Problems You Will Encounter When Migrating Your Active Directory 2003 Environment to 2008

I had been looking for this for a long time and wanted to share it with you; there is really very important information here.

1.       Compatibility issues you should address before beginning the upgrade

a. – No LM Hash

b. – NT 4.0 domains

c. – SMB Signing

d. – Known GPO issues with Win2K8/Vista

e. – RODC Client Pack

f. KB968614 – Outlook 2003 hotfix

g. – Issue with OCS 2007 or LCS 2005

h. – You cannot locally configure or locally delete the application partitions that are created for IP telephony after you upgrade from Windows Server 2003 to Windows Server 2008  

i. – Description of the Microsoft server applications that are supported on Windows Server 2008

j.        Browse list fails.  If dependent on browse list, then set browser service to auto on PDCe and one DC per segment.

k.       DFS site costed referrals are enabled on W2K8 DCs.  This is a good change, but may result in W2K8 providing referrals in a different order than W2K3 DCs which have this feature disabled by default

l.         LmCompatibilityLevel increased to 3. See

m.    NullSessionPipes list is shorter. See the Threats and Countermeasures guide

n.      NullSessionShares has been removed.  See the Threats and Countermeasures guide

o.      NSPI connections limited to 50 per user.

p.      DES crypto disabled on R2.  See TechNet doc above and the following.
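
Items a, c, l, m and n all concern registry-backed settings, so one way to see what changes is to capture them on a W2K3 DC before the upgrade and on a W2K8 DC afterwards and compare. The read-only script below is an added example, not part of the original checklist; the function name `Get-DcCompatSetting` is hypothetical, and it is written to run on PowerShell 2.0.

```powershell
# Added example: read-only snapshot of the settings behind items a, c, l, m, n.
# Run locally on each DC and compare the outputs. Nothing is modified.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$checks = @(
    @{ Item = 'a'; Path = $lsa;    Name = 'NoLMHash' },
    @{ Item = 'c'; Path = $server; Name = 'RequireSecuritySignature' },
    @{ Item = 'c'; Path = $server; Name = 'EnableSecuritySignature' },
    @{ Item = 'l'; Path = $lsa;    Name = 'LmCompatibilityLevel' },
    @{ Item = 'm'; Path = $server; Name = 'NullSessionPipes' },
    @{ Item = 'n'; Path = $server; Name = 'NullSessionShares' }
)

function Get-DcCompatSetting {   # hypothetical helper name
    foreach ($c in $checks) {
        $key  = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $prop = if ($key) { $key.PSObject.Properties[$c.Name] }
        if ($prop) {
            # REG_MULTI_SZ values (the null session lists) come back as string arrays
            $value = @($prop.Value) -join ', '
            if ($value -eq '') { $value = '<empty>' }
        } else {
            # No explicit value stored: the OS built-in default applies
            $value = '<not set>'
        }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Item     = $c.Item
            Setting  = $c.Name
            Value    = $value
        }
    }
}

Get-DcCompatSetting |
    Select-Object Computer, Item, Setting, Value |
    Format-Table -AutoSize
```

A value pushed by Group Policy shows up here as well, so a difference between two DCs can come from either the OS default or the policy that applies to them.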


2.       Fixes you should have downloaded in advance

a.       Might as well integrate SP2 into your install process

b.      If you use devolution to resolve single-label or non-qualified DNS names, get KB957579 and integrate into build process

c.       KB949189 if Japanese Language Locale will be used on W2K8 DCs

d.      Download 948690 if EFS encrypted files exist on W2K3 computers being in-place upgraded to W2K8

e.      If using GPP, download KB943729

g.       Slipstream all fixes into build process where possible / practical.

h.      Have you ever auth restored your domain KRBTGT account?  If so, 

3.       ADPREP /FORESTPREP failures include

a.       Insufficient credentials used to run forestprep

b.      Schema FSMO not assigned to live DC or hasn’t inbound replicated since last boot

c.       Antivirus agent creates locks on LDIF files resulting in error “the callback function failed”

d.      Running incorrect version of ADPREP

e.      Schema conflicts including conflicting ldapdisplay names, linkids, oids, Dn paths, attribute syntax, missing “may contains” attributes (KB969307)

4.       RODCPREP failures include

a.       Infrastructure masters not assigned to live DC. See MSKB 949257

5.       DOMAINPREP /GPPREP fails because

a.       Infrastructure master assigned to offline or deleted NTDSA

b.      Insufficient credentials used

c.       Error “callback function failed” = sysvol not shared, default policy missing or missing default GUID or problem with reparse point
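
Several of the failures in sections 3 to 5 come down to a FSMO role that is assigned to a DC that is offline or deleted. The read-only pre-flight below is an added example, not part of the original checklist: it resolves the schema master and each domain's infrastructure master through the .NET `System.DirectoryServices.ActiveDirectory` classes and checks that the owner answers on TCP 389. The function names are hypothetical, and it covers domain partitions only and does not test replication state.

```powershell
# Added example: FSMO pre-flight before ADPREP / RODCPREP. Read-only.
# Run from a domain-joined machine with PowerShell 2.0 and .NET 2.0 or later.
function Test-LdapPort([string]$HostName, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 389, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)      # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-RoleStatus([string]$Role, [string]$NeededBy, [scriptblock]$GetOwner) {
    $owner = $null
    try {
        # Reading the role owner throws when the role points at a deleted NTDSA
        $owner  = (& $GetOwner).Name
        $status = if (Test-LdapPort $owner) { 'OK' } else { 'owner not answering on TCP 389' }
    } catch {
        $status = "cannot resolve owner: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        Role = $Role; NeededBy = $NeededBy; Owner = $owner; Status = $status
    }
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$report = @(Get-RoleStatus 'Schema master' 'ADPREP /FORESTPREP' { $forest.SchemaRoleOwner })
foreach ($domain in $forest.Domains) {
    $report += Get-RoleStatus "Infrastructure master ($($domain.Name))" `
        'DOMAINPREP, RODCPREP' { $domain.InfrastructureRoleOwner }
}

$report | Select-Object Role, NeededBy, Owner, Status | Format-Table -AutoSize
```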

6.       DCPROMO

a.       Lots of customers are not correctly configuring AllowNT4Crypto in DCpromo. There are 100+ cases where domain join or user logon or trust create or trust use is failing. See KB942564

b.      DCPROMO incorrectly detects that IPv6 configured with dynamic IP. Resolved by SP2, otherwise, ignore error

c.       DNS Delegation warning

d.      Option to install DNS Server role grayed out if DNS server role already installed.

e.      If Japanese Language locale used, install the fix before allowing 1st reboot after DCPROMO with connectivity to replica DCs

7.       RODCPROMO

a.       Option to install RODCs only enabled if FFL = W2K3 or higher

b.      Cannot make the first W2K8 DC in a domain an RODC

8.       Post upgrade

a.       For RODCs

                                                         i.            Get 953392 on all W2K8 writable DCs.

                                                       ii.            Install RODC compatibility pack (MSKB 944043 ) on relevant OS versions in environment

                                                      iii.            The DNS Server service on an RODC does not respond to DNS queries for several minutes if the link to some RWDCs breaks in Windows Server 2008. KB981370

b.      For DNS Servers

                                                         i.            For all W2K8 DNS Servers hosting secondary copies of DNS zones, make sure that 953317 installed to avoid the zone transfer delete bug

                                                       ii.            EDNS (RFC 2671) is turned on for W2K8 R2 DNS servers.  Review the following KBs for examples of compatibility issues. KB828263 KB977158 KB832223

               c.    For DCs running on Hyper-V & VMware,

                                                         i.            Install a UPS

                                                       ii.            Brief all admins on the risks of USN rollbacks caused by restoring snapshots on DC role guests. Review

                                                      iii.            P2V conversions should be done in offline mode. If converting multiple DCs in the same forest, then all need to be offline at the same time.

               d.    Disaster Avoidance & Recovery

                                                         i.            Enable delete protection on OU containers

                                                       ii.            Enable system state backups

                                                      iii.            If using 3rd party backup, test system state restores + alternate backup like Windows Server backup so that PSS can restore when 3rd party product fails to restore

               e.    Admin stuff

                                                         i.            Execute 948690 if EFS on W2K3 computer upgraded to W2K8

                                                       ii.            If using GPP, install 943729

                                                     iv.            Get W2K8 Admin tools for Vista clients: 941314 – Description of Windows Server 2008 Remote Server Administration Tools for Windows Vista Service Pack 1

               f. For Recycle bin

                                         i. With Identity Lifecycle Manager (ILM), including Feature Pack 1 (FP1), the Management Agent for Active Directory is not supported with the Recycle Bin feature.  KB2018683