2003 to 2008
Purpose & Objective
This guide explains the process for upgrading Active Directory domains to Windows Server 2008 and Windows Server 2008 R2, how to upgrade the operating system of domain controllers, and how to add domain controllers that run Windows Server 2008 or Windows Server 2008 R2 to an existing domain.
1 Introduction
Upgrading your network operating system requires minimal network configuration and typically has a low impact on user operations. The upgrade process is straightforward, efficient, and allows organizations to take advantage of the improved security that is offered by the Windows Server® 2008 and Windows Server 2008 R2 operating systems.
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for upgrading Windows Server 2003 Active Directory domains to Active Directory Domain Services (AD DS) domains that have domain controllers running Windows Server 2008 or Windows Server 2008 R2. For a seamless deployment experience, use the checklists that are provided in this guide and complete the tasks in the order in which they are presented.
2 Overview of Upgrading Active Directory Domains
When the domain upgrade process is complete, all domain controllers will be running Windows Server 2008 or Windows Server 2008 R2, and the Active Directory Domain Services (AD DS) domains and forest will be operating at the Windows Server 2008 or Windows Server 2008 R2 functional level. At the Windows Server 2008 R2 forest functional level, you can take advantage of all the advanced AD DS features. For more information about advanced AD DS features for AD DS functional levels, see Enabling Advanced Features for AD DS.
3 Reinstallation information

3.1 System requirements
The following are estimated system requirements for Windows Server 2008. If your computer has less than the minimum requirements, you will not be able to install this product correctly. Actual requirements will vary based on your system configuration and the applications and features you install.

3.1.1 Processor
Processor performance depends not only on the clock frequency of the processor, but also on the number of processor cores and the size of the processor cache. The following are the processor requirements for this product:
· Minimum: 1 GHz (for x86 processors) or 1.4 GHz (for x64 processors)
· Recommended: 2 GHz or faster

3.1.2 RAM
The following are the RAM requirements for this product:
· Minimum: 512 MB
· Recommended: 2 GB or more
· Maximum (32-bit systems): 4 GB (for Windows Server 2008 Standard) or 64 GB (for Windows Server 2008 Enterprise or Windows Server 2008 Datacenter)
· Maximum (64-bit systems): 32 GB (for Windows Server 2008 Standard) or 2 TB (for Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, or Windows Server 2008 for Itanium-Based Systems)

3.1.3 Disk space requirements
The following are the approximate disk space requirements for the system partition. Itanium-based and x64-based operating systems will vary from these estimates. Additional disk space may be required if you install the system over a network. For more information, see
· Minimum: 10 GB
· Recommended: 40 GB or more

Other requirements:
· DVD-ROM drive
· Super VGA (800 x 600) or higher-resolution monitor
· Keyboard and Microsoft® mouse (or other compatible pointing device)
4 Planning to Upgrade Active Directory Domains
To plan the upgrade of your Active Directory domains, complete the tasks in Checklist: Preupgrade Tasks.

5 Checklist: Preupgrade Tasks
Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Checklist: Preupgrade Tasks (task, followed by its reference topic)
· Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade. Reference: Assign Appropriate Credentials
· Introduce a newly installed member server into the forest. Reference: Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
· Review and document the existing hardware configuration of each domain controller that you plan to upgrade. Reference: Assess Hardware Requirements
· Determine the order in which you will upgrade your domain controllers before you begin the domain upgrade process. Reference: Determine Domain Controller Upgrade Order
· Develop a test plan for your domain upgrade process. Reference: Develop a Test Plan for Your Domain Upgrade Process
· Back up your Windows Server 2003 domain data before you begin the upgrade. Reference: Back Up Domain Data
6 Assign Appropriate Credentials
Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade. The adprep /forestprep command requires a user account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins groups. The adprep /domainprep command requires a user account that is a member of the Domain Admins group in the targeted domain. The adprep /rodcprep command requires a user account that is a member of the Enterprise Admins group.

In addition, the security context can affect the ability of an administrator to complete the upgrade of domain controllers. Members of the Builtin\Administrators group can upgrade the operating system and install software on a computer. The following groups are members of the Builtin\Administrators group by default:
· The Enterprise Admins group is a member of Builtin\Administrators in the forest root domain and in each regional domain in the forest.
· The Domain Admins group is a member of Builtin\Administrators in their domain.
· The Domain Admins group is a member of Builtin\Administrators on member servers in their domain.

The following table shows the credentials that are required to upgrade servers, depending on the domain membership of the servers (columns: domain controller in forest root domain, member server in forest root domain, domain controller in regional domain, member server in regional domain; the cells follow from the group memberships listed above).
· Enterprise Admins in forest root domain: domain controllers in the forest root domain; domain controllers in regional domains.
· Domain Admins in forest root domain: domain controllers in the forest root domain; member servers in the forest root domain.
· Builtin\Administrators in forest root domain: domain controllers in the forest root domain.
· Domain Admins in regional domain: domain controllers in that regional domain; member servers in that regional domain.
· Builtin\Administrators in regional domain: domain controllers in that regional domain.
7 To install Windows Server 2008 or Windows Server 2008 R2
1. Insert the operating system DVD into the DVD drive, and then select the option to install the operating system. As an alternative, you can use an unattended installation method.
2. Use the NTFS file system to format the partitions. Enter the computer name, static IP address, and subnet mask that are specified by your design. Enter a strong administrator password.
3. Enable Remote Desktop to enable administrators to log on remotely, if necessary. To enable Remote Desktop, in Server Manager, click Configure Remote Desktop, and then click Allow connections from computers running any version of Remote Desktop (less secure) or Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).
8 Develop a Test Plan for Your Domain Upgrade Process
It is important to develop a plan for testing your domain upgrade procedures throughout the upgrade process. Before you begin, test your existing domain controllers to ensure that they are functioning properly. Continue to test your domain controllers throughout the process to verify that Active Directory Domain Services (AD DS) replication is consistent and successful.

The following table lists the tools and log files to use in your test plan.

Tool/log file: Repadmin.exe
Description: Checks replication consistency and monitors both inbound and outbound replication partners. Displays replication status of inbound replication partners and directory partitions.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Dcdiag.exe
Description: Diagnoses the state of domain controllers in a forest or enterprise, tests for successful Active Directory connectivity and functionality, and returns the results as passed or failed.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Nltest.exe
Description: Queries and checks the status of trusts and can forcibly shut down domain controllers. Provides domain controller location capabilities.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Dnscmd.exe
Description: Provides the properties of Domain Name System (DNS) servers, zones, and resource records.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Adprep.log
Description: Provides a detailed progress report of the forest and domain preparation process.
Location: %SystemRoot%\Windows\Debug\ADPrep\Logs

Tool/log file: Dcpromoui.log and Dcpromo.log
Description: Provides a detailed progress report of the Active Directory installation. Includes information regarding replication and services in addition to applicable error messages.
Location: %systemroot%\Windows\debug
Note: These logs are added to the server as part of the AD DS installation.

Tool/log file: Adsiedit.exe
Description: A Microsoft Management Console (MMC) snap-in that acts as a low-level editor for AD DS and allows you to view, add, delete, and move objects and attributes within the directory.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.
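The following PowerShell script is an added example (not part of the guide) that drives two of the tools in the table, repadmin and dcdiag, to produce a pass/fail summary that a test plan can record before the upgrade starts and again after each domain controller is upgraded. It assumes it is run with domain administrator rights on a domain controller, or on a server with the AD DS tools installed; the function names are this example's own and it avoids syntax newer than PowerShell 2.0 so that it runs on Windows Server 2008 R2.

```powershell
# Added example, not from the guide: summarize AD DS replication health with the
# repadmin and dcdiag tools listed in the test plan. Requires the AD DS tools and
# an account that can query every domain controller.

function Get-ReplicationFailures {
    # "repadmin /showrepl * /csv" emits one row per inbound replication link,
    # including a "Number of Failures" column; PowerShell passes * literally.
    $rows = repadmin /showrepl '*' /csv | ConvertFrom-Csv
    $rows |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

function Test-DomainControllerHealth {
    param([string]$DomainController = $env:COMPUTERNAME)
    # "dcdiag /q" prints only failures, so empty output means every test passed.
    # Lines that report a failure contain "failed test <TestName>".
    $output = dcdiag "/s:$DomainController" /q 2>&1
    $failed = @($output | Where-Object { "$_" -match 'failed test' })
    New-Object PSObject -Property @{
        DomainController = $DomainController
        Passed           = ($failed.Count -eq 0)
        FailedTests      = $failed
    }
}

# Record both results; run this before adprep, before each upgrade, and after.
$failures = @(Get-ReplicationFailures)
if ($failures.Count -eq 0) {
    Write-Host 'repadmin reports no inbound replication failures.'
} else {
    $failures | Format-Table -AutoSize
}
Test-DomainControllerHealth | Format-List
```

Keep the output of each run with the date so that a replication problem that appears after a particular upgrade step can be tied to that step; a non-zero "Number of Failures" on any link is a reason to stop and investigate before running adprep /domainprep or promoting the next domain controller.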
9 Performing the Upgrade of Active Directory Domains
To upgrade your Active Directory domains, complete the tasks in Checklist: Upgrade Tasks.

10 Checklist: Upgrade Tasks
Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Checklist: Upgrade Tasks (task, followed by its reference topic)
· Prepare your Active Directory infrastructure for upgrade. Reference: Prepare Your Infrastructure for Upgrade
· Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 in the forest root domain. Reference: Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
· Upgrade existing domain controllers. Reference: Upgrade Existing Domain Controllers
· Modify default security policies as needed. Reference: Modify Default Security Policies
11 Prepare Your Infrastructure for Upgrade
Preparing your Active Directory infrastructure for upgrade includes the following tasks:
· Prepare the forest schema by running adprep /forestprep.
· Prepare each domain where you want to install a domain controller that runs Windows Server 2008 or Windows Server 2008 R2 by running adprep /domainprep /gpprep.
· Prepare the forest for read-only domain controllers (RODCs), if you plan to install them, by running adprep /rodcprep.
11.1 32-bit Windows 2003 preparation

11.1.1 Preparation
Operations master (FSMO) role holders in this environment, with the adprep32 command that is run on each:
· Schema owner: olddc.Domain.com (adprep32 /forestprep)
· Domain role owner: olddc.Domain.com
· PDC role: olddc.Domain.com
· RID pool manager: olddc.Domain.com
· adprep32 /domainprep /gpprep is run on the infrastructure master, which here is also olddc.Domain.com

You need to run the following commands on the following servers in your Active Directory environment:
· adprep.exe /forestprep: Schema Master
· adprep.exe /domainprep: Infrastructure Master
· adprep.exe /domainprep /gpprep: Infrastructure Master
· adprep.exe /rodcprep *: Domain Naming Master

The first Windows Server 2008 domain controller in the forest must be a global catalog server, and it cannot be a read-only domain controller (RODC).
11.2 To prepare the infrastructure
In order to run ADPREP:
1- Insert the DVD media of Windows Server 2008 into the DVD drive of the appropriate Windows 2000/2003 DC, which, as noted above, should be the Schema Master of the forest.
2- Check the FSMO role assignments. When you prepare the existing AD, you should run adprep /forestprep on the schema operations master and adprep /domainprep on the infrastructure master.

Run adprep32:
· First run adprep32 /forestprep.
You can view detailed output of the ADPREP command by looking at the log files in the %Systemroot%\system32\debug\adprep\logs directory. Each time ADPREP is executed, a new log file is generated that contains the actions taken during that particular invocation. The log files are named based on the time and date ADPREP was run.
Before you can run ADPREP /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest.
Next, go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the Command Prompt window, and then:
· Run adprep32 /domainprep /gpprep.
NOTE: Once you've run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2008 or installing new Windows Server 2008 domain controllers.
For installing RODCs in the future, also run adprep /rodcprep.
Note: before running these commands you must be a member of the Enterprise Admins, Schema Admins and Domain Admins groups.
Open the local path that contains the Adprep folder, then open your C:\Windows\Debug\Adprep\Logs folder. There will be a separate file for each time that you run ADPREP.
12 Check whether adprep has succeeded
Run adsiedit.msc.

12.1 Forest Upgrade (adprep /forestprep)
· A new container CN=ForestUpdates,CN=Configuration,DC=forest root domain is created on the schema master.
· A new container CN=Operations,CN=ForestUpdates,CN=Configuration,DC=forest root domain is created on the schema master.
· For each operation that is performed by the adprep /forestprep command, a unique alphanumeric string (or GUID) is written under the CN=Operations,CN=ForestUpdates,CN=Configuration,DC=forest root domain container. Each operational GUID identifies the operation.
· If all 36 operations are successfully added, the CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=forest root domain object will be created and its revision attribute (CN=Revision in the schema, syntax Integer) set to 9.

12.2 Domain Upgrade (adprep /domainprep)
· A new container CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=DomainName is created on the infrastructure master.
· A new container CN=Operations,CN=DomainUpdates,CN=System,DC=DomainName is created on the infrastructure master.
· For each operation that is performed by the adprep /domainprep command, a unique alphanumeric string (or GUID) is written under the CN=Operations,CN=DomainUpdates,CN=System,DC=DomainName container. Each operational GUID identifies the operation.
· If all the operations in the following list succeed, the CN=Windows2003Update object overall task will be stamped as completed successfully by setting the revision attribute (CN=Revision in the schema, syntax Integer) to 8.
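As an added example (not from the guide), the following PowerShell script performs the same check without opening ADSI Edit: it binds to RootDSE, counts the operation GUIDs under the CN=Operations containers, and reads the revision attribute of the CN=Windows2003Update objects described in this section, comparing them with the values the guide gives (36 operations and revision 9 for the forest, revision 8 for the domain). It assumes the account running it can read the configuration and domain partitions; the function names are this example's own.

```powershell
# Added example, not from the guide: verify adprep /forestprep and /domainprep
# by reading the ForestUpdates and DomainUpdates containers through ADSI.

function Get-UpdatesContainerState {
    # Returns the number of operation GUIDs under CN=Operations and the revision
    # stamped on CN=Windows2003Update; both stay 0/$null if the objects are absent.
    param([string]$UpdatesContainerDn)
    $state = New-Object PSObject -Property @{
        Container      = $UpdatesContainerDn
        OperationCount = 0
        Revision       = $null
    }
    try {
        # Enumerating Children binds to the container and throws if it is missing.
        $ops = [ADSI]"LDAP://CN=Operations,$UpdatesContainerDn"
        $state.OperationCount = @($ops.Children).Count
    } catch { }
    try {
        $marker = [ADSI]"LDAP://CN=Windows2003Update,$UpdatesContainerDn"
        $state.Revision = [int]$marker.Get('revision')
    } catch { }
    return $state
}

function Get-AdprepStatus {
    # RootDSE gives the DNs of the configuration and domain partitions, so no
    # domain name has to be typed in.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Get('configurationNamingContext')
    $domainNc = $rootDse.Get('defaultNamingContext')

    $forest = Get-UpdatesContainerState "CN=ForestUpdates,$configNc"
    $domain = Get-UpdatesContainerState "CN=DomainUpdates,CN=System,$domainNc"

    # Completion markers quoted in the guide: forest revision 9 (36 operations),
    # domain revision 8. A $null revision compares as not done.
    New-Object PSObject -Property @{
        ForestOperations = $forest.OperationCount
        ForestRevision   = $forest.Revision
        ForestPrepDone   = ($forest.Revision -ge 9)
        DomainOperations = $domain.OperationCount
        DomainRevision   = $domain.Revision
        DomainPrepDone   = ($domain.Revision -ge 8)
    }
}

Get-AdprepStatus | Format-List
```

Run it against the schema master after /forestprep and against the infrastructure master of each domain after /domainprep; if ForestPrepDone is true on the schema master but the same query on another domain controller still shows an older revision, the forest changes have not yet replicated there, and /domainprep should wait.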
13 Install Active Directory
Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 by using the Active Directory Domain Services Installation Wizard (Dcpromo.exe). The member server should be located in the forest root domain. After you install AD DS successfully, the member server will become a domain controller. You can install AD DS on any member server that meets the domain controller hardware requirements.

To install AD DS on a member server by using the Windows interface
1. Click Start, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. If necessary, review the information on the Before You Begin page, and then click Next.
4. On the Select Server Roles page, select the Active Directory Domain Services check box, and then click Next.
5. If necessary, review the information on the Active Directory Domain Services page, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
8. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
If you want to install from media, identify the source domain controller for AD DS replication, or specify the Password Replication Policy (PRP) for an RODC as part of the installation of the additional domain controller, click Use advanced mode installation.
9. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.
10. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.
11. On the Network Credentials page, type the name of any existing domain (DOMAIN.COM) in the forest where you plan to install the additional domain controller. Under Specify the account credentials to use to perform the installation, click My current logged on credentials (must be an Enterprise Admin) or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.
12. On the Select a Domain (Domain.com) page, select the domain of the new domain controller, and then click Next.
13. On the Select a Site (Default-First-Site-Name) page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next.
14. On the Additional Domain Controller Options page, make the following selections, and then click Next:
DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this option.
Clear the DNS check box. Because you use Active Directory-integrated zones, the zones will automatically replicate to the new server. Open the DNS management console to check that they appear. Give DNS time for replication, at least 15 minutes.
Important: If you do not have static IPv4 and IPv6 addresses assigned to your network adapters, a warning message might appear advising you to set static addresses for both of these protocols before you can continue. If you have assigned a static IPv4 address to your network adapter and your organization does not use IPv6, you can ignore this message and click Yes, the computer will use a dynamically assigned IP address (not recommended).
After configuring DNS and making sure it is successfully installed, change the following:
Go to the DNS management console and right-click the Domain.com zone.
1- Under Name Servers, add servername.
2- Remove the previous servername.
3- Change the primary server to point to servername.
4- Change the responsible person to admin@Domain.com.
Note
If you select the option to install DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes and disregard the message.
Global Catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality.
Read-only domain controller: This option is not selected by default. It makes the additional domain controller read only.
15. If you selected Use advanced mode installation on the Welcome page, the Install from Media page appears. You can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can have all the replication done over the network. Note that some data will be replicated over the network even if you install from media. For information about using this method to install the domain controller, see Installing AD DS From Media.
16. If you selected Use advanced mode installation on the Welcome page, the Source Domain Controller page appears. Click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify a domain controller that you want to provide as a source for replication to create the new domain controller, and then click Next. If you do not choose to install from media, all data will be replicated from this source domain controller.
17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the system volume (SYSVOL) files, and then click Next.
Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other non-directory files.
18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Services Restore Mode (DSRM) for tasks that must be performed offline.
19. On the Summary page, review your selections. Click Back to change any selections, if necessary.
To save the settings that you have selected to an answer file that you can use to automate subsequent Active Directory operations, click Export settings. Type the name for your answer file, and then click Save.
When you are sure that your selections are accurate, click Next to install AD DS.
20. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
21. You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS installation when you are prompted to do so.
14 Modify Default Security Policies
To increase security, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require (by default) that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. If your production environment includes client computers that run platforms that do not support SMB packet signing (for example, Microsoft Windows NT® 4.0 with Service Pack 2 (SP2)) or if it includes client computers that run platforms that do not support secure channel signing (for example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify default security policies to ensure that client computers running older versions of the Windows operating system or non-Microsoft operating systems will be able to access domain resources in the upgraded domain.

Note
By modifying the settings of the default security policies, you are weakening the default security policies in your environment. Therefore, we recommend that you upgrade your Windows-based client computers as soon as possible. After all client computers in your environment are running versions of Windows that support SMB packet signing and secure channel signing, you can re-enable the default security policies to increase security.

To configure a domain controller to not require SMB packet signing or secure channel signing, disable the following settings in the Default Domain Controllers Policy:
· Microsoft network server: Digitally sign communications (always)
· Domain member: Digitally encrypt or sign secure channel data (always)

Back up the Default Domain Controllers Policy Group Policy object (GPO) before you modify it. Use the Group Policy Management Console (GPMC) to back up the GPO so that it can be restored, if necessary.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To disable SMB packet signing enforcement on domain controllers
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains\Current Domain Name\Group Policy objects\Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always).
5. Verify that the Define this policy setting check box is selected, click Disabled to prevent SMB packet signing from being required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force

Note
Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To disable secure channel signing enforcement on domain controllers
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
4. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), click Disabled to prevent secure channel signing from being required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force

Note
Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.

Allow cryptography algorithms compatible with Windows NT 4.0
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To allow cryptography algorithms that are compatible with Windows NT 4.0
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine/System/Net Logon.
4. In the details pane, double-click Allow cryptography algorithms compatible with Windows NT 4.0, and then click Enabled.
Note: By default, the Not Configured option is selected, but, programmatically, after you upgrade a server to Windows Server 2008 domain controller status, this policy is set to Disabled.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force

Note
Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that are made here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.
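Because the three policies above weaken the domain controllers' defaults, it helps to be able to list which domain controllers still carry the weakened settings so that they can be re-enabled once the old clients are gone. The following PowerShell script is an added example, not part of the guide, that reads the registry values those Group Policy settings write (RequireSecuritySignature under LanmanServer, RequireSignOrSeal and AllowNT4Crypto under Netlogon) from one or more domain controllers through the Remote Registry service and flags any value that differs from the secure default. Function and parameter names are this example's own.

```powershell
# Added example, not from the guide: audit the SMB signing, secure channel
# signing and NT 4.0 crypto settings on domain controllers so that weakened
# values are visible and can be reverted later. Requires the Remote Registry
# service on the target and an account with local administrator rights there.

function Get-SigningPolicyState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Policy name, registry location and the value that keeps the default
    # (secure) behaviour. A missing value means the default applies.
    $checks = @(
        @{ Setting = 'Microsoft network server: Digitally sign communications (always)'
           Key     = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Value   = 'RequireSecuritySignature'; Secure = 1 },
        @{ Setting = 'Domain member: Digitally encrypt or sign secure channel data (always)'
           Key     = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Value   = 'RequireSignOrSeal';        Secure = 1 },
        @{ Setting = 'Allow cryptography algorithms compatible with Windows NT 4.0'
           Key     = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Value   = 'AllowNT4Crypto';           Secure = 0 }
    )

    foreach ($computer in $ComputerName) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        foreach ($c in $checks) {
            $current = $null
            $key = $hklm.OpenSubKey($c.Key)
            if ($key -ne $null) { $current = $key.GetValue($c.Value) }
            New-Object PSObject -Property @{
                ComputerName = $computer
                Setting      = $c.Setting
                Current      = $current
                SecureValue  = $c.Secure
                # Only an explicitly stored value that differs from the secure
                # default counts as weakened; an absent value is the default.
                Weakened     = (($current -ne $null) -and ($current -ne $c.Secure))
            }
        }
        $hklm.Close()
    }
}

# Audit every domain controller (names can also be passed explicitly).
$dcs = nltest /dclist:$env:USERDNSDOMAIN 2>&1 |
       Where-Object { "$_" -match '^\s*(\S+)\.\S+\s+\[' } |
       ForEach-Object { $matches[1] }
if (-not $dcs) { $dcs = @($env:COMPUTERNAME) }
Get-SigningPolicyState -ComputerName $dcs |
    Select-Object ComputerName, Setting, Current, SecureValue, Weakened |
    Format-Table -AutoSize
```

A row with Weakened set to True is a domain controller where one of the three procedures above has been applied and not yet reverted; after the last Windows NT 4.0 client is retired, re-enable the policy in the Default Domain Controllers Policy, run gpupdate /force, and run the audit again to confirm that every row reads False.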
15 Completing the Upgrade of Active Directory Domains
To complete the upgrade of your Active Directory domains, perform the tasks in Checklist: Post-Upgrade Tasks.

16 Checklist: Post-Upgrade Tasks
Complete the tasks in this checklist in the order in which they are presented.

Checklist: Post-Upgrade Tasks (task, followed by its reference topic)
· Raise the functional levels of domains and forests to enable all advanced features of Active Directory Domain Services (AD DS). Reference: Raise the Functional Levels of Domains and Forests
· Complete the upgrade. Reference: Complete the Upgrade
17 Raise the Functional Levels of Domains and Forests
To enable all Windows Server 2008 advanced features in Active Directory Domain Services (AD DS), raise the functional level of your forest to Windows Server 2008. This will automatically raise the functional level of all domains to Windows Server 2008. To enable all Windows Server 2008 R2 advanced AD DS features, raise the functional level of your forest to Windows Server 2008 R2. This will automatically raise the functional level of all domains to Windows Server 2008 R2.

Caution
Do not raise the forest functional level to Windows Server 2008 R2 if you have or will have any domain controllers running Windows Server 2008 or earlier.

Important
After you set the forest functional level to a certain value, you cannot roll back or lower the forest functional level, with one exception: when you raise the forest functional level to Windows Server 2008 R2 and if Active Directory Recycle Bin is not enabled, you have the option of rolling the forest functional level back to Windows Server 2008. You can lower the forest functional level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

For more information about the Active Directory Recycle Bin, see Active Directory Recycle Bin Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=133971).

Use the following procedure to raise the forest functional level to Windows Server 2008.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To raise the forest functional level
1. Open the Active Directory Domains and Trusts snap-in. Click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
2. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
3. In Select an available forest functional level, do one of the following:
· To raise the forest functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.
· To raise the forest functional level to Windows Server 2008, click Windows Server 2008, and then click Raise.
· To raise the forest functional level to Windows Server 2008 R2, click Windows Server 2008 R2, and then click Raise.
For more information about Windows Server 2008 advanced AD DS features, see Enabling Advanced Features for AD DS.
18 Complete the Upgrade

Complete the following tasks to finalize the process:
· Review, update, and document the domain architecture to reflect any changes that you made during the domain upgrade process.
· Verify that the NETLOGON and SYSVOL shared folders exist and that the File Replication Service (FRS) or Distributed File Service (DFS) Replication is functioning without error by checking Event Viewer.
· Verify that Group Policy is being applied successfully by checking the Application log in Event Viewer for Event ID 1704.
· Verify that all service (SRV), alias (CNAME), and host (A) resource records have been registered in Domain Name System (DNS).
· Verify Windows Firewall status.
Important: Although the default behavior for Windows Server 2008 and Windows Server 2008 R2 is that Windows Firewall is turned on, if you upgrade a Windows Server 2003 computer that had Windows Firewall turned off, the firewall will remain off after the upgrade unless you turn it on using the Windows Firewall control panel.
· Continuously monitor your domain controllers and Active Directory Domain Services (AD DS). Using a monitoring solution (such as Microsoft Operations Manager (MOM)) to monitor distributed AD DS, and the services that it relies on, helps maintain consistent directory data and a consistent level of service throughout the forest.

After these tasks have been completed successfully, you will have completed the in-place upgrade process.
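The following script is an added example, not part of the original guide, that runs the section 18 verification checklist on one upgraded domain controller. It assumes Windows PowerShell 2.0 on the DC itself with administrative rights; $DomainName, the 24-hour log window and the exact event log and source names used for the FRS, DFS Replication and SceCli checks are the author's assumptions.

```powershell
# Added example, not part of the original guide: runs the section 18 checks on
# one domain controller. Intended for Windows PowerShell 2.0 on the upgraded
# DC itself (run as an administrator), so it uses WMI, Get-EventLog, nslookup
# and netsh rather than cmdlets that only exist in later Windows versions.
param(
    [string]$DomainName = $env:USERDNSDOMAIN,  # assumption: check the DC's own domain
    [int]$LookbackHours = 24                    # assumption: event log window
)

function New-Check($Name, $Passed, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = [bool]$Passed; Detail = "$Detail" }
}

$since   = (Get-Date).AddHours(-$LookbackHours)
$logs    = @(Get-EventLog -List | ForEach-Object { $_.Log })
$results = @()

# 1. NETLOGON and SYSVOL shares must exist on every domain controller.
$shares = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
foreach ($s in 'NETLOGON', 'SYSVOL') {
    $results += New-Check "Share $s exists" ($shares -contains $s) ($shares -join ', ')
}

# 2. SYSVOL replication: FRS and DFS Replication each keep their own event log,
#    so only the engine that is actually installed is checked for Error events.
$engines = 0
foreach ($log in 'File Replication Service', 'DFS Replication') {
    if ($logs -contains $log) {
        $engines++
        $errs = @(Get-EventLog -LogName $log -EntryType Error -After $since -ErrorAction SilentlyContinue)
        $results += New-Check "$log has no errors" ($errs.Count -eq 0) "$($errs.Count) error event(s) since $since"
    }
}
$results += New-Check 'A SYSVOL replication engine is installed' ($engines -gt 0) "$engines engine log(s) found"

# 3. Group Policy applied: Event ID 1704 from source SceCli in the Application log.
$gp = @(Get-EventLog -LogName Application -Source SceCli -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1704 })
$results += New-Check 'Group Policy applied (Event ID 1704)' ($gp.Count -gt 0) "$($gp.Count) event(s) since $since"

# 4. DNS: this DC must be listed in the domain's LDAP SRV records and have an A record.
#    nslookup is used because Resolve-DnsName does not exist on Windows Server 2008 R2.
$fqdn   = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
$srvOut = @(nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName" 2>$null)
$hosts  = @($srvOut | Where-Object { $_ -match 'svr hostname' } | ForEach-Object { $_.Trim() })
$results += New-Check "SRV _ldap._tcp.dc._msdcs.$DomainName lists $fqdn" (($hosts -join ' ') -match [regex]::Escape($fqdn)) ($hosts -join '; ')
$aRecs  = @([System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString })
$results += New-Check "A record for $fqdn" ($aRecs.Count -gt 0) ($aRecs -join ', ')

# 5. Windows Firewall: an in-place upgrade keeps a firewall that was OFF on
#    Windows Server 2003 turned off, so test the Domain profile explicitly.
$fwOut = @(netsh advfirewall show domainprofile state)
$results += New-Check 'Windows Firewall ON (Domain profile)' (($fwOut -join ' ') -match 'State\s+ON') (($fwOut | Where-Object { $_ -match 'State' }) -join ' ').Trim()

$results | Format-Table Check, Passed, Detail -AutoSize -Wrap
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) check(s) failed."; exit 1 }
```

The CNAME check from the checklist (the DC's DSA GUID alias under _msdcs) is not covered here and still has to be done by hand.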
18.1 Known Issues for upgrading

Extension mechanisms for DNS (EDNS) are enabled by default on Windows Server 2008 R2. If you notice that queries that used to work on DNS servers running Windows 2000, Windows Server 2003, or Windows Server 2008 fail after those DNS servers are upgraded or replaced with DNS servers that run Windows Server 2008 R2, or that queries the old DNS servers can resolve cannot be resolved by Windows Server 2008 R2 DNS servers, disable EDNS probes with the command:
dnscmd /Config /EnableEDnsProbes 0
19 Verifications you can make and recommended hotfixes you can install before you begin

1. All domain controllers in the forest should meet the following conditions:
a. Be online.
b. Be healthy (run dcdiag /v to see if there are any problems).
c. Have successfully inbound-replicated and outbound-replicated all locally held Active Directory partitions (repadmin /showrepl * /csv, viewed in Excel).
d. Have successfully inbound-replicated and outbound-replicated SYSVOL.
2. Download the latest service pack and relevant hotfixes that apply to your Active Directory forest before you deploy Windows Server 2008 or Windows Server 2008 R2 domain controllers.
a. For upgrades to either Windows Server 2008 or Windows Server 2008 R2, create integrated installation media ("slipstream") by adding the latest service pack and hotfixes for your operating system.
i. If you are deploying RODCs, review article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974). Download and install the hotfixes on the Windows computers and scenarios that apply to your computing environment.
ii. For Windows Server 2008 R2: if Active Directory Management Tool (ADMT) 3.1 is installed on Windows Server 2008 computers that are being upgraded in place to Windows Server 2008 R2, remove ADMT 3.1 before the upgrade; otherwise, it cannot be uninstalled. In addition, ADMT 3.1 cannot be installed on Windows Server 2008 R2 computers.
iii. The following table lists hotfixes for Windows Server 2008. You can install a hotfix individually, or you can install the service pack that includes it.

Description | Microsoft Knowledge Base article | Service pack
--- | --- | ---
Domain controllers that are configured to use the Japanese language locale | 949189 (http://go.microsoft.com/fwlink/?LinkId=164588) | Windows Server 2008 SP2
EFS file access encrypted on a Windows Server 2003 file server upgraded to Windows Server 2008 | 948690 (http://go.microsoft.com/fwlink/?LinkID=106115) | Not included in any Windows Server 2008 Service Pack
Records on Windows Server 2008 secondary DNS server are deleted following zone transfer | 953317 (http://go.microsoft.com/fwlink/?LinkId=164590) | Windows Server 2008 SP2
Use root hints if no forwarders are available | 2001154 (http://go.microsoft.com/fwlink/?LinkId=165959) |
Setting Locale info in GPP causes Event Log and dependent services to fail. If you change "Regional Option – User Locale – enabled," the Windows Event Log Service, DNS Server Service and Task Scheduler Service fail to start. | For prevention and resolution, see 951430 (http://go.microsoft.com/fwlink/?LinkId=165960). | To be included in Windows Server 2008 SP3
GPMC Filter fix | 949360 | Windows Server 2008 SP2
If you use devolution to resolve DNS names (instead of suffix search list), apply the DNS devolution hotfix. | 957579 (http://go.microsoft.com/fwlink/?LinkId=178224) | Windows Server 2008 SP2
Group Policy Preferences rerelease | 943729 (http://go.microsoft.com/fwlink/?LinkId=164591), 974266 (http://go.microsoft.com/fwlink/?LinkID=165035) | Windows Server 2008 SP2
Synchronize the Directory Services Restore Mode (DSRM) Administrator password with a domain user account | 961320 (http://go.microsoft.com/fwlink/?LinkId=177814) |
19.1 Hotfixes for Windows Server 2008 R2

The following table lists hotfixes for Windows Server 2008 R2.

Description | Microsoft Knowledge Base article | Comment
--- | --- | ---
Windows Server 2008 R2 Dynamic DNS updates to BIND servers log NETLOGON event 5774 with error status 9502 | 2002490 (http://go.microsoft.com/fwlink/?LinkId=178225) | The article will include a hotfix.
Event ID 1202 logged with status 0x534 if security policy modified | 2000705 (http://go.microsoft.com/fwlink/?LinkId=165961) | Hotfix is in progress. Also scheduled for Windows Server 2008 R2 SP1.
TimeZoneKeyName registry entry name is corrupt on 64-bit upgrades | 2001086 (http://go.microsoft.com/fwlink/?LinkId=178226) | Occurs only on x64-based server upgrades in Dynamic DST time zones. To see if your servers are affected, click the taskbar clock. If the clock fly-out indicates a time zone problem, click the link to open the Date and Time control panel.
Deploying the first Windows Server 2008 R2 domain controller in an existing Active Directory forest may temporarily halt Active Directory replication to strict-mode destination domain controllers | 2002034 |
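As an added example (not from the original guide) for the section 19 step 1 checks, this script evaluates repadmin /showrepl * /csv output and lists every replication link with failures, a stale last success, or no success at all. The column names are those the author expects repadmin to emit (verify against your own output), the sample rows are constructed, and the 24-hour staleness threshold is the author's choice.

```powershell
# Added example, not part of the original guide: turns "repadmin /showrepl * /csv"
# into a list of replication problems (section 19, step 1c). Without -Live it
# parses the constructed sample below so the logic can be tried offline.
param(
    [switch]$Live,            # query the live forest instead of the sample
    [int]$MaxAgeHours = 24    # assumption: oldest acceptable "Last Success Time"
)

# Constructed sample in repadmin's CSV layout (column names as the author expects them).
$sampleCsv = @'
"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"
"showrepl_INFO","HQ","DC01","DC=corp,DC=example,DC=com","HQ","DC02","RPC","0","0","2010-03-01 09:58:12","0"
"showrepl_INFO","HQ","DC01","CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com","HQ","DC02","RPC","0","0","2010-03-01 09:58:12","0"
"showrepl_INFO","Branch","DC03","DC=corp,DC=example,DC=com","HQ","DC01","RPC","14","2010-03-01 10:02:41","2010-02-27 18:20:07","8524"
"showrepl_INFO","Branch","DC03","CN=Configuration,DC=corp,DC=example,DC=com","HQ","DC02","RPC","0","0","2010-02-25 06:11:30","0"
'@

function Get-ReplicationProblems([string[]]$CsvLines, [int]$MaxAgeHours, [datetime]$Now) {
    # Keep only the header and data rows (both start with "showrepl_") and parse them.
    $rows   = $CsvLines | Where-Object { $_ -match '^"?showrepl_' } | ConvertFrom-Csv
    $oldest = $Now.AddHours(-$MaxAgeHours)
    foreach ($r in $rows) {
        $reasons = @()
        if ([int]$r.'Number of Failures' -gt 0) {
            $reasons += "$($r.'Number of Failures') failure(s), last status $($r.'Last Failure Status')"
        }
        # A link that has never succeeded has no parseable timestamp here.
        $last = [datetime]::MinValue
        if ([datetime]::TryParseExact($r.'Last Success Time', 'yyyy-MM-dd HH:mm:ss', $null, 'None', [ref]$last)) {
            if ($last -lt $oldest) { $reasons += "last success $last is older than $MaxAgeHours h" }
        } else {
            $reasons += "no successful replication recorded ('$($r.'Last Success Time')')"
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Destination = $r.'Destination DSA'; Source = $r.'Source DSA'
                Partition   = $r.'Naming Context'; Reason = ($reasons -join '; ')
            }
        }
    }
}

if ($Live) {
    $lines = repadmin /showrepl * /csv
    $now   = Get-Date
} else {
    $lines = $sampleCsv -split "`r?`n"
    # Constructed "current time" so the sample gives stable results: flags both DC03 links.
    $now   = [datetime]::ParseExact('2010-03-01 10:30:00', 'yyyy-MM-dd HH:mm:ss', $null)
}

$problems = @(Get-ReplicationProblems $lines $MaxAgeHours $now)
if ($problems.Count -eq 0) {
    'All replication links are healthy.'
} else {
    $problems | Format-Table Destination, Source, Partition, Reason -AutoSize -Wrap
}
```

Run dcdiag /v separately for step 1b; this script only covers the replication state the CSV exposes.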
19.2 Run Adprep commands

19.2.1 Add schema changes using adprep /forestprep
1. Identify the domain controller that holds the schema operations master role (also known as the flexible single master operations, or FSMO, role) and verify that it has inbound-replicated the schema partition since startup:
a. Run the dcdiag /test:knowsofroleholders command. If the schema role is assigned to a domain controller with a deleted NTDS settings object,
b. Log on to the schema operations master with an account that has Enterprise Admins, Schema Admins, and Domain Admins credentials in the forest root domain. By default, the built-in Administrator account in a forest root domain has these credentials.
c. On the schema master, run the repadmin /showreps command. If the schema master has inbound-replicated the schema partition since startup, continue to the next step. Otherwise, use the Replicate Now command in Dssite.msc to trigger inbound replication of the schema partition to the schema master. You can also use the repadmin /replicate <name of schema master> <GUID of replication partner> command; the showreps command returns the globally unique identifier (GUID) of all replication partners of the schema master.
20 Configure the Windows Time service on the PDC emulator in the forest root domain

20.1 To configure the Windows Time service on the PDC emulator
1. Open a Command Prompt.
2. Type the following command to display the time difference between the local computer and a target computer, and then press ENTER:
w32tm /stripchart /computer:<target> /samples:<n> /dataonly
3. Open User Datagram Protocol (UDP) port 123 for outgoing traffic if needed.
4. Open UDP port 123 (or a different port that you have selected) for incoming NTP traffic.
5. Type the following command to configure the PDC emulator, and then press ENTER. For example, to configure your PDC emulator to use the fictional time server ntp1.Domain.com, run:
w32tm /config /manualpeerlist:"ntp1.Domain.com" /syncfromflags:manual /reliable:yes /update
(/syncfromflags:manual makes the service synchronize from the manual peer list instead of the domain hierarchy; without it the peer list is ignored on a domain controller.)
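This added example, not part of the original guide, wraps the section 20 procedure: it checks that it is running on the PDC emulator, measures the offset to each candidate time source with w32tm /stripchart, and only applies the manual peer list to sources that answer within tolerance. The peer names are placeholders, the stripchart sample lines used with -Sample are constructed, and the 300-second tolerance is the Kerberos default clock skew, chosen by the author.

```powershell
# Added example, not part of the original guide: configures the PDC emulator's
# time source (section 20) with safety checks. Nothing is changed unless -Apply
# is given; -Sample parses constructed stripchart output instead of calling w32tm.
param(
    [string[]]$Peers = @('ntp1.Domain.com', 'ntp2.Domain.com'),  # placeholders from the guide
    [int]$Samples = 5,
    [double]$MaxSkewSeconds = 300,   # Kerberos default tolerance is 5 minutes
    [switch]$Apply,
    [switch]$Sample
)

# Parse "/dataonly" stripchart lines of the form "10:15:01, +00.0123456s".
# Lines that report an error (e.g. "10:15:05, error: 0x800705B4") carry no offset and are skipped.
function Get-StripchartOffsets([string[]]$Lines) {
    foreach ($l in $Lines) {
        if ($l -match '^\s*\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    }
}

function Measure-Peer([string]$Peer) {
    if ($Sample) {
        # Constructed sample output: three usable samples, one failed probe.
        $raw = @("Tracking $Peer [203.0.113.10:123].", 'The current time is 01/03/2010 10:15:00.',
                 '10:15:01, +00.0123456s', '10:15:03, +00.0119870s',
                 '10:15:05, error: 0x800705B4', '10:15:07, +00.0125001s')
    } else {
        $raw = w32tm /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly
    }
    $offs = @(Get-StripchartOffsets $raw)
    $avg  = $null
    if ($offs.Count -gt 0) { $avg = ($offs | Measure-Object -Average).Average }
    New-Object PSObject -Property @{ Peer = $Peer; Samples = $offs.Count; AvgOffsetSeconds = $avg }
}

# Step 0: the manual peer list belongs on the PDC emulator of the forest root domain only.
if (-not $Sample) {
    $pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $local = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
    if ($pdc -ne $local) { throw "Run this on the PDC emulator ($pdc), not on $local." }
}

# Step 2: measure every candidate source before trusting it.
$report = foreach ($p in $Peers) { Measure-Peer $p }
$report | Format-Table Peer, Samples, AvgOffsetSeconds -AutoSize

$good = @($report |
    Where-Object { $_.Samples -gt 0 -and [math]::Abs($_.AvgOffsetSeconds) -le $MaxSkewSeconds } |
    ForEach-Object { $_.Peer })
if ($good.Count -eq 0) { throw 'No reachable time source within tolerance; configuration left unchanged.' }

if ($Apply) {
    # Steps 3-5: allow inbound NTP, point w32tm at the verified peers, resync and show the result.
    netsh advfirewall firewall add rule name="NTP inbound" dir=in action=allow protocol=UDP localport=123
    w32tm /config "/manualpeerlist:$($good -join ' ')" /syncfromflags:manual /reliable:yes /update
    w32tm /resync
    w32tm /query /status
} else {
    "Would configure peers: $($good -join ' ') (re-run with -Apply to change the PDC emulator)."
}
```

With -Sample the report shows three samples and an average offset of about 0.0123 s for each placeholder peer, so both would be accepted.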
21 Upgrade Existing Domain Controllers

Note: To increase security, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require by default that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. By modifying the settings of the default security policies, you weaken the default security posture of your environment.
23 Check proper installation and replication

It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize specifically are:
· dcpromo.log: all the events regarding the creation and removal of Active Directory and SYSVOL trees, and the installation, modification and removal of key services
· dcpromoui.log: all the events from the graphical interface perspective
Also check the Event Viewer.

23.1.1 After replication
Check replication with:
repadmin /showreps
24 Migration of DHCP Server from Windows Server 2003 to Windows Server 2008 R2

Note: Backup and Restore are not expected to work across server versions, because the DHCP database format changed between Windows Server 2003 and Windows Server 2008. The recommended procedure for DHCP server migration is to use the netsh export and import commands. The migration from Windows Server 2003 to Windows Server 2008 consists of the following four steps.

24.1 Export the DHCP database from the server that is running Microsoft Windows Server 2003
1. Log on to the source DHCP server by using an account that is a member of the local Administrators group or the DHCP Administrators group.
2. Click Start, click Run, type cmd in the Open box, and then click OK.
3. Type netsh dhcp server export C:\dhcpdatabase.dat all, and then press ENTER.
Note: While the export command runs, the DHCP server is stopped and does not respond to clients seeking new leases or lease renewals.
You can now stop the DHCP service on the source server.

24.2 Install the DHCP server service on the server that is running Windows Server 2008
To install the DHCP Server service on an existing Windows Server 2008 computer:
1. Start Server Manager.
2. Click Add Roles.
3. Select the DHCP Server role and click Next.
4. Click through the remaining screens of the installation wizard to complete the DHCP server installation. Do not authorize the DHCP server at this point.

24.3 Import the DHCP database
1. Log on as a user who is a member of the local Administrators group or the DHCP Administrators group.
2. Copy the exported DHCP database file to the local hard disk of the Windows Server 2008 computer.
3. Verify that the DHCP service is started on the Windows Server 2008 computer.
4. Click Start, click Run, type cmd in the Open box, and then click OK.
5. At the command prompt, type netsh dhcp server import c:\dhcpdatabase.dat all, and then press ENTER, where c:\dhcpdatabase.dat is the full path and file name of the database file that you copied to the server.
6. After you receive the message that the command completed successfully, quit the command prompt.

24.4 Authorize the DHCP server
1. Click Start, point to All Programs, point to Administrative Tools, and then click DHCP. You must be logged on to the server by using an account that is a member of the Administrators group. In an Active Directory domain, you must be logged on to the server by using an account that is a member of the Enterprise Administrators group.
2. In the console tree of the DHCP snap-in, expand the new DHCP server. If there is a red arrow in the lower-right corner of the server object, the server has not yet been authorized.
3. Right-click the server object, and then click Authorize.
4. After several moments, right-click the server again, and then click Refresh. A green arrow indicates that the DHCP server is authorized.

http://www.windowsreference.com/windows-server-2008/step-by-step-tutorial-how-to-migrate-dhcp-server-from-a-windows-server-2003-to-windows-server-2008/
http://blogs.technet.com/b/networking/archive/2008/06/27/steps-to-move-a-dhcp-database-from-a-windows-server-2003-or-2008-to-another-windows-server-2008-machine.aspx

Note: When you try to export a DHCP database from a Windows Server 2003 domain controller to a Windows Server 2008 member server of the domain, you may receive the following error message:
Error initializing and reading the service configuration – Access Denied
To resolve this issue, add the Windows Server 2008 DHCP server computer to the DHCP Admins group at the Enterprise level and repeat steps 4 and 5 of section 24.3.
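As an added example (not part of the original guide), this script automates the four netsh steps of section 24 in two phases, exporting on the Windows Server 2003 source and importing and authorizing on the Windows Server 2008 target, with the checks a practitioner would want between them. The database path is the guide's; the target server FQDN and IP are placeholders, and the success string checked in netsh output is the author's assumption.

```powershell
# Added example, not part of the original guide: scripts the section 24 DHCP
# migration. Run with -Export on the Windows Server 2003 source, copy the file,
# then run with -Import on the Windows Server 2008 target.
param(
    [switch]$Export,
    [switch]$Import,
    [string]$DbFile     = 'C:\dhcpdatabase.dat',   # same path as the guide
    [string]$ServerFqdn = 'dhcp01.Domain.com',     # placeholder: new DHCP server
    [string]$ServerIp   = '192.0.2.10'             # placeholder: its IP address
)

# netsh dhcp prints "Command completed successfully." when it worked; anything
# else (for example the "Access Denied" message quoted in the guide) is surfaced.
function Invoke-Netsh([string[]]$NetshArgs) {
    $text = ((& netsh $NetshArgs) | Out-String).Trim()
    if ($LASTEXITCODE -ne 0 -or $text -notmatch 'completed successfully') {
        throw "netsh $($NetshArgs -join ' ') failed:`n$text"
    }
    $text
}

if ($Export) {
    # 24.1: the export stops the DHCP service while it runs, so clients get no leases meanwhile.
    Invoke-Netsh @('dhcp', 'server', 'export', $DbFile, 'all')
    if (-not (Test-Path $DbFile)) { throw "Export file $DbFile was not created." }
    "Exported $((Get-Item $DbFile).Length) bytes to $DbFile."
    # The guide allows stopping the source service now; it must not hand out leases alongside the new server.
    Stop-Service DHCPServer
}

if ($Import) {
    # 24.3: the file must be copied here first and the service must be running before the import.
    if (-not (Test-Path $DbFile)) { throw "Copy the exported database to $DbFile first." }
    $svc = Get-Service DHCPServer
    if ($svc.Status -ne 'Running') { Start-Service DHCPServer; $svc.WaitForStatus('Running', '00:00:30') }
    Invoke-Netsh @('dhcp', 'server', 'import', $DbFile, 'all')

    # 24.4: authorize the server in Active Directory (needs Enterprise Admins), then list the authorized servers.
    Invoke-Netsh @('dhcp', 'add', 'server', $ServerFqdn, $ServerIp)
    netsh dhcp show server
}
```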
25 Recommendations for FSMO roles

Place the RID and PDC emulator roles on the same domain controller. Good communication from the PDC to the RID master is desirable, as down-level clients target the PDC, making it a large consumer of RIDs. It is also easier to keep track of FSMO roles if you cluster them on fewer machines. Alternatively, the RID and primary domain controller emulator roles can be placed on separate domain controllers.

The infrastructure master should be located on a non-global-catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site.

http://www.pcreview.co.uk/forums/thread-1456278.php
http://www.planning-tech.com/?p=78
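The following added example, not from the original guide, audits the current FSMO placement against the two section 25 recommendations using the .NET System.DirectoryServices.ActiveDirectory classes, which are present on Windows Server 2008 R2 without the Active Directory module. It assumes it runs as a domain user on a domain-joined machine and that the server names returned for connection objects and global catalogs can be compared by their short host name; it changes nothing.

```powershell
# Added example, not part of the original guide: read-only audit of FSMO
# placement against the section 25 recommendations.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Connection objects may report the source as a short name; compare short host names (assumption).
function Get-ShortName([string]$Name) { ($Name -split '\.')[0].ToLower() }

$gcs     = @($forest.GlobalCatalogs)
$gcShort = @($gcs | ForEach-Object { Get-ShortName $_.Name })

$holders = New-Object PSObject -Property @{
    SchemaMaster         = $forest.SchemaRoleOwner.Name
    DomainNamingMaster   = $forest.NamingRoleOwner.Name
    PDCEmulator          = $domain.PdcRoleOwner.Name
    RIDMaster            = $domain.RidRoleOwner.Name
    InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
}
$holders | Format-List SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

$findings = @()

# Recommendation 1: RID master and PDC emulator on the same DC (the PDC is a
# large consumer of RIDs, so the two should not depend on a long replication path).
if ($holders.RIDMaster -ne $holders.PDCEmulator) {
    $findings += "RID master ($($holders.RIDMaster)) and PDC emulator ($($holders.PDCEmulator)) are on different DCs."
}

# Recommendation 2a: the infrastructure master should not be a global catalog server.
$infra = $domain.InfrastructureRoleOwner
if ($gcShort -contains (Get-ShortName $infra.Name)) {
    $findings += "Infrastructure master $($infra.Name) is a global catalog server."
}

# Recommendation 2b: it should have a direct connection object from some GC,
# preferably one in its own site.
$sources   = @($infra.InboundConnections | ForEach-Object { Get-ShortName $_.SourceServer })
$gcSources = @($sources | Where-Object { $gcShort -contains $_ })
if ($gcSources.Count -eq 0) {
    $findings += "Infrastructure master $($infra.Name) has no inbound connection object from a global catalog."
} else {
    $sameSite = @($gcs | Where-Object {
        ($gcSources -contains (Get-ShortName $_.Name)) -and ($_.SiteName -eq $infra.SiteName) })
    if ($sameSite.Count -eq 0) {
        $findings += "Infrastructure master replicates from GC(s) $($gcSources -join ', '), none in its own site $($infra.SiteName)."
    }
}

if ($findings.Count -eq 0) {
    'FSMO placement follows the section 25 recommendations.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```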
26 What are FSMO roles?

Names of the five FSMO roles and their holders:
· Schema owner: servername.Domain.com
· Domain role owner: servername.Domain.com
· PDC role: servername.Domain.com
· RID pool manager: servername.Domain.com
· Infrastructure owner: servername.Domain.com

The FSMO (flexible single master operations) roles are assigned to domain controllers in our environment and give us the ability to manage the environment without conflicts. The FSMO roles can be transferred between domain controllers, which gives us much more flexibility in managing the environment. There are five FSMO roles in a forest: two of them provide services at the forest level and the other three at the domain level.

The forest-level FSMO roles:
· Schema Master Role – The schema master is responsible for updating the schema partition. The DC that holds the schema master is the only one in our entire environment that can update the schema directory. When the update finishes, the schema replicates to all other DCs in our directory.
Note! There is only ONE schema master per directory.
· Domain Naming Master Role – This role gives us the ability to make changes to the forest-wide domain names of our directory. The DC that holds this role is the only one that can add or remove DCs from our forest.

The domain-level FSMO roles:
· RID Master Role – The RID role is hosted on a single DC, which is responsible for the RID pool requests from all other DCs in the domain. This role is also responsible for adding or removing objects from a domain and transferring them to another DC (users, computers, ...). The RID master is responsible for adding the security principal identifier, called the SID, to objects in our environment (users, computers, groups, ...). The SID is unique in the whole domain and cannot be duplicated on another object in the domain.
· PDC Emulator Role – This role provides many services. Its first responsibility is to synchronize time in a Windows 2000 environment (W32Time service), which is required for Kerberos authentication; the time that this FSMO provides is gathered from an external source, for example Microsoft's time servers. The PDC role provides the most services, so we can say it is the busiest role in our environment. A few examples:
- This role helps us replicate the Sysvol folder in our environment.
- It manages all password changes in our domains, ensures that accounts that do not supply the right credentials are locked, and replicates passwords across domains.
· Infrastructure Master Role – This role gives us the ability to update the SIDs and distinguished names of objects in cross-domain references; this happens when an object from one domain is referenced by an object from another domain.

FSMO levels:
· Schema Master: one per forest.
· Domain Naming Master: one per forest.
· PDC Emulator: one per domain.
· RID Master: one per domain.
· Infrastructure Master: one per domain.

Worst case scenario – what happens if an FSMO role fails?
· Schema Master – If this FSMO role fails we cannot add objects to our schema partition, and for that reason we cannot change objects or their attributes.
· Domain Naming Master – Here it is easy to understand the problem we have when this FSMO fails: we simply cannot add new DCs to the forest and we also cannot demote existing domain controllers. Note that our environment will keep functioning until we need to manage the domain controllers in our forest.
· PDC Emulator – As described, this role provides the most services; for that reason, when this role is not functioning it will probably cause the biggest problems in our environment.
· RID Master – First we need to know that each domain controller in our domain holds a pool of RIDs, so we only have problems if we want to add many objects (users, computers, ...).
· Infrastructure Master – Here we need to understand the difference between a single-domain environment (if this FSMO fails it is not relevant to this scenario) and a multi-domain environment (if this FSMO fails we cannot add objects from one DC to another).
27 Moving the Roles

New groups and new group memberships that are created after upgrading the PDC

After you upgrade the Windows Server 2003-based domain controller holding the role of the PDC emulator operations master in each domain in the forest to Windows Server 2008, or after you move the PDC emulator operations master role to a Windows Server 2008-based domain controller, or after you add a read-only domain controller (RODC) to your domain, the following new well-known and built-in groups are created:
· Builtin\IIS_IUSRS
· Builtin\Cryptographic Operators
· Allowed RODC Password Replication Group
· Denied RODC Password Replication Group
· Read-only Domain Controllers
· Builtin\Event Log Readers
· Enterprise Read-only Domain Controllers (created only in the forest root domain)
· Builtin\Certificate Service DCOM Access

The newly established group memberships are:
· IUSR security principal added to the Builtin\IIS_IUSRS group
· The following groups added to the Denied RODC Password Replication Group: Group Policy Creator Owners, Domain Admins, Cert Publishers, Domain Controllers, Krbtgt, Enterprise Admins, Schema Admins, Read-only Domain Controllers
· Network Service security principal added to Builtin\Performance Log Users

Also, the following new, additional security principals are created in the forest root domain:
· IUSR
· Owner Rights

The Well-Known-Security-Id-System security principal is renamed to System.
28 Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

To transfer an FSMO role, the administrator must be a member of the following group:

FSMO Role | Administrator must be a member of
--- | ---
Schema | Schema Admins
Domain Naming | Enterprise Admins
RID | Domain Admins
PDC Emulator | Domain Admins
Infrastructure | Domain Admins
29 Roles on our servers
· Schema owner: servername.Domain.com
· Domain role owner: servername.Domain.com
· PDC role: servername.Domain.com
· RID pool manager: servername.Domain.com
· Infrastructure owner: servername.Domain.com

29.1 Plan
· Schema owner servername.Domain.com: move role to servername
· Domain role owner servername.Domain.com: move role to servername
· PDC role: servername.Domain.com
· RID pool manager: servername.Domain.com
· Infrastructure owner: servername.Domain.com
29.2 Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To transfer the domain-specific RID Master, PDC Emulator, and Infrastructure Master FSMO roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. If you are NOT logged on to the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller (servername).
3. Select the domain controller that will be the new role holder, the target (servername), and press OK.
4. Right-click the Active Directory Users and Computers icon again and press Operations Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.

To transfer the Domain Naming Master role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. If you are NOT logged on to the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press Operations Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.

To transfer the Schema Master role:
1. Register the Schmmgmt.dll library by pressing Start > Run and typing:
regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command, open an MMC console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged on to the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
8. Press Specify... and type the name of the new role holder. Press OK.
9. Right-click the Active Directory Schema icon again and press Operations Masters.
10. Press the Change button.
11. Press OK all the way out.
Make sure that the Active Directory module for Windows PowerShell is installed, then run dcdiag and review the "Starting test: FsmoCheck" section of its output. Then run netdom query fsmo. If the server cannot locate the roles, restart the following services on the Windows Server 2008 server: Active Directory Domain Services and the Netlogon service.
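As an added example (not part of the original guide), this script applies a section 29.1 style placement plan with the Active Directory module for Windows PowerShell on Windows Server 2008 R2: it compares the plan with the current holders from Get-ADForest and Get-ADDomain, transfers only the roles that differ with Move-ADDirectoryServerOperationMasterRole, and verifies with the guide's own netdom query fsmo. The server names in $Plan are placeholders, and the account running it needs the group memberships listed in section 28.

```powershell
# Added example, not part of the original guide: plan-driven FSMO transfer.
# Nothing is moved unless -Apply is given; a dry run only lists the pending moves.
param([switch]$Apply)
Import-Module ActiveDirectory

# Planned holders (placeholders), keyed by the role names the cmdlet accepts.
$Plan = @{
    SchemaMaster         = 'NEWDC01.Domain.com'
    DomainNamingMaster   = 'NEWDC01.Domain.com'
    PDCEmulator          = 'NEWDC02.Domain.com'
    RIDMaster            = 'NEWDC02.Domain.com'
    InfrastructureMaster = 'NEWDC02.Domain.com'
}

function Get-CurrentFsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    @{ SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
       PDCEmulator  = $d.PDCEmulator;  RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster }
}

# Compare the current holders with the plan and return only the moves still needed.
function Get-PendingMoves([hashtable]$Current, [hashtable]$Planned) {
    foreach ($role in $Planned.Keys) {
        if ($Current[$role] -ne $Planned[$role]) {
            New-Object PSObject -Property @{ Role = $role; From = $Current[$role]; To = $Planned[$role] }
        }
    }
}

$pending = @(Get-PendingMoves (Get-CurrentFsmoHolders) $Plan)
if ($pending.Count -eq 0) { 'All FSMO roles already match the plan.'; return }
$pending | Format-Table Role, From, To -AutoSize

if (-not $Apply) { 'Dry run only; re-run with -Apply to transfer the roles listed above.'; return }

# Transfer, one call per target DC. The caller needs Schema Admins for the schema
# master, Enterprise Admins for domain naming and Domain Admins for the rest
# (section 28); the target must be reachable and fully replicated.
foreach ($target in ($pending | ForEach-Object { $_.To } | Sort-Object -Unique)) {
    $roles = @($pending | Where-Object { $_.To -eq $target } | ForEach-Object { $_.Role })
    "Transferring $($roles -join ', ') to $target"
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false
}

# Verify with the guide's own check and report anything that still differs from the plan.
netdom query fsmo
Get-PendingMoves (Get-CurrentFsmoHolders) $Plan | ForEach-Object { "STILL PENDING: $($_.Role) is on $($_.From)" }
```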
30 After installing and removing roles

Test DNS and the new server.
· Client test: modify the DNS settings of some clients so that the primary DNS server is the new Windows Server 2008 server.
· Server test: modify the DNS settings of some servers so that the primary DNS server is the new Windows Server 2008 server.
31 Revision History