Last Friday, I delivered a session with Mike Resseler at TechEd North America 2014 in Houston: PCIT-B341 Upgrading Active Directory the Safe Way: Using Virtualization Technologies.

Upgrading Active Directory using virtualization

Although Microsoft stressed the importance of its new cloud technologies throughout TechEd, on-premises technologies such as Active Directory Domain Services remain important too. Heck, in some Microsoft cloud scenarios, you actually need Active Directory on premises—and even a fairly recent version, too.

Upgrading Active Directory on premises, however, is not a simple feat.


First, it’s time-consuming. Doing it right means building a test plan, building a test environment, making a change plan, and more. A lot of time is spent on something that should be rather easy to do. But, because of the many dependencies on Active Directory, almost every upgrade project becomes very painful and slow.

Second, upgrading Active Directory is error prone. It’s easy to take Domain Controllers offline in the process and, thereby, deny all colleagues their logons. Active Directory is still the cornerstone in Microsoft-based networking environments.

Third, it’s pretty complex. The upgrade process has several prerequisites, and after the upgrade there is still clean-up work to do before everything is in order again.

Checklists on the Internet can help you through. These checklists typically contain steps such as building a test lab, testing the deployment, creating a recovery plan, testing the recovery plan, preparing the Active Directory for upgrade, installing the Active Directory Domain Services Server Role on a member server, upgrading Domain Controllers, modifying security principals as needed, updating Group Policy permissions, and performing clean-up tasks.

Fourth, and last, it’s expensive. Because of the complexity and the sheer amount of work involved, many organizations have hired expensive consultants to get their Active Directory upgraded safely.

As Microsoft is moving to a faster pace in releasing new versions of Windows Server and, with that, new releases of Active Directory, this situation needs to end. It’s time to take matters into our own hands and make upgrading Active Directory more straightforward and cost effective.

Why upgrade

Organizations running older versions of Active Directory miss out on a lot of stuff. When they upgrade from Windows Server 2003 Active Directory to Windows Server 2012 R2 Active Directory, they gain a ton of new features.

Simplified deployment

Microsoft has introduced the Active Directory Domain Services Installation Wizard and PowerShell cmdlets to make deploying Domain Controllers a breeze.

The AD DS Installation Wizard takes care of all the complexity in single domain environments by validating the prerequisites and even automatically preparing the Active Directory schema for you when needed. It features indefinite retries, so you decide when promotion fails, not the piece of software you’re using.

In bigger environments, the improved Install from Media (IfM) functionality saves you hours because it no longer forces you to perform the mandatory offline defragmentation pass.

In Windows Server 2012 Active Directory and up, this means you can deploy full installations and Server Core installations of Domain Controllers, both from the server console and remotely, one at a time or a whole rack full at once.

Easier management

All that PowerShell goodness in Windows Server 2012 Active Directory (and up) provides a consistent and more easily scriptable experience. You don’t even need to learn PowerShell to actually use it; the Active Directory Administrative Center (dsac.exe) has a PowerShell History Viewer to learn, copy, and paste where you need it. The Active Directory Administrative Center also offers graphical user interfaces for fine-grained password policies and the Active Directory recycle bin.

Dynamic Access Control (DAC) offers the rich authorization scenarios many businesses need. Combinations of claims, based on any attribute of both user accounts and computer accounts, can be used on Windows Server 2012 File Servers (and up) to propose or set access control lists (ACLs) and classifications.

Active Directory–based Activation helps alleviate the burden of licensing devices. Windows and Office installations on domain-joined devices can be automatically activated, and then automatically deactivated when the device leaves the domain.

Virtualization enhancements

Virtual Windows Server 2012–based Domain Controllers (and up) incorporate Active Directory virtualization safeguards. These work on top of the VM-GenerationID technology that the hypervisor gives to every virtual machine running on top of it through its tools and integration components.

Virtual Domain Controllers use the VM-GenerationID to see when snapshots are applied or copied. These actions no longer result in USN Rollbacks and Lingering Objects—problems many Active Directory admins faced when virtualizing Domain Controllers.

This brings us to the age-old question of whether “to virtualize or not to virtualize.”

In Windows Server 2012 Active Directory (and up), all Active Directory features work in physical, virtual, and mixed environments. Windows Server 2012–based Domain Controllers (and up) are safe to virtualize on any VM-GenerationID-capable hypervisor:

  • Microsoft Windows Server 2012 Standard Edition (Hyper-V) and up
  • Microsoft Windows Server 2012 Enterprise Edition (Hyper-V) and up
  • Microsoft Hyper-V Server 2012 (Hyper-V) and up
  • Microsoft Windows 8 Professional (Hyper-V) and up
  • Microsoft Windows 8 Enterprise (Hyper-V) and up
  • VMware Workstation 9.0 and up
  • VMware vSphere 5.0 with Update 4 and up
  • VMware vSphere 5.1 and up
  • Citrix XenServer 6.2.0-70446c and up

Also, Domain Controllers running on the hypervisors above may be cloned for even faster deployments of replica Domain Controllers.

Functional levels

Now, when upgrading Active Directory, one of the aspects that companies largely overlook is the functional levels: the Domain Functional Level (DFL) and Forest Functional Level (FFL).

While the features in newer Active Directory versions might appeal to your environment, some of these features often require more than simply the new version of Windows Server on Domain Controllers.

For instance, when you want to use the Active Directory recycle bin feature, the Forest Functional Level needs to be configured as at least Windows Server 2008 R2. This means all Domain Controllers in the entire Active Directory forest need to run at least Windows Server 2008 R2.

Requiring Kerberos Armoring within an Active Directory environment requires the Windows Server 2012 Domain Functional Level, and it also requires all domain-joined devices to run at least Windows 8.

The list goes on…
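As an added example (not from the original post or the session), the following PowerShell check verifies that every Domain Controller in the forest meets the operating-system minimum implied by a target Forest Functional Level before you raise it or enable a feature that depends on it, using the Recycle Bin requirement described above. It assumes the ActiveDirectory module (RSAT) is installed, an account with Enterprise Admin rights, and the level-to-kernel-version mapping in `$MinimumOsVersion`, which is constructed here.

```powershell
# Added pre-upgrade check, not part of the original post.
# Assumes the ActiveDirectory module and Enterprise Admin rights.
Import-Module ActiveDirectory

# Minimum NT kernel version per functional level (constructed mapping):
# Windows Server 2008 R2 = 6.1, 2012 = 6.2, 2012 R2 = 6.3
$MinimumOsVersion = @{
    'Windows2008R2Forest' = [version]'6.1'
    'Windows2012Forest'   = [version]'6.2'
    'Windows2012R2Forest' = [version]'6.3'
}

function Get-DcBelowLevel {
    param([Parameter(Mandatory)][string]$TargetForestMode)
    $required = $MinimumOsVersion[$TargetForestMode]
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # OperatingSystemVersion looks like "6.1 (7601)"; keep the leading number only
        Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
            $osVersion = [version]($_.OperatingSystemVersion -split ' ')[0]
            if ($osVersion -lt $required) {
                [pscustomobject]@{
                    HostName        = $_.HostName
                    Domain          = $domain
                    OperatingSystem = $_.OperatingSystem
                    Version         = $osVersion
                }
            }
        }
    }
}

$target = 'Windows2008R2Forest'   # minimum FFL for the Active Directory Recycle Bin
$forest = Get-ADForest
"Current forest functional level: $($forest.ForestMode)"
$blockers = @(Get-DcBelowLevel -TargetForestMode $target)
if ($blockers.Count -gt 0) {
    "Upgrade or demote these Domain Controllers before raising the FFL to $($target):"
    $blockers | Format-Table -AutoSize
} else {
    "All Domain Controllers meet the minimum for $($target)."
    # Raising the level is a one-way change; -WhatIf previews it without applying it.
    Set-ADForestMode -Identity $forest.RootDomain -ForestMode $target -WhatIf
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -WhatIf
}
```

Remove the two `-WhatIf` switches only after the report is clean and the change plan has been approved.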

Upgrading Active Directory safely

During our session, Mike and I proposed three ways to make your Active Directory upgrades safer.

Domain Controller Cloning

The first technology Active Directory admins can use to make their Windows Server 2012 Active Directory upgrades to Windows Server 2012 R2 more robust is Domain Controller Cloning.

An Active Directory admin can clone a fully functional Windows Server 2012–based Domain Controller and in-place upgrade the clone to Windows Server 2012 R2, while the original Domain Controller remains functional and offers authentication and authorization services in the environment.
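The cloning step described above, as an added example that is not part of the original post or the session: it prepares a virtual Windows Server 2012 Domain Controller for cloning and creates the clone that you would then in-place upgrade to Windows Server 2012 R2. The names DC1 (source), DC2 (clone) and HV1 (Hyper-V host), the export path and the IP settings are all constructed placeholders; steps 1 to 3 run on DC1 as a Domain Admin, steps 4 to 6 on the Hyper-V host.

```powershell
# Added example, not from the original post. Names, paths and IPs are constructed.
Import-Module ActiveDirectory

# 1. Only members of this group are allowed to be cloned.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'DC1')

# 2. Installed software not known to be clone-safe blocks cloning. Review the list
#    and only after checking with the vendor generate CustomDCCloneAllowList.xml.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Resolve the excluded applications before cloning.'
}

# 3. Write DCCloneConfig.xml into the NTDS folder with the clone's identity.
New-ADDCCloneConfigFile -CloneComputerName 'DC2' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# ---- On the Hyper-V host HV1 (Hyper-V module) ----
# 4. Shut the source down cleanly while its disk is copied.
Stop-VM -Name 'DC1'

# 5. Export, then import as a copy. -GenerateNewId gives the clone its own VM id, so it
#    boots with a new VM-GenerationID; together with DCCloneConfig.xml this tells
#    Active Directory to treat the first boot as a clone rather than a restored snapshot.
Export-VM -Name 'DC1' -Path 'D:\Export'
$clone = Import-VM -Path 'D:\Export\DC1\Virtual Machines\<vm-config-file>' -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\DC2' -VhdDestinationPath 'D:\VMs\DC2\Disks'
Rename-VM -VM $clone -NewName 'DC2'

# 6. Bring the original back first so logons continue, then boot the clone;
#    it promotes itself as DC2 and can then be upgraded in place.
Start-VM -Name 'DC1'
Start-VM -VM $clone
```

Replace `<vm-config-file>` with the configuration file that `Export-VM` wrote for DC1.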

Hyper-V Replica

Another built-in feature of Windows Server may also be of interest to Active Directory admins: Hyper-V Replica. Using this technology, admins can fail over, or test fail over, a set of virtual Domain Controllers and member servers from the production environment to an isolated environment.

This is a useful way of creating a test environment for the Active Directory upgrade and its impact on dependent on-premises services, like Exchange, SharePoint, and third-party solutions.

Backup

Modern day backup and restore solutions, such as Veeam’s Backup & Replication, can also be of good use in testing and performing Active Directory upgrades. Just like Hyper-V Replica, Veeam’s Backup & Replication can be used to automatically create a test environment.


When you’re faced with an Active Directory upgrade, make good use of virtualization. Virtualization makes Active Directory easier to deploy and more cost effective to run.

Also, for your Active Directory upgrade, use these three tricks to make your project, and your life, that much easier:

  • Domain Controller Cloning
  • Hyper-V Replica
  • Backup

Active Directory upgrades? Yes, we can.

© 4sysops 2006 - 2023