Windows Server - Upgrade

Asked By Carl

08-Jan-10 09:42 AM

Are there any known issues when migrating AD from 2003 Native mode to 2008
native mode...are there any known application issues?? Can you provide a
link to some additional info

08-Jan-10 09:47 AM

Howdie!

Carl schrieb:

By writing "native mode" -- you mean domain functional level or forest
functional level?

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.

08-Jan-10 10:18 AM

If Windows 2003 is at 2003 Functional Levels, there is no problem adding a
2008 DC, however you do not want to make the forest and domain 2008
functional levels until all of the 2003 DCs have beeen demoted. You can also
run the two DCs indefinitely, if you like. The only thing is the forest and
domain features will remain 2003 features. The 2008 AD
features will not be available until the Forest and Domain Functional Levels
have been bumped up to Windows 2008, but you cannot do that until all of the
2003 DCs have been demoted.

Here are some links. I hope you find them helpful.

Add windows 2008 to existing 2003 domain - Petri.co.il forums
I have 2 windows 2003 domain controllers and I want to upgrade them to
windows server 2008. What is correct sollution? Add new DC on windows ...
http://www.petri.co.il/forums/showthread.php?t=23330

Screencast – Install Windows 2008 DC in Existing Windows 2003 ...In the
following screencast, we demonstrate an upgrade of Windows 2003 Domain, by
adding a new Windows Server 2008 Domain Controller. ...
http://www.netometer.com/video/tutorials/windows-dc-2008-add-upgrade/

Screencast - How to Install a Windows 2008 Domain Controller ...Screencast -
How to Install a Windows 2008 Server Forest, Adding AD Domain Services Role
... If you are planning to upgrade an existing Windows 2003 domain, ...
www.netometer.com/video/tutorials/ad-services-install/

Installing an Additional Domain ControllerIf you are installing an
additional Windows Server 2008 domain ... first Windows Server 2008 domain
controller in an existing Windows Server 2003 or Windows ... power in the
domain, we recommend that you add members to it with caution. ...
http://technet.microsoft.com/en-us/library/cc733027(WS.10).aspx

I hope you find them helpful.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.

08-Jan-10 01:50 PM

Hello carl,

If you mean with the native mode the functional levels, this requires for
Windows server 2008 that no earlier OS DC is in the domain.

Which applications do you like to install? Then it will be more easy to help
you. Also a DC should not run any application, it should do it is basic job
AD/DNS/GC and maybe DHCP, that is it.

For upgrading see:
!!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DATA/MACHINE!!!

- Do you use any kind of Exchange in the 2003 domain? If yes, which one?

- On the old server open DNS management console and check that you are running
Active directory integrated zone (easier for replication, if you have more
then one DNS server)

- run replmon from the run line or repadmin /showrepl(only if more then one
DC exist), dcdiag and netdiag from the command prompt on the old machine
to check for errors, if you have some post the complete output from the command
here or solve them first. For this tools you have to install the support\tools\suptools.msi
from the 2003 installation disk.

- run adprep /forestprep and adprep /domainprep and adprep /rodcprep from
the 2008 installation disk against the 2003 schema master(forestprep) / infrastructure
master(domainprep/rodcprep), with an account that is member of the Schema/Enterprise/Domain
admins, to upgrade the schema to the new version (44) or 2008 R2 (47)

- you can check the schema version with "schupgr" or "dsquery * cn=schema,cn=configuration,dc=domainname,dc=local
-scope base -attr objectVersion" without the quotes in a command prompt

- Install the new machine as a member server in your existing domain

- configure a fixed ip and set the preferred DNS server to the old DNS server
only, think about disabling IPv6 if you are not using it, some known problems
exist with it. Follow (http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx)
to disable it

- run dcpromo and follow the wizard to add the 2008 server to an existing
domain, make it also Global catalog and DNS server.

- for DNS give the server time for replication, at least 15 minutes. Because
you use Active directory integrated zones it will automatically replicate
the zones to the new server. Open DNS management console to check that they
appear

- if the new machine is domain controller and DNS server run again replmon,
dcdiag and netdiag (copy the netdiag from the 2003 to 2008, will work) on
both domain controllers

- Transfer, NOT seize the 5 FSMO roles to the new Domain controller (http://support.microsoft.com/kb/324801
applies also for 2008), FSMO should always be on the newest OS DC

- after transfer of the PDCEmulator role, configure the NEW PDCEmulator to
an external timesource and reconfigure the old PDCEmulator to use the domainhierarchie
now. Therefore run on the NEW "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual
/reliable:yes /update" where PEERS will be filled with the ip address or
server(time.windows.com) and on the OLD one run "w32tm /config /syncfromflags:domhier
/reliable:no /update" and stop/start the time service on the old one. All
commands run in an elevated command prompt without the quotes.

