Wednesday, August 8, 2012

Deploy multiple VM’s from template with PowerCLI


This document describes the steps to deploy multiple VMs from a template using VMware PowerCLI.

1-    Create a Customization Specification for Windows:

  • Use the Guest Customization wizard in the vSphere Client to save the Windows guest operating system settings in a specification that you can apply when deploying from templates.
  • Or use the vSphere PowerCLI cmdlet New-OSCustomizationSpec to create a new OS customization specification from the command line.

Prerequisites
Guest operating system customization is supported only if the following requirements are met.
The most current version of VMware Tools must be installed on the virtual machine or template to customize the guest operating system during cloning or deployment.
Virtual Disk Requirements
The guest operating system being customized must be installed on a disk attached as SCSI node 0:0 in the virtual machine configuration.
Windows Requirements
Customization of Windows guest operating systems requires the following conditions:
The Microsoft Sysprep tools must be installed on the vCenter Server system (see the VMware document Installing the Microsoft Sysprep Tools). For Windows Server 2008, Windows Server 2008 R2 and Windows 7, Sysprep is built into the operating system and does not have to be downloaded.
The ESX/ESXi host that the virtual machine is running on must be version 3.5 or later.
Guest operating system customization is supported on multiple Windows operating systems; check the VMware compatibility documentation for the supported Windows versions and the compatible ESX/ESXi hosts.


2-    Deploying the Templates:

Launch vSphere PowerCLI and connect to a vCenter Server system.

To get started, call the Connect-VIServer cmdlet and specify the IP address or DNS name of your vCenter Server system or ESX host, the protocol (http or https), user name, and password:

Connect-VIServer -Server [vCenter IP or name] -Protocol https -User admin -Password mypass

Passing -User and -Password like this leaves the password in the script file, in the console history and in any transcript; for anything beyond a one-off test, use -Credential with Get-Credential, or an entry stored with New-VICredentialStoreItem, instead. Once your server session is established, prepare the script.



3-    Script:

The script needs the following parameters:

-VMHost: target host FQDN;
-Name: name of the new VM;
-Template: the template from which you want to deploy the new VM;
-Datastore: target datastore to place the new VM;
-OSCustomizationSpec: the customization specification created in step 1;

  • New-VM -VMHost <target host FQDN> -Name FS-SVR02 -Template w2008-r2-std-tmp -Datastore datastore2 -OSCustomizationSpec WIN2008R2_Template
  • One New-VM line per additional VM, identical except for the -Name value: vCenter refuses to create a second VM with a name that is already in use, so a batch of lines that all say FS-SVR02 fails from the second line on with a duplicate-name error.

Save as: FileserverDeploy.ps1


4-    PowerCLI:

Run the script from the PowerCLI prompt:

.\FileserverDeploy.ps1

If the target host is a member of a DRS cluster, vCenter prompts you when the VM is powered on to choose the host on which the machine will run.
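The four steps above as one script, added here as an example and not taken from the original post. It assumes the vCenter name, host FQDN and VM names shown in the param block (the template, datastore and specification names are the ones from the post), that the PowerCLI snap-in is loaded, and that the values passed to New-OSCustomizationSpec are placeholders you replace with your own.

```powershell
# Added example: deploy several VMs from one template with a shared customization spec.
# Assumptions: the vCenter, host and VM names below are placeholders; PowerCLI is loaded.
param(
    [string]$VIServer   = 'vcenter.example.local',               # assumption
    [string]$VMHostFqdn = 'esx01.example.local',                 # assumption: "target host FQDN"
    [string]$Template   = 'w2008-r2-std-tmp',                    # from the post
    [string]$Datastore  = 'datastore2',                          # from the post
    [string]$SpecName   = 'WIN2008R2_Template',                  # from the post
    [string[]]$VMNames  = @('FS-SVR02', 'FS-SVR03', 'FS-SVR04')  # assumption; must be unique
)

# Prompt for the vCenter credential instead of putting -User/-Password in the file:
# a literal password in the .ps1 also ends up in console history and transcripts.
$cred = Get-Credential
Connect-VIServer -Server $VIServer -Protocol https -Credential $cred -ErrorAction Stop | Out-Null

try {
    # Resolve every inventory object first so a typo fails here, before any clone starts
    $vmHost = Get-VMHost    -Name $VMHostFqdn -ErrorAction Stop
    $tmpl   = Get-Template  -Name $Template   -ErrorAction Stop
    $ds     = Get-Datastore -Name $Datastore  -ErrorAction Stop

    # Step 1: create the customization specification if it does not exist yet.
    # NamingScheme Vm makes the guest hostname follow the VM name, so clones never share a name.
    $spec = Get-OSCustomizationSpec -Name $SpecName -ErrorAction SilentlyContinue
    if (-not $spec) {
        $spec = New-OSCustomizationSpec -Name $SpecName -Type Persistent -OSType Windows `
                    -FullName 'IT' -OrgName 'Example Org' -NamingScheme Vm -ChangeSid   # placeholder values
    }

    # Refuse duplicate names up front: vCenter rejects a second VM with an existing name,
    # and a half-finished batch is harder to clean up than one that never started.
    $existing = @(Get-VM -Name $VMNames -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
    if ($existing.Count -gt 0) { throw "VM name(s) already in use: $($existing -join ', ')" }

    # Step 3: one New-VM per name, started asynchronously, then wait for the whole batch
    $tasks = foreach ($name in $VMNames) {
        New-VM -Name $name -Template $tmpl -VMHost $vmHost -Datastore $ds `
               -OSCustomizationSpec $spec -RunAsync -ErrorAction Stop
    }
    Wait-Task -Task $tasks | Out-Null

    # Step 4: power on; Sysprep/customization runs on first boot. Only this batch is touched.
    Get-VM -Name $VMNames | Where-Object { $_.PowerState -eq 'PoweredOff' } |
        Start-VM -Confirm:$false | Out-Null
    Get-VM -Name $VMNames | Select-Object Name, PowerState, VMHost
}
finally {
    Disconnect-VIServer -Server $VIServer -Confirm:$false
}
```

Save it as FileserverDeploy.ps1 and run it from the PowerCLI prompt. -RunAsync lets vCenter run the clones in parallel; drop it if the datastore cannot take several simultaneous clone streams. Because the credential is prompted for, the script can be checked into version control without carrying a vCenter password.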




Tuesday, December 13, 2011

How to Zone a Brocade SAN Switch

This document is by Ryan's Tech Notes.


Here are the basics to add a new device to a SAN fabric. I’m working with a Brocade Silkworm 4900. In this scenario, I replaced a server that connects to a tape library for backup.

Terminology

HBA - Host Bus Adapter, which in this case, refers to the Fibre Channel Card. In LAN networking, it’s analogous to an Ethernet card.
WWN - World Wide Name, a unique 8-byte number identifying the HBA. In Ethernet networking, it’s analogous to the MAC address.
FC Zone - Fibre Channel Zone, a partitioned subset of the fabric. Members of a zone are allowed to communicate with each other, but devices are not allowed to communicate across zones. An FC Zone is loosely analogous to a VLAN.

Steps to Zone Brocade Switch

  1. Plug in the FC Connector into an open port on the switch.
  2. Log in to the server and verify the HBA connection. It should see the switch but not the storage device.
  3. Log in to the Brocade Switch GUI interface. You'll need Java enabled in your browser.
  4. Check the Brocade Switch Port.
    1. On the visual depiction of the switch, click on the port where you plugged in the FC connector.
    2. The Port Administration Services screen should pop up. You’ll need to enable the pop-up.
    3. Verify that the Port Status is “Online”. Note the port number.
    4. Close the Port Administration Services screen.
  5. Find the WWN of your new device
    1. Navigate back to the original GUI page.
    2. Select Zone Admin, an icon on the bottom left of the screen. It looks like two squares and a rectangle.
    3. Expand the Ports & Attaching Devices under the Member Selection List.
    4. Expand the appropriate port number. Note the attached WWN.
  6. Create a new alias for this device
    1. Click New Alias button
    2. Follow menu instructions
  7. Add the appropriate WWN to the alias
    1. Select your new device name from the Name drop down menu
    2. Expand the WWNs under Member Selection List
    3. Highlight the appropriate WWN
    4. Select Add Member
  8. Add the alias to the appropriate zone
    1. Select the Zone tab
    2. Select the appropriate zone from the Name drop down menu
    3. Select the appropriate alias from the Member Selection List
    4. Click Add Member
  9. Ensure that the zone is in Zone Config in the Zone Config tab
  10. Save your changes with Zoning Actions -> Save Config, then activate them with Zoning Actions -> Enable Config. Enabling pushes the zone configuration to every switch in the fabric, so check the zone members once more before you confirm.
  11. Log back in to the server to verify. It should now see the storage devices.
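The same zoning change expressed as Fabric OS CLI commands, generated and checked with PowerShell. This is an added example, not part of Ryan's post; the alias, zone, configuration and WWN values are placeholders, and nothing in the block talks to the switch itself.

```powershell
# Added example: validate the inputs for a zoning change and emit the Fabric OS CLI
# equivalent of the Web Tools steps above. Paste the output into an SSH session to the
# switch once it looks right.

function ConvertTo-Wwn {
    # Accepts '10000000c9abcdef', '10:00:00:00:c9:ab:cd:ef' or dashed/spaced variants and
    # returns the colon-separated lowercase form Fabric OS expects. Throws unless it is
    # exactly 8 bytes of hex, so a truncated or mistyped WWN never reaches the switch.
    param([Parameter(Mandatory = $true)][string]$Raw)
    $hex = ($Raw -replace '[:\-\s]', '').ToLower()
    if ($hex -notmatch '^[0-9a-f]{16}$') { throw "Not an 8-byte WWN: '$Raw'" }
    return (([regex]::Matches($hex, '..') | ForEach-Object { $_.Value }) -join ':')
}

function Test-FabricName {
    # Zone, alias and config names: a letter first, then letters, digits or underscores.
    param([Parameter(Mandatory = $true)][string]$Name)
    return [bool]($Name -match '^[A-Za-z][A-Za-z0-9_]{0,63}$')
}

function New-ZoningCommands {
    param(
        [Parameter(Mandatory = $true)][string]$Alias,
        [Parameter(Mandatory = $true)][string]$Wwn,
        [Parameter(Mandatory = $true)][string]$Zone,
        [Parameter(Mandatory = $true)][string]$Config
    )
    foreach ($n in @($Alias, $Zone, $Config)) {
        if (-not (Test-FabricName $n)) { throw "Invalid Fabric OS name: '$n'" }
    }
    $w = ConvertTo-Wwn $Wwn
    # Order matters: the alias must exist before the zone references it, and cfgsave must
    # precede cfgenable. cfgenable pushes the configuration to every switch in the fabric.
    return @(
        "nsshow | grep -i `"$w`"",          # the device must be logged in with this WWN first
        "alicreate `"$Alias`", `"$w`"",
        "zoneadd `"$Zone`", `"$Alias`"",
        "cfgsave",
        "cfgenable `"$Config`"",
        "cfgshow `"$Config`""               # confirm the effective configuration afterwards
    )
}

# Placeholder values; the backup-server alias and tape zone mirror the scenario in the post
New-ZoningCommands -Alias 'bkupsrv01_hba0' -Wwn '10:00:00:00:C9:AB:CD:EF' `
                   -Zone 'bkupsrv01_tape' -Config 'prod_cfg'
```

Fabric OS asks for confirmation on cfgsave and cfgenable. Keep in mind that zoning is traffic isolation, not authentication: the WWN is whatever the HBA firmware or driver presents, and it is settable on many cards, so keep LUN masking on the storage array and keep zones single-initiator, so that a host presenting a borrowed WWN only reaches the targets that one alias was allowed to see.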

Monday, November 21, 2011

How to: Exchange 2010 e-mail signature based on Active Directory information

A cool new feature in Exchange 2010 is adding a signature to your e-mail based on Active Directory information. If you fill in the correct information in Active Directory, the signature is added to your e-mail automatically. You need to follow these steps:

1.) Open the Exchange Management Console.
2.) Navigate to Organization Configuration, Hub Transport, Transport Rules.
3.) Create a new transport rule whose action is "append disclaimer text" (a disclaimer is the mechanism Exchange uses for signatures).
4.) Design the signature based on the Active Directory information; each %%attribute%% token is replaced with the sender's value of that attribute. In my example it is:
Met vriendelijke groet,

%%displayName%%
%%Department%%
(Note: you can find all the user attributes using ADSIEDIT, for example.)
5.) Send an e-mail to another user and check the e-mail signature.
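The same rule created from the Exchange Management Shell, added here as an example and not part of the original post. The rule name and the pilot group address are assumptions; the disclaimer text is the one shown above, with HTML line breaks.

```powershell
# Added example: the Active Directory based signature as a transport rule, scoped to a
# pilot group first. Rule name and group address are placeholders.
$signature = @"
Met vriendelijke groet,<br />
<br />
%%displayName%%<br />
%%Department%%
"@

# FromScope InOrganization keeps the rule off inbound external mail; FromMemberOf limits
# it to one group until the template and the attribute data have been checked, so a
# wrong template does not reach every sender at once.
New-TransportRule -Name 'AD signature (pilot)' `
    -FromScope InOrganization `
    -FromMemberOf 'signature-pilot@example.local' `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $signature `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Review what was stored
Get-TransportRule 'AD signature (pilot)' |
    Format-List Name, Priority, FromScope, FromMemberOf, ApplyHtmlDisclaimerText

# An empty attribute becomes an empty line in the signature, so list pilot users whose
# Department is not filled in before widening the rule to everyone
Get-DistributionGroupMember 'signature-pilot@example.local' |
    Get-User | Where-Object { -not $_.Department } |
    Select-Object DisplayName, Department
```

Once the pilot looks right, remove -FromMemberOf (Set-TransportRule -FromMemberOf $null) to apply the signature organization-wide.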

Wednesday, February 18, 2009

VMware View Manager 3.0


I recently had to set up VMware View Manager 3.0 (formerly Virtual Desktop Manager 2.0) in our demo environment to show clients the benefits of virtual desktop solutions. When I set up our first demo environment on VMware Virtual Desktop Manager 2.0 (now called View Manager 3.0) I was very impressed with the simplicity of the solution (if you already had VMware ESX and VirtualCenter deployed). It was missing certain features that other virtual desktop solutions had, but you knew VMware was going to be working on them (and you know the other virtual desktop products are adding new features and trying to catch up in other areas). So here are some of the lessons learned from the VMware View Manager 3.0 demo environment I built.

First we will start with the basics of the solution:

  • View Standard Connection Server - Server that manages and controls the desktop environment (desktop pools, persistent vs non-persistent, storage location, provisioning, entitlements). This is the 1st server you have to setup.
  • View Replica Connection Server - A copy of the Connection Server for redundancy. Not required but recommended for any production rollout.
  • View Security Server - The remote access portion of the View solution. Not required but recommended for any environment that requires remote access to the virtual desktop infrastructure.
  • ESX server - Hypervisor to virtualize the desktop images. (Read New Features section for more information)
  • vCenter Server (formerly VirtualCenter) - Manages and controls templates, snapshots, folders, resource pools, and virtual machines.
  • Desktops - Virtual desktops, physical desktops and terminal servers are now supported for deployment (read the New Features section for more information).
  • View Composer - Support for Linked Clones in the storage of the Virtual Desktop on ESX. Linked Clones save on storage, provide faster provisioning and support persistent desktops (users who need to change the desktop environment) while keeping disk space requirements low.

New Features in View 3.0

  • View Composer - Enables Linked Clones of Virtual Disk Files. This is pretty interesting. It saves on disk space first of all by using a single base snapshot and then each desktop gets its own differential file. I haven't tested it yet but supposedly you could update the base VM with a Windows Update, then have the base snapshot apply to the VMs without messing up the apps or anything else the user may have installed. Very cool.
  • Offline Desktops - This feature allows you to download a copy of the VM to your local PC. Now I know there are some use cases for this but I think Application Virtualization/Streaming is more compelling. The download of 8-16 images and then uploading them when they are done is pretty crazy. I know users want offline apps, but mostly users want Outlook offline and that can be accomplished in so many other ways. Still a very cool feature.
  • Unified Access - support for multiple sources of desktops not provided via Virtual Desktops on VMware ESX.
    • Hypervisor - VMware no longer requires you to use their hypervisor for the virtual desktops. HOWEVER, the features supported on other hypervisors are very different and may affect how you deploy desktops on them. For example, View can't power on or power off virtual machines on other hypervisors.
    • Physical or Virtual - Virtual machines running on ESX are fully supported. Virtual machines on other hypervisors are treated as unmanaged desktops, and so are physical desktops. Unmanaged desktops don't support power on or power off.
    • Terminal Server Support - Terminal Servers are supported as unmanaged desktops. Terminal Server sessions can also be accessed externally via the View Security Server.
  • Enhanced policies for offline desktops, Single Sign On, authentication, USB redirection, multimedia redirection, etc.
  • Usage Console (Configuration Tab) - Look at the current and highest user count of Virtual Desktops for licensing and planning.

Lessons learned from the installation and configuration

  • Virtual Center 2.5 (now going to be called vCenter Server) needs to be at 2.5 Update 3.
  • ESX 3.5 must also be at 3.5 update 3 if you plan on taking advantage of View Composer.
  • Vista on ESX
    • Vista by default will put itself into Sleep mode after 1 hour. Not fun for virtual desktops, so make sure to set your templates, snapshots and any Vista VM running on ESX not to sleep after 1 hour.
    • Open the Control Panel -> (enable Classic Mode if not done already) -> Power Options -> Change when the computer sleeps -> Never -> Save.
      Note: Vista on Microsoft Hyper-V and Citrix XenServer do not require this.
  • View Composer
    • Must be installed on the vCenter Server (AKA VirtualCenter Server)
    • Requires a separate database to enable.
    • The account used to configure View Composer during the install must have permissions to join computers to the domain and must have permissions in vCenter Server (see the admin guide). Also during the install, check the event logs if you have errors connecting to the database, since it could require you to grant DOMAIN\vCenterServerNAME$ db_owner on the database.
    • The necessary license is also required to be installed in the View Manager Web Administration tool to enable View Composer.
    • The vCenter Server defined in View Manager Web Administration must have View Composer enabled with an account that has rights to join workstations to the domain.
    • Requires a desktop with the following requirements
      • Virtual Machine should be on DHCP.
      • Ipconfig /release should be run in the VM.
      • The Virtual Machine must then be shutdown. (A powered-on snapshot won't work)
      • A snapshot must then be run on the Virtual Machine. (the snapshot must be of a powered-down VM or you will not be able to see the Snapshot in the View Manager)
        A Desktop Pool without linked clones requires a template and a customization specification, which is different from the snapshot requirement of a linked-clone virtual machine.
  • Group Policy Preferences should be used to add Users to the Remote Desktop Users group (much easier than a script and starts getting you used to GPPs)
    • Desktop Pools that are created from a template need to have a group or user added to the Remote Desktop Users group of the VM. When there are issues with this, you will see Access Denied or session access is denied.
    • Using a Vista or Windows 2008 Server in the domain, edit the GPO that applies to the desktops OU.
    • Computer Configuration -> Preferences -> Control Panel Settings -> Local users and Groups.
    • Create a Preference.
    • Select the Action as Update.
    • Select the Group Name "Remote Desktop Users (built-in)"
    • Click the Add button and add the groups or users you wish to have in the group.
    • If necessary, click on the Common tab and click on the Item-Level Targeting option. Then click the Targeting button to create the rules to the machines you want this policy to apply.
    • Apply the preference and click Ok.
    • Install the Group Policy Preferences via Windows Update -> Optional Updates.
      Note: Very critical that you ensure the Group Policy Preferences Extensions are updated on all XP, and Vista workstations. Run Windows Update and then click on Optional Updates. Then enable the update of Group Policy Preference Extensions. Without this the policy will not apply.
    • GPPs can also be used to build the desktop with shortcuts or files for VMware ThinApp.
  • Security Server Configuration
    • Once the Security Server has been installed and the necessary external NATing, DNS and Firewall rules have been configured, you need to add the Security Server Configuration.
    • In the Configuration Tab, click on Add under Security Servers
    • Add the actual FQDN of the Security Server (may require a hosts file or DNS modification, since it will more than likely be in the DMZ).
    • Enter the external URL and port used by the users outside the company and click OK.
    • Select on Create Configuration File and save the file to the C:\
    • Copy the file you just saved to C:\Program Files\VMware\VMware View\Server\sslgateway\conf on the Security Server.
    • Restart the Security Server to enable this feature.
      Without this, connections from the outside will look like they are going to work but then error out with messages about the internal FQDN of the Standard Server.
  • Virtual Desktop Basic Setup
    • Install OS
    • License/Activate the OS
    • Install VMware Tools
    • Name the workstation accordingly
    • Set the VMs for DHCP (Static is possible but might be more to manage).
    • Join the domain
    • Run Windows Update a few times to make sure the VM is all the way up to date
    • Install the View Agent
    • Install the Group Policy Extensions (Optional Update in Windows Update)
    • Reboot (take a snapshot for backup purposes and copy to Template) or Shutdown (if using linked clones)
  • Virtual Desktop Advanced Setup (some of these are from VMworld 2008 VDI Presentations)
    • Give enough RAM to the desktops so they don't have to swap that much.
    • Use the LSI Logic cards for XP and Vista
    • For Linked Clones, Add a D:\ Drive (move pagefiles and temp files here)
    • Disable AV Updates (might not work for all)
    • Disable System Restore (http://support.microsoft.com/kb/310405)
    • Disable Boot Optimization (http://www.theeldergeek.com/automatic_boot_disk_optimization_%5Bdefrag%5D.htm)
    • DRS Pool for different desktop levels (Execs may get one DRS Pool, while task workers get access to less resources)
    • Don't mix servers and desktops on the same hosts (unless this is a very small environment)
    • Load Balance Security Servers and Connection Servers (Standard and Replicas)
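The View Composer parent VM steps listed above (DHCP, ipconfig /release, clean shutdown, snapshot only while powered off) as a PowerCLI script. This is an added example and not from the original post; the VM name, snapshot name and guest credential are assumptions, and the in-guest ipconfig step assumes a PowerCLI version whose Invoke-VMScript runs through VMware Tools with just a guest credential.

```powershell
# Added example: prepare a linked-clone parent VM for View Composer. Placeholders: VM name,
# snapshot name. The script refuses to snapshot a VM that is still running, because a
# powered-on snapshot is not offered by View Manager.
param(
    [string]$VMName             = 'vdi-parent-vista',   # assumption
    [string]$SnapshotName       = 'composer-base',      # assumption
    [int]   $ShutdownTimeoutSec = 300
)

$vm = Get-VM -Name $VMName -ErrorAction Stop

if ($vm.PowerState -eq 'PoweredOn') {
    # Release the lease inside the guest so clones do not boot holding the parent's address.
    # The guest credential is prompted for; it is a local administrator in the VM.
    $guestCred = Get-Credential
    Invoke-VMScript -VM $vm -GuestCredential $guestCred -ScriptType Bat `
                    -ScriptText 'ipconfig /release' | Out-Null

    # Clean shutdown through VMware Tools, then wait for vCenter to report PoweredOff
    Shutdown-VMGuest -VM $vm -Confirm:$false | Out-Null
    $deadline = (Get-Date).AddSeconds($ShutdownTimeoutSec)
    while ((Get-VM -Name $VMName).PowerState -ne 'PoweredOff') {
        if ((Get-Date) -gt $deadline) {
            throw "$VMName did not shut down within $ShutdownTimeoutSec s; refusing to snapshot a running VM"
        }
        Start-Sleep -Seconds 10
    }
}

# No memory state: the VM is off, and Composer only lists snapshots taken while powered off
$snap = New-Snapshot -VM (Get-VM -Name $VMName) -Name $SnapshotName `
                     -Description 'Parent for View Composer linked clones' -Memory:$false
$snap | Select-Object VM, Name, Created, PowerState
```

If the final line shows anything other than PoweredOff for the snapshot, View Manager will not show it in the pool wizard; delete it and run the script again after shutting the VM down.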

Overall, I am impressed with the new features and the admin interfaces. The user interface is very clean, which is great, but doesn't have a WOW factor. It is very easy to set up, but the documentation isn't all the way up to speed (which is why I wrote this article).

Some suggestions for later revisions of View Manager for the time being are mostly cosmetic for now until I get some more use out of the solution. Overall, a good product. Good job guys and girls at VMware.

  • Make the certificate replacement of the Security Server SSL Cert easier.
  • Give admins the ability to upload different graphics, logos or color schemes to the Web Site for clients.
  • Granular control of administrators that allow certain admins to view and reset desktops, while others get full access.
  • Policies should be based on user or group rather than global policies. There are lots of times we want to enable USB for some users and not others. Sometimes we want them to access USB on one VM but not on another VM.
  • Historical reports of who used VMs and where they accessed them from. We want to know who accessed the VM externally or from which internal client IP address. This can be for security or troubleshooting purposes. Also historical reporting to know when they accessed the desktop and for how long. Top 10, 100, 1000 user reports. Stuff like that.

Wednesday, August 13, 2008

Transitioning your Active Directory to Windows Server 2008

You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the moment and you're looking to replace these servers with Windows Server 2008 Domain Controllers to utilize the new features of Windows Server 2008. You might also be looking to replace your aging Windows Server 2003 and Windows Server 2003 R2 Domain Controllers with spanking new Windows Server 2008 Domain Controllers, while keeping your Active Directory running smoothly.

This post intends to help you with this transition in a structured, balanced and thorough way and describes:

Ways to migrate

Upgrading your Windows Server 2003 Active Directory environment to Windows Server 2008 can be done in three distinct ways:

  • In-place upgrading
    Windows Server 2003 and Windows Server 2003 R2 can both be upgraded in-place to Windows Server 2008, as long as you keep the following in mind:
    • The Windows Server 2003 patchlevel should be at least Service Pack 1
    • You can't upgrade across architectures (x86, x64 & Itanium)
    • Standard Edition can be upgraded to both Standard and Enterprise Edition
    • Enterprise Edition can be upgraded to Enterprise Edition only
    • Datacenter Edition can be upgraded to Datacenter Edition only

In-place upgrading requires you to run adprep.exe before starting the upgrade process on the Domain Controllers. Check this post from Jorge for more information.

  • Transitioning
    Migrating this way means adding Windows Server 2008 Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window.

    Transitioning is possible for Active Directory environments whose domain functional level is at least Windows 2000 Native.
  • Restructuring
    A third way to go from Windows Server 2003 Domain Controllers to Windows Server 2008 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2008) domain. Tools like the Active Directory Migration Tool (ADMT) are priceless in this kind of migration.

Reasons to transition

I feel transitioning is the middle road between the two other ways to migrate to Windows Server 2008:

  • Restructuring means filling a new Active Directory from scratch
  • In-place upgrading means you're stuck with the same hardware and limited to certain upgrade paths
  • Transitioning means you get to keep your current Active Directory lay-out, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.

Transitioning is good when:

  • You worked hard to get your Active Directory in the shape it's in.
  • Your servers are faced with aging.
  • In-place upgrading leaves you with an undesired outcome (for instance 32-bit DCs)
  • You need a chance to place your Active Directory files on different partitions/volumes.

When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. That's why I wrote this post.

Steps to transition

Transitioning to Windows Server 2008 Domain Controllers consists of the following steps:

Before you begin

Avoid common mistakes
There is a very good Microsoft Knowledge Base article on Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain, written by community experts. I suggest you read it. (twice) Most of the contents also apply to transitioning from Windows Server 2003 (R2) to Windows Server 2008

Plan your server lifecycle
It's not uncommon for a Domain Controller to sit on your network for a period of five years. I believe you should take this in mind when selecting and buying a server. You should plan your partitions (or volumes) carefully and place the Active Directory files on separate volumes when your needs justify it. The Windows Server catalog helps you pick systems that will run Windows Server 2008 with ease.

Assess your readiness
Microsoft has kindly provided a tool to scan systems to assess whether they are capable of running Windows Server 2008, whether drivers are available (either from Microsoft Update or on the installation media) and what problems you might encounter when deploying Windows Server 2008. I recommend checking your systems with this tool, which is called the Microsoft Assessment and Planning Solution Accelerator (MAP for short).

Backups
Make backups of all your Domain Controllers and verify you can restore these backups when needed.

Documentation
It is a good thing to know exactly what you're migrating. When things go wrong you might need to be able to revert back to the old situation. This might require the Directory Services Restore Mode (DSRM) password and credentials for service accounts, which might not be written down anywhere. In multiple Domain Controller, multiple domain, multiple forest and multiple sites scenarios it's very wise to make a table containing the relevant information per Domain Controller in terms of Flexible Single Master Operations (FSMO) roles, Global Catalog placement, domain membership, site membership, replication topology, routing tables, IP addressing, etc.

Communication
When done right your colleagues might not even suspect a thing, but it's important to shed some light on what you're doing. (Make someone) communicate to the end users that you're going to mess with the core of their infrastructure. This might result in colleagues understanding you're (really) busy and might also result in problems being reported fast. Both are good things if you'd ask me...

Prepare your Active Directory environment

Before you can begin to introduce the first Windows Server 2008 Domain Controller into your existing Active Directory environment, you first have to prepare the Active Directory.

Microsoft provides a tool called adprep.exe to facilitate this preparation. You need to run the following commands on the following servers in your Active Directory environment:

Command                          Run on the Domain Controller holding
adprep.exe /forestprep           Schema Master
adprep.exe /domainprep           Infrastructure Master
adprep.exe /domainprep /gpprep   Infrastructure Master
adprep.exe /rodcprep *           Domain Naming Master

* Optional, when you want to deploy Read Only Domain Controllers.

After preparing your Active Directory for Windows Server 2008, be sure to check the result. The event viewer gives you breadcrumbs to failures, but the authoritative record is the adprep.log files that adprep writes under %systemroot%\debug\adprep\logs on the Domain Controller you ran it on. If your life depends on it, you can use the HowTo Jorge wrote to check that forestprep and domainprep replicated successfully to all Domain Controllers.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated, use repadmin (repadmin /replsummary, repadmin /showrepl) to check and optionally troubleshoot Active Directory replication. replmon is part of the Windows Server 2003 Support Tools and is no longer shipped with Windows Server 2008, so repadmin is the tool that will still be there after the transition.

Install the first Windows Server 2008 Domain Controller

You could already start installing Windows Server 2008 on a fresh box and make it a member of the domain, while preparing your Active Directory. When you're done preparing your Active Directory you can safely go ahead installing the first Windows Server 2008 Domain Controller by promoting a Windows Server 2008 box to a Domain Controller, using dcpromo.exe.

When running dcpromo.exe make sure you select to make this Domain Controller an extra Domain Controller for the Active Directory domain you're transitioning. Type a secure password for Directory Services Restore Mode (DSRM).

Tip:
Write down the the Directory Services Restore Mode (DSRM) password.

Since each Active Directory Domain Controller stores a copy of the Active Directory information, like users, computers, etc., and the NETLOGON and SYSVOL shares, your new Windows Server 2008 Domain Controller will be open for business after you restart it to complete the wizard.

Install additional Domain Controllers

Installing additional Windows Server 2008 Domain Controllers is as easy as purchasing them, licensing them, installing them and promoting them. There's really nothing to it: Once you've introduced the first Windows Server 2008 Domain Controller you know how to do it.

If you find installing loads of Domain Controllers is a tedious job you might want to promote servers to Domain Controllers using answer files. When Domain Controllers need to be placed in locations with limited connectivity or bandwidth constraints you might want to explore the Install from Media (IFM) possibilities.

Take care of FSMOs and GCs

Using the Active Directory Sites and Services MMC Snap-in make new Windows Server 2008 Domain Controllers Global Catalog servers appropriately.

Also transfer the Flexible Single Master Operations (FSMO) Roles to the appropriate servers. You can use the graphical interface to move the FSMO roles from your Windows Server 2003 servers to Windows Server 2008. Another option is using ntdsutil.

In multiple Domain Controller scenarios Jorge has a good rule of thumb on Global Catalogs and the Infrastructure Master Flexible Single Master Operations (FSMO) Role. Either:

  • Don't make the Domain Controller holding the Infrastructure Master Flexible Single Master Operations (FSMO) Role a Global Catalog server;
  • Make all Domain Controllers Global Catalog servers.

When your environment includes Microsoft Exchange Server, reboot a Domain Controller after making it a Global Catalog server. Exchange and Outlook clients use the Name Service Provider Interface (NSPI) on Global Catalogs for MAPI address book lookups. Although the Active Directory Sites and Services MMC Snap-in doesn't ask for it, you need to restart a Domain Controller at least once after making it a Global Catalog before NSPI is available and it starts talking MAPI.

Make sure your Windows Server 2003 Domain Controllers are no longer clinging on to any of the Flexible Single Master Operations (FSMO) Roles, using the graphical user interface or the following command with netdom.exe (from the Windows Server 2003 Support Tools; built into Windows Server 2008):

netdom.exe query fsmo
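The per-Domain-Controller table the Documentation step asks for, the adprep replication check from Prepare your Active Directory environment, and the Global Catalog / Infrastructure Master rule above, collected by one script. This is an added example and not part of the original post. It uses ADSI only, so it runs from a Windows Server 2003 Domain Controller or member server without the Active Directory module, makes no changes, and only needs a domain user. The expected version numbers are Microsoft's documented Windows Server 2008 values; the CSV path is a placeholder.

```powershell
# Added example: read-only Active Directory inventory before (and after) the transition.
# Assumptions: run as a domain user against the default DC; CSV path is a placeholder.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

function Get-AdsiValue {
    # One attribute of one object, or $null if the object or attribute is absent
    # (the ForestUpdates/DomainUpdates objects do not exist until adprep has run).
    param([string]$Dn, [string]$Attribute)
    try {
        $entry = [ADSI]"LDAP://$Dn"
        $entry.RefreshCache()                      # forces the bind; throws on a missing object
        if ($entry.Properties[$Attribute].Count -eq 0) { return $null }
        return $entry.Properties[$Attribute][0]
    } catch { return $null }
}

function Get-FsmoHolder {
    # fSMORoleOwner is the DN of the owner's NTDS Settings object; the next RDN is the server
    param([string]$Dn)
    $owner = [string](Get-AdsiValue $Dn 'fSMORoleOwner')
    if (-not $owner) { return $null }
    return (($owner -split ',')[1] -replace '^CN=', '')
}

# 1. Where the five roles live right now (compare with: netdom.exe query fsmo)
$fsmo = New-Object PSObject -Property @{
    SchemaMaster         = Get-FsmoHolder $schemaNc
    DomainNamingMaster   = Get-FsmoHolder "CN=Partitions,$configNc"
    PdcEmulator          = Get-FsmoHolder $domainNc
    RidMaster            = Get-FsmoHolder "CN=RID Manager`$,CN=System,$domainNc"
    InfrastructureMaster = Get-FsmoHolder "CN=Infrastructure,$domainNc"
}

# 2. Did forestprep/domainprep land and replicate to the DC we are talking to?
$prep = New-Object PSObject -Property @{
    SchemaVersion  = Get-AdsiValue $schemaNc 'objectVersion'                                                   # 44 = Windows Server 2008
    ForestRevision = Get-AdsiValue "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc" 'revision'           # 2  = 2008 forestprep
    DomainRevision = Get-AdsiValue "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc" 'revision' # 3  = 2008 domainprep
    DomainLevel    = Get-AdsiValue $domainNc 'msDS-Behavior-Version'                                           # 2  = 2003, 3 = 2008
}
$prep | Add-Member NoteProperty AdprepFor2008Done (
    ([int]$prep.SchemaVersion -ge 44) -and ([int]$prep.ForestRevision -ge 2) -and ([int]$prep.DomainRevision -ge 3))

# 3. Every DC in the forest, its site, and whether it is a Global Catalog (bit 0 of options on nTDSDSA)
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configNc")
$searcher.Filter   = '(objectClass=nTDSDSA)'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('options')
$dcs = foreach ($result in $searcher.FindAll()) {
    $server = $result.GetDirectoryEntry().Parent   # CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $site   = $server.Parent.Parent
    $options = 0
    if ($result.Properties['options'].Count -gt 0) { $options = [int]$result.Properties['options'][0] }
    New-Object PSObject -Property @{
        Server          = [string]$server.Properties['dNSHostName'][0]
        Site            = [string]$site.Properties['name'][0]
        IsGlobalCatalog = [bool]($options -band 1)
    }
}

# 4. Jorge's rule from the post: the Infrastructure Master must not be a GC unless every DC is one
#    (in a single-domain forest the role has nothing to do, so the warning is harmless there)
$nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
$imIsGc = @($dcs | Where-Object { $_.IsGlobalCatalog -and $_.Server -like "$($fsmo.InfrastructureMaster).*" }).Count -gt 0
if ($imIsGc -and $nonGc.Count -gt 0) {
    Write-Warning "Infrastructure Master $($fsmo.InfrastructureMaster) is a GC while $($nonGc.Count) DC(s) are not: cross-domain object references will stop being updated."
}

$fsmo | Format-List
$prep | Format-List
$dcs  | Sort-Object Site, Server | Format-Table Site, Server, IsGlobalCatalog -AutoSize
$dcs  | Export-Csv -Path 'C:\Temp\dc-inventory.csv' -NoTypeInformation   # placeholder path
```

Run it once before adprep and keep the CSV with the DSRM passwords and service account documentation; run it again after the FSMO transfer, and the SchemaMaster through InfrastructureMaster fields must all name Windows Server 2008 machines before you demote anything. Because Get-AdsiValue binds to whichever Domain Controller answered RootDSE, run it with a different DC in the path (LDAP://dc02.example.local/...) to confirm the adprep changes replicated there too.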

Check proper installation and replication

It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize specifically are:

  • dcpromo.log
    All the events regarding the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services
  • dcpromoui.log
    all the events from a graphical interface perspective

Also check the event viewer.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the replmon and repadmin tools to check and optionally troubleshoot proper Active Directory replication.

Demote Windows Server 2003 Domain Controllers

I've seen Domain Controllers become the prostitutes of the server room in many environments. Any software that didn't require a dedicated server or was deemed highly dependent on the Active Directory was installed on the Domain Controller. When you're one of the administrators treating their Domain Controllers like that, you're going to have a hard time demoting your Domain Controllers. Testing demotions in a separate (virtual) testing environment could give you a clear picture of the behavior of your Windows Server 2003 ex-Domain Controllers though!

From my personal experience I can tell you it's not recommended to demote a Domain Controller on which Exchange Server or Internet Information Services was installed after it was promoted. You're going to have to find another box to install these services on.

When your Windows Server 2003 Domain Controllers are also Domain Name System (DNS) servers it is recommended to change the DNS zones into Active Directory Integrated DNS zones (when possible) so they get replicated to any Domain Controller running the DNS service. Installing the DNS Server role on a Windows Server 2008 would then suffice to migrate DNS settings. Be sure to change the DNS information on your other servers and workstations, before removing DNS servers from your network.

You can safely demote a Domain Controller using the dcpromo.exe command. If you're unsuccessful you might want to try to remove the server from Active Directory the hard way, which Jorge describes here. (leaving out the percussive maintenance option though)

Raise the domain functional level

After you've successfully demoted the last Windows Server 2003 Domain Controller for a specific domain (or you don't feel the need to ever add pre-Windows Server 2008 Domain Controllers to your Active Directory environment) you're ready to raise the Domain functional level of that domain.

Upgrading the domain functional level to Windows Server 2008 adds the following features to your environment:

  • Distributed File System Replication (DFS-R) support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents with minimal replication traffic compared to FRS.
  • Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.
  • Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
  • Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain, instead of per domain only.

Note:
Raising the functional level is a one way procedure. Once you've raised your domain functional level there's no way to return to the previous domain functional level.

Raising the domain functional level in Windows Server 2008 looks remarkably similar to raising the domain functional level on Windows Server 2003:

  1. Log on to the Domain Controller holding the PDC Emulator FSMO role with a user account that is a member of the Domain Admins group.
  2. Open Active Directory Domains and Trusts.
  3. In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
  4. In Select an available domain functional level, click Windows Server 2008, and then click Raise.

Upgrade the forest functional level

After you've successfully upgraded the domain functional level of all the domains in your Active Directory forest you're ready to upgrade the forest functional level. This will not add any features, but all domains subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.

Note:
Raising the functional level is a one way procedure. Once you've raised your forest functional level there's no way to return to the previous forest or domain functional levels.

To upgrade the forest functional level to Windows Server 2008 perform the following actions:

  1. Log on to the Domain Controller of the forest root domain holding the PDC Emulator FSMO role with a user account that is a member of the Enterprise Admins group.
  2. Open Active Directory Domains and Trusts.
  3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
  4. Under Select an available forest functional level, click Windows Server 2008, and then click Raise.

Concluding

Transitioning your Active Directory to Windows Server 2008 seems as easy as running adprep and installing Windows Server 2008 Domain Controllers. It might be, in small shops with a single Domain Controller in a single Active Directory domain in its own forest with a single Active Directory site.

Be sure to check whether what you're doing is successfully installed, performed and replicated before you screw up your Active Directory environment though!