Solved

Domain controller 2003 to 2008 upgrade

Posted on 2012-09-19
Last Modified: 2012-10-07
I have been assigned a project to upgrade a DC, i.e. 2003 to 2008. Under Active Directory Sites and Services, under Servers, there are 4 servers: one of them is offsite at a disaster recovery site and 3 of them are on site. I am not sure how many of the 3 servers are virtual.

Can anyone kindly help me to go through upgrading of DC from server 2003 to 2008? And a fall back plan if it doesn’t work out?

They are using Symantec backup, and I haven’t worked on this site before, just started today.

Is SCCM an option? They don't have it; I just thought it might be helpful.

What should I do about the applications running on the server?

Thanks.
Question by:Leo
15 Comments
 
LVL 97

Accepted Solution

by:
Lee W, MVP earned 2000 total points
ID: 38416236
If you've never done this before you need to.  Not because I think it's terribly difficult, but you should know what to expect.  Set up a couple of VMs and do this in a test environment.

Virtual or not doesn't matter (so long as the VM hosts are not joined to the domain (i.e. Hyper-V servers running DCs as VMs while joined to the same domain)).

One point - DO NOT take snapshots of the DCs for any that are virtual.  Restoring a snapshot can seriously corrupt AD.  DON'T DO IT!

Next, three DCs at one site is pointless unless you're GM - and you're not GM or you'd have the in-house experience that you wouldn't be asking this question.  Two DCs is more than enough.  Keep the one off-site for DR, that's fine.

PERFORM A FULL BACKUP OF THE FSMO MASTER(S) - NOT using an imaging method!!
(NTBackup System State is fine)

Now, run DCDIAG /C /E /V and fix any unexplained errors that may come up (I usually redirect DCDIAG output to a file and read through it all, deleting anything that passed, leaving only the fails so I can clearly see the details on those and then I start addressing those items.  You CAN have failures that mean nothing... but research each to ensure you understand what's going on).

PERFORM A FULL BACKUP OF THE FSMO MASTER(S) - NOT using an imaging method!!
(NTBackup System State is fine)

Once you have confirmed AD is healthy, you need to run ADPREP (or ADPREP32) to prepare AD for a new DC.

Next add the new server (join it to the domain) and run DCPROMO to promote it to a DC.  Once it's a DC, ensure the NetLogon share and Sysvol shares are there and replicating (this has proven to be an issue for me in the past... actually been more reliable lately, but on several upgrades, I've had this fail.  If it fails, you need to use the BurFlags registry entry to correct FRS replication - google it - it's common).

Once you have a working 2008 DC, you can continue on to the next or demote one of the existing DCs so it's no longer around.  Once you have the 2008 DC you want to hold your FSMO roles, transfer them.

By the way - I DO NOT recommend UPGRADES.  MIGRATE - meaning install new, clean systems virtually (and direct to hardware, though installing to hardware these days SHOULD be done only when absolutely necessary, in my opinion).

DO NOT Seize roles - TRANSFER them.  DO NOT just turn off DCs when you no longer want them - run DCPROMO to DEMOTE them first!
0
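The "keep only the fails" pass over a DCDIAG log described in the answer above can be scripted. This is an added example, not part of the original answer: the sample log is constructed, the server names and the `C:\dcdiag.log` path are placeholders, and it assumes English-language dcdiag output.

```powershell
# Added example: reduce a saved "dcdiag /c /e /v" log to the tests that failed.
# $sample is constructed output for illustration; DC01/DC02/DC03 are made up.
$sample = @'
   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
         ......................... DC01 failed test Replications
   Testing server: DR-Site\DC03
      Starting test: Advertising
         ......................... DC03 passed test Advertising
      Starting test: frsevent
         There are warning or error events within the last 24 hours.
         ......................... DC03 failed test frsevent
'@

function Get-DcdiagFailure {
    param([string[]]$Line)
    $block = $null          # detail lines of the test currently being read
    foreach ($l in $Line) {
        if ($l -match '^\s*Starting test:\s*(\S+)') {
            # A new test begins: start collecting its detail lines.
            $block = New-Object System.Collections.Generic.List[string]
        }
        elseif ($l -match '^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)') {
            # Summary line closes the test; emit it only when it failed.
            if ($Matches[2] -eq 'failed') {
                New-Object psobject -Property @{
                    Target = $Matches[1]; Test = $Matches[3]
                    Detail = if ($block) { ($block -join "`n") } else { '' }
                }
            }
            $block = $null
        }
        elseif ($null -ne $block -and $l.Trim()) {
            $block.Add($l.Trim())
        }
    }
}

# For a real run (placeholder path): Get-DcdiagFailure -Line (Get-Content C:\dcdiag.log)
Get-DcdiagFailure -Line ($sample -split "`r?`n") |
    Format-List Target, Test, Detail
```

On the constructed sample this lists two entries, Replications on DC01 and frsevent on DC03, each with the detail lines that preceded its summary line.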
 
LVL 8

Author Comment

by:Leo
ID: 38416268
1) There are two DCs under the primary site and two under the DR site; they are both replicated.

2) As you suggested, first run Dcdiag. Would it affect anything if I run the test during business hours?

3) Kindly check the following tests and let me know if I need to add or change anything in them.

dcdiag /test:Connectivity /e /f:c:\dnsConnectivity.log
dcdiag /test:Replications /e /f:c:\dnsReplications.log
dcdiag /test:Topology /e /f:c:\dnsTopology.log
dcdiag /test:CutoffServers /e /f:c:\dnsCutoffServers.log
dcdiag /test:NCSecDesc /e /f:c:\dnsNCSecDesc.log
dcdiag /test:NetLogons /e /f:c:\dnsNetLogons.log
dcdiag /test:Advertising /e /f:c:\dnsAdvertising.log
dcdiag /test:KnowsOfRoleHolders /e /f:c:\dnsKnowsOfRoleHolders.log
dcdiag /test:Intersite /e /f:c:\dnsIntersite.log
dcdiag /test:FsmoCheck /e /f:c:\dnsFsmoCheck.log
dcdiag /test:RidManager /e /f:c:\dnsRidManager.log
dcdiag /test:MachineAccount /e /f:c:\dnsMachineAccount.log
dcdiag /test:Services /e /f:c:\dnsServices.log
dcdiag /test:OutboundSecureChannels /e /f:c:\dnsOutboundSecureChannels.log
dcdiag /test:ObjectsReplicated /e /f:c:\dnsObjectsReplicated.log
dcdiag /test:frssysvol /e /f:c:\dnsfrssysvol.log
dcdiag /test:frsevent /e /f:c:\dnsfrsevent.log
dcdiag /test:kccevent /e /f:c:\dnskccevent.log
dcdiag /test:systemlog /e /f:c:\dnssystemlog.log
dcdiag /test:RegisterInDNS /DnsDomain:nrdc.net /e /f:c:\dnsRegisterinDNS.log
dcdiag /test:CrossRefValidation /e /f:c:\dnsCrossRefValidation.log
dcdiag /test:CheckDRefDom /e /f:c:\dnsCheckDRefDom.log
dcdiag /test:VerifyReplicas /e /f:c:\dnsVerifyReplicas.log
dcdiag /test:VerifyReferences /e /f:c:\dnsVerifyReferences.log
dcdiag /test:VerifyEnterpriseReferences /e /f:c:\dnsVerifyEnterpriseReferences.log
dcdiag /test:CheckSecurityError /e /f:c:\dnsCheckSecurityError.log
dcdiag /test:DNS /e /f:c:\dnsDNS.log

4) What do I have to do with Exchange Server and group policies?
0
 
LVL 8

Author Comment

by:Leo
ID: 38416536
The primary DC is virtual.........would that make a difference?
0

 
LVL 97

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 2000 total points
ID: 38416773
Two DCs in the DR site is ok.  I don't know that I'd do that... but I won't argue the pros and cons - this to me is a matter of personal choice and not necessarily a best practice issue.

Running DCDIAG should not cause any issues if run during business hours.

You can run those tests separately... but why?  As I said, I just run DCDIAG /C /E /V - the /c switch runs almost every test and I think all the ones you are running separately.  Run DCDIAG /? for more information or reference: http://technet.microsoft.com/en-us/library/cc731968%28v=ws.10%29.aspx

You have to do nothing with Exchange.  And the only thing you may have to do with Group is a switch on ADPREP which should be covered in ADPREP /?.  (ADPREP /GPPREP).  Otherwise, don't overthink this.  There's nothing else to do.

What do you mean "primary"?  There is no such thing as a Primary DC in Active Directory.  Do you mean you have one server with ALL FIVE FSMO roles?  Since the FSMO roles can be placed on multiple servers, calling any server primary is wrong.  I've actually seen people get wrong (ancient) information using incorrect terminology and referring to a "PDC" in an AD domain.

It really doesn't matter that any DC is virtual.  The only issues with virtual DCs - FSMO role holders or not - is the one I pointed out about snapshots (I do think there have been changes in 2012 to allow this, but I don't recall exactly off hand and it definitely cannot/should not be done in 2008 R2).  Oh, another issue for any NEW DCs, DO NOT sync the VM's clock with the hardware - allow the VM to sync with a time server (don't know what you're using for Virtualization, but in Hyper-V time sync is a checkbox to enable/disable in the Integration features).
0
 
LVL 8

Author Comment

by:Leo
ID: 38426384
Thanks for your input. I have been told by my manager that he wants to install Server 2008 on a new virtual server, meaning he doesn't want to migrate anything, so what should I do now?
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 38427046
EXACTLY what I told you to.  To highlight:

Second to last paragraph from my first comment:
By the way - I DO NOT recommend UPGRADES.  MIGRATE - meaning install new, clean systems virtually (and direct to hardware, though installing to hardware these days SHOULD be done only when absolutely necessary, in my opinion).

But you should ask your boss - does he want a NEW DOMAIN?  Or a new server installation - a new server installation is a migration.  A new domain is - for a network that large - grounds for committal to a psychiatric hospital unless there's a VERY VERY GOOD REASON.
0
 
LVL 8

Author Comment

by:Leo
ID: 38427210
The domain is the same; he doesn't need a new domain, he just needs a new installation server. So it's a new server migration.
0
 
LVL 8

Author Comment

by:Leo
ID: 38427245
Should I start transferring FSMO roles for Windows 2003?

http://support.microsoft.com/kb/324801
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 38427277
To what?  I thought you didn't have any 2008 servers yet?

Question: Why are YOU doing this?  From the sounds of things, you have NEVER done this sort of thing.  What makes your boss think it's a good idea for you to be the one responsible for potentially bringing the company down if you do something wrong?  If you HAVE done this before, then the basic procedure should not be alien to you, but your questions and comments are suggesting it is.  

It seems you have chosen to ignore my advice in my very first post (which outlines the entire process).  At least that's the impression I've gotten.

To repeat and highlight my first three sentences:
If you've never done this before you need to.  Not because I think it's terribly difficult, but you should know what to expect.  Set up a couple of VMs and do this in a test environment.

Once you've done this AT LEAST ONCE (preferably TWICE), you can follow the rest of the directions.  Or better yet, tell your boss you need to work with someone who has done this before so you can learn from someone with experience, first hand.

I want to be clear here, I'm not trying to insult you or make you angry or irritated or pissed off - I have no doubt with some training/experimenting/reading/experience you have an excellent chance at doing this successfully (EVERY network has idiosyncrasies that could throw even a well experienced tech off), but doing this cold with no experience and formal training of any sort is ASKING for trouble.  If I were your boss and found you asking this question, I would remove you from this job or assign a more experienced person to work with you so you could learn.  DON'T hide your inexperience... that's dangerous (don't know if you are or if your boss doesn't care, in which case, he's the one who should be under review).

As far as FSMO transfer goes, I prefer Petri's documentation on the topic:
www.petri.co.il/transferring_fsmo_roles.htm
0
 
LVL 8

Author Comment

by:Leo
ID: 38435055
I will close off this question. I have recently done a project in which I installed and configured SBS 2011, certificates, zones, DNS, and ACL routes on a router.
The questions I asked were from my manager, and I knew what to say or do; I just thought that before doing anything I would confirm with an expert.
Please, in any questions I ask in future, don't help me again. No one has given you the authority to put anyone in review. I don't want to argue.
Bye.
0
 
LVL 8

Author Comment

by:Leo
ID: 38435231
I've requested that this question be deleted for the following reason:

Please delete this question; I asked the question not to get humiliated and feel bad.

Thanks.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 38435228
I'm sorry you felt humiliated or bad.  I tried to help but when you came back with what seemed to be a non-nonsensical comment based on the prior comments we both made, I felt it appropriate to illustrate that EXPERIENCE is invaluable and if you don't have it (which your comments suggested) you needed to obtain it.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 38435232
I object to the deletion because the question, as asked, was answered.  He made a sudden left turn that seemed to come out of nowhere, which prompted my last major comment.
0
 
LVL 8

Author Comment

by:Leo
ID: 38461596
I am not going to take any suggestions from leew; his suggestions were good, but he asked to put my job and my manager's job under review. I am not sure if people should come to this site to get help or to get their jobs put under review.

You can award the points. I am not going to take any suggestions from Leew.
Thanks.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 38461937
I'm sorry you were offended.  As I read your question and comments, I grew concerned about the level of knowledge you currently possess.  I want to see people successfully employ technology but my interpretation of your skill level based on your comments suggested you were not yet ready to undertake this project.  Once again, I apologize if you were offended as my intent was not to offend.
0
