Preparing the Forest and Domains Using adprep
The introduction of Windows Server 2008 R2 domain controllers into a Windows Server 2003/2008 Active Directory requires that the core AD database structure, the schema, be updated to support the increased functionality. In addition, several other security changes need to be made to prepare a forest for inclusion of Windows Server 2008 R2. The Windows Server 2008 R2 DVD includes a command-line utility called adprep that will extend the schema to include the extensions required and modify security as needed. Adprep requires that both forestprep and domainprep be run before the first Windows Server 2008 R2 domain controller can be added.
The adprep utility must be run from the Windows Server 2008 R2 DVD or copied from its location in the \support\adprep\ folder. This installs the schema updates that are new to Windows Server 2008 R2 Active Directory. The following steps should be run on the Flexible Single Master Operations (FSMO) role holder, specifically the Schema Master role holder:
1. Insert the Windows Server 2008 R2 DVD into the drive. If the Install Windows autorun page appears, close the window.
2. Select Start, Run.
3. Enter d:\support\adprep\adprep.exe /forestprep and click OK, where d: is the DVD drive.
4. A warning appears to verify that all Windows 2000 Server domain controllers are at Service Pack 4 or later. Enter C and press Enter to start the forest preparation.
Note
Any previous extensions made to the Active Directory schema, such as those made with Exchange Server 2003 or Exchange Server 2007, are not affected by the adprep procedure. This procedure simply adds additional attributes and does not change those that currently exist.
Now that the schema updates have been installed, the domain is ready to be prepared. The operation must be run once in every domain in a forest. It must be physically invoked on the server that holds the infrastructure master Operations Master (OM) role. The steps for executing the domainprep procedure are as follows:
1. On the Operations Master domain controller, insert the Windows Server 2008 R2 DVD into the drive. If the Install Windows autorun page appears, close the window.
2. Select Start, Run.
3. Enter d:\support\adprep\adprep.exe /domainprep /gpprep and click OK, where d: is the DVD drive.
4. Enter d:\support\adprep\adprep.exe /rodcprep and click OK. This update allows Read-Only Domain Controllers by updating the permissions on all the DNS application directory partitions in the forest and allows them to be replicated by all RODCs that are also DNS servers.
Repeat steps 1 through 4 for each domain that will be upgraded.
After the forestprep and domainprep operations are run, the Active Directory forest will be ready for the introduction or upgrade of Windows Server 2008 R2 domain controllers. The schema is extended and includes support for Active Directory Recycle Bin and other enhancements. After these updates have had sufficient time to replicate across all domains, the process of upgrading the domain controllers to Windows Server 2008 R2 can commence.
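One way to confirm which servers hold the roles that forestprep and domainprep must run on, and that every domain controller has received the changes before any upgrade begins. This PowerShell script is an added example, not part of the original text. It assumes PowerShell 2.0 or later on a domain-joined machine and a domain user account; the expected values (schema objectVersion 47, adprep revision 5) come from Microsoft's documentation for Windows Server 2008 R2, not from this page.

```powershell
# Added example: locate the FSMO role holders adprep must run on, then confirm
# on every DC that the schema and adprep revisions have replicated.
# Uses [ADSI] and System.DirectoryServices only (no ActiveDirectory module).

$ExpectedSchema = '47'   # objectVersion of the Windows Server 2008 R2 schema

function Get-DirAttr([string]$Server, [string]$DN, [string]$Attr) {
    # Read one attribute from a specific DC; report instead of stopping on failure.
    try {
        $entry = [ADSI]"LDAP://$Server/$DN"
        [string]$entry.psbase.Properties[$Attr].Value
    } catch { 'missing/unreachable' }
}

$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = [string]$rootDse.schemaNamingContext
$configNC = [string]$rootDse.configurationNamingContext

Write-Host "Schema master (/forestprep): $($forest.SchemaRoleOwner.Name)"

$report = foreach ($domain in $forest.Domains) {
    $domainDN = [string]$domain.GetDirectoryEntry().distinguishedName
    Write-Host "$($domain.Name) infrastructure master (/domainprep): $($domain.InfrastructureRoleOwner.Name)"

    foreach ($dc in $domain.DomainControllers) {
        $schema = Get-DirAttr $dc.Name $schemaNC 'objectVersion'
        New-Object PSObject -Property @{
            DC             = $dc.Name
            SchemaVersion  = $schema
            # revision attributes written by /forestprep and /domainprep
            # (Windows Server 2008 R2 adprep sets both to 5)
            ForestRevision = Get-DirAttr $dc.Name "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC" 'revision'
            DomainRevision = Get-DirAttr $dc.Name "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainDN" 'revision'
            SchemaCurrent  = ($schema -eq $ExpectedSchema)
        }
    }
}

$report | Select-Object DC, SchemaVersion, ForestRevision, DomainRevision, SchemaCurrent |
    Format-Table -AutoSize
```

A domain controller that still shows an older schema version or revision has not yet replicated the adprep changes.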
Upgrading Existing Domain Controllers
If the decision has been made to upgrade all or some existing hardware to Windows Server 2008 R2, the process for accomplishing this is straightforward. However, as with the standalone server, you need to ensure that the hardware and any additional software components are compatible with Windows Server 2008 R2. The requirements for the server to upgrade are as follows:
The operating system on the domain controllers must be a 64-bit operating system.
The operating system on the domain controllers is Windows Server 2003 SP2. The domain controller hardware exceeds the Windows Server 2008 R2 requirements and all software is compatible with Windows Server 2008 R2, including antivirus software and drivers.
There is enough disk space free to perform the operating system and Active Directory upgrade. Specifically, verify that your free space is at least twice the size of your Active Directory database plus the minimum 32GB needed to install the operating system.
The specific steps are as follows:
1. Insert the Windows Server 2008 R2 DVD into the DVD drive of the server to be upgraded.
2. The Install Windows page should appear automatically. If not, choose Start, Run and then type d:\Setup, where d: is the drive letter for the DVD drive.
3. Click Install Now.
4. Click the large Go Online to Get the Latest Updates button. This ensures that the installation has the latest information for the upgrade.
5. Select the operating system you want to install and click Next.
6. Select the I Accept the License Terms option on the License page, and click Next to continue.
7. Click the large Upgrade button.
8. Review the compatibility report and verify that all issues have been addressed. Click Next to continue.
9. The system then copies files and reboots as a Windows Server 2008 R2 server, continuing the upgrade process. After all files are copied, the system is then upgraded to a fully functional install of Windows Server 2008 R2 and then reboots again. All this can take some time to complete.
10. After the final reboot, the domain controller will be at the familiar Ctrl+Alt+Del screen. After logon, the domain controller opens to the Server Manager console. The domain controller upgrade is complete.
Repeat for all domain controllers that will be upgraded.
Replacing Existing Domain Controllers
If you need to migrate specific domain controller functionality to the new Active Directory environment but plan to use new hardware, you need to bring new domain controllers into the environment before retiring the old servers.
Windows Server 2008 R2 uses a roles-based model. To make a Windows Server 2008 R2 server a domain controller, the Active Directory Domain Services role is added. This is the most thorough approach, and the following steps show how to accomplish this to establish a new Windows Server 2008 R2 domain controller in a Windows Server 2003/2008 Active Directory domain:
1. Log on to the new server as an administrator.
2. Launch Server Manager.
3. Select the Roles node.
4. Click Add Roles.
5. Click Next.
6. Select the Active Directory Domain Services check box, and click Next.
   Note
   The .NET Framework 3.5.1 features are required; if prompted to install, click Add Required Features.
7. Click Next on the Introduction page.
8. Click Install to install the role. This installs the binaries necessary for the server to become a domain controller.
9. Click Close on the Installation Results page.
10. In the Server Manager console, expand the Roles node and select the Active Directory Domain Services node.
11. In the Summary section, click the Run the Active Directory Domain Services Installation Wizard (dcpromo.exe) link.
12. Click Next on the Welcome page.
13. Select the Existing Forest option button.
14. Select the Add a Domain Controller to an Existing Domain option button, and click Next.
15. Enter the name of the domain.
16. Click Set to specify alternate credentials to use for the operation.
17. Enter the credentials of a domain administrator in the target domain, and click OK.
18. Click Next to continue.
19. Select the appropriate domain for the new domain controller, and click Next. In this example, the companyabc.com domain is used.
20. Select a site for the domain, and click Next.
21. Select the Additional Domain Controller Options, which are DNS Server and Global Catalog by default. The Read-Only Domain Controller option is not available if this is the first Windows Server 2008 R2 domain controller in the domain. Click Next.
22. Click Yes if presented with a DNS Delegation warning dialog box.
23. Select locations for the database, log files, and the SYSVOL, and then click Next.
24. Enter the Directory Services Restore mode administrator password, and then click Next.
25. Review the summary, and then click Next. The installation wizard will create the domain controller and replicate the Active Directory database, which might take some time depending on the network and the size of the Active Directory database.
26. After the wizard completes the installation, click Finish.
27. Click Restart Now to reboot the new domain controller.
This process should be repeated for each new replacement domain controller.