I installed a new W2008 x64 DC at work in our W2003 native (single domain) forest. I’m happy to report that:
- It was easy.
- It went flawlessly.
I’m planning on wiping out the W2003 presence on our DC’s to have a native W2008 domain. Right now, there’s no support for monitoring it using SCOM 2007 so I’ll have to wait for a wee while for the management pack and agent support. I want to be able to monitor our AD so I’ll wait before completing this project.
Here’s one way to introduce a W2008 DC to your existing W2003 AD.
The first question is: to upgrade or do a lean install? MS are strongly recommending clean installs. In fact, they almost go as far as saying don’t upgrade. They do clearly say that a machine with only W2003 components can be upgraded fairly dependably but you’ll want to verify that the machine spec and configuration are good. Watch out for the desired 40GB C drive – you’ll need to buy 72GB drives if using HP like me. Things like dodgy AV (I mean you Muckafee and Sinmantec), well …. you’ll want to do a clean install there because, in my opinion, Sinmantec trash the TCP stack when they get their hands on it and the W2008 stack is a complete re-write.
Next question: do you need a rollback plan for the required schema updates? Best practice is "yes". The best plan here is to power down selected DC’s before the upgrade and leave them off until you’re sure everything is OK. Keep the holder of the Schema Master FSMO role turned on – we need it. If so, then just power on those DC’s and continue as normal.
If something does go wrong with the schema updates then you power off the powered on DC’s and only then would you power on the standby DC’s. Seize the FSMO roles to one of the now powered on standby DC’s. Do a metadata cleanup to wipe away all traces of the powered off DC’s. The powered off DC’s would be disconnected from the network (to prevent AD replication), rebuilt, reattached to the network and DCPROMO’ed.
We’re assuming everything is good. I’ve not heard of anyone having a schema corruption via a MS update but I’d always recommend being safe.
Now you can follow the process that MS describes. It’s pretty simple:
- Copy the "sources\adprep" folder from the W2008 media to a W2003 DC where you will run the schema updates. The best DC for this is the holder of the Schema Master FSMO role. The tools you’ll use are in this folder.
- Run adprep /forestprep to prepare the forest..
- Run adprep /domainprep /gpprep to prepare the domain.
- MS says to only run adprep /rodcprep if you want to run Read-Only DC’s. As discussed on the Minasi forum, the W2008 version of Dcdiag.exe returns an error when it runs the NCSecDesc test if you don’t do this step. I did it anyway just to get clean results from DCDIAG.
- Now you should build your W2008 DC’s operating system and configure it as required. Install the AD services role. This will probably install DNS as well.
- You’re all ready to do your DCPROMO. It’s pretty much the same as before apart from an annoying DNS warning. At the end, I’d recommend saving the unattended answer file settings. You can use this when you plan to DCPROMO your next W2008 DC.
Now, keep an eye on your network, e.g. DFS, FRS, Directory Services, System and Application logs. I finished off by moving the FSMO roles to my new W2008 DC.
This blog post is the property of Aidan Finn (@joe_elway / http://www.aidanfinn.com) and may not be reused in any manner without prior consent of Aidan Finn. You may quote one paragraph from this blog post if you link to the original blog post.