Getting started with moving to a new Active Directory / Domain Controller setup

Posted on 2016-11-03
Last Modified: 2016-11-10
We have a mix of Windows 2012 and 2003 servers acting as domain controllers. We are about to kick off a project to replace this with a fresh-start AD on 2012 servers only.

We're thinking of running the new AD in parallel with the existing one and migrating objects over to reduce risk and downtime. Is this a good idea? Are there any project plans out there that might highlight risks and best practices we should be following?

Our organisation is set up as follows:

Question by: canuckconsulting

Expert Comment

by: No More
ID: 41872441
A few points:

1. I'm hoping that you are talking about Windows Server 2012 R2.

2. With fewer than 200 users, I would rather do a complete fresh start than migrate, to avoid possible problems after migration.

3. Any Hyper-V server or VMware?

Author Comment

ID: 41872456
Thanks for the reply, David.

Yes, all Windows Server 2012 R2. We have a number of VMware VMs but no Hyper-V.

I like the fresh start suggestion. In fact I misspoke in my initial post. We were going to create a separate AD and manually recreate required objects in it whilst running the existing AD in parallel. I should not have used the word "migrate".

Expert Comment

by: No More
ID: 41872468
You have a clear idea. Good luck.
Author Comment

ID: 41872484
I'm afraid I don't have anything close to a clear idea beyond what I've typed above :).

I'm looking for best practices on setting up security, organizing objects, etc. Even an existing project plan to reference would give us a leg up to start building around.

Accepted Solution

No More earned 250 total points
ID: 41872553
Well, you have to write down the whole list of servers, their roles etc., in detail.

You need to collect a list of users and groups and prepare PowerShell scripts to deploy them to the new domain.

Roaming profiles, home folders, Group Policy in place.

Now VPN connections between sites - security level.

Client VPN, if to Azure or another third party: SonicWall, Juniper.

Optionally: demote/remove the old 2003 DC, raise the forest/domain level and add new Windows 2012 R2 server VMs.

Security: RODC in the DMZ for VPN users, and NPS policies in place.

Possible problems by doing a completely fresh start:

1. Office 365 might have issues with the different SIDs of users in case there is an Azure AD Connect/DirSync in place.

2. You will need to unjoin and rejoin computers to the new domain.

3. Without a plan, things can go downhill; plan everything before any changes.

I am actually afraid there aren't existing projects available, as every project is specific to a different company's needs, and I'm not sure if anybody would share any of these because of privacy policy etc.
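The first three steps of the accepted answer (list the servers and their roles, collect users and groups, prepare PowerShell for the new domain) can be driven by one inventory script. The script below is an added example, not the answerer's own code. It assumes the RSAT ActiveDirectory module, a read-only account for the export, and a Domain Admin in the new domain for the import; the folder `C:\ADInventory`, the OU paths and the UPN suffix are placeholders. Passwords and SIDs are deliberately not exported: the new accounts get new SIDs (which is exactly the Office 365/DirSync caveat in point 1) and random initial passwords that must be changed at first logon, so nothing secret sits in the CSV files.

```powershell
# Added example (not from the original answer). Inventory the existing forest and
# export the users and groups that will be recreated in the new domain.
# Assumptions: RSAT ActiveDirectory module; output folder is a placeholder.
Import-Module ActiveDirectory
$OutDir = 'C:\ADInventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Domain controllers, OS versions, FSMO roles and functional levels. The 2003
#    DCs must appear here so they are accounted for before any demotion.
Get-ADDomainController -Filter * |
    Select-Object Name, HostName, IPv4Address, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly,
                  @{ n = 'FsmoRoles'; e = { $_.OperationMasterRoles -join ';' } } |
    Export-Csv -Path "$OutDir\domain-controllers.csv" -NoTypeInformation

[pscustomobject]@{
    ForestMode = (Get-ADForest).ForestMode
    DomainMode = (Get-ADDomain).DomainMode
} | Export-Csv -Path "$OutDir\functional-levels.csv" -NoTypeInformation

# 2. Users. isCriticalSystemObject filters out Administrator, Guest, krbtgt etc.,
#    which already exist in the new domain and must not be recreated.
Get-ADUser -Filter * -Properties GivenName, Surname, DisplayName, EmailAddress, Description,
                                  Department, HomeDirectory, HomeDrive, ProfilePath,
                                  Enabled, isCriticalSystemObject |
    Where-Object { -not $_.isCriticalSystemObject } |
    Select-Object SamAccountName, GivenName, Surname, DisplayName, EmailAddress, Description,
                  Department, HomeDirectory, HomeDrive, ProfilePath, Enabled, DistinguishedName |
    Export-Csv -Path "$OutDir\users.csv" -NoTypeInformation

# 3. Groups (built-ins excluded) plus direct membership, one row per (group, member).
$groups = Get-ADGroup -Filter * -Properties Description, isCriticalSystemObject |
          Where-Object { -not $_.isCriticalSystemObject }
$groups | Select-Object SamAccountName, Name, GroupScope, GroupCategory, Description, DistinguishedName |
    Export-Csv -Path "$OutDir\groups.csv" -NoTypeInformation
$groups | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g.DistinguishedName | ForEach-Object {
        [pscustomobject]@{ Group = $g.SamAccountName; Member = $_.SamAccountName; MemberClass = $_.objectClass }
    }
} | Export-Csv -Path "$OutDir\group-members.csv" -NoTypeInformation

# 4. Recreate in the NEW domain from the three CSV files. Random initial password,
#    change forced at first logon; optional attributes are only set when present.
function New-RandomPassword {
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%&*'
    -join (1..20 | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
}

function Import-InventoryToNewDomain {
    param([string]$InventoryDir, [string]$UserOU, [string]$GroupOU, [string]$UpnSuffix)

    Import-Csv "$InventoryDir\groups.csv" | ForEach-Object {
        $p = @{ Name = $_.Name; SamAccountName = $_.SamAccountName; Path = $GroupOU
                GroupScope = $_.GroupScope; GroupCategory = $_.GroupCategory }
        if ($_.Description) { $p.Description = $_.Description }
        New-ADGroup @p
    }
    Import-Csv "$InventoryDir\users.csv" | ForEach-Object {
        $name = if ($_.DisplayName) { $_.DisplayName } else { $_.SamAccountName }
        $p = @{ Name = $name; SamAccountName = $_.SamAccountName; Path = $UserOU
                UserPrincipalName = "$($_.SamAccountName)@$UpnSuffix"
                AccountPassword = (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
                Enabled = [bool]::Parse($_.Enabled); ChangePasswordAtLogon = $true }
        foreach ($attr in 'GivenName', 'Surname', 'EmailAddress', 'Description', 'Department',
                          'HomeDirectory', 'HomeDrive', 'ProfilePath') {
            if ($_.$attr) { $p[$attr] = $_.$attr }
        }
        New-ADUser @p
    }
    # Nested groups and computers are skipped here; review them by hand.
    Import-Csv "$InventoryDir\group-members.csv" | Where-Object { $_.MemberClass -eq 'user' } |
        ForEach-Object { Add-ADGroupMember -Identity $_.Group -Members $_.Member }
}

# Example call in the new domain (placeholders):
# Import-InventoryToNewDomain -InventoryDir 'C:\ADInventory' -UserOU 'OU=Users,OU=Corp,DC=new,DC=example,DC=com' `
#     -GroupOU 'OU=Groups,OU=Corp,DC=new,DC=example,DC=com' -UpnSuffix 'new.example.com'
```

The group-members CSV doubles as the checklist for the ACL problem raised further down the thread: every share or NTFS ACL that references an old-domain group has to be re-pointed at the new group, because the SIDs are different and no SID history is carried over in a manual rebuild.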

Assisted Solution

masnrock earned 125 total points
ID: 41872625
Definitely go with the new domain entirely. David Fiala has given a lot of great tips.

Keeping things running in parallel is okay, but don't let it go on indefinitely. I've seen a number of companies and consultants leave old servers running for long periods of time, in some cases exceeding a year.

From the workstation end, I've used ForensIT User Profile Wizard for migrating users' profiles. That saved a lot of headaches.

As for best practices, you really should be going based on the company's requirements (regulations to be followed, etc). For example, I work for a consumer products company that has to deal with HIPAA, SOX, and PCI compliance on the corporate end. But also, a lot of the functions here are very collaborative across business units unlike most companies where most projects and functions can be more in silos. On top of that, systems are going to be a major thing that affect how things are handled as well. What type of company are we talking about here, and about what size is it?

Like David has mentioned, you need to carefully review what exists, and then plan appropriately. For example, you might want to fix a large number of things, but time will not allow you to do so. And you need to be sure what the side effects might be.

Assisted Solution

sAMAccountName earned 125 total points
ID: 41873117
My first question is why you are abandoning the original directory? Are there things which have eroded the trust you have in it? Is it broken to a degree that it's beyond recovery? Is it simply a notion that new is good?

If you are set on creating a new directory in parallel and manually migrating to it, it's been done a thousand times with success, but don't convince yourself it will be a walk in the park.

There will be disruptions. At some point in the process, the two domains will exist simultaneously, with users and resources split between them. Unless you can send everyone home and shut the business down when you start, with the expectation they don't come back until it's done, you will have to overcome objects in two distinct domains with a security boundary between them trying to get to each other. Do you create a trust? Do you move everything at once? How can you approach this? During this time DNS will cause problems. ACLs will cause problems. Identities will cause problems. All of these can be overcome, but you have to be keenly aware of what is happening.

Consider this: John has been working for years in with no problems at all. He has a home directory and access to shared files and resources which he needs to collaborate with others. On Monday, he comes in and you hand him a sheet of paper that says your new login is newdomain\john. He logs in fine, but when he tries to collaborate with people, things start going wrong - fast. Some of John's resources and files are still in  Some are in  How does John bridge that gap? Will he be able to access shares he could previously access? Did the groups he was a member of get migrated and all the ACLs where that group was used get updated? Are his printers in the same domain? Does his email route the same way? These are some examples of the kinds of problems you need to prepare for. There's a ton of resources out there that outline what you need to do. Don't take this lightly, even with a small directory.

There's a ton of articles with specific guidance in the googles:
Parallel AD migration (Google search)

I don't want to sound all doom and gloom, because what you want to do is very doable, but I do want to point out there are sharp corners that will make this journey memorable.

Plan well, set expectations and then execute with deliberate precision.

Expert Comment

by: Niten Kumar
ID: 41873870
If you only want to upgrade your DCs, then why don't you go through the normal process of adprep, install and promote 2K12 R2 DCs, and demote the 2K3 DCs?
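The in-place path suggested here, as an added example (not the commenter's own script). On a 2012 R2 server, `Install-ADDSDomainController` runs the adprep forest and domain preparation for you when the credential is a member of Schema Admins and Enterprise Admins, so the sequence is: promote the new DC, let replication settle, move the FSMO roles, demote the 2003 DCs, then raise the functional levels. The names `NEWDC01`, `OLDDC01` and `corp.example.com` are placeholders. Raising the functional level should be treated as one-way, so the script gates it on no legacy DC being left in the domain.

```powershell
# Added example (not from the original comment). In-place replacement of 2003 DCs
# with 2012 R2 DCs in the existing domain. Placeholders: NEWDC01, OLDDC01,
# corp.example.com. Steps 1-3 and 5-6 run on the new 2012 R2 server.

# 1. Install the role and dry-run the promotion. The account used must be in
#    Schema Admins and Enterprise Admins so adprep runs implicitly.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$cred = Get-Credential -Message 'Enterprise Admin / Schema Admin account'
Test-ADDSDomainControllerInstallation -DomainName 'corp.example.com' -InstallDns `
    -Credential $cred -SafeModeAdministratorPassword $dsrm

# 2. Promote (reboots when done), then confirm replication is healthy.
Install-ADDSDomainController -DomainName 'corp.example.com' -InstallDns `
    -Credential $cred -SafeModeAdministratorPassword $dsrm -Force
repadmin /replsummary
repadmin /showrepl NEWDC01

# 3. Move all five FSMO roles to the new DC.
Move-ADDirectoryServerOperationMasterRole -Identity 'NEWDC01' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
# The new PDC emulator becomes the authoritative time source for the domain.
w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /reliable:yes /update

# 4. Demote each 2003 DC. There is no ADDSDeployment module on 2003, so this is
#    done with dcpromo on OLDDC01 itself (interactive wizard, or /unattend).
#    Before that, repoint every client and server whose DNS/DHCP settings name OLDDC01.

# 5. Gate: only raise functional levels when no DC older than 2012 R2 remains.
function Test-ReadyForFunctionalLevelRaise {
    $legacy = Get-ADDomainController -Filter * |
              Where-Object { $_.OperatingSystem -notlike '*2012 R2*' }
    if ($legacy) {
        Write-Warning ("Legacy DCs still present: " + ($legacy.Name -join ', '))
        return $false
    }
    return $true
}

# 6. Raise domain, then forest, functional level (all domains must be at 2012 R2 first).
if (Test-ReadyForFunctionalLevelRaise) {
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2012R2Domain -Confirm:$false
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2012R2Forest -Confirm:$false
}
```

Compared with the fresh-start approach discussed above, this path keeps every user and group SID, so ACLs, Office 365 directory sync and workstation domain joins are untouched; what it does not give you is the chance to clean out years of accumulated objects and delegation, which is the argument the rest of the thread makes for starting over.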

Author Comment

ID: 41879526
Thank you all for the advice. Sorry for the late reply!
