

Active Directory migration and backup

Posted on 2015-01-18
Medium Priority
Last Modified: 2015-02-11
Hi All,

I have 4 Active Directory servers as below.
dc1 Windows 2003, runs DNS, DHCP, global catalog
dc2 Windows 2008 Standard, runs DNS, global catalog (handling FSMO roles)
dc3 Windows 2008 Standard, DNS
dc4 Windows 2012 Standard

I need to migrate my domain level, make the Windows 2012 server the primary (FSMO) and remove the Windows 2003 server. What is the best and recommended way to have a stable Active Directory in my network?
Question by:ITMaster1979

Assisted Solution

Mahesh earned 1000 total points
ID: 40556392
I hope this is 2012 R2 and not 2012.
You can migrate FSMO any time, that's not a problem.

Now as far as upgrading functional level:
1st add one more 2012 \ 2012 R2 DC
Check event 13516 in file replication service events and 1394 under directory services for successful DC promotion
Also check if netlogon and sysvol shares are present on new 2012 DC
Check if all DCs are able to replicate with each other correctly and also check name resolution
Then move FSMO
Change any dns servers specified in DHCP scopes to new 2012 servers
Change any static IP entries pointing to 2003 servers to 2012 DC servers; this is applicable to servers, desktops, network devices, printers and so on.
Then you need to first move DHCP to another server from the existing 2003 DC, then demote the 2003 DC

Then demote 2008 DC
Then raise functional level

Before demoting any DC, ensure that you change the primary DNS to point to the 2012 \ 2012 R2 servers.
As long as your DNS name resolution, AD replication and SYSVOL replication are working correctly, your AD is OK.
Besides that, you may need additional security measures, delegations and policies; you can set those up later, once all your older OS DCs have been demoted and everything from an AD standpoint is working correctly.
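
The checks listed in the answer above, collected into one script. This is an added example, not part of the original post: it assumes it is run in an elevated PowerShell 3.0+ session on the new 2012 DC, that the promotion happened within the last 7 days, and that the session is logged on with a domain account.

```powershell
# Added example (not from the thread): post-promotion checks on the new DC.
$since   = (Get-Date).AddDays(-7)   # assumption: promoted within the last 7 days
$domain  = $env:USERDNSDOMAIN       # assumption: logged on with a domain account
$results = @()

# 1. Events named in the answer: 13516 (FRS) and 1394 (Directory Service)
$wanted = @{ 'File Replication Service' = 13516; 'Directory Service' = 1394 }
foreach ($log in $wanted.Keys) {
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $wanted[$log]; StartTime = $since } `
            -MaxEvents 1 -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "Event $($wanted[$log]) in '$log'"
        Passed = [bool]$ev
        Detail = $(if ($ev) { $ev.TimeCreated } else { 'not logged since ' + $since })
    }
}

# 2. SYSVOL and NETLOGON must both be shared
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "$name share"
        Passed = [bool]$share
        Detail = $(if ($share) { $share.Path } else { 'missing' })
    }
}

# 3. Replication: count links that report failures, across all DCs
$links  = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
$failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
$results += [pscustomobject]@{
    Check  = 'AD replication links'
    Passed = ($failed.Count -eq 0)
    Detail = "$($failed.Count) of $($links.Count) links report failures"
}

# 4. Name resolution: the DC locator SRV records should list every DC
$srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' })
$results += [pscustomobject]@{
    Check  = 'DC locator SRV records'
    Passed = ($srv.Count -gt 0)
    Detail = ($srv.NameTarget | Sort-Object) -join ', '
}

$results | Format-Table -AutoSize
```

Compare the SRV record list against the DCs you expect; a DC missing from it has not registered in DNS even if the other checks pass.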

Accepted Solution

VB ITS earned 1000 total points
ID: 40556950
He does not want to demote the 2008 DC, just the 2003 DC. The Forest and Domain Functional Levels must also be verified beforehand.

Here's what I would do before you introduce the first 2012 DC in your environment:

1. Check current AD Health

Check that your current environment is healthy by following the steps in these articles:
If you find any issues, you can use these articles to troubleshoot them:

- Troubleshoot AD health in Server 2003: http://technet.microsoft.com/en-us/library/cc738415%28v=ws.10%29.aspx
- Troubleshoot AD health in Server 2008: http://technet.microsoft.com/en-us/library/cc949120%28v=ws.10%29.aspx

2. Check Functional Levels

Check to make sure your Domain and Forest Functional Levels are at Windows Server 2003 at a minimum:
- Open Active Directory Users and Computers
- Right click on your domain name on the left pane
- Go down to Properties
- Your Domain and Forest Functional Levels will be displayed in the General tab towards the bottom
If your functional levels are not set to Windows Server 2003 then you'll need to raise them:

- Raising your Domain Functional Level: http://technet.microsoft.com/en-au/library/cc776703%28v=ws.10%29.aspx
- Raising your Forest Functional Level: http://technet.microsoft.com/en-au/library/cc780862%28v=ws.10%29.aspx

3. Introduce First 2012 Domain Controller

Now you're ready to introduce your first 2012 DC into your environment! Please see the below article which has step-by-step instructions to do this. Note that although this is a 2-part article, the second part just really shows you how to promote the 2012 server to a DC using PowerShell instead of the GUI.


You may notice that I have omitted the step to run adprep.exe - this is no longer required starting from Server 2012 as it runs automatically when you install the Active Directory Directory Services role. You can confirm this here: http://technet.microsoft.com/en-us/library/dd464018%28v=ws.10%29.aspx#BKMK_WS2012

4. Transfer FSMO Roles

Once you have verified that your new 2012 DC is functioning properly and your AD environment is healthy, you need to transfer the FSMO roles that may still be on the 2003 DC over to the new 2012 DC. Remember to also make sure your 2003 DC is no longer a Global Catalog server (steps are at the bottom of the below article):


5. Demote 2003 DC

This step is an easy one once you've performed the steps above. Just remember to transfer all FSMO roles over to your other DCs before demoting your 2003 DC.


5. Raise AD Functional Levels (Optional)

Only perform this step if you no longer plan to introduce any further 2003 DCs to your environment. You must only raise your functional levels to the oldest version domain controller on your domain. For example if all your domain controllers are 2012 R2 then you can go all the way to 2012 R2. However if you have a Server 2008 DC then you can only raise the functional level to Windows Server 2008.

Raise Domain Functional Level: http://technet.microsoft.com/en-us/library/cc753104.aspx
Raise Forest Functional Level: http://technet.microsoft.com/en-us/library/cc730985.aspx

If you want to do some reading on functional levels to get a better understanding, please see this article: http://technet.microsoft.com/library/understanding-active-directory-functional-levels%28WS.10%29.aspx

6. Move Roles Off 2003 DC

Self-explanatory step really. If you have specific roles on the old server that you need help with to transfer to your other servers then please let us know what these roles are.

7. Remove Old 2003 Server

After you have moved all the roles off the 2003 server, I would recommend you leave the server on for a few weeks. If no users report any errors, turn off the server and leave it off for a week or so. If you still don't hear anything then it's safe to remove this server from the domain, shut it down and re-purpose it or throw away or recycle it (remember to pull out the hard drives first or perform a military-grade wipe on them).
Hope this helps!

EDIT: Added steps 6 & 7.
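
A read-only report covering the FSMO, Global Catalog and functional-level conditions from the answer above. This is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module is available (for instance on the new 2012 DC) and uses `dc1`, the 2003 DC's name from the question, as the server to be demoted.

```powershell
# Added example (not from the thread): read-only pre-demotion report.
Import-Module ActiveDirectory
$OldDc = 'dc1'   # assumption: the 2003 DC, named as in the question

$dcs = @(Get-ADDomainController -Filter *)
$dcs | Sort-Object Name |
    Format-Table Name, OperatingSystem, IsGlobalCatalog, OperationMasterRoles -AutoSize

# The old DC must hold no FSMO roles and no longer be a Global Catalog
$old = $dcs | Where-Object { $_.Name -eq $OldDc }
if (-not $old) { throw "No domain controller named '$OldDc' was found" }
$blockers = @()
$roles = @($old.OperationMasterRoles)
if ($roles.Count -gt 0) { $blockers += "still holds FSMO roles: $($roles -join ', ')" }
if ($old.IsGlobalCatalog) { $blockers += 'is still a Global Catalog server' }
$otherGc = @($dcs | Where-Object { $_.IsGlobalCatalog -and $_.Name -ne $OldDc })
if ($otherGc.Count -eq 0) { $blockers += 'no other DC is a Global Catalog server' }

# Functional levels: current values, and the ceiling set by the oldest
# DC that remains once $OldDc is gone (OS version major.minor -> level)
$levelByOs = @{ '5.2' = 'Windows Server 2003'
                '6.0' = 'Windows Server 2008'
                '6.1' = 'Windows Server 2008 R2'
                '6.2' = 'Windows Server 2012'
                '6.3' = 'Windows Server 2012 R2' }
$oldest = $dcs | Where-Object { $_.Name -ne $OldDc } |
    Sort-Object { [version]($_.OperatingSystemVersion -split ' ')[0] } |
    Select-Object -First 1
$ceiling = $levelByOs[($oldest.OperatingSystemVersion -split ' ')[0]]

[pscustomobject]@{
    DomainMode       = (Get-ADDomain).DomainMode
    ForestMode       = (Get-ADForest).ForestMode
    OldestRemaining  = "$($oldest.Name) ($($oldest.OperatingSystem))"
    HighestLevel     = $ceiling
    DemotionBlockers = $(if ($blockers) { $blockers -join '; ' } else { 'none' })
} | Format-List
```

With the servers listed in the question, the Server 2008 DCs remain after `dc1` is demoted, so the report should show Windows Server 2008 as the highest level that can be set.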
