Migration from Windows 2003 to Windows 2008


Upload: umesh-chavan

Post on 15-Oct-2014


Page 1: Migration From Windows 2003 to Windows 2008

In-place upgrading

Windows Server 2003 and Windows Server 2003 R2 can both be upgraded in-place to Windows Server 2008, as long as you keep the following in mind:

The Windows Server 2003 patch level should be at least Service Pack 1

You can't upgrade across architectures (x86, x64 & Itanium)

Standard Edition can be upgraded to both Standard and Enterprise Edition

Enterprise Edition can be upgraded to Enterprise Edition only

Datacenter Edition can be upgraded to Datacenter Edition only

This might be your preferred option when:

Your Active Directory Domain Controllers can still last three to five years (economically and technically)

You worked hard to get your Active Directory in the shape it's in.

Your servers are in tip-top shape.

Transitioning

Migrating this way means adding Windows Server 2008 Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window. Transitioning is possible for Active Directory environments whose domain functional level is at least Windows 2000 Native.

 

I feel transitioning is the middle road between the two other ways to migrate to Windows Server 2008:

Restructuring means filling a new Active Directory from scratch

In-place upgrading means you're stuck with the same hardware and limited to certain upgrade paths

Transitioning means you get to keep your current Active Directory lay-out, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.

Transitioning is good when:

You worked hard to get your Active Directory in the shape it's in.

Your servers are faced with aging.

In-place upgrading leaves you with an undesired outcome (for instance 32bit DC's)

You need a chance to place your Active Directory files on different partitions/volumes.

When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. That's why I wrote this useful piece of information.

Restructuring

A third way to go from Windows Server 2003 Domain Controllers to Windows Server 2008 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2008) domain. Tools like the Active Directory Migration Tool (ADMT) are priceless in this kind of migration.

Restructuring is good when:

Your current Active Directory environment is a mess or is uncontrollable

You want to build a new Active Directory environment and import (pieces of) your existing Active Directory environment.

You need to merge (information from)(domains from) two Active Directory forests together

You need to split (information from)(domains from) two Active Directory forests

Hello folks,

I am in testing phase for migrating from 2003 domain to new 2008 R2 domain (completely new domain). In the past I had used ADMT tool to migrate users, computers, profiles and password from NT to 2003. I have two domains, one is 2003 and the other one the new 2008R2, and have a two way trust between them. I tried to install ADMT v3.1 tool in windows 2008 R2 domain but it always complains "The Active Directory Migration Tool V3.1 must be installed on windows server 2008" and I am installing in 2008R2 server. Is it a bug or is there a workaround for this? Any tips/help ideas would be great.

Ans :- The ADMT 3.1 tool will not work with Windows 2008 R2. Microsoft is currently taking applications for ADMT 3.2 that will work with 2008 R2. If you want to move to a new 2008 domain it is a multi-step process, but is pretty easy.

1) Create a new Windows 2008 domain with Windows 2008 64bit DC's and a 2008 domain level

2) Use ADMT 3.1 to move AD items to this new domain

3) Once the move is complete upgrade your servers or install new Windows 2008 R2 DC's as part of your domain

4) Transfer the roles and then demote/remove the old 2008 DC's

5) Bring your new domain to 2008 R2 function once the 2008 DC's are gone

Just plan and test it first and you should be good.

Good Migrations: How To Move To Windows Server 2008


All right, let's get this out of the way: server migration of any kind is fraught with the potential for headaches, trial and error, incompatibilities and worse. Expect the same when migrating environments to Microsoft (NSDQ:MSFT)'s just-launched Windows Server 2008. Questions have emerged, such as how to upgrade existing servers to Server 2008 without breaking Exchange. Breaking Exchange? Yes, even Microsoft's own flagship enterprise e-mail technology could be a nightmare to migrate to the new platform if best practices aren't observed. Nevertheless, it is possible to migrate environments from Server 2003 to Server 2008. It's not easy, but it can be done successfully.

The CRN Test Center examined Server 2008 in the lab to develop a better understanding of migration issues specific to the platform. The Test Center also called on Carl Mazzanti, CEO of eMazzanti Technologies, a Hoboken, N.J.-based VAR who has already begun successfully migrating customers to the Server 2008 platform, to find out how he's done it.

First, though, a note about Server 2008: Microsoft plans to closely integrate the platform with Hyper-V, which is still in beta testing for the next few months. In the Test Center, though, it's been a surprisingly useful, stable piece of technology. It has an insatiable thirst for memory, though, so even though it's not yet officially supported by Microsoft, VARs will need to keep hardware requirements top-of-mind as they enter this process. For now, here are five steps toward making life easier during Windows Server 2008 migration:

Assessment and Hardware Planning

Although there is a 32-bit version of Windows Server 2008, it won't support Hyper-V virtualization. Also, there's no migration path from 32-bit Server 2008 to 64-bit Server 2008—if VARs install the 32-bit version, they can't upgrade that server to the 64-bit version later on. Clearly, Microsoft is bent on kicking the market into 64-bit waters in one shot with Server 2008. That puts a clear wrinkle into migration planning for some enterprises and that means almost all enterprise assessments will need to take this into consideration. To help with that assessment, Microsoft has re-launched its Microsoft Assessment and Planning Solution Accelerator, originally deployed to the market for Windows Vista.

MAP needs to be run on at least the .NET 2.0 Framework, and the software tool supports Server 2008, Server 2003 SP2, Windows Vista and Windows XP. MAP is, at its core, an inventory collection tool and database; installation calls for deployment of SQL Server 2005 Express (it installs the light database on command if it's not already on the system).

The network assessment function in MAP is wizard-based and uses SNMP and Windows server protocols to evaluate hardware on the network that is capable of supporting Server 2008. The Test Center installed and ran MAP on virtual Server 2003 SP2 and Vista environments on the same network. It worked quicker on a Vista PC on the network. The conundrum of running MAP on Server 2008 is that it won't run on the 64-bit version of Server 2008, only a 32-bit version—not the most efficient way to deploy MAP. But the tool does its job on Vista and Server 2003 SP2 and can speed up the inventory and assessment process to give VARs additional time for other tasks.

Like with the Vista roll-out, Microsoft makes the entire migration process a lot easier for those deploying systems with Server 2008 factory-installed over those upgrading the software on the same box. For some VARs, system builders and their customers, it might provide the "here we go again" feeling of aggravation much of the market has felt with Vista migration.

Mazzanti said almost all of the deployment of Server 2008 he has done in its early stage has been with brand-new hardware. That may be more practical in many cases than trying to get one more year out of that old box in the back room. In any event, though, he said, memory can't be ignored.

"We maxed it out," Mazzanti said. "Exchange 2007 will use as much memory as you give it." In most cases, maxing out means 32 Gbytes of memory.

Staging

Solution providers that work the kinks out first during a virtual migration, before they start an actual migration, will avoid much aggravation.

"We staged each migration before doing it live," Mazzanti said. Each migration, Mazzanti said, was performed in a virtual environment first using either Microsoft Virtual Server 2005 R2 or VMware, depending on the customer's resources and environment.

A critical task during the staged migrations, he found, was also a simple one: reading. "For Windows Server 2008, you have to read the manual," Mazzanti said.

Hardware, security, compatibility—all can be played with during a virtual, staged migration with details specific to a customer's infrastructure and needs. Checklists can be written, procedures verified.

Exchange

Not every enterprise runs Exchange as its e-mail and messaging solution. But Exchange as an element of Server 2008 migration warrants its own special step here because of the potential for disaster. Microsoft has said that if you upgrade a box that runs Exchange 2007 SP1, from Server 2003 to Server 2008, you risk breaking Exchange. Here's what Microsoft says you should do, in its own words:

"When upgrading stand-alone servers, it is not supported to upgrade your operating system to Windows Server 2008 and then upgrade Exchange 2007 to SP1. It is also not supported to upgrade Exchange 2007 to SP1 and then upgrade your operating system to Windows Server 2008. To deploy Exchange 2007 SP1 on Windows Server 2008, you must install Windows Server 2008 on a computer that does not have Exchange installed, and then install Exchange 2007 SP1.

"For clustered mailbox servers, Exchange SP1 introduces support for clustered mailbox servers running on Windows Server 2008. However, as a result of the significant changes introduced in Windows Server 2008 failover clusters (called server clusters in previous versions of Microsoft Windows), rolling upgrades of a failover cluster from Windows Server 2003 to Windows Server 2008 are not possible. Therefore, to upgrade a clustered mailbox server from Windows Server 2003 to Windows Server 2008, you must build a new failover cluster using Windows Server 2008 as the operating system for all nodes, and then migrate the data from the old cluster to the new cluster." Got all that?

Installation

Microsoft has changed the installation procedure for Server 2003. Windows services are now kept on a hidden partition. Unlike with Server 2008 and previous server operating systems, not all services are installed at once—with the administrator left to disable the services that aren't required. It's just the opposite: No services are installed by default; the administrator is then left to enable each service, one at a time, as needed.

That's good, in that installations can be done in a fraction of the time it took to install previous operating systems. But it also means that administrators will need to more closely manage each server's services after installation. Mazzanti told CRNtech that writing PowerShell scripts for a number of the functions required for server deployment, and then re-using them, made his migration much easier, since he did not have to re-invent the wheel for each server function.

Hyper-V

If Server 2008 was a Broadway production, Hyper-V would get the biggest dressing room. It's the star of the show, even though it won't officially launch until later this year.

But that doesn't mean it shouldn't factor into migration planning and actual migration, since the beta is available now and, as mentioned earlier, testing has shown it to be somewhat stable. Using Hyper-V along with System Center Virtual Machine Manager, subsequent migrations (or consolidations or disaster recovery deployments or new test beds) can be performed using Hyper-V itself. To do this, Microsoft has created a "quick migration" capability—allowing an administrator to create a server with client services in a virtual machine on a physical host, and then move that server to another physical host by re-writing the memory. In that case, the migration could be done in seconds—or the time it takes to write memory to disk.

In this case, once the migration from Server 2003 or earlier environments is done to Server 2008, the next generation of server migrations should be a snap.

As long as everyone reads the manual.

Migration of DHCP Server from Windows Server 2003 to Windows Server 2008

teamdhcp

18 Feb 2009 6:34 AM

The Microsoft product support team often encounters migrated DHCP servers which are dysfunctional. The reason for the bad state of the DHCP server is quite often that customers have used backup/restore to migrate the DHCP server across server versions (e.g. migrating from Windows Server 2003 DHCP to Windows Server 2008). Backup and Restore are not expected to work across server versions as the DHCP database format has changed between Windows Server 2003 and Windows Server 2008.

The recommended procedure for DHCP server migration is to use the export and import commands through netsh. The following is the procedure for migrating a DHCP server from Windows Server 2003 to Windows Server 2008, outlined in brief:

Export the DHCP database from the server that is running Microsoft Windows Server 2003

To migrate a DHCP database and configuration from a server that is running Windows Server 2003 to another server that is running Windows Server 2003:

1. Log on to the source DHCP server by using an account that is a member of the local Administrators group or the DHCP Administrators group

2. Click Start, click Run, type cmd in the Open box, and then click OK.

3. Type netsh dhcp server export C:\dhcpdatabase.dat all, and then press ENTER.

Note: While the export command runs, DHCP server is stopped and does not respond to clients seeking new leases or lease renewals.

At the end of this step, you will have the DHCP configuration as well as address lease information exported into the dhcpdatabase.dat file. You can now stop the DHCP service on the source server.

Install the DHCP server service on the server that is running Windows Server 2008

To install the DHCP Server service on an existing Windows Server 2008 computer:

1. Start Server Manager.

2. Click on Add Roles.

3. Select the DHCP server role and press Next.

4. Click through the next sequence of screens of the installation wizard to complete the DHCP server installation. You should not authorize the DHCP server at this point.

Import the DHCP database

1. Log on as a user who is a member of the local Administrators group or DHCP administrators group.

2. Copy the exported DHCP database file to the local hard disk of the Windows Server 2008 computer.

3. Verify that the DHCP service is started on the Windows Server 2008 computer.

4. Click Start, click Run, type cmd in the Open box, and then click OK.

5. At the command prompt, type netsh dhcp server import c:\dhcpdatabase.dat all, and then press ENTER, where c:\dhcpdatabase.dat is the full path and file name of the database file that you copied to the server.

6. After you receive the message that the command completed successfully, quit the command prompt.

Authorize the DHCP server

1. Click Start, point to All Programs, point to Administrative Tools, and then click DHCP. You must be logged on to the server by using an account that is a member of the Administrators group. In an Active Directory domain, you must be logged on to the server by using an account that is a member of the Enterprise Administrators group.

2. In the console tree of the DHCP snap-in, expand the new DHCP server. If there is a red arrow in the lower-right corner of the server object, the server has not yet been authorized.

3. Right-click the server object, and then click Authorize.

4. After several moments, right-click the server again, and then click Refresh. A green arrow indicates that the DHCP server is authorized.

While the netsh export command exports the lease database as well as the configuration of the DHCP server, the DHCP server registry settings are not handled by export/import. Attached with this post is a tool which will help you migrate all the DHCP configuration including the registry settings. Type dhcmpmig -help for usage information on the tool.

The scripted tool (bat file) is provided on an "as is" basis and not supported by Microsoft.
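The export and import steps above as a script, written here as an added example (it is not the tool attached to the original post and not Microsoft code). It assumes PowerShell 2.0 or later and an elevated prompt on both servers; the function names, and the practice of carrying a SHA-256 digest of the export file from source to target, are choices made for this example.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumes PowerShell 2.0+ and an elevated prompt on each server.

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Resolve to a full path: .NET file APIs ignore PowerShell's current location.
    $full   = (Resolve-Path -Path $Path).ProviderPath
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($full)
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '') }
    finally { $stream.Dispose() }
}

# Run on the Windows Server 2003 source. Clients get no leases while this runs.
function Export-DhcpForMigration {
    param([string]$ExportFile = 'C:\dhcpdatabase.dat')

    if (Test-Path -Path $ExportFile) {
        throw "$ExportFile already exists; refusing to overwrite an earlier export."
    }
    & netsh dhcp server export $ExportFile all
    if ($LASTEXITCODE -ne 0) { throw "netsh export failed with exit code $LASTEXITCODE" }

    # Do not rely on the exit code alone: confirm the file was really written.
    if (-not (Test-Path -Path $ExportFile) -or (Get-Item -Path $ExportFile).Length -eq 0) {
        throw "Export reported success but $ExportFile is missing or empty."
    }
    # Record this digest and carry it to the target separately from the file.
    return (Get-Sha256Hex -Path $ExportFile)
}

# Run on the Windows Server 2008 target, before the server is authorized.
function Import-DhcpFromMigration {
    param(
        [Parameter(Mandatory = $true)][string]$ExpectedSha256,
        [string]$ImportFile = 'C:\dhcpdatabase.dat'
    )
    # The file holds the full scope configuration and lease data; import it only
    # if it is byte-for-byte what the source server exported.
    $actual = Get-Sha256Hex -Path $ImportFile
    if ($actual -ne $ExpectedSha256.Trim()) {
        throw "Digest mismatch for $ImportFile; copy it again from the source server."
    }

    # Import step 3: the DHCP service must be started before the import.
    $svc = Get-Service -Name 'DHCPServer'
    if ($svc.Status -ne 'Running') {
        throw "DHCP Server service is $($svc.Status); start it before importing."
    }

    & netsh dhcp server import $ImportFile all
    if ($LASTEXITCODE -ne 0) { throw "netsh import failed with exit code $LASTEXITCODE" }
    return $true
}

# Source:  $digest = Export-DhcpForMigration
# Target:  Import-DhcpFromMigration -ExpectedSha256 '<digest recorded on the source>'
```

Authorization in Active Directory stays a separate, manual step after the import has succeeded, as in the procedure above.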

Migrating Windows Certificate Authority Server from Windows 2003 Standard to windows 2008 Enterprise Server

Posted by Krishna - MVP on January 16, 2010

Migrating Windows Certificate Authority Server from Windows 2003 Standalone on DC to Windows 2008 Enterprise Server. There are various advantages to installing the CA on Windows 2008 Server: Windows 2008 Server supports v1, v2 and v3 certificate templates, and a Windows 2008 R2 Enterprise CA server also supports cross-forest certificates. The article below helps you migrate the CA from Windows 2003 Standard Edition to Windows 2008 Enterprise Edition.

Moving Certificate Server in Simple Steps

1. Perform System State backup on Source CA Server

2. Backup CA from CA Console

3. Backup CA registry Configuration

4. Uninstall CA from the Source Server using Add remove programs

5. Install the CA as Role on the target Windows 2008 computer using existing certificate key

6. Restore the CA database on the target CA

7. Import the CA Registry configuration on the target CA

8. Complete post-migration tasks

Perform  System State backup on Source CA

1. Log in to Source server and Take System State backup using Ntbackup to C:\CertBackup

Backup CA from CA Console

1. Open the Certification Authority snap-in

2. Right-click the node with the CA name, point to All Tasks, and then click Back Up CA.

3. On the Welcome page of the CA Backup wizard, click Next. On the Items to Back Up page, select the Private key and CA certificate and Certificate database and certificate database log check boxes, enter the backup location, and then click Next

4. On the Select a Password page, enter a password to protect the CA private key and click Next.

5. On Completing the Backup Wizard page, click Finish.

6. This will create files in C:\Certbackup

Ef.com.p12

Database

Backup CA registry Configuration

1.   Click Start, point to Run, and type regedit to open the Registry Editor.

2.   In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, right-click Configuration, and then click Export.

3.   Enter a location and file name, and then click Save. This creates a .reg file with the registry configuration information for your CA.

UnInstall CA from the Server using Add remove programs

1. Go To Add remove programs -> Add remove Windows components -> click on Certificate Services and uncheck on Certificate Services CA and Certificate Services Web Enrollment Support

Install the CA as Role on the target computer using existing certificate key

1. Install new Windows 2008 Enterprise Edition Server

2. Open Server Manager and Add New Role

3. Select Active Directory Certificate Services

4. Select Certificate Authority and Next

5. Select Enterprise CA and Next

6. Use Existing Private Key as shown below and select Select a certificate and use its associated private key and Next

7. Click on the Browse button to search the folder containing the certificate and private key which you exported from the Source computer

8. Enter the password which was used to export

9. Next, Next and click on Install

Restore the CA database on the target CA

1. Open the Certification Authority snap-in.

2. Right-click the node with the CA name, point to All Tasks, and then click Restore CA. Click OK to confirm stopping the CA service.

3. In the CA Restore wizard, on the Welcome page, click Next.

4. On the Items to Restore page, select Certificate database and certificate database log. Click Browse, and navigate to the location of the Database folder that contains the CA database export files created when you previously exported the CA database.

5. Enter the password you used to export the CA database from the source CA, if a password is requested.

6. Click Finish, and then click Yes to confirm restarting the CA.

Import the CA registry configuration on the target CA.

1. Double-click the registry file which you exported from the source server to import it into the server, and click Yes to confirm.

Complete post-migration tasks

Updating CRL Distribution Point and Authority Information Access Extensions

1. Log in to the new Windows 2008 CA server

2. Open Certificate MMC

3. Right click on the CA and click on Extension and click on ADD and add the below line by changing SourceServername.

ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=SourceServername,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

4. Check Publish CRLs to this location

5. Publish Delta CRLs to this location

6. Apply and OK

7. Verify the CA can publish CRLs to the new location.


8. Open the Certification Authority snap-in.

9. Right-click Revoked Certificates, point to All Tasks, and click Publish.

10. Click either New CRL or Delta CRL only, and click OK.

To verify ACLs on the AIA and CDP containers

1. Log in to the DC and open Active Directory Sites and Services

2. On the console click on the top node

3. Click View and Show Services node

4. You will find the Services folder on the left; expand it to reach Public Key Services as shown below

5. Expand Public Key Services

6. click AIA folder and In the details pane, select the name of the source CA.

7.  On the Action menu, click Properties.

8.  Click the Security tab, and then click Add.

9.  Click Object Types, click Computers, and then click OK.

10. Type the host name of the target CA, and click OK.

11. In the Allow column, select Full Control, and click OK.

12. In the left pane, select CDP and the host name of the source CA.


13. In the details pane, select the first CRL object.

14. On the Action menu, click Properties, and then click the Security tab.

15. In the list of permitted group or user names, select the name of the source CA, click Remove, and then click Add.

16. Click Object Types, select Computers, and then click OK.

17. Type the host name of the target CA, and click OK.

18. In the Allow column, select Full Control, and then click OK.

19.     In the details pane, select the next CRL object, and repeat steps 14 through 18 until you have reached the last object.

Verifying Registry

1. Verify that CAServerName is a registry string value located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ registry key. It should be updated to represent the DNS or the host of the new CA host.

2. Verify that CACertPublicationURLs and CRLPublicationURLs are both registry multi-string values located under the same key as CAServerName.

3.  Check the remaining registry values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc registry key, with emphasis on any values that have been customized to ensure that they are free of data containing the old CA host name or other invalid CA settings. For example:

Configuration\ConfigurationDirectory

Configuration\CAName\CACertFilename
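The three registry checks above can be run as one pass over the CertSvc key on the target CA. This is an added example, not part of the original article: the function name and its parameters are hypothetical, and it assumes PowerShell 2.0 or later running elevated.

```powershell
# Added example, not from the original article. Names below are hypothetical.
function Test-MigratedCaRegistry {
    param(
        [Parameter(Mandatory = $true)][string]$OldHostName,   # source CA host
        [Parameter(Mandatory = $true)][string]$NewHostName,   # target CA host
        [string]$RootPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc'
    )
    $findings   = @()
    $oldPattern = [regex]::Escape($OldHostName)
    $noExpand   = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    # Checks 1 and 2: every CA key under Configuration that carries CAServerName.
    foreach ($ca in Get-ChildItem -Path (Join-Path $RootPath 'Configuration')) {
        $names = @($ca.GetValueNames())
        if ($names -notcontains 'CAServerName') { continue }

        # Accept either the short host name or its DNS name.
        $server = [string]$ca.GetValue('CAServerName')
        if ($server -ne $NewHostName -and $server -notlike "$NewHostName.*") {
            $findings += "CAServerName is '$server', expected $NewHostName ($($ca.Name))"
        }
        foreach ($multi in @('CACertPublicationURLs', 'CRLPublicationURLs')) {
            if ($names -notcontains $multi) {
                $findings += "$multi is missing ($($ca.Name))"
            } elseif ($ca.GetValueKind($multi).ToString() -ne 'MultiString') {
                $findings += "$multi is not a multi-string value ($($ca.Name))"
            }
        }
    }

    # Check 3: any string data under CertSvc that still names the old host.
    $keys = @(Get-Item -Path $RootPath) + @(Get-ChildItem -Path $RootPath -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name).ToString()
            if (@('String', 'ExpandString', 'MultiString') -notcontains $kind) { continue }
            # A multi-string value comes back as string[]; test each entry.
            foreach ($entry in @($key.GetValue($name, $null, $noExpand))) {
                if ($entry -match $oldPattern) {
                    $findings += "Old host name in $($key.Name)\$($name): $entry"
                }
            }
        }
    }
    return $findings
}

# Example call (host names are placeholders):
# Test-MigratedCaRegistry -OldHostName 'OLDCA01' -NewHostName 'NEWCA01'
```

The CDP location added earlier in this procedure deliberately contains the source server name, so a finding under CRLPublicationURLs for that entry is expected; every other hit needs a decision.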

Migrating Active Directory Domain Controller from Windows Server 2003 to Windows Server 2008

Published : September 05, 2009

Last Updated : September 05, 2009

     Introduction

Most people are running their Active Directory Domains now on Windows Server 2003 or Windows Server 2003 R2, and want to upgrade their domain controllers to Windows Server 2008 to benefit from the new features that Windows 2008 AD offers. In a previous article, I have shown you how to perform an In-Place Upgrade from W2K3 DC to Windows Server 2008. In today's article, I will be showing how to migrate your Active Directory Domain Controller from Windows Server 2003 to Windows Server 2008 on a new hardware server.

In my lab, I have the following:

MACHINE NAME | DESCRIPTION | SERVICE PACK LEVEL | IP Address | Architecture

ELMAJ-DC | A Windows Server 2003 Standard Edition with Service Pack 2. This is the domain controller in my lab that I intend to migrate. | SP2 | 192.168.1.2 | X86

ELMAJ-DC2k8 | A Windows Server 2008 Enterprise Edition. This is the machine I intend to setup as my new domain controller that will replace ELMAJ-DC | SP1 | 192.168.1.3 | X64

In a nutshell, we will perform the following:

1. Raise Domain Functional Level

2. Prepare your current Windows 2003 Active Directory for Windows Server 2008 domain controllers.

3. Then, we will need to setup the server ELMAJ-DC2K8 as an additional domain controller, read my previous article Setting Up an Additional Domain Controller With Windows Server 2008 to know the steps required to setup an additional domain controller.


4. Transfer FSMO roles to the Windows Server 2008 Domain Controller

 

So let's start:

1. Raise Domain Functional Level

We need to configure the domain to run in native mode, this is done by:

On the Windows Server 2003 Domain Controller, run the Active Directory Users and Computers snap-in by clicking on Start > Administrative Tools > Active Directory Users and Computers

Right Click the Domain Name node, then click on Raise Domain Functional Level

If you have Windows 2000 Active Directory domain controllers then choose Windows 2000 native. If you do not have any Windows 2000 Active Directory domain controllers and all of your domain controllers are Windows Server 2003, then choose Windows Server 2003. I don't have any Windows 2000 Active Directory domain controllers, so using the drop down list, I will select Windows Server 2003 and then click the Raise button.

A warning message will be displayed, informing you that the changes cannot be reversed. Click OK

A confirmation message will be displayed stating that the functional level was raised successfully. Click OK

Close the Active Directory Users and Computers snap-in

 


2. Prepare current Windows 2003 Active Directory

Before you can have a 2008 server domain controller in your existing 2003 domain, we will need to prepare both the Forest Level and the Domain level, this is done by running the following commands on the Windows Server 2003 Domain Controller.

Insert the Windows Server 2008 DVD inside the Windows Server 2003 DVD drive

Open Command Prompt, this is done by clicking on Start > Run > type CMD > click OK

Type D:\sources\adprep\adprep /forestprep (Where D: is the drive of your Windows 2008 DVD)

Press Enter

Read the warning message. In my lab I don't have any Windows 2000 Active Directory Domain Controllers, so I can simply skip this by typing C and then pressing Enter. Otherwise, quit the Forest Preparation step and upgrade the Windows 2000 Active Directory Domain Controller(s) to SP4, then run forestprep again.

After Forest preparation is completed successfully, run the Domain preparation command

Inside CMD, type D:\sources\adprep\adprep /domainprep (Where D: is the drive of your Windows 2008 DVD)

If you have not raised the Domain Functional Level from Windows 2000 Mixed to Windows 2000 Native or Windows 2003 as was illustrated earlier in step # 1, then you will receive the following error message after you run the domainprep command:

If you did raise the domain functional level, adprep will successfully update the domain-wide information

Although adprep /domainprep will update the domain-wide information, you can still run the last command adprep /domainprep /gpprep

Inside CMD, type D:\sources\adprep\adprep /domainprep /gpprep  (Where D: is the drive of your Windows 2008 DVD)

As you can see, domain-wide information had already been updated when we ran the domainprep command, so no Group Policy Object (GPO) updates are needed, or GPO information has already been updated.

3. Setting Up an Additional Domain Controller with Windows Server 2008

Now that Windows Server 2003 Active Directory has been prepared for Windows Server 2008 Domain Controllers, it's time to Set Up an Additional Domain Controller With Windows Server 2008 and set it as a Global Catalog. If you already have an additional Windows Server 2008 domain controller and you want to check if it is a Global Catalog or not, then check my article Setting a Windows Server 2008 Domain Controller as a Global Catalog

4. Transfer FSMO roles to the Windows Server 2008 Domain Controller

The last step in migrating a domain controller, is transferring the FSMO roles to the new domain controller. I have covered this part in a detailed step by step article, check it here : Transferring FSMO Roles in Windows Server 2008

 

With all the previous four major steps, you will successfully be able to migrate your old Windows Server 2003 Domain controller to Windows Server 2008. 

 

Summary

Upgrading a Windows Server 2003 domain controller to a Windows Server 2008 domain controller is an easy process if you follow the required steps carefully. The process consists of four major steps: raising the domain level, preparing Active Directory for Windows Server 2008 domain controllers, setting a Windows Server 2008 as an additional global catalog domain controller and then transferring the FSMO roles. Now, you can simply demote the Windows Server 2003 domain controller, if you no longer need it.

 

etting Up an Additional Domain Controller With Windows Server 2008

Published : February 17, 2008

Last Updated : February 17, 2008

Introduction

In a previous article, we have set up our first Active Directory Domain Services (AD DS) using Windows Server 2008. In this article, we are going to see how to set up an Additional Domain Controller for AD DS replication.

To set up an Additional Domain Controller, I will use the dcpromo.exe command.

1. To use the command, click Start > Run, type dcpromo, and then click OK.

2. The system will check whether the Active Directory Domain Services (AD DS) binaries are installed, and then start installing them. The binaries may already be installed if you ran the dcpromo command previously and then canceled the operation after the binaries were installed.

3. The Active Directory Domain Services Installation Wizard will start. Either select the Use advanced mode installation checkbox and click Next, or leave it unselected and click Next.

The following table lists the additional wizard pages that appear for each deployment configuration when you select the Use advanced mode installation check box.

| Deployment configuration | Advanced mode installation wizard pages |
| --- | --- |
| New forest | Domain NetBIOS name |
| New domain in an existing forest | On the Choose a Deployment Configuration page, the option to create a new domain tree appears only in advanced mode installation; Domain NetBIOS name; Source Domain Controller |
| Additional domain controller in an existing domain | Install from Media; Source Domain Controller; Specify Password Replication Policy (for RODC installation only) |
| Create an account for a read-only domain controller (RODC) installation | Specify Password Replication Policy |
| Attach a server to an account for an RODC installation | Install from Media; Source Domain Controller |

4. The Operating System Compatibility page will be displayed. Take a moment to read it and click Next.

5. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.

6. On the Network Credentials page, type your domain name. My domain name is elmajdal.net (set in the previous article), so I will type elmajdal.net.

7. To set up an additional domain controller, you need an account that is a member of either the Enterprise Admins group or the Domain Admins group. We have two options:

My current logged on credentials (DomainName\Username or MachineName\Username)

Alternate credentials

If you have previously joined this server to the domain and you are currently logged in to it as an Enterprise Admin or Domain Admin user, you can use the first option (My current logged on credentials). As you can see, this option is grayed out here, and the reason is shown below it: I'm currently logged in with a local user, and the machine is not a domain member. I'm left with the second option: Alternate credentials.

8. To enter the alternate credentials, click Set. In the Windows Security dialog box, enter the user name and password for an account that is a member of either the Enterprise Admins group or the Domain Admins group, and then click Next.

If you have entered a wrong username or password, you will receive the following error message:

9. On the Select a Domain page, select the domain of the additional domain controller, and then click Next. As I have only one domain, it is selected by default.

10. On the Select a Site page, either select the Use the site that corresponds to the IP address of this computer checkbox, which installs the domain controller in the site that corresponds to its IP address, or select a site from the list, and then click Next. If you only have one domain controller and one site, the first option will be grayed out and the site will be selected by default, as shown in the following image.

11. On the Additional Domain Controller Options page, the DNS Server and Global Catalog checkboxes are selected by default. You can also make your additional domain controller a Read-only Domain Controller (RODC) by selecting the checkbox beside it.

My primary domain controller is a DNS server as well, which can be verified by reading the additional information in the image below: there is currently 1 DNS server that is registered as an authoritative name server for this domain. I do want my additional DC to be a DNS server and a Global Catalog, so I will keep the checkboxes selected. Click Next.

12. If you select the option to install DNS server in the previous step, then you will receive a message that indicates a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain (or a tree root domain) , you do not need to create the DNS delegation. In this case, you can safely ignore the message and click Yes.

13. On the Install from Media page (displayed only if you selected Use advanced mode installation on the Welcome page; if you didn't select it, skip to step 15), you can choose either to replicate data over the network from an existing domain controller, or to specify the location of installation media to be used to create the domain controller and configure AD DS. I want to replicate data over the network, so I will choose the first option and click Next.

14. On the Source Domain Controller page of the Active Directory Domain Services Installation Wizard, you can select which domain controller will be used as a source for data that must be replicated during installation, or you can have the wizard select which domain controller will be used as the source for this data. You have two options:

Let the wizard choose an appropriate domain controller

Use this specific domain controller

If you want to choose from the list, any domain controller can be the installation partner. However, the following restrictions apply to the domain controllers that can be used as an installation partner in other situations:

o A read-only domain controller (RODC) can never be an installation partner.

o If you are installing an RODC, only a writable domain controller that runs Windows Server 2008 can be an installation partner.

o If you are installing an additional domain controller for an existing domain, only a domain controller for that domain can be an installation partner.

15. Now you will have to specify the location where the domain controller database, log files and SYSVOL are stored on the server. The database stores information about the users, computers and other objects on the network. The log files record activities that are related to AD DS, such as information about an object being updated. SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system files in the Windows directory.

Either type or browse to the volume and folder where you want to store each, or accept the defaults and click Next.

Note : Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files.

16. On the Directory Services Restore Mode Administrator Password (DSRM) page, type a password and confirm it. This password is used when the domain controller is started in Directory Services Restore Mode, which might be because Active Directory Domain Services is not running, or for tasks that must be performed offline.

Make sure the password meets the password complexity requirements of the password policy, that is, a password that contains a combination of uppercase and lowercase letters, numbers, and symbols. Otherwise you will receive the following message:

17. The Summary page will be displayed, showing all the settings that you have chosen. It gives you the option to export these settings to an answer file that you can use to automate subsequent AD DS operations. If you wish to have such a file, click the Export settings button and save the file. Then click Next to begin the AD DS installation.

18. Active Directory Domain Services installation will be completed, click Finish, then click on Restart Now to restart your server for the changes to take effect.


Open Active Directory Users & Computers, and then click on the Domain Controllers Organizational Unit, and you will see your Additional Domain Controller along with your Primary Domain Controller.


Summary

Additional domain controllers improve the performance of authentication requests and global catalog server lookups. They also help Active Directory Domain Services (AD DS) overcome hardware, software, or administrator errors. When you add a domain controller, information is replicated over the network.

Unattended Installation of Active Directory Domain Services

Unattended installation means no user interaction, and this is exactly what we are going to do in this article: we are going to set up our first domain controller without going through Server Manager or through the Active Directory Domain Services Installation Wizard that follows executing the dcpromo command.

Note: This article was written when Windows Server 2008 was still RC1. Changes might occur later once the product is RTM'd

In a previous article, Setting Up Your First Domain Controller With Windows Server 2008, we set up a domain controller by executing the dcpromo command and then going through the Active Directory Domain Services Installation Wizard. At the end of the wizard, on the Summary page, you can click Export settings to save the settings that you specified in the wizard to an answer file. You can then use the answer file to automate subsequent installations of Active Directory Domain Services (AD DS).

The answer file is a plain text file with a [DCInstall] header. The answer file provides answers to the questions that are asked by the Active Directory Domain Services Installation Wizard. Using the answer file eliminates the need for an administrator to interact with the wizard. The Active Directory Domain Services Installation Wizard adds text to the answer file that explains how to use it, such as how to invoke it with the dcpromo command and which settings must be updated to use it.

To use an answer file to install AD DS, type the following command at a command prompt, and then press ENTER:

dcpromo /answer[:filename]

or

dcpromo /unattend[:filename]

Where filename is the name of your answer file.

The answer file to set up a new forest would look like this :

; DCPROMO unattended file
; Usage:
; dcpromo.exe /unattend:C:\answer_file.txt
; or dcpromo.exe /answer:\answer_file.txt
;
[DCInstall]
; New forest promotion
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=elmajdal.net
ForestLevel=3
DomainNetbiosName=ELMAJDAL
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=MyPassword23$
; Run-time flags (optional)
; RebootOnCompletion=Yes

Download it from here, and make sure that you adjust it to the configuration that you need. For example:

NewDomainDNSName=elmajdal.net, make sure that you replace elmajdal.net with the domain name you want.

ForestLevel=3, this means the Forest Functional Level will be set to Windows Server 2008. If you want to set it to Windows Server 2003, set it to 2, whereas the Windows 2000 Server level is 1.

DomainNetbiosName=ELMAJDAL, this is the NetBIOS name of my domain elmajdal.net; replace it with your domain's NetBIOS name.

DomainLevel=3, this means the Domain Functional Level will be set to Windows Server 2008. If you want to set it to Windows Server 2003, set it to 2, whereas the Windows 2000 Server level is 1.

InstallDNS=Yes, the DNS service will be installed on your DC. If you do not wish to set up your DC as a DNS server as well, set it to No.

DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"

Either change the path where each of the above will be stored or keep them as they are by default.

SafeModeAdminPassword=MyPassword23$, the password must meet the password complexity requirements of the password policy, that is, a password that contains a combination of uppercase and lowercase letters, numbers, and symbols.
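A pre-flight check for the answer file described above, as an added example (it is not part of the original article or of dcpromo): it parses the [DCInstall] section, flags a SafeModeAdminPassword stored in clear text, applies the complexity rule as this page words it, and notes paths left under the default Windows directory. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the new-forest answer file from this page, comments trimmed.
SAMPLE_ANSWER_FILE = r"""
; DCPROMO unattended file
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=elmajdal.net
ForestLevel=3
DomainNetbiosName=ELMAJDAL
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=MyPassword23$
; RebootOnCompletion=Yes
"""

PATH_KEYS = ("databasepath", "logpath", "sysvolpath")


def parse_dcinstall(text):
    """Return the [DCInstall] settings as a dict with lower-cased keys."""
    settings, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):
            in_section = line.lower() == "[dcinstall]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def meets_complexity(password):
    """Complexity as this page words it: upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return all(re.search(c, password) for c in classes)


def audit_answer_file(text):
    """Return a list of human-readable findings for one answer file."""
    s = parse_dcinstall(text)
    if not s:
        return ["no [DCInstall] section found"]
    findings = []
    password = s.get("safemodeadminpassword", "")
    if password:
        findings.append("SafeModeAdminPassword is stored in clear text: "
                        "restrict access to the file and delete it after use")
        if not meets_complexity(password):
            findings.append("SafeModeAdminPassword does not meet the complexity rule")
    forest, domain = s.get("forestlevel", ""), s.get("domainlevel", "")
    if forest.isdigit() and domain.isdigit() and int(domain) < int(forest):
        findings.append("DomainLevel is lower than ForestLevel")
    # The page's note on Windows Server Backup recommends separate volumes.
    default = [k for k in PATH_KEYS if s.get(k, "").lower().startswith("c:\\windows")]
    if default:
        findings.append("still under C:\\Windows (the page's note recommends "
                        "separate volumes): " + ", ".join(default))
    return findings


if __name__ == "__main__":
    for finding in audit_answer_file(SAMPLE_ANSWER_FILE):
        print("-", finding)
```
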

Now that you have customized the answer file, let's run it and enjoy a cup of coffee while the server is being set up as our first domain controller.

1. Run the answer file. I have saved the answer file on the C: drive, so I will run it using: dcpromo.exe /unattend:C:\answer_file.txt

2. The installation of AD DS will start by first checking whether the Active Directory Domain Services binaries are installed.

3. The system will check whether the Active Directory Domain Services (AD DS) binaries are installed, and then start installing them. The binaries may already be installed if you ran the dcpromo command previously and then canceled the operation after the binaries were installed.

4. Validating environment and parameters.

5. DNS installation will start, as we have InstallDNS=Yes in the answer file.

6. When the DNS Server service installation is completed, the system will check whether the Group Policy Management Console (GPMC) is installed, and will start installing it if it is not.

7. Creating the SYSVOL folder and configuring the local computer to host Active Directory Domain Services by creating the directory partition.

8. The system will then start creating AD objects and completing the AD installation.

9. A few services will be configured, along with security configurations.

10. Once the setup is completed, the server will automatically reboot (RebootOnCompletion=Yes).

Summary

Performing an unattended installation using an answer file is easy and requires no user interaction. Using the answer file eliminates the need for an administrator to interact with the wizard, and it can be used to automate subsequent installations of Active Directory Domain Services.

How to migrate DNS information to Windows Server 2008

Takeaway: If you’re running an older version of Windows DNS services or some other DNS service on your network and you want to deploy Active Directory, Scott Lowe says migrating to Windows Server 2008’s DNS services should be the first step in your plans.

Until Windows 2000 Server and Active Directory entered the scene, DNS was an optional Windows component. Although DNS has always been necessary at some level in the IP world, Windows-only environments running Active Directory require this service in order to function. Technically, even though Active Directory used to be able to use other DNS services to operate, using Windows Server’s built-in DNS services provides the best overall integration capabilities and results in fewer issues.

If you’re running an older version of Windows DNS services or some other DNS service on your network and you want to deploy Active Directory, migrating to Windows Server 2008’s DNS services should be the first step in your plans. In this article, I will discuss ways in which you can achieve this goal.

DNS migration options

There are two ways you can migrate your DNS services to Windows Server 2008 — although one is definitely better than the other. Your available options are:

Manually copying the zone data files.

Manually performing a zone transfer.

It is recommended that you manually initiate a zone transfer to transfer the zone data from the old server to the new Windows Server 2008 DNS server, as it usually results in fewer errors and is more complete. If you decide to go ahead and manually copy the zone data files, you need to manually verify the integrity of the zones. Also, you cannot directly migrate to an Active Directory-integrated zone when you manually copy the zone data files; Active Directory-integrated zones do not use the standard zone data files that you can copy from one location to another. If you are currently using standard zones and your long-range goal is to move to Active Directory-integrated zones, you will be able to do so after migrating the zone data using either available method.

Zone transfers

The easiest, and preferred, method to migrate your DNS zone data is to manually initiate a zone transfer from the DNS server you are replacing to your new Windows Server 2008 DNS server. But what does this really entail? What must you do ahead of time?

You first should determine what type of DNS system you are migrating from. Is it a Windows-based DNS or a UNIX BIND system that uses only standard DNS zone servers? Or is it a Windows 2000/2003 Server-based system that is currently operating with an Active Directory-integrated zone? Migrating Active Directory-integrated zones is a simple task — just add the new server to the Name Servers tab of the zone properties and ensure that the new server is authorized to perform zone replication with the zone. Once DNS is operating properly on the new Windows Server 2008, you can remove it from the older Windows server, if desired. Figure A gives you a look at the Name Servers tab on an Active Directory-integrated zone on a server running Windows Server 2008.


Figure A

Windows Server 2008 Name Servers tab

If you are migrating from a system that uses standard DNS zones, things get a little more complicated — but not horribly difficult. The first thing to remember about zone transfers is how the standard DNS zone servers are arranged. Standard DNS zones operate in a single master arrangement where only one DNS server has the master writable copy of the DNS zone data; all other servers have read-only copies. The two types of standard zone servers you may encounter are:

Standard primary server: This server is the one that holds the one and only master writable copy of the zone data file. The zone data file is then replicated (via zone transfer) to all configured secondary zone servers using the standard zone data file text format. This server must make all the changes that must be made to the zone data file.

Standard secondary server: This server holds a read-only copy of the zone data file in standard zone data file text format. Secondary zones can be created and used for many reasons, but the most common reason is to provide increased performance and redundancy for the DNS zone. Secondary zones are commonly seen in locations such as screen subnets (the DMZ) or in remote offices connected to the central office over a low-speed WAN link.


In order to migrate your DNS zone data to a Windows Server 2008 computer, you will need to have a functioning standard primary server; you will also need to make the new Windows Server 2008 DNS server a standard secondary server in that zone by creating a new standard secondary zone on that server. Once this is done, you will need to configure the standard primary server to allow zone transfers with the new Windows Server 2008 computer.

To create a new standard secondary zone, follow these steps:

1. Right-click the Forward Lookup Zones node in your DNS console.

2. From the shortcut menu, choose New Zone.

3. On the Zone Type page of the New Zone Wizard, select Secondary Zone (Figure B).

Figure B

The Zone Type page

On the Zone Name page (Figure C), specify the Zone Name, exactly as it exists on the other DNS server.


Figure C

Provide the zone name that should be added to your DNS server.

In order to transfer the zone file, you need to specify the name or IP address of the server that holds the master zone file. Specify the name or IP address in the Master DNS Servers page of the New Zone Wizard (Figure D).


Figure D

The IP address of the master DNS server for this domain.

If you get an error indicating that the transfer could not take place and your master server is running Windows, make sure that the server to which you’re attempting to transfer the zone is allowed to initiate the transfer. On the server with the master records, right-click the zone and choose Properties. On the Zone Transfers tab, provide the IP address of the server on which you just created a secondary zone and click OK.  Afterwards, on the target server, right-click the new secondary zone and select Transfer From Master (Figure E).


Figure E

Manually initiate the zone transfer if it fails the first time.

Once the transfer completes, check the zone on the new server and see if your DNS records made their way to the new server. Once you verify that the new standard secondary zone is functioning properly, you can decommission the existing primary zone server if you like. You will now need to quickly change the secondary zone into a primary zone. For even better performance and security, you should consider making it Active Directory-integrated. Either way, you will need to right-click the zone node and open the Properties dialog box. On the General tab, click the Change button in the Type area. This will open the dialog box seen in Figure F, allowing you to change the zone into a standard primary zone or an Active Directory-integrated zone, as desired. You will be prompted to confirm your decision. (In Figure F, the option to integrate the new zone into Active Directory is not enabled because my test server is not joined to a domain.)


Figure F

Change the new zone to a primary zone.

If you change the zone into an Active Directory-integrated zone, it will, by default, be configured to not use dynamic updates. From the General tab of the Zone Properties dialog box, you should change this setting as soon as you can to Secure Only to allow the greatest flexibility and security of your zone data.

Manual zone transfer steps

Alternatively, you can perform the zone transfer method from the command line using the following command:

dnscmd ServerName /ZoneRefresh ZoneName

Again, you will need to have the standard primary zone server available and the secondary zone already created on the new Windows Server 2008 server before performing the zone transfer. You can create the standard secondary zone on your Windows Server 2008 DNS server from the command line as well by issuing this command:

dnscmd ServerName /ZoneAdd ZoneName /Secondary MasterIPaddress

You can specify multiple IP addresses by separating them with a comma. The FileName value must be the exact file name of the standard primary zone, just the same as when you are creating the zone via the DNS console.

Manually copying zone data


For all versions of Windows since Windows NT 4.0, if you still want to manually copy your zone data, you can locate the raw files at %systemroot%\system32\dns.

If you are copying a BIND DNS zone file, Table A provides you with the naming conventions used by BIND DNS and Windows Server 2008 DNS.

Table A

| Description | UNIX file name | Windows Server 2008 file name |
| --- | --- | --- |
| Boot file | named.boot | Boot |
| Forward lookup zone file | db.domain_name | domain_name.dns |
| Reverse lookup zone file | db.IP_network_forward_notation | IP_network |

Thus, the forward lookup zone data file for the example.com zone would be named db.example.com on the BIND server and would need to be renamed to example.com.dns on the Windows Server 2008 computer. If the zone data was for the IP address range of 192.168.100.x, then the BIND server reverse lookup file would be db.192.168.100 and would need to be renamed to 100.168.192.in-addr.arpa.dns on the Windows Server 2008 computer.
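One way to carry out the manual integrity check after copying zone data files, as an added example that is not from the original article: it applies the renaming rule described above and compares the record sets of the old and new zone files. The zone contents and function names are constructed, and the parser assumes the standard zone data file text format with numeric TTLs and no ';' inside quoted strings.

```python
import re

# Constructed sample data (not from the page): old BIND zone and its new copy.
OLD_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1 hostmaster (
            2008021701 ; serial
            3600 600 86400 3600 )
        IN NS  ns1
ns1     IN A   192.168.100.10
www 300 IN A   192.168.100.20
mail    IN A   192.168.100.30
@       IN MX  10 mail
"""
NEW_ZONE = """\
@ IN SOA ns1.example.com. hostmaster.example.com. ( 2008021701 3600 600 86400 3600 )
@ IN NS ns1.example.com.
ns1 IN A 192.168.100.10
www IN A 192.168.100.20
@ IN MX 10 mail.example.com.
"""

# Positions of domain names inside the record data, per record type.
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}


def windows_zone_filename(bind_name):
    """Rename a BIND zone file the way the page's example describes."""
    zone = bind_name[3:] if bind_name.lower().startswith("db.") else bind_name
    if re.fullmatch(r"\d+(\.\d+){0,3}", zone):      # reverse zone, e.g. 192.168.100
        zone = ".".join(reversed(zone.split("."))) + ".in-addr.arpa"
    return zone + ".dns"


def qualify(name, origin):
    """Expand '@' and relative names to lower-case fully qualified names."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else name + "." + origin).lower()


def logical_lines(text):
    """Drop ';' comments and join records that span lines inside parentheses."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ") + " "
        if depth == 0:
            if buf.strip():
                yield buf.rstrip()
            buf = ""


def parse_zone(text, origin):
    """Return the zone as a set of (owner, type, data) tuples; TTLs are ignored."""
    origin = origin.lower()
    records, owner = set(), origin
    for line in logical_lines(text):
        fields = line.split()
        if fields[0].startswith("$"):       # $ORIGIN resets the origin; $TTL is skipped
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            continue
        if not line[0].isspace():           # a blank owner repeats the previous one
            owner = qualify(fields.pop(0), origin)
        while fields and re.fullmatch(r"\d+|IN", fields[0], re.I):
            fields.pop(0)                   # skip TTL and class
        if not fields:
            continue
        rtype, data = fields[0].upper(), fields[1:]
        for i in NAME_FIELDS.get(rtype, []):
            if i < len(data):
                data[i] = qualify(data[i], origin)
        records.add((owner, rtype, " ".join(data)))
    return records


def compare_zones(old_text, new_text, origin):
    """Report records lost or added between the old and the new copy."""
    old, new = parse_zone(old_text, origin), parse_zone(new_text, origin)
    return {"missing": sorted(old - new), "extra": sorted(new - old)}
```

Calling compare_zones(OLD_ZONE, NEW_ZONE, "example.com.") on the constructed samples reports the mail host's A record as missing from the new copy.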

Wrap up

This is about all there is to migrating your older Windows Server-based DNS zones to a new Windows Server 2008 computer. As long as you execute the process in the steps outlined here, you should have no problems.
