Active Directory Upgrade
Published in: Technology

  1. Upgrading Active Directory from 2003 to 2008 R2
     Stanley Lopez, Senior Premier Field Engineer
  2. Agenda
     - Introducing Windows Server 2008 R2 into Active Directory
     - Windows Server 2008 R2 setup requirements
     - Windows Server 2008 R2 upgrade scenarios
     - Preparing Active Directory
     - DCPROMO
  3. Implementing Windows Server 2008 R2
     - New AD features in Windows Server 2008 R2
     - Server versions
     - System requirements
     - Full versus Core installation
     - Upgrade scenarios
     - Time configuration registry changes
     - Well-known TCP/UDP dynamic port changes
     - Kerberos improvements
  4. New AD features in Windows Server 2008 R2
     The Active Directory Domain Services role in Windows Server 2008 / 2008 R2 includes many features that are not available in earlier versions of Windows Server Active Directory:
     - Auditing enhancements
     - Fine-grained password policies
     - Read-only domain controllers (RODC)
     - Restartable Active Directory Domain Services
     - Database mounting tool
     - DFSR replication for SYSVOL
     - AES (Advanced Encryption Standard) support for Kerberos
     - User interface improvements
     - Protection from accidental deletion
     - Group Policy changes (central store, ADMX, preferences)
     - AD LDS
  5. Server versions (x64 only!)
     - Windows Server 2008 R2 Foundation: available through OEMs only, on selected single-processor servers, limited to 15 user accounts
     - Windows Server 2008 R2 Standard: provides most server roles and features and supports the Server Core installation
     - Windows Server 2008 R2 Enterprise: adds Failover Clustering and Active Directory Federation Services
     - Windows Server 2008 R2 Datacenter: additional memory and processors, and unlimited virtual image use rights
     - Windows Web Server 2008 R2: web / application / DNS server functionality only; other server roles are not available
  6. Minimum storage requirements for DCs
     - 500 MB for the Active Directory transaction logs
     - 500 MB for the drive containing the SYSVOL share
     - 1.5 GB to 2 GB for the Windows Server 2008 R2 operating system files
     - 0.4 GB for every 1,000 users in the directory on the NTDS.dit drive, plus 50% of the recommended disk space for each additional domain
     - Additional storage for each application partition
     - Consider the pagefile and dump files as well
     Recommended reading:
     - Step D1: Determine Domain Controller Configuration
     - Tuning Guidelines for Windows Server 2008 R2
     - Hardware requirements
     - How to reclaim space after applying Windows 7 / 2008 R2 Service Pack 1
  7. Full versus Core installation
     A Windows Server Core installation provides an environment for running one or more of the following server roles:
     - Active Directory Domain Services (AD DS)
     - Active Directory Lightweight Directory Services (AD LDS)
     - Active Directory Certificate Services (AD CS)
     - BranchCache hosted cache
     - Dynamic Host Configuration Protocol (DHCP) server
     - Domain Name System (DNS) server
     - Hyper-V
     - File server
     - Print services
     - Windows Media Services
     - Web services
  8. Upgrade scenarios
     - Cross-platform upgrades (32-bit to 64-bit) are not supported
     - In-place upgrade from Windows 2000 is not supported
     - Upgrading an existing OS to Server Core is not supported
     - Application compatibility issues; see:
       - Exchange Server Supportability Matrix (supported AD environments)
       - Supported Active Directory Environments by Office Communications Server Version
       - Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 Application Compatibility Update through Dynamic Update: June 2010
       - Application Considerations When Upgrading to Windows Server 2008
       - Known Issues When Upgrading to Windows Server 2008
  9. Time configuration registry changes
     - MaxPosPhaseCorrection (DWORD) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config: the new default for domain members and domain controllers is 172,800 seconds (48 hours)
     - MaxNegPhaseCorrection (DWORD) under the same key: the new default for domain members and domain controllers is 172,800 seconds (48 hours)
     This applies to clean installs and in-place upgrades alike. A value of 0xFFFFFFFF removes the bound entirely, so a bad upstream time source can move the whole domain's clock; keep the 48-hour default unless you have a specific reason not to. Be aware of KB 961027: "The Windows Time Group Policy has incorrect defaults after you enable the Windows Time Service Group Policy in Windows Server 2008 or Windows Vista Service Pack 1".
  10. TCP / UDP port considerations
     - Windows Server 2008 and later align the dynamic port range with the IANA standard; the default dynamic port range for TCP/IP changed in Vista and 2008
     - Default dynamic port ranges:
       - Windows Server 2008+ / Vista+: 49152 through 65535
       - Windows Server 2003: 1025 through 5000
     - To adjust the dynamic range: netsh int <ipv4|ipv6> set dynamicportrange <tcp|udp> start=<number> num=<range>
     - Any firewall between 2003 and 2008 R2 domain controllers therefore has to pass RPC on both ranges until the last 2003 DC is gone; otherwise replication and logon fail in one direction only
     - Root domain connectivity is needed:
       - Logoff takes several minutes if there is no LDAP connectivity to the forest root domain (KB 971198)
       - AD cannot be installed if DNS and LDAP traffic to the forest root domain is blocked
  11. Kerberos changes (AES)
     - The change in the default encryption type causes security audit events 675 and 680 on Windows Server 2003 DCs, which do not support AES
     - Pre-authentication can be started with RC4 instead by setting the DefaultEncryptionType registry value (under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters) to 0x17, which is RC4-HMAC (etype 23). Note that the AES etypes are 17 and 18 decimal (0x11 AES128, 0x12 AES256), not 0x18
     - This only changes the first pre-authentication attempt; once no Windows Server 2003 DCs remain, remove the override so clients go back to AES
     - See the blog post ...authentication-on-vista-and-windows-7-clients-cause-security-audit-events-675-and-680-on-windows-server-2003-dc-s.aspx
  12. Other known issues (setting, 2003 default, 2008 R2 default, comment)
     - AllowNT4Crypto (2003: N/A; 2008 R2: Disabled): third-party Server Message Block (SMB) clients may be incompatible with the secure default settings on Windows Server 2008 and Windows Server 2008 R2 domain controllers (article 942564)
     - DES (2003: Enabled; 2008 R2: Disabled): security principals and services that use only DES encryption for Kerberos authentication are incompatible with the default settings on Windows 7 and Windows Server 2008 R2 (articles 977321 and 978055)
     - CBT / Extended Protection (2003: N/A; 2008 R2: Enabled): see Microsoft Security Advisory 973811 (Extended Protection for Authentication), article 976918 and "Control Extended Protection for Authentication using Security Policy"
     - LMv2 (2003: Enabled; 2008 R2: Disabled): computers running Windows 7 and Windows Server 2008 R2 may fail to be authenticated by non-Windows NTLM or Kerberos-based servers (article 976918). Symptoms include:
       1. Windows clients that support channel binding fail to be authenticated by a non-Windows Kerberos server
       2. NTLM authentication failures from proxy servers
       3. NTLM authentication failures from non-Windows NTLM servers
       4. NTLM authentication failures when there is a time difference between the client and the DC or workgroup server
     - LM hash (2003: Enabled; 2008 R2: Disabled): if you add a Windows Server 2008 domain controller to an existing domain using the default domain policy, the NoLMHash policy of the existing domain controllers is disabled while the NoLMHash policy on Windows Server 2008 is enabled (article 946405)
     - Signing required (2003: No; 2008 R2: Yes): Windows Server 2008 and 2008 R2 domain controllers require by default that all client computers authenticating to them perform SMB packet signing and secure channel signing
     - DNS (N/A): some DNS name queries are unsuccessful after you deploy a 2003 or 2008 R2-based DNS server
     - Lockouts / LmCompatibilityLevel (2003: ?; 2008 R2: 3): massive account lockouts from transitive NTLM authentication usually mean a mismatch of the LAN Manager authentication level between the clients and the DCs in the path
     - Hotfix list (N/A): for a sample list of recommended hotfixes see the AskDS blog, or evaluate SP1 (recommended)
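The registry and netsh settings from slides 9 to 12 are easy to check before an upgrade rather than after the first lockout storm. The script below is an added example, not part of the deck: it reads those values off the local machine and annotates each one with the default the slides quote. Registry paths are the standard locations for these policies (the Kerberos policy bitmask lives under the Policies\System\Kerberos\Parameters key only when set by GPO); the English-language netsh output format is assumed. Run it elevated on the 2003 or 2008 R2 machine you are about to touch.

```powershell
# Added example, not from the deck: pre-upgrade check of the settings on slides 9-12.
# Assumes an English netsh and standard registry locations; $null = value absent,
# i.e. the OS default applies. Written for PowerShell 2.0 (2008 R2 default).

function Read-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-DynamicPortRange {
    param([string]$Family = 'ipv4', [string]$Proto = 'tcp')
    # netsh prints "Start Port : 49152" and "Number of Ports : 16384";
    # "dynamicport" is the accepted abbreviation of "dynamicportrange".
    $text = (& netsh int $Family show dynamicport $Proto 2>&1) -join "`n"
    $m1 = [regex]::Match($text, 'Start Port\s*:\s*(\d+)')
    $m2 = [regex]::Match($text, 'Number of Ports\s*:\s*(\d+)')
    if (-not ($m1.Success -and $m2.Success)) { return $null }
    $start = [int]$m1.Groups[1].Value
    New-Object PSObject -Property @{ Start = $start; End = $start + [int]$m2.Groups[1].Value - 1 }
}

function Get-AdUpgradePreflight {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $krb = "$lsa\Kerberos\Parameters"
    $nl  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $gpo = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $out = New-Object System.Collections.Generic.List[object]
    function Add-Row([string]$Setting, $Value, [string]$Note) {
        $out.Add((New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Note = $Note }))
    }

    # Slide 9: phase correction bounds. Get-ItemProperty returns 0xFFFFFFFF as -1.
    foreach ($n in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        $v = Read-RegValue $w32 $n
        $note = if ($null -eq $v) { 'absent: OS default applies' }
                elseif ($v -eq -1 -or $v -eq 4294967295) { 'unlimited: any upstream time jump is accepted' }
                elseif ($v -gt 172800) { 'above the 2008 R2 default of 172800 (48 h)' }
                else { 'ok' }
        Add-Row $n $v $note
    }

    # Slide 10: dynamic RPC range (2003: 1025-5000, 2008+: 49152-65535).
    $r = Get-DynamicPortRange
    if ($null -eq $r) { Add-Row 'DynamicPortRange' $null 'netsh output not parsed' }
    else {
        $note = if ($r.Start -lt 49152) { '2003-style range: firewall rules must cover both ranges during coexistence' } else { 'IANA range (2008+)' }
        Add-Row 'DynamicPortRange' ('{0}-{1}' -f $r.Start, $r.End) $note
    }

    # Slide 11: 0x17 = RC4-HMAC (etype 23) forces RC4-first pre-authentication.
    $v = Read-RegValue $krb 'DefaultEncryptionType'
    $note = if ($null -eq $v) { 'absent: OS default (AES preferred on 2008 R2 / Win7)' }
            elseif ($v -eq 0x17) { 'RC4 pre-auth override; remove once no 2003 DCs remain' }
            else { 'non-default value; check intent' }
    Add-Row 'DefaultEncryptionType' $v $note

    # Slide 12, DES: GPO bitmask 1,2 = DES, 4 = RC4, 8 = AES128, 16 = AES256.
    $v = Read-RegValue $gpo 'SupportedEncryptionTypes'
    $note = if ($null -eq $v) { 'absent: DES disabled by default on 2008 R2 / Win7' }
            elseif ($v -band 3) { 'DES re-enabled by policy (articles 977321 / 978055)' }
            else { 'DES not allowed' }
    Add-Row 'SupportedEncryptionTypes' $v $note

    # Slide 12, LM/NTLM: a level mismatch on the path is the usual lockout cause.
    $v = Read-RegValue $lsa 'LmCompatibilityLevel'
    Add-Row 'LmCompatibilityLevel' $v $(if ($null -eq $v) { 'absent: OS default (3 on 2008 R2, lower on 2003)' } elseif ($v -lt 3) { 'LM/NTLMv1 responses still sent' } else { 'NTLMv2 only' })
    $v = Read-RegValue $lsa 'NoLMHash'
    Add-Row 'NoLMHash' $v $(if ($v -eq 1) { 'LM hashes not stored' } else { 'LM hashes stored at next password change (article 946405)' })

    # Slide 12: NT4 crypto, secure channel and SMB signing, extended protection.
    $v = Read-RegValue $nl 'AllowNT4Crypto'
    Add-Row 'AllowNT4Crypto' $v $(if ($v -eq 1) { 'NT4-era crypto allowed (article 942564)' } else { 'disabled (2008 R2 default)' })
    foreach ($n in 'RequireSignOrSeal', 'RequireStrongKey') {
        $v = Read-RegValue $nl $n
        Add-Row $n $v $(if ($v -eq 1) { 'secure channel enforced' } else { 'not enforced' })
    }
    $v = Read-RegValue $srv 'RequireSecuritySignature'
    Add-Row 'SMB RequireSecuritySignature' $v $(if ($v -eq 1) { 'SMB signing required (DC default)' } else { 'not required' })
    $v = Read-RegValue $lsa 'SuppressExtendedProtection'
    Add-Row 'SuppressExtendedProtection' $v $(if ($v) { 'extended protection suppressed' } else { 'extended protection on (advisory 973811)' })
    return $out
}

Get-AdUpgradePreflight | Format-Table Setting, Value, Note -AutoSize -Wrap
```

Run it on one 2003 DC and one 2008 R2 DC and diff the two tables; every row where the two differ is a candidate cause for the symptoms in the slide-12 list, and the LmCompatibilityLevel row in particular should match across every machine in an NTLM path.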
  13. Preparing the AD environment for Windows Server 2008 R2
     - Create a lab first!
     - Trigger garbage collection on all DCs
     - Locate the schema master and disable outbound replication on it, so that the schema changes stay on one DC until the adprep logs have been checked; if forestprep fails you restore that one DC instead of cleaning up the whole forest
     - Forestprep: prepare the existing forest for a Windows Server 2008 R2 DC
     - Domainprep: prepare each existing domain for a Windows Server 2008 R2 DC
     - Rodcprep: prepare the existing forest for Windows Server 2008 R2 RODCs
     - Verify the adprep logs
     - Enable outbound replication again
     Notes:
     - Use adprep32 on 32-bit systems instead
     - The ADPREP debug logs have moved from %systemroot%\system32\debug to %systemroot%\debug\adprep
     - ADPREP error lists: "Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains"
     - For creating a lab, see "Testing for Active Directory Schema Extension Conflicts"
     - SP1 and Directory Services (added 14 Jan 2011)
  14. RODC considerations with ADPREP
     - The forest functional level must be Windows Server 2003 or higher, so that linked-value replication is available
     - If the RODC will be a global catalog server, you must also run adprep /domainprep in all domains in the forest
     - The first Windows Server 2008 R2 domain controller in an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain cannot be created as an RODC
     - Be aware of KB 949257 (invalid fSMORoleOwner)
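Slides 13 and 14 are one procedure, and the order matters: isolate the schema master, run adprep, verify, and only then let the change replicate. The script below is an added example, not the deck's own material, that strings those steps together. It assumes the 2008 R2 media is mounted at D:\ (adprep.exe and adprep32.exe live under \support\adprep), that it runs elevated on the schema master as a member of Schema Admins and Enterprise Admins, and that you run adprep /domainprep yourself on each domain's infrastructure master, which it lists at the end. Garbage collection is triggered through the rootDSE operational attribute doGarbageCollection via ldifde.

```powershell
# Added example, not from the deck: slide-13 runbook. Assumes 2008 R2 media at
# $Media, elevated run on the schema master, Schema/Enterprise Admin rights.
param(
    [string]$Media = 'D:\support\adprep',   # assumed DVD mount point
    [switch]$Rodc                           # also run /rodcprep (slide 14)
)
$ErrorActionPreference = 'Stop'

function Get-SchemaInfo {
    # Schema master and objectVersion via ADSI (no RSAT needed, works from a 2003 DC).
    $root = [ADSI]'LDAP://RootDSE'
    $nc   = [string]$root.schemaNamingContext
    $sch  = [ADSI]"LDAP://$nc"
    $ntds = [string]$sch.fSMORoleOwner          # CN=NTDS Settings,CN=<server>,CN=Servers,...
    $srv  = [ADSI]('LDAP://' + ($ntds -replace '^CN=NTDS Settings,', ''))
    New-Object PSObject -Property @{ SchemaMaster = [string]$srv.dNSHostName; Version = [int]$sch.objectVersion }
}

function Invoke-GarbageCollection([string]$Dc) {
    # Writing doGarbageCollection=1 to rootDSE starts an immediate GC pass on that DC.
    $ldf = Join-Path $env:TEMP 'gc.ldf'
    "dn:`nchangetype: modify`nadd: doGarbageCollection`ndoGarbageCollection: 1`n-" |
        Set-Content -Path $ldf -Encoding Ascii
    & ldifde -i -f $ldf -s $Dc | Out-Null
    Remove-Item $ldf
}

$before = Get-SchemaInfo
if ($env:COMPUTERNAME -ne ($before.SchemaMaster -split '\.')[0]) {
    throw "Run this on the schema master: $($before.SchemaMaster)"
}
if ($before.Version -ge 47) { Write-Host "Schema already at $($before.Version); nothing to do"; return }
$adprep = Join-Path $Media $(if ($env:PROCESSOR_ARCHITECTURE -eq 'x86') { 'adprep32.exe' } else { 'adprep.exe' })

# 1. Garbage collection on every DC in the forest.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($d in $forest.Domains) { foreach ($dc in $d.FindAllDomainControllers()) { Invoke-GarbageCollection $dc.Name } }

# 2. Isolate the schema master so a failed forestprep cannot replicate out.
& repadmin /options $before.SchemaMaster +DISABLE_OUTBOUND_REPL | Out-Null
$ok = $false
try {
    # 3. forestprep (adprep prompts for C + Enter), then optionally rodcprep.
    & $adprep /forestprep
    if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep exit code $LASTEXITCODE" }
    if ($Rodc) { & $adprep /rodcprep; if ($LASTEXITCODE -ne 0) { throw "adprep /rodcprep exit code $LASTEXITCODE" } }

    # 4. Verify the newest adprep.log and the objectVersion (47 = 2008 R2, slide 16)
    #    before anything leaves this DC.
    $log = Get-ChildItem "$env:SystemRoot\debug\adprep\logs" -Recurse -Filter adprep.log |
           Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not (Select-String -Path $log.FullName -Pattern 'successfully' -Quiet)) { throw "$($log.FullName) does not report success" }
    $after = Get-SchemaInfo
    if ($after.Version -ne 47) { throw "objectVersion is $($after.Version), expected 47" }
    $ok = $true
}
finally {
    # 5. Re-enable outbound replication only after verification; on failure leave
    #    it off and restore this DC from backup rather than replicate a broken schema.
    if ($ok) { & repadmin /options $before.SchemaMaster -DISABLE_OUTBOUND_REPL | Out-Null }
    else     { Write-Warning "Outbound replication left DISABLED on $($before.SchemaMaster)" }
}

# 6. domainprep runs in every domain, on its infrastructure master.
foreach ($d in $forest.Domains) {
    '{0}: run "adprep /domainprep /gpprep" on {1}' -f $d.Name, $d.InfrastructureRoleOwner.Name
}
```

Leaving outbound replication disabled on failure is deliberate: a schema that was only half-extended on one DC is recoverable by restoring that DC, whereas one that has replicated to the forest is not.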
  15. Identify the schema version
     Determine the current version of the Active Directory schema by checking the objectVersion attribute of the cn=schema,cn=configuration,dc=<root_domain> partition. Example:
       dsquery * cn=schema,cn=configuration,dc=<root_domain> -scope base -attr objectVersion
     Applications track their schema changes differently, so a different object has to be queried for each. Exchange, for example:
       dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=<root_domain> -scope base -attr rangeUpper
  16. Schema versions
     Value of the objectVersion attribute on cn=schema,cn=configuration,dc=<root_domain>:
     Operating system          Schema version
     Windows 2000 Server       13
     Windows Server 2003       30
     Windows Server 2003 R2    31
     Windows Server 2008       44
     Windows Server 2008 R2    47
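The dsquery commands on slide 15 give you raw numbers; the check you actually want before an upgrade is the combination of slides 14 to 16: is forestprep still needed, is the forest functional level high enough for an RODC, and what does Exchange say. The following added example (not from the deck) reads all of that over ADSI so it runs on a 2003 DC without RSAT. The version-to-OS mapping is the slide-16 table; the functional-level numbers (0 = 2000, 1 = 2003 interim, 2 = 2003, 3 = 2008, 4 = 2008 R2) are the standard RootDSE encoding.

```powershell
# Added example, not from the deck: readiness check for slides 14-16 over ADSI.
$SchemaVersions = @{ 13 = 'Windows 2000 Server'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                     44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }
$FunctionalLevels = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
                       3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2' }

function Get-AdReadiness {
    $root     = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$root.schemaNamingContext
    $objVer   = [int]([ADSI]"LDAP://$schemaNc").objectVersion      # slide 15 / 16
    $ffl      = [int][string]$root.forestFunctionality
    $dfl      = [int][string]$root.domainFunctionality

    # Exchange keeps its own version on ms-Exch-Schema-Version-Pt.rangeUpper (slide 15);
    # the object is absent in a forest without Exchange, so tolerate the bind failure.
    $exchVer = $null
    try { $exchVer = [int]([ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc").rangeUpper } catch { }

    New-Object PSObject -Property @{
        SchemaVersion      = $objVer
        SchemaOS           = $SchemaVersions[$objVer]
        ForestPrepNeeded   = ($objVer -lt 47)          # 47 = Windows Server 2008 R2
        ForestLevel        = $FunctionalLevels[$ffl]
        RodcPossible       = ($ffl -ge 2)              # slide 14: FFL 2003+ for linked-value replication
        DomainLevel        = $FunctionalLevels[$dfl]
        ExchangeRangeUpper = $exchVer
    }
}

Get-AdReadiness | Format-List SchemaVersion, SchemaOS, ForestPrepNeeded, ForestLevel, RodcPossible, DomainLevel, ExchangeRangeUpper
```

An objectVersion that is not in the table (for example one higher than 47) means a later schema than this deck covers; treat it as "check the media you are about to use", not as "already done".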
  17. Active Directory installation
     - New installation options
     - DCPROMO enhancements
     - Adding the DC role using Server Manager
     - Unattended installation options
     - Global catalog options
     - DNS options
  18. New DCPROMO installation options
     - Pick the source domain controller
     - Pick the destination site
     - DNS is installed automatically (covered later in this module and in detail in the DNS module)
     - Optional global catalog install
     - Automatic reboot on completion
     - Installs GPMC by default
  19. Demo
  20. Questions?
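The options slide 18 lists (source DC, destination site, DNS, global catalog, reboot) map one to one onto keys in a dcpromo unattend file. The block below is an added example, not part of the deck, that generates such a file and runs dcpromo with it. Domain, source DC and site names are placeholders; the [DCInstall] keys are the documented dcpromo unattend keys; Password=* makes dcpromo prompt for the promotion credential rather than storing it. The DSRM password has to be in the file in clear text, so the script prompts for it, keeps RebootOnCompletion=No so that the cleanup is guaranteed to run, deletes the file, and leaves the reboot to you after you have read %systemroot%\debug\dcpromo.log.

```powershell
# Added example, not from the deck: unattended replica DC promotion (slide 18).
# Placeholders: $Domain, $SourceDc, $Site. Run elevated on the 2008 R2 member server.
param(
    [string]$Domain   = 'corp.example.com',          # assumed
    [string]$SourceDc = 'dc01.corp.example.com',     # assumed source DC (slide 18)
    [string]$Site     = 'Default-First-Site-Name',   # assumed destination site
    [switch]$NoGc                                    # default is to make it a GC
)

# Prompt for the DSRM password; it must appear in clear text in the answer file.
$secure = Read-Host 'DSRM (safe mode) administrator password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$answer = Join-Path $env:TEMP 'dcpromo.txt'
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$Domain
ReplicationSourceDC=$SourceDc
SiteName=$Site
InstallDNS=Yes
CreateDNSDelegation=No
ConfirmGc=$(if ($NoGc) { 'No' } else { 'Yes' })
UserDomain=$Domain
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$plain
RebootOnCompletion=No
"@ | Set-Content -Path $answer -Encoding Ascii

try {
    & "$env:SystemRoot\system32\dcpromo.exe" "/unattend:$answer"
    Write-Host "dcpromo exit code $LASTEXITCODE; review $env:SystemRoot\debug\dcpromo.log, then reboot"
}
finally {
    # The answer file holds the DSRM password: remove it whatever happened.
    Remove-Item $answer -Force -ErrorAction SilentlyContinue
    $plain = $null
}
```

If you do want the automatic reboot from slide 18, set RebootOnCompletion=Yes and put the answer file on a volume you wipe afterwards; a promotion log and a leftover file with the DSRM password next to each other on C:\ is exactly what an attacker with local access hopes to find.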