Solved

Upgrading Primary DC's Windows OS

Posted on 2013-05-22
13
270 Views
Last Modified: 2013-06-03
Hi,

My primary domain controller for our company is a Hyper-V virtual server, running on Windows Server 2008 x64.  I've upgraded other DC's in the company to Windows Server 2008 R2 over the last 2 years, and feel that the primary should be on the same level or higher than them.  No rationale behind that thought, just makes sense in my head.

Regardless, I'm wondering what opinion's are out there for the path to do so.  Can I safely run an in-place upgrade to 2008 R2 or 2012 or should I start from scratch and build a new virtual.  Obviously the downfall to that is that I would have to demote the current and promote the new one, which has its challenges.

Any thoughts?

Thanks!
0
Comment
Question by:SGCAdmin
  • 5
  • 5
  • 3
13 Comments
 
LVL 8

Expert Comment

by:jpgobert
ID: 39187554
An in-place upgrade from 08 x64 to 08 R2 or 2012 is supported.  If you want to cover your six then consider moving the FSMO roles to one of the other DC's, have fresh backups on-hand, and then run the upgrade.

I think you'll find the upgrade will go smoothly and you'll be fine.  Granted I don't know your environment but if everything is healthy  you should be fine.
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 39187592
Thanks for the quick reply.  Yes, everything is healthy.  So does my rationale make sense, about the PDC being at the same level or higher of other DC's?  If it were you, would you do an in-place upgrade?

Thanks :-)
0
 
LVL 8

Accepted Solution

by:
jpgobert earned 155 total points
ID: 39187628
So does my rationale make sense, about the PDC being at the same level or higher of other DC's?  

It doesn't not make sense :)  Personally I think if you have the available licensing and have no reason why it shouldn't be upgraded to match the rest of the controllers then it should be done.  Other guys would say if it isn't broken then don't change it...

If it were you, would you do an in-place upgrade?

It really depends on the age, use case and health of the box.  If the server is running well and is pretty clean (clean event logs, no sludge build up in the registry, etc.) then yeah I would.  If it were going from 2003 to 2008 R2 then no, I wouldn't.  That's just a personal preference though...

I'd definitely make sure to move the FSMO roles and take my backups first though... always better to be safe.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 1

Author Comment

by:SGCAdmin
ID: 39187784
Thanks for the insight.  Ok, 2 more things then while its fresh in your mind.  Not sure if your a Hyper-V person or not, but being that it is a virtual, I wonder if I can do the upgrade off-line, meaning, 1) back up the virtual server, 2) run the upgrade, 3) if something goes wrong, go back to original.  

Also, do you think I will need to run the 2 dcpromo commands if I go to 2008 R2 being that I have 3 other DC's that are already there.  I'm pretty sure no, but just want to double check.

Much appreciated.
0
 
LVL 8

Expert Comment

by:jpgobert
ID: 39187867
I'm definitely a hyper-v person... big time :)

I'm not sure if it would cause a problem if you disconnected the virtual network during the upgrade.  If it were a regular member server it would be fine but with it being a DC it might throw a fit since all of the services of that role are network based... on the flip side, if it does throw a fit and fail while off the network it wouldn't have a chance to make any updates to the domain that you couldn't reverse... so what the hell, give it a shot...

I'm sure you've already done all the research but just in case you might want to give this site a once over:  Technet:  Upgrade Domain Controllers....

What DCPromo commands are you talking about?  Once you've moved the FMSO roles before the upgrade (because we're being safe) the server will still be a DC.  The upgrade to 08 R2 automatically handles the directory updates for that DC and after the last reboot it comes up as a fully functional 08 R2 DC.  Are you talking about something else that I'm not thinking of?
0
 
LVL 5

Assisted Solution

by:Eddie-Lopez
Eddie-Lopez earned 155 total points
ID: 39187888
Hi there,

Sure, you should be able to back it up and restore it to the original version if you have any problems during the upgrade. Just don't use Hyper-V snapshots for that, since it's a domain controller.

And I second your thought of upgrading your PDC. If you have all your DCs on 2008R2 except your PDC, you will have to keep you Forest/Domain functionality at 2008 or lower. This may cause problems in the future if you need to install a new application that need a higher functionality level, plus you will be missing some nice new features that comes with 2008R2 functionality (like the AD Recycle Bin, for example).

Hope this helps,

Eddie
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 39188053
Actually, forget what I said about dcpromo.  I was asking about the adprep commands : /forestprep and /domainprep.  But I'm fairly sure that I only need to run that once for each OS level I go to and I've already got 3 of 6 DC's @ 2008 R2.  Also, any chance you have a 'best practice' walk through of moving the FMSO roles from one DC to another?


Eddie,   Yeah, I dont use snapshots anyway.  Just nightly backups using a Hyper-V agent for BE 2012.  And yep, thats what my brain is saying too about my rationale of upgrading.  My only question is whether I go to Server 2012 or not at this point.  I would have to buy user cals for the entire company, which can get pricey, but I have to do it at some point.
0
 
LVL 8

Expert Comment

by:jpgobert
ID: 39188159
I could look one up for you (best practice guide) but from my experience here's the key things:
Never assume you know what roles are held by what servers.  Always check first.
Verify replication is working by running dcdiag /test:replications
Take action on any problems you find
Decide which DC you want to transfer the roles to
Go ahead and perform the transfers

The following KB from Microsoft provides the steps to transfer the roles using ntdsutil:  Using Ntdsutil.exe to transfer or seize FSMO roles

The following TechNet page shows step by step on transferring the roles using the GUI AD management tools:  Transferring FSMO Roles in Windows Server 2008
0
 
LVL 5

Expert Comment

by:Eddie-Lopez
ID: 39188169
Here's some info about transferring FSMO roles:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e4c605ff-b74c-46d5-b72a-f0033e4412fa

If you can do the investment, I would go directly to 2012. And you can go from 2008 to 2012 directly, as long as your 2008 environment is 64 bits. More info on that:

http://technet.microsoft.com/en-us/library/hh994618.aspx
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 39188699
Great, thanks guys.  I need to convince the CIO that Server 2012 is worth going to, but he's in the mindset to wait for SP1.  I am going to leave this open for a couple days in case there is any more suggestions/feedback, but I appreciate all the helpful comments.  

Thanks again.
0
 
LVL 8

Expert Comment

by:jpgobert
ID: 39188785
I can help you there easily.

Put the information together on the advances in hyper-v for 2012.  Also explain to him about the new licensing schema and the fact that 2012 Standard and Datacenter have absolutely no feature differences anymore.  The only difference is in the number of VM's you're licensed for with each license you buy,

For 2-socket systems:

One Standard = bare metal install + 2 VM's on the same box.
One Datacenter = bare metal install + unlimited VM's on the same box.

I'm telling you man you can sell him on it... just gotta play your cards right :)
0
 
LVL 5

Expert Comment

by:Eddie-Lopez
ID: 39189389
That's a common mindset ("let's wait until SP1 is out before implementing it"), and it is not necessarily a bad practice. But at least I can give you my personal experience, we started implementing WS2012 about 1 month after launch. So far we got about 50 servers (both physical and virtual) running WS2012, including Domain Controllers, Hyper-V Hosts, DHCP, WSUS, Application Servers, Web Servers, etc. and no OS-related issues so far.
0
 
LVL 1

Author Closing Comment

by:SGCAdmin
ID: 39217304
Thanks to all for your knowledgeable and quick answers.  I will be upgrading before the end of the month.

Much appreciated!
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question