Upgrading your Windows Server 2003 and Windows Server 2003 R2 Domain Controllers in-place to Windows Server 2008 Domain Controllers consists of the following steps:
Before you begin
Avoid common mistakes
There is a very good Microsoft Knowledge Base article on Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain, written by community experts. I suggest you read it (twice). Most of its contents also apply to transitioning from Windows Server 2003 (R2) to Windows Server 2008.
Plan your server lifecycle
It’s not uncommon for a Domain Controller to sit on your network for a period of five years. I believe you should keep this in mind when selecting and buying a server. You should plan your partitions (or volumes) carefully and place the Active Directory files on separate volumes when your needs justify it. The Windows Server catalog helps you pick systems that will run Windows Server 2008 with ease.
Assess your readiness
Microsoft has kindly provided a tool that scans systems to assess whether they are capable of running Windows Server 2008, whether drivers are available (either from Microsoft Update or on the installation media) and what problems you might encounter when upgrading to Windows Server 2008. I recommend checking your systems with this tool, which is called the Microsoft Assessment and Planning Solution Accelerator (MAP for short).
Make backups of all your Domain Controllers and verify you can restore these backups when needed.
It is a good thing to know exactly what you’re migrating. When things go wrong you might need to be able to revert back to the old situation. This might require the Directory Services Restore Mode (DSRM) password and credentials for service accounts, which might not be written down anywhere. In multiple Domain Controller, multiple domain, multiple forest and multiple sites scenarios it’s very wise to make a table containing the relevant information per Domain Controller in terms of Flexible Single Master Operations (FSMO) roles, Global Catalog placement, domain membership, site membership, replication topology, routing tables, IP addressing, etc.
When done right your colleagues might not even suspect a thing, but it’s important to shed some light on what you’re doing. (Make someone) communicate to the end users that you’re going to mess with the core of their infrastructure. This might result in colleagues understanding you’re (really) busy and might also result in problems being reported fast. Both are good things if you ask me…
Prepare your Active Directory environment
Before you can begin to upgrade the first Windows Server 2003 Domain Controller to a Windows Server 2008 Domain Controller, you first have to prepare the Active Directory.
Microsoft provides a tool called adprep.exe to facilitate this preparation. You need to run the following commands on the following servers in your Active Directory environment:
| Command | Domain Controller |
| --- | --- |
| adprep.exe /forestprep | Schema Master |
| adprep.exe /domainprep | Infrastructure Master |
| adprep.exe /domainprep /gpprep | Infrastructure Master |
| adprep.exe /rodcprep * | Domain Naming Master |
* Optional when you want to deploy Read Only Domain Controllers.
After preparing your Active Directory for Windows Server 2008 be sure to check the process. Breadcrumbs to failures may be found in the event viewer, but real men will check the adprep.log files.
Allow sufficient time for proper replication to all your Windows Server 2003 Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the replmon and repadmin tools to check and optionally troubleshoot Active Directory replication.
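One way to confirm that the forestprep schema change has reached every Domain Controller, as an added example that is not part of the original article: it reads the schema partition's objectVersion from each Domain Controller directly. It assumes the value 44, which is the schema version written by the Windows Server 2008 forestprep (a fact not stated on this page), and PowerShell 2.0 or later on a domain-joined machine.

```powershell
# Added example: verify that the schema update from adprep /forestprep has
# replicated to every Domain Controller in the forest.
# Assumption: Windows Server 2008 forestprep sets schema objectVersion to 44.
$expected = 44

$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = "$($rootDse.schemaNamingContext)"   # DN of the schema partition

$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $version = $null
        try {
            # Bind to this specific DC so its own replica is read.
            $entry = [ADSI]"LDAP://$($dc.Name)/$schemaNC"
            $raw   = "$($entry.objectVersion)"
            if ($raw) { $version = [int]$raw }
        } catch {
            # Leave $version empty; the DC is reported as 'no answer' below.
        }

        if ($null -eq $version)         { $status = 'no answer' }
        elseif ($version -ge $expected) { $status = 'ok' }
        else                            { $status = 'not yet replicated' }

        New-Object PSObject -Property @{
            Domain = $domain.Name; DC = $dc.Name
            SchemaVersion = $version; Status = $status
        }
    }
}

$results | Sort-Object Domain, DC |
    Format-Table Domain, DC, SchemaVersion, Status -AutoSize

# Anything not 'ok' needs a closer look with repadmin before upgrading.
$pending = @($results | Where-Object { $_.Status -ne 'ok' })
if ($pending.Count -gt 0) {
    "$($pending.Count) Domain Controller(s) have not confirmed schema version $expected."
} else {
    "All Domain Controllers report schema version $expected or later."
}
```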
Choosing which Domain Controller to upgrade first
When your Active Directory forest consists of many Active Directory domains, begin your upgrades in the forest root domain.
Flexible Single Master Operations (FSMO) roles are key in your Active Directory environment. When your environment allows it, it is recommended to:
* Transfer all the Flexible Single Master Operations (FSMO) roles from the root domain (3) and the entire forest (2) to a single Active Directory Domain Controller
* Make all Domain Controllers Global Catalogs
Perform an in-place upgrade of the Domain Controller holding all the Flexible Single Master Operations (FSMO) roles first. This will ensure the first Windows Server 2008 Domain Controller is a Global Catalog and all the Flexible Single Master Operations (FSMO) roles are on Windows Server 2008.
After you have upgraded the Domain Controller holding all the FSMO roles in the forest root domain, you can upgrade the Domain Controllers for additional domains in your forest. Place the domain-wide FSMO roles (3) on a single server and upgrade it in-place.
When you’re done upgrading other servers you can redistribute Flexible Single Master Operations (FSMO) roles across other servers, although it is a best practice to keep your Flexible Single Master Operations (FSMO) roles on as few servers as possible.
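The per-Domain-Controller table suggested under "Before you begin" and the FSMO and Global Catalog placement discussed above can be collected in one pass. The following is an added example, not code from the original article; it assumes PowerShell 2.0 or later on a domain-joined machine and uses only the .NET System.DirectoryServices.ActiveDirectory classes.

```powershell
# Added example: Domain Controller inventory and FSMO placement.
# No ActiveDirectory module is required; run as a domain user.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# One row per Domain Controller in every domain of the forest.
$inventory = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $row = New-Object PSObject -Property @{
            Domain = $domain.Name; DC = $dc.Name; Site = $null
            IP = $null; OS = $null; GC = $null; Roles = $null
        }
        try {
            $row.Site  = $dc.SiteName
            $row.IP    = $dc.IPAddress
            $row.OS    = $dc.OSVersion
            $row.GC    = $dc.IsGlobalCatalog()
            $row.Roles = ($dc.Roles | ForEach-Object { "$_" }) -join ', '
        } catch {
            # A DC that cannot be queried still gets a row so it is not missed.
            $row.Roles = "query failed: $($_.Exception.Message)"
        }
        $row
    }
}
$inventory | Sort-Object Domain, DC |
    Format-Table Domain, DC, Site, IP, OS, GC, Roles -AutoSize

# Forest-wide roles (2) plus the forest root domain's roles (3).
$root    = $forest.RootDomain
$holders = @(
    $forest.SchemaRoleOwner.Name
    $forest.NamingRoleOwner.Name
    $root.PdcRoleOwner.Name
    $root.RidRoleOwner.Name
    $root.InfrastructureRoleOwner.Name
) | Sort-Object -Unique

if (@($holders).Count -eq 1) {
    "All five roles are on $($holders); candidate to upgrade first."
} else {
    "Roles are spread over $(@($holders).Count) servers: $($holders -join ', ')"
}

# Domain Controllers that are not yet Global Catalogs.
$inventory | Where-Object { $_.GC -eq $false } |
    ForEach-Object { "Not a Global Catalog: $($_.DC)" }
```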
Upgrade the first Domain Controller
After preparing your Active Directory environment you can start the in-place upgrade on your first Windows Server 2003 Domain Controller. Simply insert the Windows Server 2008 DVD corresponding to the architecture (x86, x64 or Itanium) and the edition (Standard, Enterprise, Datacenter) you’re migrating from and to.
In the initial Install Windows screen press the Install Now button to begin installation of Windows Server 2008.
The screen Get important updates for installation gives you the option to either go online and get the latest updates for installation or to skip going online. I recommend choosing Go online to get the latest updates for installation (recommended), since Microsoft might enhance the Windows Server 2008 installation wizard by adding additional support for drivers and scenarios.
These updates are not related to the updates you’re accustomed to receiving through Windows Update or Microsoft Update. They relate to the Windows Server 2008 installation process only. Microsoft may choose to enhance the installation experience between Service Pack releases.
Depending on your media type you will see the Type your product key for activation window. If you do, simply type your Windows product key and tick the Automatically activate Windows when I’m online option.
In the Which type of installation do you want window select Upgrade.
The Compatibility report window will be displayed, telling you what hardware might not function once the upgrade is completed and advising you to check with software vendors whether their software is compatible with Windows Server 2008. Click Next.
The Installation wizard will now perform an in-place upgrade of your Windows Server 2003 Domain Controller. After multiple restarts, the Upgrade process will be completed and you will be able to start using your Windows Server 2008. Your upgrade might take hours to complete.
Upgrade additional Domain Controllers
Upgrading additional Domain Controllers in place is as easy as repeating the steps for in-place upgrading the first Domain Controller.
If you want to deploy Read Only Domain Controllers (RODCs) in the same domain as your upgraded Domain Controller, make sure:
* You have deployed at least one Windows Server 2008 in each domain you want to deploy Read Only Domain Controllers, before you deploy the first Read Only Domain Controller.
* Both the Forest functional level and Domain functional level are Windows Server 2003 at minimum, before you deploy the first Read Only Domain Controller.
* You have run adprep.exe /rodcprep on the Domain Controller holding the Domain Naming Master Flexible Single Master Operations (FSMO) role for the forest you want to deploy Read Only Domain Controllers in, before you deploy the first Read Only Domain Controller.
Raise the domain functional level
After you’ve successfully upgraded the last Windows Server 2003 Domain Controller for a specific domain (or you don’t feel the need to ever add pre-Windows Server 2008 Domain Controllers to your Active Directory environment) you’re ready to raise the Domain functional level of that domain.
Upgrading the domain functional level to Windows Server 2008 adds the following features to your environment:
* Distributed File System Replication (DFS-R) support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents with minimal replication traffic compared to FRS.
* Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.
* Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
* Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain, instead of per domain only.
Raising the functional level is a one way procedure. Once you’ve raised your domain functional level there’s no way to return to the previous domain functional level.
Raising the domain functional level in Windows Server 2008 looks remarkably similar to raising the domain functional level on Windows Server 2003:
1. Log on to the Domain Controller holding the PDC emulator FSMO role with a user account that is a member of the Domain Administrators group.
2. Open Active Directory Domains and Trusts.
3. In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
4. In Select an available domain functional level, click Windows Server 2008, and then click Raise.
Raise the forest functional level
After you’ve successfully raised the domain functional level of all the domains in your Active Directory forest you’re ready to upgrade the Forest functional level. This will not add any features, but it will result in all domains that are subsequently added to the forest operating at the Windows Server 2008 domain functional level by default.
Raising the functional level is a one way procedure. Once you’ve raised your forest functional level there’s no way to return to the previous forest or domain functional levels.
To upgrade the forest functional level to Windows Server 2008 perform the following actions:
1. Log on to the Domain Controller of the forest root domain holding the PDC Emulator FSMO role with a user account that is a member of the Enterprise Administrators group.
2. Open Active Directory Domains and Trusts.
3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
4. Under Select an available forest functional level, click Windows Server 2008, and then click Raise.