Upgradation Plan for Active directory 2003 to 2008

  • Thursday, October 29, 2009 5:13 AM, Amit Nigam

    Hi,

    We have an Active Directory 2003 setup, a single forest, and we have three physical locations which are replicating through a site-to-site VPN.

    We have created three sites (Location 1, 2, 3) through Sites and Services.

    Location 1 (head office) has 2 DCs; all five roles are at this site.

    Location 2 (regional office) has 2 DCs; the servers are acting as ADCs only.

    Location 3 (regional office) has 1 DC; the server is acting as an ADC only.

    Queries:

    I would like to upgrade to the new technologies of Active Directory, from 2003 to 2008.

    Which Windows 2008 server will be good, Windows Server 2008 or Windows Server 2008 R2?

    What are the ports I need to open in the Windows 2008 server firewall?

    I would like to set one DC as an additional DC of 2008, then after proper replication I would like to move the roles to it; what do I need to do?

    Can you suggest any step-by-step information link for the upgrade process?

    Do let me know in case I need to share something else to help me.

    Regards

    Amit Nigam

All Replies

  • Thursday, October 29, 2009 6:35 AM, Syed Khairuddin
    Answer
    1) Which Windows 2008 server will be good, Windows Server 2008 or Windows Server 2008 R2?

    I guess Windows 2008 R2 will be a good one, as it has a lot of new features, which include Active Directory Recycle Bin, service account names and a lot more things.

    2) What are the ports I need to open in the Windows 2008 server firewall?

    Please see this article about Active Directory replication over firewalls:

    http://technet.microsoft.com/en-us/library/bb727063.aspx

    3) I would like to set one DC as an additional DC of 2008, then after proper replication I would like to move the roles to it; what do I need to do?

    Yes, you can have a Windows 2008 server as an ADC, but prior to that you have to make sure that you run the below commands:

    adprep /forestprep on the schema operations master

    adprep /domainprep on the infrastructure operations master

    adprep /domainprep /gpprep on the infrastructure operations master

    For more information about adprep on Windows Server 2008 R2, please refer to:
    http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx

    4) Can you suggest any step-by-step information link for the upgrade process?

    The link below is for an in-place upgrade, but before doing it, it is strongly recommended to take a complete system state backup:

    http://www.elmajdal.net/win2k8/In-Place_Upgrade_Windows_Server_2003_Domain_Controller_To_Windows_Server_2008.aspx

    http://technetfaqs.wordpress.com
  • Thursday, November 05, 2009 6:36 AM, Amit Nigam

    Hi Syed,

    Thanks for the reply.

    This information is really going to help me a lot.

    I have a few more queries related to this.

    1. Can we have more than one RODC (Read Only Domain Controller) in one forest, in my setup? Actually, I would like to give an authentication facility to branch office users.

    2. Can you please let me know about a link where I can see and know more about RMS (Rights Management System, which is in AD 2008)? I would like to implement it.

    3. I am preparing a business case which actually needs to have a comparative study of AD 2003 vs. AD 2008. For that, can you suggest any link?

    Please let me know if anything is not clear about my query.

    Regards
    Amit Nigam
  • Saturday, November 07, 2009 8:36 PM, Meinolf Weber [MVP-DS]
    Answer

    Hello,

    1. Yes, you can have multiple RODCs without any problem.

    2. http://technet.microsoft.com/en-us/library/cc753531(WS.10).aspx

    3. http://www.microsoft.com/windowsserver2008/en/us/why-upgrade.aspx

    For the first question you had:

    If you have the option/money for 2008 R2, I would choose it. But with 2008 and 2008 R2 you are a bit limited when you use Exchange 2000/2003/2007 in the domain; each has some limitations with both 2008 versions.

    For firewall ports check out the following articles:
    http://support.microsoft.com/kb/179442/
    http://technet.microsoft.com/en-us/library/bb125069(EXCHG.65).aspx
    http://www.microsoft.com/downloads/details.aspx?familyid=C2EF3846-43F0-4CAF-9767-A9166368434E&displaylang=en

    Add a 2008 or 2008 R2 machine as an additional DC to the domain according to the following:
    !!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DATA/MACHINE!!!

    - Do you use any kind of Exchange in the 2003 domain? If yes, which one?

    - On the old server, open the DNS management console and check that you are running Active Directory integrated zones (easier for replication if you have more than one DNS server).

    - Run replmon from the run line or repadmin /showrepl (only if more than one DC exists), and dcdiag and netdiag from the command prompt on the old machine to check for errors; if you have some, post the complete output from the commands here or solve them first. For these tools you have to install support\tools\suptools.msi from the 2003 installation disk.

    - Run adprep /forestprep, adprep /domainprep and adprep /rodcprep from the 2008 installation disk against the 2003 schema master (forestprep) / infrastructure master (domainprep/rodcprep), with an account that is a member of the Schema/Enterprise/Domain Admins, to upgrade the schema to the new version (44) or 2008 R2 (47).

    - You can check the schema version with "schupgr" or "dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion" (without the quotes) in a command prompt.

    - Install the new machine as a member server in your existing domain.

    - Configure a fixed IP and set the preferred DNS server to the old DNS server only. Think about disabling IPv6 if you are not using it; some known problems exist with it. Follow http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx to disable it.

    - Run dcpromo and follow the wizard to add the 2008 server to an existing domain; make it also a Global Catalog and DNS server.

    - For DNS, give the server time for replication, at least 15 minutes. Because you use Active Directory integrated zones, it will automatically replicate the zones to the new server. Open the DNS management console to check that they appear.

    - Once the new machine is a domain controller and DNS server, run replmon, dcdiag and netdiag again (copy netdiag from the 2003 to the 2008 machine; it will work) on both domain controllers.

    - Transfer, NOT seize, the 5 FSMO roles to the new domain controller (http://support.microsoft.com/kb/324801 applies also for 2008); the FSMO roles should always be on the DC with the newest OS.

    - You can see in the event viewer (Directory Service) that the roles are transferred; also give it some time.

    - Reconfigure the DNS configuration on the NIC of the 2008 server: preferred DNS itself, secondary the old one.

    - If you use DHCP, do not forget to reconfigure the scope settings to point to the newly installed DNS server.

    - If needed, for export and import of the DHCP database to 2008 choose the "netshell dhcp backup" and "netshell dhcp restore" commands (http://technet.microsoft.com/en-us/library/cc772372.aspx).

    Demoting the old DC

    - Reconfigure your clients/servers so that they no longer point to the old DC/DNS server on the NIC.

    - To be sure that everything runs fine, disconnect the old DC from the network and check connectivity and logon with clients and servers, and also restart one client to see that everything is OK.

    - Then run dcpromo to demote the old DC; if it works fine, the machine will move from the DC's OU to the Computers container, where you can delete it by hand. It can be that you get an error at the beginning of demoting; then uncheck Global Catalog on that DC and try again.

    - Check in the DNS management console that all entries from the machine have disappeared, or delete them by hand if the machine is off the network forever.

    - Also you have to start AD Sites and Services and delete the old server name under the site; this will not be done during demotion.

    Best regards, Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
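The schema-version check and the FSMO transfer verification from the procedure above, done from PowerShell via ADSI, as an added example that is not part of either answer in the thread. It assumes it is run on a domain-joined 2008/2008 R2 machine as a user that can read the directory, and uses the version-to-OS table as quoted in the thread (44 = 2008, 47 = 2008 R2); repadmin and dcdiag must be on the path.

```powershell
# Added example, not from the thread: the schema-version and FSMO checks that the
# steps above do by hand with dsquery and the event viewer, done from PowerShell
# via ADSI. Assumptions: run on a domain-joined 2008/2008 R2 box as a user that can
# read the directory; version table as quoted in the thread (44 = 2008, 47 = 2008 R2).

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.Properties["schemaNamingContext"].Value
$configNc = $rootDse.Properties["configurationNamingContext"].Value
$domainNc = $rootDse.Properties["defaultNamingContext"].Value

# 1. Schema objectVersion, the attribute the dsquery command in the thread reads.
$schemaVersions = @{ 30 = "Windows Server 2003"; 31 = "Windows Server 2003 R2";
                     44 = "Windows Server 2008"; 47 = "Windows Server 2008 R2" }
$version = [int]([ADSI]"LDAP://$schemaNc").Properties["objectVersion"].Value
$label   = if ($schemaVersions.ContainsKey($version)) { $schemaVersions[$version] } else { "unknown" }
Write-Host ("Schema objectVersion = {0} ({1})" -f $version, $label)
if ($version -lt 44) {
    Write-Warning "Schema is still at the 2003 level: run adprep /forestprep before dcpromo of a 2008 DC."
}

# 2. FSMO role holders: each role is the fSMORoleOwner attribute of a well-known object.
#    Run this before and after the transfer to confirm all five roles moved to the new DC.
$roleObjects = @{
    "Schema master"         = $schemaNc
    "Domain naming master"  = "CN=Partitions,$configNc"
    "PDC emulator"          = $domainNc
    "RID master"            = "CN=RID Manager`$,CN=System,$domainNc"
    "Infrastructure master" = "CN=Infrastructure,$domainNc"
}
foreach ($role in $roleObjects.Keys) {
    $owner = ([ADSI]"LDAP://$($roleObjects[$role])").Properties["fSMORoleOwner"].Value
    # The value is an NTDS Settings DN; its second RDN is the DC's name.
    $dc = (($owner -split ",")[1]) -replace "^CN=", ""
    Write-Host ("{0,-22} {1}" -f $role, $dc)
}

# 3. Replication and DC health, as the thread asks for before and after promotion.
repadmin /showrepl
dcdiag /q
```

Run it once on the old DC before adprep (expect 30 or 31 and all five roles on the head-office DC) and again on the new DC after the transfer (expect 44 or 47 and all five roles on the new server).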