Purpose & Objective

This guide explains the process for upgrading Active Directory domains to Windows
Server 2008 and Windows Server 2008 R2, how to upgrade the operating system of domain
controllers, and how to add domain controllers that run Windows Server 2008 or Windows
Server 2008 R2 to an existing domain.
1 Introduction
Upgrading your network operating system requires minimal network configuration and typically
has a low impact on user operations. The upgrade process is straightforward, efficient, and
allows organizations to take advantage of the improved security that is offered by the
Windows Server 2008 and Windows Server 2008 R2 operating systems.
This guide is intended for use by system administrators and system engineers. It provides
detailed guidance for upgrading Windows Server 2003 Active Directory domains
to Active Directory Domain Services (AD DS) domains that have domain controllers running
Windows Server 2008 or Windows Server 2008 R2. For a seamless deployment experience, use
the checklists that are provided in this guide and complete the tasks in the order in which they
are presented.
2 Overview of Upgrading Active Directory Domains
When the domain upgrade process is complete, all domain controllers will be running Windows
Server 2008 or Windows Server 2008 R2, and the Active Directory Domain Services (AD DS)
domains and forest will be operating at the Windows Server 2008 or Windows Server 2008 R2
functional level. At the Windows Server 2008 R2 forest functional level, you can take advantage
of all the advanced AD DS features. For more information about advanced AD DS features for
AD DS functional levels, see Enabling Advanced Features for AD DS.
3 Reinstallation information
3.1 System requirements
The following are estimated system requirements for Windows Server 2008. If your computer
has less than the minimum requirements, you will not be able to install this product correctly.
Actual requirements will vary based on your system configuration and the applications and
features you install.
3.1.1 Processor
Processor performance depends not only on the clock frequency of the processor, but also on the
number of processor cores and the size of the processor cache. The following are the processor
requirements for this product:
Minimum: 1 GHz (for x86 processors) or 1.4 GHz (for x64 processors)
Recommended: 2 GHz or faster

3.1.2 RAM
The following are the RAM requirements for this product:
Minimum: 512 MB
Recommended: 2 GB or more
Maximum (32-bit systems): 4 GB (for Windows Server 2008 Standard) or 64 GB (for
Windows Server 2008 Enterprise or Windows Server 2008 Datacenter)
Maximum (64-bit systems): 32 GB (for Windows Server 2008 Standard) or 2 TB (for
Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, or Windows
Server 2008 for Itanium-Based Systems)
3.1.3 Disk space requirements
The following are the approximate disk space requirements for the system partition. Itanium-
based and x64-based operating systems will vary from these estimates. Additional disk space
may be required if you install the system over a network. For more information, see
Minimum: 10 GB
Recommended: 40 GB or more
DVD-ROM drive
Super VGA (800 x 600) or higher-resolution monitor
Keyboard and Microsoft mouse (or other compatible pointing device)
4 Planning to Upgrade Active Directory Domains
To plan the upgrade of your Active Directory domains, complete
the tasks in Checklist: Preupgrade Tasks.
5 Checklist: Preupgrade Tasks
Complete the tasks in this checklist in the order in which they
are presented. If a reference link takes you to a conceptual
topic, return to this checklist after you review the conceptual
topic so that you can proceed with the remaining tasks.
Checklist: Preupgrade Tasks

Task: Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade.
Reference: Assign Appropriate Credentials

Task: Introduce a newly installed member server into the forest.
Reference: Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2

Task: Review and document the existing hardware configuration of each domain controller that you plan to upgrade.
Reference: Assess Hardware Requirements

Task: Determine the order in which you will upgrade your domain controllers before you begin the domain upgrade process.
Reference: Determine Domain Controller Upgrade Order

Task: Develop a test plan for your domain upgrade process.
Reference: Develop a Test Plan for Your Domain Upgrade Process

Task: Back up your Windows Server 2003 domain data before you begin the upgrade.
Reference: Back Up Domain Data

6 Assign Appropriate Credentials
Assign appropriate credentials to the users who are responsible for preparing the forest and
domain for an Active Directory upgrade. The adprep /forestprep command requires a user
account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins
groups. The adprep /domainprep command requires a user account that is a member of the
Domain Admins group in the targeted domain. The adprep /rodcprep command requires a
user account that is a member of the Enterprise Admins group.
In addition, the security context can affect the ability of an administrator to complete the
upgrade of domain controllers. Members of the Builtin\Administrators group can upgrade the
operating system and install software on a computer. The following groups are members of the
Builtin\Administrators group by default:
The Enterprise Admins group is a member of Builtin\Administrators in the forest root domain and
in each regional domain in the forest.
The Domain Admins group is a member of Builtin\Administrators in their domain.
The Domain Admins group is a member of Builtin\Administrators on member servers in their
domain.
The following table shows the credentials that are required to upgrade servers, depending on the
domain membership of the servers.

Columns (server type): Domain controller in forest root domain | Member server in forest root domain | Domain controller in regional domain | Member server in regional domain
Rows (credential):
Enterprise Admins in forest root domain
Domain Admins in forest root domain
Builtin\Administrators in forest root domain
Domain Admins in regional domain
Builtin\Administrators in regional domain
(The check marks that filled the cells of the original table did not survive extraction; the group memberships listed above determine which credential applies to which server type.)
7 To install Windows Server 2008 or Windows Server 2008 R2
1. Insert the operating system DVD into the DVD drive, and then select the option to install the operating system. As an alternative, you can use an unattended installation method.
2. Use the NTFS file system to format the partitions. Enter the computer name, static IP address, and subnet mask that are specified by your design. Enter a strong administrator password.
3. Enable Remote Desktop to enable administrators to log on remotely, if necessary. To enable Remote Desktop, in Server Manager, click Configure Remote Desktop, and then click Allow connections from computers running any version of Remote Desktop (less secure) or Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).
8 Develop a Test Plan for Your Domain Upgrade Process
It is important to develop a plan for testing your domain upgrade procedures throughout the
upgrade process. Before you begin, test your existing domain controllers to ensure that they are
functioning properly. Continue to test your domain controllers throughout the process to verify
that Active Directory Domain Services (AD DS) replication is consistent and successful. The
following table lists the tools and log files to use in your test plan.
Tool/log file: Repadmin.exe
Description: Checks replication consistency and monitors both inbound and outbound replication partners. Displays replication status of inbound replication partners and directory partitions.
Location: %systemroot%\Windows\System32. Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Dcdiag.exe
Description: Diagnoses the state of domain controllers in a forest or enterprise, tests for successful Active Directory connectivity and functionality, and returns the results as passed or failed.
Location: %systemroot%\Windows\System32. Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Nltest.exe
Description: Queries and checks the status of trusts and can forcibly shut down domain controllers. Provides domain controller location capabilities.
Location: %systemroot%\Windows\System32. Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Dnscmd.exe
Description: Provides the properties of Domain Name System (DNS) servers, zones, and resource records.
Location: %systemroot%\Windows\System32. Note: This tool is added to the server as part of the AD DS installation.

Tool/log file: Adprep.log
Description: Provides a detailed progress report of the forest and domain preparation process.
Location: %SystemRoot%\Windows\Debug\ADPrep\Logs

Tool/log file: Dcpromoui.log and Dcpromo.log
Description: Provides a detailed progress report of the Active Directory installation. Includes information regarding replication and services in addition to applicable error messages.
Location: %systemroot%\Windows\debug. Note: These logs are added to the server as part of the AD DS installation.

Tool/log file: Adsiedit.exe
Description: A Microsoft Management Console (MMC) snap-in that acts as a low-level editor for AD DS and allows you to view, add, delete, and move objects and attributes within the directory.
Location: %systemroot%\Windows\System32. Note: This tool is added to the server as part of the AD DS installation.
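The test plan above names Repadmin.exe and Dcdiag.exe but leaves it to the administrator to interpret their output by eye. The following Windows PowerShell script is an added example (not part of the original guide) that wraps both tools into a repeatable replication check you can run before, between and after each domain controller upgrade. It assumes the tools are on the path (they are installed with AD DS), that the caller can query every domain controller, and Windows PowerShell 2.0 or later for ConvertFrom-Csv; the function names are this example's own.

```powershell
# Added example: repeatable replication health check built on repadmin.exe and dcdiag.exe.
# Assumes repadmin.exe and dcdiag.exe are available (installed with AD DS) and the caller
# has rights to query every domain controller in the forest.

function Get-ReplicationFailures {
    # "repadmin /showrepl * /csv" lists every inbound replication link of every DC as CSV.
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv
    # "Number of Failures" is 0 on a healthy link; anything else must be investigated
    # before the next domain controller is upgraded.
    $links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

function Test-DomainControllerHealth {
    param([string]$DomainController = $env:COMPUTERNAME)
    # "/q" makes dcdiag print only failures, so no non-blank output means every test passed.
    $output   = dcdiag /s:$DomainController /test:Replications /test:Services /test:Advertising /q
    $failures = @($output | Where-Object { $_ -match '\S' })
    New-Object PSObject -Property @{
        DomainController = $DomainController
        Passed           = ($failures.Count -eq 0)
        Details          = $failures
    }
}

# Usage: run from an elevated prompt on a domain controller or on a member server
# with the AD DS tools installed.
$failedLinks = Get-ReplicationFailures
if ($failedLinks) {
    $failedLinks | Format-Table -AutoSize
} else {
    'No replication failures reported by repadmin.'
}
Test-DomainControllerHealth | Format-List
```

Record the output of both functions as the baseline before you run adprep; the same two calls after each upgrade step show whether replication of the schema and domain changes has completed everywhere, which the procedure in section 11.2 requires before /domainprep is run.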
9 Performing the Upgrade of Active Directory Domains
To upgrade your Active Directory domains, complete the tasks
in Checklist: Upgrade Tasks.
10 Checklist: Upgrade Tasks
Complete the tasks in this checklist in the order in which they are presented. If a reference link
takes you to a conceptual topic, return to this checklist after you review the conceptual topic so
that you can proceed with the remaining tasks.
Checklist: Upgrade Tasks

Task: Prepare your Active Directory infrastructure for upgrade.
Reference: Prepare Your Infrastructure for Upgrade

Task: Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 in the forest root domain.
Reference: Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2

Task: Upgrade existing domain controllers.
Reference: Upgrade Existing Domain Controllers

Task: Modify default security policies as needed.
Reference: Modify Default Security Policies
11 Prepare Your Infrastructure for Upgrade
Preparing your Active Directory infrastructure for upgrade includes the following tasks:
Prepare the forest schema by running adprep /forestprep.
Prepare each domain where you want to install a domain controller that runs Windows
Server 2008 or Windows Server 2008 R2 by running adprep /domainprep /gpprep.
Prepare the forest for read-only domain controllers (RODCs), if you plan to install them, by
running adprep /rodcprep.
11.1 32-bit Windows Server 2003 preparation
11.1.1 Preparation
Operations master role holders and the adprep32 command to run on each:
Schema owner: olddc.Domain .com (run adprep32 /forestprep)
Domain role owner: olddc.Domain .com
PDC role: olddc.Domain .com
RID pool manager: olddc.Domain .com (run adprep32 /domainprep /gpprep)
You need to run the following commands on the following servers in your Active Directory
environment:
Command: adprep.exe /forestprep            Domain Controller: Schema Master
Command: adprep.exe /domainprep            Domain Controller: Infrastructure Master
Command: adprep.exe /domainprep /gpprep    Domain Controller: Infrastructure Master
Command: adprep.exe /rodcprep *            Domain Controller: Domain Naming Master

The first Windows Server 2008 Domain Controller in the forest must be a Global
catalog server, and it cannot be a Read Only Domain Controller, RODC.
11.2 To prepare the infrastructure
In order to run ADPREP:
1. Insert the DVD media of Windows Server 2008 into the DVD drive of the appropriate Windows 2000/2003 DC, which, as noted above, should be the Schema Master of the forest.
2. Check the FSMO role assignments. When you prepare the existing AD, you should run adprep /forestprep on the Schema operations master and adprep /domainprep on the infrastructure master.
Run adprep32:
First run adprep32 /forestprep.
Next, go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the Command Prompt window, and type:
Before you can run ADPREP /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest.
You can view detailed output of the ADPREP command by looking at the log files in the %Systemroot%\system32\debug\adprep\logs directory. Each time ADPREP is executed, a new log file is generated that contains the actions taken during that particular invocation. The log files are named based on the time and date ADPREP was run.
Then run adprep32 /domainprep /gpprep.
NOTE:
Once you've run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2008 or installing new Windows Server 2008 domain controllers. To install RODCs in the future, also run adprep /rodcprep.
Note: before running this command you must be a member of the Enterprise Admins group, the Schema Admins group and the Domain Admins group.
Open the local path which contains the Adprep folder.
Open your C:\Windows\Debug\Adprep\Logs folder.
There will be a separate file each time that you run ADPREP.
12 Check whether adprep succeeded
Run adsiedit.msc.
12.1 Forest Upgrade
adprep /forestprep
A new container CN=ForestUpdates,CN=Configuration,DC=forest root domain is created on the schema master.
A new container CN=Operations,CN=ForestUpdates,CN=Configuration,DC=forest root domain is created on the schema master.
For each operation that is performed by the adprep /forestprep command, a unique alphanumeric string (or GUID) is written under the CN=Operations,CN=ForestUpdates,CN=Configuration,DC=forest root domain container. Each operational GUID identifies the operation.
If all 36 operations are successfully added, the CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=forest root domain object will be created and its revision attribute (CN=Revision in the schema, syntax Integer) set to 9.
12.2 Domain Upgrade
adprep /domainprep
A new container CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=DomainName is created on the infrastructure master.
A new container CN=Operations,CN=DomainUpdates,CN=System,DC=DomainName is created on the infrastructure master.
For each operation that is performed by the adprep /domainprep command, a unique alphanumeric string (or GUID) is written under the CN=Operations,CN=DomainUpdates,CN=System,DC=DomainName container. Each operational GUID identifies the operation.
If all the operations in the following list succeed, the CN=Windows2003Update object overall task will be stamped as completed successfully by setting the revision attribute (CN=Revision in the schema, syntax Integer) to 8.
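The markers described in sections 12.1 and 12.2 can be read programmatically instead of being located by hand in adsiedit.msc. The script below is an added example (not from the original guide) that binds to RootDSE, resolves the Configuration and domain naming contexts, and reports the revision attribute of each Windows2003Update object together with the number of operation GUIDs recorded under CN=Operations. The expected values (revision 9 and 36 operations for the forest, revision 8 for the domain) are taken from the text above and are only compared against, not enforced; the function name Get-AdprepStatus is this example's own. It assumes a domain-joined machine and a caller who can read both naming contexts.

```powershell
# Added example: confirm that adprep /forestprep and /domainprep completed by reading
# the Windows2003Update and Operations containers the text above describes.
# Assumes the script runs on a domain-joined computer as a user who can read the
# Configuration naming context and the domain naming context.

function Get-AdprepStatus {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Get('configurationNamingContext')
    $domainNc = $rootDse.Get('defaultNamingContext')

    # Expected revisions as stated in sections 12.1 and 12.2 of the guide.
    $checks = @(
        @{ Step = 'forestprep'
           Update = "CN=Windows2003Update,CN=ForestUpdates,$configNc"
           Ops    = "CN=Operations,CN=ForestUpdates,$configNc"
           ExpectedRevision = 9 },
        @{ Step = 'domainprep'
           Update = "CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNc"
           Ops    = "CN=Operations,CN=DomainUpdates,CN=System,$domainNc"
           ExpectedRevision = 8 }
    )

    foreach ($c in $checks) {
        $revision = $null
        $opCount  = 0
        # The Windows2003Update object is only created after the last operation succeeded,
        # so its absence means the step has not completed on this replica yet.
        if ([ADSI]::Exists("LDAP://$($c.Update)")) {
            $revision = [int]([ADSI]"LDAP://$($c.Update)").Get('revision')
        }
        # Every completed operation is a child object (named by its GUID) under CN=Operations.
        if ([ADSI]::Exists("LDAP://$($c.Ops)")) {
            $opCount = @(([ADSI]"LDAP://$($c.Ops)").psbase.Children).Count
        }
        New-Object PSObject -Property @{
            Step             = $c.Step
            Revision         = $revision
            ExpectedRevision = $c.ExpectedRevision
            Operations       = $opCount
            Completed        = ($revision -ne $null -and $revision -ge $c.ExpectedRevision)
        }
    }
}

# Usage: run it against more than one domain controller (for example by setting
# LDAP://dcname/... in the binding strings) to confirm the changes have replicated.
Get-AdprepStatus | Format-Table Step, Completed, Revision, ExpectedRevision, Operations -AutoSize
```

Because the script reads whichever domain controller the LDAP binding selects, running it on a replica other than the schema master or infrastructure master doubles as the replication check that section 11.2 requires before you continue with /domainprep or start promoting new domain controllers.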
13 Install Active Directory
Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 by using the Active Directory Domain Services Installation Wizard (Dcpromo.exe). The member server should be located in the forest root domain. After you install AD DS successfully, the member server will become a domain controller. You can install AD DS on any member server that meets the domain controller hardware requirements.
To install AD DS on a member server by using the Windows interface
1. Click Start, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. If necessary, review the information on the Before You Begin page, and then click Next.
4. On the Select Server Roles page, select the Active Directory Domain Services check box, and then click Next.
5. If necessary, review the information on the Active Directory Domain Services page, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
8. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
If you want to install from media, identify the source domain controller for AD DS replication, or specify the Password Replication Policy (PRP) for an RODC as part of the installation of the additional domain controller, click Use advanced mode installation.
9. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.
10. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.
11. On the Network Credentials page, type the name of any existing domain (DOMAIN .COM) in the forest where you plan to install the additional domain controller. Under Specify the account credentials to use to perform the installation, click My current logged on credentials (must be an Enterprise Admin) or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.
12. On the Select a Domain (Domain .com) page, select the domain of the new domain controller, and then click Next.
13. On the Select a Site (Default-First-Site-Name) page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next.
14. On the Additional Domain Controller Options page, make the following selections, and then click Next:
DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this option.
15. Clear the DNS check box.
Because you use Active Directory-integrated zones, the zones will automatically replicate to the new server. Open the DNS management console to check that they appear. Give DNS time for replication, at least 15 minutes.
Important
If you do not have static IPv4 and IPv6 addresses assigned to your network adapters, a warning message might appear advising you to set static addresses for both of these protocols before you can continue. If you have assigned a static IPv4 address to your network adapter and your organization does not use IPv6, you can ignore this message and click Yes, the computer will use a dynamically assigned IP address (not recommended).
After configuring DNS and after making sure it is successfully installed, change the following:
Go to the DNS management console.
Right-click the Domain .com zone.
1. Under Primary, then Name Servers, add servername.
2. Remove servername.
3. Then change the primary server to point to servername.
4. Change the responsible person to admin@Domain .com.

Note
If you select the option to install DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes and disregard the message.
Global Catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality.
Read-only domain controller: This option is not selected by default. It makes the additional domain controller read only.
15. If you selected Use advanced mode installation on the Welcome page, the Install from Media page appears. You can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can have all the replication done over the network. Note that some data will be replicated over the network even if you install from media. For information about using this method to install the domain controller, see Installing AD DS From Media.
16. If you selected Use advanced mode installation on the Welcome page, the Source Domain Controller page appears. Click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify a domain controller that you want to provide as a source for replication to create the new domain controller, and then click Next. If you do not choose to install from media, all data will be replicated from this source domain controller.
17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the system volume (SYSVOL) files, and then click Next.
Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other non-directory files.
18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Services Restore Mode (DSRM) for tasks that must be performed offline.
19. On the Summary page, review your selections. Click Back to change any selections, if necessary.
To save the settings that you have selected to an answer file that you can use to automate subsequent Active Directory operations, click Export settings. Type the name for your answer file, and then click Save.
When you are sure that your selections are accurate, click Next to install AD DS.
20. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
21. You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS installation when you are prompted to do so.
14 Modify Default Security Policies
To increase security, domain controllers that run Windows
Server 2008 and Windows Server 2008 R2 require (by default)
that all client computers attempting to authenticate to them
perform Server Message Block (SMB) packet signing and secure
channel signing. If your production environment includes client
computers that run platforms that do not support SMB packet
signing (for example, Microsoft Windows NT 4.0 with Service
Pack 2 (SP2)) or if it includes client computers that run
platforms that do not support secure channel signing (for
example, Windows NT 4.0 with Service Pack 3 (SP3)), you
might have to modify default security policies to ensure that
client computers running older versions of the Windows
operating system or non-Microsoft operating systems will be
able to access domain resources in the upgraded domain.
Note
By modifying the settings of the default security policies, you are weakening the default security
policies in your environment. Therefore, we recommend that you upgrade your Windows-based
client computers as soon as possible. After all client computers in your environment are running
versions of Windows that support SMB packet signing and secure channel signing, you can
re-enable default security policies to increase security.
To configure a domain controller to not require SMB packet signing or secure channel signing,
disable the following settings in the Default Domain Controllers Policy:
Microsoft network server: Digitally sign communications (always)
Domain member: Digitally encrypt or sign secure channel data (always)
Back up the Default Domain Controllers Policy Group Policy object (GPO) before you modify
it. Use the Group Policy Management Console (GPMC) to back up the GPO so that it can be
restored, if necessary.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required
to complete this procedure.
To disable SMB packet signing enforcement on domain controllers
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains\Current Domain Name\Group Policy objects\Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always).
5. Verify that the Define this policy setting check box is selected, click Disabled to prevent SMB packet signing from being required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force
Note
Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.
To disable secure channel signing enforcement on domain controllers
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
4. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), click Disabled to prevent secure channel signing from being required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force
Note
Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.
Allow cryptography algorithms compatible with Windows NT 4.0
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.
To allow cryptography algorithms that are compatible with Windows NT 4.0
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine/System/Net Logon.
4. In the details pane, double-click Allow cryptography algorithms compatible with Windows NT 4.0, and then click Enabled.
Note: By default, the Not Configured option is selected, but, programmatically, after you upgrade a server to Windows Server 2008 domain controller status, this policy is set to Disabled.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force
Note
Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that are made here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.
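The note at the top of this section asks you to re-enable the defaults once the legacy clients are gone, which is easy to forget on a domain controller that was relaxed months earlier. The script below is an added example (not part of the original guide) that audits the three settings this section covers by reading the registry values the corresponding Group Policy settings write: RequireSecuritySignature under LanmanServer\Parameters, and RequireSignOrSeal and AllowNT4Crypto under Netlogon\Parameters. It assumes it is run locally on each domain controller with rights to read HKLM, and it treats an absent value as the secure operating-system default; the function name is this example's own.

```powershell
# Added example: audit the legacy-compatibility settings described in section 14 so that
# domain controllers still running with weakened values can be found and restored.
# Assumes it runs locally on the domain controller with read access to HKLM.

function Get-LegacyCompatibilitySettings {
    # Policy name as shown in GPMC, the registry value it writes, and the secure state.
    $settings = @(
        @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
           Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name   = 'RequireSecuritySignature'
           SecureValue = 1 },
        @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
           Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name   = 'RequireSignOrSeal'
           SecureValue = 1 },
        @{ Policy = 'Allow cryptography algorithms compatible with Windows NT 4.0'
           Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name   = 'AllowNT4Crypto'
           SecureValue = 0 }
    )

    foreach ($s in $settings) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        # Assumption: when the value is absent the operating-system default applies, which on a
        # Windows Server 2008 domain controller is the secure state for all three settings.
        # Confirm with the Resultant Set of Policy if a value is missing.
        if ($item -ne $null) { $current = [int]$item.($s.Name) } else { $current = $s.SecureValue }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Policy   = $s.Policy
            Value    = $current
            Weakened = ($current -ne $s.SecureValue)
        }
    }
}

# Usage: list only the settings that deviate from the secure default on this DC.
Get-LegacyCompatibilitySettings | Where-Object { $_.Weakened } |
    Format-Table Computer, Policy, Value -AutoSize
```

Because the Default Domain Controllers Policy replicates to every domain controller, a single weakened result on one DC normally means the whole domain is affected; once the last Windows NT 4.0 or other non-signing client is retired, reverse the three procedures above and run this audit again to confirm every DC reports Weakened = False.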
15 Completing the Upgrade of Active Directory Domains
To complete the upgrade of your Active Directory domains,
perform the tasks in Checklist: Post-Upgrade Tasks.
16 Checklist: Post-Upgrade Tasks
Complete the tasks in this checklist in the order in which they are presented.
Checklist: Post-Upgrade Tasks

Task: Raise the functional levels of domains and forests to enable all advanced features of Active Directory Domain Services (AD DS).
Reference: Raise the Functional Levels of Domains and Forests

Task: Complete the upgrade.
Reference: Complete the Upgrade

17 Raise the Functional Levels of Domains and Forests
To enable all Windows Server 2008 advanced features in Active Directory Domain Services
(AD DS), raise the functional level of your forest to Windows Server 2008. This will automatically
raise the functional level of all domains to Windows Server 2008. To enable all Windows
Server 2008 R2 advanced AD DS features, raise the functional level of your forest to Windows
Server 2008 R2. This will automatically raise the functional level of all domains to Windows
Server 2008 R2.
Caution
Do not raise the forest functional level to Windows Server 2008 R2 if you have or will have any
domain controllers running Windows Server 2008 or earlier.
Important
After you set the forest functional level to a certain value, you cannot roll back or lower the
forest functional level, with one exception: when you raise the forest functional level to Windows
Server 2008 R2 and if Active Directory Recycle Bin is not enabled, you have the option of rolling
the forest functional level back to Windows Server 2008. You can lower the forest functional
level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level
is set to Windows Server 2008 R2, it cannot be rolled back, for example, to
Windows Server 2003.
For more information about the Active Directory Recycle Bin, see Active Directory Recycle Bin
Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=133971).
Use the following procedure to raise the forest functional level to Windows Server 2008.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required
to complete this procedure.
To raise the forest functional level
1. Open the Active Directory Domains and Trusts snap-in. Click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
2. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
3. In Select an available forest functional level, do one of the following:
To raise the forest functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.
To raise the forest functional level to Windows Server 2008, click Windows Server 2008, and then click Raise.
To raise the forest functional level to Windows Server 2008 R2, click Windows Server 2008 R2, and then click Raise.
For more information about Windows Server 2008 advanced AD DS features, see Enabling
Advanced Features for AD DS.
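The caution above (no Windows Server 2008 or earlier domain controller may remain when the forest goes to Windows Server 2008 R2) is easy to check before clicking Raise. The following script is an added example, not part of this guide; it assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2 / RSAT) is available and that the caller is an Enterprise Admin.

```powershell
# Added example (not from the original guide): list every DC in the forest with its OS
# before raising the forest functional level, and only then show the raise command.
# Assumes the Active Directory module for Windows PowerShell is installed.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest {0}: current forest functional level is {1}" -f $forest.Name, $forest.ForestMode

# Enumerate DCs in every domain of the forest, not only the domain we are logged on to.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object HostName, Domain, OperatingSystem, OperatingSystemServicePack, IsReadOnly
}
$dcs | Sort-Object Domain, HostName | Format-Table -AutoSize

# Any DC whose OS is not Windows Server 2008 R2 blocks the R2 forest level
# (Windows Server 2003 and plain Windows Server 2008 both fail this test).
$blocking = $dcs | Where-Object { $_.OperatingSystem -notmatch '2008 R2' }
if ($blocking) {
    "Do NOT raise the forest functional level to Windows Server 2008 R2; older DCs remain:"
    $blocking | ForEach-Object { "  {0} ({1})" -f $_.HostName, $_.OperatingSystem }
}
else {
    "All DCs run Windows Server 2008 R2. Raising is one-way (rollback to 2008 only while"
    "the Active Directory Recycle Bin is not enabled). To raise, run:"
    "  Set-ADForestMode -Identity $($forest.Name) -ForestMode Windows2008R2Forest -Confirm"
}
```

The script only prints the Set-ADForestMode command instead of running it, so the irreversible step stays a deliberate, separate action.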
18 Complete the Upgrade
Complete the following tasks to finalize the process:
Review, update, and document the domain architecture to reflect any changes that
you made during the domain upgrade process.
Verify that the NETLOGON and SYSVOL shared folders exist and that the File Replication Service
(FRS) or Distributed File Service (DFS) Replication is functioning without error by checking Event
Viewer.
Verify that Group Policy is being applied successfully by checking the application log in Event
Viewer for Event ID 1704.
Verify that all service (SRV), alias (CNAME), and host (A) resource records have been registered
in Domain Name System (DNS).
Verify Windows Firewall status.
Important
Although the default behavior for Windows Server 2008 and Windows Server 2008 R2 is that
Windows Firewall is turned on, if you upgrade a Windows Server 2003 computer that had
Windows Firewall turned off, the firewall will remain off after the upgrade unless you turn it on
using the Windows Firewall control panel.
Continuously monitor your domain controllers and Active Directory Domain Services (AD DS).
Using a monitoring solution (such as Microsoft Operations Manager (MOM)) to monitor
distributed Active Directory Domain Services (AD DS), and the services that it relies on, helps
maintain consistent directory data and a consistent level of service throughout the forest.
After these tasks have been completed successfully, you will have completed the in-place
upgrade process.
18.1 Known Issues for Upgrading
Extension mechanisms for DNS (EDNS) are enabled by default on Windows Server 2008 R2. If you
notice that queries that used to work on DNS servers that run Windows 2000, Windows Server 2003,
or Windows Server 2008 fail after those DNS servers are upgraded or replaced with DNS servers
that run Windows Server 2008 R2, or that queries the old DNS servers could resolve cannot be
resolved by Windows Server 2008 R2 DNS servers, disable EDNS probes with the command:
dnscmd /Config /EnableEDnsProbes 0
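The "Complete the Upgrade" checks above (shares, Event ID 1704, SRV registration, replication errors, firewall state) can be run as one script on each upgraded domain controller. This is an added example, not part of the original guide; it assumes it runs locally on the DC with administrative rights and takes the domain FQDN from the environment.

```powershell
# Added example (not from the original guide): run the post-upgrade checks on a DC and
# print PASS/FAIL per check. Run locally on the DC with administrative rights.
$domainFqdn = $env:USERDNSDOMAIN       # e.g. corp.example.com; adjust if needed

function Check([string]$name, [bool]$ok, [string]$detail) {
    $state = if ($ok) { 'PASS' } else { 'FAIL' }
    "{0,-4} {1,-42} {2}" -f $state, $name, $detail
}

# 1. NETLOGON and SYSVOL shares must exist after the upgrade.
$shares = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
foreach ($s in 'NETLOGON', 'SYSVOL') { Check "Share $s exists" ($shares -contains $s) '' }

# 2. Group Policy applied: SceCli Event ID 1704 in the Application log within the last day.
$gp = Get-EventLog -LogName Application -Source SceCli -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
      Where-Object { $_.EventID -eq 1704 } | Select-Object -First 1
$gpDetail = if ($gp) { "last at $($gp.TimeGenerated)" } else { 'no Event 1704 in last 24h' }
Check 'Security policy applied (Event 1704)' ($gp -ne $null) $gpDetail

# 3. DNS: the DC locator SRV record for the domain must resolve.
$srvName = "_ldap._tcp.dc._msdcs.$domainFqdn"
$srvText = (nslookup -type=SRV $srvName 2>&1) -join "`n"
Check 'DC locator SRV record registered' ($srvText -match 'svr hostname') $srvName

# 4. FRS / DFS Replication: no errors logged in the last 24 hours.
$since = (Get-Date).AddHours(-24)
$replErr = @()
foreach ($log in 'File Replication Service', 'DFS Replication') {
    $replErr += @(Get-EventLog -LogName $log -EntryType Error -After $since -ErrorAction SilentlyContinue)
}
Check 'No FRS/DFSR errors in last 24h' ($replErr.Count -eq 0) "$($replErr.Count) error(s)"

# 5. Windows Firewall: an upgraded 2003 server that had it off keeps it off (see Important above).
$fwText = (netsh advfirewall show allprofiles state) -join "`n"
Check 'Windows Firewall on for all profiles' (-not ($fwText -match 'State\s+OFF')) ''
```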
19 Verifications you can make and recommended hotfixes you can install before you begin
1. All domain controllers in the forest should meet the following conditions:
a. Be online.
b. Be healthy (run dcdiag /v to see if there are any problems).
c. Have successfully inbound-replicated and outbound-replicated all locally held Active Directory
partitions (repadmin /showrepl * /csv, viewed in Excel).
d. Have successfully inbound-replicated and outbound-replicated SYSVOL.

3. Download the latest service pack and relevant hotfixes that apply to your Active Directory
forest before you deploy Windows Server 2008 or Windows Server 2008 R2 domain controllers.
a. For upgrades to either Windows Server 2008 or Windows Server 2008 R2, create integrated
installation media (slipstream) by adding the latest service pack and hotfixes for your
operating system.
i. If you are deploying RODCs, review article 944043 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=122974). Download and install the hotfixes on the
Windows computers and scenarios that apply to your computing environment.
ii. For Windows Server 2008 R2: If Active Directory Management Tool (ADMT) 3.1 is installed
on Windows Server 2008 computers that are being upgraded in-place to Windows
Server 2008 R2, remove ADMT 3.1 before the upgrade; otherwise, it cannot be uninstalled. In
addition, ADMT 3.1 cannot be installed on Windows Server 2008 R2 computers.
iii. The following table lists hotfixes for Windows Server 2008. You can install a hotfix
individually, or you can install the service pack that includes it.

Description | Microsoft Knowledge Base article | Service pack
Domain controllers that are configured to use the Japanese language locale | 949189 (http://go.microsoft.com/fwlink/?LinkId=164588) | Windows Server 2008 SP2
EFS file access encrypted on a Windows Server 2003 file server upgraded to Windows Server 2008 | 948690 (http://go.microsoft.com/fwlink/?LinkID=106115) | Not included in any Windows Server 2008 Service Pack
Records on Windows Server 2008 secondary DNS server are deleted following zone transfer | 953317 (http://go.microsoft.com/fwlink/?LinkId=164590) | Windows Server 2008 SP2
Use root hints if no forwarders are available | 2001154 (http://go.microsoft.com/fwlink/?LinkId=165959) |
Setting Locale info in GPP causes Event Log and dependent services to fail. If you change Regional Option User Locale enabled, the Windows Event Log Service, DNS Server Service, and Task Scheduler Service fail to start. | For prevention and resolution, see 951430 (http://go.microsoft.com/fwlink/?LinkId=165960). | To be included in Windows Server 2008 SP3
GPMC Filter fix | 949360 | Windows Server 2008 SP2
If you use devolution to resolve DNS names (instead of suffix search list), apply the DNS devolution hotfix. | 957579 (http://go.microsoft.com/fwlink/?LinkId=178224) | Windows Server 2008 SP2
Group Policy Preferences rerelease | 943729 (http://go.microsoft.com/fwlink/?LinkId=164591), 974266 (http://go.microsoft.com/fwlink/?LinkID=165035) | Windows Server 2008 SP2
Synchronize the Directory Services Restore Mode (DSRM) Administrator password with a domain user account | 961320 (http://go.microsoft.com/fwlink/?LinkId=177814) |

19.1 The following table lists hotfixes for Windows Server 2008 R2.

Description | Microsoft Knowledge Base article | Comment
Windows Server 2008 R2
Dynamic DNS updates to BIND servers log NETLOGON event 5774 with error status 9502 | 2002490 (http://go.microsoft.com/fwlink/?LinkId=178225) | [The article will include a hotfix.]
Event ID 1202 logged with status 0534 if security policy modified | 2000705 (http://go.microsoft.com/fwlink/?LinkId=165961) | Hotfix is in progress. Also scheduled for Windows Server 2008 R2 SP1.
TimeZoneKeyName registry entry name is corrupt on 64-bit upgrades | 2001086 (http://go.microsoft.com/fwlink/?LinkId=178226) | Occurs only on x64-based server upgrades in Dynamic DST time zones. To see if your servers are affected, click the taskbar clock. If the clock fly-out indicates a time zone problem, click the link to open the date and time control panel.
Deploying the first Windows Server 2008 R2 domain controller in an existing Active Directory forest may temporarily halt Active Directory replication to strict-mode destination domain controllers. | 2002034 |

19.2 Run Adprep commands
19.2.1 Add schema changes using adprep /forestprep
1. Identify the domain controller that holds the schema operations master role (also known
as flexible single master operations or FSMO role) and verify that it has inbound-replicated the
schema partition since startup:
a. Run the dcdiag /test:knowsofroleholders command. If the schema role is assigned to a
domain controller with a deleted NTDS settings object,
b. Log on to the schema operations master with an account that has Enterprise Admins,
Schema Admins, and Domain Admins credentials in the forest root domain. By default, the built-
in administrator account in a forest root domain has these credentials.
c. On the schema master, run the repadmin /showreps command. If the schema master has
inbound-replicated the schema partition since startup, continue to the next step. Otherwise, use
the Replicate Now command in Dssite.msc (Active Directory Sites and Services) to trigger
inbound replication of the schema partition to the schema master.
You can also use the repadmin /replicate <name of schema master> <GUID of
replication partner> command. The showreps command returns the globally unique identifier
(GUID) of all replication partners of the schema master.
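The "replicated since startup" check in step 1c above, and the forest-wide repadmin /showrepl * /csv review from step 1c of section 19, can both be scripted from repadmin's CSV output instead of reading it in Excel. This is an added example, not part of the original guide; it assumes the Active Directory module is installed, repadmin.exe is on the path, and WMI access to the schema master is allowed.

```powershell
# Added example (not from the original guide): parse repadmin /showrepl /csv to confirm
# the schema master has inbound-replicated the schema partition since it last booted,
# then list every failing partner link forest-wide.
Import-Module ActiveDirectory

function Get-ReplStatus([string]$dc) {
    # One row per (naming context, source partner); column names are repadmin's own header line.
    repadmin /showrepl $dc /csv | ConvertFrom-Csv
}

$schemaMaster = (Get-ADForest).SchemaMaster      # same answer as dcdiag /test:knowsofroleholders
"Schema master: $schemaMaster"

# Boot time of the schema master, to judge "replicated since startup" (WMI access assumed).
$os   = Get-WmiObject Win32_OperatingSystem -ComputerName $schemaMaster
$boot = $os.ConvertToDateTime($os.LastBootUpTime)

$schemaRows = Get-ReplStatus $schemaMaster |
    Where-Object { $_.'Naming Context' -like 'CN=Schema,CN=Configuration,*' }
if (-not $schemaRows) { "No inbound partners reported for the schema partition on $schemaMaster." }

foreach ($r in $schemaRows) {
    $last     = [datetime]::MinValue
    $parsed   = [datetime]::TryParse($r.'Last Success Time', [ref]$last)
    $failures = [int]$r.'Number of Failures'
    $ok       = $parsed -and ($last -gt $boot) -and ($failures -eq 0)
    $state    = if ($ok) { 'OK' } else { 'CHECK' }
    "{0,-5} from {1,-28} last success {2,-20} failures {3} {4}" -f `
        $state, $r.'Source DSA', $r.'Last Success Time', $failures, $r.'Last Failure Status'
}
# If no row is OK, trigger inbound replication as described above (Replicate Now or repadmin /replicate).

# Forest-wide view for step 1c of section 19: every partner link with at least one failure.
Get-ReplStatus '*' | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Naming Context', 'Source DSA', 'Number of Failures', 'Last Failure Status' |
    Format-Table -AutoSize
```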

20 Configure the Windows Time service on the PDC emulator in the Forest Root Domain
20.1 To configure the Windows Time service on the PDC emulator
1. Open a Command Prompt.
2. Type the following command to display the time difference between the local computer and a
target computer, and then press ENTER:
w32tm /stripchart /computer:target /samples:n /dataonly
3. Open User Datagram Protocol (UDP) port 123 for outgoing traffic if needed.
4. Open UDP port 123 (or a different port that you have selected) for incoming NTP traffic.
5. Type the following command to configure the PDC emulator, and then press ENTER. For
example, to configure your PDC emulator to use the fictional time server ntp1.Domain .com, run:
w32tm /config /manualpeerlist:ntp1.Domain .com /reliable:yes /update
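The steps above, as an added example that is not part of the original guide, carried out in one script that first confirms it is running on the forest root PDC emulator (Kerberos tolerates only a small clock skew, so pointing the wrong DC at an external source is a common mistake). NTP_SERVER_PLACEHOLDER stands for your own time source(s); the Active Directory module is assumed. The /syncfromflags:manual switch is added here because without it w32tm keeps following the domain hierarchy and ignores the manual peer list.

```powershell
# Added example (not from the original guide): configure the forest root PDC emulator as the
# authoritative time source, verify the result, and allow inbound NTP.
Import-Module ActiveDirectory
$peers = 'NTP_SERVER_PLACEHOLDER'     # placeholder, e.g. "ntp1.example.com,0x8 ntp2.example.com,0x8"

# Guard: only the PDC emulator of the forest root domain should sync from an external source.
$pdc = (Get-ADDomain (Get-ADForest).RootDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($me -ne $pdc) { throw "This host is $me; the forest root PDC emulator is $pdc. Run this there." }

# Step 2 of the guide: show the offset to the first external peer before changing anything.
$first = ($peers -split '[ ,]')[0]
w32tm /stripchart /computer:$first /samples:3 /dataonly

# /syncfromflags:manual = use the manual peer list instead of the domain hierarchy;
# /reliable:yes = advertise this DC as a reliable time source to the rest of the forest.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Verify: the source must now be the external peer, not "Local CMOS Clock" or another DC.
w32tm /query /source
w32tm /query /status

# Steps 3-4 of the guide: other DCs sync from the PDC over UDP 123, so inbound NTP must be allowed
# (adds a rule if the built-in W32Time rule is not already enabled).
netsh advfirewall firewall add rule name="Allow inbound NTP (UDP 123)" dir=in action=allow protocol=UDP localport=123
```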
21 Upgrade Existing Domain Controllers
Note
To increase security, domain controllers that run Windows Server 2008 and Windows
Server 2008 R2 require (by default) that all client computers attempting to authenticate to them
perform Server Message Block (SMB) packet signing and secure channel signing.
By modifying the settings of the default security policies, you are weakening the default security
policies in your environment.
22 Complete the Upgrade
Complete the following tasks to finalize the process:
Review, update, and document the domain architecture to reflect any changes that you made
during the domain upgrade process.
Verify that the NETLOGON and SYSVOL shared folders exist and that the File Replication Service
(FRS) or Distributed File Service (DFS) Replication is functioning without error by checking Event
Viewer.
Verify that Group Policy is being applied successfully by checking the application log in Event
Viewer for Event ID 1704.
Verify that all service (SRV), alias (CNAME), and host (A) resource records have been registered
in Domain Name System (DNS).
Verify Windows Firewall status.
23 Check proper installation and
replication
It is a best practice to review the logs to identify any problems that might have occurred during
the promotion. The logs to scrutinize specifically are:
dcpromo.log
All the events regarding the creation and removal of Active Directory, SYSVOL trees and
the installation, modification and removal of key services
dcpromoui.log
all the events from a graphical interface perspective
Also check the event viewer.
23.1.1 After replication
Check replication
repadmin /showreps
24 Migration of DHCP Server from Windows Server 2003 to Windows Server 2008 R2
Note: Backup and Restore are not expected to work across server versions as the DHCP
database format has changed between Windows Server 2003 and Windows Server 2008.
The recommended procedure for DHCP server migration is to use the netsh export and import
commands. The procedure for migrating a DHCP server from Windows Server 2003 to Windows
Server 2008, outlined in brief, consists of the following four steps.
24.1 Export the DHCP database from the server that is running Microsoft Windows Server 2003
1. Log on to the source DHCP server by using an account that is a member of the local
Administrators group or the DHCP Administrators group.
2. Click Start, click Run, type cmd in the Open box, and then click OK.
3. Type netsh dhcp server export C:\dhcpdatabase.dat all, and then press ENTER.
Note: While the export command runs, DHCP server is stopped and does not respond to clients
seeking new leases or lease renewals.
You can now stop the DHCP service on the source server.
24.2 Install the DHCP server service on the server that is running Windows Server 2008
To install the DHCP Server service on an existing Windows Server 2008 computer:
1. Start Server Manager.
2. Click on Add Roles.
3. Select the DHCP server role and press Next.
4. Click through the next sequence for screens of the installation wizard to complete the
DHCP server installation. You should not authorize the DHCP server at this point.
24.3 Import the DHCP database
1. Log on as a user who is a member of the local Administrators group or the DHCP
Administrators group.
2. Copy the exported DHCP database file to the local hard disk of the Windows Server 2008
computer.
3. Verify that the DHCP service is started on the Windows Server 2008 computer.
4. Click Start, click Run, type cmd in the Open box, and then click OK.
5. At the command prompt, type netsh dhcp server import c:\dhcpdatabase.dat all, and then
press ENTER, where c:\dhcpdatabase.dat is the full path and file name of the database file that
you copied to the server.
6. After you receive the message that the command completed successfully, quit the
command prompt.

24.4 Authorize the DHCP server
1. Click Start, point to All Programs, point to Administrative Tools, and then click DHCP.
You must be logged on to the server by using an account that is a member of the Administrators
group. In an Active Directory domain, you must be logged on to the server by using an account
that is a member of the Enterprise Administrators group.
2. In the console tree of the DHCP snap-in, expand the new DHCP server. If there is a red
arrow in the lower-right corner of the server object, the server has not yet been authorized.
3. Right-click the server object, and then click Authorize.
4. After several moments, right-click the server again, and then click Refresh. A green arrow
indicates that the DHCP server is authorized.

http://www.windowsreference.com/windows-server-2008/step-by-step-tutorial-how-to-migrate-dhcp-server-from-a-windows-server-2003-to-windows-server-2008/
http://blogs.technet.com/b/networking/archive/2008/06/27/steps-to-move-a-dhcp-database-from-a-windows-server-2003-or-2008-to-another-windows-server-2008-machine.aspx
Note: When you try to export a DHCP database from a 2003 domain controller to a
Windows Server 2008 member server of the domain, you may receive the following error
message:
Error initializing and reading the service configuration Access Denied
To resolve this issue, add the Windows Server 2008 DHCP server computer to the DHCP Admins
group at the Enterprise level and redo steps 4 and 5 under section 25.3.
25 Recommendations for FSMO roles
Place the RID and PDC emulator roles on the same domain controller. Good communication
from the PDC to the RID master is desirable, as down-level clients and applications target the
PDC, making it a large consumer of RIDs. It is also easier to keep track of FSMO roles if you
cluster them on fewer machines. If the load on the PDC emulator is heavy, place the RID and
PDC emulator roles on separate domain controllers.
The infrastructure master should be located on a non-global catalog server that has a direct
connection object to some global catalog in the forest, preferably in the same Active Directory
site.
http://www.pcreview.co.uk/forums/thread-1456278.php
http://www.planning-tech.com/?p=78
26 What are FSMO ROLES?
Names of the 5 FSMO roles and their placement
Schema owner servername.Domain .com
Domain Role Owner servername.Domain .com
PDC role servername.Domain .com
RID pool manager servername.Domain .com
Infrastructure owner servername.Domain .com

The FSMO (flexible single master operations) roles are assigned to domain controllers in our
environment and give us the ability to manage the environment without conflicts. The FSMO
roles can be transferred between domain controllers, which gives us much more flexibility in
managing our environment.
There are 5 FSMO roles in a forest; 2 of them provide services at the forest level and the other 3
at the domain level.
The forest level FSMO roles:
Schema Master Role: The schema master role is responsible for updating the schema partition.
The DC that holds the schema master is the only one in our entire environment that can update
the schema directory. When the update finishes, the schema replicates to all other DCs in our
directory.
Note!
We have only ONE schema master per directory!
Domain Naming Master Role: This role gives us the ability to make changes to the forest-wide
domain names of our directory. The DC that holds this role is the only one that can add new DCs
to or remove DCs from our forest.
The domain level FSMO roles:
RID Master Role: The RID role is hosted on a single DC, which is responsible for the RID pool
requests from all other DCs in a domain. This role is also responsible for adding or removing
objects (users, computers) from a domain and transferring them to another DC.
The RID master is responsible for adding the security principal identifier, called the SID, to
objects in our environment (users, computers, groups). A SID is unique across our whole domain
and cannot be duplicated on another object in our domain.
PDC Emulator Role: This role provides many services. Its first responsibility is to synchronize
time in a Windows 2000 environment (W32Time service), which is required for Kerberos
authentication; the time that this FSMO provides is gathered from an external source, for
example Microsoft's servers.
The PDC role provides the most services, so we can say that this role is the busiest one in our
environment. Here are a few examples:
- This role helps us replicate the SYSVOL folder in our environment.
- It manages all password changes in our domains, ensures that accounts that do not supply the
right credentials are locked, and replicates passwords across domains.
Infrastructure Master Role: This role gives us the ability to update the SIDs and distinguished
names of objects across domains; this happens when an object from one domain references an
object from another DC.
FSMO levels:
Schema master : One per forest.
Domain Naming Master : One per forest.
PDC Emulator : One per domain.
RID Master : One per domain.
Infrastructure Master : One per domain.
Worst Case Scenario: What happens if an FSMO role holder fails?
Schema Master - If this FSMO role fails, we cannot add objects to our schema partition, and for
that reason we cannot change objects or their attributes.
Domain Naming Master - Here it is easy to understand the problem we have when this FSMO
fails: we simply cannot add new DCs to the forest, and we also cannot demote existing domain
controllers. Note that our environment will keep functioning until we next need to manage
domain controllers in our forest.
PDC Emulator - As described, this role provides the most services; for that reason, when this role
does not function it will probably cause the biggest problems in our environment.
RID Master - First we need to know that each domain controller in our domain contains a pool of
RIDs, so we only have problems if we want to add many objects (users, computers).
Infrastructure Master - Here we need to understand the difference between a single-domain
environment (if this FSMO fails, it is not relevant in this scenario) and a multi-domain
environment (if this FSMO fails, we cannot add objects from one DC to another).
27 Moving the Roles
New groups and new group memberships that are created after upgrading the PDC
After you upgrade the Windows Server 2003-based domain controller holding the role of the PDC
emulator master in each domain in the forest to Windows Server 2008, or after you move the PDC
emulator operations master role to a Windows Server 2008-based domain controller, or after
you add a read-only domain controller (RODC) to your domain, the following new well-known
and built-in groups are created:
Builtin\IIS_IUSRS
Builtin\Cryptographic Operators
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Builtin\Event Log Readers
Enterprise Read-only Domain Controllers (created only on the forest root domain)
Builtin\Certificate Service DCOM Access
The newly established group memberships are:
IUSR security principal added to the Builtin\IIS_IUSRS group
The following groups added to the Denied RODC Password Replication Group:
Group Policy Creator Owners
Domain Admins
Cert Publishers
Domain Controllers
Krbtgt
Enterprise Admins
Schema Admins
Read-only Domain Controllers
Network Service security principal added to Builtin\Performance Log Users
Also, the following new, additional security principals are created in the forest root
domain:
IUSR
Owner Rights
Well-Known-Security-Id-System security principal is renamed to System
28 Transfer the RID Master, PDC
Emulator, and Infrastructure Master Roles
To transfer the FSMO role the administrator must be a member of the following group:
FSMO Role | Administrator must be a member of
Schema | Schema Admins
Domain Naming | Enterprise Admins
RID | Domain Admins
PDC Emulator | Domain Admins
Infrastructure | Domain Admins
29 ROLES on our servers
Schema owner servername.Domain .com
Domain role owner servername.Domain .com
PDC role servername.Domain .com
RID pool manager servername.Domain .com
Infrastructure owner servername.Domain .com
29.1 Plan will be
Schema owner servername.Domain .com move role to servername
Domain role owner servername.Domain .com move role to servername
PDC role servername.Domain .com
RID pool manager servername.Domain .com
Infrastructure owner servername.Domain .com
29.2 Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO
Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools
folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the
icon next to Active Directory Users and Computers and press Connect to Domain
Controller.(servername)
3. Select the domain controller that will be the new role holder, the target, and press
OK. (servername)
4. Right-click the Active Directory Users and Computers icon again and press Operation
Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change
button.
6. Press OK to confirm the change.
7. Press OK all the way out.
To Transfer the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools
folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the
icon next to Active Directory Domains and Trusts and press Connect to Domain
Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press Operation
Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
To Transfer the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > Run and typing:
regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command, open an MMC console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the
Active Directory Schema icon in the Console Root and press Change Domain Controller.
8. Press Specify and type the name of the new role holder. Press OK.
9. Right-click the Active Directory Schema icon again and press Operation Masters.
10. Press the Change button.
11. Press OK all the way out.

Make sure that the Active Directory module for Windows PowerShell is installed.
Then run dcdiag and look at the "Starting test: FsmoCheck" section of its output.
Then run netdom query fsmo.
If the server could not locate the roles, restart the following services on the W2K8 server:
Active Directory Domain Services
Netlogon
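With the Active Directory module installed, the role inventory that netdom query fsmo prints, and the transfer of the two forest-wide roles from the 29.1 plan, can be done and verified from PowerShell. This is an added example, not part of the original guide; TARGET_DC_PLACEHOLDER stands for the new role holder, and the caller needs the memberships listed in section 28 (Schema Admins and Enterprise Admins for these two roles).

```powershell
# Added example (not from the original guide): show current FSMO holders, transfer the
# Schema Master and Domain Naming Master to a target DC, and cross-check with netdom/dcdiag.
Import-Module ActiveDirectory
$target = 'TARGET_DC_PLACEHOLDER'     # placeholder, e.g. dc02.corp.example.com

function Get-FsmoHolders {
    # Same five answers that "netdom query fsmo" prints, read from the directory objects.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

"Before:"; Get-FsmoHolders | Format-List

# Refuse to continue if the target is a read-only DC: RODCs cannot hold operations master roles.
$dc = Get-ADDomainController -Identity $target
if ($dc.IsReadOnly) { throw "$target is an RODC and cannot hold operations master roles." }

# Graceful transfer (the current holder must be online). -Confirm prompts before each change;
# seizing (-Force) is reserved for a holder that is permanently gone, and is not done here.
Move-ADDirectoryServerOperationMasterRole -Identity $dc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm

"After:"; Get-FsmoHolders | Format-List

# The tools the guide names must agree with the list above.
netdom query fsmo
dcdiag /test:FsmoCheck
```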
30 After installing and removing Roles
Test DNS and the new server.
Client test: change the DNS settings of some clients so that their primary DNS server is the new
W2K8 server.
Server test: change the DNS settings of some servers so that they use the new W2K8 server.
31 Revision History
