
Appendix B: How to Upgrade Domain Controllers to Windows Server 2008 or Windows Server 2008 R2

Updated: October 2009

Applies to: Windows Server 2008, Windows Server 2008 R2

This topic explains the process for upgrading domain controllers to Windows Server 2008 or Windows Server 2008 R2. It has links to related information about the upgrade process and issues that you might encounter.

What’s new in AD DS in Windows Server 2008 and Windows Server 2008 R2

The following table has links to more information about new features and functionality in Windows Server 2008 and Windows Server 2008 R2.

 

Windows Server 2008

For information about each feature, special considerations, and how to prepare for deployment, see Changes in Functionality from Windows Server 2003 with Service Pack 1 (SP1) to Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=164410).

For information about specific features in Active Directory Domain Services (AD DS) in Windows Server 2008, see Active Directory Domain Services Role (http://go.microsoft.com/fwlink/?LinkId=164414).

Some functionality that was available in previous versions of Windows Server is deprecated in Windows Server 2008. For example, SMTP Replication is removed by default. For more information, see article 947057 in the Microsoft Knowledge base (http://go.microsoft.com/fwlink/?LinkId=164416). The Browser Service is disabled by default in Windows Server 2008 and Windows Server 2008 R2 domain controllers.

Windows Server 2008 R2

For information about each feature, special considerations, and how to prepare for deployment, see Changes in Functionality from Windows Server 2008 to Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=139049). For information about specific features in AD DS in Windows Server 2008 R2, see What's New in Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkID=139655).

In Windows Server 2008 R2, Dcpromo.exe does not allow the creation of a domain that has a single-label Domain Name System (DNS) name. If you try to promote an additional domain controller in a domain that has a single-label DNS name (such as contoso, instead of contoso.com), the check box to install a DNS server is not available in Dcpromo.exe. Upgrading Windows Server 2003 domain controllers in Windows Server 2008 and Windows Server 2008 R2 single-label domains is supported. Promoting additional Windows Server 2008 and Windows Server 2008 R2 domain controllers into existing single-label DNS domains is supported.

Windows Server 2008 R2 does not support MSMQ in domain mode for Windows NT 4 and Windows 2000 MSMQ clients running against Windows Server 2008 R2 domain controllers that have no Windows Server 2003 or Windows Server 2008 domain controllers in the same environment.

For more information about other functionality in Windows Server 2003 that is deprecated in Windows 7 and Windows Server 2008 R2, see (TBD) (http://go.microsoft.com/fwlink/?LinkId=164420).

For more information about other known issues for AD DS, see Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164418).

System requirements for installing Windows Server 2008 and Windows Server 2008 R2

For system requirements for Windows Server 2008, see “System Requirements” in Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=164421).

For disk-space requirements for AD DS in Windows Server 2008, see Disk space and component location issues in Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164423).

For system requirements for Windows Server 2008 R2, see Installing Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=160341).

For disk-space requirements for AD DS in Windows Server 2008 R2, see Disk space and component location issues in Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkID=164423).

The AD DS database (Ntds.dit) on Windows Server 2008 R2 domain controllers can be larger than in previous versions of Windows, for the following reasons:

  • The "partial merge" feature is disabled on Windows Server 2008 R2 domain controllers.

  • Windows Server 2008 R2 Adprep /forestprep adds two new indices on the large link table.

  • The Windows Server 2008 R2 Active Directory Recycle Bin feature, when it is enabled, preserves attributes on deleted objects for the recycled object lifetime.

The Active Directory database on a Windows Server 2008 domain controller that is promoted into a Windows 2000 domain should be a size that is similar to the size of the Active Directory databases on the Windows 2000 domain controllers. While Windows Server 2008 R2 additions increase the database size, the addition of a single-instance store that is supported by domain controllers that run Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 offsets that increase. Windows Server 2008 R2 domain controllers are estimated to be 10 percent larger than Windows Server 2008 domain controllers, not counting the Active Directory Recycle Bin.

In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle Bin feature increased the database size by an additional 15 to 20 percent of the original AD DS database size, using the default deletedObjectLifetime and recycledObjectLifetime values of 180 days. Additional space requirements depend on the size and count of the objects that can be recycled.

If an in-place upgrade to Windows Server 2008 or Windows Server 2008 R2 rolls back silently to the previous operating system version, check for sufficient free disk space on the partitions that host the AD DS database and log files.

Supported in-place upgrade paths

For upgrades to Windows Server 2008, see “Supported upgrade paths” in Guide for Upgrading to Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=146616).

For upgrades to Windows Server 2008 R2, see “Supported upgrade paths” in Installing Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=160341) and Windows Server 2008 R2 Upgrade Paths (http://go.microsoft.com/fwlink/?LinkID=154894).

If you replace domain controllers, use the metadata cleanup method in Windows Server 2008 and remove DNS and Windows Internet Name Service (WINS) records for the original role holder. For more information, see Cleaning metadata of removed writable domain controllers in Appendix A: Forest Recovery Procedures (http://go.microsoft.com/fwlink/?LinkId=164553).

Functional level features and requirements

Features that are enabled for Windows Server 2008 and Windows Server 2008 R2 domain and forest functional levels are documented in Understanding Domain and Forest Functionality (http://go.microsoft.com/fwlink/?LinkId=164555). Domain and forest functional level requirements for the deployment of Windows Server 2008 and Windows Server 2008 R2 domain controllers are as follows:

  • Adprep /forestprep does not have any domain or forest functional level requirements.

  • Adprep /domainprep requires a Windows 2000 native or higher domain functional level in each target domain.

  • Adprep /rodcprep does not have any functional-level requirements.

  • You can install Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 domain controllers in the same domain or forest without any functional-level requirement.

  • For installation of a read-only domain controller (RODC), the forest functional level must be Windows Server 2003 or higher.

Client, server, and application interoperability

  • Windows NT 4.0 computers cannot be joined to Windows Server 2008 and Windows Server 2008 R2 domains or domain controllers.

  • Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows 7 client computers are fully compatible with writable Windows Server 2008 and Windows Server 2008 R2 domain controllers. For member-computer interoperability with RODCs, see Known Issues for Deploying RODCs (http://go.microsoft.com/fwlink/?LinkID=164418).

  • For more information about which versions of Microsoft Exchange Server can interoperate with different versions of Windows, see Exchange Server Supportability Matrix (http://go.microsoft.com/fwlink/?LinkID=165034).

  • For a list of applications that are compatible with RODCs, see Applications That Are Known to Work with RODCs (http://go.microsoft.com/fwlink/?LinkID=133779). Exchange Server requires a writable domain controller; therefore, it does not work with RODCs.

Secure default settings in Windows Server 2008 and Windows Server 2008 R2

Windows Server 2008 and Windows Server 2008 R2 domain controllers have the following secure default settings, compared to Windows 2000 and Windows Server 2003 domain controllers.

 

Encryption type or policy | Windows Server 2008 default | Windows Server 2008 R2 default | Comment
AllowNT4Crypto | Enabled | Enabled | Third-party Server Message Block (SMB) clients may be incompatible with the secure default settings on Windows Server 2008 and Windows Server 2008 R2 domain controllers. In all cases, these settings can be relaxed to allow interoperability at the expense of security. For more information, see article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164558).
DES | Enabled | Disabled | [Microsoft Knowledge Base article in progress]
CBT/Extended Protection for Integrated Authentication | N/A | Enabled | See Microsoft Security Advisory (937811) (http://go.microsoft.com/fwlink/?LinkId=164559).
LMv2 | Enabled | Disabled | [Microsoft Knowledge Base article in progress]
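The table says which defaults changed but not how to find out whether one of them has already been relaxed on a given domain controller. The following script is an added example (not Microsoft's code) that reads the registry values behind the AllowNT4Crypto, DES and LMv2 rows from a list of domain controllers and reports them with a short interpretation; the CBT/Extended Protection row is not covered. It assumes Windows PowerShell 2.0, administrative rights and the Remote Registry service on each target, and the sample computer names are constructed. The registry locations are the standard ones for these policies but are this example's assumption; confirm them against the Knowledge Base articles the table references before acting on the report.

```powershell
# Added example (not Microsoft's code): report the registry values behind the secure
# default settings listed in the table for one or more domain controllers.
# Assumes Windows PowerShell 2.0, admin rights and Remote Registry on each target.
# The registry locations below are this example's assumption; verify them against
# the Knowledge Base articles the table references.

$DomainControllers = @('DC1', 'DC2')   # constructed sample names; replace with your own

function Get-RemoteRegistryValue {
    param([string]$Computer, [string]$SubKey, [string]$ValueName)
    # Returns the value, or $null when the key or value is absent (the OS default applies).
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($key -eq $null) { return $null }
        return $key.GetValue($ValueName, $null)
    } finally {
        $base.Close()
    }
}

# One entry per table row: the value to read and how to read its raw content.
$Checks = @(
    @{ Row = 'AllowNT4Crypto'
       SubKey = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       ValueName = 'AllowNT4Crypto'
       Meaning = { param($v)
           if ($v -eq $null)  { 'not set: operating system default applies' }
           elseif ($v -eq 1)  { 'NT 4.0-compatible cryptography ALLOWED (relaxed)' }
           else               { 'NT 4.0-compatible cryptography refused' } } },
    @{ Row = 'DES'
       SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
       ValueName = 'SupportedEncryptionTypes'
       Meaning = { param($v)
           if ($v -eq $null)      { 'not set: operating system default applies' }
           elseif ($v -band 0x3)  { 'DES Kerberos encryption types ALLOWED (bits 0x1/0x2 set)' }
           else                   { 'DES Kerberos encryption types excluded' } } },
    @{ Row = 'LMv2'
       SubKey = 'SYSTEM\CurrentControlSet\Control\Lsa'
       ValueName = 'LmCompatibilityLevel'
       Meaning = { param($v)
           if ($v -eq $null)  { 'not set: operating system default applies' }
           elseif ($v -ge 3)  { "level $v: NTLMv2 responses only (5 also refuses LM and NTLM)" }
           else               { "level $v: LM or NTLM responses still sent (relaxed)" } } }
)

function Get-SecureDefaultReport {
    # One result object per (domain controller, setting) pair.
    foreach ($dc in $DomainControllers) {
        foreach ($c in $Checks) {
            $raw = Get-RemoteRegistryValue -Computer $dc -SubKey $c.SubKey -ValueName $c.ValueName
            New-Object PSObject -Property @{
                Computer = $dc
                Setting  = $c.Row
                RawValue = $raw
                Meaning  = & $c.Meaning $raw
            }
        }
    }
}

Get-SecureDefaultReport | Format-Table Computer, Setting, RawValue, Meaning -AutoSize
```

A value of $null means the setting has never been written on that computer, so the operating system default from the table is in force; any explicit value is evidence that an administrator or Group Policy changed it, and the line "ALLOWED (relaxed)" is the one to investigate before the upgrade.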

Virtualized domain controllers on Hyper-V™, VMware, and other virtualization software

Regardless of the virtual host software product that you are using, read Running Domain Controllers in Hyper-V (http://go.microsoft.com/fwlink/?LinkID=139651) for special requirements related to running virtualized domain controllers. Specific requirements include the following:

  • Do not stop or pause domain controllers.

  • Do not restore snapshots of domain controller role computers. This action causes an update sequence number (USN) rollback that can result in permanent inconsistencies between domain controller databases.

  • All physical-to-virtual (P2V) conversions for domain controller role computers should be done in offline mode. System Center Virtual Machine Manager enforces this for Hyper-V. For information about other virtualization software, see the vendor documentation.

  • Configure virtualized domain controllers to synchronize with a time source in accordance with the recommendations for your hosting software.

  • For more considerations about running domain controllers in virtual machines, see article 888794 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=141292).

Administration, remote administration, and cross-version administration

The following changes have been made to local and remote administration tools for the Windows Server 2008 and Windows Server 2008 R2 operating systems.

  • The installation of a server role, such as Active Directory Domain Services, by Server Manager also locally installs all GUI and command-line tools that you can use to administer that role. To install tools locally to manage other server roles, click Add Features in Server Manager.

  • The GUI and command-line tools that were formerly in the Administrative Tools Pack (ADMINPACK.MSI), Support Tools (SUPPTOOLS.MSI), and Resource Kit tools have been consolidated into a single collection called Remote Server Administration Tools (RSAT).

  • As 64-bit hardware and operating systems became more popular, x86-based (32-bit) and x64-based (64-bit) versions of administration tools were released. See the following table for more information.

  • Additional steps are required to make the administration tools that RSAT installs appear in the Start menu of Windows Vista computers. For these additional steps, see the procedure that follows the table.

As a general rule, the administrative tools only install and run correctly on the operating system versions with which they were released. For example, the Windows Server 2008 administration tools install and run only on Windows Vista client computers and Windows Server 2008 server computers.

Administration tools whose files are copied from the server operating system disk will generally not execute on the corresponding client operating system and are not supported. For example, tools that are copied from the Windows Server 2008 operating system disk to Windows Vista will not work.

 

To manage Windows Server 2008 from Windows Vista

For any overview, interoperability details, and known RSAT issues, review article 941314 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=116179).

For x86-based Windows Vista computers, install Microsoft Remote Server Administration Tools for Windows Vista. For x64-based Windows Vista computers, install Microsoft Server Administration Tools for Windows Vista for x64-based Systems.

To resolve a delay in the Group Policy Management Console (GPMC), install the hotfix in article 959438 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164620).

To add support for Windows Server 2008 Group Policy preferences client-side extensions on Windows Vista clients, review article 943729 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164591).

To install x86-based or x64-based versions of the Windows Vista Management Tools update for the release version of Hyper-V, see article 952627 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=129913).

To manage Windows Server 2008 locally

Installing server roles installs corresponding command line and GUI administration tools.

For an overview, interoperability details, and known RSAT issues, review article 941314 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=116179).

To resolve a delay in Group Policy Management Console (GPMC), install the hotfix in article 959438 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164620).

To manage Windows Server 2008 R2 from Windows 7

Use the Remote Server Administration Tools for Windows 7 (http://go.microsoft.com/fwlink/?LinkID=153874). Remove the RSAT for the Release Candidate (RC) version of Windows 7 before you install the final version. For more information about administering other versions of Windows Server, see article 304718 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=106490).

To manage Windows Server 2008 R2 locally

Installing server roles through Server Manager installs corresponding command-line and GUI administration tools.

You can install the RSAT by using Add Features in Server Manager or from the command line.

To display the administration tools on the Start menu
  1. Right-click Start, and then click Properties.

  2. On the Start Menu tab, click Customize.

  3. In the Customize Start Menu dialog box, scroll down to System administrative tools, and then click Display on the All Programs menu and the Start menu.

  4. Click OK.

For more information, see Installing Remote Server Administration Tools (http://go.microsoft.com/fwlink/?LinkID=153624).

Cross-version support, the ability to administer a computer running an older or newer operating system, varies from operating system version to operating system version and even from tool to tool. Although older versions of administrative tools are never tested against servers that run newer versions of Windows, features that are common to older operating systems and new remote computers can generally be administered successfully.

Functionality that is introduced in newer versions of Windows Server cannot be administered from older versions of Windows or older versions of administrative tools. In some cases, protocols changed between operating system versions, requiring some tools to be retired in newer releases of the administration tool set.

The most seamless administrative experience occurs when you perform administrative tasks from a computer that is running the same operating system family as the computer that you administer remotely.

Group Policy settings that are introduced in each version of Windows are generally exposed only by computers running the same set of Windows operating systems or newer versions. For example, a computer running Windows Vista or Windows Server 2008 is required to configure Group Policy settings that were introduced in Windows Server 2008.

If the right combination of clients, tools, and servers is not available, use Remote Desktop Services or Terminal Services to perform administrative tasks.

Known issues for using remote administration tools

This table explains known issues for various server role management tools.

 

DNS

  • The Windows Server 2008 versions of Dnscmd and Dnsmgmt.MSC are required for managing Windows Server 2008 R2 DNS servers.

  • Setting forwarders on Windows Server 2008 DNS servers from Windows Vista client computers fails.

  • Selecting the Use root hints if no forwarders are available check box enables the opposite behavior.

  • Reverse lookup zones lose UI hints when they are viewed in Windows Server 2008 DNS Manager.

AD DS

  • The Active Directory Administrative Center (Dsac.exe) requires Active Directory Web Services (ADWS) to be running on at least one domain controller in each domain that you want to manage. Restated, ADWS must be running on each domain controller that you want to manage using the Active Directory Administrative Center. ADWS is installed with the installation of the AD DS or Active Directory Lightweight Directory Services (AD LDS) roles. For Windows Server 2003 and Windows Server 2008, see Active Directory Management Gateway Service (Active Directory Web Service for Windows Server 2003 and Windows Server 2008) (http://go.microsoft.com/fwlink/?LinkID=164543). ADWS listens on nonconfigurable port 9389 for incoming requests.

  • The Windows Server 2008 R2 Active Directory Administrative Center displays the error message “cannot find an available server” if a computer with ADWS cannot be found or contacted.

  • The list servers in site operation of the Windows Server 2008 and Windows Server 2008 R2 ntdsutil metadata cleanup command fails if it is focused on Windows Server 2003 target domain controllers.
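When the Active Directory Administrative Center reports "cannot find an available server", the two things worth checking are whether ADWS is actually running on the domain controllers and whether port 9389 is reachable from the administrative workstation. The following script is an added example (not Microsoft's code) that enumerates the domain controllers of the current domain and checks both. It assumes Windows PowerShell 2.0 on a domain-joined computer whose account can query services remotely; the service name 'ADWS' for Active Directory Web Services and the 3-second timeout are this example's assumptions.

```powershell
# Added example (not Microsoft's code): check which domain controllers in the current
# domain can answer the Active Directory Administrative Center, by confirming that the
# ADWS service is running and that TCP port 9389 accepts a connection.
# Assumes Windows PowerShell 2.0; the service name 'ADWS' is this example's assumption.

$Port = 9389            # fixed ADWS listener port named in the topic
$TimeoutMs = 3000       # connection timeout; constructed value

function Test-TcpPort {
    param([string]$HostName, [int]$PortNumber, [int]$Timeout)
    # Open a TCP connection with a timeout, report success or failure, then close it.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $PortNumber, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)     # throws if the connection was refused
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-AdwsStatus {
    # One result object per domain controller in the current domain.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        $svc = Get-Service -ComputerName $dc.Name -Name 'ADWS' -ErrorAction SilentlyContinue
        $state = if ($svc) { $svc.Status.ToString() } else { 'not installed / unreachable' }
        New-Object PSObject -Property @{
            DomainController = $dc.Name
            AdwsService      = $state
            Port9389Open     = Test-TcpPort -HostName $dc.Name -PortNumber $Port -Timeout $TimeoutMs
        }
    }
}

# Domain controllers with a running service and an open port can serve Dsac.exe; any
# other line explains a "cannot find an available server" message.
Get-AdwsStatus | Format-Table DomainController, AdwsService, Port9389Open -AutoSize
```

A running service with a closed port points at a host firewall or network filter between the workstation and the domain controller; a Windows Server 2003 or Windows Server 2008 domain controller with no service at all needs the Active Directory Management Gateway Service linked above.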

Configuring the Windows Time service for Windows Server 2008 and Windows Server 2008 R2

Make sure that you have the following domain controller roles configured properly to synchronize the Windows Time service (W32time):

  • Forest-root primary domain controller (PDC) on a physical computer. See Configure the Windows Time service on the PDC emulator (http://go.microsoft.com/fwlink/?LinkId=91969).

  • Non-forest-root domain controller on a physical computer

  • Domain controller on Hyper-V

  • Domain controller on VMware

  • Hyper-V host

  • VMware host

Add time-rollback protection on Windows Server 2003 domain controllers by using Group Policy, making sure that you have the policy detail fixes in place before you do.

Known issues for upgrades to Windows Server 2008 and Windows Server 2008 R2

Read the following release notes for more information about specific issues that can affect these versions of Windows Server:

Release notes for Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=99299)

Release notes for Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=139330)

Installing recommended hotfixes, running Adprep, and upgrading domain controllers

This section describes the following issues for the upgrade process:

Verifications you can make and recommended hotfixes you can install before you begin

  1. All domain controllers in the forest should meet the following conditions:

    1. Be online.

    2. Be healthy (Run dcdiag /v to see if there are any problems.)

    3. Have successfully inbound-replicated and outbound-replicated all locally held Active Directory partitions (repadmin /showrepl * /csv viewed in Excel). For more information, see “CSV Format” in Repadmin Requirements, Syntax, and Parameter Descriptions (http://go.microsoft.com/fwlink/?LinkID=147380).

    4. Have successfully inbound-replicated and outbound-replicated SYSVOL.

    5. Metadata for stale or nonexistent domain controllers, or domain controllers that cannot be made to replicate, should be removed from their respective domains. For more information, see Cleaning metadata of removed writable domain controllers in Appendix A: Forest Recovery Procedures (http://go.microsoft.com/fwlink/?LinkID=164553).

    6. All domains must be at the Windows 2000 native functional level or higher to run adprep /domainprep. Windows NT 4.0 domain controllers are not permitted in this functional level.

    7. Have sufficient free disk space to accommodate the upgrade.

      For more information about disk-space requirements for Windows Server 2008 and Windows Server 2008 R2, see System requirements for installing Windows Server 2008 and Windows Server 2008 R2. The task for administrators is to accurately forecast the immediate and long-term growth for Ntds.dit files on Windows Server 2008 and Windows Server 2008 R2 domain controllers so that hard drives and partitions that host Active Directory files can be sized properly on physical and virtual domain controllers.

  2. Check for incompatibilities with secure defaults in Windows Server 2008 and Windows Server 2008 R2. For more information, see Secure default settings in Windows Server 2008 and Windows Server 2008 R2.

  3. Download the latest service pack and relevant hotfixes that apply to your Active Directory forest before you deploy Windows Server 2008 or Windows Server 2008 R2 domain controllers.

    1. For upgrades to either Windows Server 2008 or Windows Server 2008 R2, create integrated installation media (“slipstream”) by adding the latest service pack and hotfixes for your operating system. As of September 2009, the latest service pack for Windows Server 2008 is Service Pack 2 (SP2). For information about obtaining the latest service pack, see article 968849 in the Microsoft Knowledge base (http://go.microsoft.com/fwlink/?LinkId=164585) and see Installing Windows Server 2008 with Service Pack 2 (http://go.microsoft.com/fwlink/?LinkId=164586). Windows Server 2008 R2 includes updates from Windows Server 2008 SP2. To make sure that you have all of the latest updates, see Windows Update (http://go.microsoft.com/fwlink/?LinkID=47290) or see article 968849 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164585) for download information.

      1. If you are deploying RODCs, review article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974). Download and install the hotfixes on the Windows computers and scenarios that apply to your computing environment.

      2. For Windows Server 2008 R2: If Active Directory Management Tool (ADMT) 3.1 is installed on Windows Server 2008 computers that are being upgraded in-place to Windows Server 2008 R2, remove ADMT 3.1 before the upgrade; otherwise, it cannot be uninstalled. In addition, ADMT 3.1 cannot be installed on Windows Server 2008 R2 computers.



      3. The following table lists hotfixes for Windows Server 2008. You can install a hotfix individually, or you can install the service pack that includes it.

         Description | Microsoft Knowledge Base article | Service pack
         Domain controllers that are configured to use the Japanese language locale | 949189 (http://go.microsoft.com/fwlink/?LinkId=164588) | Windows Server 2008 SP2
         EFS file access encrypted on a Windows Server 2003 file server upgraded to Windows Server 2008 | 948690 (http://go.microsoft.com/fwlink/?LinkID=106115) | Not included in any Windows Server 2008 Service Pack
         Records on Windows Server 2008 secondary DNS server are deleted following zone transfer | 953317 (http://go.microsoft.com/fwlink/?LinkId=164590) | Windows Server 2008 SP2
         Use root hints if no forwarders are available | 2001154 (http://go.microsoft.com/fwlink/?LinkId=165959) |
         Setting Locale info in GPP causes Event Log and dependent services to fail | 951430 (http://go.microsoft.com/fwlink/?LinkId=165960) | To be included in Windows Server 2008 SP3
         GPMC Filter fix | [KB article in progress] | Windows Server 2008 SP2
         If you use devolution to resolve DNS names (instead of suffix search list), apply the DNS devolution hotfix. | [KB article in progress] | Windows Server 2008 SP2
         Group Policy Preferences rerelease | 943729 (http://go.microsoft.com/fwlink/?LinkId=164591), 974266 (http://go.microsoft.com/fwlink/?LinkID=165035) | Windows Server 2008 SP2

         The following table lists hotfixes for Windows Server 2008 R2.

         Description | Microsoft Knowledge Base article | Comment
         Windows Server 2008 R2 Dynamic DNS updates to BIND servers log NETLOGON event 5774 with error status 9502 | [KB article in progress] | [The article will include a hotfix.]
         Event ID 1202 logged with status 0x534 if security policy modified | 2000705 (http://go.microsoft.com/fwlink/?LinkId=165961) | Hotfix is in progress. Also scheduled for Windows Server 2008 R2 SP1.
         TimeZoneKeyName registry entry name is corrupt on 64-bit upgrades | [KB article in progress] | Occurs only on x64-based server upgrades in Dynamic DST time zones. To see if your servers are affected, click the taskbar clock. If the clock fly-out indicates a time zone problem, click the link to open the date and time control panel.
         Deploying the first Windows Server 2008 R2 domain controller in an existing Active Directory forest may temporarily halt Active Directory replication to strict-mode destination domain controllers. | [KB article in progress] |
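The verification list at the start of this section (every domain controller online and healthy, replication succeeding for every partition, enough free disk space for Ntds.dit and its logs) is what an administrator runs through before touching Adprep. The following script is an added example, not part of the Microsoft topic, that automates three of those checks: it parses the CSV output of repadmin /showrepl * /csv for links with failures, collects the "failed test" lines from dcdiag, and measures free space on the volumes that hold the database and log files. It assumes Windows PowerShell 2.0 on a domain controller (repadmin.exe, dcdiag.exe and the NTDS registry values are present there), and the 10 GB threshold is a constructed figure. SYSVOL replication and metadata cleanup of stale domain controllers remain manual checks.

```powershell
# Added example (not part of the Microsoft topic): pre-upgrade health check covering
# replication failures (repadmin CSV), dcdiag failures, and free space on the NTDS
# database and log partitions. Assumes Windows PowerShell 2.0 on a domain controller.

# Minimum free space to demand on the database and log partitions. The figure is this
# example's assumption; size it from your own Ntds.dit growth forecast as discussed above.
$MinFreeGB = 10

function Get-ReplicationFailures {
    # Every inbound replication link in the forest with at least one recorded failure.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { (($_.'Number of Failures') -as [int]) -gt 0 }
}

function Get-DcdiagFailures {
    # Lines of the form "......... DC1 failed test Replications" for all domain
    # controllers in the enterprise (/e); drop /e to test only the local server.
    dcdiag /v /e | Select-String -Pattern 'failed test' | ForEach-Object { $_.Line.Trim() }
}

function Get-NtdsPartitionSpace {
    # Free space on the volumes named by the NTDS database and log path registry values.
    $ntds  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $paths = @($ntds.'DSA Database file', $ntds.'Database log files path')
    foreach ($path in $paths) {
        $drive = [System.IO.Path]::GetPathRoot($path).TrimEnd('\')     # "C:\" -> "C:"
        $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
        $free  = [math]::Round($disk.FreeSpace / 1GB, 1)
        New-Object PSObject -Property @{
            Path       = $path
            FreeGB     = $free
            Sufficient = ($free -ge $MinFreeGB)
        }
    }
}

# Report: anything listed here should be fixed before Adprep or the in-place upgrade starts.
$repl = @(Get-ReplicationFailures)
if ($repl.Count -eq 0) { 'Replication: no inbound link reports failures' }
else { $repl | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status' -AutoSize }

$diag = @(Get-DcdiagFailures)
if ($diag.Count -eq 0) { 'Dcdiag: no failed tests' } else { $diag }

Get-NtdsPartitionSpace | Format-Table Path, FreeGB, Sufficient -AutoSize
```

The replication table is the same data the topic suggests viewing in Excel, reduced to the rows that matter; a domain controller that appears there as a source with every destination failing is a candidate for the metadata cleanup step rather than for an upgrade.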

Run Adprep commands

This section describes how to run the following adprep commands.

If you encounter errors when you run an Adprep command, see Adprep errors.

Add schema changes using adprep /forestprep

  1. Identify the domain controller that holds the schema operations master role (also known as flexible single master operations or FSMO role) and verify that it has inbound-replicated the schema partition since startup:

    1. Run the dcdiag /test:knowsofroleholders command. If the schema role is assigned to a domain controller with a deleted NTDS settings object, follow the steps in article 255504 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=70776) to seize the role to a live domain controller in the forest root domain.

    2. Log on to the schema operations master with an account that has Enterprise Admins, Schema Admins, and Domain Admins credentials in the forest root domain. By default, the built-in administrator account in a forest root domain has these credentials.

    3. On the schema master, run the repadmin /showreps command. If the schema master has inbound-replicated the schema partition since startup, continue to the next step. Otherwise, use the Replicate Now command in Dssite.msc to trigger inbound replication of the schema partition to the schema master (see Force replication over a connection (http://go.microsoft.com/fwlink/?LinkId=164634)). You can also use the repadmin /replicate <name of schema master> <GUID of replication partner> command. The showreps command returns the globally unique identifier (GUID) of all replication partners of the schema master.

  2. Locate the correct version of Adprep for your upgrade:

    • The Windows Server 2008 installation media contain one version of adprep, Adprep.exe, in the \sources\adprep folder of the Windows Server 2008 installation disk, that runs on both x86-based and x64-based operations masters.

    • Windows Server 2008 R2 installation media contain both x86-based (Adprep32.exe) and x64-based (Adprep.exe) versions of adprep in the \support\adprep folder of the Windows Server 2008 R2 installation disk.

    • Windows Server 2008 and Windows Server 2008 R2 schema updates can be added directly to forests with Windows 2000 Server, Windows Server 2003, or Windows Server 2008 schema versions.

    • If you copy Adprep.exe from the installation media to a local computer or a network share, copy the entire adprep folder and provide the full path to the Adprep.exe file.

  3. Update the forest schema with adprep /forestprep.

    While you are still logged on to the console of the schema master with an account that has Enterprise Admins, Schema Admin, and Domain Admin credentials, run the appropriate version of adprep /forestprep from the Windows Server 2008 or Windows Server 2008 R2 installation media. Specify the full path to Adprep.exe to prevent running another version of Adprep that may be present in the PATH environment variable.

    For example, if you are running the Windows Server 2008 version of Adprep from a DVD drive or network path that is assigned the drive letter D:, the command to run is as follows:

    D:\sources\adprep\adprep /forestprep
    
    The syntax for running Windows Server 2008 R2 Adprep on a 64-bit schema master is as follows:

    <dvd drive letter>:\support\adprep\adprep /forestprep
    
    The syntax for running Windows Server 2008 R2 Adprep on a 32-bit, x86-based schema master is as follows:

    D:\support\adprep\adprep32 /forestprep
    
    For a list of operations that Windows Server 2008 adprep /forestprep performs, see Windows Server 2008: Forest-Wide Updates (http://go.microsoft.com/fwlink/?LinkId=164636).

    For a list of operations that Windows Server 2008 R2 adprep /forestprep performs, see Windows Server 2008 R2: Forest-Wide Updates (http://go.microsoft.com/fwlink/?LinkId=164637).

If you encounter errors, see “Forestprep errors” later in this topic.

If you are deploying RODCs, run adprep /rodcprep

Run Windows Server 2008 R2 adprep /rodcprep in a forest that has already been prepared with Windows Server 2008 adprep /rodcprep. Proceed to adprep /domainprep.

If you are deploying RODCs for the first time:

While still logged on with Enterprise Admins credentials on the schema master, run adprep /rodcprep.

Note
Rodcprep will run on any member computer or domain controller in the forest if you are logged on with Enterprise Admin credentials. You can run adprep /rodcprep before or after adprep /domainprep. We recommend running adprep /rodcprep on the schema master immediately after adprep /forestprep as a matter of convenience because that operation also requires Enterprise Admins credentials.

For Windows Server 2008 Rodcprep, specify the full path to Adprep. For example, if the DVD or network path is assigned drive D:, run the following command:

D:\sources\adprep\adprep /rodcprep

For Windows Server 2008 R2:

  1. If the computer where you run Rodcprep is a 64-bit computer, run the following command:

    D:\support\adprep\adprep /rodcprep
    
  2. If the computer where you run Rodcprep is a 32-bit computer, run the following command:

    D:\support\adprep\adprep32 /rodcprep
    

If you encounter errors, see “Rodcprep errors” later in this topic.

Run adprep /domainprep /gpprep

For each domain that you intend to add Windows Server 2008 or Windows Server 2008 R2 domain controllers to:

  1. Run netdom query fsmo or dcdiag /test:<name of FSMO test> to identify the infrastructure operations master.

  2. If operations master roles are assigned to deleted or offline domain controllers, transfer or seize the roles as required.

  3. Log on to the infrastructure master with an account that has Domain Admins credentials.

  4. Run Windows Server 2008 adprep /domainprep /gpprep from the Windows Server 2008 operating system disk using the following syntax:

    Note
    You do not have to add the /gpprep parameter in the following command if you already ran it for Windows Server 2003.

    <drive>:\<path>\adprep /domainprep /gpprep
    
    For example, if the DVD or network path is assigned drive D, use the following syntax:

    D:\sources\adprep\adprep /domainprep /gpprep
    
    For Windows Server 2008 R2:

    If the infrastructure master is 64-bit, use the following syntax:

    D:\support\adprep\adprep /domainprep /gpprep
    
    If the infrastructure master is 32-bit, use the following syntax:

    D:\support\adprep\adprep32 /domainprep /gpprep
    
    If you encounter errors, see “Domainprep errors” later in this topic.
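Before you start Dcpromo, confirm that the forestprep, rodcprep and domainprep changes have actually replicated to the domain controller that Dcpromo will use as its helper; the "you must first prepare the forest/domain" errors listed under Dcpromo errors later in this topic are almost always a replication lag of exactly these markers. The following PowerShell script is an added example and is not part of the original topic or of the Adprep tool. It reads the markers that adprep leaves behind from a domain controller you name, using plain ADSI so it runs from any domain-joined computer with PowerShell 2.0 or later. The schema objectVersion values (44 for Windows Server 2008, 47 for Windows Server 2008 R2) and the revision values on the ForestUpdates and DomainUpdates marker objects are the values Microsoft documents for these releases; the script's parameter names, output shape and "Ready" logic are the author's own.

```powershell
# Added example, not part of the TechNet topic: confirm that the adprep
# /forestprep, /rodcprep and /domainprep markers have replicated to a given DC.
# Run from any domain-joined computer (PowerShell 2.0 or later, no AD module needed).
param(
    # DC to read from. Point this at the helper DC that Dcpromo will use.
    [string]$Server = $env:LOGONSERVER.TrimStart('\'),
    # Release the forest and domain are being prepared for.
    [ValidateSet('2008', '2008R2')]
    [string]$Target = '2008R2'
)

# Documented marker values per release: objectVersion on the schema head and the
# revision attribute on the ForestUpdates / DomainUpdates marker objects.
$expected = @{
    '2008'   = @{ Schema = 44; Forest = 2; Rodc = 2; Domain = 3 }
    '2008R2' = @{ Schema = 47; Forest = 5; Rodc = 2; Domain = 5 }
}

$rootDse  = [ADSI]"LDAP://$Server/RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext

function Get-MarkerValue([string]$dn, [string]$attribute) {
    # Returns $null when the marker object does not exist yet on this DC, which is
    # what you see before adprep has run or before its changes have replicated here.
    try {
        $obj = [ADSI]"LDAP://$Server/$dn"
        [int]$obj.Get($attribute)
    } catch {
        $null
    }
}

$checks = @(
    @{ Name = 'forestprep (schema objectVersion)';    Key = 'Schema'
       Dn = $schemaNC;                                                     Attr = 'objectVersion' },
    @{ Name = 'forestprep (ForestUpdates revision)';  Key = 'Forest'
       Dn = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC";         Attr = 'revision' },
    @{ Name = 'rodcprep (ForestUpdates revision)';    Key = 'Rodc'
       Dn = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC";     Attr = 'revision' },
    @{ Name = 'domainprep (DomainUpdates revision)';  Key = 'Domain'
       Dn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC"; Attr = 'revision' }
)

foreach ($c in $checks) {
    $actual = Get-MarkerValue $c.Dn $c.Attr
    $want   = $expected[$Target][$c.Key]
    New-Object PSObject -Property @{
        Check    = $c.Name
        Server   = $Server
        Actual   = $actual
        Expected = $want
        # Ready when the marker exists on this DC and is at least the target value.
        Ready    = ($actual -ne $null -and $actual -ge $want)
    } | Select-Object Check, Server, Actual, Expected, Ready
}
```

Run it once against the schema master right after adprep finishes and once against the intended helper domain controller; if a row reads Ready = False only on the helper, the change has not replicated yet, and repadmin /syncall (see the Forestprep errors section) is the next step rather than re-running adprep. The rodcprep row is informational unless you are deploying RODCs.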

Upgrade domain controllers

This section includes the following topics:

  • Background information about the in-place upgrade process

  • Upgrading and promoting new domain controllers into an existing domain

  • Post-installation tasks

Background information about the in-place upgrade process

When you upgrade existing domain controllers or promote new domain controllers into existing domains, consider the following:

  • Computers running Windows 2000 Server cannot be upgraded in place to Windows Server 2008 or Windows Server 2008 R2.

  • In-place upgrades from Windows Server 2003 or Windows Server 2003 R2 to Windows Server 2008 or Windows Server 2008 R2 are supported, with one exception: an x86-based operating system cannot be upgraded in place to an x64-based version of Windows Server 2008, and it cannot be upgraded in place to Windows Server 2008 R2 at all, because Windows Server 2008 R2 is available only for the x64 architecture.

  • A writeable domain controller cannot be upgraded to be an RODC. The reverse is also true.

  • A server that runs the full installation of Windows Server 2008 R2 cannot be upgraded to be a server that runs a Server Core installation of Windows Server 2008 R2. The reverse is also true.

  • For more information about supported and unsupported upgrades, see Windows Server 2008 R2 Upgrade Paths (http://go.microsoft.com/fwlink/?LinkID=154894).

  • Windows Server 2008 and Windows Server 2008 R2 both auto-install Internet Protocol version 6 (IPv6). Do not arbitrarily disable or remove IPv6.

  • To promote RODCs:

    • The adprep[32] /rodcprep command must have completed successfully.

    • The forest functional level must be Windows Server 2003 or higher.

    • A writable (or “full”) domain controller that runs Windows Server 2008 or Windows Server 2008 R2 must exist in the target domain.

Upgrading and promoting new domain controllers into an existing domain

Complete the following steps if you are performing either of these in-place upgrades:

  • Upgrading to Windows Server 2008 or Windows Server 2008 R2 from Windows Server 2003 domain controllers

  • Upgrading to Windows Server 2008 R2 from Windows Server 2008 or Windows Server 2003 domain controllers

  1. If you have the Japanese language locale installed on Windows Server 2003 domain controllers that are being upgraded in place to Windows Server 2008, read and comply with article 949189 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164588).

  2. If the Active Directory Migration Tool (ADMT) version 3.1 is installed on a Windows Server 2003 or Windows Server 2008 domain controller that is being upgraded to Windows Server 2008 R2, uninstall ADMT 3.1 before the upgrade.

  3. Run <dvd or network path>:\setup.exe.

  4. Read article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164558) and consider the right setting for the AllowNT4Crypto policy for your environment.

  5. If dcpromo.exe fails, see Dcpromo errors.

  6. If you have remotely encrypted Encrypting File System (EFS) files on Windows Server 2003 computers that are being upgraded in place to Windows Server 2008, read and comply with article 948690 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=106115). This problem does not apply to domain controllers that are upgraded to Windows Server 2008 R2.

  7. Consider installing the following fixes after the in-place upgrade unless they are integrated into your installation media:

    • If you are installing Windows Server 2008, install Service Pack 2 (SP2). Windows Server 2008 R2 includes Windows Server 2008 SP2 fixes.

    • If you are using Group Policy Preferences on Windows Vista or Windows Server 2008 computers, download the July 2009 update to article 943729 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164591).

    • Download the fix for a GPMC filter bug in article 949360 in the Microsoft Knowledge Base.

    • If you use devolution (as opposed to suffix search lists) to resolve DNS queries for single-label and non-fully-qualified DNS names, download the DNS devolution fix. See article 957579 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166140).

Complete the following steps if you are promoting Windows Server 2008 or Windows Server 2008 R2 writable domain controllers into existing Windows 2000 Server, Windows Server 2003 or Windows Server 2008 domains:

  1. Verify that the target domain is at the Windows 2000 native domain functional level or higher.

  2. If you are promoting Windows Server 2008 domain controllers that are configured to use the Japanese language, read and comply with article 949189 in the Microsoft Knowledge base (http://go.microsoft.com/fwlink/?LinkID=164588). The hotfix should be installed immediately after promotion and before the first boot into normal mode.

  3. From the Windows Start menu, run Dcpromo.exe (or install the Active Directory Domain Services Role in Server Manager, and then run Dcpromo).

  4. When the AllowNT4Crypto page appears, read article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164558) and consider the right setting for AllowNT4Crypto for your environment.

  5. If you encounter an error, see the list of Dcpromo errors at the end of this topic.

Do the following if you are promoting Windows Server 2008 RODCs into existing Windows Server 2003 domains, Windows Server 2008 domains, or domains that have a mix of those operating systems:

  1. If the option to install RODC is not available in Dcpromo, verify that the forest functional level is Windows Server 2003 or higher.

  2. If the option to install RODC is not available and the error message indicates that there is no Windows Server 2008 in the domain, verify that a Windows Server 2008 domain controller exists in the domain and that it is accessible on the network to the RODC that you are promoting.

  3. If an error message indicates that access is denied, see the Microsoft Knowledge Base.

Post-installation tasks

For all domain controllers:

  • Configure the forest root PDC with an external time source. For more information, see Configure the forest root PDC with an external time source (http://go.microsoft.com/fwlink/?LinkId=91969).

  • Enable delete protection (the Protect object from accidental deletion option) on organizational units (OUs) and other strategic containers to prevent accidental deletions.

  • Use only Active Directory–aware backup applications to restore domain controllers or roll back the contents of AD DS. Restoring snapshots that were created by imaging software is not supported on domain controllers, because it rolls back the update sequence numbers (USNs) that replication partners rely on and leaves the restored domain controller and its partners permanently out of sync.
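The first two post-installation tasks are easy to forget on a domain controller that was upgraded in place, because an in-place upgrade carries the old time configuration and the old OU attributes forward untouched. The following PowerShell script is an added example, not part of the original topic, and shows one way to carry them out on a Windows Server 2008 R2 domain controller that has the Active Directory module installed. The NTP peer list is an assumption standing in for your organization's approved external time source; the w32tm switches and the ProtectedFromAccidentalDeletion parameter are the real ones in Windows Server 2008 R2.

```powershell
# Added example, not part of the TechNet topic: post-installation tasks for a
# domain controller running Windows Server 2008 R2 with the Active Directory module.
Import-Module ActiveDirectory

# Assumed external time source; replace with your approved NTP servers.
# 0x8 = use client mode for the peer.
$ntpPeers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'

# 1. Time. Only the forest root PDC emulator syncs from an external source;
#    every other domain controller follows the domain hierarchy.
$rootPdc   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
$isRootPdc = (($rootPdc -split '\.')[0] -ieq $env:COMPUTERNAME)

if ($isRootPdc) {
    w32tm /config /manualpeerlist:"$ntpPeers" /syncfromflags:manual /reliable:yes /update
} else {
    w32tm /config /syncfromflags:domhier /update
}
w32tm /resync /rediscover
w32tm /query /source   # external peer on the root PDC, another DC everywhere else

# 2. Accidental-deletion protection on every OU and on the well-known containers.
$domainDn = (Get-ADDomain).DistinguishedName

Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

foreach ($cn in 'Users', 'Computers', 'System') {
    Set-ADObject -Identity "CN=$cn,$domainDn" -ProtectedFromAccidentalDeletion $true
}

# 3. Report anything still unprotected so it can be reviewed by hand.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName
```

Run the script on each domain controller after it has been upgraded or promoted; step 1 is idempotent and step 2 only touches objects that are not yet protected, so re-running it is harmless. Protecting an OU sets deny ACEs for Delete and Delete Subtree on the object, so a later deliberate removal requires clearing the flag first, which is the intended friction.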

Fixes to install after AD DS installation

After installation of AD DS, install the following hotfixes.

Note
It is impossible to provide an exhaustive list of hotfixes. The following is a list of fixes that are available in October 2009.

Hotfix                                    Windows Server 2008 SP1 (RTM)   Windows Server 2008 SP2   Windows Server 2008 R2

Article 949360: GPMC filter bug           Yes                             No                        No

Article 957579: DNS devolution fix        Yes                             Yes                       No

Article 943729: GPP rerelease             Yes                             Yes                       No

Article 949189: Japanese Language Locale  Yes                             No                        No

For RODCs:

  • If you are deploying RODCs, install the hotfix in article 953392 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=150337) on all Windows Server 2008 writable domain controllers. This fix is not required on Windows Server 2008 R2 writable domain controllers.

  • Read article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974), and install the corrective fixes on the Windows client and server computers that are affected by the scenarios that are listed in the Knowledge Base article.

Troubleshooting errors

This section describes errors in Adprep.exe and Dcpromo.exe. If you encounter an error that is not covered, search site:Microsoft.com for the quoted error description.

Adprep errors

These sections describe errors for the forestprep, domainprep, and rodcprep commands.

Forestprep errors

  • If an error message indicates that the schema operations master is assigned to a deleted domain controller, see the Microsoft Knowledge Base.

  • If the error message says “Adprep was unable to extend the schema” or “Adprep failed to verify whether the schema master has completed a replication cycle after last reboot,” verify that the schema master has inbound-replicated the schema partition since the reboot. See Force a replication event with all partners in Forcing Replication (http://go.microsoft.com/fwlink/?LinkId=164668), and run the repadmin /syncall command.

  • If the error message says “The callback function failed,” see Adprep was unable to complete because the call back function failed in Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkId=164669).

  • If the error message says “There is a schema conflict with Exchange 2000. The schema is not upgraded.”, see article 314649 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166190).

  • If the error message says ”An attribute with the same link identifier already exists,” see article 969307 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164670).

  • For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).

Domainprep errors
  1. If the error message says “Adprep detected that the domain is not in native mode,” see Raise the domain functional level (http://go.microsoft.com/fwlink/?LinkID=141249).

  2. If the error message indicates that the callback function failed, see Adprep was unable to complete because the call back function failed in Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=164669).

  3. For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).

Rodcprep errors
  1. If Rodcprep fails with the error message “Adprep could not contact a replica for partition <distinguished name for the forest-wide or domain-wide DNS application partition>” that is documented in article 949257 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=140285), run the Fixfsmo.vbs script in the same article, and then rerun Rodcprep until it runs successfully.

  2. For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).

Dcpromo errors

  1. If the upgrade rolls back without any onscreen error or recorded error in a debug log, verify that you have sufficient free disk space on the volumes that are hosting %systemdrive%, Ntds.dit, and SYSVOL.

  2. If an error message says “To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep"…”, verify that /forestprep has been run and that the helper domain controller has inbound-replicated the /forestprep changes. For more information, see Running adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

  3. If an error message says “To install a domain controller into this Active Directory domain, you must first prepare the domain using "adprep /domainprep"…”, verify that /domainprep has been run and that the helper domain controller has inbound-replicated the /domainprep changes. For more information, see Running adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

  4. If an error message says “the specified user already exists,” delete the stale machine account and verify that the helper domain controller has inbound-replicated that deletion. As an alternative, try another helper domain controller.

  5. If an error message says “You cannot install an additional domain controller at this time because the RID master <domain controller name> is offline.” or “You will not be able to install a writable domain controller at this time because the RID master <domain controller name> is offline. Do you want to continue?”, see the Microsoft Knowledge Base.

  6. If a warning indicates that there is no static IP address configured for an IPv6 address on a Windows Server 2008 domain controller, click Yes and complete the wizard.

  7. If the check box for installing the DNS Server role is unavailable, either the Active Directory domain has a single-label DNS name or Dcpromo.exe cannot discover another Microsoft DNS server in the domain.

  8. If you see the error message “A delegation for this DNS Server cannot be created because the authoritative parent zone cannot be found…,” see Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164418).

  9. If you see the error message “The DNS zone could not be created...," see the Microsoft Knowledge Base.

  10. If you see the logging event <unable to obtain local RID pool>, see the Microsoft Knowledge Base.

  11. If the system is unable to share SYSVOL, see the Microsoft Knowledge Base.

  12. If Dcpromo fails with an error message that says “Failed to modify the necessary properties for the machine account. Access is denied”, make sure that administrators are granted the Enable computer and user accounts to be trusted for delegation permission in Default Domain Controllers Policy and that the policy has been linked to the Domain Controllers OU. Also make sure that the helper domain controller’s machine account resides in the Domain Controllers OU and that it has successfully applied policy. For more information, see article 232070 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166198).
