First of all thanks to everyone that attended my session ” Upgrade Active Directory from WS03 to WS08 R2″ at Microsoft Tech Days 2011 in Sweden. For those of you that couldn’t attend on site I did a session on upgrading a Windows Server 2003 Active Directory environment to Window Server 2008 R2 with a focus on automated processes. The scripts used in this session (also available for download at this blog) were developed by the Enfo Zipper – Directory Services Team and used in a real world scenario to upgrade an enterprise customer’s forest.
FYI: The session will be available online later during the spring.
Note: The steps below including the sample scripts is provided “AS-IS” with no warranties. Some of the sample scripts have a dependence that the Windows Support Tools for Windows Server 2003 – Service Pack 2 are installed on all Domain Controllers.
Table 1.1 Upgrade Active Directory from WS03 to WS08 R2 Sample Scripts
| Name |
Description |
| CopyLogs.VBS | This script will backup all event logs and store them in C:migdata. |
| GetDHCPConfig.BAT | This script will backup the DHCP database and the DHCP Server configuration and store them in C:migdata |
| GetDNSConfig.BAT | This script will backup none-Active Directory primary zones and store them in C:migdata |
| GetIASConfig.VBS | This script has a prerequisite that the iasmigreader.exe has been run (You can find this tool at your Windows Server 2008 R2 DVD at the following location: “sourcesdlmanifestsmicrosoft-windows-iasserver-migplugin” the script will move the config to C:migdata. |
| GetIPConfig.BAT | This script will save the current IP-config and save it in a text file stored in C:migdata |
| GetPrefBH.VBS | This script can be used to locate preferred bridgehead servers that can use replication issues during domain controller replacement. |
| GetTombstone.VBS | This script can be used to determine the current tombstone life time, if less than 180 days, we recommend to set it to 180 days. |
| RetireDC.cmd | This script will change the name of a demoted Windows Server 2003 domain controller to its current name __RET (retired) and configure it to acquire an IP address from DHCP. |
| RunDcPromo.VBS | This script is a wrapper around DCPROMO to demote a Windows Server 2003 DC, It has a feature to work around the “NETLOGN timeout bug” |
| SetDHCPConfig.BAT | This script will read and restore the previous backed up the DHCP database and the DHCP Server configuration from C:restore |
| SetDNSConfig.BAT | This script will read and the previous backed up none-Active Directory Integrated DNS Zones from C:restore |
| SetIASConfig.BAT | This script will read and import the previous backed up IAS config in C:restore to NPS |
| unattend_demote.txt |
This file contains environment specific parameters that need to be changed to reflect your environment. The file is used to demote Windows Server 2003 DCs |
| unattend_first.txt |
This file contains environment specific parameters that need to be changed to reflect your environment. The file is used to promote the first Windows Server 2008 R2 DC |
| unattend_promote.txt |
This file contains environment specific parameters that need to be changed to reflect your environment. The file is sued to promote additional Windows Server 2008 R2 DCs using IFM. |
In addition to the presentation slide’s I will also share some additional information about compatibility between a forest/domain running Windows Server 2003 DCs compared to running Windows Server 2008 R2 and how this can effect LOB apps, services and your business.
Prepare a new Windows Server 2008 R2 Domain Controller
Operating System Configuration
We generally recommend that customers apply its standard Windows Server 2008 R2 Standard Edition image as long as your desired “Domain Controller Configuration” (Disk layout, Unnecessary agents are uninstalled) is applied.
Note: If you’re going to reuse the name that the previous Windows Server 2003 DC you’re replacing had, assign a temporary name.
The following hotfixes should be installed to prevent known issues when introducing Windows Server 2008 R2 Domain Controllers:
Note: The listed hotfixes has to be installed before the machine is promoted to domain controller (Or Windows Server 2008 R2 Service Pack 1).
Table 3.2 Required Domain Controller Hotfixes before promotion
| Microsoft KB |
Description |
| 977158 (http://go.microsoft.com/fwlink/?LinkId=178225) | Windows Server 2008 R2 Dynamic DNS updates to BIND servers log NETLOGON event 5774 with error status 9502 |
| 974639 (http://go.microsoft.com/fwlink/?LinkId=165961) | Event ID 1202 logged with status 0x534 if security policy modified |
| 2001086 (http://go.microsoft.com/fwlink/?LinkId=178226) | TimeZoneKeyName registry entry name is corrupt on 64-bit upgrades |
| 2005074 (http://go.microsoft.com/fwlink/?LinkId=185205) | Event ID 1988 Logged in Directory Service Log after Schema Update |
| 832223 (http://go.microsoft.com/fwlink/?LinkId=186576) | Windows Server 2008 R2 DNS servers that use root hints are unable to resolve some DNS queries. |
| 978055 (http://go.microsoft.com/fwlink/?LinkId=185219) | Windows Server 2008 R2 domain controllers fail to authenticate DES-enabled clients. |
| 977073 (http://go.microsoft.com/fwlink/?LinkId=186934) | Digest authentication fails on a Windows XP or Windows Server 2003 member server when authenticating against a Windows Server 2008 R2 domain controller |
We recommend that in addition to those hotfixes, the customer should ensure that the machine has reached the desired/approved patch level within the organization.
