You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the moment and you're looking to replace these servers with Windows Server 2008 Domain Controllers to utilize the new features of Windows Server 2008. You might also be looking to replace your aging Windows Server 2003 and Windows Server 2003 R2 Domain Controllers with spanking new Windows Server 2008 Domain Controllers, while keeping your Active Directory running smoothly. This post intends to help you with this transition in a structured, balanced and thorough way and describes:
o Choosing between In-place upgrading, transitioning or restructuring
o Reasons to transition to Windows Server 2008
o Steps to transition
    o Prepare your Active Directory environment
    o Installing the first Windows Server 2008 Domain Controller
    o Installing additional Windows Server 2008 Domain Controllers
    o Taking care of Flexible Single Master Operations and Global Catalogs
    o Checking proper installation and replication
    o Demoting Windows Server 2003 Domain Controllers
    o Raising the domain functional level
    o Raising the forest functional level
o Concluding
Ways to migrate
Upgrading your Windows Server 2003 Active Directory environment to Windows Server 2008 can be done in three distinct ways:
In-place upgrading
Windows Server 2003 and Windows Server 2003 R2 can both be upgraded in-place to Windows Server 2008, as long as you keep the following in mind:
o The Windows Server 2003 patchlevel should be at least Service Pack 1
o You can't upgrade across architectures (x86, x64 & Itanium)
o Standard Edition can be upgraded to both Standard and Enterprise Edition
o Enterprise Edition can be upgraded to Enterprise Edition only
o Datacenter Edition can be upgraded to Datacenter Edition only
In-place upgrading requires you to run adprep.exe before starting the upgrade process on the Domain Controllers. Check this post from Jorge for more information.
Transitioning
Migrating this way means adding Windows Server 2008 Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window. Transitioning is possible for Active Directory environments whose domain functional level is at least Windows 2000 Native.
Restructuring
A third way to go from Windows Server 2003 Domain Controllers to Windows Server 2008 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2008) domain. Tools like the Active Directory Migration Tool (ADMT) are priceless in these kinds of migrations.
Reasons to transition
I feel transitioning is the middle road between the two other ways to migrate to Windows Server 2008:
o Restructuring means filling a new Active Directory from scratch
o In-place upgrading means you're stuck with the same hardware and limited to certain upgrade paths
o Transitioning means you get to keep your current Active Directory lay-out, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.
o You worked hard to get your Active Directory in the shape it's in.
o Your servers are faced with aging.
o In-place upgrading leaves you with an undesired outcome (for instance 32-bit DCs).
o You need a chance to place your Active Directory files on different partitions/volumes.
When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. That's why I wrote this post.
Steps to transition
Transitioning to Windows Server 2008 Domain Controllers consists of the following steps:
Before you can begin to introduce the first Windows Server 2008 Domain Controller into your existing Active Directory environment, you first have to prepare the Active Directory. Microsoft provides a tool called adprep.exe to facilitate this preparation. You need to run the following commands on the following servers in your Active Directory environment:

Command                           Domain Controller
adprep.exe /forestprep            Schema Master
adprep.exe /domainprep            Infrastructure Master
adprep.exe /domainprep /gpprep    Infrastructure Master
adprep.exe /rodcprep *            Domain Naming Master

* Optional when you want to deploy Read Only Domain Controllers.

After preparing your Active Directory for Windows Server 2008 be sure to check the process. Breadcrumbs to failures may be found in the event viewer, but real men will check the adprep.log files. If your life depends on it, you can use the HowTo Jorge wrote to check forestprep and domainprep successfully replicated to all Domain controllers.
Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the replmon and repadmin tools to check and optionally troubleshoot Active Directory replication.
o Don't make the Domain Controller holding the Infrastructure Master Flexible Single Master Operations (FSMO) Role a Global Catalog server, (and only) if there is another Domain Controller in the same Active Directory domain that is also not a Global Catalog;
o Make all Domain Controllers Global Catalog servers.
When your environment includes Microsoft Exchange Server, reboot a Domain Controller after making it a Global Catalog server. Microsoft Exchange communicates with Active Directory through Global Catalogs using MAPI. Although the Active Directory Sites and Services MMC Snap-in doesn't ask for it, you need to restart a Domain Controller at least one time after making it a Global Catalog before it starts talking MAPI.
Make sure your Windows Server 2003 Domain Controllers are no longer clinging on to any of the Flexible Single Master Operations (FSMO) Roles using the graphical user interface, using replmon or the following command using netdom.exe from the Resource Kit:

netdom.exe query fsmo
It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize specifically are:
o dcpromo.log: all the events regarding the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services
o dcpromoui.log: all the events from a graphical interface perspective
Also check the event viewer. Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the replmon and repadmin tools to check and optionally troubleshoot proper Active Directory replication.
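The replication check recommended here, and earlier after running adprep, can be scripted. The following is an added example, not part of the original post: it parses the CSV output of repadmin /showrepl and lists every inbound replication link that reports failures or has not replicated successfully since the change was made. The function name Get-ReplicationProblem, the server names and the CSV rows are assumptions constructed for illustration.

```powershell
# Added example: flag replication problems in "repadmin /showrepl * /csv" output.
# Live use:  $csv = repadmin /showrepl * /csv
# The rows below are a CONSTRUCTED sample (made-up site and DC names) so this runs offline.
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC2008A,"DC=example,DC=local",HQ,DC2003A,RPC,0,0,2008-05-01 10:15:02,0
showrepl_INFO,HQ,DC2008A,"CN=Schema,CN=Configuration,DC=example,DC=local",HQ,DC2003A,RPC,0,0,2008-05-01 10:15:03,0
showrepl_INFO,HQ,DC2008B,"CN=Schema,CN=Configuration,DC=example,DC=local",HQ,DC2003A,RPC,4,2008-05-01 10:20:11,2008-05-01 08:02:40,1722
'@ -split "`r?`n"

function Get-ReplicationProblem {
    param(
        [string[]]$CsvLines,   # lines from repadmin /showrepl * /csv
        [datetime]$ChangedAt   # when adprep finished or the new DC was promoted
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $reasons = @()
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            $reasons += 'repadmin reported an error for this DC'
        }
        if ([int]$row.'Number of Failures' -gt 0) {
            $reasons += "$($row.'Number of Failures') consecutive failures, last status $($row.'Last Failure Status')"
        }
        # A link that has not succeeded since the change cannot have carried it yet.
        $lastOk = [datetime]::MinValue
        $parsed = [datetime]::TryParse($row.'Last Success Time', [ref]$lastOk)
        if (-not $parsed -or $lastOk -lt $ChangedAt) {
            $reasons += "no successful inbound replication since $ChangedAt"
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Destination = $row.'Destination DSA'
                Source      = $row.'Source DSA'
                Partition   = $row.'Naming Context'
                Problem     = $reasons -join '; '
            }
        }
    }
}

$problems = @(Get-ReplicationProblem -CsvLines $csv -ChangedAt '2008-05-01 10:00:00')
$problems | Format-List Destination, Source, Partition, Problem
if ($problems.Count -gt 0) { Write-Warning 'Replication is not clean yet; wait or troubleshoot before continuing.' }
```

With the constructed sample, only the DC2008B schema partition link is reported: it shows four consecutive failures with status 1722 and its last success predates the change time.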
Domain Controllers to your Active Directory environment) you're ready to raise the Domain functional level of that domain. Upgrading the domain functional level to Windows Server 2008 adds the following features to your environment:
o Distributed File System Replication (DFS-R) support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents with minimal replication traffic compared to FRS.
o Advanced Encryption Services (AES 128 and 256) support for the Kerberos protocol.
o Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
o Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain, instead of per domain only.
Note: Raising the functional level is a one way procedure. Once you've raised your domain functional level there's no way to return to the previous domain functional level.
Raising the domain functional level in Windows Server 2008 looks remarkably similar to raising the domain functional level on Windows Server 2003:
1. Log on to the Domain Controller holding the PDC emulator FSMO role with a user account that is a member of the Domain Administrators group.
2. Open Active Directory Domains and Trusts.
3. In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
4. In Select an available domain functional level, click Windows Server 2008, and then click Raise.
To upgrade the forest functional level to Windows Server 2008 perform the following actions:
1. Log on to the Domain Controller of the forest root domain holding the PDC Emulator FSMO role with a user account that is a member of the Enterprise Administrators group.
2. Open Active Directory Domains and Trusts.
3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
4. Under Select an available forest functional level, click Windows Server 2008, and then click Raise.
Concluding
Transitioning your Active Directory to Windows Server 2008 seems as easy as running adprep and installing Windows Server 2008 Domain Controllers. It might be in small shops with one single Domain Controller in one single Active Directory domain in its own forest with one single Active Directory site. Be sure to check whether what you're doing is successfully installed, performed and replicated before you screw up your Active Directory environment though!