Solved

Server 2003 and 2012 Domain Controllers Concurrently?

Posted on 2015-02-17
5
314 Views
Last Modified: 2015-02-17
Hi,

I am preparing to migrate our Active Directory environment to be hosted on 2012 servers from 2003, and there is lots of information on this process on the internet. It seems easy enough, though not to be taken lightly. But to "cut over" fully, that is, to shut down the old 2003 servers and point everything over to the new servers, is a little more involved. I.e. DHCP services, as well as pointing all statically configured network devices to the new DC (also DNS), will take longer.

I would prefer to do this in stages, i.e. one week, get a few additional 2012 DCs joined to the domain and replicating Active Directory and DNS services. Run that for a week to suss out any potential issues, as well as not having to do too much all at once in one day (recipe for problems in my opinion). Then the next week, spend time migrating the DHCP database to the new DC as well as updating the scope settings to point to the new DCs for DNS resolution. Changing all of the static network devices' DNS settings and then having one of the new DCs take over all FSMO roles.

First and foremost, does this seem like a logical procedure, and am I missing any steps? I am guessing the new DC will pick up the use of root hints as opposed to forwarders (which is what I want) from the DNS zone replication data?

Second, will running 2003 with 2012 DCs in tandem for a couple of weeks cause problems, or is it ok?

Thanks
0
Question by:CnicNV
5 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 125 total points
ID: 40614755
The process I would follow is below...
- Prep your 2003 DCs for 2012 DCs
- Promote the 2012 DCs to domain controllers
- Verify replication is working properly
- Transfer the FSMO roles to one of your new 2012 DCs
- Update your DHCP clients to point to the new 2012 DCs
- Change all of your static IP addresses to point to the new DCs/DNS servers
- Demote your 2003 domain controllers
- Check and validate your replication and ensure the 2003 DCs have been demoted properly
- Migrate your DHCP services to your new DCs

Post migration
- Migrate your SYSVOL Share to DFS-R
https://technet.microsoft.com/fr-ca/library/dd640019%28v=ws.10%29.aspx

Will.
0
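The middle of Will's list (verify replication, transfer the FSMO roles, confirm the transfer, move DHCP) is the part that is easy to get half-done. The script below is an added example, not Will's code or anything from the thread; it runs from one of the new 2012 DCs, because the ActiveDirectory PowerShell module does not exist on Server 2003. The hostnames DC2012-01, DC2003-01 and DC2003-02 are assumed placeholders.

```powershell
# Added example: pre-cutover checks and FSMO transfer for a 2003 -> 2012 migration.
# Run on a 2012 DC. Hostnames below are assumed placeholders, not real servers.
Import-Module ActiveDirectory

$NewDc  = 'DC2012-01'                    # assumed: the 2012 DC that will hold all FSMO roles
$OldDcs = @('DC2003-01', 'DC2003-02')    # assumed: the 2003 DCs that will be demoted later

# --- Verify replication before moving anything --------------------------------
# Get-ADReplicationFailure reports the last failed replication attempts per DC.
# Any entry here means stop and fix replication first.
$failures = Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
    throw 'Replication failures present; fix these before transferring FSMO roles.'
}
# repadmin gives the same picture and also runs against the 2003 DCs.
repadmin /replsummary
repadmin /showrepl $NewDc

# --- Record the current FSMO holders (two forest roles, three domain roles) ----
$forest = Get-ADForest
$domain = Get-ADDomain
'FSMO holders before transfer:'
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# --- Transfer (not seize) all five roles to the 2012 DC -----------------------
# A transfer needs the current holder online, which is the normal case in a
# planned migration. Seizing is only for a holder that is permanently gone,
# and a seized role's old holder must never come back online.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# --- Confirm every role now sits on the 2012 DC -------------------------------
$forest  = Get-ADForest
$domain  = Get-ADDomain
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
$elsewhere = $holders | Where-Object { $_ -notlike "$NewDc*" }
if ($elsewhere) { throw "Roles still held elsewhere: $($elsewhere -join ', ')" }
"All FSMO roles are now on $NewDc"

# --- DHCP: what the scopes hand out for DNS (option 6) ------------------------
# Before demoting the 2003 DCs, no scope should still point clients at them.
# This queries a 2012 DHCP server; on a 2003 DHCP server the equivalent is
#   netsh dhcp server \\DC2003-01 show optionvalue
Get-DhcpServerv4Scope | ForEach-Object {
    $dns = (Get-DhcpServerv4OptionValue -ScopeId $_.ScopeId -OptionId 6 -ErrorAction SilentlyContinue).Value
    [pscustomobject]@{ Scope = $_.ScopeId; DnsServers = ($dns -join ', ') }
}

# --- DHCP database move (last step in Will's order) ---------------------------
# netsh export/import carries scopes, reservations and leases from 2003 to 2012.
# Install and authorize the DHCP role on the 2012 DC first, then:
#   on DC2003-01 : netsh dhcp server export C:\dhcp-export.txt all
#   on DC2012-01 : netsh dhcp server import C:\dhcp-export.txt all
```

The ordering matters: the replication check comes first because a FSMO transfer that is not replicated to every DC leaves two DCs believing they own a role, and the holder check after the transfer catches a partial move (the cmdlet moves the roles one at a time, so a failure halfway through is possible).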
 
LVL 3

Assisted Solution

by:Matthew Borrusso
Matthew Borrusso earned 125 total points
ID: 40614767
Will is right on the money.
The only thing I will add is that when all is said and done, to remember to raise the operating level of the forest and domain to the level you need it to be.
Here is all the info you will need for that.

https://msdn.microsoft.com/en-us/library/cc771294.aspx
0
 
LVL 34

Assisted Solution

by:it_saige
it_saige earned 125 total points
ID: 40614893
There are a few potential gotchas. With regards to the promotion of the 2012 servers:

You want to make sure that your current Forest and Domain Functional Levels are set to at least Windows Server 2003:

Understanding Active Directory Domain Services (AD DS) Functional Levels

You also may have to modify the component services on the 2003 DC that you are performing the ADPREP on.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28584877.html#a40514872

Finally, Kerberos authentication can fail intermittently (Microsoft has a hotfix for this issue) -

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx

Other than those that I can think of, the comments by Will and Matthew are spot on.

-saige-
0
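it_saige's first gotcha (forest and domain functional levels must already be at least Windows Server 2003 before a 2012 DC can be promoted) and Matthew's post-migration step (raise the levels once the 2003 DCs are gone) are two sides of the same check. The script below is an added example, not code from either of them; it runs from a 2012 DC with the ActiveDirectory module, and the target level name is an assumption you adjust to your forest.

```powershell
# Added example: functional-level check before promoting 2012 DCs, and a guarded
# raise of the levels after the 2003 DCs have been demoted. Not from the thread.
Import-Module ActiveDirectory

function Test-MinimumFunctionalLevel {
    # Both levels must be at least Windows Server 2003 before 2012 DCs can join.
    # The ADForestMode/ADDomainMode enums follow msDS-Behavior-Version
    # (2 = 2003, 3 = 2008, 4 = 2008 R2, 5 = 2012), so an integer compare works.
    $forest    = Get-ADForest
    $domain    = Get-ADDomain
    $minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $minDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    [pscustomobject]@{
        ForestMode = $forest.ForestMode
        DomainMode = $domain.DomainMode
        Ready      = ([int]$forest.ForestMode -ge $minForest) -and
                     ([int]$domain.DomainMode -ge $minDomain)
    }
}

function Invoke-RaiseFunctionalLevel {
    # $TargetLevel is an assumed default; use 'Windows2012R2' on an R2 forest.
    param([string]$TargetLevel = 'Windows2012')

    # Raising is one-way. A DC older than the target that is still in the
    # forest stops replicating once the level goes up, so refuse while any
    # such DC exists. The OS-name match is a deliberate simple guard.
    $old = Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -notmatch '2012' }
    if ($old) {
        throw "Demote these DCs before raising the level: $($old.HostName -join ', ')"
    }

    # Domain first, then forest: the forest level can never exceed the lowest
    # domain level in the forest.
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode ($TargetLevel + 'Domain') -Confirm:$false
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode ($TargetLevel + 'Forest') -Confirm:$false
    Test-MinimumFunctionalLevel
}

# Pre-promotion: Ready must be $true before the first 2012 DC is promoted.
Test-MinimumFunctionalLevel

# Post-migration, only after every 2003 DC has been demoted and replication verified:
# Invoke-RaiseFunctionalLevel
```

The guard in Invoke-RaiseFunctionalLevel is the point of the example: the raise itself is two cmdlets, but nothing in them checks whether an old DC is still hiding in a remote site, and that is the mistake that is hardest to undo.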
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 40615108
Will's outline seems accurate. I will add one caveat though. Your initial plan to add 2012 DCs and then wait a week seems a little too cautious. A DC with nothing pointing at it adds no real benefit, and I'm not sure you'd know of any significant problems because nothing is trying to use it. 24 hours is all it should take to see any replication issues, so that additional 6 days just seems like idle time.
0
 

Author Closing Comment

by:CnicNV
ID: 40615190
Ok thanks everyone for the feedback.  It gives me more confidence going into this, I appreciate it :-)
0
