
Tuesday, February 23, 2010

How to Upgrade Your Active Directory Domain to Windows Server 2008 R2


Upgrading Windows domains isn't a new process. In fact, long-lived domains may have undergone this task as often as twice already: Windows 2000 to 2003, and later from 2003 to 2008. Although the changes an upgrade introduces into your domain differ dramatically from version to version, the process for actually completing the upgrade hasn't changed much over the years.

The central problem with domain upgrades, however, is that they don't happen all that often. If you skipped any of the previous upgrades, preferring to remain at an old functional level, then it has been somewhere between 2 and 7 years since you last thought about domains and functional levels.

As a result, this tip isn't necessarily going to teach you anything new. But what it will do is serve as the step-by-step reminder for how to get through your own upgrade process. The process has six rough steps, each of which you'll want to follow to ensure the highest level of success.

Step one: run a series of sanity checks on your domain. I call these verifications "sanity checks" because they use a series of tools that verify the basic health and well-being of your domain. With a domain upgrade doing many different and major things to your domain all at once, you'll want to start it from the healthiest domain possible; a problem that is merely annoying today becomes much harder to diagnose once the schema has changed underneath it.

Three sanity check tools immediately come to mind for this verification, although others might be useful for your own preparation. The first is dcdiag.exe, which is available in the Support Tools installation on the Windows Server 2003 media. It is natively installed on Windows Server 2008 computers and can be run directly from the command line. Dcdiag.exe runs a series of diagnostics on your domain that verify DNS functionality, AD configuration, sites and services, and schema health, among others (run it with /e to test every domain controller in the enterprise rather than only the local one). For each test, the diagnostic returns a "passed" or "failed" response. You should not upgrade your domain (or even move to the next step in this process) until it passes each test to your satisfaction.

The second tool verifies the status of replication between domain controllers. Running repadmin.exe /replsummary generates a summary of replication status for every domain controller in the forest. For each source and destination domain controller, the tool displays the largest replication delta, the number of failed attempts out of the total, and the most recent error. As with dcdiag.exe, your replication should be in a healthy state (zero failures, deltas no larger than your replication schedule explains) before attempting an upgrade.

Gpotool.exe is your third sanity tool. Originally found in the Windows 2000 and Windows 2003 resource kits, this tool remains useful today to ensure that both "halves" of your Group Policies are properly synchronized. Remember that each Group Policy is stored in two places: the Group Policy Template in SYSVOL and the Group Policy Container in the AD database itself, and each half carries a version number that must match the other. If at any point in the past someone has made manual modifications to the Group Policy files in your SYSVOL, it is possible that the two halves have fallen out of sync. That version mismatch can not only cause problems with your upgrade but also is a source of Group Policy failure in its own right. Running gpotool.exe against your domain controllers will result in a list of GPOs, all of which should include the response "Policy OK." If you see errors in any policies, consider reviewing and even re-creating those policies before continuing.

Gpotool.exe hasn't been updated for Windows Server 2008, so if you prefer more modern tools you'll need to look elsewhere. If PowerShell is more your style, SDM Software has a set of freeware Group Policy cmdlets that can perform many of the same verifications as gpotool.exe as well as a few additional ones. Download them at www.sdmsoftware.com. Windows Server 2008 R2 (and Windows 7 with RSAT) also ships a GroupPolicy PowerShell module whose Get-GPO cmdlet reports the AD and SYSVOL version numbers of each GPO, which is the same comparison gpotool.exe makes.
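The three checks above, scripted together so they can be re-run until everything is clean. This is an added example and not part of the original post; it assumes you run it as a Domain Admin on a Windows Server 2008 R2 domain controller (or Windows 7 with RSAT), so that dcdiag.exe, repadmin.exe and the GroupPolicy PowerShell module are all available, and the repadmin parsing relies on the default /replsummary output layout.

```powershell
# Added example, not from the original post: the three sanity checks scripted together.
# Assumes it runs as a Domain Admin on a Windows Server 2008 R2 DC (or Windows 7 with RSAT),
# so dcdiag.exe, repadmin.exe and the GroupPolicy PowerShell module are all present.
Import-Module GroupPolicy

function Test-DomainUpgradeReadiness {
    $result = @{}

    # 1. dcdiag against every DC; /q prints only failures, so any "failed test" line matters
    $dcdiagOut = & dcdiag.exe /e /q
    $result['DcdiagFailures'] = @($dcdiagOut | Where-Object { $_ -match 'failed test' })

    # 2. repadmin /replsummary; a summary row looks like
    #    " DC01   12m:30s   0 /   5    0"  (source DSA, largest delta, fails/total, %).
    #    Rows with a non-zero fail count are collected. Relies on the default output layout.
    $replOut = & repadmin.exe /replsummary
    $result['ReplFailures'] = @($replOut | Where-Object {
        ($_ -match '^\s*(\S+)\s+\S+\s+(\d+)\s*/\s*\d+') -and ([int]$matches[2] -gt 0)
    })

    # 3. GPO consistency (what gpotool.exe checked): the AD-side (GPC) and SYSVOL-side (GPT)
    #    version numbers must agree for both the computer and user halves of every GPO.
    $result['GpoMismatches'] = @(Get-GPO -All | Where-Object {
        $_.Computer.DSVersion -ne $_.Computer.SysvolVersion -or
        $_.User.DSVersion     -ne $_.User.SysvolVersion
    } | Select-Object DisplayName, Id)

    $result['Ready'] = ($result.DcdiagFailures.Count -eq 0 -and
                        $result.ReplFailures.Count   -eq 0 -and
                        $result.GpoMismatches.Count  -eq 0)
    New-Object PSObject -Property $result
}

$check = Test-DomainUpgradeReadiness
$check.DcdiagFailures
$check.ReplFailures
$check.GpoMismatches | Format-Table -AutoSize
if (-not $check.Ready) { Write-Warning 'Fix the items above before running adprep.' }
```

Keep the output of a clean run with your change record; if the upgrade later misbehaves, a "known good" baseline from the day before is the first thing you will want.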

Step two: can occur in parallel with step one. In essence, step two suggests nothing more than this: back up your domain controllers! A domain upgrade is a one-directional action, so any problem will mean a very bad day if you don't have good backups. Remember that successfully capturing your AD data requires a backup of every drive touched by AD (typically only the C drive, unless you've positioned the database or log files on other drives) as well as a System State backup: ntbackup on Windows Server 2003, or wbadmin start systemstatebackup on Windows Server 2008. For completeness, you might want to complete this task on every domain controller. At a minimum, back up the schema master and at least one domain controller in each domain; a single good backup is enough to recover, if you don't mind some extra work in the case of a failure.

Step three: starts after you're completely satisfied with your backups as well as with the health of your not-yet-upgraded domain. This all-important step is usually considered the most challenging part of the upgrade, but not for technical reasons.

Before upgrading the OS on any domain controller, step three requires you to extend the forest schema and prepare each domain. The challenge in this part of the upgrade is in proving that the one-way schema extension won't break your AD. This is particularly the case if you've added any custom entries to your AD schema since the last OS-related upgrade (application schema extensions included), or if you run ADAM or Active Directory Lightweight Directory Services instances alongside your domain.

A schema upgrade can only be done once, so a smart way to test it is to create an offline copy of your AD inside a virtual machine. Doing this correctly takes a few steps you might not expect, because you don't want to leave an orphaned domain controller object in your domain for the test virtual machine, and you never want the copy to talk to production. To create an offline copy of your AD, use the following steps:

    * Create a new site in AD.
    * Add a member server virtual machine to the domain in the new site.
    * Run the DCPROMO wizard on that virtual machine to promote it to a domain controller.
    * Wait for replication to complete, then shut down the domain controller.
    * Create a copy of the virtual machine's disk file, then restart the domain controller.
    * Use the DCPROMO wizard to demote the domain controller back to a member server and remove it from the production network.
    * Once you complete the previous step, create a new virtual machine that uses the copy of the original virtual machine's disk file. Ensure that this second virtual machine has no connection to your production network (this is very important: a cloned domain controller that can reach production will attempt to replicate with it, and the real domain controllers have no way of knowing it is a copy).
    * Power on the cloned domain controller and seize each of the domain's five FSMO roles onto it with ntdsutil, since the real role holders are unreachable from the isolated network.

Once these steps are complete, you have an exact copy of your AD that you can use to test a schema upgrade. If the upgrade fails against this copy, you can use the offline virtual machine to determine the source of the failure without any risk to production. Treat the copy as disposable: once the rehearsal is done, delete it rather than keeping a second set of your domain's password hashes around.

You launch the schema upgrade with the adprep.exe tool, found on the Windows Server 2008 R2 DVD in the \support\adprep folder (adprep.exe is 64-bit; a 32-bit adprep32.exe is provided for 32-bit domain controllers). There are two required uses of this tool: /forestprep, which extends the schema and must be run on the schema master, and /domainprep, which must be run in every domain on that domain's infrastructure master. Two optional switches prepare the forest for Read-Only Domain Controllers by updating permissions on the application directory partitions (/rodcprep, if not completed during the 2003 to 2008 upgrade) and update Group Policy permissions in SYSVOL (/gpprep, for domains that were never prepared beyond Windows 2000). Each of the possible switch configurations is listed below. Run the forest preparation first, let it replicate to every domain controller, and only then run the domain preparation:
adprep.exe /forestprep
adprep.exe /domainprep
adprep.exe /domainprep /gpprep
adprep.exe /rodcprep
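The rehearsal on the isolated copy, from the FSMO seizure through the adprep sequence above, as one script. This is an added example and not part of the original post. It assumes it runs on the cloned lab domain controller, whose only network adapter sits on an isolated virtual switch, with the Windows Server 2008 R2 DVD mounted as D:; the production domain controller names are hypothetical placeholders. The objectVersion check reads the schema container directly; 47 is the value a Windows Server 2008 R2 schema reports.

```powershell
# Added example, not from the original post: rehearse the schema upgrade on the isolated copy.
# Assumes it runs on the cloned lab DC, whose only network adapter sits on an isolated virtual
# switch, with the Windows Server 2008 R2 DVD mounted as D:. DC names are hypothetical.
$labDc   = $env:COMPUTERNAME
$prodDcs = @('DC01', 'DC02')                # your production domain controllers
$adprep  = 'D:\support\adprep\adprep.exe'   # use adprep32.exe on a 32-bit lab DC

# Guard: a cloned DC that can reach production will try to replicate with it and corrupt
# the real directory, so refuse to continue if any production DC answers.
foreach ($dc in $prodDcs) {
    if (Test-Connection -ComputerName $dc -Count 1 -Quiet -ErrorAction SilentlyContinue) {
        throw "Production DC $dc is reachable from the lab copy. Disconnect the network first."
    }
}

# Seize all five FSMO roles onto the lab DC. ntdsutil first attempts a transfer, which
# times out because the real owners are unreachable, then seizes; each seize pops a
# confirmation dialog that must be acknowledged.
& ntdsutil.exe 'roles' 'connections' "connect to server $labDc" 'quit' `
    'seize schema master' 'seize naming master' 'seize RID master' `
    'seize PDC' 'seize infrastructure master' 'quit' 'quit'
& netdom.exe query fsmo        # every role should now list the lab DC

function Get-SchemaVersion {
    # objectVersion on the schema container: 30/31 = 2003/2003 R2, 44 = 2008, 47 = 2008 R2
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    [int][string]$schema.objectVersion
}

"Schema objectVersion before: $(Get-SchemaVersion)"

# Same order as in production: forest first, then domain (with /gpprep if never done), then RODC.
# /forestprep asks you to type C and press ENTER to confirm.
& $adprep /forestprep
& $adprep /domainprep /gpprep
& $adprep /rodcprep

"Schema objectVersion after: $(Get-SchemaVersion) (47 expected for Windows Server 2008 R2)"

# adprep writes its logs under %SystemRoot%\debug\adprep\logs; surface anything that went wrong
Get-ChildItem "$env:SystemRoot\debug\adprep\logs" -Recurse -Filter *.log |
    Select-String -Pattern 'error|fail'
```

In production you run the same three adprep commands, but on the real schema master and infrastructure master respectively, and you wait for /forestprep to replicate everywhere (repadmin.exe /replsummary again) before /domainprep. The before-and-after objectVersion numbers are worth recording in both the lab and production runs.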

Step four: will likely involve the most work of all the steps. During this step, you will need to upgrade each and every domain controller in your domain, and eventually your forest. Obviously, this process involves getting each domain controller onto the new OS. It is usually a smart idea during this step to build a fresh installation for every domain controller rather than upgrade in place: since the directory itself is replicated, a freshly installed Windows Server 2008 R2 server promoted with DCPROMO into the prepared domain receives your AD data without an in-place upgrade, after which you transfer the FSMO roles to it and demote and rebuild the old domain controllers one at a time. Reserve the in-place upgrade for the cases where you cannot add a new server, and remember that it is only possible from an x64 installation, because Windows Server 2008 R2 is 64-bit only.

Step five: doesn't occur until you've reached one of two milestones. Only once you've upgraded every domain controller in your domain can you raise your Domain Functional Level to Windows Server 2008 R2. Once every domain in the forest is at that level, it becomes possible to raise the Forest Functional Level. Both of these actions can be accomplished within Active Directory Domains and Trusts on an upgraded domain controller, or with the Set-ADDomainMode and Set-ADForestMode cmdlets from the Windows Server 2008 R2 ActiveDirectory PowerShell module. Each is a separate operation, and each should be treated as one-way: the wizard will refuse to proceed while any domain controller below the target level still exists, but it will not tell you which one, so check first.
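Checking the two milestones and raising the levels in order, as an added example that is not part of the original post. It assumes it runs on a Windows Server 2008 R2 domain controller (the ActiveDirectory module needs Active Directory Web Services) with Domain Admins rights for the domain raise and Enterprise Admins rights for the forest raise.

```powershell
# Added example, not from the original post: confirm every DC is upgraded, then raise the
# levels with the ActiveDirectory module. Assumes a Windows Server 2008 R2 DC (the module
# needs Active Directory Web Services) and Domain Admins / Enterprise Admins rights.
Import-Module ActiveDirectory

function Get-LaggingDomainControllers {
    param([string]$Domain)
    # Any DC not reporting Windows Server 2008 R2 blocks the functional-level raise
    Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { $_.OperatingSystem -notlike '*2008 R2*' } |
        Select-Object Name, Site, OperatingSystem
}

$domain = Get-ADDomain
$forest = Get-ADForest

# Milestone 1: all DCs in this domain upgraded -> raise the Domain Functional Level.
$lagging = @(Get-LaggingDomainControllers -Domain $domain.DNSRoot)
if ($lagging.Count -gt 0) {
    $lagging | Format-Table -AutoSize
    throw "Domain $($domain.DNSRoot) still has $($lagging.Count) DC(s) below 2008 R2."
}
Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Confirm:$false

# Milestone 2: every domain in the forest at the 2008 R2 DFL -> raise the Forest Functional Level.
$notReady = @($forest.Domains | Where-Object {
    (Get-ADDomain -Identity $_).DomainMode -ne 'Windows2008R2Domain' })
if ($notReady.Count -gt 0) {
    throw "Raise these domains first: $($notReady -join ', ')"
}
Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false

# Both raises are effectively one-way; verify and record the result
Get-ADDomain | Select-Object DNSRoot, DomainMode
Get-ADForest | Select-Object Name, ForestMode
```

Run the domain half in each domain of the forest before attempting the forest half; the forest raise queries the domain naming master, so give the domain-level changes time to replicate there first.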
