Microsoft says 'weird things' can happen during Windows Server 2003 migrations

Microsoft has started issuing increasingly stern warnings to move from the soon-to-be-unsupported Windows Server 2003, but has also just found an obstacle to migrations away from the operating system. The problem manifests when users run Windows Server 2003 and Windows Server 2012 R2 domain controllers serving the same domain …

  1. Lee D Silver badge

    I did exactly this several years ago now.

    Never had a problem.

    Inherited 2003 DCs, put on a single 2012R2 DC, moved all the config, files, services, etc. over and slowly converted each 2003 machine to 2012R2.

    Did it half-live, half-not (school system, summer holidays) - never saw this problem. I'm guessing it relates to some obscure configuration or even just a hotfix gone bad.

    1. TheVogon

      "as running the two domain controllers in the same domain is just the kind of thing that can be necessary during a migration"

      Running at least 2 domain controllers for each domain is always a requirement, unless you like living dangerously.

    2. Anonymous Coward
      WTF?

      Eh?

      Not sure if misunderstanding that post, but R2 was only released October last year?

    3. Vince

      Several years ago? Why, were you running an operating system in a time machine sometime in the future, since 2012 R2 hasn't been out for "years".

      Or do you mean 2008 R2 in which case your entire comment is invalid since the article is talking about a specific version.

      1. Anonymous Coward

        Hello, IT? Yah-hah? Have you tried forcing an expected reboot? You see the driver hooks the function by patching the system call table, so it's not safe to unload it unless another thread's about to jump in there and do its stuff, and you don't want to end up in the middle of invalid memory. Hello?

  2. Trevor_Pott Gold badge

    Well shit, that would have been useful in November. It does, however, explain a lot of paint-peeling cursing that went on then...

  3. James 100

    Skipping versions?

    Going straight from 2003 to 2012R2 is a four-version jump. I've actually been quite impressed how well Microsoft support the upgrade path between versions (there are a few YouTube videos where someone takes a virtual machine, installs DOS and Windows 1, then upgrades through every version up to Windows 7 or whatever was current at the time) - but trying to jump directly, missing out 2008, 2008R2 and 2012 in between sounds risky.

    TheVogon: Multiple DCs is rather an unlikely scenario when you only have a single server - indeed, as I recall it was *prohibited* on the small business SKUs originally!

    Then again, I had a small company with a 2003-based Small Business Server - which was 32-bit only; the next version, thanks to including Exchange, was 64-bit only, so no direct upgrade path was available. (Conclusion: since we need to migrate to a new platform anyway, and don't have the budget for a new server, let's make that new platform Google Apps. Probably not the upgrade MS wanted us to go for...)

    1. joeW

      Re: Skipping versions?

      Could that provide an effective workaround for this issue? Introduce a 2008R2 DC to the 2003 network, then upgrade/replace the 2003 DC to 2012R2?

    2. TheVogon

      Re: Skipping versions?

      "TheVogon: Multiple DCs is rather an unlikely scenario when you only have a single server - indeed, as I recall it was *prohibited* on the small business SKUs originally"

      If you ONLY have a single server, then you have no services to protect against authentication failure if that single server is down, and you would have to rely on restore from backup or a reinstall if you have a complete failure. An additional domain controller server with SBS has always been supported - ever since Windows NT. See http://blogs.technet.com/b/sbs/archive/2007/10/04/debunking-the-myth-about-additional-domain-controllers-replica-dcs-in-an-sbs-domain.aspx - and has the following potential benefits:

      •Redundancy:

      ◦If the Small Business Server cannot be contacted but another DC is available users can still authenticate.

      ◦If DNS is also installed and the zone for the internal domain is being replicated to all DCs/DNS servers, redundancy will be provided for local and public DNS namespace queries.

      •Disaster recovery:

      ◦It is not necessary to rebuild your entire Active Directory domain if the Small Business Server crashes and you don’t have a good system state backup.

      •Improved user experience:

      ◦If additional DCs are placed at remote sites and also made Global Catalog Servers, remote users can logon more quickly and reliably, and locate objects in the domain more quickly.

      "let's make that new platform Google Apps"

      You get what you pay for. If you want cloud, Office 365 is a better product in pretty much every way.

  4. Anonymous Coward

    Typical Microsoft struggle

    Truth is, in spite of their much touted backwards compatibility -which is one of the best in the industry- the complexity of their products has reached a level where it is extremely difficult for them to keep old and new versions running together.

    I've experienced issues with SSO that even Microsoft could not fix. To this day, I still get multiple authentication challenges from Lync and Outlook, some of them are fake, some of them are real, depending on which network I connect to, all this for a +20K machine domain.

    Problems always related to heterogeneous environments with more than one version of the same Microsoft product running on the same network. First line of support always answer "upgrade everything to the latest versions of everything and it will work", but they are slowly learning that these kind of answers are not acceptable for customers who buy from them in part because of the backwards compatibility. The other part of the problem, I suppose, is that testing all those scenarios must be time consuming, difficult, and expensive.

    1. TheVogon

      Re: Typical Microsoft struggle

      "I've experienced issues with SSO that even Microsoft could not fix. To this day, I still get multiple authentication challenges from Lync and Outlook, some of them are fake, some of them are real, depending on which network I connect to, all this for a +20K machine domain"

      Then your configuration is not correct. I could fix that for you for £ large number a day ;-). Most likely your certificates are not created or published correctly somewhere. First step is to hold down CTRL key, right click on the tray icon for Outlook, select 'Test E-Mail AutoConfiguration' and check the results, then for Lync do the same, but choose 'Configuration Information' and check through everything...

    2. TheVogon

      Re: Typical Microsoft struggle

      ". First line of support always answer "upgrade everything to the latest versions of everything "

      Microsoft first line might tell you to upgrade to the latest patch version / update / service pack of everything if your product is still in support. They don't normally suggest moving to a complete new version unless the product you are using is out of support / end of life.

  5. Craigie

    Testing

    It sounds to me like they didn't even test the combination of a 2003 and 2012 R2 DC on the same domain. Isn't product compatibility the most basic testing they should be doing?

    1. Anonymous Coward

      Re: Testing

      Probably because it's been unsupported for several years.

      2003 R2 support ends next year, but this article talks about 2003.

      1. Nick Ryan Silver badge

        Re: Testing

        Shouldn't even be specific server testing, it should be protocol testing where different versions of specific protocols are clearly defined, documented and proven to not interfere with each other. Ah. Clearly defined and documented? That'll be the problem here...

  6. tim 13

    We did this earlier this year, while it wasn't trouble free, didn't have any of this type of issue.

  7. david 12 Silver badge

    >workarounds are possible

    > but those outlined in the post require rather a lot of working around.

    At least one of the work-arounds is trivial: disable workstation "password" resets.

    And I did that anyway when I was doing server upgrades. Disabling and re-enabling is a simple policy setting.

    Routine machine password reset is more a kind of environmental sanitation setting than a present threat mitigation. The machine password is not, of course, a "password", it is totally user-invisible, disabling changes makes your network more robust, and the risk/danger is very very very low on my list of possible risks/dangers to my network.

  8. Hans 1
    Windows

    At least with Linux you have none of this shit, all protocols are open and published ... yes, you might want to change here and there a few things in a config file or two (whatever you found during testing and validation), the rest, well, apt-get takes care of that.

    Not sure why you guyz go on enduring this shit. Hire a Unix guru and your troubles are over....

  9. SF

    I *knew* that I should have been running RedHat / Samba for my domain... where is that backup DVD?
