Forklift 2008: Replace 2003 Domain Controller with 2008 R2 Using the Same Name

Howto

WANT AN UPDATE TO THIS GUIDE?

If you’d like me to update this guide for Server 2012 R2 and beyond, or to see a similar guide for SQL Server, drop a comment at the bottom of this page and let me know.

This document details the procedure for replacing an original domain controller running Windows Server 2003 (Windows 2000 Server also works; referred to in this document as SOURCE) with another server running Windows Server 2008 R2 (referred to in this document as DESTINATION, and as the NEW server once it has been renamed). During this procedure you will need a third server for temporary use (referred to in this document as TRANSITIONAL) – normally, this server is introduced in the form of a virtual machine, but a physical machine is also acceptable.

NOTE: this document assumes that forest operations (adprep /forestprep and /rodcprep, raising the forest functional level) are performed by an account that is a member of Schema Admins, Enterprise Admins and Domain Admins in the forest root domain, that domain operations (adprep /domainprep, DCPROMO, FSMO transfers) are performed by a member of Domain Admins, and that all local operations are performed by a member of the Administrators group local to the targets in question. Take the account out of Schema Admins again as soon as the schema work is done; that group should normally be empty.

dcforklift-updated-2008R2 in Microsoft Word Format

Pre-migration Tasks

  • Create a standalone server running the same OS version as the replacement server (here Windows Server 2008 R2). This server will be TRANSITIONAL
  • On the SOURCE server, install the Windows Support Tools from the SUPPORT\TOOLS folder on the Windows Server 2003 CD. That is where netdiag, dcdiag, repadmin and netdom come from on 2003; on 2008 R2, dcdiag, repadmin and netdom are built in and netdiag no longer exists
  • Take a system state backup of SOURCE now, before adprep touches the schema; a schema extension cannot be undone
  • Test the SOURCE server for problems
    • Click Start, Programs, Windows Support Tools, and click Command Prompt.
    • From the command line, enter the command netdiag, and address any problems that are listed
    • From the command line, enter the command dcdiag, and address any problems that are listed
  • Fill out FILE SHARE and PRINTER worksheets using information from SOURCE

File Shares Worksheet

One row per share on SOURCE; record the following columns for each (the original worksheet provides four blank rows):

SHARE NAME | LOCATION ON DISK | SHARE PERMISSIONS | NTFS PERMISSIONS | COMMENT | CACHING

Printer Shares Worksheet

One row per printer on SOURCE; record the following columns for each (the original worksheet provides four blank rows):

PRINTER NAME | DRIVER | IP ADDRESS | PORT | SHARE NAME | COMMENTS | PRINTER OPTIONS

Migration Steps

On the SOURCE server, insert the Server 2008 R2 installation media (or browse to the shared files), open a command prompt, change to the D:\support\adprep folder and run adprep32 /forestprep. adprep32.exe is the 32-bit build for a 32-bit 2003 server; on an x64 2003 server use adprep.exe. /forestprep must be run on the schema master by a member of Schema Admins and Enterprise Admins; in a single-DC domain that is SOURCE.

adprep warns that the schema change is irreversible and asks you to confirm. Type C and press ENTER to continue. Afterwards, confirm the schema version actually replicated before promoting anything: dsquery * cn=schema,cn=configuration,dc=vmdomain,dc=local -scope base -attr objectVersion should report 47 (the Server 2008 R2 schema).

If it has not already been done, use Active Directory Domains and Trusts to raise the forest functional level to Windows Server 2003. adprep /rodcprep requires it. Raising the level is permanent and excludes any remaining Windows 2000 domain controllers, so confirm none are left first.

Run adprep32 /domainprep, followed by adprep32 /domainprep /gpprep (/gpprep is a switch on domainprep; running domainprep twice is harmless). These run on the infrastructure master as a Domain Admin; again, SOURCE in a single-DC domain.

On SOURCE, run adprep32 /rodcprep. It is only required if you ever intend to deploy read-only domain controllers, but it is cheap to do now while you have the rights. Run dcdiag once more when adprep is finished.

Join the TRANSITIONAL server to the domain

On the SOURCE server, export the DHCP database (configuration and leases) using the following Net Shell command. The last argument is a space-separated list of scopes to export, or the word all:

netsh dhcp server export c:\dhcpdb 192.168.40.0

Shut down DHCP on the SOURCE server (net stop dhcpserver). Do this before the new server starts answering; two authoritative servers for the same scope will hand out conflicting leases.

Install DHCP on the TRANSITIONAL server

You will get an error after the selection of Global Catalog prior to the promotion. See http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23473042.html

Copy the DHCP database backup from \\[SOURCE]\c$ to c:\ on the TRANSITIONAL server

Import the DHCP database from the backup (the DHCP service must be running, and the scope must not already exist on TRANSITIONAL):

netsh dhcp server import c:\dhcpdb 192.168.40.0

On TRANSITIONAL, net stop dhcpserver

On TRANSITIONAL, net start dhcpserver

Open dhcpmgmt.msc and confirm that your scopes, reservations and options migrated, and that TRANSITIONAL shows as authorized (netsh dhcp show server lists the servers authorized in Active Directory; an unauthorized DHCP server in a domain does not issue leases). If so, set the startup type of the DHCP service on SOURCE to DISABLED
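The DHCP move above (and the same move back to the NEW server later in the guide), as an added PowerShell example that is not part of the original guide. It wraps the guide's netsh export/import in the checks a practitioner wants: the export file must actually appear, the old server's service is stopped and disabled before the new one starts answering, the scope table after import is compared with the one captured before export, and the new server's Active Directory authorization is checked. The scope 192.168.40.0 and the path C:\dhcpdb are the guide's values; the parser assumes the usual one-row-per-scope text layout of "netsh dhcp server show scope". Run Export-DhcpScopes on the old server, copy the two files it names across, then run Import-DhcpScopes on the new one.

```powershell
# Added example (not from the original guide). PowerShell 2.0, run elevated on each server.
# Scope and file path are the guide's values; set $ScopeList = 'all' to move every scope.
$ScopeList = '192.168.40.0'
$DbFile    = 'C:\dhcpdb'

function Get-DhcpScopeTable {
    # Parses "netsh dhcp server show scope" rows such as
    #  " 192.168.40.0   - 255.255.255.0  -Active        -Main LAN            -"
    # into objects so the scope list can be compared before and after the move.
    foreach ($line in (netsh dhcp server show scope)) {
        if ($line -match '^\s*(\d+\.\d+\.\d+\.\d+)\s+-\s*(\d+\.\d+\.\d+\.\d+)\s+-\s*(\w+)') {
            New-Object PSObject -Property @{ Scope = $matches[1]; Mask = $matches[2]; State = $matches[3] }
        }
    }
}

function Export-DhcpScopes {
    # Run on the OLD DHCP server (SOURCE, later TRANSITIONAL). Records the scope table,
    # exports configuration and leases, then stops AND disables the service so that two
    # authoritative servers never answer for the same scope.
    $scopes = @(Get-DhcpScopeTable)
    if ($scopes.Count -eq 0) { throw 'no scopes found on this server; nothing to export' }
    if (Test-Path $DbFile) { Remove-Item $DbFile }      # netsh will not overwrite an existing file
    $scopes | Export-Csv "$DbFile.scopes.csv" -NoTypeInformation
    netsh dhcp server export $DbFile $ScopeList | Out-Null
    if (-not (Test-Path $DbFile)) { throw "export failed: $DbFile was not written" }
    Stop-Service DHCPServer
    Set-Service DHCPServer -StartupType Disabled
    "exported $ScopeList to $DbFile; copy $DbFile and $DbFile.scopes.csv to the new server"
}

function Import-DhcpScopes {
    # Run on the NEW DHCP server after the role is installed and both files are copied over.
    # The service must be running for import, and the scope must not already exist here.
    Start-Service DHCPServer
    netsh dhcp server import $DbFile $ScopeList | Out-Null
    Restart-Service DHCPServer        # the guide's net stop / net start after import
    $before = @(Import-Csv "$DbFile.scopes.csv")
    $after  = @(Get-DhcpScopeTable)
    foreach ($s in $before) {
        if (-not ($after | Where-Object { $_.Scope -eq $s.Scope -and $_.State -eq $s.State })) {
            throw "scope $($s.Scope) is missing or not $($s.State) after import"
        }
    }
    # Only DHCP servers authorized in Active Directory serve leases in a domain; warn if this
    # host is not in the list (netsh dhcp add server <fqdn> <ip> authorizes it).
    $me = [System.Net.Dns]::GetHostName()
    if (-not (netsh dhcp show server | Select-String -SimpleMatch $me)) {
        Write-Warning "$me is not an authorized DHCP server; authorize it before clients need leases"
    }
    "$($before.Count) scope(s) present and in the expected state on $me"
}
```

The authorization check matters at the end of the guide as well: when TRANSITIONAL is retired, remove it from the authorized list (netsh dhcp delete server <fqdn> <ip>) so that nothing that later comes up with its name can serve leases.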

PROMOTE TRANSITIONAL

On TRANSITIONAL, run DCPROMO (select DNS server and Global Catalog when the wizard offers them)

Reboot TRANSITIONAL

On TRANSITIONAL, confirm proper Active Directory operation and allow adequate time for data to replicate

On TRANSITIONAL, open NTDSUTIL and transfer the five FSMO roles. Each transfer asks for confirmation in a graphical dialog:

    ntdsutil
    roles
    connections
    connect to domain [domain.fqdn]
    connect to server [transitional.domain.fqdn]
    quit
    transfer pdc
    transfer rid master
    transfer infrastructure master
    transfer naming master
    transfer schema master
    quit
    quit

NOTE: "transfer naming master" is the 2008/2008 R2 spelling; the Windows Server 2003 ntdsutil calls the same command "transfer domain naming master". A transfer needs the current holder online; "seize" is only for a holder that is permanently gone, and a seized role's old holder must never come back on the network.

On SOURCE, check directory services logs to confirm that the changes took place as originated from the other server. This step helps prevent you from following false information reported by a server that has fallen out of replication. Initiating the sequence from one server and checking the result from another helps confirm that both servers have a consensus.
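The role transfer and the consensus check above, as an added PowerShell example that is not part of the original guide, for the 2008 R2 side of the migration (TRANSITIONAL, and later NEW, where the ActiveDirectory module is available; SOURCE is 2003 and is still checked with netdom query fsmo as the guide says). It moves all five roles with Move-ADDirectoryServerOperationMasterRole, which performs the same transfer as the ntdsutil commands, and then asks every domain controller separately where it believes the roles are and fails unless all of them agree, which is the guide's rule of confirming the result from the other server made mechanical. The same two functions serve the transfer back to the NEW server later in the guide. Hostnames in the usage lines follow the guide's vmdomain.local naming.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell on a 2008 R2 DC.
Import-Module ActiveDirectory

function Get-FsmoView {
    # Asks ONE domain controller which DCs it believes hold the five operations master roles.
    param([string]$Dc)
    $d = Get-ADDomain -Server $Dc
    $f = Get-ADForest -Server $Dc
    New-Object PSObject -Property @{
        AskedDc        = $Dc
        PDCEmulator    = $d.PDCEmulator
        RIDMaster      = $d.RIDMaster
        Infrastructure = $d.InfrastructureMaster
        SchemaMaster   = $f.SchemaMaster
        DomainNaming   = $f.DomainNamingMaster
    }
}

function Move-AllFsmoRoles {
    # Transfers (not seizes: no -Force) all five roles to $Target, e.g. 'transitional.vmdomain.local'.
    # The current holders must be online, which is exactly the situation in a planned move.
    param([string]$Target)
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -Confirm:$false `
        -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
}

function Test-FsmoConsensus {
    # Queries EVERY DC in the domain and throws unless all of them report $Expected for all roles.
    # A DC that disagrees has not replicated the change yet, or has fallen out of replication.
    param([string]$Expected)
    $roles = 'PDCEmulator', 'RIDMaster', 'Infrastructure', 'SchemaMaster', 'DomainNaming'
    $dcs   = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })
    $views = @($dcs | ForEach-Object { Get-FsmoView $_ })
    $views | Format-Table AskedDc, PDCEmulator, RIDMaster, Infrastructure, SchemaMaster, DomainNaming -AutoSize |
        Out-String | Write-Host
    $disagree = @()
    foreach ($v in $views) {
        foreach ($r in $roles) {
            if ($v.$r -ne $Expected) { $disagree += "$($v.AskedDc) reports $r = $($v.$r)" }
        }
    }
    if ($disagree.Count -gt 0) {
        throw ("no consensus yet (wait, or run repadmin /syncall and retry):`n" + ($disagree -join "`n"))
    }
    repadmin /replsummary | Write-Host       # replication health, the tool the guide leans on
    "all $($dcs.Count) DC(s) agree that $Expected holds all five roles"
}

# Usage, in the order the guide does it:
# Move-AllFsmoRoles  'transitional.vmdomain.local'
# Test-FsmoConsensus 'transitional.vmdomain.local'
```

Do not proceed to demote anything while Test-FsmoConsensus throws; a DC that still believes it holds a role and is then demoted leaves you seizing roles instead of transferring them.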

On SOURCE, open dssite.msc, navigate to NTDS Settings, and make SOURCE no longer a global catalog server.

On TRANSITIONAL, point the DNS client to TRANSITIONAL's own address, by updating the TCP/IP configuration in NCPA.CPL. NOTE: clients that obtained IP addresses (and DNS client information) by means of DHCP still point at SOURCE's address. That resolves itself when NEW takes over SOURCE's address at the end of the procedure, but until then those clients lose name resolution the moment SOURCE is demoted. Either keep that window short, temporarily add TRANSITIONAL's address to the scope's DNS Servers option (006) on the DHCP server, or change SOURCE's IP address to something new, update its DNS host records, and add the original IP address from SOURCE to TRANSITIONAL. This guide assumes all operations will be performed in sequence and without significant pauses.

Monitor replication between SOURCE and TRANSITIONAL while the addressing changes. On SOURCE (2003) open REPLMON, add both servers and watch CN=Schema,CN=Configuration,DC=[domain],DC=[tld].

NOTE: replmon is no longer available on 2008 (http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx explains why). From TRANSITIONAL use repadmin /replsummary for an overview of every partner and repadmin /showrepl [dc] for each partition's last successful sync and any error codes.

If both servers are replicating properly, and there are no significant DNS or Directory Services problems, demote SOURCE. NOTE: DO NOT check the “this is the last server in the domain” option.

Restart SOURCE and monitor logs to confirm that SOURCE is no longer participating in the DOMAIN

Disjoin SOURCE from the domain, restart, and then shut SOURCE down. Before the name is reused, delete the computer object SOURCE left behind in Active Directory Users and Computers (disjoining only disables it; if it is still there when NEW joins under the same name, the join reuses it and NEW inherits its SID, group memberships and any delegation settings). Also check dnsmgmt.msc, including the _msdcs zone, for SRV records that still name SOURCE; a clean demotion removes them, but verify. The A and PTR records for the name and address can stay, since NEW will take both over.

Rename DESTINATION to the name of the ORIGINAL server (in this example, DATASERVER). From here on, DESTINATION is referred to as the NEW server.

Reboot the new server

Do a quick check of the domain before joining: on TRANSITIONAL, netdom query fsmo should list TRANSITIONAL for every role and dcdiag should report no failures.

Join the domain and reboot the NEW server

Log on to the DOMAIN after the reboot.

Configure the NEW server using the ORIGINAL server’s IP address, but point DNS to the TRANSITIONAL server

Promote the NEW server to a domain controller with DCPROMO (select DNS server and Global Catalog)

Note the warnings here. The cryptography warning refers to MS KB article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751): Server 2008 and 2008 R2 domain controllers no longer accept the weak, Windows NT 4.0-compatible Netlogon secure-channel algorithms by default. Leave that default alone unless you still have NT 4.0-era clients or devices that need it; if you must relax it, do so through the "Allow cryptography algorithms compatible with Windows NT 4.0" policy and record it so it can be removed later.

The wizard also asks for a Directory Services Restore Mode (DSRM) password. Don't forget this password. It's important and you'll need it to restore AD if necessary at a later time: it is the only credential that works when the DC is booted into DSRM. Store it in your password safe; it can be changed later with ntdsutil "set dsrm password".

Add the DHCP role to the NEW server

Accept the defaults on all options. We will be replacing the configuration options soon.

On TRANSITIONAL SERVER, export the DHCP database to a file, and shut down DHCP Services:

netsh dhcp server export c:\dhcpdbNew 192.168.40.0
net stop dhcpserver

Copy the backup file from \\TRANSITIONAL\c$\dhcpdbNew to c:\ on the NEW server

NOTE: in this step, for me the process kept erroring out. I had to use the CLI to get the operation done.

netsh
dhcp server
import c:\dhcpdbNew 192.168.40.0

Point DNS client on NEW server to itself

On the NEW server, execute ipconfig /flushdns and ping vmdomain.local. Check the Directory Services log for any problems.

Transfer roles to the NEW server using NTDSUTIL

Issue NETDOM QUERY FSMO on both NEW and TRANSITIONAL servers to confirm consensus

Check Directory Services logs for any errors before proceeding

Confirm that the NEW server is a Global Catalog (dssite.msc, NTDS Settings properties). It should be if you selected that option during DCPROMO

NOTE: If you are enabling this for the first time, wait at least 5 minutes before proceeding to the next step; the Directory Service log reports when the server has become a global catalog.

On the NEW server, open dssite.msc, open the NTDS Settings properties for TRANSITIONAL and clear the Global Catalog checkbox to remove the global catalog function from the TRANSITIONAL SERVER. Perform this action from the NEW server, and confirm it from the TRANSITIONAL server. Seeing the change arrive on the other DC confirms that replication is working properly.

Confirm in the Event log as well as in Active Directory Sites and Services

Configure the TRANSITIONAL server to point to the NEW server for DNS. We will begin backing TRANSITIONAL out of the domain now

Ipconfig /flushdns and ping vmdomain.local

If it resolves to the TRANSITIONAL server, we need to update DNS records

On NEW server, issue ipconfig /registerdns.

On TRANSITIONAL server, issue ipconfig /flushdns, and ping the FQDN of the domain again. It should resolve to the IP address of the NEW server. If it does not, you can manually update DNS records from dnsmgmt.msc. At this point, we just need to get the DOMAIN resolving properly and make sure the involved domain controllers resolve properly. We will be returning to dnsmgmt.msc to clean up DNS after demoting TRANSITIONAL.

Run DCPROMO on TRANSITIONAL to demote it. As with SOURCE, DO NOT check the "last domain controller in the domain" option. The wizard asks for a new local Administrator password; choose one you will still have later, because you'll need it to log in locally after disjoining from the domain.

Complete the wizard and reboot.

From Server Manager, click Remove Roles, and deselect DNS Server and DHCP Server.

Reboot TRANSITIONAL when prompted.

Wait for configuration changes to complete on TRANSITIONAL, and reboot TRANSITIONAL again

Disjoin TRANSITIONAL from the domain and reboot.

Shut down TRANSITIONAL server.

On NEW server, open dssite.msc and remove reference to TRANSITIONAL

In dnsmgmt.msc, remove references to TRANSITIONAL in all zones, including the _msdcs zone and any reverse lookup zones. Before deleting an SRV record, make sure a matching record pointing at the NEW server exists; if not, run ipconfig /registerdns on NEW first.

Check DNS and Directory Services logs for problems.
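The DNS and metadata clean-up above (removing TRANSITIONAL from every zone, including _msdcs, and from Sites and Services), as an added PowerShell example that is not part of the original guide. It uses the WMI DNS provider that ships with the DNS role on 2008 R2, because that release has no DnsServer PowerShell module, and the ActiveDirectory module for the directory side. It lists every record that still names the retired DC or its address, marks whether another record of the same name and type already points at a surviving server (the ipconfig /registerdns step on NEW should have created those), refuses to delete a record that nothing else provides, and lists any server, NTDS Settings or DC-flagged computer objects that a clean demotion should have removed. Nothing is deleted unless you pass -Delete. The hostname follows the guide's naming; the address 192.168.40.11 is an assumed value for TRANSITIONAL.

```powershell
# Added example (not from the original guide). Elevated PowerShell on the surviving 2008 R2 DC.
Import-Module ActiveDirectory

function Get-StaleDnsRecords {
    # Every record on this DNS server, in any zone (forward, reverse, _msdcs), that still
    # points at the retired DC by name or address. Covered = another record with the same
    # owner name and type exists that does NOT reference the retired host (a surviving DC).
    param([string]$RetiredFqdn, [string]$RetiredIp)
    $all = @(Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_ResourceRecord)
    foreach ($r in $all) {
        # The SOA names whichever DC you query as primary; edit it if needed, never delete it.
        if ($r.__CLASS -eq 'MicrosoftDNS_SOAType') { continue }
        $byName = ($r.OwnerName -eq $RetiredFqdn) -or ($r.RecordData -like "*$RetiredFqdn*")
        $byIp   = ($RetiredIp -ne '') -and ($r.RecordData -eq $RetiredIp)
        if (-not ($byName -or $byIp)) { continue }
        $others = @($all | Where-Object {
            $_.OwnerName -eq $r.OwnerName -and $_.__CLASS -eq $r.__CLASS -and
            $_.RecordData -ne $r.RecordData -and $_.RecordData -notlike "*$RetiredFqdn*" })
        New-Object PSObject -Property @{
            Zone    = $r.ContainerName
            Name    = $r.OwnerName
            Type    = ($r.__CLASS -replace '^MicrosoftDNS_', '') -replace 'Type$', ''
            Data    = $r.RecordData
            Covered = ($r.OwnerName -eq $RetiredFqdn) -or ($others.Count -gt 0)
            Wmi     = $r
        }
    }
}

function Get-StaleDcObjects {
    # Objects that a graceful DCPROMO demotion removes; anything left means metadata cleanup
    # (ntdsutil "metadata cleanup") or deleting the server object in dssite.msc.
    param([string]$RetiredShortName)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    @(Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$RetiredShortName))" -SearchBase $cfg) +
    @(Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $cfg |
        Where-Object { $_.DistinguishedName -like "*,CN=$RetiredShortName,CN=Servers,*" }) +
    @(Get-ADComputer -LDAPFilter "(&(cn=$RetiredShortName)(userAccountControl:1.2.840.113556.1.4.803:=8192))")
}

function Remove-RetiredDc {
    param([string]$Fqdn, [string]$Ip = '', [switch]$Delete)
    $short = $Fqdn.Split('.')[0]
    $stale = @(Get-StaleDnsRecords -RetiredFqdn $Fqdn -RetiredIp $Ip)
    $stale | Format-Table Zone, Name, Type, Data, Covered -AutoSize | Out-String | Write-Host
    foreach ($o in @(Get-StaleDcObjects $short)) {
        Write-Warning "AD still references $short; clean metadata: $($o.DistinguishedName)"
    }
    if (-not $Delete) { return "$($stale.Count) stale record(s); rerun with -Delete to remove the covered ones" }
    $removed = 0
    foreach ($s in $stale) {
        if (-not $s.Covered) {
            Write-Warning "keeping $($s.Type) $($s.Name): no surviving server provides it; run ipconfig /registerdns on the new DC first"
            continue
        }
        Remove-WmiObject -InputObject $s.Wmi
        $removed++
    }
    "removed $removed of $($stale.Count) record(s)"
}

# Usage (hostname is the guide's; the address is an assumed value for TRANSITIONAL):
# Remove-RetiredDc -Fqdn 'transitional.vmdomain.local' -Ip '192.168.40.11'           # report only
# Remove-RetiredDc -Fqdn 'transitional.vmdomain.local' -Ip '192.168.40.11' -Delete   # remove
```

Run it in report mode first and read the Covered column: an uncovered _ldap or _kerberos SRV record means the NEW server has not registered yet, and deleting it would leave clients with no DC to find.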

You’re almost done! At this point you should have a server on new hardware, running a new operating system, with the same domain you had before you started. Group Policy Objects, Usernames, Groups, and most other Active Directory elements should have remained intact. Additionally, you should have NO NEED to visit workstations. The last steps you need to perform are to follow the worksheets and install your system applications and services, restore your data, shares, and printers. Then start up all services and make sure you can reboot.

Things to fix:

Printing. Server 2008’s printing will work differently, and it would be a good idea to set up scripts to remove the old printer connections from your workstations, and to add the new printer connections to them so you don’t have to visit any more workstations than necessary for the purposes of setting up printers. I believe printing should be one of the only things to require a visit to a workstation.

Shares and permissions. If you used backup software, restoring permissions is easy. If you manually printed out ACLs then you’re in for a long night, but you should be able to duplicate your file structure exactly.

Desktop applications

Roaming profiles. This is a dodgy one. Profiles changed dramatically in the new OS (Vista/2008 and later keep roaming profiles in a separate folder with a .V2 suffix), so the first logon to the new server will not pick up an existing XP-format profile, and behaviors may change when you log on for the first time.

SMB packet signing and authentication settings. Domain controllers require SMB signing by default ("Microsoft network server: Digitally sign communications (always)" in the Default Domain Controllers Policy), and 2008 R2 also defaults to sending NTLMv2 responses only (LmCompatibilityLevel 3). This is especially important when dealing with older workstations running Windows XP: make the clients comply (XP signs when the server requires it, and XP SP3 speaks NTLMv2) rather than relaxing the DC. SMB on 2008 R2 has no encryption option; signing is the only integrity control available, so do not switch it off to accommodate an old client.
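The signing and authentication settings above, as an added PowerShell check that is not part of the original guide. It reads the registry values behind the relevant security policies on whichever machine it runs on (a 2008 R2 DC, or an XP SP3 workstation with PowerShell 2.0 installed) and reports which ones sit below the 2008 R2 domain-controller posture. The expected values are my assumptions encoding that posture (server signing required, client signing enabled, NTLMv2 only, no LM hashes stored); if a check fails, fix it through Group Policy rather than by writing to the registry, because policy overwrites the registry at the next refresh.

```powershell
# Added example (not from the original guide). Read-only; run elevated in PowerShell 2.0.
$Checks = @(
    @{ Setting = 'Server: digitally sign communications (always)';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Value = 'RequireSecuritySignature'; Expect = 1 },
    @{ Setting = 'Server: digitally sign communications (if client agrees)';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Value = 'EnableSecuritySignature'; Expect = 1 },
    @{ Setting = 'Client: digitally sign communications (if server agrees)';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';
       Value = 'EnableSecuritySignature'; Expect = 1 },
    @{ Setting = 'LAN Manager authentication level (3 = send NTLMv2 only)';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Value = 'LmCompatibilityLevel'; Expect = 3; AtLeast = $true },
    @{ Setting = 'Do not store LAN Manager hash value';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Value = 'NoLMHash'; Expect = 1 }
)

function Get-SmbAuthPosture {
    # Returns one object per check. Actual = $null means the value is absent and the
    # OS built-in default applies (which differs between XP, 2003 and 2008 R2), so that
    # is reported as a failure to review, not as a pass.
    foreach ($c in $Checks) {
        $actual = $null
        $props = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($props -ne $null) { $actual = [int]$props.($c.Value) }
        if ($actual -eq $null) { $ok = $false }
        elseif ($c.AtLeast)    { $ok = $actual -ge $c.Expect }
        else                   { $ok = $actual -eq $c.Expect }
        New-Object PSObject -Property @{
            Setting = $c.Setting; Actual = $actual; Expected = $c.Expect; OK = $ok }
    }
}

function Test-SmbAuthPosture {
    # $true only when every check passes; prints the table either way.
    $rows = @(Get-SmbAuthPosture)
    $rows | Format-Table Setting, Actual, Expected, OK -AutoSize | Out-String | Write-Host
    @($rows | Where-Object { -not $_.OK }).Count -eq 0
}

Test-SmbAuthPosture
```

Run it on the NEW server and on a sample XP workstation before users come back; the two tables tell you whether a failing logon or share mapping is a signing mismatch or an NTLM level mismatch, which are fixed in different policies.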

Virus Protection

Backup – make sure you get a backup of your server from this point forward!

I hope this guide has been a help to you. It goes without saying that this information is provided AS-IS with NO WARRANTY expressed or implied, and that you use this information at your own risk. I am in no way liable for any damage to your systems resulting from the use of this information.

How to Transfer a Windows Domain Controller to New Hardware (DC FORKLIFT)

Howto

I wrote this whitepaper up for use at work and thought the community at large could benefit from it. It’s all kind of dated information now with Server 2008 coming into the mainstream but I figure it can’t hurt to have it out there.
Click here for the document in Microsoft Word format: dcforklift-updated.doc

Update December 11, 2010: See the updated version to transfer your domain controller to Server 2008 R2 x64 from Server 2003.

How to Transfer a Windows 2000 or 2003 Domain Controller to New Hardware

This document details the procedure for replacing an original domain controller running Windows 2000 Server or higher (referred to in this document as SOURCE) with another server running Windows 2000 Server or higher (referred to in this document as DESTINATION). During this procedure you will need a third server for temporary use (referred to in this document as TRANSITIONAL) – normally, this server is introduced in the form of a virtual machine, but a physical machine is also acceptable.

NOTE: if you experience replication problems you can track replication process using REPLMON

NOTE: this document assumes that forest operations (adprep /forestprep) are performed by an account that is a member of Schema Admins and Enterprise Admins, that domain operations (adprep /domainprep, DCPROMO, FSMO transfers) are performed by a member of Domain Admins, and that all local operations are performed by a member of the Administrators group local to the targets in question.

Pre-migration Tasks

  • Create a standalone server running the same OS version as the replacement server. This server will be TRANSITIONAL

  • On SOURCE and DESTINATION servers, install the Windows Support Tools from the SUPPORT\TOOLS folder on the respective operating system CDs.

  • Test the SOURCE server for problems

    • Click Start, Programs, Windows Support Tools, and click Command Prompt.

    • From the command line, enter the command netdiag, and address any problems that are listed

    • From the command line, enter the command dcdiag, and address any problems that are listed

  • Fill out FILE SHARE and PRINTER worksheets using information from SOURCE

Migration Tasks

  • Install the DHCP and DNS service on DESTINATION

    • start, run, appwiz.cpl

    • select Windows Components (varies by OS version)

    • select Networking Services

    • select DHCP services or Dynamic Host Configuration Protocol service

    • select DNS services or Domain Naming Server service

    • finish the setup wizard and supply the OS CD if prompted

  • If upgrading to a higher operating system version or revision, prepare the Schema in the existing Forest/Domain for the introduction of the new OS. Run /forestprep on the schema master and /domainprep on the infrastructure master of each domain (in a single-DC domain that is SOURCE), and take a system state backup first: a schema extension cannot be undone.

    • If upgrading from 2000 to 2003, make sure every Windows 2000 DC is at SP4 (or at least SP2 plus the adprep prerequisite hotfix) first, then put the 2003 CD in one of the 2000 DCs and go to a command line.

      • switch to the CD drive, and change to the i386 directory

      • enter the command adprep /forestprep

      • enter the command adprep /domainprep

      • if upgrading to 2003 R2, put the 2003 R2 Disc 2 CD into one of the 2000 DCs and go to a command line.

        • switch to the CD drive, and change to the CMPNENTS\R2\ADPREP directory

        • enter the command adprep /forestprep

        • enter the command adprep /domainprep (R2 only changes the schema, so this is not required, but running it again is harmless)

    • if upgrading from 2003 to 2003 R2, put the 2003 R2 Disc 2 CD into one of the 2003 DCs and go to a command line

      • switch to the CD drive, and change to the CMPNENTS\R2\ADPREP directory (the R2 adprep lives there, not under i386)

      • enter the command adprep /forestprep

      • enter the command adprep /domainprep (again, optional for R2)

    • perform another netdiag and dcdiag from the original domain.

  • join TRANSITIONAL to the domain, reboot

  • Export the DHCP database on SOURCE

    • consult MS KB article 325473 for exact documentation on how to move the database to a dissimilar OS version.

    • if you are moving to the same OS version:

      • on SOURCE, net stop “dhcp server”

      • on SOURCE, copy %systemroot%\dhcp to %systemroot%\dhcp on DESTINATION

      • on DESTINATION, net start “dhcp server”

  • run DCPROMO on TRANSITIONAL to promote to a domain controller, and reboot

  • on TRANSITIONAL, go to start, run, dssite.msc

    • browse Sites\Default-First-Site-Name\Servers\TRANSITIONAL\NTDS Settings

    • right-click NTDS Settings in the tree, and click properties

    • check the box next to Global Catalog

    • click start, run eventvwr

      • browse to the Directory Services log and watch for the event reporting that this server is now a global catalog (event ID 1119). You occasionally will see an event reporting that the process will be delayed 5 minutes; if you see this, wait 5 minutes and check for the above message

  • transfer FSMO roles to TRANSITIONAL

    • on TRANSITIONAL, go to a command line and enter the command NTDSUTIL

    • in NTDSUTIL, enter roles

    • enter connections

    • enter connect to domain [yourdomain.tld] (where yourdomain.tld represents your actual fully qualified domain name)

    • enter connect to server [TRANSITIONAL.yourdomain.tld]

    • enter quit

    • enter transfer pdc

    • enter transfer schema master

    • enter transfer infrastructure master

    • enter transfer rid master

    • enter transfer domain naming master

    • enter quit

    • enter quit

  • on both SOURCE and TRANSITIONAL, enter NETDOM query fsmo from the command line, and verify that both servers report that all roles now reside on TRANSITIONAL. it is a good idea to force replication and follow replication process using AD Sites and Services, and REPLMON.

  • DO NOT PROCEED UNTIL YOU ARE CERTAIN THAT ALL DCs ARE AWARE OF THE ROLE TRANSFER

  • on SOURCE, go to start, run dssite.msc

    • browse to Sites\Default-First-Site-Name\Servers\SOURCE\NTDS Settings

    • right-click NTDS Settings in the tree, and click properties

    • uncheck the box next to Global Catalog

    • click start, run eventvwr

    • watch for indications that the server is no longer a Global Catalog

    • Force replication between domain controllers and make sure the process completes successfully.

  • Run netdiag and dcdiag on SOURCE, verify there are no failures

  • Run DCPROMO on SOURCE and demote the server (DO NOT CHECK “THIS IS THE LAST DOMAIN CONTROLLER…”), and reboot

  • Rename SOURCE to OLD

  • change the IP address of the SOURCE server

  • Reboot SOURCE (if not done during the rename from SOURCE to OLD)

  • On TRANSITIONAL, start, run dnsmgmt.msc

    • clean up DNS zone for any records referencing SOURCE

  • on TRANSITIONAL, start, run adsiedit.msc

    • clean up references to SOURCE under CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=[yourdomain],DC=[tld]. After a graceful demotion these objects are normally already gone; only delete by hand what DCPROMO left behind

    • you may prefer to use NTDSUTIL (metadata cleanup) to clean up metadata. See Microsoft support online for details on how to use this feature of Windows

    • Be sure that site replication takes place

  • Bring up DESTINATION and give it the name of the SOURCE server

  • change the IP address of DESTINATION to the same address previously used by SOURCE

  • install DNS and DHCP on DESTINATION

  • On DESTINATION, restore the DHCP database from the backed-up files in the earlier steps

    • if moving DHCP to the same OS version, you can simply copy the DHCP data to %systemroot%dhcp and net start “dhcp server”

    • if moving DHCP between two different versions or revisions, you can use the net sh import dhcp command (see ms KB article 325473)

  • on DESTINATION, promote to DC using DCPROMO, and reboot

  • on DESTINATION, start, run, dssite.msc

    • browse to Sites\Default-First-Site-Name\Servers\DESTINATION\NTDS Settings

    • Right-click NTDS Settings, and click properties

    • check the Global Catalog box

    • Watch the event log for signals that the server has become a global catalog

  • On DESTINATION, point the time service at an external NTP source. The old way is net time /setsntp:[fqdn of NTP server]; on 2003 and later prefer w32tm /config /manualpeerlist:"[fqdn of NTP server]" /syncfromflags:manual /reliable:yes /update followed by w32tm /resync. Only the DC holding the PDC emulator role should sync to an external source; every other machine in the domain follows the hierarchy from it, so do this once DESTINATION holds that role. Get it right before moving on: Kerberos rejects tickets from clients whose clocks differ from the DC by more than the 5-minute default tolerance, and authentication fails domain-wide if the PDC emulator drifts. Several reliable NTP servers can be used. To use one of the Naval Observatory servers, go to http://tycho.usno.navy.mil and click the NTP link. There you can find a listing for the appropriate server for your time zone and location.

  • run netdiag and dcdiag on the TRANSITIONAL server to make sure all things are still working properly.

  • on DESTINATION, go to a command prompt

    • enter ntdsutil

    • enter roles

    • enter connections

    • enter connect to domain [yourdomainname.tld]

    • enter connect to server [DESTINATION.yourdomainname.tld]

    • enter quit

    • enter transfer schema master NOTE: you must confirm using a graphical dialog for each transfer operation

    • enter transfer domain naming master

    • enter transfer infrastructure master

    • enter transfer rid master

    • enter transfer pdc

    • enter quit

    • enter quit

    • enter netdom query fsmo

  • on TRANSITIONAL go to a command line

    • enter netdom query fsmo and verify that the same info is reported

    • allow time for site replication to take place

  • demote TRANSITIONAL, reboot

  • disjoin TRANSITIONAL, reboot or shutdown

  • on DESTINATION, open dnsmgmt.msc and clean up any references to TRANSITIONAL

  • on DESTINATION, clean up any leftover metadata for TRANSITIONAL using ntdsutil (metadata cleanup) or adsiedit.msc

  • Transfer data back from backup or OLD (formerly SOURCE) server to DESTINATION

  • Set up printer shares on DESTINATION as noted in the worksheets

  • set up file shares (after file copy is complete) on DESTINATION as noted in the worksheets

File Shares Worksheet

One row per share on SOURCE; record the following columns for each (the original worksheet provides four blank rows):

SHARE NAME | LOCATION ON DISK | SHARE PERMISSIONS | NTFS PERMISSIONS | COMMENT | CACHING

Printer Shares Worksheet

One row per printer on SOURCE; record the following columns for each (the original worksheet provides four blank rows):

PRINTER NAME | DRIVER | IP ADDRESS | PORT | SHARE NAME | COMMENTS | PRINTER OPTIONS