8/20/2019 ADDS DomainUpgradeWin2003toWin2008
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains
Microsoft Corporation
Published: November 2009
Writer: Justin Hall
Editor: Jim Becker
Abstract
This guide explains the process for upgrading Active Directory domains to Windows Server 2008
and Windows Server 2008 R2, how to upgrade the operating system of domain controllers, and
how to add domain controllers that run Windows Server 2008 or Windows Server 2008 R2 to an
existing domain.
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains ......... 7
About this guide............................................................................................................................ 7
In this guide .................................................................................................................................. 7
Related information ...................................................................................................................... 7
Overview of Upgrading Active Directory Domains .......................................................................... 8
Planning to Upgrade Active Directory Domains .............................................................................. 8
In this guide .................................................................................................................................. 8
Checklist: Preupgrade Tasks ........................................................................................................... 9
Assign Appropriate Credentials ..................................................................................................... 10
Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2 ..... 12
Determine Supported Software Upgrades .................................................................................... 13
Assess Hardware Requirements ................................................................................................... 15
Disk space requirements for upgrading to Windows Server 2008 ............................................. 16
Disk space requirements for upgrading to Windows Server 2008 R2 ....................................... 17
Determine Domain Controller Upgrade Order ............................................................................... 20
Develop a Test Plan for Your Domain Upgrade Process .............................................................. 21
Determine Service Pack Levels ..................................................................................................... 22
Back Up Domain Data ................................................................................................................... 24
Resolve Upgrade and Application Compatibility Problems ........................................................... 24
Known issues for upgrading to Windows Server 2003 .............................................................. 25
Performing the Upgrade of Active Directory Domains ................................................................... 26
In this guide ................................................................................................................................ 26
Checklist: Upgrade Tasks .............................................................................................................. 26
Prepare Your Infrastructure for Upgrade ....................................................................................... 27
Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2 ......... 28
Upgrade Existing Domain Controllers ........................................................................................... 30
Unattended upgrade .................................................................................................................. 31
Modify Default Security Policies .................................................................................................... 35
Update Group Policy Permissions ................................................................................................. 38
Perform Clean-up Tasks ................................................................................................................ 39
Completing the Upgrade of Active Directory Domains .................................................................. 40
In this guide ................................................................................................................................ 40
Checklist: Post-Upgrade Tasks ..................................................................................................... 40
Raise the Functional Levels of Domains and Forests ................................................................... 41
Move DNS Data into DNS Application Directory Partitions ........................................................... 42
Redirect Users and Computers ..................................................................................................... 44
Complete the Upgrade .................................................................................................................. 45
Finding Additional Information About Upgrading Active Directory Domains ................................. 46
Appendix A: Background Information for Upgrading Active Directory Domains ........................... 47
Active Directory preparation tool ................................................................................................ 47
Application directory partitions for DNS ..................................................................................... 48
Service (SRV) resource records ............................................................................................. 48
_msdcs.domain_name subdomain ......................................................................................... 49
_msdcs.forest_root_domain subdomain ................................................................................. 49
Intrasite replication frequency ................................................................................................. 50
New groups and new group memberships that are created after upgrading the PDC .............. 51
Security policy considerations when upgrading from Windows 2000 to Windows Server 2003 53
SMB packet signing ................................................................................................................ 53
Secure channel signing and encryption .................................................................................. 53
Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains ......... 54
What’s new in AD DS in Windows Server 2008 and Windows Server 2008 R2 ....................... 54
System requirements for installing Windows Server 2008 and Windows Server 2008 R2 ....... 56
Supported in-place upgrade paths ............................................................................................. 57
Functional level features and requirements ............................................................................... 58
Client, server, and application interoperability ........................................................................... 58
Secure default settings in Windows Server 2008 and Windows Server 2008 R2 ..................... 58
Virtualized domain controllers on Hyper-V™, VMware, and other virtualization software ......... 59
Administration, remote administration, and cross-version administration .................................. 60
Configuring the Windows Time service for Windows Server 2008 and Windows Server 2008 R2 ......... 61
Known issues for upgrades to Windows Server 2008 and Windows Server 2008 R2 .............. 62
Verifications you can make and recommended hotfixes you can install before you begin ........ 62
Run Adprep commands ............................................................................................................. 66
Add schema changes using adprep /forestprep ..................................................................... 66
If you are deploying RODCs, run adprep /rodcprep ............................................................... 67
Run adprep /domainprep /gpprep ........................................................................................... 68
Upgrade domain controllers ....................................................................................................... 69
Background information about the in-place upgrade process ................................................ 69
Upgrading and promoting new domain controllers into an existing domain ........................... 69
Post-installation tasks ............................................................................................................. 71
Fixes to install after AD DS installation ................................................................................... 71
Troubleshooting errors ............................................................................................................... 72
Adprep errors .......................................................................................................................... 72
Forestprep errors ................................................................................................................. 72
Domainprep errors............................................................................................................... 73
Rodcprep errors ................................................................................................................... 73
Dcpromo errors ....................................................................................................................... 73
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains
Upgrading your network operating system requires minimal network configuration and typically
has a low impact on user operations. The upgrade process is straightforward, efficient, and allows
your organization to take advantage of the improved security that is offered by the
Windows Server® 2008 and Windows Server 2008 R2 operating systems.
About this guide
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for upgrading Windows 2000 or Windows Server 2003 Active Directory
domains to Active Directory Domain Services (AD DS) domains that have domain controllers
running Windows Server 2008 or Windows Server 2008 R2. For a seamless deployment
experience, use the checklists that are provided in this guide and complete the tasks in the order
in which they are presented.
In this guide
Overview of Upgrading Active Directory Domains
Planning to Upgrade Active Directory Domains
Performing the Upgrade of Active Directory Domains
Completing the Upgrade of Active Directory Domains
Finding Additional Information About Upgrading Active Directory Domains
Appendix A: Background Information for Upgrading Active Directory Domains
Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2
Domain Controllers to Existing Domains
Related information
For more information about the AD DS logical structure and the Domain Name System (DNS)
infrastructure that is necessary to support AD DS, see Designing the Logical Structure for
Windows Server 2008 AD DS [LH].
For more information about AD DS functional levels, see Enabling Advanced Features for
AD DS.
For more information about installing and configuring a DNS server, see Deploying Domain
Name System (DNS) (http://go.microsoft.com/fwlink/?LinkId=93656).
Overview of Upgrading Active Directory Domains
By upgrading your network operating system, you can maintain your current network and domain
configuration while improving the security, scalability, and manageability of your network
infrastructure.
Before you upgrade your Windows 2000 or Windows Server 2003 Active Directory domains,
review your business objectives and decide how they relate to your existing Active Directory
infrastructure. Although your objectives might not require other significant changes to your
existing environment, the operating system upgrade is an opportune time to review your existing
Active Directory design, including your Active Directory logical structure, site topology, and
domain controller capacity. You might find opportunities for increased efficiencies and cost
savings that you can incorporate into your upgrade process. In addition, ensure that you test your
upgrade process in a lab and pilot program.
When the domain upgrade process is complete, all domain controllers will be running Windows
Server 2008 or Windows Server 2008 R2, and the Active Directory Domain Services (AD DS)
domains and forest will be operating at the Windows Server 2008 or Windows Server 2008 R2
functional level. At the Windows Server 2008 R2 forest functional level, you can take advantage
of all the advanced AD DS features. For more information about advanced AD DS features for
AD DS functional levels, see Enabling Advanced Features for AD DS.
Planning to Upgrade Active Directory Domains
To plan the upgrade of your Active Directory domains, complete the tasks in Checklist:
Preupgrade Tasks.
In this guide
Checklist: Preupgrade Tasks
Assign Appropriate Credentials
Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
Determine Supported Software Upgrades
Assess Hardware Requirements
Determine Domain Controller Upgrade Order
Develop a Test Plan for Your Domain Upgrade Process
Determine Service Pack Levels
Back Up Domain Data
Resolve Upgrade and Application Compatibility Problems
Checklist: Preupgrade Tasks
Complete the tasks in this checklist in the order in which they are presented. If a reference link
takes you to a conceptual topic, return to this checklist after you review the conceptual topic so
that you can proceed with the remaining tasks.
Checklist: Preupgrade Tasks
Task | Reference
Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade. | Assign Appropriate Credentials
Introduce a newly installed member server into the forest. | Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
Identify the editions of Windows 2000 or Windows Server 2003 that are running in your environment. Then determine if you can upgrade these editions or if you must perform a complete reinstallation for each. | Determine Supported Software Upgrades
Review and document the existing hardware configuration of each domain controller that you plan to upgrade. | Assess Hardware Requirements
Determine the order in which you will upgrade your domain controllers before you begin the domain upgrade process. | Determine Domain Controller Upgrade Order
Develop a test plan for your domain upgrade process. | Develop a Test Plan for Your Domain Upgrade Process
Determine service pack levels. | Determine Service Pack Levels
Back up your Windows 2000 or Windows Server 2003 domain data before you begin the upgrade. | Back Up Domain Data
Resolve upgrade and application compatibility problems. | Resolve Upgrade and Application Compatibility Problems
Assign Appropriate Credentials
Assign appropriate credentials to the users who are responsible for preparing the forest and
domain for an Active Directory upgrade. The adprep /forestprep command requires a user account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins
groups. The adprep /domainprep command requires a user account that is a member of the
Domain Admins group in the targeted domain. The adprep /rodcprep command requires a user
account that is a member of the Enterprise Admins group.
In addition, the security context can affect the ability of an administrator to complete the upgrade
of domain controllers. Members of the Builtin\Administrators group can upgrade the operating
system and install software on a computer. The following groups are members of the
Builtin\Administrators group by default:
The Enterprise Admins group is a member of Builtin\Administrators in the forest root domain
and in each regional domain in the forest.
The Domain Admins group is a member of Builtin\Administrators in their domain.
The Domain Admins group is a member of Builtin\Administrators on member servers in their
domain.
The following table shows the credentials that are required to upgrade servers, depending on the
domain membership of the servers.
Credential | Domain controller in forest root domain | Member server in forest root domain | Domain controller in regional domain | Member server in regional domain
Enterprise Admins in forest root domain | Yes | No | Yes | No
Domain Admins in forest root domain | Yes | Yes | No | No
Builtin\Administrators in forest root domain | Yes | No | No | No
Domain Admins in regional domain | No | No | Yes | Yes
Builtin\Administrators in regional domain | No | No | Yes | No
You also need to ensure that the administrator who is upgrading the domain controllers has the
following rights:
Backup files and directories (SE_BACKUP_NAME)
Modify firmware environment values (SE_SYSTEM_ENVIRONMENT_NAME)
Restore files and directories (SE_RESTORE_NAME)
Shut down the system (SE_SHUTDOWN_NAME)
The setup program cannot run properly if these rights are not defined or if they are disabled by a
domain Group Policy setting on the computer.
To verify if user rights assignments are disabled by a domain Group Policy setting
Membership in the local Administrator account, or equivalent, is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
1. In the Run dialog box, type mmc, and then click OK.
2. Click File, and then click Add/Remove snap-in.
3. In the Available snap-ins dialog box, select Group Policy Management Editor, and
then click Add.
4. On the Welcome to the Group Policy Wizard page, verify that Local Computer
appears in the Group Policy Object box, and then click Finish.
5. In the console tree, navigate to the Local Computer Policy\Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights
Assignment folder.
6. In the details pane, verify that the user who will perform the upgrade is a member in one
of the groups that has the necessary rights assigned. The policies are named identically
to the user rights listed above.
Assign the appropriate credentials in advance to allow both Active Directory domain upgrade
testing and deployment to proceed without unexpected security delays.
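The check in step 6 can also be scripted against the policy that is actually in effect on the server. The following Windows PowerShell script is an added example and is not part of this guide; it assumes an elevated session on the server that will be upgraded, started as the account that will perform the upgrade, and that the User Rights Assignment area exported by secedit.exe reflects the policy after domain Group Policy has been applied.

```powershell
# Added example, not part of the Microsoft guide: report whether the current account holds the
# four user rights that Setup needs, as they are applied on this computer after domain Group
# Policy processing. Run from an elevated session; secedit.exe needs administrative rights.

# Privilege names as they appear in the secedit export, mapped to the names used in the guide
$required = @{
    'SeBackupPrivilege'            = 'Backup files and directories (SE_BACKUP_NAME)'
    'SeSystemEnvironmentPrivilege' = 'Modify firmware environment values (SE_SYSTEM_ENVIRONMENT_NAME)'
    'SeRestorePrivilege'           = 'Restore files and directories (SE_RESTORE_NAME)'
    'SeShutdownPrivilege'          = 'Shut down the system (SE_SHUTDOWN_NAME)'
}

# Export only the User Rights Assignment area of the effective local security policy
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse lines of the form:  SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
# A right that is defined with an empty value is assigned to no one.
$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = @($matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ -ne '' })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function ConvertTo-Sid([string]$Account) {
    # Entries are normally SIDs already; resolve account names so both forms compare alike
    if ($Account -like 'S-1-*') { return $Account }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $Account }
}

# SIDs of the current user plus every group in its token, including nested domain groups
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$missing = 0
foreach ($priv in $required.Keys) {
    $label = $required[$priv]
    if (-not $assigned.ContainsKey($priv) -or $assigned[$priv].Count -eq 0) {
        Write-Warning "$label is assigned to no one on this computer; check for a domain Group Policy that clears it"
        $missing++
        continue
    }
    $holderSids = @($assigned[$priv] | ForEach-Object { ConvertTo-Sid $_ })
    $held = @($holderSids | Where-Object { $mySids -contains $_ }).Count -gt 0
    if ($held) { "OK       $label" } else { Write-Warning "MISSING  $label for $($identity.Name)"; $missing++ }
}
if ($missing -eq 0) { "All four user rights required by Setup are held by $($identity.Name)" }
```

A warning for a right that is assigned to no one points at a domain Group Policy that overrides the local default, which is the case the procedure above is meant to catch.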
Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
You can upgrade your Active Directory environment in the following ways:
Introduce newly installed domain controllers that run Windows Server 2008 or Windows
Server 2008 R2 into the forest, and then retire or upgrade all existing domain controllers.
Perform an in-place upgrade of all existing domain controllers.
Important
If you want to upgrade the operating system of a Windows 2000 domain controller to
Windows Server 2008, you must first perform an in-place upgrade of the Windows 2000
operating system to a Windows Server 2003 operating system. Then, perform an in-place
upgrade of this Windows Server 2003 operating system to a Windows Server 2008 operating
system. A direct Windows 2000-to-Windows Server 2008 operating system upgrade is not
supported.
The information in this guide also applies to Windows Server 2008 R2. If you perform an in-
place upgrade of the existing domain controllers running Windows Server 2003 in the forest
to Windows Server 2008 R2, remember that Windows Server 2008 R2 is an x64-based
operating system. If your server is running an x64-based version of Windows Server 2003,
you can successfully perform an in-place upgrade of this computer's operating system to
Windows Server 2008 R2. If your server is running an x86-based version of
Windows Server 2003, you cannot upgrade this computer to Windows Server 2008 R2.
Use the following procedure to introduce a member server that runs Windows Server 2008 or
Windows Server 2008 R2 into your environment.
To install Windows Server 2008 or Windows Server 2008 R2
Membership in the local Administrator account, or equivalent, is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
1. Insert the operating system DVD into the DVD drive, and then select the option to install
the operating system.
As an alternative, you can use an unattended installation method.
2. Use the NTFS file system to format the partitions.
Enter the computer name, static IP address, and subnet mask that are specified by your
design. Enter a strong administrator password.
3. Enable Remote Desktop to enable administrators to log on remotely, if necessary.
To enable Remote Desktop, in Server Manager, click Configure Remote Desktop, and
then click Allow connections from computers running any version of Remote
Desktop (less secure) or Allow connections only from computers running Remote
Desktop with Network Level Authentication (more secure).
You can introduce this member server to any domain in the forest. However, if your forest root
domain is a dedicated root, introduce the member server into the forest root domain. Placing this member server into a dedicated root domain has the lowest impact on your environment because
users generally do not log on to a dedicated forest root domain. Therefore, user authentications
are minimal.
After you prepare your forest and domains for the upgrade (see Prepare Your Infrastructure for
Upgrade), install AD DS on the new member server (see Install Active Directory Domain Services
on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2).
Determine Supported Software Upgrades
Identify the editions of Windows 2000 or Windows Server 2003 that are running in your
environment. Then, determine if you can upgrade these editions or if you must perform complete
operating system reinstallations.
Important
To upgrade Windows 2000 Active Directory domains to Windows Server 2008
Active Directory Domain Services (AD DS) domains, you must perform an in-place
upgrade of all existing domain controllers running Windows 2000 in the forest to domain
controllers running Windows Server 2003. Then, perform an in-place upgrade of those
domain controllers to Windows Server 2008. A direct in-place upgrade of a
Windows 2000 edition to a Windows Server 2008 edition is not supported.
The following table lists Windows 2000 editions and indicates what editions can be upgraded
directly to each edition of Windows Server 2003.
Windows 2000 editions | Upgrade to Windows Server 2003 Standard Edition | Upgrade to Windows Server 2003 Enterprise Edition | Upgrade to Windows Server 2003 Datacenter Edition
Windows 2000 Professional | No | No | No
Windows 2000 Server | Yes | Yes | No
Windows 2000 Advanced Server | No | Yes | No
Windows 2000 Datacenter Server | No | No | Yes
The following table lists Windows Server 2003 editions and indicates what editions can be
upgraded directly to each edition of Windows Server 2008.
Notes
With the exception of Windows Server 2008 editions for Itanium-Based Systems, this
table applies equally to 32-bit and 64-bit Windows Server 2008 editions. However,
upgrades from 32-bit to 64-bit (and from 64-bit to 32-bit) are not supported.
The information in this guide also applies to Windows Server 2008 R2. If you perform an
in-place upgrade of the existing domain controllers running Windows Server 2003 in the
forest to Windows Server 2008 R2, remember that Windows Server 2008 R2 is an x64-
based operating system. If your server is running an x64-based version of
Windows Server 2003, you can successfully perform an in-place upgrade of this
computer's operating system to Windows Server 2008 R2. If your server is running an
x86-based version of Windows Server 2003, you cannot upgrade this computer to
Windows Server 2008 R2. For more information about supported upgrade options, see
Supported in-place upgrade paths.
Windows Server 2003 editions | Upgrade to Windows Server 2008 Standard | Upgrade to Windows Server 2008 Enterprise | Upgrade to Windows Server 2008 Datacenter
Windows Server 2003 Standard Edition with Service Pack 1 (SP1) | Yes | Yes | No
Windows Server 2003 Standard Edition with Service Pack 2 (SP2) | Yes | Yes | No
Windows Server 2003 R2 Standard Edition | Yes | Yes | No
Windows Server 2003 Enterprise Edition with SP1 | No | Yes | Yes
Windows Server 2003 Enterprise Edition with SP2 | No | Yes | Yes
Windows Server 2003 R2 Enterprise Edition | No | Yes | Yes
Windows Server 2003 Datacenter Edition with SP1 | No | No | Yes
Windows Server 2003 Datacenter Edition with SP2 | No | No | Yes
Windows Server 2003 R2 Datacenter Edition | No | No | Yes
Assess Hardware Requirements
Review and document the existing hardware configuration of each domain controller that you plan
to upgrade. Use this information to identify the domain controllers in your environment that you can upgrade and the domain controllers that do not meet the hardware requirements necessary
to run Windows Server 2008 or Windows Server 2008 R2. You can retain domain controllers that
do not meet the necessary hardware requirements to serve as rollback servers if you must roll
back your deployment. In most cases, a Windows 2000-based domain controller meets the
requirements to be upgraded to Windows Server 2008 as long as it has adequate disk space.
At minimum, a domain controller requires available free disk space for the Active Directory
Domain Services (AD DS) database, AD DS log files, SYSVOL, and the operating system. Use
the following guidelines to determine how much disk space to allot for your AD DS installation:
On the drive that will contain the AD DS database, NTDS.dit, provide 0.4 gigabytes (GB) of storage for each 1,000 users. For example, for a forest with two domains (domain A and
domain B) with 10,000 users and 5,000 users, respectively, provide a minimum of 4 GB of
disk space for each domain controller that hosts domain A and provide a minimum of 2 GB of
disk space for each domain controller that hosts domain B. Available space must equal at
least 10 percent of your existing database size or at least 250 megabytes (MB), whichever is
greater.
On the drive containing the AD DS log files, provide at least 500 MB of available space.
On the drive containing the SYSVOL shared folder, provide at least 500 MB of available
space.
On the drive containing the operating system files, to run setup, provide at least 1.25 GB to
2 GB of available space.
Disk space requirements for upgrading to Windows Server 2008
The upgrade process from Windows Server 2003 to Windows Server 2008 requires free disk
space for the new operating system image, for the Setup process, and for any installed server
roles. An error is logged when the domain controller role detects insufficient disk space to perform
the upgrade.
Additional disk space information may appear in the compatibility report that Setup displays.
For the domain controller role, the volume or volumes that host the following resources also have
specific free disk space requirements:
Application Data (%AppData%)
Program Files (%ProgramFiles%)
Users Data (%SystemDrive%\Documents and Settings)
Windows Directory (%WinDir%)
The free space on the %WinDir% volume must be equal or greater than the current size of the
resources listed above and their subordinate folders when they are located on the %WinDir%
volume. By default, Dcpromo.exe places the Active Directory database and log files under
%Windir%, in which case, their size is included in the free disk space requirements for the
%Windir% folder.
For example, suppose that you have the following resources located on the %WinDir% volume,
with the sizes listed in the following table.
Resource | Size
Application Data (%AppData%) | 100 MB
Program Files (%ProgramFiles%) | 100 MB
Users Data (%SystemDrive%\Documents and Settings) | 50 MB
Windows Directory (%WinDir%) | 1 GB
Total size | 1.25 GB
In this example, the free space on the %WinDir% volume must be equal to 1.25 GB or greater.
However, if the Active Directory database is hosted outside any of the folders above, then the
hosting volume or volumes must only contain additional free space equal to at least 10 percent of
the current database size or 250 MB, whichever is greater. Finally, the free space on the volume
that hosts the log files must be at least 50 MB.
A default installation of Active Directory in Windows Server 2003 has the Active Directory
database and log files under %WinDir%\NTDS. With this configuration, the Ntds.dit database file
and all the log files are temporarily copied over to the quarantine location and then copied back to
their original location; this is why additional free space is required for those resources. Although
the SYSVOL directory is also under %WinDir% (that is, %WinDir%\SYSVOL), it is moved and not
copied. Therefore, it does not require any additional free space.
After the upgrade, the space that was reserved for the copied resources will be returned to the file
system.
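The following PowerShell script is an added example and is not part of the Microsoft guide. It checks a Windows Server 2003 domain controller against the free-space thresholds stated above (10 percent of the database or 250 MB for the database volume, 500 MB each for the log and SYSVOL volumes, and, for the Windows Server 2008 upgrade, room on the %WinDir% volume for a copy of every listed resource that lives on it plus the 1.25 GB lower bound for Setup). It assumes PowerShell 2.0 running locally on the domain controller as an administrator; the database, log and SYSVOL paths are read from the registry values that the directory service and Netlogon use, so nothing about the disk layout is guessed.

```powershell
# Added example (not from the guide): pre-upgrade free-space check for a Windows Server 2003
# domain controller, using the thresholds stated in the text. Assumes PowerShell 2.0, run
# locally on the domain controller with administrator rights.

function Get-FolderSizeBytes {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return [long]0 }
    $files = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    $sum = ($files | Measure-Object -Property Length -Sum).Sum
    if ($sum) { return [long]$sum } else { return [long]0 }
}

function Get-VolumeRoot {
    param([string]$Path)
    ([System.IO.Path]::GetPathRoot($Path)).TrimEnd('\')          # e.g. "C:"
}

function Get-VolumeFreeBytes {
    param([string]$Path)
    $root = Get-VolumeRoot $Path
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$root'"
    return [long]$disk.FreeSpace
}

function New-Check {
    param([string]$Check, [string]$Path, [long]$RequiredBytes)
    $free = Get-VolumeFreeBytes $Path
    New-Object PSObject -Property @{
        Check      = $Check
        Volume     = Get-VolumeRoot $Path
        RequiredMB = [int]($RequiredBytes / 1MB)
        FreeMB     = [int]($free / 1MB)
        OK         = ($free -ge $RequiredBytes)
    }
}

function Test-DcUpgradeDiskSpace {
    # Paths the directory service and Netlogon actually use (registry values, not assumptions)
    $ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile  = $ntds.'DSA Database file'
    $logPath = $ntds.'Database log files path'
    $sysvol  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
    $dbSize  = (Get-Item -LiteralPath $dbFile).Length

    # Database volume: 10 percent of the current database size or 250 MB, whichever is greater
    New-Check 'AD DS database volume' $dbFile ([Math]::Max([long]($dbSize * 0.10), [long]250MB))
    # Log and SYSVOL volumes: 500 MB each
    New-Check 'AD DS log volume' $logPath ([long]500MB)
    New-Check 'SYSVOL volume'    $sysvol  ([long]500MB)

    # Windows Server 2008 upgrade rule: the %WinDir% volume must hold a copy of each listed
    # resource that is located on that volume, plus the 1.25 GB lower bound for Setup itself
    $winRoot   = Get-VolumeRoot $env:WinDir
    $resources = @($env:AppData, $env:ProgramFiles, "$env:SystemDrive\Documents and Settings", $env:WinDir)
    $copyBytes = [long]0
    foreach ($r in $resources) {
        if ($r -and (Get-VolumeRoot $r) -eq $winRoot) { $copyBytes += Get-FolderSizeBytes $r }
    }
    New-Check '%WinDir% volume (upgrade copy + Setup)' $env:WinDir ($copyBytes + [long]1.25GB)
}

Test-DcUpgradeDiskSpace | Format-Table Check, Volume, RequiredMB, FreeMB, OK -AutoSize
```

Sizing the %WinDir% folder recursively can take a few minutes on a large server; the 0.4 GB per 1,000 users figure from the sizing guidance is a capacity-planning number for the database itself rather than a free-space threshold, so it is left out of the check.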
Disk space requirements for upgrading to Windows Server 2008 R2
The Active Directory database, NTDS.dit, on Windows Server 2008 R2 domain controllers can be
larger than in previous versions of Windows for the following reasons:
The "partial merge" feature is disabled on Windows Server 2008 R2 domain controllers.
Windows Server 2008 R2 domain controllers add two new indices on the large link table.
The Active Directory Recycle Bin Windows Server 2008 R2 preserves attributes on deleted
objects for the Recycle object lifetime.
For Active Directory Recycle Bin, the database increases in size at the following moments:
After Windows Server 2008 R2 adprep /forestprep completes and the first Windows
Server 2008 R2 domain controller is installed, there is a new indexed attribute,
isRecycled, whose value is set for all deleted objects.
After the Active Directory Recycle Bin is enabled, all attributes are kept on deleted
objects. More disk space is required as more object deletions occur.
In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle
Bin feature increased the size of the AD DS database by an additional 15 to 20 percent of the
original database size, using the default deletedObjectLifetime and
recycledObjectLifetime values of 180 days. Additional space requirements depend on the
size and count of the objects that are recycled.
An in-place upgrade of a domain controller to Windows Server 2008 R2 requires sufficient disk
space for the upgrade process to copy the following folders:
%SystemRoot%
%ProgramFiles%
%SystemDrive%\Program Files
%ProgramFiles(x86)%
%SystemDrive%\build
%SystemDrive%\InstalledRepository
%ProfilesFolder%
%ProgramData%
%SystemDrive%\Documents and Settings
The following table shows the test results for an upgrade of a domain controller from Windows
Server 2008 to Windows Server 2008 R2. In this table:
= 15 GB (the minimum amount of free space on a Windows hard drive that Windows
setup requires)
The original size of Ntds.dit was 5 GB.

Ntds.dit location: Ntds.dit is located on the same drive as the system, but it is out of %windir%.
Free space (GB) on the system drive: 1
Result: In this scenario, Ntds.dit does not have to be copied from the Windows.old folder to the
Windows folder, but there is not enough space to copy Windows setup files. The compatibility
report finds there is not enough space to copy Windows files. The upgrade is blocked at the
compatibility report.

Ntds.dit location: Ntds.dit is located on a different drive than the system.
Free space (GB) on the system drive:
Result: In this scenario, the disk meets the minimum free-space requirements for the Windows
files to be installed, and Ntds.dit does not have to be copied from the Windows.old folder to the
Windows folder. The compatibility report warns the user that the amount of free space meets the
minimum requirements and that the upgrade process would take longer. The domain controller is
upgraded successfully.

Ntds.dit location: Ntds.dit is located on the default folder: %windir%\ntds\
Free space (GB) on the system drive: + 1
Result: In this scenario, the disk meets the minimum free-space requirements for the Windows
files to be installed, which causes the compatibility report to be bypassed. However, Ntds.dit is
located under the Windows folder, which causes the upgrade to copy it from the Windows.old
folder to the Windows folder. This last step fails because there is not enough space on the disk
to fit Ntds.dit. Because the database was not copied to the new operating system, on its first
start Windows Server 2008 R2 is not able to locate Ntds.dit, which causes an error and forces
the computer to roll back to the previous operating system.
ERROR_CODE: (NTSTATUS) 0xc00002ec - Directory Services could not start because of the
following error: %hs Error Status: 0x%x. Click OK to shut down the system. You can use the
recovery console to diagnose the system further.
Err 0xc00002ec = STATUS_DS_INIT_FAILURE_CONSOLE
The domain controller is rolled back to Windows Server 2008 successfully.

Ntds.dit location: Ntds.dit is located on the same drive as the system, but it is out of %windir%.
Free space (GB) on the system drive:
Result: In this scenario, the disk meets the minimum free-space requirements for the Windows
files to be installed, and Ntds.dit does not have to be copied from the Windows.old folder to the
Windows folder. The compatibility report warns the user that the amount of free space meets the
minimum requirements and that the upgrade process would take longer. The domain controller is
upgraded successfully.
Determine Domain Controller Upgrade Order
Determine the order in which you will upgrade your domain controllers before you begin the
domain upgrade process. Record the name, IP address, the domain in which the domain
controller will be located, and the operations master roles held by each domain controller before
and after the upgrade. Finally, record the order in which you will upgrade the operating system on
each domain controller.
One possible order for upgrading domain controllers is as follows:
Install Active Directory Domain Services (AD DS) on a member server that runs Windows
Server 2008 or Windows Server 2008 R2 in the forest root domain by using the
Active Directory Domain Services Installation Wizard (Dcpromo.exe).
In each domain, upgrade the operating system on the domain controller that holds the
primary domain controller (PDC) emulator operations master role, or transfer the role to a
domain controller that runs Windows Server 2008 or Windows Server 2008 R2.
Some tasks, such as creation of the Enterprise Read-Only Domain Controllers group, are
performed on the PDC emulator only if it is running Windows Server 2008 or Windows
Server 2008 R2. It may be preferable to upgrade the PDC emulator for that reason, but it is
not a requirement. If the PDC emulator is not upgraded, the Enterprise Read-Only Domain
Controllers group is created when the first read-only domain controller (RODC) is added to
the domain.
Continue upgrading domain controllers or retiring domain controllers that you no longer want
to keep in your infrastructure, until the domain upgrade is complete.
Notes
This order for upgrading or adding new domain controllers is a recommendation only. It is
safe to upgrade the domain controllers holding any operations master role at any time in
the upgrade process.
Similarly, you can independently upgrade each domain within a forest that has multiple
domains. For example, you can begin upgrading domain controllers in a child domain
before you upgrade domain controllers in the root domain of the same forest.
Use a domain controller documentation table to document information about each domain
controller in the forest. For a worksheet to assist in documenting your domain controller
information, see Job Aids for Windows Server 2003 Deployment Kit
(http://go.microsoft.com/fwlink/?LinkID=102558). Download
Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip, and then open
DSSUPWN_2.doc.
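The following PowerShell script is an added example, not part of the Microsoft guide or its job aids. It builds the domain controller documentation table the section asks for (name, IP address, domain, site, operating system, global catalog status and the operations master roles held before the upgrade, with a column left for the roles planned after it) and numbers the domain controllers in an order that follows the recommendation above: forest root domain first, and within each domain the PDC emulator holder before the others. It assumes a domain-joined machine with .NET 2.0 or later; the System.DirectoryServices.ActiveDirectory classes it uses ship with the framework, so it runs on Windows Server 2003 as well as Windows Server 2008 without the AD PowerShell module. The output path is a placeholder.

```powershell
# Added example (not from the guide): domain controller documentation table with a proposed
# upgrade order. Assumes a domain-joined machine and .NET 2.0 or later; read-only queries.

function Get-DcInventory {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            # Roles is a collection of ActiveDirectoryRole values: SchemaRole, NamingRole,
            # PdcRole, RidRole, InfrastructureRole
            $roles = @($dc.Roles | ForEach-Object { $_.ToString() })
            New-Object PSObject -Property @{
                Name          = $dc.Name
                IPAddress     = $dc.IPAddress
                Domain        = $domain.Name
                IsForestRoot  = ($domain.Name -eq $forest.RootDomain.Name)
                Site          = $dc.SiteName
                OSVersion     = $dc.OSVersion
                GlobalCatalog = $dc.IsGlobalCatalog()
                RolesBefore   = ($roles -join ';')   # operations master roles held today
                RolesAfter    = ''                   # fill in: roles planned after the upgrade
            }
        }
    }
}

function Add-UpgradeOrder {
    # Orders the list: forest root domain first, then within each domain the PDC emulator
    # holder before the remaining domain controllers, then by name. Adjust by hand as needed.
    param([object[]]$Inventory)
    $ordered = $Inventory | Sort-Object @{Expression={ -not $_.IsForestRoot }},
                                        Domain,
                                        @{Expression={ $_.RolesBefore -notmatch 'PdcRole' }},
                                        Name
    $n = 0
    foreach ($dc in $ordered) {
        $n++
        $dc | Add-Member -MemberType NoteProperty -Name UpgradeOrder -Value $n -PassThru
    }
}

$table = Add-UpgradeOrder (Get-DcInventory)
$table | Format-Table UpgradeOrder, Name, IPAddress, Domain, Site, OSVersion, RolesBefore -AutoSize
# Keep the worksheet with the rest of the upgrade records (placeholder path)
$table | Export-Csv -Path "$env:USERPROFILE\dc-upgrade-worksheet.csv" -NoTypeInformation
```

The CSV is the table to fill in by hand for the RolesAfter column and to re-run after each upgrade step, which gives a before-and-after record of where each operations master role actually lives.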
Develop a Test Plan for Your Domain Upgrade Process
It is important to develop a plan for testing your domain upgrade procedures throughout the
upgrade process. Before you begin, test your existing domain controllers to ensure that they are
functioning properly. Continue to test your domain controllers throughout the process to verify that
Active Directory Domain Services (AD DS) replication is consistent and successful.
The following table lists the tools and log files to use in your test plan. For more information about
installing tools to test domain controllers, see How to Administer Microsoft Windows Client and
Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkId=177813).
Tool/log file: Repadmin.exe
Description: Checks replication consistency and monitors both inbound and outbound replication
partners. Displays replication status of inbound replication partners and directory partitions.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Dcdiag.exe
Description: Diagnoses the state of domain controllers in a forest or enterprise, tests for
successful Active Directory connectivity and functionality, and returns the results as passed or
failed.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Nltest.exe
Description: Queries and checks the status of trusts and can forcibly shut down domain
controllers. Provides domain controller location capabilities.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Dnscmd.exe
Description: Provides the properties of Domain Name System (DNS) servers, zones, and resource
records.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Adprep.log
Description: Provides a detailed progress report of the forest and domain preparation process.
Location: %SystemRoot%\Windows\Debug\ADPrep\Logs

Tool/log file: Dcpromoui.log and Dcpromo.log
Description: Provides a detailed progress report of the Active Directory installation. Includes
information regarding replication and services in addition to applicable error messages.
Location: %systemroot%\Windows\debug
Note: These logs are added to the server as part of the AD DS installation.

Tool/log file: Adsiedit.exe
Description: A Microsoft Management Console (MMC) snap-in that acts as a low-level editor for
AD DS and allows you to view, add, delete, and move objects and attributes within the directory.
Location: %systemroot%\Windows\System32
Note: This tool is added to the server as part of the AD DS installation.
For more information about support tools for Windows, see Help and Support for Windows
Server 2008.
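The PowerShell script below is an added example and is not part of the Microsoft guide. It runs the read-only checks from the test-plan tools listed above (repadmin, nltest, dnscmd and dcdiag) against one domain controller, keeps the raw output in a time-stamped folder, and turns the per-test lines of dcdiag into pass/fail records, so the same checks can be run before and after each upgrade step and compared. It assumes the tools are on the path (they are on a Windows Server 2008 domain controller) and that the account running it can query the target; the domain controller and domain names are placeholders.

```powershell
# Added example (not from the guide): repeatable health check built from the test-plan tools.
# Assumes repadmin, nltest, dnscmd and dcdiag are on the path; every command is read-only.

function Invoke-DcTool {
    param([string]$Label, [string]$CommandLine, [string]$LogDir)
    $output = cmd.exe /c "$CommandLine 2>&1"
    $safe   = ($Label -replace '[^A-Za-z0-9]', '_')
    $output | Set-Content -Path (Join-Path $LogDir "$safe.txt")   # raw output for the records
    New-Object PSObject -Property @{
        Check    = $Label
        Command  = $CommandLine
        ExitCode = $LASTEXITCODE
        Lines    = @($output)
    }
}

function ConvertFrom-DcdiagOutput {
    # dcdiag prints one line per test, e.g. "......... NA-DC-01 passed test Connectivity"
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '\.{3,}\s*(\S+)\s+(passed|failed) test (\S+)') {
            New-Object PSObject -Property @{
                Target = $matches[1]
                Test   = $matches[3]
                Passed = ($matches[2] -eq 'passed')
            }
        }
    }
}

function Test-DcHealth {
    param(
        [Parameter(Mandatory=$true)][string]$DcName,       # e.g. na-dc-01.company.com
        [Parameter(Mandatory=$true)][string]$DomainName,   # e.g. company.com
        [string]$LogRoot = "$env:USERPROFILE\dc-health"    # placeholder location
    )
    $logDir = Join-Path $LogRoot ("{0}-{1}" -f $DcName, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null

    $checks = @(
        Invoke-DcTool 'Replication summary' "repadmin /replsummary $DcName" $logDir
        Invoke-DcTool 'Inbound replication' "repadmin /showrepl $DcName" $logDir
        Invoke-DcTool 'DC locator' "nltest /dsgetdc:$DomainName /server:$DcName" $logDir
        Invoke-DcTool 'DNS zones' "dnscmd $DcName /enumzones" $logDir
        Invoke-DcTool 'Dcdiag' "dcdiag /s:$DcName" $logDir
    )
    $dcdiag   = $checks | Where-Object { $_.Check -eq 'Dcdiag' }
    $tests    = @(ConvertFrom-DcdiagOutput $dcdiag.Lines)
    $failures = @($tests | Where-Object { -not $_.Passed })
    $badExits = @($checks | Where-Object { $_.ExitCode -ne 0 })

    New-Object PSObject -Property @{
        DomainController = $DcName
        LogDirectory     = $logDir
        ToolExitCodes    = ($checks | Select-Object Check, ExitCode)
        DcdiagFailures   = $failures
        Healthy          = ($badExits.Count -eq 0 -and $failures.Count -eq 0)
    }
}

$report = Test-DcHealth -DcName 'na-dc-01.company.com' -DomainName 'company.com'
$report.ToolExitCodes | Format-Table -AutoSize
$report.DcdiagFailures | Format-Table Target, Test -AutoSize
"Healthy: $($report.Healthy)  (raw output in $($report.LogDirectory))"
```

Run it once against each domain controller before the upgrade to establish a baseline, and again after each restart; a dcdiag test that passed in the baseline and fails afterwards points at the step that needs investigation, and the saved raw output is what to compare.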
Determine Service Pack Levels
Before preparing your infrastructure for upgrade, all Windows 2000-based domain controllers in
the forest must be running Windows 2000 Service Pack 4 (SP4). Use the repadmin /showattr
command to perform an inventory of the operating system and service pack revision level on all
domain controllers in a particular domain.
Membership in the local Administrator account, or equivalent, is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To determine the operating system and service pack revision level on all domain controllers
1. For each domain in the forest, type the following command at the command line of a
computer that has the support tools for Windows Server 2008 installed, and then press
ENTER:
repadmin /showattr domain_controller_in_target_domain ncobj:domain: /filter:"(&(objectcategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack
The following text is sample output from this command:
DN: CN=NA-DC-01,OU=Domain Controllers,DC=company,DC=com
1> operatingSystem: Windows Server 2008 Standard
1> operatingSystemVersion: 6.0 (6001)
1> operatingSystemServicePack: Service Pack 1, v.624
Note
The repadmin /showattr command does not show any hotfixes that might
be installed on a domain controller.
Parameter                              Description
repadmin /showattr                     Displays the attributes on an object.
domain_controller_in_target_domain     Specifies the fully qualified domain name (FQDN) of the
                                       domain controller.
/filter:"(&(objectcategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack
                                       Filters the output to display the object's operating
                                       system, operating system version, and operating system
                                       service pack.
2. Upgrade domain controllers to the appropriate service pack as necessary.
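The PowerShell script below is an added example and is not part of the Microsoft guide. It parses the output of the repadmin /showattr command above into objects and flags any Windows 2000 domain controller that is not at Service Pack 4, which is the requirement this section states. The sample lines are constructed for the demonstration: the first entry is the guide's own sample output, the second (a Windows 2000 domain controller at SP3) is made up. Get-DcServicePackReport runs the real command and assumes repadmin is on the path.

```powershell
# Added example (not from the guide): turns repadmin /showattr output into objects and checks
# the Windows 2000 SP4 requirement. The sample input below is constructed.

function ConvertFrom-ShowAttr {
    param([string[]]$Lines)
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^DN:\s*(.+)$') {
            if ($current) { $current }                 # emit the previous object
            $current = New-Object PSObject -Property @{
                DN = $matches[1]; operatingSystem = $null
                operatingSystemVersion = $null; operatingSystemServicePack = $null
            }
        } elseif ($current -and $line -match '^\d+>\s*(\w+):\s*(.*)$') {
            # attribute lines look like "1> operatingSystem: Windows Server 2008 Standard"
            $attr = $matches[1]
            if ($current.PSObject.Properties[$attr]) { $current.$attr = $matches[2] }
        }
    }
    if ($current) { $current }
}

function Test-ServicePackLevel {
    param([string[]]$Lines)
    foreach ($dc in (ConvertFrom-ShowAttr $Lines)) {
        # Windows 2000 domain controllers must be at SP4 before the forest is prepared
        $needsSp4 = ($dc.operatingSystem -like 'Windows 2000*') -and
                    ($dc.operatingSystemServicePack -notlike 'Service Pack 4*')
        $dc | Add-Member -MemberType NoteProperty -Name NeedsServicePack -Value $needsSp4 -PassThru
    }
}

function Get-DcServicePackReport {
    param([string]$DomainController)   # FQDN of any domain controller in the target domain
    $out = repadmin /showattr $DomainController ncobj:domain: `
        /filter:"(&(objectcategory=computer)(primaryGroupID=516))" /subtree `
        /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack
    Test-ServicePackLevel $out
}

# Constructed sample: first entry is the guide's sample output, second is made up
$sample = @(
    'DN: CN=NA-DC-01,OU=Domain Controllers,DC=company,DC=com',
    '    1> operatingSystem: Windows Server 2008 Standard',
    '    1> operatingSystemVersion: 6.0 (6001)',
    '    1> operatingSystemServicePack: Service Pack 1, v.624',
    'DN: CN=EU-DC-02,OU=Domain Controllers,DC=company,DC=com',
    '    1> operatingSystem: Windows 2000 Server',
    '    1> operatingSystemVersion: 5.0 (2195)',
    '    1> operatingSystemServicePack: Service Pack 3'
)
Test-ServicePackLevel $sample |
    Format-Table DN, operatingSystem, operatingSystemServicePack, NeedsServicePack -AutoSize
# Against a live domain: Get-DcServicePackReport 'na-dc-01.company.com'
```

Because the filter selects members of the Domain Controllers group (primaryGroupID 516), a domain controller that was demoted without being cleaned up will not appear here; the inventory table from the upgrade-order section is the place to reconcile that.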
Back Up Domain Data
Back up your domain data before you begin the upgrade. This task varies based on the
operations and procedures that already exist in your environment. At a minimum, complete the
following steps:
To allow for fault tolerance, ensure successful replication between two domain controllers in
each domain.
Back up two domain controllers in each domain in the forest, including System State data.
Test all backup media to ensure that the data can be restored successfully.
Note
Store backup media in a secure offsite location designated by (and accessible to)
the upgrade team before you begin the upgrade process.
Develop a recovery plan to use if some portion of your domain upgrade process fails. A
successful recovery plan includes the following:
Step-by-step instructions that enable the upgrade team to restore normal operations to the
organization.
An approval process, ensuring that all team members review, agree on, and approve the
recovery plan.
Important
If you plan to retire or upgrade the first promoted domain controllers of your
Windows 2000 or Windows Server 2003 domains, we highly recommend that you export
and back up the private key of the Encrypting File System (EFS) recovery agent. EFS is
a component of the NTFS file system that enables transparent encryption and decryption
of files by using advanced, standard cryptographic algorithms. You can use EFS to
encrypt data files to prevent unauthorized access. For more information, see article
241201 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=114578).
Resolve Upgrade and Application Compatibility Problems
For more information about upgrades to Windows Server 2008 and Windows Server 2008 R2,
see Known Issues for Upgrades to Windows Server 2008 and Windows Server 2008 R2.
Known issues for upgrading to Windows Server 2003
Before upgrading a server to Windows Server 2003, use the Winnt32.exe command-line tool with
the /checkupgradeonly parameter to identify potential upgrade problems such as inadequate
hardware resources or compatibility problems.
Two application compatibility problems you might need to resolve include the following:
Distributed File System (DFS) root shares are not supported if they are hosted on a file
allocation table (FAT) partition.
In Windows Server 2003, DFS root shares must be located on NTFS partitions with no files or
directories under the DFS link.
For more information about deploying DFS, see Designing and Deploying File Servers
(http://go.microsoft.com/fwlink/?LinkID=27928).
Windows 2000-based computers running Windows Deployment Services might cause errors
in a Windows Server 2003 Active Directory domain.
When using a Windows 2000-based Windows Deployment Services server in your
Windows Server 2003 Active Directory domain, you might receive the following error when
using the Client Installation Wizard:
"Unable to create or Modify Computer account"
Error: 00004E4F
This error occurs because Windows Server 2003 creates machine account objects differently
from Windows 2000. To prevent this error from occurring when creating machine accounts,
configure the Windows 2000-based Windows Deployment Services servers in your
environment to point to a domain controller running Windows 2000. This is done by adding
the DefaultServer registry parameter to the Windows 2000-based Windows Deployment
Services servers.
For more information about configuring optional registry parameters for the Boot Information
Negotiation Layer (BINL) service, see article 235979 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=106488).
You must remove the Windows 2000 Administration Tools Pack before upgrading to
Windows Server 2003. For more information about Windows 2000 administration tools and
upgrade issues, see article 304718 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=106490).
To identify potential upgrade and compatibility problems
Membership in the local Administrator account, or equivalent, is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
At the command line, connect to the I386 directory at your installation source, type the
following command, and then press ENTER:
winnt32 /checkupgradeonly
Parameter                   Description
winnt32 /checkupgradeonly   Checks your computer for upgrade compatibility with products in the
                            Windows Server 2003 family.
Performing the Upgrade of Active Directory Domains
To upgrade your Active Directory domains, complete the tasks in Checklist: Upgrade Tasks.
In this guide
Checklist: Upgrade Tasks
Prepare Your Infrastructure for Upgrade
Install Active Directory Domain Services on the Member Server That Runs Windows Server
2008 or Windows Server 2008 R2
Upgrade Existing Domain Controllers
Modify Default Security Policies
Update Group Policy Permissions
Perform Clean-up Tasks
Checklist: Upgrade Tasks
Complete the tasks in this checklist in the order in which they are presented. If a reference link
takes you to a conceptual topic, return to this checklist after you review the conceptual topic so
that you can proceed with the remaining tasks.
Checklist: Upgrade Tasks
Task                                                              Reference
Prepare your Active Directory infrastructure for upgrade.        Prepare Your Infrastructure for Upgrade
Install Active Directory Domain Services (AD DS) on a member     Install Active Directory Domain Services on the
server that runs Windows Server 2008 or Windows Server 2008 R2   Member Server That Runs Windows Server 2008 or
in the forest root domain.                                       Windows Server 2008 R2
Upgrade existing domain controllers.                             Upgrade Existing Domain Controllers
Modify default security policies as needed.                      Modify Default Security Policies
Update Group Policy permissions. (Note: This step is required    Update Group Policy Permissions
only if you are upgrading Windows 2000 Active Directory
domains.)
Perform clean-up tasks.                                          Perform Clean-up Tasks
Prepare Your Infrastructure for Upgrade
Preparing your Active Directory infrastructure for upgrade includes the following tasks:
Prepare the forest schema by running adprep /forestprep.
Prepare each domain where you want to install a domain controller that runs Windows
Server 2008 or Windows Server 2008 R2 by running adprep /domainprep /gpprep.
Prepare the forest for read-only domain controllers (RODCs), if you plan to install them, by
running adprep /rodcprep.
Important
Review the list of operations that Adprep.exe performs in Windows Server 2008, and test
the schema updates in a lab environment to ensure that they will not conflict with any
applications that run in your environment. There should not be any conflicts if your
applications use RFC-compliant object and attribute definitions. For a list of specific
operations that are performed when you update the Active Directory schema, see
Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS and
Windows Server 2008 R2: Appendix of Changes to Adprep.exe to Support AD DS.
For more information about running Adprep.exe, see Run Adprep commands.
Install Active Directory Domain Services on the Member Server That Runs Windows
Server 2008 or Windows Server 2008 R2
Install Active Directory Domain Services (AD DS) on a member server that runs Windows
Server 2008 or Windows Server 2008 R2 by using the Active Directory Domain Services
Installation Wizard (Dcpromo.exe). The member server should be located in the forest root
domain. After you install AD DS successfully, the member server will become a domain controller.
You can install AD DS on any member server that meets the domain controller hardware
requirements.
You can install AD DS using the Windows user interface (UI). The Windows UI provides two
wizards that guide you through the installation process for AD DS. One wizard is the Add Roles
Wizard, which you can access in Server Manager. The other wizard is the Active Directory
Domain Services Installation Wizard (Dcpromo.exe), which you can access in either of the
following ways:
When you complete the steps in the Add Roles Wizard, click the link to start the
Active Directory Domain Services Installation Wizard.
Click Start, click Run, type dcpromo.exe, and then click OK.
To install AD DS on a member server by using the Windows interface
Membership in the local Administrator account, or equivalent, is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Depending on the operating system installation options that you selected for the computer, the
local Administrator password might be blank or it might not be required. In this case, run the
following command at a command prompt before you start to install AD DS:
net user Administrator password /passwordreq:yes
Replace password with a strong password.
1. Click Start, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. If necessary, review the information on the Before You Begin page, and then click Next.
4. On the Select Server Roles page, select the Active Directory Domain Services check
box, and then click Next.
5. If necessary, review the information on the Active Directory Domain Services page,
and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close this wizard and launch the Active
Directory Domain Services Installation Wizard (dcpromo.exe).
8. On the Welcome to the Active Directory Domain Services Installation Wizard page,
click Next.
If you want to install from media, identify the source domain controller for AD DS
replication, or specify the Password Replication Policy (PRP) for an RODC as part of the
installation of the additional domain controller, click Use advanced mode installation.
9. On the Operating System Compatibility page, review the warning about the default
security settings for Windows Server 2008 domain controllers, and then click Next.
10. On the Choose a Deployment Configuration page, click Existing forest, click Add a
domain controller to an existing domain, and then click Next.
11. On the Network Credentials page, type the name of any existing domain in the forest
where you plan to install the additional domain controller. Under Specify the account
credentials to use to perform the installation, click My current logged on
credentials or click Alternate credentials, and then click Set. In the Windows Security
dialog box, provide the user name and password for an account that can install the
additional domain controller. To install an additional domain controller, you must be a
member of the Enterprise Admins group or the Domain Admins group. When you are
finished providing credentials, click Next.
12. On the Select a Domain page, select the domain of the new domain controller, and then
click Next.
13. On the Select a Site page, select a site from the list or select the option to install the
domain controller in the site that corresponds to its IP address, and then click Next.
14. On the Additional Domain Controller Options page, make the following selections, and
then click Next:
DNS server : This option is selected by default so that your domain controller can
function as a DNS server. If you do not want the domain controller to be a DNS
server, clear this option.
Note
If you select the option to install DNS server, you might receive a message
that indicates that a DNS delegation for the DNS server could not be created
and that you should manually create a DNS delegation to the DNS server to
ensure reliable name resolution. If you are installing an additional domain
controller in either the forest root domain or a tree root domain, you do not
have to create the DNS delegation. In this case, click Yes and disregard the
message.
Global Catalog: This option is selected by default. It adds the global catalog, read-
only directory partitions to the domain controller, and it enables global catalog search
functionality.
Read-only domain controller . This option is not selected by default. It makes the
additional domain controller read only.
15. If you selected Use advanced mode installation on the Welcome page, the Install
from Media page appears. You can provide the location of installation media to be used
to create the domain controller and configure AD DS, or you can have all the replication
done over the network. Note that some data will be replicated over the network even if
you install from media. For information about using this method to install the domain
controller, see Installing AD DS From Media.
16. If you selected Use advanced mode installation on the Welcome page, the Source
Domain Controller page appears. Click Let the wizard choose an appropriate
domain controller or click Use this specific domain controller to specify a domain
controller that you want to provide as a source for replication to create the new domain
controller, and then click Next. If you do not choose to install from media, all data will be
replicated from this source domain controller.
17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the
volume and folder locations for the database file, the directory service log files, and the
system volume (SYSVOL) files, and then click Next.
Windows Server Backup backs up the directory service by volume. For backup and
recovery efficiency, store these files on separate volumes that do not contain applications
or other nondirectory files.
18. On the Directory Services Restore Mode Administrator Password page, type and
confirm the restore mode password, and then click Next. This password must be used to
start AD DS in Directory Service Restore Mode (DSRM) for tasks that must be performed
offline.
19. On the Summary page, review your selections. Click Back to change any selections, if
necessary.
To save the settings that you have selected to an answer file that you can use to
automate subsequent Active Directory operations, click Export settings. Type the name
for your answer file, and then click Save.
When you are sure that your selections are accurate, click Next to install AD DS.
20. On the Completing the Active Directory Domain Services Installation Wizard page,
click Finish.
21. You can either select the Reboot on completion check box to have the server restart
automatically or you can restart the server to complete the AD DS installation when you
are prompted to do so.
For information about installing AD DS by using a command line or an answer file, see Installing
an Additional Domain Controller .
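The PowerShell script below is an added example and is not part of the Microsoft guide. It performs the same installation that steps 10 through 21 of the wizard describe (an additional domain controller in an existing domain, with the DNS server and global catalog options selected and the database, log and SYSVOL files on their own volumes) unattended, by writing a Dcpromo.exe answer file and running dcpromo /unattend. The domain name, site, account and volume paths are placeholders to replace. Because the answer file must hold the installer and Directory Services Restore Mode passwords in clear text, the script prompts for them, restricts the file to Administrators and SYSTEM while it exists, and deletes it before the restart.

```powershell
# Added example (not from the guide): unattended equivalent of wizard steps 10-21.
# Placeholders: corp.example.com, Default-First-Site-Name, D:\ and E:\ paths. Assumes
# Windows Server 2008 with PowerShell 2.0, run as an administrator on the member server.

$answerFile = Join-Path $env:TEMP 'dcpromo-replica.txt'
$installer  = Get-Credential 'CORP\upgradeadmin'   # Domain Admins or Enterprise Admins member
$dsrm       = Read-Host 'Directory Services Restore Mode administrator password' -AsSecureString

function ConvertTo-PlainText {
    param([System.Security.SecureString]$Secure)
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

# [DCInstall] keys mirror the wizard pages: deployment configuration, site, DNS server and
# global catalog options, file locations, DSRM password, restart behaviour.
$content = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
CreateDNSDelegation=No
ConfirmGc=Yes
; ReplicationSourceDC=existing-dc.corp.example.com   (advanced mode, step 16; optional)
DatabasePath="D:\NTDS"
LogPath="E:\NTDS"
SYSVOLPath="D:\SYSVOL"
UserDomain=$($installer.GetNetworkCredential().Domain)
UserName=$($installer.GetNetworkCredential().UserName)
Password=$($installer.GetNetworkCredential().Password)
SafeModeAdminPassword=$(ConvertTo-PlainText $dsrm)
RebootOnCompletion=No
"@

try {
    Set-Content -Path $answerFile -Value $content -Encoding ASCII
    # Only Administrators and SYSTEM may read the file while it exists
    icacls $answerFile /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
    dcpromo /unattend:$answerFile
    $exit = $LASTEXITCODE
}
finally {
    if (Test-Path $answerFile) { Remove-Item $answerFile -Force }   # never leave the passwords on disk
}

"dcpromo exit code: $exit. Review $env:SystemRoot\debug\dcpromo.log before restarting."
# Restart to complete the installation (wizard step 21):  Restart-Computer
```

RebootOnCompletion is set to No on purpose: it lets the answer file be removed and Dcpromo.log (listed in the test-plan table) be checked before the restart that makes the server a domain controller.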
Upgrade Existing Domain Controllers
When you upgrade the operating system on domain controllers, the computer immediately
assumes the role of domain controller after the final restart of the computer. It is not necessary to
install Active Directory Domain Services (AD DS) by using the Active Directory Domain Services
Installation Wizard (Dcpromo.exe).
Important
If you want to upgrade the operating system of a Windows 2000 domain controller to
Windows Server 2008, you must first perform an in-place upgrade of a Windows 2000
operating system to a Windows Server 2003 operating system. Then, perform an in-place
upgrade of this Windows Server 2003 operating system to a Windows Server 2008
operating system. A direct Windows 2000-to-Windows Server 2008 operating system
upgrade is not supported.
Important
The information in this guide also applies to Windows Server 2008 R2. If you want to
perform an in-place upgrade of the existing domain controllers running
Windows Server 2003 in the forest to Windows Server 2008 R2, remember that Windows
Server 2008 R2 is an x64-based operating system. If your server is running an x64-based
version of Windows Server 2003, you can successfully perform an in-place upgrade of
this computer's operating system to Windows Server 2008 R2. If your server is running
an x86-based version of Windows Server 2003, you cannot upgrade this computer to
Windows Server 2008 R2.
To initiate the installation of the Windows Server 2003 operating system on a Windows 2000-
based domain controller, insert the Windows Server 2003 operating system CD on the domain
controller. Or, if the Windows Server 2003 media are shared over the network, run the
Winnt32.exe command-line tool. You can also perform an unattended installation of
Windows Server 2003. Instructions for creating an answer file for an Active Directory installation
are located in the Deploy.cab file in the Support\Tools folder on the Windows Server 2003
operating system CD. Inside the Deploy.cab file, open Ref.chm to access the Unattend.txt file.
Expand Unattend.txt in the left pane, and then click DCInstall.
To initiate the installation of the Windows Server 2008 or Windows Server 2008 R2 operating
system on a Windows Server 2003-based domain controller, insert the operating system DVD on
the domain controller. Or, if the operating system installation media are shared over the network,
run the Setup.exe command-line tool.
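Before starting Setup.exe, it is worth confirming that the computer really is a domain controller and which target editions its architecture permits (the x86/x64 rule from the Important note above). The following pre-flight check is an added example, not part of the Microsoft guide; it assumes Windows PowerShell 2.0 is installed on the Windows Server 2003 domain controller and relies only on WMI and environment variables.

```powershell
# Added example (not from the Microsoft guide): pre-flight check for a
# Windows Server 2003 domain controller before an in-place upgrade. It confirms
# the computer is a domain controller and whether the running OS is x64, which
# decides whether Windows Server 2008 R2 is a valid target (an x86 installation
# can only be upgraded to Windows Server 2008). Requires Windows PowerShell 2.0.

function Get-DcUpgradePreflight {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $isDc = ($cs.DomainRole -eq 4 -or $cs.DomainRole -eq 5)

    # PROCESSOR_ARCHITEW6432 is set only for a 32-bit process on a 64-bit OS, so reading
    # both variables gives the OS architecture regardless of the PowerShell host's bitness.
    $arch = $env:PROCESSOR_ARCHITECTURE
    if ($env:PROCESSOR_ARCHITEW6432) { $arch = $env:PROCESSOR_ARCHITEW6432 }
    $isX64 = ($arch -eq 'AMD64')

    # Windows Server 2003 reports version 5.2.x; Windows 2000 reports 5.0.x.
    $version = [Version]$os.Version
    $is2003 = ($version.Major -eq 5 -and $version.Minor -eq 2)

    $targets = @()
    if ($is2003) {
        $targets += 'Windows Server 2008'
        if ($isX64) { $targets += 'Windows Server 2008 R2' }
    }
    if ($targets.Count -eq 0) {
        # Windows 2000 cannot go directly to Windows Server 2008 (see the guide's note).
        $targetText = 'none; upgrade to Windows Server 2003 first'
    } else {
        $targetText = $targets -join ', '
    }

    New-Object PSObject -Property @{
        ComputerName            = $cs.Name
        OperatingSystem         = "$($os.Caption) $($os.CSDVersion)".Trim()
        Architecture            = $arch
        IsDomainController      = $isDc
        SupportedInPlaceTargets = $targetText
    }
}

Get-DcUpgradePreflight | Format-List
```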
Unattended upgrade
You can also perform an unattended upgrade by using an answer file. For more information about
how to create a new answer file, see "Step 2: Building an Answer File" in the Windows Vista
Deployment Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=66066).
Here is a sample of an answer file that can be used to perform an unattended upgrade to
Windows Server 2008:
[The XML markup of the sample answer file did not survive extraction; only its element values
remain. The sample supplied a machine name, product key, user name and organization name, an
installation image named W2K8S, the EN-US language, a domain name, user name and user
password, and two RunOnce commands ("RunOnceItem0" and "Post Install Command Execute").]
After you create the answer file, use the following procedure to perform an unattended upgrade of
a Windows Server 2003-based domain controller.
To perform an in-place domain controller upgrade by using an answer file
Membership in the local Administrator account, or equivalent, is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Depending on the operating system installation options that you selected for the computer, the
local Administrator password might be blank or it might not be required. In this case, run the
following command at a command prompt before you start to install AD DS:
net user Administrator password /passwordreq:yes
Replace password with a strong password.
1. At the command prompt, type the following:
setup.exe /unattend:"path to the answer file"
2. Press ENTER.
Modify Default Security Policies
To increase security, domain controllers that run Windows Server 2008 and Windows
Server 2008 R2 require (by default) that all client computers attempting to authenticate to them
perform Server Message Block (SMB) packet signing and secure channel signing. If your
production environment includes client computers that run platforms that do not support SMB
packet signing (for example, Microsoft Windows NT® 4.0 with Service Pack 2 (SP2)) or if it
includes client computers that run platforms that do not support secure channel signing (for
example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify default security
policies to ensure that client computers running older versions of the Windows operating system
or non-Microsoft operating systems will be able to access domain resources in the upgraded
domain.
By modifying the settings of the default security policies, you are weakening the default
security policies in your environment. Therefore, we recommend that you upgrade your
Windows-based client computers as soon as possible. After all client computers in your
environment are running versions of Windows that support SMB packet signing and
secure channel signing, you can re-enable the default security policies to increase security.
To configure a domain controller to not require SMB packet signing or secure channel signing,
disable the following settings in the Default Domain Controllers Policy:
Microsoft network server: Digitally sign communications (always)
Domain member: Digitally encrypt or sign secure channel data (always)
Note
Back up the Default Domain Controllers Policy Group Policy object (GPO) before you modify it.
Use the Group Policy Management Console (GPMC) to back up the GPO so that it can be
restored, if necessary.
To disable SMB packet signing enforcement on domain controllers
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required
to complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains/Current
Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click
Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer
Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security
Options.
4. In the details pane, double-click Microsoft network server: Digitally sign
communications (always).
5. Verify that the Define this policy setting check box is selected, click Disabled to
prevent SMB packet signing from being required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller or
open a command prompt, type the following command, and then press ENTER:
gpupdate /force
Note
Modifying these settings in the Domain Controllers container will change
the Default Domain Controllers Policy. Policy changes that you make here
will be replicated to all other domain controllers in the domain. Therefore, you
only have to modify these policies one time to affect the Default Domain
Controllers Policy on all domain controllers.
To disable secure channel signing enforcement on domain controllers
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required
to complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains/Current
Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click
Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer
Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security
Options.
4. In the details pane, double-click Domain member: Digitally encrypt or sign secure
channel data (always), click Disabled to prevent secure channel signing from being
required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller or
open a command prompt, type the following command, and then press ENTER:
gpupdate /force
Note
Modifying these settings in the Domain Controllers container will change the
Default Domain Controllers Policy. Policy changes that you make here will
be replicated to all other domain controllers in the domain. Therefore, you
only have to modify these policies one time to affect the Default Domain
Controllers Policy on all domain controllers.
For more information about SMB packet signing and secure channel signing, see Appendix A:
Background Information for Upgrading Active Directory Domains.
By default, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 also
prohibit clients running non-Microsoft operating systems or Windows NT 4.0 operating systems from
establishing secure channels by using weak Windows NT 4.0-style cryptographic algorithms. Any
secure channel-dependent operation that is initiated by clients running older versions of the
Windows operating system or non-Microsoft operating systems that do not support strong
cryptographic algorithms will fail against a Windows Server 2008-based domain controller.
Until you are able to upgrade all of the clients in your infrastructure, you can temporarily relax this
requirement by modifying the following default domain policy setting on your domain controllers:
Allow cryptography algorithms compatible with Windows NT 4.0
To allow cryptography algorithms that are compatible with Windows NT 4.0
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required
to complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains/Current
Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click
Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer
Configuration/Administrative Templates: Policy definitions (ADMX files) retrieved from the
local machine/System/Net Logon.
4. In the details pane, double-click Allow cryptography algorithms compatible with
Windows NT 4.0, and then click Enabled.
Note
By default, the Not Configured option is selected, but, programmatically,
after you upgrade a server to Windows Server 2008 domain controller status,
this policy is set to Disabled.
To apply the Group Policy change immediately, either restart the domain controller or
open a command prompt, type the following command, and then press ENTER:
gpupdate /force
Note
Modifying these settings in the Domain Controllers container will change the
Default Domain Controllers Policy. Policy changes that are made here will
be replicated to all other domain controllers in the domain. Therefore, you
only have to modify these policies one time to affect the Default Domain
Controllers Policy on all domain controllers.
For more information, see Effects of netlogon cryptographic support changes in Windows
Server 2008 (http://go.microsoft.com/fwlink/?LinkId=106380). For more information about
additional security policy changes in Windows 7 and Windows Server 2008 R2, see Secure
default settings in Windows Server 2008 and Windows Server 2008 R2.
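Because the three relaxations above are meant to be temporary, a defender will want a quick way to see whether a domain controller is still running with any of them in place, and to take the GPO backup the guide recommends before editing the Default Domain Controllers Policy. The script below is an added example, not part of the Microsoft guide; it reads the registry values that back the three policy settings (the ADMX-based NT 4.0 setting is written under Software\Policies, while the Netlogon service also honors the value under its own Parameters key), and it assumes Windows PowerShell 2.0 on the domain controller, with the GroupPolicy module (Windows Server 2008 R2 or RSAT) available for Backup-GPO.

```powershell
# Added example (not from the Microsoft guide): audits the registry values behind
# the three policy settings this section discusses on the local domain controller,
# so a weakened setting left behind after client migration is visible.
# Requires Windows PowerShell 2.0; run in an elevated session on the DC.

function Get-SigningPolicyState {
    # One entry per policy setting: where the value lives and what its hardened value is.
    $checks = @(
        @{ Setting = 'Microsoft network server: Digitally sign communications (always)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name = 'RequireSecuritySignature'; HardenedValue = 1 },
        @{ Setting = 'Domain member: Digitally encrypt or sign secure channel data (always)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name = 'RequireSignOrSeal'; HardenedValue = 1 },
        # The ADMX policy writes under Software\Policies; the service key holds the non-policy value.
        @{ Setting = 'Allow cryptography algorithms compatible with Windows NT 4.0 (policy)'
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
           Name = 'AllowNT4Crypto'; HardenedValue = 0 },
        @{ Setting = 'Allow cryptography algorithms compatible with Windows NT 4.0 (service)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name = 'AllowNT4Crypto'; HardenedValue = 0 }
    )

    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -eq $null) {
            $value = $null
            $status = 'Not set (service default applies)'
        } else {
            $value = $item.($c.Name)
            if ($value -eq $c.HardenedValue) { $status = 'Hardened' } else { $status = 'WEAKENED' }
        }
        New-Object PSObject -Property @{
            Setting = $c.Setting; RegistryValue = "$($c.Path)\$($c.Name)"
            Value = $value; Status = $status
        }
    }
}

# Back up the Default Domain Controllers Policy before editing it, as the guide
# advises; Backup-GPO is in the GroupPolicy module (Windows Server 2008 R2 / RSAT).
function Backup-DefaultDcPolicy([string]$BackupPath) {
    Import-Module GroupPolicy
    if (-not (Test-Path $BackupPath)) { New-Item -ItemType Directory -Path $BackupPath | Out-Null }
    Backup-GPO -Name 'Default Domain Controllers Policy' -Path $BackupPath `
        -Comment "Pre-change backup $(Get-Date -Format s)"
}

Get-SigningPolicyState | Format-Table Setting, Value, Status -AutoSize
```

Run Backup-DefaultDcPolicy with a path on a protected volume before the first policy edit, and re-run Get-SigningPolicyState after the last legacy client is retired to confirm every row reads Hardened.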
Update Group Policy Permissions
Group Policy Modeling is a feature of the Group Policy Management Console (GPMC) that
simulates the resultant set of policy for a particular configuration. The simulation is performed by
a service that runs on domain controllers. To perform the simulation across domains, the service
must have read access to all Group Policy objects (GPOs) in the forest.
Note
The procedure in this topic is required only if you are upgrading Windows 2000
Active Directory domains. If you are upgrading Windows Server 2003 Active Directory
domains or creating a new domain with domain controllers that run Windows Server 2008
or Windows Server 2008 R2, the Enterprise Domain Controllers group will automatically
have read access to all newly created GPOs and all GPOs that were created before the
upgrade.
However, if the domain was upgraded from Windows 2000, the Enterprise Domain Controllers
group will not have read access to any existing GPOs that were created before the upgrade. The
GPMC detects this when you click a GPO, and then it notifies the user that the Enterprise Domain
Controllers group does not have read access to all GPOs in this domain. To solve this problem,
use the sample script named GrantPermissionOnAllGPOs.wsf that is provided with the GPMC.
This script will update the permissions on all GPOs in the domain. To download GPMC sample
scripts (including GrantPermissionOnAllGPOs.wsf), see Group Policy Management Console
Sample Scripts (http://go.microsoft.com/fwlink/?LinkId=106342). After the download is complete,
the %programfiles%\Microsoft Group Policy\GPMC Sample Scripts folder will be created.
To update permissions on all GPOs in a domain
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
1. At a command prompt, type the following, and then press ENTER:
cd /d %programfiles%\Microsoft Group Policy\GPMC Sample Scripts
2. Type the following, and then press ENTER:
Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /permission:read /domain:DNSDomainName /Replace
Using the Replace switch removes existing permissions for the group or user before
making the change. If a group or user is already granted a permission type that is higher
than the new permission type, and you do not specify Replace, no change is made.
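Before and after running GrantPermissionOnAllGPOs.wsf, it is useful to enumerate exactly which GPOs the Enterprise Domain Controllers group cannot read, rather than relying on the GPMC warning appearing when a GPO is clicked. The following audit is an added example, not part of the Microsoft guide or the GPMC sample scripts; it assumes the GroupPolicy module (Windows Server 2008 R2 or RSAT) and a domain-logged-on session so that $env:USERDNSDOMAIN names the domain. Remediation is left to the .wsf script above.

```powershell
# Added example (not from the Microsoft guide): lists the GPOs in a domain on
# which the Enterprise Domain Controllers group lacks read access, which is the
# condition the GPMC warns about after an upgrade from Windows 2000.
# Requires the GroupPolicy module (Windows Server 2008 R2 or RSAT).

Import-Module GroupPolicy

function Get-GpoMissingEdcRead {
    param([string]$DomainName = $env:USERDNSDOMAIN)   # assumes a domain logon

    # GPPermissionType levels that include read access. GpoCustom is deliberately not
    # listed, so a custom ACE is reported for manual inspection rather than assumed safe.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All -Domain $DomainName) {
        # Get-GPPermission raises a non-terminating error when the trustee has no ACE at all,
        # which for this check simply means "no permission".
        $perm = Get-GPPermission -Guid $gpo.Id -DomainName $DomainName `
                    -TargetName 'Enterprise Domain Controllers' -TargetType Group `
                    -ErrorAction SilentlyContinue
        $level = if ($perm) { [string]$perm.Permission } else { 'None' }
        if ($readLevels -notcontains $level) {
            New-Object PSObject -Property @{
                DisplayName   = $gpo.DisplayName
                Id            = $gpo.Id
                Created       = $gpo.CreationTime
                EdcPermission = $level
            }
        }
    }
}

$missing = @(Get-GpoMissingEdcRead)
if ($missing.Count -eq 0) {
    Write-Host 'Enterprise Domain Controllers has read access to every GPO in the domain.'
} else {
    Write-Host "$($missing.Count) GPO(s) lack Enterprise Domain Controllers read access:"
    $missing | Format-Table DisplayName, Created, EdcPermission -AutoSize
}
```

GPOs with a CreationTime earlier than the upgrade date are the ones the guide says to expect in this list; anything created afterwards that still appears warrants a closer look at how it was created.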
Perform Clean-up Tasks
After upgrading your Active Directory infrastructure to Active Directory Domain Services (AD DS),
perform the following clean-up operations:
After the security descriptor propagator has finished building the single-instance store,
perform an offline defragmentation of the database on each upgraded domain controller. This
reduces the size of AD DS on the file system by up to 40 percent, reduces the memory
footprint, and updates pages in the database to the new format. For more information, see
Compact the directory database file (offline defragmentation)
(http://go.microsoft.com/fwlink/?LinkID=106343).
Note
This task is relevant only when you are performing an in-place upgrade from
Windows 2000 to Windows Server 2003. If you are upgrading a Windows 2000
domain controller to Windows Server 2008 (which requires an in-place upgrade
from Windows 2000 to Windows Server 2003, followed by an in-place upgrade
from Windows Server 2003 to Windows Server 2008), we recommend that you
perform this task after your domain controller is upgraded to
Windows Server 2003.
Create a new System State backup for at least two domain controllers in your environment.
For more information about backing up AD DS, see the AD DS Backup and Recovery Step-
by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=93077). Be sure to label all backup
tapes with the operating system version that the domain controller is running, including
service packs and hotfixes.