Active Directory Upgrade!

Hello experts,

I’m planning an Active Directory upgrade of my root and child Windows 2003 domains to Windows 2012 R2. I’m trying to find a step-by-step guide that will assist me in my endeavor. I’ve searched the web but haven’t been able to find anything that I can follow word for word. Because I have two domains, I’m a bit concerned about the order in which DCs should be added, promoted, etc. Thanks in advance for any help provided.
Asked by: CNBELGIN

Will Szymkowski, Senior Solution Architect, commented:
The process is relatively the same; however, you need to make sure that your Root and Child domains are both at the 2003 Domain Functional Level and that the Forest functional level is also 2003.

When you are proceeding, you should start with the Root domain first and then move on to your child domain. Once you have the 2012 DCs in both Root and child domains, you can transfer the roles to the 2012 DC (also DHCP and any other roles that the 2003 DC might hold). From that point you simply demote your 2003 DC in both the Child and Root domains.

Once all of the 2003 DCs are removed from both root and child domains, you can then raise the domain/forest functional level.

Will.
CNBELGIN (author) commented:
Hello Will,

Thanks for your response. All domains and the forest are 2003 native.

Just a few questions:

1. After the upgrade, how long can 2003 DCs remain in AD?
2. After 2012 DCs have been added, do all AD changes have to be made from the new DCs?
3. Should I leave all 2003 DCs in place, including the root DCs, until all 2012 DCs have been added to both root and child?
Sandeshdubey, Senior Server Engineer, commented:
In addition, do you have Exchange Server 2003 in the environment? To introduce a Windows Server 2012 DC in an existing domain, you need to first migrate Exchange 2003 to Exchange 2007 or Exchange 2010/13 on a member server (Win2008/R2/2012). If you are planning an MS Exchange 2013 deployment, then the upgrade path will be Exch2003 to Exch2007/2010 and then to Exch2013.

Introducing the first Windows Server 2012 Domain Controller
http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx
http://markswinkels.nl/2012/06/how-to-install-a-domain-controller-in-windows-server-2012/

Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

Configuring the time service on the PDC Emulator FSMO role holder
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

Change all of the clients (and the new 2012 DC itself) to point to the 2008 DC for their preferred DNS server; this may be in DHCP options or the TCP/IP settings.
 
If you are planning to remove the Win2003 DC, the links below will be helpful.
http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx (how to demote a DC)
http://technet.microsoft.com/en-us/library/cc755937(WS.10).aspx (how to decommission a DC)
http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx (how to remove a DC from a domain)


Will Szymkowski, Senior Solution Architect, commented:
Answers to your questions are below...
1. After the upgrade, how long can 2003 DCs remain in AD?
The 2003 DCs can be in the environment as long as you need. The DCs will continue to operate normally. However, it is best to clean up/demote the 2003 DCs as soon as you can, as the support is coming to an end.

2. After 2012 DCs have been added, do all AD changes have to be made from the new DCs?
This really all depends on what you are doing in AD. Typically the 2012 DC will act as a 2003 DC, as there are no added features with 2012 because the functional level has not been raised yet. However, if you want to apply Group Policy Preferences, for example, this is not present in the 2003 interface, but it is when you are using GPMC.msc on 2012. However, the PDC roles should be on one of the 2012 servers before you start using GPOs that are specific to 2012 DCs.

3. Should I leave all 2003 DCs in place, including the root DCs, until all 2012 DCs have been added to both root and child?
I personally would just add all of the 2012 DCs first to both child and root domains, and then once replication is good and you have pointed DNS to the servers and clients, you can start demoting 2003 DCs.

Also make sure that you transfer the FSMO roles as a first step to a 2012 DC that you promote. This is one of the most important steps, so get it out of the way first.

Will.
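
A read-only readiness check for the sequence described in this thread, added here as an example and not posted by any participant: it lists every DC in the root and child domains, reports the forest functional level, and shows which FSMO roles still sit on a Windows Server 2003 DC. It assumes the ActiveDirectory PowerShell module on a 2012 R2 host with rights to query both domains; the function name `Get-UpgradeReadiness` is hypothetical.

```powershell
# Added example: queries only, changes nothing in the directory.
Import-Module ActiveDirectory

function Get-UpgradeReadiness {
    $forest = Get-ADForest

    # Forest-wide FSMO roles are held in the root domain.
    $roles = @(
        [pscustomobject]@{ Scope = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )

    $dcs = @()
    foreach ($name in $forest.Domains) {            # root and child domains
        $domain = Get-ADDomain -Server $name
        # Each domain has its own PDC emulator, RID master and infrastructure master.
        foreach ($r in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $roles += [pscustomobject]@{ Scope = $name; Role = $r; Holder = $domain.$r }
        }
        $dcs += Get-ADDomainController -Filter * -Server $name |
            Select-Object HostName, Domain, OperatingSystem, IsGlobalCatalog
    }

    # DCs still running Windows Server 2003 are the ones to be demoted.
    $legacy = @($dcs | Where-Object { $_.OperatingSystem -like '*2003*' })

    # Mark each role whose current holder is one of those legacy DCs.
    foreach ($role in $roles) {
        $onLegacy = $legacy.HostName -contains $role.Holder
        $role | Add-Member -NotePropertyName OnLegacyDC -NotePropertyValue $onLegacy
    }

    [pscustomobject]@{
        ForestMode            = $forest.ForestMode
        DomainControllers     = $dcs
        LegacyDCs             = $legacy
        FsmoRoles             = $roles
        RolesBlockingDemotion = @($roles | Where-Object OnLegacyDC)
    }
}

$report = Get-UpgradeReadiness
$report.DomainControllers     | Format-Table -AutoSize
$report.RolesBlockingDemotion | Format-Table -AutoSize
```

Demote a 2003 DC only when `RolesBlockingDemotion` is empty and `repadmin /replsummary` shows no replication failures. Roles that are still listed can be moved to a 2012 DC with `Move-ADDirectoryServerOperationMasterRole`.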
CNBELGIN (author) commented:
Thanks Guys,

This is really helpful stuff.

Should I have any encryption concerns as it relates to this upgrade?
CNBELGIN (author) commented:
Hello All,

So I built a test environment to test my AD upgrade. All went well except for the following.

1. When I added my first child DC, I could not install DNS fully until I promoted the server and restarted it. Why is this?
2. After demoting my root 2003 DC, the DNS forward lookup zone was also deleted from the newly added 2012 root DC. What steps did I miss here?

Thanks Guys,
compdigit44 commented:
1) Even though the article is referring to Windows 2008, this article should be very similar to what you are describing.
https://support.microsoft.com/en-us/kb/2002584

2) I believe when you demote a DC it gives you the option to remove the GC and DNS roles if present? Did you have DNS selected? Are you using AD integrated zones?
CNBELGIN (author) commented:
I'm testing this again. I know about the option to remove GC but not DNS. Yes, the zones are AD integrated.