LinkedIn

March 2011
M T W T F S S
« Feb   Apr »
 123456
78910111213
14151617181920
21222324252627
28293031  

MAP

Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain Controllers

March 4th, 2011 by and tagged , ,

One question which I often come across is how to upgrade your domain from windows 2003 to windows 2008 or 2008 R2.

Mostly organizations are running their domain controller on windows 2003 x86(32bit), windows 2008 R2 is available only in x64(64bit) & initially when we want to upgrade their domain from windows 2000 to 2003 they use ADPREP.EXE as 99% organization has their DC on 32bit system.

Now, you too decided to upgrade your domain controller to windows 2008 R2 which is only available in x64bit, & while looking for ADPREP.EXE, you found ADPREP32.EXE as well as ADPREP.EXE both is available in windows 2008 R2 media, now you are confused which one to be used on windows 2003 which is 32bit to prepare schema so you can introduce x64 bit (2008 or 2008 R2) domain controller.

Thinking ADPREP32.EXE is made for 32bit dc & since you are going to use windows 2008 R2 which is x64, you decided to run on windows 2000 or 2003 which is 32 bit & what’s next you got error, scratching your head looking for here & there checking your Active directory health using DCDIAG & NETDIAG (NETDIAG is not available in windows 2008 & above), but everything is well & good. Now you decided to verify replication using REPADMIN & REPLMON (REPLMON is not available in windows 2008 & above) tool that’s also fine, you again decided to re-look to account used for ADPREP which has to be member of following schema admin, enterprise admin & domain admin it is too in place, so what is wrong or making ADPREP to fail when everything is in place.

Well, its nothing wrong but you chose the wrong version of ADPREP, MS has released two version of ADPREP32.EXE which has to run on 32bit OS DC & ADPREP.EXE has to run on 64 bit DC. There is no different between ADPREP32.EXE & ADPREP.EXE, both does the same job, its only for compatibility with 32bit OS & 64bit OS.

This time you went ahead & tried ADPREP32.EXE from 2008 or 2008 R2 media & you found it working.

I found people have doubt, if I upgrade the schema from windows 2000/2003 to 2008/2008 R2, will there be any issue, to clear the doubt, ADPREP will only add the new attribute & classes, but it will not modify or delete the already existing attribute or classes.

One more important thing if you have multiple domain or domain controller with large site base, wait for the replication cycle to finish & make sure changes has replicated to all the DC’s, then only proceed.

You need to run the below commands on the following DC servers only not on member server or new windows 2008 R2 which is going to be ADC:
Command Domain Controller
adprep.exe /forestprep Schema Master
adprep.exe /domainprep Infrastructure Master
adprep.exe /domainprep /gpprep Infrastructure Master
adprep.exe /rodcprep *(This command is optional. Run it only if you want to install a read-only domain controller (RODC). There is no harms in running even. ) Domain Naming Master/IM(Can be executed on any of the DC)

adprep.exe /domainprep /gpprep is not required, if you are upgrading your domain from windows 2003/20032 to windows 2008/2008 R2, its only required during the upgrade of windows 2000 to 2003/R2 or 2008/R2.

http://technet.microsoft.com/en-us/library/dd464018%28WS.10%29.aspx

http://blogs.technet.com/b/askds/archive/2008/11/11/so-you-want-to-upgrade-to-windows-2008-domain-controllers-adprep.aspx

The function of gpprep is to add permission on policy folder in Sysvol.

Once you verify everything is well & good, then only proceed, which is only way to achieve error free upgrade.

AD Schema Version:

OS Version

Schema Version

Windows 8

51

Windows 2008 R2

47

Windows 2008

44

Windows 2003 R2

31

Windows 2003

30

Windows 2000

13


How to find the current Schema Version

“dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion”

http://support.microsoft.com/kb/556086

References for AD upgrade to windows 2008 or 2008 R2:

http://technet.microsoft.com/en-us/library/cc731188%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2%28WS.10%29.aspx#BKMK_Whatsnew

http://blogs.technet.com/b/askds/archive/2008/11/11/so-you-want-to-upgrade-to-windows-2008-domain-controllers-adprep.aspx

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/03/02/transitioning-your-active-directory-to-windows-server-2008.aspx

Few Steps prior to preparing your environment for windows 2008 or 2008 R2.
  • Checking your Domain & domain controller health using dcdiag, & netdiag(Netdiag is not available in windows 2008 & above) tool.
  • Check replication using repadmin tool.
  • Check the DNS name resolution & its related error in event log.
  • Check error related to sysvol & FRS.

