Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
asia.companyabc.com domain has all Windows Server 2003 SP2 domain controllers. The
entire forest will be upgraded to Windows Server 2008 R2, but they need to be migrated
over time. Thus, a phased migration will be used.
[FIGURE 16.3: Company ABC forest, showing the companyabc.com and asia.companyabc.com domains.]
Phased Migration
Migrating Domain Controllers
There are two approaches to migrating domain controllers, similar to the logic used in the
“Performing an Upgrade on a Single Domain Controller Server” section. The domain
controllers can either be directly upgraded to Windows Server 2008 R2 or replaced by
newly introduced Windows Server 2008 R2 domain controllers. The decision to upgrade
an existing server largely depends on the hardware of the server in question. The rule of
thumb is, if the hardware will support Windows Server 2008 R2 now and for the next two
to three years, a server can be directly upgraded. If this is not the case, using new
hardware for the migration is preferable.
The prerequisites for upgrading an Active Directory forest and domain discussed earlier
still apply. The prerequisites to upgrade to Windows Server 2008 R2 Active Directory are
as follows:
• The operating system on the domain controllers is Windows Server 2003 SP2 or higher.
• The current domain functional level is Windows 2000 Native or Windows Server
  2003. You cannot upgrade directly from Windows NT 4.0, Windows 2000 Mixed, or
  Windows Server 2003 interim domain functional levels.
These prerequisites are required to upgrade to Windows Server 2008 R2.
NOTE
A combined approach can be and is quite commonly used, as indicated in Figure 16.4,
to support a scenario in which some hardware is current but other hardware is out of
date and will be replaced. Either way, the decisions applied to a proper project plan can
help to ensure the success of the migration.
[FIGURE 16.4: Combined approach to the upgrade process. Diagram labels: Old Hardware, New Hardware, Replace Domain Controllers, Upgrade Domain Controllers.]
The scenario in this section will use the combined approach to the upgrade, replacing the
Windows 2000 SP4 companyabc.com domain controllers and upgrading the Windows
Server 2003 asia.companyabc.com domain controllers.
The health of the domain controllers should be verified prior to upgrading the domain
controllers. In particular, the Domain Controller Diagnostics (DCDIAG) utility should be
CHAPTER 16
Migrating from Windows Server 2003/2008 to Windows Server
2008 R2
run and any errors fixed before the upgrade. The Windows Server 2003 DCDIAG utility is
part of the Support Tools, which can be found on the installation media under
\support\tools\. The Support Tools are installed via an MSI package named
SUPTOOLS.MSI in Windows Server 2003. After installing the tools, the DCDIAG utility
can be run. The dcdiag /e option should be used to check all domain controllers in the
enterprise. Verify that all tests passed.
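One way to turn the dcdiag /e check above into a pass/fail gate, as an added example that is not from the book: the PowerShell below summarizes the per-test result lines and does not report ready if any test failed or if nothing could be parsed. The sample output is constructed, and the parser assumes the English-language dcdiag result lines.

```powershell
# Added example. Constructed sample of `dcdiag /e` output (not from a real forest).
# For a real check, replace the here-string with:  $lines = dcdiag /e
$lines = @'
Testing server: Default-First-Site-Name\DC1
   Starting test: Connectivity
      ......................... DC1 passed test Connectivity
   Starting test: Replications
      ......................... DC1 passed test Replications
Testing server: Asia\ASIADC1
   Starting test: Connectivity
      ......................... ASIADC1 passed test Connectivity
   Starting test: Replications
      [Replications Check,ASIADC1] A recent replication attempt failed:
      ......................... ASIADC1 failed test Replications
'@ -split "`r?`n"

function Get-DcdiagResult {
    param([string[]]$Lines)
    # Each test ends with a dotted line: "<target> passed|failed test <TestName>".
    $pattern = '^\s*\.{5,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Target = $Matches['Target']
                Test   = $Matches['Test']
                Result = $Matches['Result'].ToLower()
            }
        }
    }
}

function Test-UpgradeReady {
    param([object[]]$Results)
    # No parsed results means dcdiag did not run or its output was unreadable: not ready.
    if (-not $Results -or $Results.Count -eq 0) { return $false }
    return @($Results | Where-Object { $_.Result -eq 'failed' }).Count -eq 0
}

$results = @(Get-DcdiagResult -Lines $lines)
$results | Where-Object { $_.Result -eq 'failed' } |
    ForEach-Object { "FAILED: $($_.Target) / $($_.Test)" }
if (Test-UpgradeReady -Results $results) {
    'All dcdiag tests passed.'
} else {
    'Do not upgrade yet: fix the failures above and rerun dcdiag /e.'
}
```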
Preparing the Forest and Domains Using adprep
The introduction of Windows Server 2008 R2 domain controllers into a Windows Server
2003/2008 Active Directory requires that the core AD database structure, the schema, be
updated to support the increased functionality. In addition, several other security changes
need to be made to prepare a forest for inclusion of Windows Server 2008 R2. The
Windows Server 2008 R2 DVD includes a command-line utility called adprep that will
extend the schema to include the extensions required and modify security as needed.
Adprep requires that both forestprep and domainprep be run before the first Windows
Server 2008 R2 domain controller can be added.
The adprep utility must be run from the Windows Server 2008 R2 DVD or copied from
its location in the \support\adprep\ folder. This installs the schema updates that are
new to Windows Server 2008 R2 Active Directory. The following steps should be run on
the Flexible Single Master Operations (FSMO) role holder, specifically the Schema Master
role holder:
1. Insert the Windows Server 2008 R2 DVD into the drive. If the Install Windows
autorun page appears, close the window.
2. Select Start, Run.
3. Enter d:\support\adprep\adprep.exe /forestprep and click OK, where d: is the
DVD drive.
4. A warning appears to verify that all Windows 2000 Server domain controllers are at
Service Pack 4 or later. Enter C and press Enter to start the forest preparation.
NOTE
Any previous extensions made to the Active Directory schema, such as those made
with Exchange Server 2003 or Exchange Server 2007, are not affected by the adprep
procedure. This procedure simply adds additional attributes and does not change those
that currently exist.
Now that the schema updates have been installed, the domain is ready to be prepared.
The operation must be run once in every domain in a forest. It must be physically
invoked on the server that holds the infrastructure master Operations Master (OM) role.
The steps for executing the domainprep procedure are as follows:
1. On the Operations Master domain controller, insert the Windows Server 2008 R2
DVD into the drive. If the Install Windows autorun page appears, close the window.
2. Select Start, Run.
3. Enter d:\support\adprep\adprep.exe /domainprep /gpprep and click OK, where d:
is the DVD drive.
4. Enter d:\support\adprep\adprep.exe /rodcprep and click OK. This update allows
Read-Only Domain Controllers by updating the permissions on all the DNS application
directory partitions in the forest and allows them to be replicated by all RODCs
that are also DNS servers.
Repeat steps 1 through 4 for each domain that will be upgraded.
After the forestprep and domainprep operations are run, the Active Directory forest will
be ready for the introduction or upgrade of Windows Server 2008 R2 domain controllers.
The schema is extended and includes support for Active Directory Recycle Bin and other
enhancements. After these updates have had sufficient time to replicate across all
domains, the process of upgrading the domain controllers to Windows Server 2008 R2
can commence.
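The adprep placement and the replication wait described above can be checked from an administrative workstation; this is an added PowerShell example, not from the book. It assumes a domain-joined machine with read access to the directory, and it relies on the fact that the Windows Server 2008 R2 forestprep sets the schema objectVersion to 47.

```powershell
# Added example: find where adprep must run and confirm the schema update replicated.
$expectedSchema = 47   # schema objectVersion after Windows Server 2008 R2 forestprep
# Functional levels the prerequisites list as unsupported starting points.
$blockedModes = 'Windows2000MixedDomain', 'Windows2003InterimDomain'

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"forestprep host (Schema Master): $($forest.SchemaRoleOwner.Name)"

$pending = 0
foreach ($domain in $forest.Domains) {
    "Domain $($domain.Name): domainprep host (Infrastructure Master) is $($domain.InfrastructureRoleOwner.Name)"
    $mode = $domain.DomainMode.ToString()
    if ($blockedModes -contains $mode) {
        "  WARNING: functional level $mode cannot be upgraded directly"
    }
    foreach ($dc in $domain.DomainControllers) {
        try {
            # Read the schema version from this specific DC's replica.
            $rootDse  = [ADSI]"LDAP://$($dc.Name)/RootDSE"
            $schemaDn = $rootDse.psbase.Properties['schemaNamingContext'].Value
            $schema   = [ADSI]"LDAP://$($dc.Name)/$schemaDn"
            $version  = [int]$schema.psbase.Properties['objectVersion'].Value
        } catch {
            $version = -1   # an unreachable or unreadable DC counts as not ready
        }
        if ($version -ne $expectedSchema) { $pending++ }
        "  {0,-30} schema objectVersion = {1}" -f $dc.Name, $version
    }
}

if ($pending -eq 0) {
    'Schema version 47 is present on every domain controller.'
} else {
    "$pending domain controller(s) have not received the schema update yet."
}
```

Run it once before adprep to identify the role holders, and again afterward until no domain controller is reported as pending.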
Upgrading Existing Domain Controllers
If the decision has been made to upgrade all or some existing hardware to Windows Server
2008 R2, the process for accomplishing this is straightforward. However, as with the
standalone server, you need to ensure that the hardware and any additional software
components are compatible with Windows Server 2008 R2. The requirements for the server to
upgrade are as follows:
• The operating system on the domain controllers must be a 64-bit operating system.
• The operating system on the domain controllers is Windows Server 2003 SP2. The
  domain controller hardware exceeds the Windows Server 2008 R2 requirements and
  all software is compatible with Windows Server 2008 R2, including antivirus
  software and drivers.
• There is enough disk space free to perform the operating system and Active
  Directory upgrade. Specifically, verify that your free space is at least twice the size of
  your Active Directory database plus the minimum 32GB needed to install the
  operating system.
After establishing this, the actual migration can occur. The procedure for upgrading a
domain controller to Windows Server 2008 R2 is nearly identical to the procedure
outlined in the previous section “Performing an Upgrade on a Single Domain Controller
Server.” Essentially, simply insert the DVD and upgrade, and an hour or so later the
machine will be updated and functioning as a Windows Server 2008 R2 domain controller.
The specific steps are as follows:
1. Insert the Windows Server 2008 R2 DVD into the DVD drive of the server to be
upgraded.
2. The Install Windows page should appear automatically. If not, choose Start, Run and
then type d:\Setup, where d: is the drive letter for the DVD drive.
3. Click Install Now.
4. Click the large Go Online to Get the Latest Updates button. This ensures that the
installation has the latest information for the upgrade.
5. Select the operating system you want to install and click Next.
6. Select the I Accept the License Terms option on the License page, and click Next
to continue.
7. Click the large Upgrade button.
8. Review the compatibility report and verify that all issues have been addressed. Click
Next to continue.
9. The system then copies files and reboots as a Windows Server 2008 R2 server,
continuing the upgrade process. After all files are copied, the system is then
upgraded to a fully functional install of Windows Server 2008 R2 and then reboots
again. All this can take some time to complete.
10. After the final reboot, the domain controller will be at the familiar Ctrl+Alt+Del
screen. After logon, the domain controller opens to the Server Manager console. The
domain controller upgrade is complete.
Repeat for all domain controllers that will be upgraded.
Replacing Existing Domain Controllers
If you need to migrate specific domain controller functionality to the new Active
Directory environment but plan to use new hardware, you need to bring new domain
controllers into the environment before retiring the old servers.
Windows Server 2008 R2 uses a roles-based model. To make a Windows Server 2008 R2
server a domain controller, the Active Directory Domain Services role is added. This is the
most thorough approach, and the following steps show how to accomplish this to
establish a new Windows Server 2008 R2 domain controller in a Windows Server 2003/2008
Active Directory domain:
NOTE
This procedure assumes that the Windows Server 2008 R2 operating system has been
installed on the server. See Chapter 3 for steps to do this. The server does not need
to be a domain member.
1. Log on to the new server as an administrator.
2. Launch Server Manager.
3. Select the Roles node.
4. Click Add Roles.
5. Click Next.
6. Select the Active Directory Domain Services check box, and click Next.
NOTE
The .NET Framework 3.5.1 features are required; if prompted to install, click Add
Required Features.
7. Click Next on the Introduction page.
8. Click Install to install the role. This installs the binaries necessary for the server to
become a domain controller.
9. Click Close on the Installation Results page.
10. In the Server Manager console, expand the Roles node and select the Active
Directory Domain Services node.
11. In the Summary section, click the Run the Active Directory Domain Services
Installation Wizard (dcpromo.exe) link.
12. Click Next on the Welcome page.
13. Select the Existing Forest option button.
14. Select the Add a Domain Controller to an Existing Domain option button, and
click Next.
15. Enter the name of the domain.
16. Click Set to specify alternate credentials to use for the operation.
17. Enter the credentials of a domain administrator in the target domain, and click OK.
18. Click Next to continue.
19. Select the appropriate domain for the new domain controller, and click Next. In this
example, the companyabc.com domain is used.
20. Select a site for the domain, and click Next.
21. Select the Additional Domain Controller Options, which are DNS Server and Global
Catalog by default. The Read-Only Domain Controller option is not available if this
is the first Windows Server 2008 R2 domain controller in the domain. Click Next.
22. Click Yes if presented with a DNS Delegation warning dialog box.
23. Select locations for the database, log files, and the SYSVOL, and then click Next.
24. Enter the Directory Services Restore mode administrator password, and then click
Next.
25. Review the summary, and then click Next. The installation wizard will create the
domain controller and replicate the Active Directory database, which might take
some time depending on the network and the size of the Active Directory database.
26. After the wizard completes the installation, click Finish.
27. Click Restart Now to reboot the new domain controller.
This process should be repeated for each new replacement domain controller.
Moving Operation Master Roles
Active Directory Domain Services uses a multimaster replication model, in which any one
server can take over directory functionality, and each full domain controller contains a
read/write copy of directory objects (with the exception of Read-Only Domain Controllers,
which hold, as their name suggests, a read-only copy). There are, however, a few key