tech2010

Active Directory migration from 2000 to 2003

Hi

We have got 5 Windows 2000 domain controllers at headquarters. The FSMO roles are spread across these domain controllers: one of them is Schema Master, another is RID and PDC Emulator, and another has Domain Name Master and Infrastructure Master on the same box.
Now we are looking to migrate from 2000 to 2003. What is the best way to upgrade our Active Directory from 2000 to 2003? How can we achieve this whole project? I mean, if we had just one DC and all the roles on one DC then it would be easy, but in our scenario how can I do it best?

Thanks
Mike Kline

FSMO role placement really won't affect your upgrade process, but there are some recommendations
http://support.microsoft.com/kb/223346
So the first thing you will want to do is prepare your forest for 2003. You will hear people refer to that as adprep. You will run the forestprep on your schema master and I run domainprep on my infrastructure master.
Daniel has some steps here
http://www.petri.co.il/windows_2003_adprep.htm
Some follow-up questions: how is your DNS set up now (is it AD integrated)?
Are you planning to add new 2003 servers or do you want to upgrade in place?
 
Thanks
Mike
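
An added example, not part of the original thread: a small Python helper that reads `netdom query fsmo` output and works out which DC gets `adprep /forestprep` and which gets `adprep /domainprep`, following the placement given in the reply above. The role label text and the host names in the sample are assumptions; the sample is constructed to mirror the asker's layout.

```python
import re

# Role labels as printed by `netdom query fsmo` (Windows 2000/2003 Support Tools).
# Assumption: the label text below matches the tool output on your DCs.
ROLE_LABELS = {
    "schema owner": "schema",
    "domain role owner": "domain_naming",
    "pdc role": "pdc",
    "rid pool manager": "rid",
    "infrastructure owner": "infrastructure",
}

def parse_fsmo(output):
    """Return {role: dc_hostname} parsed from `netdom query fsmo` text."""
    holders = {}
    for line in output.splitlines():
        # Label and host are separated by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in ROLE_LABELS:
            holders[ROLE_LABELS[parts[0].lower()]] = parts[1].strip().lower()
    missing = set(ROLE_LABELS.values()) - set(holders)
    if missing:
        raise ValueError("role holder not found for: " + ", ".join(sorted(missing)))
    return holders

def adprep_plan(holders):
    """Ordered (dc, command) steps: forestprep first, then domainprep."""
    return [
        (holders["schema"], "adprep /forestprep"),
        (holders["infrastructure"], "adprep /domainprep"),
    ]

def split_roles(holders):
    """Group roles by DC to show how spread out they are before any transfer."""
    by_dc = {}
    for role, dc in holders.items():
        by_dc.setdefault(dc, []).append(role)
    return {dc: sorted(roles) for dc, roles in by_dc.items()}

# Constructed sample mirroring the asker's layout; host names are made up.
SAMPLE = """\
Schema owner                dc1.corp.example
Domain role owner           dc3.corp.example
PDC role                    dc2.corp.example
RID pool manager            dc2.corp.example
Infrastructure owner        dc3.corp.example
The command completed successfully.
"""

if __name__ == "__main__":
    for dc, cmd in adprep_plan(parse_fsmo(SAMPLE)):
        print(f"{dc}: {cmd}")
```

Running `split_roles` again after the new 2003 DC is promoted shows at a glance which roles still sit on Windows 2000 boxes.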
 
Mike has pretty much all you need. "adprep" and "domainprep" will definitely be the first thing to do.

Just in addition, since you have 5 domain controllers on Windows 2000, I suggest you push for at least one new box, started from scratch with Windows Server 2003 R2, and add it as a DC to your existing W2k domain. This way, you don't have to do an in-place upgrade while keeping your domain intact, and eventually you have a healthy and clean win2k3 DC to begin with. Once you have a healthy win2k3 DC, you can follow Mike's reference above to take care of the FSMO roles. Then later you can do an in-place upgrade or complete replacement with less worry. Hopefully you have ADIZ DNS, and during the promotion of the new win2k3 DC, your DNS will be in place. DHCP should not be a concern, as you can leave it as is, or if you want to move it to the win2k3 box, you can follow the instructions here without manually recreating all your DHCP data:
http://support.microsoft.com/default.aspx?kbid=325473
zelron22

Ditto -- definitely use a new box for the upgrade.  It's much less painful than an in place upgrade on a box that has been around the box a few times.
tech2010

ASKER

Hi mkline71: Yes, I have two DNS servers and they are AD integrated (2000).

Hi Americom: I think your idea is brilliant. I would do whatever is easier and less painful. I can certainly add new hardware as a 2003 DC after running adprep on the existing schema master and infrastructure master. But here are my concerns with this:

1- Can I still use my existing DNS servers (2000 DCs) after installing the new 2003 DC? I mean, during the new 2003 DC install can I point it to use the 2000 DNS of my existing DC? I would like to upgrade my DNS as well.

2- All my existing FSMO roles will still be on the same existing servers even after installing the new 2003 DC, so I will not be taking full benefit of the 2003 DC. I mean, is it still OK that my roles are on 2000 DCs and I will be running a 2003 DC but without roles?

3- After installing the new 2003 DC, should I then not transfer all roles onto the new 2003 DC? And once all the roles are transferred, I can then either decommission the old DCs or upgrade them to 2003?

4- The way I was thinking to do this whole project was that I should first transfer all roles to one DC and then upgrade that DC first, and once successful, upgrade the remaining DCs, but I think Americom's idea is good.

1- Can I still use my existing DNS server (2000 DCs) after installing new 2003 DC, I mean during new 2003 DC can I point it to use 2000 DNS of my existing DC? I would like to upgrade my DNS as well.
You can, but you will want to make your new 2003 boxes DNS servers too, and the DNS info will replicate to them. There are features such as conditional forwarding in 2003 DNS that can be very helpful.
2- All my existing FSMO roles still be on the same existing servers even installing new 2003 DC so I will not be taking full benefit from 2003 DC. I mean is it still OK that my roles are on 2000 DC and I will be running 2003 DC but without roles?
Yes, that is fine during the upgrade project. You don't get the full benefit of 2003 until you upgrade your domain and forest to Windows 2003 functional levels.
3- After installing new 2003 DC, should I then not transfer all roles onto new 2003 DC. And once all the roles are transferred then I can either decommission old DCs or upgrade to 2003?
Yes, I'd transfer them to the 2003 boxes as they will be newer and more reliable. You can do either with the old DCs: remove them or upgrade them. In our case we demoted all our old 2000 boxes because they were no longer needed after all the 2003 boxes went up.
 
4- The way I was thinking to do whole this project was that I should first transfer all roles to one DC and then upgrade that DC first and then once successful then upgrading remaining DCs but I think Americom's idea is good.?
If you can afford a new box then definitely do that; Americom was on the money with his suggestion.
 
Thanks
Mike
1. Yes, you can still install the win2k3 DC, but point it to the win2k DNS first so that it can resolve the names of your existing DCs. When done, it should have a replicated copy of your ADIZ from your existing DC on your win2k3 DC. After all, it's ADIZ DNS, a part of your AD. Then when everything is working, you should verify that your win2k3 DC is pointing to itself as preferred DNS.

2. When you have successfully added a win2k3 DC, leave everything as is for now. You can later transfer the FSMO roles, but you still cannot take advantage of your win2k3 DC features, and that's okay. Later, when you get to upgrade or replace all your win2k DCs and have all DCs on win2k3, you can raise your domain functional level to win2k3 native from win2k native (if that's what you have now).

3. Yes and answered on #2 above.

4. This is the most painless way for most of us, as your DC hardware may be old and the OS will not be as clean as one built from scratch, with even more junk if you do an in-place upgrade. Your partition sizes may need to increase, etc., and that is the reason why we usually add a new win2k3 DC instead of an in-place upgrade. I'm sure all the experts above were thinking the same thing; on this we are on the same page.
Mike, you always beat me and I can never keep up with your super speed :)
haha, I knew taking typing in high school would pay off someday :)
Mike/Americom

What do you recommend: can I run adprep and install the new 2003 DC during work hours, or does it all have to be out of hours?

Thanks
We always do all maintenance after hours. (6 PM or later for us).  That is just in case something goes wrong.  
The chances of anything going wrong are minimal here...but just in case is why we do it later.  
 Thanks
Mike
Making updates to your existing domain, such as running adprep and adding a DC, will create updates and create replication between DCs. Even though it's a very safe process, you should still do it after hours as Mike suggested.
Thanks for both of your replies.

Just to confirm: while I am installing/introducing the new 2003 DC I will install the DNS server on it as well, but where would I tell the new server to point to the existing 2000 DNS so that it will pull/replicate all the records onto itself?
Just put the 2000 DNS server as the primary DNS server on your NIC.  It will know to look there for the info.
 
Thanks
Mike
Once the Active Directory integrated DNS has replicated and is done, you may want to point the DNS back to its own IP as preferred (or primary) DNS on your NIC.
Once the new 2003 DC is installed, I believe there is no need to run the AD migration tool to migrate users/groups etc. from 2000 to 2003 because they will automatically replicate across. Is this true?

Also, I will be installing new Exchange 2003 as well (I currently have two Exchange 2000 servers running live), so the same question for Exchange 2003. Once I have installed Exchange 2003, I think I have to then run the Exchange migration wizard to move all mailboxes across, or can I just right-click on users under AD and under Exchange tasks click move mailbox? But that will not be good as I have 1000 mailboxes. So please tell me the best way to migrate mailboxes across as well. Thanks
ASKER CERTIFIED SOLUTION
Mike Kline
Thanks Mike and Americom