Solved

Upgrading AD to 2008 from existing 2003/2000 level

Posted on 2008-10-20
10
427 Views
Last Modified: 2012-08-13
Hi There,

Currently we are running a Windows 2003 Server and a Windows 2000 Server as Domain Controllers.  As far as I remember the 2003 server is the FSMO role holder, but I will check this and make it so if it isn't.

I am looking to make our new Windows 2008 member server into a domain controller and demote the existing controller.

Having done some reading on this I want to confirm that the following steps are correct.

1. Ensure the 2003 server is the FSMO role holder and transfer the roles to it if not.

2. On the 2003 server run the forest prep and domain prep commands from the 2008 server DVD.

3. Promote the new 2008 server to be a DC.

4. Install and configure DNS on the new 2008 server.

5. Demote the 2000 server and uninstall the DNS role from it.

6. Install the DNS role on the new 2008 server and configure it.

7. Transfer the FSMO roles to the new 2008 server.

I know step 7 isn't required here but I also need to rename my existing 2003 server to bring it in line with parent company naming convention so I will have to demote it, rename it then promote it again.

If I have missed anything, or got the order wrong I would be very grateful for any corrections or hints.

Many Thanks

Steve
0
Comment
Question by:stevencUK
  • 5
  • 4
10 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 175 total points
ID: 22756441

Hey Steve,

4 and 6 are duplicated :) 4 is the right position for this move in my opinion. Although I seem to remember that you'll be prompted for DNS installation as an optional role during promotion.

Renaming a DC is well documented here:

http://technet.microsoft.com/en-us/library/cc782761.aspx

Don't forget to check the Forest and Domain functional levels in there. You need at least Windows 2000 (Native). The higher the better, but do remember that changes in functional level are not reversible.

Chris
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 75 total points
ID: 22759302

I've posted my run-down which I usually post on Domain Controller Switches below. The main point I'd suggest you focus on is ensuring you are running AD-integrated DNS (links below); this makes the steps of DNS migrations over to the new server so much easier, because it replicates with Active Directory.

Renaming a DC isn't as difficult as requiring a demotion and repromotion. The article Chris posted pretty much details the steps, although remember a rename with Netdom will only work if your Domain Functional Level is set to Windows Server 2003 - impossible while you still have that Windows 2000 DC running! In critical cases where the DC cannot be promoted, I usually perform a Computer Name change in Control Panel, System, and restart the server to update DNS records; not the best solution, but it does the job.

Matt
-tigermatt

--

Install Windows Server 2008 onto the new server which is intended to be promoted as a Domain Controller. Ensure the new server is assigned a routable static IP address on your IP subnet. Ensure the IP address is not included in any of your existing DHCP scopes. The only DNS server entry at this stage should be the IP address of one of the Domain Controllers which is running the DNS server service on your network.

After installation, join the new machine to the existing domain as a member server. This procedure is exactly the same as joining a workstation to the domain.

Since you are upgrading the Operating System on the new Domain Controller, you will need to add some values to the existing Active Directory schema, in order for the new server to become a Domain Controller. Windows Server 2008 supports more functionality than before, so a schema upgrade for the domain and forest is required to facilitate this and make this new feature set fully functional on the domain. To make the necessary changes, you must be logged on as the built-in Administrator user account, or a user with Domain, Schema and Enterprise Admin privileges.

Insert the Windows Server 2008 media into your current server which is holding the Schema Master Operations Role (FSMO role). Open a command prompt and browse to sources\adprep folder within the Windows Server 2008 DVD media. Execute the command adprep /forestprep. Once complete, you must wait for the changes to be replicated to all domain controllers in the domain and forest before you can continue.

Next, execute adprep /domainprep . You must be logged on as a Domain Admin user for these steps to work correctly. Once these commands have run and replication has taken place your Active Directory schema will have been extended to support Windows Server 2008 as a Domain Controller.

Promote the new server as a Domain Controller for the domain. Enter dcpromo at a command prompt and follow the wizard. When prompted, select the option for an additional domain controller in an existing domain. After the wizard completes, the new server will be acting as a Domain Controller for your domain. It is necessary at this point to restart the server for these changes to be applied.

In a single-domain Active Directory forest, all servers should also be Global Catalog servers. The Global Catalog is a required component of Active Directory which is used during logins to establish universal group membership for a user account. To promote the new server as a Global Catalog, open Active Directory Sites and Services from the Administrative Tools container within Control Panel or on the Start Menu. Double-click Sites, then Servers, followed by the name of the new server. Next, right-click "NTDS Settings" and select Properties. On the General tab, check the Global Catalog checkbox. Restart the new Domain Controller for changes to take effect.

Since you intend on removing the old Domain Controller from the domain, you need to transfer all the Operations (FSMO) roles to the new Domain Controller.

The current FSMO role configuration for your network can be found by running the command "netdom query fsmo" at a command prompt on a Domain Controller.

