7Nov14.30_Upgrading Windows Server 2003-2008 Active Directory to Windows Server 2012 R2

Date post: 24-Nov-2015
Description: Upgrade Windows 2003 to 2008
Transcript
  • Why upgrade?

    Prepare

    Plan

    Action

    Cleanup

  • RODC

    Server Core

    AD Snapshots (ntdsutil.exe,

    dsamain.exe)

    DS Auditing (auditpol.exe)

    Restartable AD service

    Administrative Center

    PowerShell Cmdlets

    AD Best Practice Analyzer

    Protecting objects from

    accidental deletion

    GPO features (Central Store,

    ADMX files, GPP)

  • DFSR replication of Sysvol

    Fine-Grained Password Policy

    (FGPP)

    Last Interactive Logon Info

    Offline Domain Join

    Managed Service Accounts

    (MSA)

    Authentication mechanism

    assurance for AD-FS

    Advanced Encryption Standard

    (AES 128 and 256) for

    Kerberos

  • Support Lifecycle for Windows

    Server 2003 SP2:

    Extended Support end date:

    July 2015

    Active Directory Recycle Bin (No built-in UI, PowerShell only, or 3rd-party tools)

  • New Active Directory Administrative

    Center

    GUI for FGPP management

    GUI for AD Recycle Bin

    PowerShell History Viewer

    Active Directory-based Activation

    GPO features and GPMC UI

    additions

    Richer authorization through

    Dynamic Access Control & File

    Classification Infrastructure

  • Simplified Deployment and

    Preparation

    Dynamic Access Control (DAC)

    policies and claims

    Group Managed Service

    Accounts (GMSA)

    Virtualization-Safe for the

    Windows Server 2012 DC

    (requires Hypervisor support

    for VM-Generation-ID)

  • Rapid virtual DC deployment through DC-cloning

    (requires Hypervisor support for VM-Generation-ID)

  • Increased Kerberos strength

    (Kerberos Armoring - or FAST)

    Increased RID Pool

  • Support Lifecycle for Windows

    Server 2008 R2 SP1:

    Mainstream Support end

    date January 2015

    Extended Support end date -

    January 2020

    No additional features

  • What are the upgrade goals?

    Map existing resources (hardware, software, human)

    What other roles do DCs perform?

    Map the risks

    Can you consolidate?

    Can (should) you virtualize?

    Time needed, downtime needed

    Plan for rollback

  • Is it simpler to keep the old DCs name and/or IP address?

    Possible options:

    1. New DCs, new names, new IPs

    Simplest

    1. New DCs, new names, new IPs - simplest

    2. New DCs, new names, old IPs - medium complexity

    3. New DCs, old names, old IPs - may be more complex

  • DES Encryption types for the Kerberos authentication protocol issues:

    SAP

    Oracle Internet Directory (OID), CA Identity Manager, Tivoli Identity Management

    Samba and other Linux/Unix interoperability

    NetApp, EMC Celerra or other storage devices

    Firewalls, VPN, RADIUS

    http://support.microsoft.com/kb/977321

  • NetApp filers or (potentially) other storage devices

    Resource SID Compression:

    Resource SID Compression in Windows Server 2012 may cause authentication problems on NAS devices:

    http://support.microsoft.com/kb/2774190

    SMB Secure Negotiate

    "System error 2148073478," "extended error," or "Invalid Signature" error on SMB connections in Windows 8 or Windows Server 2012:

    http://support.microsoft.com/kb/2686098

  • Smart Cards, certificates, EFS Recovery Agent keys

    Non-compatible customized password filters

    Time keeping software

    Exchange servers with manual DC configuration

    LDAP Query Policies with non-default settings

    TSL (tombstoneLifetime) - 60 days in forests created before Windows Server 2003 SP1, 180 days in forests created with Windows Server 2003 SP1 or later

    - Upgrading the forest does not change TSL; if the attribute is unset the value in effect is 60 days. Check it with: dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr tombstonelifetime

  • Static ports:

    RPC Netlogon

    RPC Replication

    FRS

    Manual connection objects in AD Sites and Services

    Preferred Bridgehead Servers in AD Sites and Services

    Firewalls, TMG/UAG/ISA, VPN, RADIUS/IAS, Switches with 802.1X

    3rd-party applications that are hard-coded to work against specific DCs

  • Make sure DFL and FFL are Windows Server 2003 or above (a Windows Server 2012/2012 R2 DC cannot be added to a forest still at Windows 2000 native level)

    Any remaining Windows 2000 DCs must be running SP4, and must be demoted before DFL/FFL can be raised to Windows Server 2003

    Issues with Win9X/NT4.0 client computers:

    http://support.microsoft.com/kb/555038

    http://support.microsoft.com/kb/946405

    http://support.microsoft.com/kb/942564

    Issues with External Trusts to NT4.0 domains:

    http://support.microsoft.com/kb/2021766

  • Domain functional level (DFL): dsquery * "dc=ad,dc=petri-labs,dc=com" -scope base -attr msDS-Behavior-Version

    Forest functional level (FFL): dsquery * "cn=partitions,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr msDS-Behavior-Version

    Windows 2000 (mixed or native) = 0

    Windows Server 2003 interim = 1

    Windows Server 2003 = 2

    Windows Server 2008 = 3

    Windows Server 2008 R2 = 4

    Windows Server 2012 = 5

    Windows Server 2012 R2 = 6

  • Replication issues

    USN Rollbacks, Lingering Objects, Strict Replication Consistency (?)

    DNS

    Events and Logs

    FSMO

    Consider temporarily disabling AV on the DCs

    Document everything! (Active Directory Topology Diagrammer, Visio)

  • Install RSAT on a Windows

    workstation for easier management:

    For Windows 7

    For Windows 8

    For Windows 8.1

    Built-in into Server OSs

    Make sure the user you're working with is a member of:

    Domain Admins

    Enterprise Admins

    Schema Admins

  • Make sure you have a recent, supported, tested and working backup:

    System State

    Boot Partition

    System Partition

    All GPOs (by using GPMC)

    Certificate Authority and important certificates and keys

    Scripts etc.

    Do you know the DCs' DSRM passwords? Do NOT use a VM snapshot as a backup!

    Consider disconnecting one DC in addition to backing up

    Consider disabling outbound replication on the Schema Master DC during the Schema upgrade

  • The bigger and more complex you are, the more you need to test before you act.

    Consider regulations and standards (such as Change Management procedures)

    Test environment needs to be as close to production as possible.

    Test and production need to be totally isolated from each other.

  • Extend the Schema

    Promote the first Windows Server 2012/2012 R2 DC

    Move relevant roles: DHCP

    DNS

    WINS

    Certificate Services

    TS Licensing

    Transfer FSMO

    If needed, point relevant applications to new DC

    Configure connectors or other manual settings

    Wait a bit

    Decommission old DCs

    Go to celebrate

  • No more (manual) ADPREP!

    No need to keep installation media

    No need to remember complex commands and where to run them (forestprep, domainprep, rodcprep, gpprep)

    Automate the pre-requisites between each of them

    Validate environment-wide pre-requisites before beginning deployment

    Integrated with Server Manager and remoteable

    Built on Windows PowerShell for command-line and UI consistency

    Configuration wizard aligns to the most common deployment scenarios

  • No more DCPROMO!

    Promotion is done through Server Manager UI: Remotable, built on PowerShell, Automated

    In case of network hiccups - indefinite retry loop

    Install From Media (IFM) is fast and easy to use, and the offline defrag of the IFM database is now optional (it was always performed in Windows Server 2003/2008)

  • Check version:

    dsquery * "cn=schema,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr objectVersion

    (Forestprep success: 2003 R2 = 31, 2008 = 44, 2008 R2 = 47, 2012 = 56, 2012 R2 = 69)

    dsquery * "cn=ActiveDirectoryUpdate,cn=ForestUpdates,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr revision

    (Forest-wide update success: 2008 R2 = 5, 2012 = 11, 2012 R2 = 15. Domainprep keeps its own counter, the revision attribute of cn=ActiveDirectoryUpdate,cn=DomainUpdates,cn=System,<domain DN>: 2008 = 3, 2008 R2 = 5, 2012 = 9, 2012 R2 = 10)

    Verify replication

    repadmin /replsum /bysrc /bydest /sort:delta
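
The three version checks in this deck (tombstone lifetime, functional levels, schema/adprep revisions) collapse into one readiness function. This is an added example, not code from the deck or from Microsoft; it assumes the RSAT ActiveDirectory module in a domain-joined session. The 2012 R2 targets (schema 69, ForestUpdates revision 15) are the ones the slides give; the DomainUpdates revision of 10 for 2012 R2 is from Microsoft's adprep verification documentation.

```powershell
# Added example, not part of the original deck: tombstone lifetime, DFL/FFL, schema objectVersion
# and adprep revisions read with the ActiveDirectory module and evaluated against the
# Windows Server 2012 R2 targets. Assumes RSAT ActiveDirectory module, domain-joined session.
Import-Module ActiveDirectory

function Get-AdUpgradeReadiness {
    param(
        # DC to query; defaults to whichever DC the session already talks to
        [string]$Server = (Get-ADRootDSE).dnsHostName
    )

    $rootDse  = Get-ADRootDSE -Server $Server
    $configNC = $rootDse.configurationNamingContext
    $domainNC = $rootDse.defaultNamingContext
    $schemaNC = $rootDse.schemaNamingContext

    # Read one attribute of one object; $null when the object does not exist
    # (CN=ActiveDirectoryUpdate is absent in a forest never adprep'ed for 2008 or later)
    function Get-Attr([string]$Dn, [string]$Attr) {
        try   { (Get-ADObject -Server $Server -Identity $Dn -Properties $Attr -ErrorAction Stop).$Attr }
        catch { $null }
    }

    # msDS-Behavior-Version values, same table as the deck
    $levelNames = @{
        0 = 'Windows 2000 (mixed or native)'; 1 = 'Windows Server 2003 interim'
        2 = 'Windows Server 2003';            3 = 'Windows Server 2008'
        4 = 'Windows Server 2008 R2';         5 = 'Windows Server 2012'
        6 = 'Windows Server 2012 R2'
    }

    $dfl = [int](Get-Attr $domainNC 'msDS-Behavior-Version')
    $ffl = [int](Get-Attr "CN=Partitions,$configNC" 'msDS-Behavior-Version')

    $schemaVersion = [int](Get-Attr $schemaNC 'objectVersion')
    $forestPrepRev = [int](Get-Attr "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC" 'revision')
    $domainPrepRev = [int](Get-Attr "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC" 'revision')

    # tombstoneLifetime unset means 60 days (forests created before Windows Server 2003 SP1)
    $tslRaw = Get-Attr "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" 'tombstoneLifetime'
    $tsl = if ($tslRaw) { [int]$tslRaw } else { 60 }

    [pscustomobject]@{
        Server                = $Server
        DomainFunctionalLevel = '{0} ({1})' -f $dfl, $levelNames[$dfl]
        ForestFunctionalLevel = '{0} ({1})' -f $ffl, $levelNames[$ffl]
        TombstoneLifetimeDays = $tsl          # also the maximum usable age of a backup
        SchemaObjectVersion   = $schemaVersion
        ForestUpdatesRevision = $forestPrepRev
        DomainUpdatesRevision = $domainPrepRev
        # A 2012 R2 DC cannot be added below Windows Server 2003 domain/forest functional level
        LevelsAllow2012R2     = ($ffl -ge 2 -and $dfl -ge 2)
        ForestPrep2012R2Done  = ($schemaVersion -ge 69 -and $forestPrepRev -ge 15)
        DomainPrep2012R2Done  = ($domainPrepRev -ge 10)
    }
}

Get-AdUpgradeReadiness | Format-List
```

Run it once before the schema extension and once after the first 2012 R2 promotion; the second run should show all three "Done" fields as True on every DC you point it at, which is your replication check for the schema change. If you took the deck's advice to isolate the Schema Master during the extension (repadmin /options <SchemaMaster> +DISABLE_OUTBOUND_REPL), remember to re-enable outbound replication with -DISABLE_OUTBOUND_REPL once the new values look right.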

  • Always wait for KCC (15-30 minutes)

    If replication topology is complex wait for replication for as long as it takes (again consider enabling Change Notification)

    Verify replication

    repadmin /showreps

    repadmin /replsum * /bysrc /bydest /sort:delta

    Make sure new DC is functioning:

    Check AD replication

    Check SYSVOL sharing and replication

    Check events

    Do not hurry (depending on the size of the DIT and SYSVOL)
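
The "make sure the new DC is functioning" checklist as one script run from a management workstation. Added example, not from the deck; it assumes RSAT (ActiveDirectory module, dcdiag, repadmin) and uses 'DC12R2-01' as a placeholder name for the new DC.

```powershell
# Added example, not part of the original deck: replication, SYSVOL/NETLOGON and event-log checks
# for a freshly promoted DC. Assumes RSAT on the workstation; 'DC12R2-01' is a placeholder.
Import-Module ActiveDirectory
$dc = 'DC12R2-01'

# 1. AD replication: recorded inbound failures, then last success per partition and partner
Get-ADReplicationFailure -Target $dc |
    Format-Table Partner, FailureCount, FirstFailureTime, LastError -AutoSize
Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# 2. SYSVOL and NETLOGON: a DC does not advertise itself until both shares exist
foreach ($share in 'SYSVOL', 'NETLOGON') {
    '{0,-8} {1}' -f $share, $(if (Test-Path "\\$dc\$share") { 'shared' } else { 'MISSING' })
}
# dcdiag covers advertising, replication and SYSVOL (FRS or DFSR) in one pass
dcdiag "/s:$dc" /test:Advertising /test:Replications /test:SysVolCheck /test:NetLogons

# 3. Critical and error events of the last 24 h in the logs that matter on a DC
$since  = (Get-Date).AddDays(-1)
$events = foreach ($log in 'Directory Service', 'DNS Server', 'DFS Replication', 'File Replication Service') {
    # a log that does not exist on this DC (FRS after the DFSR migration, for instance) is skipped
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since }
}
$events | Select-Object TimeCreated, LogName, Id, Message | Format-Table -Wrap
```

Repeat the run after the KCC interval the slide mentions; a partner that still shows an old LastReplicationSuccess while dcdiag passes usually means a connection object or site link has not been recalculated yet, not a broken DC.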

  • PDC Emulator of the Forest Root Domain is responsible for time keeping.

    If not properly configured: Event ID 12 (W32Time). http://support.microsoft.com/kb/816042

    PDC Emulators of other domains in the forest pull time from the Forest Root Domain PDCE

    Protect yourself against a large time offset (MaxPosPhaseCorrection, MaxNegPhaseCorrection Registry/GPO values)

    DCs pull time from PDCEs

    Servers and workstations pull from DCs
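
The hierarchy above, configured from the DC itself: the forest-root PDCe gets external NTP sources and the reliable flag, every other DC follows the domain hierarchy, and the phase-correction cap protects against a bad upstream clock. This is an added example, not from the deck; it assumes an elevated PowerShell session with the ActiveDirectory module on the DC being configured, and the NTP server names are constructed placeholders to be replaced with your own. The last part implements the "do not synchronize time with the host" rule from the virtual-DC slide for Hyper-V guests.

```powershell
# Added example, not part of the original deck: W32Time configuration by role in the time hierarchy.
# Assumes elevation, the ActiveDirectory module, and that $ntpPeers is replaced with real sources.
Import-Module ActiveDirectory

$ntpPeers         = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'   # placeholders; 0x8 = client mode
$maxOffsetSeconds = 48 * 3600                                  # refuse corrections larger than 48 hours

$forestRootPdce = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
$thisHost       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($thisHost -ieq $forestRootPdce) {
    # Top of the hierarchy: authoritative for the forest (/reliable:yes), synced from external NTP
    w32tm /config /manualpeerlist:"$ntpPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC, including the PDCe of a child domain, follows the domain hierarchy
    w32tm /config /syncfromflags:domhier /update
}

# MaxPos/MaxNegPhaseCorrection: a source that is further off than this is not followed,
# so one wrong upstream clock cannot move the DC by days (and break Kerberos for everyone)
$w32Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
Set-ItemProperty -Path $w32Config -Name MaxPosPhaseCorrection -Value $maxOffsetSeconds -Type DWord
Set-ItemProperty -Path $w32Config -Name MaxNegPhaseCorrection -Value $maxOffsetSeconds -Type DWord

# Virtual DC on Hyper-V: disable the hypervisor time provider so the host cannot override the
# hierarchy (Microsoft's "partial disable" of the Time Synchronization integration service)
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
if (Test-Path $vmic) { Set-ItemProperty -Path $vmic -Name Enabled -Value 0 -Type DWord }

Restart-Service W32Time
w32tm /resync /nowait
w32tm /query /source      # expect an NTP peer on the forest-root PDCe, a DC name everywhere else
w32tm /query /status
```

When you transfer the PDC Emulator role to the new DC, run this again on both the old and the new holder: the role moves, the W32Time configuration does not, and a root PDCe still set to domhier is exactly how the Event ID 12 loop in the slide comes about.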

  • Remember Windows Server 2008/2012 issues a random computer name by default

    Never ever in your life use NEWSID! (punished by death!)

    Do NOT disable IPv6 (http://support.microsoft.com/kb/929852)

    Configure Windows Update

    Secure the server(s)

    Run Best Practice Analyzers

    Configure Anti-Virus exclusions (http://support.microsoft.com/kb/822158)

    Configure backups

  • Never clone a DC operating system!

    Do not use snapshots for virtual DCs

    Do not pause/resume virtual DCs

    If on VMs, exclude DCs from Live Migration or vMotion

    Do not synchronize time with the host

    Snapshots, cloning and pause/resume are safe only for Windows Server 2012 (or later) DCs on a hypervisor that exposes VM-Generation-ID (Hyper-V in Windows Server 2012, "Hyper-V 3", or later); on anything older the rules above have no safety net

  • If you decide to use the new DC(s) with new computer names and IP addresses, do not forget to update:

    Name Server (NS) records

    Zone Transfers

    Domain Delegation

    Bind Secondaries

    Zone Scavenging

    Forwarding to ISPs

    Firewall ports (for eDNS)

    DHCP settings for workstations that have dynamic IPs

    Any workstation, server, device with manual DNS IP address

  • Schema

    Domain Naming

    PDC Emulator

    RID

    Infrastructure

    If all ok, both DCs agree to the transfer

    Easiest: Use NTDSUTIL

    Check Infrastructure FSMO roles (fSMORoleOwner attribute) on the DomainDnsZones and ForestDnsZones http://support.microsoft.com/kb/949257

    If not ok, consider forcing (seize)

  • Run on the DC that is to receive the roles (hence "localhost"): ntdsutil roles con "con to ser localhost" q "tran sche mas" "tran nam mas" "tran infra mas" "tran pdc" "tran rid mas" q q

    If you must (the current holder is permanently gone; a DC whose roles were seized must never be brought back online in the forest):

    ntdsutil roles con "con to ser localhost" q "seize sche mas" "seize nam mas" "seize infra mas" "seize pdc" "seize rid mas" q q
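
The same transfer done with the ActiveDirectory module instead of ntdsutil, followed by the verification the FSMO slide asks for, including the DNS application-partition check from KB949257. Added example, not from the deck; it assumes the module, a caller who is in Domain Admins, Enterprise Admins and Schema Admins, and 'DC12R2-01' as a placeholder name for the new Windows Server 2012 R2 DC.

```powershell
# Added example, not part of the original deck: transfer all five FSMO roles, verify the holders,
# and repair stale infrastructure-master pointers in the DNS partitions (KB949257).
# Assumes ActiveDirectory module; 'DC12R2-01' is a placeholder for the new DC.
Import-Module ActiveDirectory

$newDc = 'DC12R2-01'
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# A transfer needs both the current holder and the target online and agreeing. Adding -Force
# turns this into a seize: do that only when the holder is gone for good, and never reconnect it.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Confirm:$false

# What the directory reports now (equivalent of "netdom query fsmo")
$forest  = Get-ADForest
$domain  = Get-ADDomain
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders
$notMoved = $holders.GetEnumerator() | Where-Object { $_.Value -notmatch "^$newDc\." }
if ($notMoved) { Write-Warning ('Still held elsewhere: ' + ($notMoved.Key -join ', ')) }

# KB949257: DomainDnsZones and ForestDnsZones carry their own infrastructure-master pointer.
# If it names a deleted DC (DN mangled with "0ADEL:"), point it at a live DC's NTDS Settings object.
$rootDse  = Get-ADRootDSE
$liveNtds = (Get-ADDomainController -Identity $newDc).NTDSSettingsObjectDN
foreach ($nc in "DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
                "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)") {
    $infra = Get-ADObject -Identity "CN=Infrastructure,$nc" -Properties fSMORoleOwner
    if ($infra.fSMORoleOwner -match '0ADEL:') {
        Write-Warning "$nc infrastructure owner is a deleted DC; resetting to $liveNtds"
        Set-ADObject -Identity $infra -Replace @{ fSMORoleOwner = $liveNtds }
    } else {
        "$nc -> $($infra.fSMORoleOwner)"
    }
}
```

The stale-pointer case is the one that silently breaks later: adprep for the next version and the DFL raise both consult those partitions, so fix it while the old DCs are still around to compare against.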

  • Take your time to test

    If all ok, demote old DCs one by one (dcpromo.exe)

    Consider shutting down old DC(s) for a few days (the who did it???! effect)

    If demoting is unsuccessful consider forcing (dcpromo /forceremoval) and then clean the old DC's metadata out of AD (ntdsutil metadata cleanup) http://support.microsoft.com/kb/216498

    Manually remove server objects from AD Sites and Services

  • Discard all old DCs

    Raise DFL, FFL as needed (one-way; every remaining DC must already run the target version)

    Enable Recycle Bin (requires FFL Windows Server 2008 R2 or higher; cannot be disabled again)

    Use Active Directory Snapshots and create a backup schedule

    Migrate from FRS to DFS-R
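
The decommissioning slide and the cleanup slide as one script: part 1 lists server objects left behind by old DCs (what "ntdsutil metadata cleanup" exists for), part 2 raises the levels, enables the Recycle Bin and starts the FRS-to-DFSR migration in the order the dependencies impose. Added example, not from the deck; it assumes it is run on a Windows Server 2012 R2 DC with the ActiveDirectory module by an Enterprise Admin, that every remaining DC runs 2012 R2, and uses the deck's forest name ad.petri-labs.com.

```powershell
# Added example, not part of the original deck: stale-DC metadata report, then the one-way
# post-upgrade steps. Assumes a 2012 R2 DC, ActiveDirectory module, Enterprise Admin.
Import-Module ActiveDirectory
$forestName = 'ad.petri-labs.com'
$configNC   = (Get-ADRootDSE).configurationNamingContext

# --- Part 1: leftovers from old DCs --------------------------------------------------------
# A live DC's server object has an "NTDS Settings" (nTDSDSA) child and matches a known DC
# in one of the forest's domains; anything else is metadata a failed demotion left behind.
$liveDcs = foreach ($d in (Get-ADForest).Domains) { (Get-ADDomainController -Filter * -Server $d).HostName }
$servers = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=server)' -Properties dNSHostName
foreach ($s in $servers) {
    $ntds  = Get-ADObject -SearchBase $s.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    $stale = (-not $ntds) -or ($liveDcs -notcontains $s.dNSHostName)
    [pscustomobject]@{
        Server = $s.Name
        Site   = ($s.DistinguishedName -split ',')[2] -replace '^CN='
        Stale  = $stale
    }
    if ($stale) {
        # Clean up before raising levels (KB216498). From an elevated prompt on a DC:
        #   ntdsutil "metadata cleanup" "remove selected server <server DN>" q q
        # then delete the server object in AD Sites and Services if it is still there.
        Write-Warning "Stale server object: $($s.DistinguishedName)"
    }
}

# --- Part 2: finalize ----------------------------------------------------------------------
# Raising levels and enabling the Recycle Bin are one-way, and the Recycle Bin needs
# FFL >= Windows Server 2008 R2, so the order is: levels first, then the feature.
Set-ADDomainMode -Identity $forestName -DomainMode Windows2012R2Domain -Confirm:$false
Set-ADForestMode -Identity $forestName -ForestMode Windows2012R2Forest -Confirm:$false

$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $recycleBin.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $recycleBin -Scope ForestOrConfigurationSet -Target $forestName -Confirm:$false
}

# SYSVOL from FRS to DFSR: dfsrmig walks 0 Start -> 1 Prepared -> 2 Redirected -> 3 Eliminated.
# Advance one state at a time, and only after "dfsrmig /getmigrationstate" shows every DC reached it.
dfsrmig /getglobalstate
dfsrmig /setglobalstate 1

# A snapshot you can later mount read-only with dsamain.exe (the deck's "AD Snapshots")
ntdsutil snapshot 'activate instance ntds' create quit quit
```

Part 1 is deliberately a report rather than an automatic delete: a server object without NTDS Settings can also be a DC mid-promotion, and removing the wrong one is exactly the kind of damage the Recycle Bin you are about to enable would have saved you from.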

  • Upgrading your AD to Windows Server 2012/R2 is important even if you do not plan to use any of the benefits

    Plan and test before you move

    Upgrading is not rocket science

    Upgrading AD to Windows Server 2012/R2 has benefits mostly in the virtualization and deployment areas, but also in management and monitoring

    Verify and clean after you move

  • Questions? Comments?

    [email protected]
