W2K3 to W2K8 and W2K8R2 Active Directory Upgrade Considerations

  • Article

 

I have collected some upgrade considerations from a couple colleagues of mine and have been sharing them on our internal technical DLs as the question comes up.  I have gotten positive feedback on the notes and have been encouraged to post them.  So, here they are.  Though, the real thanks go out to my colleagues Tom and Arren.  Further guidance on AD upgrades has been released to technet. The current title of the document "Microsoft Product Support Quick Start to Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains" can be found here.  https://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx

Here are some of the problems customers may run into when upgrading W2K3 AD deployment to W2K8 and/or W2K8R2 AD deployment:

 

  1. Compatibility issues you should address before beginning the upgrade
    1. https://support.microsoft.com/kb/946405 - No LM Hash
    2. https://support.microsoft.com/kb/942564 - NT 4.0 domains
    3. https://support.microsoft.com/default.aspx?scid=kb;en-US;2021766 W2K8R2/Windows 7 and NT4 domains.
    4. https://technet.microsoft.com/en-us/library/cc731654.aspx - SMB Signing
    5. https://support.microsoft.com/kb/944043 - RODC Client Pack
    6. https://support.microsoft.com/default.aspx?scid=kb;EN-US;968614- Outlook 2003 hotfix
    7. https://support.microsoft.com/kb/958980 - Issue with OCS 2007 or LCS 2005
    8. https://support.microsoft.com/kb/947039 - You cannot locally configure or locally delete the application partitions that are created for IP telephony after you upgrade from Windows Server 2003 to Windows Server 2008  
    9.  https://support.microsoft.com/kb/948680 - Description of the Microsoft server applications that are supported on Windows Server 2008
    10. Browse list fails. If dependant on browse list, then set browser service to auto on PDCe and one DC per segment.
    11. DFS site costed referrals are enabled on W2K8 DCs. This is a good change, but may result in W2K8 providing referrals in a different order than W2K3 DCs which have this feature disabled by default
    12. Lmcompatabilitylevel increased to 3. See https://technet.microsoft.com/en-us/library/cc960646.aspx
    13. NullSessionPipes list is shorter. See the Threats and Countermeasures guide
    14. NullSessionShares has been removed. See the Threats and Countermeasures guide
    15. NSPI connections limited to 50 per user.  https://support.microsoft.com/kb/949469
    16. DES crypto disabled on R2. See technet doc above and the following. https://support.microsoft.com/kb/978055
    17. ldap query policy hard coded limits https://support.microsoft.com/default.aspx?scid=kb;en-US;2009267 . Need to override these limits? See https://blogs.technet.com/b/qzaidi/archive/2010/09/02/override-the-hardcoded-ldap-query-limits-introduced-in-windows-server-2008-and-windows-server-2008-r2.aspx
    18. RFC2696 Section 3 more stringently enforced by W2K8R2 DCs. i.e., Subsequest requests for each page of a query must contain identical values (with the exception of the messageID, the cookie, and
      optionally a modified pageSize) as the original request. W2K3 DCs did not enforce this. W2K8R2 DCs do and will return error UNAVAIL_EXTENSION to caller rather than the requested page if request parameters differ from original request in violation of the RFC. See https://support.microsoft.com/kb/2468316
    19. For other operating system implementations (such as Netapp, Samba, EMC, etc), it is strongly suggested to contact those vendors to get their supportability matrix for Windows as client and as DC.

 

  1. Fixes you should have downloaded in advance
    1. If you use devolution to resolve single-label or non-qualified DNS names, get KB957579 and integrate into build process
    1.  Have you ever auth restored your domain KRBTGT account? If so, https://support.microsoft.com/kb/939820  & https://support.microsoft.com/kb/968140 & https://support.microsoft.com/kb/976424
    1. LDAP client fails to connect LDAPS servers using canonical name. https://support.microsoft.com/kb/2275950 & https://support.microsoft.com/kb/2282241

 

  1. ADPREP /FORESTPREP failures include
    1. Insufficient credentials used to run forestprep
    2. Schema FSMO not assigned to live DC or hasn’t inbound replicated since last boot
    3. Antivirus agent creates locks on LDIF files resulting in error “the callback function failed”
    4. running incorrect version of ADPREP
    5. Schema conflicts including conflicting ldapdisplay names, linkids, oids, Dn paths, attribute syntax, missing “may contains” attributes (KB969307)

 

  1. RODCPREP failures include
    1. Infrastructure masters not assigned to live DC. See MKSB 949257

 

  1. DOMAINPREP /GPPREP fails because
    1. Infrastructure master assigned to offline or deleted NTDSA
    1. Insufficient credentials used
    1. Error “callback function failed” = sysvol not shared, default policy missing or missing default GUID or problem with reparse point

 

  1. DCPROMO
    1. DNS Delegation warning https://technet.microsoft.com/en-us/library/dd379526(WS.10).aspx
    2. Option to install DNS Server role grayed out if DNS server role already installed.

 

  1. RODCPROMO
    1. Option to install RODCs only enabled if FFL = W2K3 or higher
    1. Cannot make the first W2K8 DC in a domain an RODC

 

  1. POST UPGRADE
    1. For RODCs
      1. Install RODC compatibility pack (MSKB 944043 ) on relevant OS versions in environment
      1. The DNS Server service on an RODC does not respond to DNS queries for several minutes if the link to some RWDCs breaks in Windows Server 2008. KB981370
      1. Delegation scenarios may break in mixed environments that have RODCs and still contain W2K3 DCs in the same domain as the RODC. KB2360265

 

              b. For DNS Servers  

  1. EDNS (RFC 2671) is turned on for W2K8 R2 DNS servers. Review the following KBs for examples of compatibility issues. KB828263 KB977158 KB832223
  2. W2K8 and W2K8 R2 DNS servers do not reuse DNSnode objects once dnstombstoned=true for a given node, instead these objects are tombstoned. The effect of this will result in a larger AD database, the amount of which will depend on the DNS record churn rate and volume. Aggressive DNS scavenging and/or short DHCP lease durations where DHCP is configured to de-register client records at lease expiration will exacerbate this. https://support.microsoft.com/kb/2548145/en-us

 

               c.  For DCs running on hyper-V & VMWARE

                               a. install a UPS

                               b. brief all admins on the risks of USN rollbacks caused by restoring snapshots on DC role guests. Review https://technet.microsoft.com/en-us/library/dd363553(WS.10).aspx

                               c. P2V conversions should be done in offline mode. If converting multiple DC’s in same forest, then all need to be offline @ same time.

 

               d. Disaster Avoidance & Recovery 

                               a. Enable delete protection on OU containers

                                b. Enable system state backups

                                c. If using 3rd party backup, test system state restores + alternant backup like Windows Server backup so that PSS can restore when 3rd party product fails to restore

 

    9.      ADMIN STUFF

 

  1. Execute 948690 if EFS on W2K3 computer upgraded to W2K8
  2. If using GPP, install 943729

 

   10.      RECYCLE BIN STUFF

                         a. With Identity Lifecycle Manager (ILM), including Feature Pack 1 (FP1), the Management Agent for Active Directory is not supported with the Recycle Bin feature.  KB2018683