Retiring Existing Windows 2000/2003 Domain Controllers
After the entire
Windows 2000/2003 domain controller infrastructure is replaced by
Windows 2008 equivalents and the OM roles are migrated, the process of
demoting and removing all down-level domain controllers can begin. The
most straightforward and thorough way of removing a domain controller is
by demoting them using the dcpromo utility,
per the standard Windows 2000/2003 demotion process. After you run the
dcpromo command, the domain controller becomes a member server in the
domain. After disjoining it from the domain, it can safely be
disconnected from the network.
Retiring “Phantom” Domain Controllers
As is often the
case in Active Directory, domain controllers might have been removed
from the forest without first being demoted. They become phantom domain
controllers and basically haunt the Active Directory, causing strange
errors to pop up every so often. This is because of a couple remnants in
the Active Directory, specifically the NTDS Settings object and the
SYSVOL replication object. These phantom DCs might come about because of
server failure or problems in the administrative process, but you
should remove those servers and remnant objects from the directory to
complete the upgrade to Windows 2008. Not doing so will result in errors
in the event logs and in the DCDIAG output.
Simply deleting
the computer object from Active Directory Sites and Services does not
work. Instead, you need to use a low-level directory tool, ADSIEdit, to
remove these servers properly. The following steps outline how to use
ADSIEdit to remove these phantom domain controllers:
1. | Launch Server Manager.
|
2. | Expand the Roles node and select the Active Directory Domain Services node.
|
3. | Scroll down to the Advanced Tools section of the page and click on the ADSI Edit link.
|
4. | In the ADSIEdit window, select Action, Connect To.
|
5. | In the Select a Well Known Naming Context drop-down menu, select Configuration, and click OK.
|
6. | Select the Configuration node.
|
7. | Navigate
to Configuration\CN=Configuration\CN=Sites\CN=<Sitename>\
CN=Servers\CN=<Servername>, where <Sitename> and
<Servername> correspond to the location of the phantom domain
controller.
|
8. | Right-click the CN=NTDS Settings, and click Delete, as shown in Figure 3.
|
9. | At the prompt, click Yes to delete the object.
|
10. | In the ADSIEdit window, select the top-level ADSIEdit node, and then select Action, Connect To.
|
11. | In the Select a Well Known Naming Context drop-down menu, select Default Naming Context, and click OK.
|
12. | Select the Default Naming Context node.
|
13. | Navigate
to Default naming context\CN=System\CN=File Replication
Service\CN=Domain System Volume(SYSVOL share)\CN=<Servername>,
where <Servername> corresponds to the name of the phantom domain
controller.
|
14. | Right-click the CN=<Servername>, and select Delete.
|
15. | At the prompt, click Yes to delete the object.
|
16. | Close ADSIEdit.
|
At
this point, after the NTDS Settings are deleted, the server can be
normally deleted from the Active Directory Sites and Services snap-in.
Note
ADSIEdit was included
in the Support Tools in Windows Server 2000/2003, but is now included in
the AD DS Tools that are installed automatically with the Active
Directory Domain Services role in Windows 2008.
Upgrading Domain and Forest Functional Levels
Windows 2008 Active
Directory Domain Services does not immediately begin functioning at a
native level, even when all domain controllers have been migrated. The
domains and forest will be at the original functional levels. You first
need to upgrade the functional level of the domain to Windows Server
2008 before you can realize the full advantages of the upgrade.
Note
The act of raising
the forest or domain functional levels is irreversible. Be sure that any
Windows 2000/2003 domain controllers do not need to be added anywhere
in the forest before performing this procedure.
After all domain
controllers are upgraded or replaced with Windows 2008 domain
controllers, you can raise the domain level by following these steps:
1. | Ensure that all domain controllers in the forest are upgraded to Windows 2008.
|
2. | Launch Server Manager on a domain controller.
|
3. | Expand the Roles node and then expand the Active Directory Domain Services node.
|
4. | Select the Active Directory Users and Computers snap-in.
|
5. | Right-click on the domain name, and select Raise Domain Functional Level.
|
6. | In
the Select an Available Domain Functional Level drop-down menu, select
Windows Server 2008, and then select Raise, as shown in Figure 4.
|
7. | Click OK at the warning and then click OK again to complete the task.
|
Repeat steps 1 through
7 for each domain in the forest. Now the forest functional level can be
raised. Although this does not add any new features, it does prevent
non-Windows Server 2008 domain controllers from being added in the
future. To raise the forest functional level, execute the following
steps:
1. | Launch Server Manager.
|
2. | Expand the Roles node and select the Active Directory Domain Services node.
|
3. | Scroll down to the Advanced Tools section of the page, and click on the AD Domains and Trusts link.
|
4. | With the topmost Active Directory Domains and Trusts node selected, select Action, Raise Forest Functional Level.
|
5. | In the Select an Available Forest Functional Level drop-down menu, select Windows Server 2008, and then select Raise.
|
6. | Click OK at the warning and then click OK again to complete the task.
|
After each domain
functional level is raised, as well as the forest functional level, the
Active Directory environment is completely upgraded and fully compliant
with all the AD DS improvements made in Windows 2008.
Moving AD-Integrated DNS Zones to Application Partitions
The
final step in a Windows 2008 Active Directory upgrade is to move any
AD-integrated DNS zones into the newly created application partitions
that Windows 2008 uses to store DNS information. To accomplish this,
follow these steps:
1. | Launch Server Manager on a domain controller.
|
2. | Expand the Roles node and then expand the DNS Server node.
|
3. | Select the DNS snap-in.
|
4. | Navigate to DNS\<Servername>\Forward Lookup Zones and select the zone to be moved.
|
5. | Right-click the zone to be moved, and click Properties.
|
6. | Click the Change button to the right of the Replication description.
|
7. | Select
either To All DNS Servers in This Forest or To All DNS Servers in This
Domain, depending on the level of replication you want, as shown in Figure 5. Click OK when you are finished and click OK again to save the changes.
|
Repeat the process for any other AD-integrated zones.
