Greg takes you through the steps of upgrading your AD from Windows Server 2003 to 2008.
It all happened because of Amazon.com. Specifically, Amazon helped push me to upgrade early to Windows Server 2008. A DNS server co-located with a domain controller (DC) simply refused to resolve images on Amazon's Web pages. After many troubleshooting failures, I decided to upgrade this production DC to Windows Server (WS) 2008.
Microsoft's newest server OS will be ready by the time you read this. The manner in which you upgrade, though, probably won't be immediate. Here's my prediction: Your path to WS 2008 will happen faster than it did from Windows XP to Windows Vista, and upgrading your DCs will probably be your first move.
Think about the servers in your environment. Application servers typically have one or more third-party tools installed. This increases the likelihood of conflicts and complicates testing. Mail servers are exceptionally critical to your business, so upgrading these involves a lot of preparation and an equal amount of risk. Even file servers, often the least customized from the perspective of installed apps, are still cumbersome due to the potential for data loss.
On the other hand, DCs are the perfect storm of low customization, few installed apps and high redundancy thanks to Active Directory's peer-to-peer replication. The upgrade process is also relatively easy for WS 2008. Best of all, the benefits to your AD make it well worth the effort.
First Time for Everything
Although the process to upgrade AD from Windows Server 2003 to WS 2008 isn't terribly complex, this is a process you've likely done only a few times. You've only had to upgrade a production AD domain twice before, once from Windows NT to Windows 2000 and a second time from 2000 to 2003. Because this isn't a commonplace upgrade process, let's take a look at the high-level steps you'll need to accomplish.
Assuming your AD domain is already at Windows 2003 Service Pack 3, the upgrade process involves five steps.
For step one, you'll want to run a series of "sanity checks" on your existing domain. It's not a good idea to upgrade an unhealthy domain, so you should resolve any issues with the existing domain before starting an upgrade.
There are three tools you'd typically use to verify AD health. The first one, dcdiag.exe from Support Tools, runs a series of health and status verifications against the domain. Repadmin.exe, your second tool, is also in Support Tools. This one verifies that replication is running smoothly between DCs. You'll also want to verify Group Policies in your domain, specifically their internal consistencies. You can do this with gpotool.exe, which you'll find in the Resource Kit Tools.
If the domain fails any checks, you should investigate further and resolve any errors. You can avoid some of the worst upgrade scenarios by ensuring the proper functionality of the domain before you start.
Step two is easy. Before starting the upgrade, back up one or two of your DCs. You'll want to back up the entire server, plus its system state. If something happens, remember that you have to restore backups to the same computer where the original backup took place.
The third step is relatively trivial from the standpoint of mouse clicks -- extending the schema -- but it's often the most difficult of all. More often than not, the challenges are political, not technical: Convincing the powers that be that you need to make a schema extension can be a nightmare. Try this: Tell them you're just making a few changes to the structure of the AD database, instead of using the much scarier sounding phrase "schema extension."
Two extensions are also required, which is similar to the last upgrade. Before adding your first WS 2008 DC, you'll have to run adprep.exe /forest prep to extend the Forest schema. For the domain, you also need to run adprep.exe /domain prep. If you plan to use Read-Only DCs, you'll need to run adprep.exe /rod prep. Find adprep.exe on the WS 2008 media in the \sources\ad prep folder.
For step four, you'll add WS 2008 DCs to the environment. You'll do this by upgrading an existing DC. If the hardware is available, you could also add a new WS 2008 machine to the domain and run dcpromo.exe. Doing it this way makes it easier. New WS 2008 instances, once promoted, exist in the same domain and forest functional level as their residing domain. So a new WS 2008 DC will follow the functional level rules of the other DCs.
Once you promote a DC and finish replication, you'll need to finish testing the new DC. You may want to wait a bit and watch the event log for errors before upgrading further. Once you're comfortable with your environment, you can continue upgrading and replacing your remaining DCs. Use dcpromo.exe to properly demote any DCs.
Once you've upgraded all the DCs in your domain, step five raises the Domain Functional Level and ultimately the Forest Functional Level to Windows Server 2008. Raising the domain functional level will add some new features to the domain, such as DFS support for replicating the SYSVOL, AES encryption support, last interactive log-on information and the ability to create fine-grained password policies. Raising the forest functional level provides no new features, but ensures that new domains are automatically created as WS 2008.
Good luck with your upgrade. Let us know how it goes and where you run into problems. I'd also love to hear if you think my predictions ring true about how you might upgrade.
Greg Shields is a senior partner and principal technologist with Concentrated Technology. He also serves as a contributing editor and columnist for TechNet Magazine and Redmond magazine, and is a highly sought-after and top-ranked speaker for live and recorded events. Greg can be found at numerous IT conferences such as TechEd, MMS and VMworld, among others, and has served as conference chair for 1105 Media’s TechMentor Conference since 2005. Greg has been a multiple recipient of both the Microsoft Most Valuable Professional and VMware vExpert award.