If you have a lot of organization programs on the domain controller, this is not good by default.
Bring up a second controller on a newer operating system, transfer the FSMO roles to it, and carefully demote your business process computer to a regular domain member. You will also get rid of the maximum level of the win2003 forest from which you suffer, and other problems will decrease.

What's in the log when adprep is run? Can it be run from another location? Can it be run with other keys? For example "adprep /?"
Save and clear all logs (Application, security, system), run adprep and see the new entries. In addition:
1). 2008 will soon become obsolete too. Windows Server 2016 must support the 2003 domain level:
https://docs.microsoft.com/en-us/windows-server/id...
2). 2008 that isn't R2 sucks.
3). As a last resort, make 2008 R2 intermediate. That is, make it a controller with a domain level of 2003, make a second controller - you cannot do without a reserve in this matter. After making sure that everything is in order for a week, make system dumps of all three servers. Disconnect all client PCs from the network. Downgrade 2003 to a member server. Promote 2008 to a 2008 domain, make sure there are no replication errors, DNS, time synchronization, etc. Connect the test client PCs to the network. Make sure everything works. Connect all client PCs to the network. If everything is ok, then upgrade to 2012 or 2016 in the same manner.
4). Are you sure you have enough money for the Enterprise edition? Maybe Standard is enough?

Now the 2003 controller is the only one? Remove the disk image first.
(this is a very ambiguous recommendation,
not in all cases it is possible / worth using! but you shouldn’t touch it without a backup, believe me)
Plan a lot of time, weekend ++ and time to rollback, if anything.
Stopping all this for 2 days / days - is it permissible?
I did it like in 1.2 answers. That's right, but there are a lot of details to consider.
Thorough preparation, re-read everything - the benefit is full of mana on this topic, it is
better disclosed on MSDN and so on, and not on a toaster, xs who will write what)))
A step-by-step plan for preparation and deployment, a step-by-step recording.
I stupidly screenshotted everything with a utility + laptop with the current comment on the screen, if necessary, it's faster.
Checking the status and readiness of your AD with utilities, etc.
I had problems - the inherited AD setting was somehow crooked,
or then they did something with it, didn’t finish it ... The check passed, but ...
The second controller 2008-2 entered the domain somehow very, very difficult,
with a lot of work on the command line - not only the transfer of roles to fsmo, etc.,
but also all sorts of cleanings, etc., etc., very abnormal.
Seriously left time to roll back from the image (there was only one controller), but it turned out.
Today I would rip off the image from the controller and raise it on a test virtual machine,
next to the second virtual machine from 2008-2, ALL THIS IS IN A SEPARATE TEST NETWORK,
ISOLATED from the one where your HELL is
PHYSICALLY IMPOSSIBLE TO CROSS! NOT AT ALL!
!!! Attention - originals and copies
SHOULD NEVER SEE IN THE SAME NETWORK!!! EVEN 1sec! OTHERWISE YOU REAP HELL PPC!!!
I ran my update plan on virtual machines calmly, recorded everything step by step and took a screenshot,
and then reproduced it in production, with the current image, in order to roll back the controller, if anything.
And then the owner was already ready ...
- And pofik, let's just raise a new domain in 2008-2 ...
- Yeah ... and all the policies, balls, dfs, etc., etc. ...
rejoin machines, and all user profiles there will be new, etc., etc. joy)))
- OH ...