Domain Migration: Windows 2008R2 to Windows 2019 – Challenges & Mitigation



Scenario:


Our RED.COM domain initially built on Windows Server 2003. A few years back, it was migrated to Windows Server 2008R2. Presently two DCs - both are Windows Server 2008 R2. The Domain Functional Level & Forest Functional Level is Windows Server 2003. We have planned to introduce Windows Server 2019 DC in this infra & coming days Windows 2019 DC replace the Windows 2008R2 DCs.
                Trivia¹: Prior Windows 2008, replication has happened through FRS (File Replication Service). From Windows 2008 it becomes DFSR (Distributed File System Replication) where instead of whole, it replicates only the delta of change.

Migration

Challenges:


1.       Windows Server 2003 Domain & Forest Functional Level does not support Windows 2019 DC. So DFL & FFL must be raise. Here we’ll raise both functional level to Windows Server 2008R2.


  
2.     Windows 2019 DC does not support FRS (File Replication Service) SYSVOL replication, it must migrate to DFSR (Distributed File System Replication) to the coup in the existing domain. DFSR migration only possible, when minimum Forest Function Level is Windows Server 2008.

Trivia²: Windows Server 2008 R2 supports DFSR replication, but as it migrated from Windows Server 2003 DC, the domain continuing FRS.


Raising Domain & Forest Functional Level:


Raising Domain & Forest Functional Level is very simple. Go to Active Directory Domains & Trusts > Select “Domain” (i.e. RED.COM) >Raise Domain Functional Level. Same way, select “Active Directory Domains & Trusts” > Raise Forest Functional Level. Now both Domain & Functional Level are at its highest level –Windows Server 2008R2.


              

Migration of FRS to DFSR:


First, we need to check what the existing replication is. Run dfsrmig /getglobalstate.  The output shows DFSR migration is not yet initiated. That means it still using FRS replication & DFSR migration need to initiate.


If replication is dfsr, the output will be Current DFSR global state: ‘Eliminated



Before migration, check the SYSVOL of existing DC is shared & advertising:
dcdiag /e /test:sysvolcheck /test: advertising.



Migration Process:


There is four stable state/phase of DFSR migration. Each command output is self-explanatory.
£  State 0 – Start: dfsrmig /setglobalstate 0  - You can avoid this state.


£  State 1 – Prepared: dfsrmig /setglobalstate 1


 To check the migration state any time - dfsrmig /getmigrationstate


£  State 2 – Redirected : dfsrmig /setglobalstate 2


£  State 3 – Eliminated : dfsrmig /setglobalstate 3


Type dfsrmig /getmigrationstate to confirm all domain controllers have reached ‘eliminated’ state. Depends upon forest size, DFSR migration takes time, no need to panic.


Now migration is complete – DCs are consistent state.


Now check the changes happened after the migration:
1.       SYSVOL becomes SYSVOL_DFSR
2.       FRS service is now STOPPED



Domain Migration Process:


1.       Windows 2019 Server (REDAD02) is already a member of RED.COM. The problems we faced to promote it as DC is already mitigated.
2.       Promote the server to a domain controller.


3.       Check the entries in “Domain Controllers” OU
4.       Check replication status.



Trivia³:  In our organization, the DCs are built with Windows Server 2003, later it is migrated to W2008R2 & a few months back we introduce two W2012R2 DCs & move the FSMO roles from W2008R2 to W2012R2.  Domain & Forest Functional Level remain as early - Windows Server 2008R2. Up to this stage, the migration is very straight:
1.       Join W2012R2 as a member of a domain –RED.COM.
2.       Promote it as ADC.
3.       Check the GC status of the DC which we need to decommission. Remove the GC status.
4.       Demote the DC controller & remove the AD DS role.
5.       Clean metadata from AD User & Computers, DNS & AD Site & Services.
6.       Check replication status – repadmin /replsum.
To create this Test Environment that can match our production environment, I have created first a W2003 DC for FRS replication & Windows Server 2003 DFL/FFL. Later introduce a W2008R2 DC in this domain & decommission W2003 DC, but kept FRS replication & Windows 2003 Domain & Forest Functional Level intact. Remember, for W2008R2 DC, you need to extend the schema version with help of ADPREP command – adprep /forestprep, adprep /domainprep & adprep /domainprep /gpprep. For this insert the W2008R2 OS disk into W2003 DC. Under support directory ADPREP tool is available. Before running the command check the schema version of exiting DC – HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters: Schema Version. You’ll find the change - 30 -> 47.  From W2012 onwards, no need to extend or change schema version for domain migration, because this command is incorporated into OS installation. So for W2012 to W2016/2019 migration, adprep command is not required.

Reference Link:

 https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd464018(v=ws.10)?redirectedfrom=MSDN
https://www.youtube.com/watch?v=JZ5otKq54p4

Comments

Post a Comment

Thank you.

Popular posts from this blog

Google Chrome Bookmark & Homepage through GPO

Image
Goals: We need to create a GPO for Google Chrome Bookmarks & home page/landing page. Under the bookmarks, few URLs would be there. It will be easy for users to access these url/site. Also by home page – most useful/frequently open site can be set, so that when user open Google chrome, the page will be displayed first. Gyan: All policy setting for Group Policy Management Console are not readily available. Sometime to manipulate group policy settings for higher version OS (i.e. Screensaver for Windows 10) or third party application (i.e. Google Chrome),we need to download group policy setting supported files – admx (policy settings) along with adml (language suppot). Both files are stored into central storage repository, known as “ Central Store ”. For higher Windows it is “ PolicyDefinitions” – automaticall created when a DC built under C:\Windows\ Process: Incorporate Chrome GPO templates:         1.       To manage Chrome settings through Group Policies, you
Read more

DNS Server IP Address change in Client Systems through Group Policy

Image
  Scenario: Recently our network team, restructure IP segments & it is recommended to change the IP address of our DNS server. It is an AD integrated DNS server & around 1000 desktops & laptops are in the network – all have static IP addresses. We need to change the DNS IP for all the systems. Procedure: We can change the DNS IP through Group Policy with the help of a simple *.bat file. We will apply the GPO in Startup as Computer base policy. But here tricky part is, we need run the batch file in "Run as Administrator" mode. Most of the Computer-based Startup GPO is not run in normal mode. The batch file as below, suppose it name DNSIP_Change.bat   :   Replace your DNS Server “ set dnsserver=X.X.X.X ” @echo off set dnsserver=10.10.10.31 set dnsserver2=10.10.10.30 for /f "tokens=1,2,3*" %%i in ('netsh interface show interface') do (   if %%i EQU Enabled (   rem echo change "%%l" : %dnsserver%   netsh interface
Read more

File Server Migration: Windows Server 2008R2 to Windows Server 2019

Image
  Scenario:   We have a File Server on Windows Server 2008R2 . The File Server has several departmental shares & it is accessed by the department user only. But among them few have RW (Read & Write) permission, rest have only R (Read) permission. Also every dept. share have disk quota & every authorized user has their shared folder mapped as a network drive in their Windows Explorer. In my environment, I have implemented the procedure for 15 different departmental share folders accessing different departments consist of 10-30 users each dept & each shared folder volume is 100 GB to 500GB. Challenges: 1 .       Migrated Share Folders must have the same level of permission as on W2008 Server. 2.        Several Disk quota templates need to export to new W2019 to minimized the effort.   Users should be transparent to this migration & their access to the shared folder must be flowless – that meant users
Read more