Monday, December 13, 2010

Introducing Windows Server 2008 DC in Windows 2003 Forest

Hi All,

Today we will look at the process of introducing a Windows Server 2008 DC into a Windows Server 2003 forest.

To achieve this, we need to prepare our forest and domain to accommodate the new W2K8 DC.
A few items to keep in mind: the minimum forest functional level and domain functional level need to be Windows 2000 native.

You need to run adprep using an account that is a member of the Schema Admins and Enterprise Admins groups.
It is not recommended that you disable replication on the schema master before you run Adprep.exe. Adprep.exe skips redundant updates. Conflicting updates, such as the introduction of duplicate object identifiers, cause adprep.exe to stop until an administrator reconciles the conflicts. You can stop and restart adprep.exe; it resumes from where it left off.

Before you perform adprep /forestprep, make sure you have a healthy system state backup for disaster recovery.

Adprep performs the following tasks:
1. Updates the Active Directory schema
2. Improves default security descriptors
3. Upgrades display specifiers
4. Adjusts ACLs on Active Directory objects and on files in the SYSVOL shared folder to allow domain controller access. The anonymous user group is no longer included in the Everyone group.
5. Creates new objects that are used by applications such as COM+ and WMI
6. Creates new containers in Active Directory that are used to verify that preparation was successful

Insert the Windows Server 2008 DVD in the W2K3 domain controller.

Go to x:\support\adprep and run: adprep /forestprep

To verify that adprep /forestprep completed successfully:
1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Action, and then click Connect to.
4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.
5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain
    where forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.
8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.
    If you ran adprep /forestprep for Windows Server 2008, confirm that the Revision attribute value is 2, and then click OK.
9. Click ADSI Edit, click Action, and then click Connect to.
10. Click Select a well known Naming Context, select Schema in the list of available naming contexts, and then click OK.
11. Double-click Schema.
12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties
    where forest_root_domain is the distinguished name of your forest root domain.
13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.
    If you ran adprep /forestprep for Windows Server 2008, confirm that the objectVersion attribute value is set to 44, and then click OK.

Run x:\support\adprep>adprep /domainprep in every domain where you plan to introduce a W2K8 DC. Make sure that you can log on to the infrastructure master server with an account that is a member of the Domain Admins group.

To verify that adprep /domainprep completed successfully:

1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Action, and then click Connect to.
4. Click Select a well known Naming Context, select Default naming context in the list of available naming contexts, and then click OK.
5. Double-click Default naming context, double-click the container that is the distinguished name of the domain, and then double-click CN=System.
6. Double-click CN=DomainUpdates, right-click CN=ActiveDirectoryUpdate, and then click Properties.
7. If you ran adprep /domainprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.
    If you ran adprep /domainprep for Windows Server 2008, confirm that the Revision attribute value is 3, and then click OK.
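
The forestprep and domainprep checks above can also be scripted instead of clicked through in ADSI Edit. The following is an added example, not part of the original post: it reads the same three attributes over LDAP and compares them with the values listed in the steps. The function names are hypothetical, PowerShell 3.0 or later is assumed, and the domain checked is the one the logged-on account belongs to.

```powershell
# Added example (not from the original post). Expected values are the ones the post states.
$Expected = @{
    'Windows Server 2008'    = @{ ForestRevision = 2; SchemaVersion = 44; DomainRevision = 3 }
    'Windows Server 2008 R2' = @{ ForestRevision = 5; SchemaVersion = 47; DomainRevision = 5 }
}

# Hypothetical helper: read one attribute; $null if the object or attribute is absent.
function Get-LdapAttribute([string]$Dn, [string]$Name) {
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dn")
        return $entry.psbase.Properties[$Name].Value
    } catch {
        return $null   # for example, CN=ActiveDirectoryUpdate has not been created yet
    }
}

# Hypothetical helper: collect the three markers from the current forest and domain.
function Get-AdprepState {
    $root = [ADSI]'LDAP://RootDSE'
    $cfg  = [string]$root.configurationNamingContext
    $sch  = [string]$root.schemaNamingContext
    $dom  = [string]$root.defaultNamingContext
    @{
        ForestRevision = Get-LdapAttribute "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$cfg" 'revision'
        SchemaVersion  = Get-LdapAttribute $sch 'objectVersion'
        DomainRevision = Get-LdapAttribute "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$dom" 'revision'
    }
}

# Compare a collected state with the values expected for the adprep version that was run.
function Test-AdprepState([hashtable]$State, [string]$Target) {
    foreach ($check in 'ForestRevision', 'SchemaVersion', 'DomainRevision') {
        [pscustomobject]@{
            Check    = $check
            Expected = $Expected[$Target][$check]
            Actual   = $State[$check]
            Ok       = ($null -ne $State[$check]) -and ([int]$State[$check] -eq $Expected[$Target][$check])
        }
    }
}

# Constructed sample: forestprep completed, domainprep not yet run in this domain.
$sample = @{ ForestRevision = 2; SchemaVersion = 44; DomainRevision = $null }
Test-AdprepState -State $sample -Target 'Windows Server 2008' | Format-Table -AutoSize

# On a domain-joined machine, check the live directory instead:
# Test-AdprepState -State (Get-AdprepState) -Target 'Windows Server 2008' | Format-Table -AutoSize
```

In a multi-domain forest, run the live check once from each domain, because the DomainRevision marker is stored per domain.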

Run x:\support\adprep>adprep /gpprep

Running adprep /gpprep adds inheritable access control entries on Group Policy Objects in the SYSVOL shared folder. The additional ACEs give the Enterprise Domain Controllers group read access permissions on GPOs. These permissions are required to support Resultant Set of Policy functionality (modeling) for site-based policy.

Run adprep /gpprep during off-production hours, because it can generate substantial replication traffic: each GPO is updated.

For optimal performance, make sure the Default Domain and Default Domain Controller policies are located on the server that holds the infrastructure master role.

If you are running antivirus software on the server from which you run adprep /gpprep, make sure to disable it, as it may cause interference.

Once you finish running adprep /gpprep, you can verify that the operation added the Read permission for the Enterprise Domain Controllers group on all GPOs.
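
One way to run that last verification across every GPO at once, as an added example that is not part of the original post. It assumes the GroupPolicy module that ships with GPMC (in the Windows Server 2008 R2 version of the module, Get-GPPermission is named Get-GPPermissions) and PowerShell 3.0 or later; the helper names and the sample GPO names are hypothetical.

```powershell
# Added example (not from the original post).
$EdcSid     = 'S-1-5-9'   # well-known SID of the Enterprise Domain Controllers group
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Hypothetical helper: one plain row per (GPO, trustee) pair from the live domain.
function Get-GpoTrusteeRows {
    Import-Module GroupPolicy
    foreach ($gpo in Get-GPO -All) {
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Sid        = $p.Trustee.Sid.Value
                Permission = [string]$p.Permission
            }
        }
    }
}

# Hypothetical helper: names of GPOs where Enterprise Domain Controllers
# has no entry that grants at least read access.
function Find-GpoMissingEdcRead($Rows) {
    $Rows | Group-Object Gpo | Where-Object {
        -not ($_.Group | Where-Object {
            $_.Sid -eq $EdcSid -and $ReadLevels -contains $_.Permission
        })
    } | ForEach-Object { $_.Name }
}

# Constructed sample rows: the second GPO was not updated by adprep /gpprep.
$sample = @(
    [pscustomobject]@{ Gpo = 'Default Domain Policy'; Sid = 'S-1-5-9';  Permission = 'GpoRead' }
    [pscustomobject]@{ Gpo = 'Default Domain Policy'; Sid = 'S-1-5-11'; Permission = 'GpoApply' }
    [pscustomobject]@{ Gpo = 'Workstation Baseline';  Sid = 'S-1-5-11'; Permission = 'GpoApply' }
)
Find-GpoMissingEdcRead $sample

# On a domain-joined machine with GPMC installed:
# Find-GpoMissingEdcRead (Get-GpoTrusteeRows)
```

An empty result from the live check means every GPO carries the read entry; any name that is listed should be reviewed in GPMC before the new domain controller is promoted.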
