Active Directory: Upgrade to Win2k8 R2

UNDERSTANDING THE AD UPGRADE PROCESS FROM WIN2K3 TO WIN2K8 R2

Upgrade tasks – checklist
– Prepare the AD infrastructure for the upgrade
o Run “adprep /x” (each required adprep switch in turn)
– Install AD DS on a member server that runs Win2k8 (R2) in the forest root domain
o Using “dcpromo”
– Upgrade the existing domain controllers
o As appropriate (an in-place upgrade can’t go from an x86 to an x64 OS)
– Modify the default security policies
o SMB packet signing
– Update Group Policy permissions
o Not needed (required only when going from Win2k to Win2k8 AD)
– Perform clean-up tasks
o Off-line defragmentation of the database on each upgraded DC
o Create a system state backup on 2 DCs

Background info for upgrading AD domains
– ADPrep
o Extends the schema and resets permissions
– DNS: application directory partitions
o For ForestDNSZones & DomainDNSZones
o Benefits of moving AD-integrated DNS zones into the domain-wide/forest-wide application directory partitions:
▪ Don’t have to do DNS zone transfers to DNS servers outside the domain
▪ Can target which DCs receive the DNS zone data
▪ Can target forest-wide replication, as the DNS data is no longer part of the GC
– Service (SRV) resource records
o Registered by dynamic update through the Netlogon service
▪ _service._protocol.domain_name
▪ _msdcs.domain_name subdomain
• Location of DCs, and of DCs that hold specific roles
▪ _service._protocol.DcType._msdcs.domain_name
▪ _msdcs.forest_root_domain subdomain
• Forest-wide resource records for all computers & DCs
• Recommended to replicate to all DNS servers in the forest
– Intra-site replication frequency
o Win2k intra-site default is 300/30 (a change is replicated to the other DCs in the site after 300 seconds, with a 30-second offset before the next DC is notified)
o Win2k3 is 15/3 (at Win2k3 forest functional level)
– New groups when upgrading/migrating the PDC to Win2k8
o Note that some groups/users are added to these groups automatically
o Builtin\IIS_IUSRS, Cryptographic Operators, Event Log Readers, Certificate Service DCOM Access
o Allowed RODC Password Replication Group, Denied RODC Password Replication Group
o Read-only Domain Controllers
o Enterprise Read-only Domain Controllers (when the root PDC is upgraded/migrated)
– Security policy considerations when upgrading from Win2k to Win2k3
o SMB packet signing & secure channel signing are enabled by default on Win2k8
▪ SMB packet signing
• Server-side signing is required by default
▪ Secure channel signing & encryption
• Required by default for connections to Win2k8 DCs
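As an added check that is not part of the original post: this PowerShell reports whether a DC enforces the SMB and secure channel signing settings listed above, and whether the _msdcs SRV records that Netlogon registers actually resolve. It assumes an elevated PowerShell session on the DC, that the domain name comes from $env:USERDNSDOMAIN unless passed in, and that the registry values named are the ones backing those policies.

```powershell
# Added example, not from the original post: verify the Win2k8 signing defaults
# and the _msdcs SRV records on a DC. Assumes an elevated PowerShell on the DC.

function Get-SigningPolicyReport {
    # Registry values behind the policies; Expected is the Win2k8 (R2) DC default.
    $nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
           Name = 'RequireSecuritySignature'; Expected = 1; What = 'SMB server: signing required' },
        @{ Path = $nl; Name = 'RequireSignOrSeal'; Expected = 1; What = 'Secure channel: sign or seal (always)' },
        @{ Path = $nl; Name = 'SealSecureChannel'; Expected = 1; What = 'Secure channel: encrypt when possible' },
        @{ Path = $nl; Name = 'SignSecureChannel'; Expected = 1; What = 'Secure channel: sign when possible' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        # An absent value means no policy is applied, so the OS default governs; flag it for review
        if ($actual -eq $c.Expected) { $status = 'OK' }
        elseif ($actual -eq $null)   { $status = 'NOT SET (OS default applies)' }
        else                         { $status = 'MISMATCH' }
        New-Object PSObject -Property @{ Setting = $c.What; Value = $c.Name; Actual = $actual; Expected = $c.Expected; Status = $status }
    }
}

function Test-DcLocatorRecords {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # Records Netlogon registers under _msdcs: dc = every DC, pdc = the PDC emulator
    $records = "_ldap._tcp.dc._msdcs.$Domain", "_ldap._tcp.pdc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain"
    foreach ($rr in $records) {
        $out = & nslookup -type=SRV $rr 2>&1 | Out-String
        # nslookup prints one "svr hostname = <dc fqdn>" line per SRV answer
        $hosts = @([regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') | ForEach-Object { $_.Groups[1].Value })
        New-Object PSObject -Property @{ Record = $rr; Found = ($hosts.Count -gt 0); Answers = ($hosts -join ', ') }
    }
}

Get-SigningPolicyReport | Format-Table Setting, Value, Actual, Expected, Status -AutoSize
Test-DcLocatorRecords | Format-Table Record, Found, Answers -AutoSize
```

A MISMATCH usually means a Group Policy has relaxed the setting for legacy clients that cannot sign; running the same report on the Win2k3 DCs before the upgrade shows which settings the new defaults will change.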

References:
– Performing the upgrade of AD domains
o http://technet.microsoft.com/en-us/library/cc725611(v=ws.10).aspx
– Transferring FSMO roles
o http://support.microsoft.com/kb/324801
– Background info for upgrading AD domains
o http://technet.microsoft.com/en-us/library/cc732838(v=ws.10).aspx
– Modify security policies in Default Domain Controllers Policy
o http://technet.microsoft.com/en-us/library/cc731654(v=ws.10).aspx

Various links
– Compact the directory database file (offline defragmentation)
o http://technet.microsoft.com/en-us/library/cc772931(v=WS.10).aspx
– Modify Security Policies in Default Domain Controllers Policy
o http://technet.microsoft.com/en-us/library/cc731654(v=ws.10).aspx
– Appendix A: Background Information for Upgrading Active Directory Domains
o http://technet.microsoft.com/en-us/library/cc732838(v=ws.10).aspx
– Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains
o http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(v=ws.10).aspx#BKMK_SystemReq
– Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
o http://technet.microsoft.com/en-us/library/cc755103(v=ws.10).aspx
– Virtualizing a Windows Active Directory Domain Infrastructure
o http://www.vmware.com/files/pdf/Virtualizing_Windows_Active_Directory.pdf
– Things to consider when you host Active Directory domain controllers in virtual hosting environments
o http://support.microsoft.com/kb/888794
– Running Domain Controllers in Hyper-V
o http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx

Posted March 1, 2013 by terop