How to Migrate from a 2003 to 2012 Domain Environment

Migrating from a 2003 to 2012 Domain environment can sound complicated, but Microsoft has made it rather easy. My main reasons for migrating from a 2003 to 2012 environment are as followed:

  • More stable AD
  • More features
  • FRS to DFSR means much smoother replication
  • More secure
  • 2008 Namespace for DFS
  • AD Recycle Bin

Along with the domain/forest environment we will be also transitioning from FRS to DFSR for SYSVOL replication.

The environment is as follows:

NDC1 (2003 SP2)

NDC2 (2012 R2)

NFS1 (file server 2012 R2)


The first step is to join all the machines to the domain.

You’ll notice that if you try to add a 2012 R2 domain controller it requires at least a forest functional level of 2003, and by default 2003 domain controllers choose a functional level of 2000. So you’ll get this error if you try to add the new DC.

img 55d0aebd7b538

At this point we need to open up AD domains and trusts to raise the domain functional level to 2003.

img 55d0afc3e2333

Now choose 2003, and press ok to the prompts.

After you’re done, click the raise button again to verify it worked (also wait for AD to replicate if you have more than 1 DC)

img 55d0b024b1031

Now right click the domains and trusts root and raise the forest functional level as well to 2003.

img 55d0b05e4ae0f

Now you should have a domain and forest functional level of 2003

img 55d0b095b6f6a

Now when you try to promote your 2012 DC it will work but it will warn you that you cannot make read only DCs (ignore this). Doing this will upgrade your AD forest schema.

img 55d0b11a7a369


Now to proceed we need to transfer the 5 FSMO roles over to our 2012 DC before demoting the 2003 DC.




If you want to transfer all 5 FSMO roles via powershell use this commandlet (credits to Reddit for showing me this)

“Move-ADDirectoryServerOperationMasterRole -Identity <destinationserver> -OperationMasterRole 0,1,2,3,4”



If you’d like to do it via the GUI, continue reading on.


Open domains and trusts again.

Choose change active DC and select your 2012 DC from the menu.

img 55d0f075b84b7

img 55d0f0f637131

Now right click AD domains and trusts and choose ” Operations Master” then click change to transfer the role over to your 2012 DC.

img 55d0f12bf1995

Now a quick netdom /query fsmo will confirm that you moved 1/5 of the roles.

img 55d0f14ba7607

Now open up users and computers change your DC to your 2012 DC, and transfer the RID, PDC, and Infra roles.

Note: you have to right click the domain on this menu to get the operations masters option.

img 55d0f1b1e653c

Transfer the roles.

img 55d0f1947683c

Now we have 4/5 roles , again we can confirm this.

img 55d0f1de3aa01

Now to transfer the schema master role we need to register a dll, open up the run dialog and type “regsvr32 schmmgmt.dll”

NOTE: if you get some weird errors open up a command prompt in admin mode and type the command in.

img 55d0f253b59dd

Now type “MMC” in the run box and press enter, or do it in command prompt.

img 55d0f2742d02b

Click file , and add/remove snap in

img 55d0f28bbf85d

Add the AD Schema module and click ok.

img 55d0f2a5c9f3a

Change your DC like we did before, and then change your operations master…

img 55d0f2ed66c49

img 55d0f2df252dd

Your 2012 R2 DC should now hold all 5 roles, again let’s verify.

img 55d0f3120897c

Now if you have more than 2 DCs (your 2003 and 2012) you should wait for replication to finish before proceeding to demote the 2003 server.

You can also force replication by typing this into an admin cmd prompt “repadmin /syncall /force”

Your output should produce lots of “syncall terminated with no errors”

img 55d0f38242364

Now before demoting your 2003 DC, make sure that any static settings pointing to this DC as a DNS server are changed over to the 2012 DC.

(other servers, printers, DHCP, stuff like that)


Now log into your 2003 DC and open up an admin cmd prompt, type “dcpromo”

NOTE: seriously right click , run as , choose admin and uncheck the restrict box. I’ve had this cause problems for me before.

img 55d0f3f72b162

Let’s demote it. Click next, DO NOT check the box.

img 55d0f41924079

Choose a new local admin pass…

img 55d0f42b58582

Now wait for the wizard to finish!

img 55d0f438eca28


Once done it will ask you to restart the DC, if it failed make sure you run the CMD as admin and uncheck the restrict box like I said earlier. This 2003 server is now just a member of the domain and not a dc.

Jump back over to your 2012 DC, open up AD domains and Trusts. Right click and choose raise forest functional level.

img 55d0f5f2ba05e


Choose 2012 R2, and click OK to the prompts.

Right click it again and choose raise forest functional level to confirm it is now 2012 R2.

img 55d0f62d08a5f



Now our domain functional level was raised to 2012 R2 as well!


Now we’re done!

If you had a DFS Namespace previously, you will have to migrate from FRS to DFSR, however if you didn’t, then DFSR won’t need to be migrated.

If you’d like to check out how to migrate FRS TO DFSR (which you totally should be doing) check out my next post here.


Leave a comment