To transfer these FSMO roles to the new domain controller, follow the information detailed in the following Microsoft Support article: http://support.microsoft.com/kb/324801. Please ensure any other information you follow is information regarding the TRANSFER of FSMO roles. Seizing FSMO roles is an emergency operation which should not be performed during this procedure.

DNS is a critical component of your Active Directory network. The easiest way to install the DNS role onto the new server is to follow the instructions outlined at http://technet2.microsoft.com/WindowsServer2008/en/library/3cf4d1b1-7a6e-4438-bf4f-22d9468c17321033.mspx You should be already using Active Directory-integrated DNS zones, which is the easiest method of allowing DNS replication to occur - DNS information is stored in Active Directory and replicates with Domain Controller replication traffic. To check if your DNS zones are AD-integrated (and convert them if not), please follow http://support.microsoft.com/kb/227844.

You probably want to enable DNS forwarding in the DNS console on the server, too. This forwards lookups for external domains to a DNS server at your ISP, which allows the server to effectively resolve DNS for external domains. More information on forwarders can be found at http://technet2.microsoft.com/WindowsServer/en/Library/ee992253-235e-4fd4-b4da-7e57e70ad3821033.mspx.

To move DHCP to the new server, you will need to first install the role. To install the role in Windows Server 2008, check the DHCP Server role option within the Add Roles wizard in the Server Manager. To correctly configure DHCP after the role is installed on your new server, you will need to ensure you configure it to distribute IP addresses which are in a different range to the IP scope defined on the other DHCP servers. You should also ensure the correct DNS and WINS servers are entered into the scope options. Remember that the only DNS servers which should be configured on workstations are the Domain Controllers which are also acting as DNS servers - no ISP DNS server should ever be set through DHCP.

Once all of these steps have been completed, you should have successfully transferred all of the Active Directory roles to the new domain controller. At this stage, I would suggest you shut down the old domain controller and check to ensure all services on workstations and servers are working correctly - including logins. If they are, you should be safe to switch the old DC back on, run dcpromo and demote it from its Domain Controller role. This will remove the DC as a Domain Controller, leaving it as a member server on the network.

To completely remove the DC from the network, you will need to remember that any other data - including folder redirection folders and user profiles - should be replicated or otherwise transferred to either the new server or another location on the network.
0
 

Author Comment

by:stevencUK
ID: 22765895
Thanks for all the help guys.

Chris, I must have had a "moment" when I duplicated the DNS bit. Doh!

Looking in AD Domains and Trusts I can see the forest functional level is currently 2000.  Obviously I can't raise that until I get rid of the old 2000 DC.  The domain functional level is currently 2000 mixed.  Should that be changed to Native and will there be any problems in doing this?

Matt, looking in the DNS manager I can see that my forward lookup zone is AD Integrated primary as are the 4 reverse lookup zones.  We have 4 different IP subnets across the company.  Hopefully this means that DNS won't be an issue.

Cheers so far.

Steve
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 175 total points
ID: 22765927

The forest functional level is fine as 2000 :) But getting out of Mixed mode is a good plan. I don't anticipate any problems with a change like this, at least I've yet to see one. Mixed mode is only required if you need to run NT4 BDCs.

Chris
0
 

Author Comment

by:stevencUK
ID: 22765978
OK, domain moved to native mode.  Nothing broken yet ;o)
0
 

Author Comment

by:stevencUK
ID: 22766013
Just checked the FSMO role holders and got this.

C:\>netdom query fsmo
Schema owner                2003 DC

Domain role owner           2003 DC

PDC role                    2003 DC

RID pool manager            2003 DC

Infrastructure owner        2000 DC

The command completed successfully.


Do I need to change the Infrastructure owner before I start the 2008 adprep?
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 175 total points
ID: 22766072

No, ADPrep only modifies the Schema and therefore the Schema Master :)

Chris
0
 

Author Comment

by:stevencUK
ID: 22766356
Cool.  I have looked into transferring the Infrastructure owner to the 2003 server, however when I tried to do it I got a warning that the 2003 server was a global catalog server and that the two shouldn't be the same.

Given that I will eventually demote the 2000 DC, will the infrastructure owner be transferred to either the 2003 DC or the new 2008 DC automatically?
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 175 total points
ID: 22766483

In my opinion you should make all DCs Global Catalogs. That's pretty standard for small networks. The rule for the Infrastructure Master doesn't apply if all DCs are Global Catalogs. You should find a statement to that effect in the MS description for the Infrastructure Master as well :)

It should attempt to transfer automatically, but I always do it as a separate step before beginning demotion just to be absolutely sure it won't bother me.

Chris
0
 

Author Closing Comment

by:stevencUK
ID: 31507775
Thanks for all the help, especially to Chris.  Job Done. :o)
0

Join & Write a Comment

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now