Monday, June 13, 2011

Windows Active Directory Migration from Windows 2000 to Windows 2008



Current Hardware: Hardware: Intel Pentium III Processor, 767.52 MB RAM (.7 GB), 2x16 GB HDD

Current Roles on these Servers:
·         Active Directory
·         DNS for the Domain environment

Tasks:
·         Extend the Schema master (Active Directory) so that Windows 2008 can be a member server
  1. Copy adprep32.exe from Windows 2008 DVD to d:\adprep directory on the Windows 2000 DC's
  2. Login to All Domain Controllers one at a time and run the following steps. This will prepare Active Directory Schema for Windows 2008 R2
  3. adprep32.exe  /forestprep
  4. adprep32.exe  /domainprep

Screen Output for adprep
ADPREP WARNING:
Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.
[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to DCTEST






Note: Schema update from sch17(windows 2000) to sch 47 for Windows 2008 R2 & 44 for Windows 2008
For windows 2000 we might get error msgs


To resolve the issue - http://support.microsoft.com/kb/329194
·  Create the Schema Update Allowed DWORD value in the following registry key, and then set the value to  1:
HKEY LOCAL MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
216060  Registry Modification Required to Allow Write Operations to Schema
·  Create and run the Ipsec_acl_fix.vbs script. To do so:


