Tag Archives: Windows 2003

Bye Bye!! Windows Server 2003

Extended support for Microsoft Windows Server 2003 ends on July 14th, 2015. Microsoft ended mainstream support in July 2010. It has been 5 years since then, but a lot of organizations still use Windows Server 2003 in their operations. If that is the case for your organization, it is not too late to build a migration plan. This post will help you determine why you need to upgrade and how to plan the migration properly.

Why *%4#@*!?

If your organization is still running smooth operations on Windows Server 2003 infrastructure, “Why should we migrate?” is the question everyone will ask when you submit your migration plan, because migration still costs your organization $$$. This is one of the major reasons Windows Server 2003 is still in operation. Especially in non-IT businesses it is very difficult to justify the benefits over the cost, as IT operations get a lower budget allocation. Apart from that, one common question I get in presentations is “Is Windows Server 2003 bad?” The answer to that question is straightforward: NO!!!! Windows Server 2003 was a perfect product, but for its era. In 2003 people were not talking about “Cloud Computing”, and people were not using “Virtualization” much in operations. “SaaS (Software as a Service)” and “IaaS (Infrastructure as a Service)” were still new terms to the industry. “Security” concerns were relatively low compared with modern computing. So it was a perfect product for “That” time but not for “This” time.

What will happen if we do not upgrade?

No Updates – Back in the early 2000s we got operating system updates rarely, but nowadays it is almost daily. That is because new threats are found every day and these patches fix those security holes in your infrastructure; they also include enhancements and bug fixes for existing services and applications. So updates are crucial these days. No updates for Windows Server 2003 means Microsoft will not test or monitor Windows Server 2003 against new threats and will not invest in enhancing its services or applications.

No Support – You will not be able to call Microsoft support lines regarding Windows Server 2003 issues any more. Even if it is a critical operational outage, you will need to fix issues on your own or hire consultants or engineers to help. So it increases IT operation cost anyway.

No Compliance – Businesses that handle regulated data such as PCI (payment card industry) data may become non-compliant, which can result in being cut off from trading partners, because they need to keep to the compliance standards to keep their systems protected.

No Application Support – Lots of software companies have already released applications that are not supported on Windows Server 2003 anymore, so soon you will not get the benefits of those new versions due to compatibility issues. Most software providers also end support for older versions of their applications to reduce lengthy support cycles. So running an unsupported application in operations adds risk.

No compatibility with Modern day computing – Microsoft Azure is one of the best examples of this. You can’t re-host Windows Server 2003 32-bit images in the Azure environment, but the majority of Windows Server 2003 installations are 32-bit. Also, in a hybrid-cloud infrastructure it will be very difficult to integrate with modern applications and services compared to infrastructures that run Windows Server 2008 or 2012. The upcoming Windows Server 2016 will also not support Windows Server 2003 functional levels.

Why Windows Server 2012 R2?

Well, if you are migrating, unless you have a critical reason you should not migrate to Windows Server 2008 or 2008 R2. Windows Server 2016 is already at Technical Preview 2, and if you plan for the long term you should definitely go to Windows Server 2012 R2.

Windows Server 2012 R2 delivers significant value around the following seven key capabilities:

1.    Server virtualization. Windows Server 2012 R2 is a virtualization platform that has helped organizations of all sizes realize considerable cost savings and operational efficiencies. With industry leading size and scale, Hyper-V is the platform of choice for you to run your mission critical workloads. Hyper-V in Windows Server 2012 R2 greatly expands support for host processors and memory. Using Windows Server 2012 R2, you can take advantage of new hardware technology, while still utilizing the servers you already have. This way you can virtualize today, and be ready for the future.

2.    Storage. Windows Server 2012 R2 was designed with a strong focus on storage, from the foundation of the storage stack up, with improvements ranging from provisioning storage to how data is clustered, transferred across the network, and ultimately accessed and managed. Windows Server 2012 R2 offers a wide variety of high-performance, highly available storage features and capabilities, while taking advantage of industry-standard hardware for dramatically lower cost.

3.    Networking. Windows Server 2012 R2 makes it as straightforward to manage an entire network as a single server, giving you the reliability and scalability of multiple servers at a lower cost. Automatic rerouting around storage, server, and network failures enables file services to remain online with minimal noticeable downtime. What’s more, Windows Server 2012 R2 – together with System Center 2012 R2 – provides an end-to-end Software Defined Networking solution across public, private, and hybrid cloud implementations.

4.    Server management and automation. Windows Server 2012 R2 enables IT professionals to meet the need for fast, continuous and reliable service within their datacenters by offering an integrated platform to automate and manage the increasing datacenter ecosystem. Windows Server 2012 R2 delivers capabilities to manage and automate many servers and the devices connecting them, whether they are physical or virtual, on-premises or off, and using standards-based technologies.

5.    Web and application platform. Windows Server 2012 R2 builds on the tradition of the Windows Server family as a proven application platform, with thousands of applications already built and deployed and a community of millions of knowledgeable and skilled developers already in place. Windows Server 2012 R2 can offer your organization even greater application flexibility. You can build and deploy applications either on-premises or in the cloud—or both at once, with hybrid solutions that work in both environments.

6.    Access and information protection. With the new capabilities in Windows Server 2012 R2, you will be able to better manage and protect data access, simplify deployment and management of your identity infrastructure on-premises and across clouds, and provide your users with more secure remote access to applications data from virtually anywhere and any device.

7.    Virtual desktop infrastructure. With Windows Server 2012 R2, Microsoft is making it even easier to deploy and deliver virtual resources across workers’ devices. VDI technologies in Windows Server 2012 R2 offer easy access to a rich, full-fidelity Windows environment running in the datacenter, from virtually any device. Through Hyper-V and Remote Desktop Services, Microsoft offers three flexible VDI deployment options in a single solution: Pooled Desktops, Personal Desktops, and Remote Desktop Sessions (formerly Terminal Services).

On your mark, get set, go!!!!

Microsoft recommends a 4-step plan for migration.

Discover – Before migration it is important to evaluate the currently running systems and make a proper inventory of them. You need to identify the server roles you need to migrate. It is also important to check how you can migrate the currently running applications and services, for example a CMS, billing system, websites, etc. Some of these applications, especially custom-made applications, may require upgrades or support from the vendor to migrate to the new system. In this stage it is also important to evaluate the hardware upgrades or new implementations that will be required.
You can use the Microsoft Assessment and Planning Toolkit to inventory and assess the current infrastructure setup.

Assess – In this stage we need to categorize the applications, roles and workloads based on type, importance and complexity. We need to evaluate the risks and concerns involved with the migration, for example operation downtime, impact on sales, license costs, software upgrade costs, manpower, etc.

Target – In this step we need to decide the migration destination for each application or service. It can be in the same network, a datacenter facility, Azure or a hybrid-cloud setup. For example, if the company uses Exchange email services we can migrate that role to Office 365. The following links will be helpful in deciding the target.

Office365 Trial

Windows server 2012 R2 Trial

Microsoft Azure one-month Trial

Migrate – This is where the action begins. Based on the outcome of the previous steps, it is time to start the actual migration. Below you can find some of the articles I wrote about role migration. You can also get further training on Windows Server 2012 here.

Step-By-Step: Migrating Windows Server 2003 FSMO Roles To Windows Server 2012 R2

Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2

Step-By-Step: Migrating DHCP From Windows Server 2003 to 2012 R2

Step-by-Step Guide for upgrading SYSVOL replication to DFSR (Distributed File System Replication)

SYSVOL is a folder shared by each domain controller to hold logon scripts, group policies and other items related to AD. All the domain controllers in the network replicate the content of the SYSVOL folder. The default path for the SYSVOL folder is %SystemRoot%\SYSVOL. This folder path can be defined when you install Active Directory.

Windows Server 2003 and 2003 R2 use File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers, but Windows Server 2008 and later use Distributed File System Replication (DFSR). DFSR is more efficient than FRS. Since Windows Server 2003 is going out of support, most people have already migrated or are still looking to migrate to the latest versions. However, migrating FSMO roles WILL NOT migrate SYSVOL replication from FRS to DFSR. Most engineers forget about this step when they migrate from Windows Server 2003 to newer versions.

For FRS to DFSR migration we use the Dfsrmig.exe utility. More information about it is available at https://technet.microsoft.com/en-au/library/dd641227(v=ws.10).aspx

For the demo I am using a Windows Server 2012 R2 server, and I have already migrated the FSMO roles from a Windows Server 2003 R2 server.

In order to proceed with the migration, the forest function level must be set to Windows Server 2008 or later. So if your organization has not done this yet, the first step is to get the forest and domain function levels updated.

You can verify whether the system uses FRS with dfsrmig /getglobalstate. To do this:

1)    Log in to the domain controller as Domain Admin or Enterprise Admin
2)    Launch a PowerShell console and type dfsrmig /getglobalstate. The output explains that DFSR migration has not been initiated yet.

Before moving on to the configuration, we need to look at the stages of the migration.

There are four stable states that go along with the four migration phases.

1)    State 0 – Start
2)    State 1 – Prepared
3)    State 2 – Redirected
4)    State 3 – Eliminated

State 0 – Start

In this state, FRS replicates the SYSVOL folder among the domain controllers. It is important to have an up-to-date copy of SYSVOL before beginning the migration process, to avoid any conflicts.

State 1 – Prepared

In this state, while FRS continues replicating the SYSVOL folder, DFSR replicates a copy of the SYSVOL folder. It is located in %SystemRoot%\SYSVOL_DFSR by default. This copy of SYSVOL does not respond to SYSVOL service requests from other domain controllers.

State 2 – Redirected

In this state the DFSR copy of SYSVOL starts to respond to SYSVOL service requests. FRS continues replicating its own SYSVOL copy but is not involved in production SYSVOL replication.

State 3 – Eliminated

In this state, DFS Replication continues its replication and keeps servicing SYSVOL requests. Windows deletes the original SYSVOL folder used by FRS replication and stops FRS replication.

In order to migrate from FRS to DFSR, it is a must to go from State 1 to State 3.

Let’s look in to the migration steps.

Prepared State

1.    Log in to the domain controller as Domain Admin or Enterprise Admin
2.    Launch a PowerShell console
3.    Type dfsrmig /setglobalstate 1 and press Enter
4.    Type dfsrmig /getmigrationstate to confirm that all domain controllers have reached the Prepared state

Redirected State

1.    Log in to the domain controller as Domain Admin or Enterprise Admin
2.    Launch a PowerShell console
3.    Type dfsrmig /setglobalstate 2 and press Enter
4.    Type dfsrmig /getmigrationstate to confirm that all domain controllers have reached the Redirected state

Eliminated State

1.    Log in to the domain controller as Domain Admin or Enterprise Admin
2.    Launch a PowerShell console
3.    Type dfsrmig /setglobalstate 3 and press Enter
4.    Type dfsrmig /getmigrationstate to confirm that all domain controllers have reached the Eliminated state

This completes the migration process. To confirm the SYSVOL share, type the net share command and press Enter.

Also make sure that the FRS service is stopped and disabled on each domain controller.
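The three state changes above, scripted so that a state is only raised once dfsrmig reports every domain controller as consistent, followed by the final SYSVOL share and FRS service checks. This is an added example, not part of the original post; the function names are made up, and the text match assumes dfsrmig's English output.

```powershell
# Added example; not part of the original post. Run in an elevated PowerShell
# console on a domain controller as Domain Admin or Enterprise Admin.
# Assumption: dfsrmig prints its English messages; function names are made up.

function Test-DfsrMigrationConsistent {
    # True when dfsrmig reports that every DC has reached the global state.
    $out = & dfsrmig.exe /getmigrationstate | Out-String
    return ($out -match 'reached a consistent state on all')
}

function Step-SysvolMigration {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(1, 3)][int]$State,
        [int]$TimeoutMinutes = 120,
        [int]$PollSeconds = 60
    )
    # Never raise the global state while some DC still lags behind the
    # current one (before state 1 there is nothing to wait for).
    if ($State -gt 1 -and -not (Test-DfsrMigrationConsistent)) {
        throw "Not all DCs have reached the current global state; fix replication first."
    }

    & dfsrmig.exe /setglobalstate $State | Out-Host
    # Assumes dfsrmig returns a non-zero exit code on failure.
    if ($LASTEXITCODE -ne 0) { throw "dfsrmig /setglobalstate $State failed." }

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while (-not (Test-DfsrMigrationConsistent)) {
        if ((Get-Date) -gt $deadline) {
            & dfsrmig.exe /getmigrationstate | Out-Host   # shows the lagging DCs
            throw "Timed out waiting for all DCs to reach state $State."
        }
        Start-Sleep -Seconds $PollSeconds
    }
    Write-Host "All domain controllers reached state $State."
}

function Test-SysvolMigrationComplete {
    # After state 3: SYSVOL should be shared from the DFSR copy (SYSVOL_DFSR)
    # and the FRS service (NtFrs) should be stopped and disabled on this DC.
    $share = Get-WmiObject Win32_Share -Filter "Name='SYSVOL'"
    $frs   = Get-WmiObject Win32_Service -Filter "Name='NtFrs'"
    [pscustomobject]@{
        SysvolPath   = $share.Path
        SysvolOnDfsr = ($share.Path -like '*SYSVOL_DFSR*')
        FrsState     = $frs.State
        FrsStartMode = $frs.StartMode
        FrsRetired   = ($frs.State -eq 'Stopped' -and $frs.StartMode -eq 'Disabled')
    }
}

# Usage, one state at a time:
#   Step-SysvolMigration -State 1
#   Step-SysvolMigration -State 2
#   Step-SysvolMigration -State 3
#   Test-SysvolMigrationComplete     # repeat on each domain controller
```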

If you have any questions regarding the post, feel free to email me at rebeladm@live.com

STEP-BY-STEP GUIDE TO MIGRATE DHCP FROM WINDOWS SERVER 2003 TO WINDOWS SERVER 2012 R2

Microsoft has already announced that support for Windows Server 2003 / Windows Server 2003 R2 is coming to an end on 14th July 2015 (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO).

It is no wonder that organizations are still using Windows Server 2003 / Windows Server 2003 R2 in their infrastructure with different server roles. In the last few posts I have covered how we can migrate different server roles from Windows Server 2003 to the latest Windows Server 2012. This article is also part of the same series, and it explains how we can migrate the DHCP server role.

For the demonstration I am using the following setup:

Server Name: dhcp-2k3.canitpro.local
Operating System: Windows Server 2003 R2 Enterprise x86
Server Roles: DHCP
Networks: Network A – 10.10.10.0, Network B – 172.16.25.0, Network C – 192.168.148.0

Server Name: CANITPRO-DC2K12.canitpro.local
Operating System: Windows Server 2012 R2 x64

The dhcp-2k3.canitpro.local server is currently set up with 3 additional NICs to represent networks A, B and C. They are configured with static IP addresses matching the network each belongs to. The DHCP server hosts a different DHCP scope for each network.

Back up the DHCP configuration in Windows Server 2003 R2

1)    Log in to the Windows Server 2003 server as a member of the administrators group
2)    Load the DHCP server console: Start > Administrative Tools > DHCP
3)    Here we can see the configured DHCP scopes
4)    Now it is time to back up the configuration. To do that, open the command prompt using Start > Run, type cmd and press Enter
5)    Then type netsh dhcp server export C:\DHCPbk\dhcpbk.txt all and press Enter. Here C:\DHCPbk\dhcpbk.txt is the file path the backup will be saved to. It can be changed according to your requirements.
6)    Now move the file C:\DHCPbk\dhcpbk.txt to the CANITPRO-DC2K12.canitpro.local server, which will be configured as the new DHCP server (Windows Server 2012 R2)

Remove the DHCP role from Windows Server 2003 R2

Since we no longer need the DHCP role running on this server, we can go ahead and uninstall the DHCP service.

1)    Log in to the Windows Server 2003 server as a member of the administrators group
2)    Start > Control Panel > Add or Remove Programs
3)    Then click on “Add/Remove Windows Components”
4)    In the next window select “Networking Services” and click on Details
5)    In the next window de-select the DHCP option and click OK
6)    Then click Next to uninstall the DHCP service

This will uninstall the DHCP role from the Windows Server 2003 server.

Install the DHCP role on the Windows Server 2012 R2 server

1)    Log in to the Windows Server 2012 server as a member of the administrators group
2)    Open Server Manager > Add Roles and Features
3)    The wizard will open; click Next to continue
4)    For the installation type select “Role-based or feature-based installation” and click Next
5)    Keep the default selection on the server selection page and click Next to continue
6)    For the server roles select DHCP, and it will prompt you to add the relevant features. Click on “Add features” to add them and Next to continue
7)    For the features keep the defaults. Click Next to continue
8)    Then it will give a brief description of the DHCP server role; click Next to continue
9)    The next window gives the confirmation; click on Install to continue

This will install the DHCP server role on the new server.

Restore DHCP configuration

1)    Log in to the Windows Server 2012 server as a member of the administrators group
2)    Open the command prompt with Run > cmd
3)    Type netsh dhcp server import C:\DHCPbk\dhcpbk.txt all and press Enter. Here C:\DHCPbk\dhcpbk.txt is the backup file we copied from the Windows Server 2003 server.
4)    Go to Server Manager > Tools > DHCP
5)    Right click on the server name > All Tasks > Restart
6)    Once the restart is done, we can see all the scopes that were on the 2003 server.
7)    We still need to authorize the DHCP server. To do that, right click on the server name again and select Authorize

Now we have completed the restore process, and I can already see it issuing IP addresses.
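A check to run on the new server once the import, restart and authorization steps are done, as an added example that is not part of the original post. It uses the DhcpServer PowerShell module on Windows Server 2012 R2; the function name is made up and the default parameter values are the demo networks and old server name from the setup above.

```powershell
# Added example; not part of the original post. Run elevated on the new
# Windows Server 2012 R2 DHCP server after "netsh dhcp server import".
# Function name is made up; defaults are the demo values from the post.

Import-Module DhcpServer

function Test-DhcpMigration {
    param(
        [string[]]$ExpectedScopes = @('10.10.10.0', '172.16.25.0', '192.168.148.0'),
        [string]$OldServer = 'dhcp-2k3.canitpro.local'
    )
    $cs   = Get-WmiObject Win32_ComputerSystem
    $fqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain

    # Scopes restored by the import, compared with what the old server had.
    $scopes   = @(Get-DhcpServerv4Scope)
    $found    = @($scopes | ForEach-Object { $_.ScopeId.IPAddressToString })
    $missing  = @($ExpectedScopes | Where-Object { $found -notcontains $_ })
    $inactive = @($scopes | Where-Object { $_.State -ne 'Active' } |
        ForEach-Object { $_.ScopeId.IPAddressToString })

    # DHCP servers authorized in Active Directory. The new server must be
    # listed; a leftover entry for the retired server should be reviewed.
    $authorized = @(Get-DhcpServerInDC | ForEach-Object { $_.DnsName })

    [pscustomobject]@{
        Server             = $fqdn
        ServiceRunning     = ((Get-Service DHCPServer).Status -eq 'Running')
        MissingScopes      = $missing
        InactiveScopes     = $inactive
        AuthorizedInAD     = ($authorized -contains $fqdn)
        OldServerStillInAD = ($authorized -contains $OldServer)
        # Lease counts per scope, to confirm the leases came across too.
        ScopeUsage         = @(Get-DhcpServerv4ScopeStatistics |
            Select-Object ScopeId, InUse, Free)
    }
}

# Usage:
#   Test-DhcpMigration | Format-List
```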

If you have any questions about the post, feel free to contact me at rebeladm@live.com
 

STEP-BY-STEP GUIDE TO MIGRATE ACTIVE DIRECTORY CERTIFICATE SERVICE FROM WINDOWS SERVER 2003 TO WINDOWS SERVER 2012 R2

Microsoft has already announced that support for Windows Server 2003 / Windows Server 2003 R2 is coming to an end on 14th July 2015 (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO). It is no wonder that some organizations still use Windows Server 2003 versions in production environments.

If you still have not planned for migration from legacy Windows Server versions, well, the time has come!!

This guide will explain how we can migrate AD CS from Windows Server 2003 to Windows Server 2012 R2.

In this demonstration I am using the following setup:

Server Name: canitpro-casrv.canitpro.local
Operating System: Windows Server 2003 R2 Enterprise x86
Server Roles: AD CS (Enterprise Certificate Authority)

Server Name: CANITPRO-DC2K12.canitpro.local
Operating System: Windows Server 2012 R2 x64

Back up the Windows Server 2003 certificate authority database and its configuration

•    Log in to the Windows Server 2003 server as a member of the local administrators group
•    Go to Start > Administrative Tools > Certificate Authority
•    Right click on the server node > All Tasks > Backup CA
•    This will open the “Certification Authority Backup Wizard”; click “Next” to continue
•    In the next window click on the check boxes to select the options as highlighted, and click on “Browse” to provide the location where the backup file will be saved. Then click on “Next” to continue
•    Then it will ask for a password to protect the private key and CA certificate file. Once you have provided the password, click on Next to continue
•    The next window provides the confirmation; click on “Finish” to complete the process

Back up the CA registry settings

•    Click Start > Run, then type regedit and click “OK”
•    Then expand the key at the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
•    Right click on the “Configuration” key and click on “Export”
•    In the next window select the path where you need to save the backup file and provide a name for it. Then click on Save to complete the backup

Now we have the backup of the CA. Move these files to the new Windows Server 2012 R2 server.

 

Uninstall the CA service from Windows Server 2003

Now that we have the backup files ready, and before configuring certificate services on the new Windows Server 2012 R2 server, we can uninstall the CA services from the Windows Server 2003 server. To do that, follow these steps.

•    Click on Start > Control Panel > Add or Remove Programs
•    Then click on the “Add/Remove Windows Components” button
•    In the next window remove the tick from “Certificate Services” and click on Next to continue
•    Once the process is completed it will give the confirmation; click on “Finish”

With that we are done with the Windows Server 2003 CA services. The next step is to install and configure the Windows Server 2012 CA services.

Install Windows Server 2012 R2 Certificate Services

•    Log in to the Windows Server 2012 server as Domain Administrator or a member of the local administrators group
•    Go to Server Manager > Add roles and features
•    This will open the “Add roles and features” wizard; click on Next to continue
•    In the next window select “Role-based or Feature-based installation” and click Next to continue
•    On the server selection page keep the default selection and click on Next to continue
•    In the next window click on the tick box to select “Active Directory Certificate Services”. A window will pop up to acknowledge the required features that need to be added. Click on Add Features to add them
•    In the features section keep the defaults. Click Next to continue
•    The next window gives a brief description of AD CS. Click Next to continue
•    Then it will give the option to select role services. I have selected Certificate Authority and Certification Authority Web Enrollment. Click Next to continue
•    Since Certification Authority Web Enrollment is selected, IIS is required. So the next window gives a brief description of IIS
•    The next window gives the option to add IIS role services. I will leave the defaults and click Next to continue
•    The next window gives confirmation about the service install; click on “Install” to start the installation process
•    Once the installation completes you can close the wizard.

Configure AD CS

In this step we will look at the configuration and at restoring the backup we created.

•    Log in to the server as Enterprise Administrator
•    Go to Server Manager > AD CS
•    The right-hand panel will show a message as in the screenshot; click on “More”
•    A window will open; click on “Configure Active Directory Certificate Service ……”
•    This will open the role configuration wizard, which gives the option to change the credentials. Here I am already logged in as Enterprise Administrator, so I will leave the default and click Next to continue
•    The next window asks which services you would like to configure. Select the “Certification Authority” and “Certification Authority Web Enrollment” options and click Next to continue
•    It will be an Enterprise CA, so in the next window select Enterprise CA as the setup type and click Next to continue
•    In the next window select “Root CA” as the CA type and click Next to continue
•    The next option is very important for the configuration. If it were a new installation we would only need to create a new private key. But since this is a migration, we have already made a backup of the private key. So here select the options as highlighted in the screenshot. Then click on Next to continue
•    In the next window click on the “Import” button
•    Here it gives the option to select the key we backed up during the backup process on the Windows Server 2003 server. Browse and select the key from the backup we made, and provide the password we used for protection. Then click OK
•    The key will then be imported successfully. In the window select the imported certificate and click Next to continue
•    In the next window we can define the certificate database path. Here I will leave the default and click Next to continue
•    The next window provides the configuration confirmation; click on Configure to proceed with the process
•    Once it is completed, click on Close to exit the configuration wizard

Restore CA Backup

Now it comes to the most important part of the process, which is to restore the CA backup we made on the Windows Server 2003 server.

•    Go to Server Manager > Tools > Certification Authority
•    Then right click on the server node > All Tasks > Restore CA
•    It will ask if it is okay to stop the certificate service in order to proceed. Click OK
•    This will open the Certification Authority Restore Wizard; click Next to continue
•    In the next window browse to the folder where we stored the backup and select it. Also select the options as I did below. Then click Next to continue
•    The next window gives the option to enter the password we used to protect the private key during the backup process. Once it is entered, click Next to continue
•    In the next window click “Finish” to complete the import process
•    Once it is completed the system will ask if it is okay to start the certificate service again. Proceed with it to bring the service back online

Restore Registry info

During the CA backup process we also backed up the registry key. It is time to restore it. To do that, open the folder which contains the backed-up registry key, then double click on the key.
Then click Yes to proceed with the registry key restore.

Once completed it will give confirmation of the restore.
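A post-restore check for the new CA server, as an added example that is not part of the original post. The exported Configuration key comes from the old host, so the check compares the restored CAServerName value with this server's name, confirms that the CA certificate recorded in CACertHash sits in the machine store with its private key, and lists copies of the CA key (.p12) left in the backup folder. The function name, parameter name and the path in the usage line are placeholders.

```powershell
# Added example; not part of the original post. Run elevated on the new CA
# server after the registry restore. Function and parameter names are made up.

function Test-CaMigration {
    param(
        # Folder the Windows Server 2003 backup files were copied into.
        [Parameter(Mandatory = $true)][string]$BackupFolder
    )
    $cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $cfgRoot).Active
    $caCfg   = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

    $cs   = Get-WmiObject Win32_ComputerSystem
    $fqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain

    # CACertHash holds one SHA-1 hash per CA certificate as space-separated
    # hex; the last entry belongs to the current CA certificate.
    $hashes = @($caCfg.CACertHash |
        ForEach-Object { ($_ -replace '\s', '').ToUpper() } |
        Where-Object { $_ -match '^[0-9A-F]{40}$' })
    $current = if ($hashes.Count) { $hashes[-1] } else { $null }

    # The imported CA certificate must be in the machine store with its key.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $current -and $_.HasPrivateKey }

    # Copies of the CA private key left behind by the migration.
    $keyFiles = @(Get-ChildItem -Path $BackupFolder -Filter *.p12 -Recurse -File |
        ForEach-Object { $_.FullName })

    [pscustomobject]@{
        CaName                = $caName
        ServiceRunning        = ((Get-Service CertSvc).Status -eq 'Running')
        RegistryCAServerName  = $caCfg.CAServerName
        ServerNameMatchesHost = ($caCfg.CAServerName -eq $fqdn)
        CurrentCaCertHash     = $current
        CaCertAndKeyInStore   = [bool]$caCert
        BackupKeyFilesOnDisk  = $keyFiles
    }
}

# Usage (the path is a placeholder):
#   Test-CaMigration -BackupFolder 'C:\CABackup' | Format-List
```

ServerNameMatchesHost comes back False when the imported .reg file still names the old server. BackupKeyFilesOnDisk lists .p12 files that contain the CA private key and should be moved to protected offline storage once the restore is verified.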

Reissue Certificate Templates

We are done with the migration process, and now it is time to reissue the certificates. I had a template set up in the Windows Server 2003 environment called “PC Certificate”, which issues certificates to the domain computers. Let’s see how I can reissue them.

•    Open the Certification Authority snap-in
•    Right click on the Certificate Templates folder > New > Certificate Template to Reissue
•    From the certificate templates list click on the appropriate certificate template and click OK

Test the CA

Here I already had a certificate template set up for the PC and set to auto-enroll. For testing purposes I set up a Windows 8 PC called demo1 and added it to the canitpro.local domain. Once it had loaded for the first time, I opened the Certification Authority snap-in on the server, and when I expanded the “Issued Certificate” section I could clearly see the new certificate it issued for the PC.

So this confirms the migration is successful.