Getting started with moving to a new Active Directory / Domain Controller setup

We have a mix of Windows 2012 and 2003 servers acting as domain controllers.  We are about to kick off a project to replace this with a fresh start AD on only 2012 server.

We're thinking of running the new AD in parallel with the existing one and migrating objects over to reduce risk and downtime. Is this a good idea? Are there any project plans out there that might highlight risks and best practices we should be following?

Our organisation is set up as follows:

No MoreCommented:
Well, you have to write down the whole list of servers, their roles etc., in detail.

You need to collect the list of users and groups and prepare PowerShell scripts for deployment to the new domain.

Roaming profiles, home folders, Group Policy in place.

Now VPN connections between sites - security level.

Client VPN, if to Azure or other third party (SonicWall, Juniper).

Optionally: demote / remove old 2003 DCs, raise the forest/domain level and add new Windows 2012 R2 server VMs.

Security: RODC in the DMZ for VPN users, and NPS policies in place.

Possible problems by doing a completely fresh start:

1. Office 365 might have issues with different SIDs of users in case there is Azure AD Connect / DirSync in place.

2. You will need to unjoin and rejoin computers to the new domain.

3. Without a plan, things can go downhill; plan everything before any changes.

I am actually afraid there aren't any existing projects available, as every project is specific to a different company's needs, and I'm not sure if anybody would share any of these, because of privacy policy etc.
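The inventory step recommended above (users, groups, home folders, roaming profiles), as an added PowerShell example that is not part of the thread. It assumes the RSAT ActiveDirectory module; the DC name and output folder are placeholders.

```powershell
# Added example: inventory the old domain's users, groups and group memberships into CSV
# files that the new-domain build scripts can consume. Placeholders: $Server and $OutDir.
Import-Module ActiveDirectory

$Server = 'dc01.olddomain.local'      # placeholder: any DC of the domain being retired
$OutDir = 'C:\ADInventory'            # placeholder output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Users: the attributes the thread calls out (home folders, roaming profiles) plus the SID,
# because SID-based ACLs and Azure AD Connect matching will not carry over to a new forest.
Get-ADUser -Server $Server -Filter * -Properties DisplayName, UserPrincipalName, Enabled,
    HomeDirectory, HomeDrive, ProfilePath, ScriptPath, Description, Department, LastLogonDate |
  Select-Object SamAccountName, DisplayName, UserPrincipalName, Enabled, HomeDirectory, HomeDrive,
    ProfilePath, ScriptPath, Description, Department, LastLogonDate, DistinguishedName,
    @{n='SID'; e={$_.SID.Value}} |
  Export-Csv -Path (Join-Path $OutDir 'users.csv') -NoTypeInformation -Encoding UTF8

# Groups: scope and category matter when recreating them (a domain local group cannot
# be nested the same way a global group can).
Get-ADGroup -Server $Server -Filter * -Properties Description, ManagedBy |
  Select-Object SamAccountName, Name, GroupScope, GroupCategory, Description, ManagedBy,
    DistinguishedName, @{n='SID'; e={$_.SID.Value}} |
  Export-Csv -Path (Join-Path $OutDir 'groups.csv') -NoTypeInformation -Encoding UTF8

# Memberships: one row per (group, member). Direct members only, so nesting is preserved
# as a relationship rather than flattened away.
Get-ADGroup -Server $Server -Filter * | ForEach-Object {
  $g = $_
  Get-ADGroupMember -Server $Server -Identity $g.DistinguishedName -ErrorAction SilentlyContinue |
    ForEach-Object {
      [pscustomobject]@{
        Group       = $g.SamAccountName
        Member      = $_.SamAccountName
        MemberClass = $_.objectClass
      }
    }
} | Export-Csv -Path (Join-Path $OutDir 'memberships.csv') -NoTypeInformation -Encoding UTF8

# Review aid: disabled accounts and accounts that never logged on are candidates
# for not being recreated in the new domain at all.
Import-Csv (Join-Path $OutDir 'users.csv') |
  Where-Object { $_.Enabled -eq 'False' -or [string]::IsNullOrEmpty($_.LastLogonDate) } |
  Export-Csv -Path (Join-Path $OutDir 'users-review.csv') -NoTypeInformation -Encoding UTF8
```

The three CSVs give you a reviewable list to recreate from (with New-ADUser, New-ADGroup and Add-ADGroupMember) rather than copying the directory wholesale.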
No MoreCommented:
A few points:

1, I'm hoping that you are talking about Windows Server 2012 R2

2, Less than 200 users: I would rather do a complete fresh start than migrate, to avoid possible problems after migration.

3, Any Hyper-v server or Vmware ?
canuckconsultingAuthor Commented:
Thanks for the reply David.

Yes, all Windows Server 2012 R2.  We have a number of VMware VMs but no Hyper-V.

I like the fresh start suggestion.  In fact I misspoke in my initial post.  We were going to create a separate AD and manually recreate required objects in it whilst running the existing AD in parallel.   I should not have used the word "migrate".
No MoreCommented:
You have a clear idea. Good luck.
canuckconsultingAuthor Commented:
I'm afraid I don't have anything close to a clear idea beyond what I've typed above :).

I'm looking for best practices on setting up security, organizing objects, etc.  Even an existing project plan to reference would give us the leg up to start building around.
Definitely go with the new domain entirely. David Fiala has given a lot of great tips.

Keeping things running in parallel is okay, but don't let it go on indefinitely. I've seen a number of companies and consultants leave old servers running for long periods of time, in some cases exceeding a year.

From the workstation end, I've used ForensIT User Profile Wizard for migrating users' profiles. That saved a lot of headaches.

As for best practices, you really should be going based on the company's requirements (regulations to be followed, etc). For example, I work for a consumer products company that has to deal with HIPAA, SOX, and PCI compliance on the corporate end. But also, a lot of the functions here are very collaborative across business units unlike most companies where most projects and functions can be more in silos. On top of that, systems are going to be a major thing that affect how things are handled as well. What type of company are we talking about here, and about what size is it?

Like David has mentioned, you need to carefully review what exists, and then plan appropriately. For example, you might want to fix a large number of things, but time will not allow you to do so. And you need to be sure what the side effects might be.
sAMAccountNameSr. Systems EngineerCommented:
My first question is why you are abandoning the original directory?  Are there things which have eroded the trust you have in it?  Is it broken to a degree that it's beyond recovery?  Is it simply a notion that new is good?

If you are set on creating a new directory in parallel and manually migrating to it, it's been done a thousand times with success, but don't convince yourself it will be a walk in the park.

There will be disruptions.  At some point in the process, the two domains will exist simultaneously, with users and resources split between them.  Unless you can send everyone home and shut the business down when you start, with the expectation they don't come back until it's done, you will have to overcome objects in two distinct domains with a security boundary between them trying to get to each other.  Do you create a trust?  Do you move everything at once?  How can you approach this?  During this time DNS will cause problems.  ACLs will cause problems.  Identities will cause problems.  All of these can be overcome, but you have to be keenly aware of what is happening.

Consider this:  John has been working for years in with no problems at all.  He has a home directory and access to shared files and resources which he needs to collaborate with others.  On Monday, he comes in and you hand him a sheet of paper that says your new login is newdomain\john.  He logs in fine, but when he tries to collaborate with people, things start going wrong - fast.  Some of John's resources and files are still in  Some are in  How does John bridge that gap?  Will he be able to access shares he could previously access?  Did the groups he was a member of get migrated, and all the ACLs where that group was used get updated?  Are his printers in the same domain?  Does his email route the same way?  These are some examples of the kinds of problems you need to prepare for.  There's a ton of resources out there that outline what you need to do.  Don't take this lightly, even with a small directory.

There's a ton of articles with specific guidance in the googles:
Parallel AD migration (Google search)

I don't want to sound all doom and gloom, because what you want to do is very doable, but I do want to point out there are sharp corners that will make this journey memorable.

Plan well, set expectations and then execute with deliberate precision.
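The "did all the ACLs where that group was used get updated?" question above is answerable before cutover. The following is an added PowerShell example, not part of the thread, that inventories explicit NTFS ACEs on a share tree and flags those that reference the old domain or SIDs that no longer resolve; the share path, domain name and report path are placeholders.

```powershell
# Added example: find every explicit NTFS ACE under a share that references the domain being
# retired (or an already-orphaned SID), so the groups behind them can be recreated and the
# ACLs re-applied in the new domain. Placeholders: $ShareRoot, $OldDomain, $Report.
$ShareRoot = 'D:\Shares'          # placeholder: a share on a server being moved
$OldDomain = 'OLDDOMAIN'          # placeholder: NetBIOS name of the domain being retired
$Report    = 'C:\ADInventory\acl-report.csv'

$builtin = @('BUILTIN', 'NT AUTHORITY', 'CREATOR OWNER', 'NT SERVICE')

$rows = Get-ChildItem -Path $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $dir = $_.FullName
    try { $acl = Get-Acl -LiteralPath $dir } catch { return }
    foreach ($ace in $acl.Access) {
      if ($ace.IsInherited) { continue }            # only explicit ACEs need re-applying
      $id = $ace.IdentityReference.Value
      $kind = if ($id -like "$OldDomain\*")        { 'OldDomain' }
              elseif ($id -match '^S-1-5-21-')     { 'OrphanedSID' }   # no longer resolvable
              elseif (($id -split '\\')[0] -in $builtin -or $id -notmatch '\\') { 'Local/Builtin' }
              else                                 { 'Other' }
      [pscustomobject]@{
        Path     = $dir
        Identity = $id
        Kind     = $kind
        Rights   = $ace.FileSystemRights.ToString()
        Type     = $ace.AccessControlType.ToString()
      }
    }
  }

$rows | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

# Summary: the distinct old-domain principals are exactly the users and groups that must
# exist in the new domain before these ACLs can be rewritten.
$rows | Where-Object Kind -eq 'OldDomain' |
  Group-Object Identity | Sort-Object Count -Descending |
  Select-Object Name, Count | Format-Table -AutoSize
```

Run it against each file server before the cutover; a non-empty OrphanedSID count means the old directory already has ACEs pointing at deleted principals, which is worth cleaning up rather than carrying across.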
Niten KumarPrincipal Systems AdministratorCommented:
If you only want to upgrade your DCs then why don't you go through the normal process of adprep, install and promote 2K12 R2 DCs and demote the 2K3 DCs.
canuckconsultingAuthor Commented:
Thank you all for the advice.  Sorry for the late reply!