
2003 to 2008 Best Practice


  • 2003 to 2008 Best Practice

    Hi,

    Wonder if any users had any tips or best practice guides for the following scenario?

    We are about to add our first 2008 R2 domain controller to a current Windows 2003 domain. We have local and branch office 2003 domain controllers. A new server has been purchased with 2008 on it; this will become the main 2008 domain controller, with the others in branches remaining on 2003 for a few months at least.

    Thanks for all your help!

  • #2
    Re: 2003 to 2008 Best Practice

    Nothing special, really...
    Upgrade AD Schema (use ADPREP from 2008R2 media on existing schema master -- run 32 or 64 bit according to current DC OS)
    Join 2008r2 box to domain
    Add ADDS role
    Run DCPROMO

    Add DNS role as you need -- I would
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: 2003 to 2008 Best Practice

      Whilst introducing Windows 2008 R2 servers and Windows 7 PCs to a Domain, I also tend to review Group Policy. In particular, I review the Starter GPOs and see if any settings are relevant to the environment being upgraded.

      Google gives you articles regarding the settings and an explanation. The Vista Starter GPO settings are also relevant to Windows 7.

      You may find that certain scripts can be moved to Group Policy Preferences; Power options, Printers, Drive Mappings and so on.

      The Microsoft Security Compliance Manager is also worth a review.

      http://technet.microsoft.com/en-us/l.../cc677002.aspx

      Furthermore, you can consider running the Security Configuration Wizard on one 2008 R2 server, which contains specific role(s) and then converting it to a GPO policy. This way, it can be assigned to the relevant server OU.

      I tend to P2V or V2V, as relevant, and carry out an upgrade in an isolated environment prior to doing the upgrade. Better still, you could system state restore a DC to an isolated test environment, ensure the backup restore is successful, and then carry out the upgrade. This familiarises you with the upgrade and gives you peace of mind that you can roll it back.

      In some environments, I have run ADPREP on the relevant FSMO role holder and temporarily disabled AD replication from that server. That way, should the ADPREP of the schema affect anything, you can seize the FSMO roles onto another DC and remove its metadata. If all is well, you then enable AD replication for that DC (relevant FSMO role holder) once again.

      I also tend to enable DFS replication when the Forest Functional Level is at Windows Server 2008 R2, including the Recycle Bin feature. Occasionally, some PSOs would also be created.



      • #4
        Re: 2003 to 2008 Best Practice

        Thanks for all your help.

        One more question: I've got the Windows 2008 R2 Standard with SP2 disks. The ADPREP tool is located on CD 2 under the cmpnents folder, but this hasn't got the option of running rodcprep. It says that only the following options are supported:

        /forestprep
        /domainprep
        /domainprep /gpprep

        We will eventually introduce a couple of read only domains. What's the difference between this version of adprep and others?

        Thanks again!



        • #5
          Re: 2003 to 2008 Best Practice

          Any help?
          http://forums.petri.com/showthread.php?t=45985

          rodcprep appears to be a switch still, even if not documented

          What "says" no rodcprep?
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: 2003 to 2008 Best Practice

            rodcprep is still a switch. The /domainprep /gpprep tends to be run if it is a Windows 2000 domain being upgraded but doesn't hurt on Windows 2003. I don't believe you have to run /domainprep and /domainprep /gpprep separately though. If you do, it will probably just say the Domainprep has already been carried out.

            I tend to run the /rodcprep as the last one to do. I would pause 24 hours between Forestprep and Domainprep, though you can always force the replication if you wish.

            If you are running ADPREP on a 32-bit machine, it needs to be ADPREP32. It is in the same folder as ADPREP.

            Also, do a DCDIAG before and after each stage as a comparison including reviewing event logs.

            Another one to look out for is NTLM v2 authentication. It is that as default in 2008 R2 and a Group Policy may be enforcing NTLM only or similar. I tend to allow negotiated NTLMv2 authentication.
            Last edited by Virtual; 6th February 2012, 11:35. Reason: spelling
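
One way to do the before-and-after DCDIAG comparison suggested in #6, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later on the machine doing the comparison; the function names, the DC names (DC01, BRANCH01) and both sample snapshots are constructed for illustration.

```powershell
# Added example. DC01/BRANCH01 and both snapshots are constructed sample text
# in DCDIAG's summary-line format; for real runs, capture each stage with
#   dcdiag /s:<DC> /f:<logfile>   and load the file with Get-Content.

function Get-DcdiagResult {
    param([string[]]$Lines)
    $results = @{}
    foreach ($line in $Lines) {
        # Summary lines: "......... <target> passed|failed test <TestName>"
        if ($line -match '\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)') {
            $results["$($Matches[1])/$($Matches[3])"] = $Matches[2].ToLower()
        }
    }
    return $results
}

function Compare-DcdiagResult {
    param([hashtable]$Before, [hashtable]$After)
    $keys = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($key in $keys) {
        # 'absent' = the test produced no summary line (e.g. DC unreachable)
        $old = if ($Before.ContainsKey($key)) { $Before[$key] } else { 'absent' }
        $new = if ($After.ContainsKey($key))  { $After[$key] }  else { 'absent' }
        if ($old -ne $new) {
            New-Object PSObject -Property @{ Test = $key; Before = $old; After = $new }
        }
    }
}

$before = @'
   ......................... DC01 passed test Connectivity
   ......................... DC01 passed test Replications
   ......................... BRANCH01 passed test Replications
'@ -split "`r?`n"

$after = @'
   ......................... DC01 passed test Connectivity
   ......................... DC01 failed test Replications
'@ -split "`r?`n"

Compare-DcdiagResult (Get-DcdiagResult $before) (Get-DcdiagResult $after) |
    Format-Table Test, Before, After -AutoSize
```

Only tests whose result changed between the two captures are listed, so a clean stage produces no rows; a test that disappears from the later capture is reported as `absent` rather than silently dropped.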
