{"id":65,"date":"2011-03-31T18:57:00","date_gmt":"2011-03-31T18:57:00","guid":{"rendered":"http:\/\/web03.partners.extranet.chrisse.com\/wordpress\/?p=65"},"modified":"2011-03-31T18:57:00","modified_gmt":"2011-03-31T18:57:00","slug":"upgrade-active-directory-from-ws03-to-ws08-r2","status":"publish","type":"post","link":"https:\/\/blog.chrisse.se\/?p=65","title":{"rendered":"Upgrade Active Directory from WS03 to WS08 R2"},"content":{"rendered":"

First of all thanks to everyone that attended my session ” Upgrade Active Directory from WS03 to WS08 R2″ at Microsoft Tech Days 2011 in Sweden. For those of you that couldn’t attend on site I did a session on upgrading a Windows Server 2003 Active Directory environment to Window Server 2008 R2 with a focus on automated processes. The scripts used in this session (also available for download at this blog) were developed by the Enfo Zipper \u2013 Directory Services Team and used in a real world scenario to upgrade an enterprise customer’s forest.<\/p>\n

FYI: The session will be available online later during the spring.<\/p>\n

 <\/p>\n

Note: The steps below including the sample scripts is provided “AS-IS” with no warranties. Some of the sample scripts have a dependence that the Windows Support Tools for Windows Server 2003 \u2013 Service Pack 2 are installed on all Domain Controllers.<\/p>\n

 <\/p>\n

Table\u00a01.1\u00a0Upgrade Active Directory from WS03 to WS08 R2 Sample Scripts <\/span><\/p>\n

 <\/p>\n

\n\n\n<\/colgroup>\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\nName<\/span><\/td>\n\n

Description<\/span><\/p>\n<\/td>\n<\/tr>\n

\nCopyLogs.VBS<\/span><\/td>\n\nThis script will backup all event logs and store them in C:migdata.<\/span><\/td>\n<\/tr>\n
\nGetDHCPConfig.BAT<\/span><\/td>\n\nThis script will backup the DHCP database and the DHCP Server configuration and store them in C:migdata<\/span><\/td>\n<\/tr>\n
\nGetDNSConfig.BAT<\/span><\/td>\n\nThis script will backup none-Active Directory primary zones and store them in C:migdata<\/span><\/td>\n<\/tr>\n
\nGetIASConfig.VBS<\/span><\/td>\n\nThis script has a prerequisite that the iasmigreader.exe has been run (You can find this tool at your Windows Server 2008 R2 DVD at the following location: “sourcesdlmanifestsmicrosoft-windows-iasserver-migplugin” the script will move the config to C:migdata.<\/span><\/td>\n<\/tr>\n
\nGetIPConfig.BAT<\/span><\/td>\n\nThis script will save the current IP-config and save it in a text file stored in C:migdata<\/span><\/td>\n<\/tr>\n
\nGetPrefBH.VBS<\/span><\/td>\n\nThis script can be used to locate preferred bridgehead servers that can use replication issues during domain controller replacement.<\/span><\/td>\n<\/tr>\n
\nGetTombstone.VBS<\/span><\/td>\n\nThis script can be used to determine the current tombstone life time, if less than 180 days, we recommend to set it to 180 days.<\/span><\/td>\n<\/tr>\n
\nRetireDC.cmd<\/span><\/td>\n\nThis script will change the name of a demoted Windows Server 2003 domain controller to its current name __RET (retired) and configure it to acquire an IP address from DHCP. <\/span><\/td>\n<\/tr>\n
\nRunDcPromo.VBS<\/span><\/td>\n\nThis script is a wrapper around DCPROMO to demote a Windows Server 2003 DC, It has a feature to work around the “NETLOGN timeout bug” <\/span><\/td>\n<\/tr>\n
\nSetDHCPConfig.BAT<\/span><\/td>\n\nThis script will read and restore the previous backed up the DHCP database and the DHCP Server configuration from C:restore<\/span><\/td>\n<\/tr>\n
\nSetDNSConfig.BAT<\/span><\/td>\n\nThis script will read and the previous backed up none-Active Directory Integrated DNS Zones from C:restore<\/span><\/td>\n<\/tr>\n
\nSetIASConfig.BAT<\/span><\/td>\n\nThis script will read and import the previous backed up IAS config in C:restore to NPS<\/span><\/td>\n<\/tr>\n
\nunattend_demote.txt<\/span><\/td>\n\nThis file contains environment specific parameters that need to be changed to reflect your environment. <\/span>
\nThe file is used to demote Windows Server 2003 DCs<\/span><\/td>\n<\/tr>\n
\nunattend_first.txt<\/span><\/td>\n\nThis file contains environment specific parameters that need to be changed to reflect your environment. <\/span>
\nThe file is used to promote the first Windows Server 2008 R2 DC<\/span><\/td>\n<\/tr>\n
\nunattend_promote.txt<\/span><\/td>\n\nThis file contains environment specific parameters that need to be changed to reflect your environment. <\/span>
\nThe file is sued to promote additional Windows Server 2008 R2 DCs using IFM.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

