
The things that are better left unspoken : Transitioning your Active Direc... http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/03/02/trans...

The things that are better left unspoken


a blog by Sander Berkouwer
Transitioning your Active Directory to Windows Server 2008
You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the
moment and you're looking to replace these servers with Windows Server 2008 Domain Controllers to utilize
the new features of Windows Server 2008. You might also be looking to replace your aging Windows Server
2003 and Windows Server 2003 R2 Domain Controllers with spanking new Windows Server 2008 Domain
Controllers, while keeping your Active Directory running smoothly.

This post intends to help you with this transition in a structured, balanced and thorough way and describes:

Choosing between In-place upgrading, transitioning or restructuring
Reasons to transition to Windows Server 2008
Steps to transition
Prepare your Active Directory environment
Installing the first Windows Server 2008 Domain Controller
Installing additional Windows Server 2008 Domain Controllers
Taking care of Flexible Single Master Operations and Global Catalogs
Checking proper installation and replication
Demoting Windows Server 2003 Domain Controllers
Raising the domain functional level
Raising the forest functional level
Concluding

Ways to migrate
Upgrading your Windows Server 2003 Active Directory environment to Windows Server 2008 can be done in
three distinct ways:

In-place upgrading
Windows Server 2003 and Windows Server 2003 R2 can both be upgraded in-place to Windows
Server 2008, as long as you keep the following in mind:

The Windows Server 2003 patch level should be at least Service Pack 1
You can't upgrade across architectures (x86, x64 & Itanium)
Standard Edition can be upgraded to both Standard and Enterprise Edition
Enterprise Edition can be upgraded to Enterprise Edition only
Datacenter Edition can be upgraded to Datacenter Edition only

In-place upgrading requires you to run adprep.exe before starting the upgrade process on the
Domain Controllers. Check this post from Jorge for more information.

Transitioning
Migrating this way means adding Windows Server 2008 Domain Controllers to your existing Active
Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles
you can simply demote the previous Domain Controllers, remove them from the domain and throw
them out of the window.

Transitioning is possible for Active Directory environments whose domain functional level is at least
Windows 2000 Native.

Restructuring
A third way to go from Windows Server 2003 Domain Controllers to Windows Server 2008 Domain
Controllers is restructuring your Active Directory environment. This involves moving all your resources
from one (Windows Server 2003) domain to a new and fresh (Windows Server 2008) domain. Tools like
the Active Directory Migration Tool (ADMT) are priceless in this kind of migration.

1 of 7 3/6/2008 11:15 AM

Reasons to transition
I feel transitioning is the middle road between the two other ways to migrate to Windows Server 2008:

Restructuring means filling a new Active Directory from scratch
In-place upgrading means you're stuck with the same hardware and limited to certain upgrade paths
Transitioning means you get to keep your current Active Directory layout, contents, group policies
and schema. Transitioning also means moving to new machines, which can be dimensioned to last
another three to five years without trouble.

Transitioning is good when:

You worked hard to get your Active Directory in the shape it's in.
Your servers are faced with aging.
In-place upgrading leaves you with an undesired outcome (for instance 32-bit DCs)
You need a chance to place your Active Directory files on different partitions/volumes.

When done right your colleagues might not even suspect a thing! The downside is you need to know exactly
what you're doing, because things can go wrong pretty fast. That's why I wrote this post.

Steps to transition
Transitioning to Windows Server 2008 Domain Controllers consists of the following steps:

Before you begin

Avoid common mistakes

There is a very good Microsoft Knowledge Base article on Common Mistakes When Upgrading a Windows
2000 Domain To a Windows 2003 Domain, written by community experts. I suggest you read it (twice).
Most of its contents also apply to transitioning from Windows Server 2003 (R2) to Windows Server 2008.

Plan your server lifecycle

It's not uncommon for a Domain Controller to sit on your network for a period of five years. I believe you
should keep this in mind when selecting and buying a server. You should plan your partitions (or volumes)
carefully and place the Active Directory files on separate volumes when your needs justify it. The Windows
Server catalog helps you pick systems that will run Windows Server 2008 with ease.

Assess your readiness

Microsoft has kindly provided a tool to scan systems to assess whether they are capable of running
Windows Server 2008, whether drivers are available (either from Microsoft Update or on the installation
media) and what problems you might encounter when deploying Windows Server 2008. I recommend
checking your systems with this tool, which is called the Microsoft Assessment and Planning Solution
Accelerator (MAP for short).

Backups
Make backups of all your Domain Controllers and verify you can restore these backups when needed.

Documentation
It is a good thing to know exactly what you're migrating. When things go wrong you might need to be able
to revert to the old situation. This might require the Directory Services Restore Mode (DSRM) password
and credentials for service accounts, which might not be written down anywhere. In multiple Domain
Controller, multiple domain, multiple forest and multiple site scenarios it's very wise to make a table
containing the relevant information per Domain Controller in terms of Flexible Single Master Operations
(FSMO) roles, Global Catalog placement, domain membership, site membership, replication topology,
routing tables, IP addressing, etc.

Communication
When done right your colleagues might not even suspect a thing, but it's important to shed some light on
what you're doing. (Make someone) communicate to the end users that you're going to mess with the core
of their infrastructure. This might result in colleagues understanding you're (really) busy and might also
result in problems being reported fast. Both are good things if you ask me...

Prepare your Active Directory environment

Before you can begin to introduce the first Windows Server 2008 Domain Controller into your existing Active
Directory environment, you first have to prepare the Active Directory.

Microsoft provides a tool called adprep.exe to facilitate this preparation. You need to run the following
commands on the following servers in your Active Directory environment:

Command                         Domain Controller
adprep.exe /forestprep          Schema Master
adprep.exe /domainprep          Infrastructure Master
adprep.exe /domainprep /gpprep  Infrastructure Master
adprep.exe /rodcprep *          Domain Naming Master

* Optional, when you want to deploy Read Only Domain Controllers.

After preparing your Active Directory for Windows Server 2008 be sure to check the process. Breadcrumbs
to failures may be found in the event viewer, but real men will check the adprep.log files. If your life
depends on it, you can use the HowTo Jorge wrote to check that forestprep and domainprep successfully
replicated to all Domain Controllers.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific
replication needs this might take hours.) When you feel all changes have been replicated use the replmon
and repadmin tools to check and optionally troubleshoot Active Directory replication.

Install the first Windows Server 2008 Domain Controller

You could already start installing Windows Server 2008 on a fresh box and make it a member of the
domain, while preparing your Active Directory. When you're done preparing your Active Directory you can
safely go ahead installing the first Windows Server 2008 Domain Controller by promoting a Windows Server
2008 box to a Domain Controller, using dcpromo.exe.

When running dcpromo.exe make sure you select to make this Domain Controller an extra Domain
Controller for the Active Directory domain you're transitioning. Type a secure password for Directory
Services Restore Mode (DSRM).

Tip:
Write down the Directory Services Restore Mode (DSRM) password.

Since each Active Directory Domain Controller stores a copy of the Active Directory information, like users,
computers, etc. and the NETLOGON and SYSVOL shares, your new Windows Server 2008 Domain Controller
will be open for business after you restart it to complete the wizard.

Install additional Domain Controllers

Installing additional Windows Server 2008 Domain Controllers is as easy as purchasing them, licensing
them, installing them and promoting them. There's really nothing to it: Once you've introduced the first
Windows Server 2008 Domain Controller you know how to do it.

If you find installing loads of Domain Controllers is a tedious job you might want to promote servers to
Domain Controllers using answer files. When Domain Controllers need to be placed in locations with limited
connectivity or bandwidth constraints you might want to explore the Install from Media (IFM) possibilities.
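As an added example (not code from the original post), the following PowerShell script writes a dcpromo answer file for an additional (replica) Windows Server 2008 Domain Controller and runs the unattended promotion, placing the database, logs and SYSVOL on separate volumes as advised earlier in the post. The domain name, site name, drive letters and file path are assumptions; adjust them to your environment.

```powershell
# Added example, not code from the original post. Generates a [DCInstall] answer
# file for an additional (replica) Windows Server 2008 DC and runs dcpromo with it.
# Domain name, site name, drive letters and the answer file path are assumptions.
param(
    [string]$DomainName = 'corp.example.com',          # assumed target domain
    [string]$SiteName   = 'Default-First-Site-Name',   # assumed AD site
    [string]$AnswerFile = 'C:\dcpromo-replica.txt'     # assumed output path
)

# The DSRM password is written in clear text into the answer file, which is why
# the file is removed again in the finally block. Write the password down first.
$dsrm = Read-Host 'Directory Services Restore Mode password'

# Database, log files and SYSVOL on separate volumes (D:, E:, F: assumed).
# Password=* makes dcpromo prompt for the domain credentials instead of
# storing them in the file. RebootOnCompletion=No lets us clean up first.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$DomainName
UserName=Administrator
Password=*
DatabasePath="D:\NTDS"
LogPath="E:\NTDS"
SYSVOLPath="F:\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII
try {
    & dcpromo.exe /unattend:$AnswerFile
    Write-Host "dcpromo exited with code $LASTEXITCODE."
    Write-Host 'Review dcpromo.log and dcpromoui.log in %SystemRoot%\Debug, then restart the server.'
}
finally {
    # Never leave the DSRM password lying around on disk.
    Remove-Item -Path $AnswerFile -Force
}
```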

Take care of FSMOs and GCs

Using the Active Directory Sites and Services MMC Snap-in make new Windows Server 2008 Domain
Controllers Global Catalog servers appropriately.

Also transfer the Flexible Single Master Operations (FSMO) Roles to the appropriate servers. You can use the
graphical interface to move the Flexible Single Master Operations (FSMO) roles from your Windows Server 2003
servers to Windows Server 2008. Another option is using ntdsutil.

In multiple Domain Controller scenarios Jorge has a good rule of thumb on Global Catalogs and the
Infrastructure Master Flexible Single Master Operations (FSMO) Role. Either:

Don't make the Domain Controller holding the Infrastructure Master Flexible Single Master Operations
(FSMO) Role a Global Catalog server;
Make all Domain Controllers Global Catalog servers.

When your environment includes Microsoft Exchange Server reboot a Domain Controller after making it a
Global Catalog server. Microsoft Exchange communicates with Active Directory through Global Catalogs
using MAPI. Although the Active Directory Sites and Services MMC Snap-in doesn't ask for it you need to
restart a Domain Controller at least one time after making it a Global Catalog before it starts talking MAPI.

Make sure your Windows Server 2003 Domain Controllers are no longer clinging on to any of the Flexible
Single Master Operations (FSMO) Roles. Check this using the graphical user interface, using replmon, or with
the following netdom.exe command from the Resource Kit:

netdom.exe query fsmo
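As an added example (not code from the original post), one PowerShell helper that resolves the FSMO role holders through the .NET System.DirectoryServices.ActiveDirectory classes (instead of parsing netdom output) serves two checks from this post: it maps each adprep command from the preparation table to the server it has to run on, and, after the transfer, it verifies that no Windows Server 2003 Domain Controller still holds a role and that the Infrastructure Master / Global Catalog rule of thumb above is respected. The legacy host names at the bottom are placeholders.

```powershell
# Added example, not code from the original post. Resolves FSMO holders via .NET
# and reuses that for two checks: where each adprep command belongs, and whether
# the role transfer away from the Windows Server 2003 DCs is really complete.
# Assumed: run on a domain member as a user allowed to read forest/domain data.

function Get-FsmoHolders {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    @{
        'Schema Master'         = $forest.SchemaRoleOwner.Name
        'Domain Naming Master'  = $forest.NamingRoleOwner.Name
        'PDC Emulator'          = $domain.PdcRoleOwner.Name
        'RID Master'            = $domain.RidRoleOwner.Name
        'Infrastructure Master' = $domain.InfrastructureRoleOwner.Name
    }
}

# Check 1: the adprep table from the post, resolved to actual host names.
function Show-AdprepPlan {
    param([switch]$IncludeRodcPrep)   # /rodcprep only if you deploy RODCs
    $holders = Get-FsmoHolders
    $local   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $steps   = @(
        @{ Cmd = 'adprep.exe /forestprep';         Role = 'Schema Master' },
        @{ Cmd = 'adprep.exe /domainprep';         Role = 'Infrastructure Master' },
        @{ Cmd = 'adprep.exe /domainprep /gpprep'; Role = 'Infrastructure Master' }
    )
    if ($IncludeRodcPrep) {
        $steps += @{ Cmd = 'adprep.exe /rodcprep'; Role = 'Domain Naming Master' }
    }
    foreach ($s in $steps) {
        $holder = $holders[$s.Role]
        $where  = "run it on $holder"
        if ($holder -eq $local) { $where = 'run it HERE' }
        Write-Host ("{0,-32} {1,-22} {2}" -f $s.Cmd, $s.Role, $where)
    }
}

# Check 2: after the transfer, no role may still sit on a legacy DC, and the
# Infrastructure Master must not be a GC unless every DC in the domain is one.
function Test-FsmoTransition {
    param([string[]]$LegacyDCs)   # FQDNs of the Windows Server 2003 DCs to retire
    $problems = @()
    $holders  = Get-FsmoHolders
    foreach ($role in $holders.Keys) {
        if ($LegacyDCs -contains $holders[$role]) {
            $problems += "$role is still held by legacy DC $($holders[$role])"
        }
    }
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $notGc  = @($domain.FindAllDomainControllers() | Where-Object { -not $_.IsGlobalCatalog() })
    if ($domain.InfrastructureRoleOwner.IsGlobalCatalog() -and $notGc.Count -gt 0) {
        $problems += "Infrastructure Master $($domain.InfrastructureRoleOwner.Name) is a GC while " +
                     "$($notGc.Count) DC(s) are not: move the role or make every DC a GC"
    }
    if ($problems.Count -eq 0) { Write-Host 'FSMO placement looks good' }
    $problems   # returned so it can be piped into a report
}

# Usage (host names are placeholders):
Show-AdprepPlan
Test-FsmoTransition -LegacyDCs 'dc2003a.corp.example.com', 'dc2003b.corp.example.com'
```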

Check proper installation and replication

It is a best practice to review the logs to identify any problems that might have occurred during the
promotion. The logs to scrutinize specifically are:

dcpromo.log: all the events regarding the creation and removal of Active Directory, SYSVOL trees and the
installation, modification and removal of key services
dcpromoui.log: all the events from a graphical interface perspective

Also check the event viewer.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific
replication needs this might take hours.) When you feel all changes have been replicated use the replmon
and repadmin tools to check and optionally troubleshoot proper Active Directory replication.

Demote Windows Server 2003 Domain Controllers

I've seen Domain Controllers become the prostitutes of the server room in many environments. Any
software that didn't require a dedicated server or was deemed highly dependent on the Active Directory was
installed on the Domain Controller. When you're one of the administrators treating their Domain Controllers
like that, you're going to have a hard time demoting your Domain Controllers. Testing demotions in a
separate (virtual) testing environment could give you a clear picture of the behavior of your Windows
Server 2003 ex-Domain Controllers though!

From my personal experience I can tell you it's not recommended to demote a Domain Controller when it
has Exchange Server or Internet Information Services installed after it was promoted. You're going to have
to find another box to install these services on.

When your Windows Server 2003 Domain Controllers are also Domain Name System (DNS) servers it is
recommended to change the DNS zones into Active Directory Integrated DNS zones (when possible) so they
get replicated to any Domain Controller running the DNS service. Installing the DNS Server role on a
Windows Server 2008 would then suffice to migrate DNS settings. Be sure to change the DNS information
on your other servers and workstations, before removing DNS servers from your network.

You can safely demote a Domain Controller using the dcpromo.exe command. If you're unsuccessful you
might want to try to remove the server from Active Directory the hard way, which Jorge describes here.
(leaving out the percussive maintenance option though)

Raise the domain functional level

After you've successfully demoted the last Windows Server 2003 Domain Controller for a specific domain (or
you don't feel the need to ever add pre-Windows Server 2008 Domain Controllers to your Active Directory
environment) you're ready to raise the Domain functional level of that domain.

Upgrading the domain functional level to Windows Server 2008 adds the following features to your
environment:

Distributed File System Replication (DFS-R) support for SYSVOL, which provides more robust and
detailed replication of SYSVOL contents with minimal replication traffic compared to FRS.
Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.
Last Interactive Logon Information, which displays the time of the last successful interactive logon for
a user, from what workstation, and the number of failed logon attempts since the last logon.
Fine-grained password policies, which make it possible for password and account lockout policies to be
specified for users and global security groups in a domain, instead of per domain only.

Note:
Raising the functional level is a one way procedure. Once you've raised your domain functional
level there's no way to return to the previous domain functional level.

Raising the domain functional level in Windows Server 2008 looks remarkably similar to raising the domain
functional level on Windows Server 2003:

1. Log on to the Domain Controller holding the PDC emulator FSMO role with a user account that is a
member of the Domain Administrators group.
2. Open Active Directory Domains and Trusts.
3. In the console tree, right-click the domain for which you want to raise functionality, and then click
Raise Domain Functional Level.
4. In Select an available domain functional level, click Windows Server 2008, and then click Raise.

Upgrade the forest functional level

After you've successfully upgraded the domain functional level of all the domains in your Active Directory
forest you're ready to upgrade the forest functional level. This will not add any features, but all domains
that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level
by default.

Note:
Raising the functional level is a one way procedure. Once you've raised your forest functional
level there's no way to return to the previous forest or domain functional levels.

To upgrade the forest functional level to Windows Server 2008 perform the following actions:

1. Log on to the Domain Controller of the forest root domain holding the PDC Emulator FSMO role with a
user account that is a member of the Enterprise Administrators group.
2. Open Active Directory Domains and Trusts.
3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest
Functional Level.
4. Under Select an available forest functional level, click Windows Server 2008, and then click
Raise.

Concluding
Transitioning your Active Directory to Windows Server 2008 seems as easy as running adprep and installing
Windows Server 2008 Domain Controllers. It might be, in small shops with one single Domain Controller in
one single Active Directory domain in its own forest with one single Active Directory site.

Be sure to check whether what you're doing is successfully installed, performed and replicated before you
screw up your Active Directory environment though!

Further reading

WS2008: Upgrade Paths, Resource Limits & Registry Values
Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
Windows Server Longhorn - Installing, Removing and Upgrading to AD
Windows Server Longhorn - Install From Media (IFM)
Win Server 2008 Directory Services, Functional Levels Overview
Functional Levels In Windows Server 2008 Part I
Functional Levels In Windows Server 2008 Part II
Appendix of Functional Level Features
Active Directory Installation and Removal Issues
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
Using Repadmin.exe to troubleshoot Active Directory replication
HOW TO: Use the Replication Monitor to Determine the Operations Master and GC Roles
HOW TO: troubleshoot intra-site replication failures
Windows Server 2008 dcpromo Changes
Active Directory Domain Services: UI changes - Part 1
Active Directory Domain Services: UI changes - Part 2
How to raise domain and forest functional levels in Windows Server 2003
FSMO placement and optimization on Active Directory domain controllers
How to optimize Active Directory replication in a large network

Posted: Sunday, March 02, 2008 12:14 PM by Sander Berkouwer


Filed under: Active Directory, System Administration, Microsoft Windows Server, Microsoft Windows Server
2008, Best Practices

Comments

Transitioning your Active Directory to Windows Server 2008 - Microsoft Product's said:

You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the moment and you're looking to
replace these servers with Windows Server 2008 Domain Controllers to utilize the new features of Windows Server 2008. You might
also be looking to replace your aging Windows Server 2003 and Windows Server 2003 R2 Domain Controllers with spanking new
Windows Server 2008 Domain Controllers, while keeping your Active Directory running smoothly.

# March 2, 2008 12:13 PM

TrackBack said:

Time: 08:09 EST/13:09 GMT | News Source: Dirteam | Posted By: Kenneth van Surksum

You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the
moment and you're looking to replace these servers with Windows Server 2008 Domain Controllers to utilize
the new features of Windows Server 2008. You might also be looking to replace your aging Windows Server
2003 and Windows Server 2003 R2 Domain Controllers with spanking new Windows Server 2008 Domain
Controllers, while keeping your Active Directory running smoothly.

# March 2, 2008 11:17 PM

TrackBack said:

Sander Berkouwer has published on his blog an interesting article devoted entirely to upgrading domain
controllers running Windows Server 2003 and Windows Server 2003 R2 to Windows Server 2008 and, as a
consequence, upgrading the Active Directory domain itself to the 2008 version.

The article describes the various upgrade methods (in-place upgrade, restructuring, migration) together with
their problem areas, as well as the step-by-step actions for each case. At the end there is a sizeable list of
links to other, complementary publications on the Internet.

# March 3, 2008 2:09 PM

natasham said:

I love your work. Thanks for providing such a well-structured summary.

# March 3, 2008 10:24 PM

TrackBack said:

You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the moment and you're looking to
replace these servers with Windows Server 2008 Domain Controllers to utilize the new features of Windows Server 2008. You might
also be looking to replace your aging Windows Server 2003 and Windows Server 2003 R2 Domain Controllers with spanking new
Windows Server 2008 Domain Controllers, while keeping your Active Directory running smoothly.

Read more over at {The things that are better left unspoken}

# March 4, 2008 12:00 AM

Transitioning your Active Directory to Windows Server 2008 | Savage Nomads said:

We’ve talked about starting from scratch again with our AD forest. This post has some great information about the new features of
a 2008 AD and options you have to get there.

# March 4, 2008 4:34 PM

TrackBack said:

Transitioning is good when:

You worked hard to get your Active Directory in the shape it's in.
Your servers are faced with aging.
In-place upgrading leaves you with an undesired outcome (for instance 32bit DC's)
You need a chance to place your Active Directory files on different partitions/volumes.

When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing,
because things can go wrong pretty fast. that's why I wrote this post.

# March 4, 2008 11:27 PM

Windows Server 2008 said:

To everyone interested in AD DS in W2K8 I warmly recommend the article on Sander Berkouwer's blog. You will find

# March 5, 2008 4:10 AM



Copyright © 2005-2008 DIRTEAM.COM. All rights reserved
