In many cases, the Windows Server 2003/2008
environment that will be migrated includes one or many Active Directory
domains and forests. Because Active Directory is one of the most
important portions of a Microsoft network, it is consequently one of the
most important areas to focus on in a migration process. In addition,
many of the improvements made to Windows Server 2008 R2 are directly
related to Active Directory, making it even more appealing to migrate
this portion of an environment.
The decision to upgrade
Active Directory should focus on these key improvement areas. If one or
more of the improvements to Active Directory Domain Services justifies
an upgrade, it should be considered. Improvements were
introduced in Windows Server 2003 and Windows Server 2008, and yet more
improvements were made in Windows Server 2008 R2.
The following list details some
of the many changes made to Active Directory in Windows Server 2003
that improved on the original Windows 2000 Server Active Directory:
Domain rename
capability— Windows Server 2003
Active Directory supported the renaming of either the NetBIOS name or
the LDAP/DNS name of an Active Directory domain. The Active Directory
domain rename tool (rendom.exe) can be used for this purpose, but only in
forests in which every domain controller runs Windows Server 2003 or
later and the forest functional level is Windows Server 2003.
Cross-forest
transitive trusts— Windows Server 2003
supports forest trusts: transitive trusts established between the root
domains of two separate Active Directory forests. Windows 2000 supported
only explicit external trusts, which are nontransitive, so permissions
could not flow between domains in separate forests. This limitation has
been lifted in Windows Server 2003 or later, provided both forests are at
the Windows Server 2003 forest functional level.
Universal group caching— One of the main structural limitations of Active
Directory was the need to establish very “chatty” global catalog servers
in every site established in a replication topology, or run the risk of
extremely slow client logon times and directory queries. Windows Server
2003 or later enables remote domain controllers to cache universal
group memberships for users so that each logon request does not require
the use of a local global catalog server.
Intersite topology generator (ISTG) improvements—
The
ISTG in Windows Server 2003 was improved to support configurations with
extremely large numbers of sites. In addition, the time required to
determine site topology has been noticeably improved through the use of a
more efficient ISTG algorithm.
Multivalued attribute replication improvements— In Windows 2000 Server, if a universal
group changed its membership from 5,000 users to 5,001 users, the entire
group membership had to be rereplicated across the entire forest.
Windows Server 2003 addressed this problem with linked value replication,
which replicates only the individual membership changes. It becomes
active when the forest functional level is raised to Windows Server 2003.
Lingering objects (zombies) detection— A domain controller that has been out of service
for longer than the tombstone lifetime (the Time to Live of a deleted
object) could “resurrect” those objects when it came back online,
forcing them back to life as zombies, or lingering objects. Because a
lingering object can be a deleted user or group, this is a security
problem as well as a replication problem. Windows Server 2003 properly
identified these zombies and, with strict replication consistency,
prevented them from being replicated to other domain controllers.
AD-integrated DNS zones
in application partitions— Replication of
DNS zones was improved and made more flexible in Windows Server 2003 by
storing AD-integrated zones in the DomainDnsZones or ForestDnsZones
application partitions rather than in the domain partition, which limits
replication to the domain controllers that run DNS and reduces network
traffic. A zone in DomainDnsZones replicates to the DNS servers of that
domain; a zone in ForestDnsZones replicates to every DNS server in the
forest, if that is appropriate.
The Windows Server
2008 Active Directory retained all the new features of Windows Server
2003 Active Directory and added several key new features, as follows:
Fine-grained
password policies— Password and account lockout policies
can be applied to different users and global security groups within the
same Active Directory domain, instead of a single policy per domain.
This requires the Windows Server 2008 domain functional level.
Read-Only
Domain Controllers— These domain
controllers are designed for branch offices and for extranet scenarios,
in that they allow directory information to be read but not changed, and
they store no account passwords except those an administrator explicitly
permits through the Password Replication Policy. This limits the damage
if a domain controller is stolen from a site that requires directory
services but is not as secure as the corporate data center.
Granular auditing— Active Directory auditing is much more
granular: the Directory Service Changes subcategory can be enabled for
some objects and attributes but not others, and the events it records
include the old and new values of a changed attribute. Limiting the
scope reduces the volume of security logs while giving the auditor or
analyst more useful information to review during an audit or
investigation.
Distributed File System Replication (DFSR)— DFSR is now used for SYSVOL replication,
replacing the File Replication Service (FRS) that is used to replicate
SYSVOL in Windows 2000 Server and Windows Server 2003. This feature
provides more robust and detailed replication of SYSVOL contents and is
available when the domain functional level is raised to Windows Server
2008. An existing domain does not switch automatically; SYSVOL is moved
from FRS to DFSR with the dfsrmig.exe migration tool.
Features introduced with
the upgrade to Windows Server 2008 R2 include the following:
Active Directory Module for Windows PowerShell— The Active Directory Module for Windows PowerShell is a
consolidated group of Windows PowerShell cmdlets you can use to manage
Active Directory.
Active Directory
Administrative Center— The
Active Directory Administrative Center is a task-oriented AD management
console that allows for the management of users, groups, computers,
sites, and domains from one console.
Recycle Bin for AD—
Previously deleted objects can now be restored from the Recycle Bin with
their attributes and group memberships intact. The feature requires the
Windows Server 2008 R2 forest functional level, must be enabled
explicitly, and cannot be disabled once it has been enabled.
Offline Domain Join— Join Windows machines to the domain, while
offline, via a provisioning file created in advance with djoin.exe.
Managed Service Accounts— This feature greatly improves the daunting task of
managing service account passwords: the domain generates and rotates the
password automatically, as it does for computer accounts, so no
administrator needs to know or change it, and the account's service
principal names are maintained along with it.
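The three Windows Server 2008 R2 features above are all driven from the Active Directory Module for Windows PowerShell (and djoin.exe). The following is an added example, not code from the original text: it enables the Recycle Bin after checking the forest functional level, restores a deleted user, provisions a Managed Service Account for one host, and creates an offline-join blob. The forest name (companyabc.com), host names (WEB01, WEB02), account names (svcWeb01, jsmith) and file paths are assumptions for illustration.

```powershell
# Added example (not from the original text): Windows Server 2008 R2 AD features via
# the Active Directory Module for Windows PowerShell. Run on a 2008 R2 domain
# controller, or a machine with RSAT, as Enterprise Admin. Names below are assumed.
Import-Module ActiveDirectory

$forestName = 'companyabc.com'   # assumed forest name

# 1. Recycle Bin for AD. Needs the Windows Server 2008 R2 forest functional level,
#    must be enabled explicitly, and once enabled it cannot be turned off again.
$forest = Get-ADForest -Identity $forestName
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 R2 first."
}
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forestName -Confirm:$false
}

# Restore a deleted user (assumed name jsmith) by its last known RDN. With the
# Recycle Bin, the object keeps its SID, attributes and group memberships.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and msDS-LastKnownRDN -eq "jsmith"' `
    -IncludeDeletedObjects -Properties 'msDS-LastKnownRDN', 'lastKnownParent'
if ($deleted) { $deleted | Restore-ADObject }

# 2. Managed Service Account. The domain rotates the password automatically, so no
#    administrator ever knows it. In 2008 R2 an MSA is bound to exactly one computer.
New-ADServiceAccount -Name 'svcWeb01' -Enabled $true
Add-ADComputerServiceAccount -Identity 'WEB01' -ServiceAccount 'svcWeb01'
# Then on WEB01 itself (local administrator, AD module installed), before configuring
# the service to log on as COMPANYABC\svcWeb01$ with a blank password:
#   Install-ADServiceAccount -Identity 'svcWeb01'

# 3. Offline Domain Join. The blob is created here, on a machine that can reach a
#    DC, and imported later on a machine that cannot. It contains the new machine
#    account's password, so transfer it over a protected channel and delete it after use.
New-Item -ItemType Directory -Path 'C:\odj' -Force | Out-Null
djoin.exe /provision /domain $forestName /machine 'WEB02' /savefile 'C:\odj\WEB02.txt'
# On WEB02 (offline), followed by a reboot:
#   djoin.exe /requestODJ /loadfile C:\odj\WEB02.txt /windowspath %SystemRoot% /localos
```

Each section is independent of the others; the Recycle Bin check is placed first because raising the forest functional level is the one step here that affects every domain in the forest and cannot be reversed.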
In the scenario in this
section, there are two domains (companyabc.com and asia.companyabc.com),
which are members of the same forest (shown in Figure 1). The companyabc.com domain has all Windows 2000 Server
SP4 domain controllers and the asia.companyabc.com domain has all
Windows Server 2003 SP2 domain controllers. The entire forest will be
upgraded to Windows Server 2008 R2, but the domains need to be migrated
over time. Thus, a phased migration will be used.
Migrating Domain
Controllers
The domain controllers can either be directly
upgraded to Windows Server 2008 R2 or replaced by newly introduced
Windows Server 2008 R2 domain controllers. The decision to upgrade an
existing server largely depends on the hardware of the server in
question. The rule of thumb is, if the hardware will support Windows
Server 2008 R2 now and for the next two to three years, a server can be
directly upgraded. If this is not the case, using new hardware for the
migration is preferable. Note that Windows Server 2008 R2 is available
only for x64 processors, so a domain controller running a 32-bit edition
of Windows Server 2003 cannot be upgraded in place and must be replaced.
The prerequisites for
upgrading an Active Directory forest and domain discussed earlier still
apply. The prerequisites to upgrade to Windows Server 2008 R2 Active
Directory are as follows:
The operating system on
the domain controllers is Windows Server 2003 SP2 or higher, x64
edition. Windows 2000 Server domain controllers cannot be upgraded in
place.
The current domain
functional level is Windows 2000 Native or Windows Server 2003. You
cannot upgrade directly from Windows NT 4.0, Windows 2000 Mixed, or
Windows Server 2003 interim domain functional levels.
Both prerequisites must be met before a domain controller is upgraded to
Windows Server 2008 R2.
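Before deciding which domain controllers can be upgraded in place and which must be replaced, it helps to have the inventory in front of you. The following is an added example, not from the original text: it walks every domain in the current forest using only the .NET System.DirectoryServices.ActiveDirectory classes, so it runs from Windows PowerShell 2.0 on a Windows Server 2003 member server, where the 2008 R2 Active Directory module is not available. The accepted domain modes and OS name patterns are taken from the prerequisites above.

```powershell
# Added example (not from the original text): inventory every domain controller in the
# forest and flag those that fail the 2008 R2 upgrade prerequisites (OS and domain
# functional level). Needs only read access to the directory (any domain user).
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Domain functional levels from which an in-place upgrade to 2008 R2 is supported.
# Windows2000MixedDomain and Windows2003InterimDomain are deliberately absent.
$okDomainModes = 'Windows2000NativeDomain', 'Windows2003Domain', 'Windows2008Domain'
"Forest {0}: forest functional level {1}" -f $forest.Name, $forest.ForestMode

$report = foreach ($domain in $forest.Domains) {
    $modeOk = $okDomainModes -contains [string]$domain.DomainMode
    foreach ($dc in $domain.DomainControllers) {
        $os = $dc.OSVersion     # operatingSystem attribute, e.g. "Windows Server 2003"
        # Windows 2000 Server DCs cannot be upgraded in place; they must be replaced.
        $osOk = $os -match 'Windows Server 2003|Windows Server 2008'
        if ($modeOk -and $osOk) { $path = 'in-place or replace' } else { $path = 'replace' }
        New-Object PSObject -Property @{
            Domain      = $domain.Name
            DomainMode  = [string]$domain.DomainMode
            DC          = $dc.Name
            Site        = $dc.SiteName
            OS          = $os
            Roles       = ($dc.Roles -join ',')   # FSMO roles held; these move during the migration
            UpgradePath = $path
        }
    }
}
$report | Sort-Object Domain, DC |
    Format-Table Domain, DC, OS, DomainMode, Site, Roles, UpgradePath -AutoSize

# Two prerequisites this cannot verify from the directory and that must be checked
# on each server: the service pack level (SP2 on Windows Server 2003) and the CPU
# architecture, because Windows Server 2008 R2 is x64 only.
```

The Roles column matters for the phased plan: a domain controller that holds a FSMO role (schema master, domain naming master, PDC emulator, RID master, infrastructure master) has to give that role up before it is demoted and replaced.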
Note
A combined approach can be and
is quite commonly used, as indicated in Figure 2, to support a scenario in which some hardware is current
but other hardware is out of date and will be replaced. Either way, the
decisions applied to a proper project plan can help to ensure the
success of the migration.
The scenario in this section
will use the combined approach to the upgrade, replacing the Windows
2000 SP4 companyabc.com domain controllers and upgrading the Windows
Server 2003 asia.companyabc.com domain controllers.
The health of the domain
controllers should be verified prior to upgrading the domain
controllers. In particular, the Domain Controller Diagnostics (DCDIAG)
utility should be run and any errors fixed before the upgrade. The
Windows Server 2003 DCDIAG utility is part of the Support Tools, which
can be found on the installation media under \support\tools\. The
Support Tools are installed via an MSI package named SUPTOOLS.MSI in
Windows Server 2003. After installing the tools, the DCDIAG utility can
be run. The dcdiag /e option
should be used to check all domain controllers in the enterprise. Verify
that all tests passed.
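Reading the verbose output of dcdiag /e across a whole enterprise is error-prone; a failed test is one line among hundreds. The following is an added example, not from the original text: it runs DCDIAG against every domain controller, writes the full output to a log, and reduces it to a pass/fail table per domain controller and test. It assumes the Windows Server 2003 Support Tools (dcdiag.exe) are installed and on the PATH, that it is run as an Enterprise Admin, and the log directory is an assumption.

```powershell
# Added example (not from the original text): run dcdiag /e across the enterprise and
# summarize the results. Assumes dcdiag.exe from the Support Tools is on the PATH
# and the caller is an Enterprise Admin; the log path is an assumption.
$log = 'C:\premigration\dcdiag-{0:yyyyMMdd-HHmm}.txt' -f (Get-Date)
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null

# /e = every DC in the enterprise, /c = comprehensive (runs the non-default tests too),
# /v = verbose output for the log, /f = write the output to a file.
dcdiag.exe /e /c /v /f:$log

# Every test ends with a line of the form
#   ......................... DC01 passed test Replications
#   ......................... DC02 failed test Advertising
# so the summary is built by matching those lines only.
$pattern = '\.{3,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)'
$results = Get-Content $log | Where-Object { $_ -match $pattern } | ForEach-Object {
    $null = $_ -match $pattern
    New-Object PSObject -Property @{ DC = $matches[1]; Result = $matches[2]; Test = $matches[3] }
}

$results | Group-Object Result | Select-Object Name, Count
$failed = $results | Where-Object { $_.Result -eq 'failed' }
if ($failed) {
    "Fix these before upgrading; full output is in $log"
    $failed | Sort-Object DC, Test | Format-Table DC, Test -AutoSize
    exit 1
}
"All dcdiag tests passed on all domain controllers"
```

The /c switch adds the DNS and other non-default tests, which take noticeably longer over slow site links; the full log is kept so that a failed test can be traced back to the verbose detail for that domain controller.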