Transitioning your Active Directory to Windows Server 2008 R2

Reading Time: 12 minutes

You might be running Windows Server 2003 (R2) and Windows Server 2008 Domain Controllers at the moment and you're looking to replace these servers with Windows Server 2008 R2 Domain Controllers to utilize the new features of Windows Server 2008 R2.

You might also be looking to replace your aging Windows Server 2003 (R2) and Windows Server 2008 Domain Controllers with spanking new Windows Server 2008 R2 Domain Controllers, while keeping your Active Directory running smoothly.

Transitioning Active Directory is the most common way to migrate Active Directory. This post intends to help you with this transition in a structured, balanced and thorough way and describes:


Ways to migrate

Upgrading your Windows Server 2003 (R2) / 2008 Active Directory environment to Windows Server 2008 R2 can be done in three distinct ways:

  • In-place upgrading
    x64 installations of Windows Server 2003 (R2) and Windows Server 2008 can both be upgraded in-place to Windows Server 2008 R2, as long as you keep the following in mind:

    • The Windows Server 2003 patch level should be at least Service Pack 2
    • Standard Edition can be upgraded to both Standard and Enterprise Edition
    • Enterprise Edition can be upgraded to Enterprise Edition only
    • Datacenter Edition can be upgraded to Datacenter Edition only
    • Foundation Edition (2008 only) can be upgraded to Standard Edition only
    • Server Core installations can only be upgraded to Server Core installations
  • Transitioning
    Migrating this way means adding Windows Server 2008 R2 Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window.
    Transitioning is possible for Active Directory environments whose domain functional level is at least Windows 2000 Native.
  • Restructuring
    A third way to go from Windows Server 2003 (R2) / 2008 Domain Controllers to Windows Server 2008 R2 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2008 R2 ) domain. Tools like the Active Directory Migration Tool (ADMT) are priceless in these kind of migrations.


Reasons to transition

I feel transitioning is the middle road between the two other ways to migrate to Windows Server 2008 R2:

  • Restructuring means filling a new Active Directory from scratch
  • In-place upgrading means you're stuck with the same hardware and limited to certain upgrade paths
  • Transitioning means you get to keep your current Active Directory lay-out, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.

Transitioning is good when:

  • You worked hard to get your Active Directory in the shape it's in.
  • Your servers are faced with aging.
  • In-place upgrading leaves you with an undesired outcome
    (for instance Server Core or Enterprise Domain Controllers)
  • You need a chance to place your Active Directory files on different partitions/volumes.

When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. That's why I wrote this post.


Steps to transition

Transitioning to Windows Server 2008 Domain Controllers consists of the following steps:

Before you begin

Avoid common mistakes

There is a very good Microsoft Knowledge Base article on Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain, written by community experts.  I suggest you read it (twice). Most of the contents also apply to transitioning to Windows Server 2008 R2.

Plan your server lifecycle

It's not uncommon for a Domain Controller to sit on your network for a period of five years. I believe you should take this in mind when selecting and buying a server. You should plan your partitions (or volumes) carefully and place the Active Directory files on separate volumes when your needs justify it. The Windows Server catalog helps you pick systems that will run Windows Server 2008 R2 with ease.

Assess your readiness

Microsoft has kindly provided a tool to scan systems to assess whether systems are capable of running Windows Server 2008 R2, whether drivers are available (either from Microsoft update or on the installation media) and what problems you might encounter when deploying Windows server 2008 R2. I recommend checking your systems with this tool, which is called the Microsoft Assessment and Planning Solution Accelerator (MAP for short).

Map out your 64bit transition

Since Windows Server 2008 R2 is only available in 64bit flavors, you’ll need to make sure every aspect of your Active Directory Domain Controller implementation is 64bit ready. The MAP tool will not sort everything out for you, so you will have to dive into stuff like anti-malware, backup, software for uninterruptible power supplies, monitoring, systems management, time synchronization and your licensing (VAMT/ MAK / KMS) solution.

Review the considerations for upgrading

Active Directory Domain Services in Windows Server 2008 R2 breaks some functionality present in previous versions of Active Directory. For instance, NT 4.0 compatible encryption is off by default on Windows Server 2008 R2 Domain Controllers. Review these considerations and determine whether they are show stoppers in your environment.

Backups

Make backups of all your Domain Controllers and verify you can restore these backups when needed.

Documentation

It is a good thing to know exactly what you're migrating. When things go wrong you might need to be able to revert back to the old situation. This might require the Directory Services Restore Mode (DSRM) password and credentials for service accounts, which might not be written down anywhere. In multiple Domain Controller, multiple domain, multiple forest and multiple sites scenarios it's very wise to make a table containing the relevant information per Domain Controller in terms of Flexible Single Master Operations (FSMO) roles, Global Catalog placement, domain membership, site membership, replication topology, routing tables, IP addressing, etc.

Communication

When done right your colleagues might not even suspect a thing, but it's important to shed some light on what you're doing. (Make someone) communicate to the end users that you're going to mess with the core of their infrastructure. This might result in colleagues understanding you're (really) busy and might also result in problems being reported fast. Both are good things if you'd ask me…


Prepare your Active Directory environment

Before you can begin to introduce the first Windows Server 2008 R2 Domain Controller into your existing Active Directory environment, you first have to prepare the Active Directory.

Microsoft provides two tools to facilitate this preparation. Depending on your current Active Directory environment (the architecture of the Domain Controller you run the tool on) you need to use either one of them:

  Tool          Use
  adprep.exe    Prepares your Active Directory environment for Windows Server 2008 R2; run it on 64-bit (x64) Domain Controllers.
  adprep32.exe  Prepares your Active Directory environment for Windows Server 2008 R2; run it on 32-bit (x86) Domain Controllers.

You need to run the following commands on the following Domain Controllers in your current Active Directory environment:

  Command                            Domain Controller
  adprep.exe /forestprep             Schema Master
  adprep32.exe /forestprep
  adprep.exe /domainprep             Infrastructure Master
  adprep32.exe /domainprep
  adprep.exe /domainprep /gpprep     Infrastructure Master
  adprep32.exe /domainprep /gpprep
  adprep.exe /rodcprep *             Domain Naming Master
  adprep32.exe /rodcprep *

* Optional, when you want to deploy Read Only Domain Controllers.

After preparing your Active Directory for Windows Server 2008 R2 be sure to check the process. Breadcrumbs to failures may be found in the event viewer, but real men will check the adprep.log files.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the repadmin tool to check and optionally troubleshoot Active Directory replication. The following one-liner will show you the schema version per Domain Controller:

repadmin /showattr * "cn=schema,cn=configuration,dc=domain,dc=tld" /atts:objectVersion

When all your Domain Controllers report Schema version 47, you’re good to go with the next steps.
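The same check, scripted so that every replica is read individually and a stale Domain Controller stands out, as an added example that is not part of the original post. It uses System.DirectoryServices (plain LDAP), so it also works against Windows Server 2003 (R2) / 2008 Domain Controllers that have no Active Directory Web Services; it assumes you run it from a domain-joined Windows machine that can reach every Domain Controller on TCP 389.

```powershell
# Added example: verify the schema version on every Domain Controller in the forest
# after adprep /forestprep. Each DC is bound to directly over LDAP, so the value
# reflects that DC's own replica rather than whichever DC the locator picks.

$ExpectedSchemaVersion = 47   # objectVersion written by the Windows Server 2008 R2 adprep

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

$results = @(foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $version = $null
        try {
            # RootDSE tells us this DC's schema naming context and doubles as a reachability probe
            $rootDse  = [ADSI]"LDAP://$($dc.Name)/RootDSE"
            $schemaDn = [string]$rootDse.schemaNamingContext   # CN=Schema,CN=Configuration,DC=...
            $schema   = [ADSI]"LDAP://$($dc.Name)/$schemaDn"
            $version  = [int]$schema.Properties['objectVersion'].Value
            $status   = if ($version -eq $ExpectedSchemaVersion) { 'OK' } else { 'NOT REPLICATED' }
        } catch {
            $status = "UNREACHABLE ($($_.Exception.Message))"
        }
        # New-Object/Select-Object instead of [PSCustomObject] so this runs on PowerShell 2.0 as well
        New-Object PSObject -Property @{
            Domain           = $domain.Name
            DomainController = $dc.Name
            Site             = $dc.SiteName
            SchemaVersion    = $version
            Status           = $status
        } | Select-Object Domain, DomainController, Site, SchemaVersion, Status
    }
})

$results | Sort-Object Domain, DomainController | Format-Table -AutoSize

$notReady = @($results | Where-Object { $_.Status -ne 'OK' })
if ($notReady.Count -eq 0) {
    Write-Host "All $($results.Count) Domain Controllers report schema version $ExpectedSchemaVersion."
} else {
    $names = ($notReady | ForEach-Object { $_.DomainController }) -join ', '
    Write-Warning "$($notReady.Count) Domain Controller(s) do not report schema version $ExpectedSchemaVersion yet: $names"
    Write-Warning 'Wait for replication (repadmin /replsummary) before promoting a Windows Server 2008 R2 Domain Controller.'
}
```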


Install the first Windows Server 2008 R2 Domain Controller

You could already start installing Windows Server 2008 R2 on a fresh box and make it a member of the domain, while preparing your Active Directory. Taking care of an update, a backup and an anti-malware infrastructure might take some time, so why not spend it wisely?

When you're done preparing your Active Directory and checking the replication process, you can safely go ahead installing the first Windows Server 2008 Domain Controller by promoting a Windows Server 2008 box to a Domain Controller, using dcpromo.exe.

When running dcpromo.exe make sure you select to make this Domain Controller an extra Domain Controller for the Active Directory domain you're transitioning. Type a secure password for Directory Services Restore Mode (DSRM).

Tip:
Write down the Directory Services Restore Mode (DSRM) password.

Since each Active Directory Domain Controller stores a copy of the Active Directory information, like users, computers, etc. and the NETLOGON and SYSVOL shares, your new Windows Server 2008 R2 Domain Controller will be open for business after you have restarted it to complete the wizard.


Install additional Domain Controllers

Installing additional Windows Server 2008 R2 Domain Controllers is as easy as purchasing them, licensing them, installing them and promoting them. There's really nothing to it: Once you've introduced the first Windows Server 2008 R2 Domain Controller you know how to do it.

If you find installing loads of Domain Controllers is a tedious job you might want to promote servers to Domain Controllers using answer files. When Domain Controllers need to be placed in locations with limited connectivity or bandwidth constraints you might want to explore the Install from Media (IFM) possibilities.


Check proper installation, replication and updates

It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize specifically are:

  • dcpromo.log
    All the events regarding the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services
  • dcpromoui.log
    All the events from a graphical interface perspective

Also check the event viewer.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.)

Windows Server 2008 updates for server roles are only offered to Windows Servers that actually have the role installed. So after you've promoted your Windows Servers, make sure you run Windows Update on them to make sure no nasty bugs in the Active Directory Domain Controller role remain.


Take care of FSMOs and GCs

Using the Active Directory Sites and Services MMC Snap-in, make the new Windows Server 2008 R2 Domain Controllers Global Catalog servers where appropriate.

Also transfer the Flexible Single Master Operations (FSMO) Roles to the appropriate servers. You can use the graphical interface to move the Flexible Single Master Operations (FSMO) Roles, or go full out on the command line using ntdsutil.

In multiple Domain scenarios Jorge has a good rule of thumb on Global Catalogs and the Infrastructure Master Flexible Single Master Operations (FSMO) Role. Either:

  • Don't make the Domain Controller holding the Infrastructure Master Flexible Single Master Operations (FSMO) Role a Global Catalog server, (and only) when there is another Domain Controller in the same Active Directory domain that is not a Global Catalog either;
  • Make all Domain Controllers Global Catalog servers.

When your environment includes Microsoft Exchange Server reboot a Domain Controller after making it a Global Catalog server. Microsoft Exchange communicates with Active Directory through Global Catalogs using MAPI. Although the Active Directory Sites and Services MMC Snap-in doesn't ask for it you need to restart a Domain Controller at least one time after making it a Global Catalog before it starts talking MAPI.

Make sure your Windows Server 2003 (R2) / 2008 Domain Controllers are no longer clinging on to any of the Flexible Single Master Operations (FSMO) Roles using the graphical user interface, or the following command using netdom.exe:

netdom.exe query fsmo
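A scripted version of this check, as an added example that is not part of the original post: it lists all five FSMO role holders and their Global Catalog status, flags any role still held by a Domain Controller that does not report Windows Server 2008 R2 as its operating system, and applies the Infrastructure Master / Global Catalog rule of thumb quoted above. It uses System.DirectoryServices.ActiveDirectory only, so it runs against Windows Server 2003 (R2) / 2008 Domain Controllers too; it assumes a domain-joined Windows machine with LDAP access to the Domain Controllers.

```powershell
# Added example: inventory FSMO role holders and Global Catalogs across the forest and
# point out placements that still need attention before the old DCs are demoted.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

function New-RoleRecord($Scope, $Role, $Holder) {
    # $Holder is a DomainController object; OSVersion is the DC account's operatingSystem attribute
    New-Object PSObject -Property @{
        Scope  = $Scope
        Role   = $Role
        Holder = $Holder.Name
        OS     = $Holder.OSVersion
        OnR2   = ($Holder.OSVersion -like '*Windows Server 2008 R2*')
        IsGC   = $Holder.IsGlobalCatalog()
    }
}

$roles = @()
$roles += New-RoleRecord $forest.Name 'Schema Master'        $forest.SchemaRoleOwner
$roles += New-RoleRecord $forest.Name 'Domain Naming Master' $forest.NamingRoleOwner
foreach ($domain in $forest.Domains) {
    $roles += New-RoleRecord $domain.Name 'PDC Emulator'          $domain.PdcRoleOwner
    $roles += New-RoleRecord $domain.Name 'RID Master'            $domain.RidRoleOwner
    $roles += New-RoleRecord $domain.Name 'Infrastructure Master' $domain.InfrastructureRoleOwner
}

$roles | Select-Object Scope, Role, Holder, OS, OnR2, IsGC | Format-Table -AutoSize

# 1. No role may stay behind on a Windows Server 2003 (R2) / 2008 Domain Controller.
foreach ($r in @($roles | Where-Object { -not $_.OnR2 })) {
    Write-Warning ("{0} for {1} is still held by {2} ({3}); transfer it before demoting that DC." -f `
        $r.Role, $r.Scope, $r.Holder, $r.OS)
}

# 2. Infrastructure Master vs. Global Catalog, per domain: the role holder may only be a
#    GC when every DC in the domain is a GC; otherwise it must sit on a DC that is not a GC.
foreach ($domain in $forest.Domains) {
    $dcs = @($domain.DomainControllers)
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog() })
    $im  = $domain.InfrastructureRoleOwner
    if ($gcs.Count -eq $dcs.Count) {
        Write-Host "$($domain.Name): all $($dcs.Count) DCs are Global Catalogs; Infrastructure Master placement is fine."
    } elseif ($im.IsGlobalCatalog()) {
        Write-Warning "$($domain.Name): Infrastructure Master $($im.Name) is a GC while not all DCs are; move the role to a non-GC DC or make every DC a GC."
    } else {
        Write-Host "$($domain.Name): Infrastructure Master $($im.Name) is not a GC and not all DCs are GCs; OK."
    }
}
```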


Demote your old Domain Controllers

I've seen Domain Controllers become the prostitutes of the server room in many environments. Any software that didn't require a dedicated server or was deemed highly dependent on the Active Directory was installed on the Domain Controller. When you're one of the administrators treating their Domain Controllers like that you're going to have a hard time demoting your Domain Controllers. Testing demotions in a separate (virtual) testing environment could give you a clear picture of the behavior of your ex-Domain Controllers though! Remember: "Everyone has a test environment, not just everyone has a production environment…"

From my personal experience I can tell you it's not recommended to demote a Domain Controller when it has Exchange Server or Internet Information Services installed after it was promoted. You're going to have to find another box to install these services on.

When your Windows Server 2003 (R2) / 2008 Domain Controllers are also Domain Name System (DNS) servers it is recommended to change the DNS zones into Active Directory Integrated DNS zones (when possible) so they get replicated to any Domain Controller running the DNS service. Installing the DNS Server role on a Windows Server 2008 R2 Domain Controller would then suffice to migrate DNS settings. Be sure to change the DNS information on your other servers and workstations, before removing DNS servers from your network.

You can safely demote a Domain Controller using the dcpromo.exe command. If you're unsuccessful you might want to try to remove the server from Active Directory the hard way, which Jorge describes here. (leaving out the percussive maintenance option though)


Raise the domain functional level

After you've successfully demoted the last Windows Server 2003 (R2) / 2008 Domain Controller for a specific domain (or you don't feel the need to ever add pre-Windows Server 2008 R2 Domain Controllers to your Active Directory environment) you're ready to raise the Domain functional level of that domain.

Upgrading the domain functional level to Windows Server 2008 R2 adds two features to your environment:

  1. Authentication Mechanism Assurance
    This mechanism adds information to the user’s Kerberos token on the type of authentication used. This allows administrators to modify group membership based on how the user authenticates. For example, a user can have access to different resources if they log in with a certificate versus when they log in with just their username and password.
  2. Automatic SPN management
    In the past administrators regularly used Active Directory user accounts as service accounts for Exchange Server, SQL Server and Internet Information Services (IIS).
    Managed Service Accounts (MSAs) can be used since Windows Server 2008 R2, and this feature allows for automatic SPN management, one of the two main benefits of these accounts.

Note:
Raising the functional level is a one way procedure. Once you've raised your forest functional level there's no way to return to the previous forest or domain functional levels.

Raising the domain functional level in Windows Server 2008 R2 looks remarkably similar to raising the domain functional level on Windows Server 2003:

  1. Log on to the Domain Controller holding the PDC emulator FSMO role with a user account that is a member of the Domain Administrators group.
  2. Open Active Directory Domains and Trusts.
  3. In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
  4. In Select an available domain functional level, click Windows Server 2008 R2, and then click Raise.


Raise the forest functional level

After you've successfully upgraded the domain functional level of all the domains in your Active Directory forest you're ready to upgrade the Forest functional level. This will not add any features, but all domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default, and it allows for enabling the Active Directory Recycle Bin feature.

Note:
Raising the functional level is a one way procedure. Once you've raised your forest functional level there's no way to return to the previous forest or domain functional levels.

To upgrade the forest functional level to Windows Server 2008 R2 perform the following actions:

  1. Log on to the Domain Controller of the forest root domain holding the PDC Emulator FSMO role with a user account that is a member of the Enterprise Administrators group.
  2. Open Active Directory Domains and Trusts.
  3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
  4. Under Select an available forest functional level, click Windows Server 2008 R2, and then click Raise.

Alternatively you can use the following two PowerShell commands (the module name has no space, and the forest and target mode are passed as parameters):

Import-Module ActiveDirectory
Set-ADForestMode -Identity domain.tld -ForestMode Windows2008R2Forest


Enable Active Directory Optional Features

When your Active Directory environment runs the Windows Server 2008 R2 Forest Functional Level you can enable the Windows Server 2008 R2 Active Directory Optional Feature: Active Directory Recycle Bin.

To enable this feature, run the following simple PowerShell one-liner:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=tld' -Scope ForestOrConfigurationSet -Target 'domain.tld'


Run the Active Directory Best Practices analyzer

Another cool new feature in Windows Server 2008 R2 is the Active Directory Domain Services Best Practices Analyzer (BPA). Using the BPA you can scan your Active Directory infrastructure for compliance with the Best Practices.

The Active Directory Domain Services BPA can be run using the Server Manager or using the PowerShell Cmdlets. To run the scan from Server Manager perform the following steps:

  1. Log on to a domain controller that has Windows Server 2008 R2 installed.
  2. Open Server Manager.
  3. In the console tree of Server Manager, expand the Roles node, and then select the Active Directory Domain Services role.
  4. Scroll down to the Best Practice Analyzer section.
  5. Click on the Scan This Role link on the right.

Tip!
Server Manager can be used to scan a local or remote computer. To scan a remote computer, simply use the Connect to Another Computer option in Server Manager.

Using your common sense, make the configuration changes for the noncompliant settings listed as warnings and errors.


Concluding

Transitioning your Active Directory to Windows Server 2008 R2 seems as easy as running adprep.exe or adprep32.exe and installing Windows Server 2008 Domain Controllers. It might be in small shops with one single Domain Controller in one single Active Directory domain in its own forest with one single Active Directory site.

In larger environments be sure to check whether what you're doing is successfully installed, performed and replicated before you screw up your Active Directory environment though!

Related posts

Considerations when upgrading your Active Directory to Windows Server 2008 and 2008 R2
An early look at new Active Directory features

Further reading

Active Directory in Windows Server 2008 and Windows Server 2008 R2
Migrate Server Roles to Windows Server 2008 R2
Migrating to Active Directory 2008 R2
Migrating to Active Directory 2008 R2
Migrating an Active Directory Domain Controller from Windows 2000 to Windows 2008 R2
Migrate Active Directory from 2003 R2 to 2008 R2 Server Core
Windows Server 2008 R2 Migration Guide – Replacing Existing Domain Controllers
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains (DOC)
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains (WEB)
Upgrading Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains
Running ADPREP To Upgrade the AD Forest/Domain

7 Responses to Transitioning your Active Directory to Windows Server 2008 R2

  1.  

    Really great blog with a ton of great info Sander. Hope things are going well and hope to see you in Seattle again next year.

    Thanks

    Mike

  2.  

    Do I need to demote the 2003 domain controller? Or can I just simply shut it down?
    Also I want to ask about DNS. I have an integrated DNS with 2003 Active Dir with IP, let's say, 192.168.1.10, and the same IP is for the 2003 Domain controller which I want to shut down. How to fix DNS with the new server IP, let's say 192.168.1.20?

  3.  

    Do I need to demote the 2003 domain controller? Or can I just simply shut it down?

    It is best to demote the Windows Server 2003 Domain Controller, since you'll want to remove it as a replication partner in your Active Directory infrastructure. You can perform a demotion by running dcpromo.exe and walking through the wizard. You will need to reboot the Windows Server 2003 box afterwards. Only when normal demotion fails, you need to perform a force removal and/or metadata cleanup.

    Also I want to ask about DNS. I have an integrated DNS with 2003 Active Dir with IP, let's say, 192.168.1.10, and the same IP is for the 2003 Domain controller which I want to shut down. How to fix DNS with the new server IP, let's say 192.168.1.20?

    When your Windows Server 2003 Domain Controller is also a DNS Server for an Active Directory-integrated DNS Zone you will need to point your clients and member servers to the IP address of the new Windows Server 2008 Domain Controller as their DNS Server. Perform the following actions:

    1. Make the Windows Server 2008 R2 Domain Controller a DNS Server, by adding the DNS Server role through Server Manager. Since the DNS zone is Active Directory-integrated, the zone will automatically replicate to the new Domain Controller. Allow sufficient time for replication.
    2. When you're using DHCP (reservations) for clients and/or (member)servers, update the DNS Server option (006) to reflect the new IP address of the new Domain Controller. Remove the IP address here for the Windows Server 2003 Domain Controller.
    3. When (member)servers and/or clients are configured with static IP addresses, change the IP addressing information for these servers/clients to either use a DHCP reservation or change the IP address for the (Primary) DNS Server to the IP address of the Windows Server 2008 R2 Domain Controller.
    4. When the DNS zone is accessed from outside of your network, change this information as well. This is particularly important, when the Windows Server 2003 Domain Controller is the authoritative DNS Server for your public DNS domain. (not a very common or sensible scenario with Active Directory-integrated DNS zones, I might add)
    5. Monitor the connections to the Windows Server 2003 Domain Controller using Network Monitor and/or Wireshark to see whether any other hosts are using the DNS information on the box.
    6. When no more hosts are using the Windows Server 2003 Domain Controller as their DNS server and no DNS issues arise, you can remove the DNS Server from the Windows Server 2003 Domain Controller and continue with other steps to transition your Active Directory.

    Good luck!

  4.  

    Hi,

    I am planning a transitional upgrade to AD 2008 R2, Can I do the following so that I do not need to change my DHCP, DFS and DNS settings:

    1. Refresh-readiness phase complete – servers up to Windows 2003 Service Pack 2.
    2. Backup of Active Directory and System State completed and verified.
    3. Move FSMO roles from DC-01 to DC-02.
    4. Backup of Active Directory and System State completed and verified.
    5. DCPROMO down DC-01.
    6. Remove DC-01 from domain.
    7. Power down DC-01.
    8. Build new 2008 R2 Server (DC-01) on virtual environment (as per old DC-01 settings).
    9. On DC-02 run ADPREP /Forest & /Domain.
    10. Backup of Active Directory and System State completed and verified.
    11. Join new DC-01 to domain.
    12. DCPROMO new DC-01.
    13. Backup of Active Directory and System State completed and verified.
    14. Move roles back to new DC-01 – NO Global Catalog
    15. DCPROMO down DC-02.
    16. Remove DC-02 from domain.
    17. Power down DC-01.
    18. Build new 2008 R2 Server (DC-02) on virtual environment (as per old DC-02 settings).
    19. Join new DC-02 to domain.
    20. DCPROMO new DC-02.
    21. Enable DC-02 as a Global Catalog.
    22. Backup of Active Directory and System State completed and verified.

    Main thing here is that any config in my network services pointing to the original server names will not need updating as the new 2008 DCs will be brought back in with the same hostnames.

    Thanks

  5.  

    Hi Hedgesn2,

    Your high-level steps seem to be well thought through and OK.
    Below are some pointers, that might be of help:

    • Step 1
      Also verify correct replication between the two Domain Controllers. You can use repadmin or replmon for that. The Active Directory Topology Diagrammer (ADTD) is also a good option.
    • Step 3
      As described above, after moving the FSMO roles, verify correct transfer. Using the command netdom.exe query fsmo on both Domain Controllers should be enough when both Domain Controllers return the same information.
    • Step 5 (and step 15)
      If demotion is unsuccessful for any reason, perform metadata cleanups using the information in this TechNet article.
    • Step 6 (and 16)
      Also keep in mind you'll want to delete the computer account for the Domain Controllers in Active Directory Users and Computers and Active Directory Sites and Services. This might have implications on SPNs you might have configured.
    • Step 9
      Use adprep32.exe (instead of adprep.exe) from the Windows Server 2008 R2 DVD on your x86 Windows Server 2003 Domain Controller.
      Also, check for correct replication afterwards as described above.

    Additional side notes:

    • Running virtualized Domain Controllers
      Make sure you have an understanding of the implications of running virtualized Domain Controllers. When you're not the virtualization admin, you should make sure (s)he does not pause or snapshot your Domain Controllers, ever.

      Your virtualization environment might also point to your current Domain Controllers, which might pose problems a. when performing the steps above, b. when running the environment post-migration, c. when troubleshooting the environment post-migration, d. when rebooting the environment post-migration.

      For more information on running virtualized Domain Controllers, read these blogposts:

  6.  

    Hi,

    Thanks for the guide! Great summary!

    I read through microsoft notes on best practice when upgrading to a 2008r2 AD (transitioning with a new r2 server from an old 2003/2008 DC) and found one part a bit peculiar… Perhaps anyone can shed some light.
    Why do MS recommend that you transfer the IP address and hostname from the source server to the destination server?
    I could see a reason that you don't have to specify a new DNS server IP for the clients to use…. but in my point of view it would be a much cleaner upgrade to just have a completely new server with a new IP and a new hostname and just change the IP for the clients to use… Or have I missed something else that needs to have the old server's IP address still in use?

    Thanks for any hints!

  7.  

    Thank you so much for taking the time to post this very useful guide. I'm preparing to transition a global network from 2003 to 2008 R2 in the upcoming weeks, and this has been great information.

    Larry
