Why Upgrade your servers
In relation to Active Directory:
- RODC
- Server Core
- AD Snapshots (ntdsutil.exe, dsamain.exe)
- DS Auditing (auditpol.exe)
- Restartable AD service
- Administrative Center
- PowerShell Cmdlets
- AD Best Practice Analyzer
- Protect from accidental deletion
- GPO benefits
- Support lifecycle
Why Upgrade your DCs
Windows 2008 Domain Function Level:
- DFSR replication of SYSVOL (dfsrmig.exe)
- Advanced Encryption Standard (AES 128 and 256) for Kerberos
- Last Interactive Logon Information
- Fine-Grained Password Policy
- Personal Virtual Desktops
- Offline Domain Join (djoin.exe)
Windows 2008 R2 Domain Function Level:
- Authentication mechanism assurance for AD FS
- Managed Service Accounts (MSA)
Windows 2008 R2 Forest Function Level:
- AD Recycle Bin
Plan
- What are the upgrade goals?
- Map existing resources
- What other roles do the DCs perform?
- Map the risks
- Can you consolidate?
- Can you virtualize?
- Should you virtualize?
- Plan for rollback
Identify potential issues
DES encryption types for the Kerberos authentication protocol are disabled by default on Windows 7 and Windows Server 2008 R2, so anything that still depends on DES-only Kerberos keys breaks as soon as it authenticates against a 2008 R2 DC:
– SAP
– Oracle Internet Directory (OID), CA Identity Manager, Tivoli Identity Management
– Samba and other Linux/Unix interoperability
– NetApp, EMC Celerra or other storage devices
– Firewalls, VPN, RADIUS
– http://support.microsoft.com/kb/977321
Identify potential issues
Additional considerations:
– Terminal Server License Server on a DC
– CA on a DC
– Smart Cards
– Customized password filters
– Time keeping software
– 3rd-party apps that are hard coded to work against specific DCs
– Exchange servers with manual DC configuration
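The DES point above is the one that bites silently, so here is an added example (not part of the deck) that enumerates the principals which still depend on DES Kerberos keys before any 2008 R2 DC exists. It uses ADSI only, so it runs from any domain-joined Windows machine, including a 2003 DC, without RSAT; it assumes you run it as a user who can read the domain.

```powershell
# Added example (not from the deck): list principals that still depend on DES
# Kerberos keys, which stop working against Windows Server 2008 R2 DCs unless
# DES is re-enabled by policy (see KB 977321).
# Assumptions: run as a domain user from any domain-joined Windows box (ADSI
# only, no RSAT needed); the domain is taken from the machine's own RootDSE.

$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

function Find-DesDependentAccounts {
    param([System.DirectoryServices.DirectoryEntry]$SearchRoot)

    # userAccountControl bit 0x200000 (2097152) = USE_DES_KEY_ONLY.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $uacFilter = "(userAccountControl:1.2.840.113556.1.4.803:=2097152)"

    # msDS-SupportedEncryptionTypes exists only once the schema is 2008 or
    # later (objectVersion >= 44); values 1, 2 and 3 are DES-only
    # (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5). On an older schema the clause
    # matches nothing, so the query is safe to run before adprep.
    $encFilter = "(|(msDS-SupportedEncryptionTypes=1)(msDS-SupportedEncryptionTypes=2)(msDS-SupportedEncryptionTypes=3))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($SearchRoot)
    $searcher.Filter   = "(&(|(objectCategory=person)(objectCategory=computer))(|$uacFilter$encFilter))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "userAccountControl", "msDS-SupportedEncryptionTypes", "servicePrincipalName"))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        $uac   = [int]$props["useraccountcontrol"][0]
        $enc   = $null
        if ($props["msds-supportedencryptiontypes"].Count -gt 0) { $enc = [int]$props["msds-supportedencryptiontypes"][0] }
        $spns  = @($props["serviceprincipalname"] | ForEach-Object { $_ }) -join " "
        New-Object PSObject -Property @{
            Account    = [string]$props["samaccountname"][0]
            DesKeyOnly = (($uac -band 0x200000) -ne 0)   # USE_DES_KEY_ONLY set
            EncTypes   = $enc                             # DES-only bitmask, or $null
            SPNs       = $spns                            # services that will break first
        }
    }
}

Find-DesDependentAccounts -SearchRoot $domain | Format-Table Account, DesKeyOnly, EncTypes, SPNs -AutoSize
```

For each hit, either clear USE_DES_KEY_ONLY (and, on a 2008+ schema, widen msDS-SupportedEncryptionTypes to include RC4/AES) and reset the password so keys of the new types are generated, or, as KB 977321 describes, re-enable DES on the 2008 R2 DCs through the "Network security: Configure encryption types allowed for Kerberos" policy. The first option is the one to aim for; the second keeps a weak cipher alive for the whole domain.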
Test
- The bigger and more complex you are, the more you need to test before you act.
- Consider regulations and standards (such as Change Management procedures).
- The test environment needs to be as close to production as possible.
- Test and production need to be totally isolated from each other.
Backup
Make sure you have a recent, supported and working backup:
- System State
- Boot Partition
- System Partition
- All GPOs (by using GPMC)
- Scripts etc.
Do NOT use a VM snapshot as backup!
Backup
As an extra security measure:
- Consider disconnecting one DC in addition to backing up.
- Consider disabling outbound replication on the Schema Master DC during the Schema upgrade, and re-enable it once you have verified the result:
repadmin /options <server_name> +disable_outbound_repl
repadmin /options <server_name> -disable_outbound_repl
Backup
What's the tombstone lifetime (TSL)?
- Forests created with Windows 2000 or Windows Server 2003 RTM: 60 days (the attribute is not set); forests created with Windows Server 2003 SP1 or later: 180 days.
- If the forest is upgraded, the TSL is not automatically changed.
- A backup older than the TSL cannot be used to restore AD.
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=contoso,dc=com" -scope base -attr tombstonelifetime
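The three backup slides above boil down to one pre-flight check: what is the effective TSL, is the last real AD backup younger than it, and where is the Schema Master you may want to isolate. The script below is an added example, not part of the deck; it assumes a Windows Server 2008 R2 DC (for repadmin.exe), Domain Admin rights, and that repadmin /showbackup prints dates as "yyyy-MM-dd HH:mm:ss".

```powershell
# Added example (not from the deck): read the effective tombstone lifetime,
# compare it with the age of the last AD-aware backup of every partition, and
# wrap the repadmin option used to isolate the Schema Master during forestprep.
# Assumptions: run on a Windows Server 2008 R2 DC as a Domain Admin; the
# "yyyy-MM-dd HH:mm:ss" date format in repadmin /showbackup output is assumed.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

function Get-TombstoneLifetime {
    $ds  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $tsl = $ds.tombstoneLifetime.Value
    # Forests created with Windows 2000 / 2003 RTM never get the attribute;
    # the directory then behaves as if it were 60 days.
    if ($tsl -eq $null) { Write-Warning "tombstoneLifetime not set; effective value is 60 days"; return 60 }
    return [int]$tsl
}

function Get-LastAdBackup {
    # repadmin /showbackup prints, per partition, the time of the last backup
    # that updated dSASignature (a real system state backup, not a VM snapshot).
    $lines   = & repadmin.exe /showbackup 2>&1
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^(DC=|CN=)') { $current = $line.Trim(); continue }
        if ($current -and $line -match '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            $when = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
            New-Object PSObject -Property @{ Partition = $current; LastBackup = $when; AgeDays = [int]((Get-Date) - $when).TotalDays }
        }
    }
}

function Set-OutboundReplication {
    # Wraps "repadmin /options <dc> +/-DISABLE_OUTBOUND_REPL" so the schema
    # change can be inspected on the Schema Master before it leaves that box.
    param([string]$Server, [bool]$Enabled)
    $flag = '+DISABLE_OUTBOUND_REPL'
    if ($Enabled) { $flag = '-DISABLE_OUTBOUND_REPL' }
    & repadmin.exe /options $Server $flag
}

$tsl = Get-TombstoneLifetime
"Tombstone lifetime: $tsl days"
foreach ($b in Get-LastAdBackup) {
    $state = "ok"
    if ($b.AgeDays -ge $tsl) { $state = "UNUSABLE (older than TSL)" } elseif ($b.AgeDays -gt 7) { $state = "stale" }
    "{0,-50} {1} ({2} days) {3}" -f $b.Partition, $b.LastBackup, $b.AgeDays, $state
}

# Schema Master = fSMORoleOwner of the schema NC (an NTDS Settings DN); the
# server name is the second RDN. Isolate it only for the duration of forestprep.
$owner        = ([ADSI]"LDAP://$schemaNc").fSMORoleOwner.Value
$schemaMaster = ($owner -split ',')[1] -replace '^CN=', ''
"Schema Master: $schemaMaster"
# Set-OutboundReplication -Server $schemaMaster -Enabled $false   # before adprep /forestprep
# Set-OutboundReplication -Server $schemaMaster -Enabled $true    # after you have verified the result
```

If a partition shows no backup line at all, no AD-aware backup has ever been taken of it; a file-level copy or VM snapshot does not update dSASignature and will not appear here, which is exactly why the deck says not to rely on them.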
Permissions
Make sure the user you're working with is a member of:
- Domain Admins
- Enterprise Admins
- Schema Admins
(Schema Admins and Enterprise Admins for /forestprep, Domain Admins of each domain for /domainprep, Enterprise Admins for /rodcprep.)
Previous Operating Systems
Make sure DFL and FFL are Windows 2000 native or above.
If they exist, all Windows 2000 DCs must be running SP4.
- Issues with Win9X/NT4.0 client computers:
http://support.microsoft.com/kb/555038
http://support.microsoft.com/kb/946405
http://support.microsoft.com/kb/942564
- Issues with External Trusts to NT4.0 domains:
http://support.microsoft.com/kb/2021766
Domain and Forest
Check the overall health of the existing AD:
– Replication
– DNS
– Events
– Logs
Find FSMO holders:
– netdom query fsmo
Consider temporarily disabling AV on the DCs, or at least apply the exclusions from http://support.microsoft.com/kb/822158 so the AV does not block adprep and NTDS writes.
Execute – Schema upgrade
Schema upgrade is a one-way process!
- Needs to run once per forest.
- On the existing Schema Master, insert the Windows Server 2008 R2 media and go to X:\support\adprep\:
adprep.exe /forestprep
or, on a 32-bit Schema Master (the 2008 R2 media only ships 64-bit binaries otherwise):
adprep32.exe /forestprep
- When finished, wait for replication.
Verify – Schema upgrade
- Check version:
dsquery * "cn=ActiveDirectoryUpdate,cn=ForestUpdates,cn=configuration,dc=contoso,dc=com" -scope base -attr revision
(should be 5 for 2008 R2)
dsquery * "cn=schema,cn=configuration,dc=contoso,dc=com" -scope base -attr objectversion
(should be 47 for 2008 R2)
- Verify replication:
repadmin /replsum /bysrc /bydest /sort:delta
Execute – Domain preparation
- Needs to run once for each to-be-upgraded domain in the forest.
- On the existing Infrastructure Master of that domain:
adprep.exe /domainprep (/gpprep)
or, on a 32-bit Infrastructure Master:
adprep32.exe /domainprep (/gpprep)
- /gpprep is only needed if it was never run in that domain (e.g. by the Windows Server 2003 adprep); it changes ACLs on every GPO and triggers a full SYSVOL replication, so run it in a maintenance window.
Verify – Domain preparation
- Check version:
dsquery * "cn=ActiveDirectoryUpdate,cn=DomainUpdates,cn=system,dc=contoso,dc=com" -scope base -attr revision
(should be 5 for 2008 R2)
Execute – RODC preparation
- Only required if you plan to deploy RODCs.
- Only needs to run once per forest, but the computer it runs on must be able to connect to the Infrastructure Masters of all the domains in the forest.
- On any existing DC:
adprep.exe /rodcprep
or
adprep32.exe /rodcprep
http://support.microsoft.com/kb/949257
Verify – RODC preparation
Check version:
dsquery * "cn=ActiveDirectoryRodcUpdate,cn=ForestUpdates,cn=configuration,dc=contoso,dc=com" -scope base -attr revision
(should be 2)
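The three "Verify" slides each read one attribute with dsquery. The script below is an added example, not part of the deck, that reads the same attributes for the whole forest in one pass (every domain's domainprep revision, not just the one you typed the DN for) and flags anything that is not at the 2008 R2 value. It assumes a user who can read the configuration partition, runs on PowerShell 2.0 with ADSI only, and uses the expected values the slides give (schema objectVersion 47, forest and domain revision 5, RODC revision 2).

```powershell
# Added example (not from the deck): one pass over the attributes the dsquery
# commands above read, for every domain in the forest, so forestprep,
# domainprep and rodcprep can be signed off together before the first 2008 R2
# DC is promoted. Assumptions: run as a user who can read the configuration
# partition (any domain member); expected values are for Windows Server 2008 R2 adprep.

$expected = @{ Schema = 47; Forest = 5; Domain = 5; Rodc = 2 }
# Known schema objectVersion values, for reading the "before" state.
$schemaVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'; 44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }

function Get-AdAttribute {
    param([string]$Dn, [string]$Attribute)
    try { return ([ADSI]"LDAP://$Dn").Get($Attribute) }
    catch { return $null }   # object missing (adprep never ran) or attribute unset
}

function New-Check([string]$Name, [string]$Dn, [string]$Attribute, [int]$Expected) {
    $actual = Get-AdAttribute -Dn $Dn -Attribute $Attribute
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Check    $Name
    $o | Add-Member NoteProperty Actual   $actual
    $o | Add-Member NoteProperty Expected $Expected
    $o | Add-Member NoteProperty OK       ($actual -eq $Expected)
    $o
}

function Test-AdPrep {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    $schemaNc = $rootDse.schemaNamingContext.Value

    $checks  = @()
    $checks += New-Check 'schema objectVersion' $schemaNc 'objectVersion' $expected.Schema
    $checks += New-Check 'forestprep revision' "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc" 'revision' $expected.Forest
    $checks += New-Check 'rodcprep revision'   "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc" 'revision' $expected.Rodc

    # domainprep is per domain: enumerate the domain naming contexts from the
    # Partitions container (systemFlags bit 0x1 = NC, 0x2 = domain NC).
    $partitions = New-Object System.DirectoryServices.DirectorySearcher(([ADSI]"LDAP://CN=Partitions,$configNc"))
    $partitions.Filter = "(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=3))"
    [void]$partitions.PropertiesToLoad.Add('nCName')
    foreach ($p in $partitions.FindAll()) {
        $domainNc = [string]$p.Properties['ncname'][0]
        $checks += New-Check "domainprep revision $domainNc" "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc" 'revision' $expected.Domain
    }
    $checks
}

$results = Test-AdPrep
$results | Format-Table Check, Actual, Expected, OK -AutoSize
$schemaNow = ($results | Where-Object { $_.Check -eq 'schema objectVersion' }).Actual
if ($schemaNow -ne $null -and $schemaVersions.ContainsKey([int]$schemaNow)) { "Schema level: " + $schemaVersions[[int]$schemaNow] }
if ($results | Where-Object { -not $_.OK }) { Write-Warning "adprep is incomplete or has not replicated yet; do not promote a 2008 R2 DC" }
```

Run it against the Schema Master first (the values appear there immediately) and then against a DC in a remote site; a mismatch between the two is the replication lag the "wait for replication" bullets warn about, not a failed adprep.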
Demo
- Preparing the forest and domain for the first Windows Server 2008 R2 DC.
Action
- Promote the first Windows Server 2008 R2 DC.
- Move relevant roles:
– DHCP
– DNS
– WINS
- Transfer FSMO roles.
- If needed, point relevant applications to the new DC.
Names and IP addresses
Is it simpler to keep the old DC's name and/or IP address?
Possible options:
1. New DCs, new names, new IPs – simplest
2. New DCs, new names, old IPs – medium complexity
3. New DCs, old names, old IPs – may be more complex
New DCs, old names and IPs
Option 1:
- Demote the old DC
- Give its name and IP to the new server
- Promote the new server to DC (+GC)
Problems:
- What do you do with the FSMO roles and other roles on the old DC?
- DNS, DHCP etc. may not function for a while.
New DCs, old names and IPs
Option 2:
- Give the new server a temporary name and temporary IP
- Promote the new server to DC (+GC)
- Move DNS, DHCP etc.
- Rename the old DC to an alternate name and assign it an alternate IP
- Rename the new DC to the old name and assign it the old IP
- Transfer FSMO roles
- Demote the old DC (you may want to wait a few days)
To rename a DC you must use netdom.exe (netdom computername ... /add, /makeprimary, /remove).
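The rename steps of Option 2 are where most of the risk sits, so here they are as an added example (not part of the deck) driven by netdom.exe, which keeps the DC's DNS records and SPNs consistent through the change. Names, addresses and the NIC name are placeholders; it assumes an elevated PowerShell on the Windows Server 2008 R2 DC being renamed, and that the old DC has already been moved off the target name.

```powershell
# Added example (not from the deck): the rename of "Option 2" done with
# netdom computername. The /makeprimary step needs a reboot, so the work is
# split into two functions. Assumptions: run elevated on the 2008 R2 DC being
# renamed; the target name and IP are already free; NIC name is a placeholder.

$currentFqdn = 'TMPDC01.contoso.com'   # temporary name the new DC was promoted with
$targetFqdn  = 'DC01.contoso.com'      # old DC's former name, now free
$newIp       = '10.0.0.10'             # old DC's former address, now free
$mask        = '255.255.255.0'
$gateway     = '10.0.0.1'
$nic         = 'Local Area Connection'

function Invoke-DcRenamePhase1 {
    # Add the new name as an alternate (registers its A records and HOST/ldap
    # SPNs on the computer object), then make it primary and reboot.
    & netdom.exe computername $currentFqdn /add:$targetFqdn
    if ($LASTEXITCODE -ne 0) { throw "netdom /add failed ($LASTEXITCODE)" }
    & netdom.exe computername $currentFqdn /makeprimary:$targetFqdn
    if ($LASTEXITCODE -ne 0) { throw "netdom /makeprimary failed ($LASTEXITCODE)" }
    Restart-Computer -Force
}

function Invoke-DcRenamePhase2 {
    # After the reboot: drop the temporary name, take over the old IP, and
    # re-register the DC's DNS records so clients and partners find it.
    & netdom.exe computername $targetFqdn /remove:$currentFqdn
    if ($LASTEXITCODE -ne 0) { throw "netdom /remove failed ($LASTEXITCODE)" }
    & netsh.exe interface ipv4 set address "name=$nic" source=static address=$newIp mask=$mask gateway=$gateway
    & ipconfig.exe /registerdns
    & nltest.exe /dsregdns          # re-registers the DC's SRV records (_msdcs etc.)
    & netdom.exe computername $targetFqdn /enumerate   # should now list only the new name
    & repadmin.exe /syncall /AdeP   # push the rename out before anyone demotes the old DC
}

# Phase 1 now, phase 2 after the machine is back:
# Invoke-DcRenamePhase1
# Invoke-DcRenamePhase2
```

Two caveats from the "potential issues" slides apply here: a DC that also hosts a CA must not be renamed at all, and anything hard-coded to the temporary name (or to the old DC's SPNs) breaks at /remove, so check the enumerate output and wait for replication before touching the old DC.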
Check everything is OK
Always wait for the KCC (15-30 minutes).
If the replication topology is complex, wait for replication for as long as it takes.
Before you demote the old DC, make sure the new DC is functioning:
- Check replication
- Check SYSVOL
- Check events
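The three checks on this slide are the same ones the "Domain and Forest" health check earlier asks for, so one script serves both moments: run it before adprep to get a baseline, and again before demoting the old DC. It is an added example, not part of the deck; it assumes a Windows Server 2008 R2 DC with repadmin.exe and dcdiag.exe available and uses a placeholder DC name.

```powershell
# Added example (not from the deck): replication, advertising, SYSVOL share and
# event checks for a DC, usable both as the pre-upgrade health check and as the
# "is the new DC functioning" gate before the old DC is demoted.
# Assumptions: run on a Windows Server 2008 R2 DC (repadmin, dcdiag present)
# with rights to read remote event logs; $newDc is a placeholder.

function Get-ReplicationFailures {
    # repadmin /showrepl * /csv reports every inbound partner link on every DC.
    $rows = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status', 'Last Failure Time'
}

function Test-DcAdvertising {
    param([string]$Dc)
    # /q prints only failures, so empty output means every selected test passed.
    $out = & dcdiag.exe /s:$Dc /test:Replications /test:Advertising /test:NetLogons /test:SysVolCheck /test:DNS /q 2>&1
    New-Object PSObject -Property @{ DC = $Dc; Passed = (-not $out); Output = ($out -join "`n") }
}

function Test-SysvolShares {
    param([string]$Dc)
    # A DC that does not publish SYSVOL and NETLOGON has not finished its
    # initial SYSVOL sync and must not be trusted with the old DC's clients yet.
    $shares = & net.exe view "\\$Dc" 2>&1
    New-Object PSObject -Property @{
        DC       = $Dc
        Sysvol   = [bool]($shares -match '^SYSVOL\s')
        Netlogon = [bool]($shares -match '^NETLOGON\s')
    }
}

function Get-RecentDsErrors {
    param([string]$Dc, [int]$Hours = 24)
    # Classic logs via Get-EventLog so this also works against a 2003 DC;
    # "DFS Replication" only exists on 2008+ and is skipped where absent.
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in 'Directory Service', 'File Replication Service', 'DFS Replication', 'DNS Server') {
        try {
            Get-EventLog -ComputerName $Dc -LogName $log -EntryType Error, Warning -After $since -ErrorAction Stop |
                Select-Object @{n = 'Log'; e = { $log }}, TimeGenerated, EventID, Source, Message
        } catch { }   # log not present on this DC
    }
}

$newDc = 'DC01'   # placeholder
Get-ReplicationFailures | Format-Table -AutoSize
Test-DcAdvertising -Dc $newDc | Format-List
Test-SysvolShares -Dc $newDc
Get-RecentDsErrors -Dc $newDc | Format-Table Log, TimeGenerated, EventID, Source -AutoSize
```

Read the replication table first: a link that has failed since before the upgrade started is a pre-existing problem to fix, not something the new DC caused, and adprep will happily run on top of it and leave you with a half-replicated schema.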
Time synchronization
- The PDC Emulator of the Forest Root Domain (FRD) is responsible for time keeping.
- If not properly configured: Event ID 12 (W32Time).
http://support.microsoft.com/kb/816042
- The PDC Emulators of the other domains in the forest pull time from the FRD PDCE.
- DCs pull time from their domain's PDCE.
- Servers and workstations pull time from DCs.
- Never pull time from the host if using virtualization!
Time synchronization
- Configuration for the FRD PDCE:
w32tm /config /update /manualpeerlist:"timeserver.iix.net.il" /syncfromflags:manual
net stop w32time && net start w32time
w32tm /resync
- Check HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags: the default is 10 (decimal); KB 816042 sets it to 5 on the PDCE so that it always announces itself as a reliable time source (w32tm /config /reliable:yes does the same).
- If you get an error, check that UDP port 123 is open through the firewall:
portqry -n timeserver.iix.net.il -e 123 -p udp
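The two time slides describe a hierarchy plus one special case (the FRD PDCE). The script below is an added example, not part of the deck: it works out from AD whether the local DC is the forest root PDC Emulator, configures W32Time for that role, disables the Hyper-V host time provider (the one virtualization case it knows how to handle), and reports what the service actually syncs from. It assumes an elevated session on a DC and uses the deck's timeserver.iix.net.il as the peer.

```powershell
# Added example (not from the deck): configure W32Time according to the DC's
# place in the hierarchy on the previous slide, then verify the result.
# Assumptions: run elevated on a DC; timeserver.iix.net.il is the deck's
# example peer; the VMICTimeProvider key applies to Hyper-V guests only
# (VMware guests need the equivalent Tools setting instead).

function Get-ForestRootPdce {
    # fSMORoleOwner on the forest root domain NC is the NTDS Settings DN of the
    # PDC Emulator; the server name is the second RDN.
    $rootDse      = [ADSI]"LDAP://RootDSE"
    $forestRootNc = $rootDse.rootDomainNamingContext.Value
    $owner        = ([ADSI]"LDAP://$forestRootNc").fSMORoleOwner.Value
    return (($owner -split ',')[1] -replace '^CN=', '')
}

function Set-DcTimeSource {
    param([string[]]$ExternalPeers = @('timeserver.iix.net.il'))
    $isRootPdce = ((Get-ForestRootPdce) -ieq $env:COMPUTERNAME)
    if ($isRootPdce) {
        # Only the FRD PDCE syncs from outside; /reliable:yes sets AnnounceFlags=5
        # so every other DC in the forest can find it as the reliable root.
        & w32tm.exe /config /update /manualpeerlist:"$($ExternalPeers -join ' ')" /syncfromflags:manual /reliable:yes
    } else {
        # Everything else follows the domain hierarchy and must not claim to be reliable.
        & w32tm.exe /config /update /syncfromflags:domhier /reliable:no
    }
    # Hyper-V guests: keep the Integration Services time provider off so the
    # DC never takes time from the host (the last bullet on the previous slide).
    $vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
    if (Test-Path $vmic) { Set-ItemProperty -Path $vmic -Name Enabled -Value 0 }
    Restart-Service w32time
    & w32tm.exe /resync /nowait
}

function Test-DcTimeSource {
    # What the service actually uses, plus the AnnounceFlags value from the slide.
    $source = (& w32tm.exe /query /source) -join ''
    $flags  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config').AnnounceFlags
    $status = (& w32tm.exe /query /status | Select-String 'Stratum|Last Successful Sync') -join '; '
    New-Object PSObject -Property @{ Computer = $env:COMPUTERNAME; Source = $source; AnnounceFlags = $flags; Status = $status }
}

Set-DcTimeSource
Test-DcTimeSource | Format-List
# Peer reachability is UDP 123; the deck's portqry line probes it:
#   portqry -n timeserver.iix.net.il -e 123 -p udp
```

On a non-PDCE DC the Source line should name another DC in the domain; if it reads "Local CMOS Clock" or "VM IC Time Synchronization Provider", the hierarchy is broken exactly as the Event ID 12 warning describes.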
Some additional tips
- Never clone a DC operating system!
- Remember that Windows Server 2008 R2 issues a random computer name by default.
- Do NOT disable IPv6:
http://support.microsoft.com/kb/929852
- Configure Windows Update
- Secure the server(s)
Some additional tips
- Configure Anti-Virus exclusions:
http://support.microsoft.com/kb/822158
- Configure backups
- Do not use snapshots for virtual DCs
- Do not pause/resume virtual DCs
- If on VMs, exclude DCs from Live Migration or vMotion
Removing old DCs
- Take your time to test.
- Consider shutting down the old DC(s) for a few days (the "who did it???!" effect).
- If all is OK, demote the old DCs one by one (dcpromo.exe).
- If demoting is unsuccessful, consider forcing it (dcpromo /forceremoval).
- If demoting was unsuccessful, you must clean AD from the old DC's remains (ntdsutil.exe metadata cleanup):
http://support.microsoft.com/kb/216498
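The metadata cleanup in KB 216498 is usually typed interactively; the added example below (not part of the deck) drives it from PowerShell and then checks the places where remains of a dead DC typically survive. It assumes Enterprise Admin rights on a surviving Windows Server 2008 R2 DC (whose ntdsutil accepts the server DN directly) and uses placeholder names.

```powershell
# Added example (not from the deck): the KB 216498 metadata cleanup driven from
# PowerShell, followed by the checks that prove the old DC has really gone.
# Assumptions: run as Enterprise Admin on a surviving Windows Server 2008 R2 DC
# (its ntdsutil accepts the server DN directly); names are placeholders.

$oldDc    = 'DC2003'                     # failed/unreachable old DC
$oldSite  = 'Default-First-Site-Name'    # site it lived in
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value
$serverDn = "CN=$oldDc,CN=Servers,CN=$oldSite,CN=Sites,$configNc"

function Remove-DcMetadata {
    # Removes the NTDS Settings object and the FRS/replication references, just
    # as the interactive session would. Only for a DC that could not be demoted,
    # even with dcpromo /forceremoval; a live DC must never be cleaned this way.
    & ntdsutil.exe "metadata cleanup" "remove selected server $serverDn" quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed ($LASTEXITCODE); finish the cleanup interactively" }
}

function Test-DcRemoved {
    $leftovers = @()
    # 1. NTDS Settings object in the configuration partition
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$serverDn")) { $leftovers += "NTDS Settings object still present" }
    # 2. Computer account in the Domain Controllers OU (KB 216498 tells you to delete it)
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=$oldDc,OU=Domain Controllers,$domainNc")) { $leftovers += "computer account still present" }
    # 3. FRS member object under the SYSVOL replica set
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=$oldDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNc")) { $leftovers += "FRS member still present" }
    # 4. DC SRV records: the old name must no longer appear in _msdcs
    $domainDns = ($domainNc -replace 'DC=', '' -replace ',', '.')
    $srv = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$domainDns" 2>&1
    if ($srv -match "$oldDc\.") { $leftovers += "SRV records still point at $oldDc" }
    # 5. Does any DC still list it as a replication partner?
    $partners = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv | Where-Object { $_.'Source DSA' -ieq $oldDc }
    if ($partners) { $leftovers += "replication links still reference $oldDc" }
    if ($leftovers) { $leftovers } else { "no remains of $oldDc found" }
}

Remove-DcMetadata
Test-DcRemoved
```

Stale SRV records are the item most often left behind, and they are the reason the "shut it down for a few days" advice matters: a client that still resolves the old DC will fail at logon, which tells you who was hard-coded to it before the metadata is gone for good.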
Raising DFL and FFL
Domain Function Level:
- Active Directory Users and Computers
Check version:
dsquery * "dc=contoso,dc=com" -scope base -attr msDS-Behavior-Version
(should be 2 for 2003, 3 for 2008, 4 for 2008 R2)
Forest Function Level:
- Active Directory Domains and Trusts
Check version:
dsquery * "cn=partitions,cn=configuration,dc=contoso,dc=com" -scope base -attr msDS-Behavior-Version
(should be 2 for 2003, 3 for 2008, 4 for 2008 R2)
Demo
- Adding the first Windows Server 2008 R2 DC.
- Removing the old Windows Server 2003 DC.
- Raising DFL/FFL.
Conclusion
- Upgrading your AD to Windows Server 2008 R2 is important even if you do not plan to use any of the benefits.
- Upgrading is not rocket science.
- Plan and test before you move.
- Verify and clean up after you move.
- More sessions on AD will follow…
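The slide raises the levels through the two MMC consoles; the added example below (not part of the deck) does the same with the Active Directory module that ships with Windows Server 2008 R2, after first listing the DCs that would block the raise, and then reads back the same msDS-Behavior-Version values the dsquery commands return. It assumes Enterprise Admin rights and a 2008 R2 DC or RSAT machine, and uses contoso.com from the slides as the forest root.

```powershell
# Added example (not from the deck): raise DFL and FFL with the Active Directory
# module (Windows Server 2008 R2) after checking what would block the raise.
# Assumptions: run as Enterprise Admin on a 2008 R2 DC or a box with RSAT;
# contoso.com is the forest root used on the slides.

Import-Module ActiveDirectory

function Get-FunctionalLevelBlockers {
    param([string]$Forest = 'contoso.com')
    # Every DC in a domain must be 2008 R2 before that domain can go to
    # Windows2008R2Domain, and every domain must be there before the FFL can follow.
    foreach ($d in (Get-ADForest -Identity $Forest).Domains) {
        Get-ADDomainController -Filter * -Server $d |
            Where-Object { $_.OperatingSystem -notlike 'Windows Server 2008 R2*' } |
            Select-Object @{n = 'Domain'; e = { $d }}, HostName, OperatingSystem, IsReadOnly
    }
}

function Set-ForestTo2008R2 {
    param([string]$Forest = 'contoso.com')
    $blockers = @(Get-FunctionalLevelBlockers -Forest $Forest)
    if ($blockers.Count -gt 0) { $blockers | Format-Table -AutoSize; throw "demote or upgrade these DCs first" }

    foreach ($d in (Get-ADForest -Identity $Forest).Domains) {
        $dom = Get-ADDomain -Identity $d
        if ($dom.DomainMode -ne 'Windows2008R2Domain') {
            # The raise is written on that domain's PDC Emulator.
            Set-ADDomainMode -Identity $d -DomainMode Windows2008R2Domain -Server $dom.PDCEmulator -Confirm:$false
        }
    }
    $forest = Get-ADForest -Identity $Forest
    if ($forest.ForestMode -ne 'Windows2008R2Forest') {
        # The forest raise is written on the Domain Naming Master.
        Set-ADForestMode -Identity $Forest -ForestMode Windows2008R2Forest -Server $forest.DomainNamingMaster -Confirm:$false
    }
}

function Get-FunctionalLevels {
    param([string]$Forest = 'contoso.com')
    # Same values the dsquery commands on the slide return: msDS-Behavior-Version 4 = 2008 R2.
    $f = Get-ADForest -Identity $Forest
    $rows = @(foreach ($d in $f.Domains) {
        $dom = Get-ADDomain -Identity $d
        $ver = (Get-ADObject -Identity $dom.DistinguishedName -Properties 'msDS-Behavior-Version' -Server $d).'msDS-Behavior-Version'
        New-Object PSObject -Property @{ Scope = $d; Level = $dom.DomainMode; BehaviorVersion = $ver }
    })
    $fver  = (Get-ADObject -Identity $f.PartitionsContainer -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'
    $rows += New-Object PSObject -Property @{ Scope = 'forest'; Level = $f.ForestMode; BehaviorVersion = $fver }
    $rows
}

Set-ForestTo2008R2
Get-FunctionalLevels | Format-Table Scope, Level, BehaviorVersion -AutoSize
```

Treat the raise as one-way for planning purposes: Windows Server 2008 R2 lets you lower a 2008 R2 level back to 2008 only as long as the AD Recycle Bin has not been enabled, and nothing lets you go below 2008 again, which is why this is the last step and not the first.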