Solved

Getting started with moving to a new Active Directory / Domain Controller setup

Posted on 2016-11-03
Last Modified: 2016-11-10
We have a mix of Windows 2012 and 2003 servers acting as domain controllers. We are about to kick off a project to replace this with a fresh-start AD on 2012 servers only.

We're thinking of running the new AD in parallel with the existing one and migrating objects over to reduce risk and downtime. Is this a good idea? Are there any project plans out there that might highlight risks and best practices we should be following?

Our organisation is set up as follows:

Question by:canuckconsulting

Expert Comment

by:No More
ID: 41872441
A few points:

1. I'm hoping that you are talking about Windows Server 2012 R2.

2. With less than 200 users, I would rather do a complete fresh start than migrate, to avoid possible problems after migration.

3. Any Hyper-V server or VMware?

Author Comment

by:canuckconsulting
ID: 41872456
Thanks for the reply David.

Yes, all Windows Server 2012 R2. We have a number of VMware VMs but no Hyper-V.

I like the fresh start suggestion.  In fact I misspoke in my initial post.  We were going to create a separate AD and manually recreate required objects in it whilst running the existing AD in parallel.   I should not have used the word "migrate".

Expert Comment

by:No More
ID: 41872468
You have a clear idea. Good luck.

Author Comment

by:canuckconsulting
ID: 41872484
I'm afraid I don't have anything close to a clear idea beyond what I've typed above :).

I'm looking for best practices on setting up security, organizing objects, etc.  Even an existing project plan to reference would give us the leg up to start building around.

Accepted Solution

by:No More (earned 250 total points)
ID: 41872553
Well, you have to write down the whole list of servers, their roles etc., in detail.

You need to collect the list of users and groups and prepare PowerShell scripts to deploy them to the new domain.

Roaming profiles, home folders, Group Policy in place.

Now VPN connections between sites: security level.

Client VPN, if to Azure or other third party (SonicWall, Juniper).

Optionally: demote/remove old 2003 DCs, raise forest/domain level and add new Windows 2012 R2 server VMs.

Security: RODC in DMZ for VPN users, and NPS policies in place.

Possible problems by doing a completely fresh start:

1. Office 365 might have issues with different SIDs of users in case there is Azure AD Connect/DirSync in place.

2. You will need to unjoin and rejoin computers to the new domain.

3. Without a plan, things can go downhill; plan everything before any changes.


I am actually afraid there aren't existing projects available, as every project is specific to different company needs, and I'm not sure if anybody would share any of these, because of privacy policy etc.
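The "collect the list of users and groups and prepare PowerShell scripts" step from the accepted answer, written out as an added example. This is not code posted by anyone in the thread; the DC host names, domain names and OU paths are assumptions, and it assumes the RSAT ActiveDirectory module on a host that can reach both domains. It goes a little beyond the answer's wording by also carrying custom group memberships across, since those memberships are what every file-share ACL in the new domain will have to be re-granted against.

```powershell
# Added example, not code from the thread. All host names, domain names and OU
# paths below are made up. Assumes the RSAT ActiveDirectory module, DNS
# resolution of both DCs, read rights in the old domain and create rights on
# the target OUs in the new one (add -Credential to the cmdlets if needed).
Import-Module ActiveDirectory

$OldDc         = 'olddc01.olddomain.local'      # assumed
$NewDc         = 'newdc01.newdomain.local'      # assumed
$NewDomainDns  = 'newdomain.local'              # assumed
$TargetUserOu  = 'OU=Users,OU=Corp,DC=newdomain,DC=local'   # assumed
$TargetGroupOu = 'OU=Groups,OU=Corp,DC=newdomain,DC=local'  # assumed

# --- 1. Inventory the old domain ----------------------------------------------
# Only custom groups are carried over. Well-known groups (Domain Admins,
# Builtin\Administrators, ...) have RIDs below 1000 and already exist in any new domain.
$groups = Get-ADGroup -Server $OldDc -Filter * -Properties Description |
    Where-Object { [int]($_.SID.Value.Split('-')[-1]) -ge 1000 }
$groupByDn = @{}
foreach ($g in $groups) { $groupByDn[$g.DistinguishedName] = $g.SamAccountName }

$groups | Select-Object Name, SamAccountName, GroupCategory, GroupScope, Description |
    Export-Csv -Path .\groups.csv -NoTypeInformation

# Enabled users only: disabled accounts are normally leavers and should die with the old domain.
# HomeDirectory/ProfilePath are exported for review only; they point at old-domain servers.
# 'Groups' becomes the sAMAccountNames of the custom groups each user is in (built-ins drop out).
$users = Get-ADUser -Server $OldDc -Filter 'Enabled -eq $true' `
    -Properties DisplayName, GivenName, Surname, Mail, Department, HomeDirectory, ProfilePath, MemberOf
$users | Select-Object SamAccountName, DisplayName, GivenName, Surname, Mail, Department,
        HomeDirectory, ProfilePath,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { $groupByDn[$_] } | Where-Object { $_ }) -join ';' } } |
    Export-Csv -Path .\users.csv -NoTypeInformation

# --- 2. Recreate in the new domain: groups, then users, then memberships ------
foreach ($g in Import-Csv .\groups.csv) {
    if (Get-ADGroup -Server $NewDc -Filter "SamAccountName -eq '$($g.SamAccountName)'") { continue }
    $p = @{ Server = $NewDc; Path = $TargetGroupOu; Name = $g.Name; SamAccountName = $g.SamAccountName
            GroupCategory = $g.GroupCategory; GroupScope = $g.GroupScope }
    if ($g.Description) { $p['Description'] = $g.Description }
    New-ADGroup @p
}

$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($u in Import-Csv .\users.csv) {
    if (Get-ADUser -Server $NewDc -Filter "SamAccountName -eq '$($u.SamAccountName)'") { continue }

    # Fresh random initial password with a forced reset at first logon. Password hashes are
    # never copied between domains, so the old credentials stay behind with the old directory.
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # CN must be unique within the OU; fall back to the logon name when DisplayName is empty.
    $name = if ($u.DisplayName) { $u.DisplayName } else { $u.SamAccountName }
    $p = @{
        Server = $NewDc; Path = $TargetUserOu; Name = $name
        SamAccountName        = $u.SamAccountName
        UserPrincipalName     = "$($u.SamAccountName)@$NewDomainDns"
        AccountPassword       = $pw
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }
    foreach ($attr in 'DisplayName', 'GivenName', 'Surname', 'Department') {
        if ($u.$attr) { $p[$attr] = $u.$attr }
    }
    if ($u.Mail) { $p['EmailAddress'] = $u.Mail }
    New-ADUser @p

    foreach ($grp in ($u.Groups -split ';' | Where-Object { $_ })) {
        Add-ADGroupMember -Server $NewDc -Identity $grp -Members $u.SamAccountName
    }
}
```

Two things this does not and cannot do, which is the point of the answer's warning about SIDs: a fresh forest with no trust and no ADMT gives every recreated object a new SID and no sIDHistory, so every NTFS and share ACL, SQL login and application role that currently names OLDDOMAIN\group has to be re-granted to NEWDOMAIN\group by hand or script. And if Azure AD Connect is syncing the old domain, the recreated users must be matched to the existing cloud accounts (Azure AD Connect soft-matches on UPN or primary SMTP address) or they will appear as new, duplicate users.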

Assisted Solution

by:masnrock
masnrock earned 125 total points
ID: 41872625
Definitely go with the new domain entirely. David Fiala has given a lot of great tips.

Keeping things running in parallel is okay, but don't let it go indefinitely. I've seen a number of companies and consultants leave old servers running for long periods of time, in some cases exceeding a year.

From the workstation end, I've used ForensIT User Profile Wizard for migrating users' profiles. That saved a lot of headaches.

As for best practices, you really should be going based on the company's requirements (regulations to be followed, etc.). For example, I work for a consumer products company that has to deal with HIPAA, SOX, and PCI compliance on the corporate end. But also, a lot of the functions here are very collaborative across business units, unlike most companies where most projects and functions can be more in silos. On top of that, systems are going to be a major thing that affects how things are handled as well. What type of company are we talking about here, and about what size is it?

Like David has mentioned, you need to carefully review what exists, and then plan appropriately. For example, you might want to fix a large number of things, but time will not allow for you to do so. And you need to be sure what the side effects might be.

Assisted Solution

by:sAMAccountName
sAMAccountName earned 125 total points
ID: 41873117
My first question is why you are abandoning the original directory? Are there things which have eroded the trust you have in it? Is it broken to a degree that it's beyond recovery? Is it simply a notion that new is good?

If you are set on creating a new directory in parallel and manually migrating to it, it's been done a thousand times with success, but don't convince yourself it will be a walk in the park.

There will be disruptions. At some point in the process, the two domains will exist simultaneously, with users and resources split between them. Unless you can send everyone home and shut the business down when you start, with the expectation they don't come back until it's done, you will have to overcome objects in two distinct domains with a security boundary between them trying to get to each other. Do you create a trust? Do you move everything at once? How can you approach this? During this time DNS will cause problems. ACLs will cause problems. Identities will cause problems. All of these can be overcome, but you have to be keenly aware of what is happening.

Consider this: John has been working for years in domain.com with no problems at all. He has a home directory and access to shared files and resources which he needs to collaborate with others. On Monday, he comes in and you hand him a sheet of paper that says your new login is newdomain\john. He logs in fine, but when he tries to collaborate with people, things start going wrong, fast. Some of John's resources and files are still in domain.com. Some are in newdomain.com. How does John bridge that gap? Will he be able to access shares he could previously access? Did the groups he was a member of get migrated and all the ACLs where that group was used get updated? Are his printers in the same domain? Does his email route the same way? These are some examples of the kinds of problems you need to prepare for. There's a ton of resources out there that outline what you need to do. Don't take this lightly, even with a small directory.

There's a ton of articles with specific guidance in the googles:
Parallel AD migration (Google search)

I don't want to sound all doom and gloom, because what you want to do is very doable, but I do want to point out there are sharp corners that will make this journey memorable.

Plan well, set expectations and then execute with deliberate precision.

Expert Comment

by:Niten Kumar
ID: 41873870
If you only want to upgrade your DCs, then why don't you go through the normal process of adprep, install and promote 2K12 R2 DCs and demote the 2K3 DCs?
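The in-place route this comment describes (promote 2012 R2 DCs into the existing domain, move the roles, demote the 2003 DCs, raise the functional levels) as an added PowerShell walk-through. It is not code from the thread; the domain name, server name and site are assumptions, and it assumes a freshly built, domain-joined 2012 R2 member server run by an account in Domain Admins, Enterprise Admins and Schema Admins. It is meant to be run step by step with checks in between, not as one unattended script, because the promotion reboots the box.

```powershell
# Added example, not code posted in the thread. Domain, server and site names
# are made up. Run on the new 2012 R2 member server as an Enterprise/Schema Admin.
# Install-ADDSDomainController on 2012 R2 runs adprep (forestprep/domainprep)
# itself, so there is no separate adprep.exe step.
Import-Module ActiveDirectory

$DomainName = 'corp.example.com'   # assumed
$NewDcName  = 'NEWDC01'            # assumed, the server this runs on

# --- 1. Pre-flight: what exists today ------------------------------------------
# 2012 R2 DCs need the forest at Windows Server 2003 functional level or higher.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, Site, IsGlobalCatalog, OperationMasterRoles
Get-ADForest | Select-Object ForestMode, SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
# Replication must be clean before adding a DC; fix any failures reported here first.
repadmin /replsummary
dcdiag /q

# --- 2. Promote the 2012 R2 server as an additional DC, DNS server and GC --------
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSDomainController -DomainName $DomainName -InstallDns -CreateDnsDelegation:$false `
    -SiteName 'Default-First-Site-Name' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Credential (Get-Credential "$DomainName\Administrator") -Force
# The server reboots here. Repeat step 2 on every new DC before touching a 2003 box,
# then re-run step 1 and confirm the new DCs replicate and advertise as GCs.

# --- 3. Move all five FSMO roles onto a new DC -----------------------------------
Move-ADDirectoryServerOperationMasterRole -Identity $NewDcName `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# --- 4. Repoint clients, then demote the 2003 DCs -------------------------------
# Change DHCP scope options and any static DNS/NTP settings to the new DCs first,
# so nothing keeps resolving against a server that is about to disappear.
# Server 2003 has no PowerShell demotion cmdlet: run dcpromo on each 2003 DC to
# demote it gracefully, then confirm none are left behind:
Get-ADDomainController -Filter { OperatingSystem -like '*2003*' }

# --- 5. Raise functional levels and move SYSVOL off FRS --------------------------
# Only after the last 2003 DC is gone; functional levels cannot be lowered again.
Set-ADDomainMode -Identity $DomainName -DomainMode Windows2012R2Domain
Set-ADForestMode -Identity $DomainName -ForestMode Windows2012R2Forest
# A domain created on 2003 still replicates SYSVOL with FRS. Once the domain level is
# 2008 or higher, migrate to DFSR, waiting at each state until /getmigrationstate
# reports every DC has reached it.
dfsrmig /setglobalstate 1   # Prepared
dfsrmig /getmigrationstate
dfsrmig /setglobalstate 2   # Redirected
dfsrmig /getmigrationstate
dfsrmig /setglobalstate 3   # Eliminated: FRS is removed
dfsrmig /getmigrationstate
```

Compared with the fresh-start plan the rest of the thread discusses, this path keeps every SID, ACL, machine account, GPO and Azure AD Connect anchor exactly as it is; the trade-off is that whatever is wrong with the current directory comes along too.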
Author Comment

by:canuckconsulting
ID: 41879526
Thank you all for the advice. Sorry for the late reply!