In order to get full management of a Windows 7 environment, or to take advantage of the new features in Active Directory Domain Services like Applocker or the AD Recycle Bin, you need to upgrade the functional level of the forest and domain to Server 2008 R2.

There are a few upgrade paths available – it is possible to perform an in-place upgrade of Windows Server to Server 2008 R2, but you need to verify that the path you have planned is supported. Here’s a list of supported in-place upgrade paths. However, performing a live upgrade of a domain controller is a gutsy move, so a side-by-side migration is the less dangerous (and recommended) path.

(more…)

In Part 1 we extended the forest and domain schema in preparation for the first 2008 R2-based DC, and now in Part 2 we’ll create and fire up the new DC.

The big question was whether to create a virtualized domain controller or not. There are obvious concerns with going down this path in terms of redundancy and reliability, and particularly if the underlying hypervisor is a member of the domain, but after reading this article by Virtual PC Guy Ben Armstrong, I’m quite comfortable in taking this approach. With suitable precautions, of course.

(more…)

OK – please forgive the rather large gap between Part 2 and 3 of this series. There are many conflicting reasons for the time blow-out but the biggest one was that I didn’t want to write this last bit until I’d actually gone through and completed the project in a live environment and verified it to be 100% successful. Yes that’s right – the methodologies I’ve documented weren’t just extracted from a sterile lab environment, but from a live production environment with real users and servers. But before I could get to the point at which I could raise the forest functional level, there were various sub-projects which cropped up – new domain controllers (all virtual – see Part 2), new Hyper-V hosts, network time considerations, WAN reconfiguration, DNS changes and so on.

The actual process of raising the functional level is pretty straightforward – a couple of clicks and you’re done. However, every domain controller has to be able to support the new level, so that means taking existing DCs based on earlier versions of Windows Server out of commission. They can still stick around as member servers, but you have to use DCPROMO to revoke their role as DCs. In my case, the last DC (which was Server 2008 Standard) happened to be the first DC of a new domain, so that meant it also took the FSMO roles for the domain (Flexible Single Master Operations) which are still part of Active Directory Domain Services. These do not get transferred automatically so this must be done manually.

(more…)