-
Replace an existing Windows Server 2003 Domain Controller
DHCP Service
If the particular domain controller also acting as a DHCP Server, Logon using Domain Admin or DHCP Administrator credentials (the later also requires the logon locally right).
Use the following steps to backup the DHCP database:
- Click Start, click Run, type cmd in the Open box, and then click OK.
- Type md C:migdata and then press enter.
- Type net use X: \serverprojectshare <TBD>
- Type CD scripts and press enter.
- Type GetDHCPConfig.BAT -export and press enter.
Note: While the export command runs, DHCP server is stopped and does not respond to clients seeking new leases or lease renewals. (Verify if there is another DHCP server with overlapping scopes in the same site and/or service interruption is approved)
DNS Service
If the particular domain controller also acting as a DNS Server and hosting additional none Active Directory Integrated Zones. (Active Directory Integrated Zones are stored in Active Directory and will be replicated to the destination domain controller)
Logon using Domain Admins or DNS Admins (the later also requires the logon locally right).Use the following steps to backup none Active Directory Integrated Zones:
- Click Start, click Run, type cmd in the Open box, and then click OK.
- Type md C:migdata and then press enter (if not already created in a previous step)
- Type net use X: \serverprojectshare <TBD> (if not already created in a previous step)
- Type CD scripts and press enter.
-
Type GetDNSConfig.BAT and press enter.
Note: While the export command runs, The DNS Services is stopped and started.
Event Logs
We recommend to backup the event logs of the domain controller prior to the replacement since it can help with troubleshooting.
- Click Start, click Run, type cmd in the Open box, and then click OK.
- Type md C:migdata and then press enter (if not already created in a previous step)
- Type net use X: \serverprojectshare <TBD> (if not already created in a previous step)
- Type CD scripts and press enter.
- Type script copyLogs.vbs and press enter (make sure the logs where successfully backed up)
TCP/IP Settings
Save the TCP/IP Settings configuration so those can be applied to the destination domain controller.
- Click Start, click Run, type cmd in the Open box, and then click OK
- Type md C:migdata and then press enter (if not already created in a previous step)
- Type net use X: \serverprojectshare <TBD> (if not already created in a previous step)
- Type CD scripts and press enter.
-
Type GetIPConfig.bat and press enter
System State Backup
Ensure there is enough and health system backups before proceeding to next step.
Backup the captured configuration in previous step by taking the following steps:
- Type net use X: \serverprojectshare <TBD>
- Type xcopy C:migdata X:DCs%computername% /E and then press enter.
Directory Services
This is the final step and enters the critical point of no return where the Windows Server 2003 Domain Controller is going to be demoted to a member server and will no longer acting as a Directory Service Agent (DSA) or a replica (Replication Partner) and won’t keep an instance of the Directory Services Database.
Enfo Zipper recommends to run the demotion process unattended and automated to avoid mistakes and errors.
- Click Start, click Run, type cmd in the Open box, and then click OK.
- Type net use X: \serverprojectshare <TBD> (if not already created in a previous step)
- Type CD scripts and press enter.
- Type cscript RunDCPromo.VBS . (The demotion process should now start, please wait while the Windows Server 2003 Domain Controller being demoted and restarts)
Decommissioning
Logon to the server as local administrator using the password specified in the unattended_demote.txt file above and either shutdown the server and/or disconnect it from the network. For safety reasons we recommend that the server is renamed to something else before its shutdown and that the IP-address is changed from static to dynamic.
- Click Start, click Run, type cmd in the Open box, and then click OK
- Type netdom renamecomputer %computername% /NewName:%computername%_retired and press enter
- Type netsh interface ip set address “Local Area Connection” dhcp and press enter.
Note: The name “Local Area Connection” may differ from server to server.
- Type shutdown –s –t 00 and press enter.
-
Promote a new Windows Server 2008 R2 Domain ControllerConfigure TCP/IP Settings and Names
Logon locally to the domain controller and take the following steps in order to restore the name and TCP/IP Settings from the retired Windows Server 2003 Domain Controller that this domain controller is intend to replace:- Click Start, click Run, type cmd in the Open box, and then click OK
- Type net use X: \serverprojectshare <TBD>
- Type CD scripts and press enter.
