Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Upgrading Win 2K3 DC's to Win 2008
Upgrading Win 2K3 DC's to Win 2008 [message #360284] Tue, 05 January 2010 16:15 Go to next message
Bill N  is currently offline Bill N  United States
Messages: 14
Registered: September 2009
Junior Member
I have the need to upgrade all existing Win 2k3 domain controllers (3) to
Win 2008 DC. The reason is that W2K3 AD won't allow us to set password
policy to a policy group but to apply globally.

Our environment:

Exchange 2007 on W2K3 R2 - 64 bit
Sharepoint server MOSS 2007 on W2K8 R2 32-bit

All current DC's are on Wk3 Standard SP2

Please give me some idea how to accomplish this (unless there's a way to
apply password policy to a selected group instead of to all users).

Thanks

Bill
Re: Upgrading Win 2K3 DC's to Win 2008 [message #360301 is a reply to message #360284] Tue, 05 January 2010 16:28 Go to previous messageGo to next message
meiweb  is currently offline meiweb  Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Bill,

If i understand your environment correct the DCs are "only" DC and nothing
else is running on them, so you can follow this way to upgrade them, after
upgrade you have to rasie the functional levels to Windows server 2008 to
have the option to use the fine grained password policy which you like to:

!!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR DATA/MACHINE!!!

- On the old server open DNS management console and check that you are running
Active directory integrated zone (easier for replication, if you have more
then one DNS server)

- run replmon from the run line or repadmin /showrepl(only if more then one
DC exist), dcdiag and netdiag from the command prompt on the old machine
to check for errors, if you have some post the complete output from the command
here or solve them first. For this tools you have to install the support\tools\suptools.msi
from the 2003 installation disk.

- run adprep /forestprep and adprep /domainprep and adprep /rodcprep from
the 2008 installation disk against the 2003 schema master(forestprep) / infrastructure
master(domainprep/rodcprep), with an account that is member of the Schema/Enterprise/Domain
admins, to upgrade the schema to the new version (44) or 2008 R2 (47)

- you can check the schema version with "schupgr" or "dsquery * cn=schema,cn=configuration,dc=domainname,dc=local
-scope base -attr objectVersion" without the quotes in a command prompt

- Install the new machine as a member server in your existing domain

- configure a fixed ip and set the preferred DNS server to the old DNS server
only, think about disabling IPv6 if you are not using it, some known problems
exist with it. Follow ( http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/1 9/disabling-ipv6-on-windows-2008.aspx)
to disable it

- run dcpromo and follow the wizard to add the 2008 server to an existing
domain, make it also Global catalog and DNS server.

- for DNS give the server time for replication, at least 15 minutes. Because
you use Active directory integrated zones it will automatically replicate
the zones to the new server. Open DNS management console to check that they
appear

- if the new machine is domain controller and DNS server run again replmon,
dcdiag and netdiag (copy the netdiag from the 2003 to 2008, will work) on
both domain controllers

- Transfer, NOT seize the 5 FSMO roles to the new Domain controller (http://support.microsoft.com/kb/324801
applies also for 2008), FSMO should always be on the newest OS DC

- after transfer of the PDCEmulator role, configure the NEW PDCEmulator to
an external timesource and reconfigure the old PDCEmulator to use the domainhierarchie
now. Therefore run on the NEW "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual
/reliable:yes /update" where PEERS will be filled with the ip address or
server(time.windows.com) and on the OLD one run "w32tm /config /syncfromflags:domhier
/reliable:no /update" and stop/start the time service on the old one. All
commands run in an elevated command prompt without the quotes.

- you can see in the event viewer (Directory service) that the roles are
transferred, also give it some time

- reconfigure the DNS configuration on your NIC of the 2008 server, preferred
DNS itself, secondary the old one

- if you use DHCP do not forget to reconfigure the scope settings to point
to the new installed DNS server

- if needed export and import of DHCP database for 2008 choose "netshell
dhcp backup" and "netshell dhcp restore" command (http://technet.microsoft.com/en-us/library/cc772372.aspx)



Demoting the old DC

- reconfigure your clients/servers that they not longer point to the old
DC/DNS server on the NIC

- to be sure that everything runs fine, disconnect the old DC from the network
and check with clients and servers the connectivity, logon and also with
one client a restart to see that everything is ok

