Upgrade the Active Directory schema from Windows 2003 to Windows 2008
Adprep.exe is a command-line tool that is included on the installation disk of each version of Windows Server. Adprep.exe performs operations that must be completed in an existing Active Directory environment before you can add a domain controller that runs a version of Windows Server later than the latest version running in your current environment. In Windows Server 2008, Adprep.exe is available in the /sources/adprep folder of the installation DVD. In Windows Server 2008 R2, Adprep.exe is located in the /support/adprep folder.
When you run Adprep.exe, various operations will be performed to prepare the domain for the newer version of Windows Server that will run on your domain controllers. Some of the operations include:
· Upgrading the Active Directory schema
· Upgrading security descriptors
· Upgrading access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
· Creating new objects, as needed
· Creating new containers, as needed
To complete the required operations, you must run the Adprep.exe commands that are listed in the following table. You must run adprep /forestprep before you run other commands. Some commands must be run on specific domain controllers, as indicated in the table. The remaining sections in this topic contain more details about each command.
| Command | Domain controller | Number of times to run the command |
| --- | --- | --- |
| adprep /forestprep | Must be run on the schema operations master for the forest. | Once for the entire forest |
| adprep /domainprep | Must be run on the infrastructure operations master for the domain. | Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain. |
| adprep /domainprep /gpprep | Must be run on the infrastructure operations master for the domain. If you already ran the /gpprep parameter for Windows Server 2003, you do not have to run it again for Windows Server 2008 or Windows Server 2008 R2. | Once in each domain within the forest |
| adprep /rodcprep | Can be run from any computer. This command performs operations remotely. For the operations to complete successfully, the domain naming operations master for the forest and the infrastructure operations master for each application directory partition and each domain partition must be accessible. If you already ran this command for Windows Server 2008, you do not have to run it again for Windows Server 2008 R2. | Once for the entire forest |

If you plan to add an RODC to the forest, you can run adprep /rodcprep right after you run adprep /forestprep and then verify that both operations have replicated throughout the forest. Both commands require Enterprise Admin credentials; therefore, you might prefer to run them consecutively.
If you are not sure which computer holds the operations master (also known as flexible single master operations or FSMO) role that you need, type the following command at a command prompt on a computer on which you have Netdom.exe installed, and then press ENTER:
netdom query FSMO
Preparing to run adprep /forestprep
1. Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
2. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).
3. Antivirus software can sometimes interfere with this command. You may want to temporarily disable the antivirus service from running on the Schema Master until the process has been completed.
Start your upgrade process
Details of my existing lab setup
Operating System: Windows 2003 with SP 2
Computer Name: DC-Win-2003
Domain Name: LABTEST.in
FSMO Role Owner and Global Catalog Server
1. Log on to the domain controller that you are upgrading. First we are going to prepare the domain controller database for the upgrade.
2. Insert the Server 2008 CD in your CD/DVD-ROM drive.
3. Open a command prompt and change to your CD/DVD-ROM drive.
Enter the drive letter of your CD/DVD-ROM drive (type d: and hit Enter). On the D drive, type DIR to list the content of the CD/DVD.
Now go to the folder (D:\Sources\adprep) that contains the adprep.exe command.
To verify the content of the adprep folder, type dir and hit Enter.
The first command you should type is adprep /forestprep, then hit Enter.
Once the adprep /forestprep process is finished you are going to see the information as shown below.
To ensure that the adprep /domainprep command runs successfully, complete these steps before you run the command on the infrastructure operations master role holder in each domain:
- Make sure that the schema updates that adprep /forestprep performs have replicated throughout the forest, or that they have at least replicated to the infrastructure master for the domain where you plan to run adprep /domainprep. For more information, see Verifying that adprep /forestprep completed successfully.
- Make sure that you can log on to the infrastructure master with an account that is a member of the Domain Admins group.
- Verify that the domain functional level is at least Windows 2000 native.
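One way to script the first and third checks in the list above, added here as an example and not taken from the original post: it reads the schema objectVersion (44 after the Windows Server 2008 forestprep, 47 after 2008 R2) from every domain controller's own replica and flags domains still in Windows 2000 mixed mode. It assumes PowerShell 2.0 or later on a domain-joined computer; the variable names are illustrative.

```powershell
# Added example: pre-flight check before adprep /domainprep (not from the original post).
# Assumptions: PowerShell 2.0 or later on a domain-joined machine, run as a domain user.
$expectedSchema = 44   # schema objectVersion after Windows Server 2008 /forestprep (47 for 2008 R2)

$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaNC = ([ADSI]'LDAP://RootDSE').schemaNamingContext.Value
$problems = 0

foreach ($domain in $forest.Domains) {
    # Prerequisite from the list above: at least Windows 2000 native.
    if ($domain.DomainMode -eq 'Windows2000MixedDomain') {
        Write-Warning "$($domain.Name): still Windows 2000 mixed; raise the functional level first"
        $problems++
    }

    $infraMaster = $domain.InfrastructureRoleOwner.Name
    foreach ($dc in $domain.DomainControllers) {
        # Read objectVersion from this DC's own replica of the schema partition.
        $version = 0
        try {
            $version = [int]([ADSI]"LDAP://$($dc.Name)/$schemaNC").objectVersion.Value
        } catch {
            Write-Warning "$($dc.Name): could not read the schema partition: $($_.Exception.Message)"
        }

        $isInfra = ($dc.Name -eq $infraMaster)
        if ($version -lt $expectedSchema) {
            # A stale infrastructure master blocks /domainprep; other DCs are only lagging.
            if ($isInfra) { $problems++ }
            Write-Warning "$($dc.Name): schema version $version, expected $expectedSchema"
        }
        New-Object PSObject -Property @{
            Domain = $domain.Name; DomainController = $dc.Name
            SchemaVersion = $version; InfrastructureMaster = $isInfra
        }
    }
}

if ($problems -gt 0) {
    Write-Warning "$problems blocking issue(s): do not run adprep /domainprep yet"
    exit 1
}
```

A version of 0 in the output means the domain controller could not be queried, which is worth resolving before continuing because replication to it cannot be confirmed.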
Raising the domain functional level to Windows 2000 native or higher
Open Active Directory Users and Computers.
Select the domain LABTEST.in and right-click it. Click “Raise Domain Functional Level”.
This is my lab environment and it does not have any Windows 2000 domain controllers, so I am raising the level to Windows Server 2003. Open the drop-down list just below “select an available domain functional level” to list the available levels. Select the desired one and click Raise.
Once you click the Raise button, it asks for final confirmation; click OK.
Once you have finished the above steps, you get confirmation that the domain functional level has been raised successfully.
When you have completed the above steps and are ready to run adprep /domainprep, insert the Windows Server operating system DVD into the DVD drive of the infrastructure master. Then, change directories to the folder that contains Adprep.exe and run the command as mentioned above.
If you ran the version of the adprep /domainprep command that is included in Windows Server 2008 or Windows Server 2008 R2, the adprep /domainprep /gpprep command adds only the inheritable access control entries (ACEs) on Group Policy objects (GPOs) in the SYSVOL shared folder. The additional ACEs give enterprise domain controllers read access permissions on GPOs. These permissions are required to support Resultant Set of Policy (RSOP) functionality for site-based policy.
Running adprep /domainprep /gpprep can create a lot of replication traffic because every GPO is updated. Therefore, you might want to run this command during off-peak hours to minimize the impact of the additional replication.
If you run adprep /domainprep /gpprep before you run adprep /domainprep, Adprep.exe runs both commands sequentially. First, it performs the /domainprep operations, and then it performs the /gpprep operations.
Now you have to wait till the changes replicate throughout the forest before preparing any domains for a domain controller that runs Windows Server 2008. Once replication is completed then you are finally ready for the upgrade.
Adding Windows 2008 machine into domain
I have prepared my new virtual machine with the details below and joined it to the domain.
Operating System: Windows 2008 with SP 1 installed
Computer Name: DC-EXCH-2013
This is my lab environment, so I am disabling IPv6 on the member server.
Now insert your Server 2008 CD in the CD/DVD-ROM drive. Open the Run menu, type dcpromo, and hit Enter.
Active Directory Domain Services (AD DS) binaries will start installing.
Once the AD DS binaries have been installed successfully, the AD DS installation wizard will open. Select the check box “Use advanced mode installation” and hit Next.
You are promoting a member server to an additional domain controller, so select the radio buttons “Existing forest” and “Add a domain controller to an existing domain” and hit Next.
Type in the domain name. You have the option to use “Alternate credentials” to promote the server to an additional domain controller. Hit Enter.
Select the AD site in which you want to install the additional domain controller. In our test lab setup we have only the default AD site available, so we will choose the default site and hit Enter.
The additional domain controller will also work as a DNS server and Global Catalog, so leave the default settings and hit Enter.
Press Yes on the DNS Server Delegation window.
Select the replication method this additional domain controller will use to update.
Select the source domain controller to use as the replication partner. We have only one domain controller in our lab environment, so we will go with the default settings and hit Enter.
You can change the AD DS database, log files and SYSVOL locations to something other than the defaults. Here we are going with the defaults and hit Enter.
On the Summary page, we have the option to review all the settings that we applied to promote the server to an additional domain controller. Hit Next.
Once the AD DS configuration is completed, you will see the completion page of the wizard. Press Finish and restart the server.
Open the command prompt and type ntdsutil and hit enter
Once you are in NTDSUTIL menu, type roles and hit enter
Type connect to server DC-EXCH-2013 and hit Enter (this is the server to which you want to transfer the FSMO roles).
On the FSMO maintenance menu, type transfer PDC and hit Enter. It will prompt you to confirm the transfer; click Yes to continue.
Once you are done with the above step, FSMO maintenance gives you confirmation that the PDC role is now transferred to your connected server (i.e. connect to server DC-EXCH-2013).
On the FSMO maintenance menu, type transfer RID Master and hit Enter. It will prompt you to confirm the transfer; click Yes to continue.
On the FSMO maintenance menu, type transfer Infrastructure Master and hit Enter. It will prompt you to confirm the transfer; click Yes to continue.
Once you are done with the above step, FSMO maintenance gives you confirmation that the Infrastructure Master role is now transferred to your connected server (i.e. connect to server DC-EXCH-2013).
On the FSMO maintenance menu, type transfer Naming Master and hit Enter. It will prompt you to confirm the transfer; click Yes to continue.
Once you are done with the above step, FSMO maintenance gives you confirmation that the Naming Master role is now transferred to your connected server (i.e. connect to server DC-EXCH-2013).
On the FSMO maintenance menu, type transfer Schema Master and hit Enter. It will prompt you to confirm the transfer; click Yes to continue.
Once you are done with the above step, FSMO maintenance gives you confirmation that the Schema Master role is now transferred to your connected server (i.e. connect to server DC-EXCH-2013).
The FSMO transfer is now complete. Type quit twice to exit NTDSUTIL.
To verify that the FSMO roles have been transferred successfully, type netdom query FSMO and hit Enter.
You have successfully transferred all the FSMO roles from the server DC-Win-2003 to the server DC-EXCH-2013.
(Note: This was done in my lab environment; however, it can be used as a reference when upgrading a production environment.)
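The final verification step can also be scripted so that a role left behind on the old server is reported as a failure. The following is an added example, not part of the original post; it assumes PowerShell 2.0 or later on a domain-joined computer and uses the lab server name DC-EXCH-2013 from this walkthrough as the expected holder.

```powershell
# Added example: confirm that every FSMO role now sits on the new domain controller.
# Assumptions: PowerShell 2.0+, domain-joined machine; $expected is the lab server from this post.
$expected = 'DC-EXCH-2013'

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$roles  = @()

# Forest-wide roles: one holder each for the whole forest.
$roles += ,@($forest.Name, 'Schema master',        $forest.SchemaRoleOwner.Name)
$roles += ,@($forest.Name, 'Domain naming master', $forest.NamingRoleOwner.Name)

# Domain-wide roles: one holder each per domain.
foreach ($domain in $forest.Domains) {
    $roles += ,@($domain.Name, 'PDC',                   $domain.PdcRoleOwner.Name)
    $roles += ,@($domain.Name, 'RID master',            $domain.RidRoleOwner.Name)
    $roles += ,@($domain.Name, 'Infrastructure master', $domain.InfrastructureRoleOwner.Name)
}

$misplaced = 0
foreach ($entry in $roles) {
    $scope, $role, $holder = $entry
    # Holders are returned as FQDNs; compare the host label only (-eq ignores case).
    $onTarget = ($holder.Split('.')[0] -eq $expected)
    if (-not $onTarget) { $misplaced++ }
    New-Object PSObject -Property @{
        Scope = $scope; Role = $role; Holder = $holder; OnExpectedServer = $onTarget
    }
}

if ($misplaced -gt 0) {
    Write-Warning "$misplaced FSMO role(s) are not held by $expected"
    exit 1
}
```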