Wednesday, January 20, 2016

Active Directory migration from Windows 2003 to Windows 2016

I've inherited an old Windows 2003 based Active Directory installation and I'm tasked to upgrade it to modern standards. I've done various (successful) tests in my lab using the plan below, but I really want a reality check and best-practice suggestions from other experts in the field.

Current status: a single-label, Windows 2000 mixed mode Active Directory domain running on a Windows 2003 installation. The DNS component is running with unsecure dynamic updates.

Target status: migrate to a Windows 2012R2 level domain on a Windows 2016 installation (note: the target level of Windows 2012R2, rather than 2016, is due to my customer having other Windows 2012R2 servers). The migration should be done in the least disruptive manner; in any case, as I am going to work on it during a weekend, short service disruptions are accepted.

Caveats: while single-label domains are deprecated, I really need to keep it running as-is. I evaluated both a domain rename and/or a domain migration to a new name, but they simply seem too much to ask of my customer.

My plan:

  • install a new Windows 2016 server and add it, as a simple member, to the current domain
  • raise the current forest/domain functional level to Windows 2003
  • promote the new Windows 2016 server to the Domain Controller (with Global Catalog) role
  • demote the old server (via dcpromo)
  • on the new Windows 2016 server, use "Active Directory Sites and Services" to remove any leftovers from the demote operation
  • on the new Windows 2016 server, use "DNS Manager" to change the DNS dynamic update type to "Secure only"
  • raise the forest/domain functional level to Windows 2012R2
  • change the old server's original IP address (e.g. from 192.168.1.1 to 192.168.1.2)
  • change the new server's IP address to match the old domain controller (e.g. from 192.168.1.10 to 192.168.1.1). Note: I'm planning to do that due to current DHCP settings and gateway firewall/VPN rules
  • migrate from FRS to DFSR (see here and here)
  • install another Windows 2016 server in a branch office, adding it as a new Domain Controller (with Global Catalog).

Questions:

  • Am I missing something important?
  • Is my idea of swapping the IP addresses of the old/new server to minimize firewall/VPN/DHCP changes a good one, or should I avoid that?
  • Is there anything else I should be aware of?

UPDATE: after much discussion and testing, I convinced my customer to go for a domain rename. I've done it via the rendom utility, as per Microsoft recommendations, and all went smoothly (there was no on-premises Exchange server, fortunately).
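The checks a practitioner would run on the new Windows 2016 server before and after the steps in the plan above (functional levels, FSMO placement, remaining DCs, DNS zones still accepting unsecure updates, SYSVOL replication state). This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory and DnsServer PowerShell modules are installed, and the FixDnsUpdates switch is a hypothetical name chosen here.

```powershell
# Pre-flight / post-step verification for the migration plan above.
# Added example, not the poster's script. Assumes it runs on the new
# Windows 2016 server with the RSAT ActiveDirectory and DnsServer modules.
param([switch]$FixDnsUpdates)   # hypothetical switch: apply the "Secure only" DNS step

Import-Module ActiveDirectory
Import-Module DnsServer

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Functional levels: the forest must be at least Windows2003 before a
#    2016 DC can be promoted; the final target in the plan is Windows2012R2.
"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"

# 2. FSMO role holders: all five should sit on the new DC before the old
#    one is demoted, so nothing has to be seized afterwards.
"Schema master         : $($forest.SchemaMaster)"
"Domain naming master  : $($forest.DomainNamingMaster)"
"PDC emulator          : $($domain.PDCEmulator)"
"RID master            : $($domain.RIDMaster)"
"Infrastructure master : $($domain.InfrastructureMaster)"

# 3. Domain controllers still registered: after the demote and the cleanup
#    in Sites and Services, only the new server(s) should be listed.
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize

# 4. AD-integrated DNS zones still accepting unsecure dynamic updates (the
#    status the question describes). With "Secure only", a client must
#    authenticate before it can add or change its own records.
$openZones = Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' }
$openZones | Select-Object ZoneName, DynamicUpdate, ReplicationScope | Format-Table -AutoSize

if ($FixDnsUpdates) {
    foreach ($zone in $openZones) {
        Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure
        "Zone $($zone.ZoneName): dynamic updates set to Secure"
    }
}

# 5. SYSVOL replication engine: the FRS-to-DFSR migration is complete only
#    when the global state reports 'Eliminated'.
dfsrmig /getglobalstate
```

Run it read-only first and compare the output with the plan step you have just completed; pass -FixDnsUpdates only for the "Secure only" step.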

Answer

    while single-label domain are deprecated, I really need to keep it running as-is. I evaluated both a domain rename and/or a domain migration to a new name, but they simply seem too much to ask for my customer.

The right thing is sometimes the hardest. IMO, you're doing your customer a disservice by continuing to use and support the SLD. Do the "right" thing and perform a domain rename or migrate to a new domain.