Most of the time, whenever you are trying to upgrade a
server farm from one version of Windows to another, you're trying to
upgrade within the same forest and more than likely within the same
domain. Accordingly, you first have to remember the basic and essential
commands to upgrade a domain controller, prep a domain, prep a forest,
and prep an environment for a Windows Server 2008 read-only domain
controller (RODC). In the following sections, you will examine these
processes one at a time, beginning with the forest-level and
domain-level prep commands.
1. Forest and Domain Preparation
NOTE
Both adprep /forestprep and adprep /domainprep require you to be logged in as an enterprise administrator.
adprep /forestprep
This command is used when
first setting up an Active Directory forest for Windows Server 2008.
This command prepares Active Directory to receive Windows Server 2008
from any version of Windows Server that supports Active Directory
(Windows 2000 Server and newer). This command needs to be given only
once for the entire forest. Afterward, you can go to the individual
domains of your enterprise.
adprep /domainprep
By invoking this
command, you are telling a domain within Active Directory that it needs
to prepare itself for Windows Server 2008. According to Microsoft, this
"prepares the domain for upgrade and adds inheritable access control
entries (ACEs) to the Group Policy objects (GPOs) in the SYSVOL shared
folder, which causes domainwide replication to occur." In other words,
the individual domain is prepared for the impact and changes within
Active Directory and Group Policy so that it isn't surprised by anything
Windows Server 2008 may request.
In addition to the standard adprep /domainprep
command, you may encounter an environment that is still running Windows
2000 Server. If that is the case, you will need to prepare the Windows
2000 Server environment for the accompanying Group Policy changes that
occurred in Windows Server 2003. You do this by
appending the gpprep switch to the standard adprep /domainprep command, like this: adprep /domainprep /gpprep.
2. Preparing for a Read-Only Domain Controller
As we referenced earlier in
this book, the first step in preparing for a read-only domain controller
is to make certain that your domain and forest functional levels are
operating at Windows Server 2003 or later. If this is not the case, the
environment will not be prepared to receive a read-only domain
controller, and it will be unrecognized upon connection. Furthermore, to
use a Windows Server 2008 RODC, you must already have a writable domain
controller running Windows Server 2008 within the environment that is,
at the very least, connected by a site link. This
is because in order to replicate information, the RODC will need to be
fed from a preexistent domain controller with its native version of
Windows.
NOTE
If your domain and forest don't match the appropriate level, you will need to run adprep /forestprep and adprep /domainprep before you install an RODC.
Once these prerequisites have
been met, your environment will be prepared to accept a Windows Server
2008 RODC. However, to make any environment completely ready to take an
RODC, you will need to execute the following command on the schema
master: adprep /rodcprep. This will tell
the schema master to look for an RODC and to expect that domain
controller to not be writable. Afterward, on the installation level, you
can install either an RODC as a normal RODC or an RODC running Windows
Server Core. In Exercise 1,
we show you the process of installing an RODC on a full installation of
Microsoft Windows. The advantage of using Server Core is that the
installation is light, efficient, and very stable. Administrators may
choose to use a Server Core installation of an RODC if they're running
in an insecure location that will not be accessed very often. That way,
the server has an extremely light load and is running the bare
essentials necessary to accomplish the task at hand.
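A read-only pre-flight check for the prerequisites described above, added here as an example and not taken from the book: it reads the schema version and the functional levels with dsquery before adprep /rodcprep is run. The forest root DN argument and the DC=example,DC=com value are assumptions; schema objectVersion 44 corresponds to Windows Server 2008 and msDS-Behavior-Version 2 to the Windows Server 2003 functional level. Only the forest root domain is checked, so repeat the domain query for the domain that will host the RODC.

```bat
@echo off
rem Added example: read-only checks before running adprep /rodcprep.
rem Usage: rodc-preflight.cmd "DC=example,DC=com"   (forest root DN; constructed value)
setlocal
set "ROOT=%~1"
if not defined ROOT (
    echo Usage: %~nx0 "DC=example,DC=com"
    exit /b 2
)

rem An unset msDS-Behavior-Version means the Windows 2000 level, so default to 0.
set "SCHEMA=0"
set "FOREST=0"
set "DOMAIN=0"

rem dsquery prints a header line followed by the value; skip=1 drops the header.
for /f "skip=1" %%v in ('dsquery * "CN=Schema,CN=Configuration,%ROOT%" -scope base -attr objectVersion') do set "SCHEMA=%%v"
for /f "skip=1" %%v in ('dsquery * "CN=Partitions,CN=Configuration,%ROOT%" -scope base -attr msDS-Behavior-Version') do set "FOREST=%%v"
for /f "skip=1" %%v in ('dsquery * "%ROOT%" -scope base -attr msDS-Behavior-Version') do set "DOMAIN=%%v"

echo Schema objectVersion    : %SCHEMA%
echo Forest functional level : %FOREST%
echo Domain functional level : %DOMAIN%
echo Schema master           :
dsquery server -forest -hasfsmo schema

set "FAIL=0"
if %SCHEMA% LSS 44 (
    echo [FAIL] Schema is older than Windows Server 2008: run adprep /forestprep, then adprep /domainprep.
    set "FAIL=1"
)
if %FOREST% LSS 2 (
    echo [FAIL] Forest functional level is below Windows Server 2003.
    set "FAIL=1"
)
if %DOMAIN% LSS 2 (
    echo [FAIL] Domain functional level is below Windows Server 2003.
    set "FAIL=1"
)
if %FAIL%==1 exit /b 1
echo [OK] Prerequisites met: run adprep /rodcprep with enterprise administrator credentials.
exit /b 0
```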
Prerequisites: To perform this
exercise, you must have at least one Windows Server 2008 machine
operating at the Windows Server 2003 domain and forest functional level.
Additionally, you must have at least one writable domain controller
operating Windows Server 2008 in your environment.
Make sure you are logged in as either a domain or enterprise administrator.
Open the command-line console on the Windows Server 2008 domain controller, and initiate the adprep /rodcprep command. (You must run this with enterprise administrator credentials.) Alternatively, you may log on to any given domain controller in the environment as long as you initiate the command from the source files on the Windows Server 2008 DVD.
Click Start, type dcpromo into the Search box, and then press Enter. This will begin the Active Directory Domain Services Installation Wizard.
Select Existing Forest and then Add A Domain Controller To An Existing Domain. Then click Next.
On the Network Credentials page, type the name of your domain and any usernames or passwords that are required for the Domain Admins group. Click Next.
Select the domain for the RODC, and then click Next.
Select the Active Directory site where you want to install your read-only domain controller, and then click Next.
On the next page, make sure you select the DNS Server checkbox as well as the Read-Only Domain Controller checkbox. Although it is not required, you should probably also make this machine a global catalog server. Click Next.
Reboot your new read-only domain controller.
3. Preparing for a Server Core Installation
If you are
considering upgrading from an older version of Windows Server to Windows
Server 2008 in any environment, you should consider whether it makes
sense to implement a Server Core installation. Windows Server Core is a
lightweight, minimalist installation of Windows Server 2008 that doesn't
carry as many features and capabilities as a very robust, powerful
generalized installation of Windows Server 2008. Basically, the idea
behind the Windows Server Core installation is to create a server that
is stable and lightweight and that serves a few dedicated purposes that
don't tend to change very often.
Windows Server 2008 Server
Core doesn't even have a graphical user interface. All the Server Core
installations come by default with as few options enabled as possible.
To use more features, you have to externally reference remotable MMCs,
either through another Windows Server machine or through Microsoft
Windows Vista. At the enterprise level, you can take great advantage of
this installation capability. In earlier exams, such as the MCTS level,
you may have learned about Server Core briefly. You may have installed
it once, and you may be familiar with some of its most basic features.
However, you most likely haven't considered the drastically impressive
advantages that this server can provide. Consider a scenario in which
you have a complex environment that has seven sites, six of which are
branch offices that have employees who need to use Windows Server to log
on to the network in order to access the Internet.
Without Windows Server
Core, in this enterprise environment you as an administrator would need,
at the very minimum, to be operating seven full-blown installations of
Windows Server—one in each of these locations. If you think of it like a
computer scientist, that's a lot of unnecessary extra data floating
around. And remember, although some new features may become available
and some new technologies may slowly begin to be adopted by the rest of
the world, the number-one rule of the enterprise is to make it work and
keep it simple. Windows Server Core installations do exactly that.
In this example, you could
easily reduce the overall server load, hardware requirements, and
complexity of your network by maintaining a full installation of Windows
Server 2008 at the main office and then installing a Server Core
installation in each one of the branch offices. It would keep the brass
happy because the servers will still work and work well. And it keeps
the administrators happy because there is less of a chance that
something can go wrong.
In both my opinion and Microsoft's, Windows Server Core installation was born
to be used in branch offices. It just fits! When you're considering an
installation in the real world (or that you may see on an exam),
remember that.
Windows Server Core does
not support managed code, and the .NET Framework is not present. Even
more important, PowerShell is not available in Windows Server Core. But
in truth, although it may not be a "hot item" on the MCITP level exam,
you should really know how to install a Windows Server 2008 Server Core
installation and incorporate Active Directory domain services while
joining a domain.
Prerequisites:
Installing Server Core starts off as simply as an installation of any
other version of Windows Server 2008. You can begin the process either
by placing the Windows Server 2008 DVD into the drive and booting from
the disk or by placing the disk into a machine with a previously running
version of Windows and beginning the installation from that point. For
the purposes of this exercise, it is assumed you have gone through the
install GUI and are now staring at the default Server Core installation,
which appears similar to the image here.
At the command prompt, type Netsh interface ipv4 show interfaces. This opens a listing of network adapters, each of which will have an identification number labeled in a column called Idx.
Since our goal here is to assign an IPv4 address, you can ignore the default pseudo-IPv6 address and get the ID from the local interface, which is usually 2. Next, type Netsh interface ipv4 set address name=<idx number> source=static address=<A static IP address you would like to assign> mask=<Subnet Mask> gateway=<Default Gateway IP Address>. This assigns an IP address so that this server has a static address that can be used for the purposes of Active Directory or domain services.
Once you've assigned an IP address to your Server Core server, you need to give it the DNS address of your main domain server. You can do this by again issuing the netsh interface command and appending the dnsserver field by typing Netsh interface ipv4 add dnsserver name=<idx number> address=<dns server address> index=1. This will add a DNS server to the Server Core installation.
And now, assuming that everything proceeded correctly and your computer is connected to the Internet, you should be able to ping an address such as Sybex.com from the command prompt using the ping command. Note that, should you want, you can add DNS servers by increasing the index number incrementally for each additional address. For example, you could enter the command again with another IP address and increase the index value by 1 to 2.
To join the domain, type netdom join <Name of computer you wish to join> /domain:<The Name of your Domain> /userd:<A Domain User that can add servers to the domain> /passwordd:*. (Note: The second d in password is required.)
Restart the computer by executing the shutdown /r /t 0 command.
Once this command is executed and the machine reboots, you can install various other roles and features to your specific needs.
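The Server Core steps above collected into one script, added here as an example and not taken from the book: it stops at the first failed step and checks that the configured DNS server can locate a domain controller before attempting the join. The interface index, the addresses (from the 192.0.2.0/24 documentation range), the domain name, and the account name are constructed placeholders.

```bat
@echo off
rem Added example: the Server Core steps above as one script with checks.
rem All values below are constructed placeholders; replace them before use.
setlocal
set "IDX=2"
set "IP=192.0.2.10"
set "MASK=255.255.255.0"
set "GW=192.0.2.1"
set "DNS=192.0.2.5"
set "DOMAIN=corp.example.com"
set "JOINUSER=CORP\joinadmin"

netsh interface ipv4 set address name=%IDX% source=static address=%IP% mask=%MASK% gateway=%GW%
if errorlevel 1 (
    echo [FAIL] Could not set the static address on interface %IDX%.
    exit /b 1
)
netsh interface ipv4 add dnsserver name=%IDX% address=%DNS% index=1
if errorlevel 1 (
    echo [FAIL] Could not add DNS server %DNS%.
    exit /b 1
)

rem The join locates a domain controller through DNS SRV records, so confirm
rem that the DNS server returns them before attempting the join.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DNS% 2>nul | find /i "svr hostname" >nul
if errorlevel 1 (
    echo [FAIL] %DNS% returned no domain controller SRV records for %DOMAIN%.
    exit /b 1
)

rem /passwordd:* prompts for the password, so it is never stored in this file.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:%JOINUSER% /passwordd:*
if errorlevel 1 (
    echo [FAIL] Domain join failed; not rebooting.
    exit /b 1
)
shutdown /r /t 0
```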
4. Planning for Reduction
Surprisingly, and more
often than not, one of the biggest processes in "upgrading" an
enterprise to Windows Server 2008 is actually downgrading—well, at least
downgrading the sheer number of servers. The reason behind this is that
the overarching trend in the IT industry is consolidation—consolidation
in terms of number of servers, consolidation in terms of roles of
servers, and even consolidation in the virtualization of servers. Most
of the time, this is because businesses just want their infrastructure
to work and to work simply.
Consider that in the era of
Windows 2000 Server, the average amount of available RAM was somewhere
around 256MB. In Windows Server 2008, it's rare to find a server that
doesn't have at least 2GB of RAM. And that's on the small side! We
frequently see servers with 4GB, 8GB, and even 16GB of RAM just hungry
and ready for multitasking. That means somewhere from 20 to 60 times as
much memory is now available per server.
Accordingly, when you're
reviewing a campus for upgrades, keep in mind that it may very well suit
the enterprise to not do any upgrading at all. Instead, it may make
sense to downgrade to something more manageable.
4.1. Maintaining Connectivity
Whenever you think about the word reduction,
the instant next thought in your mind should be this: "Will my
reduction compromise my connectivity?" At the professional level,
it's pretty rare that you will find a single-domain or even
single-forest architecture. Most companies have various branches, sister
businesses, or completely separate aspects of their company that are
divided across a purposefully created line.
Thus, whenever you encounter a
fairly complex infrastructure, you need to look to see whether there
are forests that are maintained by WAN links, or domains connected
through sites by WAN links, and see whether your reduction or
consolidation will interrupt or possibly compromise their
connectivity. Consider Figure 1,
where there are three forests that contain three child domains each. If
you were to, say, decide to consolidate these into a single forest with
a single domain, you would have a problem in that there are several
servers still connected by WAN links. And, should a WAN link go down,
it's possible that one of the servers may not communicate with another.
Just imagine Joe or Jane User, on their first day at the job in the
remote office, not being able to get any work done because the server in
the branch office doesn't have connectivity to the root domain to
receive new account updates from the global catalog.
In the case of Figure 1,
a much more elegant solution if you wanted to reduce the number of
domains would be to reduce the number of child domains in each forest
and instead maintain the three individual forests and allow each to keep
its own Active Directory infrastructure. That way, if one of the WAN
links fails, users can still log on to their computers and continue
their work.
5. Adding Windows Server 2008 into a Live Environment
When you decide to place
Windows Server 2008 into your existing environment, you're making one of
two decisions concerning the overall infrastructure. You are deciding
whether you want to directly upgrade a server to Windows Server 2008,
and you are deciding whether you want to add a server in a pre–Windows
2008 environment; and, in some cases, you are deciding both.
In the first case—placing
Windows Server 2008 within a preexisting Windows infrastructure—you
really have only one option. You can directly upgrade to Windows Server
2008 only if the servers that you are upgrading are currently running
Windows Server 2003. Windows 2000 Server does not support a direct
upgrade path.
You can, of course, add a
Windows Server 2008 to any Windows 2000 Server or Windows Server 2003
environment and use it as an additional domain controller. However, you
will need to use the previously referenced adprep
command to prepare the forest. To do so properly, you'd need to take
the proper files from your Windows Server 2008 DVD and place them onto
the Windows 2000 Server domain controller or the Windows Server 2003
domain controller so that it understands the most recent version of the
command. Then, after you have run this command, you can easily place the
new server into your environment.
But in some situations,
neither of these solutions will suffice. Say, for instance, you are
operating a Windows 2000 domain controller in a Windows 2000 native
domain and forest mode. If you want to upgrade this forest to Windows
Server 2008 with a Windows Server 2008 domain controller, the process is
slightly more complicated. Because there is no direct upgrade path, you
must instead do the following:
Run the adprep command from your domain controller armed with the latest Windows Server 2008 files to prepare the environment.
Install a new domain controller into the infrastructure.
Create a new DNS Active Directory–integrated server on the Windows Server 2008 machine.
Transfer the DNS from Windows 2000 Server to Windows Server 2008.
Transfer the appropriate masters from the Windows 2000 domain controller to the Windows Server 2008 domain controller.
Add the global catalog option to the Windows Server 2008 machine.
Demote the Windows 2000 Server, and then remove it completely.
Change the appropriate address and name of the Windows Server 2008 machine, and then reboot the domain controller.
Upgrade the functional level of the domain or forest if desired.