Active Directory Upgrade 2000 - 2008

Post by scj6771 »

I will try to keep this as short and sweet as possible. I have a plan in place to move from 2000 to 2008 using this technique http://social.technet.microsoft.com/wiki/contents/articles/active-directory-upgrade-high-level-steps.aspx I have tested all of this in a lab environment but had a few questions:

1. I was told that this command (http://support.microsoft.com/kb/962355/en-us) would work on win 2000 when I need to export the DHCP database "c:\w2k3DHCPdb all", but it looks to be a 2003 command?

2. What if our current DC is also a print server? I believe that this obstacle could be a show stopper, after I transfer the FSMO roles and "demote" the old DC I will rename the new DC to what the old DC was, however, how is that going to work if people are printing to a printer located at "DC_OLD" with a server name that now belongs to "DC_NEW"? (I hope that makes sense)? OR.. do I really need to give the new DC the same name as the old?

3. Can I place the 2008 box on the domain (obviously I am not making it a DC at this point and it won't have the same name) before I start Adprep.exe on my 2000 box?

Post by YeOldeStonecat »

There are several different ways to move DHCP data from one box to another...even just copying 'n pasting the MDB files....sometimes you get a quirk down the road (like corruption)....sometimes you don't. So I try to just recreate it manually when I can. I mean...honestly...it takes just a minute or two to recreate the same scope on a fresh DHCP service. And unless you have like...15 or 20 reservations...those don't take too long to recreate.....I just make a screen shot of the old one expanded....and manually enter 'em all in the new one.
http://blogs.technet.com/b/networking/a ... -2008.aspx

Printers....on the new 2008 server...install the servers on it...share 'em out..and publish them in group policy, 2k8 server has a wicked easy print publisher now. Clients will automatically pick them up upon login.

Yes you can place a 2k8 server in a 2k directory...I recently did a 2000 to 2008 server replacement at an eye care center....pretty easy. You gotta run a few adprep commands against the 2000 box first....ADPREP /forestprep /domainprep and /gpprep.

So I'd take the 2k8 box....join the domain. Run the above ADPrep commands. Install the network printers on the 2k8 box..share them out. Assuming you'll have 64 bit 2k8 so also install 32 bit drivers for the share. Share them out. Recreate your file/folder shares. Run DCPROMO on her. Shift over DHCP to her. Make her the primary DNS for network in DHCP...shift everyone over. Publish your new print shares via the new 2k8 print tool. Move over the AD roles so none are left on the old server. Pull over the files..change login scripts. Should have everything on the new server now..old server still there "just in case" something was missed. Wait a few days...DCPROMO demote old server...wait another day or so and then kill her.

Microsoft also has a "Microsoft File Server Migration Wizard" toolkit...works fairly well, I've had it sometimes work fine and other times..have problems. Ton of links here on it if you want to check it out. I don't think I've tried it going from 2000 to newer, I think I only used it from 2k3 to 2k3.
http://www.google.com/search?rlz=1C1CHN ... ion+wizard
MORNING WOOD Lumber Company
Guinness for Strength!!!
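
Added example, not part of the thread or any poster's own code: a pre-demotion check for the "move over the AD roles so none are left on the old server" step, which parses the text output of `netdom query fsmo` and lists any role still held by the old DC. The output layout, the host names (DCAD is the stand-in name used later in the thread; NEWDC01 and example.local are constructed) and the function names are assumptions for illustration.

```powershell
# Constructed sample of `netdom query fsmo` output (format assumed, not from
# the thread). On a live DC: $text = netdom query fsmo | Out-String
$sample = @'
Schema master               DCAD.example.local
Domain naming master        DCAD.example.local
PDC                         NEWDC01.example.local
RID pool manager            NEWDC01.example.local
Infrastructure master       NEWDC01.example.local
The command completed successfully.
'@

function Get-FsmoHolder {
    param([string]$Text)
    $roles = 'Schema master', 'Domain naming master', 'PDC',
             'RID pool manager', 'Infrastructure master'
    $found = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        foreach ($role in $roles) {
            # Role label, a run of spaces, then the holder's FQDN
            $pattern = '^\s*' + [regex]::Escape($role) + '\s{2,}(\S+)\s*$'
            if ($line -match $pattern) { $found[$role] = $Matches[1] }
        }
    }
    # A role missing from the output is flagged, never silently skipped
    foreach ($role in $roles) {
        if (-not $found.ContainsKey($role)) { $found[$role] = '<not reported>' }
    }
    return $found
}

function Get-DemotionBlocker {
    param([string]$Text, [string]$OldDc)
    $holders = Get-FsmoHolder -Text $Text
    $blocking = @()
    foreach ($role in $holders.Keys) {
        $holder = $holders[$role]
        # Compare the short host name only (-eq is case-insensitive)
        if ($holder -eq '<not reported>' -or ($holder -split '\.')[0] -eq $OldDc) {
            $blocking += "$role -> $holder"
        }
    }
    return , $blocking
}

$blocking = Get-DemotionBlocker -Text $sample -OldDc 'DCAD'
if ($blocking.Count -gt 0) {
    'Do not demote DCAD yet; roles still held there or unknown:'
    $blocking
} else { 'No FSMO roles remain on DCAD.' }
```

With the constructed sample, the schema master and domain naming master roles are reported as still on DCAD, so the demotion step should wait until they are transferred.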

Post by scj6771 »

Thanks for the reply Stonecat, your suggestions are spot on and are exactly what I had in mind. What are your thoughts on the new DC NOT taking over the same name as the old DC? I have to admit, I have planned and tested this whole process with the understanding that the new DC will take on the same name as the old DC, that was until my boss asked me why we couldn't rename it and asked me what are some possible pitfalls if we do rename it?

Does it even make sense to give the new DC a new name or are we just asking for trouble?

Post by YeOldeStonecat »

I've never given a new server the same name as the old one. Yes that means re-doing the login scripts, and shortcuts on people's desktops that may point to the UNC path on a server....and printers. BUT..that's how I've done it. I've replaced workstations and called them the same exact name, I just ...I don't recall ever calling a server the same name as what it replaced. For one...once a server is a DC, renaming it...I don't think you can (would have to check that with 2k8..I never thought about it, so never looked at it). How do you do a migration from one server to another and have two servers of the same name on the network? You can't! Can't have 2 computers with the same name in active directory.

Post by scj6771 »

> How do you do a migration from one server to another and have two servers of the same name on the network? You can't! Can't have 2 computers with the same name in active directory.

No doubt, the 2008 box is already in place with a name like "DCAD1" and our current DC is called something like "DCAD", basically I was going to keep the name of the new server until I "demoted retired and removed" "DCAD" and then rename "DCAD1" TO "DCAD"....

Anyway, I get the point and will be renaming the 2008 box to something completely different.

Post by scj6771 »

Hate to be a pest but I had another potential issue.

We have two "backup" DC's... Once my new Windows 2008 machine is "promoted" and the Windows 2000 "primary" DC "demoted" what will become of the secondary DC's? (they are Windows 2000 machines) Can a Windows 2008 DC and a Windows 2000 "backup" DC coexist? Should I demote them and have them as member servers?

The other two I call "backup's" because they are running AD and are used really only as another way of authentication if the primary fails.

Post by YeOldeStonecat »

You'll be stuck not able to run 2008 native mode....and lose a lot of good features of 2k8. How large is your organization? How many other servers?

Post by scj6771 »

> How large is your organization? How many other servers?

700 users and around 100 servers or so, I definitely want to run in native mode so I don't see any issues demoting those other two or upgrading them. Am I wrong to believe that one DC is sufficient for a single domain of our size?

Post by YeOldeStonecat »

I would want at least 2x DCs. Having multiple DCs is a method of giving your network redundancy. If your DC goes down...how many people are out of production? How much money per hour does that cost the business?

Another reason for multiple DCs is...how many locations are you at? Single location? Having 2x DCs minimum should suffice. 6x locations connected in WAN? If more than say..a dozen or twenty or more peeps at each satellite, I'd want a DC at each satellite.

700 users and 100 servers...that is an odd "client to server" ratio. Why so many servers for 700 peeps?

Post by scj6771 »

Closer to 70 really, have 4 ESX machines containing 10-15 per and then several physical boxes, we run so many application servers around here it's ridiculous.

So I think what we could do is set up our primary and then build another DC for replication/backup/redundancy and whatnot?

Post by YeOldeStonecat »

Wow...must be a licensing nightmare!
You doing vCenter w/vMotion in your ESX setup?

1x DC = single point of failure....if it goes down, your network (and staff) lose quite a bit of productivity..thus lose quite a bit of money.
Adding another DC greatly decreases your point of failure. You'd want it on a different ESX host...you don't want both DCs on the same physical host...cuz..what if that host blows a major piece of hardware..that means both your DCs go down..so put a second DC on your network..on the other host. Hopefully different battery backup unit too. Both ESX units sharing the same SAN? What if that tanks? Think about what it would take to drop both DCs...and eliminate as much risk as you can.
Adding a 3rd DC decreases your likelihood of loss of network functionality even further....but IMO, for the same physical location (building)..just 2x DCs should be enough.
It's a price versus reducing risk factor.

Post by scj6771 »

Something else just came up, what about CALs (Client Access Licenses)? I'm not even sure why this was brought to the table but it was. All of our clients are running Windows XP Pro which are each licensed with the single volume licensing key we purchased way back when.

If our domain is upgraded to 2008 will the clients encounter any issues when logging in and authenticating?

Post by YeOldeStonecat »

Yah, you'll have the CALs too. Right off the bat I'd say you'll need Server 2008r2 CALs..700 of them. But I don't know your setup there...if all users access all your servers, or whatever. I'd recommend calling a Microsoft licensing rep. There's a lot of details to hammer out I'm sure.

Not knowing your setup, user CALs vs device CALs.....I usually go with user CALs. But some places end up having device CALs work better for them, such as..a place that is staffed 24 hours with 3x shifts of employees...say you have 300 employees..but across 3 shifts of 100 each sitting down at 100 computers.

Post by scj6771 »

CALs are on their way and we are going with Windows Server 2008 Enterprise Edition and not R2, I would have rather we went with R2 but some things are out of my control, do you foresee any issues with that?

I just wanted to reiterate some talking points and get your thoughts.

1. After this new 2008 AD box is up and running, we will for the moment have only one AD DC, I know this is not SOP but the plan will be to create another new 2008 box in the very near future to give us another DC.
2. We will still have the other 3 Windows 2000 boxes which have AD on them after this upgrade. I know you mentioned that we will be stuck in mixed mode if we do so, but they have other roles (Print servers, Radius for wireless authentication), do we need ALL 2000 servers upgraded to make the switch to native mode or just the 2000 DC’s?
3. As per number 2, how quickly do we need to demote the “schema master” (or any of the old DC’s) after we introduce the new 2008 DC? (I assume immediately after we test and all looks OK) I realize that once demoted they will reside in the computers container, concerns?
4. We will still be using the old Windows 2000 boxes for DNS and DHCP. Thoughts?

We really want to get the first new DC up and running with the least amount of disruption (we are a 24/7 shop here), everyone involved realizes the need to upgrade our 2000 servers.

I have a meeting in a couple of days regarding this and thought you could arm me with your concerns and suggestions. As always, thanks for your time.

Post by YeOldeStonecat »

You do not need all 2K servers to be upgraded, only the ones that are DCs.
You can move the roles at your leisure, there is no "has to be done within xxx amount of time" thing here. On some small networks I do it all in one day. For larger networks like yours..replication will take longer, so I'd perhaps do things in a week or so.
I'd no longer want to use the 2k boxes for DNS....your DCs have to run DNS, but you want your head DC to be the main DNS for your network. Additional DCs that come online..second DNS, etc. As for DHCP....."meh, can leave that" on the old 2k box if you don't want to move it.

Post by scj6771 »

Thanks for all your help Stonecat, I will add you to my list of contacts when the **** starts hitting the fan.. :)