
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains

Microsoft Corporation
Published: November 2009
Writer: Justin Hall
Editor: Jim Becker

Abstract
This guide explains the process for upgrading Active Directory domains to Windows Server 2008 and Windows Server 2008 R2, how to upgrade the operating system of domain controllers, and how to add domain controllers that run Windows Server 2008 or Windows Server 2008 R2 to an existing domain.

Copyright Information
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2009 Microsoft Corporation. All rights reserved. Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 
All other trademarks are property of their respective owners.

Contents
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains
    Abstract
Copyright Information
Contents
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains
    About this guide
    In this guide
    Related information
Overview of Upgrading Active Directory Domains
Planning to Upgrade Active Directory Domains
    In this guide
Checklist: Preupgrade Tasks
Assign Appropriate Credentials
Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
Determine Supported Software Upgrades
Assess Hardware Requirements
    Disk space requirements for upgrading to Windows Server 2008
    Disk space requirements for upgrading to Windows Server 2008 R2
Determine Domain Controller Upgrade Order
Develop a Test Plan for Your Domain Upgrade Process
Determine Service Pack Levels
Back Up Domain Data
Resolve Upgrade and Application Compatibility Problems
    Known issues for upgrading to Windows Server 2003
Performing the Upgrade of Active Directory Domains
    In this guide
Checklist: Upgrade Tasks
Prepare Your Infrastructure for Upgrade
Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
Upgrade Existing Domain Controllers
    Unattended upgrade
Modify Default Security Policies
Update Group Policy Permissions
Perform Clean-up Tasks
Completing the Upgrade of Active Directory Domains
    In this guide
Checklist: Post-Upgrade Tasks
Raise the Functional Levels of Domains and Forests
Move DNS Data into DNS Application Directory Partitions
Redirect Users and Computers
Complete the Upgrade
Finding Additional Information About Upgrading Active Directory Domains
Appendix A: Background Information for Upgrading Active Directory Domains
    Active Directory preparation tool
    Application directory partitions for DNS
        _msdcs.forest_root_domain subdomain
        _msdcs.domain_name subdomain
        Service (SRV) resource records
    Intrasite replication frequency
    New groups and new group memberships that are created after upgrading the PDC
    Security policy considerations when upgrading from Windows 2000 to Windows Server 2003
        SMB packet signing
        Secure channel signing and encryption
Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains
    System requirements for installing Windows Server 2008 and Windows Server 2008 R2
    What's new in AD DS in Windows Server 2008 and Windows Server 2008 R2
    Supported in-place upgrade paths
    Functional level features and requirements
    Secure default settings in Windows Server 2008 and Windows Server 2008 R2
    Virtualized domain controllers on Hyper-V™, VMware, and other virtualization software
    Administration, remote administration, and cross-version administration
    Client, server, and application interoperability
    Configuring the Windows Time service for Windows Server 2008 and Windows Server 2008 R2
    Known issues for upgrades to Windows Server 2008 and Windows Server 2008 R2
    Verifications you can make and recommended hotfixes you can install before you begin
    Run Adprep commands
        Add schema changes using adprep /forestprep
        Run adprep /domainprep /gpprep
        If you are deploying RODCs, run adprep /rodcprep
    Background information about the in-place upgrade process
    Upgrade domain controllers
    Upgrading and promoting new domain controllers into an existing domain
    Post-installation tasks
        Fixes to install after AD DS installation
    Troubleshooting errors
        Adprep errors
            Forestprep errors
            Domainprep errors
            Rodcprep errors
        Dcpromo errors

Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains

Upgrading your network operating system requires minimal network configuration and typically has a low impact on user operations. The upgrade process is straightforward, efficient, and allows your organization to take advantage of the improved security that is offered by the Windows Server® 2008 and Windows Server 2008 R2 operating systems.

About this guide
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for upgrading Windows 2000 or Windows Server 2003 Active Directory domains to Active Directory Domain Services (AD DS) domains that have domain controllers running Windows Server 2008 or Windows Server 2008 R2. For a seamless deployment experience, use the checklists that are provided in this guide and complete the tasks in the order in which they are presented.

In this guide
• Overview of Upgrading Active Directory Domains
• Planning to Upgrade Active Directory Domains
• Performing the Upgrade of Active Directory Domains
• Completing the Upgrade of Active Directory Domains
• Finding Additional Information About Upgrading Active Directory Domains
• Appendix A: Background Information for Upgrading Active Directory Domains
• Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains

Related information
• For more information about the AD DS logical structure and the Domain Name System (DNS) infrastructure that is necessary to support AD DS, see Designing the Logical Structure for Windows Server 2008 AD DS [LH].
• For more information about installing and configuring a DNS server, see Deploying Domain Name System (DNS) (http://go.microsoft.com/fwlink/?LinkId=93656).
• For more information about AD DS functional levels, see Enabling Advanced Features for AD DS.

Overview of Upgrading Active Directory Domains
By upgrading your network operating system, you can maintain your current network and domain configuration while improving the security, scalability, and manageability of your network infrastructure. When the domain upgrade process is complete, all domain controllers will be running Windows Server 2008 or Windows Server 2008 R2, and the Active Directory Domain Services (AD DS) domains and forest will be operating at the Windows Server 2008 or Windows Server 2008 R2 functional level. At the Windows Server 2008 R2 forest functional level, you can take advantage of all the advanced AD DS features. For more information about advanced AD DS features for AD DS functional levels, see Enabling Advanced Features for AD DS.

Planning to Upgrade Active Directory Domains
To plan the upgrade of your Active Directory domains, complete the tasks in Checklist: Preupgrade Tasks. Before you upgrade your Windows 2000 or Windows Server 2003 Active Directory domains, review your business objectives and decide how they relate to your existing Active Directory infrastructure. Although your objectives might not require other significant changes to your existing environment, the operating system upgrade is an opportune time to review your existing Active Directory design, including your Active Directory logical structure, site topology, and domain controller capacity. You might find opportunities for increased efficiencies and cost savings that you can incorporate into your upgrade process. In addition, ensure that you test your upgrade process in a lab and pilot program.

In this guide
• Checklist: Preupgrade Tasks
• Assign Appropriate Credentials
• Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
• Determine Supported Software Upgrades
• Assess Hardware Requirements
• Determine Domain Controller Upgrade Order
• Develop a Test Plan for Your Domain Upgrade Process
• Determine Service Pack Levels
• Back Up Domain Data

• Resolve Upgrade and Application Compatibility Problems

Checklist: Preupgrade Tasks
Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Checklist: Preupgrade Tasks
Task: Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade.
    Reference: Assign Appropriate Credentials
Task: Introduce a newly installed member server into the forest.
    Reference: Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
Task: Identify the editions of Windows 2000 or Windows Server 2003 that are running in your environment. Then determine if you can upgrade these editions or if you must perform a complete reinstallation for each.
    Reference: Determine Supported Software Upgrades
Task: Review and document the existing hardware configuration of each domain controller that you plan to upgrade.
    Reference: Assess Hardware Requirements
Task: Determine the order in which you will upgrade your domain controllers before you begin the domain upgrade process.
    Reference: Determine Domain Controller Upgrade Order
Task: Develop a test plan for your domain upgrade process.
    Reference: Develop a Test Plan for Your Domain Upgrade Process
Task: Determine service pack levels.
    Reference: Determine Service Pack Levels
Task: Back up your Windows 2000 or Windows Server 2003 domain data before you begin the upgrade.
    Reference: Back Up Domain Data
Task: Resolve upgrade and application compatibility problems.
    Reference: Resolve Upgrade and Application Compatibility Problems

Assign Appropriate Credentials
Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade. The adprep /forestprep command requires a user account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins groups. The adprep /domainprep command requires a user account that is a member of the Domain Admins group in the targeted domain. The adprep /rodcprep command requires a user account that is a member of the Enterprise Admins group.

In addition, the security context can affect the ability of an administrator to complete the upgrade of domain controllers. Members of the Builtin\Administrators group can upgrade the operating system and install software on a computer. The following groups are members of the Builtin\Administrators group by default:
• The Enterprise Admins group is a member of Builtin\Administrators in the forest root domain and in each regional domain in the forest.
• The Domain Admins group is a member of Builtin\Administrators in their domain.
• The Domain Admins group is a member of Builtin\Administrators on member servers in their domain.

The following table shows the credentials that are required to upgrade servers, depending on the domain membership of the servers. Its columns are the server types: domain controller in forest root domain, member server in forest root domain, domain controller in regional domain, and member server in regional domain. Its rows are the credentials: Enterprise Admins in forest root domain, Domain Admins in forest root domain, Builtin\Administrators in forest root domain, Domain Admins in regional domain, and Builtin\Administrators in regional domain.

You also need to ensure that the administrator who is upgrading the domain controllers has the following rights:
• Backup files and directories (SE_BACKUP_NAME)
• Modify firmware environment values (SE_SYSTEM_ENVIRONMENT_NAME)
• Restore files and directories (SE_RESTORE_NAME)
• Shut down the system (SE_SHUTDOWN_NAME)

The setup program cannot run properly if these rights are not defined or if they are disabled by a domain Group Policy setting on the computer. The policies are named identically to the user rights listed above. Assign the appropriate credentials in advance to allow both Active Directory domain upgrade testing and deployment to proceed without unexpected security delays.

Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify if user rights assignments are disabled by a domain Group Policy setting
1. In the Run dialog box, type mmc, and then click OK.
2. Click File, and then click Add/Remove snap-in.
3. In the Available snap-ins dialog box, select Group Policy Management Editor, and then click Add.
4. On the Welcome to the Group Policy Wizard page, verify that Local Computer appears in the Group Policy Object box, and then click Finish.
5. In the console tree, navigate to the Local Computer Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment folder.
6. In the details pane, verify that the user who will perform the upgrade is a member in one of the groups that has the necessary rights assigned.
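The group memberships that adprep /forestprep requires and the four user rights listed above can both be checked from the logon token of the account that will perform the work, which is quicker than walking the Group Policy editor on every domain controller. The following PowerShell script is an added example; it is not part of the guide and not Microsoft's tooling. It relies only on whoami.exe, which ships with Windows, and the group and privilege names it checks are the ones stated in the text.

```powershell
# Added example, not from the guide: a preflight check that the account which
# will run adprep and upgrade the domain controllers holds the group
# memberships and user rights that the guide requires. It reads the current
# logon token with whoami.exe. Run it from an elevated prompt, because a
# UAC-filtered token does not show every privilege the account holds.

# Groups the guide requires for adprep /forestprep (assumed to be in the
# forest root domain; whoami prints them as DOMAIN\Group).
$forestPrepGroups = @('Schema Admins', 'Enterprise Admins', 'Domain Admins')

# Privilege constant as whoami reports it -> user right name used by the guide.
$requiredPrivileges = @{
    'SeBackupPrivilege'            = 'Backup files and directories (SE_BACKUP_NAME)'
    'SeSystemEnvironmentPrivilege' = 'Modify firmware environment values (SE_SYSTEM_ENVIRONMENT_NAME)'
    'SeRestorePrivilege'           = 'Restore files and directories (SE_RESTORE_NAME)'
    'SeShutdownPrivilege'          = 'Shut down the system (SE_SHUTDOWN_NAME)'
}

function Test-UpgradeCredentials {
    $problems = @()

    # whoami /groups lists every group in the token, including nested ones.
    $tokenGroups = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
    foreach ($g in $forestPrepGroups) {
        if (-not ($tokenGroups | Where-Object { $_ -like "*\$g" })) {
            $problems += "Not a member of '$g' (required for adprep /forestprep)"
        }
    }

    # whoami /priv lists only the privileges the token actually holds (whether
    # currently Enabled or Disabled). A right that a domain Group Policy setting
    # has taken away is simply absent from the list.
    $tokenPrivs = (whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name'
    foreach ($p in $requiredPrivileges.Keys) {
        if ($tokenPrivs -notcontains $p) {
            $problems += "Missing user right: $($requiredPrivileges[$p])"
        }
    }

    if ($problems.Count -eq 0) {
        Write-Output 'OK: account holds the required group memberships and user rights.'
    } else {
        $problems | ForEach-Object { Write-Warning $_ }
    }
    return ($problems.Count -eq 0)
}

Test-UpgradeCredentials
```

If a right is reported missing, gpresult /h report.html on the same computer shows which Group Policy object delivers the User Rights Assignment settings, so the setting can be corrected at its source rather than on the individual domain controller.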

Introduce a Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
You can upgrade your Active Directory environment in the following ways:
• Introduce newly installed domain controllers that run Windows Server 2008 or Windows Server 2008 R2 into the forest, and then retire or upgrade all existing domain controllers.
• Perform an in-place upgrade of all existing domain controllers.

Important
If you want to upgrade the operating system of a Windows 2000 domain controller to Windows Server 2008, you must first perform an in-place upgrade of the Windows 2000 operating system to a Windows Server 2003 operating system. Then, perform an in-place upgrade of this Windows Server 2003 operating system to a Windows Server 2008 operating system. A direct Windows 2000–to–Windows Server 2008 operating system upgrade is not supported.

The information in this guide also applies to Windows Server 2008 R2. If you perform an in-place upgrade of the existing domain controllers running Windows Server 2003 in the forest to Windows Server 2008 R2, remember that Windows Server 2008 R2 is an x64-based operating system. If your server is running an x86-based version of Windows Server 2003, you cannot upgrade this computer to Windows Server 2008 R2. If your server is running an x64-based version of Windows Server 2003, you can successfully perform an in-place upgrade of this computer's operating system to Windows Server 2008 R2.

Use the following procedure to introduce a member server that runs Windows Server 2008 or Windows Server 2008 R2 into your environment. As an alternative, you can use an unattended installation method.

Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To install Windows Server 2008 or Windows Server 2008 R2
1. Insert the operating system DVD into the DVD drive, and then select the option to install the operating system. Use the NTFS file system to format the partitions.
2. Enter the computer name, static IP address, and subnet mask that are specified by your design. Enter a strong administrator password.
3. Enable Remote Desktop to enable administrators to log on remotely, if necessary. To enable Remote Desktop, in Server Manager, click Configure Remote Desktop, and then click Allow connections from computers running any version of Remote Desktop (less secure) or Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).

After you prepare your forest and domains for the upgrade (see Prepare Your Infrastructure for Upgrade), install AD DS on the new member server (see Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2). You can introduce this member server to any domain in the forest. However, if your forest root domain is a dedicated root, introduce the member server into the forest root domain. Placing this member server into a dedicated root domain has the lowest impact on your environment because users generally do not log on to a dedicated forest root domain. Therefore, user authentications are minimal.

Determine Supported Software Upgrades
Identify the editions of Windows 2000 or Windows Server 2003 that are running in your environment. Then, determine if you can upgrade these editions or if you must perform complete operating system reinstallations.

Important
To upgrade Windows 2000 Active Directory domains to Windows Server 2008 Active Directory Domain Services (AD DS) domains, you must perform an in-place upgrade of all existing domain controllers running Windows 2000 in the forest to domain controllers running Windows Server 2003. Then, perform an in-place upgrade of those domain controllers to Windows Server 2008. A direct in-place upgrade of a Windows 2000 edition to a Windows Server 2008 edition is not supported.

The following table lists Windows 2000 editions and indicates what editions can be upgraded directly to each edition of Windows Server 2003. Its rows are the Windows 2000 editions (Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server); its columns are the upgrade targets (Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, and Windows Server 2003 Datacenter Edition).

The following table lists Windows Server 2003 editions and indicates what editions can be upgraded directly to each edition of Windows Server 2008. Its columns are the upgrade targets (Windows Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008 Datacenter); its rows are the Windows Server 2003 editions:
• Windows Server 2003 Standard Edition with Service Pack 1 (SP1)
• Windows Server 2003 Standard Edition with Service Pack 2 (SP2)
• Windows Server 2003 R2 Standard Edition
• Windows Server 2003 Enterprise Edition with SP1
• Windows Server 2003 Enterprise Edition with SP2
• Windows Server 2003 R2 Enterprise Edition
• Windows Server 2003 Datacenter Edition with SP1
• Windows Server 2003 Datacenter Edition with SP2
• Windows Server 2003 R2 Datacenter Edition

Notes
With the exception of Windows Server 2008 editions for Itanium-Based Systems, this table applies equally to 32-bit and 64-bit Windows Server 2008 editions. However, upgrades from 32-bit to 64-bit (and from 64-bit to 32-bit) are not supported.

The information in this guide also applies to Windows Server 2008 R2. If you perform an in-place upgrade of the existing domain controllers running Windows Server 2003 in the forest to Windows Server 2008 R2, remember that Windows Server 2008 R2 is an x64-based operating system. If your server is running an x86-based version of Windows Server 2003, you cannot upgrade this computer to Windows Server 2008 R2. If your server is running an x64-based version of Windows Server 2003, you can successfully perform an in-place upgrade of this computer's operating system to Windows Server 2008 R2.

For more information about supported upgrade options, see Supported in-place upgrade paths.

Assess Hardware Requirements
Review and document the existing hardware configuration of each domain controller that you plan to upgrade. Use this information to identify the domain controllers in your environment that you can upgrade and the domain controllers that do not meet the hardware requirements necessary to run Windows Server 2008 or Windows Server 2008 R2. You can retain domain controllers that do not meet the necessary hardware requirements to serve as rollback servers if you must roll back your deployment. In most cases, a Windows 2000–based domain controller meets the requirements to be upgraded to Windows Server 2008 as long as it has adequate disk space.

Disk space requirements for upgrading to Windows Server 2008
The upgrade process from Windows Server 2003 to Windows Server 2008 requires free disk space for the new operating system image, for the Setup process, and for any installed server roles. An error is logged when the domain controller role detects insufficient disk space to perform the upgrade. Additional disk space information may appear in the compatibility report that Setup displays.

For the domain controller role, at a minimum, a domain controller requires available free disk space for the Active Directory Domain Services (AD DS) database, NTDS.dit, AD DS log files, SYSVOL, and the operating system. Use the following guidelines to determine how much disk space to allot for your AD DS installation:
• On the drive that will contain the AD DS database, provide 0.4 gigabytes (GB) of storage for each 1,000 users. For example, for a forest with two domains (domain A and domain B) with 10,000 users and 5,000 users, respectively, provide a minimum of 4 GB of disk space for each domain controller that hosts domain A and provide a minimum of 2 GB of disk space for each domain controller that hosts domain B. Available space must equal at least 10 percent of your existing database size or at least 250 megabytes (MB), whichever is greater.
• On the drive containing the AD DS log files, provide at least 500 MB of available space.
• On the drive containing the SYSVOL shared folder, provide at least 500 MB of available space.
• On the drive containing the operating system files, provide at least 1.25 GB to 2 GB of available space to run Setup.

By default, Dcpromo.exe places the Active Directory database and log files under %Windir%, in which case their size is included in the free disk space requirements for the %Windir% folder. In addition, the volume or volumes that host the following resources also have specific free disk space requirements:
• Application Data (%AppData%)
• Program Files (%ProgramFiles%)
• Users Data (%SystemDrive%\Documents and Settings)
• Windows Directory (%WinDir%)

The free space on the %WinDir% volume must be equal to or greater than the current size of the resources listed above and their subordinate folders when they are located on the %WinDir% volume. For example, suppose that you have the following resources located on the %WinDir% volume, with the sizes listed in the following table.

Resource                                            Size
Application Data (%AppData%)                        100 MB
Program Files (%ProgramFiles%)                      100 MB
Users Data (%SystemDrive%\Documents and Settings)   50 MB
Windows Directory (%WinDir%)                        1 GB
Total size                                          1.25 GB

In this example, the free space on the %WinDir% volume must be equal to 1.25 GB or greater. After the upgrade, the space that was reserved for the copied resources will be returned to the file system.

A default installation of Active Directory in Windows Server 2003 has the Active Directory database and log files under %WinDir%\NTDS. With this configuration, the Ntds.dit database file and all the log files are temporarily copied over to the quarantine location and then copied back to their original location; this is why additional free space is required for those resources. However, if the Active Directory database is hosted outside any of the folders above, then the hosting volume or volumes must only contain additional free space equal to at least 10 percent of the current database size or 250 MB, whichever is greater. Finally, the free space on the volume that hosts the log files must be at least 50 MB. Although the SYSVOL directory is also under %WinDir% (that is, %WinDir%\SYSVOL), it is moved and not copied. Therefore, it does not require any additional free space.

Disk space requirements for upgrading to Windows Server 2008 R2
The Active Directory database, NTDS.dit, on Windows Server 2008 R2 domain controllers can be larger than in previous versions of Windows for the following reasons:
• The "partial merge" feature is disabled on Windows Server 2008 R2 domain controllers.
• Windows Server 2008 R2 domain controllers add two new indices on the large link table.
• The Active Directory Recycle Bin in Windows Server 2008 R2 preserves attributes on deleted objects for the Recycle object lifetime. For Active Directory Recycle Bin, there is a new indexed attribute, isRecycled, whose value is set for all deleted objects, and all attributes are kept on deleted objects. Therefore, the database increases in size at the following moments:
    • After Windows Server 2008 R2 adprep /forestprep completes and the first Windows Server 2008 R2 domain controller is installed.
    • After the Active Directory Recycle Bin is enabled. More disk space is required as more object deletions occur.

In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle Bin feature increased the size of the AD DS database by an additional 15 to 20 percent of the original database size, using the default deletedObjectLifetime and recycledObjectLifetime values of 180 days. Additional space requirements depend on the size and count of the objects that are recycled.

An in-place upgrade of a domain controller to Windows Server 2008 R2 requires sufficient disk space for the upgrade process to copy the following folders:
• %SystemRoot%
• %ProgramFiles%
• %SystemDrive%\Program Files
• %ProgramFiles(x86)%
• %SystemDrive%\build
• %SystemDrive%\InstalledRepository
• %ProfilesFolder%
• %ProgramData%
• %SystemDrive%\Documents and Settings

The following table shows the test results for an upgrade of a domain controller from Windows Server 2008 to Windows Server 2008 R2. In this table:
• <i> = 15 GB (the minimum amount of free space on a Windows hard drive that Windows setup requires)
• The original size of Ntds.dit was 5 GB.

Ntds.dit location: Ntds.dit is located on a different drive than the system.
Free space (GB) on the system drive: 1
Result: In this scenario, Ntds.dit does not have to be copied from the Windows.old folder to the Windows folder, but there is not enough space to copy Windows setup files. The compatibility report finds there is not enough space to copy Windows files. The upgrade is blocked at the compatibility report.

Ntds.dit location: Ntds.dit is located on the same drive as the system, but it is out of %windir%.
Free space (GB) on the system drive: <i>
Result: In this scenario, the disk meets the minimum free-space requirements for the Windows files to be installed, and Ntds.dit does not have to be copied from the Windows.old folder to the Windows folder. The compatibility report warns the user that the amount of free space meets the minimum requirements and that the upgrade process would take longer.

dit does not have to be copied from the Windows.Ntds. Ntds.dit because the database was not copied to the new operating system. which causes the compatibility report to be bypassed. the disk meets the minimum free-space requirements for the Windows Files to be installed. Click OK to shut down the system. The domain controller is upgraded successfully.old folder to the Windows folder.dit. Windows Server 2008 R2 is not able to locate Ntds. the disk meets the minimum free-space requirements for the Windows Files to be installed. <i> In this scenario.old folder to the Windows folder. and Ntds.dit location Free space (GB) on the system drive Result The domain controller is upgraded successfully.dit is located on the same drive as the system. On its first start. 18 . Err 0xc00002ec = STATUS_DS_INIT_FAILURE_CONSOLE The domain controller is rolled back to Windows Server 2008 successfully. The compatibility report warns the user that the amount of free space meets the minimum requirements and that the upgrade process would take longer. You can use the recovery console to diagnose the system further. which causes an error and forces the computer to roll back to the previous operating system.dit is located under the Windows folder. which causes the upgrade to copy it from the Windows. Ntds. ERROR_CODE: (NTSTATUS) 0xc00002ec Directory Services could not start because of the following error: %hs Error Status: 0x %x. This last step fails because there is not enough space on the disk to fit Ntds. Ntds. However.dit is located on the default folder: %windir%\ntds\ <i> + 1 In this scenario. but it is out of %windir%.
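The table shows that Setup's own compatibility report does not catch the one case that ends in a rollback (Ntds.dit under %windir% with exactly the Setup minimum free). The following script is an added example, not part of the Microsoft guide: it reads where this domain controller keeps its database and logs from the NTDS service parameters, and applies the free-space rules above (15 GB Setup minimum on the system volume plus the database and logs when they sit under %windir%; 10 percent or 250 MB on the database volume; 50 MB on the log volume). The 20 percent growth reserve for the Recycle Bin is this example's own reading of the 15 to 20 percent figure quoted above, and the 15 GB figure is the <i> value from the table; both are parameters.

```powershell
# Added example (not from the Microsoft guide): pre-flight free-space check before an
# in-place upgrade of a Windows Server 2008 domain controller to Windows Server 2008 R2.
# Run elevated on the domain controller. Registry value names are the real NTDS parameters.
param(
    [int64]$SetupMinimumBytes = 15GB,   # <i> in the table above
    [double]$RecycleBinGrowth = 0.20    # reserve for Recycle Bin growth (assumption, see text)
)

$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = $ntds.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logPath = $ntds.'Database log files path'    # e.g. C:\Windows\NTDS
$winDir  = $env:SystemRoot

function Get-VolumeFreeBytes([string]$path) {
    $drive = Split-Path -Qualifier $path          # "C:"
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    return [int64]$disk.FreeSpace
}

$dbSize  = (Get-Item $dbPath).Length
$logSize = (Get-ChildItem $logPath -Filter *.log | Measure-Object Length -Sum).Sum
if (-not $logSize) { $logSize = 0 }

# If Ntds.dit lives under %windir%, Setup copies it Windows.old -> Windows, so the system
# volume must hold the Setup minimum plus the database and its logs (the rollback row above).
$dbUnderWinDir = $dbPath.ToLower().StartsWith($winDir.ToLower())
$sysNeeded = $SetupMinimumBytes
if ($dbUnderWinDir) { $sysNeeded += $dbSize + $logSize }

# Database volume: 10 percent of the current size or 250 MB, whichever is greater,
# plus the growth reserve for the R2 indices and the Recycle Bin.
$dbNeeded  = [math]::Max([int64]($dbSize * 0.10), [int64]250MB) + [int64]($dbSize * $RecycleBinGrowth)
$logNeeded = [int64]50MB

$checks = @(
    @{ Check = 'System volume (%WinDir%)'; Needed = $sysNeeded; Free = Get-VolumeFreeBytes $winDir },
    @{ Check = 'Ntds.dit volume';          Needed = $dbNeeded;  Free = Get-VolumeFreeBytes $dbPath },
    @{ Check = 'Log files volume';         Needed = $logNeeded; Free = Get-VolumeFreeBytes $logPath }
)
$failed = 0
foreach ($c in $checks) {
    $ok = $c.Free -ge $c.Needed
    if (-not $ok) { $failed++ }
    '{0,-26} needed {1,7:N2} GB  free {2,7:N2} GB  {3}' -f $c.Check, ($c.Needed / 1GB), ($c.Free / 1GB), $(if ($ok) { 'OK' } else { 'SHORT' })
}
"Ntds.dit under %windir%: $dbUnderWinDir (database $([math]::Round($dbSize / 1GB, 2)) GB)"
if ($failed) { Write-Warning "$failed check(s) failed. Move Ntds.dit out of %windir% or free space before starting Setup." }
```

Run it once before Setup and keep the output with the upgrade records; the Ntds.dit-under-%windir% line is the condition that Setup's report will not warn you about.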

Determine Domain Controller Upgrade Order
Determine the order in which you will upgrade your domain controllers before you begin the domain upgrade process. Use a domain controller documentation table to document information about each domain controller in the forest. Record the name, IP address, the domain in which the domain controller will be located, and the operations master roles held by each domain controller before and after the upgrade. Finally, record the order in which you will upgrade the operating system on each domain controller.
For a worksheet to assist in documenting your domain controller information, see Job Aids for Windows Server 2003 Deployment Kit (http://go.microsoft.com/fwlink/?LinkID=102558). Download Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip, and then open DSSUPWN_2.doc.
One possible order for upgrading domain controllers is as follows:
• Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 in the forest root domain by using the Active Directory Domain Services Installation Wizard (Dcpromo.exe).
• In each domain, upgrade the operating system on the domain controller that holds the primary domain controller (PDC) emulator operations master role, or transfer the role to a domain controller that runs Windows Server 2008 or Windows Server 2008 R2.
• Continue upgrading domain controllers or retiring domain controllers that you no longer want to keep in your infrastructure, until the domain upgrade is complete.
Notes
This order for upgrading or adding new domain controllers is a recommendation only. It is safe to upgrade the domain controllers holding any operations master role at any time in the upgrade process. Some tasks, such as creation of the Enterprise Read-Only Domain Controllers group, are performed on the PDC emulator only if it is running Windows Server 2008 or Windows Server 2008 R2. If the PDC emulator is not upgraded, the Enterprise Read-Only Domain Controllers group is created when the first read-only domain controller (RODC) is added to the domain. It may be preferable to upgrade the PDC emulator for that reason, but it is not a requirement.
Similarly, you can independently upgrade each domain within a forest that has multiple domains. For example, you can begin upgrading domain controllers in a child domain before you upgrade domain controllers in the root domain of the same forest.
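The following script is an added example, not part of the Microsoft guide or its job-aid worksheet: it fills in the documentation table described above (name, IP address, domain, operations master roles before the upgrade, and a proposed upgrade order) for every domain in the forest, using the System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008, so it needs no Active Directory PowerShell module. The UpgradeOrder column applies the recommended order above (PDC emulator of each domain first, then the rest) and is meant to be adjusted by hand; the "after" roles column is left for you to complete; the CSV path is an example.

```powershell
# Added example (not from the Microsoft guide): domain controller documentation table.
# Run on a domain-joined computer as a user who can read the directory.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rows = @()
foreach ($domain in $forest.Domains) {
    $pdc = $domain.PdcRoleOwner.Name
    foreach ($dc in $domain.DomainControllers) {
        # Domain-level roles held by this DC (PdcRole, RidRole, InfrastructureRole, ...)
        $roles = [string[]]@($dc.Roles | ForEach-Object { $_.ToString() })
        # Recommended order from the text: PDC emulator of each domain first.
        $order = 2
        if ($dc.Name -eq $pdc) { $order = 1 }
        $rows += New-Object PSObject -Property @{
            Name         = $dc.Name
            IPAddress    = $dc.IPAddress
            Domain       = $domain.Name
            Site         = $dc.SiteName
            OSVersion    = $dc.OSVersion
            RolesBefore  = [string]::Join(', ', $roles)
            RolesAfter   = ''        # fill in if a role will be transferred during the upgrade
            UpgradeOrder = $order
        }
    }
}
$rows | Sort-Object Domain, UpgradeOrder, Name |
    Format-Table Name, IPAddress, Domain, Site, OSVersion, RolesBefore, UpgradeOrder -AutoSize
$rows | Export-Csv -Path '.\dc-inventory.csv' -NoTypeInformation   # example path

# The two forest-wide roles are held by one DC each; record their owners as well,
# because adprep /forestprep must run on the schema master.
"Schema master:        $($forest.SchemaRoleOwner.Name)"
"Domain naming master: $($forest.NamingRoleOwner.Name)"
```

Run it again after the upgrade and diff the two CSV files to confirm that the "after" role placement matches what you planned.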

Develop a Test Plan for Your Domain Upgrade Process
It is important to develop a plan for testing your domain upgrade procedures throughout the upgrade process. Before you begin, test your existing domain controllers to ensure that they are functioning properly. Continue to test your domain controllers throughout the process to verify that Active Directory Domain Services (AD DS) replication is consistent and successful.
The following table lists the tools and log files to use in your test plan. For more information about installing tools to test domain controllers, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkId=177813).

Tool/log file | Description | Location
Repadmin.exe | Checks replication consistency and monitors both inbound and outbound replication partners. Displays replication status of inbound replication partners and directory partitions. | %SystemRoot%\System32. This tool is added to the server as part of the AD DS installation.
Dcdiag.exe | Diagnoses the state of domain controllers in a forest or enterprise, tests for successful Active Directory connectivity and functionality, and returns the results as passed or failed. | %SystemRoot%\System32. This tool is added to the server as part of the AD DS installation.
Nltest.exe | Provides domain controller location capabilities. Queries and checks the status of trusts and can forcibly shut down domain controllers. | %SystemRoot%\System32. This tool is added to the server as part of the AD DS installation.
Dnscmd.exe | Provides the properties of Domain Name System (DNS) servers, zones, and resource records. | %SystemRoot%\System32. This tool is added to the server as part of the AD DS installation.
Adsiedit.msc | A Microsoft Management Console (MMC) snap-in that acts as a low-level editor for AD DS and allows you to view, add, delete, and move objects and attributes within the directory. | %SystemRoot%\System32. This tool is added to the server as part of the AD DS installation.
Adprep.log | Provides a detailed progress report of the forest and domain preparation process. | %SystemRoot%\Debug\ADPrep\Logs
Dcpromoui.log and Dcpromo.log | Provides a detailed progress report of the Active Directory installation. Includes information regarding replication and services in addition to applicable error messages. | %SystemRoot%\Debug. These logs are added to the server as part of the AD DS installation.

For more information about support tools for Windows, see Help and Support for Windows Server 2008.

Determine Service Pack Levels
Before preparing your infrastructure for upgrade, all Windows 2000–based domain controllers in the forest must be running Windows 2000 Service Pack 4 (SP4). Use the repadmin /showattr command to perform an inventory of the operating system and service pack revision level on all domain controllers in a particular domain.
Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the operating system and service pack revision level on all domain controllers
• For each domain in the forest, type the following command at the command line of a computer that has the support tools for Windows Server 2008 installed, and then press ENTER:
repadmin /showattr <domain_controller_in_target_domain> ncobj:domain: /filter:"(&(objectcategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack

Parameter | Description
repadmin /showattr | Displays the attributes on an object.
domain_controller_in_target_domain | Specifies the fully qualified domain name (FQDN) of the domain controller.
/filter:"(&(objectcategory=computer)(primaryGroupID=516))" /subtree | Filters the output to computer objects whose primary group is Domain Controllers (RID 516), searching the whole domain partition.
/atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack | Displays the object's operating system, operating system version, and operating system service pack.

The following text is sample output from this command:
DN: CN=NA-DC-01,OU=Domain Controllers,DC=company,DC=com
    1> operatingSystem: Windows Server 2008 Standard
    1> operatingSystemVersion: 6.0 (6001)
    1> operatingSystemServicePack: Service Pack 1, v.624

Note
The repadmin /showattr command does not show any hotfixes that might be installed on a domain controller.
Upgrade domain controllers to the appropriate service pack as necessary.
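The following script is an added example, not part of the Microsoft guide, and serves both the test-plan section and the service pack inventory above. It runs the repadmin /showattr command from the procedure (extended with the dNSHostName attribute so that each domain controller can be contacted afterwards), parses the "DN:" and "1> attribute: value" output format shown in the sample, flags domain controllers below the required service pack, and then runs dcdiag /q against each one as the "before you begin" health test. The Windows 2000 SP4 requirement comes from the text; the Windows Server 2003 SP1 baseline and the target DC name are assumptions of this example. It needs PowerShell 2.0 and the Windows Server 2008 support tools.

```powershell
# Added example (not from the Microsoft guide): OS/service pack inventory plus dcdiag baseline.
param([string]$TargetDC = 'NA-DC-01.company.com')   # example FQDN from the sample output

$minimumSP = @{ 'Windows 2000' = 4; 'Windows Server 2003' = 1 }   # 2003 SP1 is an assumption

# Quoted as single tokens: PowerShell would otherwise split the comma-separated list.
$raw = repadmin /showattr $TargetDC ncobj:domain: `
    '/filter:(&(objectcategory=computer)(primaryGroupID=516))' /subtree `
    '/atts:dNSHostName,operatingSystem,operatingSystemVersion,operatingSystemServicePack'

function ConvertFrom-ShowAttr([string[]]$lines) {
    # repadmin prints "DN: <dn>" followed by one "n> attribute: value" line per attribute.
    $objects = @(); $current = $null
    foreach ($line in $lines) {
        if ($line -match '^DN:\s*(.+)$') {
            $current = New-Object PSObject -Property @{
                DN = $matches[1]; dNSHostName = ''; operatingSystem = ''
                operatingSystemVersion = ''; operatingSystemServicePack = '' }
            $objects += $current
        } elseif ($current -and $line -match '^\s*\d+>\s*(\w+):\s*(.*)$') {
            $current.($matches[1]) = $matches[2]
        }
    }
    return ,$objects
}

function Get-ServicePackNumber([string]$text) {
    # "Service Pack 1, v.624" -> 1; an empty attribute means RTM (0).
    if ($text -match 'Service Pack (\d+)') { return [int]$matches[1] }
    return 0
}

$report = foreach ($dc in ConvertFrom-ShowAttr $raw) {
    $sp     = Get-ServicePackNumber $dc.operatingSystemServicePack
    $family = $minimumSP.Keys | Where-Object { $dc.operatingSystem -like "$_*" } | Select-Object -First 1
    $spOK   = (-not $family) -or ($sp -ge $minimumSP[$family])
    # dcdiag /q prints only failures, so empty output means every test passed.
    $errors = dcdiag /s:$($dc.dNSHostName) /q 2>&1
    New-Object PSObject -Property @{
        DC = $dc.dNSHostName; OS = $dc.operatingSystem; Version = $dc.operatingSystemVersion
        SP = $sp; MeetsMinimumSP = $spOK; DcdiagClean = (-not $errors) }
}
$report | Format-Table DC, OS, Version, SP, MeetsMinimumSP, DcdiagClean -AutoSize
```

Any row with MeetsMinimumSP or DcdiagClean set to False needs attention before that domain's upgrade starts; re-run the script after each domain controller is upgraded to keep the baseline current.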

Back Up Domain Data
Back up your domain data before you begin the upgrade. This task varies based on the operations and procedures that already exist in your environment. At a minimum, complete the following steps:
• To allow for fault tolerance, ensure successful replication between two domain controllers in each domain.
• Back up two domain controllers in each domain in the forest, including System State data.
• Test all backup media to ensure that the data can be restored successfully.
Important
Store backup media in a secure offsite location designated by (and accessible to) the upgrade team before you begin the upgrade process.
Note
If you plan to retire or upgrade the first promoted domain controllers of your Windows 2000 or Windows Server 2003 domains, we highly recommend that you export and back up the private key of the Encrypting File System (EFS) recovery agent. EFS is a component of the NTFS file system that enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. You can use EFS to encrypt data files to prevent unauthorized access. For more information, see article 241201 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=114578).
Develop a recovery plan to use if some portion of your domain upgrade process fails. A successful recovery plan includes the following:
• Step-by-step instructions that enable the upgrade team to restore normal operations to the organization.
• An approval process, ensuring that all team members review, agree on, and approve the recovery plan.

Resolve Upgrade and Application Compatibility Problems
For more information about upgrades to Windows Server 2008 and Windows Server 2008 R2, see Known Issues for Upgrades to Windows Server 2008 and Windows Server 2008 R2.
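The following script is an added example, not part of the Microsoft guide: it carries out the first two backup steps above on one Windows Server 2008 domain controller. It refuses to proceed while repadmin /replsummary reports replication failures, takes a System State backup with Windows Server Backup (wbadmin), and lists the versions on the target so that the test-restore step has something concrete to work from. The backup target E: is an example; the commands are the standard wbadmin and servermanagercmd syntax on Windows Server 2008.

```powershell
# Added example (not from the Microsoft guide): replication check + System State backup.
# Run elevated on each of the two domain controllers you back up per domain.
$target = 'E:'   # example backup target; use a dedicated volume, not the AD volumes

# Step 1: replication must be healthy first. repadmin /replsummary rows end with
# "<fails> / <total>  <percent>" per DC, for example "DC01  12m:03s   0 /  5    0".
$summary = repadmin /replsummary 2>&1
$failing = $summary | Where-Object { ($_ -match '\s(\d+)\s*/\s*(\d+)\s+\d+') -and ([int]$matches[1] -gt 0) }
if ($failing) {
    $failing
    throw 'Replication failures reported; fix them before taking the pre-upgrade backup.'
}

# Step 2: System State (AD database, SYSVOL, registry, boot files). Add the feature if missing.
if (-not (Get-Command wbadmin.exe -ErrorAction SilentlyContinue)) {
    servermanagercmd -install Backup-Features
}
wbadmin start systemstatebackup "-backupTarget:$target" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Step 3: record what is on the media; this is the list to test-restore from.
wbadmin get versions "-backupTarget:$target"
```

The throw on replication failure is deliberate: a System State backup taken from a domain controller that is not replicating is the one you least want to restore from later.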

Known issues for upgrading to Windows Server 2003
Before upgrading a server to Windows Server 2003, use the Winnt32.exe command-line tool with the /checkupgradeonly parameter to identify potential upgrade problems such as inadequate hardware resources or compatibility problems. Two application compatibility problems you might need to resolve include the following:
• Distributed File System (DFS) root shares are not supported if they are hosted on a file allocation table (FAT) partition. In Windows Server 2003, DFS root shares must be located on NTFS partitions with no files or directories under the DFS link. For more information about deploying DFS, see Designing and Deploying File Servers (http://go.microsoft.com/fwlink/?LinkID=27928).
• Windows 2000–based computers running Windows Deployment Services might cause errors in a Windows Server 2003 Active Directory domain. When using a Windows 2000–based Windows Deployment Services server in your Windows Server 2003 Active Directory domain, you might receive the following error when using the Client Installation Wizard: "Unable to create or Modify Computer account" Error: 00004E4F. This error occurs because Windows Server 2003 creates machine account objects differently from Windows 2000. To prevent this error from occurring when creating machine accounts, configure the Windows 2000–based Windows Deployment Services servers in your environment to point to a domain controller running Windows 2000. This is done by adding the DefaultServer registry parameter to the Windows 2000–based Windows Deployment Services servers. For more information about configuring optional registry parameters for the Boot Information Negotiation Layer (BINL) service, see article 235979 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=106490).
You must remove the Windows 2000 Administration Tools Pack before upgrading to Windows Server 2003. For more information about Windows 2000 administration tools and upgrade issues, see article 304718 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=106488).
Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To identify potential upgrade and compatibility problems
• At the command line, connect to the I386 directory at your installation source, type the following command, and then press ENTER:

winnt32 /checkupgradeonly

Parameter | Description
winnt32 /checkupgradeonly | Checks your computer for upgrade compatibility with products in the Windows Server 2003 family.

Performing the Upgrade of Active Directory Domains
To upgrade your Active Directory domains, complete the tasks in Checklist: Upgrade Tasks.
In this guide
• Checklist: Upgrade Tasks
• Prepare Your Infrastructure for Upgrade
• Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
• Upgrade Existing Domain Controllers
• Modify Default Security Policies
• Update Group Policy Permissions
• Perform Clean-up Tasks

Checklist: Upgrade Tasks
Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Task | Reference
Prepare your Active Directory infrastructure for upgrade. | Prepare Your Infrastructure for Upgrade
Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 in the forest root domain. | Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
Upgrade existing domain controllers. | Upgrade Existing Domain Controllers
Modify default security policies as needed. | Modify Default Security Policies
Update Group Policy permissions. | Update Group Policy Permissions
Perform clean-up tasks. | Perform Clean-up Tasks

Prepare Your Infrastructure for Upgrade
Preparing your Active Directory infrastructure for upgrade includes the following tasks:
• Prepare the forest schema by running adprep /forestprep.
• Prepare each domain where you want to install a domain controller that runs Windows Server 2008 or Windows Server 2008 R2 by running adprep /domainprep /gpprep.
Note
This step is required only if you are upgrading Windows 2000 Active Directory domains.
• Prepare the forest for read-only domain controllers (RODCs), if you plan to install them, by running adprep /rodcprep.
Important
Review the list of operations that Adprep.exe performs in Windows Server 2008, and test the schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment. There should not be any conflicts if your applications use RFC-compliant object and attribute definitions. For a list of specific operations that are performed when you update the Active Directory schema, see Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS and Windows Server 2008 R2: Appendix of Changes to Adprep.exe to Support AD DS.
For more information about running Adprep.exe, see Run Adprep commands.
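Adprep writes a version marker for each of the three steps above, and the first Windows Server 2008 or 2008 R2 domain controller cannot be promoted until those markers have replicated to the domain controller it installs from. The following script is an added example, not part of the Microsoft guide: it reads those markers (the schema objectVersion and the revision attribute of the ActiveDirectoryUpdate and ActiveDirectoryRodcUpdate objects) and reports whether each step is complete for Windows Server 2008 (schema 44, forest revision 2, domain revision 3, RODC revision 2) or Windows Server 2008 R2 (schema 47, forest and domain revision 5). Those expected values are Microsoft's documented ones for the two releases; the naming contexts are read from RootDSE, so nothing else is assumed.

```powershell
# Added example (not from the Microsoft guide): verify that adprep /forestprep,
# /domainprep and /rodcprep have completed and replicated to this domain controller.
# Run on any domain-joined computer with PowerShell 2.0 and read access to the directory.
$rootDSE  = [ADSI]'LDAP://RootDSE'
$schemaNC = $rootDSE.Get('schemaNamingContext')          # CN=Schema,CN=Configuration,DC=...
$configNC = $rootDSE.Get('configurationNamingContext')
$domainNC = $rootDSE.Get('defaultNamingContext')

function Get-MarkerValue([string]$dn, [string]$attribute) {
    try   { return [int]([ADSI]"LDAP://$dn").Get($attribute) }
    catch { return -1 }   # object or attribute not there yet: that adprep step has not run
}

$markers = @(
    @{ Step = 'adprep /forestprep (schema)'; DN = $schemaNC; Attr = 'objectVersion'; W2008 = 44; R2 = 47 },
    @{ Step = 'adprep /forestprep';          DN = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC"; Attr = 'revision'; W2008 = 2; R2 = 5 },
    @{ Step = 'adprep /domainprep';          DN = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC"; Attr = 'revision'; W2008 = 3; R2 = 5 },
    @{ Step = 'adprep /rodcprep';            DN = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC"; Attr = 'revision'; W2008 = 2; R2 = 2 }
)
foreach ($m in $markers) {
    $v = Get-MarkerValue $m.DN $m.Attr
    $state = 'NOT prepared'
    if     ($v -ge $m.R2)    { $state = 'ready for Windows Server 2008 R2' }
    elseif ($v -ge $m.W2008) { $state = 'ready for Windows Server 2008 (not R2)' }
    '{0,-30} {1,-13} = {2,3}   {3}' -f $m.Step, $m.Attr, $v, $state
}
# For reference, the commands that set these markers (run from the new media):
#   adprep /forestprep            on the schema master
#   adprep /domainprep /gpprep    on the infrastructure master of each domain
#   adprep /rodcprep              from any domain controller
```

Run the check against the domain controller you intend to use as the replication source for the first new domain controller; a -1 or a stale value there means the adprep change has not replicated yet, not that it failed.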

Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2
Install Active Directory Domain Services (AD DS) on a member server that runs Windows Server 2008 or Windows Server 2008 R2 by using the Active Directory Domain Services Installation Wizard (Dcpromo.exe). After you install AD DS successfully, the member server will become a domain controller. You can install AD DS on any member server that meets the domain controller hardware requirements. The member server should be located in the forest root domain.
You can install AD DS using the Windows user interface (UI). The Windows UI provides two wizards that guide you through the installation process for AD DS. One wizard is the Add Roles Wizard, which you can access in Server Manager. The other wizard is the Active Directory Domain Services Installation Wizard (Dcpromo.exe), which you can access in either of the following ways:
• When you complete the steps in the Add Roles Wizard, click the link to start the Active Directory Domain Services Installation Wizard.
• Click Start, click Run, type dcpromo.exe, and then click OK.
Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Depending on the operating system installation options that you selected for the computer, the local Administrator password might be blank or it might not be required. In this case, run the following command at a command prompt before you start to install AD DS:
net user Administrator password /passwordreq:yes
Replace password with a strong password.
To install AD DS on a member server by using the Windows interface
1. Click Start, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. If necessary, review the information on the Before You Begin page, and then click Next.
4. On the Select Server Roles page, select the Active Directory Domain Services check box, and then click Next.
5. If necessary, review the information on the Active Directory Domain Services page, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).

8. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next. If you want to install from media, identify the source domain controller for AD DS replication, or specify the Password Replication Policy (PRP) for an RODC as part of the installation of the additional domain controller, click Use advanced mode installation.
9. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.
10. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.
11. On the Network Credentials page, type the name of any existing domain in the forest where you plan to install the additional domain controller. Under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.
12. On the Select a Domain page, select the domain of the new domain controller, and then click Next.
13. On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next.
14. On the Additional Domain Controller Options page, make the following selections, and then click Next:
• DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this option.
Note
If you select the option to install DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes and disregard the message.
• Global Catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality.
• Read-only domain controller: This option is not selected by default. It makes the additional domain controller read only.
15. If you selected Use advanced mode installation on the Welcome page, the Install from Media page appears. You can provide the location of installation media to be used

to create the domain controller and configure AD DS, or you can have all the replication done over the network. Note that some data will be replicated over the network even if you install from media. For information about using this method to install the domain controller, see Installing AD DS From Media.
16. If you selected Use advanced mode installation on the Welcome page, the Source Domain Controller page appears. Click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify a domain controller that you want to provide as a source for replication to create the new domain controller, and then click Next. If you do not choose to install from media, all data will be replicated from this source domain controller.
17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the system volume (SYSVOL) files, and then click Next. Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files.
18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Service Restore Mode (DSRM) for tasks that must be performed offline.
19. On the Summary page, review your selections. Click Back to change any selections, if necessary. To save the settings that you have selected to an answer file that you can use to automate subsequent Active Directory operations, click Export settings. Type the name for your answer file, and then click Save. When you are sure that your selections are accurate, click Next to install AD DS.
20. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
21. You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS installation when you are prompted to do so.
For information about installing AD DS by using a command line or an answer file, see Installing an Additional Domain Controller.

Upgrade Existing Domain Controllers
When you upgrade the operating system on domain controllers, the computer immediately assumes the role of domain controller after the final restart of the computer. It is not necessary to install Active Directory Domain Services (AD DS) by using the Active Directory Domain Services Installation Wizard (Dcpromo.exe).
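Before moving on to in-place upgrades, here is the command-line counterpart of the wizard procedure above (steps 8 to 21), which the text refers to as installing with an answer file. It is an added example, not part of the Microsoft guide: it writes a dcpromo answer file for an additional domain controller in an existing domain, using the documented Windows Server 2008 dcpromo [DCInstall] keys that correspond to the wizard pages (deployment configuration, credentials, site, DNS and global catalog options, replication source, database/log/SYSVOL paths, DSRM password), runs dcpromo against it, and removes the file afterwards. The domain, site, source DC and paths are example values. The file has to contain the installing account's password and the DSRM password in clear text, which is why the script prompts for them, restricts the file's ACL, and deletes it whether or not dcpromo succeeds.

```powershell
# Added example (not from the Microsoft guide): unattended additional domain controller.
# Run elevated on the Windows Server 2008 member server that is to become the DC.
$domain   = 'corp.contoso.com'              # example domain
$siteName = 'Default-First-Site-Name'       # example site
$sourceDC = 'dc01.corp.contoso.com'         # example replication source
$answer   = Join-Path $env:TEMP 'dcpromo-replica.txt'

function ConvertFrom-Secure([Security.SecureString]$s) {
    $p = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($p) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p) }
}
$adminPwd = ConvertFrom-Secure (Read-Host "Password for $domain\Administrator" -AsSecureString)
$dsrmPwd  = ConvertFrom-Secure (Read-Host 'Directory Services Restore Mode password' -AsSecureString)

# RebootOnCompletion=No so that the cleanup below runs before the restart.
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$domain
SiteName=$siteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
ReplicationSourceDC=$sourceDC
UserDomain=$domain
UserName=Administrator
Password=$adminPwd
DatabasePath="D:\NTDS"
LogPath="E:\NTDS"
SYSVOLPath="F:\SYSVOL"
SafeModeAdminPassword=$dsrmPwd
RebootOnCompletion=No
"@ | Out-File -FilePath $answer -Encoding ASCII

# Only the installing administrator can read the file while it exists.
icacls $answer /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null

try {
    dcpromo /unattend:$answer
    "dcpromo exit code: $LASTEXITCODE (check %SystemRoot%\Debug\dcpromo.log, then restart the server)"
} finally {
    Remove-Item $answer -Force -ErrorAction SilentlyContinue
}
```

The wizard's Export settings button produces the same kind of file without the two password lines; if you start from an exported file, add them the same way and treat the result as a credential, not as a configuration file.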

Important
If you want to upgrade the operating system of a Windows 2000 domain controller to Windows Server 2008, you must first perform an in-place upgrade of a Windows 2000 operating system to a Windows Server 2003 operating system. Then, perform an in-place upgrade of this Windows Server 2003 operating system to a Windows Server 2008 operating system. A direct Windows 2000–to–Windows Server 2008 operating system upgrade is not supported.
Important
The information in this guide also applies to Windows Server 2008 R2. If you want to perform an in-place upgrade of the existing domain controllers running Windows Server 2003 in the forest to Windows Server 2008 R2, remember that Windows Server 2008 R2 is an x64-based operating system. If your server is running an x86-based version of Windows Server 2003, you cannot upgrade this computer to Windows Server 2008 R2. If your server is running an x64-based version of Windows Server 2003, you can successfully perform an in-place upgrade of this computer's operating system to Windows Server 2008 R2.
To initiate the installation of the Windows Server 2003 operating system on a Windows 2000–based domain controller, insert the Windows Server 2003 operating system CD on the domain controller. Or, if the Windows Server 2003 media are shared over the network, run the Winnt32.exe command-line tool.
To initiate the installation of the Windows Server 2008 or Windows Server 2008 R2 operating system on a Windows Server 2003–based domain controller, insert the operating system DVD on the domain controller. Or, if the operating system installation media are shared over the network, run the Setup.exe command-line tool.
You can also perform an unattended installation of Windows Server 2003. Instructions for creating an answer file for an Active Directory installation are located in the Deploy.cab file in the Support\Tools folder on the Windows Server 2003 operating system CD. Inside the Deploy.cab file, open Ref.chm to access the Unattend.txt file. Expand Unattend.txt in the left pane, and then click DCInstall.
Unattended upgrade
You can also perform an unattended upgrade by using an answer file. For more information about how to create a new answer file, see "Step 2: Building an Answer File" in the Windows Vista Deployment Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=66066). Here is a sample of an answer file that can be used to perform an unattended upgrade to Windows Server 2008:
<?xml version='1.0' encoding='utf-8'?>
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="specialize" wasPassProcessed="true">

    <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
      <ComputerName>Machine Name</ComputerName>
    </component>
  </settings>
  <settings pass="windowsPE" wasPassProcessed="true">
    <component name="Microsoft-Windows-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
      <UserData>
        <ProductKey>Product-Key</ProductKey>
        <AcceptEula>True</AcceptEula>
        <FullName>User Name</FullName>
        <Organization>Organization Name</Organization>
      </UserData>
      <ImageInstall>
        <OSImage>
          <WillShowUI>Never</WillShowUI>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
          <InstallFrom>
            <MetaData>
              <Key>Image/Name</Key>
              <Value>W2K8S</Value>
            </MetaData>
          </InstallFrom>
        </OSImage>
      </ImageInstall>
      <DiskConfiguration>
        <WillShowUI>Never</WillShowUI>
        <Disk>
          <DiskID>0</DiskID>
          <WillWipeDisk>False</WillWipeDisk>
          <ModifyPartitions>

            <ModifyPartition>
              <Order>1</Order>
              <PartitionID>1</PartitionID>
              <Letter>C</Letter>
              <Active>True</Active>
            </ModifyPartition>
          </ModifyPartitions>
        </Disk>
      </DiskConfiguration>
      <UpgradeData>
        <Upgrade>True</Upgrade>
      </UpgradeData>
      <Diagnostics>
        <OptIn>True</OptIn>
      </Diagnostics>
    </component>
    <component name="Microsoft-Windows-International-Core-WinPE" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
      <UILanguage>EN-US</UILanguage>
    </component>
  </settings>
  <settings pass="oobeSystem" wasPassProcessed="true">
    <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
      <UserAccounts>
        <DomainAccounts>
          <DomainAccountList>
            <Domain>Domain Name</Domain>
            <DomainAccount>
              <Name>Administrator</Name>
              <Group>Administrators</Group>
            </DomainAccount>
          </DomainAccountList>
        </DomainAccounts>

      </UserAccounts>
      <AutoLogon>
        <Enabled>True</Enabled>
        <Domain>Domain Name</Domain>
        <Username>User Name</Username>
        <Password>User Password</Password>
        <LogonCount>9999</LogonCount>
      </AutoLogon>
      <FirstLogonCommands>
        <SynchronousCommand>
          <Order>1</Order>
          <CommandLine>Command To Execute</CommandLine>
          <Description>"RunOnceItem0"</Description>
        </SynchronousCommand>
        <SynchronousCommand>
          <Order>2</Order>
          <CommandLine>Command To Execute</CommandLine>
          <Description>"Post Install Command Execute"</Description>
        </SynchronousCommand>
      </FirstLogonCommands>
      <OOBE>
        <SkipMachineOOBE>True</SkipMachineOOBE>
        <SkipUserOOBE>True</SkipUserOOBE>
      </OOBE>
    </component>
  </settings>
</unattend>
Note
The AutoLogon section stores the account password in clear text in the answer file (the product key is stored the same way), and a LogonCount of 9999 keeps the automatic logon active well past the upgrade. Use an account created for the upgrade, keep the answer file on media that only the upgrade team can read, and delete it and disable the automatic logon as soon as the post-upgrade commands have run.
After you create the answer file, use the following procedure to perform an unattended upgrade of a Windows Server 2003–based domain controller.
Membership in the local Administrator account, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Depending on the operating system installation options that you selected for the computer, the local Administrator password might be blank or it might not be required. In this case, run the following command at a command prompt before you start the upgrade:
net user Administrator password /passwordreq:yes

Replace password with a strong password.

To perform an in-place domain controller upgrade by using an answer file
1. At the command prompt, type the following:
setup.exe /unattend:"path to the answer file"
2. Press ENTER.
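As an added example (not code from the guide), the following PowerShell inspects an answer file built like the one above: it confirms the upgrade flag in the windowsPE pass, lists the first-logon commands in the order they will run, and flags the AutoLogon credential that the file stores in clear text, then strips that block once the upgrade has run so the file can be archived. The XML it parses is a constructed sample; the contoso domain, the placeholder password and the echo commands are assumptions.

```powershell
# Added example, not part of the Microsoft guide: inspect an unattend answer file before
# and after an unattended domain controller upgrade.
$ns = @{ u = 'urn:schemas-microsoft-com:unattend' }   # namespace every unattend file declares

function Get-UnattendSummary {
    param([Parameter(Mandatory)][xml]$Unattend)

    $upgrade = Select-Xml -Xml $Unattend -Namespace $ns `
        -XPath '//u:settings[@pass="windowsPE"]//u:UpgradeData/u:Upgrade'
    $logon = Select-Xml -Xml $Unattend -Namespace $ns `
        -XPath '//u:settings[@pass="oobeSystem"]//u:AutoLogon'
    # FirstLogonCommands run in <Order> sequence, not document order.
    $commands = Select-Xml -Xml $Unattend -Namespace $ns `
        -XPath '//u:FirstLogonCommands/u:SynchronousCommand' |
        ForEach-Object { $_.Node } | Sort-Object { [int]$_.Order } |
        ForEach-Object { '{0}: {1}' -f $_.Order, $_.CommandLine }

    $enabled = $false; $account = $null; $count = 0; $pw = $null
    if ($logon) {
        $n = $logon.Node
        $enabled = ($n.Enabled -eq 'True')
        $account = '{0}\{1}' -f $n.Domain, $n.Username
        $count   = [int]$n.LogonCount
        $pw      = $n.Password              # stored in clear text in this file format
    }
    [pscustomobject]@{
        RequestsUpgrade    = [bool]($upgrade -and $upgrade.Node.InnerText -eq 'True')
        AutoLogonEnabled   = $enabled
        AutoLogonAccount   = $account
        AutoLogonCount     = $count
        PasswordInFile     = -not [string]::IsNullOrEmpty($pw)
        FirstLogonCommands = @($commands)
    }
}

function Remove-UnattendAutoLogon {
    # Removes the AutoLogon block (and with it the clear-text password) once the upgrade
    # and its first-logon commands have completed. Modifies the document in place.
    param([Parameter(Mandatory)][xml]$Unattend)
    foreach ($hit in Select-Xml -Xml $Unattend -Namespace $ns -XPath '//u:AutoLogon') {
        [void]$hit.Node.ParentNode.RemoveChild($hit.Node)
    }
    return $Unattend
}

# Constructed sample, reduced to the elements this section discusses (values are assumptions).
[xml]$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <UpgradeData><Upgrade>True</Upgrade></UpgradeData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Enabled>True</Enabled>
        <Domain>contoso</Domain>
        <Username>Administrator</Username>
        <Password>PLACEHOLDER-PASSWORD</Password>
        <LogonCount>9999</LogonCount>
      </AutoLogon>
      <FirstLogonCommands>
        <SynchronousCommand><Order>2</Order><CommandLine>cmd /c echo post-install</CommandLine></SynchronousCommand>
        <SynchronousCommand><Order>1</Order><CommandLine>cmd /c echo first</CommandLine></SynchronousCommand>
      </FirstLogonCommands>
    </component>
  </settings>
</unattend>
'@

$summary = Get-UnattendSummary -Unattend $sample
$summary | Format-List
if ($summary.PasswordInFile -and $summary.AutoLogonCount -gt 1) {
    Write-Warning ('AutoLogon for {0} is stored in clear text with LogonCount {1}; remove it after the upgrade.' -f `
        $summary.AutoLogonAccount, $summary.AutoLogonCount)
}
$clean = Remove-UnattendAutoLogon -Unattend $sample
(Get-UnattendSummary -Unattend $clean).PasswordInFile   # False once the AutoLogon block is gone
```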

Modify Default Security Policies
To increase security, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require (by default) that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing. If your production environment includes client computers that run platforms that do not support SMB packet signing (for example, Microsoft Windows NT® 4.0 with Service Pack 2 (SP2)) or if it includes client computers that run platforms that do not support secure channel signing (for example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify default security policies to ensure that client computers running older versions of the Windows operating system or non-Microsoft operating systems will be able to access domain resources in the upgraded domain.

Note
By modifying the settings of the default security policies, you are weakening the default security policies in your environment. Therefore, we recommend that you upgrade your Windows–based client computers as soon as possible. After all client computers in your environment are running versions of Windows that support SMB packet signing and secure channel signing, you can re-enable default security policies to increase security.

To configure a domain controller to not require SMB packet signing or secure channel signing, disable the following settings in the Default Domain Controllers Policy:
• Microsoft network server: Digitally sign communications (always)
• Domain member: Digitally encrypt or sign secure channel data (always)
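Before relaxing either setting, record the current effective values on the domain controller so that you can confirm the re-hardening later. The following PowerShell is an added example, not code from the guide: it reads the registry values that these two policies, and the Net Logon setting Allow cryptography algorithms compatible with Windows NT 4.0 described in this section, write on the local computer, and reports whether each is hardened or relaxed without changing anything. Run it in an elevated session on the domain controller.

```powershell
# Added example, not part of the Microsoft guide: audit the effective values behind the
# Default Domain Controllers Policy settings discussed in this section.

# Policy name -> registry location the policy writes to, value name, and the hardened value.
$script:SigningSettings = @(
    @{ Policy   = 'Microsoft network server: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name     = 'RequireSecuritySignature'
       Hardened = 1 },
    @{ Policy   = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name     = 'RequireSignOrSeal'
       Hardened = 1 },
    @{ Policy   = 'Allow cryptography algorithms compatible with Windows NT 4.0'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name     = 'AllowNT4Crypto'
       Hardened = 0 }
)

function Get-DcSigningPosture {
    # Returns one object per setting with its current value and posture. A value that is absent
    # from the registry is reported as 'not set', meaning the operating system default applies;
    # on a Windows Server 2008 domain controller that default is the hardened behaviour.
    foreach ($s in $script:SigningSettings) {
        $item  = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.($s.Name) } else { $null }
        $posture = if ($null -eq $value)          { 'not set (default)' }
                   elseif ($value -eq $s.Hardened) { 'hardened' }
                   else                            { 'RELAXED' }
        [pscustomobject]@{
            Policy  = $s.Policy
            Value   = $value
            Posture = $posture
        }
    }
}

function Test-DcSigningHardened {
    # True only when no setting is explicitly relaxed. Use it after the clients are upgraded
    # and the policies are re-enabled to confirm that gpupdate actually applied them.
    $relaxed = @(Get-DcSigningPosture | Where-Object { $_.Posture -eq 'RELAXED' })
    return ($relaxed.Count -eq 0)
}

Get-DcSigningPosture | Format-Table -AutoSize
if (-not (Test-DcSigningHardened)) {
    Write-Warning 'At least one signing or NT 4.0 cryptography setting is relaxed on this domain controller.'
}
```

Run the same script after `gpupdate /force` on each domain controller; the Default Domain Controllers Policy replicates to all of them, so every one should report the same posture.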

Back up the Default Domain Controllers Policy Group Policy object (GPO) before you modify it. Use the Group Policy Management Console (GPMC) to back up the GPO so that it can be restored, if necessary. Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


To disable SMB packet signing enforcement on domain controllers
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains\Current Domain Name\Group Policy objects\Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always).
5. Verify that the Define this policy setting check box is selected, click Disabled to prevent SMB packet signing from being required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force

Note
Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To disable secure channel signing enforcement on domain controllers
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
4. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), click Disabled to prevent secure channel signing from being required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:


gpupdate /force

Note
Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that you make here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.

For more information about SMB packet signing and secure channel signing, see Appendix A: Background Information for Upgrading Active Directory Domains.

By default, domain controllers that run Windows Server 2008 and Windows Server 2008 R2 also prohibit clients running non-Microsoft operating systems or Windows NT 4.0 operating systems from establishing secure channels using weak Windows NT 4.0 style cryptography algorithms. Any secure channel dependent operation that is initiated by clients running older versions of the Windows operating system or non-Microsoft operating systems that do not support strong cryptographic algorithms will fail against a Windows Server 2008-based domain controller. Until you are able to upgrade all of the clients in your infrastructure, you can temporarily relax this requirement by modifying the following default domain policy setting on your domain controllers:
• Allow cryptography algorithms compatible with Windows NT 4.0

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To allow cryptography algorithms that are compatible with Windows NT 4.0
1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.
2. In the console tree, right-click Default Domain Controllers Policy in Domains/Current Domain Name/Group Policy objects/Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine/System/Net Logon.
4. In the details pane, double-click Allow cryptography algorithms compatible with Windows NT 4.0, and then click Enabled.
Note
By default, the Not Configured option is selected, but, programmatically, after you upgrade a server to Windows Server 2008 domain controller status, this policy is set to Disabled.
To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:
gpupdate /force


Note
Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that are made here will be replicated to all other domain controllers in the domain. Therefore, you only have to modify these policies one time to affect the Default Domain Controllers Policy on all domain controllers.

For more information, see Effects of netlogon cryptographic support changes in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=106342).

For more information about additional security policy changes in Windows 7 and Windows Server 2008 R2, see Secure default settings in Windows Server 2008 and Windows Server 2008 R2.

Update Group Policy Permissions
Note
The procedure in this topic is required only if you are upgrading Windows 2000 Active Directory domains.

Group Policy Modeling is a feature of the Group Policy Management Console (GPMC) that simulates the resultant set of policy for a particular configuration. The simulation is performed by a service that runs on domain controllers. To perform the simulation across domains, the service must have read access to all Group Policy objects (GPOs) in the forest. If you are upgrading Windows Server 2003 Active Directory domains or creating a new domain with domain controllers that run Windows Server 2008 or Windows Server 2008 R2, the Enterprise Domain Controllers group will automatically have read access to all newly created GPOs and all GPOs that were created before the upgrade. However, if the domain was upgraded from Windows 2000, the Enterprise Domain Controllers group will not have read access to any existing GPOs that were created before the upgrade. The GPMC detects this when you click a GPO, and then it notifies the user that the Enterprise Domain Controllers group does not have read access to all GPOs in this domain. To solve this problem, use the sample script named GrantPermissionOnAllGPOs.wsf that is provided with the GPMC. This script will update the permissions on all GPOs in the domain.

To download GPMC sample scripts (including GrantPermissionOnAllGPOs.wsf), see Group Policy Management Console Sample Scripts (http://go.microsoft.com/fwlink/?LinkId=106380). After the download is complete, the %programfiles%\Microsoft Group Policy\GPMC Sample Scripts folder will be created.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To update permissions on all GPOs in a domain
1. At a command prompt, type the following, and then press ENTER:

cd /d %programfiles%\Microsoft Group Policy\GPMC Sample Scripts
2. Type the following, and then press ENTER:
Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /permission:read /domain:DNSDomainName /Replace
Using the Replace switch removes existing permissions for the group or user before making the change. If a group or user is already granted a permission type that is higher than the new permission type, and you do not specify Replace, no change is made.

Perform Clean-up Tasks
After upgrading your Active Directory infrastructure to Active Directory Domain Services (AD DS), perform the following clean-up operations:
• After the security descriptor propagator has finished building the single-instance store, perform an offline defragmentation of the database on each upgraded domain controller. This reduces the size of AD DS on the file system by up to 40 percent, reduces the memory footprint, and updates pages in the database to the new format. For more information, see Compact the directory database file (offline defragmentation) (http://go.microsoft.com/fwlink/?LinkID=106343).
Note
This task is relevant only when you are performing an in-place upgrade from Windows 2000 to Windows Server 2003. If you are upgrading a Windows 2000 domain controller to Windows Server 2008 (which requires an in-place upgrade from Windows 2000 to Windows Server 2003, followed by an in-place upgrade from Windows Server 2003 to Windows Server 2008), we recommend that you perform this task after your domain controller is upgraded to Windows Server 2003.
• Create a new System State backup for at least two domain controllers in your environment. Be sure to label all backup tapes with the operating system version that the domain controller is running, including service packs and hotfixes. For more information about backing up AD DS, see the AD DS Backup and Recovery Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=93077).

Completing the Upgrade of Active Directory Domains
To complete the upgrade of your Active Directory domains, perform the tasks in Checklist: Post-Upgrade Tasks.
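To check the outcome of the Update Group Policy Permissions procedure above (or, before running GrantPermissionOnAllGPOs.wsf, to see which GPOs it would change), the following PowerShell is an added example that is not part of the guide or of the GPMC sample scripts. It assumes the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and a session running as a member of Domain Admins; the domain defaults to the one the session is logged on to, where the guide uses the placeholder DNSDomainName.

```powershell
# Added example, not part of the Microsoft guide: list the GPOs in a domain on which the
# Enterprise Domain Controllers group lacks read access, and optionally grant it.
Import-Module GroupPolicy

function Get-GpoMissingEdcRead {
    param([string]$Domain = $env:USERDNSDOMAIN)   # the guide's DNSDomainName placeholder

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Get-GPPermission raises an error when the trustee has no entry at all on the GPO;
        # that is exactly the Windows 2000 upgrade condition the guide describes.
        $perm = $null
        try {
            $perm = Get-GPPermission -Guid $gpo.Id -DomainName $Domain `
                        -TargetName 'Enterprise Domain Controllers' -TargetType Group -ErrorAction Stop
        } catch { }
        # Any level at or above read (GpoRead, GpoApply, GpoEdit, ...) satisfies the modeling
        # service; only a missing entry or an explicit 'None' is a problem.
        $level = if ($perm) { [string]$perm.Permission } else { 'None' }
        if ($level -eq 'None') {
            [pscustomobject]@{ DisplayName = $gpo.DisplayName; Id = $gpo.Id; Permission = $level }
        }
    }
}

function Repair-GpoEdcRead {
    # Same effect as the guide's script with /permission:read but without /Replace: grants read
    # only where it is missing and leaves higher existing permissions untouched.
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($missing in Get-GpoMissingEdcRead -Domain $Domain) {
        Set-GPPermission -Guid $missing.Id -DomainName $Domain -TargetName 'Enterprise Domain Controllers' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        Write-Verbose ('Granted read on {0}' -f $missing.DisplayName) -Verbose
    }
}

$missing = @(Get-GpoMissingEdcRead)
if ($missing.Count -eq 0) {
    'Enterprise Domain Controllers can read every GPO in the domain.'
} else {
    $missing | Format-Table DisplayName, Id -AutoSize
    # Uncomment to remediate: Repair-GpoEdcRead
}
```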

In this guide
• Checklist: Post-Upgrade Tasks
• Raise the Functional Levels of Domains and Forests
• Move DNS Data into DNS Application Directory Partitions
• Redirect Users and Computers
• Complete the Upgrade

Checklist: Post-Upgrade Tasks
Complete the tasks in this checklist in the order in which they are presented.

Checklist: Post-Upgrade Tasks
Task | Reference
Raise the functional levels of domains and forests to enable all advanced features of Active Directory Domain Services (AD DS). | Raise the Functional Levels of Domains and Forests
Move Domain Name System (DNS) zones into DNS application directory partitions. Note: This step is optional. If you are upgrading Windows Server 2003 Active Directory domains, your DNS zones have already been stored in the DNS application directory partitions. However, if you are upgrading Windows 2000 Active Directory domains, you might choose to move your DNS zones into the newly created DNS application directory partitions. | Move DNS Data into DNS Application Directory Partitions
Redirect users and computers to organizational units (OUs). Note: The procedures described in this section are required only if you are upgrading Windows 2000 Active Directory domains. A Windows Server 2003 Active Directory domain OU structure will remain the same after the upgrade is complete. | Redirect Users and Computers
Complete the upgrade. | Complete the Upgrade

Raise the Functional Levels of Domains and Forests
To enable all Windows Server 2008 advanced features in Active Directory Domain Services (AD DS), raise the functional level of your forest to Windows Server 2008. This will automatically raise the functional level of all domains to Windows Server 2008. To enable all Windows Server 2008 R2 advanced AD DS features, raise the functional level of your forest to Windows Server 2008 R2. This will automatically raise the functional level of all domains to Windows Server 2008 R2.

Important
After you set the forest functional level to a certain value, you cannot roll back or lower the forest functional level, with one exception: when you raise the forest functional level to Windows Server 2008 R2 and if Active Directory Recycle Bin is not enabled, you have the option of rolling the forest functional level back to Windows Server 2008. You can lower the forest functional level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003. For more information about the Active Directory Recycle Bin, see Active Directory Recycle Bin Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=133971).

Caution
Do not raise the forest functional level to Windows Server 2008 R2 if you have or will have any domain controllers running Windows Server 2008 or earlier.

Use the following procedure to raise the forest functional level to Windows Server 2008.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To raise the forest functional level
1. Open the Active Directory Domains and Trusts snap-in. Click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
2. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
3. In Select an available forest functional level, do one of the following:
• To raise the forest functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.
• To raise the forest functional level to Windows Server 2008, click Windows Server 2008, and then click Raise.
• To raise the forest functional level to Windows Server 2008 R2, click Windows Server 2008 R2, and then click Raise.

For more information about Windows Server 2008 advanced AD DS features, see Enabling Advanced Features for AD DS.

Move DNS Data into DNS Application Directory Partitions
Note
The procedures in this topic are optional. If you are upgrading Windows Server 2003 Active Directory domains, your Domain Name System (DNS) zones have already been stored in the DNS application directory partitions. However, if you are upgrading Windows 2000 Active Directory domains, you might choose to move your DNS zones into the newly created DNS application directory partitions.

To reduce replication traffic and the amount of data stored in the global catalog, you can use application directory partitions for Active Directory–integrated DNS zones. After completing the upgrade of all Windows 2000–based domain controllers in the forest, move the Active Directory–integrated DNS data on all DNS servers from the domain partition into the newly created DNS application directory partitions. You can do this by changing the replication scope of the DNS zones. Move the DNS zones that you want to replicate to all DNS servers in the forest to the forest-wide DNS application directory partition, ForestDnsZones. For each domain in the forest, move the DNS zones that you want to replicate to all DNS servers in the domain to the domain-wide DNS application directory partition, DomainDnsZones.

Important
Before you attempt to move DNS data to an application directory partition, make sure that the domain naming operations master is hosted on a domain controller that runs at least Windows Server 2003. For more information, see Appendix A: Background Information for Upgrading Active Directory Domains.

Note
For more information about DNS and application directory partitions, see Deploying Domain Name System (DNS) (http://go.microsoft.com/fwlink/?LinkId=93656).

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the replication scope of the domain-wide DNS zone by using a DNS application directory partition
1. On a domain controller that hosts a DNS server in a particular domain, click Start, click Administrative Tools, and then click DNS to open the DNS Manager.
2. Right-click the DNS zone that uses the fully qualified domain name (FQDN) of the Active Directory domain, and then click Properties.
3. Click the Change button next to Replication: All DNS servers in this domain.
4. Click To all DNS servers in this domain:<domain_name>, and then click OK.

If the _msdcs.forest_root_domain zone is not present as a separate zone on your DNS server, you do not need to perform the following procedure, because the DNS data that is stored in _msdcs.forest_root_domain is moved with the forest root domain zone to the domain-wide application directory partition, DomainDnsZones.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the replication scope of the _msdcs.forest_root_domain DNS zone by using a DNS application directory partition
1. On a domain controller that hosts a DNS server in the forest root domain, click Start, click Administrative Tools, and then click DNS to open DNS Manager.
2. Right-click the _msdcs.<forest_root_domain> DNS zone, and then click Properties.
3. Click the Change button next to Replication: All DNS servers in this forest.
4. Click To all DNS servers in this forest:<forest_name>, and then click OK.
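To confirm where each zone ended up after the two procedures above, the following PowerShell is an added example, not code from the guide: it reads the dnsZone objects from the three containers that can hold Active Directory–integrated zones and flags any zone still in the domain partition (the Windows 2000 location), as well as an _msdcs.<forest_root_domain> zone that is not yet in ForestDnsZones. It uses LDAP only, so it runs on a Windows Server 2003 or later domain controller without the later DNS Server cmdlets; it assumes a session with domain administrator rights and the standard container names CN=MicrosoftDNS under CN=System, DomainDnsZones and ForestDnsZones.

```powershell
# Added example, not part of the Microsoft guide: map every AD-integrated DNS zone of this
# domain to the partition that stores it.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestRootFqdn {
    $root = [ADSI]'LDAP://RootDSE'
    # "DC=contoso,DC=com" -> "contoso.com"
    return ([string]$root.rootDomainNamingContext) -replace '^DC=', '' -replace ',DC=', '.'
}

function Get-DnsZonePartitionMap {
    $root     = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$root.defaultNamingContext
    $forestNc = [string]$root.rootDomainNamingContext

    # The three containers that can hold dnsZone objects.
    $locations = @(
        @{ Partition = 'Domain partition (legacy)'; Dn = "CN=MicrosoftDNS,CN=System,$domainNc" },
        @{ Partition = 'DomainDnsZones';            Dn = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNc" },
        @{ Partition = 'ForestDnsZones';            Dn = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNc" }
    )

    foreach ($loc in $locations) {
        $container = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($loc.Dn)")
        try { [void]$container.NativeObject } catch { continue }   # container absent: partition not created yet
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
        $searcher.Filter      = '(objectClass=dnsZone)'
        $searcher.SearchScope = 'OneLevel'
        [void]$searcher.PropertiesToLoad.Add('dc')   # the dc attribute of a dnsZone object is the zone name
        foreach ($result in $searcher.FindAll()) {
            $zone = [string]$result.Properties['dc'][0]
            if ($zone -eq 'RootDNSServers') { continue }   # root hints pseudo-zone, not a real zone
            [pscustomobject]@{ Zone = $zone; Partition = $loc.Partition }
        }
    }
}

function Test-ForestMsdcsZoneScope {
    # The guide recommends that _msdcs.<forest_root_domain> live in ForestDnsZones once every
    # domain controller has been upgraded; returns $true when a separate zone of that name does.
    param([object[]]$ZoneMap = @(), [string]$ForestRootFqdn = (Get-ForestRootFqdn))
    $msdcs = $ZoneMap | Where-Object { $_.Zone -eq "_msdcs.$ForestRootFqdn" } | Select-Object -First 1
    return [bool]($msdcs -and $msdcs.Partition -eq 'ForestDnsZones')
}

$map = @(Get-DnsZonePartitionMap)
$map | Sort-Object Partition, Zone | Format-Table Zone, Partition -AutoSize

$legacy = @($map | Where-Object { $_.Partition -like 'Domain partition*' })
if ($legacy.Count -gt 0) {
    Write-Warning ('{0} zone(s) still replicate through the domain partition and the global catalog.' -f $legacy.Count)
}
if (-not (Test-ForestMsdcsZoneScope -ZoneMap $map)) {
    Write-Warning '_msdcs.<forest_root_domain> is not stored in ForestDnsZones (or is not a separate zone).'
}
```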

Redirect Users and Computers
Note
The procedures in this topic are required only if you are upgrading Windows 2000 Active Directory domains. A Windows Server 2003 Active Directory domain organizational unit (OU) structure will remain the same after the upgrade is complete.

The default CN=Users and CN=Computers containers that are created when AD DS is installed are not OUs. Objects in the default containers are more difficult to manage because Group Policy cannot be applied directly to them. New user accounts, computer accounts, and security groups that are created by using earlier versions of user interface (UI) and command-line management tools do not allow administrators to specify a target OU. Examples of these earlier versions include the net user and net computer commands, the net group command, or the netdom add command where the /ou parameter is either not specified or not supported. For this reason, by default, administrators are not allowed to create these objects in either the CN=Computers container or the CN=Users container.

We recommend that administrators who upgrade Windows 2000–based domain controllers redirect the well-known path for the CN=Users and CN=Computers containers to an OU that is specified by the administrator so that Group Policy can be applied to containers hosting newly created objects, making them easier to manage. When the domain functional level has been raised to Windows Server 2003, you can redirect the default CN=Users and CN=Computers containers to OUs that you specify so that each can support Group Policy. For more information about creating an OU design, see Designing the Logical Structure for Windows Server 2008 AD DS [LH].

Important
The CN=Users and CN=Computers containers are computer-protected objects. For backward-compatibility reasons, you cannot (and must not) remove them. However, you can rename these objects.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To redirect the CN=Users container
1. Use the Active Directory Users and Computers snap-in to create an OU container to which you will redirect user objects that were created with earlier versions of UI and command-line management tools:
a. To open the Active Directory Users and Computers snap-in, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
b. In the console tree, right-click the domain name.

c. Point to New, and then click Organizational Unit.
d. Type the name of the OU.
2. At the command line, change to the System32 folder by typing:
cd %systemroot%\system32
3. Type the following, where <newuserou> is the name of the new user OU, and <domainname> is the name of the domain:
redirusr ou=<newuserou>,DC=<domainname>,dc=com

To redirect the CN=Computers container
1. Use the Active Directory Users and Computers snap-in to create an OU container to which you will redirect computer objects that were created with earlier versions of UI and command-line management tools.
a. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
b. In the console tree, right-click the domain name.
c. Point to New, and then click Organizational Unit.
d. Type the name of the OU.
2. At the command line, change to the System32 folder by typing:
cd %systemroot%\system32
3. Type the following, where <newcomputerou> is the name of the new computer OU, and <domainname> is the name of the domain:
redircmp ou=<newcomputerou>,DC=<domainname>,dc=com

Complete the Upgrade
Complete the following tasks to finalize the process:
• Review, update, and document the domain architecture to reflect any changes that you made during the domain upgrade process.
• Verify that all service (SRV), alias (CNAME), and host (A) resource records have been registered in Domain Name System (DNS).
• Verify that the NETLOGON and SYSVOL shared folders exist and that the File Replication Service (FRS) or Distributed File Service (DFS) Replication is functioning without error by checking Event Viewer.
• Verify that Group Policy is being applied successfully by checking the application log in Event Viewer for Event ID 1704.
• Verify Windows Firewall status.

Important
Although the default behavior for Windows Server 2008 and Windows Server 2008 R2 is that Windows Firewall is turned on, if you upgrade a Windows Server 2003 computer that had Windows Firewall turned off, the firewall will remain off after the upgrade unless you turn it on using the Windows Firewall control panel.
• Continuously monitor your domain controllers and Active Directory Domain Services (AD DS). Using a monitoring solution (such as Microsoft Operations Manager (MOM)) to monitor distributed Active Directory Domain Services (AD DS), and the services that it relies on, helps maintain consistent directory data and a consistent level of service throughout the forest.

After these tasks have been completed successfully, you will have completed the in-place upgrade process.

Finding Additional Information About Upgrading Active Directory Domains
You can find the following documentation about Active Directory Domain Services (AD DS) on the Windows Server 2003 and Windows Server 2008 TechCenter Web sites:
• For more information about advanced AD DS features that are related to AD DS functional levels, see Enabling Advanced Features for AD DS.
• For more information about read-only domain controllers (RODCs), see Read-Only Domain Controller Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=106488).
• For a worksheet to assist you in documenting your domain controller information, see Job Aids for Windows Server 2003 Deployment Kit (http://go.microsoft.com/fwlink/?LinkID=102558). Download Job_Aids_Planning_Testing_and_Piloting_Deployment_Projects.zip and open DSSUPWN_2.doc.
• For more information about deploying Distributed File System (DFS), see Designing and Deploying File Servers (http://go.microsoft.com/fwlink/?LinkID=27928).
• For more information about Windows 2000 administration tools and upgrade issues, see article 304718 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=135993).
• For more information about configuring optional registry parameters for the Boot Information Negotiation Layer (BINL) service, see article 235979 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=106490).

• For more information about Windows Services for UNIX 2.0 application compatibility issues and the hotfix installation file, see article 293783 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=106317).
• For more information about creating an organizational unit (OU) design, see Designing the Logical Structure for Windows Server 2008 AD DS [LH].
• For more information about backing up AD DS, see the AD DS Backup and Recovery Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=93077).
• For more information, see Compact the directory database file (offline defragmentation) (http://go.microsoft.com/fwlink/?LinkID=106343).
• For more information about DNS, see Deploying Domain Name System (DNS) (http://go.microsoft.com/fwlink/?LinkId=93656).
• For information about installing AD DS by using a command line or an answer file, see Installing a New Forest (http://go.microsoft.com/fwlink/?LinkId=101704).
• For more information, see Effects of netlogon cryptographic support changes in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=164558).

Appendix A: Background Information for Upgrading Active Directory Domains
Before you begin the process of upgrading your Windows 2000 or Windows Server 2003 Active Directory environment to Active Directory Domain Services (AD DS), become familiar with some important issues that affect the upgrade process.

Adprep, Active Directory preparation tool
To prepare Windows 2000 or Windows Server 2003 forests and domains for upgrade, or for the introduction of a domain controller that runs Windows Server 2008 or Windows Server 2008 R2, you must use the Active Directory preparation tool (Adprep.exe). Adprep.exe is located in the \sources\adprep folder of the Windows Server 2008 operating system DVD and in the \support\adprep folder of the Windows Server 2008 R2 operating system DVD. The Windows Server 2008 R2 versions of Adprep are 64-bit and 32-bit (Adprep32.exe). Adprep.exe prepares the forests and domains for an upgrade to AD DS by performing a collection of operations. These operations include the following:
• Extending your current schema with new schema information that the Adprep.exe tool provides, while preserving previous schema modifications in your environment
• Resetting permissions on containers and objects throughout the directory for improved security and interoperability
• Copying administrative tools to manage Windows Server 2008 domains to the local computer

For more information about using Adprep.exe to prepare your environment, see Prepare Your Infrastructure for Upgrade.

Application directory partitions for DNS
Application directory partitions provide storage for application-specific data that can be replicated to a specific set of domain controllers in the same forest. If you have at least one domain controller in your forest running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2, and the domain naming operations master is also running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2, you can take advantage of application directory partitions. Therefore, you can use application directory partitions to store Domain Name System (DNS) data on Windows Server 2003–based domain controllers. DNS-specific application directory partitions are automatically created in the forest and in each domain when the DNS Server service is installed on new or upgraded domain controllers. The creation and deletion of application directory partitions (including the default DNS application directory partitions) requires the domain naming master role holder to reside on a domain controller that runs Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. If application directory partition creation fails during AD DS installation, DNS attempts to create the partitions every time that the service starts.

The following DNS-specific application directory partitions are created during AD DS installation:
• ForestDnsZones: a forest-wide application directory partition that is shared by all DNS servers in the same forest
• DomainDnsZones: domain-wide application directory partitions for each DNS server in the same domain

Service (SRV) resource records
A Windows Server 2008–based domain controller Net Logon service uses dynamic updates to register service (SRV) resource records in the DNS database. This service (SRV) resource record is used to map the name of a service (such as the Lightweight Directory Access Protocol (LDAP) service) to the DNS computer name of a server that offers that service. In a Windows Server 2008 network, an LDAP resource record locates a domain controller. A workstation that is logging on to a Windows Server 2008–based domain queries DNS for service (SRV) resource records in the general form:
_<Service>._<Protocol>.<DnsDomainName>
where <Service> is the service requested, <Protocol> is the protocol requested, and <DnsDomainName> is the fully qualified DNS name of the AD DS domain. AD DS servers offer the LDAP service over the TCP protocol; therefore, client computers find an LDAP server by querying DNS for a record of the form:
_ldap._tcp.<DnsDomainName>
Note
The service and protocol strings require an underscore ( _ ) prefix to prevent potential

This format is applicable for implementations of LDAP servers other than Windows Server 2008–based domain controllers and also possible implementations of LDAP directory services that employ global catalog servers other than servers running Windows Server 2008.

_msdcs.forest_root_domain subdomain
The _msdcs.forest_root_domain subdomain stores forest-wide resource records that are of interest to client computers and domain controllers from all parts of the forest. For example, all domain controllers in the forest register alias (CNAME) and LDAP, Kerberos, and gc service (SRV) resource records in the _msdcs.forest_root_domain subdomain. The alias (CNAME) resource records are used by the replication system to locate replication partners, and the gc service (SRV) resource records are used by client computers to look up global catalog servers. For any two domain controllers to replicate with each other, including two domain controllers from the same domain, they must be able to look up forest-wide locator records. For a newly created domain controller to participate in replication, it must be able to register its forest-wide records in DNS, and other domain controllers must be able to look up these records. Therefore, the DNS servers that are authoritative for the _msdcs.forest_root_domain subdomain need to be available for replication and global catalog lookups. For this reason, we recommend that you create a separate _msdcs.forest_root_domain zone and define its replication scope so that it is replicated to all DNS servers in the forest.

Some organizations running Windows 2000 Active Directory have already created an _msdcs.forest_root_domain to help client computers locate domain controllers more efficiently. If an _msdcs.forest_root_domain already exists in your Windows 2000 environment, we recommend that you move the zone to the ForestDnsZones application directory partition after all domain controllers in the forest are upgraded.

_msdcs.domain_name subdomain
This Microsoft-specific subdomain allows location of domain controllers that have Windows Server 2008–specific roles in the domain. To facilitate location of Windows Server 2008–based domain controllers, the Net Logon service (in addition to the standard _Service._Protocol.<DnsDomainName> format records) also registers service (SRV) resource records that identify the well-known server-type pseudonyms "dc" (domain controller), "gc" (global catalog), "pdc" (primary domain controller), and "domains" (GUID) as prefixes in the _msdcs.<domain_name> subdomain. This subdomain also allows location of domain controllers by the globally unique identifier (GUID) when a domain has been renamed. To accommodate the location of domain controllers by server type or by GUID (abbreviated "dctype"), Windows Server 2008–based domain controllers register service (SRV) resource records in the following form in the _msdcs.<domain_name> subdomain:
_Service._Protocol.DcType._msdcs.<DnsDomainName>

In addition, for each domain in the forest, move the _msdcs.<domain_name> zone to the DomainDnsZones application directory partition for that domain.

Moving the Active Directory–integrated DNS zones into the domain and forest-wide application directory partitions provides the following benefits:

For more information about using application directory partitions to store DNS data. That is. When the forest functional level is raised to Windows Server 2003. Intrasite replication frequency Windows 2000–based domain controllers that are upgraded maintain their default intrasite replication frequency of 300/30. wellknown. upgrade your Windows 2000–based domain to Windows Server 2003. • Forest-wide replication can be targeted to minimize replication traffic because DNS data is no longer replicated to the global catalog.• Because the forest-wide application directory partition can replicate outside a specified domain. That is. the replication frequency of AD DS is changed to the Windows Server 2003default setting of 15/3. you do not have to use DNS zone transfer to replicate the zone file information to DNS servers that are outside the domain. If you modified the 300/30 default replication frequency setting in Windows 2000. • DNS records located on global catalog servers in the forest are removed. minimizing the amount of information replicated with the global catalog. and raise the forest functional level to Windows Server 2003 to take advantage of the 15/3 intrasite replication frequency.forest_root_domain into the forest-wide application directory partition replicates it to all domain controllers in the forest that are running the DNS Server service. New groups and new group memberships that are created after upgrading the PDC After you upgrade the Windows 2000–based domain controller holding the role of the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) in each domain in the forest to Windows Server 2003. Instead. Important Do not modify the default 300/30 intrasite replication frequency on Windows 2000–based domain controllers. the setting does not change to the 15/3 default setting in Windows Server 2003 after you complete the upgrade. If 49 . and because moving the _msdcs. 
and built-in groups are created. any changes that are made to AD DS replicate to all other domain controllers in the same site 5 minutes (300 seconds) after a change is made—with a 30-second offset before notifying the next domain controller—until the forest functional level is raised to Windows Server 2003. several new. see Move DNS Data into DNS Application Directory Partitions. a new installation of Windows Server 2003 will always use the 15/3 intrasite replication frequency setting. However. Also. some new group memberships are established. • Domain-wide replication can be targeted to minimize replication traffic because administrators can specify which of the domain controllers running the DNS Server service can receive the DNS zone data. changes will replicate to all domain controllers in the same site 15 seconds after a change is made—with a 3-second offset before notifying the next domain controller.

The new, well-known, and built-in groups include the following:
• Builtin\Remote Desktop Users
• Builtin\Network Configuration Operators
• Performance Monitor Users
• Performance Log Users
• Builtin\Incoming Forest Trust Builders
• Builtin\Performance Monitoring Users
• Builtin\Performance Logging Users
• Builtin\Windows Authorization Access Group
• Builtin\Terminal Server License Servers

The newly established group memberships include the following:
• If the Everyone group is in the Pre–Windows 2000 Compatible Access group, the Anonymous Logon group and the Authenticated Users group are also added to the Pre–Windows 2000 Compatible Access group.
• The Enterprise Domain Controllers group is added to the Windows Authorization Access group.
• The Network Servers group is added to the Performance Monitoring alias.

In addition, when upgrading the Windows 2000–based domain controller that holds the role of the PDC emulator master in the forest root domain, the following additional security principals are created:
• LocalService
• NetworkService
• NTLM Authentication
• Other Organization
• Remote Interactive Logon
• SChannel Authentication
• This Organization

After you upgrade the Windows Server 2003–based domain controller holding the role of the PDC emulator master in each domain in the forest to Windows Server 2008, or after you move the PDC emulator operations master role to a Windows Server 2008–based domain controller, or after you add a read-only domain controller (RODC) to your domain, the following new well-known and built-in groups are created:
• Builtin\IIS_IUSRS
• Builtin\Cryptographic Operators
• Allowed RODC Password Replication Group
• Denied RODC Password Replication Group
• Read-only Domain Controllers
• Builtin\Event Log Readers
• Enterprise Read-only Domain Controllers (created only on the forest root domain)
• Builtin\Certificate Service DCOM Access

The newly established group memberships are:
• IUSR security principal added to the Builtin\IIS_IUSRS group
• Network Service security principal added to Builtin\Performance Log Users
• The following groups added to the Denied RODC Password Replication Group:
  • Group Policy Creator Owners
  • Domain Admins
  • Cert Publishers
  • Domain Controllers
  • Krbtgt
  • Enterprise Admins
  • Schema Admins
  • Read-only Domain Controllers

Also, additional security principals are created in the forest root domain:
• IUSR
• Owner Rights
• Well-Known-Security-Id-System security principal is renamed to System

Note
If you move the PDC emulator master role from a Windows 2000–based domain controller to a Windows Server 2008–based domain controller, all the new, well-known, and built-in groups and newly established group memberships mentioned above will be created.

Security policy considerations when upgrading from Windows 2000 to Windows Server 2003

Server Message Block (SMB) packet signing and secure channel signing are security policies that are enabled by default on Windows Server 2008–based domain controllers. To allow client computers running earlier versions of Windows to communicate with domain controllers running Windows Server 2008, you might have to temporarily disable these security policies during the upgrade process.

SMB packet signing

SMB packet signing is a security mechanism that protects the data integrity of SMB traffic between client computers and servers, and it prevents malicious software attacks by providing a form of mutual authentication. This is done by placing a digital security signature into each SMB packet, which is then verified by the receiving party. Server-side SMB signing is required by default on Windows Server 2008–based domain controllers; that is, all client computers are required to have SMB packet signing enabled. Client computers running Windows NT 4.0 with Service Pack 2 (SP2) or earlier, or particular non-Microsoft operating systems, do not support SMB packet signing. These client computers will not be able to authenticate to a Windows Server 2008–based domain controller. To ensure successful authentication, upgrade these client computers to a later version of the operating system or service pack. However, if you cannot upgrade your client computers, you can allow them to be authenticated by configuring SMB packet signing on all Windows Server 2008–based domain controllers so that SMB packet signing is allowed but not required. For more information about configuring SMB packet signing on Windows Server 2008–based domain controllers, see Modify Default Security Policies.

Secure channel signing and encryption

When a computer becomes a member of a domain, a computer account is created. Each time the computer starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to ensure secure communications between a domain member and a domain controller for its domain. Secure channel signing is required by default on Windows Server 2008–based domain controllers; that is, all client computers must enable secure channel signing and encryption. Client computers running Windows NT 4.0 with Service Pack 3 (SP3) or earlier installed do not support secure channel signing. These client computers will not be able to establish communications with a Windows Server 2008–based domain controller. To ensure successful communication, upgrade these client computers to a later version of the operating system or service pack. However, if you cannot upgrade your client computers, you must disable secure channel signing on all Windows Server 2008–based domain controllers so that the traffic passing through the secure channel is not required to be signed or encrypted. For more information about configuring secure channel signing on Windows Server 2003–based domain controllers, see Modify Default Security Policies.

Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains

This topic explains the process for upgrading domain controllers to Windows Server 2008 or Windows Server 2008 R2. This information is based on the experience of the Microsoft Customer Service and Support team. This topic includes links to related information about the upgrade process, special considerations, and how to prepare for deployment.
• What's new in AD DS in Windows Server 2008 and Windows Server 2008 R2
• System requirements for installing Windows Server 2008 and Windows Server 2008 R2
• Supported in-place upgrade paths
• Functional level features and requirements
• Client, server, and application interoperability
• Secure default settings in Windows Server 2008 and Windows Server 2008 R2
• Virtualized domain controllers on Hyper-V, VMWARE, and other virtualization software
• Administration, remote administration, and cross-version administration
• Configuring the Windows Time service for Windows Server 2008 and Windows Server 2008 R2
• Known issues for upgrades to Windows Server 2008 and Windows Server 2008 R2
• Verifications you can make and recommended hotfixes you can install before you begin
• Run Adprep commands
• Upgrade domain controllers
• Troubleshooting errors

What's new in AD DS in Windows Server 2008 and Windows Server 2008 R2

The following table has links to more information about new features and functionality in Windows Server 2008 and Windows Server 2008 R2.

Operating system: Windows Server 2008
What's new: For information about each feature, special considerations, and how to prepare for deployment, see Changes in Functionality from Windows Server 2003 with Service Pack 1 (SP1) to Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=139049). For information about specific features in Active Directory Domain Services (AD DS) in Windows Server 2008, see Active Directory Domain Services Role (http://go.microsoft.com/fwlink/?LinkID=139655). Some functionality that was available in previous versions of Windows Server is deprecated in Windows Server 2008. For example, Dcpromo.exe does not allow the creation of a domain that has a single-label Domain Name System (DNS) name. If you try to promote an additional domain controller in a domain that has a single-label DNS name (such as contoso, instead of contoso.com), the check box to install a DNS server is not available in Dcpromo.exe. For more information, see article 947057 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164410). The Browser Service is disabled by default in Windows Server 2008 and Windows Server 2008 R2 domain controllers.

Operating system: Windows Server 2008 R2
What's new: For information about each feature, special considerations, and how to prepare for deployment, see Changes in Functionality from Windows Server 2008 to Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=164414). For information about specific features in AD DS in Windows Server 2008 R2, see What's New in Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkId=164416). In Windows Server 2008 R2, SMTP Replication is removed by default. Upgrading Windows Server 2003 domain controllers in Windows Server 2008 and Windows Server 2008 R2 single-label domains is supported. Promoting additional Windows Server 2008 and Windows Server 2008 R2 domain controllers into existing single-label DNS domains is supported.

microsoft. • Windows Server 2008 R2 Adprep /forestprep adds two new indices on the large link table. For disk-space requirements for AD DS in Windows Server 2008. see “System Requirements” in Installing Windows Server 2008 (http://go. for the following reasons: • There are changes in the online defragmentation process on Windows Server 2008 R2 domain controllers.com/fwlink/?LinkId=164423). For disk-space requirements for AD DS in Windows Server 2008 R2.microsoft. The AD DS database (Ntds.com/fwlink/?LinkID=160341).com/fwlink/?LinkId=177815).com/fwlink/?LinkId=164421). see Installing Windows Server 2008 R2 (http://go. For more information about other functionality in Windows Server 2003 that is deprecated in Windows 7 and Windows Server 2008 R2. • The Windows Server 2008 R2 Active Directory Recycle Bin feature. see Disk space and component location issues in Known Issues for Installing and Removing AD DS (http://go. see Disk space and component location issues in Known Issues for Installing and Removing AD DS (http://go. For more information about other known issues for AD DS. 55 . preserves attributes on deleted objects for the recycled object lifetime.microsoft. For system requirements for Windows Server 2008 R2. when it is enabled.microsoft. see Deprecated Features for Windows 7 and Windows Server 2008 R2 (http://go.com/fwlink/?LinkID=164423). System requirements for installing Windows Server 2008 and Windows Server 2008 R2 For system requirements for Windows Server 2008.Operating system What’s new Windows Server 2008 R2 does not support MSMQ in domain mode for Windows NT 4 and Windows 2000 MSMQ clients running against Windows Server 2008 R2 domain controllers that have no Windows Server 2003 or Windows Server 2008 domain controllers in the same environment.com/fwlink/?LinkId=164418).microsoft.microsoft.dit) on Windows Server 2008 R2 domain controllers can be larger than in previous versions of Windows. 
see Known Issues for Installing and Removing AD DS (http://go.

microsoft. computer name. the Active Directory Recycle Bin feature increased the database size by an additional 15 to 20 percent of the original AD DS database size. If you want to migrate the AD DS server role. While Windows Server 2008 R2 additions increase the database size. and supporting configuration state. or if you have made configuration changes. refer to this article if you want to ensure that the new server has the same IP address or server name as the legacy server. Additional space requirements depend on the size and count of the objects that can be recycled. the addition of a single-instance store that is supported by domain controllers that run Windows Server 2003.com/fwlink/?LinkID=154894). Windows Server 2008. not counting the Active Directory Recycle Bin.microsoft.microsoft. Domain and forest functional level requirements 56 .The Active Directory database on a Windows Server 2008 domain controller that is promoted into a Windows 2000 domain should be a size that is similar to the size of the Active Directory databases on the Windows 2000 domain controllers. For upgrades to Windows Server 2008 R2.microsoft. DNS server roles. Windows Server 2008 R2 domain controllers are estimated to be 10 percent larger than Windows Server 2008 domain controllers. IP address. see Cleaning metadata of removed writable domain controllers in Appendix A: Forest Recovery Procedures (http://go. from an existing server to a new Windows Server 2008 or Windows Server 2008 R2 destination server. see “Supported upgrade paths” in Guide for Upgrading to Windows Server 2008 (http://go. check for sufficient free disk space on the partitions that host the AD DS database and log files.com/fwlink/?LinkId=177812). For example. Functional level features and requirements Features that are enabled for Windows Server 2008 and Windows Server 2008 R2 domain and forest functional levels are documented in Understanding Domain and Forest Functionality (http://go. 
see “Supported upgrade paths” in Installing Windows Server 2008 R2 (http://go.com/fwlink/?LinkId=164553).microsoft. If you replace domain controllers.com/fwlink/?LinkID=160341) and Windows Server 2008 R2 Upgrade Paths (http://go. on the legacy DNS server and you want them retained on the new DNS server. In a production Windows Server 2008 R2 domain at Microsoft. Windows Server 2003 R2. using the default deletedObjectLifetime and recycledObjectLifetime values of 180 days.microsoft.com/fwlink/?LinkID=146616). see AD DS and DNS Server Migration: Migrating the AD DS and DNS Server Roles (http://go. or Windows Server 2008 R2 offsets that increase. use the metadata cleanup method in Windows Server 2008 and remove DNS and Windows Internet Name Service (WINS) records for the original role holder. such as registry changes or file-based DNS zones. For more information. Supported in-place upgrade paths For upgrades to Windows Server 2008.com/fwlink/?LinkId=164555). If an in-place upgrade to Windows Server 2008 or Windows Server 2008 R2 rolls back silently to the previous operating system version.

server. • You can install Windows 2000.com/fwlink/?LinkID=164418). In 57 . • For more information about which versions of Microsoft Exchange Server can interoperate with different versions of Windows. Windows Server 2003. Client. compared to Windows 2000 and Windows Server 2003 domain controllers. and Windows Server 2008 R2 domain controllers in the same domain or forest without any functional-level requirement.microsoft. see Known Issues for Deploying RODCs (http://go. • Adprep /rodcprep does not have any functional-level requirements. see Applications That Are Known to Work with RODCs (http://go. see Exchange Server Supportability Matrix (http://go. and application interoperability • Windows NT 4.for the deployment of Windows Server 2008 and Windows Server 2008 R2 domain controllers are as follows: • Adprep /forestprep does not have any domain or forest functional level requirements. Encryption type or policy AllowNT4Crypt o Windows Server 200 8 default Disabled Windows Server 2008 R 2 default Disabled Comment Third-party Server Message Block (SMB) clients may be incompatible with the secure default settings on Windows Server 2008 and Windows Server 2008 R2 domain controllers.com/fwlink/?LinkID=165034). it does not work with RODCs. • Windows 2000. therefore.0 computers cannot be joined to Windows Server 2008 and Windows Server 2008 R2 domains or domain controllers. and Windows 7 client computers are fully compatible with writable Windows Server 2008 and Windows Server 2008 R2 domain controllers. Windows Server 2003. • For installation of a read-only domain controller (RODC). Windows Vista. • Adprep /domainprep requires a Windows 2000 native or higher domain functional level in each target domain. Exchange Server requires a writable domain controller.microsoft. the forest functional level must be Windows Server 2003 or higher. • For a list of applications that are compatible with RODCs. 
Secure default settings in Windows Server 2008 and Windows Server 2008 R2 Windows Server 2008 and Windows Server 2008 R2 domain controllers have the following secure default settings.com/fwlink/?LinkID=133779). For member-computer interoperability with RODCs. Windows XP. Windows Server 2008.microsoft.

all cases. Administration. • Configure virtualized domain controllers to synchronize with a time source in accordance with the recommendations for your hosting software. and other virtualization software Regardless of the virtual host software product that you are using. This action causes an update sequence number (USN) rollback that can result in permanent inconsistencies between domain controller databases. DES CBT/Extended Protection for Integrated Authentication LMv2 Enabled N/A Disabled Enabled Article 977321 in the Microsoft Knowledge Base (http://go. see article 942564 in the Microsoft Knowledge Base (http://go.com/fwlink/?LinkId=177717) See Microsoft Security Advisory (937811) (http://go. • Do not restore snapshots of domain controller role computers. For information about other virtualization software. 58 .microsoft. read Running Domain Controllers in Hyper-V (http://go. System Center Virtual Machine Manager enforces this for Hyper-V.com/fwlink/?LinkID=139651) for special requirements related to running virtualized domain controllers.com/fwlink/?LinkId=164559) and article 976918 in the Microsoft Knowledge Base (http://go.microsoft.microsoft. remote administration. • All physical-to-virtual (P2V) conversions for domain controller role computers should be done in offline mode.microsoft. see article 888794 in the Microsoft Knowledge Base (http://go.com/fwlink/? LinkId=164558). VMware. these settings can be relaxed to allow interoperability at the expense of security. For more information.com/fwlink/?LinkID=141292). see the vendor documentation. • For more considerations about running domain controllers in virtual machines.microsoft.microsoft.com/fwlink/? LinkId=178251). Article 976918 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=178251) Enabled Disabled Virtualized domain controllers on Hyper-V™. Specific requirements include the following: • Do not stop or pause domain controllers. 
and crossversion administration The following changes have been made to local and remote administration tools for the Windows Server 2008 and Windows Server 2008 R2 operating systems.

com/fwlink/?LinkId=177813). download the correct version of RSAT for the client computers that you use to administer servers. which you can obtaine from the Microsoft Download Center. see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go. For example. To display the administration tools on the Start menu 1. • Additional steps are required to make the administration tools that RSAT installs appear in the Start menu of Windows Vista computers. scroll down to System administrative tools. tools that are copied from the Windows Server 2008 operating system disk to Windows Vista will not work. Support Tools (SUPPTOOLS. and then click Display on the All Programs menu and the Start menu. click Customize. such as Active Directory Domain Services. For example. x86-based (32-bit) and x64-based (64-bit) versions of administration tools were released.microsoft. Click OK. On the Start Menu tab. For more information. In the Customize Start Menu dialog box.• The installation of a server role. click Add Features in Server Manager.com/fwlink/?LinkID=153624). and Resource Kit tools have been consolidated into a single collection called Remote Server Administration Tools (RSAT).MSI).microsoft. • The GUI and command-line tools that were formerly in the Administrative Tools Pack (ADMINPACK. For these additional steps. Right-click Start. To install tools locally to manage other server roles.MSI). For more information. 2. 3. Instead of copying the tools. see the following procedure. Administration tools whose files are copied from the server operating system disk will generally not execute on the corresponding client operating system and are not supported. see Installing Remote Server Administration Tools (http://go. 59 . As a general rule. 4. the Windows Server 2008 administration tools install and run only on Windows Vista client computers and Windows Server 2008 server computers. and then click Properties. 
Configuring the Windows Time service for Windows Server 2008 and Windows Server 2008 R2 Make sure that you have the following domain controller roles configured properly to synchronize the Windows Time service (W32time). by Server Manager also locally installs all GUI and command-line tools that you can use to administer that role. • As 64-bit hardware and operating systems became more popular. the administrative tools only install and run correctly on the operating system versions with which they were released.

The forest-root primary domain controller (PDC) on a physical computer should synchronize time from a reliable external time source. For more information, see Configure the Windows Time service on the PDC emulator (http://go.microsoft.com/fwlink/?LinkId=91969). All other domain controllers that are installed on physical hardware or Hyper-V should use the default domain hierarchy (no configuration change required). For domain controllers running on non-Microsoft virtualization software, consult the vendor.

Windows Server 2008 and Windows Server 2008 R2 domain controllers added time-rollback protection to help prevent domain controllers from adopting bad time. Microsoft recommends that you add time-rollback protection on Windows Server 2003 domain controllers by using Group Policy, making sure that you have the policy detail fixes in place before you do. For more information, see article 884776 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=178255).

Finally, time on workgroup and domain-joined virtual host computers should be configured as follows:

For workgroup host computers:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\TYPE (REG_SZ) = NTP
• HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer (REG_DWORD) = <fully qualified host name of time server, such as time.windows.com>,0x08
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval (REG_DWORD) = 900 (decimal)
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection (REG_DWORD) = 2a300 (hexadecimal) or 172800 (decimal)
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection (REG_DWORD) = 2a300 (hexadecimal) or 172800 (decimal)

For domain-joined host computers:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MinPollInterval (REG_DWORD) = 6 (decimal)
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPollInterval (REG_DWORD) = 10 (decimal)
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection (REG_DWORD) = 2a300 (hexadecimal) or 172800 (decimal)
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection (REG_DWORD) = 2a300 (hexadecimal) or 172800 (decimal)

Known issues for upgrades to Windows Server 2008 and Windows Server 2008 R2

Read the following release notes for more information about specific issues that can affect these versions of Windows Server:
• Release notes for Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=99299)
• Release notes for Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=139330)

Extension mechanisms for DNS (EDNS) are enabled by default on Windows Server 2008 R2. If you notice that queries that used to work on DNS servers that run Windows 2000, Windows Server 2003, or Windows Server 2008 fail after those DNS servers are upgraded or replaced with DNS servers that run Windows Server 2008 R2, or that queries that the old DNS servers can resolve cannot be resolved by Windows Server 2008 R2 DNS servers, then disable EDNS using the following command:

dnscmd /Config /EnableEDnsProbes 0

Verifications you can make and recommended hotfixes you can install before you begin

1. All domain controllers in the forest should meet the following conditions:
   a. Be online.
   b. Be healthy (run dcdiag /v to see if there are any problems).
   c. Have successfully inbound-replicated and outbound-replicated all locally held Active Directory partitions (repadmin /showrepl * /csv viewed in Excel). For more information, see "CSV Format" in Repadmin Requirements, Syntax, and Parameter Descriptions (http://go.microsoft.com/fwlink/?LinkID=147380).
   d. Have successfully inbound-replicated and outbound-replicated SYSVOL.
   e. Metadata for stale or nonexistent domain controllers, or domain controllers that cannot be made to replicate, should be removed from their respective domains. For more information, see Cleaning metadata of removed writable domain controllers in Appendix A: Forest Recovery Procedures (http://go.microsoft.com/fwlink/?LinkID=122974).
   f. Have sufficient free disk space to accommodate the upgrade. For more information about disk-space requirements for Windows Server 2008 and Windows Server 2008 R2, see System requirements for installing Windows Server 2008 and Windows Server 2008 R2. The task for administrators is to accurately forecast the immediate and long-term growth for Ntds.dit files on Windows Server 2008 and Windows Server 2008 R2 domain controllers so that hard drives and partitions that host Active Directory files can be sized properly on physical and virtual domain controllers.
   g. All domains must be at the Windows 2000 native functional level or higher to run adprep /domainprep. Windows NT 4.0 domain controllers are not permitted in this functional level.
2. Check for incompatibilities with secure defaults in Windows Server 2008 and Windows Server 2008 R2. For more information, see Secure default settings in Windows Server 2008 and Windows Server 2008 R2.
3. Download the latest service pack and relevant hotfixes that apply to your Active Directory forest before you deploy Windows Server 2008 or Windows Server 2008 R2 domain controllers.
   a. For upgrades to either Windows Server 2008 or Windows Server 2008 R2, create integrated installation media ("slipstream") by adding the latest service pack and hotfixes for your operating system.
      i. As of September 2009, the latest service pack for Windows Server 2008 is Service Pack 2 (SP2). For information about obtaining the latest service pack, see Windows Update (http://go.microsoft.com/fwlink/?LinkID=47290) or see article 968849 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164585) for download information, and see Installing Windows Server 2008 with Service Pack 2 (http://go.microsoft.com/fwlink/?LinkId=164586).
      ii. Windows Server 2008 R2 includes updates from Windows Server 2008 SP2.
      iii. For Windows Server 2008 R2: If Active Directory Management Tool (ADMT) 3.1 is installed on Windows Server 2008 computers that are being upgraded in-place to Windows Server 2008 R2, remove ADMT 3.1 before the upgrade; otherwise, it cannot be uninstalled. ADMT 3.1 cannot be installed on Windows Server 2008 R2 computers.
   b. Download and install the hotfixes on the Windows computers and scenarios that apply to your computing environment. You can install a hotfix individually, or you can install the service pack that includes it. To make sure that you have all of the latest updates, see article 968849 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164553). In addition, if you are deploying RODCs, review article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164585).
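Items 1.a, 1.c and 1.f above can be checked from one script. The following is an added example, not code from the Microsoft guide: it lists the forest's domain controllers from the Configuration partition, pings them, parses the CSV that repadmin /showrepl * /csv emits and keeps only failed partner links, and reads free space on the volume that hosts Ntds.dit. It assumes a domain-joined machine with repadmin.exe (RSAT or Windows Server), WMI access to each domain controller, and that $NtdsDrive (a placeholder) is the drive holding the database; the embedded CSV sample is constructed so the parser can be exercised offline.

```powershell
# Added example (not part of the Microsoft guide): pre-upgrade checks for verification items 1.a, 1.c, 1.f.
param([string]$NtdsDrive = 'C:')   # placeholder: the drive that hosts Ntds.dit on every domain controller

# Every domain controller in the forest, read from the Configuration partition (no AD module needed)
function Get-ForestDomainControllers {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Sites,$configNC", '(objectClass=server)', @('dNSHostName'))
    foreach ($result in $searcher.FindAll()) {
        if ($result.Properties['dnshostname'].Count -gt 0) { $result.Properties['dnshostname'][0] }
    }
}

# 1.a: is each domain controller reachable?
function Test-DomainControllerOnline {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        [pscustomobject]@{ DomainController = $dc; Online = Test-Connection -ComputerName $dc -Count 1 -Quiet }
    }
}

# 1.c: parse "repadmin /showrepl * /csv" and keep only the partner links that have failed
function Get-ReplicationFailures {
    param([string[]]$CsvLines)    # repadmin's CSV output, one string per line, header included
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 -or $_.'Last Failure Status' -ne '0' } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

# 1.f: free space on the volume that hosts the AD DS database and log files
function Get-NtdsFreeSpace {
    param([string[]]$DomainControllers, [string]$Drive)
    foreach ($dc in $DomainControllers) {
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $dc `
                    -Filter "DeviceID='$Drive'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Drive            = $Drive
            FreeGB           = if ($disk) { [math]::Round($disk.FreeSpace / 1GB, 1) } else { $null }
        }
    }
}

# Constructed sample in repadmin's CSV layout (column names as repadmin emits them): two links, one failing
$sampleCsv = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,Default-First-Site-Name,DC1,"DC=contoso,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2009-11-10 09:00:00,0',
    'showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=contoso,DC=com",Branch,DC3,RPC,4,2009-11-10 08:15:00,2009-11-01 07:00:00,1722'
)
Get-ReplicationFailures -CsvLines $sampleCsv | Format-Table -AutoSize   # reports only the DC1 <- DC3 link

# Against a live forest (requires the tools and rights noted above):
# $dcs = Get-ForestDomainControllers
# Test-DomainControllerOnline -DomainControllers $dcs
# Get-ReplicationFailures -CsvLines (repadmin /showrepl * /csv)
# Get-NtdsFreeSpace -DomainControllers $dcs -Drive $NtdsDrive
# dcdiag /v    # item 1.b: review the verbose report for failed tests
```

A non-zero Last Failure Status with a recent Last Failure Time is the link to investigate; a stale Last Success Time on an otherwise quiet link usually points at item 1.e (a partner that no longer exists).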

com/fwlink/? LinkId=177814) 63 . apply the DNS devolution hotfix. If you change “Regional Option – User Locale – enabled.microsoft.Domain controllers that are configured to use the Japanese language locale EFS file access encrypted on a Windows Server 2003 file server upgraded to Windows Server 2008 Records on Windows Server 2008 secondary DNS server are deleted following zone transfer Use root hints if no forwarders are available Setting Locale info in GPP causes Event Log and dependent services to fail. DNS Server Service. task Scheduler Service fail to start.com/fwlink/? LinkId=164591) 974266 (http://go. GPMC Filter fix If you use devolution to resolve DNS names (instead of suffix search list).com/fwlink/? LinkId=164590) 2001154 (http://go.com/fwlink/? LinkID=165035) Windows Server 2008 SP2 Synchronize the Directory Services Restore Mode (DSRM) Administrator password with a domain 961320 (http://go.microsoft.com/fwlink/? LinkId=178224) Windows Server 2008 SP2 Windows Server 2008 SP2 943729 (http://go.com/fwlink/? LinkId=164588) 948690 (http://go.microsoft.microsoft.microsoft.microsoft.com/fwlink/? LinkID=106115) Windows Server 2008 SP2 Not included in any Windows Server 2008 Service Pack Windows Server 2008 SP2 953317 (http://go.com/fwlink/? LinkId=165959) For prevention and resolution. Group Policy Preferences rerelease 949189 (http://go.microsoft.microsoft. To be included in Windows Server 2008 SP3 949360 957579 (http://go.com/fwlink/?LinkId=165960).microsoft.” the Windows Event Log Service. see 951430 (http://go.

microsoft. TimeZoneKeyName registry entry name is corrupt on 64-bit upgrades 2001086 (http://go.com/fwlink/? LinkId=178226) Deploying the first Windows Server 2008 R2 domain controller in an existing Active Directory forest may temporarily halt Active Directory replication to strict-mode destination domain controllers.user account The following table lists hotfixes for Windows Server 2008 R2.com/fwlink/? LinkId=178225) Comment [The article will include a hotfix. Also scheduled for Windows Server 2008 R2 SP1. Occurs only on x64based server upgrades in Dynamic DST time zones. Description Windows Server 2008 R2 Dynamic DNS updates to BIND servers log NETLOGON event 5774 with error status 9502 Event ID 1202 logged with status 0x534 if security policy modified Microsoft Knowledge Base article 2002490 (http://go.com/fwlink/? LinkId=165961) Hotfix is in progress.] 2000705 (http://go. click the link to open the date and time control panel.microsoft. click the taskbar clock. If the clock fly-out indicates a time zone problem. 2002034 64 . To see if your servers are affected.microsoft.

Run Adprep commands
This section describes how to run the following adprep commands:
• Add schema changes using adprep /forestprep
• If you are deploying RODCs, run adprep /rodcprep
• Run adprep /domainprep /gpprep
If you encounter errors when you run an Adprep command, see Adprep errors.

Add schema changes using adprep /forestprep
1. Locate the correct version of Adprep for your upgrade:
• The Windows Server 2008 installation media contain one version of adprep, Adprep.exe, that runs on both x86-based and x64-based operations masters, in the \sources\adprep folder of the Windows Server 2008 installation disk.
• Windows Server 2008 R2 installation media contain both x86-based (Adprep32.exe) and x64-based (Adprep.exe) versions of adprep in the \support\adprep folder of the Windows Server 2008 R2 installation disk.
• Windows Server 2008 and Windows Server 2008 R2 versions of adprep.exe can be run directly on Windows 2000 Server SP4, Windows Server 2003, and Windows Server 2008 (for Windows Server 2008 R2) operations masters.
• Windows Server 2008 and Windows Server 2008 R2 schema updates can be added directly to forests with Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008 schema versions.
• If you copy Adprep.exe from the installation media to a local computer or a network share, copy the entire adprep folder and provide the full path to the Adprep.exe file.
2. Identify the domain controller that holds the schema operations master role (also known as the flexible single master operations, or FSMO, role) and verify that it has inbound-replicated the schema partition since startup:
a. Run the dcdiag /test:knowsofroleholders command.
b. If the schema role is assigned to a domain controller with a deleted NTDS Settings object, follow the steps in article 255504 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=70776) to seize the role to a live domain controller in the forest root domain.
c. On the schema master, run the repadmin /showreps command. The showreps command returns the globally unique identifier (GUID) of all replication partners of the schema master. If the schema master has inbound-replicated the schema partition since startup, continue to the next step. Otherwise, use the replicate now command in Dssite.msc to trigger inbound replication of the schema partition to the schema master (see Force replication over a connection (http://go.microsoft.com/fwlink/?LinkId=164634)). You can also use the repadmin /replicate <name of schema master> <GUID of replication partner> command.
Log on to the schema operations master with an account that has Enterprise Admins, Schema Admins, and Domain Admins credentials in the forest root domain. By default, the built-in administrator account in a forest root domain has these credentials.
3. Update the forest schema with adprep /forestprep. While you are still logged on to the console of the schema master with an account that has Enterprise Admins, Schema Admins, and Domain Admins credentials, run the appropriate version of adprep /forestprep from the Windows Server 2008 or Windows Server 2008 R2 installation media. Specify the full path to Adprep.exe to prevent running another version of Adprep that may be present in the PATH environment variable. For example, if you are running the Windows Server 2008 version of Adprep from a DVD drive or network path that is assigned the drive letter D:, the command to run is as follows:
D:\sources\adprep\adprep /forestprep
The syntax for running Windows Server 2008 R2 Adprep on a 64-bit schema master is as follows:
<dvd drive letter>:\support\adprep\adprep /forestprep
The syntax for running Windows Server 2008 R2 Adprep on a 32-bit, x86-based schema master is as follows:
D:\support\adprep\adprep32 /forestprep
For a list of operations that Windows Server 2008 adprep /forestprep performs, see Windows Server 2008: Forest-Wide Updates (http://go.microsoft.com/fwlink/?LinkId=164637). For a list of operations that Windows Server 2008 R2 adprep /forestprep performs, see Windows Server 2008 R2: Forest-Wide Updates (http://go.microsoft.com/fwlink/?LinkId=164636). If you encounter errors, see “Forestprep errors” later in this topic. Proceed to adprep /domainprep.

If you are deploying RODCs, run adprep /rodcprep
Run Windows Server 2008 R2 adprep /rodcprep in a forest that has already been prepared with Windows Server 2008 adprep /rodcprep. You can run adprep /rodcprep before or after adprep /domainprep. We recommend running adprep /rodcprep on the schema master immediately after adprep /forestprep as a matter of convenience because that operation also requires Enterprise Admins credentials.
Note
Rodcprep will run on any member computer or domain controller in the forest if you are logged on with Enterprise Admins credentials.
If you are deploying RODCs for the first time: While still logged on with Enterprise Admins credentials on the schema master, run adprep /rodcprep. For Windows Server 2008 Rodcprep, specify the full path to Adprep. For example, if the DVD or network path is assigned drive D:, run the following command:
c:\windows>D:\sources\adprep\adprep /rodcprep
For Windows Server 2008 R2:
1. If the computer where you run Rodcprep is a 64-bit computer, run the following command:
D:\support\adprep\adprep /rodcprep
2. If the computer where you run Rodcprep is a 32-bit computer, run the following command:
D:\support\adprep\adprep32 /rodcprep
If you encounter errors, see “Rodcprep errors” later in this topic.

Run adprep /domainprep /gpprep
For each domain that you intend to add Windows Server 2008 or Windows Server 2008 R2 domain controllers to:
1. Log on to the infrastructure master with an account that has Domain Admins credentials.
2. Run netdom query fsmo or dcdiag /test:<name of FSMO test> to identify the infrastructure operations master. If operations master roles are assigned to deleted or offline domain controllers, transfer or seize the roles as required.
3. Run Windows Server 2008 adprep /domainprep /gpprep from the Windows Server 2008 operating system disk using the following syntax:
Note
You do not have to add the /gpprep parameter in the following command if you already ran it for Windows Server 2003.
<drive>:\<path>\adprep /domainprep /gpprep
For example, if the DVD or network path is assigned drive D, use the following syntax:
D:\sources\adprep\adprep /domainprep /gpprep
4. For Windows Server 2008 R2: If the infrastructure master is 64-bit, use the following syntax:
D:\support\adprep\adprep /domainprep /gpprep
If the infrastructure master is 32-bit, use the following syntax:
D:\support\adprep\adprep32 /domainprep /gpprep
If you encounter errors, see “Domainprep errors” later in this topic.
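The Adprep sequence above (forestprep on the schema master, optional rodcprep, domainprep /gpprep on each domain's infrastructure master), as an added PowerShell example that is not part of the original guide. It assumes Windows Server 2008 R2 media mounted at D:\support\adprep, PowerShell 2.0, and an elevated session holding Enterprise Admins, Schema Admins and Domain Admins credentials; the Get-AdprepPath, Test-IsLocalHost and Invoke-Adprep helpers are the example's own.

```powershell
# Added example (not from the Microsoft guide): run the Windows Server 2008 R2
# Adprep sequence from the correct role holders with a full path to the binary.
# Assumptions: R2 installation media mounted as D:, PowerShell 2.0, elevated
# prompt, account holding Enterprise Admins, Schema Admins and Domain Admins.
param(
    [string]$MediaRoot = 'D:\support\adprep',
    [switch]$DeployingRodcs
)

Add-Type -AssemblyName System.DirectoryServices

function Get-AdprepPath {
    # R2 media ships adprep.exe for x64 and adprep32.exe for x86 operations masters.
    $exe = if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { 'adprep.exe' } else { 'adprep32.exe' }
    $path = Join-Path $MediaRoot $exe
    if (-not (Test-Path $path)) { throw "Adprep binary not found: $path" }
    return $path
}

function Test-IsLocalHost([string]$dnsName) {
    # Role owners are returned as DNS names; compare the host label only.
    return $dnsName.Split('.')[0] -ieq $env:COMPUTERNAME
}

function Invoke-Adprep([string[]]$Arguments) {
    # The full path avoids picking up another adprep version from %PATH%.
    $adprep = Get-AdprepPath
    Write-Host "Running $adprep $($Arguments -join ' ')"
    & $adprep $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "adprep $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaMaster = $forest.SchemaRoleOwner.Name
Write-Host "Schema master: $schemaMaster"

# Step 2: list the schema master's replication partners and the result of the
# last inbound replication before touching the schema (review for failures).
repadmin /showreps $schemaMaster

# Step 3: forestprep runs only on the schema master.
if (-not (Test-IsLocalHost $schemaMaster)) {
    throw "Run this script on the schema master ($schemaMaster)."
}
Invoke-Adprep @('/forestprep')

# Rodcprep needs only Enterprise Admins; running it here is simply convenient.
if ($DeployingRodcs) { Invoke-Adprep @('/rodcprep') }

# Domainprep /gpprep must run on each domain's infrastructure master; report
# the owners and run only where this computer holds the role.
foreach ($domain in $forest.Domains) {
    $infraMaster = $domain.InfrastructureRoleOwner.Name
    if (Test-IsLocalHost $infraMaster) {
        Invoke-Adprep @('/domainprep', '/gpprep')
    } else {
        Write-Warning "Run adprep /domainprep /gpprep on $infraMaster for domain $($domain.Name)."
    }
}
```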

Upgrade domain controllers
This section includes the following topics:
• Background information about the in-place upgrade process
• Upgrading and promoting new domain controllers into an existing domain
• Post-installation tasks
• Fixes to install after AD DS installation

Background information about the in-place upgrade process
When you upgrade existing domain controllers or promote new domain controllers into existing domains, consider the following:
Computers running Windows 2000 Server cannot be upgraded in place to Windows Server 2008 or Windows Server 2008 R2. In-place upgrades from Windows Server 2003 or Windows Server 2003 R2 to Windows Server 2008 or Windows Server 2008 R2 are supported, with the following exception: x86-based operating systems cannot be upgraded in place to x64-based versions of Windows Server 2008 or to Windows Server 2008 R2 (which supports only the x64-based architecture). A server that runs the full installation of Windows Server 2008 R2 cannot be upgraded to be a server that runs a Server Core installation of Windows Server 2008 R2. The reverse is also true. A writable domain controller cannot be upgraded to be an RODC. The reverse is also true. For more information about supported and unsupported upgrades, see Windows Server 2008 R2 Upgrade Paths (http://go.microsoft.com/fwlink/?LinkID=154894).
Windows Server 2008 and Windows Server 2008 R2 both auto-install Internet Protocol version 6 (IPv6). Do not arbitrarily disable or remove IPv6.
To promote RODCs:
• The adprep[32] /rodcprep command must have completed successfully.
• The forest functional level must be Windows Server 2003 or higher.
• A writable (or “full”) domain controller that runs Windows Server 2008 or Windows Server 2008 R2 must exist in the target domain.

Upgrading and promoting new domain controllers into an existing domain
Complete the following steps if you are performing either of these in-place upgrades:
• Upgrading to Windows Server 2008 or Windows Server 2008 R2 from Windows Server 2003 domain controllers
• Upgrading to Windows Server 2008 R2 from Windows Server 2008 or Windows Server 2003 domain controllers
1. If you have the Japanese language locale installed on Windows Server 2003 domain controllers that are being upgraded in place to Windows Server 2008, read and comply with article 949189 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164588).

2. If you have remotely encrypted Encrypting File System (EFS) files on Windows Server 2003 computers that are being upgraded in place to Windows Server 2008, read and comply with article 948690 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166140). This problem does not apply to domain controllers that are upgraded to Windows Server 2008 R2.
3. If the Active Directory Migration Tool (ADMT) version 3.1 is installed on a Windows Server 2003 or Windows Server 2008 domain controller that is being upgraded to Windows Server 2008 R2, uninstall ADMT 3.1 before the upgrade.
4. Read article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164558) and consider the right setting for the AllowNT4Crypto policy for your environment.
5. Run <dvd or network path>:\setup.exe.
6. Consider installing the following fixes after the in-place upgrade unless they are integrated into your installation media:
• If you are installing Windows Server 2008, install Service Pack 2 (SP2). Windows Server 2008 R2 includes Windows Server 2008 SP2 fixes.
• If you use devolution (as opposed to suffix search lists) to resolve DNS queries for single-label and non-fully-qualified DNS names, download the DNS devolution fix. See article 957579 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164591).
• Download the fix for a GPMC filter bug in article 949360 in the Microsoft Knowledge Base.
• If you are using Group Policy Preferences on Windows Vista or Windows Server 2008 computers, download the July 2009 update to article 943729 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=106115).
7. If dcpromo.exe fails, see Dcpromo errors.
8. When promoting new domain controllers, make sure that object information about the newly promoted domain controllers (the computer account in the domain partition and the NTDS Settings object in the configuration partition) has outbound replicated to a sufficient number of domain controllers that are remaining in the forest before you retire the only domain controller in the forest that has that object information. This is particularly an issue where the helper domain controllers used by newly promoted domain controllers are rapidly demoted before outbound replication takes place. For example, if you promote DC2 and use DC1 as the helper domain controller, make sure that DC1 has outbound replicated object information about DC2 to other domain controllers before you retire DC1.

Complete the following steps if you are promoting Windows Server 2008 or Windows Server 2008 R2 writable domain controllers into existing Windows 2000 Server, Windows Server 2003, or Windows Server 2008 domains:
1. Verify that the target domain is at the Windows 2000 native domain functional level or higher.

2. From the Windows Start menu, run Dcpromo.exe (or install the Active Directory Domain Services role in Server Manager, and then run Dcpromo).
3. If you are promoting Windows Server 2008 domain controllers that are configured to use the Japanese language, read and comply with article 949189 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164588). The hotfix should be installed immediately after promotion and before the first boot into normal mode.
4. When the AllowNT4Crypto page appears, read article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164558) and consider the right setting for AllowNT4Crypto for your environment.
5. If you encounter an error, see the list of Dcpromo errors at the end of this topic.

Do the following if you are promoting Windows Server 2008 RODCs into existing Windows Server 2003 domains, Windows Server 2008 domains, or domains that have a mix of those operating systems:
1. If the option to install RODC is not available in Dcpromo, verify that the forest functional level is Windows Server 2003 or higher.
2. If the option to install RODC is not available and the error message indicates that there is no Windows Server 2008 in the domain, verify that a Windows Server 2008 domain controller exists in the domain and that it is accessible on the network to the RODC that you are promoting.
3. If an error message indicates that access is denied, see the Microsoft Knowledge Base.

Post-installation tasks
For all domain controllers:
• Configure the forest root PDC with an external time source. For more information, see Configure the forest root PDC with an external time source (http://go.microsoft.com/fwlink/?LinkId=91969).
• Use only Active Directory–aware backup applications to restore domain controllers or roll back the contents of AD DS. Restoring snapshots that were created by imaging software is not supported on domain controllers.
• Enable delete protection on organizational units (OUs) and other strategic containers to prevent accidental deletions.
• Read article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974), and install the corrective fixes on the Windows client and server computers that are affected by the scenarios that are listed in the Knowledge Base article.

Fixes to install after AD DS installation
After installation of AD DS, install the following hotfixes.
Note
It is impossible to provide an exhaustive list of hotfixes. The following is a list of fixes that are available in October 2009.

Hotfix | Windows Server 2008 SP1 (RTM) | Windows Server 2008 SP2 | Windows Server 2008 R2
Article 949360: GPMC filter bug | Yes | No | No
Article 957579: DNS devolution fix | Yes | Yes | No
Article 943729: GPP rerelease | Yes | Yes | No
Article 949189: Japanese language locale | Yes | No | No

For RODCs:
• If you are deploying RODCs, install the hotfix in article 953392 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=150337) on all Windows Server 2008 writable domain controllers. This fix is not required on Windows Server 2008 R2 writable domain controllers.
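The hotfix table above, turned into a post-installation audit as an added PowerShell example that is not part of the original guide. It assumes PowerShell 2.0 and local administrator rights on the domain controller being checked; it reads Windows Server 2008 RTM as service pack level 1 (the "SP1 (RTM)" column) and includes the RODC hotfix 953392 only when the -DeployingRodcs switch is given, since the guide requires it only on writable Windows Server 2008 domain controllers in forests with RODCs.

```powershell
# Added example (not from the Microsoft guide): audit a domain controller for
# the post-installation hotfixes listed in the table above.
# Assumptions: PowerShell 2.0, local administrator rights, run on the DC itself.
param([switch]$DeployingRodcs)

# Required fixes by Windows Server 2008 service pack level, taken from the table.
# 'NeededOn' lists the levels where the table says "Yes"; none apply to 2008 R2.
$RequiredFixes = @(
    @{ KB = 'KB949360'; Description = 'GPMC filter bug';          NeededOn = @('2008SP1') },
    @{ KB = 'KB957579'; Description = 'DNS devolution fix';       NeededOn = @('2008SP1', '2008SP2') },
    @{ KB = 'KB943729'; Description = 'GPP rerelease';            NeededOn = @('2008SP1', '2008SP2') },
    @{ KB = 'KB949189'; Description = 'Japanese language locale'; NeededOn = @('2008SP1') },
    @{ KB = 'KB953392'; Description = 'RODC support on writable Windows Server 2008 DCs';
       NeededOn = @('2008SP1', '2008SP2'); RodcOnly = $true }
)

function Get-OsLevel {
    # Windows Server 2008 RTM already reports ServicePackMajorVersion = 1,
    # which is why the table's first column reads "SP1 (RTM)".
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ($os.Version -like '6.1.*') { return '2008R2' }
    if ($os.Version -like '6.0.*') { return "2008SP$($os.ServicePackMajorVersion)" }
    return 'unsupported'
}

function Get-InstalledHotfixIds {
    # Win32_QuickFixEngineering reports HotFixID values such as "KB949360".
    Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
}

function Get-MissingHotfixes([string]$level, [string[]]$installed, [bool]$rodcs) {
    $missing = @()
    foreach ($fix in $RequiredFixes) {
        if ($fix.RodcOnly -and -not $rodcs) { continue }          # 953392 only matters with RODCs
        if ($fix.NeededOn -notcontains $level) { continue }        # not needed at this SP level
        if ($installed -notcontains $fix.KB) { $missing += $fix }  # required but absent
    }
    return $missing
}

$level = Get-OsLevel
Write-Host "Detected level: $level"
$missing = Get-MissingHotfixes $level (Get-InstalledHotfixIds) $DeployingRodcs.IsPresent
if ($missing.Count -eq 0) {
    Write-Host 'All hotfixes from the table that apply to this level are installed.'
} else {
    foreach ($fix in $missing) { Write-Warning "Missing $($fix.KB): $($fix.Description)" }
}
```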

Troubleshooting errors
This section describes errors in Adprep.exe and Dcpromo.exe. If you encounter an error that is not covered, search site:Microsoft.com: “error description” or post your problem to the following community sites:
• Directory Services (http://go.microsoft.com/fwlink/?LinkId=166141)
• Discussions in microsoft.public.windows.server.active_directory (http://go.microsoft.com/fwlink/?LinkId=166142)

Adprep errors
These sections describe errors for the forestprep, domainprep, and rodcprep commands.

Forestprep errors
• If an error message indicates that the schema operations master is assigned to a deleted domain controller, see the Microsoft Knowledge Base.
• If the error message says “Adprep was unable to extend the schema” or “Adprep failed to verify whether the schema master has completed a replication cycle after last reboot,” verify that the schema master has inbound-replicated the schema partition since the reboot. See Force a replication event with all partners in Forcing Replication (http://go.microsoft.com/fwlink/?LinkId=164668), and run the repadmin /syncall command.

• If the error message says “The callback function failed,” see Adprep was unable to complete because the call back function failed in Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=141249).
• If the error message says “There is a schema conflict with Exchange 2000. The schema is not upgraded.” see article 314649 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164669).
• If the error message says “An attribute with the same link identifier already exists,” see article 969307 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166190).
• For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).

Domainprep errors
1. If the error message says “Adprep detected that the domain is not in native mode,” see Raise the domain functional level (http://go.microsoft.com/fwlink/?LinkId=164669).
2. For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).

Rodcprep errors
1. If Rodcprep fails with the error message “Adprep could not contact a replica for partition <distinguished name for the forest-wide or domain-wide DNS application partition>” that is documented in article 949257 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164670), run the Fixfsmo.vbs script in the same article, and then rerun Rodcprep until it runs successfully.
2. If the error message indicates that the callback function failed, see Adprep was unable to complete because the call back function failed in Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=140285).
3. For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).

Dcpromo errors
1. If the upgrade rolls back without any onscreen error or recorded error in a debug log, verify that you have sufficient free disk space on the volumes that are hosting %systemdrive%, Ntds.dit, and SYSVOL.
2. If an error message says "To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep"…", verify that /forestprep has been run and that the helper domain controller has inbound-replicated /forestprep changes. For more information, see Running adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

3. If an error message says "To install a domain controller into this Active Directory domain, you must first prepare the forest using "adprep /domainprep"…", verify that /domainprep has been run and that the helper domain controller has inbound-replicated /domainprep changes. For more information, see Running adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).
4. If an error message says “the specified user already exists,” delete the stale machine account and verify that the helper domain controller has inbound-replicated that deletion. As an alternative, try another helper domain controller.
5. If an error message says “You cannot install an additional domain controller at this time because the RID master <domain controller name> is offline,” or “You will not be able to install a writable domain controller at this time because the RID master <domain controller name> is offline,” see Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164418).
6. If you see the logging event <unable to obtain local RID pool>, complete the following steps to recover:
a. Verify that the RID master role is assigned to a live domain controller that has successfully inbound replicated the domain directory partition since boot from at least one other domain controller in the same domain. Run NETDOM QUERY FSMO or DCDIAG /TEST:<name of FSMO test>.
b. If the distinguished name path that is returned from the command in the previous step is mangled or assigned to a deleted domain controller, remove the metadata for that domain controller and seize the role to a live domain controller that hosts a writable copy of the domain partition.
c. If the current role holder is the only live domain controller in the domain but its copy of Active Directory refers to domain controllers that no longer exist, remove the stale metadata for those domain controllers, reboot the live domain controller, and retry promotion.
d. For more information, see the Microsoft Knowledge Base.
7. If the system is unable to share SYSVOL, see the Microsoft Knowledge Base.
8. If a warning indicates that there is no static IP address configured for an IPv6 address on a Windows Server 2008 domain controller, click Yes and complete the wizard.
9. If the check box for installing the DNS Server role is unavailable, either the Active Directory domain has a single-label DNS name or Dcpromo.exe cannot discover another Microsoft DNS server in the domain.
10. If you see the error message “The DNS zone could not be created,” see the Microsoft Knowledge Base.
11. If you see the error message “A delegation for this DNS Server cannot be created because the authoritative parent zone cannot be found…. Do you want to continue?”, see the Microsoft Knowledge Base.

12. If Dcpromo fails with an error message that says “Failed to modify the necessary properties for the machine account. Access is denied”, make sure that administrators are granted the Enable computer and user accounts to be trusted for delegation permission in Default Domain Controllers Policy and that the policy has been linked to the Domain Controllers OU. Also make sure that the helper domain controller’s machine account resides in the Domain Controllers OU and that it has successfully applied policy. For more information, see article 232070 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166198).
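The two conditions named in Dcpromo error 12 (Administrators holding the delegation user right, and the helper's machine account sitting in the Domain Controllers OU), checked on the helper domain controller as an added PowerShell example that is not part of the original guide. It assumes PowerShell 2.0, local administrator rights on the helper, and that $HelperName is the helper's NetBIOS name (defaulting to the local computer); Get-DelegationRightHolders and Test-ComputerInDomainControllersOU are the example's own helpers.

```powershell
# Added example (not from the Microsoft guide): pre-checks for the
# "Failed to modify the necessary properties for the machine account.
# Access is denied" condition described above. Run on the helper DC.
# Assumptions: PowerShell 2.0, local administrator rights, $HelperName is
# the helper's NetBIOS name (defaults to this computer).
param([string]$HelperName = $env:COMPUTERNAME)

Add-Type -AssemblyName System.DirectoryServices

function Get-DelegationRightHolders {
    # Export the effective user-rights assignment and read who holds
    # "Enable computer and user accounts to be trusted for delegation"
    # (SeEnableDelegationPrivilege). secedit writes holders as *SID entries.
    $inf = Join-Path $env:TEMP 'userrights-check.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeEnableDelegationPrivilege' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $holders = ($line -split '=', 2)[1].Split(',')
    return $holders | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-ComputerInDomainControllersOU([string]$computerName) {
    # Default Domain Controllers Policy applies to the helper only if its
    # machine account is under the Domain Controllers OU of the domain.
    $domainDn = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$computerName`$))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "No computer account found for $computerName" }
    $dn = [string]$result.Properties['distinguishedname'][0]
    return $dn -like "CN=*,OU=Domain Controllers,$domainDn"
}

$administratorsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
if ((Get-DelegationRightHolders) -contains $administratorsSid) {
    Write-Host 'OK: Administrators hold SeEnableDelegationPrivilege on this domain controller.'
} else {
    Write-Warning 'Administrators lack "Enable computer and user accounts to be trusted for delegation"; check Default Domain Controllers Policy and its link to the Domain Controllers OU.'
}

if (Test-ComputerInDomainControllersOU $HelperName) {
    Write-Host "OK: the machine account of $HelperName is in the Domain Controllers OU."
} else {
    Write-Warning "The machine account of $HelperName is outside the Domain Controllers OU, so Default Domain Controllers Policy will not apply to it."
}

# "Has successfully applied policy": confirm the GPO shows up as applied.
gpresult /scope computer /r | Select-String 'Default Domain Controllers Policy'
```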