
Windows Server 2003 (DC) migration to Windows Server 2008


Shahid99


Hello All,

How are you? I need your help on this migration I'm doing on my Domain Controller, which is Windows Server 2003, to Windows Server 2008...

Well actually, I did the migration by following these steps:

http://computech.in/2011/08/step-by-step-guide-to-migrate-and-move-roles-from-server-2003-domain-to-server-2008-r2-domain/

However, when I got to the last step I didn't demote the DC, so a few hrs passed... all users couldn't access the network drives, and once they restarted their computers they couldn't log in:

Here is the prompt they were receiving:

"The local policy of this system does not permit you to logon"

The new server became the global catalog, so therefore everything got messed up (all because I didn't demote the DC (Windows Server 2003)).

I removed the second domain controller, took off Active Directory and deleted the server from sites and trust.

Now, I just reinstalled the new server again (new machine 2k8). If I want to follow the whole procedure again, will I be able to rerun adprep32 /forestprep? How can I rerun adprep? Please help me out!!!

Also, I didn't change the TCP/IP address from old DC to new DC.... (The new DC 2k8 was just added to the domain with a different IP; I thought once I am done with everything I will bring down the main DC (2k3) and assign that address to the new DC (2k8).)

Thank You!!!



"However, when I got to the last step I didn't demote the DC, so a few hrs passed... all users couldn't access the network drives, and once they restarted their computers they couldn't log in:"

I don't think it is required for you to demote the old DC. If it has no roles it can just sit there. Last time I did a migration I did this... however I left a role on the old DC because I got an error xfer it... and also put DNS on there. BUT my question is this (since you aren't too clear on this):

Were your users able to work properly during those few hours after the promo, but before they got the error?


Yes, users were able to work properly during those few hours after the promo... but then all of a sudden this happened....

Right now I'm trying to figure out how I can redo the whole process?

1. I can't run adprep32 /forestprep

This is the output:

C:\Documents and Settings\Administrator.VAKIFBANK-DC>cd \win2k8\support\adprep

C:\win2k8\support\adprep>adprep32 /forestprep

ADPREP WARNING:
Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.
[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
c
Forest-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.

C:\win2k8\support\adprep>adprep32 /domainprep
Running domainprep ...
Domain-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.

C:\win2k8\support\adprep>adprep32 /domainprep /gpprep
Running domainprep ...
Domain-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.
No Group Policy Object (GPO) updates needed, or GPO information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.

Oh fyi:

Schema Version IS (47)

System Schema Version (31)


Yes, my current domain controller doesn't have a CD drive, so therefore I downloaded the ISO for Win 2008 R2 and then extracted the content to C: Local drive\win2k8 (I created this folder), extracted everything in here...... so now the directory is "C:\win2k8\support\adprep"

Current domain functional level is: Windows Server 2003


Most likely when you first tried, the policies didn't replicate properly, as the default GPOs from 2008 are a lot more restrictive than the 2003 ones. Before stopping the 2003 or transferring the roles or even allowing it to authenticate users (using Active Directory Sites and Services), you need to be sure that everything is properly replicated on the new DC (login scripts/GPO = the whole SYSVOL). Also check that the 2008 DC policies, after it is a computer member, are set like the Windows 2003 DC.


Allen,

Right now the new server (Windows Server 2008 R2) has been added to the domain (member server),

so I can see the domain if I go to Administrative Tools\Active Directory Users and Computers.

I can see policies, users, workstations, authentications, etc....

NOTE: I DIDN'T ADD THE 2008 R2 server to an existing server by (dcpromo) yet!!!

I'm so lost!! Please kindly tell me briefly the next step for this migration.....

Once again: before, adprep32 ran successfully, but due to the problems which I stated above I had to reinstall Windows Server 2008 R2 from scratch.

I deleted Active Directory, DNS zone, CNAME, etc.

Right now on Windows Server 2003 (Domain Controller):

schema version REG_DWORD 0x000002f (47)

When I ran metadata cleanup this is the output:

metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=exampleny,DC=com ("exampleny" (up there I see my old domain controller)
select operation target: list servers in site
No active site list

.............................................................

I already removed the DNS zone, zone properties, and also for AD Sites and Services (I only see my domain controller there).

Now, pls, tell me what my next step should be (just to be on the safe side).

I appreciate it!


I would do the dcpromo on Windows 2008 R2 and set it as a DC without any roles and not GC; just add DNS server integration or do it manually (before if done manually), and create a dedicated site for the 2008 DC to disallow user authentication.

Then I would check if everything is still working properly for users and check if AD replications are working (should take one hour). Then check the policies on the 2008 DC and compare them with the Windows 2003 DC, as there might be a gap since policy models aren't stored in SYSVOL anymore.

Next step would be checking if the 2008 DC allows clients to log on as usual (still using Active Directory Sites and Services, and use a small subnet for the test clients).

Then set it as GC and then transfer roles with ntdsutil (of course, after each step check if there are side effects).

The usual problems are the policies, which you might need to recreate/reset entirely on the Windows 2008 R2 depending on the settings that were on the Windows 2003 DC, as compatibility isn't always there (and that was most likely the problem you already encountered).


If you set the 2008 DC in Active Directory Sites and Services in another subnet, by putting it in another site and setting this site to only allow authentication of clients of a subnet you don't use for production or don't use at all, then no client should be able to use the 2008 DC.
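
The replies above advise confirming that AD replication to the new 2008 R2 DC is working (allowing about an hour) before making it a GC or transferring roles. One way to script that gate in PowerShell, as an added example that is not from any poster in this thread: the DC names, timestamps and failure row are constructed, the domain is the one shown in the ntdsutil output, and the columns are those of `repadmin /showrepl * /csv`.

```powershell
# Constructed sample in the format of `repadmin /showrepl * /csv` (DC names are made up).
# On a live DC use:  $lines = repadmin /showrepl * /csv   and   $now = Get-Date
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC2008,"DC=exampleny,DC=com",Default-First-Site-Name,DC2003,RPC,0,0,2011-09-01 10:15:02,0
showrepl_INFO,Default-First-Site-Name,DC2008,"CN=Configuration,DC=exampleny,DC=com",Default-First-Site-Name,DC2003,RPC,0,0,2011-09-01 10:15:02,0
showrepl_INFO,Default-First-Site-Name,DC2008,"CN=Schema,CN=Configuration,DC=exampleny,DC=com",Default-First-Site-Name,DC2003,RPC,3,2011-09-01 10:15:03,2011-08-31 22:40:11,1722
'@
$lines = $sample -split '\r?\n'
$now   = [datetime]'2011-09-01 10:30:00'   # fixed so the sample result is repeatable

function Get-ReplicationProblem {
    param([string[]]$CsvLines, [datetime]$Now, [int]$MaxAgeMinutes = 60)
    $CsvLines | ConvertFrom-Csv |
      Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' } |
      ForEach-Object {
        $reasons = @()
        if ([int]$_.'Number of Failures' -gt 0) {
            $reasons += "failures=$($_.'Number of Failures'), status $($_.'Last Failure Status')"
        }
        # "0" means the link has never replicated; TryParse fails and the row is flagged
        $last = [datetime]::MinValue
        $parsed = [datetime]::TryParse($_.'Last Success Time', [ref]$last)
        if (-not $parsed -or ($Now - $last).TotalMinutes -gt $MaxAgeMinutes) {
            $reasons += "no success in the last $MaxAgeMinutes min"
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Source = $_.'Source DSA'; Destination = $_.'Destination DSA'
                NamingContext = $_.'Naming Context'; Problem = ($reasons -join '; ')
            }
        }
      }
}

# Gate: any flagged link means the new DC is not yet a safe authentication source.
$problems = @(Get-ReplicationProblem -CsvLines $lines -Now $now)
if ($problems.Count -gt 0) {
    $problems | Select-Object Source, Destination, NamingContext, Problem | Format-List
    Write-Warning 'Replication is not clean: hold off on GC promotion and FSMO role transfer.'
} else {
    'All inbound replication links succeeded within the window.'
}
```

With the constructed sample, only the Schema naming context is flagged, for both its failure count and its stale last success.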