a.                 Option Explicit
b.                  
c.                 '**************************************************
d.                 '* ADS_RIGHTS_ENUM
e.                 '**************************************************
f.                 Const ADS_RIGHT_DS_READ_PROP = &H10&
g.                 const ADS_RIGHT_DS_LIST = &H4&
h.                 Const ADS_RIGHT_DS_LIST_OBJECT = &H80&
i.                 Const READ_CONTROL = &H20000&
j.                 Const ADS_RIGHT_DS_WRITE_PROP  = &H20&
k.                 Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100&
l.                 Const ADS_RIGHT_DS_CREATE_CHILD =&H1&
m.                 Const ADS_RIGHT_DS_DELETE_CHILD = &H2&
n.                 Const WRITE_OWNER = &H80000&
o.                 Const WRITE_DAC = &H40000&
p.                 Const DELETE = &H10000&
q.                 Const ADS_RIGHT_DS_DELETE_TREE = &H40&
r.                 Const ADS_RIGHT_DS_SELF = &H8&
s.                  
t.                 '**************************************************
u.                 '* ADS_ACETYPE_ENUM
v.                 '**************************************************
w.                  
x.                 Const ADS_ACETYPE_ACCESS_ALLOWED = &H0&
y.                  
z.                 '**************************************************
aa.             '* ADS_ACEFLAGS_ENUM
bb.             '**************************************************
cc.              
dd.             Const CONTAINER_INHERIT_ACE = &H2&
ee.             Const OBJECT_INHERIT_ACE = &H1&
ff.              
gg.             Const ADS_ACEFLAG_INHERIT_ACE = &H2&
hh.              
ii.             '**************************************************
jj.             '* Check if a "IP Security" container exists and correct the
kk.             '* Acls for the container
ll.             '* 0 -> container exists, Success
mm.             '* 1 -> container doesn't Exist
nn.             '* 2 -> other failures
oo.             '*
pp.             '**************************************************
qq.             Function FixupIpsecContainerAcls(InputDomainDN, DomainShortName)
rr.              
ss.                     Dim x, deletedAce, Dacl, hResult, ace1, RemoveFlags, sd, ace
tt.                    
uu.                     hResult = 0
vv.              
ww.                     Set x = GetObject( "LDAP://cn=IP Security,cn=system," & InputDomainDN)
xx.                     if Err.Number <> 0 Then
yy.                            MsgBox "Container cn=IP Security,cn=system," & InputDomainDN & "does not exist"& " Error :" & Err.Number, vbCritical
zz.                            hResult = 1
aaa.                 End If
bbb.          
ccc.                 Set sd = x.Get("nTSecurityDescriptor")
ddd.                 if Err.Number <> 0 Then
eee.                        MsgBox "Could not get nTSecurityDescriptor for cn=IP Security,cn=system," & InputDomainDN & " Error :" & Err.Number, vbCritical
fff.                        hResult = 2
ggg.                 End If
hhh.          
iii.                 deletedAce = FALSE
jjj.          
kkk.                 Set Dacl = sd.DiscretionaryAcl
lll.          
mmm.                 For Each ace In Dacl
nnn.                        If(ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
ooo.                                if (ace.AceFlags = 0) Then
ppp.                                        if(ace.Trustee = "NT AUTHORITY\Authenticated Users") Then
qqq.                                               RemoveFlags = 0
rrr.                                               RemoveFlags = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_LIST Or ADS_RIGHT_DS_LIST_OBJECT Or READ_CONTROL
sss.                                               If (ace.AccessMask AND RemoveFlags) <> 0 Then
ttt.                                                       Dacl.RemoveAce ace
uuu.                                                       deletedAce = TRUE
vvv.                                               End If 
www.                                        End If
xxx.                                End If
yyy.                        End If
zzz.                 Next
aaaa.            
bbbb.             if deletedAce = FALSE Then
cccc.                    MsgBox "ACE to remove rights for Authenticated users was not found or was changed from the default installation", vbExclamation
dddd.             End If
eeee.      
ffff.             set ace1 = CreateObject("AccessControlEntry")
gggg.      
hhhh.             ace1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
iiii.             ace1.AceFlags = CONTAINER_INHERIT_ACE OR OBJECT_INHERIT_ACE
jjjj.             ace1.AccessMask = ADS_RIGHT_DS_READ_PROP OR ADS_RIGHT_DS_LIST OR ADS_RIGHT_DS_LIST_OBJECT OR READ_CONTROL
kkkk.             ace1.Trustee = DomainShortName &"\Domain Computers"
llll.      
mmmm.             Dacl.AddAce ace1
nnnn.             sd.DiscretionaryAcl = Dacl
oooo.      
pppp.             x.Put "nTSecurityDescriptor", Array(sd)
qqqq.             x.SetInfo
rrrr.             if Err.Number <> 0 Then
ssss.                    MsgBox "There was an Error Adding ACls for cn=IP Security"& " Error :" & Err.Number, vbCritical
tttt.                    hResult = 2
uuuu.             End If
vvvv.      
wwww.             FixupIpsecContainerAcls = hResult
xxxx.      
yyyy.     End Function
zzzz.      
aaaaa.  
bbbbb. '**************************************************
ccccc. '* Clear the ACLs for all the IPSec objects so that
ddddd. '* they inherit Acls from their container.
eeeee. '*
fffff. '* 0 -> container exists, Success
ggggg. '* 1 -> other failures
hhhhh. '*
iiiii. '**************************************************
jjjjj. Function ClearIpsecObjectAcls(InputDomainDN)
kkkkk.  
lllll.         Dim ZeroAcl, obj(22), i
mmmmm.  
nnnnn.         set ZeroAcl = CreateObject("AccessControlList")
ooooo.        
ppppp.         obj(0) ="LDAP://cn=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
qqqqq.         obj(1) ="LDAP://cn=ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