- Type xcopy X:DCs<NAME OF SOURCE DC> C:restore /E
- Type netdom renamecomputer %computername% /NewName:<NAME> and press enter (if you wish to re-use the same name)
- Type netsh interface ip set dns “Local Area Connection” static <IP_OF_WIN2K3DC>
Note: The name “Local Area Connection” may differ from server to server
- Type netsh interface ip set dns “Local Area Connection” static <IP_OF_NEARESTBYDC>
Note: The name “Local Area Connection” may differ from server to server
- Type shutdown –r –t 00
Promote the server to a Domain Controller
Logon locally to the domain controller and take the following steps in order to promote the server to Domain Controller, Enfo Zipper recommends to run the promotion process unattended and automated to avoid mistakes and errors.- Click Start, click Run, type cmd in the Open box, and then click OK.
- Type net use X: \serverprojectshare <TBD> (if not already created in a previous step)
- Type dcpromo /answer: X:scriptsunattended_first.txt and press enter. (The promotion process should now start, please wait while the Windows Server 2008 R2 Domain Controller is being promoted and restarts)
Verify that the promotion to Doman Controller was successful
Logon as Domain Admin to the domain controller and take the following steps in order to verify that the promotion of the Domain Controller completed successfully without errors- Once logged on back, Review the DCPROMO.txt log file. Click Start, Click run and type Notepad C:WindowsDebugdcpromo.log and press enter. Search the file for the word error using notepad, ensure there were no errors, close notepad.
- Quickly review the DCPROMOUI.log file. Click Start, Click run and type Notepad C:WindowsDebugdcpromoui.log and press enter. Close notepad.
DNS Service
Enfo Zipper recommends that full replication has taken place before you proceed with the following step, in order to ensure that please run the DNSConvergeCheck script between the local domain controller and one of the domain controllers in the hub site.
The DNSConvergeCheck script can be found at: http://go.microsoft.com/fwlink/?LinkId=135502
If full replication has taken place, please proceed with the following commands in order to import DNS Zone data (None-Active Directory integrated Zones).- Click Start, click Run, type cmd in the Open box, and then click OK
- Type net use X: \serverprojectshare <TBD> (if not already created in a previous step)
- Type CD scripts and press enter.
- Type SetDNSConfig.BAT
- All DNS Zones should now successfully have been restored.
DHCP Service
Logon as Enterprise Admin and take the following steps to install the DHCP Server service and restore the database and settings for the Windows Server 2003 Domain Controller.- Click Start, click Run, and click Administrative Tools and then Click PowerShell Modules
- Type Add-WindowsFeature DHCP and press enter. (if asked to/promoted to restart the server, please follow the instructions given)
- If a restart was required, Logon back as Enterprise Admin, Click Start, click Run, type cmd in the Open box, and then click OK
- Type net use X: \serverprojectshare <TBD> (if not already created in a previous step)
- Type CD scripts and press enter.
- Type sc config dhcpserver start= auto
- Type SetDHCPConfig.BAT -import
Post-Operating System Configuration
The following hotfixes should be installed to prevent known issues when introducing Windows Server 2008 R2 Domain Controllers:
Note: The listed hotfixes has to be installed after the machine is promoted to domain controller (Or Windows Server 2008 R2 Service Pack 1)Table 3.6 Required Domain Controller Hotfixes after promotion
Microsoft KB
Description
978387 (http://go.microsoft.com/fwlink/?LinkId=184915): Dcdiag fails with error code 0x621 978277 (http://go.microsoft.com/fwlink/?LinkId=184911): The specified account does not exist 978516 (http://go.microsoft.com/fwlink/?LinkId=185190) Significant delays when you read the same set of files several times 978837 (http://go.microsoft.com/fwlink/?LinkId=185191) Group Policy Management Editor window crashes when you apply some changes for NRPT policy settings Disable EDNS
Disable EDNS to avoid issues with global DNS servers that doesn’t support EDNS, (Not needed if forwarders is configured to handle external DNS queries outside the forest and to the internet)- Click Start, click Run, type cmd in the Open box, and then click OK
- Type dnscmd /config /EnableEDNSProbes 0 and press enter.
Configure Kerberos supported encryption types
Note this step is only required if the domain contains service accounts and/or computer accounts that are configured to use DES-only encryption.- In the Group Policy Management Console (GPMC), locate the following location: Computer Configuration Windows Settings Security Settings Local Policies Security Options
- Click to select the Network security: Configure encryption types allowed for Kerberos option.
- Click to select Define these policy settings and all the six check boxes for the encryption types
.
-
Click OK. Close the GPMC.
Note: The policy sets the SupportedEncryptionTypes registry entry to a value of 0x7FFFFFFF. The SupportedEncryptionTypes registry entry is at the following location:
HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemKerberosparameters
