2008R2 Migration Questions (ldap logging, adprep, dns & time service)

    Question

  • I've got a couple of quick questions about my migration from 2003 to 2008R2.  First, our environment: Exchange 2003 SP2; Two DCs in site1, one DC in site2; Domain/forest functional levels are 2003/2003 interim.

    1. It is my understanding that nothing gets rebooted and Exchange won't blip or anything when I run ADPREP.  Is that correct? Will users notice any interruption in service?

    2. Are there any issues to consider regarding running a 2003 and a 2008R2 DNS together?

    3. How do I make my 2008R2 DNS server the primary?

    4. Since we're changing host names, how can I tell what service(s) are connecting to a particular LDAP server? Is there logging I can enable?

    5. When I run the command reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters on my XP clients (I checked just a couple), it looks like time.windows.com is my time server.  Shouldn't it be one of my DCs?

    6. The new DC will replace our current authoritative time server.  How do clients find the time server?

     

    Thanks.

    Sunday, July 04, 2010 10:01 PM

Answers

  • Hi,

     

    Please check the answer below:

     

    1. It is my understanding that nothing gets rebooted and Exchange won't blip or anything when I run ADPREP.  Is that correct? Will users notice any interruption in service?

    Yes, we don’t need to reboot the domain controller to complete the adprep. I suggest that you confirm with Exchange experts to check whether it has any impact on the Exchange service.

     

    Exchange Server forum

    http://social.technet.microsoft.com/Forums/en-US/category/exchangeserver

     

    2. Are there any issues to consider regarding running a 2003 and a 2008R2 DNS together?

    I’ve not heard of any known issue so far.

     

    3. How do I make my 2008R2 DNS server the primary?

    If you are using an Active Directory-integrated DNS zone, it offers a multi-master model (rather than the traditional primary/secondary model). It means you can modify the DNS records on each DNS server. An Active Directory-integrated zone is a primary DNS zone that's held within AD and replicated to the other AD primary zones using AD replication (and not traditional zone transfer). Although this method of holding zones is a Microsoft proprietary approach, it can provide some useful benefits.

     

    Active Directory-Integrated DNS

    http://technet.microsoft.com/en-us/library/cc978010.aspx

     

    4. Since we're changing host names, how can I tell what service(s) are connecting to a particular LDAP server? Is there logging I can enable?

    You can use nltest /dsgetdc: command.

     

    5. When I run the command reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters on my XP clients (I checked just a couple), it looks like time.windows.com is my time server.  Shouldn't it be one of my DCs?

    It is normal. You just need to ensure that the value of the registry entry Type (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters) is NT5DS.

     

    6. The new DC will replace our current authoritative time server.  How do clients find the time server?

    You can refer to the following articles:

     

    How to configure an authoritative time server in Windows Server

    http://support.microsoft.com/kb/816042

     

    How the Windows Time Service Works

    http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

     


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by mhashemi Tuesday, July 06, 2010 9:15 PM
    Monday, July 05, 2010 4:28 AM
    Moderator
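Neither answer gives the original poster what question 4 actually asks for: an inventory of which hosts are talking LDAP to the DC that is about to be renamed (nltest /dsgetdc locates a DC from a client; it does not list a DC's clients). The script below is an added example, not code from the thread or from Microsoft: it parses the output of netstat on the DC, keeps only established connections to the LDAP, LDAPS and Global Catalog ports, and groups them by client address. It is written for PowerShell 2.0 as shipped with Windows Server 2008 R2 (no Get-NetTCPConnection), and the netstat text embedded in it is constructed sample data. Running it from a scheduled task over a day or two catches the batch jobs and services that only bind occasionally.

```powershell
# Added example (not from the thread): which hosts currently hold LDAP/LDAPS/GC
# connections to this domain controller, parsed from `netstat -n -p TCP`.
# Written for PowerShell 2.0 on Windows Server 2008 R2.

$LdapPorts = @{ 389 = 'LDAP'; 636 = 'LDAPS'; 3268 = 'GC'; 3269 = 'GC-SSL' }

function ConvertFrom-NetstatLine {
    # Turn one "TCP  local  remote  state" row into an object; $null for header/UDP rows.
    param([string]$Line)
    $fields = $Line.Trim() -split '\s+'
    if ($fields.Count -lt 4 -or $fields[0] -ne 'TCP') { return $null }
    # Split "address:port" on the LAST colon so IPv6 literals like [fe80::1]:389 parse too.
    $lIdx = $fields[1].LastIndexOf(':')
    $rIdx = $fields[2].LastIndexOf(':')
    New-Object PSObject -Property @{
        LocalPort  = [int]$fields[1].Substring($lIdx + 1)
        RemoteHost = $fields[2].Substring(0, $rIdx).Trim('[', ']')
        RemotePort = [int]$fields[2].Substring($rIdx + 1)
        State      = $fields[3]
    }
}

function Get-LdapClientSummary {
    # Group ESTABLISHED connections to the directory ports by client and service.
    param([string[]]$NetstatLines)
    $rows = foreach ($l in $NetstatLines) { ConvertFrom-NetstatLine $l }
    $rows |
        Where-Object { $_ -and $_.State -eq 'ESTABLISHED' -and $LdapPorts.ContainsKey($_.LocalPort) } |
        Group-Object RemoteHost, LocalPort |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                Client      = $first.RemoteHost
                Service     = $LdapPorts[$first.LocalPort]
                Connections = $_.Count
            }
        } |
        Sort-Object Connections -Descending
}

# Constructed sample output. On the DC itself use:  $lines = netstat -n -p TCP
$sample = @'
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.10:389          10.0.0.25:49211        ESTABLISHED
  TCP    10.0.0.10:389          10.0.0.25:49212        ESTABLISHED
  TCP    10.0.0.10:636          10.0.0.40:51002        ESTABLISHED
  TCP    10.0.0.10:3268         10.0.0.25:49300        ESTABLISHED
  TCP    10.0.0.10:389          10.0.0.77:52010        TIME_WAIT
  TCP    10.0.0.10:445          10.0.0.25:49400        ESTABLISHED
'@ -split "`r?`n"

Get-LdapClientSummary $sample | Format-Table Client, Service, Connections -AutoSize

# To collect over time from a scheduled task (PS 2.0 Export-Csv has no -Append):
#   Get-LdapClientSummary (netstat -n -p TCP) | ConvertTo-Csv -NoTypeInformation |
#       Out-File -Append C:\temp\ldap-clients.csv
#
# For bind-level detail (client IP and account) the DC can log Directory Service
# event 2889 for clients doing simple or unsigned LDAP binds only; it is not a log
# of every LDAP client:
#   reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 /f
```

On the sample data the summary shows 10.0.0.25 holding two LDAP and one GC connection and 10.0.0.40 one LDAPS connection; the TIME_WAIT row and the SMB connection on 445 are filtered out. Resolve the client addresses to names, then chase each host's services to find the one with the old DC name hard-coded.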
  • Hello,

    1. correct, schema update doesn't require a reboot, just give time for replication before going on with /domainprep

    2. no, the only known problem is that you can't access the Windows Server 2008 DNS management with the dnsmgmt.msc from Windows Server 2003. This is due to new security settings and can be resolved by lowering them or by using machines with RSAT installed, so Windows Vista or a higher OS.

    Starting with Windows Server 2008 a few years ago, RPC integrity is required by W2K8 R2 DNS servers and is not supported by the Win2000 and Win2003 versions of DNSMGMT.MSC (or DNSCMD.EXE). For the most secure experience, W2K8 R2 DNS servers should be administered from operating systems that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC. So Vista RSAT, Win 7 RSAT, Win 2008, Win 2008 R2 – all running DNSMGMT.MSC.

    If you wanted to de-secure your Win2008/R2 DNS servers though – obviously this is highly discouraged – you can run the following command on your Win2008 R2 DNS servers to allow down-level connectivity:

    dnscmd.exe /Config /RpcAuthLevel 0

    If you do this you are exposing your Win2008/Win2008 R2 DNS servers to the same kind of named-pipe sniffing ‘man in the middle’ attacks that Win2003/2000 DNS administration is vulnerable to. Ideally for security, all of your DNS servers would instead be upgraded to Win2008 R2. More info:
    http://technet.microsoft.com/en-us/library/ee649281(WS.10).aspx

    3. use AD integrated zones and all DC/DNS servers are fully writable (if not RODC) and you are done, they replicate all changes with each other. Don't forget to reconfigure all machines to use the new OS DC/DNS on the NIC.

    4. if the applications'/services' documentation doesn't state anything, you can use Network Monitor to check the traffic

    5. you see normal behaviour; this is always listed. Make sure NT5DS is shown under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

    6. this is handled by the DCLocator process during logon.

    http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1 and http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx

    Maybe helpful for you also:

    http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

    http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    • Marked as answer by mhashemi Tuesday, July 06, 2010 9:15 PM
    Monday, July 05, 2010 12:52 PM
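Questions 5 and 6 are two halves of the same check, and both answers cover it only in prose: with Type = NT5DS the NtpServer value (time.windows.com by default) is ignored and the client asks the DC locator for a DC advertising the TIMESERV flag; the PDC emulator of the forest root is the authoritative source per KB 816042. The script below is an added example, not code from the thread or from Microsoft. It reads the documented W32Time registry values, asks w32tm which peer is actually in use (w32tm /query exists on Vista/2008 and later only; on XP use net time /querysntp, which shows just the NtpServer value), and runs the same locator query a client uses, nltest /dsgetdc with /timeserv. The peers in the commented PDC-emulator commands are placeholders for whatever external source you choose.

```powershell
# Added example (not from the thread): how a domain member is sourcing time and which DC
# the locator hands out as time server. Run on a client or DC with PowerShell 2.0 or later.

$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeStatus {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $p = Get-ItemProperty -Path $W32TimeParams
    $status = New-Object PSObject -Property @{
        Type          = $p.Type          # NT5DS = follow the domain hierarchy; NTP = use NtpServer
        NtpServer     = $p.NtpServer     # only consulted when Type is NTP, so time.windows.com here is harmless
        Source        = $null            # peer w32tm is actually using (Vista/2008+ only)
        TimeServerDC  = $null            # DC returned by the locator with the TIMESERV flag
    }
    # w32tm /query is unavailable on XP/2003; tolerate the failure there.
    try {
        $q = & w32tm /query /source 2>&1
        if ($LASTEXITCODE -eq 0) { $status.Source = ($q | Out-String).Trim() }
    } catch { }
    # Same locator call a NT5DS client makes: "give me a DC that advertises TIMESERV".
    $n = & nltest "/dsgetdc:$Domain" /timeserv 2>&1
    foreach ($line in $n) {
        if ($line -match '^\s*DC:\s*\\\\(\S+)') { $status.TimeServerDC = $Matches[1]; break }
    }
    $status
}

function Test-W32TimeStatus {
    # Returns a list of findings; an empty list means the client looks right.
    param($Status)
    $findings = @()
    if ($Status.Type -ne 'NT5DS') {
        $findings += "Type is '$($Status.Type)'; a domain member should be NT5DS (w32tm /config /syncfromflags:domhier /update)"
    }
    if (-not $Status.TimeServerDC) {
        $findings += "Locator returned no DC with TIMESERV; check nltest /dsgetdc output and the PDC emulator's W32Time config"
    }
    if ($Status.Source -and $Status.Source -match 'Local CMOS Clock|Free-running') {
        $findings += "w32tm reports '$($Status.Source)'; the client is not synchronizing with any peer"
    }
    $findings
}

$s = Get-W32TimeStatus
$s | Format-List Type, NtpServer, Source, TimeServerDC
Test-W32TimeStatus $s

# PDC emulator side (KB 816042), run AFTER the role has moved to the new 2008 R2 DC.
# Peers are placeholders; 0x8 = client mode. Then restart the service and resync.
#   w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
#   net stop w32time && net start w32time
#   w32tm /resync
# On the OLD PDC emulator, put it back into the hierarchy so it stops claiming to be reliable:
#   w32tm /config /syncfromflags:domhier /reliable:no /update
```

A clean result is Type NT5DS, a Source naming a DC (not "Local CMOS Clock"), and TimeServerDC pointing at a DC that still exists after the rename. Because the locator answer changes as soon as the PDC emulator role moves and the new DC advertises TIMESERV, clients need no reconfiguration; what does need attention is the old PDC emulator, which keeps /reliable:yes until it is reset as in the last command.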
