Active Directory Migration - WS2003 Legacy Server

I have a mixed-version Windows network running 3 WS2003 AD servers, which seem to be happily coexisting with WS2008 and 2012 app and file servers and a mixed client network from XP to Windows 10.

I have been able to validate, with help in previous questions on EE, a plan to upgrade the main network, but the Accounts Department cannot be upgraded at the same time, and I am not sure, if I remove the AD partition from the WS2003 file server in Accounts and just leave it as a WS2003 file server, whether that should continue to function in the upgraded WS2016 AD environment? There will also be some file sharing from client computers to another WS2016 file server, which I believe from posts on EE should not be a problem.

If the above is probably not going to work (AD is otherwise stable), then the question becomes whether and how to split the AD under the same forest, leaving the legacy AD roles from WS2003 to run off the original WS2003 AD partition for Accounts (with or without a VLAN?) and migrating other objects to a new (tree? domain?)

Any input/thoughts on breaking down the problem greatly appreciated...
Asked by Adam Bell.

Mahesh (Architect) commented:
From my previous experience, 2003 member servers can stay happily in a 2016 DC server network, but if any problem comes up, MS will not support the 2003 OS, and hence at some point you will need to rule it out.
Also, you can keep both versions of DCs (2003 and 2016) during the co-existence period. This period can be longer or shorter.

What you can do, before migrating the DC to the 2016 version, if the accounts file server is so *critical*, is migrate the file server data to a new Windows 2008 R2 / 2012 R2 server and make that server live as the accounts file server.

Now you can add 2016 DC servers to the network and after that remove the 2003 DC role from the old file server as well.

For XP machines, they will talk to 2008 R2 / 2012 R2 as file servers; again, MS will not support them in case of any issues, and then you must replace them with at least Windows 7 / 8.

As far as my understanding goes, do not create any new domain / forest only for keeping legacy OS servers, because these legacy OS servers are already beyond their extended life and at some point in the future you need to discard them.
For that matter, do not complicate your network by having another domain and the subsequent domain management and maintenance overheads.

Upgrade / transition guidelines by MS:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers

Mahesh.
Adam Bell (author) commented:
Thank you Mahesh. That makes sense.

The goal is definitely to eliminate WS2003 from the network. I do have a spare WS2008 license, and understand it is better not to get creative with AD structures as there are only about 80 users on the network. Will need to check which version of SQL Server that box is running and decide if we can go to WS2008 or stick with 2003 until a complete accounts system upgrade is possible after the year-end process.

XP PCs I will replace with Win10; fortunately the accounts department, which is critical, is using 7/8 already.

Thanks for your input much appreciated.
Shaun Vermaak (Technical Specialist/Developer) commented:
If the above is probably not going to work (AD is otherwise stable) then the question becomes whether and how to split the AD under the same forest, leaving the legacy AD roles from WS2003 to run off the original WS2003 AD partition for Accounts (with or without VLAN?) and migrate other objects to a new (tree ? domain?)
Please don't do that. You will not gain anything by adding another domain.

Do you have a spare 2012 R2 license for your file server?
Joseph Hornsey (President and Janitor) commented:
A few thoughts:

  • Adding another domain isn't the most horrible idea in the world, but only for certain situations, and I don't think yours is one of those. I agree with Mahesh and Shaun. I'd recommend keeping your forest as-is.
  • Given the age of your systems and, as Mahesh pointed out, the OS end-of-life status, I think you need to make sure everything moves towards the goal of getting rid of those old systems and their unsupported OSes. (This may be part of the overall plan you mentioned.)
  • Demoting the Win2K3 server to a member server shouldn't impact anything, assuming you have a basic single-domain forest. However, if there are multiple sites and that 2K3 DC is the only DC there, you could experience slower logons.
  • As far as file access goes, none of the systems should complain. There may be some ramifications with Access-Based Enumeration on 2016 file shares, DFS, Group Policy drive mappings or other GPO settings, so be prepared to roll back.

Here's what I would do (based on what little I know of your environment):

  • Migrate the shared folders over time and make sure each of those work for each group.
  • Make sure any FSMOs on the 2K3 server have been transferred.
  • If the 2K3 server is a Global Catalog server, make sure you take that into account.
  • If the 2K3 server is running DNS, plan on how you'll handle that.  For example, are the zones Active-Directory Integrated?
  • If the 2K3 server is running DHCP, make sure it remains authorized (that shouldn't be an issue).
  • If you're using Internet Authentication Service for RADIUS authentication, you'll need to plan for that, too.
  • Finally, demote the 2K3 server to a member server.

That's all I can think of off the top of my head.  Hope that helps!
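The checklist in Joseph's reply (FSMO roles, Global Catalog, DNS zone type, DHCP authorization, IAS) can be turned into a read-only audit run against the legacy DC before demoting it. The script below is an added example, not code from the thread or from Experts Exchange. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory and DhcpServer modules on the machine you run it from, at least one DC in the domain answering AD Web Services (2008 R2 or later, or 2008 with the AD Management Gateway) so the AD cmdlets work, and that `$LegacyDc` is a placeholder hostname you replace with your own. It also prints the forest and domain functional levels, which come up later in the thread.

```powershell
<#
  Added example (not from the thread): read-only pre-demotion audit for one
  legacy DC. Assumptions: Windows PowerShell 5.1, RSAT ActiveDirectory and
  DhcpServer modules, and a DC running AD Web Services for the AD cmdlets.
  $LegacyDc is a placeholder; nothing here changes the directory.
#>
param(
    [string]$LegacyDc = 'LEGACY-DC01'   # placeholder: the WS2003 DC you plan to demote
)

Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

"== Functional levels (adding a newer DC does not raise these) =="
"Forest: $($forest.ForestMode)   Domain: $($domain.DomainMode)"

"`n== FSMO role holders =="
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    $holder = $fsmo[$role]
    # A role still held by the legacy DC must be transferred before demotion.
    $note = if ($holder -like "$LegacyDc*") { '<-- transfer before demoting' } else { '' }
    '{0,-22} {1,-45} {2}' -f $role, $holder, $note
}

"`n== Global Catalog and site coverage =="
$dc = Get-ADDomainController -Identity $LegacyDc
"$LegacyDc is a GC: $($dc.IsGlobalCatalog); site: $($dc.Site)"
$otherGCs = @($forest.GlobalCatalogs | Where-Object { $_ -notlike "$LegacyDc*" })
"Other GCs in the forest: $($otherGCs -join ', ')"
# If this is the only DC in its site, clients there will log on across the WAN after demotion.
$siteDcs = @(Get-ADDomainController -Filter "Site -eq '$($dc.Site)'" |
             Where-Object { $_.HostName -notlike "$LegacyDc*" })
"Other DCs in site $($dc.Site): $(if ($siteDcs) { $siteDcs.HostName -join ', ' } else { 'NONE - expect slower logons' })"

"`n== Services on $LegacyDc (DNS, DHCP, IAS/RADIUS) =="
foreach ($svc in 'DNS', 'DHCPServer', 'IAS') {
    $s = Get-Service -ComputerName $LegacyDc -Name $svc -ErrorAction SilentlyContinue
    '{0,-12} {1}' -f $svc, $(if ($s) { $s.Status } else { 'not installed' })
}

"`n== DNS zones hosted on $LegacyDc =="
# The root\MicrosoftDNS WMI provider exists on 2003; Get-DnsServerZone needs 2012+ on the target.
$zones = Get-WmiObject -ComputerName $LegacyDc -Namespace 'root\MicrosoftDNS' `
             -Class MicrosoftDNS_Zone -ErrorAction SilentlyContinue
foreach ($z in $zones) {
    # AD-integrated zones already replicate to other DCs; a file-backed primary zone must be moved by hand.
    '{0,-40} DsIntegrated={1}' -f $z.Name, $z.DsIntegrated
}

"`n== DHCP servers authorized in AD =="
Import-Module DhcpServer
Get-DhcpServerInDC | ForEach-Object { '{0,-40} {1}' -f $_.DnsName, $_.IPAddress }
```

Run it from an admin workstation as a domain admin, e.g. `.\Pre-DemotionAudit.ps1 -LegacyDc LEGACY-DC01`, and keep the output with the change record: any FSMO line flagged for transfer, a lone GC or lone DC in a site, or a non-DS-integrated primary zone is work to do before `dcpromo` rather than after.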
Adam Bell (author) commented:
Hi Joseph

Thanks for this, all very good points.

As I plan to upgrade all hardware to WS2016 standard, I will have couple of spare 2018 licenses that can work on the new boxes as an interim measure if we experience filesharing problems.

That being said, I think the simplest way forward (there is no AD/DNS hosting on the WS2003 box; it runs SQL Server of equivalent vintage) is probably just to leave it as a member server, keep a single domain, etc.

The client PCs in the accounts dept which the SQL server services (SunSystem 4.xx) will be accessing files on another department server, currently a 2008 box. Apologies, I should have made this clearer before. So I am hoping they will be OK with 2016; if not, we can roll back to 2008.

My fundamental goal, in so far as it is possible at this stage, is to plan for minimal rollbacks, i.e. get the new DCs up and running on 2016 (step-by-step upgrade for the existing DC 2003-2008, 2008-2012, 2012-2016) over a weekend based on advice in a previous EE question, and hopefully avoid server rollbacks unless absolutely necessary, so that we have sufficient time to test the client PCs in order of critical priority before everyone shows up for work Monday morning.

Hope that makes sense and thanks again for your input.
Adam Bell (author) commented:
Shaun

Got it and have ditched that idea.

Yes, I do have a spare 2012 R2 license...

Only thing is I can't touch the accounts department system till around May when they've done year end.

Thanks for your input..
Shaun Vermaak (Technical Specialist/Developer) commented:
Only thing is I can't touch the accounts department system till around May when they've done year end.
Best to wait then. You can add the new DC in the meantime without changing the DFL and FFL.
Adam Bell (author) commented:
Thanks Shaun. I understand that a new DC with a higher winver is viable, and from previous posts I am hearing that is straightforward up to WS2012, but there are some file sharing and other issues if WS2016, and the FFL/DFL would remain at the WS2003 level.

It may be, therefore, that we go to WS2016 with 2012 downgrade licenses in upgrading all but the accounts servers.

Then take the system from 2012 to 2016 in May with the accounts system upgrade.

Thanks for your input.
Seth Simmons (Sr. Systems Administrator) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Mahesh (https:#a42487284)
-- Shaun Vermaak (https:#a42487595)
-- Joseph Hornsey (https:#a42488255)
-- Shaun Vermaak (https:#a42488411)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer