efrimpol asked:
Domain Rename/Upgrade from 2008 R2 to either 2012 R2 or 2016

Bit of a quandary.

I need to a) rename an Active Directory domain and b) upgrade servers to either 2012 R2 or 2016 (heard a few issues with 2019, so that can wait).

Would you rename, then upgrade, or would you upgrade first, then rename?

Background:

The internal domain name is from a previous company (oldcompany.com) that was upgraded over the years from the NT days, so the network is actually quite old.
The new company bought all the equipment because the old one went belly up, but continued using the domain internally, except for email.

Exchange had been outsourced with the new company, so all the clients were pointed to the email hosting company. The old company's email has been offline for a number of years now.

The idea was to be as minimally disruptive as possible, but that may have been a bad call at the time.

Now I want to fix it all up.

The new company has its own web presence under newcompanyinternational.com. I was thinking of just using newcompanyint.com internally, which is actually what the current email points to.

Just trying to get a feel before proceeding.
Jeff Glover:
You can rename a domain as long as your FFL and DFL are 2003 native or above. With 2008 R2, it should not be an issue. It is not an easy process, but this site outlines it pretty well. http://www.rebeladmin.com/2015/05/step-by-step-guide-to-rename-active-directory-domain-name/
That being said, I never saw one that went 100% according to plan, but since your email is hosted, you have an edge there. Personally, I would make sure I had a good System State from a DC, do the domain rename, keep it going for a few weeks to be sure there are no other issues, then "upgrade". I quote the upgrade because my personal feeling is never to upgrade an OS unless you absolutely have to. A clean install is best. If you have multiple DCs, then I would demote one, install a clean version of the new OS on the server and then promote it back to a DC. The first DC with the new OS will update the forest and schema for you. This is how we did it, going from 2008 to 2012 R2 to 2016. If you have shared folders on the DC, you can easily back up the registry key for the shares (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares) and then import it into the new OS. We normally would format just the C: drive when doing this, leaving other drives alone.
But this is just my take on things. Others may have different experiences.
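The pre-flight checks Jeff lists above (functional levels, a System State backup, and saving the LanmanServer share definitions before rebuilding a DC), collected into one PowerShell script. This is an added example, not code from the thread or from the rebeladmin guide. It assumes the ActiveDirectory RSAT module on the DC you run it from, a spare volume E: as the backup target, and the 2003 minimum that Jeff gives for the rename; adjust those to your own environment.

```powershell
# Added example (not from the thread): pre-flight before a domain rename or a
# clean-install DC replacement. Run elevated on a DC with RSAT-AD-PowerShell.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Jeff's rule: both levels must be Windows Server 2003 native or higher before rendom.
# The ADForestMode/ADDomainMode enums sort by release, so an integer compare works.
$minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
$minDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
"Forest functional level : $($forest.ForestMode)  (ok: $([int]$forest.ForestMode -ge $minForest))"
"Domain functional level : $($domain.DomainMode)  (ok: $([int]$domain.DomainMode -ge $minDomain))"

# Know where the FSMO roles live before you demote anything.
"Schema/DomainNaming : $($forest.SchemaMaster) / $($forest.DomainNamingMaster)"
"PDC/RID/Infra       : $($domain.PDCEmulator) / $($domain.RIDMaster) / $($domain.InfrastructureMaster)"

# Replication must be clean before either procedure; both tools ship with AD DS.
repadmin /replsummary
dcdiag /test:Replications /test:FSMOCheck /test:DNS /q

# System State backup of this DC (requires the Windows Server Backup feature).
# E: is an assumed target; use a local disk or UNC path that is not the C: you will wipe.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Share definitions survive a C: rebuild only if you carry this key across.
# The data volumes must come back under the same drive letters for the paths to resolve.
$sharesKey = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
$exportFile = "E:\lanmanserver-shares-$($env:COMPUTERNAME).reg"
reg export $sharesKey $exportFile /y
"Exported share definitions to $exportFile"

# On the rebuilt server, after it is a DC again and the data drives are attached:
#   reg import E:\lanmanserver-shares-OLDNAME.reg
#   Restart-Service LanmanServer
#   Get-SmbShare   # confirm the shares and their paths came back
```

Review the reg export before importing it on the new build: it carries share permissions as binary ACLs keyed to SIDs, which are only meaningful if the rebuilt server stays in the same domain (the rename keeps the domain SID, a move to a new forest does not).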
efrimpol (asker):
Currently FFL & DFL are at 2008 R2.

Yes, I saw and was reading the article regarding the domain rename that you pointed out prior to making the post. I am in the process of making a test environment and cloning some VMs and doing a dry run. The clones will be in an isolated test environment with no access to the live environment. See how it goes.

Regarding the upgrade, yes, it would make sense just to create the higher-OS DC as opposed to upgrading the DC. Once completed, transfer roles and demote the remaining DC and create the second DC. Then move on to upgrading the remaining member servers (print/file, etc.).
Good Luck. Hope it goes without a hitch
Thanks - probably won't happen for a month or two - will advise.
Domain rename is not supported in an environment with Exchange.

If the DCs are only DCs, upgrading is perfectly safe. Usually antivirus applications, such as SEP need to be removed first.

It would be beneficial if web presence can move to www.newcompanyinternational.com, this way you can use newcompanyinternational.com internally too. There's no reason to use different namespaces anymore and using the same actually makes things easier.
Gentlemen,

It was pointed out to me in an after hours conversation that creating a new domain would be "safer" route as opposed to doing the rename. This would be more involved and more time consuming as a lot of migration would need to take place.

Thoughts?
Safer, yes. Since your Exchange is hosted and not on-prem or hybrid, and your FFL is high enough, you are not blocked from doing a Domain rename but it can be a risky deal. (Hence why I specified you should do a System State backup first) How much more involved it would be depends on how big your network is.
I have to ask, what is the driving factor around the domain rename? Is it to have users' UPNs match their email? Is the NetBIOS name an issue? (Our internal domain name is a .local. Although we could change it, the sheer size of our main network makes this prohibitive for us business-wise.) We simply added the correct User Principal Name and all new accounts are made with it (all old accounts were modified for it).
There are a lot of migration documents out there. I imagine Shaun may have one (not sure, haven't looked) and I know his articles are extremely informative and helpful. I used the ADMT to migrate users and computers/servers between forests, consolidating 30 separate forests into one (we are an education company and each forest was originally a school; now all share one forest) and although it takes some planning and research to cross all the t's and dot all the i's, it is doable. But it will be more involved and you will have to make sure communication with users is top notch to prevent issues.
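The UPN-suffix route Jeff describes, which gives users a login and UPN that match their hosted mail address without renaming the domain, as an added PowerShell example (not code from the thread). The suffix newcompanyint.com is the asker's candidate name; the filter, dry-run and verification steps are assumptions about how you would want to apply it in bulk.

```powershell
# Added example (not from the thread): register a UPN suffix at forest level and
# move users onto it, leaving the domain's DNS/NetBIOS name untouched.
Import-Module ActiveDirectory

$oldSuffix = (Get-ADDomain).DNSRoot        # e.g. oldcompany.com (whatever the forest is today)
$newSuffix = 'newcompanyint.com'           # assumed: the domain the hosted mailboxes use

# 1. Register the suffix once (Enterprise Admins). Idempotent: skip if already present.
if ((Get-ADForest).UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity (Get-ADForest).Name -UPNSuffixes @{ Add = $newSuffix }
}

# 2. Enabled users still on the old suffix. The bit-OR matching rule on
#    userAccountControl excludes disabled accounts (ACCOUNTDISABLE = 0x2).
$filter = "(&(userPrincipalName=*@$oldSuffix)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$users  = Get-ADUser -LDAPFilter $filter -Properties userPrincipalName

# 3. Rewrite only the suffix; the prefix (what the user types) does not change.
#    -WhatIf makes this a dry run; remove it after reviewing the list it prints.
foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@', 2)[0]
    Set-ADUser -Identity $u -UserPrincipalName "$prefix@$newSuffix" -WhatIf
}

# 4. Anything left on the old suffix after the real run (expect disabled accounts only).
Get-ADUser -LDAPFilter "(userPrincipalName=*@$oldSuffix)" -Properties userPrincipalName |
    Select-Object SamAccountName, Enabled, UserPrincipalName
```

Users logging on with DOMAIN\username see no change; the new UPN is what they use for user@newcompanyint.com style logins and for any federation or cloud sign-in later. The sAMAccountName, SID and group memberships are untouched, which is why this is far lower risk than rendom.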
A bit of history...

Company A (website same name) went under. Company B see opportunity and buys all Company A's assets (computers, printers, everything, including inventory).

Company B sells Company A's inventory but under their name (Company B). Company B continues to use all the computers and equipment AS Company A. Email is changed from internal Company A to external (hosted) Company B.

So as far as anyone can detect, emails are being originated from Company B. Company A's internal email is eventually taken offline from external access and kept online for "historical views", but eventually is shut down (not removed from the domain! Kind of missed that point as of this writing, but mentioning it now. That email server has been shut down for over 3 years now).

Changes are made to reflect Company B name on all outbound documents, but they were still using the ERP system first as dual company (Both Company A & B), but eventually Company A ceased and continued as Company B only until they got a replacement ERP system as Company B.

Whew!

The domain was never changed or altered in this whole time. It is running "INTERNALLY", except for email AS COMPANY A. That is the dilemma. They want to break completely away from Company A. No history. No paperwork. No servers or computers referencing Company A at all.

That's where I come into the picture and that's what I have been tasked with.

Current environment is VMware. Servers running 2008 R2 and (2) 2003.

They have a myriad of servers: (2) DCs, (1) DHCP, (1) Print Server, (4) Application Servers (<-- these 4 are being kept separate because they each run specific applications, one of which is SQL17) , (1) File Server, (1) MSACCESS Database Server, and (1) Antivirus Server.

Right now, DHCP can be combined with the second DC. The File and Database Servers can also be combined, so I end up getting rid of 2 servers, but still a lot of servers left.

I know that the 4 application servers cannot be combined. 3 are VMs and 1 is physical (that's the one running SQL17). All are resource heavy, hence why they are each on their own server. 1 is the new ERP system, 1 is a document imaging system, and the other 2 are lab testing software. The physical is replacing the virtual, but the company wants both running at the same time until the virtual one can eventually be shut down.

In addition, all the client computers will need to be changed as well (domain-wise).

Like I said, this is going to be a huge undertaking and not for the faint of heart.
Forgot, about half of our staff has capability to work from home using laptops. They bring laptops to work but work from home once a week.
OK, thanks for the new info. Since Exchange still exists internally in part of your company, I think I have to agree with Shaun that a domain rename may be out of the picture here. Taking the server down for years and keeping it in AD is not a good thing in my opinion and it may just be unrecoverable, so removing Exchange may be an undertaking itself.
8 servers is not really much (we have ~400) so migrating to a new clean forest may still be your best bet. As I said, ADMT is a pretty good tool and if you don't want to use it, there are 3rd party tools out there that can be used (for a price).
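How to see, rather than guess, whether the long-dead Exchange server Jeff refers to is still registered in the forest: Exchange keeps its organization under the Configuration partition and stamps mailbox attributes on user objects, both of which outlive a server that was simply powered off. This is an added PowerShell example, not from the thread; it only reads AD and assumes the ActiveDirectory RSAT module on the machine it runs from. Whether and how to clean those objects out (ADSI Edit, or a proper uninstall if the server can be brought back) is a separate decision the thread does not settle.

```powershell
# Added example (not from the thread): inventory of Exchange remnants in AD.
# Read-only; run as a Domain Admin on a DC or an RSAT workstation.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext
$exchOrg  = "CN=Microsoft Exchange,CN=Services,$configNC"

# 1. Organization container: exists once Exchange was ever installed in the forest.
if ([adsi]::Exists("LDAP://$exchOrg")) {
    "Exchange organization container found: $exchOrg"

    # 2. One msExchExchangeServer object per server that was installed and never
    #    cleanly uninstalled. serialNumber carries the product version string.
    $servers = Get-ADObject -SearchBase $exchOrg -LDAPFilter '(objectClass=msExchExchangeServer)' -Properties serialNumber
    if ($servers) {
        $servers | Select-Object Name, serialNumber, DistinguishedName | Format-List
    } else {
        "Organization container present but no server objects remain."
    }
} else {
    "No Exchange organization in this forest; the Exchange objection to a rename does not apply."
}

# 3. Schema extension: permanent once applied, informational only (not a blocker by itself).
$schemaVer = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" -Properties rangeUpper -ErrorAction SilentlyContinue
if ($schemaVer) { "Exchange schema version (rangeUpper): $($schemaVer.rangeUpper)" }

# 4. Users still carrying mailbox attributes from the old server. These come along
#    in an ADMT migration unless excluded, so count them now.
$mailboxUsers = Get-ADUser -LDAPFilter '(msExchMailboxGuid=*)' -Properties mail
"Users with a stale msExchMailboxGuid: $($mailboxUsers.Count)"
$mailboxUsers | Select-Object SamAccountName, mail -First 10
```

If step 2 lists a server that no longer exists, the rename tooling's "no Exchange" prerequisite is not met even though nothing is running, which is the situation Jeff and Shaun are describing.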
Replied before seeing your last post. Doesn't change my recommendation, but I will say, if your users are using an Enterprise version of the Windows client (7 or above), you may want to visit DirectAccess. We are using it (we have around 300 road warriors). You will need to be on 2012 or 2016 to do it, but it is a good option.
This network has been upgraded so many times since the days of NT 4, but always under the same domain name.

Would I (or should I?) just build a new Server 2012R2/2016/2019 VM and start from there?

Unjoin/Join remaining servers? Same with clients? How would this affect the application servers? Users remote into the server (25 concurrent).

I will look into ADMT. Not too familiar with ADMT as I have never used it.
Jeff,
All the clients (except 2!) are Win7 Pro or higher. One of the XP boxes is running lab software that is attached to lab equipment. The other XP box will be replaced with Win10 Pro.
To wit... it also sucks that Win7/2008 EOL next Jan!
OK, going with Pro means no DirectAccess, so you will have to stay with what you have. Do you have a server acting as an RDS gateway or do you just have it set up as a Remote Desktop server with licenses? We use Citrix so I cannot really help you there. For the most part, the only thing that should change is the domain part of the login if it is used. That should not be too hard.
Personally, I have a couple of 2019 servers, but since we are mixed Win7/Win10 until later this year, and KMS is an issue with 2019, our AD will stay 2016 for a while. I would recommend that if you go that route.
As far as the ERP software and associated DB, you will have to refer to the documentation. You may have to stand up a parallel system and export/import data to get it to work. For normal file/print servers, moving them to a new forest is a simple disjoin, point to new DNS and join new domain. You may need to have a two-way trust between forests to minimize problems in the migration.
No migration is without headaches. Plan for any disaster you can imagine.

For ADMT, here is a link to the official guide. It has all the information on using the tool (It's from Microsoft so not the easiest read)
https://www.microsoft.com/en-us/download/details.aspx?id=19188
Here is a link to a series of articles. A little older but still easier to read.
https://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html
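The plumbing Jeff's post assumes before ADMT does anything useful: the two forests must resolve each other's names, a two-way forest trust must exist, and each file/print member server is then repointed at the new DNS and moved. This is an added PowerShell example, not from the thread or the linked ADMT guide. The old DC address 192.168.1.5 comes from the asker's later post; oldcompany.com, newcompanyint.com, the new DC at 192.168.1.50 and the interface alias are assumptions. ADMT itself (accounts, SID history, password export) is outside this block.

```powershell
# Added example (not from the thread): forest-to-forest plumbing for the migration.
# Placeholders: old forest oldcompany.com / DC 192.168.1.5 (from the asker),
# new forest newcompanyint.com / DC 192.168.1.50 (assumed).
$oldDomain = 'oldcompany.com';     $oldDc = '192.168.1.5'
$newDomain = 'newcompanyint.com';  $newDc = '192.168.1.50'

# --- On the NEW DC: AD-integrated conditional forwarder into the old forest (DnsServer module).
Add-DnsServerConditionalForwarderZone -Name $oldDomain -MasterServers $oldDc -ReplicationScope Forest
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$oldDomain" -Type SRV | Select-Object NameTarget, Port

# --- On the OLD DC, the mirror image (so old-forest members can find the new DCs):
#   Add-DnsServerConditionalForwarderZone -Name $newDomain -MasterServers $newDc -ReplicationScope Forest

# --- Two-way forest trust, created from the new forest. netdom prompts for both
#     admin passwords because of /pd:* and /po:*; no secrets go on the command line.
netdom trust $newDomain "/d:$oldDomain" /add /twoway "/ud:$oldDomain\Administrator" /pd:* "/uo:$newDomain\Administrator" /po:*
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, SIDFilteringForestAware

# --- Per member server (file/print): point DNS at the new DC, then swap domains in
#     one step. Run locally, or wrap in Invoke-Command to do several at once.
$oldCred = Get-Credential -Message "$oldDomain account permitted to remove the computer"
$newCred = Get-Credential -Message "$newDomain account permitted to join computers"
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $newDc
Add-Computer -DomainName $newDomain -Credential $newCred -UnjoinDomainCredential $oldCred -Force -Restart

# After the reboot, from the new domain:
#   Test-ComputerSecureChannel -Verbose
#   Get-ADComputer -Identity <servername> -Properties OperatingSystem, LastLogonDate
```

SID filtering is on by default for a forest trust (the SIDFilteringForestAware column); leave it on unless ADMT's SID-history phase needs it off temporarily, and turn it back on afterwards. Note that a rejoined file server's share ACLs still reference old-forest SIDs, which is exactly what ADMT's security translation step exists to fix.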
No RDS Gateway. 25 RDS Licenses. No KMS Server here.

Forest/Domain is at 2008 R2.
Regarding a new forest, is this done on the current DC? Or on a new VM?
Also, I just thought of something. Regarding disjoining/joining the end users, does that 'reset' applications, such as Office, Adobe Pro, etc.? Is that where ADMT comes into play?
I have created clones of the 2 DCs and the DHCP server and placed them into a vSwitch with no adapter. They can talk to each other but cannot access the live network.

I can run tests there with no worries of affecting end users.
New forest is a new server. Totally separate. A DC can only be in one forest. Not sure what "reset applications" means. If you are talking licensing, no. Since you are not using KMS, I imagine you are using commercial keys and they are in the machine, not the domain.
ADMT moves accounts, groups, passwords, SIDHistory, etc....
Reset applications - more or less like OOBE (out of box experience), as if logging into the computer for the first time. You open Adobe Reader and you have to Accept. You open an Office app, like Outlook, and instead of the mailbox you're prompted with "Welcome to Outlook... would you like to set up mailbox access" and you now have to do autodiscovery (or something of that nature).
Ah, yes... You may. New Domain, new login, new profile. I know there is some stuff in ADMT about translating local profiles but we never tried it.
That bites.
Additional question on setting up a new VM/DC 2016. The current 2008 DC is 192.168.1.5. We don't use VLANs and we have a VLAN-capable switch. If I set up the new VM under 192.168.10.5, can that be switched to the 1.5 after migrating clients?
I meant that we DON'T have a VLAN-capable switch (layer 3); we have layer 2 only.
ASKER CERTIFIED SOLUTION
Jeff Glover
[solution text not available on this page]
Got a new 2012 R2 VM and a Win 10 1803 VM up and running. I got AD DS up and running. Win10 has a static IP and DNS pointing to the new domain.

Both can get out to internet and client successfully joined new domain.

Stick a fork in me because I'm done. Will pick up next week.

Thanks.
I got the new forest/domain up and running as Jeff suggested and so far it's working. I can now investigate what I need to do to migrate users/servers and other things over.