IT Core Blog

Never stop questioning. Curiosity has its own reason for existing…

Archive for the ‘Deployment’ Category

Hyper-V Host may stop when VM’s Dynamic Memory use all available RAM


When setting up VMs with dynamic memory, remember that your Hyper-V host may stop if those VMs consume (or try to consume) all existing memory on the host, leaving nothing for the parent partition.

To prevent that, create the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization
REG_DWORD value
Name = MemoryReserve
Setting = amount of MB to reserve for the parent partition.
After setting the desired value you must reboot the host for the setting to become active.

Note: if you set this value too low, VMs will be able to use too much memory and cause performance issues for you. Equally, the higher you set this, the fewer VMs you can run.
For more information about memory reserve with dynamic memory check the Virtual PC Guy’s Blog
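The registry change above can be scripted so it is applied the same way on every host. This is an added example, not part of the original post; the function name and the 2048 MB figure are constructed for illustration and are not a sizing recommendation.

```powershell
# Added example: set the parent-partition memory reserve described in this post.
# Run in an elevated Windows PowerShell session on the Hyper-V host.
function Set-HyperVMemoryReserve {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Amount of RAM, in MB, to hold back for the parent partition.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 2147483647)]
        [int]$ReserveMB
    )

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    $valueName = 'MemoryReserve'

    # Refuse a reserve that is not smaller than the RAM installed in the host.
    $totalMB = [int64]((Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    if ($ReserveMB -ge $totalMB) {
        throw "Reserve of $ReserveMB MB is not below the host's $totalMB MB of RAM."
    }

    # Read the current setting, if any, so the change is visible in the output.
    $current = $null
    if (Test-Path $keyPath) {
        $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }

    $written = $false
    if ($PSCmdlet.ShouldProcess($keyPath, "Set $valueName to $ReserveMB MB")) {
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        # -Force overwrites an existing value; the type must be REG_DWORD.
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
            -Value $ReserveMB -Force | Out-Null
        $written = $true
    }

    New-Object PSObject -Property @{
        HostMemoryMB = $totalMB
        PreviousMB   = $current
        ReserveMB    = $ReserveMB
        # The host only honours the new value after a reboot.
        RebootNeeded = $written
    }
}

# Constructed sample call: preview a 2048 MB reserve without writing anything.
Set-HyperVMemoryReserve -ReserveMB 2048 -WhatIf
```

Drop `-WhatIf` to write the value, then schedule the host reboot.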

Written by IT Core

September 21, 2010 at 9:52 PM

System Center Data Protection Manager 2010 Documentation


Written by IT Core

September 21, 2010 at 8:24 PM

TechEd 2010 Virtualization Sessions


Here are some interesting virtualization sessions from TechEd.

Networking and Windows Server 2008 R2 Hyper-V: Deployment Considerations

 

Microsoft System Center Virtual Machine Manager 2008 R2: Advanced Virtualization Management

The Microsoft System Center Operations Manager Top 20 Must-Have Customizations

Microsoft System Center Operations Manager and Virtual Machine Manager: Monitoring the Service Stack

See the Largest Mission Critical Deployment of Microsoft SQL Server around the World

Check the Latest Videos from TechEd North America

Have Fun :D

Virtual Desktop Infrastructure sessions


Recently published videos for Virtual Desktop Infrastructure sessions.
Have a look at: TechNet Edge.

Session 1: VDI Day: Citrix & Microsoft Desktop Virtualization Strategy

In this session we will guide you through the desktop virtualization strategy and show you how Citrix and Microsoft will help you reduce the costs of Managing your virtual desktop infrastructure. We will answer questions like: “Will desktop virtualization really fit every user?”

 

Session 2: VDI Day: Planning and Deploying VDI with Citrix and Microsoft

In this more technical session we will drill down into the Microsoft virtualization architecture of VDI and determine what key questions need to be asked and answered around required components, networking, capacity and end user experience. In the second part of the Presentation we will drill down into the Citrix components of our joint VDI solution. You will learn what the different key components are and how to setup your own test environment.

Session 3: VDI Day: Planning and Deploying VDI with Citrix and Microsoft

In the second part of the Presentation we will drill down into the Citrix components of our joint VDI solution. You will learn what the different key components are, what they add on top of the Virtualization back-end. By then end of this session you will be geared up with the knowledge to setup your own test environment.

:)

Written by IT Core

June 14, 2010 at 11:05 PM

Hyper-V Live Migration with HP StorageWorks


The video demonstrates Long Distance Live Migration with Microsoft Hyper-V achieved with the HP StorageWorks EVA or XP Disk Array. A similar demo was given to the bloggers that attended the HP StorageWorks Tech Day in Houston.

Written by IT Core

June 5, 2010 at 8:58 PM

Tips and Resources for SQL 2008 R2 Virtualization


If you’re one of those guys that are thinking about SQL 2008 R2 virtualization, a number of useful docs are available to help you with the process.

High Performance SQL Server Workloads on Hyper-V White Paper
This white paper describes the advantages of deploying Microsoft® SQL Server® database application workloads to a virtualization environment using Microsoft Windows® Server® 2008 R2 Hyper-V™. It demonstrates that Hyper-V provides the performance and scalability needed to run complex SQL Server workloads in certain scenarios. It also shows how Hyper-V can improve performance when used in conjunction with advanced processor technologies. This paper assumes that the reader has a working knowledge of virtualization, Windows Server Hyper-V, SQL Server, Microsoft System Center concepts and features.

Additional Resources:

SQL Server 2008 Virtualization

SQL Server Analysis Services Virtualization

Have Fun :)

Written by IT Core

June 5, 2010 at 8:47 PM

Tips and Resources for SharePoint Virtualization


If you’re one of those guys that are thinking about SharePoint 2010 virtualization, a number of useful docs are available to help you with the process.

SharePoint 2010 – Virtualization Planning
This section contains articles that are designed to help you plan and implement a server virtualization solution for Microsoft SharePoint Server 2010 server farms. In this section:

Additionally, a webcast delivered by the TechNet team on the same topics is coming soon:
TechNet Webcast: Deep Dive – Microsoft Virtualization Best Practices for SharePoint 2010 (Level 300)
Language(s): English.
Product(s): Hyper-V.
Audience(s):  IT Generalist.
Duration: 60 Minutes
Start Date: Tuesday, June 15, 2010 7:00 PM GMT
Event Overview: Virtualising business-critical applications can deliver significant customer benefits, including cost savings, enhanced business continuity, and an agile and efficient management solution. In this webcast, we discuss virtualising Microsoft SharePoint 2010 using Microsoft solutions. We present the benefits of Microsoft virtualization technologies over key competitors such as VMware, and we provide guidance for virtualising SharePoint 2010 for production and test/development scenarios, focusing on scale, load balancing, dynamic provisioning, and high availability. Other topics we cover include Microsoft virtualization technical details with best practices and customer evidence and results from lab deployment tests.
Presenters: Arno Mihm, Senior Program Manager, Microsoft Corporation and Bill Baer, Program Manager, Microsoft Corporation
If you’re interested, and you’re free at that time, you can register here.

Written by IT Core

June 5, 2010 at 8:31 PM

White Paper: High Performance SQL Server Workloads on Hyper-V


This white paper describes the advantages of deploying Microsoft® SQL Server® database application workloads to a virtualization environment using Microsoft Windows® Server® 2008 R2 Hyper-V™. It demonstrates that Hyper-V provides the performance and scalability needed to run complex SQL Server workloads in certain scenarios. It also shows how Hyper-V can improve performance when used in conjunction with advanced processor technologies. This paper assumes that the reader has a working knowledge of virtualization, Windows Server Hyper-V, SQL Server, Microsoft System Center concepts and features.

Written by IT Core

May 31, 2010 at 9:10 PM

Windows 7 Documentation


Written by IT Core

May 28, 2010 at 1:01 AM

TechNet Wiki – AV Exclusion List


Wouldn’t it be handy to have one place on the web where you could find an updated list of ALL the AV exclusions you might want to configure? This wiki stub topic is meant to be that list. Feel free to add to the list, it is the wiki way!  

  

Windows:
KB822158 Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows

Windows / Active Directory: 
http://support.microsoft.com/kb/822158
http://support.microsoft.com/kb/837932
http://support.microsoft.com/kb/943556

Cluster:
http://support.microsoft.com/kb/250355

Forefront: Considerations when using antivirus software on FF Edge Products

http://support.microsoft.com/kb/943620
http://technet.microsoft.com/en-us/library/cc707727.aspx

FRS:
http://support.microsoft.com/kb/815263

SQL:
http://support.microsoft.com/kb/309422

IIS:
http://support.microsoft.com/kb/821749
http://support.microsoft.com/kb/817442

DHCP:
http://support.microsoft.com/kb/927059

SCOM / MOM:
http://support.microsoft.com/kb/975931

Hyper-V:
http://support.microsoft.com/default.aspx/kb/961804

Exchange:
Exchange 2010: http://technet.microsoft.com/en-us/library/bb332342.aspx
Exchange 2007: http://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx
http://support.microsoft.com/kb/328841
http://support.microsoft.com/kb/823166
http://support.microsoft.com/kb/245822

SharePoint:
http://support.microsoft.com/kb/952167
http://support.microsoft.com/kb/320111
http://support.microsoft.com/kb/322941

SMS:
http://support.microsoft.com/kb/327453

ISA:
http://support.microsoft.com/kb/887311

WSUS:
http://support.microsoft.com/kb/900638

SBS:
http://support.microsoft.com/kb/885685

Med-V:
Recommended Anti-Virus exclusions for MED-V client and workspace installations

System Center:
Recommendations for antivirus exclusions in MOM 2005 and Operations Manager 2007

Opsmgr Manager 2007 Reporting Samples


The Operations Manager Support Team Blog posted some nice report samples.

From Operations Manager Support Team Blog:

“Just in case you missed their post last week, The System Center Operations Manager team blog posted a bunch of reporting samples you could use with OpsMgr 2007, including:
- “Customer X needs to produce a report that shows the processor, memory, logical disk performance for his 100 servers and needs to see the average performance over multiple time ranges”
- “Customer X needs to produce a report showing detailed information about how long servers spent in maintenance mode and what happened during that time”
- “Customer Y is looking for physical servers in his environment that may be suitable candidates for Virtualization, he needs a report that can show over time the most suitable servers”
and more.
You can find their original post here but they recently uploaded a newer, updated batch of files to correct some issues they saw in the first one.  You can find that here.
If you’re looking to really maximize how OpsMgr 2007 can help you save money and manage your resources more wisely then you’ll definitely want to check these out.”

Written by IT Core

May 11, 2010 at 8:04 PM

Virtual Machine Servicing Tool 3.0 Beta


VMST 3.0 builds on the functionality of VMST 2.1 and adds some new features, which are designed to streamline the process of keeping offline virtual machines, templates and VHDs up-to-date with the latest operating system and application updates, without introducing vulnerabilities into your virtualization infrastructure.

New features available in VMST 3.0:
- Offline virtual machines in a SCVMM library.
- Stopped and saved state virtual machines on a host.
- Virtual machine templates.
- Offline virtual hard disks in a SCVMM library by injecting update packages.
- Windows Server 2008 R2 failover clusters running Hyper-V.

VMST 3.0 is designed to work with Microsoft System Center Virtual Machine Manager (SCVMM) 2008 or SCVMM 2008 R2, and with the following technologies:
- Windows Server Update Services (WSUS) 3.0 SP1 or WSUS 3.0 SP2.
- System Center Configuration Manager (SCCM) 2007 SP1, SCCM 2007 R2, or SCCM 2007 SP2.
- VMST 3.0 also provides the option to manually copy updates to service offline VHDs.
- The tool works with Windows Task Scheduler to enable scheduling the servicing job.

To sign up to the beta go to Microsoft Connect (Connect ID required).

Written by IT Core

May 1, 2010 at 1:23 AM

HP Virtual Connect for Dummies


Like other Dummies books, it is an easy reference tool that you can refer back to whenever you need to learn more about what HP Virtual Connect

So what does HP Virtual Connect do? Well it simplifies the setup of server connections to both LANs and SANs, thus allowing IT Professionals to quickly add or replace servers and move workloads without needing to involve network and storage teams.

Download it free :)

 

Written by IT Core

April 28, 2010 at 7:29 PM

Domain Controllers and Active Directory Domains Part 7


Click if you want to review part 1, part 2, part 3, part 4, part 5 or part 6 of the Domain Controllers and Active Directory Domains series.

“How to deploy a Read-only Domain Controller in a Windows 2003 domain”

In part 7 of this series, we’re going to discuss a new type of domain controller, the Read-only domain controller (RODC).

Read-only domain controllers (RODCs) are additional domain controllers that host read-only partitions of the Active Directory database. RODCs were introduced in Windows 2008 as a new feature of Active Directory Domain Services. This new type of domain controller is the Microsoft solution for clients that needed to deploy domain controllers at locations where security could not be 100% guaranteed (e.g. branch offices, perimeter networks). With RODCs Microsoft “offers” a solution that may help to resolve a number of security or manageability issues that existed in older operating system versions.

 So what makes RODCs so special, and what do they have that Read/Writable Domain Controllers (RWDCs) don’t? RODCs have:

  • Read-only copy of the Active Directory database. (Applications can only read data from the AD database on RODCs. RODCs will forward certain write operations to writable domain controllers, and they will also send referrals to writable domain controllers when necessary.)
  • Read-only copy of the SYSVOL folder contents.
  • Unidirectional Replication (RODCs get information from RWDCs, but RWDCs do NOT get information from RODCs; this applies to both AD database and SYSVOL data).
  • Administration Role Separation (ARS) – Domain administrators can delegate both the installation and the administration of RODCs to any domain user, without granting them any additional rights in the domain and without compromising the security of the rest of the domain.
  • Credential caching. By default an RODC does not store user credentials or computer credentials, except for its own computer account and a special krbtgt account for that RODC. This means that by default all authentication requests will be forwarded by RODCs to RWDCs.
  • Password Replication Policy (PRP) – Ability to configure which passwords are allowed to be cached on an RODC.
  • Filtered Attribute Set (FAS) – Control which attributes are not replicated to RODCs – this allows you to protect sensitive data in scenarios where RODCs are stolen or compromised.

 Active Directory prerequisites to deploy an RODC:

  • The Forest functional level (FFL) must be set to Windows Server 2003 or higher. FFL 2003 is needed because linked-value replication (LVR) and constrained delegation are only available at this FFL or later. This also means that all domain controllers (DCs) in the forest must have Windows 2003 or a later operating system installed.
  • Before introducing RODCs in a Forest, a writable domain controller running Windows Server 2008 or Windows Server 2008 R2 MUST exist in the same domain as the RODC. The writable domain controller must be a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. RODCs must be able to replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
  • If you have Windows Server 2003 domains, you must also run adprep /rodcprep before introducing an RODC in that Forest. Note: The infrastructure master for each domain and for each application directory partition must be available within the environment for the operation to succeed. If these requirements are not met, you may experience the symptoms described at KB 949257. Also read (Known Issues for Deploying RODCs).
  • To learn how to introduce Windows 2008/2008 R2 Domain controllers in your domain/forest, check part 6 of this series.

 Some considerations to be aware of with RODCs:

  • As discussed before, RODCs need at least one 2008 RWDC; this requirement is due to the nature of the RODC context in AD. Write operations, DNS updates and authentication (for non-cached accounts) will be forwarded to RWDCs / authoritative DNS servers. With these operations in mind, it is generally a good idea to have enough (more than 1) Windows 2008 DCs available to serve RODC requests. To learn how to introduce Windows 2008/2008 R2 Domain controllers in your domain/forest, check part 6 of this series.
  • When an RODC that runs 2008 R2 is added to a domain that has an RWDC that runs Windows Server 2008, the RODC logs Event ID 2916. This error can be disregarded, and it will not be logged if there is an RWDC that runs Windows Server 2008 R2 in the domain.
  • Cross-domain authentication will fail if the WAN is offline. RODC domain authentication for cached accounts (including User and Computer accounts) succeeds even if the WAN is offline. RODC domain authentication for accounts that are not cached will fail if the WAN is offline.
  • RODCs can only synchronize their time from RWDCs that run Windows Server 2008; they are restricted from synchronizing with other RODCs and with domain controllers outside their own domain (client computers can synchronize time from any domain controller, including an RODC).
  • Do not use highly privileged accounts (like members of domain admins) to logon in RODCs.
  • Microsoft Exchange Server does not use RODCs. However, you can configure Outlook clients in a branch office that is serviced by a read-only global catalog server to use the read-only global catalog server for global address book lookups (Applications That Are Known to Work with RODCs).
  • Perform staged RODC Installations. The first stage of the installation (requires Domain Admin credentials) is to create an account for the RODC in AD. The second stage of the installation attaches the actual server that will be the RODC in a remote location, such as a branch office, to the account that was previously created for it. You can delegate the ability to attach the server to a non-administrative group or user.
  • When you upgrade a Windows Server 2003 domain controller it always remains a writable domain controller. You cannot make a Windows Server 2003 domain controller an RODC during the upgrade. If you want to upgrade a Windows Server 2003 domain controller and make it an RODC, you must remove Active Directory Domain Services (AD DS). You can remove AD DS either just before or just after you upgrade the operating system. After you upgrade the server and it is no longer a domain controller, reinstall AD DS and choose the RODC option during the AD DS installation.
  • You cannot convert from a full installation to a Server Core installation, or the reverse.

 Deploy RODCs:

Currently there are, at least, 2 ways to deploy RODCs, Staged installation and Direct installation.

Direct installation is the “normal” way to deploy any Domain Controller, basically you complete a full promotion of an RODC as a member of the Domain Admins group or as a member of an additional group with equivalent delegated permissions.

In this blog post I’m going to show you the Staged installation because I think that makes more sense due to the nature of the RODC security context (RODCs are normally placed at unsecure/un-trusted locations, right :) ).

 The Staged Installation is divided into 2 stages:

  1. The Domain Admin prepares the Active Directory to receive the new RODC and delegates the final stage of an RODC installation to any user or group.
  2. The delegated user or group installs the RODC at the remote site and adds the RODC to the domain without the need to have a highly privileged account.

 I suggest the use of the IFM installation option in conjunction with a Staged installation (I’ll show you how during the video). Using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently. After you create the IFM installation media for an RODC, you can secure the installation media before transporting it to the branch office by removing secrets such as user account passwords from it. If the installation media is lost or stolen while it is being transported, it cannot be compromised to reveal passwords. This is valid for RODCs because the RODC does not cache any passwords by default, so they do not need to be present in the RODC installation media.

That said, let’s check “How to deploy a Read-only Domain Controller in a Windows 2003 domain”
(Note: Before introducing RODCs into 2003 domains, you must have at least 1 Windows 2008/2008 R2 DC. To learn how to introduce Windows 2008/2008 R2 DCs in an existing 2003 Forest/domain, check part 6 of this series.)

Final Notes:
- Do not use highly privileged accounts (like members of domain admins) to logon in RODCs.

- Consider the RODC installation in Windows Server Core.

- Consider the use of BitLocker on RODCs to protect data more efficiently.

- Unless you’re using DFS Replication, any changes in the RODC SYSVOL will not be replicated to RWDCs, and such a change can affect any computer that obtains Group Policy objects or logon scripts from that RODC, not only computers that are defined in the PRP. To synchronize the contents of the SYSVOL folder again, you can make a change on a writable domain controller to force the directory or file to replicate to the RODC, or you can set the BurFlags registry setting to D2; check KB315457 for more information. This behavior is by design because FRS provides limited support for read-only SYSVOL on an RODC.

- Extend the RODC FAS to include any attributes that you want to prevent from replicating to any RODC in the forest. When the attributes are prevented from replicating to RODCs, they cannot be exposed unnecessarily if an RODC is stolen or compromised. (As a best practice, make sure that the forest functional level is Windows Server 2008 or later if you plan to configure the RODC FAS.)

- Use remote management tools to administer RODCs (Microsoft Remote Server Administration Tools (RSAT) – Windows Remote Management (WinRM) protocol and Windows Remote Shell (WinRS))

- Reliable time synchronization is required for Kerberos authentication. Client computers can synchronize time from any domain controller, including an RODC. An RODC can synchronize time only from a writable domain controller that runs Windows Server 2008 or later.

- After 1,500 security principals are in the Allowed List and the RODC stops caching passwords, if you attempt to cache the password for a user in the Allowed List—using repadmin /rodcpwdrepl for example—you will see the following error message (Check: Administering the Password Replication Policy):
Unable to replicate secrets for user CN=user… on read-only DC dsp17a30 from full DC <GUID=126c27dc-cbb2-41b0-b847-71e5d6b69ea2>.
Error: Replication access was denied. (8453)
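To check the first note and the Password Replication Policy in practice, the following added example (not part of the original post) reports privileged principals that the PRP allows, whose passwords are cached, or that have authenticated through each RODC. It assumes the Active Directory module for Windows PowerShell and a reachable DC running Active Directory Web Services; the function names and the list of groups treated as privileged are assumptions.

```powershell
# Added example: find highly privileged accounts exposed on RODCs.
Import-Module ActiveDirectory

# Groups treated as highly privileged here (an assumption; extend as needed).
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedPrincipalTable {
    param([string[]]$Groups)
    # Maps the DN of each privileged group and of each nested member to the group name.
    $table = @{}
    foreach ($name in $Groups) {
        $group = Get-ADGroup -Filter { Name -eq $name }
        if (-not $group) { continue }   # e.g. forest-wide groups absent in a child domain
        $table[$group.DistinguishedName] = $name
        # -Recursive expands nested groups down to user and computer accounts.
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { $table[$_.DistinguishedName] = $name }
    }
    $table
}

function Get-RodcPrivilegedExposure {
    $privileged = Get-PrivilegedPrincipalTable -Groups $PrivilegedGroups
    foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
        $sources = @{
            # Principals the Password Replication Policy permits to be cached.
            'Allowed by PRP'         = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
            # Accounts whose passwords are currently stored on the RODC.
            'Password cached'        = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
            # Accounts that have authenticated through the RODC.
            'Authenticated via RODC' = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts
        }
        foreach ($source in $sources.GetEnumerator()) {
            foreach ($principal in @($source.Value)) {
                if ($principal -and $privileged.ContainsKey($principal.DistinguishedName)) {
                    New-Object PSObject -Property @{
                        RODC          = $rodc.HostName
                        Finding       = $source.Key
                        Account       = $principal.SamAccountName
                        PrivilegedVia = $privileged[$principal.DistinguishedName]
                    }
                }
            }
        }
    }
}

# An empty result means no privileged principal is allowed, cached or seen on any RODC.
Get-RodcPrivilegedExposure |
    Sort-Object RODC, Finding |
    Format-Table RODC, Finding, Account, PrivilegedVia -AutoSize
```

A "Password cached" finding for a privileged account means that credential should be treated as exposed if the RODC is stolen or compromised.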

 Additional Documentation:
Read-Only Domain Controller Planning and Deployment Guide
RODC Technical Reference Topics
Known Issues for Deploying RODCs
Applications That Are Known to Work with RODCs
Read-only Domain Controllers Step-by-Step Guide
Understanding “Read Only Domain Controller” authentication
Read-Only Domain Controllers and Account Lockouts
KB 944043: Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista
Active Directory and Active Directory Domain Services Port Requirements
To review all video demonstrations, check video section of Active Directory Windows 2008 and 2008 R2 Documentation

Written by IT Core

April 22, 2010 at 11:59 PM

Posted in Deployment, How to..., Videos


Domain Controllers and Active Directory Domains Part 6


If you want to review part 1, part 2, part 3, part 4 or part 5 of this series, click the hyperlinks.

In part 6 of this series, we’re going to discuss “How to introduce Windows 2008 and 2008 R2 domain controllers in 2003 domains”. Windows 2008 and 2008 R2 have new features and roles, some of which were Microsoft’s response to client needs and requests; the result is a great server operating system where (among other things) security, stability and management were largely improved.
Before discussing how to introduce Windows 2008 / 2008 R2 into 2003 domains, let’s check some of the new Active Directory features in Microsoft Windows 2008 and 2008 R2:

 Windows 2008:
- Auditing
- Fine-Grained Password Policies
- Read-Only Domain Controllers
- Restartable Active Directory Domain Services
- Database Mounting Tool
- User Interface Improvements

Windows 2008 R2 (all features in Windows 2008, plus):
- Active Directory Recycle Bin
- Active Directory module for Windows PowerShell and Windows PowerShell™ cmdlets
- Active Directory Administrative Center
- Active Directory Best Practices Analyzer
- Active Directory Web Services
- Authentication mechanism assurance
- Offline domain join
- Managed Service Accounts

Cool!!! :)  In future blog posts I will show you how to use some of these new tools and how to setup some of the new features described earlier.

Before Start:
- Make sure that your forest is healthy, use diagnostic tools like repadmin, nltest, netdiag, dcdiag, etc… to diagnose the health of all existing domains, domain controllers within that forest.
- Design a good rollback plan. This can be achieved in different ways; in most scenarios the rollback plan includes a compliant backup solution that will allow you to roll back changes if necessary. Some actions may be irreversible (e.g. schema upgrades) and the only way to revert them is to roll back all DCs to the state they were in before that change, which can be a challenge if you have a big forest, so keep that in mind. Make sure that you test all procedures before going to production so you won’t be sorry later… :)
- Make sure that the new Domain Controllers or existing ones to be upgraded have the hardware requirements for Windows 2008/2008 R2.
- Create a lab, test, test, test and test again all steps and document everything.
- If you have DCs running W2000, make sure that SP4 is installed.
Note: To increase security, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require (by default) that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. If your production environment includes client computers that run platforms that do not support SMB packet signing (for example, Microsoft Windows NT® 4.0 with Service Pack 2 (SP2)) or if it includes client computers that run platforms that do not support secure channel signing (for example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify default security policies to ensure that client computers running older versions of the Windows operating system or non-Microsoft operating systems will be able to access domain resources in the upgraded domain.
By modifying the settings of the default security policies, you are weakening the default security policies in your environment. Therefore, Microsoft recommends that you upgrade your Windows–based client computers as soon as possible. After all client computers in your environment are running versions of Windows that support SMB packet signing and secure channel signing, you can re-enable default security policies to increase security.

AD Upgrade Options:
You can upgrade your Active Directory environment in 2 different ways: introducing new DCs with W2008/2008 R2, or performing an in-place upgrade of all existing domain controllers. From my experience you should avoid in-place upgrades when possible and use newly installed DCs, which can save you a lot of headaches.
In-Place Upgrade Notes: Direct in-place upgrades from W2000 DCs to W2008 DCs are not supported; if you need to do that you must first upgrade your 2000 DC to 2003 and then to W2008. Windows 2008 R2 is a 64-bit OS; in-place upgrades are only possible on DCs with Windows 2003 64-bit installed.

Prepare the Forest and Domains:
- Check your Forest Functional Level and make sure that it is set to 2000 Native or later. Check KB322692
- Before introducing a new DC with Windows 2008 / 2008 R2 in our existing Active Directory forest we must prepare the forest schema and each existing domain with a tool called adprep.exe:
- Check the forest schema version. From cmd, type one of the following (after running “adprep /forestprep” you should run these commands again to confirm that the forest was upgraded):
dsquery * cn=schema,cn=configuration,dc=domainname,dc=tld -scope base -attr objectVersion
or
schupgr
Additional methods to find the schema version – HERE
- Update the forest schema by running “adprep /forestprep” from the command line (run this command on the schema master; to find the DC holding the schema role, type from cmd: “netdom query fsmo”. This action requires a user account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins groups).
- After running “adprep /forestprep”, wait for replication or force replication between all existing DCs. After having all DCs in sync, go to each domain where you want to install a domain controller that runs Windows Server 2008 or Windows Server 2008 R2 and run from cmd: “adprep /domainprep /gpprep” (on the infrastructure master).
- Prepare the forest for read-only domain controllers (RODCs), if you plan to install them, by running “adprep /rodcprep” (optional).
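The dsquery check above reads the schema version from one DC only. The following added example (not part of the original post) generalizes it by reading objectVersion from every DC in the forest, so you can confirm the schema update has replicated everywhere before running domainprep. It uses ADSI so it also works against Windows Server 2003 DCs; the function names are assumptions.

```powershell
# Added example: confirm that "adprep /forestprep" has replicated to every DC.
# Schema objectVersion values per operating system release.
$SchemaVersionNames = @{
    13 = 'Windows 2000'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
}

function Get-SchemaVersionPerDC {
    $forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $schemaMaster = $forest.SchemaRoleOwner.Name   # where forestprep has to be run
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            $version = 0
            try {
                # Bind to this specific DC so its own replica of the schema is read.
                $rootDse  = [ADSI]"LDAP://$($dc.Name)/RootDSE"
                $schemaNC = [string]$rootDse.schemaNamingContext
                $schema   = [ADSI]"LDAP://$($dc.Name)/$schemaNC"
                $version  = [int]$schema.objectVersion.Value
            } catch {
                Write-Warning "Could not read the schema from $($dc.Name): $($_.Exception.Message)"
            }
            New-Object PSObject -Property @{
                Domain           = $domain.Name
                DomainController = $dc.Name
                IsSchemaMaster   = ($dc.Name -eq $schemaMaster)
                ObjectVersion    = $version      # 0 means the DC could not be read
                SchemaLevel      = $SchemaVersionNames[$version]
            }
        }
    }
}

function Test-SchemaConverged {
    param(
        # Version expected after forestprep: 44 for 2008, 47 for 2008 R2.
        [Parameter(Mandatory = $true)][int]$ExpectedVersion
    )
    $results = @(Get-SchemaVersionPerDC)
    $results | Sort-Object Domain, DomainController |
        Format-Table Domain, DomainController, IsSchemaMaster, ObjectVersion, SchemaLevel -AutoSize |
        Out-Host
    # Any DC still on an older version (or unreachable) blocks the next step.
    $lagging = @($results | Where-Object { $_.ObjectVersion -ne $ExpectedVersion })
    return ($lagging.Count -eq 0)
}

# Sample call: proceed to "adprep /domainprep /gpprep" only when this returns True.
Test-SchemaConverged -ExpectedVersion 47
```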

After upgrading your Active Directory:
- Be patient, wait for replication to occur between all DCs in ALL domains in the AD Forest.
- Make sure that everything is working as expected, run diagnostic tools (dcdiag, nltest, repadmin, netdiag) and inspect the update logs (“Adprep.log – %SystemRoot%\Windows\Debug\ADPrep\Logs” – “Dcpromoui.log and Dcpromo.log – %systemroot%\Windows\debug”).
- Consider an offline defragmentation of the Active Directory database on all existing DCs.
- If everything is OK, do a backup now to preserve all steps performed until now.
- The next step is to start adding the new 2008 / 2008 R2 Domain Controllers. It’s recommended that you start at the forest root domain and then move on to the existing child domains. If you’re doing in-place upgrades, you should start the upgrade on the servers holding the PDCe FSMO role for each domain. If you’re introducing new DCs with 2008/2008 R2 installed, it is recommended that, after introducing them in each domain, you transfer the FSMO roles to the new Domain Controllers and set the top root domain PDCe as the authoritative time server for the forest.
- Once again, be patient during this process: make sure that new information is replicated across all existing DCs before introducing new ones, and make sure that replication is working as expected.

Additional Notes:
- Review, update, and document the domain architecture to reflect any changes that you made during the domain upgrade process.
- Verify that the NETLOGON and SYSVOL shared folders exist and that the File Replication Service (FRS) or Distributed File Service (DFS) Replication is functioning without error by checking Event Viewer.
- Verify that Group Policy is being applied successfully by checking the application log in Event Viewer for Event ID 1704.
- Verify that all service (SRV), alias (CNAME), and host (A) resource records have been registered in Domain Name System (DNS).
- Verify Windows Firewall status.
Note: Although the default behavior for Windows Server 2008 and Windows Server 2008 R2 is that Windows Firewall is turned on, if you upgrade a Windows Server 2003 computer that had Windows Firewall turned off, the firewall will remain off after the upgrade unless you turn it on using the Windows Firewall control panel.
- Continuously monitor your domain controllers and Active Directory Domain Services.

Additional Links:
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains & from TechNet
Migrate Server Roles to Windows Server 2008 R2
ADMT Guide: Migrating and Restructuring Active Directory Domains
Windows Server 2008 R2 Migration Utilities x64 Edition
The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default
How to view and transfer FSMO roles
Compact the directory database file
AD DS Backup and Recovery Step-by-Step Guide

Check the next demo for “How to deploy a Read-only Domain Controller in a Windows 2003 domain” in Part 7 of this series.

To review all video demonstrations, check video section of Active Directory Windows 2008 and 2008 R2 Documentation
:)

Written by IT Core

April 3, 2010 at 12:01 AM

Posted in Deployment, How to..., Videos
