Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Active Directory upgrade from Win 2008 to Win 2008 R2

Posted on 2011-11-01
7
Medium Priority
?
440 Views
Last Modified: 2012-05-12
Hi, we have a Win 2008 (NOT R2) forest root with four Win 2003 R2 child domains under it.

We want to introduce a Win 2008 R2 domain controller into one of the child domains so we will need to update the schema with Adprep /forest and adprep /domain commands.

If I understand correctly, this will update the AD schema on the forest and all child domains.

However, I am wondering what testing we would need to do? We have Exchange, domino, ISA, IIS and other applications in our environment and obviously updating the AD schema will affect the underlying domain security for all of these.

Should we be performing an extensive test of everything, or am I being overly cautious??

Thanks!
0
Comment
Question by:paulo999
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 4

Accepted Solution

by:
needleboy earned 800 total points
ID: 37061909
Hi Paulo,
Upgrading AD scheme will not affect domain security and definitely not affect any Microsoft application servers like Exchange or ISA.
Procedure is very common and the only thing you should do before upgrading schema is to perform system state backup in case of a failure, which is very rare for this procedure.

Regards,
Marko
0
 

Assisted Solution

by:Vinulraja
Vinulraja earned 800 total points
ID: 37061965
Hi Paulo,

The upgrade is not changing any permission model in the forest. Preparing the schema only extends the schema configuration with new attributes for windows server 2008 R2.

For more details,

http://technet.microsoft.com/en-us/library/cc753437%28WS.10%29.aspx

Cheers,
Vinu
0
 

Author Comment

by:paulo999
ID: 37062058
Thank you both for the fast responses.

What are the back out procedures available if it does all go badly wrong? Is it to ensure that you have system state backups of the domain controllers updated to restore if needed?

Thanks.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 10

Assisted Solution

by:abhijitwaikar
abhijitwaikar earned 400 total points
ID: 37065721
ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 operating system.

It does not give any problem with current environment but for safer side please do take a system state backup of DC and go ahead for further steps.

You need to run below commands on 2003 DC.
adprep /forestprep
-Must be run on the schema operations master for the forest.
-Once for the entire forest

adprep /domainprep
-Must be run on the infrastructure operations master for the domain.
-Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain.

adprep /domainprep /gpprep
-Must be run on the infrastructure operations master for the domain.
-Once in each domain within the forest

You mentioned the server is 2008-
-If its a windows 2008 then use ADPREP.
-In Windows Server 2008 R2 includes a 32-bit version and a 64-bit version of Adprep.exe. The 64-bit version runs by default. If you want to run one of the Adprep.exe commands on a 32-bit computer, use the 32-bit version of Adprep.exe (Adprep32.exe).
0
 

Assisted Solution

by:Vinulraja
Vinulraja earned 800 total points
ID: 37067655
Hi Paulo,

System state back up of the DC which hold the schema role is a must. Apart from that you can have backup of other primary domain controller in each domain.

Thanks.
0
 
LVL 4

Assisted Solution

by:needleboy
needleboy earned 800 total points
ID: 37070031
Hi Paulo,

Just run the ADPREP cmdlets and everything will be fine :)
If you are performing regular backups, then you don't need to worry about damage to your AD environment.

When you run this commands just look at white dots and think positive :)

Marko

0
 

Author Closing Comment

by:paulo999
ID: 37152008
Thanks for all comments
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question