About to migrate AD from 2003 to 2008R2 - any comments/issues?

    Question

  • I’m looking for some information/advice/comments on migrating a 2003 native mode Active Directory to 2008R2 native mode.

    We have about 5,500 users in a single forest/single domain in a single site. It's been in place and working for about 7 years. Our users have a mix of O/S's from Windows XP (SP3) up to Windows 7. Our Windows servers are a mix of virtual (VMware) and physical, functioning as file servers, some SQL, and some 3rd party apps. We are using Exchange 2007 for email.

    Over the last year or so, we have replaced all of our 2003 domain controllers with Server 2008R2.   The AD mode is still 2003 native.

    We’re planning on doing the domain migration in about two weeks.   I’m looking for any comments, suggestions, issues, etc. that anyone has run into in a similar situation.

    I’ve been doing some searching and have found some info, but it never hurts to hear from someone who's "been there, done that..."

    Any comments would be appreciated.  (I'm also going to post this in the "general" server forum)

    Mike O.

    Tuesday, November 8, 2011 2:13 AM


All replies

  • There are a couple of very important considerations that you should have in mind before you proceed with your migration scenario.

    --Check, and raise if necessary, the Domain and Forest functional levels. You cannot upgrade directly from Windows 2000 mixed or Windows Server 2003 interim domain functional levels.

    --The first Windows Server 2008 Domain Controller in the forest must be a Global Catalog Server, and it cannot be a Read Only Domain Controller (RODC).

    --Check the FSMO role assignments. When you prepare the existing AD, you should run adprep /forestprep on the Schema operations master, and adprep /domainprep /gpprep on the infrastructure master. In your case, as there is a single DC, you need to run both on the same server.

    Steps to Install a Windows 2008 R2 DC

    1. First prepare the domain.
    Insert the Win 2008 R2 DVD in the Windows 2003 DC and execute adprep as below:
    Run D:\2008DVD\Support\Adprep\adprep32.exe /forestprep on the server holding the Schema Master role.
    Run D:\2008DVD\Support\Adprep\adprep32.exe /domainprep /gpprep on the server holding the domain master role.
    Reference article: http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm

    2. Install the DNS role in win2k8.
    Reference KB article: http://technet.microsoft.com/en-us/library/cc725925.aspx

    3. Once the DNS role is installed, run dcpromo on win2k8 R2.
    Reference KB article: http://technet.microsoft.com/en-us/library/cc753720(WS.10).aspx

    4. After the Win2k8 DC promotion is completed, restart the win2k8 DC.

    5. You must transfer the FSMO roles to the 2008 machine; the process is as outlined at http://www.petri.co.il/transferring_fsmo_roles.htm

    6. Run dcdiag /q and repadmin /replsum on the DC to check for any errors.

    7. Change all of the clients (and the new 2008 DC itself) to point to the 2008 DC for their preferred DNS server; this may be in DHCP options or the TCP/IP settings.

    Netometer has a nice video - http://www.netometer.com/video/tutorials/windows-dc-2008-add-upgrade/index.php

    As for Exchange, that should ideally be put on a 2008 MEMBER SERVER, not a DC, and it must go on a 64-bit machine; you can then migrate the mailboxes etc. to the new Exchange server.

    Reference articles:
    http://networkadminkb.com/KB/a15/transitioning-a-windows-2003-domain-to-windows-2008-r2.aspx
    http://araihan.wordpress.com/2009/08/25/migrate-from-windows-2003-active-directory-to-windows-2008-active-directory-step-by-step/
    http://markswinkels.nl/2009/01/08/how-to-migrate-a-domain-controller-from-windows-2003-to-windows-2008/

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Tuesday, November 8, 2011 5:44 AM
  • Well, beyond the obvious, you want to do this over the weekend. And I think what you mean by "...doing the domain migration in about two weeks," is you're just bumping up the Domain and Forest Functional Levels.

    Bumping it up would take advantage of the new features in 2008 R2.

    I would just make sure that none of the DCs are multihomed. I assume you are using AD Sites; just make sure they're defined properly, and configure the replication schedule to 15 minutes to allow replication to go through between sites quicker.

    Not sure what you found, but I hope I'm not duplicating it with the links below:

    Transitioning your Active Directory to Windows Server 2008 R2
    http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/05/26/transitioning-your-active-directory-to-windows-server-2008-r2.aspx

    Upgrading an Active Directory Domain from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2
    http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx

    Ace

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Edited by Ace Fekay [MCT] Tuesday, November 8, 2011 5:55 AM - corrected an error
    Tuesday, November 8, 2011 5:55 AM
  • Hello,

    I’m looking for some information/advice/comments on migrating a 2003 native mode Active Directory to 2008R2 native mode.

    I think you mean raising the DFL and FFL.

    By raising the DFL and FFL to 2008 R2, you will benefit from new AD features like the AD Recycle Bin and AD DS Fine-Grained Password Policies.

    Just something to be careful about: if you raise the DFL / FFL to 2008 R2, you will not be able to add DCs running 2008 / 2003 / 2003 R2 or a lower OS in your domain / forest. Downgrading from a 2008 R2 DFL / FFL is possible if you have not enabled the AD Recycle Bin.

    As for issues, there are no known issues if the raise was completed successfully.

    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Tuesday, November 8, 2011 6:52 AM
  • There will not be any issues as far as I know, unless you are running some really legacy application. Windows 2008 R2 has numerous improvements over previous Windows OSs. By the way, if there had been any issues, they should have been seen in the first place while introducing the first Windows 2008 R2 as a DC. DFL/FFL affects DCs, so there should not be an issue for member servers.

    http://awinish.wordpress.com/2011/07/11/improvements-in-windows-20082008-r2addns/

    Active Directory Functional Levels Technical Reference

    http://technet.microsoft.com/en-us/library/cc757019%28WS.10%29.aspx


    Regards


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Tuesday, November 8, 2011 10:17 AM
    Moderator
  • Hello,

    See this as well.

    http://social.technet.microsoft.com/wiki/contents/articles/2903.aspx


    Best regards
    Biswajit Biswas
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    • Edited by bshwjt Tuesday, November 8, 2011 1:07 PM
    Tuesday, November 8, 2011 1:06 PM
  • Hi,

    In addition to the above, Microsoft link - Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=fa629de2-f4dd-47ac-8d80-3db46b2877a2

    Make sure you also perform the time server configuration on the new PDC.
    Time Server Role in Forest/Domain
    http://awinish.wordpress.com/2011/10/07/time-server-role-in-forestdomain/

    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    Tuesday, November 8, 2011 1:28 PM
  • The domain and forest functional level is at 2003 native mode and has been since the forest & domain was created (we created it new in 2004 and immediately took it to native mode).

    The domain controllers are all currently 2008R2; we replaced the 2003 domain controllers with new hardware running 2008R2, but we just never did the adprep and forest prep, so the AD is still running 2003 native mode.

    The Exchange server isn't, and never has been, on a DC. I mentioned Exchange just to give the general environment.

    Since the DCs are already 2008R2, if I do the forest prep and domain prep, do I still need to do a DCPromo on a new server to update the AD to 2008R2 mode?

    Wednesday, November 9, 2011 3:39 AM
  • Well, beyond the obvious, you want to do this over the weekend. And I think what you mean by "...doing the domain migration in about two weeks," is you're just bumping up the Domain and Forest Functional Levels.

    Bumping it up would take advantage of the new features in 2008 R2.

    I would just make sure that none of the DCs are multihomed. I assume you are using AD Sites; just make sure they're defined properly, and configure the replication schedule to 15 minutes to allow replication to go through between sites quicker.

    Not sure what you found, but I hope I'm not duplicating it with the links below:

    Transitioning your Active Directory to Windows Server 2008 R2
    http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/05/26/transitioning-your-active-directory-to-windows-server-2008-r2.aspx

    Upgrading an Active Directory Domain from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2
    http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx

    Ace

    Ace Fekay

    What I meant by "in about 2 weeks" was that that is when our maintenance window is (over the weekend of the 19th).

    None of the DCs are multihomed. Everything is in a single site, with 1G connectivity.

    What we did was, over time, replace the 2003 domain controllers with 2008R2, but we never did the forest and domain prep, so the AD is native 2003. What I want to do over the weekend is get the AD to 2008R2 native mode.

    Wednesday, November 9, 2011 3:44 AM
  • Hello,

    I’m looking for some information/advice/comments on migrating a 2003 native mode Active Directory to 2008R2 native mode.

    I think you mean raising the DFL and FFL.

    By raising the DFL and FFL to 2008 R2, you will benefit from new AD features like the AD Recycle Bin and AD DS Fine-Grained Password Policies.

    Just something to be careful about: if you raise the DFL / FFL to 2008 R2, you will not be able to add DCs running 2008 / 2003 / 2003 R2 or a lower OS in your domain / forest. Downgrading from a 2008 R2 DFL / FFL is possible if you have not enabled the AD Recycle Bin.

    As for issues, there are no known issues if the raise was completed successfully.

    We originally set the domain up with 2003 servers. Over time, we replaced the 2003 domain controllers with 2008R2, but never did the forest and domain prep, so the AD is native 2003. What I want to do is get the AD functional level to 2008R2.

    Since the existing DCs are all currently running 2008R2 as their O/S, will I just need to do the "forestprep" and "domainprep" functions to get the AD to 2008R2 mode (and then set it to "native")? Once the "prep" processes are done, will the DCs detect it and set the domain level to 2008R2?

    Or will I need to do the two "prep" functions, then "DCPromo" another 2008R2 member server to "trigger" the domain upgrade?

    Wednesday, November 9, 2011 3:52 AM
  • I understand about the 2 weeks thing. I was just stating a reminder to do it on a weekend, off hours! :-)

    Good, none of the DCs are multihomed.

    Assuming you haven't prepped the Schema, which I thought would be the first thing to do, you can follow the summary below.

    Here's a quick summary from:
    Transitioning your Active Directory to Windows Server 2008 R2
    http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/05/26/transitioning-your-active-directory-to-windows-server-2008-r2.aspx

    Run adprep with the following switches.

    If you are running it on a 32-bit machine, use the adprep32.exe version.

    adprep /forestprep
    adprep /domainprep /gpprep      Run after the forestprep and in each domain on the IM (Infrastructure Master) role (enables Resultant Set of Policy (RSOP) Planning Mode functionality)
    adprep /domainprep              Run after the forestprep and in each domain
    adprep /rodcprep                Run on the DNM (Domain Naming Master) role. Optional; only if you expect to install an RODC.

    You can also use the /wssg switch so you can get a detailed result code instead of a 0 for success or 1 for an error.

    Allow replication time. Go get a cup of coffee, cold refreshment, or a beer.

    Then check your schema version:

    repadmin /showattr * "cn=schema,cn=configuration,dc=domain,dc=tld" /atts:objectVersion

    When all your Domain Controllers report Schema version 47, you're good to go. If not, check the event logs and C:\Windows\Debug\Adprep\Logs\adprep.log. More info if needed:

    Troubleshooting ADPREP Errors
    http://blogs.technet.com/b/askds/archive/2008/12/15/troubleshooting-adprep-errors.aspx

    Then raise the Domain Functional Level.

    This adds two features:
    1. Authentication Mechanism Assurance - the type of authentication is added to the user's Kerberos ticket.
    2. Automatic SPN Management - allows the use of Managed Service Accounts (MSAs) instead of Domain User accounts to run a service under.

    Allow a bit of time to replicate. Go get a cup of coffee, a beer, whatever.

    Then raise the Forest Functional Level.

    This basically adds one thing:
    1. The ability to enable the new Active Directory Recycle Bin feature.

    If you want to enable it, go to Start, Programs, AD PowerShell, then run:
    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=tld' -Scope ForestOrConfigurationSet -Target 'domain.tld'

    Allow replication time, too. Go get another beer.

    Run the AD BPA:

    1. Server Manager, expand the Roles node.
    2. Select the Active Directory Domain Services role.
    3. Scroll down to the Best Practices Analyzer section.
    4. Click on the Scan This Role link on the right-hand side.

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    • Marked as answer by Bruce-Liu Tuesday, November 29, 2011 3:54 PM
    Wednesday, November 9, 2011 4:25 AM
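The steps in the answer above (schema at objectVersion 47 on every DC, no DC older than 2008 R2, then raise the Domain and Forest Functional Levels and verify after replication) can be scripted as a pre-flight check. The following is an added example, not code from the post or from the linked blog; it assumes the Active Directory PowerShell module on a 2008 R2 DC and an account that is a member of Domain Admins and Enterprise Admins. Without -Raise it only reports; with -Raise it runs Set-ADDomainMode and Set-ADForestMode and then re-reads the levels from every DC. It also reports whether the Recycle Bin is already enabled, since that is the condition under which the forest level can no longer be rolled back.

```powershell
# Added example: pre-flight check and optional raise of DFL/FFL to Windows Server 2008 R2.
# Assumes the ActiveDirectory module (Start, Programs, AD PowerShell on a 2008 R2 DC).
# Usage:  .\Raise-Check.ps1          (report only)
#         .\Raise-Check.ps1 -Raise   (raise both levels once the checks pass)
param([switch]$Raise)

Import-Module ActiveDirectory

$expectedSchema = 47                     # 2008 R2 schema version quoted in the thread
$schemaDn = (Get-ADRootDSE).schemaNamingContext
$domain   = Get-ADDomain
$forest   = Get-ADForest
$problems = @()

"Current DFL: $($domain.DomainMode)   FFL: $($forest.ForestMode)"

# 1. Every DC must run 2008 R2 (or later) and must already see the prepped schema.
#    After the levels are raised no 2000/2003/2008 DC can be added, so any such DC
#    found here has to be dealt with before the change, not after.
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    $os  = $dc.OperatingSystem
    $ver = (Get-ADObject -Identity $schemaDn -Properties objectVersion -Server $dc.HostName).objectVersion
    "{0,-28} {1,-40} schema objectVersion={2}" -f $dc.HostName, $os, $ver

    if ($ver -lt $expectedSchema) {
        $problems += "$($dc.HostName): schema objectVersion $ver, expected $expectedSchema (adprep not run or not replicated yet)"
    }
    if ($os -match '2000|2003' -or ($os -match '2008' -and $os -notmatch 'R2')) {
        $problems += "$($dc.HostName): OS '$os' is below Windows Server 2008 R2"
    }
}

# 2. Recycle Bin: once enabled, the 2008 R2 forest level cannot be rolled back.
$rb = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -gt 0) {
    Write-Warning "Recycle Bin is already enabled; rolling back the FFL will not be possible."
} else {
    "Recycle Bin not enabled; the 2008 R2 FFL could still be rolled back until it is."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning "Pre-flight failed; not raising functional levels."
    return
}
"Pre-flight passed: all $($dcs.Count) DCs report schema $expectedSchema and a 2008 R2 (or newer) OS."

if (-not $Raise) { "Re-run with -Raise to change the levels."; return }

# 3. Raise the domain first, then the forest, in the order the post gives.
Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Confirm:$false
Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false

# 4. Read the levels back from every DC rather than only from the one you ran this on,
#    so that replication of the new level is actually observed.
foreach ($dc in $dcs) {
    $dfl = (Get-ADDomain -Server $dc.HostName).DomainMode
    $ffl = (Get-ADForest -Server $dc.HostName).ForestMode
    "{0,-28} DFL={1,-22} FFL={2}" -f $dc.HostName, $dfl, $ffl
}
```

Step 4 is the scripted equivalent of the "allow replication time" pauses in the post: if a DC still reports Windows2003Domain a few minutes after the raise, look at replication (repadmin /replsum) before doing anything else.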
  • If all your DCs are Win2008 R2 and you have removed the 2000/2003 DCs from the network, you can raise the AD functional level to 2008R2.

    You do not have to run adprep /domainprep and adprep /forestprep again. Just raise the functional level.

    Even if you want to introduce a new 2008R2 server, you do not have to run adprep again.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.


    Wednesday, November 9, 2011 8:06 AM
  • I was having a major "senior moment" about the forest and domain prep. We did those before putting our first 2008R2 DC in place. I confirmed it with ADSIEdit; the schema version is "47". We just hadn't brought the functional level up from 2003 mode.

    Everything I've read and heard says that there are no issues with setting the level to that, as long as the DCs are all at 2008R2. The problem has been the (non-technical) management. Apparently some of them "heard" that changing the domain level to 2008R2 to activate the additional functions in AD is going to remove some existing compatibility and will somehow "break" some of our older clients and/or applications. I just wanted to see if anyone has ever run into anything from setting this.


    Thursday, November 10, 2011 12:51 AM
  • That was what was confusing me, because you would have had to run those preps when first installing the first 2008 R2 DC.

    As for what it will break or not break, the only thing that comes to mind is you'll want to upgrade FRS to DFS-R, which is one of the features that bumping up the domain level provides.  Other than that, you should really be fine.

    Here's more info on DFS-R:

    Distributed File System - Why migrate?
    http://technet.microsoft.com/en-us/library/cc753479(WS.10).aspx

    SYSVOL Replication Migration Guide: FRS to DFS Replication
    http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx

    Migrate a Domain-based Namespace to Windows Server 2008 Mode - Applies To: Windows Server 2008 R2
    "To migrate a domain-based namespace from Windows 2000 Server mode to Windows Server 2008 mode, you must export the namespace to a file, delete the namespace, recreate it in Windows Server 2008 mode, and then import the namespace settings. To do so, use the following procedure."
    http://technet.microsoft.com/en-us/library/cc753875.aspx


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, November 10, 2011 1:12 AM
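The FRS-to-DFS-R point above can be turned into a concrete check before and after the level change. The following is an added example, not code from the post or from the linked TechNet guides; it assumes the Active Directory PowerShell module on a 2008 R2 DC. It reads the domain-wide SYSVOL migration state from the msDFSR-Flags attribute of CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System (the documented dfsrmig values 0/16/32/48 for Start/Prepared/Redirected/Eliminated), shows which of the two replication services is running on each DC, and, where dfsrmig.exe is present, asks it directly. Raising the DFL only makes the migration possible; SYSVOL stays on FRS until dfsrmig is run, so "FRS only" here is a to-do item rather than a fault.

```powershell
# Added example: report whether SYSVOL is still replicated by FRS or has been migrated to DFS-R.
# Assumes the ActiveDirectory module on a Windows Server 2008 R2 DC. The msDFSR-Flags values
# 0/16/32/48 are the documented dfsrmig global states Start/Prepared/Redirected/Eliminated.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$globalDn = "CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"

# The global settings object exists only once dfsrmig /setglobalstate has been run at least once.
$flags = $null
try {
    $flags = (Get-ADObject -Identity $globalDn -Properties 'msDFSR-Flags' -ErrorAction Stop).'msDFSR-Flags'
} catch {
    $flags = $null
}

if ($null -eq $flags) {
    $state = 'FRS only   - SYSVOL migration has not been started (dfsrmig never run)'
} else {
    $state = switch ($flags) {
        0       { 'Start      - FRS authoritative, DFS-R not yet replicating SYSVOL' }
        16      { 'Prepared   - DFS-R replicating a copy, FRS still serves the SYSVOL share' }
        32      { 'Redirected - DFS-R serves the SYSVOL share, FRS still running' }
        48      { 'Eliminated - DFS-R only, FRS retired for SYSVOL' }
        default { "Unrecognised msDFSR-Flags value $flags" }
    }
}
"Domain-wide SYSVOL state: $state"

# Per-DC view of the two replication services. Get-Service -ComputerName is Windows PowerShell
# (2.0 to 5.1) syntax, which is what a 2008 R2 DC has.
foreach ($dc in Get-ADDomainController -Filter *) {
    $frs  = Get-Service -Name NtFrs -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    $dfsr = Get-Service -Name DFSR  -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    "{0,-28} NtFrs={1,-10} DFSR={2,-10}" -f $dc.HostName, $frs.Status, $dfsr.Status
}

# dfsrmig.exe is the authoritative tool. /getmigrationstate lists DCs that have not yet
# reached the global state, which is what you wait on between migration phases.
if (Get-Command dfsrmig.exe -ErrorAction SilentlyContinue) {
    dfsrmig /getglobalstate
    dfsrmig /getmigrationstate
}
```

Run it once before the maintenance window to record the starting state, and again after each dfsrmig phase; a DC whose DFSR service is not running, or that lags in /getmigrationstate, is the one to investigate before moving to the next phase.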
  • That was what was confusing me, because you would have had to run those preps when first installing the first 2008 R2 DC.

    As for what it will break or not break, the only thing that comes to mind is you'll want to upgrade FRS to DFS-R, which is one of the features that bumping up the domain level provides.  Other than that, you should really be fine.

    Here's more info on DFS-R:

    Distributed File System - Why migrate?
    http://technet.microsoft.com/en-us/library/cc753479(WS.10).aspx

    SYSVOL Replication Migration Guide: FRS to DFS Replication
    http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx

    Migrate a Domain-based Namespace to Windows Server 2008 Mode - Applies To: Windows Server 2008 R2
    "To migrate a domain-based namespace from Windows 2000 Server mode to Windows Server 2008 mode, you must export the namespace to a file, delete the namespace, recreate it in Windows Server 2008 mode, and then import the namespace settings. To do so, use the following procedure."
    http://technet.microsoft.com/en-us/library/cc753875.aspx


    Ace Fekay

    When you say "...want to upgrade FRS to DFS-R", you're saying that we'll want to upgrade to take advantage of the DFS-R functions, not that FRS will stop working or anything, correct?


    Friday, November 18, 2011 10:35 PM