We are in the process of doing this. Outside of the procedural items you 
outlined, have you looked into the other possible issues you may run into 
(besides the CS stuff)? Here is the list that I have been using for our 
environment: 

1.      LanMan Hash:
http://support.microsoft.com/kb/946405 

2.      SMB signing (UNIX? )
http://technet.microsoft.com/en-us/library/cc731654.aspx 


3.      LmCompatibilityLevel
http://technet.microsoft.com/en-us/library/cc960646.aspx 

By default the new setting on 2008 R2 will take this setting from a 2 to a 
3.


4.      5000 attributes in LDAP response

http://support.microsoft.com/default.aspx?scid=kb;en-US;2009267 

http://blogs.technet.com/b/qzaidi/archive/2010/09/02/override-the-hardcoded-ldap-query-limits-introduced-in-windows-server-2008-and-windows-server-2008-r2.aspx


5.      For other operating system implementations (such as Netapp, Samba, 
EMC, etc), it is strongly suggested to contact those vendors to get their 
supportability matrix for Windows as client and as DC.

6.      SSL connections to the nodes by using the alias name from an LDAPS 
client http://support.microsoft.com/kb/2275950 
http://support.microsoft.com/kb/2282241 


7.      Windows Vista and Windows Server 2008 and later operating systems 
use a higher range of ports for outgoing connections than previous 
versions of Windows. The new default start port is 49152, and the default 
end port is 65535. This is a change from the configuration of earlier 
versions of Windows that used a default port range of 1025 through 5000. 
If you receive errors indicating that “the endpoint mapper is out of 
endpoints,” especially after retiring domain controllers that run Windows 
2000 or Windows Server 2003, you might need to reconfigure firewalls and 
routers to use the new default port range. For more information, see 
article 929851 (http://go.microsoft.com/fwlink/?LinkID=153117).

8.      See Microsoft Security Advisory (937811) (
http://go.microsoft.com/fwlink/?LinkId=164559) and article 976918 in the 
Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=178251 ).

9.      .NET Framework 3.5 SP1 or earlier:

http://support.microsoft.com/default.aspx?scid=kb;en-US;2260240

Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
[email protected] 

The Guardian Life Insurance Company of America
www.guardianlife.com

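For anyone working through the checklist above, here is a read-only audit script (an added example, not from Chris's message or any Microsoft tooling) that reads the settings behind items 1, 2, 3, 4 and 7 on the DC it runs on and flags the ones that change behaviour on 2008 R2. The registry paths and value names are the standard Windows locations for these settings; the Default Query Policy DN and the ActiveDirectory PowerShell module are assumed to be present.

```powershell
# Added example: read-only audit of checklist items 1, 2, 3, 4 and 7 on the local DC.
# Assumes an elevated session on a DC with the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory -ErrorAction Stop

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return $item.$Name
}

function New-Finding {
    param([string]$Item, [string]$Check, $Value, [bool]$Ok, [string]$Note = '')
    [pscustomobject]@{ Item = $Item; Check = $Check; Value = $Value; Ok = $Ok; Note = $Note }
}

function Get-DcUpgradeAudit {
    $f = @()

    # Item 1: NoLMHash=1 stops LM hashes being stored at the next password change (KB 946405).
    $noLm = Get-RegValue $Lsa 'NoLMHash'
    $f += New-Finding '1' 'LM hash storage disabled (NoLMHash)' $noLm ($noLm -eq 1) `
        'Anything still authenticating with LM will break; 2008 R2 enables this by default.'

    # Item 2: SMB signing. RequireSecuritySignature=1 makes signing mandatory; older UNIX/NAS
    # SMB stacks that cannot sign will fail against such a DC.
    $srvSign = Get-RegValue $Srv 'RequireSecuritySignature'
    $wksSign = Get-RegValue $Wks 'RequireSecuritySignature'
    $f += New-Finding '2' 'SMB signing required (server side)' $srvSign ($srvSign -eq 1) `
        'Default Domain Controllers Policy enforces this on DCs.'
    $f += New-Finding '2' 'SMB signing required (client side)' $wksSign ($wksSign -eq 1)

    # Item 3: LmCompatibilityLevel. 2003 defaults to 2, 2008 R2 to 3 (send NTLMv2 only).
    $lm = Get-RegValue $Lsa 'LmCompatibilityLevel'
    $note = if ($null -eq $lm) { 'Not set: OS default applies (2 on 2003, 3 on 2008 R2).' } else { '' }
    $f += New-Finding '3' 'LmCompatibilityLevel (>=3 sends NTLMv2 only)' $lm (($null -ne $lm) -and ($lm -ge 3)) $note

    # Item 4: LDAP query limits live on the Default Query Policy object in the configuration NC.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    $limits = (Get-ADObject -Identity $dn -Properties lDAPAdminLimits).lDAPAdminLimits
    foreach ($name in 'MaxPageSize', 'MaxValRange') {
        $entry = $limits | Where-Object { $_ -like "$name=*" } | Select-Object -First 1
        $val = if ($entry) { [int](($entry -split '=')[1]) } else { $null }
        $f += New-Finding '4' "LDAP policy $name" $val ($null -ne $val) `
            'Compare with the hard-coded limit described in KB 2009267 before relying on a larger value.'
    }

    # Item 7: RPC dynamic port range. Vista/2008 and later default to 49152-65535; earlier 1025-5000.
    $out = netsh interface ipv4 show dynamicport tcp
    $startMatch = $out | Select-String 'Start Port\s*:\s*(\d+)' | Select-Object -First 1
    $countMatch = $out | Select-String 'Number of Ports\s*:\s*(\d+)' | Select-Object -First 1
    $start = [int]$startMatch.Matches[0].Groups[1].Value
    $count = [int]$countMatch.Matches[0].Groups[1].Value
    $end = $start + $count - 1
    $f += New-Finding '7' 'RPC dynamic TCP port range' "$start-$end" ($start -ge 49152) `
        'Firewalls and routers between sites must allow this range to the new DCs (KB 929851).'

    return $f
}

Get-DcUpgradeAudit | Format-Table Item, Check, Value, Ok, Note -AutoSize -Wrap
```

Run it on an existing 2003 DC and on a freshly promoted 2008 R2 DC and diff the two tables; the rows where Ok flips are the ones to chase with the NAS/Samba vendors (item 5) and the firewall team (item 7) before the old DCs go away.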
From:   David Lum <[email protected]>
To:     "[email protected]" <[email protected]>
Date:   08/29/2013 05:39 PM
Subject:        [NTSysADM] Upgrade 2003 DC's
Sent by:        [email protected]



So… in my environment we have four ancient DCs. Two root DCs and two of 
five subdomain DCs. These have been around enough and our environment is 
complex enough that we aren’t sure how many systems rely on the specific 
IP or hostname.
 
Seems to me it should be fairly straightforward to stand up new with same 
name/IP as the originals:
 
·         Transfer all FSMO roles
·         Demote DC (DCPROMO)
·         Unjoin from domain
·         Power off
·         Build new server with same name
·         Join to domain
·         Install AD DS roles
·         DCPROMO
·         Transfer FSMO roles back (optional)
 
Now in one case the DC is also a certificate server, although we aren’t 
100% sure if/how it’s being used. Surely there are some caveats to 
consider?
David Lum 
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764
 

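The two open questions in David's post (what relies on the old name/IP, and whether the CA on one DC is actually used) can be narrowed down before the first FSMO transfer. The script below is an added, read-only example (not David's procedure and not Microsoft-provided tooling) that lists the FSMO roles the DC still holds, finds DNS A records and CNAMEs that resolve to it, and checks whether it is published as an enterprise CA and with which templates. It assumes the ActiveDirectory module and the MicrosoftDNS WMI provider on the DNS server; the DC name and IP at the bottom are placeholders.

```powershell
# Added example: pre-flight dependency check before retiring a DC (read-only).
# Assumes the ActiveDirectory module (RSAT) and a Windows DNS server exposing the
# root\MicrosoftDNS WMI namespace. OLDDC01 / 10.0.0.10 below are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DcRetirementPreflight {
    param(
        [Parameter(Mandatory)][string]$DcName,   # short name of the DC being retired
        [Parameter(Mandatory)][string]$DcIp,     # its current IP address
        [string]$DnsServer = $DcName             # DNS server to query for records
    )
    $report = [ordered]@{}
    $fqdn = (Get-ADDomainController -Identity $DcName).HostName

    # Step "Transfer all FSMO roles": list the roles this DC currently holds.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $report.FsmoRolesHeld = @($roles.GetEnumerator() |
        Where-Object { $_.Value -ieq $fqdn } | Select-Object -ExpandProperty Name)

    # Other A records on the same IP reveal names that were hard-coded against this box.
    $aRecords = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_AType -ComputerName $DnsServer
    $report.OtherNamesOnThisIp = @($aRecords |
        Where-Object { $_.IPAddress -eq $DcIp -and $_.OwnerName -ine $fqdn } |
        Select-Object -ExpandProperty OwnerName)

    # CNAMEs pointing at the DC are the aliases LDAPS/app clients may be using.
    $cnames = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_CNAMEType -ComputerName $DnsServer
    $report.AliasesOfThisDc = @($cnames |
        Where-Object { $_.PrimaryName.TrimEnd('.') -ieq $fqdn } |
        Select-Object -ExpandProperty OwnerName)

    # Certificate Services: is the service present, and is the CA published in AD with templates?
    $certSvc = Get-Service -ComputerName $DcName -Name CertSvc -ErrorAction SilentlyContinue
    $report.CertSvcState = if ($certSvc) { $certSvc.Status.ToString() } else { 'not installed' }
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
        -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties dNSHostName, certificateTemplates
    $thisCa = $cas | Where-Object { $_.dNSHostName -ieq $fqdn }
    $report.EnterpriseCaPublished = [bool]$thisCa
    $report.CaTemplates = @($thisCa | Select-Object -ExpandProperty certificateTemplates)

    return [pscustomobject]$report
}

Get-DcRetirementPreflight -DcName 'OLDDC01' -DcIp '10.0.0.10' | Format-List
```

An empty FsmoRolesHeld list is the precondition for the demote step; a non-empty OtherNamesOnThisIp or AliasesOfThisDc list is the inventory of systems to re-point (or the argument for reusing the same name and IP, as the post proposes); and a published CA with templates means the certificate server is in use and needs its own migration plan before the DC is demoted.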

-----------------------------------------
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibited.  If you have received this message in error, please
notify the sender immediately by return e-mail and delete the
message and any attachments.  Thank you.
