Upgrading AD from Windows Server 2003 to Windows Server 2008 R2
15 likes8,979 views
This document outlines the process of upgrading from Windows Server 2003 to Windows Server 2008 R2, focusing on the importance of planning, testing, and performing backups prior to the upgrade. It covers various factors such as Active Directory enhancements, schema upgrades, and potential issues that may arise, as well as best practices for ensuring a smooth transition. The document emphasizes the need for thorough preparation and caution when demoting old domain controllers and raising domain and forest function levels.
Upgrading AD from Windows Server 2003 to Windows Server 2008 R2
- 1. Upgrading AD from Windows Server 2003 to Windows Server 2008 R2 Daniel Petri ([email protected]) Senior Premier Field Engineer, Microsoft
- 2. Agenda Why upgrade? Prepare Action Plan Cleanup
- 3. Why Upgrade your servers In relation to Active Directory: - RODC - Server Core - AD Snapshots (ntdsutil.exe, dsamain.exe) - DS Auditing (auditpol.exe) - Restartable AD service - Administrative Center - PowerShell Cmdlts - AD Best Practice Analyzer - Protect from accidental deletion - GPO benefits - Support lifecycle
- 4. Why Upgrade your DCs Windows 2008 Domain Windows 2008 R2 Function Level Domain Function Level - Authentication mechanism - DFSR replication of Sysvol assurance (dfsrmig.exe) for AD-FS - Advanced Encryption Services (AES - Managed Service Accounts 128 and 256) for Kerberos (MSA) - Last Interactive Logon Information - Fine-Grained Password Policy Windows 2008 R2 Forest - Personal Virtual Desktops Function Level - Offline Domain Join (djoin.exe) - AD Recycle Bin
- 5. Plan What are the upgrade goals? Map existing resources What other roles do DCs perform? Map the risks Can you consolidate? Can you virtualize? Should you virtualize? Plan for rollback
- 6. Identify potential issues This is mostly because DES encryption types for the Kerberos authentication protocol are disabled by default in Windows Server 2008/R2. – SAP – Oracle Internet Directory (OID), CA Identity Manager, Tivoli Identity Management – Samba and other Linux/Unix interoperability – NetApp, EMC Celera or other storage devices – Firewalls, VPN, RADIUS – http://support.microsoft.com/kb/977321
- 7. Identify potential issues Additional considerations: – Terminal Server License Server on a DC – CA on a DC – Smart Cards – Customized password filters – Time keeping software – 3rd-party apps that are hard coded to work against specific DCs – Exchange servers with manual DC configuration
- 8. Test - The bigger and more complex you are, the more you need to test before you act. - Consider regulations and standards (such as Change Management procedures) - Test environment needs to be as close to production as possible. - Test and production need to be totally isolated from each other.
- 9. Backup Make sure you have a recent, supported and working backup: - System State - Boot Partition - System Partition - All GPOs (by using GPMC) - Scripts etc. Do NOT use a VM snapshot as backup!
- 10. Backup As an extra security measure: - Consider disconnecting one DC in addition to backing up. - Consider disabling outbound replication on the Schema Master DC during the Schema upgrade. repadmin /options <server_name> +/-disable_outbound_repl
- 11. Backup What's the tombstone lifetime (TSL)? - Default up to Windows Server 2003 R2 = 60 days, for later = 180 days - If Forest is upgraded, TSL is not automatically changed dsquery * “cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=contoso, dc=com” –scope base –attr tombstonelifetime
- 12. Permissions Make sure the user you're working with is a member of: - Domain Admins - Enterprise Admins - Schema Admins
- 13. Previous Operating Systems Make sure DFL and FFL are Windows 2000 Native or above. If they exist, all Windows 2000 DCs must be running SP4. - Issues with Win9X/NT4.0 client computers: http://support.microsoft.com/kb/555038 http://support.microsoft.com/kb/946405 http://support.microsoft.com/kb/942564 - Issues with External Trusts to NT4.0 domains: http://support.microsoft.com/kb/2021766
- 14. Domain and Forest Check the overall health of the existing AD: – Replication – DNS – Events – Logs Find FSMO holders: – netdom query fsmo Consider temporarily disabling AV on the DCs.
- 15. Execute – Schema upgrade Schema upgrade is a one-way process! - Needs to run once per forest. - On the existing Schema Master, insert the Windows Server 2008 R2 media, go to x:supportadprep: adprep.exe /forestprep or adprep32.exe /forestprep - When finished, wait for replication.
