8/7/2019 update domain

Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains

Microsoft Corporation

Published: November 2009

Writer: Justin Hall

Editor: Jim Becker

Abstract

This guide explains the process for upgrading Active Directory domains to Windows Server 2008 and Windows Server 2008 R2, how to upgrade the operating system of domain controllers, and how to add domain controllers that run Windows Server 2008 or Windows Server 2008 R2 to an existing domain.


Copyright Information

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Contents

Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains ... 1
  Abstract ... 1
Copyright Information ... 2
Contents ... 3
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains ... 6
  About this guide ... 6
  In this guide ... 6
  Related information ... 6
Overview of Upgrading Active Directory Domains ... 7
Planning to Upgrade Active Directory Domains ... 7
  In this guide ... 7
Checklist: Preupgrade Tasks ... 8
Assign Appropriate Credentials ... 9
Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2 ... 11
Determine Supported Software Upgrades ... 12
Assess Hardware Requirements ... 14
  Disk space requirements for upgrading to Windows Server 2008 ... 15
  Disk space requirements for upgrading to Windows Server 2008 R2 ... 16
Determine Domain Controller Upgrade Order ... 19
Develop a Test Plan for Your Domain Upgrade Process ... 20
Determine Service Pack Levels ... 21
Back Up Domain Data ... 23
Resolve Upgrade and Application Compatibility Problems ... 23
  Known issues for upgrading to Windows Server 2003 ... 24
Performing the Upgrade of Active Directory Domains ... 25
  In this guide ... 25
Checklist: Upgrade Tasks ... 25
Prepare Your Infrastructure for Upgrade ... 26
Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2 ... 27
Upgrade Existing Domain Controllers ... 29
  Unattended upgrade ... 30
Modify Default Security Policies ... 34
Update Group Policy Permissions ... 37
Perform Clean-up Tasks ... 38
Completing the Upgrade of Active Directory Domains ... 38
  In this guide ... 39
Checklist: Post-Upgrade Tasks ... 39
Raise the Functional Levels of Domains and Forests ... 40
Move DNS Data into DNS Application Directory Partitions ... 41
Redirect Users and Computers ... 43
Complete the Upgrade ... 44
Finding Additional Information About Upgrading Active Directory Domains ... 45
Appendix A: Background Information for Upgrading Active Directory Domains ... 46
  Active Directory preparation tool ... 46
  Application directory partitions for DNS ... 47
    Service (SRV) resource records ... 47
    _msdcs.domain_name subdomain ... 48
    _msdcs.forest_root_domain subdomain ... 48
    Intrasite replication frequency ... 49
  New groups and new group memberships that are created after upgrading the PDC ... 50
  Security policy considerations when upgrading from Windows 2000 to Windows Server 2003 ... 52
    SMB packet signing ... 52
    Secure channel signing and encryption ... 52
Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains ... 53
  What's new in AD DS in Windows Server 2008 and Windows Server 2008 R2 ... 53
  System requirements for installing Windows Server 2008 and Windows Server 2008 R2 ... 55
  Supported in-place upgrade paths ... 56
  Functional level features and requirements ... 56
  Client, server, and application interoperability ... 57
  Secure default settings in Windows Server 2008 and Windows Server 2008 R2 ... 57
  Virtualized domain controllers on Hyper-V, VMware, and other virtualization software ... 58
  Administration, remote administration, and cross-version administration ... 58
  Configuring the Windows Time service for Windows Server 2008 and Windows Server 2008 R2 ... 59
  Known issues for upgrades to Windows Server 2008 and Windows Server 2008 R2 ... 61
  Verifications you can make and recommended hotfixes you can install before you begin ... 61
  Run Adprep commands ... 65
    Add schema changes using adprep /forestprep ... 65
    If you are deploying RODCs, run adprep /rodcprep ... 66
    Run adprep /domainprep /gpprep ... 67
  Upgrade domain controllers ... 67
    Background information about the in-place upgrade process ... 68
    Upgrading and promoting new domain controllers into an existing domain ... 68
    Post-installation tasks ... 70
    Fixes to install after AD DS installation ... 70
  Troubleshooting errors ... 71
    Adprep errors ... 71
      Forestprep errors ... 71
      Domainprep errors ... 72
      Rodcprep errors ... 72
    Dcpromo errors ... 72


Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains

Upgrading your network operating system requires minimal network configuration and typically has a low impact on user operations. The upgrade process is straightforward, efficient, and allows your organization to take advantage of the improved security that is offered by the Windows Server 2008 and Windows Server 2008 R2 operating systems.

About this guide

This guide is intended for use by system administrators and system engineers. It provides detailed guidance for upgrading Windows 2000 or Windows Server 2003 Active Directory domains to Active Directory Domain Services (AD DS) domains that have domain controllers running Windows Server 2008 or Windows Server 2008 R2. For a seamless deployment experience, use the checklists that are provided in this guide and complete the tasks in the order in which they are presented.

In this guide

- Overview of Upgrading Active Directory Domains
- Planning to Upgrade Active Directory Domains
- Performing the Upgrade of Active Directory Domains
- Completing the Upgrade of Active Directory Domains
- Finding Additional Information About Upgrading Active Directory Domains
- Appendix A: Background Information for Upgrading Active Directory Domains
- Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains

Related information

- For more information about the AD DS logical structure and the Domain Name System (DNS) infrastructure that is necessary to support AD DS, see Designing the Logical Structure for Windows Server 2008 AD DS [LH].
- For more information about AD DS functional levels, see Enabling Advanced Features for AD DS.
- For more information about installing and configuring a DNS server, see Deploying Domain Name System (DNS) (http://go.microsoft.com/fwlink/?LinkId=93656).

Overview of Upgrading Active Directory Domains

By upgrading your network operating system, you can maintain your current network and domain configuration while improving the security, scalability, and manageability of your network infrastructure.

Before you upgrade your Windows 2000 or Windows Server 2003 Active Directory domains, review your business objectives and decide how they relate to your existing Active Directory infrastructure. Although your objectives might not require other significant changes to your existing environment, the operating system upgrade is an opportune time to review your existing Active Directory design, including your Active Directory logical structure, site topology, and domain controller capacity. You might find opportunities for increased efficiencies and cost savings that you can incorporate into your upgrade process. In addition, ensure that you test your upgrade process in a lab and pilot program.

When the domain upgrade process is complete, all domain controllers will be running Windows Server 2008 or Windows Server 2008 R2, and the Active Directory Domain Services (AD DS) domains and forest will be operating at the Windows Server 2008 or Windows Server 2008 R2 functional level. At the Windows Server 2008 R2 forest functional level, you can take advantage of all the advanced AD DS features. For more information about advanced AD DS features for AD DS functional levels, see Enabling Advanced Features for AD DS.

Planning to Upgrade Active Directory Domains

To plan the upgrade of your Active Directory domains, complete the tasks in Checklist: Preupgrade Tasks.

In this guide

- Checklist: Preupgrade Tasks
- Assign Appropriate Credentials
- Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
- Determine Supported Software Upgrades
- Assess Hardware Requirements
- Determine Domain Controller Upgrade Order
- Develop a Test Plan for Your Domain Upgrade Process
- Determine Service Pack Levels
- Back Up Domain Data
- Resolve Upgrade and Application Compatibility Problems

Checklist: Preupgrade Tasks

Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Checklist: Preupgrade Tasks

| Task | Reference |
|---|---|
| Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade. | Assign Appropriate Credentials |
| Introduce a newly installed member server into the forest. | Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2 |
| Identify the editions of Windows 2000 or Windows Server 2003 that are running in your environment. Then determine if you can upgrade these editions or if you must perform a complete reinstallation for each. | Determine Supported Software Upgrades |
| Review and document the existing hardware configuration of each domain controller that you plan to upgrade. | Assess Hardware Requirements |
| Determine the order in which you will upgrade your domain controllers before you begin the domain upgrade process. | Determine Domain Controller Upgrade Order |
| Develop a test plan for your domain upgrade process. | Develop a Test Plan for Your Domain Upgrade Process |
| Determine service pack levels. | Determine Service Pack Levels |
| Back up your Windows 2000 or Windows Server 2003 domain data before you begin the upgrade. | Back Up Domain Data |
| Resolve upgrade and application compatibility problems. | Resolve Upgrade and Application Compatibility Problems |

Assign Appropriate Credentials

Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade. The adprep /forestprep command requires a user account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins groups. The adprep /domainprep command requires a user account that is a member of the Domain Admins group in the targeted domain. The adprep /rodcprep command requires a user account that is a member of the Enterprise Admins group.

In addition, the security context can affect the ability of an administrator to complete the upgrade of domain controllers. Members of the Builtin\Administrators group can upgrade the operating system and install software on a computer. The following groups are members of the Builtin\Administrators group by default:

- The Enterprise Admins group is a member of Builtin\Administrators in the forest root domain and in each regional domain in the forest.
- The Domain Admins group is a member of Builtin\Administrators in their domain.
- The Domain Admins group is a member of Builtin\Administrators on member servers in their domain.

The following table shows the credentials that are required to upgrade servers, depending on the domain membership of the servers.

| Credential | Domain controller in forest root domain | Member server in forest root domain | Domain controller in regional domain | Member server in regional domain |
|---|---|---|---|---|
| Enterprise Admins in forest root domain | | | | |
| Domain Admins in forest root domain | | | | |
| Builtin\Administrators in forest root domain | | | | |
| Domain Admins in regional domain | | | | |
| Builtin\Administrators in regional domain | | | | |

You also need to ensure that the administrator who is upgrading the domain controllers has the following rights:

- Back up files and directories (SE_BACKUP_NAME)
- Modify firmware environment values (SE_SYSTEM_ENVIRONMENT_NAME)
- Restore files and directories (SE_RESTORE_NAME)
- Shut down the system (SE_SHUTDOWN_NAME)

The setup program cannot run properly if these rights are not defined or if they are disabled by a domain Group Policy setting on the computer.

To verify if user rights assignments are disabled by a domain Group Policy setting

Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

1. In the Run dialog box, type mmc, and then click OK.
2. Click File, and then click Add/Remove snap-in.
3. In the Available snap-ins dialog box, select Group Policy Management Editor, and then click Add.
4. On the Welcome to the Group Policy Wizard page, verify that Local Computer appears in the Group Policy Object box, and then click Finish.
5. In the console tree, navigate to the Local Computer Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment folder.
6. In the details pane, verify that the user who will perform the upgrade is a member in one of the groups that has the necessary rights assigned. The policies are named identically to the user rights listed above.

Assign the appropriate credentials in advance to allow both Active Directory domain upgrade testing and deployment to proceed without unexpected security delays.
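The procedure above checks the four user rights in the Group Policy Management Editor. The following PowerShell script is an added example, not part of the Microsoft guide, that performs the same check from the command line: it exports the effective user-rights assignments with secedit.exe and reports whether each of the four rights is assigned to the current user or to a group on the current user's token. The SeBackupPrivilege, SeSystemEnvironmentPrivilege, SeRestorePrivilege and SeShutdownPrivilege names are the secedit names of the SE_*_NAME rights listed above; the script assumes an elevated session on the domain controller that is to be upgraded.

```powershell
# Added example (not from the Microsoft guide): command-line counterpart of the procedure
# above. Assumes an elevated PowerShell session on the domain controller to be upgraded.

# The user rights the guide requires, keyed by the privilege name secedit.exe uses for each
# SE_*_NAME constant.
$requiredRights = @{
    'SeBackupPrivilege'            = 'Back up files and directories (SE_BACKUP_NAME)'
    'SeSystemEnvironmentPrivilege' = 'Modify firmware environment values (SE_SYSTEM_ENVIRONMENT_NAME)'
    'SeRestorePrivilege'           = 'Restore files and directories (SE_RESTORE_NAME)'
    'SeShutdownPrivilege'          = 'Shut down the system (SE_SHUTDOWN_NAME)'
}

function Get-EffectiveUserRights {
    # Export the user-rights area of the effective local security database (domain Group
    # Policy settings applied to this computer are already merged in) and parse the
    # [Privilege Rights] section of the export.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $assigned = @{}
    foreach ($line in (Get-Content -Path $cfg)) {
        # Entries look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $sids = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            $assigned[$Matches[1]] = $sids
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $assigned
}

function Test-UpgradeUserRights {
    param([hashtable]$Assigned)
    # Every SID on the current token: the user plus each group it belongs to. This is what
    # "member in one of the groups that has the necessary rights assigned" amounts to.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
    $allGranted = $true
    foreach ($privilege in $requiredRights.Keys) {
        $holders = $Assigned[$privilege]
        $granting = @($holders | Where-Object { $mySids -contains $_ })
        if ($granting.Count -eq 0) {
            $allGranted = $false
            Write-Warning ('{0} is not granted to {1}; Setup cannot run until it is.' -f $requiredRights[$privilege], $identity.Name)
            continue
        }
        $names = $granting | ForEach-Object {
            try { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $_ }   # a SID that no longer resolves is shown as-is
        }
        Write-Output ('OK  {0} via {1}' -f $requiredRights[$privilege], ($names -join ', '))
    }
    return $allGranted
}

Test-UpgradeUserRights -Assigned (Get-EffectiveUserRights)
```

A right that a domain Group Policy object has emptied shows up in the export with no SIDs after the equals sign, so it is reported as not granted even if the local policy once assigned it; that is the case the procedure is meant to catch.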

Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2

You can upgrade your Active Directory environment in the following ways:

- Introduce newly installed domain controllers that run Windows Server 2008 or Windows Server 2008 R2 into the forest, and then retire or upgrade all existing domain controllers.
- Perform an in-place upgrade of all existing domain controllers.

Important

If you want to upgrade the operating system of a Windows 2000 domain controller to Windows Server 2008, you must first perform an in-place upgrade of a Windows 2000 operating system to a Windows Server 2003 operating system. Then, perform an in-place upgrade of this Windows Server 2003 operating system to a Windows Server 2008 operating system. A direct Windows 2000 to Windows Server 2008 operating system upgrade is not supported.

The information in this guide also applies to Windows Server 2008 R2. If you perform an in-place upgrade of the existing domain controllers running Windows Server 2003 in the forest to Windows Server 2008 R2, remember that Windows Server 2008 R2 is an x64-based operating system. If your server is running an x64-based version of Windows Server 2003, you can successfully perform an in-place upgrade of this computer's operating system to Windows Server 2008 R2. If your server is running an x86-based version of Windows Server 2003, you cannot upgrade this computer to Windows Server 2008 R2.

Use the following procedure to introduce a member server that runs Windows Server 2008 or Windows Server 2008 R2 into your environment.

To install Windows Server 2008 or Windows Server 2008 R2

Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

1. Insert the operating system DVD into the DVD drive, and then select the option to install the operating system. As an alternative, you can use an unattended installation method.
2. Use the NTFS file system to format the partitions. Enter the computer name, static IP address, and subnet mask that are specified by your design. Enter a strong administrator password.
3. Enable Remote Desktop to enable administrators to log on remotely, if necessary. To enable Remote Desktop, in Server Manager, click Configure Remote Desktop, and then click Allow connections from computers running any version of Remote Desktop (less secure) or Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).
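Steps 2 and 3 of the procedure above, as an added PowerShell example that is not part of the Microsoft guide: it sets the static address with netsh and enables Remote Desktop with the Network Level Authentication requirement through the registry values behind the two Server Manager options (UserAuthentication 1 is the "more secure" choice, 0 the "less secure" one), then verifies the result. The adapter name and the addresses are constructed placeholders to be replaced by the values from your design.

```powershell
# Added example (not from the Microsoft guide): scripted form of steps 2 and 3 above for a
# newly installed member server. Adapter name and addresses are constructed placeholders;
# replace them with the values specified by your design.
$adapter   = 'Local Area Connection'
$ipAddress = '10.0.0.5'
$mask      = '255.255.255.0'
$gateway   = '10.0.0.1'
$dnsServer = '10.0.0.2'   # a DNS server that hosts the domain's zone

# Step 2: static IP address, subnet mask and DNS server.
netsh interface ipv4 set address name="$adapter" source=static address=$ipAddress mask=$mask gateway=$gateway
netsh interface ipv4 set dnsservers name="$adapter" source=static address=$dnsServer register=primary

# Step 3: Remote Desktop. fDenyTSConnections=0 allows remote connections; UserAuthentication=1
# is the "Allow connections only from computers running Remote Desktop with Network Level
# Authentication (more secure)" choice, UserAuthentication=0 the "any version (less secure)" one.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

# Allow the listener through Windows Firewall using the built-in rule group.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes

function Test-RemoteDesktopNla {
    # True only when Remote Desktop is enabled AND Network Level Authentication is required.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
    return ($deny -eq 0 -and $nla -eq 1)
}

Test-RemoteDesktopNla
```

Requiring Network Level Authentication means a client must authenticate before a session is created on the server, which is why the guide labels that option the more secure of the two; the test function returns False if either value is later changed back.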

You can introduce this member server to any domain in the forest. However, if your forest root domain is a dedicated root, introduce the member server into the forest root domain. Placing this member server into a dedicated root domain has the lowest impact on your environment because users generally do not log on to a dedicated forest root domain. Therefore, user authentications are minimal.

After you prepare your forest and domains for the upgrade (see Prepare Your Infrastructure for Upgrade), install AD DS on the new member server (see Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2).

Determine Supported Software Upgrades

Identify the editions of Windows 2000 or Windows Server 2003 that are running in your environment. Then, determine if you can upgrade these editions or if you must perform complete operating system reinstallations.

Important

To upgrade Windows 2000 Active Directory domains to Windows Server 2008 Active Directory Domain Services (AD DS) domains, you must perform an in-place upgrade of all existing domain controllers running Windows 2000 in the forest to domain controllers running Windows Server 2003. Then, perform an in-place upgrade of those domain controllers to Windows Server 2008. A direct in-place upgrade of a Windows 2000 edition to a Windows Server 2008 edition is not supported.

The following table lists Windows 2000 editions and indicates what editions can be upgraded directly to each edition of Windows Server 2003.

| Windows 2000 editions | Upgrade to Windows Server 2003 Standard Edition | Upgrade to Windows Server 2003 Enterprise Edition | Upgrade to Windows Server 2003 Datacenter Edition |
|---|---|---|---|
| Windows 2000 Professional | | | |
| Windows 2000 Server | | | |
| Windows 2000 Advanced Server | | | |
| Windows 2000 Datacenter Server | | | |

The following table lists Windows Server 2003 editions and indicates what editions can be upgraded directly to each edition of Windows Server 2008.

Notes

- With the exception of Windows Server 2008 editions for Itanium-Based Systems, this table applies equally to 32-bit and 64-bit Windows Server 2008 editions. However, upgrades from 32-bit to 64-bit (and from 64-bit to 32-bit) are not supported.
- The information in this guide also applies to Windows Server 2008 R2. If you perform an in-place upgrade of the existing domain controllers running Windows Server 2003 in the forest to Windows Server 2008 R2, remember that Windows Server 2008 R2 is an x64-based operating system. If your server is running an x64-based version of Windows Server 2003, you can successfully perform an in-place upgrade of this computer's operating system to Windows Server 2008 R2. If your server is running an x86-based version of Windows Server 2003, you cannot upgrade this computer to Windows Server 2008 R2. For more information about supported upgrade options, see Supported in-place upgrade paths.

| Windows Server 2003 editions | Upgrade to Windows Server 2008 Standard | Upgrade to Windows Server 2008 Enterprise | Upgrade to Windows Server 2008 Datacenter |
|---|---|---|---|
| Windows Server 2003 Standard Edition with Service Pack 1 (SP1) | | | |
| Windows Server 2003 Standard Edition with Service Pack 2 (SP2) | | | |
| Windows Server 2003 R2 Standard Edition | | | |
| Windows Server 2003 Enterprise Edition with SP1 | | | |
| Windows Server 2003 Enterprise Edition with SP2 | | | |
| Windows Server 2003 R2 Enterprise Edition | | | |
| Windows Server 2003 Datacenter Edition with SP1 | | | |
| Windows Server 2003 Datacenter Edition with SP2 | | | |
| Windows Server 2003 R2 Datacenter Edition | | | |

Assess Hardware Requirements

Review and document the existing hardware configuration of each domain controller that you plan to upgrade. Use this information to identify the domain controllers in your environment that you can upgrade and the domain controllers that do not meet the hardware requirements necessary to run Windows Server 2008 or Windows Server 2008 R2. You can retain domain controllers that do not meet the necessary hardware requirements to serve as rollback servers if you must roll back your deployment. In most cases, a Windows 2000-based domain controller meets the requirements to be upgraded to Windows Server 2008 as long as it has adequate disk space.

At minimum, a domain controller requires available free disk space for the Active Directory Domain Services (AD DS) database, AD DS log files, SYSVOL, and the operating system. Use the following guidelines to determine how much disk space to allot for your AD DS installation:

- On the drive that will contain the AD DS database, NTDS.dit, provide 0.4 gigabytes (GB) of storage for each 1,000 users. For example, for a forest with two domains (domain A and domain B) with 10,000 users and 5,000 users, respectively, provide a minimum of 4 GB of disk space for each domain controller that hosts domain A and provide a minimum of 2 GB of disk space for each domain controller that hosts domain B. Available space must equal at least 10 percent of your existing database size or at least 250 megabytes (MB), whichever is greater.
- On the drive containing the AD DS log files, provide at least 500 MB of available space.
- On the drive containing the SYSVOL shared folder, provide at least 500 MB of available space.
- On the drive containing the operating system files, to run setup, provide at least 1.25 GB to 2 GB of available space.

    Disk space requirements for upgrading toWindows Server 2008

    The upgrade process from Windows Server 2003 to Windows Server 2008 requires free disk

    space for the new operating system image, for the Setup process, and for any installed server

    roles. An error is logged when the domain controller role detects insufficient disk space to perform

    the upgrade.

Additional disk space information may appear in the compatibility report that Setup displays.

For the domain controller role, the volume or volumes that host the following resources also have specific free disk space requirements:

• Application Data (%AppData%)
• Program Files (%ProgramFiles%)
• Users Data (%SystemDrive%\Documents and Settings)
• Windows Directory (%WinDir%)

The free space on the %WinDir% volume must be equal to or greater than the current size of the resources listed above and their subordinate folders when they are located on the %WinDir% volume. By default, Dcpromo.exe places the Active Directory database and log files under %WinDir%, in which case their size is included in the free disk space requirement for the %WinDir% folder.

For example, suppose that you have the following resources located on the %WinDir% volume, with the sizes listed in the following table.

Resource                                            Size
Application Data (%AppData%)                        100 MB
Program Files (%ProgramFiles%)                      100 MB
Users Data (%SystemDrive%\Documents and Settings)   50 MB
Windows Directory (%WinDir%)                        1 GB
Total size                                          1.25 GB

In this example, the free space on the %WinDir% volume must be equal to 1.25 GB or greater. However, if the Active Directory database is hosted outside any of the folders above, then the hosting volume or volumes must only contain additional free space equal to at least 10 percent of the current database size or 250 MB, whichever is greater. Finally, the free space on the volume that hosts the log files must be at least 50 MB.

A default installation of Active Directory in Windows Server 2003 has the Active Directory database and log files under %WinDir%\NTDS. With this configuration, the Ntds.dit database file and all the log files are temporarily copied over to the quarantine location and then copied back to their original location; this is why additional free space is required for those resources. Although the SYSVOL directory is also under %WinDir% (that is, %WinDir%\SYSVOL), it is moved and not copied. Therefore, it does not require any additional free space.

After the upgrade, the space that was reserved for the copied resources is returned to the file system.

Disk space requirements for upgrading to Windows Server 2008 R2

The Active Directory database, NTDS.dit, on Windows Server 2008 R2 domain controllers can be larger than in previous versions of Windows for the following reasons:

• The "partial merge" feature is disabled on Windows Server 2008 R2 domain controllers.
• Windows Server 2008 R2 domain controllers add two new indices on the large link table.
• The Active Directory Recycle Bin in Windows Server 2008 R2 preserves attributes on deleted objects for the recycled object lifetime.

For Active Directory Recycle Bin, the database increases in size at the following moments:

• After Windows Server 2008 R2 adprep /forestprep completes and the first Windows Server 2008 R2 domain controller is installed, there is a new indexed attribute, isRecycled, whose value is set for all deleted objects.
• After the Active Directory Recycle Bin is enabled, all attributes are kept on deleted objects. More disk space is required as more object deletions occur.

In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle Bin feature increased the size of the AD DS database by an additional 15 to 20 percent of the original database size, using the default deletedObjectLifetime and recycledObjectLifetime values of 180 days. Additional space requirements depend on the size and count of the objects that are recycled.

An in-place upgrade of a domain controller to Windows Server 2008 R2 requires sufficient disk space for the upgrade process to copy the following folders:

• %SystemRoot%
• %ProgramFiles%
• %SystemDrive%\Program Files
• %ProgramFiles(x86)%
• %SystemDrive%\build
• %SystemDrive%\InstalledRepository
• %ProfilesFolder%
• %ProgramData%
• %SystemDrive%\Documents and Settings

The following table shows the test results for an upgrade of a domain controller from Windows Server 2008 to Windows Server 2008 R2. In this table:

• = 15 GB (the minimum amount of free space on a Windows hard drive that Windows Setup requires)
• The original size of Ntds.dit was 5 GB.

Scenario 1
Ntds.dit location: Ntds.dit is located on the same drive as the system, but it is out of %windir%.
Free space (GB) on the system drive: 1
Result: In this scenario, Ntds.dit does not have to be copied from the Windows.old folder to the Windows folder, but there is not enough space to copy the Windows Setup files. The compatibility report finds that there is not enough space to copy Windows files. The upgrade is blocked at the compatibility report.

Scenario 2
Ntds.dit location: Ntds.dit is located on a different drive than the system.
Free space (GB) on the system drive:
Result: In this scenario, the disk meets the minimum free-space requirements for the Windows files to be installed, and Ntds.dit does not have to be copied from the Windows.old folder to the Windows folder. The compatibility report warns the user that the amount of free space meets the minimum requirements and that the upgrade process would take longer. The domain controller is upgraded successfully.

Scenario 3
Ntds.dit location: Ntds.dit is located in the default folder: %windir%\ntds\
Free space (GB) on the system drive: + 1
Result: In this scenario, the disk meets the minimum free-space requirements for the Windows files to be installed, which causes the compatibility report to be bypassed. However, Ntds.dit is located under the Windows folder, which causes the upgrade to copy it from the Windows.old folder to the Windows folder. This last step fails because there is not enough space on the disk to fit Ntds.dit. Because the database was not copied to the new operating system, Windows Server 2008 R2 is not able to locate Ntds.dit on its first start, which causes an error and forces the computer to roll back to the previous operating system.

ERROR_CODE: (NTSTATUS) 0xc00002ec - Directory Services could not start because of the following error: %hs Error Status: 0x%x. Click OK to shut down the system. You can use the recovery console to diagnose the system further.
Err 0xc00002ec = STATUS_DS_INIT_FAILURE_CONSOLE

The domain controller is rolled back to Windows Server 2008 successfully.

Scenario 4
Ntds.dit location: Ntds.dit is located on the same drive as the system, but it is out of %windir%.
Free space (GB) on the system drive:
Result: In this scenario, the disk meets the minimum free-space requirements for the Windows files to be installed, and Ntds.dit does not have to be copied from the Windows.old folder to the Windows folder. The compatibility report warns the user that the amount of free space meets the minimum requirements and that the upgrade process would take longer. The domain controller is upgraded successfully.
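The free-space rules from the two "Disk space requirements" sections, gathered into a pre-upgrade check, as an added example that is not part of the Microsoft guide. It assumes an elevated PowerShell session on the domain controller itself and reads the database and log locations from the NTDS service parameters under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters; the function and variable names are the example's own.

```powershell
# Added example (not from the guide): pre-upgrade free-space check for one domain controller.
# Rule 1: free space on the %WinDir% volume >= current size of %AppData%, %ProgramFiles%,
#         %SystemDrive%\Documents and Settings and %WinDir% (each counted only when it is on
#         that volume). With the default %WinDir%\NTDS location the database and logs are
#         part of the %WinDir% size, and Setup must copy them back from Windows.old.
# Rule 2: a database outside %WinDir% needs max(10% of Ntds.dit, 250 MB) free on its volume.
# Rule 3: the log-file volume needs at least 50 MB free.

function Get-FolderSizeBytes {
    # Explicit-stack walk so that junctions and symbolic links (for example the
    # profile-folder links on Windows Server 2008) are neither followed nor counted
    # twice. Folders that deny access are skipped instead of aborting the check.
    param([string]$Path)
    $total = [long]0
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $total }
    $stack = New-Object System.Collections.Stack
    $stack.Push($Path)
    while ($stack.Count -gt 0) {
        $dir = [string]$stack.Pop()
        try {
            foreach ($f in [System.IO.Directory]::GetFiles($dir)) {
                $total += (New-Object System.IO.FileInfo $f).Length
            }
            foreach ($d in [System.IO.Directory]::GetDirectories($dir)) {
                $attr = [int](New-Object System.IO.DirectoryInfo $d).Attributes
                if (($attr -band [int][System.IO.FileAttributes]::ReparsePoint) -eq 0) {
                    $stack.Push($d)
                }
            }
        } catch { }
    }
    return $total
}

function Get-VolumeRoot {
    # 'C:\Windows\NTDS\ntds.dit' -> 'C:\'
    param([string]$Path)
    return [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path)).ToUpper()
}

function Get-FreeBytes {
    param([string]$Root)
    return (New-Object System.IO.DriveInfo $Root).AvailableFreeSpace
}

function Test-DcUpgradeDiskSpace {
    $winDir  = $env:WinDir
    $winRoot = Get-VolumeRoot $winDir
    $ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction Stop
    $ditPath = $ntds.'DSA Database file'
    $logPath = $ntds.'Database log files path'
    $ditSize = (New-Object System.IO.FileInfo $ditPath).Length

    # Rule 1: the four resources named in the guide, counted only when on the %WinDir% volume.
    $resources = @(
        $env:AppData,
        $env:ProgramFiles,
        (Join-Path $env:SystemDrive 'Documents and Settings'),
        $winDir
    )
    $winDirNeed = [long]0
    foreach ($p in $resources) {
        if ($p -and (Test-Path -LiteralPath $p) -and (Get-VolumeRoot $p) -eq $winRoot) {
            $winDirNeed += Get-FolderSizeBytes $p
        }
    }

    # Rules 2 and 3.
    $ditUnderWinDir = $ditPath.ToUpper().StartsWith(($winDir.TrimEnd('\') + '\').ToUpper())
    $ditNeed = if ($ditUnderWinDir) { [long]0 } else { [Math]::Max([long]($ditSize * 0.1), 250MB) }
    $logNeed = 50MB

    $checks = @(
        @{ Check = '%WinDir% volume';  Volume = $winRoot;                  Required = $winDirNeed },
        @{ Check = 'Ntds.dit volume';  Volume = (Get-VolumeRoot $ditPath); Required = $ditNeed },
        @{ Check = 'Log files volume'; Volume = (Get-VolumeRoot $logPath); Required = $logNeed }
    )
    foreach ($c in $checks) {
        $free = Get-FreeBytes $c.Volume
        New-Object PSObject -Property @{
            Check        = $c.Check
            Volume       = $c.Volume
            RequiredMB   = [Math]::Round($c.Required / 1MB)
            FreeMB       = [Math]::Round($free / 1MB)
            Passed       = ($free -ge $c.Required)
            NtdsInWinDir = $ditUnderWinDir   # True means Setup will copy Ntds.dit back from Windows.old
        }
    }
}

Test-DcUpgradeDiskSpace | Format-Table Check, Volume, RequiredMB, FreeMB, Passed, NtdsInWinDir -AutoSize
```

A row with Passed = False and NtdsInWinDir = True is the combination that the third scenario in the table above ends in: Setup proceeds but cannot copy the database back and the computer rolls back.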

Determine Domain Controller Upgrade Order

Determine the order in which you will upgrade your domain controllers before you begin the domain upgrade process. Record the name, IP address, the domain in which the domain controller will be located, and the operations master roles held by each domain controller before and after the upgrade. Finally, record the order in which you will upgrade the operating system on each domain controller.

One possible order for upgrading domain controllers is as follows:

1. Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 in the forest root domain by using the Active Directory Domain Services Installation Wizard (Dcpromo.exe).

2. In each domain, upgrade the operating system on the domain controller that holds the primary domain controller (PDC) emulator operations master role, or transfer the role to a domain controller that runs Windows Server 2008 or Windows Server 2008 R2.

   Some tasks, such as creation of the Enterprise Read-Only Domain Controllers group, are performed on the PDC emulator only if it is running Windows Server 2008 or Windows Server 2008 R2. It may be preferable to upgrade the PDC emulator for that reason, but it is not a requirement. If the PDC emulator is not upgraded, the Enterprise Read-Only Domain Controllers group is created when the first read-only domain controller (RODC) is added to the domain.

3. Continue upgrading domain controllers or retiring domain controllers that you no longer want to keep in your infrastructure, until the domain upgrade is complete.

Notes

This order for upgrading or adding new domain controllers is a recommendation only. It is safe to upgrade the domain controllers holding any operations master role at any time in the upgrade process.

Similarly, you can independently upgrade each domain within a forest that has multiple domains. For example, you can begin upgrading domain controllers in a child domain before you upgrade domain controllers in the root domain of the same forest.

Use a domain controller documentation table to document information about each domain controller in the forest. For a worksheet to assist in documenting your domain controller information, see Job Aids for Windows Server 2003 Deployment Kit (http://go.microsoft.com/fwlink/?LinkID=102558). Download Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip, and then open DSSUPWN_2.doc.

Develop a Test Plan for Your Domain Upgrade Process

It is important to develop a plan for testing your domain upgrade procedures throughout the upgrade process. Before you begin, test your existing domain controllers to ensure that they are functioning properly. Continue to test your domain controllers throughout the process to verify that Active Directory Domain Services (AD DS) replication is consistent and successful.

The following table lists the tools and log files to use in your test plan. For more information about installing tools to test domain controllers, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkId=177813).

Tool/log file: Repadmin.exe
Description: Checks replication consistency and monitors both inbound and outbound replication partners. Displays replication status of inbound replication partners and directory partitions.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Dcdiag.exe
Description: Diagnoses the state of domain controllers in a forest or enterprise, tests for successful Active Directory connectivity and functionality, and returns the results as passed or failed.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Nltest.exe
Description: Queries and checks the status of trusts and can forcibly shut down domain controllers. Provides domain controller location capabilities.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Dnscmd.exe
Description: Provides the properties of Domain Name System (DNS) servers, zones, and resource records.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Adprep.log
Description: Provides a detailed progress report of the forest and domain preparation process.
Location: %SystemRoot%\Windows\Debug\ADPrep\Logs

Tool/log file: Dcpromoui.log and Dcpromo.log
Description: Provides a detailed progress report of the Active Directory installation. Includes information regarding replication and services in addition to applicable error messages.
Location: %systemroot%\Windows\debug
Note: These logs are added to the server as part of the AD DS installation.

Tool/log file: Adsiedit.exe
Description: A Microsoft Management Console (MMC) snap-in that acts as a low-level editor for AD DS and allows you to view, add, delete, and move objects and attributes within the directory.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

For more information about support tools for Windows, see Help and Support for Windows Server 2008.

Determine Service Pack Levels

Before preparing your infrastructure for upgrade, all Windows 2000-based domain controllers in the forest must be running Windows 2000 Service Pack 4 (SP4). Use the repadmin /showattr command to perform an inventory of the operating system and service pack revision level on all domain controllers in a particular domain.

Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the operating system and service pack revision level on all domain controllers

• For each domain in the forest, type the following command at the command line of a computer that has the support tools for Windows Server 2008 installed, and then press ENTER:

repadmin /showattr domain_controller_in_target_domain ncobj:domain: /filter:"(&(objectcategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack

The following text is sample output from this command:

DN: CN=NA-DC-01,OU=Domain Controllers,DC=company,DC=com
1> operatingSystem: Windows Server 2008 Standard
1> operatingSystemVersion: 6.0 (6001)
1> operatingSystemServicePack: Service Pack 1, v.624

Note
The repadmin /showattr command does not show any hotfixes that might be installed on a domain controller.

Parameter | Description
repadmin /showattr | Displays the attributes on an object.
domain_controller_in_target_domain | Specifies the fully qualified domain name (FQDN) of the domain controller.
/filter:"(&(objectcategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack | Filters the output to display the object's operating system, operating system version, and operating system service pack.

Upgrade domain controllers to the appropriate service pack as necessary.
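Turning the repadmin /showattr output above into an inventory that flags the domain controllers this section says must be fixed first (Windows 2000 below SP4), as an added example that is not part of the Microsoft guide. The function names are the example's own, and the sample output is constructed: only the NA-DC-01 record is the guide's, the other records are invented for the illustration.

```powershell
# Added example (not from the guide): parse repadmin /showattr text into objects and
# report Windows 2000 domain controllers that are not yet at Service Pack 4.

function ConvertFrom-RepadminShowAttr {
    # Each object starts with a "DN: ..." line; its attributes follow as "<n>> name: value".
    param([Parameter(ValueFromPipeline=$true)][string[]]$Line)
    begin { $current = $null }
    process {
        foreach ($l in $Line) {
            if ($l -match '^\s*DN:\s*(.+?)\s*$') {
                if ($current) { New-Object PSObject -Property $current }
                $dn = $Matches[1]
                # Name = the leading CN component of the distinguished name
                $current = @{ DN = $dn; Name = ($dn -replace '^CN=([^,]+),.*$', '$1') }
            } elseif ($current -and $l -match '^\s*\d+>\s*([A-Za-z0-9]+):\s*(.*?)\s*$') {
                $current[$Matches[1]] = $Matches[2]
            }
        }
    }
    end { if ($current) { New-Object PSObject -Property $current } }
}

function Get-DcServicePackFindings {
    # One finding per domain controller that does not meet the Windows 2000 SP4 prerequisite.
    # A Windows 2000 record with no operatingSystemServicePack attribute means no service pack.
    param([Parameter(ValueFromPipeline=$true)]$Dc)
    process {
        $os = [string]$Dc.operatingSystem
        $sp = [string]$Dc.operatingSystemServicePack
        if ($os -like 'Windows 2000*' -and $sp -ne 'Service Pack 4') {
            New-Object PSObject -Property @{
                Name    = $Dc.Name
                OS      = $os
                Version = [string]$Dc.operatingSystemVersion
                SP      = if ($sp) { $sp } else { '(none)' }
                Finding = 'Windows 2000 domain controller must run SP4 before adprep /forestprep'
            }
        }
    }
}

# Constructed sample output. For a live inventory pipe the command itself into the parser:
#   repadmin /showattr <dc> ncobj:domain: /filter:"(&(objectcategory=computer)(primaryGroupID=516))" /subtree `
#       /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack | ConvertFrom-RepadminShowAttr
$sample = @'
DN: CN=NA-DC-01,OU=Domain Controllers,DC=company,DC=com
    1> operatingSystem: Windows Server 2008 Standard
    1> operatingSystemVersion: 6.0 (6001)
    1> operatingSystemServicePack: Service Pack 1, v.624

DN: CN=NA-DC-02,OU=Domain Controllers,DC=company,DC=com
    1> operatingSystem: Windows Server 2003
    1> operatingSystemVersion: 5.2 (3790)
    1> operatingSystemServicePack: Service Pack 2

DN: CN=EU-DC-01,OU=Domain Controllers,DC=company,DC=com
    1> operatingSystem: Windows 2000 Server
    1> operatingSystemVersion: 5.0 (2195)
    1> operatingSystemServicePack: Service Pack 3

DN: CN=EU-DC-02,OU=Domain Controllers,DC=company,DC=com
    1> operatingSystem: Windows 2000 Server
    1> operatingSystemVersion: 5.0 (2195)
'@

$dcs = $sample -split "`r?`n" | ConvertFrom-RepadminShowAttr
$dcs | Format-Table Name, operatingSystem, operatingSystemVersion, operatingSystemServicePack -AutoSize
# Flags EU-DC-01 (SP3) and EU-DC-02 (no service pack) for the constructed sample.
$dcs | Get-DcServicePackFindings | Format-Table Name, OS, SP, Finding -AutoSize
```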

Back Up Domain Data

Back up your domain data before you begin the upgrade. This task varies based on the operations and procedures that already exist in your environment. At a minimum, complete the following steps:

• To allow for fault tolerance, ensure successful replication between two domain controllers in each domain.
• Back up two domain controllers in each domain in the forest, including System State data.
• Test all backup media to ensure that the data can be restored successfully.
• Store backup media in a secure offsite location designated by (and accessible to) the upgrade team before you begin the upgrade process.
• Develop a recovery plan to use if some portion of your domain upgrade process fails. A successful recovery plan includes the following:
  - Step-by-step instructions that enable the upgrade team to restore normal operations to the organization.
  - An approval process, ensuring that all team members review, agree on, and approve the recovery plan.
• If you plan to retire or upgrade the first promoted domain controllers of your Windows 2000 or Windows Server 2003 domains, we highly recommend that you export and back up the private key of the Encrypting File System (EFS) recovery agent. EFS is a component of the NTFS file system that enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. You can use EFS to encrypt data files to prevent unauthorized access. For more information, see article 241201 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=114578).

Resolve Upgrade and Application Compatibility Problems

For more information about upgrades to Windows Server 2008 and Windows Server 2008 R2, see Known Issues for Upgrades to Windows Server 2008 and Windows Server 2008 R2.

Known issues for upgrading to Windows Server 2003

Before upgrading a server to Windows Server 2003, use the Winnt32.exe command-line tool with the /checkupgradeonly parameter to identify potential upgrade problems such as inadequate hardware resources or compatibility problems.

Two application compatibility problems you might need to resolve include the following:

• Distributed File System (DFS) root shares are not supported if they are hosted on a file allocation table (FAT) partition.

  In Windows Server 2003, DFS root shares must be located on NTFS partitions with no files or directories under the DFS link. For more information about deploying DFS, see Designing and Deploying File Servers (http://go.microsoft.com/fwlink/?LinkID=27928).

• Windows 2000-based computers running Windows Deployment Services might cause errors in a Windows Server 2003 Active Directory domain.

  When using a Windows 2000-based Windows Deployment Services server in your Windows Server 2003 Active Directory domain, you might receive the following error when using the Client Installation Wizard:

  "Unable to create or Modify Computer account"
  Error: 00004E4F

  This error occurs because Windows Server 2003 creates machine account objects differently from Windows 2000. To prevent this error from occurring when creating machine accounts, configure the Windows 2000-based Windows Deployment Services servers in your environment to point to a domain controller running Windows 2000. This is done by adding the DefaultServer registry parameter to the Windows 2000-based Windows Deployment Services servers. For more information about configuring optional registry parameters for the Boot Information Negotiation Layer (BINL) service, see article 235979 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=106488).

You must remove the Windows 2000 Administration Tools Pack before upgrading to Windows Server 2003. For more information about Windows 2000 administration tools and upgrade issues, see article 304718 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=106490).

Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To identify potential upgrade and compatibility problems

• At the command line, connect to the I386 directory at your installation source, type the following command, and then press ENTER:

winnt32 /checkupgradeonly

Parameter | Description
winnt32 /checkupgradeonly | Checks your computer for upgrade compatibility with products in the Windows Server 2003 family.

Performing the Upgrade of Active Directory Domains

To upgrade your Active Directory domains, complete the tasks in Checklist: Upgrade Tasks.

In this guide

• Checklist: Upgrade Tasks
• Prepare Your Infrastructure for Upgrade
• Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
• Upgrade Existing Domain Controllers
• Modify Default Security Policies
• Update Group Policy Permissions
• Perform Clean-up Tasks

Checklist: Upgrade Tasks

Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Checklist: Upgrade Tasks

Task | Reference
Prepare your Active Directory infrastructure for upgrade. | Prepare Your Infrastructure for Upgrade
Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 in the forest root domain. | Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
Upgrade existing domain controllers. | Upgrade Existing Domain Controllers
Modify default security policies as needed. | Modify Default Security Policies
Update Group Policy permissions. Note: This step is required only if you are upgrading Windows 2000 Active Directory domains. | Update Group Policy Permissions
Perform clean-up tasks. | Perform Clean-up Tasks

Prepare Your Infrastructure for Upgrade

Preparing your Active Directory infrastructure for upgrade includes the following tasks:

• Prepare the forest schema by running adprep /forestprep.
• Prepare each domain where you want to install a domain controller that runs Windows Server 2008 or Windows Server 2008 R2 by running adprep /domainprep /gpprep.
• Prepare the forest for read-only domain controllers (RODCs), if you plan to install them, by running adprep /rodcprep.

Important
Review the list of operations that Adprep.exe performs in Windows Server 2008, and test the schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment. There should not be any conflicts if your applications use RFC-compliant object and attribute definitions. For a list of specific operations that are performed when you update the Active Directory schema, see Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS and Windows Server 2008 R2: Appendix of Changes to Adprep.exe to Support AD DS.

For more information about running Adprep.exe, see Run Adprep commands.

Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2

Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 by using the Active Directory Domain Services Installation Wizard (Dcpromo.exe). The member server should be located in the forest root domain. After you install AD DS successfully, the member server will become a domain controller. You can install AD DS on any member server that meets the domain controller hardware requirements.

You can install AD DS using the Windows user interface (UI). The Windows UI provides two wizards that guide you through the installation process for AD DS. One wizard is the Add Roles Wizard, which you can access in Server Manager. The other wizard is the Active Directory Domain Services Installation Wizard (Dcpromo.exe), which you can access in either of the following ways:

• When you complete the steps in the Add Roles Wizard, click the link to start the Active Directory Domain Services Installation Wizard.
• Click Start, click Run, type dcpromo.exe, and then click OK.

Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Depending on the operating system installation options that you selected for the computer, the local Administrator password might be blank or it might not be required. In this case, run the following command at a command prompt before you start to install AD DS:

net user Administrator password /passwordreq:yes

Replace password with a strong password.

To install AD DS on a member server by using the Windows interface

1. Click Start, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. If necessary, review the information on the Before You Begin page, and then click Next.
4. On the Select Server Roles page, select the Active Directory Domain Services check box, and then click Next.
5. If necessary, review the information on the Active Directory Domain Services page, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).

    to create the domain controller and configure AD DS, or you can have all the replication

    done over the network. Note that some data will be replicated over the network even if

    you install from media. For information about using this method to install the domain

    controller, see Installing AD DS From Media.

    16. If you selected Use advanced mode installation on the Welcome page, the SourceDomain Controllerpage appears. Click Let the wizard choose an appropriate

    domain controlleror click Use this specific domain controllerto specify a domain

    controller that you want to provide as a source for replication to create the new domain

    controller, and then click Next. If you do not choose to install from media, all data will be

    replicated from this source domain controller.

    17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the

    volume and folder locations for the database file, the directory service log files, and the

    system volume (SYSVOL) files, and then click Next.

    Windows Server Backup backs up the directory service by volume. For backup and

    recovery efficiency, store these files on separate volumes that do not contain applications

    or other nondirectory files.

    18. On the Directory Services Restore Mode Administrator Password page, type and

    confirm the restore mode password, and then click Next. This password must be used to

    start AD DS in Directory Service Restore Mode (DSRM) for tasks that must be performed

    offline.

    19. On the Summary page, review your selections. Click Back to change any selections,

    if necessary.

    To save the settings that you have selected to an answer file that you can use to

    automate subsequent Active Directory operations, click Export settings. Type the name

    for your answer file, and then click Save.

    When you are sure that your selections are accurate, click Next to install AD DS.

    20. On the Completing the Active Directory Domain Services Installation Wizard

    page, click Finish.

    21. You can either select the Reboot on completion check box to have the server

    restart automatically or you can restart the server to complete the AD DS installation

    when you are prompted to do so.

    For information about installing AD DS by using a command line or an answer file, see Installing

    an Additional Domain Controller.

    Upgrade Existing Domain Controllers

    When you upgrade the operating system on domain controllers, the computer immediately

    assumes the role of domain controller after the final restart of the computer. It is not necessary to

    install Active Directory Domain Services (AD DS) by using the Active Directory Domain Services

    Installation Wizard (Dcpromo.exe).


    Important

    If you want to upgrade the operating system of a Windows 2000 domain controller to Windows Server 2008, you must first perform an in-place upgrade of the Windows 2000 operating system to a Windows Server 2003 operating system. Then, perform an in-place upgrade of this Windows Server 2003 operating system to a Windows Server 2008 operating system. A direct Windows 2000-to-Windows Server 2008 operating system upgrade is not supported.

    Important

    The information in this guide also applies to Windows Server 2008 R2. If you want to perform an in-place upgrade of the existing domain controllers running Windows Server 2003 in the forest to Windows Server 2008 R2, remember that Windows Server 2008 R2 is an x64-based operating system. If your server is running an x64-based version of Windows Server 2003, you can successfully perform an in-place upgrade of this computer's operating system to Windows Server 2008 R2. If your server is running an x86-based version of Windows Server 2003, you cannot upgrade this computer to Windows Server 2008 R2.

    To initiate the installation of the Windows Server 2003 operating system on a Windows 2000-based domain controller, insert the Windows Server 2003 operating system CD on the domain controller. Or, if the Windows Server 2003 media are shared over the network, run the Winnt32.exe command-line tool. You can also perform an unattended installation of Windows Server 2003. Instructions for creating an answer file for an Active Directory installation are located in the Deploy.cab file in the Support\Tools folder on the Windows Server 2003 operating system CD. Inside the Deploy.cab file, open Ref.chm to access the Unattend.txt file. Expand Unattend.txt in the left pane, and then click DCInstall.

    To initiate the installation of the Windows Server 2008 or Windows Server 2008 R2 operating system on a Windows Server 2003-based domain controller, insert the operating system DVD on the domain controller. Or, if the operating system installation media are shared over the network, run the Setup.exe command-line tool.

    Unattended upgrade

    You can also perform an unattended upgrade by using an answer file. For more information about how to create a new answer file, see "Step 2: Building an Answer File" in the Windows Vista Deployment Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=66066).

    Here is a sample of an answer file that can be used to perform an unattended upgrade to Windows Server 2008:


    Machine Name

    Product-Key

    True

    User Name

    Organization Name

    Never

    0

    1

    Image/Name

    W2K8S

    Never

    0

    False


    1

    1

    C

    True

    True

    True

    EN-US

    Domain Name

    Administrator

    Administrators


    True

    Domain Name

    User Name

    User Password

    9999

    1

    Command To Execute

    "RunOnceItem0"

    2

    Command To Execute

    "Post Install Command Execute"

    True

    True

    After you create the answer file, use the following procedure to perform an unattended upgrade of a Windows Server 2003-based domain controller.

    To perform an in-place domain controller upgrade by using an answer file

    Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

    Depending on the operating system installation options that you selected for the computer, the local Administrator password might be blank or it might not be required. In this case, run the following command at a command prompt before you start to install AD DS:

    net user Administrator password /passwordreq:yes

    Replace password with a strong password.

    1. At the command prompt, type the following:

    setup.exe /unattend:"path to the answer file"

    2. Press ENTER.

    Modify Default Security Policies

    To increase security, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require (by default) that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. If your production environment includes client computers that run platforms that do not support SMB packet signing (for example, Microsoft Windows NT 4.0 with Service Pack 2 (SP2)) or client computers that run platforms that do not support secure channel signing (for example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify the default security policies so that client computers running older versions of the Windows operating system or non-Microsoft operating systems can still access domain resources in the upgraded domain.

    Note

    By modifying the settings of the default security policies, you are weakening the default security policies in your environment. Therefore, we recommend that you upgrade your Windows-based client computers as soon as possible. After all client computers in your environment are running versions of Windows that support SMB packet signing and secure channel signing, you can re-enable the default security policies to increase security.

    To configure a domain controller to not require SMB packet signing or secure channel signing, disable the following settings in the Default Domain Controllers Policy:

    Microsoft network server: Digitally sign communications (always)

    Domain member: Digitally encrypt or sign secure channel data (always)

    Back up the Default Domain Controllers Policy Group Policy object (GPO) before you modify it. Use the Group Policy Management Console (GPMC) to back up the GPO so that it can be restored, if necessary.

    Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


    gpupdate /force

    Note

    Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.

    For more information about SMB packet signing and secure channel signing, see Appendix A: Background Information for Upgrading Active Directory Domains.

    By default, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 also prohibit clients running non-Microsoft operating systems or Windows NT 4.0 from establishing secure channels by using weak, Windows NT 4.0-style cryptographic algorithms. Any secure channel-dependent operation that is initiated by clients running older versions of the Windows operating system or non-Microsoft operating systems that do not support strong cryptographic algorithms will fail against a Windows Server 2008-based domain controller.

    Until you are able to upgrade all of the clients in your infrastructure, you can temporarily relax this requirement by modifying the following default domain policy setting on your domain controllers:

    Allow cryptography algorithms compatible with Windows NT 4.0

    To allow cryptography algorithms that are compatible with Windows NT 4.0

    Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

    1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.

    2. In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.

    3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine/System/Net Logon.

    4. In the details pane, double-click Allow cryptography algorithms compatible with Windows NT 4.0, and then click Enabled.

    Note

    By default, the Not Configured option is selected, but, programmatically, after you upgrade a server to Windows Server 2008 domain controller status, this policy is set to Disabled.

    To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:

    gpupdate /force
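Added example (not from the guide): a Windows PowerShell audit of the three policies discussed in this section as they take effect on a domain controller, read from the registry values that these policies write. The policy-to-value-name mapping is an assumption made here and is not stated in the guide; run it on each domain controller after gpupdate /force to find controllers that are still relaxed for legacy clients.

```powershell
# Added example, not part of the Microsoft guide. Reads the registry values behind the
# SMB signing, secure channel signing and NT 4.0 cryptography policies on the local DC
# and reports which of them are currently relaxed. Value names are assumed from the
# policy-to-registry mapping (LanmanServer and Netlogon parameters), not from the guide.

function Get-DcLegacyCompatibilityState {
    $checks = @(
        @{ Policy      = 'Microsoft network server: Digitally sign communications (always)'
           Path        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name        = 'RequireSecuritySignature'
           SecureValue = 1 },
        @{ Policy      = 'Domain member: Digitally encrypt or sign secure channel data (always)'
           Path        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name        = 'RequireSignOrSeal'
           SecureValue = 1 },
        @{ Policy      = 'Allow cryptography algorithms compatible with Windows NT 4.0'
           Path        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name        = 'AllowNT4Crypto'
           SecureValue = 0 }
    )

    foreach ($c in $checks) {
        # A missing value means the policy has never been written; the OS default applies.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -eq $null) {
            $value = $null
            $state = 'not set (operating system default applies)'
        }
        elseif ([int]$item.($c.Name) -eq $c.SecureValue) {
            $value = [int]$item.($c.Name)
            $state = 'hardened (default)'
        }
        else {
            $value = [int]$item.($c.Name)
            $state = 'RELAXED for legacy clients'
        }
        New-Object PSObject -Property @{
            Policy = $c.Policy
            Value  = $value
            State  = $state
        }
    }
}

# Show all three settings, then single out the relaxed ones for follow-up.
$results = Get-DcLegacyCompatibilityState
$results | Format-Table Policy, Value, State -AutoSize
$relaxed = @($results | Where-Object { $_.State -like 'RELAXED*' })
if ($relaxed.Count -gt 0) {
    Write-Warning ('{0} of 3 settings on {1} are relaxed; re-harden them once the legacy clients are upgraded.' -f $relaxed.Count, $env:COMPUTERNAME)
}
```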


    cd /d %programfiles%\Microsoft Group Policy\GPMC Sample Scripts

    2. Type the following, and then press ENTER:

    Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /permission:read /domain:DNSDomainName /Replace

    Using the Replace switch removes existing permissions for the group or user before making the change. If a group or user is already granted a permission type that is higher than the new permission type, and you do not specify Replace, no change is made.

    Perform Clean-up Tasks

    After upgrading your Active Directory infrastructure to Active Directory Domain Services (AD DS), perform the following clean-up operations:

    After the security descriptor propagator has finished building the single-instance store, perform an offline defragmentation of the database on each upgraded domain controller. This reduces the size of AD DS on the file system by up to 40 percent, reduces the memory footprint, and updates pages in the database to the new format. For more information, see Compact the directory database file (offline defragmentation) (http://go.microsoft.com/fwlink/?LinkID=106343).

    Note

    This task is relevant only when you are performing an in-place upgrade from Windows 2000 to Windows Server 2003. If you are upgrading a Windows 2000 domain controller to Windows Server 2008 (which requires an in-place upgrade from Windows 2000 to Windows Server 2003, followed by an in-place upgrade from Windows Server 2003 to Windows Server 2008), we recommend that you perform this task after your domain controller is upgraded to Windows Server 2003.

    Create a new System State backup for at least two domain controllers in your environment. For more information about backing up AD DS, see the AD DS Backup and Recovery Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=93077). Be sure to label all backup tapes with the operating system version that the domain controller is running, including service packs and hotfixes.

    Completing the Upgrade of Active Directory Domains

    To complete the upgrade of your Active Directory domains, perform the tasks in Checklist: Post-Upgrade Tasks.


    In this guide

    Checklist: Post-Upgrade Tasks

    Raise the Functional Levels of Domains and Forests

    Move DNS Data into DNS Application Directory Partitions

    Redirect Users and Computers

    Complete the Upgrade

    Checklist: Post-Upgrade Tasks

    Complete the tasks in this checklist in the order in which they are presented.

    Checklist: Post-Upgrade Tasks

    Task: Raise the functional levels of domains and forests to enable all advanced features of Active Directory Domain Services (AD DS).
    Reference: Raise the Functional Levels of Domains and Forests

    Task: Move Domain Name System (DNS) zones into DNS application directory partitions.

    Note

    This step is optional. If you are upgrading Windows Server 2003 Active Directory domains, your DNS zones have already been stored in the DNS application directory partitions. However, if you are upgrading Windows 2000 Active Directory domains, you might choose to move your DNS zones into the newly created DNS application directory partitions.

    Reference: Move DNS Data into DNS Application Directory Partitions

    Task: Redirect users and computers to organizational units (OUs).

    Note

    The procedures described in this section are required only if you are upgrading Windows 2000 Active Directory domains. A Windows Server 2003 Active Directory domain OU structure will remain the same after the upgrade is complete.

    Reference: Redirect Users and Computers

    Task: Complete the upgrade.
    Reference: Complete the Upgrade

    Raise the Functional Levels of Domains and Forests

    To enable all Windows Server 2008 advanced features in Active Directory Domain Services (AD DS), raise the functional level of your forest to Windows Server 2008. This will automatically raise the functional level of all domains to Windows Server 2008. To enable all Windows Server 2008 R2 advanced AD DS features, raise the functional level of your forest to Windows Server 2008 R2. This will automatically raise the functional level of all domains to Windows Server 2008 R2.

    Caution

    Do not raise the forest functional level to Windows Server 2008 R2 if you have or will have any domain controllers running Windows Server 2008 or earlier.

    Important

    After you set the forest functional level to a certain value, you cannot roll back or lower the forest functional level, with one exception: when you raise the forest functional level to Windows Server 2008 R2 and Active Directory Recycle Bin is not enabled, you have the option of rolling the forest functional level back to Windows Server 2008. You can lower the forest functional level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

    For more information about the Active Directory Recycle Bin, see Active Directory Recycle Bin Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=133971).

    Use the following procedure to raise the forest functional level to Windows Server 2008.


    To raise the forest functional level

    Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

    1. Open the Active Directory Domains and Trusts snap-in. Click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

    2. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

    3. In Select an available forest functional level, do one of the following:

    To raise the forest functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.

    To raise the forest functional level to Windows Server 2008, click Windows Server 2008, and then click Raise.

    To raise the forest functional level to Windows Server 2008 R2, click Windows Server 2008 R2, and then click Raise.

    For more information about Windows Server 2008 advanced AD DS features, see Enabling Advanced Features for AD DS.
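Added example (not from the guide), assuming the Active Directory module for Windows PowerShell that ships with Windows Server 2008 R2: a pre-flight check for the Caution and Important notes above. It lists every domain controller in the forest whose operating system would block the target forest functional level and reports whether Active Directory Recycle Bin is enabled, which decides whether a Windows Server 2008 R2 level could still be rolled back to Windows Server 2008.

```powershell
# Added example, not part of the Microsoft guide. Requires the Active Directory module
# (Windows Server 2008 R2 or RSAT). Checks, before the forest functional level is raised,
# that no domain controller in any domain of the forest runs an operating system older
# than the target level, and whether Recycle Bin already rules out a rollback.
Import-Module ActiveDirectory

function Test-ForestFunctionalLevelReadiness {
    param(
        [ValidateSet('Windows2008Forest', 'Windows2008R2Forest')]
        [string]$TargetMode = 'Windows2008R2Forest'
    )
    # Pattern an acceptable operatingSystem value must match for each target level.
    # Matching on the version only, because Windows Server 2008 DCs often report
    # "Windows Server(R) 2008 ..." with the registered-trademark symbol in the name.
    $acceptable = @{
        'Windows2008Forest'   = '2008'      # Windows Server 2008 and 2008 R2 both qualify
        'Windows2008R2Forest' = '2008 R2'
    }
    $forest = Get-ADForest

    # Get-ADDomainController is scoped to one domain, so walk every domain in the forest.
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Select-Object HostName, Domain, OperatingSystem
    }
    $blocking = @($dcs | Where-Object { $_.OperatingSystem -notmatch $acceptable[$TargetMode] })

    # The Recycle Bin optional feature object exists only once the schema is at the R2 level;
    # EnabledScopes is empty until the feature has been enabled.
    $recycleBin = Get-ADOptionalFeature -Filter { Name -like "Recycle Bin Feature" }
    $recycleBinEnabled = ($recycleBin -ne $null) -and (@($recycleBin.EnabledScopes).Count -gt 0)

    New-Object PSObject -Property @{
        Forest                 = $forest.Name
        CurrentForestMode      = [string]$forest.ForestMode
        TargetMode             = $TargetMode
        BlockingControllers    = $blocking
        ReadyToRaise           = ($blocking.Count -eq 0)
        RecycleBinEnabled      = $recycleBinEnabled
        RollbackTo2008Possible = ($TargetMode -eq 'Windows2008R2Forest') -and (-not $recycleBinEnabled)
    }
}

$report = Test-ForestFunctionalLevelReadiness -TargetMode 'Windows2008R2Forest'
$report | Format-List Forest, CurrentForestMode, TargetMode, ReadyToRaise, RecycleBinEnabled, RollbackTo2008Possible
if (-not $report.ReadyToRaise) {
    Write-Warning 'These domain controllers must be upgraded or demoted before the level is raised:'
    $report.BlockingControllers | Format-Table HostName, Domain, OperatingSystem -AutoSize
}
```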

    Move DNS Data into DNS Application Directory Partitions

    Note

    The procedures in this topic are optional. If you are upgrading Windows Server 2003 Active Directory domains, your Domain Name System (DNS) zones have already been stored in the DNS application directory partitions. However, if you are upgrading Windows 2000 Active Directory domains, you might choose to move your DNS zones into the newly created DNS application directory partitions.

    To reduce replication traffic and the amount of data stored in the global catalog, you can use application directory partitions for Active Directory-integrated DNS zones.

    After completing the upgrade of all Windows 2000-based domain controllers in the forest, move the Active Directory-integrated DNS data on all DNS servers from the domain partition into the newly created DNS application directory partitions. You can do this by changing the replication scope of the DNS zones.

    Move the DNS zones that you want to replicate to all DNS servers in the forest to the forest-wide DNS application directory partition, ForestDnsZones. For each domain in the forest, move the DNS zones that you want to replicate to all DNS servers in the domain to the domain-wide DNS application directory partition, DomainDnsZones.


    Important

    Before you attempt to move DNS data to an application directory partition, make sure that the domain naming operations master is hosted on a domain controller that runs at least Windows Server 2003.

    Note

    If the _msdcs.forest_root_domain zone is not present as a separate zone on your DNS server, you do not need to perform this procedure, because the DNS data that is stored in _msdcs.forest_root_domain is moved with the forest root domain zone to the domain-wide application directory partition, DomainDnsZones.

    For more information about DNS and application directory partitions, see Appendix A: Background Information for Upgrading Active Directory Domains.

    To change the replication scope of the domain-wide DNS zone by using a DNS application directory partition

    Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

    1. On a domain controller that hosts a DNS server in a particular domain, click Start, click Administrative Tools, and then click DNS to open DNS Manager.

    2. Right-click the DNS zone that uses the fully qualified domain name (FQDN) of the Active Directory domain, and then click Properties.

    3. Click the Change button next to Replication: All DNS servers in this domain.

    4. Click To all DNS servers in this domain:, and then click OK.

    To change the replication scope of the _msdcs.forest_root_domain DNS zone by using a DNS application directory partition

    Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

    1. On a domain controller that hosts a DNS server in the forest root domain, click Start, click Administrative Tools, and then click DNS to open DNS Manager.

    2. Right-click the _msdcs.forest_root_domain DNS zone, and then click Properties.

    3. Click the Change button next to Replication: All DNS servers in this forest.

    4. Click To all DNS servers in this forest:, and then click OK.

    For more information, see Deploying Domain Name System (DNS) (http://go.microsoft.com/fwlink/?LinkId=93656).
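Added example (not from the guide): a Windows PowerShell check, using only System.DirectoryServices, that lists each Active Directory-integrated zone together with the partition that currently holds it, so you can see which zones are still in the domain partition and need their replication scope changed by the two procedures above. It assumes you run it on a domain controller that is also a DNS server, because only such a controller hosts the DomainDnsZones and ForestDnsZones partitions.

```powershell
# Added example, not part of the Microsoft guide. Zone objects (objectClass dnsZone) live
# under a CN=MicrosoftDNS container in whichever partition replicates the zone: the
# domain partition (CN=System, where Windows 2000 stored them), DomainDnsZones or
# ForestDnsZones. Listing all three containers shows what has and has not been moved.
# Assumes the script runs on a domain controller that hosts the DNS application partitions.

function Get-DnsZonePartition {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $forestDn = [string]$rootDse.rootDomainNamingContext

    $locations = @(
        @{ Partition = 'domain partition (not yet moved)'; Container = "CN=MicrosoftDNS,CN=System,$domainDn" },
        @{ Partition = 'DomainDnsZones';                  Container = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn" },
        @{ Partition = 'ForestDnsZones';                  Container = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn" }
    )

    foreach ($loc in $locations) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot  = [ADSI]"LDAP://$($loc.Container)"
        $searcher.Filter      = '(objectClass=dnsZone)'
        $searcher.SearchScope = 'OneLevel'
        [void]$searcher.PropertiesToLoad.Add('name')
        try {
            $results = $searcher.FindAll()
        }
        catch {
            # The container does not exist on this DC (for example, no legacy zones left in CN=System).
            continue
        }
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                Zone      = [string]$r.Properties['name'][0]
                Partition = $loc.Partition
            }
        }
        $results.Dispose()
    }
}

# Zones still in the domain partition are the ones whose replication scope has not been changed.
# The RootDNSServers object, if present, is a built-in placeholder rather than a real zone.
$zones = Get-DnsZonePartition
$zones | Sort-Object Partition, Zone | Format-Table Zone, Partition -AutoSize
$pending = @($zones | Where-Object { $_.Partition -like 'domain partition*' -and $_.Zone -ne 'RootDNSServers' })
if ($pending.Count -gt 0) {
    Write-Warning ('{0} zone(s) still replicate through the domain partition.' -f $pending.Count)
}
```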


    Redirect Users and Computers

    The procedures in this topic are required only if you are upgrading Windows 2000 Active Directory domains. A Windows Server 2003 Active Directory domain organizational unit (OU) structure will remain the same after the upgrade is complete.

    The default CN=Users and CN=Computers containers that are created when AD DS is installed are not OUs. Objects in the default containers are more difficult to manage because Group Policy cannot be applied directly to them. New user accounts, computer accounts, and security groups that are created by using earlier versions of user interface (UI) and command-line management tools do not allow administrators to specify a target OU. For this reason, administrators are not allowed to create these objects in either the CN=Computers container or the CN=Users container, by default. Examples of these earlier versions include the net user and net computer commands, the net group command, or the netdom add command where the /ou parameter is either not specified or not supported.

    We recommend that administrators who upgrade Windows 2000-based domain controllers redirect the well-known path for the CN=Users and CN=Computers containers to an OU that is specified by the administrator so that Group Policy can be applied to containers hosting newly created objects. For more information about creating an OU design, see Designing the Logical Structure for Windows Server 2008 AD DS.

    The CN=Users and CN=Computers containers are computer-protected objects. For backward-compatibility reasons, you cannot (and must not) remove them. However, you can rename these objects.

    When the domain functional level has been raised to Windows Server 2003, you can redirect the default CN=Users and CN=Computers containers to OUs that you specify so that each can support Group Policy, making them easier to manage.
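Added example (not from the guide): a Windows PowerShell check of the domain's wellKnownObjects attribute that shows whether the well-known paths for the Users and Computers containers still resolve to the default CN=Users and CN=Computers containers or have already been redirected to an OU. The two container GUIDs are the well-known object identifiers published in the Windows SDK header ntdsapi.h; they are assumed here and are not given in the guide.

```powershell
# Added example, not part of the Microsoft guide. The domain head object carries a
# multi-valued wellKnownObjects attribute; each value has the form
# B:32:<well-known GUID>:<distinguished name>. Redirecting a container rewrites the DN
# part, so reading the attribute shows the current target of each well-known path.
# GUIDs below are the Users and Computers identifiers from ntdsapi.h (assumed here).

function Get-DefaultContainerRedirection {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext

    $wellKnown = @{
        'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
        'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
    }

    # A DirectorySearcher returns DN-with-binary values in their string form, which is
    # easier to parse than the COM objects that a plain [ADSI] property read hands back.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=*)'
    [void]$searcher.PropertiesToLoad.Add('wellKnownObjects')
    $result = $searcher.FindOne()

    foreach ($entry in $result.Properties['wellknownobjects']) {
        $parts = [string]$entry -split ':', 4
        if ($parts.Count -ne 4) { continue }
        $guid = $parts[2].ToUpper()
        if (-not $wellKnown.ContainsKey($guid)) { continue }

        $container   = $wellKnown[$guid]
        $currentPath = $parts[3]
        $defaultPath = "CN=$container,$domainDn"
        New-Object PSObject -Property @{
            Container   = $container
            CurrentPath = $currentPath
            # -ne compares case-insensitively, which is what distinguished names need.
            Redirected  = ($currentPath -ne $defaultPath)
        }
    }
}

Get-DefaultContainerRedirection | Format-Table Container, Redirected, CurrentPath -AutoSize
```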

    Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

    1. Use the Active Directory Users and Computers snap-in to create an OU container to which you will redirect user objects that were created with earlier versions of UI and command-line management tools:

    a. To open the Act