Solved

Upgrading 2003 AD DNS DHCP WINS Server to 2008 R2

Posted on 2011-10-26
Last Modified: 2012-05-12
We currently have 2 AD servers. Both are 2003.
I would like to upgrade at least one to 2008. Ideally the main server that runs WINS, DNS and DHCP.

We are a small office, all client PCs are on Win 7 Pro. We have 1 network, all on one subnet.
Nothing fancy.

Our servers are all virtualized with vmware.

Can you tell me what is the best way to go about this as simply as possible, with the least disruption to users.

Thanks
0
Question by:HICT
13 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 2000 total points
ID: 37029830
Hi,
if you wish, you may follow an article on my blog, how to introduce the first 2008R2 DC in existing 2003 environment at
http://kpytko.wordpress.com/2011/08/25/adding-first-windows-server-2008-r2-domain-controller-within-windows-2003-network/

after that install DHCP and WINS roles on a server (if it will be on a DC, if not install them on separate server).

Now, migrate DHCP database. Very good walkthrough at DHCP team blog at
http://blogs.technet.com/b/teamdhcp/archive/2009/02/18/migration-of-dhcp-server-from-windows-server-2003-to-windows-server-2008.aspx

and as the last step, configure WINS role (set up Push/Pull partnership) and records will be replicated
http://technet.microsoft.com/en-us/library/cc786754%28WS.10%29.aspx

OK, it's time to modify a little bit existing environment settings. In your DHCP server/scope options (depends on your configuration) fix options 006 (DNS list) and 044 (WINS list). Add there new IP address of your new server to tell DHCP clients about new DNS and WINS servers.

For statically configured server, do it manually.

That's all. If you have more questions, do not hesitate to ask.

Regards,
Krzysztof
0
 

Author Comment

by:HICT
ID: 37030054
Hi Krzysztof....


Is it possible to do an inplace upgrade of our existing 2003 AD/DNS/DHCP/WINS server?

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 37030112
Hi,

there is only possibility if your 2003 server is 64bit platform. You cannot do in-place upgrade from 32bit to 64bit platform (2008R2 is only 64bit). However, I do not recommend doing in-place upgrade especially for Domain Controllers to prevent any mess on it after that activity.

The best choice for that is clean install of 2008 R2 server and promotion it as additional DC. After that you may transfer FSMO roles to the new DC and decommission the old one.

How to do that is also on my blog (if you're interested)
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-command-line/
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-gui/

When you transfer PDC Emulator master then you need to advertise new time server in your forest
[...]- after transfer of the PDCEmulator role, configure the NEW PDCEmulator to an external time source and reconfigure the old PDCEmulator to use the domain hierarchy now. Therefore run on the NEW "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update" where PEERS will be filled with the ip address or server(time.windows.com) and on the OLD one run "w32tm /config /syncfromflags:domhier /reliable:no /update" and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes. [...]

it's an extract from MVP blog at
http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx

after that, if you wish, you may decommission the old DC
http://kpytko.wordpress.com/2011/08/29/decommissioning-the-old-domain-controller/

Krzysztof
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 37031858
Since you are a single location entity, you don't need WINS. WINS generally hasn't been needed since Windows 2000. Otherwise follow the instructions from Krzysztof.
0
 

Author Comment

by:HICT
ID: 37031904
Hi Krzysztof....

At the DCDiag /v stage I fail on one check: failed test frsevent.
Is this normal?
If not do you know how to fix this issue...or is that a whole other question?

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 37033430
That might be related with AD replication problem. Please post here dcdiag /v output to analyze.
Maybe SYSVOL and NETLOGON don't replicate between DCs?

Krzysztof
0
 

Author Comment

by:HICT
ID: 37033512
This includes DCDiag /v and FRSDiag


Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.DOMAIN>dcdiag /v
'dcdiag' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Administrator.DOMAIN>cd..

C:\Documents and Settings>cd..

C:\>cd windows

C:\WINDOWS>cd servicepackfiles

C:\WINDOWS\ServicePackFiles>cd i386

C:\WINDOWS\ServicePackFiles\i386>dcdiag /v

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine DC01, is a DC.
   * Connecting to directory service on server DC01.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server:SERVER DESCRIPTION\DC01
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: SERVER DESCRIPTION\DC01
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=DOMAIN,DC=local
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=DomainDnsZones,DC=DOMAIN,DC=local
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Configuration,DC=DOMAIN,DC=local
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=DOMAIN,DC=local
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
         ......................... DC01 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC01.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=DOMAIN,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=DOMAIN,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=DOMAIN,DC=local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=DOMAIN,DC=local
            (Domain,Version 2)
         ......................... DC01 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC01\netlogon
         Verified share \\DC01\sysvol
         ......................... DC01 passed test NetLogons
      Starting test: Advertising
         The DC DC01 is advertising itself as a DC and having a DS.
         The DC DC01 is advertising as an LDAP server
         The DC DC01 is advertising as having a writeable directory
         The DC DC01 is advertising as a Key Distribution Center
         The DC DC01 is advertising as a time server
         The DS DC01 is advertising as a GC.
         ......................... DC01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC01,CN=Servers,CN=Head-Offic
e-Southend,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=DC01,CN=Servers,CN=Head-Offic
e-Southend,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=DC01,CN=Servers,CN=Head-Office-S
outhend,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=DC01,CN=Servers,CN=Head-Office-S
outhend,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC01,CN=Server
s,CN=Head-Office-Southend,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
         ......................... DC01 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 4855 to 1073741823
         * DC01.DOMAIN.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 3855 to 4354
         * rIDPreviousAllocationPool is 3855 to 4354
         * rIDNextRID: 3950
         ......................... DC01 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC DC01 on DC DC01.
         * SPN found :LDAP/DC01.DOMAIN.local/DOMAIN.local
         * SPN found :LDAP/DC01.DOMAIN.local
         * SPN found :LDAP/DC01
         * SPN found :LDAP/DC01.DOMAIN.local/DOMAIN
         * SPN found :LDAP/68307533-8a8b-4a59-8963-f77ce7c83d6e._msdcs.DOMAIN.lo
cal
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/68307533-8a8b-4a59-89
63-f77ce7c83d6e/DOMAIN.local
         * SPN found :HOST/DC01.DOMAIN.local/DOMAIN.local
         * SPN found :HOST/DC01.DOMAIN.local
         * SPN found :HOST/DC01
         * SPN found :HOST/DC01.DOMAIN.local/DOMAIN
         * SPN found :GC/DC01.DOMAIN.local/DOMAIN.local
         ......................... DC01 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DC01 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         DC01 is in domain DC=DOMAIN,DC=local
         Checking for CN=DC01,OU=Domain Controllers,DC=DOMAIN,DC=local in doma
in DC=DOMAIN,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC01,CN=Servers,CN=Head-Office-South
end,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local in domain CN=Configuration,DC=h
i-tec,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... DC01 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DC01 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Error Event occured.  EventID: 0xC00034F7
            Time Generated: 10/26/2011   00:59:48
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00034F7
            Time Generated: 10/26/2011   05:19:48
            (Event String could not be retrieved)
         ......................... DC01 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... DC01 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... DC01 passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC01,OU=Domain Controllers,DC=DOMAIN,DC=local and backlink on
         CN=DC01,CN=Servers,CN=Head-Office-Southend,CN=Sites,CN=Configuration,
DC=DOMAIN,DC=local
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=DC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Se
rvice,CN=System,DC=DOMAIN,DC=local
         and backlink on CN=DC01,OU=Domain Controllers,DC=DOMAIN,DC=local are
         correct.
         The system object reference (serverReferenceBL)
         CN=DC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Se
rvice,CN=System,DC=DOMAIN,DC=local
         and backlink on
         CN=NTDS Settings,CN=DC01,CN=Servers,CN=Head-Office-Southend,CN=Sites,
CN=Configuration,DC=DOMAIN,DC=local
         are correct.
         ......................... DC01 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : DOMAIN
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom

   Running enterprise tests on : DOMAIN.local
      Starting test: Intersite
         Skipping site Head-Office-Southend, this site is outside the scope
         provided by the command line arguments provided.
         ......................... DOMAIN.local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\DC01.DOMAIN.local
         Locator Flags: 0xe00001fd
         PDC Name: \\DC01.DOMAIN.local
         Locator Flags: 0xe00001fd
         Time Server Name: \\DC01.DOMAIN.local
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\DC01.DOMAIN.local
         Locator Flags: 0xe00001fd
         KDC Name: \\DC01.DOMAIN.local
         Locator Flags: 0xe00001fd
         ......................... DOMAIN.local passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

C:\WINDOWS\ServicePackFiles\i386>cd C:\Program Files\Windows Resource Kits\Tools
\FRSDiag\

C:\Program Files\Windows Resource Kits\Tools\FRSDiag>dir/w
 Volume in drive C is Boot & System
 Volume Serial Number is F4D9-3640

 Directory of C:\Program Files\Windows Resource Kits\Tools\FRSDiag

[.]                      [..]                     frsdiag.exe
frsdiag.htm              frsdiag.ini              ntfrsapi.dll
ntfrsutl.exe             repadmin.exe             tooldownloadreadme.htm
               7 File(s)        460,343 bytes
               2 Dir(s)   4,659,355,648 bytes free

C:\Program Files\Windows Resource Kits\Tools\FRSDiag>frsdiag

C:\Program Files\Windows Resource Kits\Tools\FRSDiag>ping dougal

Pinging dougal.DOMAIN.local [10.10.10.XX] with 32 bytes of data:

Reply from 10.10.10.XX: bytes=32 time=1ms TTL=128
Reply from 10.10.10.XX: bytes=32 time<1ms TTL=128
Reply from 10.10.10.XX: bytes=32 time<1ms TTL=128
Reply from 10.10.10.XX: bytes=32 time<1ms TTL=128

Ping statistics for 10.10.10.XX:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\Program Files\Windows Resource Kits\Tools\FRSDiag>


Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 37036351
Looks like there is problem with SYSVOL replication (group policies)
Do you have still any 2000 DC(s) in your network? Have any of your DCs died recently or been restored from backup?

Can you install Windows Server 2003 Support Tools from CD#1 of 2003 and run

repadmin /showrepl /all /verbose /intersite
and
netdiag

and show output here? Thank you in advance.

Krzysztof
0
 
LVL 11

Expert Comment

by:netballi
ID: 37039981
Hi,

Event ID 0x800034FA = 13562 Warning - This is typically due to some missing Frs
configuration object. This is only a problem if this warning is logged every
time the machine reboots and/or the FRS service is restarted. Check the FRS
event log for more detail on this warning.

The best and easy solution is to promote the win2k8 R2 DC status &  on windows 2000 domain functional level and then transfer all FSMO roles to this server.

Demote the other win2k3 dc gracefully and then raise the domain functional level of Win2k8 r2.

You can add another Win2k8 R2 if the load on this single server is more.
0
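
The event ID decoding described in the comment above (0x800034FA = 13562 Warning), applied to the `dcdiag /v` output posted earlier in the thread. This is an added example, not code from any participant. It assumes the standard Windows message identifier layout (severity in the top two bits, event number in the low 16 bits), and the function names are hypothetical.

```python
import re

# Excerpt shaped like the dcdiag /v output posted in this thread, including
# the 80-column console wrap that splits a word across two lines.
SAMPLE = """\
      Starting test: frssysvol
         File Replication Service's SYSVOL is ready
         ......................... DC01 passed test frssysvol
      Starting test: frsevent
         An Error Event occured.  EventID: 0xC00034F7
            Time Generated: 10/26/2011   00:59:48
         An Error Event occured.  EventID: 0xC00034F7
            Time Generated: 10/26/2011   05:19:48
         ......................... DC01 failed test frsevent
      Starting test: kccevent
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... DC01 passed test kccevent
"""

SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}
VERDICT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
EVENT = re.compile(r"EventID:\s+(0x[0-9A-Fa-f]{8})")


def decode_event_id(raw):
    """Split the 32-bit value dcdiag prints into severity, facility, event number."""
    return {
        "severity": SEVERITY[raw >> 30],      # top two bits
        "facility": (raw >> 16) & 0xFFF,      # 12-bit facility code
        "event_id": raw & 0xFFFF,             # the number shown in Event Viewer
    }


def unwrap(text):
    """Rejoin console-wrapped lines (heuristic: a column-0 line directly after
    an indented line is a continuation; real headings follow a blank line)."""
    out = []
    for line in text.splitlines():
        if out and line and not line[0].isspace() and out[-1][:1].isspace():
            out[-1] += line
        else:
            out.append(line)
    return out


def parse_dcdiag(text):
    """Return one record per test verdict, with any event IDs logged under it."""
    results, events = [], []
    for line in unwrap(text):
        if "Starting test:" in line:
            events = []
        m = EVENT.search(line)
        if m:
            events.append(decode_event_id(int(m.group(1), 16)))
        v = VERDICT.search(line)
        if v:
            results.append({"target": v.group(1), "test": v.group(3),
                            "passed": v.group(2) == "passed", "events": events})
            events = []
    return results


def failures(text):
    return [r for r in parse_dcdiag(text) if not r["passed"]]


if __name__ == "__main__":
    for f in failures(SAMPLE):
        ids = sorted({(e["event_id"], e["severity"]) for e in f["events"]})
        print(f["target"], f["test"], ids)
```

The decoded number is the one to look up in the File Replication Service event log on the DC, where the full event text that dcdiag could not retrieve is recorded.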
 

Author Comment

by:HICT
ID: 37063374
C:\Program Files\Windows Resource Kits\Tools\FRSDiag>repadmin /showreps /all /verbose /intersite

Unknown option "/intersite".

C:\Program Files\Windows Resource Kits\Tools\FRSDiag>repadmin /showreps /all /verbose

Cannot open LDAP connection to /all.
0
 
LVL 11

Expert Comment

by:netballi
ID: 37064357
HICT,

I guess there is a syntax error; try the following

repadmin.exe /showrepl dc* /verbose /all /intersite

Regards,
Anil.
0
 

Author Comment

by:HICT
ID: 37064423
Sorry guys, it likes that even less :


Usage: repadmin <cmd> <args> [/u:{domain\\user}] [/pw:{password|*}]

Supported <cmd>s & args:
     /sync <Naming Context> <Dest DSA> <Source DSA UUID> [/force] [/async]
            [/full] [/addref] [/allsources]
     /syncall <Dest DSA> [<Naming Context>] [<flags>]
     /kcc [DSA] [/async]
     /bind [DSA]
     /propcheck <Naming Context> <Originating DSA Invocation ID>
         <Originating USN> [DSA from which to enumerate host DSAs]
     /getchanges NamingContext [SourceDSA] [/cookie:<file>]
     /getchanges NamingContext [DestDSA] SourceDSAObjectGuid
          [/verbose] [/statistics]

     /showreps [Naming Context] [DSA [Source DSA objectGuid]] [/verbose]
         [/unreplicated] [/nocache]
     /showvector <Naming Context> [DSA] [/nocache]
     /showmeta <Object DN> [DSA] [/nocache]
     /showtime <DS time value>
     /showmsg <Win32 error>
     /showism [<Transport DN>] [/verbose] (must be executed locally)
     /showsig [DSA]
     /showconn [DSA] [Container DN | <DSA guid>] (default is local site)
     /showcert [DSA]

     /queue [DSA]
     /failcache [DSA]
     /showctx [DSA] [/nocache]

Note:- <Dest DSA>, <Source DSA>, <DSA> : Names of the appropriate servers
       <Naming Context> is the Distinguished Name of the root of the NC
              Example: DC=My-Domain,DC=Microsoft,DC=Com

Thanks
0
 
LVL 11

Expert Comment

by:netballi
ID: 37064546
0
