Asked by cgooden01:
2008 domain upgrade on top of 2003 Current Domain Forest

Want to ensure that all of my checks and balances are in place due to the critical data and architecture on hand. So I want to have as many eyes on this as possible and indicate/explain where this may go wrong if implemented. If you see a step or process that is not warranted or needs a different order, please explain why and the results. Thank you in advance.
ASKER CERTIFIED SOLUTION
Mike Kline:
I am also waiting to see if you are posting what you believe to be the right process.

Please post.

thanks
Before starting the AD upgrade, just check that your AD is free from errors, i.e.:
- name resolution is working properly across all domains in the forest
- intersite and intrasite replication is working fine across all domains in the forest
- check AD for lingering object presence, if any (Directory event IDs 1388, 1988, 2042)
http://support.microsoft.com/kb/910205

Mahesh
cgooden01 (ASKER):
I have updated this as an attached file. Apparently, it was not attached. I will simply add it in this section.

Current Configuration

Windows Server 2003 SP1 hosting
    - Domain Controllers
    - Domain Naming System (DNS) Servers
    - Flexible Single Master Operation (FSMO) Roles
    - Member Servers (Exchange, SharePoint, File & Printer, etc.)

Assumptions
    - All existing 2003 Servers will remain on Current Hardware
    - All new 2008 R2 servers will be built on new hardware
    - All 2008 R2 servers will be either physical or Virtual
    - LDAP queries are associated with AD not a specific Domain Controller host name

Proposed Upgrade

To maintain current user accounts and associated SID and all current file permissions to the existing structure.  

Top level Process

- Introduce Windows 2008 R2 Member servers to existing 2003 Domain
- Install DNS with zone replication (non-AD integrated to existing DNS architecture)
- Promote new 2008 R2 servers to Domain Controllers (DCPROMO)
- Modify Primary DNS zone to AD integrated
- Transfer FSMO roles from 2003 to 2008 R2 Domain Controllers
- Demote (DCPROMO) existing 2003 Domain Controllers

At this point, the existing architecture would be operating on Server 2008 R2 with a Forest & Domain Functional Level of 2003. All user accounts, group memberships, email permissions and file system access remain unchanged.

Granular Steps

- Join 2008 Servers to 2003 Domain
- Verify servers have received current domain policies
- Review audit logs
- Resolve critical errors identified in logs
- Allow servers to function on domain for 24 hours
- Recheck audit logs, resolve critical errors

- Install DNS server role on new 2008 R2
- Create Primary zone
- Establish zone replication
- Review DNS and audit logs for replication errors
- Verify DNS is functional (NSLOOKUP, etc)
- Reconfigure all hosts to use new DNS Server

Promote 2008 R2 Servers to DC
- Select (1) 2008 Server
- DCPROMO to domain controller
- Verify successful DC Promotion
- Modify Primary DNS zone to AD Integrated
- Review Audit logs
- Verify Users can authenticate to new DC
- Verify DNS name resolution
- Allow server to function on domain for 24 hours
- Review audit logs, resolve critical errors

Promote Second 2008 R2 Server to Domain Controller
- DCPROMO remaining 2008 R2 to domain controller
- Verify successful DC promotion
- Modify Primary DNS zone to AD integrated
- Review audit logs, etc
- Verify users can authenticate to new DC
- Verify DNS name resolution
- Allow Server to function on domain for 24 hours
- Review audit logs, resolve critical errors

Transfer Global Catalog Server Role
- Transfer GC role to new promoted 2008 R2 Domain Controller
- Verify Successful Transfer
- Review audit logs, etc

Transfer FSMO Roles
- Follow Best Practice for FSMO role replacement
- Transfer roles to newly promoted 2008 R2 DC
- Verify site replication and user authentication
- Review audit logs, etc
- Allow Server to function on Domain for 24 hours

Demote 2003 Domain Controllers
- Verify FSMO Roles and GC have been transferred from 2003 to 2008
- Verify all domain specific errors have been resolved
- Verify all hosts are using 2008 R2 servers for DNS resolution
- Verify current 2003 DCs are not hosting file or printer shares
- Verify LDAP queries are functional
- Run DCPROMO on target 2003 DC and demote to member server
- Verify domain operations
- Review 2008 DC audit logs
- Repeat steps until all 2003 DCs are demoted
I have one suggestion on the above plan:
Why don't you modify the AD schema directly to 2012 \ 2012 R2 instead of 2008 R2?

Once the schema is upgraded, you can install 2008 R2 \ 2012 \ 2012 R2 DCs.

Your comment:

[Top level Process

- Introduce Windows 2008 R2 Member servers to existing 2003 Domain
- Install DNS with zone replication (non-AD integrated to existing DNS architecture)
- Promote new 2008 R2 servers to Domain Controllers (DCPROMO)
- Modify Primary DNS zone to AD integrated]

1st of all, you cannot set DNS zone replication if it's non-AD integrated (standard primary).
2nd, you don't need to create a standard primary zone on either the 2003 or the 2008 R2 servers. If you do it that way, it will block replication of the AD integrated zone from the 2003 server due to a conflict (zone already exists). Then you would probably end up deleting the primary zone copy on 2008 R2, and then 2003 will again replicate the primary zone copy.

I believe you must have AD integrated zones on the 2003 DCs.
When you promote the 2008 R2 DCs, it will give you the option to install AD integrated DNS, and once installed it will replicate the AD integrated DNS zones automatically.

Rest of the plan of action seems OK.

Mahesh
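Added example, not code from any post in this thread: a read-only PowerShell health check that wraps the verification steps in cgooden01's plan (replication, name resolution, FSMO and GC placement, DNS zone storage) together with the pre-checks and the AD-integrated-zone point from Mahesh's replies. It assumes an elevated session on a 2008 R2 DC with repadmin, netdom, nltest, dnscmd and nslookup on the path; the domain, zone and 2003 DC names are placeholders, and the "DS integrated = 1" text it looks for is what dnscmd /ZoneInfo prints.

```powershell
# Added example, not code from any post in this thread. Read-only health check that
# wraps the plan's verification steps and Mahesh's pre-checks. Assumes an elevated
# PowerShell 2.0+ session on a 2008 R2 DC with repadmin, netdom, nltest, dnscmd and
# nslookup on the path. Domain, zone and legacy DC names are placeholders.
param(
    [string]$Domain = "corp.example.com",            # placeholder AD domain
    [string]$Zone   = "corp.example.com",            # placeholder DNS zone to inspect
    [string[]]$LegacyDcs = @("DC2003A", "DC2003B")   # placeholder 2003 DC host names
)

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $tag = if ($Ok) { "PASS" } else { "FAIL" }
    Write-Host ("[{0}] {1} - {2}" -f $tag, $Name, $Detail)
}
function Collapse([string]$Text) { return ($Text.Trim() -replace "\s+", " ") }

# 1. Replication (Mahesh's pre-check): every partner link in the forest must report 0 failures.
$rows   = repadmin /showrepl * /csv | ConvertFrom-Csv
$broken = @($rows | Where-Object { [int]$_."Number of Failures" -gt 0 })
Write-Check "Inter/intrasite replication" ($broken.Count -eq 0) ("{0} failing partner links" -f $broken.Count)

# 2. Lingering objects: event IDs 1388/1988/2042 in the Directory Service log, last 7 days.
$ids  = 1388, 1988, 2042
$ling = @(Get-EventLog -LogName "Directory Service" -After (Get-Date).AddDays(-7) -ErrorAction SilentlyContinue |
         Where-Object { $ids -contains $_.EventID })
Write-Check "Lingering-object events" ($ling.Count -eq 0) ("{0} events in last 7 days" -f $ling.Count)

# 3. Name resolution: the DC locator SRV record must answer from this host's configured DNS.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String
Write-Check "DC locator SRV record" ($srv -match "svr hostname") "_ldap._tcp.dc._msdcs.$Domain"

# 4. FSMO roles: after the transfer step, no role may still be held by a 2003 DC.
$fsmo     = netdom query fsmo 2>&1 | Out-String
$onLegacy = @($LegacyDcs | Where-Object { $fsmo -match [regex]::Escape($_) })
Write-Check "FSMO roles off 2003 DCs" ($onLegacy.Count -eq 0) (Collapse $fsmo)

# 5. Global Catalog: the locator must return a GC, and it must not be a 2003 DC.
$gc       = nltest "/dsgetdc:$Domain" /GC 2>&1 | Out-String
$gcLegacy = @($LegacyDcs | Where-Object { $gc -match [regex]::Escape($_) })
Write-Check "GC served by 2008 R2 DC" (($LASTEXITCODE -eq 0) -and ($gcLegacy.Count -eq 0)) (Collapse $gc)

# 6. DNS zone storage (Mahesh's point): dnscmd prints "DS integrated = 1" for an AD-integrated zone.
$zi = dnscmd localhost /ZoneInfo $Zone 2>&1 | Out-String
Write-Check "Zone $Zone is AD-integrated" ($zi -match "DS integrated\s*=\s*1") "dnscmd /ZoneInfo $Zone"
```

Run it before the upgrade to confirm the pre-checks pass, and again after each 24-hour soak in the plan; any FAIL line maps back to the corresponding step above.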