- 16. Verify – Schema upgrade - Check version: dsquery * “cn=ActiveDirectoryUpdate, cn=ForestUpdates,cn=configuration,dc=contoso, dc=com” -scope base -attr revision (should be 5 for 2008 R2) dsquery * “cn=schema,cn=configuration,dc=contoso, dc=com” -scope base -attr objectversion (should be 47 for 2008 R2) - Verify replication repadmin /replsum /bysrc /bydest /sort:delta
- 17. Execute – Domain preparation - Needs to run once for each to-be upgraded domain in the forest. - On the existing Infrastructure Master: adprep.exe /domainprep (/gpprep) or adprep32.exe /domainprep (/gpprep)
- 18. Verify – Domain preparation - Check version: dsquery * “cn=ActiveDirectoryUpdate,cn=DomainUpdates, cn=system,dc=contoso,dc=com” -scope base -attr revision (should be 5 for 2008 R2)
- 19. Execute – RODC preparation - Only needs to run once per forest, but needs to be able to connect to all Infrastructure Masters in all the domains in the forest. - On any existing DC: adprep.exe /rodcprep or adprep32.exe /rodcprep http://support.microsoft.com/kb/949257
- 20. Verify – RODC preparation Check version: dsquery * “cn=ActivedirectoryRodcUpdate, cn=ForestUpdates,cn=configuration, dc=contoso,dc=com” -scope base -attr revision (should be 2)
- 21. Demo - Preparing the forest and domain for the first Windows Server 2008 R2 DC.
- 22. Action - Promote the first Windows Server 2008 R2 DC. - Move relevant roles – DHCP – DNS – WINS - Transfer FSMO - If needed, point relevant applications to new DC.
- 23. Names and IP addresses Is it simpler to 1. New DCs, new keep the old DC’s Simplest names, new IPs name and/or IP address? 2. New DCs, new Medium Possible options: names, old IPs complexity 3. New DCs, old May be more names, old IPs complex
- 24. New DCs, old names and IPs Option 1: Problems: - Demote old DC - What do you do with the Give name and IP to the FSMO roles and other roles new server on the old DC? - Promote new server to - DNS, DHCP etc. may not DC (+GC) function for a while.
- 25. New DCs, old names and IPs Option 2: - Give new server a temp. name and temp. IP - Promote new server to DC (+GC) - Move DNS, DHCP etc. , - Rename old DC to alt. name and assign alt. IP - Rename new DC to old name, assign old IP - Transfer FSMO - Demote old DC (you may want to wait a few days) To rename a DC – you must use netdom.exe
- 26. Check everything is ok Always wait for KCC (15-30 minutes). If replication topology is complex – wait for replication for as long as it takes. Before you demote old DC, make sure new DC is functioning: - Check replication - Check SYSVOL - Check events
- 27. Time synchronization PDC Emulator of the Forest Root Domain is responsible for time Servers and keeping. workstations pull If not properly configured – Event ID 12 (W32Time). from DCs. http://support.microsoft.com/kb/816042 PDC Emulators of other domains in forest Never pull time pull time from FRD DCs pull time from host if using PDCE. from PDCEs. virtualization!
- 28. Time synchronization - Configuration for FRD PDCE: w32tm /config /update /manualpeerlist:"timeserver.iix.net.il" /syncfromflags:manual net stop w32time && net start w32time w32tm /resync - Check HKLM/SYS/CCS/Services/W32Time/Config > AnnounceFlags = 10 (Decimal) - If you get an error, check that UDP port 123 is open through the FW: portqry -n timeserver.iix.net.il -e 123 -p udp
- 29. Some additional tips - Never clone a DC operating system! - Remember Windows Server 2008 R2 issues a random computer name by default - Do NOT disable IPv6 http://support.microsoft.com/kb/929852 - Configure Windows Update - Secure the server(s)
- 30. Some additional tips - Configure Anti-Virus exclusions http://support.microsoft.com/kb/822158 - Configure backups - Do not use snapshots for virtual DCs - Do not pause/resume virtual DCs - If on VMs, exclude DCs from Live Migration or vMotion
- 31. Removing old DCs Take your time If demoting is to test. If all = ok, demote unsuccessful – old DCs one by one consider forcing (dcpromo.exe). (/forceremoval) Consider shutting down old DC(s) for If demoting was unsuccessful – you must a few days (the clean AD from old DC remains “who did it???!” (ntdsutil.exe) effect). http://support.microsoft.com/kb/216498
- 32. Raising DFL and FFL Domain Function Level: - Active Directory Users and Computers Check version: dsquery * “dc=contoso,dc=com” -scope base -attr msDS-Behavior-Version (should be 2 for 2003, 4 for 2008 R2) Forest Function Level: - Active Directory Domains and Trusts Check version: dsquery * “cn=partitions,cn=configuration,dc=contoso,dc=com” -scope base -attr msDS-Behavior-Version (should be 2 for 2003, 4 for 2008 R2)
- 33. Demo - Adding the first Windows Server 2008 R2 DC. - Removing the old Windows Server 2003 DC. - Raising DFL/FFL.
- 34. Conclusion Upgrading your AD to Windows Server 2008 R2 is Plan and test important even if before you move. you do not plan to use any of the benefits. Upgrading is not Verify and clean More sessions on rocket science. after you move. AD will follow…