- you can see in the event viewer (Directory service) that the roles are
transferred, also give it some time

- reconfigure the DNS configuration on your NIC of the 2008 server, preferred
DNS itself, secondary the old one

- if you use DHCP do not forget to reconfigure the scope settings to point
to the new installed DNS server

- if needed export and import of DHCP database for 2008 choose "netshell
dhcp backup" and "netshell dhcp restore" command (http://technet.microsoft.com/en-us/library/cc772372.aspx)



Demoting the old DC

- reconfigure your clients/servers that they not longer point to the old
DC/DNS server on the NIC

- to be sure that everything runs fine, disconnect the old DC from the network
and check with clients and servers the connectivity, logon and also with
one client a restart to see that everything is ok

- then run dcpromo to demote the old DC, if it works fine the machine will
move from the DC's OU to the computers container, where you can delete it
by hand. Can be that you got an error during demoting at the beginning, then
uncheck the Global catalog on that DC and try again

- check the DNS management console, that all entries from the machine are
disappeared or delete them by hand if the machine is off the network for ever

- also you have to start AD sites and services and delete the old servername
under the site, this will not be done during demotion

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers

08-Jan-10 10:21 PM

Domain Functional Level...

I want to know if there will be any impact on Applications which are
integrated with AD (data stored in AD or using AD for authentication)

08-Jan-10 11:43 PM

Thanks Ace, very useful information

09-Jan-10 03:14 AM

Carl,

Carl schrieb:

Ace provided you with excellent material. Just to answer your questions:
there is no impact on applications written for AD - the functional levels
are just a sort of "mode", DC run in to enable features and functions.
It should not impact other applications nor does it change data stored in AD.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.

09-Jan-10 11:26 AM

You are welcome. If you have additional questions, do not hesitate to post.

Ace

09-Jan-10 11:43 AM

See my reply to sawyer from 9 Jan 2010 17:34:26 if it can be of some help
...

Message-ID: <91f567ryjn34$.1oziz4703i8xl$.dlg@40tude.net>

09-Jan-10 12:09 PM

Is this the response you are referring to? I had to dig for it, therefore to
make it easier for others, I wanted to post an exact reference to help
others find it easier.

Newsgroups: microsoft.public.windows.server.active_directory
Subject: Re: legacy OS or applications 2008 DC
Date: Sat, 9 Jan 2010 17:34:26 +0100

That was in Sawyer's orginal post:From: "sawyer" <occompguy@cox.net>
Subject: legacy OS or applications 2008 DC
Date: Thu, 7 Jan 2010 10:03:26 -0800

Ace

09-Jan-10 02:19 PM

Yep, that is it! I am using 40tude Dialog to read newsgroups, and when I
click on the message ID it can find the post and immediately jump to it ...

09-Jan-10 07:04 PM

I see. Not many use that reader, and not many use readers at all. Most
readers may also show links such as what you posted as a text string that is
not clickable, as my Windows Mail does. However, I also use MesNews reader,
for posts that do not conform to internet usenet encoding rules, such as
when folks post from Google Groups. Replying in Windows Mail will not format
it in a response style, which then I use MesNews to reply to. MesNews works
like 40Tude regarding clicking on that link.

I was just trying to help others out there that do not use these features so
they can find the post you are referring to, since many do not use readers
that support this feature. Matter of fact, whenever I see that a previous
post I made may be relevant, I simply copy and paste it to the new reply
just in case.

Like I said, I am just trying to make it easier for others ...

Ace

11-Jan-10 12:45 PM

Is there an impact on current applications like Exchange 2003/2007, OCS, LMS
etc.

11-Jan-10 12:56 PM

Anytime you introduce additional DCs into an infrastructure, no matter which
version, it will affect services that are AD-enabled, such as Exchange. OCS
and LMS both use Exchange (IIRC), and Exchange uses AD. Exchange will
discover the additional DCs and use them.

Also, be aware in a single domain forest, all DCs should be a GC. In a
multi-domain forest, the IM role cannot be on a GC or the IM role will fail.

Without knowing specifics and based on your specific question, I hope this
generalization is helpful.

Ace