Tactical Advice

How to Migrate an Active Directory Domain to Windows Server 2008

This story appears in the September 2007 issue of BizTech Magazine.

Windows Server 2008 includes a handful of important upgrades to your Active Directory domain infrastructure. The most useful are these:

  • Read-Only Domain Controllers: RODCs are a new type of domain controller that doesn’t allow updates but does provide authentication and directory services. This reduces the risk of an Active Directory security compromise (especially for branch offices with poor physical security) because an attacker with access to an RODC would have a very difficult time using that access to update the Active Directory.
  • Flexible Password Policies: You can assign different password policies to different sets of users within a single domain—finally! If you have created separate domains to work around this restriction in the past, get rid of those redundant domains after the upgrade.
  • Auditing: Active Directory auditing is much more granular in Windows Server 2008, allowing you to closely track changes on just the objects you’re interested in (including recording both the old and new values). You can separately audit read accesses and replication.

You can take advantage of these improvements only by upgrading every domain controller in a domain to Windows Server 2008, and then upgrading the domain functional level. That sounds easy, but if you don’t plan it properly, you could be left with a broken Active Directory and thousands of angry users. Follow these tips to upgrade without fear.

1. Back up your domain controllers

While most upgrades go smoothly, there’s the possibility of creating an outage that could affect your entire domain — potentially preventing users from accessing network resources. The more customized your Active Directory schema and permissions, the more likely you are to have problems. Therefore, you should plan your upgrade during nonpeak hours and have a full backup (including System State) of at least two domain controllers in case you need to roll back to an earlier version.

2. Verify upgrade requirements

Before you can upgrade the domain functional level, all domain controllers in the domain must be running Windows Server 2008. This allows you to take advantage of the new features but prevents you from adding any domain controllers running earlier versions of Windows.

Before you start upgrading, verify that your domain controllers meet these requirements:

  • The hardware exceeds the Windows Server 2008 requirements.
  • All hardware and software is compatible with Windows Server 2008, including antivirus software and drivers.
  • Sufficient disk space is free to perform the operating system and Active Directory upgrade. Specifically, verify that your free space is at least twice the size of your Active Directory database.
  • The current domain functional level is Windows 2000 Native or Windows Server 2003. You cannot upgrade directly from Windows NT 4.0, Windows 2000 Mixed or Windows Server 2003 Interim domain functional levels.
  • All Windows 2000 Server domain controllers have Service Pack 4 installed.
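The following preflight script checks the items in the list above that can be checked by machine. It is an added example, not code from the article, and it assumes PowerShell 2.0 or later on the Windows Server 2003 domain controller you plan to upgrade first; it reads the database path from the registry value the directory service itself uses ("DSA Database file" under the NTDS service parameters) and queries every domain controller in the domain over WMI for its OS version and service pack. The hardware, driver and antivirus compatibility items still have to be verified by hand.

```powershell
# Added example, not from the article. Run in an elevated PowerShell 2.0+ session on a
# Windows Server 2003 domain controller; WMI queries go to every DC in the domain.
$results = @()

# Requirement: domain functional level must be Windows 2000 Native or Windows Server 2003.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$mode   = $domain.DomainMode.ToString()
$results += New-Object PSObject -Property @{
    Check = 'Domain functional level'
    Value = $mode
    Pass  = (($mode -eq 'Windows2000NativeDomain') -or ($mode -eq 'Windows2003Domain')) }

# Requirement: free space on the volume holding ntds.dit must be at least twice its size.
# "DSA Database file" is the registry value the directory service reads for the path.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = (Get-ItemProperty -Path $ntdsKey).'DSA Database file'
$dbBytes = (Get-Item -Path $dbPath).Length
$volume  = [System.IO.Path]::GetPathRoot($dbPath).TrimEnd('\')   # e.g. C:
$free    = (Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$volume'").FreeSpace
$results += New-Object PSObject -Property @{
    Check = 'Free space >= 2 x ntds.dit'
    Value = ('{0:N0} MB free, {1:N0} MB database on {2}' -f ($free / 1MB), ($dbBytes / 1MB), $volume)
    Pass  = ($free -ge (2 * $dbBytes)) }

# Requirement: every Windows 2000 Server DC has Service Pack 4.
# Windows 2000 reports kernel version 5.0.x; the service pack level comes from WMI.
foreach ($dc in $domain.DomainControllers) {
    $os        = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dc.Name
    $isWin2000 = ($os.Version -like '5.0.*')
    $results += New-Object PSObject -Property @{
        Check = "Service pack on $($dc.Name)"
        Value = ('{0} SP{1}' -f $os.Caption.Trim(), $os.ServicePackMajorVersion)
        Pass  = ((-not $isWin2000) -or ($os.ServicePackMajorVersion -ge 4)) }
}

$results | Format-Table Check, Value, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more upgrade requirements are not met; resolve them before continuing.'
}
```

Run it once per domain before touching any domain controller; a failed row names the requirement and the DC it applies to, so the output doubles as the checklist you keep with the change record.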

3. Test your domain

Active Directory domains are very resilient and can continue to function even when a variety of problems exist. Even if your Active Directory seems to be working, you might have logon delays, replication failures or Group Policy settings that aren’t being applied. These conditions can cause problems during an upgrade, so it’s important to resolve them now.

These tools will help you identify and diagnose any problems:

  • Dcdiag.exe. Run this tool to analyze your Active Directory for common problems; it’s included with Windows Server 2003 and Windows Server 2008.
  • Repadmin.exe. Use Repadmin.exe to identify Active Directory replication problems; it’s included with Windows Server 2003 and Windows Server 2008.
  • Gpotool.exe. Use this tool to verify that Group Policy is consistent among domain controllers; it’s included with the Windows Server 2003 Resource Kit tools, available at http://go.microsoft.com/fwlink/?linkid=27766.
  • Event Viewer. Review the Directory Services log file for errors that might indicate problems.
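The four tools above each produce their own output; the script below, an added example that is not part of the article, gathers them into one short health report so the pre-upgrade check is repeatable. It assumes an elevated PowerShell 2.0 or later session on a domain controller with repadmin.exe and dcdiag.exe on the PATH, and gpotool.exe installed from the Resource Kit (it is skipped if absent). The CSV column names are the ones repadmin prints with /csv, and the seven-day event log window is an arbitrary choice.

```powershell
# Added example, not from the article. Consolidates repadmin, dcdiag, gpotool and the
# Directory Service event log into one report. PowerShell 2.0+, run on a DC.

# 1. Replication: "/showrepl *" queries every DC; "/csv" makes the output parseable.
$links   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failing = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
if ($failing.Count -gt 0) {
    Write-Host "Replication links with failures: $($failing.Count)"
    $failing | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
        'Number of Failures', 'Last Success Time', 'Last Failure Status' -AutoSize
} else {
    Write-Host 'repadmin: no replication failures reported.'
}

# 2. Dcdiag: "/q" prints only failures, so any output at all means a test did not pass.
$dcdiagOutput = dcdiag /q
if ($dcdiagOutput) { Write-Host 'dcdiag reported problems:'; $dcdiagOutput }
else { Write-Host 'dcdiag: all tests passed.' }

# 3. Group Policy consistency across DCs. gpotool ends its output with "Policies OK"
#    when every GPO's version and contents agree on all DCs it checked.
if (Get-Command gpotool.exe -ErrorAction SilentlyContinue) {
    $gpo = gpotool
    if ($gpo -match 'Policies OK') { Write-Host 'gpotool: Group Policy is consistent.' }
    else { Write-Host 'gpotool found inconsistencies:'; $gpo }
} else {
    Write-Host 'gpotool.exe not found; install the Windows Server 2003 Resource Kit tools.'
}

# 4. Directory Service event log: errors from the last seven days, grouped by event ID,
#    with the first line of one message as a sample.
$since    = (Get-Date).AddDays(-7)
$dsErrors = Get-EventLog -LogName 'Directory Service' -EntryType Error -After $since
if ($dsErrors) {
    $dsErrors | Group-Object EventID | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'EventID'; e = { $_.Name } },
            @{ n = 'Sample';  e = { ($_.Group[0].Message -split "`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Host "Directory Service log: no errors since $since."
}
```

Anything this report flags (a link with a non-zero failure count, any dcdiag output, a gpotool mismatch, a recurring event ID) is a problem to fix before the upgrade, not one to carry through it.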

4. Prepare your schema

Just as when upgrading to a Windows Server 2003 functional level, you must use the Adprep.exe tool to prepare your forest and domain schema. Note that you must use the version of Adprep included on the Windows Server 2008 media in the \sources\adprep folder, even though you will need to run it from an existing Windows Server 2003 domain controller. Be sure to use 32-bit media when running Adprep from a 32-bit domain controller, and use 64-bit media for 64-bit domain controllers.

To prepare your Active Directory schema, follow these steps for each domain that you plan to upgrade:

  1. Run Adprep /forestprep on your Schema Master with Enterprise Admins, Schema Admins and Domain Admins privileges. Wait for changes to replicate.
  2. Run Adprep /domainprep /gpprep on the Infrastructure Master with Domain Admin privileges. On Windows Server 2003 domains, you’ll receive an error message caused by the unnecessary /gpprep parameter that you can ignore.
  3. On Windows Server 2003 domains, run Adprep /rodcprep on the Domain Naming Master with Domain Admin privileges.

Note: As long as your domain and forest are at the Windows Server 2003 functional level and you’ve prepared the schema, you don’t need to upgrade your entire domain to install a Windows Server 2008 RODC.
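Because each Adprep command must run locally on a specific FSMO role holder, and with the media that matches that server's architecture, it helps to resolve both before walking to the server. The script below is an added example, not from the article: it looks up the three role holders, reads each one's processor address width over WMI (Win32_Processor.AddressWidth, which exists on Windows Server 2003 as well as 2008), and afterwards reads the schema container's objectVersion to confirm that forestprep took effect. The schema version numbers (30 for Windows Server 2003, 31 for 2003 R2, 44 after Windows Server 2008 forestprep) are Microsoft's published values and are not stated in the article.

```powershell
# Added example, not from the article. Run from any domain-joined machine with
# PowerShell 2.0+ as a user allowed to query WMI on the domain controllers.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# The three Adprep steps and the role holder each one must be run on (from the steps above).
$steps = @(
    @{ Command = 'adprep /forestprep';         Role = 'Schema Master';         Holder = $forest.SchemaRoleOwner.Name },
    @{ Command = 'adprep /domainprep /gpprep'; Role = 'Infrastructure Master'; Holder = $domain.InfrastructureRoleOwner.Name },
    @{ Command = 'adprep /rodcprep';           Role = 'Domain Naming Master';  Holder = $forest.NamingRoleOwner.Name }
)

foreach ($step in $steps) {
    # AddressWidth is 32 or 64 and tells us which Windows Server 2008 media to use there.
    $cpu  = Get-WmiObject -Class Win32_Processor -ComputerName $step.Holder | Select-Object -First 1
    $line = '{0,-26} run on {1} ({2}); use the {3}-bit media, \sources\adprep\adprep.exe' -f `
            $step.Command, $step.Holder, $step.Role, $cpu.AddressWidth
    Write-Host $line
}

# Verification once /forestprep has replicated: objectVersion on the schema container
# is 30 (Windows Server 2003), 31 (2003 R2) or 44 (after Windows Server 2008 forestprep).
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = $rootDse.schemaNamingContext.Value
$version  = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value
Write-Host "Schema objectVersion is $version"
if ($version -ge 44) { Write-Host 'The schema has been extended for Windows Server 2008.' }
else { Write-Host 'Windows Server 2008 forestprep has not been applied (or has not replicated) yet.' }
```

Run the first part before step 1 to get the worklist, and the verification part after step 1 on a domain controller other than the Schema Master: seeing version 44 there proves both that forestprep succeeded and that the change replicated, which is what the "wait for changes to replicate" instruction is asking you to confirm.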

5. Migrate your domains

Before you upgrade a domain, be sure that you don’t plan to add domain controllers running Windows 2000 Server or Windows Server 2003. While you can always upgrade the domain functional level, you can never downgrade it.

The easiest way to migrate your domain to the Windows Server 2008 functional level is to follow these steps:

  1. Install a new Windows Server 2008 computer, and then run Dcpromo.exe. You can configure either a Full Server or a Server Core as a domain controller. On Full Servers, you also have the option of adding the Active Directory Domain Services role using Server Manager.
    Tip: You can use command-line parameters to run Dcpromo.exe unattended (with or without an answer file). For detailed information, run Dcpromo /?.
  2. Wait for replication to occur.
  3. Retire or upgrade all Windows 2000 Server and Windows Server 2003 computers. To upgrade a Windows 2000 Server, upgrade it to Windows Server 2003, and then upgrade it to Windows Server 2008.
  4. Upgrade the domain functional level using the Active Directory Domains and Trusts tool. Right-click the domain, and then click Raise domain functional level.
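Since raising the functional level can never be undone, step 4 deserves a check that step 3 is really complete. The script below is an added example and not the article's own procedure: it lists every domain controller the directory still knows about with the operating system it reports, refuses to continue if any is not Windows Server 2008, and otherwise raises the level with the same .NET call the Active Directory Domains and Trusts console makes. It assumes PowerShell 2.0 or later, the .NET Framework 3.5 (which provides the Windows2008Domain value), and Domain Admin rights.

```powershell
# Added example, not from the article. Verifies every DC runs Windows Server 2008 before
# raising the domain functional level, because the raise is irreversible.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Write-Host "Domain $($domain.Name) is currently at $($domain.DomainMode)"

# Step 3 check: a DC that was retired without running Dcpromo still appears here, and an
# un-upgraded one reports an older OS; either blocks the raise.
$dcs      = @($domain.DomainControllers)
$outdated = @($dcs | Where-Object { $_.OSVersion -notlike 'Windows Server 2008*' })
$dcs | Format-Table Name, SiteName, OSVersion -AutoSize
if ($outdated.Count -gt 0) {
    Write-Warning "Retire or upgrade these $($outdated.Count) domain controller(s) before raising the level:"
    $outdated | ForEach-Object { Write-Warning "  $($_.Name) ($($_.OSVersion))" }
    return
}

# Step 4: raise the level, with an explicit confirmation because it cannot be reverted.
$prompt = "All $($dcs.Count) DCs report Windows Server 2008. Type RAISE to raise $($domain.Name) to Windows Server 2008"
$answer = Read-Host $prompt
if ($answer -ceq 'RAISE') {
    $domain.RaiseDomainFunctionality([System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2008Domain)
    # Re-read the domain object so the new level is shown; replication carries it to the other DCs.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    Write-Host "Domain $($domain.Name) is now at $($domain.DomainMode)"
} else {
    Write-Host 'No change made.'
}
```

If a decommissioned server still shows up in the list, clean up its metadata first rather than forcing the raise; the directory treats it as a live replication partner until you do.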

Now, test any applications that depend on Active Directory, including user logons and Exchange Server. If you run into problems, restore your domain controllers from backups, and head back to the lab for more testing. If everything goes well, wait a couple of weeks for the environment to stabilize before you make any other major changes.

6. Upgrade your forest

There are no new features available if you upgrade your forest to the Windows Server 2008 functional level — it just causes any new domains that are added to the forest to be at the Windows Server 2008 domain functional level by default. Still, it’s a worthwhile step to save yourself the trouble of upgrading a new domain that you accidentally added at the wrong functional level.

Summary

Microsoft must have been listening to the complaints about Active Directory limitations because Windows Server 2008 allows multiple password policies within a domain, read-only domain controllers and auditing that’s actually useful. If you follow these steps, you’ll be finished with your upgrade in no time.

Tony Northrup is a developer, security consultant and author with more than 10 years of professional experience developing applications for Microsoft Windows.