Migrating Active Directory from Windows 2003 to Windows 2012 R2

Hello Everyone,

In this How-To, I decided to explore the process of Active Directory migration. As you all know, Active Directory is the backbone of any company. For some it can seem intimidating, for others a walk in the park. Either way, the point of this How-To is to show that migrating and upgrading Active Directory is not something that should be scary.
The process is very simple:
  1. Install newer servers into the Active Directory domain
  2. Transfer the FSMO roles
  3. Uninstall the domain controller role from the old servers and decommission them.
There are two different ways to go about it: Cut-Over migration or Co-Existence. In a cut-over the new server takes over the legacy server's name and IP address; in co-existence the old and new domain controllers run side by side until the old ones are demoted, which is what this How-To does.
You don't need to do a Cut-Over migration unless something outside your control (static DNS entries on clients, appliances or firewall rules that reference the old address) forces you to preserve the legacy server IP.

I hope you find the following information helpful, or at the very least interesting.

So here are our objectives:
  1. FSMO migration
  2. Raising the Domain (and Forest) Functional Level
  3. Testing
Prerequisites:
  1. Legacy Active Directory infrastructure, with the forest functional level at Windows Server 2003 or higher (a Windows Server 2012 R2 domain controller cannot be added to a forest below that level)
  2. New Windows 2012 R2 server (obviously), with a static IP address
  3. An account that is a member of Domain Admins, Enterprise Admins and Schema Admins: the first 2012 R2 domain controller extends the schema (adprep runs automatically during promotion), and the forest-wide FSMO transfers need these memberships
  4. Healthy replication before you start: run repadmin /replsummary and dcdiag on the existing domain controllers and fix any errors first, because promotion replicates whatever state you have, errors included
Procedure:
 
Before migrating the FSMO roles, you need to gather the appropriate information.
On each domain/sub-domain, export the current FSMO configuration to a text file (netdom is built into Windows Server 2008 and later; on Windows Server 2003 it comes with the Windows Support Tools):
- netdom query fsmo > c:\fsmo-<DomainName>.txt
All 5 FSMO roles should be listed in the text file along with the server that hosts each role.
For example:
netdom query fsmo > c:\fsmo-NA.txt
produces a c:\fsmo-NA.txt that looks like this:
Schema master               server.domain.com
Domain naming master        server.domain.com
PDC                         server.domain.com
RID pool manager            server.domain.com
Infrastructure master       server.domain.com
The command completed successfully.
 
** It’s preferable to run this command “As Administrator” if you have the option.
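The same inventory as a PowerShell script (an added example, not part of the original post): it writes one file per domain using the post's fsmo-<NetBIOS name>.txt naming, and also records the functional levels, because a Windows Server 2012 R2 domain controller cannot be promoted into a forest below the Windows Server 2003 level. It assumes the ActiveDirectory module (RSAT, or a Windows Server 2008 R2 or later DC) and an account that can read every domain; the C:\ output path is an assumption.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module
# and an account that can read every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest

# A Windows Server 2012 R2 DC needs a forest functional level of at least
# Windows Server 2003; fail here rather than half-way through a promotion.
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
if ([int]$forest.ForestMode -lt [int]$minimum) {
    throw "Forest functional level is '$($forest.ForestMode)'; raise it to Windows Server 2003 first."
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName

    # The same five roles netdom query fsmo prints: two forest-wide, three per domain.
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC'                   = $domain.PDCEmulator
        'RID pool manager'      = $domain.RIDMaster
        'Infrastructure master' = $domain.InfrastructureMaster
    }

    $lines = @()
    foreach ($role in $roles.GetEnumerator()) {
        $lines += '{0,-26}{1}' -f $role.Key, $role.Value
    }
    $lines += '{0,-26}{1}' -f 'Domain functional level', $domain.DomainMode
    $lines += '{0,-26}{1}' -f 'Forest functional level', $forest.ForestMode

    # One file per domain, e.g. C:\fsmo-NA.txt (assumed path).
    $path = "C:\fsmo-$($domain.NetBIOSName).txt"
    Set-Content -Path $path -Value $lines
    Write-Host "Wrote $path"
    $lines | ForEach-Object { Write-Host "  $_" }
}
```

Keep these files: after the transfers you diff them against a fresh run to prove every role moved, and if a transfer is ever disputed they show who held what before you started.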
 
Once you have the info and are ready to start the server migration, the steps are the following:
  1. On the new Windows 2012 R2 server, install the following roles:
    • Active Directory Domain Services role
    • DNS role. (For now, the server's TCP/IP DNS configuration should point to an existing domain controller, so that the promotion can locate the domain.)
  2. Promote the Windows 2012 R2 server to a Domain Controller (DC)
    • Select "Add a domain controller to an existing domain"
    • Click on the "Select" button to specify the domain
    • When prompted for credentials, enter the domain admin/enterprise admin account (for the first 2012 R2 DC in a 2003 forest this account must also be in Schema Admins, because the wizard runs adprep for you)
    • Choose the appropriate domain. Press "Next"
    • Ensure that the server is a Global Catalog (GC).
    • Enter a password for DSRM. Press "Next". The DSRM password is a local administrator credential that works when the DC is booted offline, and anyone who learns it can read the directory database, so use a long random password and store it in your password vault, not in the runbook.
    • DNS delegation, press "Next". (The warning that a delegation cannot be created because the parent zone was not found is expected when the parent is a public zone you do not host.)
    • Press "Next", leaving the default values until the prerequisites check. Read its output; stop and fix anything it reports as an error.
    • Press "Install". The server will automatically reboot.
    • After reboot, log in and change the TCP/IP DNS entry to point to itself as primary, with another domain controller as the alternate.
At this point, the server has been properly added to the domain. To validate that this server is OK and that DNS is functioning properly, check that the DNS zone(s) replicated to the new server, run repadmin /replsummary and dcdiag on it and make sure neither reports errors, and open Active Directory Users and Computers to confirm the server is listed in the Domain Controllers OU.
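The role installation, promotion and post-reboot checks above as one PowerShell script (an added example, not part of the original post). It uses the ADDSDeployment cmdlets that ship with the AD DS role on Windows Server 2012 R2; the domain name, IP addresses and interface alias are assumed placeholders, and the script is run twice, once before and once after the reboot.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the new Windows Server 2012 R2 server: once with -Phase Promote, then again
# after the reboot with -Phase PostReboot. All names and addresses below are
# assumed placeholders.
param(
    [ValidateSet('Promote', 'PostReboot')]
    [string]$Phase = 'Promote'
)

$domainName = 'corp.example.com'   # assumed domain
$existingDc = '10.0.0.10'          # assumed IP of an existing (legacy) DC, used for DNS during promotion
$ownIp      = '10.0.0.20'          # assumed static IP of this server
$nic        = 'Ethernet'           # assumed interface alias (Get-NetAdapter shows yours)

if ($Phase -eq 'Promote') {
    # Step 1: the two roles. DNS is installed here and configured by the promotion.
    Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

    # Point this server at an existing DC for DNS so the promotion can find the domain.
    Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $existingDc

    # Step 2: promotion. The first 2012 R2 DC in a 2003 forest runs adprep itself,
    # so the account must be in Enterprise Admins and Schema Admins, not only Domain Admins.
    $cred = Get-Credential -Message "Enterprise Admin account for $domainName"

    # The DSRM password is a local administrator that works with the DC booted
    # offline, i.e. a persistence target. Generate a long random value, vault it,
    # and never hard-code it in a script.
    $dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode Administrator) password'

    $promo = @{
        DomainName                    = $domainName
        Credential                    = $cred
        InstallDns                    = $true
        NoGlobalCatalog               = $false   # keep the Global Catalog box ticked
        CreateDnsDelegation           = $false   # the "DNS delegation" page
        SafeModeAdministratorPassword = $dsrm
        Force                         = $true    # no interactive confirmation
    }

    # The wizard's "prerequisites check" page as a cmdlet. Stop on errors;
    # warnings (such as the DNS delegation one) are printed for you to read.
    $check = Test-ADDSDomainControllerInstallation @promo
    $check | Format-List
    if ($check.Status -eq 'Error') { throw 'Prerequisite check failed; fix the reported errors first.' }

    # Promotes the server and reboots it when done.
    Install-ADDSDomainController @promo
}
else {
    Import-Module ActiveDirectory

    # After the reboot: this DC first, an existing DC as the alternate, so a local
    # DNS outage cannot blind it and it does not become a replication island.
    Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $ownIp, $existingDc

    # The same validation as in the post, plus replication and DNS health.
    Get-ADDomainController -Identity $env:COMPUTERNAME |
        Select-Object HostName, IsGlobalCatalog, Site, OperationMasterRoles

    # AD-integrated zones should already be present and DS-integrated on this server.
    Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope

    repadmin /replsummary                    # every partner should show 0 fails
    dcdiag /test:DNS /test:Replications /q   # /q prints only failed tests
}
```

Splatting the same hashtable into Test-ADDSDomainControllerInstallation and Install-ADDSDomainController guarantees that what was checked is exactly what gets installed; if you change a parameter after the check, re-run the check.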
Now we need to transfer the FSMO roles to the new server(s).
*If this is a top level domain, we also need to transfer the Schema and Domain Naming Operations Masters (please note, these two FSMO roles are unique to a forest; transferring the Schema Master requires Schema Admins membership and the Domain Naming Master requires Enterprise Admins).
 
To transfer the Domain Naming Operations Master:
  1. Open Active Directory Domains & Trusts.
  2. Right-click on the "Active Directory Domains and Trusts" line and select "Change Active Directory Domain Controller".
  3. Select the new Windows 2012 R2 server and press "OK".
  4. Again, right-click on the "Active Directory Domains and Trusts" line and select "Operations Master".
  5. In the dialogue box you will see the new server listed as the destination. Click "Change".
  6. When the confirmation dialogue box appears, click on "Yes".
  7. You will get a confirmation that it was changed successfully. Press "OK" then "Close".
To transfer the Schema Master:

  1. Log on to a domain controller (the new Windows 2012 R2 server is fine) with an account that is a member of Schema Admins.
  2. Open an elevated Command Prompt and type regsvr32 schmmgmt.dll. This registers the Active Directory Schema MMC snap-in, which is hidden by default.
  3. Open MMC and add the Active Directory Schema snap-in.
  4. On the left pane, right-click "Active Directory Schema" and choose "Change Domain Controller".
  5. Select the new Windows 2012 R2 server and press "OK".
  6. Again, on the left pane, right-click "Active Directory Schema" and choose "Operations Master".
  7. Click on "Change", then "OK", acknowledging all confirmation windows.
To transfer the RID, PDC and Infrastructure FSMO roles do the following:

  1. Open Active Directory Users & Computers.
  2. Right-click on the domain and select "Change Domain Controller".
  3. Select the new Windows 2012 R2 server. Press "OK".
  4. Again, right-click on the domain and select "Operations Masters".
  5. On the RID tab, click the "Change" button to transfer the role to the new server.
  6. Repeat the same steps on the PDC and Infrastructure tabs.
At this point, all 5 FSMO roles have been transferred. These are graceful transfers, where the old holder hands the role over; never seize a role (with ntdsutil) while the old holder is still alive, because a seized-from server that comes back online gives you two masters for the same role. All that remains is to raise the Domain Functional Level to Windows 2008 R2 (or higher) and decommission the older server(s).
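All three GUI transfers above as a single PowerShell transfer, followed by a verification that fails loudly if any role is left behind (an added example, not part of the original post). It assumes the ActiveDirectory module, an account in Schema Admins, Enterprise Admins and Domain Admins, and a placeholder FQDN for the new domain controller.

```powershell
# Added example, not from the original post. Run as a user in Schema Admins,
# Enterprise Admins and Domain Admins, from the new DC or any machine with the
# ActiveDirectory module. The new DC's name is an assumed placeholder.
Import-Module ActiveDirectory

$newDc = 'DC2012R2.corp.example.com'   # assumed FQDN of the new 2012 R2 DC

# In the forest root domain move all five; in a child domain drop the two
# forest-wide roles (SchemaMaster, DomainNamingMaster) from this list.
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# A graceful transfer: the current holder hands each role over, so it must be
# online. Do NOT add -Force here; -Force seizes, which is only right when the
# old holder is dead for good (a seized-from DC that comes back means two masters).
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Confirm:$false

# Verify from the directory itself (the same source netdom query fsmo reads):
# no DC in this domain other than $newDc may still hold one of the moved roles.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ', ' } } |
    Format-Table -AutoSize

$stragglers = $dcs | Where-Object {
    $_.HostName -ne $newDc -and
    ($_.OperationMasterRoles | Where-Object { "$_" -in $roles })
}
if ($stragglers) {
    $stragglers | ForEach-Object {
        Write-Warning "$($_.HostName) still holds $($_.OperationMasterRoles -join ', ')"
    }
    throw 'Transfer incomplete; see the warnings above.'
}
Write-Host "All moved roles are on $newDc"
```

The check queries the domain controllers rather than trusting the cmdlet's return value, because a transfer that partially fails (for example, the old holder losing connectivity mid-way) is reported per role, and the directory is the only authoritative answer to "who holds it now".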
 
Validating & Decommissioning the Legacy Server(s)
  • On a server within the domain, open Command Prompt and type:
    netdom query fsmo
The output should show that no FSMO role is assigned to the legacy Domain Controller. Before demoting it, also make sure nothing still depends on it: DHCP scope options and any statically configured clients, appliances or forwarders that use the legacy server's IP for DNS must be repointed to a new DC first, or they lose name resolution the moment the DNS role comes off (the DNS server log on the legacy box shows who is still querying it). Once that is done, and the server can be decommissioned, do the following:

  1. On the legacy server, uninstall the DNS role.
  2. Afterwards, change the TCP/IP DNS configuration to point to another Domain Controller.
  3. Uninstall the Domain Controller role by typing DCPromo (on Windows Server 2003, dcpromo is the demotion tool).
  4. Acknowledge the alert.
  5. Press "Next". Make sure that the "This server is the last domain controller in the domain" checkbox is NOT selected; ticking it tells dcpromo to delete the domain itself.
  6. Enter the password for the local Administrator account; this becomes the local admin password of the member server after demotion, so pick a strong one and record it.
  7. The Domain Controller role will uninstall and ask for a reboot once you press "Finish".
  8. Reboot the server.
  9. When the server comes back up, it will be a normal member server of that domain. Verify from a new DC that it no longer appears under Domain Controllers in Active Directory Users and Computers or under its site in Active Directory Sites and Services; if the demotion failed part way and the objects are still there, remove them with ntdsutil metadata cleanup (or by deleting the server object in Sites and Services on a Windows Server 2008 or later DC) rather than leaving a dead DC in the replication topology. Once verified, disjoin the server from the domain and power it off.
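The pre- and post-demotion checks above as PowerShell, run from the new 2012 R2 domain controller (an added example, not part of the original post). It assumes the ActiveDirectory and DnsServer modules and uses a placeholder name for the legacy DC.

```powershell
# Added example, not from the original post. Run from the new 2012 R2 DC: once
# before demoting the legacy DC and once after it has rebooted as a member
# server. The legacy DC's name is an assumed placeholder.
Import-Module ActiveDirectory
Import-Module DnsServer

$legacyDc = 'DC2003'                 # assumed NetBIOS name of the legacy DC
$zone     = (Get-ADDomain).DNSRoot   # the domain's DNS zone, e.g. corp.example.com

function Test-BeforeDemotion {
    # Nothing may still depend on the legacy DC: no FSMO role, and clean replication,
    # so its last changes are already on the other DCs before it goes.
    $dc = Get-ADDomainController -Identity $legacyDc
    if ($dc.OperationMasterRoles) {
        throw "$legacyDc still holds: $($dc.OperationMasterRoles -join ', ')"
    }
    repadmin /showrepl $legacyDc   # last inbound replication per partner; all should be successful
    repadmin /replsummary          # forest-wide summary; 'fails' must be 0 everywhere
    dcdiag /s:$legacyDc /q         # quiet mode prints only failed tests
    Write-Host "$legacyDc holds no roles; review the replication output above before running dcpromo."
}

function Test-AfterDemotion {
    # A failed or partial demotion leaves a DC object that the other DCs keep trying
    # to replicate with. It must be removed (ntdsutil metadata cleanup) before the box is wiped.
    $ghost = Get-ADDomainController -Filter * | Where-Object { $_.Name -eq $legacyDc }
    if ($ghost) {
        Write-Warning "$legacyDc is still registered as a domain controller: run ntdsutil metadata cleanup."
    }

    # Demotion normally removes the DC's NS records; a stale one sends clients to a dead resolver.
    foreach ($z in @($zone, "_msdcs.$zone")) {
        Get-DnsServerResourceRecord -ZoneName $z -RRType NS -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.NameServer -like "$legacyDc.*" } |
            ForEach-Object { Write-Warning "Stale NS record in $z pointing at $($_.RecordData.NameServer)" }
    }

    # The machine account should now be an ordinary member server, not in Domain Controllers.
    $account = Get-ADComputer -Identity $legacyDc -Properties PrimaryGroupID
    if ($account.PrimaryGroupID -eq 516) {   # 516 = RID of the Domain Controllers group
        Write-Warning "Computer account $legacyDc still has Domain Controllers as its primary group."
    }
    Write-Host "Post-demotion checks done for $legacyDc."
}
```

Dot-source the file, run Test-BeforeDemotion, demote and reboot the legacy server, then run Test-AfterDemotion; a warning from the second function means the server is not gone from the directory and must be cleaned up before you reuse or wipe the box.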
Raising Domain Functional Level.

If all the legacy servers have been decommissioned and only the new Windows 2012 R2 servers remain in the domain, you can safely raise the Domain Functional Level to Windows 2008 R2 (or higher; with only 2012 R2 domain controllers left, Windows Server 2012 R2 is available). Raising a functional level is effectively one-way, so confirm there is no forgotten Windows 2003 domain controller in any domain of the forest first. To raise the level, do the following:
  1. Open Active Directory Users and Computers.
  2. Right-click on the domain and select "Raise Domain Functional Level".
  3. Select Windows Server 2008 R2. Click "Raise".
  4. Acknowledge the warning (it tells you the change cannot be reversed).
  5. Success! You'll receive a confirmation window stating that it completed successfully.
  6. If you'd like, you can go back into "Raise Domain Functional Level" and you will see that the current Domain Functional Level is listed as Windows Server 2008 R2.
To raise the Forest Functional Level (every domain in the forest must already be at or above the level you pick), do the following:
  1. Open Active Directory Domains & Trusts.
  2. Right-click on the "Active Directory Domains and Trusts" line and select "Raise Forest Functional Level".
  3. Select Windows Server 2008 R2. Click "Raise".
  4. Acknowledge the warning.
  5. Success! You'll receive a confirmation window stating that it completed successfully.
  6. If you'd like, you can go back into "Raise Forest Functional Level" and you will see that the current Forest Functional Level is listed as Windows Server 2008 R2.
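Both raises in PowerShell, with the check that makes them safe (an added example, not part of the original post): it lists every domain controller in the forest, refuses to continue if any runs an OS older than the target level, raises each domain first and the forest last, and skips a level that is already at or above the target. It assumes the ActiveDirectory module and an account in Domain Admins and Enterprise Admins.

```powershell
# Added example, not from the original post. Run from the new 2012 R2 DC as a
# member of Domain Admins (domain level) and Enterprise Admins (forest level).
Import-Module ActiveDirectory

# Target levels: the post raises to Windows 2008 R2; with only 2012 R2 DCs left,
# Windows2012R2Domain / Windows2012R2Forest are also available.
$domainTarget = [Microsoft.ActiveDirectory.Management.ADDomainMode]'Windows2008R2Domain'
$forestTarget = [Microsoft.ActiveDirectory.Management.ADForestMode]'Windows2008R2Forest'

$forest = Get-ADForest

# A raise is effectively one-way, so first prove that no DC anywhere in the forest
# runs an OS older than the target (2000, 2003, or 2008 without R2).
$allDcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$allDcs | Select-Object HostName, Domain, OperatingSystem | Format-Table -AutoSize

$tooOld = $allDcs | Where-Object { $_.OperatingSystem -match '2000|2003|2008(?! R2)' }
if ($tooOld) {
    throw "Decommission these domain controllers first: $($tooOld.HostName -join ', ')"
}

# Domain level first, in every domain. The forest level can only be raised once
# all domains are at or above it.
foreach ($d in $forest.Domains) {
    $current = (Get-ADDomain -Identity $d).DomainMode
    if ([int]$current -lt [int]$domainTarget) {
        Set-ADDomainMode -Identity $d -DomainMode $domainTarget -Confirm:$false
        $current = (Get-ADDomain -Identity $d).DomainMode
    }
    Write-Host "$d domain functional level: $current"
}

if ([int]$forest.ForestMode -lt [int]$forestTarget) {
    Set-ADForestMode -Identity $forest -ForestMode $forestTarget -Confirm:$false
}
Write-Host "Forest functional level: $((Get-ADForest).ForestMode)"
```

The operating-system regex is deliberately conservative: it treats "Windows Server 2008" without "R2" as too old for a 2008 R2 level, which the GUI would also refuse, but here you find out before committing to anything.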
Congratulations! You've officially migrated Active Directory from the legacy servers (in our case Windows Server 2003) to Windows 2012 R2. I think it's pretty simple and straightforward. Obviously you need to work out which strategy suits you best, but all the components mentioned here, such as transferring the FSMO roles, are definitely part of the process.

I would love to have some feedback. Constructive criticism is not only appreciated, but welcomed!
Until next time!

Daniel Moscovici