Troubleshooting ADPREP errors.

http://blogs.technet.com/b/askds/archive/2008/12/15/troubleshooting-adprep-errors.aspx

Happy upgrading..

 

Posted in Directory Services | 49 Comments »



49 Responses to “Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain Controllers”

  1.   David Jacquemotte Says:

    Great post, thanks. I also wanted to find out if there were special considerations for very large organizations? In our enterprise, we have multiple forests, parent and child domains and we just wanted to make sure that if we extend the schema, it will play nice with 2003.

    Reply

    •   Awinish Says:

      Thank you for your comments. Extending the schema can’t be the issue, since running the adprep to update the schema it only add the new classes & attribute w/o removing/modifying the existing classes/attributes.

      Few legacy application might not be compatible with schema changes, but i haven’t heard of any such till now.If you are bothered, i always recommend for creating replica of live environment into lab & test all the application/functionality before upgrading the schema. This is best way to move ahead.

      System state backup of AD is always best & handy solution to proceed before making any minor/major changes into schema. Once you got all the DC in windows 2008 r2, you might want for raising the DFFL/FFL to 2008 R2.

      Key Points:
      – Take system state backup prior to schema update.
      – Test the live environment with all the applications in a lab
      – Document the test cases.
      – good planning & design is way to success.

      Take a look at previous discussions.
      http://social.technet.microsoft.com/Forums/en/winserverDS/thread/edb2bcd0-b490-44e6-b8d9-9e85c2f24d03

      Reply

  2.   David Jacquemotte Says:

    Great post, thanks. I also wanted to find out if there were special considerations for very large organizations? In our enterprise, we have multiple forests, parent and child domains and we just wanted to make sure that if we extend the schema, it will play nice with 2003.

    Reply

    •   Awinish Says:

      Thank you for your comments. Extending the schema can’t be the issue, since running the adprep to update the schema it only add the new classes & attribute w/o removing/modifying the existing classes/attributes.

      Few legacy application might not be compatible with schema changes, but i haven’t heard of any such till now.If you are bothered, i always recommend for creating replica of live environment into lab & test all the application/functionality before upgrading the schema. This is best way to move ahead.

      System state backup of AD is always best & handy solution to proceed before making any minor/major changes into schema. Once you got all the DC in windows 2008 r2, you might want for raising the DFFL/FFL to 2008 R2.

      Key Points:
      – Take system state backup prior to schema update.
      – Test the live environment with all the applications in a lab
      – Document the test cases.
      – good planning & design is way to success.

      Take a look at previous discussions.
      http://social.technet.microsoft.com/Forums/en/winserverDS/thread/edb2bcd0-b490-44e6-b8d9-9e85c2f24d03

      Reply

  3.   selvaraj Says:

    good..points.

    Reply

  4.   selvaraj Says:

    good..points.

    Reply

  5.   Server Engineer Says:

    Hi Awinish,
    This is a great Post. Now i started visiting your blogs too in addition to technet :)

    Reply

  6.   Server Engineer Says:

    Hi Awinish,
    This is a great Post. Now i started visiting your blogs too in addition to technet :)

    Reply

  7.   Awinish Says:

    Good to hear, you find this post informative..:)

    Reply

  8.   Awinish Says:

    Good to hear, you find this post informative..:)

    Reply

  9.   Dan Says:

    Awinish,

    We have a 2003R2 domain and planned on upgrading to 2008. I have extended the schema using the 2008 standard media. We have added one 2008 standard DC. We have not upgraded the rest of our DC’s. So we have three 2003 DC’s and one 2008 DC in production with a 2003 functional level and a 2008 schema. We want to move to a 2008R2 domain. My question is this: do I still need to extend the schema but using adprep from the 2008R2 media? I would think so. We would add the 2008R2 DC’s and just demote the old 2003 DC’s. Any problems with this?

