Active Directory Upgrade


Stanley Lopez, Senior Premier Field Engineer

Upgrading Active Directory from 2003 – 2008 R2

Agenda

Introducing Windows Server 2008R2 into Active Directory

Windows Server 2008R2 Setup Requirements

Windows Server 2008R2 Upgrade Scenarios

Preparing Active Directory

DC Promo

3

New AD Features in Windows Server 2008R2

Server Versions

System Requirements

Full versus Core Installation

Upgrade Scenarios

Time Configuration Registry Changes

Well Known TCP / UDP Dynamic Port Changes

Kerberos Improvements

Implementing Windows Server 2008R2

4

The Active Directory Domain Services role in Windows Server 2008/2008R2 includes many new features that are not available in previous versions of Windows Server Active Directory:

Auditing Enhancements

Fine-Grain Password Policies

Read-Only Domain Controllers (RODC)

Restartable Active Directory Domain Services

Database Mounting Tool

DFSR Replication for SYSVOL

AES (Advanced Encryption Standard) support for Kerberos

User Interface Improvements

Preventing Accidental Deletion

Group Policy Changes (central store, admx, preferences)

ADLDS

New AD Features in Windows Server 2008R2

5

Windows Server 2008R2 Foundation

Available through OEMs only on selected single-processor servers, limited to 15 user accounts

Windows Server 2008R2 Standard

Provides most server roles / features and supports Server Core Installation

Windows Server 2008R2 Enterprise

Provides Failover Clustering and Active Directory Federation Services

Windows Server 2008R2 Datacenter

Additional memory and processors, and unlimited virtual image use rights

Windows 2008R2 Web Server

Provides Web / Application / DNS server functionality. Other server roles are not available.

Server Versions (only x64 available!)

6

500 MB for Active Directory transaction logs.

500 MB for the drive containing the SYSVOL share.

1.5 GB to 2 GB for the Windows Server 2008R2 operating system files

0.4 GB for every 1,000 users in the directory for the NTDS.dit drive

Add 50% of the recommended disk space for each additional domain

Additional storage for each application partition

Consider pagefile and dump files as well

Recommended reading:

Step D1: Determine Domain Controller Configuration

http://technet.microsoft.com/en-us/library/cc268214.aspx

Performance Tuning Guidelines for Windows Server 2008 R2

http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv-R2.mspx

Assess hardware requirements

http://technet.microsoft.com/en-us/library/cc753439(WS.10).aspx

How to reclaim space after applying Windows 7/2008 R2 Service Pack 1

http://blogs.technet.com/b/joscon/archive/2011/02/15/how-to-reclaim-space-after-applying-service-pack-1.aspx

Minimum Storage Requirements for DCs

7

A Windows Server Core installation provides an environment for running one or more of the following server roles:

Active Directory Domain Services (AD DS)

Active Directory Lightweight Directory Services (AD LDS)

Active Directory Certificate Services (ADCS)

Branch Cache Hosted Cache

Dynamic Host Configuration Protocol (DHCP) Server

Domain Name System (DNS) Server

Hyper-V

File server

Print Services

Windows Media Services

Web Services

Full versus Core Installation

8

Cross-platform upgrades (32-bit to 64-bit) are not supported

In-place upgrade from Windows 2000 is not supported

Upgrading existing OS to Server Core is not supported

Application compatibility issues:

Exchange Server Supportability Matrix (Supported AD environments)

http://technet.microsoft.com/en-us/library/ee338574.aspx

Supported Active Directory Environments by Office Communications Server Version

http://technet.microsoft.com/en-us/library/ee692314(office.13).aspx

Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 Application Compatibility Update through Dynamic Update: June 2010

http://support.microsoft.com/kb/982520/en-us

Application Considerations When Upgrading to Windows Server 2008

http://technet.microsoft.com/en-us/library/cc771576.aspx

Known Issues When Upgrading to Windows Server 2008

http://technet.microsoft.com/en-us/library/cc731003.aspx

Upgrade Scenarios

9

MaxPosPhaseCorrection (DWORD) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

The new default value for domain members and domain controllers is 172,800 (48 hours)

MaxNegPhaseCorrection (DWORD) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

The new default value for domain members and domain controllers is 172,800 (48 hours)

This is true for an OS clean install and for an in-place upgrade as well. Be aware of:

The Windows Time Group Policy has incorrect defaults after you enable the Windows Time Service Group Policy in Windows Server 2008 or Windows Vista Service Pack 1 (961027)

Time Configuration Registry Changes

10
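An added example, not part of the deck: a PowerShell 2.0-compatible check that reads the two W32Time values above from one or more domain controllers and compares them with the 48-hour (172,800 second) default quoted on the slide, so a DC that still carries a different or unlimited (0xFFFFFFFF) setting is visible before the upgrade. The registry path is the one on the slide; reading it remotely through the Remote Registry service and enumerating DC names with System.DirectoryServices are assumptions.

```powershell
# Added example (not part of the slide deck). Reads MaxPosPhaseCorrection and
# MaxNegPhaseCorrection on one or more DCs and compares them with the 2008 R2
# default of 172,800 seconds (48 hours). Assumes the Remote Registry service is
# running and the caller is a local administrator on each target.
$W32TimeConfigSubKey = 'SYSTEM\CurrentControlSet\Services\W32Time\Config'
$NewDefaultSeconds   = 172800

function Get-W32TimePhaseCorrection {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        $key  = $hive.OpenSubKey($W32TimeConfigSubKey)
        if ($key -eq $null) { Write-Warning "$computer : W32Time Config key not found"; continue }
        foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
            $raw = $key.GetValue($name)
            if ($raw -eq $null) {
                $seconds = $null
                $status  = 'not set (service default applies)'
            } else {
                # REG_DWORD comes back as Int32, so 0xFFFFFFFF reads as -1; reinterpret as unsigned
                $seconds = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$raw), 0)
                $status  = 'custom value'
                if ($seconds -eq [uint32]::MaxValue) { $status = 'unlimited: any time jump is accepted' }
                elseif ($seconds -eq $NewDefaultSeconds) { $status = 'matches 2008 R2 default (48 h)' }
            }
            New-Object PSObject -Property @{
                ComputerName = $computer
                Value        = $name
                Seconds      = $seconds
                Status       = $status
            }
        }
        $key.Close()
        $hive.Close()
    }
}

# Usage: check every DC in the current domain (DC discovery is an assumption)
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
       ForEach-Object { $_.Name }
Get-W32TimePhaseCorrection -ComputerName $dcs |
    Format-Table ComputerName, Value, Seconds, Status -AutoSize
```

A DC reporting "unlimited" will accept any clock jump from its time source, which is exactly the behaviour the new 48-hour bound removes; review such hosts before relying on the 2008 R2 defaults after an in-place upgrade.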

Windows Server 2008+ aligns port ranges with IANA standards

The default dynamic port range for TCP/IP has changed in Vista and 2008

http://support.microsoft.com/kb/929851

The default dynamic ports ranges are now:

Win2008+/Vista+: 49152 through 65535

Win2003: 1025 through 5000

To adjust dynamic ports:

netsh int <ipv4|ipv6> set dynamicportrange <tcp|udp> start=number num=range

Root domain connectivity needed

Logoff takes several minutes if there is no LDAP connectivity to the forest root domain

http://support.microsoft.com/default.aspx?scid=kb;EN-US;971198

Cannot install AD if the DNS and LDAP traffic to the forest root domain is blocked

http://support.microsoft.com/kb/975142/en-us

TCP / UDP Port Considerations

11
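An added example, not part of the deck: a pre-promotion connectivity check toward the forest root domain for the two protocols the slide names, DNS and LDAP, since blocked root-domain traffic stops AD installation and causes the slow logoffs described above. It is PowerShell 2.0-compatible and resolves the root domain name to its DC addresses; the forest name comes from the current forest and only TCP is probed (UDP 53 is not exercised), both of which are assumptions.

```powershell
# Added example (not part of the slide deck). Probes TCP 53 (DNS) and TCP 389
# (LDAP) on every address the forest root domain name resolves to. Assumes the
# root domain's A records point at its DCs (standard DC DNS registration).
# Dynamic RPC ranges from the slide, for firewall rules between sites:
#   Windows Server 2008+/Vista+: 49152-65535   Windows Server 2003: 1025-5000
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        # Bounded wait so a silently dropping firewall does not hang the check
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ForestRootConnectivity {
    param(
        [string]$ForestRootDns = ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name)
    )
    $addresses = [System.Net.Dns]::GetHostAddresses($ForestRootDns) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    if (-not $addresses) { Write-Warning "No IPv4 address for $ForestRootDns: DNS path to the root is already broken" }
    foreach ($addr in $addresses) {
        foreach ($svc in @( @{ Name = 'DNS'; Port = 53 }, @{ Name = 'LDAP'; Port = 389 } )) {
            New-Object PSObject -Property @{
                RootDc  = $addr.IPAddressToString
                Service = $svc.Name
                Port    = $svc.Port
                Open    = (Test-TcpPort -HostName $addr.IPAddressToString -Port $svc.Port)
            }
        }
    }
}

# Usage: run on the server that is about to be promoted in a child domain
Test-ForestRootConnectivity | Format-Table RootDc, Service, Port, Open -AutoSize
```

Any row with Open = False on a root DC that is reachable by ping points at a filtering device between the new DC and the forest root; fix that before running DCPROMO rather than after it fails.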

Changes in default encryption type cause security audit events 675 and 680 on Windows Server 2003 DCs

It is possible to start pre-authentication with RC4 by modifying the DefaultEncryptionType registry value to 0x17 hex (0x18 hex is AES).

http://blogs.technet.com/instan/archive/2009/10/12/changes-in-default-encryption-type-for-kerberos-pre-authentication-on-vista-and-windows-7-clients-cause-security-audit-events-675-and-680-on-windows-server-2003-dc-s.aspx

Kerberos changes (AES)

12

Other Known Issues

Topic | 2003 | 2008R2 | Comment

AllowNT4Crypto | N/A | Disabled | Third-party Server Message Block (SMB) clients may be incompatible with the secure default settings on Windows Server 2008 and Windows Server 2008 R2 domain controllers. Article 942564

DES | Enabled | Disabled | The security principals and the services that use only DES encryption for Kerberos authentication are incompatible with the default settings on a computer that is running Windows 7 or Windows Server 2008 R2. Article 977321, Article 978055

CBT/Extended Protection for Integrated Authentication | N/A | Enabled | See Microsoft Security Advisory (937811) and article 976918. Control Extended Protection for Authentication using Security Policy: http://blogs.technet.com/b/askds/archive/2009/12/10/control-extended-protection-for-authentication-using-security-policy.aspx

LMv2 | Enabled | Disabled | Computers that are running Windows 7 and Windows Server 2008 R2 may fail to be authenticated by non-Windows NTLM or Kerberos-based servers. Article 976918. You may experience one or more of the following symptoms:

    1. Windows clients that support channel binding fail to be authenticated by a non-Windows Kerberos server.

    2. NTLM authentication failures from Proxy servers.

    3. NTLM authentication failures from non-Windows NTLM servers.

    4. NTLM authentication failures when there is a time difference between the client and DC or workgroup server.

LMhash | Enabled | Disabled | If you add Windows Server 2008 as the domain controller to an existing domain by using the default domain policy, the NoLMHash policy of the existing domain controller is disabled. Additionally, the NoLMHash policy in Windows Server 2008 is enabled. Article 946405

Signing required | No | Yes | Domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require (by default) that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. http://technet.microsoft.com/en-us/library/cc731654(WS.10).aspx

EDNS | N/A | N/A | Some DNS name queries are unsuccessful after you deploy a 2003 or 2008 R2-based DNS server. http://support.microsoft.com/kb/832223

PDC lockouts, lmcompat | ? | 3 | When you see massive account lockouts from transitive NTLM authentication, there is likely a mismatch of the LAN Manager authentication level between the clients and DCs in the path. http://blogs.technet.com/b/askds/archive/2011/02/22/i-moved-my-pdce-role-and-accounts-started-locking-out.aspx

Hotfix List | N/A | N/A | For a sample list with recommended hotfixes, see the askds blog or evaluate SP1 (recommended).

13
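An added example, not part of the deck, covering both the Kerberos (AES) slide and the "Other Known Issues" table: a PowerShell script that reads the LSA, Netlogon, SMB and Kerberos settings behind those rows on the local host and reports where they differ from the 2008 R2 defaults the table lists, so the 2003-to-2008 R2 delta is visible before clients start failing. The registry locations for NoLMHash, LmCompatibilityLevel, RequireSecuritySignature, RequireSignOrSeal, AllowNT4Crypto and SupportedEncryptionTypes are the standard ones for these policies; the location of DefaultEncryptionType under the Kerberos Parameters key is an assumption based on the blog post the Kerberos slide links to.

```powershell
# Added example (not part of the slide deck). Compares local security settings
# with the Windows Server 2008 R2 defaults from the "Other Known Issues" table.
# Run elevated. 'absent' means the value is normally not present and the OS
# default applies; on 2003 an absent LmCompatibilityLevel means 2, on 2008 R2 it means 3.
$Lsa       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$KerbParam = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'   # DefaultEncryptionType location assumed
$Netlogon  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$SrvParam  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$Checks = @(
    @{ Topic = 'LM hash storage';   Path = $Lsa;       Name = 'NoLMHash';                 Expected = 1;        Note = '1 = LM hashes are no longer stored (Article 946405)' },
    @{ Topic = 'LAN Manager auth';  Path = $Lsa;       Name = 'LmCompatibilityLevel';     Expected = 3;        Note = '3 = NTLMv2 only; a level mismatch along the path causes lockouts' },
    @{ Topic = 'SMB signing';       Path = $SrvParam;  Name = 'RequireSecuritySignature'; Expected = 1;        Note = '1 = SMB packet signing required' },
    @{ Topic = 'Secure channel';    Path = $Netlogon;  Name = 'RequireSignOrSeal';        Expected = 1;        Note = '1 = secure channel signing/sealing required' },
    @{ Topic = 'NT4 crypto';        Path = $Netlogon;  Name = 'AllowNT4Crypto';           Expected = 'absent'; Note = 'absent or 0 = legacy SMB clients rejected (Article 942564)' },
    @{ Topic = 'Kerberos etypes';   Path = $KerbParam; Name = 'SupportedEncryptionTypes'; Expected = 'absent'; Note = 'absent = DES off, RC4/AES on (Article 977321); bits 1 and 2 enable DES' },
    @{ Topic = 'Kerberos pre-auth'; Path = $KerbParam; Name = 'DefaultEncryptionType';    Expected = 'absent'; Note = 'absent = AES (0x18); 0x17 = RC4, as on the Kerberos slide' }
)

function Get-AuthHardeningDelta {
    foreach ($c in $Checks) {
        $actual = 'absent'
        $props  = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        if ($props -ne $null -and $props.PSObject.Properties[$c.Name] -ne $null) {
            $actual = $props.($c.Name)
        }
        # For 'absent' expectations, an explicit 0 is equivalent to the value being missing
        if ($c.Expected -eq 'absent') { $ok = ($actual -eq 'absent') -or ($actual -eq 0) }
        else                          { $ok = ($actual -eq $c.Expected) }
        New-Object PSObject -Property @{
            Topic          = $c.Topic
            Value          = $c.Name
            Actual         = $actual
            Expected2008R2 = $c.Expected
            Matches        = $ok
            Note           = $c.Note
        }
    }
}

# Usage: list the rows that differ from the 2008 R2 defaults, with the reason
Get-AuthHardeningDelta | Where-Object { -not $_.Matches } |
    Format-Table Topic, Value, Actual, Expected2008R2, Note -AutoSize
```

Run it on a 2003 DC to see which behaviours will flip when the first 2008 R2 DC arrives, and on a new 2008 R2 DC to confirm that nobody has re-enabled DES or LM hashes to work around a client problem that should be fixed on the client instead.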

Create a lab first!

Trigger garbage collection on all DCs

Locate Schema Master and disable outbound replication

Forestprep: Prepare an existing forest for a Windows Server 2008R2 DC

Domainprep: Prepare an existing domain for a Windows Server 2008R2 DC

Rodcprep: prepare an existing forest for Windows Server 2008R2 RODC

Verify adprep logs

Enable outbound replication

Note

Use adprep32 on 32-bit systems instead

Location of ADPREP debug logs has moved from %systemroot%\system32\debug to %systemroot%\debug\adprep

ADPREP error lists can be found at:

http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx#BKMK_AdprepErrors

http://blogs.technet.com/askds/archive/2008R2/12/15/troubleshooting-adprep-errors.aspx

Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains

http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(WS.10).aspx

For creating a lab see: Testing for Active Directory Schema Extension Conflicts

http://technet.microsoft.com/en-us/library/testing-for-active-directory-schema-extension-conflicts(WS.10).aspx

SP1 and Directory Services (added on 14-Jan 2011):

http://blogs.technet.com/b/askds/archive/2011/01/14/sp1-and-directory-services-what-s-new.aspx

Preparing AD Environment for Windows Server 2008R2

14
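An added example, not part of the deck, that walks the slide's preparation sequence as a PowerShell script: locate the Schema Master, trigger garbage collection on the DCs, disable outbound replication on the Schema Master, run forestprep and rodcprep, point at the domainprep step for each domain, inspect the adprep log, and re-enable outbound replication only if the log is clean. Assumptions: it runs elevated on the Schema Master with Schema Admins, Enterprise Admins and Domain Admins membership, the 2008 R2 media is mounted at the path in $Media, repadmin is in the PATH, and adprep writes its per-run log folder under %systemroot%\debug\adprep\logs.

```powershell
# Added example (not part of the slide deck). Orchestrates the adprep steps from
# the slide. Assumed: run elevated on the Schema Master; 2008 R2 media at $Media;
# repadmin available; log folder layout %systemroot%\debug\adprep\logs\<run>\ADPrep.log.
$Media = 'D:\support\adprep'

$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaMaster = $forest.SchemaRoleOwner.Name
if ($env:COMPUTERNAME -ne ($schemaMaster -split '\.')[0]) { throw "Run this on the Schema Master: $schemaMaster" }

# Slide note: 32-bit schema masters must use adprep32.exe from the same media
$adprep = if ([IntPtr]::Size -eq 8) { Join-Path $Media 'adprep.exe' } else { Join-Path $Media 'adprep32.exe' }

function Invoke-AdGarbageCollection([string]$Dc) {
    # RootDSE modify operation that forces an immediate garbage-collection pass on one DC
    $rootDse = [ADSI]"LDAP://$Dc/RootDSE"
    $rootDse.Put('DoGarbageCollection', 1)
    $rootDse.SetInfo()
}

function Get-AdprepLogErrors {
    # Returns the error/fail lines of the newest adprep run (empty = clean)
    $latest = Get-ChildItem "$env:SystemRoot\debug\adprep\logs" |
              Sort-Object LastWriteTime | Select-Object -Last 1
    $log = Join-Path $latest.FullName 'ADPrep.log'
    Write-Host "Checking $log"
    Get-Content $log | Select-String -Pattern 'error|fail' | ForEach-Object { $_.Line }
}

# 1. Garbage collection on every DC in the forest (needs admin rights on each)
$forest.Domains | ForEach-Object { $_.DomainControllers } |
    ForEach-Object { Write-Host "GC on $($_.Name)"; Invoke-AdGarbageCollection $_.Name }

# 2. Isolate the Schema Master: schema changes stay here until the log is verified
repadmin /options $schemaMaster '+DISABLE_OUTBOUND_REPL'

# 3. Forest-wide preparation (answer the confirmation prompt with C when asked)
& $adprep /forestprep
if ($LASTEXITCODE -ne 0) { Write-Warning "forestprep exit code $LASTEXITCODE" }

# 4. Domainprep runs on each domain's Infrastructure Master; print where to run it
foreach ($domain in $forest.Domains) {
    Write-Host ("domainprep for {0}: run '{1} /domainprep /gpprep' on {2}" -f `
        $domain.Name, $adprep, $domain.InfrastructureRoleOwner.Name)
}

# 5. RODC preparation (contacts the Infrastructure Master of every domain)
& $adprep /rodcprep
if ($LASTEXITCODE -ne 0) { Write-Warning "rodcprep exit code $LASTEXITCODE" }

# 6. Verify the log before letting the new schema replicate
$errors = @(Get-AdprepLogErrors)
if ($errors.Count -eq 0) {
    repadmin /options $schemaMaster '-DISABLE_OUTBOUND_REPL'
    Write-Host 'Log clean: outbound replication re-enabled on the Schema Master'
} else {
    $errors | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Errors found: outbound replication left disabled so the partial schema update does not spread'
}
```

Keeping outbound replication off until the log is verified is the whole point of the isolation step: a failed schema update then exists on one DC only, and that DC can be rebuilt instead of the change being replicated forest-wide.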

For the deployment of an RODC, the forest functional level (FFL) must be Windows Server 2003 or higher, so that linked-value replication is available

If the RODC will be a global catalog server, you must also run adprep /domainprep in all domains in the forest.

The first Windows Server 2008R2 domain controller in an existing Windows 2000, Windows Server 2003 or Windows Server 2008R2 domain cannot be created as an RODC

Be aware of KB 949257 (invalid fSMORoleOwner)

RODC Considerations with ADPREP

15

Determine the current version of the Active Directory schema by checking the value of the objectVersion attribute of the cn=schema,cn=configuration,dc=<root_domain> partition

Example:

dsquery * cn=schema,cn=configuration,dc=<root_domain> -scope base -attr objectVersion

Applications track schema changes differently; you need to query a different object for each application.

For example, Exchange:

dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=<root_domain> -scope base -attr rangeUpper

Identify Schema Version

16

Checking the value of the objectVersion attribute of the cn=schema,cn=configuration,dc=<root_domain> partition

Schema Versions

Operating System Schema Version

Windows 2000 Server 13

Windows Server 2003 30

Windows Server 2003 R2 31

Windows Server 2008 44

Windows Server 2008R2 47

17
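An added example, not part of the deck, covering the "Identify Schema Version" and "Schema Versions" slides: a PowerShell function that reads objectVersion from the schema partition the same way the dsquery line above does, maps it with the table on the slide, and also reads the Exchange marker (rangeUpper on ms-Exch-Schema-Version-Pt), handling the case where the Exchange object is absent. It uses serverless LDAP binding through [ADSI]; the optional server name parameter and the ReadyFor2008R2DC threshold of 47 (taken from the table) are the only additions beyond what the slides state.

```powershell
# Added example (not part of the slide deck). Reads the schema objectVersion and
# the Exchange schema marker and maps the result with the slide's table.
$SchemaVersionByOs = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008R2'
}

function Get-AdSchemaVersion {
    param([string]$Server = '')   # empty = serverless bind to the nearest DC
    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse  = [ADSI]($prefix + 'RootDSE')
    $schemaNc = [string]$rootDse.schemaNamingContext.Value      # cn=schema,cn=configuration,dc=<root_domain>
    $schema   = [ADSI]($prefix + $schemaNc)
    $version  = [int]$schema.objectVersion.Value

    # Exchange tracks its own schema level on a separate object; it may not exist
    $exchangePath    = $prefix + 'CN=ms-Exch-Schema-Version-Pt,' + $schemaNc
    $exchangeVersion = $null
    if ([ADSI]::Exists($exchangePath)) {
        $exchangeVersion = [int]([ADSI]$exchangePath).rangeUpper.Value
    }

    $osLevel = if ($SchemaVersionByOs.ContainsKey($version)) { $SchemaVersionByOs[$version] }
               else { 'not in the slide table (newer than 2008R2)' }

    New-Object PSObject -Property @{
        SchemaNC         = $schemaNc
        ObjectVersion    = $version
        OsLevel          = $osLevel
        ReadyFor2008R2DC = ($version -ge 47)   # forestprep for 2008R2 raises the version to 47
        ExchangeSchema   = $exchangeVersion    # $null when Exchange never extended the schema
    }
}

# Usage: against the nearest DC, or a named one to compare before/after forestprep
Get-AdSchemaVersion | Format-List
```

Querying a specific DC with -Server is useful right after forestprep while outbound replication on the Schema Master is still disabled: the Schema Master should already report 47 while the other DCs still show the old value.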

New Installation Options

DCPROMO Enhancements

Adding the DC Role using Server Manager

Unattended Installation Options

Global Catalog Options

DNS Options

Active Directory Installation

18

Pick Source Domain Controller

Pick Destination Site

DNS installed automatically (covered later in this module and in detail in the DNS module)

Optional Global Catalog install

Automatic reboot on completion

Installs GPMC by default.

New DCPROMO Installation Options

19
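An added example, not part of the deck, for the "Unattended Installation Options" and "New DCPROMO Installation Options" slides: a PowerShell script that builds a DCPROMO answer file for adding a 2008 R2 replica DC with the options the slide lists (source DC, destination site, DNS, optional global catalog) and runs dcpromo with it. The domain name, site, source DC, paths and account are placeholders. The deck mentions automatic reboot on completion; here RebootOnCompletion=No is used so the answer file, which contains the DSRM password, can be deleted before the restart, and the reboot is issued afterwards.

```powershell
# Added example (not part of the slide deck). Unattended replica DC promotion.
# All names, paths and the account are placeholders to replace for a real site.
# Password=* makes dcpromo prompt for the domain credential instead of storing it.
$AnswerFile = Join-Path $env:TEMP 'dcpromo-replica.txt'
$dsrm = Read-Host 'Directory Services Restore Mode password'

$answer = @"
[DCINSTALL]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.com
SiteName=Branch01
ReplicationSourceDC=dc01.corp.example.com
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath=D:\NTDS
LogPath=D:\NTDS
SYSVOLPath=E:\SYSVOL
SafeModeAdminPassword=$dsrm
UserDomain=corp.example.com
UserName=dcpromo-admin
Password=*
RebootOnCompletion=No
"@

Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII
try {
    dcpromo.exe /unattend:"$AnswerFile"
    $exit = $LASTEXITCODE
} finally {
    # The answer file holds the DSRM password: remove it before the server restarts
    Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
}

if ($exit -eq 0) {
    Write-Host 'Promotion finished; restarting to complete the DC role installation'
    Restart-Computer -Force
} else {
    Write-Warning "dcpromo exit code $exit; review %systemroot%\debug\dcpromo.log before restarting"
}
```

Keeping the NTDS database and logs on a separate volume from SYSVOL matches the sizing guidance earlier in the deck, and ConfirmGc=Yes is the unattended equivalent of the optional global catalog tick box in the DCPROMO wizard.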

Demo

Questions???