
Transitioning to Windows 2008 Active Directory Domain Services (AD DS)

July 20, 2011

Transitioning to Windows 2008 Active Directory Domain Services (AD DS) from Windows 2003 Domain Controller

This page describes the high-level steps required to migrate from a Windows 2003 domain controller to Windows 2008 AD DS. Active Directory on Windows Server 2008 has many new features that give better control of the system and make administration easier, while maximizing performance and mitigating security issues. Of the many features available in Windows 2008 AD DS, a few of the new ones are:

  • Auditing: Windows Server 2008 adds the ability for AD DS auditing to log the old and new values of an attribute when a successful change is made to that attribute. Previously, AD DS auditing logged only the name of the attribute that was changed; it did not log the previous and current values.

The Directory Service Changes audit subcategory is not enabled by default. After it is enabled, AD DS logs events in the Security event log when changes are made to objects that an administrator has set up for auditing. The following events are recorded in the Security log:

  • 5136: Modify
  • 5137: Create
  • 5138: Undelete
  • 5139: Move
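Enabling the subcategory and reading the resulting events back, as an added PowerShell example (not code from the original post). It assumes the objects of interest already carry an auditing SACL, and uses the EventData field names of the 5136 to 5139 events.

```powershell
# Enable the Directory Service Changes subcategory (success audits) on this domain controller.
# Run from an elevated prompt. Events are generated only for objects whose SACL requests auditing.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# Read one named field out of an event's EventData section (returns $null when absent).
function Get-EventField {
    param($Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' }
    return $null
}

# Summarise the most recent 5136 (modify), 5137 (create), 5138 (undelete) and 5139 (move) events.
function Get-DirectoryChangeSummary {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ev = $_    # keep a handle: $_ is rebound to the switch value inside the switch below
            $op = switch ($ev.Id) {
                # 5136 carries the change direction: %%14674 = value added, %%14675 = value deleted
                5136 { if ((Get-EventField $ev 'OperationType') -eq '%%14674') { 'Value added' } else { 'Value deleted' } }
                5137 { 'Create' }
                5138 { 'Undelete' }
                5139 { 'Move' }
            }
            # Create/modify events name the object in ObjectDN; undelete/move events use NewObjectDN.
            $dn = Get-EventField $ev 'ObjectDN'
            if (-not $dn) { $dn = Get-EventField $ev 'NewObjectDN' }
            New-Object PSObject -Property @{
                Time      = $ev.TimeCreated
                EventId   = $ev.Id
                Subject   = (Get-EventField $ev 'SubjectUserName')
                Object    = $dn
                Attribute = (Get-EventField $ev 'AttributeLDAPDisplayName')   # present on 5136 only
                Value     = (Get-EventField $ev 'AttributeValue')             # present on 5136 only
                Operation = $op
            }
        }
}

Get-DirectoryChangeSummary | Format-Table Time, EventId, Subject, Object, Attribute, Value, Operation -AutoSize
```

The report is what a reviewer would compare against change tickets after the migration: who changed which attribute on which object, and to what value.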

  • Fine-Grained Password Policies: With fine-grained password policies you can define different sets of password and account lockout settings for different groups of users. These policies can be applied only to user objects and global security groups; they cannot be applied directly to OUs. This feature requires the domain functional level to be Windows 2008 Native.
  • Restartable Active Directory Domain Services role: Restartable AD DS reduces the time required to perform certain operations. AD DS can be stopped so that updates can be applied to a domain controller. Administrators can also stop AD DS to perform tasks such as offline defragmentation of the Active Directory database without restarting the domain controller. Other services running on the server that do not depend on AD DS, such as Dynamic Host Configuration Protocol (DHCP), remain available to satisfy client requests while AD DS is stopped. This feature has no additional functional level requirement.

Transition is a way of migrating older versions of Windows domain controllers to Windows 2008 AD DS. This migration path involves adding a Windows 2008 member server to the existing Active Directory environment and promoting it to a domain controller. After successfully moving the Flexible Single Master Operations (FSMO) roles to this new domain controller, you simply demote the previous domain controllers. Transitioning to Windows 2008 AD DS is possible if the domain functional level of the existing environment is at least Windows 2000 Native. When the transition is completed for all the older domain controllers, you can raise the domain and forest functional levels to Windows 2008 to enable many more advanced features.

Two other possible migration paths are:

  • In-place upgrade: In this path you install Windows 2008 AD DS directly on the existing Windows domain controller. This may be the only option when some limitation prevents moving to new hardware.
  • Restructuring the existing Active Directory environment: This path requires moving all of the resources from the existing domain environment to a freshly built Active Directory Domain Services environment. You will have to use tools such as the Active Directory Migration Tool.

Installation Steps for Transitioning to Windows 2008 Active Directory Domain Services

You may be running other applications that depend on Active Directory, and some of them have specific requirements when a Windows 2008 domain controller is present in the environment. You have to consider these applications before introducing Active Directory on Windows 2008. I have included details about some messaging applications in the Messaging Applications Considerations section at the end.

Pre-Installation Steps

  • Add a Windows 2008 member server, which will be promoted to Active Directory Domain Services.

Installation steps

  • Run adprep /forestprep to update the schema. You can run this command directly on the Windows 2003 Schema Master. Then check the schema version on all the domain controllers:

repadmin /showattr * "cn=schema,cn=configuration,dc=domain,dc=com" /atts:objectVersion

  • Prepare each domain where you want to install a domain controller that runs Windows Server 2008 or Windows Server 2008 R2 by running "adprep /domainprep /gpprep".
  • If you are also planning to introduce a Windows 2008 read-only domain controller in the environment, run "adprep.exe /rodcprep". This update allows read-only domain controllers.
  • Install the Active Directory Domain Services role on the member server and run dcpromo.exe to promote it to a domain controller.

Post-Installation Steps

  • It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize specifically are:

dcpromo.log
All the events regarding the creation and removal of Active Directory and SYSVOL trees, and the installation, modification and removal of key services.

dcpromoui.log
This file tracks all the events from the graphical interface's perspective.

Also check the Event Viewer.

  • Move the FSMO roles to the new Windows 2008 domain controller.

i. To change the Domain Naming Master: open the Active Directory Domains and Trusts snap-in -> connect to the Windows 2008 domain controller -> Operations Master -> Change

ii. To change the Schema Master: open the Active Directory Schema snap-in -> connect to the Windows 2008 domain controller -> Operations Master -> Change

iii. To change the Infrastructure, RID and PDC Masters: open the Active Directory Users and Computers snap-in -> connect to the Windows 2008 domain controller -> Operations Master -> Change

iv. Check the result of the FSMO role moves by running "netdom.exe query fsmo"

  • Run dcpromo on the previous-version domain controller to demote it. Before demoting this domain controller, make sure all the hosts and servers on the network are configured to send DNS queries to the Windows 2008 DNS server.
  • Delete the DNS records on the Windows 2008 DNS server that still point to the demoted domain controller:

Check _gc._msdcs.domain.com. If an entry for the old domain controller exists, delete it.

Check the domain.com zone. If an entry "(same as parent) A <oldIpAddress>" exists, delete it.

Check the domain.com and _msdcs.domain.com zones for NS (name server) records to make sure the old domain controller is no longer listed. If it still shows:

a. Right-click the zone and choose Properties

b. Choose the Name Servers tab

c. Highlight the old entry

d. Choose Delete, and confirm the message asking whether you are sure you want to delete it.
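A read-only check for the records described above, as an added PowerShell example that is not part of the original post. It queries the DNS server's WMI provider (root\MicrosoftDNS) for A, NS and SRV records that still reference the demoted DC; the host name, address and server name are placeholders.

```powershell
# Placeholders: the demoted DC's FQDN and address, and the Windows 2008 DNS server to inspect.
$OldDcName = 'olddc.domain.com'
$OldDcIp   = '192.0.2.10'
$DnsServer = 'dc2008.domain.com'

# Report every A, NS and SRV record in a zone that still points at the demoted DC.
# Uses the DNS server WMI provider (root\MicrosoftDNS), available on Windows Server 2008 DNS.
function Find-StaleDcRecords {
    param([string]$Zone, [string]$Name, [string]$Ip, [string]$Server)
    $wmi  = @{ ComputerName = $Server; Namespace = 'root\MicrosoftDNS'; Filter = "ContainerName='$Zone'" }
    $emit = { param($Type, $Owner, $Target)
              New-Object PSObject -Property @{ Zone = $Zone; Type = $Type; Owner = $Owner; Target = $Target } }

    # A records with the old address, including the zone root "(same as parent)" record.
    Get-WmiObject @wmi -Class MicrosoftDNS_AResourceRecord |
        Where-Object { $_.IPAddress -eq $Ip } |
        ForEach-Object { & $emit 'A' $_.OwnerName $_.IPAddress }

    # NS records naming the old host (what the zone's Name Servers tab lists).
    Get-WmiObject @wmi -Class MicrosoftDNS_NSResourceRecord |
        Where-Object { $_.NSHost.TrimEnd('.') -ieq $Name } |
        ForEach-Object { & $emit 'NS' $_.OwnerName $_.NSHost }

    # SRV records (_ldap, _kerberos, _gc ...) still advertising the old host.
    Get-WmiObject @wmi -Class MicrosoftDNS_SRVResourceRecord |
        Where-Object { $_.SRVDomainName.TrimEnd('.') -ieq $Name } |
        ForEach-Object { & $emit 'SRV' $_.OwnerName $_.SRVDomainName }
}

# Both zones the steps above tell you to inspect; _msdcs may be its own zone or empty here.
$report = foreach ($zone in 'domain.com', '_msdcs.domain.com') {
    Find-StaleDcRecords -Zone $zone -Name $OldDcName -Ip $OldDcIp -Server $DnsServer
}
if ($report) { $report | Format-Table Zone, Type, Owner, Target -AutoSize }
else         { 'No records referencing the demoted DC were found.' }
```

The function only reports; remove the confirmed entries with the console steps above, then rerun it to verify the zones are clean.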

  • From the Sites and Services console, remove the server object of the demoted domain controller if it still exists.

To delete the server object:

Open Active Directory Sites and Services.
Drill down and expand the AD site the domain controller belongs to.
Right-click the DC's name.
Choose Delete (or press the Delete key).

Messaging Applications Considerations:

Before starting to deploy Active Directory on Windows 2008, you will have to give some consideration to applications running in the environment such as Exchange, OCS, BlackBerry and Enterprise Vault.

  1. Exchange 2003 / 2007 and Active Directory Domain Services
     • Exchange Server 2003 Service Pack 2, Exchange 2007, and Exchange 2007 SP1 / SP2 are supported in environments that either partly or entirely use writeable Windows Server 2008 directory servers.
     • Microsoft Exchange Server 2003 and later can work with read-only domain controllers, as long as writeable domain controllers are available. Exchange 2007 effectively ignores RODCs and ROGCs. Exchange 2003 also ignores RODCs and ROGCs in default conditions, where Exchange components automatically detect available domain controllers. No changes were made to Exchange 2003 to make it aware of read-only directory servers. Therefore, trying to force Exchange 2003 services and management tools to use RODCs may result in unpredictable behavior.
  2. OCS 2007 Server and Active Directory Domain Services
     • Office Communications Server 2007 R2 supports Windows Server 2008, both for servers running Office Communications Server and for domain controllers. For a new installation of Office Communications Server 2007 R2 in an Active Directory forest that already includes at least one Windows Server 2008 domain controller in any domain, the installation of Office Communications Server does not require any extra preparation and will install successfully.
     • If you have an existing Windows Server 2003 forest running Office Communications Server and you upgrade any of the domain controllers to Windows Server 2008, Office Communications Server will not work correctly. Some user interface elements disappear, and you will be unable to add Office Communications Server servers or pools. To resolve this issue, rerun the Active Directory forest preparation step by using either Setup.exe or LcsCmd.exe.

  3. Enterprise Vault and BlackBerry Enterprise Server

     • Recreate the Outlook profile for the BlackBerry service account on the BES server and restart the BlackBerry server.
     • Windows Server 2008 allows, by default, a maximum of 50 concurrent NSPI connections per user to any domain controller. Additional NSPI connections are rejected with a MAPI_E_LOGON_FAILED error code. Windows Server 2003 and earlier versions of Windows do not exhibit this behavior. The change in Windows Server 2008 is intended to protect domain controllers against clients that open too many NSPI connections without closing them, since too many such connections can result in resource depletion. As we need more concurrent NSPI connections from the EV and BlackBerry servers, we can change the default limit. To do this, follow these steps:
       1. Click Start, click Run, type regedit, and then click OK.
       2. Locate and then click the following registry key:
          HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS
       3. Click the Parameters key.
       4. On the Edit menu, point to New, and then click DWORD Value.
       5. Type NSPI max sessions per user, and then press ENTER.
       6. Double-click NSPI max sessions per user, type the maximum number of NSPI connections that you want to allow, and then click OK. Note: there is no specific upper limit to this setting beyond the limit imposed by its being a DWORD (that is, 0xffffffff, or about 4 billion). Configuring the server in this manner will make it behave similarly to Windows Server 2003 in terms of the maximum number of NSPI connections allowed per user.
       7. Exit Registry Editor.
       8. Restart the computer or restart Active Directory Domain Services.
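The same registry change done from PowerShell, as an added example that is not part of the original post. It reads the effective limit (the Windows Server 2008 default of 50 when the value is absent), writes the new DWORD, and shows the restartable AD DS service restart in place of a reboot; the limit of 200 in the usage comment is a constructed value.

```powershell
# Registry location of the NTDS setting described in the steps above.
$NtdsParams = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'NSPI max sessions per user'

# Effective limit: the stored value if present, otherwise the Windows Server 2008 default of 50.
function Get-NspiMaxSessions {
    $key = Get-ItemProperty -Path $NtdsParams -ErrorAction SilentlyContinue
    if ($key -and $key.PSObject.Properties[$ValueName]) { return [uint32]$key.$ValueName }
    return 50
}

# Write a new per-user limit as a DWORD and report the before/after values.
function Set-NspiMaxSessions {
    param([Parameter(Mandatory = $true)][uint32]$Limit)
    if ($Limit -lt 1) { throw 'Limit must be at least 1' }
    if (-not (Test-Path $NtdsParams)) { throw 'NTDS Parameters key not found; is this a domain controller?' }
    $before = Get-NspiMaxSessions
    # -Force creates the value if missing and overwrites it if it already exists.
    New-ItemProperty -Path $NtdsParams -Name $ValueName -PropertyType DWord -Value $Limit -Force | Out-Null
    Write-Host ("{0}: {1} -> {2}" -f $ValueName, $before, (Get-NspiMaxSessions))
}

"Current limit: $(Get-NspiMaxSessions)"

# Usage (constructed value): raise the limit, then restart AD DS instead of rebooting.
# Restartable AD DS lets the NTDS service stop and start; -Force also restarts dependent
# services such as the KDC and DNS Server, so run this in a maintenance window.
# Set-NspiMaxSessions -Limit 200
# Restart-Service -Name NTDS -Force
```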

One Comment
  1. Ashwini Kumar

    Nice one!
