W2K3 to W2K8 and W2K8R2 Active Directory Upgrade Considerations


I have collected some upgrade considerations from a couple of colleagues of mine and have been sharing them on our internal technical DLs as the question comes up. I have gotten positive feedback on the notes and have been encouraged to post them. So, here they are. Though, the real thanks go out to my colleagues Tom and Arren. Further guidance on AD upgrades has been released to TechNet. The current title of the document is "Microsoft Product Support Quick Start to Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains", and it can be found here: https://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx

Here are some of the problems customers may run into when upgrading a W2K3 AD deployment to a W2K8 and/or W2K8R2 AD deployment:

  1. Compatibility issues you should address before beginning the upgrade
    1. https://support.microsoft.com/kb/946405 - No LM hash
    2. https://support.microsoft.com/kb/942564 - NT 4.0 domains
    3. https://support.microsoft.com/default.aspx?scid=kb;en-US;2021766 - W2K8R2/Windows 7 and NT4 domains
    4. https://technet.microsoft.com/en-us/library/cc731654.aspx - SMB signing
    5. https://support.microsoft.com/kb/944043 - RODC client pack
    6. https://support.microsoft.com/default.aspx?scid=kb;EN-US;968614 - Outlook 2003 hotfix
    7. https://support.microsoft.com/kb/958980 - Issue with OCS 2007 or LCS 2005
    8. https://support.microsoft.com/kb/947039 - You cannot locally configure or locally delete the application partitions that are created for IP telephony after you upgrade from Windows Server 2003 to Windows Server 2008
    9. https://support.microsoft.com/kb/948680 - Description of the Microsoft server applications that are supported on Windows Server 2008
    10. Browse list fails. If you depend on the browse list, set the Computer Browser service to Automatic on the PDCe and on one DC per segment.
    11. DFS site-costed referrals are enabled on W2K8 DCs. This is a good change, but it may result in W2K8 DCs providing referrals in a different order than W2K3 DCs, which have this feature disabled by default.
    12. LmCompatibilityLevel increased to 3. See https://technet.microsoft.com/en-us/library/cc960646.aspx
    13. The NullSessionPipes list is shorter. See the Threats and Countermeasures guide.
    14. NullSessionShares has been removed. See the Threats and Countermeasures guide.
    15. NSPI connections are limited to 50 per user. https://support.microsoft.com/kb/949469
    16. DES crypto is disabled on R2. See the TechNet document above and https://support.microsoft.com/kb/978055
    17. LDAP query policy hard-coded limits: https://support.microsoft.com/default.aspx?scid=kb;en-US;2009267 . Need to override these limits? See https://blogs.technet.com/b/qzaidi/archive/2010/09/02/override-the-hardcoded-ldap-query-limits-introduced-in-windows-server-2008-and-windows-server-2008-r2.aspx
    18. RFC 2696 section 3 is more stringently enforced by W2K8R2 DCs, i.e., subsequent requests for each page of a query must contain identical values (with the exception of the messageID, the cookie, and optionally a modified pageSize) to the original request. W2K3 DCs did not enforce this. W2K8R2 DCs do, and will return the error UNAVAIL_EXTENSION to the caller rather than the requested page if the request parameters differ from the original request in violation of the RFC. See https://support.microsoft.com/kb/2468316
    19. For other operating system implementations (such as NetApp, Samba, EMC, etc.), it is strongly suggested that you contact those vendors for their supportability matrix for Windows as client and as DC.
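A read-only pre-upgrade audit for items 1, 12 and 16 above, added here as an example and not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that the Remote Registry service is reachable on the existing DCs; the `Get-DesOnlyAccount` and `Get-LsaSettingReport` function names are my own.

```powershell
# Added example, not from the original post: read-only pre-upgrade audit for
# three of the changes listed above (no LM hash, LmCompatibilityLevel 3, DES
# disabled). Assumes the ActiveDirectory module (RSAT) and that the Remote
# Registry service is reachable on the existing DCs. Nothing is modified.
Import-Module ActiveDirectory

# USE_DES_KEY_ONLY bit of userAccountControl (0x200000). The matching-rule OID
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the filter returns
# every user or computer object with that bit set.
$DesOnlyBit = 0x200000
$DesFilter  = "(userAccountControl:1.2.840.113556.1.4.803:=$DesOnlyBit)"

function Get-DesOnlyAccount {
    # Accounts flagged DES-only stop authenticating once R2 DCs no longer
    # issue DES-encrypted Kerberos tickets (item 16 above).
    Get-ADObject -LDAPFilter $DesFilter -Properties 'userAccountControl','msDS-SupportedEncryptionTypes' |
        Select-Object Name, ObjectClass, DistinguishedName, 'msDS-SupportedEncryptionTypes'
}

function Get-LsaSettingReport {
    param([string[]]$ComputerName)
    # Reads NoLMHash and LmCompatibilityLevel from each DC's LSA key so the
    # current values can be compared with the W2K8 defaults (items 1 and 12).
    foreach ($dc in $ComputerName) {
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
            $lsa  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $noLm = $lsa.GetValue('NoLMHash')          # $null = value absent, OS default applies
            $lvl  = $lsa.GetValue('LmCompatibilityLevel')
            $lsa.Close(); $base.Close()
            $below = if ($lvl -eq $null) { 'unknown (OS default)' } else { [int]$lvl -lt 3 }
        } catch {
            $noLm = $lvl = 'unreachable'; $below = $null
        }
        New-Object PSObject -Property @{
            DC = $dc; NoLMHash = $noLm; LmCompatibilityLevel = $lvl; BelowW2K8LmDefault = $below
        }
    }
}

$desOnly = @(Get-DesOnlyAccount)
"DES-only accounts found: $($desOnly.Count)"
$desOnly | Format-Table -AutoSize

# Report the LSA settings of every DC currently in the domain.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Get-LsaSettingReport -ComputerName $dcs |
    Format-Table DC, NoLMHash, LmCompatibilityLevel, BelowW2K8LmDefault -AutoSize
```

Any account returned by the first report needs its Kerberos encryption settings reviewed before the first R2 DC is introduced; a DC showing a level below 3 tells you which clients to test against the new default.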

  2. Fixes you should have downloaded in advance
    1. If you use devolution to resolve single-label or non-qualified DNS names, get KB957579 and integrate it into the build process.
    2. Have you ever authoritatively restored your domain KRBTGT account? If so, see https://support.microsoft.com/kb/939820, https://support.microsoft.com/kb/968140 and https://support.microsoft.com/kb/976424
    3. LDAP client fails to connect to LDAPS servers using the canonical name. https://support.microsoft.com/kb/2275950 & https://support.microsoft.com/kb/2282241

  3. ADPREP /FORESTPREP failures include
    1. Insufficient credentials used to run forestprep
    2. Schema FSMO not assigned to a live DC, or it hasn't inbound-replicated since last boot
    3. Antivirus agent creates locks on LDIF files, resulting in the error "the callback function failed"
    4. Running an incorrect version of ADPREP
    5. Schema conflicts, including conflicting ldapDisplayNames, linkIDs, OIDs, DN paths, attribute syntax, and missing "may contain" attributes (KB969307)

  4. RODCPREP failures include
    1. Infrastructure master not assigned to a live DC. See MSKB 949257

  5. DOMAINPREP /GPPREP fails because
    1. Infrastructure master assigned to an offline or deleted NTDSA
    2. Insufficient credentials used
    3. Error "callback function failed" = SYSVOL not shared, default policy missing or missing default GUID, or a problem with the reparse point

  6. DCPROMO
    1. DNS delegation warning: https://technet.microsoft.com/en-us/library/dd379526(WS.10).aspx
    2. The option to install the DNS Server role is grayed out if the DNS Server role is already installed.

  7. RODCPROMO
    1. The option to install RODCs is only enabled if FFL = W2K3 or higher
    2. You cannot make the first W2K8 DC in a domain an RODC
  8. POST UPGRADE
    a. For RODCs
      1. Install the RODC compatibility pack (MSKB 944043) on the relevant OS versions in the environment
      2. The DNS Server service on an RODC does not respond to DNS queries for several minutes if the link to some RWDCs breaks in Windows Server 2008. KB981370
      3. Delegation scenarios may break in mixed environments that have RODCs and still contain W2K3 DCs in the same domain as the RODC. KB2360265
    b. For DNS servers
      1. EDNS (RFC 2671) is turned on for W2K8 R2 DNS servers. Review the following KBs for examples of compatibility issues: KB828263, KB977158, KB832223
      2. W2K8 and W2K8 R2 DNS servers do not reuse dnsNode objects once dNSTombstoned=TRUE for a given node; instead these objects are tombstoned. The effect is a larger AD database, the amount of which depends on the DNS record churn rate and volume. Aggressive DNS scavenging and/or short DHCP lease durations where DHCP is configured to de-register client records at lease expiration will exacerbate this. https://support.microsoft.com/kb/2548145/en-us
    c. For DCs running on Hyper-V and VMware
      1. Install a UPS
      2. Brief all admins on the risks of USN rollbacks caused by restoring snapshots on DC role guests. Review https://technet.microsoft.com/en-us/library/dd363553(WS.10).aspx
      3. P2V conversions should be done in offline mode. If converting multiple DCs in the same forest, all need to be offline at the same time.
    d. Disaster avoidance and recovery
      1. Enable delete protection on OU containers
      2. Enable system state backups
      3. If using a 3rd-party backup product, test system state restores plus an alternate backup such as Windows Server Backup, so that PSS can restore when the 3rd-party product fails to restore

  9. ADMIN STUFF
    1. Execute 948690 if EFS on a W2K3 computer is upgraded to W2K8
    2. If using GPP, install 943729

  10. RECYCLE BIN STUFF
    1. With Identity Lifecycle Manager (ILM), including Feature Pack 1 (FP1), the Management Agent for Active Directory is not supported with the Recycle Bin feature. KB2018683

Comments

  • Anonymous
    January 01, 2003
    Any new upgrade considerations concerning AD upgrade from W2K3 to W2012 R2 ? Thanks !

  • Anonymous
    January 01, 2003
    For 1p, to find a list of DES enabled accounts see http://blogs.msdn.com/b/muaddib/archive/2014/03/30/powershell-script-to-query-useraccountcontrol-flags.aspx

  • Anonymous
    January 01, 2003
    Might be worthwhile to add support.microsoft.com/.../982020

  • Anonymous
    January 01, 2003
    Is there anything that needs to be done or considered when migrating from 2003 domain/forest level to 2008R2 with all DCs at 2008R2 with 2 other 2003 separate Domain incoming and outgoing Trusts, one Trust that is a Forest Trust and the other is an External Trust? Is there any chance or risks that doing this upgrade will break either one of these Trust relationships? Some of the user accounts with SID history have been migrated from both Domain Trusts to our domain. Any chance that this upgrade will break these relationships for users that are using SID history for access to folders and files in their old Domains? If so, what can be done to protect these trusts and SID history prior to moving the Domain to 2008R2?

  • Anonymous
    January 01, 2003
    Great article!! Please give us the honor of knowing the new issues compilation for the Windows 2012 upgrade!! Thanks!!

  • Anonymous
    May 26, 2010
    Love the new look.

  • Anonymous
    April 09, 2014
    hi Soumia, please try this link for Server 2012 ADDS upgrade consideration:
    http://blogs.technet.com/b/askpfeplat/archive/2013/04/29/upgrading-or-migrating-active-directory-to-windows-server-2012-build-your-roadmap-now.aspx

  • Anonymous
    July 18, 2014
    A one-liner to report on any accounts that are configured to only use DES encryption for Kerberos authentication.

  • Anonymous
    January 18, 2016
    I have the same question as MeanDean0.