- then run dcpromo to demote the old DC, if it works fine the machine will
move from the DC's OU to the computers container, where you can delete it
by hand. Can be that you got an error during demoting at the beginning, then
uncheck the Global catalog on that DC and try again

- check the DNS management console, that all entries from the machine are
disappeared or delete them by hand if the machine is off the network for ever

- also you have to start AD sites and services and delete the old servername
under the site, this will not be done during demotion

Fine grained password policy:
http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I have the need to upgrade all existing Win 2k3 domain controllers (3)
> to Win 2008 DC. The reason is that W2K3 AD won't allow us to set
> password policy to a policy group but to apply globally.
>
> Our environment:
>
> Exchange 2007 on W2K3 R2 - 64 bit
> Sharepoint server MOSS 2007 on W2K8 R2 32-bit
> All current DC's are on Wk3 Standard SP2
>
> Please give me some idea how to accomplish this (unless there's a way
> to apply password policy to a selected group instead of to all users).
>
> Thanks
>
> Bill
>
Re: Upgrading Win 2K3 DC's to Win 2008 [message #360360 is a reply to message #360284] Tue, 05 January 2010 16:56 Go to previous messageGo to next message
Jorge Silva  is currently offline Jorge Silva  Portugal
Messages: 398
Registered: July 2009
Senior Member
Hi
check
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server
2008 R2 AD DS Domains
http://www.microsoft.com/downloads/details.aspx?displaylang= en&FamilyID=fa629de2-f4dd-47ac-8d80-3db46b2877a2


--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




"Bill N" <billn@jaco.com> wrote in message
news:u0ECA0ljKHA.1824@TK2MSFTNGP04.phx.gbl...
> I have the need to upgrade all existing Win 2k3 domain controllers (3) to
> Win 2008 DC. The reason is that W2K3 AD won't allow us to set password
> policy to a policy group but to apply globally.
>
> Our environment:
>
> Exchange 2007 on W2K3 R2 - 64 bit
> Sharepoint server MOSS 2007 on W2K8 R2 32-bit
>
> All current DC's are on Wk3 Standard SP2
>
> Please give me some idea how to accomplish this (unless there's a way to
> apply password policy to a selected group instead of to all users).
>
> Thanks
>
> Bill
>
Re: Upgrading Win 2K3 DC's to Win 2008 [message #360720 is a reply to message #360284] Wed, 06 January 2010 06:25 Go to previous messageGo to next message
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
Check out an article I have on upgrading your forest to 2008 at:
http://www.pbbergs.com/windows/articles.htm

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Bill N" <billn@jaco.com> wrote in message
news:u0ECA0ljKHA.1824@TK2MSFTNGP04.phx.gbl...
>I have the need to upgrade all existing Win 2k3 domain controllers (3) to
> Win 2008 DC. The reason is that W2K3 AD won't allow us to set password
> policy to a policy group but to apply globally.
>
> Our environment:
>
> Exchange 2007 on W2K3 R2 - 64 bit
> Sharepoint server MOSS 2007 on W2K8 R2 32-bit
>
> All current DC's are on Wk3 Standard SP2
>
> Please give me some idea how to accomplish this (unless there's a way to
> apply password policy to a selected group instead of to all users).
>
> Thanks
>
> Bill
>
password policy in Win 2K3 [message #360895 is a reply to message #360284] Wed, 06 January 2010 09:25 Go to previous messageGo to next message
Everett Wallace  is currently offline Everett Wallace  United States
Messages: 2
Registered: January 2010
Junior Member
Bill,

You asked if there waw a way to apply a password policy to a group instead of having the same policy for everyone. the answer is yes and no <g>. you can apply a different password policy to an OU, not a security group in Win 2K3 - this is just like any other Group Policy. So, you could get the effect you want by creating a new OU under the existing OU, putting the users in that OU, then linking the new password policy to that OU.

- Everett



Bill N wrote:

Upgrading Win 2K3 DC's to Win 2008
05-Jan-10

I have the need to upgrade all existing Win 2k3 domain controllers (3) to
Win 2008 DC. The reason is that W2K3 AD will not allow us to set password
policy to a policy group but to apply globally.

