Solved

Getting started with moving to a new Active Directory / Domain Controller setup

Posted on 2016-11-03
Last Modified: 2016-11-10
We have a mix of Windows 2012 and 2003 servers acting as domain controllers. We are about to kick off a project to replace this with a fresh-start AD on 2012 servers only.

We're thinking of running the new AD in parallel with the existing one and migrating objects over to reduce risk and downtime. Is this a good idea? Are there any project plans out there that might highlight risks and best practices we should be following?

Our organisation is set up as follows:

site
Question by:canuckconsulting
9 Comments
 
LVL 7

Expert Comment

by:No More
ID: 41872441
A few points:

1. I'm hoping that you are talking about Windows Server 2012 R2.

2. With fewer than 200 users, I would rather do a complete fresh start than migrate, to avoid possible problems after migration.

3. Any Hyper-V servers or VMware?
0
 

Author Comment

by:canuckconsulting
ID: 41872456
Thanks for the reply, David.

Yes, all Windows Server 2012 R2. We have a number of VMware VMs but no Hyper-V.

I like the fresh start suggestion. In fact I misspoke in my initial post. We were going to create a separate AD and manually recreate the required objects in it whilst running the existing AD in parallel. I should not have used the word "migrate".
0
 
LVL 7

Expert Comment

by:No More
ID: 41872468
You have a clear idea. Good luck.
0
Author Comment

by:canuckconsulting
ID: 41872484
I'm afraid I don't have anything close to a clear idea beyond what I've typed above :).

I'm looking for best practices on setting up security, organizing objects, etc. Even an existing project plan to reference would give us a leg up to start building around.
0
 
LVL 7

Accepted Solution

by: No More (earned 1000 total points)
ID: 41872553
Well, you have to write down the whole list of servers, their roles etc., in detail.

You need to collect a list of users and groups and prepare PowerShell scripts to deploy them to the new domain.

Roaming profiles, home folders, Group Policy in place.

Now VPN connections between sites - security level.

Client VPN, if to Azure or another third party (SonicWall, Juniper).

Optionally: demote/remove the old 2003 DCs, raise the forest/domain level and add the new Windows 2012 R2 server VMs.

Security: RODC in the DMZ for VPN users, and NPS policies in place.

Possible problems with doing a completely fresh start:

1. Office 365 might have issues with the different SIDs of users in case there is Azure AD Connect/DirSync in place.

2. You will need to unjoin and rejoin computers to the new domain.

3. Without a plan, things can go downhill; plan everything before any changes.


I am actually afraid there aren't any existing projects available, as every project is specific to a company's needs, and I'm not sure anybody would share any of these because of privacy policies etc.
0
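The "collect a list of users and groups and prepare PowerShell scripts" step from the accepted solution, written out as an added example (not the poster's code): it inventories enabled users, security groups and their memberships in the old domain and recreates them in the new one. It assumes the RSAT ActiveDirectory module; the DC names, the target OU and the newdomain.com UPN suffix are placeholders.

```powershell
# Added example, not from the thread: inventory users, security groups and group
# memberships in the old domain, then recreate them in the new one. Assumptions
# (all placeholders): RSAT ActiveDirectory module, OLD-DC01 / NEW-DC01 as DCs,
# an OU=Migrated target OU and newdomain.com as the new UPN suffix.
Import-Module ActiveDirectory
$OldDC     = 'OLD-DC01.domain.com'             # placeholder: DC in the old forest
$NewDC     = 'NEW-DC01.newdomain.com'          # placeholder: DC in the new forest
$NewOU     = 'OU=Migrated,DC=newdomain,DC=com' # placeholder: target OU
$UpnSuffix = 'newdomain.com'
$Export    = 'C:\ADMigration'
New-Item -ItemType Directory -Path $Export -Force | Out-Null
# 1. Inventory. isCriticalSystemObject skips built-ins (Administrator, krbtgt,
#    Domain Users ...) that already exist in the new domain and must not be cloned.
Get-ADUser -Server $OldDC -Filter 'Enabled -eq $true' `
    -Properties GivenName,Surname,DisplayName,HomeDirectory,ProfilePath,isCriticalSystemObject |
    Where-Object { -not $_.isCriticalSystemObject } |
    Select-Object SamAccountName,GivenName,Surname,DisplayName,HomeDirectory,ProfilePath |
    Export-Csv "$Export\users.csv" -NoTypeInformation
$groups = Get-ADGroup -Server $OldDC -Filter 'GroupCategory -eq "Security"' `
    -Properties isCriticalSystemObject | Where-Object { -not $_.isCriticalSystemObject }
$groups | Select-Object SamAccountName,GroupScope | Export-Csv "$Export\groups.csv" -NoTypeInformation
# Group -> user pairs, so the memberships that ACLs depend on survive the rebuild.
$groups | ForEach-Object {
    $g = $_.SamAccountName
    Get-ADGroupMember -Server $OldDC -Identity $_ | Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName } }
} | Export-Csv "$Export\members.csv" -NoTypeInformation

# 2. Recreate in the new domain (add -WhatIf to the New-*/Add-* calls for a dry run).
#    Passwords cannot be exported: every user gets a random one-time password.
Import-Csv "$Export\groups.csv" | ForEach-Object {
    New-ADGroup -Server $NewDC -Path $NewOU -Name $_.SamAccountName `
        -SamAccountName $_.SamAccountName -GroupCategory Security -GroupScope $_.GroupScope
}
Import-Csv "$Export\users.csv" | ForEach-Object {
    $u = @{
        Name = $_.SamAccountName; SamAccountName = $_.SamAccountName
        UserPrincipalName = "$($_.SamAccountName)@$UpnSuffix"
        AccountPassword = (ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force)
        ChangePasswordAtLogon = $true; Enabled = $true
    }
    # Only pass optional attributes that are non-empty; blanks would be rejected.
    foreach ($p in 'GivenName','Surname','DisplayName') { if ($_.$p) { $u[$p] = $_.$p } }
    New-ADUser -Server $NewDC -Path $NewOU @u
}
Import-Csv "$Export\members.csv" | ForEach-Object {
    Add-ADGroupMember -Server $NewDC -Identity $_.Group -Members $_.Member
}
```

The recreated accounts get new SIDs, so the Azure AD Connect/DirSync caveat in the post still applies, and file-share ACLs that reference old-domain groups have to be re-permissioned against the new groups once they exist.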
 
LVL 31

Assisted Solution

by:masnrock
masnrock earned 500 total points
ID: 41872625
Definitely go with the new domain entirely. David Fiala has given a lot of great tips.

Keeping things running in parallel is okay, but don't let it go on indefinitely. I've seen a number of companies and consultants leave old servers running for long periods of time, in some cases exceeding a year.

From the workstation end, I've used ForensIT User Profile Wizard for migrating users' profiles. That saved a lot of headaches.

As for best practices, you really should be going based on the company's requirements (regulations to be followed, etc.). For example, I work for a consumer products company that has to deal with HIPAA, SOX, and PCI compliance on the corporate end. But also, a lot of the functions here are very collaborative across business units, unlike most companies where most projects and functions can be more in silos. On top of that, systems are going to be a major thing that affects how things are handled as well. What type of company are we talking about here, and about what size is it?

Like David has mentioned, you need to carefully review what exists, and then plan appropriately. For example, you might want to fix a large number of things, but time will not allow you to do so. And you need to be sure what the side effects might be.
0
 
LVL 6

Assisted Solution

by:sAMAccountName
sAMAccountName earned 500 total points
ID: 41873117
My first question is why you are abandoning the original directory? Are there things which have eroded the trust you have in it? Is it broken to a degree that it's beyond recovery? Is it simply a notion that new is good?

If you are set on creating a new directory in parallel and manually migrating to it, it's been done a thousand times with success, but don't convince yourself it will be a walk in the park.

There will be disruptions. At some point in the process, the two domains will exist simultaneously, with users and resources split between them. Unless you can send everyone home and shut the business down when you start, with the expectation they don't come back until it's done, you will have to overcome objects in two distinct domains with a security boundary between them trying to get to each other. Do you create a trust? Do you move everything at once? How can you approach this? During this time DNS will cause problems. ACLs will cause problems. Identities will cause problems. All of these can be overcome, but you have to be keenly aware of what is happening.

Consider this: John has been working for years in domain.com with no problems at all. He has a home directory and access to shared files and resources which he needs to collaborate with others. On Monday, he comes in and you hand him a sheet of paper that says your new login is newdomain\john. He logs in fine, but when he tries to collaborate with people, things start going wrong - fast. Some of John's resources and files are still in domain.com. Some are in newdomain.com. How does John bridge that gap? Will he be able to access shares he could previously access? Did the groups he was a member of get migrated, and did all the ACLs where that group was used get updated? Are his printers in the same domain? Does his email route the same way? These are some examples of the kinds of problems you need to prepare for. There's a ton of resources out there that outline what you need to do. Don't take this lightly, even with a small directory.

There's a ton of articles with specific guidance in the googles:
Parallel AD migration (Google search)

I don't want to sound all doom and gloom, because what you want to do is very doable, but I do want to point out there are sharp corners that will make this journey memorable.

Plan well, set expectations and then execute with deliberate precision.
0
 
LVL 7

Expert Comment

by:Niten Kumar
ID: 41873870
If you only want to upgrade your DCs, then why don't you go through the normal process of adprep, install and promote 2K12 R2 DCs, and demote the 2K3 DCs?
0
 

Author Comment

by:canuckconsulting
ID: 41879526
Thank you all for the advice. Sorry for the late reply!
0
