Active Directory: Upgrade to Win2k8 R2


Upgrade Tasks – checklist
– Prepare AD infrastructure for upgrade
o Run “adprep /x”
– Install AD DS on a member server that runs Win2k8 (R2) in forest root domain
o Using “dcpromo”
– Upgrade existing controllers
o As appropriate (can’t go from x86 to x64 OS)
– Modify default security policies
o SMB packet signing
– Update Group Policy permissions
o Not needed (required if going from Win2k to Win2k8 AD)
– Perform clean-up tasks
o Off-line defragmentation of the database on each upgraded DC
o Create system state backup on 2 DC’s

Background info for upgrading AD domains
– ADPrep
o Extends the schema, resets permissions
– DNS: Application directory partitions
o For ForestDNSZones & DomainDNSZones
o Moving AD integrated DNS zones into domain/forest-wide application directory partitions benefits:
 Don’t have to do DNS zone transfers to DNS servers outside the domain
 Can target DC’s to receive DNS zone data
 Can target forest-wide replication as DNS data no longer part of GC
– Service (SRV) resource records
o Dynamic updates through Netlogon service
 _._.
 _msdcs.domain_name subdomain
• Location of DC’s and DC’s that have specific roles
 _service._protocol.DcType._msdcs.
 _msdcs.forest_root_domain subdomain
• Forest-wide resource records for all computers & DC’s
• Recommended to replicate to all DNS servers in forest
– Intra-site replication frequency
o Win2k intrasite default is 300/30 (replication to other DC’s within 300 seconds with 30 second offset before notifying next DC)
o Win2k3 is 15/3 (Win2k3 Forest Functional Level)
– New groups when upgrading/migrating PDC to Win2k8
o Note that some groups/users are added to these groups
o Builtin\IIS_IUSRS, Cryptographic Operators, Event Log Readers, Certificate Service DCOM Access
o Allowed RODC Password Replication Group, Denied RODC Password Replication Group
o Read-only Domain Controllers
o Enterprise Read-only Domain Controllers (when root PDC upgraded/migrated)
– Security policy considerations when upgrading from Win2k to Win2k3
o SMB packet signing & secure channel signing are enabled by default on Win2k8
 SMB packet signing
• Server-side signing is required by default
 Secure channel signing & encryption
• Required by default to Win2k8 DC’s
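Added example (mine, not from the post or from Microsoft’s documentation): a read-only PowerShell check to run on an upgraded DC to confirm the server-side SMB signing and secure channel signing/encryption requirements described above (the settings behind the “Modify default security policies” step in the checklist) and to confirm that the _msdcs SRV records from the dcpromo step have registered. It assumes an elevated prompt on a domain-joined machine; Resolve-DnsName needs the DnsClient module (Server 2012 or later), so on a 2008 R2 box replace that part with nslookup -type=SRV.

```powershell
# Added example, not from the original post. Read-only audit of the SMB signing and
# secure channel settings on a DC, plus the _msdcs DC locator SRV records.
# Assumes an elevated prompt on a domain-joined machine; domain taken from environment.

$checks = @(
    # "Microsoft network server: Digitally sign communications (always)"
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1 },
    # "Domain member: Digitally encrypt or sign secure channel data (always)"
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireSignOrSeal'; Expected = 1 },
    # "Domain member: Digitally encrypt secure channel data (when possible)"
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'SealSecureChannel'; Expected = 1 },
    # "Domain member: Digitally sign secure channel data (when possible)"
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'SignSecureChannel'; Expected = 1 }
)

foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    # A missing value means the OS default applies; report it so it can be set explicitly.
    $state = if ($actual -eq $c.Expected) { 'OK ' } else { 'FIX' }
    '{0} {1}\{2} = {3} (expected {4})' -f $state, $c.Path, $c.Name, $actual, $c.Expected
}

# SRV records that every DC registers via Netlogon: DC locator (dc), global catalog (gc),
# Kerberos KDC. Missing records mean clients cannot find the new/upgraded DC.
$domain = $env:USERDNSDOMAIN
$srvNames = "_ldap._tcp.dc._msdcs.$domain",
            "_ldap._tcp.gc._msdcs.$domain",
            "_kerberos._tcp.dc._msdcs.$domain"

foreach ($rec in $srvNames) {
    $answers = Resolve-DnsName -Name $rec -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    if ($answers) { "OK  $rec -> " + ($answers.NameTarget -join ', ') }
    else          { "FIX $rec has no SRV records" }
}
```

Any line marked FIX points at a Default Domain Controllers Policy setting to enable, or a DC whose Netlogon service has not registered its records yet (restart Netlogon or wait for the next registration cycle, then re-run).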

o References:
– Performing the Upgrade of AD Domains
– Transferring FSMO roles
– Background info for upgrading AD domains
– Modify security policies in Default Domain Controllers Policy

Various links
– Compact the directory database file (offline defragmentation)
– Modify Security Policies in Default Domain Controllers Policy
– Appendix A: Background Information for Upgrading Active Directory Domains
– Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains
– Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
– Virtualizing a Windows Active Directory Domain Infrastructure
– Things to consider when you host Active Directory domain controllers in virtual hosting environments
– Running Domain Controllers in Hyper-V

Posted March 1, 2013 by terop
