UPGRADING ACTIVE DIRECTORY TO WINDOWS 2008 R2 ADDS DOMAIN


Purpose & Objective

This guide explains the process for upgrading Active Directory domains to Windows Server 2008 and Windows Server 2008 R2, how to upgrade the operating system of domain controllers, and how to add domain controllers that run Windows Server 2008 or Windows Server 2008 R2 to an existing domain.

1          Introduction

Upgrading your network operating system requires minimal network configuration and typically has a low impact on user operations. The upgrade process is straightforward and efficient, and it allows organizations to take advantage of the improved security that is offered by the Windows Server® 2008 and Windows Server 2008 R2 operating systems.

This guide is intended for use by system administrators and system engineers. It provides detailed guidance for upgrading Windows Server 2003 Active Directory domains to Active Directory Domain Services (AD DS) domains that have domain controllers running Windows Server 2008 or Windows Server 2008 R2. For a seamless deployment experience, use the checklists that are provided in this guide and complete the tasks in the order in which they are presented.

2          Overview of Upgrading Active Directory Domains

When the domain upgrade process is complete, all domain controllers will be running Windows Server 2008 or Windows Server 2008 R2, and the Active Directory Domain Services (AD DS) domains and forest will be operating at the Windows Server 2008 or Windows Server 2008 R2 functional level. At the Windows Server 2008 R2 forest functional level, you can take advantage of all the advanced AD DS features. For more information about advanced AD DS features for AD DS functional levels, see Enabling Advanced Features for AD DS.

3          Reinstallation information

3.1        System requirements

The following are estimated system requirements for Windows Server 2008. If your computer has less than the minimum requirements, you will not be able to install this product correctly. Actual requirements will vary based on your system configuration and the applications and features you install.

3.1.1      Processor

Processor performance depends not only on the clock frequency of the processor, but also on the number of processor cores and the size of the processor cache. The following are the processor requirements for this product:

  • Minimum: 1 GHz (for x86 processors) or 1.4 GHz (for x64 processors)
  • Recommended: 2 GHz or faster

 

3.1.2      RAM

The following are the RAM requirements for this product:

  • Minimum: 512 MB
  • Recommended: 2 GB or more
  • Maximum (32-bit systems): 4 GB (for Windows Server 2008 Standard) or 64 GB (for Windows Server 2008 Enterprise or Windows Server 2008 Datacenter)
  • Maximum (64-bit systems): 32 GB (for Windows Server 2008 Standard) or 2 TB (for Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, or Windows Server 2008 for Itanium-Based Systems)

3.1.3      Disk space requirements

The following are the approximate disk space requirements for the system partition. Itanium-based and x64-based operating systems will vary from these estimates. Additional disk space may be required if you install the system over a network. For more information, see

  • Minimum: 10 GB
  • Recommended: 40 GB or more
  • DVD-ROM drive
  • Super VGA (800 x 600) or higher-resolution monitor
  • Keyboard and Microsoft® mouse (or other compatible pointing device)

4          Planning to Upgrade Active Directory Domains

To plan the upgrade of your Active Directory domains, complete the tasks in Checklist: Preupgrade Tasks.

5          Checklist: Preupgrade Tasks

Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

 Checklist: Preupgrade Tasks

 

  Task | Reference
  Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade. | Assign Appropriate Credentials
  Introduce a newly installed member server into the forest. | Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
  Review and document the existing hardware configuration of each domain controller that you plan to upgrade. | Assess Hardware Requirements
  Determine the order in which you will upgrade your domain controllers before you begin the domain upgrade process. | Determine Domain Controller Upgrade Order
  Develop a test plan for your domain upgrade process. | Develop a Test Plan for Your Domain Upgrade Process
  Back up your Windows Server 2003 domain data before you begin the upgrade. | Back Up Domain Data

 

6          Assign Appropriate Credentials

Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade. The adprep /forestprep command requires a user account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins groups. The adprep /domainprep command requires a user account that is a member of the Domain Admins group in the targeted domain. The adprep /rodcprep command requires a user account that is a member of the Enterprise Admins group.

In addition, the security context can affect the ability of an administrator to complete the upgrade of domain controllers. Members of the Builtin\Administrators group can upgrade the operating system and install software on a computer. The following groups are members of the Builtin\Administrators group by default:

The Enterprise Admins group is a member of Builtin\Administrators in the forest root domain and in each regional domain in the forest.

The Domain Admins group is a member of Builtin\Administrators in their domain.

The Domain Admins group is a member of Builtin\Administrators on member servers in their domain.

The following table shows the credentials that are required to upgrade servers, depending on the domain membership of the servers.

 

Credential Domain controller in forest root domain Member server in forest root domain Domain controller in regional domain Member server in regional domain
Enterprise Admins in forest root domain    
Domain Admins in forest root domain    
Builtin\Administrators in forest root domain      
Domain Admins in regional domain    
Builtin\Administrators in regional domain      

7          To install Windows Server 2008 or Windows Server 2008 R2

1.   Insert the operating system DVD into the DVD drive, and then select the option to install the operating system. As an alternative, you can use an unattended installation method.

2.   Use the NTFS file system to format the partitions. Enter the computer name, static IP address, and subnet mask that are specified by your design. Enter a strong administrator password.

3.   Enable Remote Desktop to enable administrators to log on remotely, if necessary. To enable Remote Desktop, in Server Manager, click Configure Remote Desktop, and then click Allow connections from computers running any version of Remote Desktop (less secure) or Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).

8          Develop a Test Plan for Your Domain Upgrade Process

It is important to develop a plan for testing your domain upgrade procedures throughout the upgrade process. Before you begin, test your existing domain controllers to ensure that they are functioning properly. Continue to test your domain controllers throughout the process to verify that Active Directory Domain Services (AD DS) replication is consistent and successful.

The following table lists the tools and log files to use in your test plan.

Tool/log file | Description | Location
Repadmin.exe | Checks replication consistency and monitors both inbound and outbound replication partners. Displays replication status of inbound replication partners and directory partitions. | %systemroot%\Windows\System32 (Note: This tool is added to the server as part of the AD DS installation.)
Dcdiag.exe | Diagnoses the state of domain controllers in a forest or enterprise, tests for successful Active Directory connectivity and functionality, and returns the results as passed or failed. | %systemroot%\Windows\System32 (Note: This tool is added to the server as part of the AD DS installation.)
Nltest.exe | Queries and checks the status of trusts and can forcibly shut down domain controllers. Provides domain controller location capabilities. | %systemroot%\Windows\System32 (Note: This tool is added to the server as part of the AD DS installation.)
Dnscmd.exe | Provides the properties of Domain Name System (DNS) servers, zones, and resource records. | %systemroot%\Windows\System32 (Note: This tool is added to the server as part of the AD DS installation.)
Adprep.log | Provides a detailed progress report of the forest and domain preparation process. | %SystemRoot%\Windows\Debug\ADPrep\Logs
Dcpromoui.log and Dcpromo.log | Provides a detailed progress report of the Active Directory installation. Includes information regarding replication and services in addition to applicable error messages. | %systemroot%\Windows\debug (Note: These logs are added to the server as part of the AD DS installation.)
Adsiedit.exe | A Microsoft Management Console (MMC) snap-in that acts as a low-level editor for AD DS and allows you to view, add, delete, and move objects and attributes within the directory. | %systemroot%\Windows\System32 (Note: This tool is added to the server as part of the AD DS installation.)
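
One way to turn the Repadmin.exe check into a pass/fail gate for the test plan is to parse its CSV output and list every replication link that is not healthy. This is an added example, not part of the original guide; the sample rows, the server names OLDDC and NEWDC, the example.com naming contexts and the function name Get-ReplicationProblem are constructed for illustration.

```powershell
# Added example: flag unhealthy replication links in "repadmin /showrepl * /csv" output.
# The rows below are constructed sample data. On a domain controller, replace them with:
#   $lines = repadmin /showrepl * /csv
$lines = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status'
    'showrepl_INFO,Default-First-Site-Name,NEWDC,"CN=Schema,CN=Configuration,DC=example,DC=com",Default-First-Site-Name,OLDDC,RPC,0,0,2012-05-01 10:15:02,0'
    'showrepl_INFO,Default-First-Site-Name,NEWDC,"DC=example,DC=com",Default-First-Site-Name,OLDDC,RPC,0,0,2012-05-01 10:15:04,0'
    'showrepl_INFO,Default-First-Site-Name,OLDDC,"CN=Configuration,DC=example,DC=com",Default-First-Site-Name,NEWDC,RPC,3,2012-05-01 10:02:41,2012-05-01 08:47:10,1722'
)

function Get-ReplicationProblem {
    param(
        [string[]]$CsvLines,
        [int]$MaxFailures = 0      # any failure count above this is reported
    )

    # Skip blank lines, then let the CSV parser handle the quoted naming contexts.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv

    foreach ($row in $rows) {
        $reasons = @()

        # The first column is the row type; anything other than an INFO row
        # is treated as a problem so that it is never silently ignored.
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            $reasons += "row type '$($row.showrepl_COLUMNS)'"
        }

        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        if ($failures -gt $MaxFailures) {
            $reasons += "$failures failure(s), last status $($row.'Last Failure Status')"
        }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                LastSuccess   = $row.'Last Success Time'
                Reason        = ($reasons -join '; ')
            }
        }
    }
}

$problems = @(Get-ReplicationProblem -CsvLines $lines)

if ($problems.Count -eq 0) {
    'Replication is healthy on every link that was reported.'
} else {
    $problems | Select-Object Destination, Source, NamingContext, LastSuccess, Reason |
        Format-Table -AutoSize
    'Resolve the links above before continuing with the upgrade.'
}
```

Run it before the upgrade starts and again after each adprep step, and keep the output with the test plan records.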

9          Performing the Upgrade of Active Directory Domains

To upgrade your Active Directory domains, complete the tasks in Checklist: Upgrade Tasks.

10     Checklist: Upgrade Tasks

Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

 Checklist: Upgrade Tasks

 

  Task | Reference
  Prepare your Active Directory infrastructure for upgrade. | Prepare Your Infrastructure for Upgrade
  Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 in the forest root domain. | Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
  Upgrade existing domain controllers. | Upgrade Existing Domain Controllers
  Modify default security policies as needed. | Modify Default Security Policies

11     Prepare Your Infrastructure for Upgrade

Preparing your Active Directory infrastructure for upgrade includes the following tasks:

Prepare the forest schema by running adprep /forestprep.

Prepare each domain where you want to install a domain controller that runs Windows Server 2008 or Windows Server 2008 R2 by running adprep /domainprep /gpprep.

Prepare the forest for read-only domain controllers (RODCs), if you plan to install them, by running adprep /rodcprep.

11.1   32-bit Windows 2003 preparation

11.1.1 Preparation

Schema owner                   olddc.Domain .com    adprep32 /forestprep

Domain role owner           olddc.Domain .com

PDC role                             olddc.Domain .com

RID pool manager            olddc.Domain .com   adprep32 /domainprep /gpprep

You need to run the following commands on the following servers in your Active Directory environment:

Command Domain Controller
adprep.exe /forestprep Schema Master
adprep.exe /domainprep Infrastructure Master
adprep.exe /domainprep /gpprep Infrastructure Master
adprep.exe /rodcprep * Domain Naming Master

 

The first Windows Server 2008 domain controller in the forest must be a global catalog server, and it cannot be a read-only domain controller (RODC).

11.2   To prepare the infrastructure 

In order to run ADPREP

1-   Insert the DVD media of Windows Server 2008 into the DVD drive of the appropriate Windows 2000/2003 DC, which, as noted above, should be the Schema Master of a forest.

 

2-   Check the FSMO roles assignments. When you prepare the existing AD, you should run adprep /forestprep on the Schema operations master and adprep /domainprep on the infrastructure master.

Run adprep32

  • First run adprep32 /forestprep

Next, go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the Command Prompt window, and type:

Before you can run ADPREP /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest.

You can view detailed output of the ADPREP command by looking at the log files in the %Systemroot%\system32\debug\adprep\logs directory. Each time ADPREP is executed, a new log file is generated that contains the actions taken during that particular invocation. The log files are named based on the time and date ADPREP was run.

  • Then run adprep32 /domainprep /gpprep

NOTE:

Once you’ve run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2008 or installing new Windows Server 2008 domain controllers. If you plan to install RODCs in the future, also run adprep /rodcprep.

Note: Before running this command, you must be a member of the Enterprise Admins group, the Schema Admins group, and the Domain Admins group.

Open the local path which contains the Adprep folder

Open your C:\Windows\Debug\Adprep\Logs folder

There will be a separate file each time that you run ADPREP.

12     Check whether adprep succeeded

Run adsiedit.msc

12.1    Forest Upgrade

adprep /forestprep

  • A new container CN=ForestUpdates,CN=Configuration,DC=forest root domain is created on the schema master.
  • A new container CN=Operations,CN=ForestUpdates,CN=Configuration,DC=forest root domain is created on the schema master.
  • For each operation that is performed by the adprep /forestprep command, a unique alpha-numeric string (or GUID) is written under the CN=Operations,CN=ForestUpdates,CN=Configuration,DC=forest root domain container. Each operational GUID identifies the operation.
  • If all 36 operations are successfully added, the CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=forest root domain object will be created and its revision attribute (CN=Revision in the schema, syntax Integer) set to 9.

12.2    Domain Upgrade

adprep /domainprep

  • A new container CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=DomainName is created on the infrastructure master.
  • A new container CN=Operations,CN=DomainUpdates,CN=System,DC=DomainName is created on the infrastructure master.
  • For each operation that is performed by the adprep /domainprep command, a unique alpha-numeric string (or GUID) is written under the CN=Operations,CN=DomainUpdates,CN=System,DC=DomainName container. Each operational GUID identifies the operation.
  • If all the operations in the following list succeed, the CN=Windows2003Update object overall task will be stamped as completed successfully by setting the revision attribute (CN=Revision in the schema, syntax Integer) to 8.
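
The same check can be scripted instead of browsing in adsiedit.msc, and run against every domain controller so that it also confirms the markers have replicated before the next step. This is an added example, not part of the original guide: the container names and the expected revision values (9 for the forest, 8 for the domain) are the ones listed above, the function name Get-AdprepRevision is hypothetical, and the script assumes each domain's DNS name maps directly to its distinguished name.

```powershell
# Added example: read the adprep completion markers from every domain controller.
# Expected values are the ones this guide gives for /forestprep and /domainprep.
$ExpectedForestRevision = 9
$ExpectedDomainRevision = 8

function Get-AdprepRevision {
    param([string]$Server, [string]$DistinguishedName)
    try {
        # Base-scope search on the marker object itself, asking only for "revision".
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$DistinguishedName")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.SearchScope = 'Base'
        $searcher.Filter      = '(objectClass=*)'
        [void]$searcher.PropertiesToLoad.Add('revision')

        $hit = $searcher.FindOne()
        if ($hit -and $hit.Properties.Contains('revision')) {
            return [int]$hit.Properties['revision'][0]
        }
        return $null    # object exists, but the revision attribute is not set yet
    } catch {
        return $null    # object missing on this server, or the server is unreachable
    }
}

# Must be run from a domain-joined computer with read access to the directory.
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# Assumption: the DNS name maps directly to the distinguished name (corp.example.com -> DC=corp,DC=example,DC=com).
$configNC = 'CN=Configuration,DC=' + ($forest.RootDomain.Name -replace '\.', ',DC=')

$report = foreach ($domain in $forest.Domains) {
    $domainNC = 'DC=' + ($domain.Name -replace '\.', ',DC=')

    foreach ($dc in $domain.DomainControllers) {
        $forestRev = Get-AdprepRevision $dc.Name "CN=Windows2003Update,CN=ForestUpdates,$configNC"
        $domainRev = Get-AdprepRevision $dc.Name "CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNC"

        New-Object PSObject -Property @{
            DomainController = $dc.Name
            Domain           = $domain.Name
            ForestRevision   = $forestRev
            DomainRevision   = $domainRev
            ForestPrepSeen   = ($forestRev -eq $ExpectedForestRevision)
            DomainPrepSeen   = ($domainRev -eq $ExpectedDomainRevision)
        }
    }
}

$report |
    Select-Object DomainController, Domain, ForestRevision, ForestPrepSeen, DomainRevision, DomainPrepSeen |
    Format-Table -AutoSize

# A blank revision means the marker is missing on that server or the server did not answer.
$pending = @($report | Where-Object { -not $_.ForestPrepSeen })
if ($pending.Count -gt 0) {
    "forestprep marker not yet visible on $($pending.Count) domain controller(s); wait for replication before running /domainprep."
}
```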

13     Install Active Directory

Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 by using the Active Directory Domain Services Installation Wizard (Dcpromo.exe). The member server should be located in the forest root domain. After you install AD DS successfully, the member server will become a domain controller. You can install AD DS on any member server that meets the domain controller hardware requirements.

To install AD DS on a member server by using the Windows interface

1.   Click Start, and then click Server Manager.

2.   In Roles Summary, click Add Roles.

3.   If necessary, review the information on the Before You Begin page, and then click Next.

4.   On the Select Server Roles page, select the Active Directory Domain Services check box, and then click Next.

5.   If necessary, review the information on the Active Directory Domain Services page, and then click Next.

6.   On the Confirm Installation Selections page, click Install.

7.   On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).

8.   On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

If you want to install from media, identify the source domain controller for AD DS replication, or specify the Password Replication Policy (PRP) for an RODC as part of the installation of the additional domain controller, click Use advanced mode installation.

9.   On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.

10. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.

11. On the Network Credentials page, type the name of any existing domain (DOMAIN .COM) in the forest where you plan to install the additional domain controller. Under Specify the account credentials to use to perform the installation, click My current logged on credentials (must be Enterprise Admin) or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.

12. On the Select a Domain (Domain .com) page, select the domain of the new domain controller, and then click Next.

13. On the Select a Site (Default-first-site) page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next.

14. On the Additional Domain Controller Options page, make the following selections, and then click Next:

DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this option.

15. Clear the DNS check box.

  • Because you use Active Directory-integrated zones, the zones will automatically replicate to the new server. Open the DNS management console to check that they appear. For DNS, give the server time for replication, at least 15 minutes.

Important

  1. If you do not have static IPv4 and IPv6 addresses assigned to your network adapters, a warning message might appear advising you to set static addresses for both of these protocols before you can continue. If you have assigned a static IPv4 address to your network adapter and your organization does not use IPv6, you can ignore this message and click Yes, the computer will use a dynamically assigned IP address (not recommended).

After configuring DNS and making sure that it is successfully installed, change the following:

Go to the DNS management console.

Right-click the Domain .com zone.

1-    Primary, then Name Servers, then add servername

2-    Remove servername

3-    Change the primary server to point to servername

4-    Change the responsible person to admin@Domain .com

 

Note

If you select the option to install DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes and disregard the message.

Global Catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality.

Read-only domain controller. This option is not selected by default. It makes the additional domain controller read only.

15.       If you selected Use advanced mode installation on the Welcome page, the Install from Media page appears. You can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can have all the replication done over the network. Note that some data will be replicated over the network even if you install from media. For information about using this method to install the domain controller, see Installing AD DS From Media.

16.       If you selected Use advanced mode installation on the Welcome page, the Source Domain Controller page appears. Click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify a domain controller that you want to provide as a source for replication to create the new domain controller, and then click Next. If you do not choose to install from media, all data will be replicated from this source domain controller.

17.       On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the system volume (SYSVOL) files, and then click Next.

Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files.

18.       On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Service Restore Mode (DSRM) for tasks that must be performed offline.

19.       On the Summary page, review your selections. Click Back to change any selections, if necessary.

To save the settings that you have selected to an answer file that you can use to automate subsequent Active Directory operations, click Export settings. Type the name for your answer file, and then click Save.

When you are sure that your selections are accurate, click Next to install AD DS.

20.       On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

21.       You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS installation when you are prompted to do so.

14     Modify Default Security Policies

To increase security, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require (by default) that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. If your production environment includes client computers that run platforms that do not support SMB packet signing (for example, Microsoft Windows NT® 4.0 with Service Pack 2 (SP2)) or if it includes client computers that run platforms that do not support secure channel signing (for example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify default security policies to ensure that client computers running older versions of the Windows operating system or non-Microsoft operating systems will be able to access domain resources in the upgraded domain.

Note

By modifying the settings of the default security policies, you are weakening the default security policies in your environment. Therefore, we recommend that you upgrade your Windows–based client computers as soon as possible. After all client computers in your environment are running versions of Windows that support SMB packet signing and secure channel signing, you can re-enable default security policies to increase security.

To configure a domain controller to not require SMB packet signing or secure channel signing, disable the following settings in the Default Domain Controllers Policy:

Microsoft network server: Digitally sign communications (always)

Domain member: Digitally encrypt or sign secure channel data (always)

Back up the Default Domain Controllers Policy Group Policy object (GPO) before you modify it. Use the Group Policy Management Console (GPMC) to back up the GPO so that it can be restored, if necessary.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To disable SMB packet signing enforcement on domain controllers

1.   To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.

2.   In the console tree, right-click Default Domain Controllers Policy in Domains\Current Domain Name\Group Policy objects\Default Domain Controllers Policy, and then click Edit.

3.   In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.

4.   In the details pane, double-click Microsoft network server: Digitally sign communications (always).

5.   Verify that the Define this policy setting check box is selected, click Disabled to prevent SMB packet signing from being required, and then click OK.

To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:

gpupdate /force

Note

Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To disable secure channel signing enforcement on domain controllers
1.         To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.

2.         In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.

3.         In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.

4.         In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), click Disabled to prevent secure channel signing from being required, and then click OK.

To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:

gpupdate /force

Note

Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.

Allow cryptography algorithms compatible with Windows NT 4.0

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To allow cryptography algorithms that are compatible with Windows NT 4.0

1.   To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.

2.   In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.

3.   In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine/System/Net Logon.

4.   In the details pane, double-click Allow cryptography algorithms compatible with Windows NT 4.0, and then click Enabled.

Note: By default, the Not Configured option is selected, but, programmatically, after you upgrade a server to Windows Server 2008 domain controller status, this policy is set to Disabled.

To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:

gpupdate /force

Note

Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that are made here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.
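
Because these three settings weaken the default policy, it helps to record which domain controllers are currently running in the relaxed state so that the defaults can be re-enabled once the legacy clients are gone. The following audit is an added example, not part of the original guide; the registry locations are the values these policy settings are commonly stored in and are stated here as an assumption, and the function name Get-SigningPolicyState is hypothetical.

```powershell
# Added example: report whether the three settings from this section are at
# their hardened value on the local domain controller. Read-only; changes nothing.
# Assumption: registry locations below are where these policies are stored.
$checks = @(
    @{ Policy   = 'Microsoft network server: Digitally sign communications (always)'
       Paths    = @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters')
       Name     = 'RequireSecuritySignature'
       Hardened = 1 },
    @{ Policy   = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Paths    = @('HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')
       Name     = 'RequireSignOrSeal'
       Hardened = 1 },
    @{ Policy   = 'Allow cryptography algorithms compatible with Windows NT 4.0'
       Paths    = @('HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters',
                    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')
       Name     = 'AllowNT4Crypto'
       Hardened = 0 }
)

function Get-SigningPolicyState {
    param([object[]]$Checks)

    foreach ($c in $Checks) {
        $value = $null
        $foundAt = $null

        # The first location that actually holds the value wins (policy key before service key).
        foreach ($path in $c.Paths) {
            $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($item -ne $null) {
                $value   = $item.($c.Name)
                $foundAt = $path
                break
            }
        }

        # Three outcomes: the value is absent (operating system default applies),
        # it matches the hardened value, or it has been relaxed.
        $state = if ($value -eq $null) { 'NotSet' }
                 elseif ([int]$value -eq $c.Hardened) { 'Hardened' }
                 else { 'Weakened' }

        New-Object PSObject -Property @{
            Policy   = $c.Policy
            Value    = $value
            State    = $state
            Location = $foundAt
        }
    }
}

$results = @(Get-SigningPolicyState -Checks $checks)
$results | Select-Object State, Value, Policy, Location | Format-List

$weakened = @($results | Where-Object { $_.State -eq 'Weakened' })
if ($weakened.Count -gt 0) {
    "$($weakened.Count) setting(s) are relaxed on $env:COMPUTERNAME. Re-enable the defaults once all clients support signing."
}
```

Run it after gpupdate /force on each domain controller; the output doubles as the record of what has to be reverted later.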

15     Completing the Upgrade of Active Directory Domains

To complete the upgrade of your Active Directory domains, perform the tasks in Checklist: Post-Upgrade Tasks.

16     Checklist: Post-Upgrade Tasks

Complete the tasks in this checklist in the order in which they are presented.

 Checklist: Post-Upgrade Tasks

 

  Task Reference
  Raise the functional levels of domains and forests to enable all advanced features of Active Directory Domain Services (AD DS). | Raise the Functional Levels of Domains and Forests
  Complete the upgrade. | Complete the Upgrade

 

17     Raise the Functional Levels of Domains and Forests

To enable all Windows Server 2008 advanced features in Active Directory Domain Services (AD DS), raise the functional level of your forest to Windows Server 2008. This will automatically raise the functional level of all domains to Windows Server 2008. To enable all Windows Server 2008 R2 advanced AD DS features, raise the functional level of your forest to Windows Server 2008 R2. This will automatically raise the functional level of all domains to Windows Server 2008 R2.

Caution

Do not raise the forest functional level to Windows Server 2008 R2 if you have or will have any domain controllers running Windows Server 2008 or earlier.

Important

After you set the forest functional level to a certain value, you cannot roll back or lower the forest functional level, with one exception: when you raise the forest functional level to Windows Server 2008 R2 and if Active Directory Recycle Bin is not enabled, you have the option of rolling the forest functional level back to Windows Server 2008. You can lower the forest functional level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

For more information about the Active Directory Recycle Bin, see Active Directory Recycle Bin Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=133971).

Use the following procedure to raise the forest functional level to Windows Server 2008.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

To raise the forest functional level
1.   Open the Active Directory Domains and Trusts snap-in. Click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
2.   In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
3.   In Select an available forest functional level, do one of the following:

  • To raise the forest functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.
  • To raise the forest functional level to Windows Server 2008, click Windows Server 2008, and then click Raise.
  • To raise the forest functional level to Windows Server 2008 R2, click Windows Server 2008 R2, and then click Raise.

For more information about Windows Server 2008 advanced AD DS features, see Enabling Advanced Features for AD DS.
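The Caution above can be checked before anyone clicks Raise. The following PowerShell is an added example, not part of the original guide: it lists the domain controllers whose operating system is too old for a chosen forest functional level. The function name, the version table and the sample host names are assumptions of this example; the live query in the trailing comments uses the Active Directory module cmdlets Get-ADForest and Get-ADDomainController.

```powershell
# Added example, not from the original guide. Works on PowerShell 2.0.
# Oldest domain controller OS (major.minor) that each forest functional
# level tolerates. Keys follow the ForestMode names used by Get-ADForest.
$MinimumOsForLevel = @{
    'Windows2003Forest'   = [version]'5.2'   # Windows Server 2003
    'Windows2008Forest'   = [version]'6.0'   # Windows Server 2008
    'Windows2008R2Forest' = [version]'6.1'   # Windows Server 2008 R2
}

function Get-FunctionalLevelBlocker {
    param(
        [object[]] $DomainController,   # objects with HostName and OperatingSystemVersion
        [string]   $TargetLevel
    )
    if (-not $MinimumOsForLevel.ContainsKey($TargetLevel)) {
        throw "Unknown target level '$TargetLevel'."
    }
    $required = $MinimumOsForLevel[$TargetLevel]

    foreach ($dc in $DomainController) {
        $reason = $null
        # OperatingSystemVersion looks like "6.1 (7601)"; compare major.minor only.
        if ($dc.OperatingSystemVersion -match '^\s*(\d+\.\d+)') {
            if ([version]$Matches[1] -lt $required) {
                $reason = "OS $($Matches[1]) is older than required $required"
            }
        } else {
            # Never treat an unreadable version as safe.
            $reason = 'OS version missing or unparseable'
        }
        if ($reason) {
            New-Object PSObject -Property @{
                HostName = $dc.HostName
                Version  = $dc.OperatingSystemVersion
                Reason   = $reason
            } | Select-Object HostName, Version, Reason
        }
    }
}

# Constructed sample inventory (host names are placeholders).
$sample = @(
    (New-Object PSObject -Property @{ HostName = 'dc01.example.test'; OperatingSystemVersion = '6.1 (7600)' }),
    (New-Object PSObject -Property @{ HostName = 'dc02.example.test'; OperatingSystemVersion = '6.0 (6002)' }),
    (New-Object PSObject -Property @{ HostName = 'dc03.example.test'; OperatingSystemVersion = '5.2 (3790)' })
)

Get-FunctionalLevelBlocker -DomainController $sample -TargetLevel 'Windows2008R2Forest'

# Live inventory instead of the sample (requires the Active Directory module):
#   Import-Module ActiveDirectory
#   $live = (Get-ADForest).Domains |
#       ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
#   Get-FunctionalLevelBlocker -DomainController $live -TargetLevel 'Windows2008R2Forest'
```

An empty result means no domain controller in the inventory blocks the target level; it does not cover servers you still plan to promote.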

18     Complete the Upgrade

Complete the following tasks to finalize the process:

  • Review, update, and document the domain architecture to reflect any changes that you made during the domain upgrade process.
  • Verify that the NETLOGON and SYSVOL shared folders exist and that the File Replication Service (FRS) or Distributed File Service (DFS) Replication is functioning without error by checking Event Viewer.
  • Verify that Group Policy is being applied successfully by checking the application log in Event Viewer for Event ID 1704.
  • Verify that all service (SRV), alias (CNAME), and host (A) resource records have been registered in Domain Name System (DNS).
  • Verify Windows Firewall status.

Important

Although the default behavior for Windows Server 2008 and Windows Server 2008 R2 is that Windows Firewall is turned on, if you upgrade a Windows Server 2003 computer that had Windows Firewall turned off, the firewall will remain off after the upgrade unless you turn it on using the Windows Firewall control panel.

Continuously monitor your domain controllers and Active Directory Domain Services (AD DS). Using a monitoring solution (such as Microsoft Operations Manager (MOM)) to monitor distributed Active Directory Domain Services (AD DS)—and the services that it relies on—helps maintain consistent directory data and a consistent level of service throughout the forest.

After these tasks have been completed successfully, you will have completed the in-place upgrade process.

18.1   Known issues for upgrading

Extension mechanisms for DNS (EDNS) are enabled by default on Windows Server 2008 R2. If you notice queries that used to work on DNS servers that run Windows 2000, Windows Server 2003, or Windows Server 2008 fail after those DNS servers are upgraded or replaced with DNS servers that run Windows Server 2008 R2, or queries that the old DNS servers can resolve cannot be resolved by Windows Server 2008 R2 DNS servers, then disable EDNS using the following command:

dnscmd /Config /EnableEDnsProbes 0

19     Verifications you can make and recommended hotfixes you can install before you begin

1.     All domain controllers in the forest should meet the following conditions:

a.   Be online.

b.   Be healthy (Run dcdiag /v to see if there are any problems.)

c.   Have successfully inbound-replicated and outbound-replicated all locally held Active Directory partitions (repadmin /showrepl * /csv viewed in Excel).

d.   Have successfully inbound-replicated and outbound-replicated SYSVOL.

 

 3.  Download the latest service pack and relevant hotfixes that apply to your Active Directory forest before you deploy Windows Server 2008 or Windows Server 2008 R2 domain controllers.

a.   For upgrades to either Windows Server 2008 or Windows Server 2008 R2, create integrated installation media (“slipstream”) by adding the latest service pack and hotfixes for your operating system.

i.    If you are deploying RODCs, review article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974). Download and install the hotfixes on the Windows computers and scenarios that apply to your computing environment.

ii.   For Windows Server 2008 R2: If Active Directory Management Tool (ADMT) 3.1 is installed on Windows Server 2008 computers that are being upgraded in-place to Windows Server 2008 R2, remove ADMT 3.1 before the upgrade; otherwise, it cannot be uninstalled. In addition, ADMT 3.1 cannot be installed on Windows Server 2008 R2 computers.

iii.  The following table lists hotfixes for Windows Server 2008. You can install a hotfix individually, or you can install the service pack that includes it.

 

Description | Microsoft Knowledge Base article | Service pack
Domain controllers that are configured to use the Japanese language locale | 949189 (http://go.microsoft.com/fwlink/?LinkId=164588) | Windows Server 2008 SP2
EFS file access encrypted on a Windows Server 2003 file server upgraded to Windows Server 2008 | 948690 (http://go.microsoft.com/fwlink/?LinkID=106115) | Not included in any Windows Server 2008 Service Pack
Records on Windows Server 2008 secondary DNS server are deleted following zone transfer | 953317 (http://go.microsoft.com/fwlink/?LinkId=164590) | Windows Server 2008 SP2
Use root hints if no forwarders are available | 2001154 (http://go.microsoft.com/fwlink/?LinkId=165959) |
Setting Locale info in GPP causes Event Log and dependent services to fail. If you change “Regional Option – User Locale – enabled,” the Windows Event Log Service, DNS Server Service, task Scheduler Service fail to start. | For prevention and resolution, see 951430 (http://go.microsoft.com/fwlink/?LinkId=165960). | To be included in Windows Server 2008 SP3
GPMC Filter fix | 949360 | Windows Server 2008 SP2
If you use devolution to resolve DNS names (instead of suffix search list), apply the DNS devolution hotfix. | 957579 (http://go.microsoft.com/fwlink/?LinkId=178224) | Windows Server 2008 SP2
Group Policy Preferences rerelease | 943729 (http://go.microsoft.com/fwlink/?LinkId=164591), 974266 (http://go.microsoft.com/fwlink/?LinkID=165035) | Windows Server 2008 SP2
Synchronize the Directory Services Restore Mode (DSRM) Administrator password with a domain user account | 961320 (http://go.microsoft.com/fwlink/?LinkId=177814) |

 

19.1   Hotfixes for Windows Server 2008 R2

The following table lists hotfixes for Windows Server 2008 R2.

 

Description | Microsoft Knowledge Base article | Comment
Windows Server 2008 R2 Dynamic DNS updates to BIND servers log NETLOGON event 5774 with error status 9502 | 2002490 (http://go.microsoft.com/fwlink/?LinkId=178225) | [The article will include a hotfix.]
Event ID 1202 logged with status 0x534 if security policy modified | 2000705 (http://go.microsoft.com/fwlink/?LinkId=165961) | Hotfix is in progress. Also scheduled for Windows Server 2008 R2 SP1.
TimeZoneKeyName registry entry name is corrupt on 64-bit upgrades | 2001086 (http://go.microsoft.com/fwlink/?LinkId=178226) | Occurs only on x64-based server upgrades in Dynamic DST time zones. To see if your servers are affected, click the taskbar clock. If the clock fly-out indicates a time zone problem, click the link to open the date and time control panel.
Deploying the first Windows Server 2008 R2 domain controller in an existing Active Directory forest may temporarily halt Active Directory replication to strict-mode destination domain controllers. | 2002034 |

 

19.2   Run Adprep commands

19.2.1 Add schema changes using adprep /forestprep

1.     Identify the domain controller that holds the schema operations master role (also known as flexible single master operations or FSMO role) and verify that it has inbound-replicated the schema partition since startup:

a.   Run the dcdiag /test:knowsofroleholders command. If the schema role is assigned to a domain controller with a deleted NTDS settings object,

b.   Log on to the schema operations master with an account that has Enterprise Admins, Schema Admins, and Domain Admins credentials in the forest root domain. By default, the built-in administrator account in a forest root domain has these credentials.

c.   On the schema master, run the repadmin /showreps command. If the schema master has inbound-replicated the schema partition since startup, continue to the next step. Otherwise, use the Replicate Now command in Dssite.msc to trigger inbound replication of the schema partition to the schema master.

You can also use the repadmin /replicate <name of schema master> <GUID of replication partner> command. The showreps command returns the globally unique identifier (GUID) of all replication partners of the schema master.

 

20     Configure the Windows Time service on the PDC emulator in the Forest Root Domain

20.1   To configure the Windows Time service on the PDC emulator

  1. Open a Command Prompt.
  2. Type the following command to display the time difference between the local computer and a target computer, and then press ENTER:

w32tm /stripchart /computer:target /samples:n /dataonly

  3. Open User Datagram Protocol (UDP) port 123 for outgoing traffic if needed.
  4. Open UDP port 123 (or a different port that you have selected) for incoming NTP traffic.
  5. Type the following command to configure the PDC emulator, and then press ENTER:

For example, to configure your PDC emulator to use the following list of fictional time servers:

ntp1.Domain.com

  6. Run the following command:

w32tm /config /manualpeerlist:"ntp1.Domain.com" /reliable:yes /update

21     Upgrade Existing Domain Controllers

Note

To increase security, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require (by default) that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing.

By modifying the settings of the default security policies, you are weakening the default security policies in your environment.

22     Complete the Upgrade

Complete the following tasks to finalize the process:

Review, update, and document the domain architecture to reflect any changes that you made during the domain upgrade process.

Verify that the NETLOGON and SYSVOL shared folders exist and that the File Replication Service (FRS) or Distributed File Service (DFS) Replication is functioning without error by checking Event Viewer.

Verify that Group Policy is being applied successfully by checking the application log in Event Viewer for Event ID 1704.

Verify that all service (SRV), alias (CNAME), and host (A) resource records have been registered in Domain Name System (DNS).

Verify Windows Firewall status.
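Two of the points above are easy to miss after an in-place upgrade: a firewall that stayed off because it was off on Windows Server 2003, and signing requirements that were relaxed for older clients. The following PowerShell is an added example, not part of the original guide, that reports both. The function names and the sample data are constructed for illustration; the parser assumes English-language output of netsh advfirewall show allprofiles state, and the two registry values are the ones behind the policies "Microsoft network server: Digitally sign communications (always)" and "Domain member: Digitally encrypt or sign secure channel data (always)".

```powershell
# Added example, not from the original guide. Works on PowerShell 2.0.

# Turn "netsh advfirewall show allprofiles state" output into one object per profile.
function Get-FirewallProfileState {
    param([string[]] $NetshOutput)
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^State\s+(ON|OFF)\s*$') {
            New-Object PSObject -Property @{
                Profile = $current
                Enabled = ($Matches[1] -eq 'ON')
            }
            $current = $null
        }
    }
}

# Registry values under HKLM\SYSTEM\CurrentControlSet\Services; 1 means "required".
$RequiredSigning = @{
    'LanmanServer\Parameters\RequireSecuritySignature' = 1   # SMB packet signing
    'Netlogon\Parameters\RequireSignOrSeal'            = 1   # secure channel signing
}

# Return one finding (a string) per setting that is weaker than the default.
function Get-PostUpgradeFinding {
    param(
        [string[]]  $NetshOutput,
        [hashtable] $ServiceValue   # same keys as $RequiredSigning, actual values
    )
    $profiles = @(Get-FirewallProfileState -NetshOutput $NetshOutput)
    if ($profiles.Count -eq 0) {
        'Firewall state could not be read from the netsh output'
    }
    foreach ($fw in $profiles) {
        if (-not $fw.Enabled) {
            "Windows Firewall is OFF for the $($fw.Profile) profile"
        }
    }
    foreach ($name in ($RequiredSigning.Keys | Sort-Object)) {
        $actual = $ServiceValue[$name]
        if ($actual -ne $RequiredSigning[$name]) {
            "$name is '$actual' (expected $($RequiredSigning[$name]))"
        }
    }
}

# Constructed sample: Public profile off, SMB signing no longer required.
$sampleNetsh = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Ok.
'@ -split "`r?`n"

$sampleRegistry = @{
    'LanmanServer\Parameters\RequireSecuritySignature' = 0
    'Netlogon\Parameters\RequireSignOrSeal'            = 1
}

Get-PostUpgradeFinding -NetshOutput $sampleNetsh -ServiceValue $sampleRegistry

# Live collection on the upgraded domain controller:
#   $svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
#   $live = @{}
#   foreach ($name in $RequiredSigning.Keys) {
#       $leaf = Split-Path $name -Leaf
#       $live[$name] = (Get-ItemProperty (Join-Path $svc (Split-Path $name))).$leaf
#   }
#   Get-PostUpgradeFinding -NetshOutput (netsh advfirewall show allprofiles state) -ServiceValue $live
```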

23       Check proper installation and replication

It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize specifically are:

  • dcpromo.log
    All the events regarding the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services
  • dcpromoui.log
    All the events from a graphical interface perspective

Also check the event viewer.

23.1.1 After replication

Check replication

repadmin /showreps
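Reading replication state by eye does not scale past a few domain controllers. The following PowerShell is an added example, not part of the original guide: it reduces the CSV form mentioned in section 19 (repadmin /showrepl * /csv) to the replication links that need attention. The function name, its thresholds and the embedded sample rows are constructed for illustration; the column names are the ones repadmin writes in its CSV header.

```powershell
# Added example, not from the original guide. Works on PowerShell 2.0.
function Get-ReplicationProblem {
    param(
        [string[]] $CsvLine,                 # raw lines of "repadmin /showrepl * /csv"
        [int]      $MaxAgeHours = 24,        # flag links with no success in this window
        [datetime] $Now = (Get-Date)
    )
    $rows = $CsvLine | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $problem = @()

        # Healthy rows are tagged showrepl_INFO in the first column.
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            $problem += "row type $($row.showrepl_COLUMNS)"
        }

        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        if ($failures -gt 0) {
            $problem += "$failures failures, last status $($row.'Last Failure Status')"
        }

        # A value that does not parse as a date counts as "never succeeded".
        $lastSuccess = [datetime]::MinValue
        [void][datetime]::TryParse($row.'Last Success Time', [ref]$lastSuccess)
        if (($Now - $lastSuccess).TotalHours -gt $MaxAgeHours) {
            $problem += "no success within $MaxAgeHours h"
        }

        if ($problem.Count -gt 0) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Problem       = ($problem -join '; ')
            } | Select-Object Destination, Source, NamingContext, Problem
        }
    }
}

# Constructed sample output (server names are placeholders).
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC01,"DC=example,DC=test",Default-First-Site-Name,DC02,RPC,0,0,2010-05-01 10:15:03,0
showrepl_INFO,Default-First-Site-Name,DC02,"CN=Schema,CN=Configuration,DC=example,DC=test",Default-First-Site-Name,DC01,RPC,5,2010-05-01 09:58:41,2010-04-29 22:03:17,1722
'@ -split "`r?`n"

Get-ReplicationProblem -CsvLine $sampleCsv -Now ([datetime]'2010-05-01 12:00:00')

# Live check from any domain controller or management workstation:
#   Get-ReplicationProblem -CsvLine (repadmin /showrepl * /csv)
```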

24     Migration of DHCP Server from Windows Server 2003 to Windows Server 2008 R2

Note: Backup and Restore are not expected to work across server versions as the DHCP database format has changed between Windows Server 2003 and Windows Server 2008.

The recommended procedure for DHCP server migration is to use the export and import commands through netsh. The procedure for migrating a DHCP server from Windows Server 2003 to Windows Server 2008 is outlined in brief in the following four steps.

24.1   Export the DHCP database from the server that is running Microsoft Windows Server 2003

1.       Log on to the source DHCP server by using an account that is a member of the local Administrators group or the DHCP Administrators group.

2.       Click Start, click Run, type cmd in the Open box, and then click OK.

3.       Type netsh dhcp server export C:\dhcpdatabase.dat all, and then press ENTER.

Note: While the export command runs, DHCP server is stopped and does not respond to clients seeking new leases or lease renewals.

You can now stop the DHCP service on the source server.

24.2   Install the DHCP server service on the server that is running Windows Server 2008

To install the DHCP Server service on an existing Windows Server 2008 computer:

1.       Start Server Manager.

2.       Click on Add Roles.

3.       Select the DHCP server role and press Next.

4.       Click through the next sequence for screens of the installation wizard to complete the DHCP server installation. You should not authorize the DHCP server at this point.

24.3   Import the DHCP database

1.       Log on as a user who is a member of the local Administrators group or DHCP administrators group.

2.       Copy the exported DHCP database file to the local hard disk of the Windows Server 2008 computer.

3.       Verify that the DHCP service is started on the Windows Server 2008 computer.

4.       Click Start, click Run, type cmd in the Open box, and then click OK.

5.       At the command prompt, type netsh dhcp server import c:\dhcpdatabase.dat all, and then press ENTER, where c:\dhcpdatabase.dat is the full path and file name of the database file that you copied to the server.

6.       After you receive the message that the command completed successfully, quit the command prompt.

 

24.4   Authorize the DHCP server

1.  Click Start, point to All Programs, point to Administrative Tools, and then click DHCP. You must be logged on to the server by using an account that is a member of the Administrators group. In an Active Directory domain, you must be logged on to the server by using an account that is a member of the Enterprise Administrators group.

2.       In the console tree of the DHCP snap-in, expand the new DHCP server. If there is a red arrow in the lower-right corner of the server object, the server has not yet been authorized.

3.       Right-click the server object, and then click Authorize.

4.     After several moments, right-click the server again, and then click Refresh. A green arrow indicates that the DHCP server is authorized.

 

http://www.windowsreference.com/windows-server-2008/step-by-step-tutorial-how-to-migrate-dhcp-server-from-a-windows-server-2003-to-windows-server-2008/

http://blogs.technet.com/b/networking/archive/2008/06/27/steps-to-move-a-dhcp-database-from-a-windows-server-2003-or-2008-to-another-windows-server-2008-machine.aspx

Note: When you try to export a DHCP database from a 2003 domain controller to a Windows Server 2008 member server of the domain, you may receive the following error message:

Error initializing and reading the service configuration – Access Denied

To resolve this issue, add the Windows Server 2008 DHCP server computer to the DHCP Admins group at the Enterprise level and redo steps 4 and 5 under section 25.3.

25     Recommendations for FSMO roles

Place the RID and PDC emulator roles on the same domain controller. Good communication from the PDC to the RID master is desirable as down level clients and Target the PDC, making it a large consumer of RIDs. It is also easier to keep track of FSMO roles if you cluster them on fewer machines. Place the RID and primary domain controller emulator roles on separate domain controllers.

The infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site.

http://www.pcreview.co.uk/forums/thread-1456278.php

http://www.planning-tech.com/?p=78

26     What are FSMO ROLES?

Names of the 5 FSMO roles and their placement

Schema owner servername.Domain .com
Domain Role Owner servername.Domain .com
PDC role servername.Domain .com
RID pool manager servername.Domain .com
Infrastructure owner servername.Domain .com

 

The FSMO (flexible single master operations) roles are assigned to domain controllers in our environment and let us manage the environment without conflicts. FSMO roles can be transferred between domain controllers, which gives us much more flexibility in managing the environment.

There are 5 FSMO roles in a forest; 2 of them provide services at the forest level and the other 3 at the domain level.

The forest-level FSMO roles:

  • Schema Master Role – The schema master role is responsible for updating the schema partition. The DC that holds the schema master role is the only one in the entire environment that can update the schema directory. When the update finishes, the schema replicates to all other DCs in the directory.

Note!

We have only ONE schema master per directory!

  • Domain Naming Master Role – This role gives us the ability to make changes to the forest-wide domain names of our directory. The DC that holds this role is the only one that can add or remove a DC from our forest.

The domain-level FSMO roles:

  • RID Master Role – The RID role is hosted on a single DC. This DC is responsible for the RID pool requests from all other DCs in a domain. This role is also responsible for adding or removing objects from a domain and transferring them to another DC (users, computers…).

The RID role is responsible for adding the security principal identifier, called the SID, to objects in our environment (users, computers, groups…). This SID is unique within the domain and cannot be duplicated on another object in the domain.

  • PDC Emulator Role – This role provides many services. Its first responsibility is to synchronize time in a Windows 2000 environment (W32Time service), which is required for Kerberos authentication. The time that this FSMO provides is gathered from an external source, for example Microsoft servers.

The PDC role provides the most services, so it is the busiest role in our environment. Here are a few examples:

–          This role helps us replicate the SYSVOL folder in our environment.

–          It manages all password changes in our domains, to ensure that accounts that do not supply the right credentials are locked, and replicates passwords across domains.

  • Infrastructure Master Role – This role gives us the ability to update object SIDs and distinguished names across domains. This happens when an object from one domain is referenced by an object from another DC.

FSMO levels:

Schema master                                         : One per forest.

Domain Naming Master                        : One per forest.

PDC Emulator                                            : One per domain.

RID Master                                                 : One per domain.

Infrastructure Master                            : One per domain.

Worst-case scenario – what happens if an FSMO role fails?

  • Schema Master – If this FSMO role fails, we cannot add objects to the schema partition, and for that reason we cannot change objects or their attributes.
  • Domain Naming Master – The problem here is easy to understand: when this FSMO role fails, we cannot add a new DC to the forest and we also cannot demote existing domain controllers. Note that the environment keeps functioning until we need to manage domain controllers in the forest.
  • PDC Emulator – As described, this role provides the most services; for that reason, when this role does not function it will probably cause the biggest problems in our environment.
  • RID Master – First, we need to know that each domain controller in the domain holds a pool of RIDs, so we only have problems if we want to add many objects (users, computers…).
  • Infrastructure Master – Here we need to understand the difference between a single-domain environment (if this FSMO role fails, it is not relevant to this scenario) and a multi-domain environment (if this FSMO role fails, we cannot add an object from one DC to another).

27     Moving the Roles

New groups and new group memberships that are created after upgrading the PDC

After you upgrade the Windows Server 2003–based domain controller holding the role of the PDC emulator master in each domain in the forest to Windows Server 2008, or after you move the PDC emulator operations master role to a Windows Server 2008-based domain controller, or after you add a read-only domain controller (RODC) to your domain, the following new well-known and built-in groups are created:

  • Builtin\IIS_IUSRS
  • Builtin\Cryptographic Operators
  • Allowed RODC Password Replication Group
  • Denied RODC Password Replication Group
  • Read-only Domain Controllers
  • Builtin\Event Log Readers
  • Enterprise Read-only Domain Controllers (created only on the forest root domain)
  • Builtin\Certificate Service DCOM Access

The newly established group memberships are:

  • IUSR security principal added to the Builtin\IIS_IUSRS group
  • The following groups added to the Denied RODC Password Replication Group:
      • Group Policy Creator Owners
      • Domain Admins
      • Cert Publishers
      • Domain Controllers
      • Krbtgt
      • Enterprise Admins
      • Schema Admins
      • Read-only Domain Controllers
  • Network Service security principal added to Builtin\Performance Log Users

Also, the following new, additional security principals are created in the forest root domain:

  • IUSR
  • Owner Rights

Well-Known-Security-Id-System security principal is renamed to System

28     Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

To transfer the FSMO role the administrator must be a member of the following group:

FSMO Role | Administrator must be a member of
Schema | Schema Admins
Domain Naming | Enterprise Admins
RID | Domain Admins
PDC Emulator | Domain Admins
Infrastructure | Domain Admins

29     ROLES on our servers

Schema owner                servername.Domain .com

Domain role owner           servername.Domain .com

PDC role                     servername.Domain .com

RID pool manager            servername.Domain .com

Infrastructure owner        servername.Domain .com

29.1   Plan will be

Schema owner                servername.Domain .com  move role to servername

Domain role owner           servername.Domain .com move role to servername

PDC role                    servername.Domain .com

RID pool manager            servername.Domain .com

Infrastructure owner        servername.Domain .com

29.2   Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI


To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

  1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
  2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.(servername)
  3. Select the domain controller that will be the new role holder, the target, and press OK. (servername)
  4. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
  5. Select the appropriate tab for the role you wish to transfer and press the Change button.
  6. Press OK to confirm the change.
  7. Press OK all the way out.

To Transfer the Domain Naming Master Role:

  1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
  2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
  3. Select the domain controller that will be the new role holder and press OK.
  4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
  5. Press the Change button.
  6. Press OK to confirm the change.
  7. Press OK all the way out.

To Transfer the Schema Master Role:

  1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:

regsvr32 schmmgmt.dll

  2. Press OK. You should receive a success confirmation.
  3. From the Run command open an MMC Console by typing MMC.
  4. On the Console menu, press Add/Remove Snap-in.
  5. Press Add. Select Active Directory Schema.
  6. Press Add and press Close. Press OK.
  7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
  8. Press Specify …. and type the name of the new role holder. Press OK.
  9. Right-click the Active Directory Schema icon again and press Operation Masters.
  10. Press the Change button.
  11. Press OK all the way out.

 

Make sure that the Active Directory module for Windows PowerShell is installed.

Then run dcdiag and check the results under "Starting test: fsmocheck".

Then run netdom query fsmo.

If the server could not locate the roles, restart the following services on the W2K8 server:

  • Active Directory Domain Services
  • Netlogon
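To confirm that each role ended up where the plan in section 29.1 put it, the output of netdom query fsmo can be compared with the plan instead of being read by eye. The following PowerShell is an added example, not part of the original guide. The function name, host names and sample output are constructed for illustration; the "owner" labels are the ones listed in this guide, and the "master" labels are the wording of newer netdom builds, which this page does not show.

```powershell
# Added example, not from the original guide. Works on PowerShell 2.0.
# Maps the labels printed by "netdom query fsmo" to short role names.
$RoleLabel = @{
    'Schema owner'          = 'Schema'
    'Schema master'         = 'Schema'
    'Domain role owner'     = 'DomainNaming'
    'Domain naming master'  = 'DomainNaming'
    'PDC role'              = 'PDC'
    'PDC'                   = 'PDC'
    'RID pool manager'      = 'RID'
    'Infrastructure owner'  = 'Infrastructure'
    'Infrastructure master' = 'Infrastructure'
}

function Compare-FsmoPlan {
    param(
        [string[]]  $NetdomOutput,   # raw lines of "netdom query fsmo"
        [hashtable] $Plan            # short role name -> planned holder (FQDN)
    )
    $actual = @{}
    foreach ($line in $NetdomOutput) {
        # Label and holder are separated by a run of two or more spaces.
        if ($line -match '^\s*(.+?)\s{2,}(\S+)\s*$' -and $RoleLabel.ContainsKey($Matches[1])) {
            $actual[$RoleLabel[$Matches[1]]] = $Matches[2]
        }
    }
    foreach ($role in ($Plan.Keys | Sort-Object)) {
        if (-not $actual.ContainsKey($role)) {
            $status = 'NOT REPORTED'     # role line missing from the output
        } elseif ($actual[$role] -eq $Plan[$role]) {   # -eq ignores case for strings
            $status = 'OK'
        } else {
            $status = 'MISMATCH'
        }
        New-Object PSObject -Property @{
            Role    = $role
            Planned = $Plan[$role]
            Actual  = $actual[$role]
            Status  = $status
        } | Select-Object Role, Planned, Actual, Status
    }
}

# Constructed sample output: the PDC emulator role has not been moved yet.
$sampleOutput = @'
Schema owner                dc02.example.test

Domain role owner           dc02.example.test

PDC role                    dc01.example.test

RID pool manager            dc02.example.test

Infrastructure owner        dc02.example.test

The command completed successfully.
'@ -split "`r?`n"

# Planned holders after the transfer (placeholders for this example).
$plan = @{
    Schema         = 'dc02.example.test'
    DomainNaming   = 'dc02.example.test'
    PDC            = 'dc02.example.test'
    RID            = 'dc02.example.test'
    Infrastructure = 'dc02.example.test'
}

Compare-FsmoPlan -NetdomOutput $sampleOutput -Plan $plan

# Live check after the transfer:
#   Compare-FsmoPlan -NetdomOutput (netdom query fsmo) -Plan $plan
```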

30     After installing and removing Roles

Test the DNS and the new server.

Client test

Modify the DNS settings of some clients so that the primary DNS is the new W2K8 server.

Server test

Modify the DNS settings of some servers to be the new W2K8 server.



57 comments

  1. Terrific work! That is the type of information that are supposed to be shared around the net.
    Shame on the seek engines for now not positioning this post higher!
    Come on over and discuss with my web site . Thank you =)

    Like

  2. Hey are using WordPress for your blog platform? I’m new to the blog world but I’m trying to get started and create my own.
    Do you require any coding expertise to make your own blog?
    Any help would be greatly appreciated!

    Like

  3. 3 fingers Stuff arms firmly and sew opening of rnd 7 closed.
    She meets Charletta, a middle-aged woman who says that she helped him to” pump up” for
    two weeks instead of one farmacia on line? In consultation with a doctor about their
    problems.

    Like

  4. Hello my friend! I want to say that this post is amazing,
    nice written and come with approximately all
    vital infos. I’d like to peer extra posts like this .

    Like

  5. I leave a response when I appreciate a post on a site or if
    I have something to valuable to contribute to the conversation.
    It is caused by the fire communicated in the post I looked at.
    And after this post UPGRADING ACTIVE DIRECTORY TO WINDOWS 2008 R2 ADDS DOMAIN | System Admins.

    I was moved enough to drop a thought 🙂 I do have 2 questions for you if it’s okay. Could it be only me or does it look like a few of the remarks appear like they are coming from brain dead folks? 😛 And, if you are writing at other online sites, I’d like to keep up with
    anything fresh you have to post. Could you list all of all your public sites like your Facebook
    page, twitter feed, or linkedin profile?

    Like

    • sorry i have just saw it i m so sorry
      but all the examples from this blog are all from real examples which i m testing it first in my environment with all details
      if i have any refrences you will find them in the post

      Like

  6. Greetings! I’ve been reading your site for a while now and finally got the courage to go ahead and give you a shout out from Lubbock Texas! Just wanted to tell you keep up the great job!

    Like

  7. Greetings from Colorado! I’m bored at work so I decided to browse your site on my iphone during lunch break.
    I really like the info you provide here and can’t wait to take a look when I get home.
    I’m surprised at how fast your blog loaded on my phone ..
    I’m not even using WIFI, just 3G .. Anyways, very good site!

    Like

  8. Heya outstanding blog! Does running a blog
    like this take a large amount of work? I have virtually no understanding of coding but I was hoping to start my own blog soon.
    Anyway, should you have any ideas or tips for new blog owners please share.

    I know this is off topic but I just wanted to ask.
    Cheers!

    Like

  9. Itss like you read my mind! You appear to know a lot about this,
    like yyou wrote the book in it or something. I think
    that you can do with some pics to drive the message
    home a bit, but instead of that, this is fantastic blog.
    A grat read. I wioll certainly be back.

    Like

  10. Hi, I do think this is an excellent web site. I stumbledupon
    it 😉 I will come back once again since i have book-marked it.
    Money and freedom is the best way to change, may
    you be rich and continue to guide other people.

    Like

  11. Write more, thats all I have to say. Literally,itseems as though you relied on
    the video to make your point. You definitely know what youre talking about, why waste your intelligence oon just
    posting videos to your weblog when you could be giving us something
    informative to read?

    Like

  12. I know this if off topic but I’m looking into
    starting my own weblog and was wondering what all
    is required to get setup? I’m assuming having a blog like
    yours would cost a pretty penny? I’m not very web savvy
    so I’m not 100% positive. Any recommendations or advice would be greatly appreciated.
    Cheers

    Like

  13. I enjoy what you guys tend to be up too. This kinnd of clever work aand reporting!
    Keep up the good works guy I’ve you guys to mmy personal blogroll.

    Like

  14. Hello this is kinda of off topic but I was
    wanting to know if blogs use WYSIWYG editors or if you have to manually code
    with HTML. I’m starting a blog soon but have no
    coding experience so I wanted to get advice from someone with
    experience. Any help would be enormously appreciated!

    Like

  15. I feel that is among the most important info for me. And i’m satisfied reading your article.
    However want to remark on some general issues, The site taste is ideal, the articles is actually great :
    D. Excellent task, cheers

    Like

  16. This is really fascinating, You are an overly skilled blogger.
    I’ve joined your feed and sit up for seeking extra of your fantastic post.
    Also, I’ve shared your web site in my social networks


  17. Hey there! I know this is kinda off topic but I’d figured I’d ask.

    Would you be interested in exchanging links or maybe guest writing a blog article or vice-versa?
    My blog addresses a lot of the same topics as yours and I think we could greatly benefit from each other. If you’re interested feel free to send me an email.
    I look forward to hearing from you! Superb blog by the way!


  18. In simple words, fashion illustration gives a freedom to
    the artist to put forward the fashion designs and ideas in front
    of the entire world. Indeed, Roberto Cavalli has drawn its own spot as one
    of Hollywood’s most sought-after Italian fashion brands.
    It’s nice that at least parts of society and media are recognizing
    that not all women are shaped the same and we
    don’t all need to be a size 6 or smaller.


  19. It is appropriate time to make some plans for the future
    and it is time to be happy. I’ve read this post
    and if I could I wish to suggest you some interesting things or suggestions.
    Maybe you could write next articles referring to
    this article. I desire to read even more things about it!


  20. Most people probably played this game possibly what you want to have free
    mobile phone user, many cellular carriers today will allow the downloaded codes to read
    the manual! Android’s new-fangled functional concept Android
    is just a private person, to fulfill one’s
    requirement. The cannons would launch the critter,
    while video games played angry birds friends hack on the site
    should be closed when not in a class of Smartphone devices.
    They will make it all? Angry Birds Video Game was
    first released on the personal choice.


  21. I leave a response each time I like an article on a site or if I have something to contribute to the discussion. It’s caused by the passion communicated in the post I looked at.
    And on this article UPGRADING ACTIVE DIRECTORY TO WINDOWS 2008 R2 ADDS
    DOMAIN | System Admins. I was actually excited enough to write
    a thought 😛 I do have 2 questions for you if you
    tend not to mind. Could it be just me or do some of the
    comments come across as if they are left by brain dead people?
    😛 And, if you are writing on additional sites, I would like to keep up with everything new you have to post.

    Would you make a list the complete urls of all your social sites like your Facebook page, twitter feed,
    or linkedin profile?


  22. com reported in November of 2008 that one-fourth of U.

    If you do not possess a full-blown POS system to
    your retail business, you happen to be losing money — guaranteed.

    Diploma programs give students the opportunity to learn about
    the managerial, operational, and technical areas of providing great customer support to guests and also the public.


  23. Just want to say your article is as astounding.

    The clearness to your submit is just great and that I could
    assume you are knowledgeable on this subject. Well with your
    permission allow me to seize your RSS feed to stay up to
    date with approaching post. Thanks a million and please keep up
    the gratifying work.


  24. I do not even know how I finished up right here, however I thought this publish was great.
    I don’t understand who you’re however certainly you’re going to a well-known blogger in the event you aren’t
    already. Cheers!


  25. I love your blog.. very nice colors & theme. Did you design this
    website yourself or did you hire someone to do it for you?

    Plz respond as I’m looking to design my own blog and would like to know where u
    got this from. cheers


  26. Hello, Neat post. There is a problem with your website in web explorer, may test this?
    IE nonetheless is the marketplace leader and a large element of people will miss
    your excellent writing due to this problem.

