Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
exceptions to this, in which certain forestwide and domainwide functionality must be
held by a single domain controller in the forest and in each domain respectively. These
exceptions are known as Operation Master (OM) roles, also known as Flexible Single
Master Operations (FSMO) roles. There are five OM roles, as shown in Table 16.1.
TABLE 16.1 FSMO Roles and Their Scope

FSMO Role              Scope
Schema master          Forest
Domain naming master   Forest
Infrastructure master  Domain
RID master             Domain
PDC emulator           Domain
If the server or servers that hold the OM roles are not directly upgraded to Windows
Server 2008 R2 but will instead be retired, these OM roles will need to be moved to
another server. The best tool for this type of move is the NTDSUTIL command-line utility.
Follow these steps using NTDSUTIL to move the forestwide OM roles (schema master and
domain naming master) to a single Windows Server 2008 R2 domain controller:
1. Open a command prompt on the Windows Server 2008 R2 domain controller
(choose Start, type cmd, and press Enter).
2. Type ntdsutil and press Enter. The prompt will display “ntdsutil:”.
3. Type roles and press Enter. The prompt will display “fsmo maintenance:”.
4. Type connections and press Enter. The prompt will display “server connections:”.
5. Type connect to server
target Windows Server 2008 R2 domain controller that will hold the OM roles, and
press Enter.
6. Type quit and press Enter. The prompt will display “fsmo maintenance:”.
7. Type transfer schema master and press Enter.
Phased Migration
8. Click Yes at the prompt asking to confirm the OM change. The display will show the
location for each of the five FSMO roles after the operation.
9. Type transfer naming master and press Enter.
10. Click Yes at the prompt asking to confirm the OM change.
11. Type quit and press Enter, then type quit and press Enter again to exit the NTDSUTIL.
12. Type exit to close the Command Prompt window.
Now the forestwide FSMO roles will be on a single Windows Server 2008 R2 domain
controller.
The domainwide FSMO roles (infrastructure master, RID master, and PDC emulator) will
need to be moved for each domain to a domain controller within the domain. The steps
to do this are as follows:
1. Open a command prompt on the Windows Server 2008 R2 domain controller
(choose Start, click Run, type cmd, and press Enter).
2. Type ntdsutil and press Enter.
3. Type roles and press Enter.
4. Type connections and press Enter.
5. Type connect to server
target Windows Server 2008 R2 domain controller that will hold the OM roles, and
press Enter.
6. Type quit and press Enter.
7. Type transfer pdc and press Enter.
8. Click Yes at the prompt asking to confirm the OM change.
9. Type transfer rid master and press Enter.
10. Click Yes at the prompt asking to confirm the OM change.
11. Type transfer infrastructure master and press Enter.
12. Click Yes at the prompt asking to confirm the OM change.
13. Type quit and press Enter, then type quit and press Enter again to exit the NTDSUTIL.
14. Type exit to close the Command Prompt window.
The preceding steps need to be repeated for each domain.
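The same two transfers (forest-wide roles to one Windows Server 2008 R2 DC, then the three domain-wide roles in every domain) can be scripted with the Active Directory module that ships with Windows Server 2008 R2 instead of the interactive NTDSUTIL session above. This is an added example, not the book's own procedure; the target DC names and the domain-to-DC map are constructed, and the final loop checks that no role holder is left on a down-level operating system.

```powershell
# Added example (not from the book): move the OM roles with the AD module
# cmdlets and verify placement afterwards. Run from a 2008 R2 DC or RSAT host.
Import-Module ActiveDirectory

# Assumptions: one 2008 R2 DC for the forest roles and one per domain for the
# domain roles. All names below are constructed placeholders.
$ForestTarget  = 'DC01.company.abc'
$DomainTargets = @{ 'company.abc'      = 'DC01.company.abc'
                    'asia.company.abc' = 'DC11.asia.company.abc' }

# Forest-wide roles: schema master and domain naming master
Move-ADDirectoryServerOperationMasterRole -Identity $ForestTarget `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# Domain-wide roles: PDC emulator, RID master, infrastructure master, per domain
foreach ($domain in (Get-ADForest).Domains) {
    if (-not $DomainTargets.ContainsKey($domain)) {
        Write-Warning "No target DC defined for $domain; skipping it"
        continue
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $DomainTargets[$domain] `
        -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
}

# Verification: read the role holders back and flag any that is not 2008 R2
$forest  = Get-ADForest
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster)
foreach ($domain in $forest.Domains) {
    $d = Get-ADDomain -Identity $domain -Server $domain
    $holders += $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster
}
foreach ($h in ($holders | Sort-Object -Unique)) {
    # -Server $h asks the DC about itself, which works across domains
    $os = (Get-ADDomainController -Identity $h -Server $h).OperatingSystem
    if ($os -notlike '*2008 R2*') { Write-Warning "$h still holds a role and runs $os" }
    else { "$h : $os" }
}
```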
Retiring Existing Windows Server 2003/2008 Domain Controllers
After the entire Windows Server 2003/2008 domain controller infrastructure is replaced by
Windows Server 2008 R2 equivalents and the OM roles are migrated, the process of demoting
and removing all down-level domain controllers can begin. The most straightforward
and thorough way of removing a domain controller is by demoting it using the dcpromo
utility, per the standard Windows Server 2003/2008 demotion process. After you run the
dcpromo command, the domain controller becomes a member server in the domain. After
disjoining it from the domain, it can safely be disconnected from the network.
CHAPTER 16
Migrating from Windows Server 2003/2008 to Windows Server 2008 R2
Retiring “Phantom” Domain Controllers
As is often the case in Active Directory, domain controllers might have been removed
from the forest without first being demoted. They become phantom domain controllers
and basically haunt the Active Directory, causing strange errors to pop up every so often.
This is because of a couple of remnants in the Active Directory, specifically the NTDS
Settings object and the SYSVOL replication object. These phantom DCs might come about
because of server failure or problems in the administrative process, but you should remove
those servers and remnant objects from the directory to complete the upgrade to
Windows Server 2008 R2. Not doing so will result in errors in the event logs and in the
DCDIAG output as well as potentially prevent raising the domain and forest to the latest
functional level.
Simply deleting the computer object from Active Directory Sites and Services does not
work. Instead, you need to use a low-level directory tool, ADSIEdit, to remove these
servers properly. The following steps outline how to use ADSIEdit to remove these
phantom domain controllers:
1. Launch Server Manager.
2. Expand the Roles node and select the Active Directory Domain Services node.
3. Scroll down to the Advanced Tools section of the page and click on the ADSI Edit link.
4. In the ADSIEdit window, select Action, Connect To.
5. In the Select a Well Known Naming Context drop-down menu, select Configuration,
and click OK.
6. Select the Configuration node.
7. Navigate to Configuration\CN=Configuration\CN=Sites\CN=
CN=Servers\CN=
the location of the phantom domain controller.
8. Right-click the CN=NTDS Settings, and click Delete, as shown in Figure 16.5.
9. At the prompt, click Yes to delete the object.
10. In the ADSIEdit window, select the top-level ADSIEdit node, and then select Action,
Connect To.
11. In the Select a Well Known Naming Context drop-down menu, select Default
Naming Context, and click OK.
12. Select the Default Naming Context node.
13. Navigate to Default naming context\CN=System\CN=File Replication
Service\CN=Domain System Volume(SYSVOL share)\CN=
14. Right-click the CN=
15. At the prompt, click Yes to delete the object.
16. Close ADSIEdit.
At this point, after the NTDS Settings are deleted, the server can be normally deleted from
the Active Directory Sites and Services snap-in.
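A scripted way to locate the two remnants the text names, the NTDS Settings object under the server's Configuration entry and the FRS member object under the SYSVOL replica set, is shown below. It is an added example, not the book's procedure: it reports by default, deletes the same two objects that the ADSIEdit steps delete only when -Remove is given, and refuses to act on a host that still answers on the network. The function name, its parameters and the server name are constructed.

```powershell
# Added example (not from the book): find, and optionally delete, the remnant
# objects of a phantom DC. Remove-ADObject on these DNs is the same LDAP delete
# that ADSIEdit performs in the steps above.
Import-Module ActiveDirectory

function Remove-PhantomDcRemnants {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,   # assumed parameter
        [switch]$Remove                                       # report only unless set
    )
    # Sanity check: a server that still responds is not a phantom
    if (Test-Connection -ComputerName $ServerName -Count 1 -Quiet) {
        Write-Warning "$ServerName still answers on the network; refusing to treat it as a phantom"
        return
    }
    $root  = Get-ADRootDSE
    $cfgDN = $root.configurationNamingContext
    $domDN = $root.defaultNamingContext

    # Remnant 1: CN=NTDS Settings under CN=<server>,CN=Servers,CN=<site>,CN=Sites
    $server = Get-ADObject -SearchBase "CN=Sites,$cfgDN" `
                  -LDAPFilter "(&(objectClass=server)(cn=$ServerName))"
    $ntds = $null
    if ($server) {
        $ntds = Get-ADObject -SearchBase $server.DistinguishedName -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=nTDSDSA)'
    }

    # Remnant 2: CN=<server> under the Domain System Volume (SYSVOL share) replica set
    $frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domDN"
    $frs = Get-ADObject -SearchBase $frsBase -SearchScope OneLevel `
               -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$ServerName))" -ErrorAction SilentlyContinue

    $found = @($ntds, $frs) | Where-Object { $_ }
    if (-not $found) { "No phantom remnants found for $ServerName"; return }
    foreach ($obj in $found) {
        if ($Remove) {
            Remove-ADObject -Identity $obj.DistinguishedName -Confirm:$false
            "Removed $($obj.DistinguishedName)"
        } else {
            "Remnant found: $($obj.DistinguishedName)"
        }
    }
}

# Report first; rerun with -Remove to delete, then remove the server in Sites and Services
Remove-PhantomDcRemnants -ServerName 'DC03'   # constructed server name
```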
FIGURE 16.5
Deleting phantom domain controllers.
NOTE
ADSIEdit was included in the Support Tools in Windows Server 2003, but is now included
in the AD DS Tools that are installed automatically with the Active Directory Domain
Services role in Windows Server 2008 R2.
Upgrading Domain and Forest Functional Levels
Windows Server 2008 R2 Active Directory Domain Services does not immediately begin
functioning at a new functional level, even when all domain controllers have been
migrated. The domains and forest will be at the original functional levels. You first need to
upgrade the functional level of the domain to Windows Server 2008 R2 before you can
realize the full advantages of the upgrade. See Chapter 4 for a detailed discussion of the
forest and domain functional levels.
NOTE
The act of raising the forest or domain functional levels is irreversible. Be sure that any
Windows Server 2003/2008 domain controllers do not need to be added anywhere in
the forest before performing this procedure.
After all domain controllers are upgraded or replaced with Windows Server 2008 R2
domain controllers, you can raise the domain level by following these steps:
1. Ensure that all domain controllers in the forest are upgraded to Windows Server
2008 R2.
2. Launch Server Manager on a domain controller.
3. Expand the Roles node and then expand the Active Directory Domain Services node.
4. Select the Active Directory Users and Computers snap-in.
5. Right-click on the domain name, and select Raise Domain Functional Level.
6. In the Select an Available Domain Functional Level drop-down menu, select
Windows Server 2008 R2, and then select Raise, as shown in Figure 16.6.
FIGURE 16.6
Raising the domain functional level.
7. Click OK at the warning and then click OK again to complete the task.
Repeat steps 1 through 7 for each domain in the forest. Now the forest functional level
can be raised. Depending on the current forest functional level, this change might not
add any new features, but it does prevent non-Windows Server 2008 R2 domain
controllers from being added in the future. To raise the forest functional level, execute the
following steps:
1. Launch Server Manager.
2. Expand the Roles node and select the Active Directory Domain Services node.
3. Scroll down to the Advanced Tools section of the page, and click on the AD
Domains and Trusts link.
4. With the topmost Active Directory Domains and Trusts node selected, select Action,
Raise Forest Functional Level.
5. In the Select an Available Forest Functional Level drop-down menu, select Windows
Server 2008 R2, and then select Raise.
6. Click OK at the warning and then click OK again to complete the task.
After each domain functional level is raised, as well as the forest functional level, the
Active Directory environment is completely upgraded and fully compliant with all the AD
DS improvements made in Windows Server 2008 R2.
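Because raising a functional level cannot be undone, the check in step 1 deserves to be automated before the raise itself. The script below is an added example, not the book's procedure: it enumerates every DC in every domain of the forest, stops if any is not Windows Server 2008 R2, and only then raises each domain and finally the forest using the Set-ADDomainMode and Set-ADForestMode cmdlets from the Windows Server 2008 R2 Active Directory module.

```powershell
# Added example (not from the book): verify all DCs are 2008 R2, then raise the
# domain levels and the forest level in the order the text describes.
Import-Module ActiveDirectory

$forest    = Get-ADForest
$downLevel = @()
foreach ($domain in $forest.Domains) {
    # -Server $domain pins the query to a DC of that domain, so every DC in the
    # forest is covered rather than only those of the local domain
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -notlike '*2008 R2*' } |
        ForEach-Object { $downLevel += "$($_.HostName) ($($_.OperatingSystem))" }
}
if ($downLevel.Count -gt 0) {
    Write-Warning ("Down-level domain controllers remain; not raising any level:`n " +
                   ($downLevel -join "`n "))
    return
}

# Raise each domain first; the raise is performed against the domain's PDC emulator
foreach ($domain in $forest.Domains) {
    $d = Get-ADDomain -Identity $domain -Server $domain
    if ($d.DomainMode -eq 'Windows2008R2Domain') {
        "$domain is already at Windows2008R2Domain"
        continue
    }
    Set-ADDomainMode -Identity $domain -Server $d.PDCEmulator `
        -DomainMode Windows2008R2Domain -Confirm:$false
    "$domain raised from $($d.DomainMode) to Windows2008R2Domain"
}

# Then the forest; this blocks adding non-2008 R2 DCs in the future
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest -Server $forest.SchemaMaster `
        -ForestMode Windows2008R2Forest -Confirm:$false
    "Forest $($forest.Name) raised from $($forest.ForestMode) to Windows2008R2Forest"
} else {
    "Forest $($forest.Name) is already at Windows2008R2Forest"
}
```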
Multiple Domain Consolidation Migration
Moving AD-Integrated DNS Zones to Application Partitions
The final step in a Windows Server 2008 R2 Active Directory upgrade is to move any AD-
integrated DNS zones into the newly created application partitions that Windows Server
2008 R2 uses to store DNS information. To accomplish this, follow these steps: