003 server must be online.

It refuses to let me run dcpromo on the old one. Something's up with it, evidently.

All the roles have been transferred (some had to be seized because it wouldn't allow me to transfer them) over, I have just not been able to demote the old 2003 server as it tells me that 'a domain controller cannot be contacted that has an account for this machine.'
Should I just check the box that says 'this is the last domain controller for this domain'?

Or I could go in and delete the domain controller (the old one) from the Active Directory Users and Computers section on the new server.


TS Enthusiast
DO NOT CHECK 'this is the last domain controller for this domain', you are not removing the whole domain. After the FSMO roles have been transferred, disconnect server 2003 from the network and check user access for any problems. If there are no problems, you can delete the DC (server 2003 machine) on Active Directory Users and Computers on your server 2008 machine.

One user access issue that seems to be happening is that when a user (who is logged onto the domain) tries to access a share on the new server, they are prompted for their username and password. (Even though the shares are set to 'Everyone'.)

If they enter their logon username and password, then they're fine. They can use the share just fine until they log off and on again... then they have to resubmit their user info to access the share for some reason.

Previously, if you were logged onto the domain, you didn't have to log on again if you were accessing a share on the server.
There is... it doesn't work.

Below the box, it says that it detects that something 'may be trying to compromise the security of the network' and that I should 'make sure to ensure I can still contact the server that authenticated me'.
It does... all the computers appear in the list... and they all do the same thing apparently.

Here's a picture of the dialogue box that pops up... not that it's extremely descriptive.



TS Enthusiast
Shut down the PC, delete the PC in the list of computers in Active Directory Users and Computers. Power on the PC. Or re-join them to the domain.

Well, we've shut down the old one, or rather it is refusing to start now (hardware issue), so we're gonna see if we can't get it to work by the method you mentioned, and if not, we'll just create an entirely new domain... there's only 20 workstations, so it's not a big deal I guess.

Thanks for the help though. :3
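
The first step given in the replies above (transfer all FSMO roles to the 2008 R2 server) can be checked before the old server is demoted or its object deleted. The script below is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is available on the 2008 R2 server, and `-NewDc` is a placeholder parameter for that server's FQDN.

```powershell
# Added example. Run on the new 2008 R2 DC before demoting or deleting the old one.
# -NewDc is a placeholder parameter: pass the FQDN of the 2008 R2 domain controller.
param(
    [Parameter(Mandatory = $true)]
    [string]$NewDc
)

Import-Module ActiveDirectory -ErrorAction Stop

# Ask the new DC directly, so the answer does not depend on the old server.
$domain = Get-ADDomain -Server $NewDc
$forest = Get-ADForest -Server $NewDc

$roles = @(
    @{ Role = 'Schema master';         Holder = $forest.SchemaMaster },
    @{ Role = 'Domain naming master';  Holder = $forest.DomainNamingMaster },
    @{ Role = 'PDC emulator';          Holder = $domain.PDCEmulator },
    @{ Role = 'RID master';            Holder = $domain.RIDMaster },
    @{ Role = 'Infrastructure master'; Holder = $domain.InfrastructureMaster }
)

# Compare host names only, so a short name and an FQDN for the same DC match.
$want = $NewDc.Split('.')[0]
$misplaced = @()
foreach ($r in $roles) {
    $have = ([string]$r.Holder).Split('.')[0]
    if ($have -ieq $want) {
        Write-Output ("OK    {0,-22} {1}" -f $r.Role, $r.Holder)
    } else {
        Write-Output ("MOVE  {0,-22} {1}" -f $r.Role, $r.Holder)
        $misplaced += $r.Role
    }
}

# List every DC the directory still knows about; the old 2003 server appears
# here until it is demoted or its object is deleted.
Get-ADDomainController -Filter * -Server $NewDc |
    Select-Object HostName, OperationMasterRoles |
    Format-Table -AutoSize

if ($misplaced.Count -gt 0) {
    Write-Warning ("Roles not yet on {0}: {1}" -f $NewDc, ($misplaced -join ', '))
    exit 1
}
Write-Output "All five FSMO roles are held by $NewDc."
```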