Windows AD Domain Upgrade method

Source: Internet
Author: User
Tags administrator password

In the previous blog I talked about the basic concept of network and network reference Model, today we talk about the common technology in enterprises, Windows AD domain, today my notes will focus on the Windows AD Domain upgrade and migration method, through 3 small experiments to configure, the real environment may and virtual machine some differences, Please note that. (Some of the contents refer to Bo's brother brother and the 51CTO Forum on some of the information, configuration verification) if there are errors, please bo friends criticize correct.

Experiment one: Windows Server 2003AD upgrade to Windows SERVERS2008AD

Environment: 1 Windows Server 2003 domain control, domain name benet.com

System: 1 Windows Servers 2003, 1 Windows Server R2

Address: Win ip:192.168.1.253 dns:192.168.1.253

Win ip:192.168.1.254 dns:192.168.1.253

Steps:

1. Use win 03 to build the root domain, benet.com, and add win 08 to the domain

2. Use Win 08 as an additional domain control

(The error reason is win 03 must upgrade the schema to be compatible with win 08.)

2.1 Run the REGSVR schmmgmt.dll command to install the Schema management tool.

Run the MMC command to open the console

2.2 Adding an ISO image, extending the schema

Win 03 Read to mirror

2.3 Input D jump to the disc where the partition D, continue to enter the CD Support\adprep command into the adprep directory.

2.4 Enter the ADPREP32.EXE/FORESTPREP command to upgrade the forest schema, and a adprep warning appears (before running Adprep, verify that all domain controls in the forest are upgraded to Windows Service Pack 4 (SP4) or later) press C to continue.

Run the Adprep32.exe/domainprep extended domain structure (note that you can extend the AD domain before you extend the ad forest.) )

Run Adprep32.exe/domainprep/gpprep and update Group Policy.

Run Adprep32.exe/rodcprep to update the ad's support for the RODC.

Note: The 32-bit version runs adprep32.exe,64-bit version running Adprep.exe

2.5 win 08 successfully configured as an additional domain control

3. The domain level of 2003 cannot be promoted.

4. Change the DNS address of Win 08 to point to itself.

5. Transferring FSMO roles to win 08

Installing the schema Master tool on Win 08

5.1 Use the NETDOM query FSMO command to view the server on which the current 5 host roles reside.

5.2 Use the Ntdsutil command to connect to the server that will be the primary domain control. (Seize host role)

5.3 Use transfer infrastructure master to transfer the fabric master.

5.4 After using the Transfer naming Master,transfer PDC, respectively,

Transferrid Master, Transfer Schema Master transfers other hosts.

5.5 Win 03 FSMO roles are all transferred to win 08

6. Downgrade win 03 to a normal member server

7. Raise the ad domain/forest functional level to win R2

8. Delete win 03 residual data

At this point, Windows Server 2003AD is upgraded to Windows SERVERS2008AD. Verify that low-level domains cannot be joined to a high-tier domain, and that the high domain is compatible with low levels. Validation succeeded.

Lab Two: Windows Server 2003AD upgrade to Windows SERVERS2012AD

See there are many online Windows Server 2003AD upgrade to Windows SERVERS2012AD need to use Windows Server 2008 as a springboard for migration upgrade, feel too much trouble, there is no easy way to Through my notes, you will reap some gains.

Environment: 1 Windows Server 2003 domain control, domain name benet.com

System: 1 Windows Servers 2003, 1 Windows Server R2

Address: Win ip:192.168.1.253 dns:192.168.1.253

Win ip:192.168.1.254 dns:192.168.1.253

Step: (Similar to the previous experiment)

1. Join win 12 to the domain

2. Install the AD Role management tool

3. Attach the Windows Server 2012 CD to the WIN12 server and expand the ad with the WIN12 server. (2012 of the Adprep tools on the WIN03 server are not available, and to prevent accidental occurrences, I have reloaded 1 ISO.) )

4. To avoid errors it is best to log in using Domain Admins and 03 of the domain to be promoted by 03 (default to Windows Server 2000 native mode)

5. Use the command to navigate to the Adprep directory and try to extend it through Adprep.exe/forestprep

6. Open WIN12 Service Manager to locate the Ad DS service interface-point-to-open service post-deployment configuration---Promote this server to a domain controller

Specifies which domain to copy information from. The current environment has only one WIN03 domain controller, so select Win03

7.win 12 successfully configured as an additional domain control

8. Upgrade Win12 to primary domain control

9. So far, our migration has been completed without the need for Windows Server 2008.

If you do not need win 03 to do domain control, use Dcpromo to demote.

10. Upgrade completed, Win 03 down to the member server.

Note: To correct an error here, Windows Server 2003 AD Upgrade 2012 requires 2008 to do the relay for the following reasons: (Borrow Bo friends Dufei view)

For AD DS upgrade, Microsoft recommends using Windows Server 2008 as the transition, as shown in:

The need to do not require Windows Server 2008 mediation, mainly depends on whether to use a read-only domain controller in subsequent environments, if not required, then directly upgrade Windows 2012, there is no problem, if necessary, then need to use Win2008 transition. Another point, because the Preparation tool adprep.exe in Windows Server 2012 only supports 64 systems, but if the source DC is a 32-bit system, there is no way to complete it, so you will use Windows Server 2008 to relay. However, as long as the Windows Server 2008 CD on the source DC can be executed directly, that is, only with the use of Windows Server 2008 32-bit Adprep.exe, in order to prevent accidental occurrence, you must first back up the domain. Remember, there is an accident, no responsibility! In addition, the health of the domain to check, such as Event Viewer, Repadm, Dcdiag and other tools, the problem is not to talk about.