Our environment:

Exchange 2007 on W2K3 R2 - 64 bit
Sharepoint server MOSS 2007 on W2K8 R2 32-bit

All current DC's are on Wk3 Standard SP2

Please give me some idea how to accomplish this (unless there is a way to
apply password policy to a selected group instead of to all users).

Thanks

Bill

Previous Posts In This Thread:


Submitted via EggHeadCafe - Software Developer Portal of Choice
Dr. Dotnetsky's Holiday Vodka Mojito
http://www.eggheadcafe.com/tutorials/aspnet/a9844470-4cdb-4a f9-bb53-6f830e35c465/dr-dotnetskys-holiday-v.aspx
password policy in Win 2K3 [message #360896 is a reply to message #360284] Wed, 06 January 2010 09:28 Go to previous messageGo to next message
Everett Wallace  is currently offline Everett Wallace  United States
Messages: 2
Registered: January 2010
Junior Member
Bill,

You asked if there waw a way to apply a password policy to a group instead of having the same policy for everyone. the answer is yes and no <g>. you can apply a different password policy to an OU, not a security group in Win 2K3 - this is just like any other Group Policy. So, you could get the effect you want by creating a new OU under the existing OU, putting the users in that OU, then linking the new password policy to that OU.

- Everett



Bill N wrote:

Upgrading Win 2K3 DC's to Win 2008
05-Jan-10

I have the need to upgrade all existing Win 2k3 domain controllers (3) to
Win 2008 DC. The reason is that W2K3 AD will not allow us to set password
policy to a policy group but to apply globally.

Our environment:

Exchange 2007 on W2K3 R2 - 64 bit
Sharepoint server MOSS 2007 on W2K8 R2 32-bit

All current DC's are on Wk3 Standard SP2

Please give me some idea how to accomplish this (unless there is a way to
apply password policy to a selected group instead of to all users).

Thanks

Bill

Previous Posts In This Thread:


Submitted via EggHeadCafe - Software Developer Portal of Choice
Migration 2003-2007 Project Server details
http://www.eggheadcafe.com/tutorials/aspnet/36708640-9aa9-48 d3-b041-dd519122bd06/migration-20032007-proje.aspx
Re: password policy in Win 2K3 [message #361016 is a reply to message #360896] Wed, 06 January 2010 10:52 Go to previous messageGo to next message
meiweb  is currently offline meiweb  Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Everett,

Sorry, but you are wrong.

This will NOT work with Windows server 2003, except you use a 3rd party program.
A password policy on OU level in Windows server 2003 domain will only apply
when used WITHOUT being connected to the domain.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Bill,
>
> You asked if there waw a way to apply a password policy to a group
> instead of having the same policy for everyone. the answer is yes and
> no <g>. you can apply a different password policy to an OU, not a
> security group in Win 2K3 - this is just like any other Group Policy.
> So, you could get the effect you want by creating a new OU under the
> existing OU, putting the users in that OU, then linking the new
> password policy to that OU.
>
> - Everett
>
> Bill N wrote:
>
> Upgrading Win 2K3 DC's to Win 2008
> 05-Jan-10
> I have the need to upgrade all existing Win 2k3 domain controllers (3)
> to Win 2008 DC. The reason is that W2K3 AD will not allow us to set
> password policy to a policy group but to apply globally.
>
> Our environment:
>
> Exchange 2007 on W2K3 R2 - 64 bit
> Sharepoint server MOSS 2007 on W2K8 R2 32-bit
> All current DC's are on Wk3 Standard SP2
>
> Please give me some idea how to accomplish this (unless there is a way
> to apply password policy to a selected group instead of to all users).
>
> Thanks
>
> Bill
>
> Previous Posts In This Thread:
>
> Submitted via EggHeadCafe - Software Developer Portal of Choice
>
> Migration 2003-2007 Project Server details
>
> http://www.eggheadcafe.com/tutorials/aspnet/36708640-9aa9-48 d3-b041-dd
> 519122bd06/migration-20032007-proje.aspx
>
Re: password policy in Win 2K3 [message #361091 is a reply to message #360896] Wed, 06 January 2010 12:23 Go to previous messageGo to next message
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
This only applies to the local machines, the only location where a password
policy will take effect in Windows Server 2003 is the default domain policy.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

