(Answering myself...)
No, this won't work. Shutting down the server in City B while the FSMO roles are seized from the server in City A will effectively orphan the server the City B, as it will no longer have a point of contact into the network.
Alternate solutions would be to leave the server in City B online, or even to use that server to seize FSMO roles.
Reverse-engineering the script provides some hints about what it does, but ultimately the behavior that it attempts to invoke occurs inside the "black box" of the Active Directory domain controller code itself, so troubleshooting it is going to be difficult (unless you've got source code access to AD... >smile<).
Essentially, the script prepares the domain for an runSamUpgradeTasks call, then executes it. This involves appending a value to the otherWellKnownObjects attribute of the "CN=Server, CN=System. DC=domain..." object in the directory, then making an LDAP call to modify the runSamUpgradeTasks attribute. That's supposed to trigger the W2K8 domain controller to automatically create its default groups and users in the directory and, as such, cause the missing account and group to be created.
I'm a little dubious of the script because the runSamUpgradeTasks reference calls for the balue to be appended to otherWellKnownObjects attribute to end with "...:X", whereas the script doesn't do that. Even so, you indicate that the "IIS_IUSRS" group was created, so that means that, presumably, the W2K8 DC "got the message" and created groups.
This one is fairly perplexing, and I'd opt to go to Microsoft Product Support Services on it. You're not going to spend a lot of money, but given the strangeness of the behaviour you're seeing they're probably the best people on the planet to help you.
Best Answer
Question 1:
Instructions for adding a Server 2008 domain controller to Small Business Server 2003 domain
http://technet.microsoft.com/en-us/library/cc708131(WS.10).aspx
The instructions are for SBS 2003 R1 and Server 2008 R1, but the process should be similar. Note that, the 32-bit adprep command on the 2008 R2 media is adprep32.exe.
Question 2:
The previous 2003 SBS CALs will still apply to that server, and are still necessary. For any connections to the 2008R2 box you'll need 2008R2 Standard CALs.
I'm not sure if you can mix CAL types however (User/Device); perhaps someone else can edit that in.