W2K3 To W2K8/W2K8R2 Active Directory Upgrade Considerations

Pre-Migration

"Microsoft Product Support Quick Start to Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains" can be found here: https://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx

NOTE: It is recommended to build a virtual lab that mirrors the production AD environment and to validate and test the procedures below there first.

Scenarios for migration: new hardware, P2V, in-place OS upgrade

1. Review the supported in-place upgrade paths:

· Computers running Windows NT 4.0 or Windows 2000 cannot be upgraded to Windows 2008 or Windows 2008 R2

· In-place upgrades from Windows 2003 or Windows 2003 R2 to Windows 2008 or Windows 2008 R2 are supported (note: an in-place upgrade cannot change architecture: a 32-bit Windows 2003 can only go to 32-bit Windows 2008, and Windows 2008 R2 exists only for x64)

· An x64-based version of Windows 2008 can be upgraded to Windows 2008 R2

· A writeable DC cannot be upgraded to be an RODC

· A server running a full installation of Windows 2008 R2 cannot be upgraded to Windows 2008 R2 Server Core

2. Monitor AD and SYSVOL replication before you start. If you do not have a monitoring tool, these free Microsoft tools cover the basics:

· https://www.microsoft.com/en-us/download/details.aspx?id=30005

· https://www.microsoft.com/en-us/download/details.aspx?id=3745

· https://www.microsoft.com/en-us/download/details.aspx?id=3660

3. Verify trust relationships (and the secure channels behind them).

4. Verify the PDC emulator's Windows Time configuration and the other FSMO roles (every role holder must be a live, replicating DC).

5. LDAP query policy limits for applications integrated with AD (W2K8 DCs enforce hard-coded limits on top of the query policy; see the checklist below).

6. Inventory the applications that work with AD and understand how they use it (LDAP queries and paging, Kerberos/NTLM, NSPI, DES).

7. NSPI connections are limited to 50 per user on W2K8.

8. DES Kerberos encryption types are disabled by default on W2K8 R2 (this can affect legacy Kerberos clients and accounts configured with "Use DES encryption types for this account").

9. What other services work with AD or are installed on the DCs?

10. Apply current updates, and download the hotfixes listed in the checklist below in advance so they are at hand if an issue appears.

11. Review the forest and domain functional levels. Adprep /domainprep requires a Windows 2000 native or higher domain functional level in each target domain; promoting read-only domain controllers (RODCs) requires a Windows Server 2003 forest functional level or higher.

12. ADPREP /FORESTPREP (on the schema master).

13. ADPREP /DOMAINPREP (on the infrastructure master of each domain).

14. ADPREP /DOMAINPREP /GPPREP if the domain was created on Windows 2000 DCs and GPPREP has never been run (it re-ACLs every GPO in SYSVOL, which triggers a one-time full SYSVOL replication; schedule it accordingly).

15. If you are considering RODCs, validate the need and run ADPREP /RODCPREP. The forest functional level must be at least Windows Server 2003, and a writeable Windows 2008 or Windows 2008 R2 DC must exist in the target domain.

16. DCPROMO the new Windows 2008 R2 DCs, transfer the FSMO roles to them, and only then demote the Windows 2003 DCs.

17. Monitor AD and SYSVOL replication again.
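The following PowerShell script is an added example and is not part of the original post. It is a read-only audit of the pre-migration items above (replication, trusts, time and FSMO roles, LDAP query policy, DES-only accounts) and of the LmCompatibilityLevel, NoLMHash, NullSession and SMB signing values that the checklist below flags as changed W2K8 defaults. It assumes a domain-joined machine with repadmin, netdom, nltest and w32tm in the path (RSAT or the W2K3 Support Tools) and the Remote Registry service running on the DCs; no domain or server names are assumed, everything is discovered from the live domain.

```powershell
# Added example (not from the original post): pre-migration audit, read-only.
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs     = @($domain.DomainControllers | ForEach-Object { $_.Name })
$rootDse = [adsi]'LDAP://RootDSE'
$cfgDn   = [string]$rootDse.configurationNamingContext

'== FSMO role holders (every one must be a live, replicating DC) =='
netdom query fsmo

'== Replication links with failures (an empty table is what you want) =='
# repadmin /csv gives one row per partner link; filter on the failure counter.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
$links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Status' -AutoSize

'== Trusts, with a secure-channel verification for each =='
foreach ($trust in $domain.GetAllTrustRelationships()) {
    '{0}: {1}, {2}' -f $trust.TargetName, $trust.TrustType, $trust.TrustDirection
    nltest ('/sc_verify:' + $trust.TargetName)
}

'== Clock offset of every DC against the PDC emulator =='
w32tm /monitor ('/domain:' + $domain.Name)

'== LDAP query policy in force (W2K8 adds hard-coded caps on top of these) =='
$qp = [adsi]('LDAP://CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,' + $cfgDn)
$qp.lDAPAdminLimits

'== Accounts flagged USE_DES_KEY_ONLY (userAccountControl bit 0x200000) =='
# These accounts only have DES Kerberos keys, which W2K8 R2 DCs refuse by default.
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.Filter = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))'
$search.PageSize = 1000
[void]$search.PropertiesToLoad.Add('sAMAccountName')
$search.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }

'== LM/NTLM, null-session and SMB-signing settings on each DC =='
$settings = foreach ($dc in $dcs) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
    try {
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $srv = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters')
        New-Object PSObject -Property @{
            DC                   = $dc
            # W2K3 default is 2 (send NTLM), W2K8 default is 3 (send NTLMv2 only)
            LmCompatibilityLevel = $lsa.GetValue('LmCompatibilityLevel', 'OS default')
            NoLMHash             = $lsa.GetValue('NoLMHash', 'OS default')
            RequireSigning       = $srv.GetValue('RequireSecuritySignature', 'OS default')
            NullSessionPipes     = ($srv.GetValue('NullSessionPipes') -join ',')
            NullSessionShares    = ($srv.GetValue('NullSessionShares') -join ',')
        }
    } finally { $hklm.Close() }
}
$settings | Format-Table DC, LmCompatibilityLevel, NoLMHash, RequireSigning, NullSessionPipes, NullSessionShares -AutoSize
```

Anything listed under the DES or LM sections needs an owner before the first W2K8 R2 DC goes in: a DES-only service account stops authenticating once its requests land on an R2 DC, and a device that still depends on LM/NTLMv1 or on null-session pipes that the new defaults drop will fail in the same way.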


Checklist Pre-Migration


1. Compatibility issues you should address before beginning the upgrade

a. https://support.microsoft.com/kb/946405 - No LM Hash

b. https://support.microsoft.com/kb/942564 - NT 4.0 domains

c. https://support.microsoft.com/default.aspx?scid=kb;en-US;2021766 W2K8R2/Windows 7 and NT4 domains.

d. https://technet.microsoft.com/en-us/library/cc731654.aspx - SMB Signing

e. https://support.microsoft.com/kb/944043 - RODC Client Pack

f. https://support.microsoft.com/default.aspx?scid=kb;EN-US;968614- Outlook 2003 hotfix

g. https://support.microsoft.com/kb/958980 - Issue with OCS 2007 or LCS 2005

h. https://support.microsoft.com/kb/947039 - You cannot locally configure or locally delete the application partitions that are created for IP telephony after you upgrade from Windows Server 2003 to Windows Server 2008

i. https://support.microsoft.com/kb/948680 - Description of the Microsoft server applications that are supported on Windows Server 2008

j. Browse list fails: the Computer Browser service is disabled by default on W2K8. If anything still depends on the browse list, set the service to Automatic on the PDCe and on one DC per network segment.

k. DFS site-costed referrals are enabled on W2K8 DCs. This is a good change, but it may result in W2K8 DCs returning referrals in a different order than W2K3 DCs, where this feature is disabled by default.

l. LmCompatibilityLevel default raised to 3 (send NTLMv2 responses only). See https://technet.microsoft.com/en-us/library/cc960646.aspx

m. NullSessionPipes list is shorter. See the Threats and Countermeasures guide

n. NullSessionShares has been removed. See the Threats and Countermeasures guide

o. NSPI connections limited to 50 per user. https://support.microsoft.com/kb/949469

p. DES crypto disabled on R2. See technet doc above and the following. https://support.microsoft.com/kb/978055

q. ldap query policy hard coded limits https://support.microsoft.com/default.aspx?scid=kb;en-US;2009267 . Need to override these limits? See https://blogs.technet.com/b/qzaidi/archive/2010/09/02/override-the-hardcoded-ldap-query-limits-introduced-in-windows-server-2008-and-windows-server-2008-r2.aspx

r. RFC 2696 section 3 is more stringently enforced by W2K8 R2 DCs, i.e. subsequent requests for each page of a query must contain values identical to the original request (with the exception of the messageID, the cookie, and optionally a modified pageSize). W2K3 DCs did not enforce this; W2K8 R2 DCs do, and return the error UNAVAIL_EXTENSION (LDAP result code 12, unavailableCriticalExtension) to the caller instead of the requested page if the request parameters differ from the original request in violation of the RFC.

s. For other operating system implementations (such as NetApp, Samba, EMC, etc.), contact those vendors for their supportability matrix for Windows 2008/2008 R2 as client and as DC.
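The following PowerShell script is an added example and is not part of the original post. It shows an RFC 2696 paged LDAP search written the way W2K8 R2 DCs enforce it (item r), and then the mistake that item r describes, changing the filter between pages of the same paged result set, so you can see how the DC you point it at reacts. The server name dc01.contoso.com and the base DN DC=contoso,DC=com are hypothetical; the script needs only the .NET System.DirectoryServices.Protocols assembly. Keep the page size at or under the DC's MaxPageSize (1,000 by default), since anything above the limits in item q is capped by the DC rather than honoured.

```powershell
# Added example (not from the original post): RFC 2696 paging done right, then done wrong.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'dc01.contoso.com'    # hypothetical
$baseDn = 'DC=contoso,DC=com'   # hypothetical

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection $server
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true   # in line with the W2K8 LDAP signing default
$conn.Bind()                           # current Windows credentials (Negotiate)

function Search-LdapPaged {
    param($Connection, [string]$BaseDn, [string]$Filter, [string[]]$Attributes, [int]$PageSize = 500)

    # Build ONE SearchRequest and resend that same object for every page: base,
    # scope, filter, attribute list and other controls stay identical, and only
    # the paging control's cookie changes between requests (RFC 2696 section 3).
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, 'Subtree', $Attributes)
    $paging  = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
    [void]$request.Controls.Add($paging)

    $dns = New-Object System.Collections.Generic.List[string]
    do {
        $response = $Connection.SendRequest($request)
        foreach ($entry in $response.Entries) { $dns.Add($entry.DistinguishedName) }
        $pageResponse = $response.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $paging.Cookie = $pageResponse.Cookie   # hand the server's cookie back untouched
    } while ($null -ne $paging.Cookie -and $paging.Cookie.Length -gt 0)   # empty cookie = last page
    return $dns
}

# Correct use: one request object, only the cookie changes.
$users = @(Search-LdapPaged $conn $baseDn '(objectClass=user)' @('sAMAccountName') 500)
'{0} user objects returned across all pages' -f $users.Count

# The violation item r is about: a second page requested with a different filter.
# W2K3 DCs served the next page anyway; W2K8 R2 DCs answer with
# unavailableCriticalExtension (LDAP result code 12, UNAVAIL_EXTENSION).
$request = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn, '(objectClass=user)', 'Subtree', @('cn'))
$paging  = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(2)   # tiny page so a cookie comes back
[void]$request.Controls.Add($paging)
$first = $conn.SendRequest($request)
$paging.Cookie = ($first.Controls |
    Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
$request.Filter = '(objectClass=computer)'   # same cookie, changed filter: violates RFC 2696 section 3
try {
    [void]$conn.SendRequest($request)
    'DC served the altered page request (W2K3 behaviour)'
} catch {
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap PowerShell's MethodInvocationException
    'DC rejected the altered page request: ' + $ex.Response.ResultCode   # UnavailableCriticalExtension on W2K8 R2
}
$conn.Dispose()
```

Applications that build a fresh request per page (re-creating the filter, re-ordering the attribute list, or adding a control after the first page) are the ones to look for in item 6 of the pre-migration list; the fix is always on the client side, not on the DC.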

2. Fixes you should have downloaded in advance

a. If you use devolution to resolve single-label or non-qualified DNS names, get KB957579 and integrate into build process

b. Have you ever authoritatively restored your domain's KRBTGT account? If so, see https://support.microsoft.com/kb/939820 & https://support.microsoft.com/kb/968140 & https://support.microsoft.com/kb/976424

c. LDAP clients fail to connect to LDAPS servers by canonical name. https://support.microsoft.com/kb/2275950 & https://support.microsoft.com/kb/2282241

3. ADPREP /FORESTPREP failures include

a. Insufficient credentials used to run forestprep

b. Schema FSMO not assigned to a live DC, or the schema master has not inbound-replicated since its last boot

c. Antivirus agent locks the LDIF files, resulting in the error "the callback function failed"

d. Running an incorrect version of ADPREP (use the adprep from the media of the OS you are introducing)

e. Schema conflicts including conflicting lDAPDisplayNames, linkIDs, OIDs, DN paths, attribute syntax, and missing "may contain" attributes (KB969307)

4. RODCPREP failures include

a. Infrastructure master not assigned to a live DC. See MSKB 949257

5. DOMAINPREP /GPPREP fails because

a. Infrastructure master assigned to an offline or deleted NTDSA

b. Insufficient credentials used

c. Error "callback function failed" = SYSVOL not shared, default policy missing, missing default GUID, or a problem with the reparse point
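The following PowerShell script is an added example and is not part of the original post. It walks the ADPREP sequence from the pre-migration list with the checks that head off the failures listed under 3, 4 and 5: credentials, live role holders, inbound replication on the schema master, the right adprep binary, and the schema and revision values that prove each step replicated before the next one runs. The names are hypothetical: forest root contoso.com, schema master DC01, infrastructure master of the target domain DC02, and the W2K8 R2 media mounted as D:. Each adprep step is meant to be run interactively on the DC named for it, logged on as a member of Schema Admins, Enterprise Admins and Domain Admins of the root domain.

```powershell
# Added example (not from the original post): ADPREP with its pre- and post-checks.
$forestRoot   = 'DC=contoso,DC=com'   # hypothetical
$schemaMaster = 'DC01.contoso.com'    # hypothetical, run /forestprep here
$infraMaster  = 'DC02.contoso.com'    # hypothetical, run /domainprep here

# 1. Credentials (3.a / 5.b): all three groups must show up.
whoami /groups | Select-String 'Schema Admins', 'Enterprise Admins', 'Domain Admins'

# 2. Role holders must be live and consistently known (3.b, 4.a, 5.a).
netdom query fsmo
dcdiag /test:KnowsOfRoleHolders /test:FsmoCheck

# 3. The schema master must have inbound-replicated since its last boot (3.b):
#    pull all naming contexts from all partners, cross-site, then inspect.
repadmin /syncall $schemaMaster /Ae
repadmin /showrepl $schemaMaster

# 4. Right binary (3.d): on the W2K8 R2 DVD adprep lives in \support\adprep;
#    adprep.exe is x64 only, adprep32.exe is for a 32-bit W2K3 DC.
#    Exclude that folder from real-time antivirus scanning first (3.c).
$is32bitOS = ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and (-not $env:PROCESSOR_ARCHITEW6432)
$adprep = if ($is32bitOS) { 'D:\support\adprep\adprep32.exe' } else { 'D:\support\adprep\adprep.exe' }

# 5. Forest prep, on the schema master only.
& $adprep /forestprep

# 6. Do not continue until every DC shows the new schema version (3.b):
#    objectVersion 47 = W2K8 R2, 44 = W2K8, 31 = W2K3 R2, 30 = W2K3.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($dc in ($forest.Domains | ForEach-Object { $_.DomainControllers })) {
    $schema = [adsi]('LDAP://' + $dc.Name + '/CN=Schema,CN=Configuration,' + $forestRoot)
    '{0,-35} schema objectVersion = {1}' -f $dc.Name, $schema.objectVersion.Value
}

# 7. Domain prep (with GPPREP), on the infrastructure master of each domain.
#    GPPREP re-ACLs every GPO in SYSVOL and triggers one full SYSVOL replication.
& $adprep /domainprep /gpprep

# 8. RODC prep runs from any machine in the forest as Enterprise Admin, but it
#    must reach the infrastructure master of every domain (4.a).
& $adprep /rodcprep

# 9. Verify the revision stamps adprep leaves behind. Expected after the W2K8 R2
#    adprep: ForestUpdates 5, RodcUpdate 2, DomainUpdates 5.
$cfg = 'CN=Configuration,' + $forestRoot
([adsi]('LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,' + $cfg)).revision.Value
([adsi]('LDAP://CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,' + $cfg)).revision.Value
([adsi]('LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,' + $forestRoot)).revision.Value
```

Step 6 is the one most often skipped: running /domainprep before the schema change has reached the infrastructure master produces exactly the "not replicated" failure under 3.b, and in a multi-site forest that replication can take a full replication cycle.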

6. DCPROMO

a. DNS Delegation warning https://technet.microsoft.com/en-us/library/dd379526(WS.10).aspx

b. Option to install DNS Server role grayed out if DNS server role already installed.

7. RODCPROMO

a. The option to install an RODC is only enabled if the FFL is W2K3 or higher

b. Cannot make the first W2K8 DC in a domain an RODC

8. POST UPGRADE

a. For RODCs

i. Install the RODC compatibility pack (MSKB 944043) on the relevant OS versions in the environment

ii. The DNS Server service on an RODC does not respond to DNS queries for several minutes if the link to some RWDCs breaks in Windows Server 2008. KB981370

iii. Delegation scenarios may break in mixed environments that have RODCs and still contain W2K3 DCs in the same domain as the RODC. KB2360265

b. For DNS Servers

i. EDNS (RFC 2671) is turned on for W2K8 R2 DNS servers. Review the following KBs for examples of compatibility issues: KB828263, KB977158, KB832223

ii. W2K8 and W2K8 R2 DNS servers do not reuse dnsNode objects once dnsTombstoned=TRUE for a given node; instead these objects are tombstoned. The effect is a larger AD database, by an amount that depends on the DNS record churn rate and volume. Aggressive DNS scavenging and/or short DHCP lease durations where DHCP is configured to de-register client records at lease expiration will exacerbate this.


c. For DCs running on Hyper-V and VMware

1. Install a UPS

2. Brief all admins on the risks of USN rollbacks caused by restoring snapshots of DC guests. Review https://technet.microsoft.com/en-us/library/dd363553(WS.10).aspx

3. P2V conversions should be done offline. If converting multiple DCs in the same forest, all of them need to be offline at the same time.

d. Disaster Avoidance & Recovery

1. Enable delete protection on OU containers

2. Enable system state backups

3. If using a 3rd-party backup product, test system state restores and also keep an alternate backup (such as Windows Server Backup) so that PSS can restore when the 3rd-party product fails to restore
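The following PowerShell script is an added example and is not part of the original post. It is the check that goes with item 8.c: after any snapshot restore, clone or P2V activity on virtualised DCs, it asks every DC in the forest whether it has detected a USN rollback. A DC that detects one sets "DSA Not Writable" to 4 under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, logs Directory Service events 2095 (partner saw already-acknowledged USNs) and 2103 (database restored by an unsupported method), and disables its own inbound and outbound replication. The script assumes repadmin in the path and the Remote Registry service running on the DCs; no names are assumed.

```powershell
# Added example (not from the original post): USN rollback detection across the forest.
function Test-UsnRollback {
    param([string]$DC)

    # Flag the DC sets on itself when it detects the rollback.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $DC)
    try {
        $ntds = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        $notWritable = [int]$ntds.GetValue('DSA Not Writable', 0)
    } finally { $hklm.Close() }

    # 2095: replication partner received already-acknowledged USNs from this DC.
    # 2103: AD database restored with an unsupported procedure (snapshot, image copy).
    $events = @(Get-EventLog -LogName 'Directory Service' -ComputerName $DC -After (Get-Date).AddDays(-30) -ErrorAction SilentlyContinue |
        Where-Object { @(2095, 2103) -contains $_.EventID })

    # A DC that detected the rollback turns off its own replication in both directions.
    $options = (repadmin /options $DC | Out-String)

    New-Object PSObject -Property @{
        DC               = $DC
        DsaNotWritable   = $notWritable
        RollbackEvents   = $events.Count
        InboundDisabled  = [bool]($options -match 'DISABLE_INBOUND_REPL')
        OutboundDisabled = [bool]($options -match 'DISABLE_OUTBOUND_REPL')
        Suspect          = ($notWritable -eq 4) -or ($events.Count -gt 0) -or ($options -match 'DISABLE_(IN|OUT)BOUND_REPL')
    }
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$report = foreach ($d in $forest.Domains) {
    foreach ($dc in $d.DomainControllers) { Test-UsnRollback $dc.Name }
}
$report | Format-Table DC, Suspect, DsaNotWritable, RollbackEvents, InboundDisabled, OutboundDisabled -AutoSize
```

A DC reported as Suspect must not simply have replication re-enabled: the TechNet article linked in 8.c covers why, and the only supported ways out are a restore from a proper system state backup or a forced demotion, metadata cleanup and re-promotion.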

9. ADMIN STUFF

a. Apply KB 948690 if EFS is used on a W2K3 computer that is upgraded to W2K8

b. If using Group Policy Preferences (GPP), install KB 943729

10. RECYCLE BIN STUFF (optional)

a. With Identity Lifecycle Manager (ILM), including Feature Pack 1 (FP1), the Management Agent for Active Directory is not supported with the Recycle Bin feature. KB2018683

Post-Migration


1. Monitor AD and SYSVOL replication.

2. Enable delete protection on OU containers (optional).

3. Test and enable the new features of Windows 2008 R2, in the lab first and then in production.

4. Enable system state backups.

5. Verify the antivirus exclusions for AD: https://support.microsoft.com/kb/822158

6. Prepare or update the disaster recovery plan (DRP) for AD.


Anderson Lacruz

Premier Field Engineer (Venezuela)