    Thanks, – Dan

    Reply

  10.   Dan Says:

    Awinish,

    We have a 2003R2 domain and planned on upgrading to 2008. I have extended the schema using the 2008 standard media. We have added one 2008 standard DC. We have not upgraded the rest of our DC’s. So we have three 2003 DC’s and one 2008 DC in production with a 2003 functional level and a 2008 schema. We want to move to a 2008R2 domain. My question is this: do I still need to extend the schema but using adprep from the 2008R2 media? I would think so. We would add the 2008R2 DC’s and just demote the old 2003 DC’s. Any problems with this?

    Thanks, – Dan

    Reply

  11.   Awinish Says:

    Yes, you are required to run Adprep(32 or 64bit depends on OS) because the schema version of 2008 R2 is 47 which is different with windows 2008 schema version which is 44.As far as i know, there are no issues, but if you are running legacy application, you have to test in a lab first to check application compatibility with windows 2008 R2. I haven’t seen any issues with windows 2008 R2 , though test is recommended in a lab.

    For additional help you would like to post in DS forum.
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads

    Reply

  12.   Awinish Says:

    Yes, you are required to run Adprep(32 or 64bit depends on OS) because the schema version of 2008 R2 is 47 which is different with windows 2008 schema version which is 44.As far as i know, there are no issues, but if you are running legacy application, you have to test in a lab first to check application compatibility with windows 2008 R2. I haven’t seen any issues with windows 2008 R2 , though test is recommended in a lab.

    For additional help you would like to post in DS forum.
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads

    Reply

  13.   Purvi Says:

    We are planning to upgrade our Server from Windows 2000 to Windows 2008 (32 bit). Kindly let us know whether the components (old dll’s) which we used to access in Windows 2000 will be compatible to this new Windows 2008 or not?

    Reply

  14.   Purvi Says:

    We are planning to upgrade our Server from Windows 2000 to Windows 2008 (32 bit). Kindly let us know whether the components (old dll’s) which we used to access in Windows 2000 will be compatible to this new Windows 2008 or not?

    Reply

  15.   Bernie Says:

    Hi, we currently are at schema version 30(Windows 2003) and we begin to deploy Windows 2008 R2 member servers. We are not ready to migrate our DC’s though.

    Is this a good idea to extend our schema to enable the latest GPO for 2008 servers or we loose our time doing this?

    We currently have 17 DC’s installed across different geographical regions, but only one DC hold the FSMO roles. Do we need a complete replication after the /forestprep before doing the /adprep? How can I be sure that every DC’s are replicated after the /forestprep?

    Reply

    •   Awinish Says:

      Extending the schema will prepare the forest to allow new OS dc to be added as an domain controller and its no way going to harm your AD environment. You can do it now or when you plan to introduce both way works.
      Also, you must confirm the schema version changed to 47 from 30. You can refer my article Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain for how to check.

      Jorge has article below “How to check that FORESTPREP and DOMAINPREP replicated to all DCs? ”
      http://blogs.dirteam.com/blogs/jorge/archive/2006/06/06/1094.aspx

      Thanks.

      Reply

  16.   Bernie Says:

    Hi, we currently are at schema version 30(Windows 2003) and we begin to deploy Windows 2008 R2 member servers. We are not ready to migrate our DC’s though.

    Is this a good idea to extend our schema to enable the latest GPO for 2008 servers or we loose our time doing this?

    We currently have 17 DC’s installed across different geographical regions, but only one DC hold the FSMO roles. Do we need a complete replication after the /forestprep before doing the /adprep? How can I be sure that every DC’s are replicated after the /forestprep?

    Reply

    •   Awinish Says:

      Extending the schema will prepare the forest to allow new OS dc to be added as an domain controller and its no way going to harm your AD environment. You can do it now or when you plan to introduce both way works.
      Also, you must confirm the schema version changed to 47 from 30. You can refer my article Upgrade from Windows 2000/2003 to 2008/2008 R2 Domain for how to check.

