Your first step is to get a list of the applications that your company uses and what interaction they have with Active Directory (for example, if any applications authenticate with Active Directory). Some applications will authenticate against your domain, and some applications I’ve seen perform an LDAP query against an OU object within Active Directory. You may also find that some applications authenticate via LDAP against a particular domain controller’s NetBIOS name or IP address. In some cases, this is hardcoded into the applications, so you will want to research how this will affect you if you build new domain controllers or upgrade your current ones.
Once you know how your applications integrate with Active Directory, you can plan your migration. The best approach is to build new Windows Server 2012 R2 domain controllers and migrate your domain controller roles to the new ones. The steps to do this are as follows:
- Add Windows Server 2012 R2 member servers.
- Promote them to domain controllers.
- Transfer FSMO roles from the Windows Server 2003 domain controllers to the Windows Server 2012 R2 domain controllers.
- Demote the Windows Server 2003 domain controllers.
Exchange compatibility
If your organization is running Exchange, make sure to check the prerequisites for what version of Exchange you will need before migrating to Windows Server 2012 R2—in particular, the service pack level—so your mail continues to run smoothly after the upgrade.
Tools and tips
Useful tools that will help you with your migration planning are as follows:
- As part of your discovery phase (to catalog applications and application dependencies), consider using the Microsoft Assessment and Planning Toolkit (MAP), an agentless tool for inventorying and assessing desktop, server, and cloud migrations. If you use System Center Configuration Manager (SCCM), you can pull inventory reports from there as well.
- There is also a great free tool called Windows Server 2003 Migration Planning Assistant that will give you tips on how to migrate different workloads to give you a smooth migration.
- Before you build your new domain controllers, I recommend running a health check on your AD environment, in particular on replication between your domain controllers. A great free tool for this is DCDiag. Run it before you build your new domain controllers, and run it again after the new domain controllers have been built to make sure replication between them is working correctly.
- If you’re migrating your environment to a new domain, you will need a migration tool that will migrate your users, desktops, servers, and SIDs. Two tools I recommend are ADMT and Quest Migration Manager.
- It’s also important to clean up your DNS before and after the migration to make sure you don’t have any stale DC/DNS server records, because stale records will cause problems with your new environment. You can use the free DCDiag tool to check DNS health.
Detailed guides
- Discover and assess your application dependencies, hardware, and application workloads in your environment. Check whether your applications are compatible with Active Directory 2012 R2. Use the Microsoft Assessment and Planning Toolkit (MAP) to help you with this step.
- Check the health state of your Active Directory replication, domain controllers, sites and services, and DNS records before you build your new DCs.
- Build your new Windows Server 2012 R2 machines and promote them to DCs as detailed in this guide.
- Migrate the FSMO roles from your Windows Server 2003 domain controllers to your new Windows Server 2012 R2 DCs as detailed in this guide.
- Run DCDiag to check the replication health of all your domain controllers and to ensure that everything has been replicated to your new DCs (objects, GPOs, etc.).
- Test all your applications to make sure they are functioning correctly.
- When you’re happy with your new environment, you can now demote your Windows Server 2003 domain controllers as detailed in this guide.
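As an added example (not part of the article), here is a PowerShell pre-flight script that covers the steps above: it inventories the remaining Windows Server 2003 DCs, records the current FSMO role holders, runs the DCDiag and repadmin checks, lists the zone's NS records so stale DC entries can be spotted, and moves the five FSMO roles to the new DC only when explicitly asked. The DC name "DC2012-01" is a placeholder; the script assumes the ActiveDirectory and DnsServer RSAT modules and Domain Admin rights.

```powershell
# Added example, not the article's own code. "DC2012-01" is a placeholder.
param(
    [string]$NewDc = "DC2012-01",   # replace with the FQDN-less name of your new DC
    [switch]$TransferRoles          # FSMO roles move only when this switch is given
)
Import-Module ActiveDirectory

# 1. Inventory: the Windows Server 2003 DCs are the ones to demote later.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site |
    Format-Table -AutoSize
$legacy = @($dcs | Where-Object { $_.OperatingSystem -like "*2003*" })
Write-Host "Windows Server 2003 DCs remaining: $($legacy.Count)"

# 2. Record the FSMO role holders (two forest-wide, three domain-wide).
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 3. Replication and DNS health (run before and after building the new DCs).
#    /q prints only failures, so a silent run is a clean run.
dcdiag /test:Replications /test:DNS /q
repadmin /replsummary
# NS records of the domain zone: any entry for a demoted DC is stale and
# should be removed. Queries the DNS service on the PDC emulator.
Get-DnsServerResourceRecord -ComputerName $domain.PDCEmulator `
    -ZoneName $domain.DNSRoot -RRType NS |
    ForEach-Object { $_.RecordData.NameServer }

# 4. Move all five roles to the new DC, but only if it is already promoted.
if ($TransferRoles) {
    $newFqdn = "$NewDc.$($domain.DNSRoot)"
    if (-not ($dcs.HostName -contains $newFqdn)) {
        throw "$newFqdn is not a domain controller yet; promote it first."
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, `
                             RIDMaster, InfrastructureMaster -Confirm:$false
    # Re-read the holders so the post-transfer state is visible.
    Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
    Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
}
```

Run it once without -TransferRoles before building the new DCs and again after promotion; only when both DCDiag runs are clean should the roles be moved and the 2003 DCs demoted.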