Sunday, April 5, 2009

Migration Notes from Windows 2003 AD to Windows 2008

We finished the migration from AD 2003 to AD 2008 last week in our class. Here are the class notes for the migration.


We first introduced the first Windows 2008 DC into the existing Windows 2003 forest/domain. We had to perform forest prep and domain prep before bringing in the first 08 DC. The schema updates were done on the existing Win03 DC, which was the FSMO roles owner, and we used the Windows 2008 CD to do the schema updates. Forest prep came first, and then we did domain prep.

  • adprep /forestprep

Our forest/domain contained over 20.000 objects: users, groups, etc. After the successful schema updates we were able to run DCPromo on the new Windows 2008 server.

A couple of things to remember

Add the server to the domain before running DCPromo; this way the server will register its A record, and its PTR record if a reverse lookup zone exists.

Reboot the server, log into the domain with sufficient privileges, and make sure the server has a static IP and no other NIC interface; if there is one, disable it. Make sure the server is configured with the correct preferred DNS servers (don't point it to itself yet). The server is not a DNS server yet, so choose an existing DNS server for a successful DCPromo.

  • Run DCPromo, use integrated DNS and make the server a GC as well. Remember to distribute the ADDS database, logs and SysVol, and use best practices at all times.
  • When DCPromo runs successfully, reboot the server.
  • Make sure DC/DNS is functioning correctly.
  • Verify SysVol is accessible and there. Verify DNS is loaded. Verify replication connections are working and replication is happening; give the KCC some time to do its work.
  • When replication is working, point the preferred DNS to the server's own IP and select a neighbor DC/DNS as the alternate.
  • At this point we have already replicated the .Dit database and are ready to move on with bringing in additional DCs.
  • In-place migrations are not my favorite thing to do; I like to perform a fresh install. That being said, if there is an opportunity to do a hardware refresh as well, go ahead and do it. If not, first decommission the existing 03 DC, get it out of the domain peacefully, then put in the Windows 2008 CD and perform a fresh installation.
  • Findings in decommissioning the existing 03 servers going forward:
  • The first thing we noticed is that if replication is not working, DCPromo will fail.

Steps we have taken

  • We fixed the replication issue, went back to Sites and Services, deleted the dynamic KCC connections and made sure replication from the source DC to the destination was working.
  • We also pointed the server that was about to be decommissioned to a neighbor DC/DNS server as its primary DNS; otherwise DCPromo would fail.
  • We made sure the time was syncing correctly with the PDC emulator.
  • We were eventually able to DCPromo out the existing 03 servers, remove them from the domain, delete the computer object from AD, then go back to Sites and Services and delete the orphaned server object.
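The findings above (working replication, a single NIC with a static address, preferred DNS pointed at a neighbor DC) can be checked by script before each DCPromo run. This is an added example, not part of the original class notes; it assumes PowerShell 2.0 or later, the function names are hypothetical, and the host names, domain and CSV rows are constructed samples in the column layout assumed for `repadmin /showrepl * /csv`.

```powershell
# Added example. Constructed sample rows; column layout assumed to match
# the output of `repadmin /showrepl * /csv`.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC08A,"DC=example,DC=local",Default-First-Site-Name,DC03A,RPC,0,0,2009-04-01 10:15:02,0
showrepl_INFO,Default-First-Site-Name,DC03A,"DC=example,DC=local",Default-First-Site-Name,DC08A,RPC,4,2009-04-01 10:20:11,2009-03-31 22:05:40,1722
'@

function Get-FailingReplLink {
    # Returns every replication link that reports failures, plus any row
    # that is not a normal INFO row (for example an unreachable DC).
    param([string[]]$CsvLines)
    $CsvLines | ConvertFrom-Csv |
        Where-Object { $_.showrepl_COLUMNS -ne 'showrepl_INFO' -or
                       [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status'
}

function Test-NicReadyForDcpromo {
    # Checks: exactly one IP-enabled NIC, static address, and a preferred
    # DNS server that is not the machine itself. Returns a list of problems.
    param([string]$ComputerName = '.')
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration `
                -ComputerName $ComputerName -Filter 'IPEnabled = True')
    $problems = @()
    if ($nics.Count -ne 1) { $problems += "$($nics.Count) IP-enabled NICs found" }
    foreach ($nic in $nics) {
        if ($nic.DHCPEnabled) { $problems += 'IP address is not static' }
        if (-not $nic.DNSServerSearchOrder) {
            $problems += 'no DNS server configured'
        } elseif ($nic.IPAddress -contains $nic.DNSServerSearchOrder[0]) {
            $problems += 'preferred DNS points to the server itself'
        }
    }
    $problems
}

# Offline demonstration on the constructed sample (one failing link expected):
Get-FailingReplLink ($sampleCsv -split "`r?`n")

# On a real DC, before promoting or demoting:
# Get-FailingReplLink (repadmin /showrepl * /csv)
# Test-NicReadyForDcpromo
```

An empty result from both functions means these preconditions hold; time sync with the PDC emulator and the service transfers still need to be checked separately.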

Also remember that all existing services need to be transferred to the new domain controllers, such as DHCP, WINS, Certificate Services, FSMO roles, etc.

You may want to preserve IP addresses, and if this is the case you will need to do an IP address swap. This is fairly safe: all it takes is a reboot of the domain controller to allow the new dynamic records to get registered in DNS.

Remember all the basic things we needed to check to make most of the problems go away and achieve a successful migration of ADDS.

Oz Casey Dedeal

MVP (Exchange)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +


Justin@MS said...

What size was your ntds.dit?

Oz Casey Dedeal said...

This is an MCITP class; we ran a script and generated over 20.000 users, groups, etc.

I have seen places with over 70.000 users and a big mess; even those places' .DIT were close to a GIG

I don’t remember the size in the class; most of the time went to updating the schema, if I am not mistaken, and the rest was pretty easy

Thanks for reading my blog
Oz Casey Dedeal

Justin said...

Got you.. Have you guys done anything with actually simulating load on AD servers? Something like the Exchange load generator, but for Active Directory.

I know it would be difficult to produce such a thing and mirror it to the real world, but anything would be pretty neat.

Great blog BTW. Hopefully you can start shooting out some things about Exchange 14 soon.

Oz Casey Dedeal said...

I have done several other projects for government, lifting AD from 2003 to 2008. The way it is being done is the same, and in my opinion dealing with AD is real fun and fairly simple, speaking of migration.
When the first 08 DC is successfully introduced in the domain, you now have the .DIT database on that DC. The things to worry about are the functions the DCs are holding, and transferring them to the new 08 DCs, such as DHCP.
Moving FSMO roles and doing some metadata work is the nature of AD lifting projects. Sometimes there are applications with hard-coded DC IP addresses, and if that is the case there might be a need for an IP swap, but again, for a DC whose IP has changed, just reboot and have it register its dynamic record and you are pretty much done.
For Exchange 14 I am dying to talk (-: but I cannot since I am under NDA