IT Core Blog


Domain Controllers and Active Directory Domains Part 6


If you want to review part 1, part 2, part 3, part 4 or part 5 of this series, click the hyperlinks.

In part 6 of this series, we’re going to discuss “How to introduce Windows 2008 and 2008 R2 domain controllers in 2003 domains“. Windows 2008 and 2008 R2 have new features and roles, some of them Microsoft’s response to customer needs and requests; the result is a great server operating system in which, among other things, security, stability and management were greatly improved.
Before discussing how to introduce Windows 2008 / 2008 R2 into 2003 domains, let’s check some of the new Active Directory features in Microsoft Windows 2008 and 2008 R2:

Windows 2008:
– Auditing
– Fine-Grained Password Policies
– Read-Only Domain Controllers
– Restartable Active Directory Domain Services
– Database Mounting Tool
– User Interface Improvements

Windows 2008 R2, all features in Windows 2008 and:
– Active Directory Recycle Bin
– Active Directory module for Windows PowerShell and Windows PowerShell™ cmdlets
– Active Directory Administrative Center
– Active Directory Best Practices Analyzer
– Active Directory Web Services
– Authentication mechanism assurance
– Offline domain join
– Managed Service Accounts

Cool!!! 🙂 In future blog posts I will show you how to use some of these new tools and how to set up some of the new features described above.

Before You Start:
– Make sure that your forest is healthy; use diagnostic tools like repadmin, nltest, netdiag, dcdiag, etc. to diagnose the health of all existing domains and domain controllers within that forest.
– Design a good rollback plan. This can be achieved in different ways; in most scenarios the rollback plan includes a compliant backup solution that will allow you to roll back changes if necessary. Some actions may be irreversible (e.g. schema upgrades) and the only way to revert them is to roll back all DCs to the state they were in before that change, which can be a challenge if you’ve a big forest, so keep that in mind. Make sure that you test all procedures before going to production so you won’t be sorry later… 🙂
– Make sure that the new Domain Controllers, or the existing ones to be upgraded, meet the hardware requirements for Windows 2008/2008 R2.
– Create a lab, test, test, test and test again all steps and document everything.
– If you’ve DCs running W2000, make sure that SP4 is installed.
Note: To increase security, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require (by default) that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. If your production environment includes client computers that run platforms that do not support SMB packet signing (for example, Microsoft Windows NT® 4.0 with Service Pack 2 (SP2)) or if it includes client computers that run platforms that do not support secure channel signing (for example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify default security policies to ensure that client computers running older versions of the Windows operating system or non-Microsoft operating systems will be able to access domain resources in the upgraded domain.
By modifying the settings of the default security policies, you are weakening the default security policies in your environment. Therefore, Microsoft recommends that you upgrade your Windows–based client computers as soon as possible. After all client computers in your environment are running versions of Windows that support SMB packet signing and secure channel signing, you can re-enable default security policies to increase security.
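Because the note above tells you to weaken these defaults only temporarily, it helps to have a quick way to read what is actually in effect on a domain controller and to confirm the hardened values are back once the legacy clients are gone. The following is an added example (not code from the original post); it reads the registry locations behind the “Microsoft network server: Digitally sign communications (always)”, “Domain member: Digitally encrypt or sign secure channel data (always)” and “Domain member: Require strong (Windows 2000 or later) session key” policies and compares them with the hardened default of 1. The policy list and the expected values are assumptions in the sense that you should extend them to match your own baseline.

```powershell
# Added example, not code from the original post: audit the SMB signing and
# secure channel settings on a DC so a temporarily weakened policy can be found
# and restored. Runs under PowerShell 2.0 on Windows 2008 / 2008 R2; run elevated.

function Get-DcSigningPolicy {
    $lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    # Expected = the hardened default on a 2008 / 2008 R2 DC (assumed baseline).
    $checks = @(
        @{ Path = $lanman;   Name = 'RequireSecuritySignature'; Expected = 1
           Means = 'SMB packet signing required by the server' },
        @{ Path = $netlogon; Name = 'RequireSignOrSeal';        Expected = 1
           Means = 'Secure channel data must be signed or sealed' },
        @{ Path = $netlogon; Name = 'RequireStrongKey';         Expected = 1
           Means = 'Secure channel requires a Windows 2000 or later session key' }
    )

    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        # A missing value means no policy wrote it; the OS default then applies.
        $value = if ($item) { $item.($c.Name) } else { $null }
        New-Object PSObject -Property @{
            Setting  = $c.Name
            Value    = $value
            Expected = $c.Expected
            Hardened = ($value -eq $c.Expected)
            Meaning  = $c.Means
        }
    }
}

Get-DcSigningPolicy | Format-Table Setting, Value, Expected, Hardened, Meaning -AutoSize
```

A row with an empty Value means nothing (neither the Default Domain Controllers Policy nor a local policy) has written that value; in that case check the GPO rather than assuming the setting is weak. Run it once before you relax the policy and again after the last NT 4.0 client is retired, so the two outputs document that the hardened defaults were restored.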

AD Upgrade Options:
You can upgrade your Active Directory environment in 2 different ways: introducing new DCs with W2008/2008 R2, or performing an in-place upgrade of all existing domain controllers. From my experience you should avoid in-place upgrades when possible and use newly installed DCs; they can save you a lot of headaches.
In-Place Upgrade Notes: Direct in-place upgrades from W2000 DCs to W2008 DCs are not supported; if you need to do that you must first upgrade your 2000 DC to 2003 and then to W2008. Windows 2008 R2 is a 64-bit OS, so in-place upgrades are only possible on DCs with Windows 2003 64-bit installed.

Prepare the Forest and Domains:
– Check your Forest Functional Level and make sure that it is set to 2000 Native or later. Check KB322692.
– Before introducing a new DC with Windows 2008 / 2008 R2 in our existing Active Directory forest we must prepare the forest schema and each existing domain with a tool called adprep.exe:
Check the Forest Schema version; from cmd type (after running “adprep /forestprep” you should run this command again to confirm that the forest was upgraded):
dsquery * cn=schema,cn=configuration,dc=domainname,dc=tld -scope base -attr objectVersion
Additional methods to find the schema version – HERE
Update the Forest schema by running “adprep /forestprep” from the command line (run this command on the schema master; to find the DC holding the Schema role, type from cmd: “netdom query fsmo“. This action requires a user account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins groups).
After running “adprep /forestprep“, wait for replication or force replication between all existing DCs. After having all DCs in sync, go to each domain where you want to install a domain controller that runs Windows Server 2008 or Windows Server 2008 R2 and run from cmd: “adprep /domainprep /gpprep” (on the Infrastructure master).
Prepare the forest for read-only domain controllers (RODCs), if you plan to install them, by running “adprep /rodcprep” (optional).
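The checks in this section (functional level, schema objectVersion, and which DC holds the Schema and Infrastructure roles that adprep must be run on) can be collected in one go. The script below is an added example, not code from the original post; it uses the .NET System.DirectoryServices classes rather than the Windows 2008 R2 Active Directory module, so it runs under PowerShell 2.0 from a Windows 2003 or 2008 machine in the forest you are about to prepare. The table of known objectVersion values is maintained by hand and is an assumption you should extend for newer schemas.

```powershell
# Added example, not code from the original post: pre-adprep readiness check.
# Uses System.DirectoryServices so it works without the 2008 R2 AD module
# (which needs AD Web Services on a DC). Run as a user that can read the schema.

# Schema objectVersion values Microsoft publishes for each OS; kept by hand.
$knownSchemaVersions = @{
    13 = 'Windows 2000'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
}

function Test-AdUpgradeReadiness {
    # Same data as "dsquery * cn=schema,cn=configuration,... -attr objectVersion",
    # but the schema DN is read from RootDSE instead of being typed by hand.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $schemaVersion = [int]$schema.objectVersion.Value
    $schemaOs = $knownSchemaVersions[$schemaVersion]
    if (-not $schemaOs) { $schemaOs = 'unknown (newer than this table)' }

    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $interim = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003InterimForest

    # Forest-level facts: adprep /forestprep must run on the schema master.
    New-Object PSObject -Property @{
        Scope              = 'Forest ' + $forest.Name
        FunctionalLevel    = $forest.ForestMode.ToString()
        SchemaVersion      = "$schemaVersion ($schemaOs)"
        SchemaMaster       = $forest.SchemaRoleOwner.Name
        DomainNamingMaster = $forest.NamingRoleOwner.Name
        ReadyFor2008DC     = ($forest.ForestMode -ne $interim)
    }

    # Per-domain facts: adprep /domainprep /gpprep runs on each infrastructure
    # master, and the domain must be Windows 2000 native or later (not mixed).
    $mixed = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2000MixedDomain
    foreach ($domain in $forest.Domains) {
        New-Object PSObject -Property @{
            Scope                = 'Domain ' + $domain.Name
            FunctionalLevel      = $domain.DomainMode.ToString()
            PdcEmulator          = $domain.PdcRoleOwner.Name
            RidMaster            = $domain.RidRoleOwner.Name
            InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
            ReadyFor2008DC       = ($domain.DomainMode -ne $mixed)
        }
    }
}

Test-AdUpgradeReadiness | Format-List
```

Run it once before adprep /forestprep and again after replication has converged: the SchemaVersion line should move from 30 or 31 to 44 (Windows 2008) or 47 (Windows 2008 R2), and a DC that still reports the old number has not received the schema changes yet.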

After upgrading your Active Directory:
Be patient; wait for replication to occur between all DCs in ALL domains in the AD Forest.
Make sure that everything is working as expected, run diagnostic tools (dcdiag, nltest, repadmin, netdiag) and inspect the update logs (“Adprep.log – %SystemRoot%\Windows\Debug\ADPrep\Logs” – “Dcpromoui.log and Dcpromo.log – %systemroot%\Windows\debug”).
Consider an offline defragmentation of the Active Directory Database on all existing DCs.
If everything is ok, do a backup now to preserve all steps performed until now.
The next process is to start adding the new 2008 / 2008 R2 Domain Controllers. It’s recommended that you start at the forest root domain and then move on to the existing child domains. If you’re doing in-place upgrades, you should start the upgrade on the servers holding the PDCe FSMO role for each domain. If you’re introducing new DCs with 2008/2008 R2 installed, it is recommended that, after introducing them in each domain, you transfer the FSMO roles to the new Domain Controllers and set the forest root domain PDCe as the authoritative time server for the forest.
Once again, be patient during this process; make sure that new information is replicated across all existing DCs before introducing new ones, and also make sure that replication is working as expected.

Additional Notes:
– Review, update, and document the domain architecture to reflect any changes that you made during the domain upgrade process.
– Verify that the NETLOGON and SYSVOL shared folders exist and that the File Replication Service (FRS) or Distributed File System (DFS) Replication is functioning without error by checking Event Viewer.
– Verify that Group Policy is being applied successfully by checking the application log in Event Viewer for Event ID 1704.
– Verify that all service (SRV), alias (CNAME), and host (A) resource records have been registered in Domain Name System (DNS).
– Verify Windows Firewall status.
Note: Although the default behavior for Windows Server 2008 and Windows Server 2008 R2 is that Windows Firewall is turned on, if you upgrade a Windows Server 2003 computer that had Windows Firewall turned off, the firewall will remain off after the upgrade unless you turn it on using the Windows Firewall control panel.
– Continuously monitor your domain controllers and Active Directory Domain Services.
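The post-upgrade checks above (diagnostic tools and replication in the previous section, and the NETLOGON/SYSVOL shares, Event ID 1704, SRV records and firewall state in this list) can be scripted so they are run the same way on every DC. The script below is an added example, not code from the original post. It runs locally on a DC in an elevated PowerShell 2.0 session and only uses built-in tools (WMI, the event log, nslookup, netsh, repadmin, dcdiag); the output formats it parses are those of the Windows versions of those tools, and the domain name defaults to the DC’s own domain.

```powershell
# Added example, not code from the original post: post-upgrade health checks
# for the local domain controller. Run elevated on each DC; no AD module needed.

function New-CheckResult($check, $pass, $detail) {
    New-Object PSObject -Property @{ Check = $check; Pass = [bool]$pass; Detail = [string]$detail }
}

function Test-DomainControllerHealth {
    param([string]$DomainFqdn = $env:USERDNSDOMAIN)
    $results = @()

    # NETLOGON and SYSVOL must be shared by every DC.
    $shares = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
    foreach ($name in 'NETLOGON', 'SYSVOL') {
        $results += New-CheckResult "Share $name" ($shares -contains $name) ''
    }

    # Group Policy applied: SceCli writes Event ID 1704 to the Application log.
    $gp = Get-EventLog -LogName Application -Source SceCli -Newest 100 -ErrorAction SilentlyContinue |
          Where-Object { $_.EventID -eq 1704 } | Select-Object -First 1
    $detail = if ($gp) { "last applied $($gp.TimeGenerated)" } else { 'no 1704 event found' }
    $results += New-CheckResult 'Group Policy (Event 1704)' ($gp -ne $null) $detail

    # DC locator SRV record for this DC; Windows nslookup prints one
    # "svr hostname = <dc fqdn>" line per registered record.
    $srv = "_ldap._tcp.dc._msdcs.$DomainFqdn"
    $ns  = nslookup -type=SRV $srv 2>&1 | Out-String
    $results += New-CheckResult "SRV $srv" ($ns -match "svr hostname\s*=\s*$($env:COMPUTERNAME)\.") ''

    # Windows Firewall: an in-place upgrade keeps it off if 2003 had it off.
    $fw = netsh advfirewall show allprofiles state | Out-String
    $results += New-CheckResult 'Windows Firewall on (all profiles)' `
        (($fw -match 'State\s+ON') -and -not ($fw -match 'State\s+OFF')) ''

    # Replication: repadmin /replsummary prints "fails / total" per DC; sum the fails.
    $fails = 0
    foreach ($line in ((repadmin /replsummary 2>&1 | Out-String) -split "`r?`n")) {
        if ($line -match '^\s*\S+\s+.+?\s+(\d+)\s*/\s*(\d+)\s+\d+') { $fails += [int]$matches[1] }
    }
    $results += New-CheckResult 'Replication (repadmin /replsummary)' ($fails -eq 0) "$fails failed link(s)"

    # dcdiag /q prints only failures, so empty output means every test passed.
    $dcd = (dcdiag /q 2>&1 | Out-String).Trim()
    $results += New-CheckResult 'dcdiag /q' ($dcd.Length -eq 0) $dcd

    $results | Select-Object Check, Pass, Detail
}

Test-DomainControllerHealth | Format-Table -AutoSize -Wrap
```

A Pass of False on the firewall row is exactly the case the note above describes (a 2003 server upgraded in place with the firewall off), and a False on the SRV row usually means the Net Logon service has not re-registered its records yet; restarting Net Logon and re-running the script is the usual first step. Keep the output from each DC with the upgrade documentation so the state at cut-over is on record.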

Additional Links:
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains, from TechNet
Migrate Server Roles to Windows Server 2008 R2
ADMT Guide: Migrating and Restructuring Active Directory Domains
Windows Server 2008 R2 Migration Utilities x64 Edition
The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default
How to view and transfer FSMO roles
Compact the directory database file
AD DS Backup and Recovery Step-by-Step Guide

Check the next demo for “How to deploy a Read-only Domain Controller in a Windows 2003 domain” in Part 7 of this series.

To review all video demonstrations, check the video section of Active Directory Windows 2008 and 2008 R2 Documentation.


Written by IT Core

April 3, 2010 at 12:01 AM

Posted in Deployment, How to..., Videos
