The things that are better left unspoken

a blog by Sander Berkouwer

Transitioning your Active Directory to Windows Server 2008

You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the moment and you're looking to replace these servers with Windows Server 2008 Domain Controllers to utilize the new features of Windows Server 2008. You might also be looking to replace your aging Windows Server 2003 and Windows Server 2003 R2 Domain Controllers with spanking new Windows Server 2008 Domain Controllers, while keeping your Active Directory running smoothly.

This post intends to help you with this transition in a structured, balanced and thorough way and describes:

  • Choosing between In-place upgrading, transitioning or restructuring
  • Reasons to transition to Windows Server 2008
  • Steps to transition
    • Prepare your Active Directory environment
    • Installing the first Windows Server 2008 Domain Controller
    • Installing additional Windows Server 2008 Domain Controllers
    • Taking care of Flexible Single Master Operations and Global Catalogs
    • Checking proper installation and replication
    • Demoting Windows Server 2003 Domain Controllers
    • Raising the domain functional level
    • Raising the forest functional level
  • Concluding

Ways to migrate

Upgrading your Windows Server 2003 Active Directory environment to Windows Server 2008 can be done in three distinct ways:

  • In-place upgrading
    Windows Server 2003 and Windows Server 2003 R2 can both be upgraded in-place to Windows Server 2008, as long as you keep the following in mind:
     
    • The Windows Server 2003 patchlevel should be at least Service Pack 1
    • You can't upgrade across architectures (x86, x64 & Itanium)
    • Standard Edition can be upgraded to both Standard and Enterprise Edition
    • Enterprise Edition can be upgraded to Enterprise Edition only
    • Datacenter Edition can be upgraded to Datacenter Edition only

In-place upgrading requires you to run adprep.exe before starting the upgrade process on the Domain Controllers. Check this post from Jorge for more information.

  • Transitioning
    Migrating this way means adding Windows Server 2008 Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window.

    Transitioning is possible for Active Directory environments whose domain functional level is at least Windows 2000 Native.
     
  • Restructuring
    A third way to go from Windows Server 2003 Domain Controllers to Windows Server 2008 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2008) domain. Tools like the Active Directory Migration Tool (ADMT) are priceless in these kinds of migrations.

Reasons to transition

I feel transitioning is the middle road between the two other ways to migrate to Windows Server 2008:

  • Restructuring means filling a new Active Directory from scratch
  • In-place upgrading means you're stuck with the same hardware and limited to certain upgrade paths
  • Transitioning means you get to keep your current Active Directory lay-out, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.

Transitioning is good when:

  • You worked hard to get your Active Directory in the shape it's in.
  • Your servers are faced with aging.
  • In-place upgrading leaves you with an undesired outcome (for instance 32bit DC's)
  • You need a chance to place your Active Directory files on different partitions/volumes.

When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. That's why I wrote this post.

Steps to transition

Transitioning to Windows Server 2008 Domain Controllers consists of the following steps:

Before you begin

Avoid common mistakes
There is a very good Microsoft Knowledge Base article on Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain, written by community experts. I suggest you read it (twice). Most of its contents also apply to transitioning from Windows Server 2003 (R2) to Windows Server 2008.

Plan your server lifecycle
It's not uncommon for a Domain Controller to sit on your network for a period of five years. I believe you should take this in mind when selecting and buying a server. You should plan your partitions (or volumes) carefully and place the Active Directory files on separate volumes when your needs justify it. The Windows Server catalog helps you pick systems that will run Windows Server 2008 with ease.

Assess your readiness
Microsoft has kindly provided a tool to scan systems to assess whether they are capable of running Windows Server 2008, whether drivers are available (either from Microsoft Update or on the installation media) and what problems you might encounter when deploying Windows Server 2008. I recommend checking your systems with this tool, which is called the Microsoft Assessment and Planning Solution Accelerator (MAP for short).

Backups
Make backups of all your Domain Controllers and verify you can restore these backups when needed.

Documentation
It is a good thing to know exactly what you're migrating. When things go wrong you might need to be able to revert back to the old situation. This might require the Directory Services Restore Mode (DSRM) password and credentials for service accounts, which might not be written down anywhere. In multiple Domain Controller, multiple domain, multiple forest and multiple sites scenarios it's very wise to make a table containing the relevant information per Domain Controller in terms of Flexible Single Master Operations (FSMO) roles, Global Catalog placement, domain membership, site membership, replication topology, routing tables, IP addressing, etc.

Communication
When done right your colleagues might not even suspect a thing, but it's important to shed some light on what you're doing. (Make someone) communicate to the end users that you're going to mess with the core of their infrastructure. This might result in colleagues understanding you're (really) busy and might also result in problems being reported fast. Both are good things if you'd ask me...

Prepare your Active Directory environment

Before you can begin to introduce the first Windows Server 2008 Domain Controller into your existing Active Directory environment, you first have to prepare the Active Directory.

Microsoft provides a tool called adprep.exe to facilitate this preparation. You need to run the following commands on the following servers in your Active Directory environment:

Command                          Domain Controller
adprep.exe /forestprep           Schema Master
adprep.exe /domainprep           Infrastructure Master
adprep.exe /domainprep /gpprep   Infrastructure Master
adprep.exe /rodcprep *           Domain Naming Master

* Optional when you want to deploy Read Only Domain Controllers.

After preparing your Active Directory for Windows Server 2008 be sure to check the process. Breadcrumbs to failures may be found in the event viewer, but real men will check the adprep.log files. If your life depends on it, you can use the HowTo Jorge wrote to check that forestprep and domainprep successfully replicated to all Domain Controllers.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the replmon and repadmin tools to check and optionally troubleshoot Active Directory replication.
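The replication check described above, as an added PowerShell example that is not part of the original post. It reads the objects adprep.exe writes (the schema head's objectVersion and the revision attribute on the ForestUpdates and DomainUpdates markers) from the FSMO holders adprep was run on, then reads the same attributes from every other Domain Controller and reports any that do not match yet. It only uses System.DirectoryServices, so no add-on module is required; run it from any domain-joined machine with read access to the directory.

```powershell
# Added example (not code from the original post): confirm that the changes
# adprep.exe made on the FSMO holders have replicated to every Domain
# Controller before promoting the first Windows Server 2008 DC.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# adprep was run on these role holders, so their copies are the reference.
$schemaMaster = $forest.SchemaRoleOwner.Name
$infraMaster  = $domain.InfrastructureRoleOwner.Name

$rootDse  = [ADSI]"LDAP://$schemaMaster/RootDSE"
$configNc = $rootDse.Get('configurationNamingContext')
$domainNc = $rootDse.Get('defaultNamingContext')

# Windows Server 2008 adprep /forestprep raises the schema head to objectVersion 44.
$ExpectedSchemaVersion = 44

# Forest-wide items are compared on every DC in the forest, the domain item on
# the DCs of the current domain only.
$forestDcs = @($forest.Domains | ForEach-Object { $_.DomainControllers })
$domainDcs = @($domain.DomainControllers)

$checks = @(
  @{ Name = 'Schema objectVersion';   Attr = 'objectVersion'; Ref = $schemaMaster; Dcs = $forestDcs
     Dn = "CN=Schema,$configNc" },
  @{ Name = 'ForestUpdates revision'; Attr = 'revision';      Ref = $schemaMaster; Dcs = $forestDcs
     Dn = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc" },
  @{ Name = 'DomainUpdates revision'; Attr = 'revision';      Ref = $infraMaster;  Dcs = $domainDcs
     Dn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc" }
)

function Get-DirectoryAttribute($server, $dn, $attr) {
  # Read one attribute from one specific DC. $null means the object is not
  # there yet (not replicated) or the DC could not be reached.
  try {
    $entry = [ADSI]"LDAP://$server/$dn"
    return [int]($entry.Get($attr))
  } catch {
    return $null
  }
}

$problems = 0
foreach ($check in $checks) {
  $reference = Get-DirectoryAttribute $check.Ref $check.Dn $check.Attr
  "{0}: {1} on {2} (reference)" -f $check.Name, $reference, $check.Ref
  if ($reference -eq $null) {
    "  WARNING: object not found on $($check.Ref); has adprep been run there?"
    $problems++
    continue
  }
  if ($check.Attr -eq 'objectVersion' -and $reference -ne $ExpectedSchemaVersion) {
    "  WARNING: expected objectVersion $ExpectedSchemaVersion for Windows Server 2008; has adprep /forestprep completed?"
    $problems++
  }
  foreach ($dc in $check.Dcs) {
    $value = Get-DirectoryAttribute $dc.Name $check.Dn $check.Attr
    if ($value -eq $reference) {
      "  OK        {0}" -f $dc.Name
    } else {
      "  MISMATCH  {0} has '{1}'" -f $dc.Name, $value
      $problems++
    }
  }
}

if ($problems -eq 0) {
  "All Domain Controllers carry the adprep changes."
} else {
  "$problems problem(s) found; allow more time for replication or troubleshoot with repadmin before continuing."
}
```

A MISMATCH line against a single DC usually just means replication has not caught up yet; rerun later. A mismatch that persists after the expected replication latency is the point at which to turn to repadmin, as the post suggests.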

Install the first Windows Server 2008 Domain Controller

You could already start installing Windows Server 2008 on a fresh box and make it a member of the domain, while preparing your Active Directory. When you're done preparing your Active Directory you can safely go ahead installing the first Windows Server 2008 Domain Controller by promoting a Windows Server 2008 box to a Domain Controller, using dcpromo.exe.

When running dcpromo.exe make sure you select to make this Domain Controller an extra Domain Controller for the Active Directory domain you're transitioning. Type a secure password for Directory Services Restore Mode (DSRM).

Tip:
Write down the Directory Services Restore Mode (DSRM) password.

Since each Active Directory Domain Controller stores a copy of the Active Directory information, like users, computers, etc. and the NETLOGON and SYSVOL shares, your new Windows Server 2008 Domain Controller will be open for business after you have restarted it to complete the wizard.

Install additional Domain Controllers

Installing additional Windows Server 2008 Domain Controllers is as easy as purchasing them, licensing them, installing them and promoting them. There's really nothing to it: Once you've introduced the first Windows Server 2008 Domain Controller you know how to do it.

If you find installing loads of Domain Controllers is a tedious job you might want to promote servers to Domain Controllers using answer files. When Domain Controllers need to be placed in locations with limited connectivity or bandwidth constraints you might want to explore the Install from Media (IFM) possibilities.

Take care of FSMOs and GCs

Using the Active Directory Sites and Services MMC Snap-in, make the new Windows Server 2008 Domain Controllers Global Catalog servers where appropriate.

Also transfer the Flexible Single Master Operations (FSMO) Roles to the appropriate servers. You can use the graphical interface to move the Flexible Single Master Operations (FSMO) Roles from your Windows Server 2003 servers to Windows Server 2008. Another option is using ntdsutil.

In multiple Domain Controller scenarios Jorge has a good rule of thumb on Global Catalogs and the Infrastructure Master Flexible Single Master Operations (FSMO) Role. Either:

  • Don't make the Domain Controller holding the Infrastructure Master Flexible Single Master Operations (FSMO) Role a Global Catalog server, (and only) if there is another Domain Controller in the same Active Directory domain that is also not a Global Catalog;
  • Make all Domain Controllers Global Catalog servers.

When your environment includes Microsoft Exchange Server reboot a Domain Controller after making it a Global Catalog server. Microsoft Exchange communicates with Active Directory through Global Catalogs using MAPI. Although the Active Directory Sites and Services MMC Snap-in doesn't ask for it you need to restart a Domain Controller at least one time after making it a Global Catalog before it starts talking MAPI.

Make sure your Windows Server 2003 Domain Controllers are no longer clinging on to any of the Flexible Single Master Operations (FSMO) Roles using the graphical user interface, using replmon or the following command using netdom.exe from the Resource Kit:

netdom.exe query fsmo
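The same check in PowerShell, as an added example that is not part of the original post. It lists every Domain Controller in the current domain with its site, operating system, Global Catalog status and the FSMO roles it holds (the inventory the Documentation section above asks for), warns when a Windows Server 2003 Domain Controller still holds a role, and flags the case Jorge's rule of thumb excludes: an Infrastructure Master that is a Global Catalog while other Domain Controllers in the domain are not. It uses only System.DirectoryServices.ActiveDirectory, so it runs without add-on modules from any domain-joined machine.

```powershell
# Added example (not code from the original post): FSMO and Global Catalog
# placement inventory with the two checks a transition needs before demoting
# the Windows Server 2003 Domain Controllers.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Forest-wide roles come from the Forest object, domain roles from the Domain object.
$roles = @{
  'Schema Master'         = $forest.SchemaRoleOwner.Name
  'Domain Naming Master'  = $forest.NamingRoleOwner.Name
  'PDC Emulator'          = $domain.PdcRoleOwner.Name
  'RID Master'            = $domain.RidRoleOwner.Name
  'Infrastructure Master' = $domain.InfrastructureRoleOwner.Name
}

$dcs = @($domain.DomainControllers)
$gcCount = 0

"{0,-28} {1,-12} {2,-26} {3,-6} {4}" -f 'Domain Controller', 'Site', 'Operating system', 'GC', 'FSMO roles'
foreach ($dc in $dcs) {
  $isGc = $dc.IsGlobalCatalog()
  if ($isGc) { $gcCount++ }

  # Roles whose owner name equals this DC's name.
  $held = @($roles.Keys | Where-Object { $roles[$_] -eq $dc.Name })

  "{0,-28} {1,-12} {2,-26} {3,-6} {4}" -f $dc.Name, $dc.SiteName, $dc.OSVersion, $isGc, ($held -join ', ')

  if ($held.Count -gt 0 -and $dc.OSVersion -like '*2003*') {
    "  WARNING: Windows Server 2003 Domain Controller still holds: {0}" -f ($held -join ', ')
  }
}

# Jorge's rule of thumb from the post: the Infrastructure Master should not be
# a Global Catalog unless every DC in the domain is one. Flag the violating case.
$im = $dcs | Where-Object { $_.Name -eq $roles['Infrastructure Master'] }
if ($im -and $im.IsGlobalCatalog() -and $gcCount -lt $dcs.Count) {
  "WARNING: Infrastructure Master {0} is a Global Catalog while {1} of {2} Domain Controllers are not" -f `
    $im.Name, ($dcs.Count - $gcCount), $dcs.Count
}
```

Run it once before transferring roles (to record the starting point) and again afterwards; the second run should show no warnings and no roles on Windows Server 2003 machines. In a multi-domain forest the Schema Master and Domain Naming Master only appear when the script is run in the forest root domain.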

Check proper installation and replication

It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize specifically are:

  • dcpromo.log
    All the events regarding the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services
  • dcpromoui.log
    All the events from a graphical interface perspective

Also check the event viewer.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the replmon and repadmin tools to check and optionally troubleshoot proper Active Directory replication.

Demote Windows Server 2003 Domain Controllers

I've seen Domain Controllers become the prostitutes of the server room in many environments. Any software that didn't require a dedicated server or was deemed highly dependent on the Active Directory was installed on the Domain Controller. When you're one of the administrators treating their Domain Controllers like that you're going to have a hard time demoting your Domain Controllers. Testing demotions in a separate (virtual) testing environment could give you a clear picture of the behavior of your Windows Server 2003 ex-Domain Controllers though!

From my personal experience I can tell you it's not recommended to demote a Domain Controller when it has Exchange Server or Internet Information Services installed after it was promoted. You're going to have to find another box to install these services on.

When your Windows Server 2003 Domain Controllers are also Domain Name System (DNS) servers it is recommended to change the DNS zones into Active Directory Integrated DNS zones (when possible) so they get replicated to any Domain Controller running the DNS service. Installing the DNS Server role on a Windows Server 2008 server would then suffice to migrate DNS settings. Be sure to change the DNS information on your other servers and workstations before removing DNS servers from your network.

You can safely demote a Domain Controller using the dcpromo.exe command. If you're unsuccessful you might want to try to remove the server from Active Directory the hard way, which Jorge describes here. (leaving out the percussive maintenance option though)
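The two DNS checks the paragraph above implies, as an added PowerShell example that is not part of the original post: which zones on the Windows Server 2003 Domain Controller are still file-backed rather than Active Directory integrated (those would not follow the directory to the new Domain Controllers), and which servers still name the old Domain Controller in their DNS client settings. The server name, IP address and host list are placeholders and constructed sample values; WMI access to the listed machines is assumed.

```powershell
# Added example (not code from the original post): pre-demotion DNS inventory.
$OldDc   = 'dc2003.corp.example'                        # placeholder: the DC being retired
$OldDcIp = '192.0.2.10'                                 # placeholder: its IP address
$Hosts   = @('fs01.corp.example', 'app01.corp.example') # constructed sample list of servers to inspect

# 1. Zone inventory on the old DNS server through the MicrosoftDNS WMI provider.
#    DsIntegrated is $true for Active Directory integrated zones.
"Zones hosted on $OldDc"
$zones = Get-WmiObject -ComputerName $OldDc -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone
foreach ($zone in $zones) {
  if ($zone.DsIntegrated) {
    "  AD-integrated  {0}" -f $zone.Name
  } else {
    "  FILE-BACKED    {0}  <- convert or re-create before demoting $OldDc" -f $zone.Name
  }
}

# 2. DNS client settings on the other servers: any adapter that still lists the
#    old DC as a resolver will lose name resolution when it goes away.
"DNS client settings"
foreach ($h in $Hosts) {
  $nics = Get-WmiObject -ComputerName $h -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
  foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    if ($servers -contains $OldDcIp) {
      "  WARNING  {0} still lists {1}: {2}" -f $h, $OldDcIp, ($servers -join ', ')
    } else {
      "  OK       {0}: {1}" -f $h, ($servers -join ', ')
    }
  }
}
```

Every FILE-BACKED line and every WARNING line is something to fix before running dcpromo.exe on the old server; workstations that receive DNS servers from DHCP are covered by updating the DHCP scope options instead of this per-host check.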

Raise the domain functional level

After you've successfully demoted the last Windows Server 2003 Domain Controller for a specific domain (or you don't feel the need to ever add pre-Windows Server 2008 Domain Controllers to your Active Directory environment) you're ready to raise the Domain functional level of that domain.

Upgrading the domain functional level to Windows Server 2008 adds the following features to your environment:

  • Distributed File System Replication (DFS-R) support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents with minimal replication traffic compared to FRS.
  • Advanced Encryption Services (AES 128 and 256) support for the Kerberos protocol.
  • Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
  • Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain, instead of per domain only.

Note:
Raising the functional level is a one way procedure. Once you've raised your domain functional level there's no way to return to the previous domain functional level.

Raising the domain functional level in Windows Server 2008 looks remarkably similar to raising the domain functional level on Windows Server 2003:

  1. Log on to the Domain Controller holding the PDC emulator FSMO role with a user account that is a member of the Domain Administrators group.
  2. Open Active Directory Domains and Trusts.
  3. In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
  4. In Select an available domain functional level, click Windows Server 2008, and then click Raise.

Upgrade the forest functional level

After you've successfully upgraded the domain functional level of all the domains in your Active Directory forest you're ready to upgrade the Forest functional level. This will not add any features, but it will result in all domains that are subsequently added to the forest operating at the Windows Server 2008 domain functional level by default.

Note:
Raising the functional level is a one way procedure. Once you've raised your forest functional level there's no way to return to the previous forest or domain functional levels.

To upgrade the forest functional level to Windows Server 2008 perform the following actions:

  1. Log on to the Domain Controller of the forest root domain holding the PDC Emulator FSMO role with a user account that is a member of the Enterprise Administrators group.
  2. Open Active Directory Domains and Trusts.
  3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
  4. Under Select an available forest functional level, click Windows Server 2008, and then click Raise.
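Because both raises are one-way, a scripted pre-flight check is worth having before clicking Raise. The following is an added PowerShell example, not code from the original post: for every domain in the forest it verifies that no pre-Windows Server 2008 Domain Controller remains, reports the current domain functional level, and then does the same for the forest level once all domains are at Windows Server 2008. Nothing is changed unless the script is run with -Commit; it uses only System.DirectoryServices.ActiveDirectory and must run under an account with the rights the steps above name (Domain Admins for a domain, Enterprise Admins for the forest).

```powershell
# Added example (not code from the original post): pre-flight check and
# optional raise of the domain and forest functional levels to Windows Server 2008.
param([switch]$Commit)

function Test-AndRaiseDomain($domain) {
  Write-Host ("Domain {0}: functional level {1}" -f $domain.Name, $domain.DomainMode)

  # A remaining pre-2008 Domain Controller blocks the raise.
  $legacy = @($domain.DomainControllers | Where-Object { $_.OSVersion -notlike '*2008*' })
  if ($legacy.Count -gt 0) {
    Write-Host "  BLOCKED: pre-Windows Server 2008 Domain Controllers still present:"
    $legacy | ForEach-Object { Write-Host ("    {0} ({1})" -f $_.Name, $_.OSVersion) }
    return $false
  }

  if ($domain.DomainMode -eq [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2008Domain) {
    Write-Host "  already at Windows Server 2008 domain functional level"
    return $true
  }

  if ($Commit) {
    # One-way operation: there is no way back to the previous level.
    $domain.RaiseDomainFunctionality([System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2008Domain)
    Write-Host "  raised to Windows Server 2008 domain functional level"
    return $true
  }

  Write-Host "  dry run: would raise to Windows Server 2008 (re-run with -Commit)"
  return $false
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Every domain must be at the Windows Server 2008 domain functional level first.
$allDomainsReady = $true
foreach ($d in $forest.Domains) {
  if (-not (Test-AndRaiseDomain $d)) { $allDomainsReady = $false }
}

Write-Host ("Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode)
if (-not $allDomainsReady) {
  Write-Host "  BLOCKED: every domain must be at Windows Server 2008 domain functional level first"
} elseif ($forest.ForestMode -eq [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2008Forest) {
  Write-Host "  already at Windows Server 2008 forest functional level"
} elseif ($Commit) {
  # One-way operation: there is no way back to the previous level.
  $forest.RaiseForestFunctionality([System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2008Forest)
  Write-Host "  raised to Windows Server 2008 forest functional level"
} else {
  Write-Host "  dry run: would raise to Windows Server 2008 (re-run with -Commit)"
}
```

Run it once without -Commit and read every line; the only acceptable state before committing is that each domain reports either "already at" or "dry run: would raise", with no BLOCKED lines. The operating system check is deliberately strict: a Windows Server 2003 Domain Controller that is merely switched off is still a Domain Controller object and still blocks the raise, which is why the post has you demote before raising.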

Concluding

Transitioning your Active Directory to Windows Server 2008 seems as easy as running adprep and installing Windows Server 2008 Domain Controllers. It might be in small shops with one single Domain Controller in one single Active Directory domain in its own forest with one single Active Directory site.

Be sure to check whether what you're doing is successfully installed, performed and replicated before you screw up your Active Directory environment though!

Further reading

WS2008: Upgrade Paths, Resource Limits & Registry Values 
Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
Windows Server Longhorn - Installing, Removing and Upgrading to AD
Windows Server Longhorn - Install From Media (IFM)
Win Server 2008 Directory Services, Functional Levels Overview
Functional Levels In Windows Server 2008 Part I 
Functional Levels In Windows Server 2008 Part II 
Appendix of Functional Level Features
Active Directory Installation and Removal Issues 
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
Using Repadmin.exe to troubleshoot Active Directory replication 
HOW TO: Use the Replication Monitor to Determine the Operations Master and GC Roles
HOW TO: troubleshoot intra-site replication failures 
Windows Server 2008 dcpromo Changes 
Active Directory Domain Services: UI changes - Part 1 
Active Directory Domain Services: UI changes - Part 2  
How to raise domain and forest functional levels in Windows Server 2003 
FSMO placement and optimization on Active Directory domain controllers
How to optimize Active Directory replication in a large network

Comments

Transitioning your Active Directory to Windows Server 2008 - Microsoft Product's said:

You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the moment and you're looking to replace these servers with Windows Server 2008 Domain Controllers to utilize the new features of Windows Server 2008. You might also be looking to replace your aging Windows Server 2003 and Windows Server 2003 R2 Domain Controllers with spanking new Windows Server 2008 Domain Controllers, while keeping your Active Directory running smoothly.

# March 2, 2008 12:13 PM

TrackBack said:

Time: 08:09 EST/13:09 GMT | News Source: Dirteam | Posted By: Kenneth van Surksum

You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the moment and you're looking to replace these servers with Windows Server 2008 Domain Controllers to utilize the new features of Windows Server 2008. You might also be looking to replace your aging Windows Server 2003 and Windows Server 2003 R2 Domain Controllers with spanking new Windows Server 2008 Domain Controllers, while keeping your Active Directory running smoothly.

# March 2, 2008 11:17 PM

TrackBack said:

Sander Berkouwer has published on his blog an interesting piece devoted entirely to the question of upgrading domain controllers running Windows Server 2003 and Windows Server 2003 R2 to Windows Server 2008 and, with that, upgrading the Active Directory domain itself to the 2008 version.

The article describes both the various upgrade methods (in-place upgrade, restructuring, migration) together with their issues, and the step-by-step actions for each case. It closes with a sizeable list of links to other, complementary publications on the Internet.

# March 3, 2008 2:09 PM

natasham said:

I love your work. Thanks for providing such a well-structured summary.

# March 3, 2008 10:24 PM

TrackBack said:

You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the moment and you're looking to replace these servers with Windows Server 2008 Domain Controllers to utilize the new features of Windows Server 2008. You might also be looking to replace your aging Windows Server 2003 and Windows Server 2003 R2 Domain Controllers with spanking new Windows Server 2008 Domain Controllers, while keeping your Active Directory running smoothly.

Read more over at {The things that are better left unspoken}

# March 4, 2008 12:00 AM

Transitioning your Active Directory to Windows Server 2008 | Savage Nomads said:

We’ve talked about starting from scratch again with our AD forest. This post has some great information about the new features of a 2008 AD and options you have to get there.

# March 4, 2008 4:34 PM

TrackBack said:

Transitioning is good when:

  • You worked hard to get your Active Directory in the shape it's in.
  • Your servers are faced with aging.
  • In-place upgrading leaves you with an undesired outcome (for instance 32bit DC's)
  • You need a chance to place your Active Directory files on different partitions/volumes.

When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. That's why I wrote this post.

# March 4, 2008 11:27 PM

Windows Server 2008 said:

To everyone interested in AD DS in W2K8 I warmly recommend the article on Sander Berkouwer's blog. You will find

# March 5, 2008 4:10 AM

subject: exchange said:

Rui Silva's Weekend reading

  • Microsoft Helps Connect Apple iPhone Users to Microsoft’s Exchange Server
  • Optimize Entourage to better work with Exchange
  • Transitioning your Active Directory to Windows Server 2008
  • The six-layered secret of effective Exchange Server email filtering
  • How to set up email disclaimers on a single, back-end Exchange server
  • Online Exchange & Sharepoint - Finally
  • Oh lord, now the Exchange team is doing it
  • 16,000 Exchange mailboxes on one server with VMware
  • Exchange Server 2007 and Universal Groups
  • Q&A 3: Entering and grouping contacts
    ...
# March 7, 2008 12:22 PM

The things that are better left unspoken said:

Server Core installations can be specifically targeted at situations where single server roles are needed. Combining some of these roles on one server might also be very powerful, as I will show you in this post of my Easter SC'enarios series, where I'll try to construct the ultimate Branch Office server using Server Core roles. The roles and features I'll be using are:

  • Active Directory Read Only Domain Controller
  • Active Directory Integrated Dynamic DNS Server and DHCP Server
  • File Server with Distributed File System and Bitlocker Drive Encryption
  • Windows Backup

This will result in a headless server, that can be safely stored in a kitchen cupboard of a remote location of your company.

# March 24, 2008 1:42 AM

The things that are better left unspoken said:

The Read-only Domain Controller is one of the new and most existing features of Windows Server 2008.

# July 13, 2008 12:54 AM

Bogdancev said:

Thanks, Sander.

It works excellently. I checked the adprep.log files and looked in the event viewer - OK, Active Directory is replicated.

Now I have 2 servers: 2003 & 2008.

2008 has only AD and empty. I gonna put shared folders with data and sites here(2008) from 2003 and throw it away.

So, how can I do it best?

Is it right: at night, copy all data and re-create shared folders on the new server, switch off 2003 and rename 2008 to the 2003 name?

And what would be with users, which synchronize their data with server?

# August 12, 2008 11:40 AM

Sander Berkouwer said:

I think the File Server Migration Toolkit (FSMT) is an excellent tool to migrate your file shares from the Windows Server 2003 box to the Windows Server 2008 box. (version 1.1 with Windows Server 2008 is currently in beta)

Migrating users with Offline files will be more tricky, but CSCCMD.EXE can help you out there. Check out Microsoft Knowledge Base Article 884739.

# August 12, 2008 1:44 PM

Bogdancev said:

Dankie, Sander.

I have another question about AD. I've put it here because I did not find a proper thread in your blog and I didn't find an answer on the Microsoft site.

There is a picture of my AD computers:

http://img7.imagevenue.com/img.php?image=71405_AD_122_1034lo.jpg

So, some computers are lost (like DSK0008, DSK0009 ...). It was since previous 2003 server crash - nobody saved AD, then AD was created from the beginning, some computers were just rejoined to the domain, others not. Those users which are not rejoined still can log on, but I see the event on the server:

Event ID:    5513
Source:      Netlogon
Description: The computer name <computer name> connected to server <name>
             using the trust relationship to the <name> domain. However,
             the computer doesn't properly know the security identifier
             (SID) for the domain. Reestablish the trust relationship.

The problem is: I can simply rejoin those computers (Microsoft's answer). But in this case I would have so many problems - because a new profile will be created and I must move all the stuff and mail and funny things... on each computer. And speak with blond girls and explain them things ...

So, is there a way to restore those "trust relationships" between computers and new 2008 server without troubles?

# August 25, 2008 6:37 AM

Sander Berkouwer said:

Yeah, sure!

The only problem you seem to be experiencing is the loss of user profiles. (which are actually not lost)

I'll assume you're the one changing the domain membership of the computer and you don't have any roaming profiles.

After you've made the workstation a member of the new domain and after the user has logged on and off once, you can log in as an administrator and copy the contents of the old profile in C:\Documents and Settings\UserName to the new profile in C:\Documents and Settings\UserName.DomainName. (check datestamps to determine the old and new profile)

This will restore the user profiles. Now you can ask these blond girls meaningful questions instead of merely fixing their computer troubles Cool

# August 27, 2008 1:21 PM

Bogdancev said:

Hello Sander again.

So, step by step and with your BIG help I do things.

The next is a spare Windows Server 2008 problem:

I bought second server to make it spare. I plan to copy (automatic replication) AD on it only for emergency. If first server crashes - users can logon using another one. I can quickly restore data from backup, ...

But when I try to install AD on it using dcpromo.exe - in the last stage (installing) it says funny thing:

"No mapping between account names and security IDs was done."  

Microsoft KB answers everything but this. So, do you know the reason?

P.S. When adjust setting in dcpromo I use: logon of domain administrator and password, check "Add to existing domain", Global Catalogue.

# September 30, 2008 5:56 AM

TrackBack said:

You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the moment and you’re looking to replace these servers with Windows Server 2008 Domain Controllers to utilize the new features of Windows Server 2008. You might also be looking to replace your aging Windows Server 2003 and Windows Server 2003 R2 Domain Controllers with spanking new Windows Server 2008 Domain Controllers, while keeping your Active Directory running smoothly.
# February 11, 2009 8:56 AM

Pieter said:

You can use the HowTo Jorge wrote to check forestprep and domainprep successfully replicated to all Domain Controllers.

Update for Win 2008 adprep:

Check for a successful Forest Update:

repadmin.exe /SHOWOBJMETA * "CN=ActiveDirectoryUpdate,CN=ForestUpdates,CN=Configuration,DC=domain,DC=com"

Check for a successful Domain Update :

repadmin.exe /SHOWOBJMETA * "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=domain,DC=com"

# April 2, 2009 5:41 AM

BillMSTI said:

O boy, this is EXACTLY what I was looking for! Thanks for a well thought out and structured outline.

I feel a bit better now that I read this. Messing with AD is not something for the faint-of-heart.

I have had the Win 2008 DVD sitting around gathering dust long enough.

Bill

# April 16, 2009 9:47 AM

Windows Server 2003 / 2008 | keyongtech said:

Hi!

I have a doubt. I have a Domain hosted on Windows 2003 Server R2. I'd like to add a second domain controller to avoid any disaster. Which is the recommendation? Is it better if I install a clean Windows 2008 Server and migrate the Domain and after that add a RODC Windows 2008 Server? OR can I add a second domain controller to the Windows Server 2003 I already have? I know the first option sounds better BUT it's just I'd like to test Windows 2008 Server first.

Thanks for your answers...
# May 6, 2009 9:07 AM

upgrading windows 2003 to windows 2008 - IT Community - Software Programming, Web Development and Technical Support said:

Transitioning DHCP
To transition  DHCP see these links:

Transitioning a CA
To transitioning a Certificate Authority use these steps:

  1. Back up the CA database and private key and export the CA registry configuration from the Windows Server 2003.
  2. Remove Certificate Services from the Windows Server 2003 server.
  3. Set up an enterprise root CA on a computer running Windows Server 2008 with the root CA certificate (with private key) that is exported from the Windows Server 2003 server.
  4. Restore the CA Database on the Windows Server 2008 Computer.
  5. After I restart the certificate service on the Windows Server 2008, it functions well for enrolling certificates without restoring the CA Configuration (registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\configuration from the Windows Server 2003).

Please make sure to perform a complete server backup on the Windows Server 2003 before migrating the CA (remove Certificate Services).

Transitioning WINS
For WINS follow the following two steps:

  1. backup: http://technet.microsoft.com/en-us/l.../cc727901.aspx 
  2. restore: http://technet.microsoft.com/en-us/l.../cc727960.aspx
# July 3, 2009 3:53 AM

jcombalicer said:

Where will you run the adprep? Is it from the source or destination server?

When I'm trying to run adprep from the win2k3 server (source) I got an error. I'm running adprep from the i386 SP2 which I extracted from the .exe.

It says that I cannot run it from there:

------------------------------------------------

Adprep was unable to copy file C:\win2k2sp2\i386\dcpromo.cs_ from installation point to local machine under directory C:\WINDOWS\system32\debug\adprep\data.

[User Action]

Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.

Adprep encountered a Win32 error.

Error code: 0x2 Error message: The system cannot find the file specified..

Adprep was unable to copy setup files from installation point to local machine.

----------------------------------------------------

thank you...

# August 11, 2009 11:42 PM

Sander Berkouwer said:

You should run adprep on the Domain Controllers holding the respective FSMO roles. These are your current Windows Server 2003 Domain Controllers.

I recommend using adprep from the sources\adprep folder from either a Windows Server 2008 DVD or Windows Server 2008 with integrated Service Pack 2 DVD. Be sure to use DVD media corresponding to the architecture (x86 or x64) of your Windows Server 2003 Domain Controllers. You can use trial media of Windows Server 2008 for this purpose, if need be.

Also, when you copy adprep to a local folder on your Domain Controller, be sure to copy the whole folder containing adprep.exe and not just adprep.exe itself.

# August 12, 2009 1:22 AM
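As an added illustration of the advice in the reply above (not code from the post or from Microsoft), the following batch script copies the whole sources\adprep folder from the Windows Server 2008 DVD onto the Domain Controller and runs the preparation step for the role that Domain Controller holds. The drive letter D: for the DVD and the folder C:\adprep are constructed assumptions; adprep /forestprep must run on the Schema Master and adprep /domainprep on the Infrastructure Master of each domain, which is why the script is run once per step rather than all at once.

```batch
@echo off
rem Added example: prepare a Windows Server 2003 forest and domain for Windows
rem Server 2008 Domain Controllers, following the advice in the reply above.
rem Usage:  prep-ad.cmd forest    (run on the Schema Master)
rem         prep-ad.cmd domain    (run on the Infrastructure Master of each domain)
rem D:\sources\adprep (the DVD) and C:\adprep are constructed paths. Use DVD
rem media of the same architecture (x86 or x64) as this Domain Controller.

set SRC=D:\sources\adprep
set DST=C:\adprep

rem Show the current FSMO role holders so the step is run on the right DC.
rem (netdom ships with the Windows Server 2003 Support Tools.)
netdom query fsmo

rem Copy the entire folder, not adprep.exe alone: the packed data files it
rem expands (dcpromo.cs_ and friends, as in the error quoted above) live next to it.
xcopy "%SRC%" "%DST%" /E /I /Y
if errorlevel 1 (
    echo Copy failed; check that %SRC% exists on the DVD.
    exit /b 1
)

if /i "%1"=="forest" goto :forest
if /i "%1"=="domain" goto :domain
echo Usage: %~nx0 forest ^| domain
exit /b 1

:forest
rem Schema Master only: extend the schema. adprep asks for confirmation (C + Enter).
"%DST%\adprep.exe" /forestprep
if errorlevel 1 goto :fail
goto :done

:domain
rem Infrastructure Master, once per domain: domain preparation including the
rem Group Policy permission changes (/gpprep).
"%DST%\adprep.exe" /domainprep /gpprep
if errorlevel 1 goto :fail
goto :done

:done
echo adprep finished; review %SystemRoot%\System32\Debug\Adprep\Logs before promoting a Windows Server 2008 DC.
goto :eof

:fail
echo adprep reported an error; see %SystemRoot%\System32\Debug\Adprep\Logs\Adprep.log
exit /b 1
```

Run the forest step first and let the schema change replicate to the Infrastructure Master before running the domain step; the Adprep.log path echoed at the end is the same one the error message in the question points to.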

links for 2009-12-04 | benway.net said:

links for 2009-12-04

# December 4, 2009 2:05 AM

links for 2009-12-04 | Savage Nomads said:

links for 2009-12-04

# December 4, 2009 3:01 AM

Unable to transfer the Schema Owner FSMO Role (2003 to 2008R2) | Stefan Jagger said:

You should find it relatively easy to transfer 4 of the 5 FSMO roles (if not check Sander Berkouwer’s migration article), but the 5th role of schema owner might be tricky. The GUI might spring up an error like this:

Active Directory
The parameter is incorrect.
The transfer of the current Operations Master could not be performed.

# August 10, 2010 4:13 PM

Domain Migration said:

We are a Windows shop here at First Church. For the past 2 years we have been running a Windows Server 2003 R2 domain. Recently though, we began having some trouble with our primary server and domain controller. The techie folks out there understand that this is a significant problem. For those of you who aren’t familiar with Windows domains, suffice to say that this server controlled internet access, shared drives, printing, and anti-virus. Basically everything that happens every day.

We hobbled along for 2 weeks while some new hardware arrived. Finally our Dell R710 server and half rack came in on a semi-truck. It was an ordeal just to get it onto a cart (think pallet jack, forklift, mega cart, smaller cart, elevator, and 4 strong backs). It took me about 16 hours to change over our physical equipment and install a fresh copy of Windows Server 2008 R2. This is our OS of choice now since the R710 supports tons of memory allowing us to run virtual servers.

Meanwhile we were still hobbling along with our old equipment. I was able to install 2008 R2 onto a donated Dell PowerEdge 1800. This is a fairly robust box with dual 3.6 GHz Xeons, 4 GB of RAM, and RAID 5 SATA drives. We will call this server #3. I then added this server as a member server to our existing 2003 domain, promoted it to a secondary domain controller, and adjusted the DNS settings of the primary server to point to the secondary server in the event of a failure. Things were stable finally.

I researched for roughly a week on the migration process from 2003 to 2008 R2. My main areas of concern were:

  • Active Directory
  • Network Printers
  • DNS/DHCP
  • Shared Drives
  • Sophos Anti-Virus

I will list the steps I used in order to complete the migration. The main process was to use Server #3 as a temporary server while I recreated Server #1. I began at 6:00 on Friday evening and was finished by 2:00 AM.

I used this guide for the high level steps

# October 11, 2010 9:11 PM

Migrating from 2003 to 2008 (R2) - Paraguin Consulting said:

For one of my small local clients, we assisted them recently with migrating the domain from 2003 to 2008 R2. It was a move from 32 bit 2003 to 64 bit 2008 R2. This is for 2 physical boxes (one on 2003 and one on 2008 R2) since we didn’t want to have any down time and plus the 2003 server’s physical equipment was out of warranty. There were some gotchas that we ran across, but based on some Google searches we were able to get through the issues. We tested this on the Paraguin domain first as a trial run and of course we do this because we have less valuable stuff running and our production network is like a test network since anything goes.

# December 2, 2010 6:12 AM

Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain Controllers | vishwajit's space said:

One question which I often come across is how to upgrade your domain from Windows 2003 to Windows 2008 or 2008 R2.

# December 20, 2011 4:31 PM

Migrating from 2003 to 2008 (R2) said:

For one of my small local clients, we assisted them recently with migrating the domain from 2003 to 2008 R2. It was a move from 32 bit 2003 to 64 bit 2008 R2. This is for 2 physical boxes (one on 2003 and one on 2008 R2) since we didn’t want to have any down time and plus the 2003 server’s physical equipment was out of warranty. There were some gotchas that we ran across, but based on some Google searches we were able to get through the issues. We tested this on the Paraguin domain first as a trial run and of course we do this because we have less valuable stuff running and our production network is like a test network since anything goes.

This is one of the links that we utilized and pieced together to perform what we needed to do.

# January 12, 2012 7:43 AM

chudless said:

Do you have any links to any articles on moving/migrating from an existing domain, i.e. thedomain.com to a new one, i.e. thenewdomain.com? I basically want a fresh domain but need to migrate or move all existing servers & clients to the new domain, including exchange and app servers.

Hoping to find an article that at least outlines all the areas to consider so I don't screw it up!!

# March 16, 2012 6:17 PM

Sander Berkouwer said:

Hi chudless,

Thanks for your reply.

I don't have a blog post in this series on the 'migrating' scenario. Huge differences between networking environments and their impact on the migration process make that an impossible blog post to write.

Microsoft has an extensive 267-page Word document, detailing how to use the Active Directory Migration Tool (ADMT) to perform the type of migrations you describe.

Note:
Although the download page talks about version 3.0 of the tool, the documentation applies to version 3.0, 3.1 and version 3.2.

Note:
ADMT versioning is not about bug fixes, but about the support matrix of the source and target domains/forests. Later versions of ADMT support more recent Windows Server OSs and Functional Levels as target domains and forests, but also limit the Windows Server OSs and Functional Levels as source domains and forests.

Good luck!

# March 16, 2012 6:45 PM
Anonymous comments are disabled