Migrating our Active Directory to Windows 2008 R2

This document explains the steps to migrate an Active Directory based on “Windows Server 2003” or “Windows Server 2008” to “Windows Server 2008 R2”, and indicates the recommended steps to follow and the requirements to take into account.

To migrate Active Directory to Windows 2008 R2, we must take the following steps:

0. Preliminary checks. Confirm that our Active Directory is consistent and that replication between all domain controllers is working, and ideally do a little metadata cleanup, in addition to meeting the requirements.

First of all, we must raise the functional level of our forest and our domain(s) to “Windows Server 2003”. From the “Active Directory Domains and Trusts” console, right-click on each domain > “Raise Domain Functional Level…”. Afterwards we will do the same for our forest from the same console, right-clicking on “Active Directory Domains and Trusts” > “Raise Forest Functional Level…”.

We can confirm that our Active Directory is working correctly with tools such as:

  • DCDIAG. Running “dcdiag.exe > FICHERO_DE_LOG” gives us diagnostics for each domain controller. It analyzes the status of one or all domain controllers in a forest and reports any issues to facilitate resolution.
  • REPADMIN. Running “repadmin.exe /showreps > FICHERO_DE_LOG” lets us verify that replication between sites and between domain controllers is correct.
  • GPOTOOL. Running “gpotool.exe > FICHERO_DE_LOG” checks the status of each policy in our Active Directory; replication failures can leave the same GPO with different configurations in different sites.
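
An added example (not from the original post): a Python script that triages the log files from step 0, listing the tests dcdiag reports as failed and the inbound replication links repadmin reports as failing. The sample logs are constructed, English-language tool output is assumed, and the function names are hypothetical.

```python
import re

# Constructed sample logs (assumption: English-language tool output), shaped
# like the files written by "dcdiag.exe > LOG" and "repadmin.exe /showreps > LOG".
DCDIAG_LOG = """\
Testing server: Default-First-Site-Name\\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
      Starting test: Replications
         ......................... DC01 failed test Replications
"""
REPADMIN_LOG = """\
==== INBOUND NEIGHBORS ======================================
DC=example,DC=local
    Default-First-Site-Name\\DC02 via RPC
        Last attempt @ 2010-03-01 10:15:02 was successful.
    Default-First-Site-Name\\DC03 via RPC
        Last attempt @ 2010-03-01 10:15:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        4 consecutive failure(s).
"""

RESULT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
PARTNER = re.compile(r"^\s+(.+\\\S+) via \w+")
FAILED = re.compile(r"Last attempt @ (.+?) failed, result (\d+)")

def dcdiag_failures(log):
    """Return (target, test) for every test dcdiag reports as failed."""
    return [(m.group(1), m.group(3)) for m in RESULT.finditer(log)
            if m.group(2) == "failed"]

def repadmin_failures(log):
    """Return (naming_context, partner, result_code) for failed inbound links."""
    failures, context, partner = [], None, None
    for line in log.splitlines():
        if line.startswith(("DC=", "CN=")):      # naming context header
            context = line.strip()
        elif PARTNER.match(line):                # replication partner line
            partner = PARTNER.match(line).group(1)
        elif FAILED.search(line):                # failed last attempt
            failures.append((context, partner, int(FAILED.search(line).group(2))))
    return failures

def ready_to_migrate(dcdiag_log, repadmin_log):
    """Gate for step 0: proceed only when both logs are free of failures."""
    return not dcdiag_failures(dcdiag_log) and not repadmin_failures(repadmin_log)
```

Warnings that dcdiag prints without failing a test are not detected by this check, so the full log still deserves a read before moving to step 1.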

 

1. Prepare Active Directory to support Windows 2008 R2 domain controllers. Our existing domain controllers must already be Windows 2000 SP4 or higher: http://www.bujarra.com/?p=3718

2. Promote a new Windows Server 2008 R2 domain controller in our Active Directory.

  • To promote a Windows Server 2008 R2 machine to domain controller, we must first install “Active Directory Domain Services” on the server and then run the dcpromo.exe utility.
  • Once we have a writable domain controller, we can always add a read-only domain controller (RODC). For information on scripting dcpromo with answer files, see http://support.microsoft.com/kb/947034.

3. DNS server configuration:

  • Zone transfers. Zone transfers to the new server must be configured. From the DNS console of any server, open the properties of the zone and go to the “Zone Transfers” tab, where we enable “Allow zone transfers” and “Only to servers listed on the Name Servers tab”. Then go to the “Name Servers” tab and add the target DNS server if it is not already there.
  • Changes to client computers. We will have to change the DNS configuration on our DHCP server so that it points to the new DNS servers, or directly on the computers (if they have fixed IP addressing), following this document: http://www.bujarra.com/?p=802.

4. Migrate the FSMO roles to the new server. Apart from transferring the roles (http://www.bujarra.com/?p=3711), we will need to verify that the new domain controller is a “Global Catalog”: in the “Active Directory Sites and Services” tool, go to “Sites” > SITE > “Servers” > SERVER > properties of “NTDS Settings” and confirm that “Global Catalog” is checked.

5. Demotion of the old servers: Before demoting a domain controller, we have to take into account which services may depend on it. If we have LDAP applications that point to it, or Exchange organizations, all of this must be modified first to avoid problems. To demote a Windows 2003 or Windows 2008 domain controller, we run DCPROMO and follow the wizard. Once the wizard has finished and enough time has passed for replication, we must check that no remnants are left and, if any are, remove the old domain controllers from the references we find, such as the zone transfers of our DNS servers or the “Domain Controllers” Organizational Unit. They should not appear in “Active Directory Sites and Services” either, and we should also perform a cleanup of our Active Directory. Using ADSIEdit is highly recommended for a proper cleanup.

6. Raise the functional level of the forest and the domain.

Once all our domain controllers are running Windows 2008 R2, we will be able to raise the functional level of the forest and the domain(s) to “Windows Server 2008 R2”. From the “Active Directory Domains and Trusts” console, right-click on each domain > “Raise Domain Functional Level…”. Afterwards we will do the same for our forest from the same console, right-clicking on “Active Directory Domains and Trusts” > “Raise Forest Functional Level…”. What's new in the Windows 2008 R2 features: HERE.

Official Microsoft Migration Documentation: HERE.

Author

nheobug@bujarra.com
Author of the Bujarra.com blog. Whatever you need, do not hesitate to contact me, I will try to help you whenever I can. Sharing is living ;) . Enjoy the documents!!!