in place upgrade of DC/certificate server [message #361965] Thu, 07 January 2010 10:31
Sawyer
Hello all

I am running in a DFL and FFL of Windows 2003 native. I have 5 DC\DNS
servers, of which 4 are running Windows 2008; the last server to be upgraded
is running Windows 2003 SP2. This DC/DNS is also my enterprise certificate
server, and holds 4 out of the 5 FSMO roles. Because this DC is also
functioning as the enterprise certificate server, I intend to do an in-place
upgrade of the OS to Windows 2008 (I think it will be easier and take less
time). Before I do the in-place upgrade I will take a system state backup, and
back up the certificate database, but is there anything else I should be
backing up before I do the upgrade? We also have two forest trusts set up
with other AD forests, and because this server holds the domain naming
master role and the PDC role, when performing the in-place upgrade will the
AD trusts have a problem during the upgrade?

And lastly, once this server has been upgraded to 2008, I will want to
elevate the DFL and FFL to 2008. Are there major changes to the 2008 level
as compared to the 2003 level? I know about RODC and fine-grained password
policies, but is there anything else or other features I will get after I
make this change?

Many thanks
Re: in place upgrade of DC/certificate server [message #362555 is a reply to message #361965] Fri, 08 January 2010 03:24
meiweb
Hello Sawyer,

Check the following articles about CA upgrade:
http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc742466(WS.10).aspx

http://social.technet.microsoft.com/forums/en-US/winserverMigration/thread/a6464113-cbfa-400b-bbee-120b0fb8c620/

Before starting I would move the FSMO roles to another DC; also, the PDC Emulator
role should be on a Windows Server 2008 machine, as this will create a new
security group. Always keep the FSMOs on the DC with the newest OS. In a single forest domain
you can have the FSMO roles on one machine without any problem; additionally,
make all DCs Global Catalog servers and have at least 2 DNS servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
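
The pre-upgrade capture discussed in this thread, written out as a script. This is an added example, not part of any post here; it goes beyond the database backup the original poster mentions by also saving the CA key, registry configuration, template list and current FSMO holders. The backup path and the `Invoke-Step` helper are assumptions, and it presumes an elevated session on the CA with PowerShell and `netdom` installed (both are separate downloads on Windows Server 2003; the native commands run the same from cmd.exe).

```powershell
# Added example: pre-upgrade capture for a DC that is also an enterprise CA.
# Hypothetical path; choose a volume that the OS upgrade will not touch.
$BackupDir = 'D:\CAPreUpgrade'
$CaDir     = Join-Path $BackupDir 'ca'   # kept empty for certutil's own output
New-Item -ItemType Directory -Path $CaDir -Force | Out-Null

# Hypothetical helper: run one native command and stop on a non-zero exit code,
# so a failed backup is never mistaken for a good one.
function Invoke-Step {
    param([string]$Name, [scriptblock]$Action)
    Write-Host "== $Name"
    & $Action
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# 1. Record which DC holds each FSMO role before any role is moved.
Invoke-Step 'FSMO role holders' {
    netdom query fsmo | Out-File (Join-Path $BackupDir 'fsmo-before.txt')
}

# 2. CA database and log files.
Invoke-Step 'CA database' { certutil -backupDB $CaDir }

# 3. CA certificate and private key as a PKCS #12 file.
#    certutil prompts for the password that protects the file.
Invoke-Step 'CA certificate and key' { certutil -backupKey $CaDir }

# 4. CA registry configuration, which the database backup does not contain.
Invoke-Step 'CA registry configuration' {
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $BackupDir 'certsvc-config.reg')
}

# 5. Certificate templates this CA currently issues.
Invoke-Step 'Published templates' {
    certutil -catemplates | Out-File (Join-Path $BackupDir 'catemplates.txt')
}

# 6. CAPolicy.inf, if the CA was installed or renewed with one.
$policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item $policy $BackupDir }
```

The PKCS #12 file holds the CA private key, so store the backup directory offline with restricted access and keep its password separately.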


Re: in place upgrade of DC/certificate server [message #365399 is a reply to message #361965] Mon, 11 January 2010 14:47
Jorge Silva
Hi
I recommend that you re-think that. Please consider the possibility of
having a dedicated CA for that purpose. If you decide to go ahead with that,
make sure that you perform the upgrade in a lab scenario before going to
production. CAs in 2008 have differences, and I have already seen people who did
that with bad results.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.



