Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Phased Migration (part 1) - Migrating Domain Controllers

3/2/2011 10:05:59 PM
In many cases, the Windows Server 2003/2008 environment to be migrated includes one or more Active Directory domains and forests. Because Active Directory is one of the most important parts of a Microsoft network, it is consequently one of the most important areas to focus on during a migration. In addition, many of the improvements in Windows Server 2008 R2 relate directly to Active Directory, which makes migrating this part of the environment especially appealing.

The decision to upgrade Active Directory should be based on these improvement areas: if one or more of the improvements to Active Directory Domain Services justifies an upgrade, the upgrade should be considered. Improvements were introduced in Windows Server 2003 and Windows Server 2008, and still more were added in Windows Server 2008 R2.

The following list details some of the many changes made to Active Directory in Windows Server 2003 that improved on the original Windows 2000 Server Active Directory:

  • Domain rename capability— Windows Server 2003 Active Directory supports renaming either the NetBIOS name or the LDAP/DNS name of an Active Directory domain with the domain rename tool (rendom.exe). The rename requires the Windows Server 2003 forest functional level, so every domain controller in the forest must already run Windows Server 2003 or later, and it is not supported in forests that contain Exchange Server 2007 or later.

  • Cross-forest transitive trusts— Windows Server 2003 supports forest trusts, which are transitive between two Active Directory forests. Windows 2000 supported only explicit, non-transitive external trusts between individual domains in different forests, so access could not flow to the other domains of the two forests. Windows Server 2003 or later lifts this limitation, provided both forests are at the Windows Server 2003 forest functional level.

  • Universal group caching— One of the main structural limitations of Active Directory was the need for a global catalog server, with its heavy replication traffic, in every site of the replication topology, or else risk very slow client logons and directory queries. Windows Server 2003 or later lets domain controllers in remote sites cache users' universal group memberships (enabled per site in Active Directory Sites and Services), so each logon request no longer needs a local global catalog server.

  • Intersite topology generator (ISTG) improvements— The ISTG in Windows Server 2003 was improved to support configurations with extremely large numbers of sites. In addition, the time required to determine site topology has been noticeably improved through the use of a more efficient ISTG algorithm.

  • Multivalued attribute replication improvements— In Windows 2000 Server, if a universal group grew from 5,000 to 5,001 members, the entire membership attribute had to be replicated again across the whole forest. Windows Server 2003 addressed this with linked-value replication, which replicates only the members that changed; it requires the Windows Server 2003 forest functional level.

  • Lingering objects (zombies) detection— A domain controller that has been out of service for longer than the tombstone lifetime of a deleted object could theoretically “resurrect” that object by replicating it back in, bringing it back to life as a zombie, or lingering object. Windows Server 2003 identifies these objects and, with strict replication consistency enabled, refuses to replicate them to other domain controllers; repadmin /removelingeringobjects removes them.

  • AD-integrated DNS zones in application partitions— Windows Server 2003 made DNS zone replication more flexible by storing Active Directory-integrated zones in application directory partitions (DomainDnsZones and ForestDnsZones), which replicate only to domain controllers that run DNS rather than to every domain controller, reducing replication traffic. Alternatively, a zone can be configured to replicate to all DNS servers in the forest where that is appropriate.

Windows Server 2008 Active Directory retained all the new features of Windows Server 2003 Active Directory and added several key features, as follows:

  • Fine-grained password policies— Password and account lockout policies can be applied to different users and global security groups within the same domain through Password Settings Objects (PSOs), instead of a single policy per domain. This requires the Windows Server 2008 domain functional level.

  • Read-Only Domain Controllers— RODCs are designed for branch offices and extranet scenarios: they hold a read-only copy of the directory, so it can be read but not changed locally, and they cache account passwords only for the accounts the Password Replication Policy permits, so a stolen RODC exposes far less than a writable domain controller. Deploying one requires the Windows Server 2003 forest functional level, adprep /rodcprep, and at least one writable Windows Server 2008 or later domain controller in the domain.

  • Granular auditing— Active Directory auditing is much more granular: the Directory Service Changes audit subcategory can be enabled for some objects but not others, and it records the previous and new values of changed attributes. This reduces the volume of security log entries while giving the auditor or analyst more useful detail during an audit or investigation.

  • Distributed File System Replication (DFSR)— DFSR can now replicate SYSVOL, replacing the File Replication Service (FRS) used for SYSVOL in Windows 2000 Server and Windows Server 2003, and is more robust with better diagnostics. It is available once the domain functional level is raised to Windows Server 2008, but a domain upgraded from an earlier version keeps using FRS until SYSVOL is migrated with dfsrmig.exe; only domains created at the Windows Server 2008 level use DFSR from the start.

Features introduced with the upgrade to Windows Server 2008 R2 include the following:

  • Active Directory Module for Windows PowerShell— A consolidated set of Windows PowerShell cmdlets for managing Active Directory. The module talks to Active Directory Web Services, so it needs at least one Windows Server 2008 R2 domain controller (or the Active Directory Management Gateway Service installed on a Windows Server 2003 or 2008 domain controller).

  • Active Directory Administrative Center— The Active Directory Administrative Center is a task-oriented AD management console that allows for the management of users, groups, computers, sites, and domains from one console.

  • Recycle Bin for AD— Deleted objects can be restored with all their attributes, including group memberships, for the deleted object lifetime (by default equal to the tombstone lifetime). The feature requires the Windows Server 2008 R2 forest functional level, must be enabled explicitly, and cannot be disabled once enabled.

  • Offline Domain Join— Windows 7 and Windows Server 2008 R2 machines can be joined to the domain without contacting a domain controller: djoin.exe /provision creates the computer account and writes a provisioning blob to a file, which djoin.exe /requestODJ applies on the client. The blob contains the machine account credentials, so it must be protected and deleted like a password.

  • Managed Service Accounts— MSAs take over the daunting task of managing service account passwords: the password is generated and rotated automatically by the computer the account is installed on, like a computer account password, so services no longer need to be updated by hand when it changes. A Windows Server 2008 R2 MSA is bound to a single computer.
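The following Windows PowerShell script is an added example, not part of the original article, showing the Recycle Bin feature end to end with the Windows Server 2008 R2 Active Directory module: it checks the forest functional level, enables the feature if it is not already enabled, then deletes and restores a throwaway user to show that group membership survives the restore. The forest name companyabc.com comes from the scenario in this article; the test OU and the rb-test account are assumptions for the demonstration, and the script should be run in a lab forest first because enabling the Recycle Bin cannot be undone.

```powershell
# Added example, not from the original article. Requires the Active Directory
# module (Windows Server 2008 R2 DC or RSAT) and Enterprise Admins rights.
# Assumed names: the test OU and user below exist only for this demonstration.
Import-Module ActiveDirectory

$TestOU   = 'OU=Migration Test,DC=companyabc,DC=com'   # assumed to exist
$TestUser = 'rb-test'                                  # throwaway account

function Assert-RecycleBinPrerequisite {
    # The Recycle Bin needs the Windows Server 2008 R2 forest functional level,
    # which in turn means every DC in the forest already runs 2008 R2.
    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ($forest.ForestMode -lt $required) {
        throw "Forest functional level is $($forest.ForestMode); $required is required."
    }
    return $forest
}

function Enable-RecycleBin {
    param([Parameter(Mandatory=$true)]$Forest)
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin is already enabled in $($Forest.Name)."
        return
    }
    # Irreversible: once enabled, the feature cannot be turned off again.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $Forest.Name -Confirm:$false
}

function Test-RecycleBinRestore {
    # Create, delete and restore a user. With the Recycle Bin enabled the
    # restored object keeps its attributes and group memberships, which a
    # tombstone reanimation would have lost.
    New-ADUser -Name $TestUser -SamAccountName $TestUser -Path $TestOU -Enabled $false
    Add-ADGroupMember -Identity 'Domain Guests' -Members $TestUser
    Remove-ADUser -Identity $TestUser -Confirm:$false

    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $TestUser } `
        -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $deleted) { throw "Deleted object for $TestUser not found." }

    # Restore-ADObject puts the object back under lastKnownParent by default.
    Restore-ADObject -Identity $deleted.ObjectGUID
    $restored = Get-ADUser -Identity $TestUser -Properties memberOf
    "Restored {0}; memberOf = {1}" -f $restored.DistinguishedName, ($restored.memberOf -join ';')
}

$forest = Assert-RecycleBinPrerequisite
Enable-RecycleBin -Forest $forest
Test-RecycleBinRestore
```

The functional-level check is deliberately a hard stop: Enable-ADOptionalFeature fails on a lower forest level anyway, but checking first keeps the script from creating and deleting the test user in a forest where the restore would not work.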


In the scenario in this section, there are two domains (companyabc.com and asia.companyabc.com) in the same forest (shown in Figure 1). The companyabc.com domain has only Windows 2000 Server SP4 domain controllers and the asia.companyabc.com domain has only Windows Server 2003 SP2 domain controllers. The entire forest will be upgraded to Windows Server 2008 R2, but the domains must be migrated over time, so a phased migration is used.

Figure 1. Company ABC forest.


Migrating Domain Controllers

The domain controllers can either be upgraded in place to Windows Server 2008 R2 or replaced by newly introduced Windows Server 2008 R2 domain controllers. The decision to upgrade an existing server depends largely on its hardware. The rule of thumb is that if the hardware will support Windows Server 2008 R2 now and for the next two to three years, the server can be upgraded in place; otherwise, new hardware is preferable. Note that Windows Server 2008 R2 is 64-bit only, so a 32-bit domain controller cannot be upgraded in place regardless of its age.

The prerequisites for upgrading an Active Directory forest and domain discussed earlier still apply. The prerequisites to upgrade to Windows Server 2008 R2 Active Directory are as follows:

  • To upgrade a domain controller in place, it must run a 64-bit edition of Windows Server 2003 SP2 or later, or of Windows Server 2008. Windows 2000 Server domain controllers cannot be upgraded in place and must be replaced.

  • The domain functional level must be Windows 2000 Native, Windows Server 2003, or Windows Server 2008. You cannot upgrade directly from the Windows NT 4.0, Windows 2000 Mixed, or Windows Server 2003 Interim domain functional levels.

  • Before the first Windows Server 2008 R2 domain controller is introduced, the schema and domains must be prepared with adprep /forestprep on the schema master and adprep /domainprep /gpprep on the infrastructure master of each domain (adprep is under \support\adprep on the Windows Server 2008 R2 media; use adprep32.exe on a 32-bit schema master), plus adprep /rodcprep if read-only domain controllers will be deployed.
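Before planning which domain controllers to upgrade and which to replace, it helps to inventory the forest against the prerequisites above. The following script is an added example, not part of the original article, that lists functional levels, the FSMO holders adprep must be run on, and the operating system of every domain controller. It uses the .NET System.DirectoryServices.ActiveDirectory classes rather than the Active Directory module, so it runs from Windows PowerShell 2.0 on a Windows Server 2003 SP2 or Windows Server 2008 member server in the pre-upgrade environment, where the 2008 R2 module is not yet available. The classification of each domain controller is this example's own rule of thumb, derived from the prerequisites listed above.

```powershell
# Added example, not from the original article. Runs from Windows PowerShell 2.0
# in the existing forest; needs only read access to the directory.
Add-Type -AssemblyName System.DirectoryServices

# Domain functional levels from which a Windows Server 2008 R2 DC cannot be introduced
$blockedDomainModes = 'Windows2000MixedDomain', 'Windows2003InterimDomain'

function Get-ForestUpgradeReadiness {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # adprep /forestprep runs on the schema master; record where that is.
    Write-Host ("Forest {0}: level {1}; schema master {2}" -f `
        $forest.Name, $forest.ForestMode, $forest.SchemaRoleOwner.Name)

    foreach ($domain in $forest.Domains) {
        $mode    = $domain.DomainMode.ToString()
        $levelOk = $blockedDomainModes -notcontains $mode
        # adprep /domainprep /gpprep runs on each domain's infrastructure master.
        Write-Host ("Domain {0}: level {1} ({2}); infrastructure master {3}" -f `
            $domain.Name, $mode, $(if ($levelOk) { 'ok' } else { 'must be raised first' }), `
            $domain.InfrastructureRoleOwner.Name)

        foreach ($dc in $domain.DomainControllers) {
            # OSVersion is a free-text string such as "Windows Server 2003".
            # Only 64-bit 2003 SP2 and 2008 can be upgraded in place; 2008 R2 is
            # 64-bit only, so 32-bit and Windows 2000 DCs have to be replaced.
            $os     = $dc.OSVersion
            $action = 'review manually'
            if ($os -match 'Windows Server (2003|2008)') { $action = 'upgrade in place if x64, else replace' }
            elseif ($os -match '2000')                   { $action = 'replace with new 2008 R2 DC' }

            New-Object PSObject -Property @{
                Domain = $domain.Name
                DC     = $dc.Name
                Site   = $dc.SiteName
                OS     = $os
                IsGC   = $dc.IsGlobalCatalog()
                Roles  = ($dc.Roles -join ',')
                Action = $action
            }
        }
    }
}

Get-ForestUpgradeReadiness | Format-Table Domain, DC, Site, OS, IsGC, Roles, Action -AutoSize
```

The Roles column matters for sequencing: the schema master and each infrastructure master must be reachable and healthy when adprep runs, and the global catalog and FSMO roles should be moved off any domain controller before it is demoted and replaced.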

Note

A combined approach is commonly used, as shown in Figure 2, when some hardware is current but other hardware is out of date and will be replaced. Either way, building these decisions into a proper project plan helps ensure the success of the migration.

Figure 2. Combined approach to the upgrade process.



The scenario in this section will use the combined approach to the upgrade, replacing the Windows 2000 SP4 companyabc.com domain controllers and upgrading the Windows Server 2003 asia.companyabc.com domain controllers.

The health of the domain controllers should be verified before they are upgraded. In particular, the Domain Controller Diagnostics (DCDIAG) utility should be run and any errors fixed beforehand. On Windows Server 2003, DCDIAG is part of the Support Tools, installed from the MSI package SUPTOOLS.MSI under \support\tools\ on the installation media; on Windows Server 2008 it is included in the operating system. Run dcdiag /e so that every domain controller in the enterprise is tested, not just the local one, and verify that all tests pass. repadmin /replsummary from the same tool set gives a quick view of replication failures between domain controllers, and replication must also be clean before the first Windows Server 2008 R2 domain controller is introduced.
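The verbose dcdiag /e output for a forest with many domain controllers is long enough that a failed test is easy to miss when read by eye. The following script is an added example, not part of the original article, that runs dcdiag and repadmin across the enterprise, writes the full dcdiag report to a log file and extracts only the failures. The log directory is an assumption for the example; dcdiag.exe and repadmin.exe are the Support Tools binaries the text describes (in-box on Windows Server 2008 and later).

```powershell
# Added example, not from the original article. Run from an elevated prompt on a
# domain controller or management server that has dcdiag.exe and repadmin.exe.
# $LogDir is an assumed location.
$LogDir = 'C:\MigrationLogs'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

function Get-DcdiagFailures {
    # /e  every domain controller in the enterprise (not just the local one)
    # /c  comprehensive test set, /v verbose, /f write the full report to a file
    $log = Join-Path $LogDir "dcdiag-$stamp.log"
    dcdiag /e /c /v "/f:$log" | Out-Null
    # Each test ends with "<server> passed test <Name>" or "<server> failed test <Name>".
    Select-String -Path $log -Pattern 'failed test' |
        ForEach-Object { $_.Line.Trim() }
}

function Get-ReplicationFailures {
    # CSV output lists every inbound replication link with its failure count.
    $links = repadmin /showrepl '*' /csv | ConvertFrom-Csv
    $links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

$dcdiagFailures = @(Get-DcdiagFailures)
$replFailures   = @(Get-ReplicationFailures)

if ($dcdiagFailures.Count -eq 0 -and $replFailures.Count -eq 0) {
    Write-Host 'All dcdiag tests passed and no replication failures were reported.'
} else {
    Write-Host "dcdiag failures: $($dcdiagFailures.Count)"
    $dcdiagFailures
    Write-Host "replication links with failures: $($replFailures.Count)"
    $replFailures | Format-Table -AutoSize
    # Fix every item above and re-run before touching any domain controller.
}
```

Keep the dated log files: if a problem appears after the first Windows Server 2008 R2 domain controller is introduced, the pre-upgrade report shows whether it was already present.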