<Everett Wallace> wrote in message news:20101611289boethius@bellsouth.net...
> Bill,
>
> You asked if there waw a way to apply a password policy to a group instead
> of having the same policy for everyone. the answer is yes and no <g>.
> you can apply a different password policy to an OU, not a security group
> in Win 2K3 - this is just like any other Group Policy. So, you could get
> the effect you want by creating a new OU under the existing OU, putting
> the users in that OU, then linking the new password policy to that OU.
>
> - Everett
>
>
>
> Bill N wrote:
>
> Upgrading Win 2K3 DC's to Win 2008
> 05-Jan-10
>
> I have the need to upgrade all existing Win 2k3 domain controllers (3) to
> Win 2008 DC. The reason is that W2K3 AD will not allow us to set password
> policy to a policy group but to apply globally.
>
> Our environment:
>
> Exchange 2007 on W2K3 R2 - 64 bit
> Sharepoint server MOSS 2007 on W2K8 R2 32-bit
>
> All current DC's are on Wk3 Standard SP2
>
> Please give me some idea how to accomplish this (unless there is a way to
> apply password policy to a selected group instead of to all users).
>
> Thanks
>
> Bill
>
> Previous Posts In This Thread:
>
>
> Submitted via EggHeadCafe - Software Developer Portal of Choice
> Migration 2003-2007 Project Server details
> http://www.eggheadcafe.com/tutorials/aspnet/36708640-9aa9-48 d3-b041-dd519122bd06/migration-20032007-proje.aspx
Re: Upgrading Win 2K3 DC's to Win 2008 [message #363196 is a reply to message #360720] Fri, 08 January 2010 18:25 Go to previous messageGo to next message
Bill N  is currently offline Bill N  United States
Messages: 14
Registered: September 2009
Junior Member
Thank you all for responding to my questions.
I'll look into these documents.

Bill


"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:#CSJCPtjKHA.5608@TK2MSFTNGP05.phx.gbl...
Check out an article I have on upgrading your forest to 2008 at:
http://www.pbbergs.com/windows/articles.htm

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Bill N" <billn@jaco.com> wrote in message
news:u0ECA0ljKHA.1824@TK2MSFTNGP04.phx.gbl...
>I have the need to upgrade all existing Win 2k3 domain controllers (3) to
> Win 2008 DC. The reason is that W2K3 AD won't allow us to set password
> policy to a policy group but to apply globally.
>
> Our environment:
>
> Exchange 2007 on W2K3 R2 - 64 bit
> Sharepoint server MOSS 2007 on W2K8 R2 32-bit
>
> All current DC's are on Wk3 Standard SP2
>
> Please give me some idea how to accomplish this (unless there's a way to
> apply password policy to a selected group instead of to all users).
>
> Thanks
>
> Bill
>
Re: Upgrading Win 2K3 DC's to Win 2008 [message #365362 is a reply to message #363196] Mon, 11 January 2010 14:15 Go to previous message
Jorge Silva  is currently offline Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Great!

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




"Bill N" <billn@jaco.com> wrote in message
news:e3VwTqMkKHA.1536@TK2MSFTNGP06.phx.gbl...
> Thank you all for responding to my questions.
> I'll look into these documents.
>
> Bill
>
>
> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> news:#CSJCPtjKHA.5608@TK2MSFTNGP05.phx.gbl...
> Check out an article I have on upgrading your forest to 2008 at:
> http://www.pbbergs.com/windows/articles.htm
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Bill N" <billn@jaco.com> wrote in message
> news:u0ECA0ljKHA.1824@TK2MSFTNGP04.phx.gbl...
>>I have the need to upgrade all existing Win 2k3 domain controllers (3) to
>> Win 2008 DC. The reason is that W2K3 AD won't allow us to set password
>> policy to a policy group but to apply globally.
>>
>> Our environment:
>>
>> Exchange 2007 on W2K3 R2 - 64 bit
>> Sharepoint server MOSS 2007 on W2K8 R2 32-bit
>>
>> All current DC's are on Wk3 Standard SP2
>>
>> Please give me some idea how to accomplish this (unless there's a way to
>> apply password policy to a selected group instead of to all users).
>>
>> Thanks
>>
>> Bill
>>
>
Previous Topic:Bit Locker
Next Topic:Did you ever find out what was locking the account?
Goto Forum:
  


Current Time: Wed Jan 17 04:13:41 MST 2018

Total time taken to generate the page: 0.07338 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software