Tuesday, February 17, 2015

Step by step guide for upgrading Active Directory from Microsoft Windows 2003 to Microsoft Windows Server 2008

This post gives a step by step approach on how to upgrade your Active Directory from Microsoft Windows 2003 to Microsoft Windows Server 2008. Preparing your Active Directory infrastructure for the upgrade to Windows Server 2008 includes the following tasks:
  • Prepare Windows Server 2003 forest schema for a domain controller that runs Windows Server 2008
  • Prepare Windows Server 2003 domain for a domain controller that runs Windows Server 2008
Note: Review the list of operations that Adprep.exe performs in Windows Server 2008, and test the schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment. There should not be any conflicts if your applications use RFC-compliant object and attribute definitions. For a list of specific operations that are performed when you update the Active Directory schema, see Appendix of Changes to Adprep.exe to support AD DS in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=122499).
You can also test the Active Directory upgrade in a test environment with all the applications configured for testing purposes.

Before you can add a domain controller that is running Windows Server 2008 to an Active Directory environment that is running Windows 2000 Server or Windows Server 2003, you must update the Active Directory schema. You must update the schema from the domain controller that hosts the schema operations master role (also known as flexible single master operations or FSMO). If you are performing an unattended installation of Active Directory Domain Services (AD DS) with Windows Server 2008, you must update the schema before you install the operating system. For normal installations, you must update the schema after you run Setup and before you install AD DS.
Use the following procedure to update the Windows Server 2003 Active Directory schema for Windows Server 2008.
Membership in Enterprise Admins, Schema Admins, and Domain Admins for the domain that contains the schema master is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To prepare the forest schema for Windows Server 2008

  1. Identify the schema master: at a command prompt, type dsquery server -hasfsmo schema, and then press ENTER.
  2. Log on to the schema master as a member of the Enterprise Admins, Schema Admins, and Domain Admins groups.
  3. Insert the Windows Server 2008 DVD into the CD/DVD drive. Copy the content of the \sources\adprep folder to an Adprep folder on the schema master.
  4. Open a command prompt, and then change directories to the Adprep folder.
  5. At the command prompt, type the following command, and then press ENTER. Adprep asks you to confirm that every Windows 2000 domain controller in the forest is at Service Pack 4 or later; if that is true, type C and press ENTER to continue:
adprep /forestprep
  6. (Optional) If you plan to install a read-only domain controller (RODC) in any domain in the forest, type the following command, and then press ENTER. This command must be able to contact the infrastructure master of every domain and application directory partition in the forest; if one is unreachable it reports the partition it could not update, and you can rerun the command later:
adprep /rodcprep
  7. Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008.

After you prepare the forest, you need to prepare any domain for which you plan to install a domain controller that runs Windows Server 2008.
Use the following procedure to prepare a Windows 2000 or Windows Server 2003 domain for Windows Server 2008.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To prepare a Windows 2003 domain for Windows Server 2008
  1. Identify the domain infrastructure operations master role holder in either of the following ways:
    • In the Active Directory Users and Computers snap-in, right-click the domain object, click Operations Masters, and then click Infrastructure.
    • At a command prompt, type dsquery server -hasfsmo infr, and then press ENTER.
  2. Log on to the infrastructure master as a member of the Domain Admins group.
  3. Insert the Windows Server 2008 DVD into the CD/DVD drive. Copy the content of the \sources\adprep folder to an Adprep folder on the infrastructure master.
  4. Open a command prompt, and then change directories to the Adprep folder.
  5. Type the following command, and then press ENTER. The /gpprep switch adds inheritable permissions to every existing Group Policy object in SYSVOL, which triggers a full re-replication of SYSVOL; if /gpprep was already run in this domain when it was prepared for Windows Server 2003, adprep /domainprep on its own is sufficient:
adprep /domainprep /gpprep
  6. Allow the operation to complete, and then allow the changes to replicate throughout the forest before you install a domain controller that runs Windows Server 2008.
After the forest and the domain have been prepared, new Windows Server 2008 based domain controllers can be added to the domain.
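The three things a practitioner wants to verify around adprep are which servers hold the schema and infrastructure master roles (that is where the commands must be run), what the forest schema version is before and after /forestprep, and whether the new schema version has actually reached every domain controller before /domainprep or dcpromo is attempted. The script below is an added example and is not part of the original post or of Microsoft's documentation; it assumes PowerShell 2.0 or later on a domain-joined machine and uses only System.DirectoryServices (ADSI), so it needs no RSAT module. The schema version table contains Microsoft's published objectVersion values; the function names are mine.

```powershell
# Added example; not part of the original post or of Microsoft's adprep guidance.
# Assumes PowerShell 2.0 or later on a domain-joined machine. Uses only
# System.DirectoryServices (ADSI), present on Windows Server 2003/2008, so no RSAT needed.

# Schema objectVersion per OS level (Microsoft-published values)
$schemaVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2';
                     44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }

function Get-FsmoRoleHolders {
    # Each role-bearing object stores the DN of the holder's "NTDS Settings" object in
    # fSMORoleOwner; its parent is the server object, whose dNSHostName we report.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext.Value
    $schemaNC = $rootDse.schemaNamingContext.Value
    $domainNC = $rootDse.defaultNamingContext.Value
    $roleObjects = @{
        'Schema master'         = "LDAP://$schemaNC"                     # run adprep /forestprep here
        'Domain naming master'  = "LDAP://CN=Partitions,$configNC"
        'PDC emulator'          = "LDAP://$domainNC"
        'RID master'            = "LDAP://CN=RID Manager`$,$domainNC"
        'Infrastructure master' = "LDAP://CN=Infrastructure,$domainNC"   # run adprep /domainprep here
    }
    foreach ($role in $roleObjects.Keys) {
        $ntdsDn = ([ADSI]$roleObjects[$role]).fSMORoleOwner.Value
        $server = ([ADSI]"LDAP://$ntdsDn").psbase.Parent
        New-Object PSObject -Property @{
            Role   = $role
            Holder = $server.psbase.Properties['dNSHostName'].Value
        }
    }
}

function Get-SchemaVersion {
    param([string]$Server)   # omit to use whatever DC the locator hands you
    $schemaNC = ([ADSI]'LDAP://RootDSE').schemaNamingContext.Value
    if ($Server) { $path = "LDAP://$Server/$schemaNC" } else { $path = "LDAP://$schemaNC" }
    return [int](([ADSI]$path).psbase.Properties['objectVersion'].Value)
}

function Test-SchemaReplicated {
    # Bind to every DC in the forest directly and read objectVersion. Run this after
    # adprep /forestprep, and do not start domainprep or dcpromo until every row is Ready.
    param([int]$Expected = 44)   # 44 = Windows Server 2008
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            try   { $v = Get-SchemaVersion -Server $dc.Name }
            catch { $v = -1 }                                  # unreachable or access denied
            New-Object PSObject -Property @{
                DC            = $dc.Name
                SchemaVersion = $v
                Ready         = ($v -eq $Expected)
            }
        }
    }
}

# Usage
Get-FsmoRoleHolders | Format-Table Role, Holder -AutoSize
$current = Get-SchemaVersion
"Forest schema version: $current ($($schemaVersions[$current]))"
Test-SchemaReplicated -Expected 44 | Format-Table DC, SchemaVersion, Ready -AutoSize
```

A Windows Server 2003 forest reports schema version 30 (31 for 2003 R2) before adprep /forestprep and 44 afterwards. A DC that still shows the old value, or -1, has not received the schema change yet; promoting a Windows Server 2008 domain controller that replicates from such a DC is what produces the "schema is not up to date" failures in dcpromo, so wait for every row to read Ready before continuing.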
Install Active Directory Domain Services (AD DS) on a Windows Server 2008–based member server that is located in the domain by using the Active Directory Domain Services Installation Wizard (Dcpromo.exe). After you install AD DS successfully, the Windows Server 2008–based member server will become a domain controller. You can install AD DS on any Windows Server 2008–based member server that meets the domain controller hardware requirements.
You can install AD DS using the Windows Server 2008 Windows interface. The Windows interface in Windows Server 2008 provides two wizards that guide you through the Active Directory Domain Services (AD DS) installation process. One wizard is the Add Roles Wizard, which you can access in Server Manager. The other wizard is the Active Directory Domain Services Installation Wizard (Dcpromo.exe), which you can access in either of the following ways:
  • When you complete the steps in the Add Roles Wizard, click the link to start the Active Directory Domain Services Installation Wizard.
  • Click Start, click Run, type dcpromo.exe, and then click OK.
Membership in the local Administrators group on the member server, or equivalent, is the minimum required to run the wizard; the domain credentials you supply during the wizard must be a member of Domain Admins or Enterprise Admins. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To install AD DS on a Windows Server 2008–based member server:
  1. Click Start, and then click Server Manager.
  2. In Roles Summary, click Add Roles.
  3. If necessary, review the information on the Before You Begin page, and then click Next.
  4. On the Select Server Roles page, select the Active Directory Domain Services check box, and then click Next.
  5. If necessary, review the information on the Active Directory Domain Services page, and then click Next.
  6. On the Confirm Installation Selections page, click Install.
  7. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
  8. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next. If you want to install from media, or identify the source domain controller for AD DS replication as part of the installation of the additional domain controller, click Use advanced mode installation.
  9. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next. The warning concerns the setting "Allow cryptography algorithms compatible with Windows NT 4.0", which is disabled by default on Windows Server 2008 domain controllers, so Windows NT 4.0 and some older third-party SMB clients can no longer establish a secure channel with the new domain controller.
  10. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.
  11. On the Network Credentials page, type the name of any existing domain in the forest where you plan to install the additional domain controller. Under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.
  12. On the Select a Domain page, select the domain of the new domain controller, and then click Next.
  13. On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next.
  14. On the Additional Domain Controller Options page, make the following selections, and then click Next:
    • DNS server: This option is selected by default so that your domain controller can function as a DNS server.
      Note: If you select the option to install DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes and disregard the message.
    • Global Catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality.
    • Read-only domain controller: This option is not selected by default. It makes the additional domain controller read-only, and it requires that adprep /rodcprep has already been run in the forest.
  15. If you selected Use advanced mode installation on the Welcome page, the Install from Media page appears. You can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can have all the replication done over the network. Note that some data will be replicated over the network even if you install from media. For information about using this method to install the domain controller, see Installing AD DS from Media.
  16. If you selected Use advanced mode installation on the Welcome page, the Source Domain Controller page appears. Click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify a domain controller that you want to provide as a source for replication to create the new domain controller, and then click Next. If you do not choose to install from media, all data will be replicated from this source domain controller.
  17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the system volume (SYSVOL) files, and then click Next. Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files.
  18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password belongs to the local Administrator account that is used when you start the domain controller in Directory Services Restore Mode (DSRM) for tasks that must be performed offline, such as restoring AD DS. It is separate from the domain Administrator password, so choose a strong, unique value and record it in your password vault; it is rarely used and easily lost.
  19. On the Summary page, review your selections. Click Back to change any selections, if necessary. To save the settings that you have selected to an answer file that you can use to automate subsequent Active Directory operations, click Export settings. Type the name for your answer file, and then click Save. When you are sure that your selections are accurate, click Next to install AD DS.
  20. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
  21. You can either select the Reboot on completion check box to have the server restart automatically, or you can restart the server to complete the AD DS installation when you are prompted to do so.

Monday, September 17, 2012

About Quorum in Windows Server 2008

We Highly Recommend the New Quorum Models in Windows 2008

Microsoft Cluster Services has been completely redesigned in Windows 2008 (it is now called Failover Clustering). Windows 2008 offers new Quorum Models that are much superior to the Quorum Models in Windows 2003.

1.        What is Quorum and why is it so important?

Quorum is extremely important for any high availability solution, particularly so when the cluster nodes are in different data centers. Consider a cluster whose nodes sit in two data centers several office blocks apart. If the network between the two data centers fails and isolates or "partitions" the cluster nodes, a cluster "split" can occur. If the node in each data center believes that it should run, the cluster has "split brain syndrome", meaning the highly available single SAP system has split into two systems. In the worst case scenario users would log into each of the two "split" systems and start entering data on both sides.

To avoid split brain syndrome most cluster implementations use some form of voting in order to "elect" by majority an "owner" of a cluster service (such as SAP, SQL or any other service). The concept is similar to a parliament, house or committee. If too few members are present (fewer than floor(n/2) + 1 of the n voters), the committee does not have a quorum (the required minimum number of votes) and cannot hold an election. In a cluster with only two nodes a 1:1 split can never produce a majority, so a third "tie breaker" vote is cast by a Witness (a shared disk or a file share) or arbitrator.

2.        What happens if a cluster loses Quorum?

Many customers and partners are surprised to learn that if a healthy running cluster loses Quorum, Microsoft Cluster Services is deliberately designed to stop the cluster service (meaning SAP and SQL will be shut down). The reason for this relates to topic #1 above: the cluster software must protect against a "split brain", and this can only be guaranteed if a majority of the votes, (n/2) + 1, are available and cast.

Therefore it is critical to ensure that Quorum is always maintained or the cluster service will be stopped. Majority Node Set clusters can be forced to start manually without a majority (see ForceQuorum, for example net start clussvc /forcequorum). Treat this as a last resort: it switches off exactly the split-brain protection described above, so force quorum on one partition only, and only after you have confirmed that the nodes on the other side are really down and not merely unreachable.

3.        Which Quorum Models are Available in Windows 2003?

The most commonly deployed Quorum Model is the Shared Disk Quorum Model. This is very often the "Q: Drive" on Windows 2003 clusters (though there is no requirement for "Q:"). This Quorum Model uses SCSI RESERVE commands to establish possession of a shared Quorum disk: only the node that holds the reservation can run the cluster.

The biggest drawback of having a single disk as the Quorum is that the disk is, in and of itself, a Single Point of Failure (SPOF). The design premise of an HA solution is to eliminate all SPOFs in the infrastructure. For this reason Microsoft released an enhancement for Windows 2003 Service Pack 1 to support Majority Node Set with a File Share Witness. This Quorum Model does not require a "Q: Drive"; the Quorum state is replicated into the %SystemRoot%\Cluster directory of each node. This Quorum Model is highly recommended for mission critical clusters or geographically dispersed clusters.

4.        Which Quorum Models are Available in Windows 2008 or higher?

Windows 2008 and higher offers the following Quorum Models.

The Quorum models are discussed in detail here.

  1. Node Majority quorum mode - intended for an odd number of nodes, since only the nodes vote. Uncommon for SAP systems.
  2. Node and Disk Majority quorum mode - a combination of node votes and a Quorum disk vote. This Quorum Model can be used for clusters where the nodes are all in the one data center.
  3. Node and File Share Majority quorum mode - common for SAP systems and can also be used for Geographically Dispersed Clusters.
  4. No Majority: Disk Only quorum mode - the traditional Windows 2003 Quorum Disk Model. We recommend that you discontinue use of this Model.

In addition to the above there are configurations using Node Majority where the cluster is stretched across two data centers. These "stretch clusters" are called Geoclusters. Please contact Microsoft if you are planning to implement a Geocluster for SAP. Also please note that although Windows 2008 supports cluster nodes on different IP subnets, SAP does not. Therefore it is still mandatory to span a VLAN across multiple data centers: technically the SAP application server cannot handle the Message Server changing its IP address suddenly. Today we have many customers running SAP on SQL Server with a Geocluster. An example is Queensland Railways.
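The vote arithmetic behind sections 1, 2 and 4 is easy to get wrong in a design review, so the script below models it for the four Windows 2008 quorum modes and plays through a two-data-center split and a witness outage. It is an added example and not part of the original post or of Microsoft's clustering code; it assumes one vote per node, one vote for the disk or file share witness, and that the cluster service only stays up on a partition holding a strict majority of all votes. The function names are mine; the Get-ClusterQuorum and Set-ClusterQuorum cmdlets quoted at the end are the real ones from the FailoverClusters module (Windows Server 2008 R2 and later), and fsw01 is a hypothetical file server name.

```powershell
# Added example; not part of the original post. Models quorum voting for the four
# Windows Server 2008 quorum modes. Assumptions: one vote per node, one vote for a
# disk or file share witness, survival requires a strict majority of all votes.

$quorumModels = 'NodeMajority', 'NodeAndDiskMajority', 'NodeAndFileShareMajority', 'DiskOnly'

function Test-QuorumSurvives {
    param(
        [string]$Model,
        [int]$TotalNodes,          # nodes configured in the cluster
        [int]$PartitionNodes,      # nodes on "our" side of the split (still able to talk)
        [bool]$WitnessReachable    # can our side still reach the disk / file share witness?
    )
    if ($PartitionNodes -le 0) { return $false }
    switch ($Model) {
        'NodeMajority' {
            $totalVotes = $TotalNodes
            $ourVotes   = $PartitionNodes
        }
        'NodeAndDiskMajority' {
            $totalVotes = $TotalNodes + 1
            $ourVotes   = $PartitionNodes + [int]$WitnessReachable
        }
        'NodeAndFileShareMajority' {
            $totalVotes = $TotalNodes + 1
            $ourVotes   = $PartitionNodes + [int]$WitnessReachable
        }
        'DiskOnly' {
            # Windows 2003 style "Q: drive": whoever holds the quorum disk owns the cluster.
            # Node count is irrelevant, which is also what makes the disk a single point of failure.
            return $WitnessReachable
        }
        default { throw "Unknown quorum model '$Model'" }
    }
    # Majority = strictly more than half of all votes, i.e. floor(n/2) + 1
    return ($ourVotes -ge ([math]::Floor($totalVotes / 2) + 1))
}

function Show-SplitScenario {
    param(
        [string]$Description,
        [int]$TotalNodes,
        [int]$SideANodes,           # side A is the data center that hosts the witness
        [bool]$WitnessUp = $true
    )
    $sideBNodes = $TotalNodes - $SideANodes
    foreach ($model in $quorumModels) {
        $a = Test-QuorumSurvives -Model $model -TotalNodes $TotalNodes -PartitionNodes $SideANodes -WitnessReachable $WitnessUp
        $b = Test-QuorumSurvives -Model $model -TotalNodes $TotalNodes -PartitionNodes $sideBNodes -WitnessReachable $false
        if ($a -and $b)               { $outcome = 'SPLIT BRAIN: both sides run' }
        elseif (-not $a -and -not $b) { $outcome = 'OUTAGE: cluster service stops everywhere' }
        elseif ($a)                   { $outcome = 'side A keeps running' }
        else                          { $outcome = 'side B keeps running' }
        New-Object PSObject -Property @{ Scenario = $Description; Model = $model; Outcome = $outcome }
    }
}

$results = @(
    # Two data centers, one node each, inter-site link cut; the witness lives with side A
    Show-SplitScenario '2 nodes, 1:1 split'    -TotalNodes 2 -SideANodes 1
    # Four nodes split evenly across the two sites
    Show-SplitScenario '4 nodes, 2:2 split'    -TotalNodes 4 -SideANodes 2
    # No network split at all, but the witness (disk or share) is lost
    Show-SplitScenario '2 nodes, witness lost' -TotalNodes 2 -SideANodes 2 -WitnessUp $false
)
$results | Format-Table Scenario, Model, Outcome -AutoSize

# Inspecting or changing the real configuration (Windows Server 2008 R2 or later):
#   Import-Module FailoverClusters
#   Get-ClusterQuorum
#   Set-ClusterQuorum -NodeAndFileShareMajority '\\fsw01\ClusterWitness$'   # fsw01: hypothetical server outside the cluster
```

The table shows why the post recommends a witness: with Node Majority an even split stops the cluster service on both sides (an outage rather than split brain, because no side reaches floor(n/2) + 1), while the two witness models keep the side that can still reach the witness running and stop the other. The last scenario shows the SPOF of the Disk Only model: losing the quorum disk alone takes down a cluster whose nodes are all healthy, whereas the majority models survive it. Place a file share witness on a server that is not a cluster node and, for a stretch cluster, ideally in a third location, so that losing one data center never removes both a node and the witness vote at the same time.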

 5.        Which Quorum Model is recommended for SAP Systems?

Each customer environment is different; however, in general we would encourage customers to evaluate Node and File Share Majority or Node and Disk Majority on Windows 2008 or higher. Further information can be found in the section "Choosing the quorum mode for a particular cluster".

6.        Does SAP support the new Quorum Models?

Yes; in fact SAP supports Majority Node Set with a File Share Witness even on Windows 2003. Today some of our largest customers are running this Quorum Model on Windows 2003 or Windows 2008. Quanta in Taiwan uses a Majority Node Set and File Share Witness Quorum Model.

In the back pages of the SAP Windows SQL Installation Guide there are sections dealing with MSCS clustering.  Majority Node configuration is discussed in this SAP document.

7.        What are Multi-SID SAP Clusters?

SAP supports installing multiple SAP systems onto a single set of servers in a cluster. As SAP benchmarks show that Intel servers are becoming extremely powerful (a single 4 CPU Intel server supports over 57,000 SAPS and 10,000 users), it no longer makes sense to create separate Active/Passive clusters for each SAP component (such as ECC, BW, EP etc.).

The Best Practices for installing a Multi-SID SAP cluster will be the topic of a Blog coming soon.  We will also provide some examples of successful Multi-SID customer deployments.  The SAP Installation Guide for Multi-SID Clusters is available for download.

8.        What are some of the other changes in Windows 2008 Clustering?

Windows 2008 clustering has changed so dramatically from Windows 2003 that a direct upgrade is not possible. There are some options discussed in this blog; however, for SAP systems the only supported procedure is an SAP Homogeneous System Copy (this involves a complete reinstallation of the operating system and database). This is very simple and quick for SAP on SQL Server. Refer to the SAP System Copy Guide and the notes listed in section 3 of this blog.

Other changes include a redesigned cluster admin tool, cluster validation tool and an increase of the maximum number of nodes in a single cluster from 8 to 16.  Today many SAP customers are deploying 3-4 node Multi-SID clusters.

9.        List of some important Notes, KB articles and Documents for Clustering

Below is a list of useful links:

 Highly recommended is this blog : http://blogs.msdn.com/b/clustering/

http://blogs.msdn.com/b/clustering/archive/2008/05/10/8483427.aspx

 This webcast is strongly recommended for those evaluating a Geographically Dispersed Cluster:

https://msevents.microsoft.com/cui/WebCastEventDetails.aspx?culture=en-US&EventID=1032364834&CountryCode=US

http://msmvps.com/blogs/jtoner/default.aspx

 



Friday, September 14, 2012

DNS Interview Questions

 
DNSInterviewQuestionsandAnswer1.Secureservicesinyournetworkrequirereversenameresolutiontomakeitmoredifficulttolaunchsuccessfulattacksagainsttheservices.Tosetthisup,youconfigureareverselookupzoneandproceedtoaddrecords.Whichrecordtypesdoyouneedtocreate?2.WhatisthemainpurposeofaDNSserver?3.SOArecordsmustbeincludedineveryzone.Whataretheyusedfor?4.Bydefault,ifthenameisnotfoundinthecacheorlocalhostsfile,whatisthefirststeptheclienttakestoresolvetheFQDNnameintoanIPaddress?5.WhatisthemainpurposeofSRVrecords?6.Beforeinstallingyourfirstdomaincontrollerinthenetwork,youinstalledaDNSserverandcreatedazone,namingitasyouwouldnameyourADdomain.However,aftertheinstallationofthedomaincontroller,youareunabletolocateinfrastructureSRVrecordsanywhereinthezone.Whatisthemostlikelycauseofthisfailure?7.WhichofthefollowingconditionsmustbesatisfiedtoconfiguredynamicDNSupdatesforlegacyclients?8.Atsomepointduringthenameresolutionprocess,therequestingpartyreceivedauthoritativereply.Whichfurtheractionsarelikelytobetakenafterthisreply?9.Yourcompanyusestendomaincontrollers,threeofwhicharealsousedasDNSservers.YouhaveonecompanywideAD-integratedzone,whichcontainsseveralthousandresourcerecords.Thiszonealsoallowsdynamicupdates,anditiscriticaltokeepthiszoneup-to-date.Replicationbetweendomaincontrollerstakesupasignificantamountofbandwidth.Youarelookingtocutbandwidthusageforthepurposeofreplication.Whatshouldyoudo?10.YouareadministeringanetworkconnectedtotheInternet.Youruserscomplainthateverythingisslow.PreliminaryresearchoftheproblemindicatesthatittakesaconsiderableamountoftimetoresolvenamesofresourcesontheInternet.Whatisthemostlikelyreasonforthis?Answers……………
…….1.PTRRecords2.DNSserversareusedtoresolveFQDNhostnamesintoIPaddressesandviceversa3.SOArecordscontainaTTLvalue,usedbydefaultinallresourcerecordsinthezone.SOArecordscontainthee-mailaddressofthepersonwhoisresponsibleformaintainingthezone.SOArecordscontainthecurrentserialnumberofthezone,whichisusedinzonetransfers.4.PerformsarecursivesearchthroughtheprimaryDNSserverbasedonthenetworkinterfaceconfiguration5.SRVrecordsareusedinlocatinghoststhatprovidecertainnetworkservices.6.Thezoneyoucreatedwasnotconfiguredtoallowdynamicupdates.ThelocalinterfaceontheDNSserverwasnotconfiguredtoallowdynamicupdates.7.Thezonetobeusedfordynamicupdatesmustbeconfiguredtoallowdynamicupdates.TheDHCPservermustsupport,andbeconfiguredtoallow,dynamicupdatesforlegacyclients.8.Afterreceivingtheauthoritativereply,theresolutionprocessiseffectivelyover.9.ChangethereplicationscopetoallDNSserversinthedomain.10.DNSserversarenotcachingreplies..Localclientcomputers arenotcachingreplies…Thecache.dnsfilemayhavebeencorruptedontheserver.