18 May, 2012
Text Size
Tech Notes Windows Server 2008 Transition between Server 2003 Domain to Server 2008 R2 Domain

Transition between Server 2003 Domain to Server 2008 R2 Domain

Transition between the Server 2003 Domain Controller and Server 2008 R2 Domain Controller.

Transitioning
Migrating this way means adding Windows Server 2008 Domain Controllers to your existing Active Directory environment. Then remove the old 2003 Domain Controllers from the enviroment.

Reasons to transition

I feel transitioning is the middle road between the two other ways to migrate to Windows Server 2008:

  • Restructuring means filling a new Active Directory from scratch
  • In-place upgrading means you're stuck with the same hardware and limited to certain upgrade paths
  • Transitioning means you get to keep your current Active Directory lay-out, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.

Transitioning is good when:

  • You worked hard to get your Active Directory in the shape it's in.
  • Your servers are faced with aging.
  • In-place upgrading leaves you with an undesired outcome (for instance 32bit DC's)
  • You need a chance to place your Active Directory files on different partitions/volumes.

When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. that's why I wrote this post.

Steps to transition

Transitioning to Windows Server 2008 Domain Controllers consists of the following steps:

Before you begin

Plan your server lifecycle
It's not uncommon for a Domain Controller to sit on your network for a period of five years. I believe you should take this in mind when selecting and buying a server. You should plan your partitions (or volumes) carefully and place the Active Directory files on separate volumes when your needs justify it. The Windows Server catalog helps you pick systems that will run Windows Server 2008 with ease.

Assess your readiness
Microsoft has kindly provided a tool to scan systems to assess whether systems are capable of running Windows Server 2008, whether drivers are available (either from Microsoft update or on the installation media) and what problems you might encounter when deploying Windows server 2008. I recommend checking your systems with this tool, which is called the Microsoft Assessment and Planning Solution Accelerator (MAP for short).

Backups
Make backups of all your Domain Controllers and verify you can restore these backups when needed.

Documentation
It is a good thing to know exactly what you're migrating. When things go wrong you might need to be able to revert back to the old situation. This might require the Directory Services Restore Mode (DSRM) password and credentials for service accounts, which might not be written down anywhere. In multiple Domain Controller, multiple domain, multiple forest and multiple sites scenarios it's very wise to make a table containing the relevant information per Domain Controller in terms of Flexible Single Master Operations (FSMO) roles, Global Catalog placement, domain membership, site membership, replication topology, routing tables, IP addressing, etc.

Communication
When done right your colleagues might not even suspect a thing, but it's important to shed some light on what you're doing. (Make someone) communicate to the end users that you're going to mess with the core of their infrastructure. This might result in colleagues understanding you're (really) busy and might also result in problems being reported fast. Both are good things if you'd ask me...

Prepare your Active Directory environment

Before you can begin to introduce the first Windows Server 2008 Domain Controller into your existing Active Directory environment, you first have to prepare the Active Directory.

Microsoft provides a tool called adprep.exe to facilitate this preparation. You need to run the following commands on the following servers in your Active Directory environment:

Command Domain Controller
adprep.exe /forestprep Schema Master
adprep.exe /domainprep Infrastructure Master
adprep.exe /domainprep /gpprep Group Policy
adprep.exe /rodcprep * Adding a Read Only - Domain Controller

* Optional when you want to deploy Read Only Domain Controllers.

After preparing your Active Directory for Windows Server 2008 be sure to check the process.

Breadcrumbs to failures may be found in the event viewer, but real men will check the adprep.log files.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the replmon and repadmin tools to check and optionally troubleshoot Active Directory replication.

 

1. Run adprep32 /forestprep if the schema master is using a 32 bit version of Windows Server 2003 R2.

[ Run adprep /forestprep if it is a 64 bit version. ]

2. Run adprep32 /domainprep

[Run adprep /domainprep if iy id s 64bit version.]

Note: The existing Windows 2000/2003 domain MUST be in Native mode, as not Windows NT 4.0 BDCs are supported by Windows Server 2008 DCs. Therefore, if that is not the case, you'll get this error:

  
Adprep detected that the domain is not in native mode

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Configure the domain to run in native mode and re-run domainprep

Switch your domain to Native mode or above, then repeat the operation.

Again, make sure you let the existing Domain Controllers replicate all the changes throughout the domain BEFORE proceeding to the next step.

3. Run adprep32 /domainprep /gpprep

[Run adprep /domainprep /gpprep if iy id s 64bit version.]

 

ADPREP Commands:  These commands above must be run on the Win 2003 Server not Win 2008!

In case you don't have the 32-bit version available, you can also use the evaluation version of Windows Server 2008 32-bit installation media to run ADPREP, so just download the file from Microsoft's website, and use it to run ADPREP on your 32-bit Windows 2000/2003 DCs.

Install the first Windows Server 2008 Domain Controller

1. Check, and raise, if necessary, the Domain and Forest functional levels. You cannot upgrade directly from Windows 2000 mixed, or Windows Server 2003 interim domain functional levels.

* The first Windows Server 2008 Domain Controller in the forest must be a Global Catalog Server, and it cannot be a Read Only Domain Controller, RODC.

So leave the read only on checked when you do the promotion.

2. Static IP and Computer Name - you plan to keep the domain controller on after completion.

3.  New Server with Windows Server 2008 R2 installed and make it a member of the domain.

4.  In the Run Box - type "dcpromo.exe"  (the new interface is more friendly to use)

5. Make this Domain Controller an extra Domain Controller for the Active Directory domain you are transitioning into.  Do not choose read - only mode.

