• Status: Solved

Transitioning a very old AD to a current version.

Hi,

I have been running an Active Directory server for a very long time without any updates.  It is time to upgrade it, or more accurately, to abandon it.  By that I mean to install a new AD, hopefully synchronize to the old one, and then retire the old one.  This is one area I've never had to become particularly competent in and that has come home to roost.

I'm looking for advice on how to do this gracefully so stuff doesn't break all over the place.  While I have very few users, I do have lots of servers and services that depend on that to work.

I have access to Windows servers vintage 2008 R2, 2012 and 2016.

Thanks!

--Ben
 
Mahesh (Architect) commented:
What is your current AD version?
 
Mahesh (Architect) commented:
And what version do you want to upgrade to?
 
Ben Conner (CTO, SAS developer; author) commented:
Technically it is running on a 2008 R2 server but I -believe- it is emulating a 2000 AD.  How can I verify that?

The only thing I use it for is machine authentication and DNS resolution.  I have another non-Windows server I use for domain names we host.  I have a half dozen or fewer users but the issue will be the services that run on each server.  I have about 8 servers that tie in to it and 3-4 workstations.

I could probably migrate to a 2008 R2 AD but don't know what the pros and cons are for each variant.  

These are all VMs running under VMware vSphere, so I could test things in isolation if that would be helpful.

--Ben
 
yo_bee (Director of Information Technology) commented:
Open Active Directory Users and Computers | right-click the domain | select Properties.  Here it will tell you what domain level you are at.

If you are at 2000 and you don't have any 2000 domain controllers, you can easily raise this to the highest level that is acceptable (2008).

Once you are at the 2008 level, you can add a second domain controller and move all the major roles (FSMO) to the new DC. With a newly added DC, replication will happen, giving you redundancy and the ability to stage for the decommissioning of the old DC.

Once these steps are completed, I would leave both DCs running in parallel for a bit.

Once this has been running for a week or so and there are no errors, you can safely decommission the old DC.

How to check Domain Function Level:
https://support.microsoft.com/en-us/help/322692/how-to-raise-active-directory-domain-and-forest-functional-levels

Steps to transfer FSMO roles.
https://blogs.technet.microsoft.com/canitpro/2015/02/10/step-by-step-migrating-windows-server-2003-fsmo-roles-to-windows-server-2012-r2/
 
Ben Conner (CTO, SAS developer; author) commented:
Ok, the Domain functional level is: Windows 2000 native.  The Forest functional level is Windows 2000.
This is the only AD I have running in the network.  
Tried to raise the active level and got the following error:

You cannot raise the domain functional level because this domain includes Active Directory Domain Controllers that are not running the appropriate version of Windows.

Doing a 'Save As' on that screen produced a file with the server in question, which was wwpdc.local.webworldinc.com.  That server hasn't been active for years.  Can I drop it somewhere and proceed?  If I manage the servers and bring up Domain Controllers, the only one I see is NEWPDC (the current one).

--Ben
 
Peter Hutchison (Senior Network Systems Specialist) commented:
You need to run ntdsutil to do a metadata cleanup and remove old DCs from the AD configuration.

See https://www.petri.com/delete_failed_dcs_from_ad
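The functional-level check and the hunt for leftover DC objects described in the two answers above can also be scripted; this read-only PowerShell sketch is an added example, not code posted by anyone in the thread. It assumes the ActiveDirectory module is available (RSAT or the AD DS role on a 2008 R2 or later machine) and uses a 3-second LDAP port probe as a constructed reachability test.

```powershell
# Added example (read-only): functional levels, FSMO holders, and every DC still
# registered in the directory, including ones that no longer exist on the network.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain functional level : " + $domain.DomainMode
"Forest functional level : " + $forest.ForestMode

# The five FSMO roles that have to move before the old DC is retired.
"PDC emulator            : " + $domain.PDCEmulator
"RID master              : " + $domain.RIDMaster
"Infrastructure master   : " + $domain.InfrastructureMaster
"Schema master           : " + $forest.SchemaMaster
"Domain naming master    : " + $forest.DomainNamingMaster

# Each DC known to AD has an NTDS Settings (nTDSDSA) object under CN=Sites in the
# configuration partition. A DC that was never demoted leaves this object behind,
# and that leftover is what blocks raising the functional level.
$configNC = (Get-ADRootDSE).configurationNamingContext
$report = Get-ADObject -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter '(objectClass=nTDSDSA)' -Properties 'msDS-Behavior-Version' |
    ForEach-Object {
        # The parent of NTDS Settings is the server object, which holds the DNS name.
        $serverDn = $_.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $hostName = (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
        $ldapOpen = $false
        if ($hostName) {
            $tcp = New-Object System.Net.Sockets.TcpClient
            try {
                $pending = $tcp.BeginConnect($hostName, 389, $null, $null)
                if ($pending.AsyncWaitHandle.WaitOne(3000, $false)) {
                    $tcp.EndConnect($pending)
                    $ldapOpen = $tcp.Connected
                }
            } catch { $ldapOpen = $false } finally { $tcp.Close() }
        }
        New-Object PSObject -Property @{
            Server          = $hostName
            # Empty means the DC registered as Windows 2000; 2 = 2003, 3 = 2008, 4 = 2008 R2
            BehaviorVersion = $_.'msDS-Behavior-Version'
            LdapReachable   = $ldapOpen
            ServerObjectDN  = $serverDn
        }
    }
$report | Select-Object Server, BehaviorVersion, LdapReachable, ServerObjectDN |
    Format-Table -AutoSize
```

A row with `LdapReachable` false and an empty or low `BehaviorVersion` is a candidate for the metadata cleanup; confirm the machine is really gone before removing it.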
 
Ben Conner (CTO, SAS developer; author) commented:
Thanks to all for helping straighten this out.  I should have asked how to do this years ago.  Much appreciated!!

--Ben