Upgrading your domain to AD 2008 from Active Directory 2000

Benefits:
Improve the security, scalability, and manageability of your network infrastructure.

Things to know:

  • Raising the domain or forest functional level to 2008 means you can only have 2008 domain controllers.
  • Raising the domain or forest functional level to 2003 means you can only have 2003 domain controllers.
  • Raising the domain or forest functional level to 2000 means you can only have 2000 domain controllers.
  • Functional levels do not affect what OS runs on your workstations and member servers.
  • YOU CANNOT go back, so be sure before you upgrade.
Benefits of each functional level at the domain level:
Windows 2000 functional level

  • Universal groups for both distribution and security groups.
  • Group nesting
  • Group conversion, which allows conversion between security and distribution groups
  • Security identifier (SID) history

Windows 2003 functional level

  • All of the 2000 benefits plus the ones below.
  • The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers
  • Logon time stamp updates
    The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
  • The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects
  • The ability to redirect Users and Computers containers
    By default, two well-known containers are provided for housing computer and user accounts, namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature allows the definition of a new, well-known location for these accounts.
  • The ability for Authorization Manager to store its authorization policies in AD DS
  • Constrained delegation
    Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by means of Kerberos-based authentication.
    You can restrict delegation to specific destination services only.
  • Selective authentication
    Selective authentication makes it possible for you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
Windows 2008 functional level

  • All of the benefits above plus the following below.
  • Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL)
    DFS replication support provides more robust and detailed replication of SYSVOL contents.
  • Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol
  • Last Interactive Logon Information
    Last Interactive Logon Information displays the following information:

    • The time of the last successful interactive logon for a user
    • The name of the workstation that the user logged on from
    • The number of failed logon attempts since the last logon
  • Fine-grained password policies
    Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain. For more information, see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration (http://go.microsoft.com/fwlink/?LinkID=91477).

Benefits of each functional level at the forest level:
Windows 2000 functional level

  • All of the default directory service features

Windows 2003 functional level

  • Forest trust
  • Domain rename
  • Linked-value replication
    Linked-value replication makes it possible for you to change group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit. Storing and replicating the values of individual members uses less network bandwidth and fewer processor cycles during replication, and prevents you from losing updates when you add or remove multiple members concurrently at different domain controllers.
  • The ability to deploy a read-only domain controller (RODC)
  • Improved Knowledge Consistency Checker (KCC) algorithms and scalability
    The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than AD DS can support at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less-intrusive mechanism for choosing the ISTG than the one used at the Windows 2000 forest functional level.
  • The ability to create instances of the dynamic auxiliary class named dynamicObject in a domain directory partition
  • The ability to convert an inetOrgPerson object instance into a User object instance, and to complete the conversion in the opposite direction
  • The ability to create instances of new group types to support role-based authorization.
    These types are called application basic groups and LDAP query groups.
  • Deactivation and redefinition of attributes and classes in the schema

Windows 2008 functional level

  • All of the 2003 features. All domains subsequently added to the forest operate at the Windows 2008 domain functional level by default.

Things to know:

  • You must be a member of Domain Admins to raise the domain functional level.
  • You must be a member of Enterprise Admins to raise the forest functional level.
  • You must raise the domain functional level on the PDC emulator operations master; it is targeted by default in AD Users and Computers and AD Sites and Services.
  • You must raise the forest functional level on the schema operations master only. It is targeted automatically when you raise the forest functional level.
  • You can only raise the forest functional level if all of the domains within your forest are already at the level you are trying to raise to.
  • All of the domain controllers in your forest must be running the same OS as the level you are trying to raise to.
  • The domain functional level must be higher than the forest functional level; the forest functional level is always lower than the lowest domain functional level.
  • YOU CANNOT lower the level once you upgrade!

     
Process (DO NOT perform these steps if you have 2000 or 2003 DCs):
Install a new Windows 2008 server in your network.
On an existing DC, insert the Windows 2008 Server CD and run the following commands.
The required files are located in \support\adprep. If your existing DCs are 32-bit, you must use adprep32.exe.
adprep /forestprep – run this on the schema operations master, the operations master for the entire forest
adprep /domainprep – run this on the infrastructure operations master in each domain that you have
adprep /domainprep /gpprep – run this on the infrastructure operations master in each domain that you have
Raise Functional Level
Open Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts, then click Raise Forest Functional Level.
Depending on what level you want to raise to, select either Windows Server 2003 or Windows Server 2008 and click Raise.
Once you are finished with this process, open Active Directory Users and Computers. Create two new OUs, one for users and one for computers. The old version of AD kept these in containers, which are unmanageable that way, which is why we are going to move them.
Open a command prompt and switch to system32: cd %systemroot%\system32
redircmp "OU=<NewComputerOUYouJustCreated>,DC=<YourDomainName>,DC=com"
redirusr "OU=<NewUserOUYouJustCreated>,DC=<YourDomainName>,DC=com"
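Because the raise cannot be undone, it is worth scripting the prerequisites listed above before touching adprep or the Raise dialog. The following pre-flight check is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) is installed and that you run it as an Enterprise Admin. It reports the FSMO holders each step must run on, the current container locations, every DC whose OS is too old for the target level, and every domain not yet at the target level (the forest cannot be raised until they are).

```powershell
# Added pre-flight check, not from the original post. Assumes the ActiveDirectory
# module (RSAT, Windows Server 2008 R2+) and Enterprise Admin rights.
Import-Module ActiveDirectory

# Hypothetical choice for this run: 'Windows2003Domain' or 'Windows2008Domain'
$TargetMode = 'Windows2008Domain'
$TargetEnum = [Microsoft.ActiveDirectory.Management.ADDomainMode]$TargetMode
# DC operating systems that are older than the target level and block the raise
$TooOldOs   = if ($TargetMode -eq 'Windows2008Domain') { 'Windows.*200[03]' } else { 'Windows.*2000' }

$forest   = Get-ADForest
$blockers = @()
Write-Output "Forest $($forest.Name): current mode $($forest.ForestMode)"
Write-Output "  Schema master (adprep /forestprep, raise forest level here): $($forest.SchemaMaster)"

foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Identity $name
    Write-Output "Domain $($domain.DNSRoot): current mode $($domain.DomainMode)"
    Write-Output "  PDC emulator (raise domain level here):     $($domain.PDCEmulator)"
    Write-Output "  Infrastructure master (adprep /domainprep): $($domain.InfrastructureMaster)"
    Write-Output "  Users container (redirusr target):          $($domain.UsersContainer)"
    Write-Output "  Computers container (redircmp target):      $($domain.ComputersContainer)"

    # Every DC must already run an OS at or above the target level; there is no going back.
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domain.DNSRoot)) {
        if ($dc.OperatingSystem -match $TooOldOs) {
            $blockers += "$($dc.HostName) runs '$($dc.OperatingSystem)'; upgrade or demote it before raising $($domain.DNSRoot)"
        }
    }

    # The forest level can only be raised once every domain is at the target level.
    if ([int]$domain.DomainMode -lt [int]$TargetEnum) {
        $blockers += "$($domain.DNSRoot) is at $($domain.DomainMode); raise it before raising the forest level"
    }
}

if ($blockers.Count -eq 0) {
    Write-Output "No blockers found for $TargetMode; proceed with adprep and the raise."
} else {
    Write-Output "Blockers (resolve before raising):"
    $blockers | ForEach-Object { Write-Output "  - $_" }
}
```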