6. Type a secure password for Directory Services Resotre Mode.  Tip: Write down the the Directory Services Restore Mode (DSRM) password.

Since each Active Directory Domain Controller stores a copy of the Active Directory information, like users, computers, etc. and the NETLOGON and SYSVOL shares, your new Windows Server 2008 Domain Controller will be open for business for active directory services after you restarted it to complete the wizard.

Exchange Warning:

When your environment includes Microsoft Exchange Server reboot a Domain Controller after making it a Global Catalog server. Microsoft Exchange communicates with Active Directory through Global Catalogs using MAPI. You need to restart a Domain Controller at least one time after making it a Global Catalog before it starts talking MAPI.


Take care of FSMOs

Run in command box - netdom.exe query fsmo

This will show you which dmc is running the FSMO services.

You need to transfer these services to the new Domain Controller(s).

Use the steps [ Here  ] to move the FSMOs

These steps are fine for a single domain or only a few domain enviroment.

If you have a large number of domains managed by the same enviroment (active directory) then:

  • Don't make the Domain Controller holding the Infrastructure Master Flexible Single Master Operations (FSMO) Role a Global Catalog server;
  • Make all Domain Controllers Global Catalog servers.
Make sure your Windows Server 2003 Domain Controllers are no longer clinging on to any of the Flexible Single Master Operations (FSMO) Roles using the graphical user interface, using replmon or the following command using netdom.exe from the Resource Kit: -

netdom.exe /query fsmo

Verify the fsmo roles of all domain controllers.  Use netdom /query fsmo to see who holds what roles (you will use this again to verify new roles after promotion of 2008 DC)

Check proper installation and replication

It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize specifically are:

  • dcpromo.log
    All the events regarding the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services
  • dcpromoui.log
    all the events from a graphical interface perspective

Also check the event viewer.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the replmon and repadmin tools to check and optionally troubleshoot proper Active Directory replication.

Demote Windows Server 2003 Domain Controllers

Typically at most clients, any software that didn't require a dedicated server or was deemed highly dependent on the Active Directory was installed on the Domain Controller.

When you're one of the administrators treating their Domain Controllers like that you're going to have a hard time demoting your Domain Controllers. Testing demotions in a separate (virtual) testing environment could give your a clear picture on the behavior of your Windows Server 2003 ex-Domain Controllers though!

Warning - It is not recommended to demote a Domain Controller when it has Exchange Server or Internet Information Services installed after it was promoted. You're going to have to find another box to install these services on before you demote the old Domain Controller.

When your Windows Server 2003 Domain Controllers are also Domain Name System (DNS) servers it is recommended to change the DNS zones into Active Directory Integrated DNS zones (when possible) so they get replicated to any Domain Controller running the DNS service. Installing the DNS Server role on a Windows Server 2008 would then suffice to migrate DNS settings. Be sure to change the DNS information on your other servers and workstations, before removing DNS servers from your network.

You can now safely demote a Domain Controller using the dcpromo.exe command.


 If you can not sucessful demote the old 2003 DC or it is dead.

The FORCE REMOVE - 2003 Domain Controller.

If the domain controller can boot into normal mode:

1. Click Start, click Run, and then type the following command:

dcpromo /forceremoval

2. Click OK. If Certificate Services is not removed, you will get a message to remove it first. If FSMO roles/GC are not seized from the DC, you will get a message to transfer the roles to another DC.

3. At the Welcome to the Active Directory Installation Wizard page, click Next.

4. At the Force the Removal of Active Directory page, click Next.

5. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.

6. In Summary, click Next.

7. When it finishes, click Finish and reboot the computer.

Raise the domain functional level to Server 2008

After you've successfully demoted the last Windows Server 2003 Domain Controller for a specific domain (or you don't feel the need to ever add pre-Windows Server 2008 Domain Controllers to your Active Directory environment) you're ready to raise the Domain functional level of that domain.

Upgrading the domain functional level to Windows Server 2008 adds the following features to your environment:

  • Distributed File System Replication (DFS-R) support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents with minimal replication traffic compared to FRS.
  • Advanced Encryption Services (AES 128 and 256) support for the Kerberos protocol.
  • Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
  • Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain, instead of per domain only.

 

Note:  Raising the functional level is a one way procedure. Once you've raised your domain functional level there's no way to return to the previous domain functional level.

Raising the domain functional level in Windows Server 2008:

  1. Log on to the Domain Controller holding the PDC emulator FSMO role with a user account that is a member of the Domain Administrators group..
  2. Open Active Directory Domains and Trusts.
  3. In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
  4. In Select an available domain functional level, click Windows Server 2008, and then click Raise.

Upgrade the forest functional level

After you've successfully upgraded the domain functional level of all the domains in your Active Directory forest you're ready to upgrade the Forest functional level. This will not add any features, but will result in all domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.

Note:  Raising the functional level is a one way procedure. Once you've raised your forest functional level there's no way to return to the previous forest or domain functional levels.

To upgrade the forest functional level to Windows Server 2008 perform the following actions:

  1. Log on to the Domain Controller of the forest root domain holding the PDC Emulator FSMO role with a user account that is a member of the Enterprise Administrators group.
  2. Open Active Directory Domains and Trusts.
  3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
  4. Under Select an available forest functional level, click Windows Server 2008, and then click Raise.

You should be good at this point.  If not review your event logs, dcpromo.log and dcpromoui.log.