Migrating DFS from 2000 Mode to 2008 made a piece of cake

Starting:

This article walks through migrating a domain-based DFS namespace from Windows 2000 Server mode to Windows Server 2008 mode. At the same time we will move the namespace servers from Windows Server 2008 to Windows Server 2016, while keeping the folder targets and replication groups intact and unchanged.

What follows is Microsoft's summary of the process, with my lab migration shown step by step. I hope you find it useful and share it with others.


The Windows Server 2008 mode for domain-based namespaces includes support for access-based enumeration and increased scalability.

To migrate a domain-based namespace from Windows 2000 Server mode to Windows Server 2008 mode, you must export the namespace to a file, delete the namespace, recreate it in Windows Server 2008 mode, and then import the namespace settings. To do so, use the following procedure.

NOTE:

After raising the domain and forest functional levels to 2008, restart the DFS Namespace service on the FSMO DC (the PDC emulator, which holds the authoritative copy of the namespace metadata); until you do, the 2008 mode option stays greyed out in DFS Management.

clip_image001

To migrate a domain-based namespace to Windows Server 2008 mode

Open a Command Prompt window and type the following command to export the namespace to a file, where \\domain\namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the export file:

On the source DC/DFS Server

Dfsutil root export \\domain\namespace C:\filename.xml

clip_image002

clip_image003

Write down the path (\\server\share) for each namespace server. You must manually add namespace servers to the recreated namespace because Dfsutil cannot import namespace servers.

clip_image004

clip_image005

In DFS Management, right-click the namespace and then click Delete, or type the following command at a command prompt, where \\domain\namespace is the name of the appropriate domain and namespace:


Dfsutil root remove \\domain\namespace

clip_image006

Let's refresh the console and confirm the namespace is gone there too.

clip_image007

clip_image008

Next, remove the next namespace the same way.

clip_image009

clip_image010

I will remove the rest of the namespaces.

clip_image011

All of them have been removed. Now let's remove the namespaces from the console display and observe what happens to the replication groups.

clip_image012

NOTE:

The replication groups were not affected. DFS Replication configuration is stored in AD DS separately from the namespace metadata, so deleting a namespace leaves its replication groups in place.

clip_image013

In DFS Management, recreate the namespace with the same name, but use the Windows Server 2008 mode, or type the following command at a command prompt, where \\server\namespace is the name of the appropriate server and share for the namespace root (v2 selects Windows Server 2008 mode):

Dfsutil root adddom \\server\namespace v2

I will use the UI instead of the command

clip_image014

Although we raised the forest and domain functional levels, the 2008 mode option is still greyed out. Let's try restarting the DFS Namespace service on the FSMO server.

clip_image015

clip_image016

After restarting the service on the FSMO server, the "Enable Windows Server 2008 Mode" option is available.

clip_image017

clip_image018

Next, I will copy all the XML export files to the new server and import them there.

My new namespace server runs Windows Server 2016.

clip_image019

To import the namespace from the export file, type the following command at a command prompt, where \\domain\namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the file to import:


Dfsutil root import merge path\filename.xml \\domain\namespace

clip_image020

After the Import

clip_image021

clip_image022

I will continue with the rest of the namespaces.

First each one has to be recreated in the GUI, with the same name it had before, so that the import has a namespace to merge into.

clip_image023

clip_image024

Now I will import and merge the xml file

clip_image025

clip_image026

The imported folder NewFolder already had a replication group from the old namespace mode, but at first the replication group did not show up in the console.

clip_image027

After selecting NewFolder, opening the Replication tab and clicking "Navigate to the replication group", the replication group appeared under the Replication node.

clip_image028

What has changed?

The only noticeable change is the list of namespace servers. Everything else is the same: the folder targets are unchanged and the replication settings are identical to before.

See this screenshot

clip_image029

Let’s check the access to the new namespace

clip_image030

Finally, Let’s import the latest namespace and its configuration (PublicFolder)

clip_image031

clip_image032

Let’s check the result on GUI

clip_image033

Notice that the replication group for the PublicFolder did not show up either, so we repeat the "Navigate to the replication group" step explained above to make it appear.

Here we go

clip_image034

When the import finishes, the command prints a report showing the time taken, the import status and the other imported settings such as site costing, referral timeouts and so on.

clip_image035

Note

To minimize the time that is required to import a large namespace, run the Dfsutil root import command locally on a namespace server.

Add any remaining namespace servers to the recreated namespace by right-clicking the namespace in DFS Management and then clicking Add Namespace Server, or by typing the following command at a command prompt, where \\server\share is the name of the appropriate server and share for the namespace root:


Dfsutil target add \\server\share

Note

You can add namespace servers before importing the namespace, but doing so causes the namespace servers to incrementally download the metadata for the namespace instead of immediately downloading the entire namespace after being added as a namespace server.
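The whole procedure above (export, record the namespace servers, delete, recreate in 2008 mode, import, add the remaining servers, verify) scripted in PowerShell as an added example; this is not code from the original post or from Microsoft's documentation. It uses the DFSN module cmdlets (Windows Server 2012 and later, so available on the 2016 target server) next to dfsutil, snapshots the folder targets and the replication group count before and after so the "nothing else changed" claim can be checked rather than eyeballed, and every path, share and directory value is an assumed placeholder to adjust.

```powershell
#Requires -Modules DFSN
# Assumed lab values, not from the original post; adjust before running.
$Namespace     = '\\corp.example.com\Public'   # domain-based namespace to migrate
$NewRootTarget = '\\FS2016-01\Public'          # share on the new 2016 namespace server (create it first)
$ExtraServers  = @()                           # more root targets, e.g. '\\FS2016-02\Public'
$WorkDir       = 'C:\DFSMigration'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$nsName = ($Namespace.TrimEnd('\') -split '\\')[-1]
$xml    = Join-Path $WorkDir "$nsName.xml"

function Get-FolderTargetSnapshot {
    # Every folder target under the root, sorted so two snapshots can be diffed
    param([string]$Root)
    Get-DfsnFolder -Path "$Root\*" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-DfsnFolderTarget -Path $_.Path } |
        Select-Object Path, TargetPath, State |
        Sort-Object Path, TargetPath
}

function Get-ReplGroupCount {
    # DFSR groups are separate AD objects; counted before and after to show they survive
    if (Get-Command Get-DfsReplicationGroup -ErrorAction SilentlyContinue) {
        return (Get-DfsReplicationGroup | Measure-Object).Count
    }
    return 'n/a (DFSR module not installed)'
}

# 0. Precondition: the namespace really is in 2000 (DomainV1) mode
$root = Get-DfsnRoot -Path $Namespace
if ($root.Type -ne 'DomainV1') { throw "$Namespace is $($root.Type), not DomainV1; nothing to migrate." }

# 1. Export folders, targets and referral settings; save what dfsutil cannot export (namespace servers)
dfsutil root export $Namespace $xml
if ($LASTEXITCODE -ne 0) { throw "dfsutil export failed with exit code $LASTEXITCODE" }
$oldRootTargets = @((Get-DfsnRootTarget -Path $Namespace).TargetPath)
$oldRootTargets | Set-Content (Join-Path $WorkDir "$nsName.namespace-servers.txt")
$before   = @(Get-FolderTargetSnapshot -Root $Namespace)
$before   | Export-Csv (Join-Path $WorkDir "$nsName.targets-before.csv") -NoTypeInformation
$rgBefore = Get-ReplGroupCount

# 2. Delete the V1 namespace. Its root targets go with it; replication groups are untouched.
Remove-DfsnRoot -Path $Namespace -Force

# If "Enable Windows Server 2008 mode" is still greyed out after raising the functional level,
# refresh the DFS Namespace service on the PDC emulator (needs the ActiveDirectory module):
#   Invoke-Command -ComputerName (Get-ADDomain).PDCEmulator -ScriptBlock { Restart-Service Dfs }

# 3. Recreate it with the same name, in 2008 mode, on the new server
New-DfsnRoot -Path $Namespace -TargetPath $NewRootTarget -Type DomainV2 | Out-Null

# 4. Import the saved metadata (run locally on a namespace server for large namespaces)
dfsutil root import merge $xml $Namespace
if ($LASTEXITCODE -ne 0) { throw "dfsutil import failed with exit code $LASTEXITCODE" }

# 5. Add the remaining namespace servers by hand, since the import cannot
foreach ($target in $ExtraServers) { New-DfsnRootTarget -Path $Namespace -TargetPath $target | Out-Null }

# 6. Verify: mode flipped, folder targets unchanged, replication groups still there
$after = @(Get-FolderTargetSnapshot -Root $Namespace)
$diff  = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Path, TargetPath
[pscustomobject]@{
    Namespace         = $Namespace
    ModeAfter         = (Get-DfsnRoot -Path $Namespace).Type   # expect DomainV2
    FolderTargetDiffs = @($diff).Count                         # expect 0
    ReplGroupsBefore  = $rgBefore
    ReplGroupsAfter   = Get-ReplGroupCount
    OldNamespaceSrvs  = ($oldRootTargets -join ', ')
}
if ($diff) { $diff | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session on the new namespace server with the DFS Management tools installed; the saved namespace-servers.txt is the list you would otherwise write down by hand in the step above.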

From <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753875(v=ws.11)>

If you run into other issues, this link may also be of use:

http://landie.tech/migrate-dfs-namespaces-from-2000-to-2008-mode/

Create a 10-year certificate template for Skype for Business, Exchange Server, etc.

A certificate template that lasts for years has become more of a need these days because of the time it takes to renew certificate-dependent servers.

Some servers renew their certificates automatically through GPO auto-enrollment. When that does not work, or if you would rather not deal with GPO and its headaches, the simplest fix is a template with a long validity period that leaves you in peace.

Note that a long-lived certificate (10 years, for example) is not good practice: signature and encryption algorithms are deprecated over time (SHA-1 being the recent example), and a private key that leaks stays usable until the certificate expires or is revoked, so a 10-year lifetime means up to 10 years of exposure unless you rotate it sooner. Publicly trusted TLS certificates are in any case limited to roughly a year by browser policy, so lifetimes like this are only possible with your own enterprise CA. If you decide to follow this article and create a 10-year template for your servers, keep an eye on news about certificates, encryption and signature algorithms, and be ready to reissue before the certificates become exploitable or expire.

To begin, a short story about a company that suffered a production outage from what looks like a tiny problem.

A company called AP had deployed Lync 2013 (now Skype for Business) and used the default Web Server CA template, which issues certificates valid for 2 years by default.

This company called me when all their Lync servers were down and PSTN calls were failing. The first thing I checked was the services; when they would not start I looked at the Lync Server log in Event Viewer.

The errors all pointed to an expired certificate. After renewing the certificates on all servers everything went back to normal, but the outage was long and hurt the company's productivity.
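The outage above is the failure mode a long template is meant to avoid, but a long template does not remove the need to notice expiry; the following added example (my code, not part of the original post) lists the server-authentication certificates in a server's machine store with the days left, flags expired, soon-to-expire and SHA-1/MD5-signed certificates, and exits non-zero so a scheduled task or monitoring agent can alert. Run it on each Lync/SfB or Exchange server, or wrap it in Invoke-Command; the 60-day threshold is an assumed value.

```powershell
# Added example, not from the original post. Threshold is an assumed value.
param([int]$WarnDays = 60)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$now = Get-Date

function Get-ServerCertStatus {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        Where-Object {
            # A certificate without an EKU extension is usable for any purpose, so keep those too
            -not $_.EnhancedKeyUsageList -or ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            $status = 'OK'
            if ($daysLeft -lt 0) { $status = 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { $status = 'EXPIRING' }
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
                # SHA-1/MD5 signed certificates are the "algorithms change over time" case from the note above
                WeakSig    = [bool]($_.SignatureAlgorithm.FriendlyName -match 'sha1|md5')
            }
        }
}

$report = @(Get-ServerCertStatus | Sort-Object DaysLeft)
$report | Format-Table -AutoSize

# Non-zero exit code so a scheduled task or monitoring agent can alert on it
if ($report | Where-Object { $_.Status -ne 'OK' -or $_.WeakSig }) { exit 1 }
```

Schedule it daily with the threshold set longer than your renewal lead time; the point is to get the warning while there is still time to enroll and assign a new certificate, not on the morning the services refuse to start.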

That is where the idea of a template lasting 10 years came from. Creating one on the CA (for Exchange, Skype for Business or any other server certificate) is done through the following steps:


On CA Server Find and open the Certification Authority MMC

Right click on Certificate Templates and click Manage

clip_image001[4]

In the Certificate Templates console, right-click Web Server and click Duplicate Template.

clip_image002[4]

Select Windows Server 2003 Enterprise

clip_image003[4]

clip_image004[4]

Enable "Allow private key to be exported". This is needed when the same certificate has to be installed on several servers, as Lync/Exchange pools commonly require, but it also means the PFX can be copied off the server by anyone who gets hold of it, so protect the exported file with a strong password and delete it once it has been imported everywhere.

clip_image005[4]

clip_image006[4]

Grant Enroll to the group that should request these certificates. The screenshot grants it to Authenticated Users; because the Web Server template lets the requester supply the subject name, that allows any domain user or computer to obtain a server certificate for any host name and impersonate internal servers. Restricting Enroll to the computer accounts of the Exchange/Lync servers, or to a dedicated admin group, is the safer choice.

clip_image007[4]

Back to the Certificate Authority Console, Right click on Certificate Templates and click New -> Certificate template to issue and add the certificate template you created to the list.

clip_image008[4]
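To check that the template just created has the intended settings, and who can actually enroll with it, here is an added example (my code, not part of the original post) that reads the template object from Active Directory and decodes the three settings the steps above touched: validity period, whether the requester supplies the subject, and whether the key is exportable, then lists every principal with Enroll, AutoEnroll or full control on the template and warns when a broad group combines with a requester-supplied subject. The template name is an assumed value.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Template name is assumed.
param([string]$TemplateName = 'WebServerV2')

$enrollGuid     = '0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right
$autoEnrollGuid = 'a05b8cc2-17bc-11d1-a9c7-0000f80367c1'   # Certificate-AutoEnrollment extended right
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$t = Get-ADObject -Identity $dn -Properties msPKI-Certificate-Name-Flag, msPKI-Private-Key-Flag,
                                            pKIExpirationPeriod, pKIExtendedKeyUsage

# pKIExpirationPeriod is stored as a negative count of 100 ns intervals (FILETIME-style), little-endian
$validity        = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($t.pKIExpirationPeriod, 0))
$suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band 0x1)  -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$exportableKey   = ($t.'msPKI-Private-Key-Flag'       -band 0x10) -ne 0   # CT_FLAG_EXPORTABLE_KEY

# Who may enroll: explicit Enroll/AutoEnroll rights, "all extended rights" (empty GUID), or GenericAll
$acl = Get-Acl -Path "AD:\$dn"
$enrollers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.ActiveDirectoryRights -match 'GenericAll' -or
        ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
         ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq $autoEnrollGuid -or $_.ObjectType -eq [guid]::Empty)))
} | Select-Object -ExpandProperty IdentityReference -Unique

$broad = $enrollers | Where-Object { $_.Value -match 'Authenticated Users|Domain Users|Domain Computers|Everyone' }

[pscustomobject]@{
    Template        = $TemplateName
    ValidityYears   = [math]::Round($validity.TotalDays / 365.25, 1)
    SuppliesSubject = $suppliesSubject
    ExportableKey   = $exportableKey
    EKUs            = (@($t.pKIExtendedKeyUsage) -join ', ')       # 1.3.6.1.5.5.7.3.1 = Server Authentication
    Enrollers       = (@($enrollers | ForEach-Object Value) -join '; ')
}

if ($suppliesSubject -and $broad) {
    Write-Warning ("Any member of {0} can request a certificate for an arbitrary subject from {1}. " +
                   "Restrict Enroll to the servers' computer accounts or an admin group.") -f (($broad | ForEach-Object Value) -join ', '), $TemplateName
}
```

Run it from a workstation or DC with the RSAT ActiveDirectory module; it only reads the configuration partition, so any domain user can run it, which is also a reminder of how visible a permissive template is.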

Web Server V2 is on top

clip_image009[4]

Let's request a certificate from the new template through the certsrv web enrollment page on IIS.

clip_image010[4]

The certificate is issued for 5 years rather than 10. The reason is that the CA never issues a certificate that outlives its own CA certificate, and this CA's certificate has only about 5 years left.

So the CA certificate must be valid for longer than the validity requested from the template (and, as shown further down, the CA's own ValidityPeriod registry cap has to be raised as well, because it truncates issued certificates in exactly the same way).

clip_image011[4]

Extending the validity period of the Certification Authority's own certificate

To change the validity period of the root CA's certificate you configure a CAPolicy.inf. To create a CAPolicy.inf that sets the lifetime of the renewed CA certificate to 30 years, put the following in a text file and save it as CAPolicy.inf in the C:\Windows directory (the Renewal* settings are read when the CA certificate is renewed, which is the next step):

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=30

From <http://blogs.technet.com/b/xdot509/archive/2013/06/06/operating-a-windows-pki-renewing-ca-certificates.aspx>

After this you need to renew the CA certificate from the CA console: right-click your certification authority and choose All Tasks -> Renew CA Certificate.

clip_image012[4]

When you click Renew CA Certificate you get the following prompt asking to stop the CA service in order to renew its certificate. Click Yes.

clip_image013[4]

Once you click Yes the service stops and you are asked whether to generate a new public and private key pair. Either choice works. If you choose Yes, the CA gets a new key and a new CA certificate that clients do not yet trust, so you may need to distribute the new CA certificate to all clients (an enterprise CA publishes it to Active Directory; otherwise push it with GPO). Certificates already issued under the old key stay valid until they expire, and the CA keeps the old key to sign CRLs for them.

Click Ok

clip_image014[4]

After clicking OK you will see that the new CA certificate has been generated, and the CA can issue client certificates again.

clip_image015[4]

To let the CA issue certificates longer than its default cap (2 years), you must also run the following commands at an elevated command prompt on the CA server.

clip_image016[4]

Run the certutil commands below to change the maximum lifetime of certificates issued by the CA (here 30 years), then restart the service so the registry change takes effect:

certutil -setreg ca\validityperiodunits 30
certutil -setreg ca\validityperiod years
net stop certsvc && net start certsvc
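The 5-year truncation seen earlier and the registry cap changed here are two of three limits on an issued certificate's lifetime; the third is the template itself. As an added example (my code, not part of the original post), the script below runs on the issuing CA, reports all three and the effective lifetime an enrollee will actually get, and with -Apply performs the same change as the certutil lines above after exporting the CA's registry key as a backup and restarting the service. The template name and the 30-year value are assumed; it also assumes the CA certificate's subject CN matches the CA's configured name, which is the default.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Template name and NewUnits are assumed values.
param([string]$TemplateName = 'WebServerV2', [int]$NewUnits = 30, [switch]$Apply)

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active              # name of the active CA instance
$ca     = Get-ItemProperty -Path (Join-Path $cfgKey $caName)

# 1. Template validity (pKIExpirationPeriod: negative count of 100 ns intervals, little-endian)
$configNC = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -Identity "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
                    -Properties pKIExpirationPeriod
$templateDays = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($tpl.pKIExpirationPeriod, 0)).TotalDays

# 2. CA-wide cap from the registry (what certutil -setreg ca\ValidityPeriod[Units] writes)
$unitDays  = @{ Years = 365.25; Months = 30.44; Weeks = 7; Days = 1 }[$ca.ValidityPeriod]
$caCapDays = $ca.ValidityPeriodUnits * $unitDays

# 3. The CA never issues a certificate that outlives its own certificate
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$caName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$caCertDays = ($caCert.NotAfter - (Get-Date)).TotalDays

$effectiveDays = [math]::Min($templateDays, [math]::Min($caCapDays, $caCertDays))
[pscustomobject]@{
    CA               = $caName
    TemplateYears    = [math]::Round($templateDays / 365.25, 1)
    CaRegistryCapYrs = [math]::Round($caCapDays / 365.25, 1)
    CaCertYearsLeft  = [math]::Round($caCertDays / 365.25, 1)
    EffectiveYears   = [math]::Round($effectiveDays / 365.25, 1)   # the smallest of the three wins
}

if ($Apply) {
    # Back up the CA configuration key before touching it
    $backup = Join-Path $env:TEMP "CertSvc-$caName-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
    reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" $backup /y | Out-Null
    certutil -setreg ca\ValidityPeriodUnits $NewUnits | Out-Null
    certutil -setreg ca\ValidityPeriod Years          | Out-Null
    Restart-Service CertSvc                             # registry changes only apply after a restart
    "Registry backup written to $backup"
    certutil -getreg ca\ValidityPeriod
    certutil -getreg ca\ValidityPeriodUnits
}
```

Run it once without -Apply first: if EffectiveYears is already limited by CaCertYearsLeft, raising the registry cap changes nothing until the CA certificate has been renewed with the longer CAPolicy.inf lifetime described above.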

Now when you generate a new certificate for Exchange or any other application, choose the new template; with the CA cap raised to 30 years and the CA certificate renewed, the template's full validity period is no longer truncated.

clip_image018[4]

clip_image019[4]