Upgrade Domain Controllers from Windows Server 2003 R2 to Windows Server 2012 R2 or 2008 R2 and Exchange 2010

We have Windows Server 2003 R2 Domain Controllers, which we want to upgrade to Windows Server 2012 R2. In our environment we also have Exchange 2010 v.

There are 2 sites
There are 2 domain controllers per site
and one Exchange server that has 2 IIS sites, one for external clients and one for internal
We also have quite a bit of group policies that we'd like to retain
All but Exchange are VMs on VMware hosts
Our domain controllers are backed up with Veeam 7 and Exchange with Symantec BE 2012
Our Domain and Forest Functional Levels are both Windows Server 2003

Q1: I'm looking for the procedure to upgrade domain controllers and Active Directory to at least 2008 R2 functional level, given the above scenario.
Are there any underwater stones that someone doing the upgrade should be aware of?
What is the best way to backup and recover DCs, Exchange and AD in case of a failure?
Are there any changes to Group Policies that may happen during upgrade, which may cause them to apply in a wrong way?

Q2: Does it make sense to upgrade to 2012 R2 yet, or is it better to wait for a while till enough patches are released?
Will Szymkowski (Senior Solution Architect) Commented:
Answers are below...
Q1. High-level steps are...
- Make sure replication is operating correctly beforehand.
- Forest/domain prep, gpprep and rodc prep (using ADPREP)
- Introduce the first 2008R2 domain controller
- Add additional DCs to your environment (I would recommend at least 2 per site)
- Transfer the FSMO roles to a 2008R2 DC
- Configure DNS on servers to point to the new 2008R2 DCs (configure DHCP as well)
- Make sure that all DCs in your environment are GCs as well
- Decommission the 2003 DCs until they are all removed

Upgrade experience...
- When you do an upgrade from 2003 to 2008/R2 make sure that you monitor Sysvol closely. I have seen many times that when you introduce 2008 into a 2003 environment, not all of Sysvol replicated initially to the 2008 DCs. I had to manually copy the scripts/policies to the 2008 DCs (replication was working accordingly). This has happened to me twice while doing an upgrade.
- Also, the Slow Network detection GPO. If you have XP clients in your environment you will want to enable this policy, as once all of the 2003 DCs have been eliminated you will run into issues with XP machines not getting drive mappings, because network connections are too fast and the drives do not map. Keep that in mind.

The best way to protect AD is having multiple DCs in your environment. This allows for redundancy and also transferring roles to other DCs if something happens to your FSMO holder. You should also do a system state, which is good if you are in a situation where you need to rebuild the entire domain because all of the DCs have been compromised/corrupted.

GPOs will work the same; there are new GPOs in 2008, but your migrated ones will work accordingly.

As for upgrading to Server 2012 or 2008R2, if I were in your position I personally would upgrade to 2012R2, because it is the latest, and if you upgrade to 2008R2 you will soon be in the same situation where you will need to upgrade again. If you have the licenses for 2012R2 then upgrade. Just make sure that you have the appropriate number of CALs for the users that will authenticate against the 2012 DCs.
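
The checks named in the steps above (replication health, FSMO holders, every DC a GC, Sysvol present on each DC), as an added example that is not part of the original answer. It assumes an elevated PowerShell session on a 2008 R2 or later DC with the ActiveDirectory module loaded; it only reads state and changes nothing.

```powershell
# Added example: read-only health checks to run before and after each migration step.
# Assumption: run on a 2008 R2 or later DC (ActiveDirectory module and repadmin present).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = Get-ADDomainController -Filter *

# 1. Replication: any link with a non-zero failure count must be fixed before ADPREP.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
$repl | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' |
    Format-Table -AutoSize

# 2. Functional levels and FSMO role holders (confirm they moved after the transfer).
$forest | Select-Object ForestMode, SchemaMaster, DomainNamingMaster | Format-List
$domain | Select-Object DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster | Format-List

# 3. Every DC should be a GC; OperatingSystem shows which 2003 DCs are still left.
$dcs | Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog | Format-Table -AutoSize

# 4. Sysvol: each DC should share NETLOGON and hold one policy folder per GPO in AD.
$gpoCount = @(Get-ADObject -Filter 'objectClass -eq "groupPolicyContainer"' `
    -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)").Count

$sysvol = foreach ($dc in $dcs) {
    $policies = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies"
    $folders  = @(Get-ChildItem $policies -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' }).Count
    New-Object psobject -Property @{
        DC            = $dc.HostName
        NetlogonShare = Test-Path "\\$($dc.HostName)\NETLOGON"
        PolicyFolders = $folders
        GposInAD      = $gpoCount
        Match         = ($folders -eq $gpoCount)
    }
}
$sysvol | Select-Object DC, NetlogonShare, PolicyFolders, GposInAD, Match |
    Format-Table -AutoSize
```

A new DC that shows `NetlogonShare` as False or a lower `PolicyFolders` count than the others has not finished its initial Sysvol replication and should not yet take FSMO roles or client DNS traffic.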

Chris Commented:
OK, some simple steps/guidelines

Backup - best off using Windows Server Backup for AD so that you can restore the data back into AD, as restoring a virtual domain controller isn't a great plan.
Here is a nice step-by-step for that: http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx

Exchange: if you only have one server, then make sure you have the data from the mailboxes and any certs and custom config; then you can use recover server to reinstall Exchange.

Are you looking for an in-place upgrade? That's not the best plan for DCs.
If you have spare physical kit then I suggest installing a member server on 2012 and then promoting it to a DC (it will do a schema prep as it installs the role)

Then you can move the FSMO roles onto the new DCs.

Leave for a few days to settle in, and then you can start working your way round, dcpromo-ing out the 2008 DCs and replacing them with new DCs. If you decommission properly and one at a time, then you can avoid having to change where servers are pointing for DNS etc. (this was the biggest issue for us with static IP config, so I removed the server completely and then reused the same IP)

Server 2012 R2 is good.

Stick with Exchange 2010 for now.
The only changes to Group Policy are improvements - you get additional templates for configuring Win8 and 2012 features.

You'll need 2012R2 if you have IE11 you want to control with GPO, as this can only be done with Group Policy Preferences and not from the old IE Maintenance.

Alumicor (Author) Commented:
So there is no way to have Exchange backed up and recovered like nothing happened? There was a lot of customization done and I'm trying to find a solution to minimize the amount of work in case of a failed upgrade.
Do GPO Preferences actually work now for IE in 2012R2? Will it work for IE10? We don't really plan to upgrade IE, but who knows.
What about upgrading to 2012R2, does it have those Sysvol replication issues?
Will Szymkowski (Senior Solution Architect) Commented:
•Our domain controllers are backed up with Veeam 7 and Exchange with Symantec BE 2012
You have stated that you are already using Backup Exec to take backups of your Exchange environment. My personal opinion for backups for Exchange is to have an Exchange-aware backup solution, which you have. If possible, based on your backup schedule, you should take advantage of Symantec's GRT technology for Granular Recovery for Exchange.

•Do GPO Preferences actually work now for IE in 2012R2? Will it work for IE10? We don't really plan to upgrade IE, but who knows.
I have not tested Preferences in my lab yet with 2012R2. I would assume that it works, as the R2 release has changed/corrected a lot of features/functionality. But as I have stated, I have not tested this myself.

•What about upgrading to 2012R2, does it have those Sysvol replication issues?
As for the Sysvol replication issues I had previously with 2008R2, I have not come across this while doing a 2012 migration. This only happened a couple of times when doing a 2008R2 migration, so it might have been a bug at the time which now might be corrected. I just wanted to provide you with some of my own (baptism by fire) experiences; the Sysvol thing is something that I always look for now.

If you lose the data from Exchange then it's not a problem, but there are steps for recovering an entire server and just restoring the server as is. Basically most of the config is stored in AD, i.e. accepted domains etc., so recovering the server will pull that data out and then restore the mailboxes into that.

IE preferences do work in my testing; the only issue is where you have a mix of clients and DCs, i.e. they can only be set/controlled for IE11 from 2012 R2, and there are some issues with 2003 DCs applying them.

I have not come across any replication issues either with 2012 R2.
Alumicor (Author) Commented:
Thanks guys for sharing some of your experience. I understand it's hard to give a more detailed answer, as each environment is very unique and may carry various other possibilities.
Your posts have given me enough info to start working with. Thank you for that!