      Jorge has article below “How to check that FORESTPREP and DOMAINPREP replicated to all DCs? ”
      http://blogs.dirteam.com/blogs/jorge/archive/2006/06/06/1094.aspx

      Thanks.

      Reply

  17.   Mike Says:

    Hi Awinish

    We are gonna add two Windows Server 2008R2 as a domain controllers in an existing Windows 2003 Server domain, with Windows server 2003 domain functional level and forest functional level.

    This is for replacing the Windows 2003 AD servers to new Windows 2008r2 instead.
    After adding the two 2008R2 servers in the AD as DC:s we intend to remove the older 2003 DC:s.

    We intend to keep on running the domain and forest functional level on 2003 in the beginning, but will raise the level to 2008 after a while.

    Are there any risks in doing this?
    Or do you have any tips of what to think of before we start?

    Thanks
    Mike

    Reply

    •   Awinish Says:

      This is perfectly fine as windows 2008 r2 supports both NTLM and NTLMv2 protocol, so no need to worry regarding functional level as it effect DC not member server.

      Also, before raising the DFL/FFL, make sure you are not running a legacy apps which might give you trouble but i haven’t seen any till now.

      Thanks
      Awinish

      Reply

      •   Mike Says:

        Hi

        Thanks for your reply, we will try to test all of our applications in our test environment first before raising DFL/FFL in production.

        Regards,
        Mike

        Reply

  18.   Mike Says:

    Hi Awinish

    We are gonna add two Windows Server 2008R2 as a domain controllers in an existing Windows 2003 Server domain, with Windows server 2003 domain functional level and forest functional level.

    This is for replacing the Windows 2003 AD servers to new Windows 2008r2 instead.
    After adding the two 2008R2 servers in the AD as DC:s we intend to remove the older 2003 DC:s.

    We intend to keep on running the domain and forest functional level on 2003 in the beginning, but will raise the level to 2008 after a while.

    Are there any risks in doing this?
    Or do you have any tips of what to think of before we start?

    Thanks
    Mike

    Reply

    •   Awinish Says:

      This is perfectly fine as windows 2008 r2 supports both NTLM and NTLMv2 protocol, so no need to worry regarding functional level as it effect DC not member server.

      Also, before raising the DFL/FFL, make sure you are not running a legacy apps which might give you trouble but i haven’t seen any till now.

      Thanks
      Awinish

      Reply

      •   Mike Says:

        Hi

        Thanks for your reply, we will try to test all of our applications in our test environment first before raising DFL/FFL in production.

        Regards,
        Mike

        Reply

  19.   steve Says:

    Wow I learn a lot by reading this article. Thanks

    Reply

  20.   steve Says:

    Wow I learn a lot by reading this article. Thanks

    Reply

  21.   Raj Says:

    Great Post Awinish

    Reply

  22.   Raj Says:

    Great Post Awinish

    Reply

  23.   constant Says:

    hi,
    i want to do an AD upgrade from 2003 (Schema version=30) to a 2008R2 (schema version=47).
    Reading this article, it might be possible, but looking on other websites, i have to upgrade my 2003 in 2003R3 (schema version=31) before to upgrade to 2008R2.
    Can I do this migration directly?

    Reply

    •   Awinish Says:

      You can perform direct upgrade from windows 2003 to 2008 R2 and there is no requirement to upgrade the schema or DC to windows 2003 R2 first. Run adprep32.xe on FSMO role holder DC and introduce new box with windows 2008 R2 and run dcpromo directly on it.

      Reply

  24.   constant Says:

    hi,
    i want to do an AD upgrade from 2003 (Schema version=30) to a 2008R2 (schema version=47).
    Reading this article, it might be possible, but looking on other websites, i have to upgrade my 2003 in 2003R3 (schema version=31) before to upgrade to 2008R2.
    Can I do this migration directly?

    Reply

    •   Awinish Says:

      You can perform direct upgrade from windows 2003 to 2008 R2 and there is no requirement to upgrade the schema or DC to windows 2003 R2 first. Run adprep32.xe on FSMO role holder DC and introduce new box with windows 2008 R2 and run dcpromo directly on it.

      Reply

Leave a Reply