 <\/p>\n

<\/div>\n

 <\/p>\n

Download the Sample Scripts<\/a><\/strong><\/div>\n

 <\/p>\n

In addition to the presentation slide’s I will also share some additional information about compatibility between a forest\/domain running Windows Server 2003 DCs compared to running Windows Server 2008 R2 and how this can effect LOB apps, services and your business.<\/p>\n

 <\/p>\n


\nPrepare a new Windows Server 2008 R2 Domain Controller <\/span><\/p>\n

 <\/p>\n


\nOperating System Configuration <\/strong><\/span><\/p>\n

 <\/p>\n

We generally recommend that customers apply its standard Windows Server 2008 R2 Standard Edition image as long as your desired “Domain Controller Configuration” (Disk layout, Unnecessary agents are uninstalled) is applied.
\nNote: If you’re going to reuse the name that the previous Windows Server 2003 DC you’re replacing had, assign a temporary name. <\/span><\/p>\n

 <\/p>\n

The following hotfixes should be installed to prevent known issues when introducing Windows Server 2008 R2 Domain Controllers: <\/span><\/p>\n

 <\/p>\n


\nNote: The listed hotfixes has to be installed before the machine is promoted to domain controller (Or Windows Server 2008 R2 Service Pack 1). <\/span><\/p>\n

 <\/p>\n

Table\u00a03.2\u00a0\u00a0\u00a0Required Domain Controller Hotfixes before promotion <\/span><\/p>\n

 <\/p>\n

\n\n\n<\/colgroup>\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n
\nMicrosoft KB<\/span><\/td>\n\n

Description<\/span><\/p>\n<\/td>\n<\/tr>\n

\n977158 (http:\/\/go.microsoft.com\/fwlink\/?LinkId=178225)<\/span><\/td>\n\nWindows Server 2008 R2 Dynamic DNS updates to BIND servers log NETLOGON event 5774 with error status 9502<\/span><\/td>\n<\/tr>\n
\n974639 (http:\/\/go.microsoft.com\/fwlink\/?LinkId=165961)<\/span><\/td>\n\nEvent ID 1202 logged with status 0x534 if security policy modified<\/span><\/td>\n<\/tr>\n
\n2001086 (http:\/\/go.microsoft.com\/fwlink\/?LinkId=178226)<\/span><\/td>\n\nTimeZoneKeyName registry entry name is corrupt on 64-bit upgrades<\/span><\/td>\n<\/tr>\n
\n2005074 (http:\/\/go.microsoft.com\/fwlink\/?LinkId=185205)<\/span><\/td>\n\nEvent ID 1988 Logged in Directory Service Log after Schema Update<\/span><\/td>\n<\/tr>\n
\n832223 (http:\/\/go.microsoft.com\/fwlink\/?LinkId=186576)<\/span><\/td>\n\nWindows Server 2008 R2 DNS servers that use root hints are unable to resolve some DNS queries.<\/span><\/td>\n<\/tr>\n
\n978055 (http:\/\/go.microsoft.com\/fwlink\/?LinkId=185219)<\/span><\/td>\n\nWindows Server 2008 R2 domain controllers fail to authenticate DES-enabled clients.<\/span><\/td>\n<\/tr>\n
\n977073 (http:\/\/go.microsoft.com\/fwlink\/?LinkId=186934)<\/span><\/td>\n\nDigest authentication fails on a Windows XP or Windows Server 2003 member server when authenticating against a Windows Server 2008 R2 domain controller<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

 <\/p>\n

We recommend that in addition to those hotfixes, the customer should ensure that the machine has reached the desired\/approved patch level within the organization. <\/span><\/p>\n

 <\/p>\n

 <\/p>\n

    \n
  1. \n
    Replace an existing Windows Server 2003 Domain Controller <\/span><\/div>\n

    DHCP Service <\/strong><\/span>
    \nIf the particular domain controller also acting as a DHCP Server, Logon using Domain Admin or DHCP Administrator credentials (the later also requires the logon locally right). <\/span>
    \nUse the following steps to backup the DHCP database: <\/span><\/li>\n<\/ol>\n

     <\/p>\n

     <\/p>\n