Sep 24 2011

ADDS 2008 migration: Before migrating to Windows Server 8…

You can’t wait to install the Windows Server 8 developer preview to test it ahead of a future deployment… But you might want to finish your migration to ADDS 2008R2 before thinking about all that 😉 Below is a table showing some client compatibility issues and the important steps when migrating your domain controllers to Windows Server 2008R2:

Prepare AD: adprep.exe or adprep32.exe
Install the first Windows 2008R2 RWDC (not FSMO holder).
Migrate the PDCe to Windows 2008R2.
Migrate the schema master to Windows 2008: enable Filtered Attribute Set when installing a RODC.

1\ Minimum domain functional level: 2000. Recommended: 2003.

See this askDS post for more details on running adprep


2\ Deploying a RODC:

adprep /rodcprep:

Minimum domain functional level: 2003.

1\ NT4.0 and old CIFS servers will not authenticate against a Windows 2008R2 domain controller.

Symptom 4:

A SMB storage device may be unable to use weak cryptography algorithms to establish a security channel to a Windows Server 2008-based domain controller.

Here is an example if your EMC Celerra target version is lower than 5.6:

As of version, Celerra Network Server supports Microsoft’s new SMB 2 protocol.


2\ Applications using Data Encryption Standard (DES) encryption for Kerberos authentication to a Windows 2008R2 domain controller will fail to authenticate, because this old cryptographic algorithm is disabled by default.

Have a look at this example describing an SSO problem with SAP and a Windows 2008R2 DC.
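One way to find accounts that still depend on DES before the first Windows 2008R2 DC is installed, as an added example that is not part of the original post: it decodes the userAccountControl and msDS-SupportedEncryptionTypes attributes. The function name and the sample accounts are hypothetical; the bit values are the documented Active Directory constants.

```powershell
# Added example, not from the original post. Sample rows below are constructed.
$UF_USE_DES_KEY_ONLY = 0x200000  # userAccountControl bit: "Use Kerberos DES encryption types for this account"
$ENC_DES             = 0x3       # msDS-SupportedEncryptionTypes: DES-CBC-CRC (0x1) | DES-CBC-MD5 (0x2)
$ENC_NON_DES         = 0x1C      # RC4-HMAC (0x4) | AES128 (0x8) | AES256 (0x10)

# Hypothetical helper: emits one finding per account whose Kerberos settings rely on DES.
function Get-DesKerberosFinding {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Account)
    process {
        $uac = [int]$Account.userAccountControl
        $enc = [int]$Account.'msDS-SupportedEncryptionTypes'  # unset attribute casts to 0
        $reason = $null
        if ($uac -band $UF_USE_DES_KEY_ONLY) {
            $reason = 'DES-only flag set in userAccountControl'
        } elseif (($enc -band $ENC_DES) -and -not ($enc -band $ENC_NON_DES)) {
            $reason = 'msDS-SupportedEncryptionTypes lists only DES'
        } elseif ($enc -band $ENC_DES) {
            $reason = 'DES still listed next to stronger types'
        }
        if ($reason) {
            New-Object PSObject -Property @{ Name = $Account.Name; Reason = $reason }
        }
    }
}

# Constructed sample data standing in for directory objects.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'svc-sso-example'; userAccountControl = 0x200200; 'msDS-SupportedEncryptionTypes' = $null }),
    (New-Object PSObject -Property @{ Name = 'nas-example$';    userAccountControl = 0x1000;   'msDS-SupportedEncryptionTypes' = 0x3 }),
    (New-Object PSObject -Property @{ Name = 'app-example';     userAccountControl = 0x200;    'msDS-SupportedEncryptionTypes' = 0x1F }),
    (New-Object PSObject -Property @{ Name = 'user-example';    userAccountControl = 0x10200;  'msDS-SupportedEncryptionTypes' = 0x18 })
)
$sample | Get-DesKerberosFinding | Format-Table Name, Reason -AutoSize

# Against a live domain (requires the ActiveDirectory module); the filter uses the
# LDAP bitwise AND (…803) and OR (…804) matching rules to pre-select candidates:
# Get-ADObject -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=2097152)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=3))' `
#     -Properties userAccountControl, 'msDS-SupportedEncryptionTypes' | Get-DesKerberosFinding
```

With the constructed sample, the first three accounts are reported and the AES-only account is not.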

1\ Active Directory trust with a Windows NT4.0 domain, still in the same KB:

Symptom 5:

Servers that are running Windows Server 2008 R2 cannot be accessed by using a Windows NT 4.0-based domain trust.

As a bonus: the trust relationship breaks a few days later, when the 2008R2 PDCe renews the trust password with an NT4.0 DC. See the TDO passwords chapter of this article.


2\ Deploying a RODC:

It will not advertise as a time source until the PDCe is migrated to Windows Server 2008; have a look at this article for information and a possible workaround.

1\ The schema master holder must be running Windows 2008 before using Filtered Attribute Set:

Make sure that the domain controller that holds the schema operations master (also known as flexible single master operations or FSMO) role is running Windows Server 2008 when you add attributes to the RODC FAS so that the attributes are verified to not be system critical.


2\ Another important point about FAS from the same article:

A rogue RODC can replicate RODC FAS data from a domain controller that runs Windows Server 2003 by making a replication request.

Do not configure a Windows 2003 DC as a replication partner of a Windows 2008 DC. Use dssite.msc and/or firewall rules to make sure it doesn’t happen.

OK, now that you have migrated to ADDS 2008R2, you can enjoy many new features, like the Active Directory recycle bin once your forest functional level is 2008R2…

And when you start migrating to Windows Server 8 ADDS, you will get a new feature to make your disaster recovery plan even faster: the ability to take snapshots of a V-DC. 🙂 I am sure my colleagues Hypervisor and VMDude will appreciate this quote:

Microsoft is working with other virtualization vendors to make sure they include this technology in the latest version of their hypervisors as well. It’s in their interest to do so.




1 Comment

  • By Ammesiah, September 24, 2011 @ 2:18 pm

    Thanks a lot Microsoft for this major enhancement ….
    TAD says thanks, finally ^^
