Upgrading Active Directory from 2003 to 2008

· Microsoft’s pre-upgrade checklist
· Before upgrading AD, verify that all current applications are compatible
  o Verify that you are on the correct version for 2008
    § For example, does your SAN at its current release support 2008?
    § Does the version of Exchange you are running support 2008?
  o Ensure all Windows 2000 DCs are at least at SP4
    § From a command prompt run
      Ø repadmin /showattr
· Verify that your Active Directory forest is healthy
  o dcdiag /V /C /D /E /s:yourdcname > c:\dcdiag.log
  o netdiag.exe /v > c:\netdiag.log (on each DC)
  o repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
  o ntfrsutl ds your_dc_name > c:\sysvol.log
  o dnslint /ad /s "ip address of your dc"
· Get a backup of at least two separate DCs, including your PDCe
· Although you can upgrade, I would strongly urge you to do a fresh install on all new 2008 installations
  o Upgrading
    § Verify that the hardware will be compatible with 2008
    § You cannot directly upgrade from W2K to W2K8; you must go W2K to W2K3 and then W2K3 to W2K8
    § The bloat associated with patching, etc. is just a waste of space
      Ø Verify you have plenty of disk space available
      Ø If you don’t have a good 20 GB of free space, you are probably going to run into space issues, trust me on this. All future patches, etc. that roll into the OS are kept in the system folder and slowly over time start to chew up your volume.
    § Verify that the machine being upgraded holds the FSMO role of Operations Master (upgrade DC order)
  o Fresh install
    § Ensure you have at least a 50 GB system partition
    § Consider using x64; all future Windows Server operating systems are going to be x64, starting with 2008 R2

Prep the forest, domain and DNS zones
· Prep your forest
  o Copy the adprep folder to a local folder on your DC, or run it from the CD
  o Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
  o Execute adprep (see KB753437; be sure this is run on the schema master, otherwise it will not run)

    C:\adprep>adprep /forestprep
    ADPREP WARNING:
    Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.
    [User Action]
    If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
    c
    Opened Connection to DCTEST
    SSPI Bind succeeded
    Current Schema Version is 30
    Upgrading schema to version 44
    Connecting to "DCTEST"
    Logging in as current user using SSPI
    Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
    Loading entries............................................................................................................................................
    139 entries modified successfully.

    You should see multiple entries similar to the above. Just let the system spin; you can go take a break while waiting. At the end you will see the following (hopefully!).

    ................................................................................
    Adprep successfully updated the forest-wide information.

  o Although this DC has completed the schema upgrade, you must wait until ALL DCs in your forest receive this change via replication (converge).
    § Depending on your forest this could take from a few minutes to possibly days
· Once the proper amount of time has passed, the domains should now also be ready to be prepped
  o If you would like to verify that the forest has been upgraded
    § Start up ADSIEdit
      Ø Connect to Configuration / Configuration / ForestUpdates / ActiveDirectoryUpdate
      Ø Right click and select Properties
      Ø Revision = 2
      Ø Connect to Schema / Schema
      Ø Right click and select Properties
      Ø ObjectVersion = 44
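The ADSIEdit checks above read the adprep markers on one DC. As an added example (not part of the original page), the PowerShell below reads the same markers on every DC in the forest so you can see whether the change has actually converged; revision 2 and objectVersion 44 are the values the page gives, while the domainprep revision of 3 for Windows Server 2008 is my assumption, not something the page states.

```powershell
# Added example, not from the original page. Reads the adprep markers that the
# ADSIEdit steps inspect, but from each DC's own replica, to show convergence.
# revision 2 and objectVersion 44 come from the page; the 2008 domainprep
# revision of 3 is an assumption (not stated on the page).
$ExpectedForestRevision = 2
$ExpectedSchemaVersion  = 44
$ExpectedDomainRevision = 3   # assumption

function Get-AdsiInt([string]$Server, [string]$Dn, [string]$Attribute) {
    # Bind to one named DC so we read its local copy, not whichever DC the
    # locator picks; $null means the object/attribute has not replicated yet.
    try {
        $entry = [ADSI]"LDAP://$Server/$Dn"
        $v = $entry.Properties[$Attribute].Value
        if ($v -eq $null) { return $null }
        return [int]$v
    } catch { return $null }
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
$schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
$forestUpdateDn = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc"

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$results = foreach ($domain in $forest.Domains) {
    $domainNc = [string]$domain.GetDirectoryEntry().Properties['distinguishedName'].Value
    $domainUpdateDn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc"
    foreach ($dc in $domain.DomainControllers) {
        $forestRev = Get-AdsiInt $dc.Name $forestUpdateDn 'revision'
        $schemaVer = Get-AdsiInt $dc.Name $schemaNc 'objectVersion'
        $domainRev = Get-AdsiInt $dc.Name $domainUpdateDn 'revision'
        New-Object PSObject -Property @{
            DC             = $dc.Name
            Domain         = $domain.Name
            ForestRevision = $forestRev
            SchemaVersion  = $schemaVer
            DomainRevision = $domainRev
            Converged      = ($forestRev -eq $ExpectedForestRevision) -and
                             ($schemaVer -eq $ExpectedSchemaVersion) -and
                             ($domainRev -eq $ExpectedDomainRevision)
        }
    }
}
$results | Select-Object DC, Domain, ForestRevision, SchemaVersion, DomainRevision, Converged |
    Format-Table -AutoSize
if ($results | Where-Object { -not $_.Converged }) {
    Write-Warning 'Not every DC has the 2008 adprep changes yet; wait for replication before continuing.'
}
```

Run it as a domain user from any machine that can reach all DCs over LDAP; DCs that are unreachable or have not yet replicated show blank values and Converged = False.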
  o adprep /domainprep (the domain must be in 2003 native mode)
    § adprep /domainprep /gpprep (use this command line if upgrading from Windows 2000; the domain must be in 2000 native mode)

    C:\adprep>adprep /domainprep
    Running domainprep ...
    Adprep successfully updated the domain-wide information.
    The new cross domain planning functionality for Group Policy, RSOP Planning Mode, requires file system and Active Directory Domain Services permissions to be updated for existing Group Policy Objects (GPOs). You can enable this functionality at any time by running "adprep.exe /domainprep /gpprep" on the Active Directory Domain Controller that holds the infrastructure operations master role.
    This operation will cause all GPOs located in the policies folder of the SYSVOL to be replicated once between the AD DCs in this domain. Microsoft recommends reading KB Q324392, particularly if you have a large number of Group Policy Objects.

  o Although this DC has completed the domain prep upgrade, you must wait until ALL DCs in this domain receive this change via replication (converge).
    § Depending on your domain this could take from a few minutes to possibly days
· Once the proper amount of time has passed
  o If you would like to verify that the domain has been upgraded
    § Start up ADSIEdit
      Ø Connect to Configuration / Configuration / ForestUpdates / ActiveDirectoryUpdate
· If there are any near or far term plans to install RODCs, prep your DNS zones
  o adprep /rodcprep
    § This will traverse the separate partitions and update the permissions
      Ø Verify that the prep completed without error

    Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more information.

· Prep your domain
  o Connect to the FSMO Infrastructure Master role holder
  o From the CD either copy \sources\adprep or run the following:
    § adprep /domainprep /gpprep
Begin the actual installation

· New 2008 DC
  o Verify that the AD DS role has been installed on your 2008 member server
  o From an elevated command prompt promote this new DC
    § dcpromo
· The following will pop up
  o [screenshot]
· Followed by, select Next
  o [screenshot]
· Read the description of the new secure channel controls and verify that you understand its impact, then select Next
  o KB942564 explains in greater detail its impact within your organization
  o [screenshot]
· Select Existing Forest and click Next
  o [screenshot]
· Verify the forest and credentials are properly set and click Next
  o [screenshot]
· Select a domain for this additional domain controller and click Next
  o [screenshot]
· Select the site where you would like the new DC to be placed and click Next
  o [screenshot]
· Select those additional services you would require this DC to have and click Next
  o [screenshot]
· If the following pop-up box appears
  o [screenshot]
    § If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes and disregard the message.
· Verify the default locations are as expected and click Next
  o [screenshot]
· Enter the AD DS password and click Next
  o [screenshot]
· On the Summary dialog box, verify all settings are correct and hit Next
  o [screenshot]
· The following box will appear while the promotion advances. Please be patient during this process; depending on the size of your AD environment this could take a few minutes to multiple hours.
  o [screenshot]
· Once the promotion is complete, click Finish and restart the newly promoted DC
  o [screenshot]
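The wizard screens above map one-to-one onto a dcpromo answer file. The following is an added example (not from the original page) that drives the same additional-DC promotion unattended; the domain, site and account names are placeholders, and the file is removed afterwards because it has to hold the Directory Services Restore Mode password in clear text.

```powershell
# Added example, not from the original page. Same promotion as the wizard
# walk-through, via dcpromo /unattend. All names below are placeholders.
$DomainDnsName = 'corp.example.com'          # placeholder: domain the new DC joins
$SiteName      = 'Default-First-Site-Name'   # placeholder: AD site for the new DC
$AdminDomain   = 'CORP'                      # placeholder: domain of the promoting account
$AdminUser     = 'ad-upgrade-admin'          # placeholder: account with Domain Admins rights

# The DSRM password must be in the answer file, so collect it at run time and
# delete the file afterwards instead of leaving it on disk.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$answerFile = Join-Path $env:TEMP 'dcpromo-replica.txt'
# Replica = additional DC in an existing forest/domain; InstallDNS/ConfirmGc are
# the "additional services" screen; CreateDNSDelegation=No answers the DNS
# delegation pop-up; Password=* makes dcpromo prompt rather than store it here.
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDnsName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$AdminDomain
UserName=$AdminUser
Password=*
DatabasePath=%systemroot%\NTDS
LogPath=%systemroot%\NTDS
SYSVOLPath=%systemroot%\SYSVOL
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    & "$env:SystemRoot\System32\dcpromo.exe" /unattend:"$answerFile"
    Write-Host "dcpromo exit code: $LASTEXITCODE (details in $env:SystemRoot\debug\dcpromo.log)"
} finally {
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
}
# Restart the server yourself once the answer file is gone, as the wizard's
# Finish/Restart step does.
```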
· Once complete, allow all DCs to properly replicate all changes within the infrastructure
· Microsoft recommends moving the FSMO roles to a 2008 DC
  o From Active Directory Users and Computers (ADUC) right click on the domain and select Operations Masters
    § [screenshot]
  o From each of the three tabs (RID, PDC and Infrastructure) change to a 2008 DC
    § [screenshot]
    § If your destination IM is also a GC, make sure all other DCs are GCs or that this is a single domain forest. Otherwise you can create phantom object problems.
  o From Active Directory Domains and Trusts
    § Verify you are connected to the DC you want to transfer the Domain Naming role to
    § Right click and select Operations Master
    § [screenshot]
  o From Schema Management
    § If you haven’t already, register the schema management snap-in
      · From a command prompt
        o regsvr32 schmmgmt.dll
      · In the MMC console add the Schema management snap-in
      · Select the Schema management console and connect to the DC you want to move the FSMO role to
      · Right click on Schema management and select Operations Master
    § [screenshot]
  o To verify all FSMO roles have been transferred, run the following from a command prompt
    § netdom query fsmo
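As an added example (not from the original page), the PowerShell below does what "netdom query fsmo" does, but also reports each role holder's OS version so you can confirm every role now sits on a 2008 DC, and flags the Infrastructure Master / Global Catalog combination the transfer steps warn about.

```powershell
# Added example, not from the original page. Lists every FSMO role holder with
# its OS version and checks the IM/GC phantom-object condition described above.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

function Describe-RoleHolder([string]$Role, $Dc) {
    # DomainController.OSVersion is the version string the DC reports for itself
    New-Object PSObject -Property @{
        Role      = $Role
        Holder    = $Dc.Name
        OSVersion = $Dc.OSVersion
        Is2008    = ($Dc.OSVersion -like '*2008*')
    }
}

$roles = @()
$roles += Describe-RoleHolder 'Schema Master'        $forest.SchemaRoleOwner
$roles += Describe-RoleHolder 'Domain Naming Master' $forest.NamingRoleOwner
foreach ($domain in $forest.Domains) {
    $roles += Describe-RoleHolder "PDC Emulator ($($domain.Name))"          $domain.PdcRoleOwner
    $roles += Describe-RoleHolder "RID Master ($($domain.Name))"            $domain.RidRoleOwner
    $roles += Describe-RoleHolder "Infrastructure Master ($($domain.Name))" $domain.InfrastructureRoleOwner

    # Phantom-object check: an IM that is also a GC is only safe when every other
    # DC in the domain is a GC as well, or when the forest has a single domain.
    $im    = $domain.InfrastructureRoleOwner
    $nonGc = @($domain.DomainControllers | Where-Object { -not $_.IsGlobalCatalog() })
    if ($im.IsGlobalCatalog() -and $forest.Domains.Count -gt 1 -and $nonGc.Count -gt 0) {
        $msg = '{0}: Infrastructure Master {1} is a GC while {2} DC(s) are not; phantom objects will not be updated.'
        Write-Warning ($msg -f $domain.Name, $im.Name, $nonGc.Count)
    }
}

$roles | Select-Object Role, Holder, OSVersion, Is2008 | Format-Table -AutoSize
if ($roles | Where-Object { -not $_.Is2008 }) {
    Write-Warning 'At least one FSMO role is still held by a non-2008 DC.'
}
```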