

Getting started with moving to a new Active Directory / Domain Controller setup

Posted on 2016-11-03
Last Modified: 2016-11-10
We have a mix of Windows 2012 and 2003 servers acting as domain controllers.  We are about to kick off a project to replace this with a fresh start AD on only 2012 server.

We're thinking of running the new AD in parallel with the existing and migrating objects over to reduce risk and down time.   Is this a good idea?  Are there any project plans out there that might highlight risks and best practices we should be following.

Our organisation is set up as follows:

Question by: canuckconsulting

Expert Comment

by: No More
ID: 41872441
Few points :

1, I'm hoping that you are talking about Windows Server 2012 R2

2, Less than 200 users , I would rather do Complete fresh start, then migrating to avoid possible problems after migration

3, Any Hyper-v server or Vmware ?

Author Comment

ID: 41872456
Thanks for the reply David.

Yes, all Windows Server 2012 R2.  We have a number of VMware VMs but no Hyper-V.

I like the fresh start suggestion.  In fact I misspoke in my initial post.  We were going to create a separate AD and manually recreate required objects in it whilst running the existing AD in parallel.   I should not have used the word "migrate".

Expert Comment

by: No More
ID: 41872468
You have a clear idea. Good luck.

Author Comment

ID: 41872484
I'm afraid I don't have anything close to a clear idea beyond what I've typed above :).

I'm looking for best practices on setting up security, organizing objects, etc.  Even an existing project plan to reference would give us the leg up to start building around.

Accepted Solution

No More earned 1000 total points
ID: 41872553
Well, you have to write down the whole list of servers, their roles etc., in detail.

You need to collect a list of users and groups and prepare PowerShell scripts to deploy to the new domain.

Roaming profiles, home folders, Group Policy in place.

Now VPN connections between sites - security level.

Client VPN, if to Azure or other third party (SonicWall, Juniper).

Optionally: demote / remove the old 2003 DCs, raise the forest/domain level and add new Windows 2012 R2 server VMs.

Security: RODC in DMZ for VPN users, and NPS policies in place.

Possible problems with doing a completely fresh start:

1, Office 365 might have issues with different SIDs of users in case there is Azure AD Connect / DirSync in place

2, You will need to unjoin and rejoin computers to the new domain

3, Without a plan, things can go downhill; plan everything before any changes

I am actually afraid there aren't existing projects available, as every project is specific to different company needs, and I'm not sure if anybody would share any of these because of privacy policy etc.
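The inventory and deployment scripts suggested above, as an added example that is not part of the original thread: it exports users, security groups and memberships from the old domain to CSV, then recreates them in the new forest. Host names, OU paths and the UPN suffix are assumptions; accounts are created disabled with a one-time random password so no initial password is shared.

```powershell
# Added example, not from the thread. Domain controllers, OU paths and UPN suffix are assumed.
Import-Module ActiveDirectory

$OldDc      = 'dc01.olddomain.local'                    # assumption: a DC in the existing forest
$NewDc      = 'dc01.newdomain.local'                    # assumption: a DC in the new 2012 R2 forest
$NewUpn     = 'newdomain.local'                         # assumption: UPN suffix in the new forest
$NewUserOu  = 'OU=Users,OU=Corp,DC=newdomain,DC=local'  # assumption
$NewGroupOu = 'OU=Groups,OU=Corp,DC=newdomain,DC=local' # assumption
$Export     = 'C:\ADMigration'

function New-RandomPassword {
    # 24 random bytes, base64-encoded: a throwaway value nobody needs to know, because the
    # account is created disabled and the user must set a new password at first logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

# 1. Inventory the old domain into CSV files so the lists can be reviewed and pruned
#    (stale accounts, unused groups) before anything is created in the new domain.
New-Item -ItemType Directory -Path $Export -Force | Out-Null
Get-ADUser -Server $OldDc -Filter 'Enabled -eq $true' -Properties DisplayName,Department,EmailAddress |
    Select-Object SamAccountName,GivenName,Surname,DisplayName,Department,EmailAddress |
    Export-Csv "$Export\users.csv" -NoTypeInformation
$groups = Get-ADGroup -Server $OldDc -Filter 'GroupCategory -eq "Security"' -Properties isCriticalSystemObject |
    Where-Object { -not $_.isCriticalSystemObject }   # skip built-ins such as Domain Admins
$groups | Select-Object Name,SamAccountName,GroupScope | Export-Csv "$Export\groups.csv" -NoTypeInformation
$groups | ForEach-Object {
    $g = $_.SamAccountName                              # direct user members only; nested groups are not recreated
    Get-ADGroupMember -Server $OldDc -Identity $g | Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName } }
} | Export-Csv "$Export\members.csv" -NoTypeInformation

# 2. Deploy from the reviewed CSVs into the new domain: groups, then users, then memberships.
Import-Csv "$Export\groups.csv" | ForEach-Object {
    New-ADGroup -Server $NewDc -Name $_.Name -SamAccountName $_.SamAccountName `
        -GroupScope $_.GroupScope -GroupCategory Security -Path $NewGroupOu
}
Import-Csv "$Export\users.csv" | ForEach-Object {
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    $p = @{ Server = $NewDc; Name = $_.SamAccountName; SamAccountName = $_.SamAccountName
            UserPrincipalName = "$($_.SamAccountName)@$NewUpn"; Path = $NewUserOu
            AccountPassword = $pw; Enabled = $false; ChangePasswordAtLogon = $true }
    foreach ($a in 'GivenName','Surname','DisplayName','Department','EmailAddress') {
        if ($_.$a) { $p[$a] = $_.$a }                  # blank CSV fields are not passed to AD
    }
    New-ADUser @p
}
Import-Csv "$Export\members.csv" | ForEach-Object {
    Add-ADGroupMember -Server $NewDc -Identity $_.Group -Members $_.Member
}
```

Run step 1 on its own first and edit the CSVs before running step 2; the new-domain SIDs will differ from the old ones, which is exactly the Office 365 / directory sync caveat raised above.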

Assisted Solution

masnrock earned 500 total points
ID: 41872625
Definitely go with the new domain entirely. David Fiala has given a lot of great tips.

Keeping things running in parallel is okay, but don't let it go indefinitely. I've seen a number of companies and consultants leave old servers running for long periods of time, in some cases exceeding a year.

From the workstation end, I've used ForensIT User Profile Wizard for migrating users' profiles. That saved a lot of headaches.

As for best practices, you really should be going based on the company's requirements (regulations to be followed, etc). For example, I work for a consumer products company that has to deal with HIPAA, SOX, and PCI compliance on the corporate end. But also, a lot of the functions here are very collaborative across business units unlike most companies where most projects and functions can be more in silos. On top of that, systems are going to be a major thing that affect how things are handled as well. What type of company are we talking about here, and about what size is it?

Like David has mentioned, you need to carefully review what exists, and then plan appropriately. For example, you might want to fix a large number of things, but time will not allow for you to do so. And you need to be sure what the side effects might be.

Assisted Solution

sAMAccountName earned 500 total points
ID: 41873117
My first question is why you are abandoning the original directory?  Are there things which have eroded the trust you have in it?  Is it broken to a degree that it's beyond recovery?  Is it simply a notion that new is good?

If you are set on creating a new directory in parallel and manually migrating to it, it's been done a thousand times with success, but don't convince yourself it will be a walk in the park.

There will be disruptions.  At some point in the process, the two domains will exist simultaneously, with users and resources split between them.  Unless you can send everyone home and shut the business down when you start with the expectation they don't come back until it's done, you will have to overcome objects in two distinct domains with a security boundary between them trying to get to each other.  Do you create a trust?  Do you move everything at once?  How can you approach this?  During this time DNS will cause problems.  ACLs will cause problems.  Identities will cause problems.  All of these can be overcome, but you have to be keenly aware of what is happening.

Consider this:  John has been working for years in domain.com with no problems at all.  He has a home directory and access to shared files and resources which he needs to collaborate with others.  On Monday, he comes in and you hand him a sheet of paper that says your new login is newdomain\john.  He logs in fine, but when he tries to collaborate with people, things start going wrong - fast.  Some of John's resources and files are still in domain.com.  Some are in newdomain.com.  How does John bridge that gap?  Will he be able to access shares he could previously access?  Did the groups he was a member of get migrated and all the ACLs where that group was used get updated?  Are his printers in the same domain?  Does his email route the same way?  These are some examples of the kinds of problems you need to prepare for.  There's a ton of resources out there that outline what you need to do.  Don't take this lightly, even with a small directory.

There's a ton of articles with specific guidance in the googles:
Parallel AD migration (Google search)

I don't want to sound all doom and gloom, because what you want to do is very doable, but I do want to point out there are sharp corners that will make this journey memorable.

Plan well, set expectations and then execute with deliberate precision.
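One way to find the ACL problem described in John's scenario before cutover, as an added example that is not part of the original answer: walk a share tree and report every access entry that still names a principal from the old domain, or an unresolved SID, so those entries can be re-pointed at the new-domain groups. The share path and the old domain's NetBIOS name are assumptions.

```powershell
# Added example, not from the thread. Share path, old NetBIOS name and report path are assumed.
param(
    [string]$Root       = '\\fs01\shared',                 # assumption: share tree to audit
    [string]$OldNetbios = 'OLDDOMAIN',                     # assumption: NetBIOS name of domain.com
    [string]$Report     = 'C:\ADMigration\acl-report.csv'
)

function Get-StaleAce {
    # Returns one record per ACE on $Path that will stop working once the old domain is gone.
    param([string]$Path, [string]$OldNetbios)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $reason = $null
        if ($id -like "$OldNetbios\*")     { $reason = 'old-domain principal' }
        elseif ($id -match '^S-1-5-21-')   { $reason = 'unresolved SID (deleted or foreign account)' }
        if ($reason) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Reason    = $reason
            }
        }
    }
}

# Folders only: file-level explicit ACEs are rare, and inherited ones follow their parent.
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)
$results = foreach ($d in $dirs) { Get-StaleAce -Path $d.FullName -OldNetbios $OldNetbios }
$results | Export-Csv -Path $Report -NoTypeInformation

# Explicit (non-inherited) entries are the ones that must be edited; summarise them per identity
# so the mapping old group -> new group can be planned from the most-used entries down.
$results | Where-Object { -not $_.Inherited } | Group-Object Identity |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

Run it against each share while the old domain is still up so that names resolve; after the old DCs are gone, every old-domain ACE will show only as a raw SID.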

Expert Comment

by:Niten Kumar
ID: 41873870
If you only want to upgrade your DCs then why don't you go through the normal process of adprep, install and promote 2K12 R2 DCs and demote the 2K3 DCs?
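The in-place path Niten Kumar describes, as an added example that is not part of the original comment, run from the new 2012 R2 member server. The domain name, server names and credentials are assumptions; the forest functional level must already be at least Windows Server 2003 for a 2012 R2 DC to join.

```powershell
# Added example, not from the thread. Domain, DC names and credentials are assumptions.
$Domain = 'domain.com'                                   # assumption: existing forest root domain
$Cred   = Get-Credential -Message "Enterprise/Schema Admin in $Domain"
$Dsrm   = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# 1. Install the role. On 2012 R2 the promotion cmdlets run adprep /forestprep and
#    /domainprep themselves when the credential is a Schema and Enterprise Admin.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 2. Dry run: reports schema, DNS and replication problems without changing anything.
Test-ADDSDomainControllerInstallation -DomainName $Domain -Credential $Cred `
    -InstallDns -SafeModeAdministratorPassword $Dsrm

# 3. Promote as an additional DC (DNS + global catalog); the server reboots when done.
Install-ADDSDomainController -DomainName $Domain -Credential $Cred -InstallDns `
    -CreateDnsDelegation:$false -SafeModeAdministratorPassword $Dsrm -Force

# ---- after the reboot, on the new DC ----
# 4. Move all five FSMO roles off the 2003 DC before it is demoted.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2012R2' `          # assumption: new DC name
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster `
    -Confirm:$false

# 5. Confirm replication is clean, then demote each 2003 DC with dcpromo on that server
#    (2003 has no ActiveDirectory PowerShell module) and point clients' DNS at the new DCs.
repadmin /replsummary
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem, IsGlobalCatalog, OperationMasterRoles

# 6. Once only 2012 R2 DCs remain, raise the functional levels (this is one-way).
Set-ADDomainMode -Identity $Domain -DomainMode Windows2012R2Domain
Set-ADForestMode -Identity $Domain -ForestMode Windows2012R2Forest
```

This keeps every existing SID, group and ACL intact, which is why it avoids the Office 365 sync, rejoin and ACL issues the parallel-domain approach raises.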

Author Comment

ID: 41879526
Thank you all for the advice.  Sorry for the late reply!