rrrrr.         obj(2) ="LDAP://cn=ipsecNFA{72385232-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
sssss.         obj(3) ="LDAP://cn=ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
ttttt.         obj(4) ="LDAP://cn=ipsecNFA{594272E2-071D-11D3-AD22-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
uuuuu.         obj(5) ="LDAP://cn=ipsecNFA{6A1F5C6F-72B7-11D2-ACF0-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
vvvvv.         obj(6) ="LDAP://cn=ipsecPolicy{72385236-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
wwwww.         obj(7) ="LDAP://cn=ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
xxxxx.         obj(8) ="LDAP://cn=ipsecNFA{59319C04-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
yyyyy.         obj(9) ="LDAP://cn=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
zzzzz.         obj(10) ="LDAP://cn=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
aaaaaa.                                    obj(11) ="LDAP://cn=ipsecNFA{7238523E-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
bbbbbb.                                    obj(12) ="LDAP://cn=ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
cccccc.                                    obj(13) ="LDAP://cn=ipsecNFA{594272FD-071D-11D3-AD22-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
dddddd.                                    obj(14) ="LDAP://cn=ipsecNegotiationPolicy{59319BDF-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
eeeeee.                                    obj(15) ="LDAP://cn=ipsecNegotiationPolicy{59319BF0-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
ffffff.                                    obj(16) ="LDAP://cn=ipsecNegotiationPolicy{59319C01-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
gggggg.                                    obj(17) ="LDAP://cn=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
hhhhhh.                                    obj(18) ="LDAP://cn=ipsecNegotiationPolicy{7238523F-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
iiiiii.                                    obj(19) ="LDAP://cn=ipsecNegotiationPolicy{7238523B-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
jjjjjj.                                    obj(20) ="LDAP://cn=ipsecFilter{7238523A-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
kkkkkk.                                    obj(21) ="LDAP://cn=ipsecFilter{72385235-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
llllll.                                   
mmmmmm.                                    for i=0 To 21
nnnnnn.                                           Dim x, hResult, sd, ace
oooooo.                             
pppppp.                                           hResult = 0
qqqqqq.                                          
rrrrrr.                                           set x = GetObject(obj(i))
ssssss.                                           if Err.Number = 0 Then
tttttt.                                                   Set sd = x.Get("nTSecurityDescriptor")
uuuuuu.                                                   if Err.Number <> 0 Then
vvvvvv.                                                           MsgBox "nTSecurityDescriptor could not be retrieved from " & obj(i) & " Error :" & Err.Number, vbCritical
wwwwww.                                                           hResult = 1
xxxxxx.                                                   End If
yyyyyy.                                   
zzzzzz.                                                   set ZeroAcl = sd.DiscretionaryAcl
aaaaaaa.                                               For Each ace In ZeroAcl
bbbbbbb.                                                       ZeroAcl.RemoveAce ace
ccccccc.                                               Next
ddddddd.                                               sd.DiscretionaryAcl = ZeroAcl
eeeeeee.                                               x.Put "nTSecurityDescriptor", Array(sd)
fffffff.                                               x.SetInfo
ggggggg.                                               if Err.Number <> 0 Then
hhhhhhh.                                                       MsgBox "Error setting Acls for " & obj(i) & " Error :" & Err.Number, vbCritical
iiiiiii.                                                       hResult = 1
jjjjjjj.                                               End If 
kkkkkkk.                                       End If
lllllll.                                Next
mmmmmmm.                         
nnnnnnn.                                ClearIpsecObjectAcls = hResult
ooooooo.                         
ppppppp.                        End Function
qqqqqqq.                         
rrrrrrr.                        Function FixupSchemaObjectAcls(InputDomainDN)
sssssss.                         
ttttttt.                                Dim ZeroAcl, obj(6), i, container, deletedDAAce, deletedSYAce, RemoveFlags, deletedAUAce, hResult
uuuuuuu.                               
vvvvvvv.                                hResult = 0
wwwwwww.                         
xxxxxxx.                                set ZeroAcl = CreateObject("AccessControlList")
yyyyyyy.                         
zzzzzzz.                                container = "CN=Schema, CN=Configuration," & InputDomainDN
aaaaaaaa.                            obj(0) ="LDAP://cn=Ipsec-Base," & container
bbbbbbbb.                            obj(1) ="LDAP://cn=Ipsec-Filter," & container
cccccccc.                            obj(2) ="LDAP://cn=Ipsec-ISAKMP-Policy," & container
dddddddd.                            obj(3) ="LDAP://cn=Ipsec-Negotiation-Policy," & container
eeeeeeee.                            obj(4) ="LDAP://cn=Ipsec-NFA," & container
ffffffff.                            obj(5) ="LDAP://cn=Ipsec-Policy," & container
gggggggg.                           
hhhhhhhh.                            for i = 0 To 5
iiiiiiii.                     
