Upgrading Windows 2003 Domain to 2008 Domain

Fortunately, my company is enrolled in a 6 year microsoft subscription. This probably sounded appealing when Microsoft partners gave their speech (a year before they had a dedicated IT professional). I admit that it is nice to have a server license with the ability to upgrade to the current version at the time of my choosing. A company definitely saves money over time. Anyheuw, thats what I did. I have a single forrest with one domain.

The domain I inherited was originally a windows 2000 domain. This became obvious after examining the selected options and functional levels. Apart from these inconveniences, upgrading from 2003 DCs to 2008 DCs was a snap. Important: You will need to raise the forrest and domain functional levels to 2k3 native to do the upgrade, unless thats where your forrest/domain is now. Windows 2k3 forrest/domains are in a Win2k compatibility functional level by default. Make sure to give your functional raise some time to propagate.  

After my forrest and domain functional levels were raised, I moved all 5 fsmo roles to a single “virgin” 2003 DC that was born for this adventure. This served to eliminate possible third-party/previous install conflicts.  Domain controllers seem to become a slave of small third-party semi-important services on a small Windows domain = too many on mine to think about fighting with.

Next I did a series of health tests on my Active Directory. I used Windows 2003 support tools to out put a series of tests’ results to text files and studied them a bit. The Event Viewer is also helpful when improving AD health.  Upgrading to a new AD schema wont improve existing AD problems, it will only complicate them. At the very least, make sure that dcdiag and netdiag tests all pass and fix the event logged errors on your DCs.

After AD was healthy and all controllers were synced up, I put up a new 2k8 server and joined it to the domain. From my newly created win2k3 box, I prepped my domain for 2k8 

  1. Insert Win2k8 DVD (either x64 or x86 = depending on what the “virgin” 2k3 domain controller is) and copy the adprep folder (on the DVD its \sources\adprepto the HD
  2. Upgrade AD definitions in the forrest: cmd to the root of the folder you copied -> adprep.exe /forrestprep
  3. Allow the domain to take advantage of what the forrest has to offer: stay in cmd -> adprep.exe /domainprep
  4. Upgrade the group policy to match the newly updated AD schema of the domain: adprep.exe /domainprep /gpprep
  5. Optionally allow for read only domain controllers: adprep.exe /rodcprep
From my 2k8 box, I ran dcpromo (command line) and followed the wizard. Make sure to select advanced options and add to the existing forrest & domain. Good to go. From there created another 2k8 (x64) controller and demoted/removed my old 2k3 controllers. Hint: If you are demoting, turn off Trend Micro on the DCs if thats what you use for AntiVirus.
All in all, I think 2k8 runs a better domain controller than 2k3. Its definitely less boring to push buttons in = more intuitive. Memory usage is greater in 2k8 than that in 2k3 to handle Windows Domain roles. However, its memory usage does improve performance…or maybe I am fooled by a more resonsive GUI over terminal services. In any case, I am a fan of the greater control over my domain via the updated Group Policy/DNS options; just make sure you raise your forrest & domain functional levels to 2k8 reap all the benefits. (P.S. This means you cannot have domain controllers running anything less than 2k8)
Now its time to replace the 2k3 exchange/windows box with a 2k7 exchange/2k8 windows (x64) box. The enhanced, built-in spam filtering of Exchange 2k7 looks good to me right now. Recently, my users have been getting mail saying things such as “I have kidnapped your baby, give me money to see her again” and “click here” to get your gift card. As much as I am a fan of gift cards, I care too much for the children to allow the kidnapping/ransom notes to continue.
Cheers.