Migrate 2003 domain to 2008 domain

Discussion in 'Server Migration' started by Brian M. White, Feb 20, 2009.

  1. I am starting the process to upgrade a Windows 2003 domain to a
    Windows 2008 domain. We are running a new separate server for 2008. Is
    there a good white paper for this transition?

    I also have a client whom I am working with that we will be doing
    something similar with but it is a SBS 2003 domain and wanting to go to a
    2008 Domain. Would like to get started with some white papers on the
    process.

    Any help or direction would be great.
     
    Brian M. White, Feb 20, 2009
    #1

  2. Hello Brian,

    Part one:

    !!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DATA/MACHINE!!!


    - On the old server open DNS management console and check that you are running
    Active directory integrated zone (easier for replication, if you have more
    than one DNS server)

    - run replmon from the run line or repadmin /showrepl, dcdiag and netdiag
    from the command prompt on the old machine to check for errors, if you have
    some post the complete output from the command here or solve them first.
    For these tools you have to install the support\tools\suptools.msi from the
    2003 installation disk.

    - run adprep /forestprep and adprep /domainprep and adprep /rodcprep from
    the 2008 installation disk against the 2003 schema master, with an account
    that is member of the Schema admins, to upgrade the schema to the new version
    (44), you can check the version with "schupgr" in a command prompt.

    - Install the new machine as a member server in your existing domain

    - configure a fixed ip and set the preferred DNS server to the old DNS server
    only

    - run dcpromo and follow the wizard to add the 2008 server to an existing
    domain, make it also Global catalog.

    - if you are prompted for DNS configuration choose Yes. If not, install DNS
    role after promotion.

    - for DNS give the server time for replication, at least 15 minutes. Because
    you use Active directory integrated zones it will automatically replicate
    the zones to the new server. Open DNS management console to check that they
    appear

    - if the new machine is domain controller and DNS server run again replmon,
    dcdiag and netdiag (copy the netdiag from the 2003 to 2008, will work) on
    both domain controllers

    - Transfer, NOT seize the 5 FSMO roles to the new Domain controller (http://support.microsoft.com/kb/324801
    applies also for 2008)

    - you can see in the event viewer (Directory service) that the roles are
    transferred, also give it some time

    - reconfigure the DNS configuration on your NIC of the 2008 server, preferred
    DNS itself, secondary the old one

    - if you use DHCP do not forget to reconfigure the scope settings to point
    to the new installed DNS server

    - export and import of DHCP database for 2008 choose "netshell dhcp backup"
    and "netshell dhcp restore" command (http://technet.microsoft.com/en-us/library/cc772372.aspx)



    Demoting the old DC (if needed)

    - reconfigure your clients/servers so that they no longer point to the old
    DC/DNS server on the NIC

    - to be sure that everything runs fine, disconnect the old DC from the network
    and check with clients and servers the connectivity, logon and also with
    one client a restart to see that everything is ok

    - then run dcpromo to demote the old DC, if it works fine the machine will
    move from the DC's OU to the computers container, where you can delete it
    by hand. Can be that you got an error during demoting at the beginning, then
    uncheck the Global catalog on that DC and try again

    - check the DNS management console, that all entries from the machine have
    disappeared or delete them by hand if the machine is off the network forever

    - also you have to start AD sites and services and delete the old servername
    under the site, this will not be done during demotion

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Feb 20, 2009
    #2
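
    The health checks listed in the post above can be gathered into one gate that is run before promoting the new server and again before demoting the old one. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later and the Support Tools (repadmin, dcdiag, netdom) on the PATH, and it reads the schema version from the directory's objectVersion attribute.

```powershell
# Added example: pre-migration health gate for the checks listed above.
# Assumes an elevated prompt on a DC with repadmin, dcdiag and netdom
# (Windows Server 2003 Support Tools) on the PATH and PowerShell 2.0 or later.
param([int]$ExpectedSchema = 44)   # 44 = schema version after the 2008 adprep, per the post

function Get-SchemaVersion {
    # The schema revision is stored in objectVersion on the schema naming context.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]("LDAP://" + $rootDse.schemaNamingContext[0])
    return [int]$schema.objectVersion[0]
}

function Get-ReplicationFailure {
    # repadmin emits one CSV row per inbound replication link of every DC.
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time'
}

$problems = @()

$schemaVersion = Get-SchemaVersion
if ($schemaVersion -lt $ExpectedSchema) {
    $problems += "Schema version is $schemaVersion, expected $ExpectedSchema (adprep not run or not replicated)"
}

$failedLinks = @(Get-ReplicationFailure)
if ($failedLinks.Count -gt 0) {
    $problems += "$($failedLinks.Count) replication link(s) report failures"
    $failedLinks | Format-Table -AutoSize
}

# dcdiag /q prints only errors, so any output means a failed test.
$dcdiagErrors = @(dcdiag /q)
if ($dcdiagErrors.Count -gt 0) {
    $problems += 'dcdiag reported errors'
    $dcdiagErrors
}

# Record the current FSMO role holders before and after the transfer.
netdom query fsmo

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'All checks passed: safe to continue with the next migration step.'
```

    Keeping the output of each run gives a before/after record of role holders and replication state for the change log.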

  3. Hello Brian,

    Part two, SBS:

    Will you transition from the SBS to a "normal" windows domain or should it
    be also SBS 2008?

    For transition to "normal" domain:
    As far as I know until now there is no transition pack available, call MS
    support for that. I suggest to post to: microsoft.public.windows.server.sbs

    To SBS 2008:
    Keep in mind that SBS 2008 will only run on 64bit system, 32bit is not available
    with 2008.
    http://technet.microsoft.com/en-us/library/cc546034.aspx
    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Feb 20, 2009
    #3
  4. Brian M. White

    KC Guest

    I am also starting the process of replacing two of my Windows Server 2003 DCs
    to Windows Server 2008. The approach for my upgrade process is replacing
    domain controllers due to old hardware.

    In my environment, there are three domains controllers and all are running
    Windows Server 2003 Std without any service pack installed. All clients are
    running on WinXP SP2 or SP3. No DHCP server is used in my environment. All
    are IP hard-coded.

    Two of the DCs are GC and AD-integrated zone DNS.

    The steps/procedures I got from Meinolf (thank you) to complete the
    migration are as follows:

    1) Install Win2003 SP1 or SP2 on all three Win2003 DCs.
    2) Run repadmin /showrepl, dcdiag and netdiag on the DC then check for any
    error.
    3) Join the two new Win2008 servers on the domain as member server.
    4) Run adprep.exe /forestprep on the schema master role holder DC.
    5) Run adprep.exe /domainprep /gpprep then run adprep.exe /rodcprep on the
    infrastructure master role holder DC.
    6) Add the AD DS role on to the two Win2008 servers.
    7) Use the NTDSUTIL to move the forestwide OM roles to one of the Win2008 DC.
    8) Use the NTDSUTIL to move the domainwide OM roles to the Win2008 DC chosen
    on step (6).
    9) Run dcpromo to demote the two old Win2003 DCs.
    10) Use ADSIEdit to retire "phantom" DCs.
    11) Move AD-integrated DNS zones to the newly created partitions.
    12) Turn off the two Win2003 server on step (8).

    Am I missing any steps on the migration?

    So, the question I have is since all devices are IP hard-coded and by
    choosing the replacing approach, will all the clients fail on DNS query until
    I physically change their DNS entry on their LAN settings?

    Any comment or feedback will be greatly appreciated. Thank you.

    KC
     
    KC, Mar 12, 2009
    #4
  5. Hello KC,
    I think your step 3 Join the two new Win2008 servers on the domain as member
    server should be after step 5 and your step 11 should be after step 6.

    As regard to your last question, I will suggest after you dcpromo the 2 w2k8
    servers into DC, wait and make sure they are all replicating and fully
    functional as DC. Then, install DNS on the w2k8 box(es) change the hard
    coded IPs one by one to point to the w2k8 boxes for dns and verify using
    nslookup etc that they can be resolved. Then move fsmo roles.
    So, the hardcoded clients will still be looking on w2k3 boxes for dns until
    you manually change the settings, that is why it is advised to shut down the
    w2k3 boxes until dns is fully functional on the w2k8 boxes
     
    Isaac Oben [MCITP,MCSE], Mar 12, 2009
    #5
  6. Brian M. White

    KC Guest

    Thank you Isaac for the quick response. If I understood you correctly, the
    migration procedures/steps should be as follows:

    1) Install Win2003 SP1 or SP2 on all three Win2003 DCs.
    2) Run repadmin /showrepl, dcdiag and netdiag on the DC then check for any
    error.
    3) Run adprep.exe /domainprep /gpprep then run adprep.exe /rodcprep on the
    infrastructure master role holder DC.
    4) Run adprep.exe /forestprep on the schema master role holder DC.
    5) Join the two new Win2008 servers on the domain as member server.
    6) Add the AD DS role without DNS server and GC on to the two Win2008 servers.
    7) Verify all DC replications are fully functional and check for any error.
    8) Add DNS server and GC to the newly Win2008 servers.
    9) Move AD-integrated DNS zones to the newly created partitions on the new
    Win2008 servers.
    10) Change the client's DNS entry on LAN settings to point to the new
    Win2008 DCs one client at a time and make sure the name resolution is
    working. Check the DNS event log.
    11) Use the NTDSUTIL to move the forestwide OM roles to one of the Win2008 DC.
    12) Use the NTDSUTIL to move the domainwide OM roles to the Win2008 DC
    chosen on step (11).
    13) Run dcpromo to demote the two old Win2003 DCs.
    14) Use ADSIEdit from Win2008 DC to retire "phantom" domain controller.
    15) Turn off the two Win2003 servers.

    Thanks again.
    KC
     
    KC, Mar 12, 2009
    #6
  7. Hello KC,

    See inline

    Best regards

    Meinolf Weber


    SP2 and all latest patches to make sure the OS is complete for the upgrade
    to 2008.
    Check any DC for errors.
    You have to start with adprep /forestprep and then /domainprep, /gpprep is
    not needed when upgrading from 2003 (you can run it if you like). Also run
    adprep /rodcprep to prepare for Read-only domain controllers, maybe you like
    to have them in the future and so this is done. If you have split the FSMO
    roles you have to choose the correct FSMO DC, that's fine.
    See above.
    Ok, make sure to point the preferred DNS only to one acting DC/DNS server
    until replication after promoting later is done.
    Why? Do it direct during promotion, no problem and all is replicated complete
    AD, DNS and GC.
    To use netdiag on 2008 you have to copy the netdiag.exe from 2003 to the
    2008 windows\system32 folder, not included as the others. Works also without
    any problem on 2008.
    See above.
    See above.
    You can also use the AD management consoles. http://support.microsoft.com/kb/324801
    You can also use the AD management consoles. http://support.microsoft.com/kb/324801
    WAIT until you have really tested all functionality for some days. For the
    test just remove the network cable from the old DCs so that all must run
    with the new ones. If every service/application/role is working as expected,
    reconnect, let them replicate again, check replication and then start with
    demotion.
    If demotion is successful, you have only to remove the old DC names from AD
    sites and services. Also DNS has to be cleaned up from the old servers and
    records.
    After demotion the servers will move in AD UC to the computers container,
    so you have to delete them there if you will no longer use the servers as
    member servers in the domain.
     
    Meinolf Weber [MVP-DS], Mar 12, 2009
    #7
  8. Brian M. White

    KC Guest

    Hi Meinolf, thank you for the response. If the environment has over a thousand
    clients, changing the DNS settings per client might not be very practical
    if you have limited staff. Is there a way where you still do the replacement
    with new server hardware and with new server name but you reuse the old IP
    address for DNS sake? Thanks again.
     
    KC, Mar 13, 2009
    #8
  9. Hello KC,
    You can use a simple script in PowerShell or VBScript to accomplish this.
     
    Isaac Oben [MCITP,MCSE], Mar 13, 2009
    #9
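
    A script of the kind mentioned in the reply above, for statically addressed clients, could look like the following. This is an added example, not part of the original thread; the client list file and all IP addresses are constructed placeholders, it assumes PowerShell 2.0 or later with remote WMI access to the clients, and it only reports what it would change unless -Apply is given.

```powershell
# Added example: replace the old DC's address in the static DNS settings of
# remote clients. File name and IP addresses are constructed placeholders.
param(
    [string]$ComputerList = '.\clients.txt',          # one host name per line
    [string]$OldDns       = '192.0.2.10',             # DNS server being retired
    [string[]]$NewDns     = @('192.0.2.20', '192.0.2.21'),
    [switch]$Apply                                    # without this: dry run only
)

function Get-NewSearchOrder([string[]]$Current, [string]$Old, [string[]]$New) {
    # New servers first, then any other existing entries; the old DC is dropped.
    $rest = @($Current | Where-Object { $_ -ne $Old -and $New -notcontains $_ })
    return [string[]]($New + $rest)
}

foreach ($computer in Get-Content $ComputerList) {
    try {
        $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $computer `
                    -Filter 'IPEnabled = TRUE' -ErrorAction Stop
    } catch {
        # Unreachable or access denied: record it so the host can be revisited.
        New-Object PSObject -Property @{ Computer = $computer; Adapter = '';
            Before = ''; After = ''; Result = "unreachable: $($_.Exception.Message)" }
        continue
    }
    foreach ($nic in $nics) {
        # Touch only adapters that actually reference the old DNS server.
        if ($nic.DNSServerSearchOrder -notcontains $OldDns) { continue }
        $order = Get-NewSearchOrder $nic.DNSServerSearchOrder $OldDns $NewDns
        if ($Apply) {
            # ReturnValue 0 = success, 1 = success but reboot required.
            $result = $nic.SetDNSServerSearchOrder($order).ReturnValue
        } else {
            $result = 'dry-run'
        }
        New-Object PSObject -Property @{ Computer = $computer; Adapter = $nic.Description;
            Before = ($nic.DNSServerSearchOrder -join ','); After = ($order -join ',');
            Result = $result }
    }
}
```

    Piping the output to Export-Csv keeps a record of every adapter changed and every host that could not be reached.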
  10. Brian M. White

    KC Guest

    Hello. So, it is basically not a recommended approach to reuse the IP address
    of the seized domain controller even if it is being replaced with a new box, new
    name and all. Am I correct? Thank you.

     
    KC, Mar 13, 2009
    #10
  11. Hello KC,
    You can reuse IP addresses of seized domain controllers. Just make sure you
    have cleaned dns of old records. My last post was just to give you an easy
    way of configuring fixed ip addresses.

    --
    Isaac Oben [MCTIP:EA, MCSE]
     
    Isaac Oben [MCITP,MCSE], Mar 13, 2009
    #11
  12. Brian M. White

    KC Guest

    Thank you Isaac. I just wanted to confirm it can be done. With that, the
    procedure will be slightly different from what I had earlier. Hopefully, I
    get it right this time.

    1) Install Win2003 SP3 and all latest patches on all Win2003 DC.
    2) Run repadmin /showrepl, dcdiag, and netdiag on DC. Check any DC for errors.
    3) Run adprep /forestprep, then adprep /domainprep /gpprep on FSMO role holder.
    4) Run adprep /rodcprep if you want to deploy read-only DC.
    5) Allow all updates to replicate and check for errors.
    6) Assume there is another DC with DNS and GC on the domain. Move the FSMO
    to the other Win2003 DC using AD snap-in MMC.
    7) Disconnect network cable on the Win2003 DC (the one where you moved FSMO
    from). Verify name resolution and every service/application/role are all
    functioning as expected.
    8) If everything works, reconnect and allow replication to occur. Then,
    start demotion.
    9) Verify everything still works. Shut off the DC. Remove any entry
    referencing to that old DC (DNS, computer name, etc.)
    10) Join the Win2008 server to the domain with the IP of the old DC.
    11) Add the AD DS with DNS and GC on Win2008.
    12) Verify updates are replicating across using repadmin, dcdiag and netdiag.
    13) Verify the name resolution works from clients.
    14) Move FSMO from Win2003 DC to Win2008 DC using AD Snap-in.
    15) Check for errors after replication.
    16) Repeat step 7 through 13 for the other Win2003 DC.

    Am I missing anything? Thank you for checking.

    Thanks,
    KC

     
    KC, Mar 13, 2009
    #12
  13. Hello KC,
    Why don't you just move the fsmo roles from one dc1 to dc2 after step
    2? Why run the prep to a dc that you are about to demote first?

    --
    Isaac Oben [MCTIP:EA, MCSE]
     
    Isaac Oben [MCITP,MCSE], Mar 13, 2009
    #13
  14. Brian M. White

    KC Guest

    Yeah. That would definitely simplify the whole migration process. Thank you
    for pointing it out. I thought you can basically run the prep on any DC.
    After further thought, you actually run the prep on the schema master role
    holder DC. Got it!!!

    Thank you.
    KC

     
    KC, Mar 13, 2009
    #14
  15. Hello KC,

    To reuse an IP address is not a problem itself. This requires more steps during
    replacement. So install the new DC/DNS with a free ip address.

    At one point you have less/no users working start with the first old DC/DNS
    and change it to another free ip address and run ipconfig /registerdns or
    reboot. Then check that the change is registered in DNS and that replication
    still works between the DC's.

    Now configure the new DC/DNS with the now free ip address you like to reuse.
    Again check DNS and replication and so you can also change the other DC/DNS
    servers.

    When everything is changed you can start demoting the old DC's.

    Give always some time for replication and registration in DNS and AD.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Mar 13, 2009
    #15
  16. Hello KC,

    It is just more work. With that amount of workstations with fixed IPs you should
    think about a scripting solution for changes. Any setting can be changed with
    scripts as Isaac pointed out.

    Also DHCP servers per subnet/location can be used, but this depends on security
    requirements and I think you are not allowed to use DHCP.

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], Mar 13, 2009
    #16
  17. Hello Isaac Oben [MCITP,MCSE],

    With some more configuration steps you can also use the actual addresses
    for new DC's, not only with seized DC's.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Mar 13, 2009
    #17
  18. Brian M. White

    KC Guest

    I have another question in regards to domain functional level. Do both domain
    and forest functional levels need to be on 'Windows 2003'? My domain
    functional level is on Windows 2003 but my forest functional level is on
    Windows 2000. I know Windows 2008 functional level supports Windows 2000 but
    not sure I need to raise both to Windows 2003 before introducing Windows 2008
    DC. Thank you.
     
    KC, Mar 24, 2009
    #18
  19. Meinolf Weber [MVP-DS], Mar 24, 2009
    #19
  20. Brian M. White

    Siddiqui Guest

    Dear All

    I have 5 Domain running Windows 2003 Server as an additional server to each
    other. Now we want to add one more new server that will be Windows 2008
    operating system, and we have more than 1000 users, so we want to replace these
    Windows 2003 servers without disconnecting the old server. Can we make this
    Windows 2008 server an additional server to Windows 2003? Then can we keep the
    same computer name in the new server as it was in the Win2003 server, because of
    applications they are accessing through computer name?

    Please, if anyone can help with the right procedure.
     
    Siddiqui, Aug 19, 2009
    #20