Lab Three: Windows Server 2008AD upgrade to Windows SERVERS2012AD

Environment: 1 Windows Server R2 domain control, domain name seven.com

System: 1 Windows Server r2,1 Windows Server R2

Address: Win ip:192.168.3.253 dns:192.168.3.253

Win ip:192.168.3.254 dns:192.168.3.253

Step: (Similar to the previous experiment)

1. Uninstall the AD Domain service on win 2012

If we don't need a domain controller, how do we handle it? If we let this domain controller disappear directly, then other domain controllers will not know this message, and every other domain controller will also try to make AD replication with this domain controller, the client may also send the user name and password to this non-existent domain controller for verification. Therefore, when we perform a domain controller offload, we prioritize the use of regular uninstallation, to automate the update of SRV records in DNS, and to synchronize messages in other domain controllers.

Tick "Active Directory Domain Services", (note: This is not to really delete the role, only to invoke the downgrade function, because the domain controller is not degraded, the ad service role can not be removed), click the "Delete Features" button.

If the domain controller is the last domain controller, the following uninstall interface is displayed, and the last domain controller in the domain is checked.

Enter the local administrator password after demotion

can also be deleted from the task

Delete AD Domain success

2. Configure the address to join the seven domain

3. Configuration becomes additional domain control (no upgrade schema required)

Through the previous 2 experiments we know that to join a different version of server to a domain or upgrade, you need to prepare the forest schema for it. Steps to prepare the forest schema for Windows Server R2:

    1. Log on to the schema master as an Enterprise Admins, schema Admins, and Domain Admins group memberships.
    2. Insert the Windows Server R2 DVD into the CD or DVD drive. Copy the contents of the \support\adprep folder to the Adprep folder on the schema master.
    3. Open a command prompt, and then change the directory to the Adprep folder.
    4. At the command prompt, type the following, and then press Enter:adprep/forestprep/forest

4. Migrating FSMO to win 12

Win+x Open a command prompt to view the current FSMO role

Open the Schema Host Administration tool and console by using a command

The previous transfer host roles are all commands, and the following will use the graphical interface to transfer the host.

Transferring domain-wide hosts

Transfer forest-scoped hosts

Migrating FSMO to win 12 complete

5. Downgrade the win 08 to the member server.

6.Windows Server 2008AD successfully upgraded to Windows SERVERS2012AD

Summary: Through the previous 3 experiments, we know that the Windows AD domain upgrade, 1 is to raise the domain and forest level;

(after 08 version not) 2 is configured for additional domain control, 3 is to insert ISO image, transfer FSMO (can transfer not occupy);

4 is to demote the original domain to a member server, 5 is to raise the domain or forest functional level, configuration is complete.

Note: If you want to upgrade the original domain, you can only transfer the FSMO, install the ISO image, and synchronize with the global catalog.

Appendix: Theoretical knowledge of the FSMO.

Operations master (domain controllers that assume different roles)

1. Concept:

Windows NT4.0 (Single master replication)

PDC: Modify AD Database BDC: Read AD Database

After Windows Server 2000 (multi-master replication)

All DCs can modify the contents of the ad database, and the modified content will be copied to other DCs

In a Windows domain, the role of a domain controller does not depend on whether it is the first domain controller in the network, but on the distribution of the five roles in the network, depending on the FSMO (Flexible single master operation, flexible one-host operation).

2. Role:

Forest-wide, schema master, and domain naming master (naming master), each of the roles in the forest must be unique.

Schema master: Used to control all object and attribute definitions in the entire forest of an ad. Schemas are extensible, such as deploying Exchange servers and upgrading domain controls, and the schema master is forest-based and can have only one schema master in the entire forest.

To extend the schema, you must have Schema Admins group permissions, by default, the domain administrator has Schema Admins group permissions.

Domain naming master: Controls the addition or deletion of domains in the forest to prevent duplicate domain names in the forest and only one domain naming master in the entire forest.

Domain-wide, primary domain controller (PDC) emulation host (emulator master). Relative ID (RID) Master and Infrastructure (infrastructure) hosts, each domain must have a unique role.

PDC Emulation host: Responsible for intra-domain time synchronization (5min). Minimize Password change replication wait time (5min) and support for Windows 2000 systems.

RID master: Assigns a sequence of relative IDs to each domain controller in the domain. Create a user every time that the domain controller is created. Group or Computer object, it assigns a unique security ID (SID) to the object. The SID contains a "domain" sid (which is the same as all SIDS created in the domain) and a RID (which is unique to each SID created in the domain).

Infrastructure Master: Responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data to the data of the global catalog.

Use the infrastructure master to be aware of:

If the infrastructure master and the global catalog are in the same domain controller, the infrastructure master does not run. The infrastructure master never looks at stale data and never replicates any changes to the domain and other domain controllers.

If all domain controllers in the domain have global catalogs, all domain controllers will have the latest data.

The infrastructure master is also responsible for updating the group-to-user reference when renaming or changing the members of the organization.

3. Transferring and seizing operations master roles

Transfer: Assuming that the domain control and target domain control of the operations master role are online, the domain control that assumes the operations master role needs to be degraded, and the process of transferring the operations master role is reversible.

Occupancy: The domain control that assumes the operations master role fails and cannot be recovered in the short term and cannot be transferred.

Note: Do not occupy when you can transfer, the transfer is more secure than the operation.

Schema master. Domain naming master. After the RID master role is occupied, never connect the domain controller that originally played the role to the network.

Here today, if there is any mistake, please correct me, thank you.

Windows AD Domain Upgrade method

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.