jjjjjjjj.                                   Dim x, sd
kkkkkkkk.                     
llllllll.                                   Set x = GetObject( obj(i) )
mmmmmmmm.                                   if Err.Number <> 0 Then
nnnnnnnn.                                           MsgBox obj(i) & "does not exist"& " Error :" & Err.Number, vbCritical
oooooooo.                                           hResult = 1
pppppppp.                                   Else
qqqqqqqq.                                           sd = x.Get("defaultSecurityDescriptor")
rrrrrrrr.                                           x.Put "defaultSecurityDescriptor", "D:"
ssssssss.                                           x.SetInfo
tttttttt.                                           if Err.Number <> 0 Then
uuuuuuuu.                                                   MsgBox "Error setting defaultsecurityDescriptor for " & obj(i) & " Error :" & Err.Number, vbCritical
vvvvvvvv.                                                   hResult = 1
wwwwwwww.                                           End If 
xxxxxxxx.                                   End If
yyyyyyyy.                            Next
zzzzzzzz.                           
aaaaaaaaa.                        FixupSchemaObjectAcls = hResult
bbbbbbbbb.                 
ccccccccc.                End Function
ddddddddd.                 
eeeeeeeee.                Function IsSchemaUpdateAllowed()
fffffffff.                 
ggggggggg.                        Dim WshShell, bKey
hhhhhhhhh.                 
iiiiiiiii.                        Set WshShell = WScript.CreateObject("WScript.Shell")
jjjjjjjjj.                        bKey = WshShell.RegRead("HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed")
kkkkkkkkk.                 
lllllllll.                        IsSchemaUpdateAllowed = bKey
mmmmmmmmm.                 
nnnnnnnnn.                End Function
ooooooooo.                 
ppppppppp.                '**************************************************
qqqqqqqqq.                '* MAIN
rrrrrrrrr.                '**************************************************
sssssssss.                 
ttttttttt.                        Dim Info
uuuuuuuuu.                        Dim dnsName, domainDN
vvvvvvvvv.                        Dim regOk, retVal1, retVal2, retVal3
wwwwwwwww.                 
xxxxxxxxx.                        MsgBox "This script attempts to correct the ACLs of IP Security related objects and schema in Active Directory. For this, it needs Schema changes be allowed through a registry Key."& vbcrlf & "Please read Q<KB #> and Q216060 for more details."
yyyyyyyyy.                 
zzzzzzzzz.                        regOk = IsSchemaUpdateAllowed()
aaaaaaaaaa.                    if regOk <> 1 Then
bbbbbbbbbb.                           MsgBox "The registry key to allow schema updates is not set. Please read Q216060 for more information." & vbcrlf & "The Script will stop processing. The ACL corrections have not been made.", vbExclamation
cccccccccc.                    Else
dddddddddd.                            Set Info = CreateObject("AdSystemInfo")
eeeeeeeeee.                           dnsName = Info.DomainDNSName
ffffffffff.                           domainDN = Replace(dnsName, ".", ",dc=")
gggggggggg.                           domainDN = "dc=" & domainDN
hhhhhhhhhh.             
iiiiiiiiii.                           retVal1 = FixupIpsecContainerAcls(domainDN, Info.DomainShortName)
jjjjjjjjjj.             
kkkkkkkkkk.                           retVal2 = ClearIpsecObjectAcls(domainDN)
llllllllll.             
mmmmmmmmmm.                           retVal3 = FixupSchemaObjectAcls(domainDN)
nnnnnnnnnn.             
oooooooooo.                           If retVal1 = 0 And retVal2 = 0 And retVal3 = 0 Then  
pppppppppp.                                   MsgBox "The ACL corrections for IPSec Objects on domain " & Info.DomainShortName & " Completed successfully." & vbcrlf & "You may now reset/delete the registry key that allows schema updates per Q216060"
qqqqqqqqqq.                           Else
rrrrrrrrrr.                                   MsgBox "The ACL corrections for IPSec Objects on domain " & Info.DomainShortName & " Completed with some errors" & vbcrlf & "If you are not going to retry the operation, you may reset/delete the registry key that allows schema updates per Q216060"
ssssssssss.                           End If
tttttttttt.                         End If
uuuuuuuuuu.      On the File menu, click Save, click All Files in the Save as type box, type ipsec_acl_fix.vbs in the File name box, specify a location where you want to save the file, and then click Save.
vvvvvvvvvv.                  Quite Notepad.
wwwwwwwwww.                      Run the Ipsec_acl_fix.vbs script from a command prompt.
                        Delete the Schema Update Allowed registry value that you created in step 1.
Note You can also use this procedure to modify the permissions of the IPSec policy of a Windows Server 2003 domain that you upgraded from Windows 2000, in the situation where the permissions of policy objects were not modified during the upgrade operation.


After the above script run the adprep /forestprep it should come up without any errors.




·         Install new Windows 2008 Server and join to our Production Domain Controller as Member Server
·         Transfer the Active Directory & DNS role to the new Windows 2008 Server and bring the new Windows 2008 server as one of the new Directory server.
·         Once we checked & confirmed that the new Domain controller server is good we can start the other server.
·         Back out plan – if the server didn’t work as we expected, bring down the server. There is no impact/outage to any of the services as we have two domain controllers and we are migrating only one Domain controller at a time.
·         Once the new domain controller is migrated all the users will be authenticated via Windows 2008



No comments:

Post a Comment