Haven't posted in a while, and I recently transitioned our 2003 forest/domain to 2008.
So I would like to share my experience.
We have a network of 10 servers, 3 of which are Domain Controllers, 1 of which is located over a VPN. We use AD sites rather than sub-domains, and we also run Exchange 2003.
AD roles: for those who do not know or are unclear, there are 5 main roles referred to as "FSMO" (Flexible Single Master Operation). These roles are the backbone of Active Directory operation and replication, and even Exchange.
An easy way to remember the FSMO roles is like this: "DRIPS"
D = Domain Naming Master
R = Relative ID Master
I = Infrastructure Master
P = PDC Emulator
S = Schema Master
These roles by default are assigned to the first DC in a forest; the first DC will contain your first domain.
When creating further domains, the first DC in that new domain will be assigned "RIP"; these roles are domain roles and will be present in each domain.
I won't go into too much detail about the roles, as I already have a post here regarding this.
You can, if you feel confident and have the resources available, set up a brand new Windows Server 2008 server and join it to the domain as a member server.
Your first task "SHOULD" be to check you have healthy replication between your DCs. As I have a second site across a VPN link, replication works differently over costed links (cross-site boundaries). The first thing to check (and I can't stress this enough) is the Event Log for replication errors or warnings; secondly, use "replmon", located in the Windows 2003 Support Tools, and "repadmin".
These tools are very important for troubleshooting AD replication.
If you are happy with replication then you can move on to my next step.
Now take the Windows Server 2008 DVD and insert it into your DC, locate the ADPREP folder and find the tool "adprep.exe".
From the command prompt, specify the path to the tool and run:
"adprep.exe /forestprep" then
"adprep.exe /domainprep" then
"adprep.exe /domainprep /gpprep" then
"adprep.exe /rodcprep" (optional, if you later want to add a Read-Only DC)
Once these tools have successfully completed, again you must check event logs and log files; after running these tools, a log file called adprep.log is created in the Windows directory.
At this point, depending on whether you are transitioning or upgrading, you can choose what to do.
A transition is to move the FSMO roles from 2003 to 2008 after a 2008 DC is added.
An upgrade is an upgrade from Server 2003 to 2008 (not always wise).
I however did both.
I transitioned my main DCs in the main office, as we had new servers.
I installed my Server 2008 and added it to the domain as a member server. Remember, at this point we still have 2003 DCs and have just upgraded our AD schema and domain to support 2008.
We can now DCPROMO our 2008 server to be a member of an existing domain; 2008 has a new, improved DCPROMO, nothing too different. Important: during the wizard, please select the server to be a Global Catalogue.
Now our 2008 server is a DC. After a reboot, we need to wait for replication to finish. Unfortunately "replmon" is not available for 2008 Server as of yet, but you can still use "repadmin"; one trick is to use "replmon" on one of the 2003 DCs that are still running.
There is also no need to install the Support Tools; the new Server Manager is really, really improved for newbies. It now lists, under Roles, the tools available for each role.
Again, after the transfer, we need to wait for replication to occur, using the same tools to troubleshoot.
You can use this command on all DCs: "netdom query fsmo". This will list the current role holders; run it on all DCs and make sure they all agree who holds the roles.
We can now plan to remove the 2003 servers from the domain and reinstall them as 2008 servers, if you so wish.
IMPORTANT: if you run Exchange, make sure your new Server 2008 is a "Global Catalogue server". The Global Catalogue is heavily required by Exchange. You can check this by using AD Sites and Services: browse to the server and right-click Properties on NTDS Settings.
I advise you to reboot Exchange while all DCs are available. In the Exchange System Manager, after a reboot, you can look at the "Directory Access" tab in the properties of the server.
If and when the Directory Access tab shows the 2008 server listed, it is safe to shut down your 2003 DCs and test AD access and Exchange. Reboot Exchange again and make sure it comes up in a normal amount of time.
After you are happy with the Server 2008 providing domain services, then you can start to dcpromo /remove your 2003 DCs.
Remember DNS: DNS is the root cause of most problems. Make sure all servers and desktops (DHCP server) have the new 2008 DNS server as their primary DNS.
Also, DNS and Active Directory can take a little while to fully replicate. Make sure you don't decommission any old server until you have checked DNS IP settings and the DNS server itself; you can check in DNS that SRV records have been created for the new server.
After decommissioning my 2003 server, I then drove to our remote site and did a direct upgrade from 2003 to 2008; a pretty simple process if you have ever upgraded an OS before.
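The three checks the post keeps coming back to (replication health, every DC agreeing on the FSMO holders, and the new DC actually advertising as a Global Catalogue) can be scripted rather than clicked through. The PowerShell below is an added example, not code from the original post. It assumes it is run as a domain user from a machine that can reach each DC over LDAP, with PowerShell 2.0 or later and no AD module; the DC names and domain DN are constructed placeholders, and it assumes a single-domain forest so the schema and configuration containers sit under the same DN. It reads fSMORoleOwner from each DC's own copy of the directory (so a DC that has not replicated the transfer shows up as a mismatch, the same thing running "netdom query fsmo" on every box would reveal) and the options bit on each NTDS Settings object that AD Sites and Services shows as the Global Catalog checkbox; repadmin output is printed as-is.

```powershell
# Added example (not from the original post). Assumptions: domain user, LDAP reachable to each DC,
# PowerShell 2.0 or later (no AD module needed), single-domain forest. Names are constructed placeholders.
param(
    [string[]]$DomainControllers = @('dc1.example.local', 'dc2.example.local', 'dc3.example.local'),
    [string]$DomainDN = 'DC=example,DC=local'   # forest root domain, so Schema/Configuration live under it
)

# 1. Replication health summary from the support tool the post recommends (output printed as-is).
if (Get-Command repadmin.exe -ErrorAction SilentlyContinue) {
    & repadmin.exe /replsummary
} else {
    Write-Warning 'repadmin.exe not found; install the AD DS tools or run this from a DC.'
}

# 2. Where each FSMO role is recorded. fSMORoleOwner holds the NTDS Settings DN of the holder.
$roleLocations = @{
    'Domain Naming Master'  = "CN=Partitions,CN=Configuration,$DomainDN"
    'RID Master'            = "CN=RID Manager`$,CN=System,$DomainDN"
    'Infrastructure Master' = "CN=Infrastructure,$DomainDN"
    'PDC Emulator'          = $DomainDN
    'Schema Master'         = "CN=Schema,CN=Configuration,$DomainDN"
}

function Get-RoleHolderName([string]$NtdsSettingsDn) {
    # "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site,..." -> "DC1"
    if ($NtdsSettingsDn -match '^CN=NTDS Settings,CN=([^,]+),') { return $Matches[1] }
    return $NtdsSettingsDn
}

# Ask every DC for its own view of each role; a DC that has not replicated the transfer yet disagrees.
$views = @()
foreach ($dc in $DomainControllers) {
    foreach ($role in $roleLocations.Keys) {
        try {
            $entry  = [ADSI]"LDAP://$dc/$($roleLocations[$role])"
            $holder = Get-RoleHolderName ([string]$entry.fSMORoleOwner)
        } catch {
            $holder = "ERROR: $($_.Exception.Message)"
        }
        $views += New-Object PSObject -Property @{ QueriedDC = $dc; Role = $role; Holder = $holder }
    }
}

"`nFSMO role holders as seen by each DC:"
foreach ($group in ($views | Group-Object Role)) {
    $holders = @($group.Group | ForEach-Object { $_.Holder } | Sort-Object -Unique)
    $status  = if ($holders.Count -eq 1) { 'consistent' } else { 'MISMATCH' }
    '{0,-22} {1,-11} {2}' -f $group.Name, $status, ($holders -join ' | ')
}

# 3. Which DCs advertise as Global Catalogues: bit 0x1 (NTDSDSA_OPT_IS_GC) of the options attribute
#    on each NTDS Settings object, the value behind the GC checkbox in AD Sites and Services.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,CN=Configuration,$DomainDN"
$searcher.Filter = '(objectClass=nTDSDSA)'
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'options'))

"`nGlobal Catalogue flag per DC:"
foreach ($result in $searcher.FindAll()) {
    $dn      = [string]$result.Properties['distinguishedname'][0]
    $options = if ($result.Properties['options'].Count -gt 0) { [int]$result.Properties['options'][0] } else { 0 }
    $isGc    = (($options -band 1) -eq 1)
    '{0,-15} GC={1}' -f (Get-RoleHolderName $dn), $isGc
}
```

Run it before the transfer to record the baseline, then again after the transfer and after replication has had time to cross the costed site link; a role should only ever show one holder across all DCs, and the new 2008 server should show GC=True before Exchange is expected to find it.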
That was an AMAZING post!!! Thanks! Replication... transferring of FSMO roles... I know those are critical... what was your recovery plan if something went wrong? How many days/weeks of planning did you put into it? How large was your team?
Hope you don't mind all these questions, I'm just fascinated about the details of this.
Believe it or not, I solo'd it; I am the only IT guy here apart from our web developer.
We only had 3 DCs, 1 of which was remote, so I didn't really need a team. I can imagine 50 DCs spanned across multiple sites will be a little more tricky, but if you follow the same procedure, with patience with replication, and check and recheck, I don't see a problem; but I imagine you'd need help.
About a week's worth of planning went into it, making sure I had System State backups of all Domain Controllers.
The beauty of a transition is that you do not touch the live DCs until you have finished and successfully added a Windows 2008 DC and transferred the roles.
As I had a fresh server ready for Windows Server 2008, I didn't need to mess with the existing DCs, so all I needed was a recent System State backup of all the DCs. As long as the backup is within the tombstone lifetime it's fine, but I made sure my AD backup was up to date.
I already had a good grasp of upgrading the schema from Windows 2003 to Windows 2003 R2; the same process is needed to use a Server 2003 R2 as a DC in a Windows 2003 domain.
I used a server that has VMware installed to create a Windows 2003 domain just like mine, then added a 2008 Server VM and went ahead and did the transition process (the ADPREP was very fast compared to production). I learnt a lot from doing it this way, which is why I made the guide for those not fortunate enough to have the hardware I have.
However, I didn't set up Exchange in my VMware testing, so that was one thing I found out in my production upgrade. I'm a pretty cautious guy anyway, so I only shut down my 2003 servers to test AD, and guess what... Exchange wouldn't start. I knew that Exchange absolutely requires a Global Catalogue, so I went ahead and turned my 2k3 servers back on, rebooted Exchange, and lo and behold it started fine. I checked the Directory Access tab in System Manager and my shiny new 2008 machine was not listed. There is no way to force Exchange to update this list; however, you can manually add it, but it's not recommended as it disables the automatic detection of GCs.
So I just rebooted Exchange with all DCs available and they all appeared. I shut down the 2k3 servers, all worked fine including Exchange, and I went ahead and DCPROMO'd the boxes, then reinstalled these boxes with 2k8. There is a way to force Exchange to pick up GCs, but you must run the setup.exe on the Exchange CD with the domainprep/forestprep command; but it shouldn't be necessary.
My disaster recovery plan was to restore AD to my 2003 Domain Controllers if a failure were to occur.
I believed I had a good plan and tested an upgrade first, so I was pretty confident. The most important thing is learning to troubleshoot AD; that gives people a lot of confidence in any case. So I strongly recommend getting to grips with tools such as NETDOM, NTDSUTIL, replmon and repadmin.
Hope this answers your questions.
PS. Checking SRV records in DNS is a great manual way to check that new DCs, and even old DCs removed previously, are recorded or removed properly. I don't mind making a small How To on this if anyone would like?
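The SRV check mentioned in the PS (new DCs registered, decommissioned DCs gone) is what this added PowerShell example automates; it is not code from the original thread. It assumes an admin workstation with the DnsClient module (Resolve-DnsName ships with Windows 8 / Server 2012 and later, so it would be run from a newer machine, not from the 2003 boxes), and the domain name, DNS server and DC hostnames are constructed placeholders. It queries the new 2008 DNS server directly for the records Netlogon registers, then reports any expected DC that is missing and any decommissioned DC whose records are still being handed out, which is exactly the situation that sends clients and Exchange to a server that no longer exists.

```powershell
# Added example (not from the original post). Assumes the DnsClient module (Windows 8 / Server 2012+).
# Domain, server and DC names are constructed placeholders; replace them with your own.
param(
    [string]$DomainName          = 'example.local',
    [string]$DnsServer           = 'dc2008a.example.local',   # the new 2008 DNS server clients point at
    [string[]]$ExpectedDCs       = @('dc2008a.example.local', 'dc2008b.example.local'),
    [string[]]$DecommissionedDCs = @('dc2003a.example.local', 'dc2003b.example.local')
)

# SRV records Netlogon registers for every DC (or every GC); the pdc record names a single host.
$checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$DomainName";     ExpectAllDCs = $true;  Note = 'all DCs' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$DomainName"; ExpectAllDCs = $true;  Note = 'all DCs (KDC)' },
    @{ Name = "_gc._tcp.$DomainName";                 ExpectAllDCs = $true;  Note = 'Global Catalogue servers only' },
    @{ Name = "_ldap._tcp.pdc._msdcs.$DomainName";    ExpectAllDCs = $false; Note = 'PDC Emulator only' }
)

function Test-DcSrvRecords {
    param([hashtable[]]$Checks, [string]$Server, [string[]]$Expected, [string[]]$Stale)
    $problems = 0
    foreach ($check in $Checks) {
        try {
            $targets = @(Resolve-DnsName -Name $check.Name -Type SRV -Server $Server -ErrorAction Stop |
                         Where-Object { $_.Type -eq 'SRV' } |
                         ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') })
        } catch {
            Write-Warning "$($check.Name): lookup failed ($($_.Exception.Message))"
            $problems++
            continue
        }
        "$($check.Name) [$($check.Note)] -> $($targets -join ', ')"

        # New DCs that have not registered yet (DNS replication or Netlogon not caught up)
        if ($check.ExpectAllDCs) {
            foreach ($dc in $Expected) {
                if ($targets -notcontains $dc.ToLower()) { Write-Warning "  missing: $dc"; $problems++ }
            }
        }
        # Old DCs whose records survived decommissioning (stale records send clients to dead servers)
        foreach ($dc in $Stale) {
            if ($targets -contains $dc.ToLower()) { Write-Warning "  stale:   $dc"; $problems++ }
        }
    }
    return $problems
}

$issues = Test-DcSrvRecords -Checks $checks -Server $DnsServer -Expected $ExpectedDCs -Stale $DecommissionedDCs
if ($issues -eq 0) {
    'All SRV records consistent with the expected DC list.'
} else {
    "$issues problem(s) found; wait for DNS replication, or restart the Netlogon service on a new DC to re-register its records, and remove leftover records for decommissioned DCs in the DNS console."
}
```

Pointing -Server at each DNS server in turn (the new 2008 one and any remaining 2003 one) shows whether the zone has replicated everywhere, which is the same reason the post tells you not to decommission anything until the SRV records have been checked on the server itself.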