Server 2003 and 2012 Domain Controllers Concurrently?

Posted on 2015-02-17
Last Modified: 2015-02-17
Hi,

I am preparing to migrate our Active Directory environment to be hosted on 2012 servers from 2003, and there is lots of information on this process on the internet. It seems easy enough, though not to be taken lightly. But to "cut over" fully, that is to shut down the old 2003 servers and point everything over to the new servers, is a little more involved, i.e. DHCP services as well as pointing all statically configured network devices to the new DC (also DNS) will take longer.

I would prefer to do this in stages, i.e. one week, get a few additional 2012 DCs joined to the domain and replicating Active Directory and DNS services. Run that for a week to suss out any potential issues as well as not having to do too much all at once in one day (recipe for problems in my opinion). Then the next week, spend time migrating the DHCP database to the new DC as well as updating the scope settings to point to the new DCs for DNS resolution. Changing all of the static network devices' DNS settings and then having one of the new DCs take over all FSMO roles.

First and foremost, does this seem like a logical procedure, and am I missing any steps? I am guessing the new DC will pick up and use root hints as opposed to forwarders (which is what I want) from the DNS zone replication data?

Second, will running 2003 with 2012 DCs in tandem for a couple of weeks cause problems, or is it ok?  

Thanks
Question by:CnicNV
5 Comments
LVL 53

Accepted Solution

by: Will Szymkowski (earned 125 total points)
The process I would follow is below...
- Prep your 2003 DCs for 2012 DCs
- Promote the 2012 DCs to domain controllers
- Verify replication is working properly
- Transfer the FSMO roles to one of your new 2012 DCs
- Update your DHCP clients to point to the new 2012 DCs
- Change all of your static IP addresses to point to the new DCs/DNS servers
- Demote your 2003 domain controllers
- Check and validate your replication and ensure the 2003 DCs have been demoted properly
- Migrate your DHCP services to your new DCs

Post migration
- Migrate your SYSVOL Share to DFS-R
https://technet.microsoft.com/fr-ca/library/dd640019%28v=ws.10%29.aspx

Will.
LVL 3

Assisted Solution

by: Matthew Borrusso (earned 125 total points)
Will is right on the money.
The only thing I will add is that when all is said and done, remember to raise the operating level of the forest and domain to the level you need it to be.
Here is all the info you will need for that.

https://msdn.microsoft.com/en-us/library/cc771294.aspx
LVL 32

Assisted Solution

by: it_saige (earned 125 total points)
There are a few potential gotchas. With regards to the promotion of the 2012 servers:

You want to make sure that your current Forest and Domain Functional Levels are set to at least Windows Server 2003:

Understanding Active Directory Domain Services (AD DS) Functional Levels

You also may have to modify the component services on the 2003 DC that you are performing the ADPREP on.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28584877.html#a40514872

Finally, Kerberos authentication can fail intermittently (Microsoft has a hotfix for this issue) -

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx

Other than those that I can think of, the comments by Will and Matthew are spot on.

-saige-
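As an added example (not code from this thread or from any of the posters), here is a read-only PowerShell check script that covers the verification points in Will's list (replication health, FSMO role holders, a DC inventory for the demotion step), the functional-level prerequisite from it_saige's comment, and the forwarders-versus-root-hints question from the original post. It assumes the ActiveDirectory and DnsServer RSAT modules are installed and that it runs as a Domain Admin on a 2012 DC; the DC and domain names are constructed placeholders.

```powershell
# Added example, not from the thread: read-only pre/post checks for a 2003 -> 2012 DC migration.
# Assumes the ActiveDirectory and DnsServer modules are present and the session has Domain Admin rights.
Import-Module ActiveDirectory
Import-Module DnsServer

$NewDc  = 'DC2012-01.contoso.local'   # constructed placeholder: FQDN of the first new 2012 DC
$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Functional levels must be at least Windows Server 2003 before ADPREP / promotion.
$okForest = $forest.ForestMode -ge [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
$okDomain = $domain.DomainMode -ge [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
"Forest level: $($forest.ForestMode) (ok=$okForest); Domain level: $($domain.DomainMode) (ok=$okDomain)"

# 2. Current holders of the five FSMO roles; re-run after the transfer to confirm they moved.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 3. Replication health of the new DC. Any partner with consecutive failures, or no successful
#    replication in the last 24 hours, should be resolved before moving on to the next step.
Get-ADReplicationPartnerMetadata -Target $NewDc -Scope Server |
    Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or
                   $_.LastReplicationSuccess -lt (Get-Date).AddHours(-24) } |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 4. DNS resolver behaviour on the new DC. Forwarders are a per-server setting, not part of the
#    replicated zone data, so each new DC has to be checked individually.
$fwd = Get-DnsServerForwarder -ComputerName $NewDc
$fwdList = if ($fwd.IPAddress) { $fwd.IPAddress -join ', ' } else { '<none configured, root hints in use>' }
"Forwarders on ${NewDc}: $fwdList; UseRootHint=$($fwd.UseRootHint)"

# 5. Inventory of all DCs by operating system, used to confirm every 2003 DC has been demoted at the end.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site |
    Sort-Object OperatingSystem |
    Format-Table -AutoSize
```

Run it once before promoting the first 2012 DC (step 1 is the only part that matters then), and again after each of the later steps so that every change is verified before the next one starts.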
LVL 56

Assisted Solution

by: Cliff Galiher (earned 125 total points)
Will's outline seems accurate. I will add one caveat though. Your initial plan to add 2012 DCs and then wait a week seems a little too cautious. A DC with nothing pointing at it adds no real benefit, and I'm not sure you'd know of any significant problems because nothing is trying to use it. 24 hours is all it should take to see any replication issues, so that additional 6 days just seems like idle time.

Author Closing Comment

by: CnicNV
Ok thanks everyone for the feedback.  It gives me more confidence going into this, I appreciate it :-)