For many organizations, a slower, more planned, or phased migration to
the latest Active Directory makes more sense. This might be because the
organization has many Active Directory domains that would need to be
staged and migrated, because the organization has a lot of domain
controllers in remote offices that would need to be staged for the
upgrade, or merely because the organization wants to be more methodical
in the upgrade process.
It is important to note that a phased migration of Active Directory
doesn’t necessarily make the migration “safer,” because the first domain
controller to be updated advances key components of the domain and/or
forest to the updated Active Directory level. The update occurs
immediately upon the first system update, so the impact of the new
Active Directory takes effect immediately and does not require all
domain controllers to be updated before the effect is seen throughout
the enterprise. However, the phased migration controls the number of
systems that have been physically updated or still need to be updated,
and thus the number of systems being directly updated.
Because Active Directory is one of the most important portions of a
Microsoft network, it is consequently one of the most important areas to
focus on in a migration process. In the phased migration scenario
covered in this section, there are two domains (companyabc.com and
asia.companyabc.com), which are members of the same forest (shown in
Figure 1).
The companyabc.com domain has all Windows 2000 SP4 domain controllers
and the asia.companyabc.com domain has all Windows Server 2003 SP2
domain controllers. The entire forest will be upgraded to Windows 2008,
but the domains need to be migrated over time. Thus, a phased migration
will be used.
Migrating Domain Controllers
The domain controllers can either be directly upgraded to
Windows 2008 or replaced by newly introduced Windows 2008 domain
controllers. The decision to upgrade an existing server largely depends
on the hardware of the server in question. The rule of thumb is, if the
hardware will support Windows 2008 now and for the next two to three
years, a server can be directly upgraded. If this is not the case, using
new hardware for the migration is preferable.
The prerequisites for upgrading an Active Directory forest and domain
discussed earlier still apply. The prerequisites to upgrade to Windows
2008 and Windows 2008 R2 Active Directory are as follows:
The operating system on the domain controllers is Windows Server 2003 SP1 or higher.
The current domain functional level is Windows 2000 Native or Windows Server 2003. You cannot upgrade directly from Windows NT 4.0, Windows 2000 Mixed, or Windows Server 2003 interim domain functional levels.
All Windows 2000 Server domain controllers have Service Pack 4 (SP4) installed.
These prerequisites are required to upgrade to Windows 2008 and are
separate from the decision to upgrade or replace any given domain
controller.
Note
A combined approach can be and is quite commonly used, as indicated in Figure 2,
to support a scenario in which some hardware is current but other
hardware is out of date and will be replaced. Either way, the decisions
applied to a proper project plan can help to ensure the success of the
migration.
The scenario in this section will use the combined approach to the
upgrade, replacing the Windows 2000 SP4 companyabc.com domain
controllers and upgrading the Windows Server 2003 asia.companyabc.com
domain controllers.
The health of the domain controllers should be verified prior to
upgrading them. In particular, the Domain Controller Diagnostics
(DCDIAG) utility should be run and any errors fixed before the upgrade.
The Windows Server DCDIAG utility is part of the Support Tools, which
can be found on the installation media under \support\tools\. The
Support Tools are installed via an MSI package named SUPTOOLS.MSI. After
installing the tools, the DCDIAG utility can be run. The dcdiag /e
option should be used to check all domain controllers in the enterprise.
Verify that all tests passed.
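Added example (not part of the original text): a Python check over saved dcdiag /e output that lists every failed test and every expected domain controller that produced no results at all. The site name, server names and sample output are constructed, and the result-line pattern assumes the English-language dcdiag output format.

```python
import re

# Constructed sample of `dcdiag /e` output; site and server names are hypothetical.
SAMPLE = r"""
   Testing server: HQ\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
   Testing server: HQ\DC2
      Starting test: Connectivity
         ......................... DC2 failed test Connectivity
   Testing server: HQ\DC1
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
         ......................... DC1 failed test Replications
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
   Running enterprise tests on : companyabc.com
      Starting test: Intersite
         ......................... companyabc.com passed test Intersite
"""

# Summary line: dots, target name, verdict, test name.
RESULT = re.compile(r"^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")

def parse_results(text):
    """Map each tested target (DC, partition or enterprise) to {test: verdict}."""
    results = {}
    for line in text.splitlines():
        m = RESULT.match(line)
        if not m:
            continue
        target, verdict, test = m.group(1).upper(), m.group(2), m.group(3)
        tests = results.setdefault(target, {})
        # A failure is sticky: a later "passed" for the same test must not hide it.
        if tests.get(test) != "failed":
            tests[test] = verdict
    return results

def upgrade_blockers(text, expected_dcs):
    """Return sorted (target, reason) pairs that should stop the upgrade."""
    results = parse_results(text)
    blockers = [(target, "failed test " + test)
                for target, tests in results.items()
                for test, verdict in tests.items() if verdict == "failed"]
    # A DC that never appears was not checked at all, which is not a pass.
    blockers += [(dc.upper(), "no dcdiag results")
                 for dc in expected_dcs if dc.upper() not in results]
    return sorted(blockers)

if __name__ == "__main__":
    for target, reason in upgrade_blockers(SAMPLE, ["DC1", "DC2", "DC3"]):
        print(f"BLOCK {target}: {reason}")
```

To use it on real output, redirect dcdiag /e to a file, read that file in place of SAMPLE, and pass the list of domain controllers you expect to see.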
Preparing the Forest and Domains Using adprep
The introduction of Windows Server 2008 domain controllers into a
Windows 2000/2003 Active Directory requires that the core AD database
component, the schema, be updated to support the increased
functionality. In addition, several other security changes need to be
made to prepare a forest for inclusion of Windows 2008. The Windows
Server 2008 DVD includes a command-line utility called adprep that will
extend the schema to include the extensions required and modify security
as needed. Adprep requires that both forestprep and domainprep be run
before the first Windows 2008 domain controller can be added.
The adprep utility must be
run from the Windows Server 2008 DVD or copied from its location in the
\sources\adprep\ folder. This installs the schema updates that are new
to Windows 2008 Active Directory. The following steps should be run on
the Flexible Single Master Operations (FSMO) role holder, specifically
the schema master role holder:
1. Insert the Windows Server 2008 DVD into the drive. If the Install Windows autorun page appears, close the window.
Note
Be sure to use the appropriate media for the operating system of the domain controller, specifically 32-bit or 64-bit.
2. Select Start, Run.
3. Enter d:\sources\adprep\adprep.exe /forestprep and click OK, where d: is the DVD drive.
4. A warning appears to verify that all Windows 2000 domain controllers are at Service Pack 4 or later. Enter C and press Enter to start the forest preparation.
Note
Any previous extensions made to a Windows 2000/2003 Active Directory
schema, such as those made with Exchange Server 2003 or Exchange Server
2007, are not affected by the adprep procedure. This procedure simply
adds additional attributes and does not change those that currently
exist.
Now that the schema updates have been installed, the domain is ready to
be prepared. The adprep /domainprep /gpprep operation must be run once
in every domain in a forest. It must be physically invoked on the server
that holds the infrastructure master Operations Master (OM) role. The
steps for executing the domainprep procedure are as follows:
1. On the Operations Master domain controller, insert the Windows Server 2008 DVD into the drive. If the Install Windows autorun page appears, close the window.
Note
Be sure to use the appropriate media for the operating system of the domain controller, specifically 32-bit or 64-bit.
2. Select Start, Run.
3. Enter d:\sources\adprep\adprep.exe /domainprep /gpprep and click OK, where d: is the DVD drive.
4. Enter d:\sources\adprep\adprep.exe /rodcprep and click OK. This update allows Read-Only Domain Controllers by updating the permissions on all the DNS application directory partitions in the forest and allows them to be replicated by all RODCs that are also DNS servers.
Repeat steps 1 through 4 for each domain that will be upgraded.
After the forestprep and domainprep operations are run, the Active
Directory forest will be ready for the introduction or upgrade of
Windows 2008 domain controllers. The schema is extended and includes
support for application partitions and other enhancements. After these
updates have had sufficient time to replicate across all domains, the
process of upgrading the domain controllers to Windows 2008 can
commence.