Monday, April 21, 2008

Upgrading a 2k3 domain to 2k8.

Decided to upgrade the old 2k3 AD domain this week to 2008 AD. First stop was the Microsoft TechNet page - I strongly recommend you read it first.

I opted to install a new domain controller to start with, just to ease into the process. Prior to that, I ran adprep /forestprep, adprep /domainprep /gpprep, and just for kicks adprep /rodcprep, and let the changes propagate for a couple of hours to be on the safe side.

I decided to go with a VM for the domain controller this time. It seemed like a good way to future-proof it as far as hardware goes, and since it's a small site I'm not really worried about performance issues. Windows 2008 Enterprise installed right away, and VMware Tools followed easily enough. Then I added the AD DS role through the new snazzy Server Manager. Last step - DCPROMO, which now defaults to dummy mode but there's still an 'Advanced' option for real admins.

Once completed, I ran all the usual netdiag, dcdiag, etc. and all was well, then left it to stew overnight to see if any cool errors would manifest. The first thing to get used to is that the new Server Manager likes to make you aware of *ALL* warnings and errors, no matter how trivial they may be. One valid one was from IIS and complained about WAS and the IIS_IUSRS group. A long search pulled up a nifty script from Microsoft that fixed it.

So with renewed confidence that all was well, I went ahead and upgraded the rest of the domain controllers with few problems. Prior to upgrading the existing domain controllers, I had to uninstall things like PowerShell, antivirus, Backup Exec, etc. Removing PowerShell was mandatory, and of course it was hidden under a hotfix name, so uninstalling it was impossible without figuring out which hotfix it was under. The other software I uninstalled just as a precaution. One domain controller had the Exchange 2003 management tools installed, which caused MMC issues post-upgrade with the Active Directory Users and Computers snap-in. The resolution there was just to uninstall it.

Once all the DCs were upgraded and working, I reinstalled the Backup Exec agents and Symantec AntiVirus, and applied new Security Configuration Wizard policies. Then I made backups, documentation, etc.

Since all my DCs were running Windows Server 2008 now, I went ahead and raised the forest to the 2008 functional level. (Keep in mind, functional level changes are ONE WAY, no going back.) The 2008 functional level comes with some cool features like AES encryption for Kerberos, better DFS replication, and last interactive logon. I went ahead and tried to enable "last interactive logon" according to Microsoft's help pages, and my test Vista workstation could no longer unlock the terminal. After some searching it turns out that you have to enable the policy on All Your Domain Controllers First! Thanks go out to Steven Bink for his article, which I found on Google, for solving it:

And now, happily, the feature works perfectly when you log into Win2k8 or Vista boxes that have the policy set on the domain.
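Two of the steps above are the ones that bite if you get the order wrong: the functional level change cannot be undone, and the last-interactive-logon policy locks workstations out until every DC has it. The following pre-flight script is an added example, not from the post or from Microsoft; it assumes PowerShell 2.0 on a domain-joined box with rights to read AD and each DC's remote registry, and the schema version (44 for Server 2008) and the DisplayLastLogonInfo registry value are taken from Microsoft documentation rather than from the post.

```powershell
# Added example (not from the original post): pre-flight checks before raising the
# forest functional level and before enabling "last interactive logon".
$rootDse   = [ADSI]"LDAP://RootDSE"
$schemaNC  = $rootDse.Get("schemaNamingContext")
$defaultNC = $rootDse.Get("defaultNamingContext")

# 1. adprep /forestprep raises the schema objectVersion; Windows Server 2008 is 44 (assumed from MS docs).
$schemaVersion = [int]([ADSI]"LDAP://$schemaNC").Get("objectVersion")
if ($schemaVersion -lt 44) {
    Write-Warning "Schema objectVersion is $schemaVersion (2008 = 44); run adprep /forestprep first"
}

# 2. Find every DC (userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT, matched with the
#    LDAP bitwise-AND rule) and its OS. The level only goes up, so all DCs must be NT 6.0+.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$defaultNC")
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
[void]$searcher.PropertiesToLoad.AddRange(@("dNSHostName", "operatingSystem", "operatingSystemVersion"))
$dcs = $searcher.FindAll()

foreach ($dc in $dcs) {
    $name  = [string]$dc.Properties["dnshostname"][0]
    $os    = [string]$dc.Properties["operatingsystem"][0]
    $ver   = [string]$dc.Properties["operatingsystemversion"][0]   # e.g. "6.0 (6001)"
    $major = [int]($ver -split '\.')[0]
    if ($major -lt 6) {
        Write-Warning "$name still runs $os ($ver); do not raise the functional level yet"
    }

    # 3. "Display information about previous logons during user logon" must be applied on
    #    *every* DC before workstations get it, or Vista clients fail to unlock. The policy
    #    writes HKLM\...\Policies\System\DisplayLastLogonInfo = 1 (value name assumed from MS docs).
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $name)
        $key  = $hklm.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")
        $flag = if ($key) { $key.GetValue("DisplayLastLogonInfo") } else { $null }
        if ($flag -ne 1) {
            Write-Warning "$name does not have DisplayLastLogonInfo=1 yet; hold off on the client GPO"
        } else {
            Write-Host "$name OK: $os $ver, last-logon policy applied"
        }
    } catch {
        Write-Warning "Could not read the remote registry on ${name}: $_"
    }
}
```

Run it from an elevated prompt on a member server; a clean run with no warnings means every DC is at 2008 and already carries the policy, which is the state the post says you need before touching the functional level or the client-side setting.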

1 comment:

sebus said...

Lucky you, I have so far had 3 machines (2 separate Dell 330 and 1 VM on ESX 3.5) gone with 0x00000024 error
And there is no way to repair W2K8 server in any normal way (as it was available previously)