Migrate Windows Server 2008/R2 Active Directory to Windows Server 2012/R2 Active Directory

Forest Functional Prerequisites

  1. Check that the Domain Functional Level is currently set to at least Windows Server 2003 mode.
  2. Open the Active Directory Users and Computers console and right-click the domain.
  3. Select Raise Domain Functional Level and confirm that the Current domain functional level shown is at least Windows Server 2003.

RBAC Requirement

Your account must be a member of Domain Admins, Schema Admins and Enterprise Admins.

Systems Requirement

Processor: 1 vCPU
RAM: 4 GB
Free disk space: 32 GB
Screen resolution: 800 x 600 or higher
Network: 1 Ethernet adapter
DVD drive: 1

Prepare Windows Machine

  1. Download Windows Server 2012 R2.
  2. Build the Windows Server 2012 R2 server.
  3. Assign a static IP address and join the server to the domain.

Prepare Forest and Domain

  1. Mount the Windows Server 2012 R2 ISO on the Windows Server 2008 R2 Domain Controller.
  2. Log on to the Windows Server 2008 R2 Domain Controller as an administrator.
  3. Open a command prompt as an administrator, type adprep /forestprep and press Enter.
  4. Open a command prompt as an administrator, type adprep /domainprep and press Enter.

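Before running adprep it is worth confirming the prerequisites above from a script rather than by eye. The following is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module and repadmin are available on the machine it runs on, and that schema objectVersion 69 (Windows Server 2012 R2) and 47 (Windows Server 2008 R2) are the values being compared.

```powershell
# Added example (not from the original article): pre-flight checks before introducing
# the first Windows Server 2012 R2 domain controller. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Functional levels: the domain must be at least Windows Server 2003 mode.
"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"
if (@('Windows2000Domain', 'Windows2003InterimDomain') -contains "$($domain.DomainMode)") {
    Write-Warning 'Domain functional level is below Windows Server 2003; raise it before continuing.'
}

# 2. Schema version. objectVersion 69 means adprep /forestprep for 2012 R2 has already run;
#    47 is the unextended Windows Server 2008 R2 schema.
$schemaDn      = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaDn -Properties objectVersion).objectVersion
"Schema objectVersion    : $schemaVersion"
if ($schemaVersion -lt 69) {
    'Schema not yet extended for Windows Server 2012 R2: run adprep /forestprep and /domainprep.'
}

# 3. Current FSMO role holders (record these; they are transferred later in the procedure).
'FSMO role holders:'
$forest | Select-Object SchemaMaster, DomainNamingMaster | Format-List
$domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster | Format-List

# 4. Replication health on every existing DC: adprep must not be run in a forest with
#    replication failures, or the schema changes will not reach every DC.
repadmin /replsummary

# 5. Group membership required for adprep: Schema Admins, Enterprise Admins, Domain Admins.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[1]
foreach ($g in 'Schema Admins', 'Enterprise Admins', 'Domain Admins') {
    $member = Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.SamAccountName -eq $me }
    '{0,-18}: {1}' -f $g, $(if ($member) { 'member' } else { 'NOT a member' })
}
```

Run it once on the existing 2008 R2 DC before adprep and again afterwards; the schema version line should move from 47 to 69.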
Install AD DS Role

  1. Open the Server Manager console and click Add roles and features.
  2. Select Role-based or feature-based installation and click Next.
  3. Select the Active Directory Domain Services role.
  4. Accept the default features required by clicking the Add Features button.
  5. On the Features screen click the Next button.
  6. On the Confirm installation selections screen, optionally tick Restart the destination server automatically if required, then click the Install button.
  7. Click the Close button once the installation has completed.
  8. Once completed, a notification appears on the dashboard, highlighted by an exclamation mark. Select it and, in the drop-down menu, select Promote this server to a domain controller.
  9. Select Add a domain controller to an existing domain.
  10. Ensure the target domain is specified. If it is not, either select the proper domain or enter it in the field provided.
  11. Click Change, provide the required Enterprise Administrator credentials and click the Next button.
  12. Define whether the server should be a Domain Name System (DNS) server and a Global Catalog (GC). Select the Site to which this DC belongs and define the Directory Services Restore Mode (DSRM) password for this DC.
  13. Click the Next button on the DNS options screen.
  14. Click the Next button once completed.
  15. Specify the location for the AD database and SYSVOL and click the Next button.
  16. Next is the Schema and Domain preparation. Alternatively, ADPrep can be run before commencing these steps; if ADPrep has not been run, the wizard completes it automatically on your behalf.
  17. Finally, the Review Options screen provides a summary of all of the selected options for the server promotion. As an added bonus, clicking the View Script button gives you the PowerShell script to automate future installations. Click the Next button to continue.
  18. Should all the prerequisites pass, click the Install button to start the installation.
  19. After it completes the required tasks and the server restarts, the new Windows Server 2012 R2 Domain Controller setup is completed.
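The wizard's View Script button produces a script of the same shape as the one below. This is an added example, not the script the wizard generated for this article's environment: the domain name corp.example.com, the site name and the paths are assumptions, and the credentials and DSRM password are prompted for rather than embedded.

```powershell
# Added example (not the wizard-generated script): promote a freshly built Windows Server
# 2012 R2 member server to an additional DC of an existing domain. Assumed values below.
$DomainName = 'corp.example.com'          # assumed; use your own domain
$SiteName   = 'Default-First-Site-Name'   # assumed; the AD site this DC belongs to

# Install the AD DS role binaries (equivalent to the Add Roles and Features wizard).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompt for Enterprise Admins credentials and the DSRM password; never hard-code either,
# the DSRM password is an offline administrator password for the directory database.
$cred = Get-Credential -Message 'Enterprise Admins account used for the promotion'
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Dry run: the same prerequisite check the wizard performs before the Install button.
Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName $SiteName

# Promote as DNS server and Global Catalog (GC is the default unless -NoGlobalCatalog is given).
# -Force suppresses the confirmation prompt; the server reboots when the promotion completes.
Install-ADDSDomainController `
    -DomainName $DomainName `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns `
    -SiteName $SiteName `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -Force
```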

Check New Domain Controller in AD Sites and Services

  1. Open Active Directory Users and Computers, expand <Your Domain> and click the Domain Controllers OU to verify that your server is listed.
  2. Open DNS Manager, right-click <Your Domain>, select Properties, click the Name Servers tab and verify that your server is listed.
  3. Open Active Directory Sites and Services and verify that your server is listed under Servers in Default-First-Site-Name.

Check New Domain Controller in DNS Manager

  1. Open DNS Manager on the new Domain Controller.
  2. Expand Forward Lookup Zones.
  3. Select the zone for your domain's FQDN, double-click the Name Server (NS) record, open Properties and check that the new server appears on the Name Servers tab.
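The same three checks (DC object and site, NS record, DNS registration) can be scripted and run on the new DC before any FSMO role is moved to it. Added example, not part of the original article; the domain name corp.example.com, the new DC name DC2012R2 and a separate _msdcs zone are assumptions.

```powershell
# Added example (not from the original article): verify the new DC's registration.
# Run on the new DC. Assumed names: domain corp.example.com, new DC DC2012R2.
Import-Module ActiveDirectory, DnsServer
$DomainName = 'corp.example.com'   # assumed
$NewDc      = 'DC2012R2'           # assumed
$fqdn       = "$NewDc.$DomainName."   # trailing dot: DNS record data stores absolute names

# 1. Domain Controllers OU and AD Sites and Services: the DC object, its site and its roles.
Get-ADDomainController -Identity $NewDc -Server $NewDc |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles

# 2. DNS Manager > zone > Name Servers tab: an NS record naming the new DC must exist.
$ns = Get-DnsServerResourceRecord -ZoneName $DomainName -RRType NS |
      Where-Object { $_.RecordData.NameServer -eq $fqdn }
if ($ns) { "NS record present for $fqdn" } else { Write-Warning "No NS record for $fqdn" }

# 3. SRV records clients use to locate a DC (LDAP, Kerberos): assumes the usual separate
#    _msdcs.<domain> zone created by AD-integrated DNS.
$srv = @(Get-DnsServerResourceRecord -ZoneName "_msdcs.$DomainName" -RRType Srv |
         Where-Object { $_.RecordData.DomainName -like "$NewDc.*" })
"$($srv.Count) _msdcs SRV records point at $fqdn"
if ($srv.Count -eq 0) { Write-Warning 'No SRV records yet: restart Netlogon or wait for registration.' }

# 4. Inbound replication must be error-free before this DC is given any FSMO role.
Get-ADReplicationPartnerMetadata -Target $NewDc |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
```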

Transfer FSMO Role

Now transfer all the FSMO roles from the Windows Server 2008 R2 domain controller to the Windows Server 2012 R2 domain controller. Log on to the Windows Server 2008 R2 domain controller as an Enterprise Admin, open a command prompt and enter the following commands one at a time (replace WIN2012R2SERVERNAME with the name of the new domain controller):

  ntdsutil
  roles
  connections
  connect to server WIN2012R2SERVERNAME
  q
  Transfer domain naming master
  Transfer PDC
  Transfer Schema Master
  Transfer RID master
  Transfer infrastructure master

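The ntdsutil session above can be replaced by one cmdlet call, with a before-and-after check that every role actually landed on the new server. Added example, not part of the original article; it reuses the placeholder name WIN2012R2SERVERNAME from the text and assumes the ActiveDirectory module on a machine that can reach both DCs.

```powershell
# Added example (not from the original article): PowerShell equivalent of the ntdsutil
# transfer above, with verification. Placeholder DC name taken from the article.
Import-Module ActiveDirectory
$NewDc = 'WIN2012R2SERVERNAME'

function Get-FsmoHolders {
    $f = Get-ADForest; $d = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

'Before:'; Get-FsmoHolders

# Transfer, not seize: the current holder is online and hands the roles over cleanly.
# Seizing (-Force) is only for a holder that is permanently gone; the old DC must then never return.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

'After:'; $after = Get-FsmoHolders; $after

# Every role must now report the new DC's FQDN; anything else means a transfer did not complete.
$expected = (Get-ADDomainController -Identity $NewDc).HostName
$wrong = @($after.GetEnumerator() | Where-Object { $_.Value -ne $expected })
if ($wrong.Count -gt 0) { Write-Warning "Roles not on ${expected}: $(($wrong | ForEach-Object { $_.Key }) -join ', ')" }
else { "All five roles held by $expected" }

# Cross-check with the classic tool; it should list the same host for all five roles.
netdom query fsmo
```
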
Change DNS Properties of Servers and Workstations

Each server and workstation in the target domain needs its NIC DNS settings updated to point to the new Domain Controller. For DHCP clients, open the DHCP management console, select scope option 006 (DNS Servers) under the server scope options and add the IP address of your new Domain Controller as a DNS server.
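A scripted version of this step, covering both DHCP clients (scope option 006) and statically addressed servers, with a check that the new DC answers domain locator queries. Added example, not part of the original article; the addresses 192.0.2.10 (new DC), 192.0.2.5 (old DC), the scope 192.0.2.0 and the domain corp.example.com are constructed values, and the DhcpServer and DnsClient modules (Windows Server 2012 and later) are assumed.

```powershell
# Added example (not from the original article): repoint DNS clients at the new DC.
# Constructed values: new DC 192.0.2.10, old DC 192.0.2.5, DHCP scope 192.0.2.0.
$NewDns = '192.0.2.10'
$OldDns = '192.0.2.5'
$Scope  = '192.0.2.0'

# --- DHCP clients: scope option 006 (DNS Servers). Run on the DHCP server.
Get-DhcpServerv4OptionValue -ScopeId $Scope -OptionId 6 -ErrorAction SilentlyContinue  # record current value
# New DC first; keep the old DC second only until it is demoted, then remove it, otherwise
# clients will keep sending queries to a server that no longer hosts the zone.
Set-DhcpServerv4OptionValue -ScopeId $Scope -DnsServer $NewDns, $OldDns

# --- Statically addressed servers: run on each server. Replace the old DC on every IPv4
#     interface that still lists it, preserving any other resolvers in their existing order.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains $OldDns } |
    ForEach-Object {
        $iface = $_
        $addresses = @($NewDns) + @($iface.ServerAddresses | Where-Object { $_ -ne $OldDns })
        Set-DnsClientServerAddress -InterfaceIndex $iface.InterfaceIndex -ServerAddresses $addresses
    }

# --- Verify: interfaces now list the new DC, and the new DC answers the DC locator SRV query.
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example.com' -Type SRV -Server $NewDns |
    Select-Object Name, NameTarget, Port
```

Renew a DHCP client (ipconfig /renew) to confirm it picks up the new option value before the old DC is demoted.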

Removing the Windows 2008 R2 domain controller

  1. On the Windows 2008 R2 server click Start, Click Run, type dcpromo, then click
  2. After the Welcome to the Active Directory Installation Wizard page, be sure to leave the Delete the domain because this server is the last domain controller in the domain
  3. On the Administrator Password Page, enter your password and click Next.
  4. On the Summary page, click Next, wait for the process to end, then click
  5. On the Completing the Active Directory Domain Services Installation Wizard, click
  6. On the Active Directory Domain Services Installation Wizard page, click Restart Now to Restart the server.
  7. After the reboot has completed, remove the Windows Server 2008 R2 server from the domain (move it to a workgroup) and remove any leftover records for it from Active Directory Sites and Services.

Note: Wait for all schema objects to be cleaned up automatically. Do not rush to clean up any schema object or DNS record on the new Domain Controller.

Why should you not use a yourdomain.local domain?

Microsoft recommended the use of a .local domain when it released Microsoft Small Business Server. Microsoft also understood that an SBS customer might not have the in-house expertise to manage an Active Directory domain and Exchange Server, and that an SBS user would not have a proper firewall. Exchange Autodiscover and single sign-on for SharePoint and Lync Server were obviously not in the picture at that time, so Microsoft recommended the use of a .local domain in Active Directory. Those who worked in SBS environments thought they could take that concept and implement a .local domain in any organization, which is a fundamental design flaw.

You have to understand that the .local domain is a concept from the past. Technology has changed a lot since then, and you should change with it. But when I visit clients I see that old dogs don't learn new tricks, which means their Autodiscover doesn't work. These clients end up with many issues and blame Microsoft. You should ask yourself whether you designed your Active Directory and DNS correctly. Why would you expect Autodiscover to function correctly when your DNS is messy?

When you are promoting a new domain or a new forest, it is highly recommended that you use a registered domain name, for example yourdomain.com.au. Again, those who worked in the SBS era will raise concerns about hacking, TLDs and so on. I would address their concern by asking them whether they have designed and configured a correct firewall and security in their corporate infrastructure. If not, they should hire a security professional who will address that concern. Simply promoting a yourdomain.local domain will not secure your domain; it gives you a false sense of security that your Active Directory is safe, while in reality your corporate network might be open and vulnerable to hacking.

Here is why you should use yourdomain.com.au, or another registered domain, in Active Directory.

  • To implement correct Exchange Autodiscover
  • To discover the correct registered domain for SharePoint and Lync Server
  • To implement single sign-on
  • To install correct public certificates for Exchange, SharePoint and Lync. Note that public Certificate Authorities no longer issue certificates for .local domain names
  • To use the correct UPN of your registered domain
  • To set up correct local and public DNS
  • To design Active Directory correctly. You shouldn't use the SBS server as your model. Microsoft retired SBS for many reasons. The brutal truth is that Microsoft didn't want to lose poorer customers who couldn't afford an open license or software assurance, so most SBS users got an OEM license through a hardware vendor or a reseller.
  • To follow the guidelines of IANA and IEEE when you deal with a domain.

What should you do if you already have a .local domain on an SBS server?

If your SBS server is 2008, create an Active Directory DNS zone for your registered domain (example: yourdomain.com.au), then add HOST (A) records with PTR for webmail (or mail) and autodiscover in the yourdomain.com.au zone. Create public DNS records for webmail.yourdomain.com.au and autodiscover.yourdomain.com.au.

http://www.yourdomain.com.au (example registered domain) doesn't resolve after creating the yourdomain.com.au zone?

This happens when http://www.yourdomain.com.au is hosted with a third-party web host rather than internally. There is an easy fix: create a DNS forwarder or conditional forwarder for http://www.yourdomain.com.au. Follow this URL to configure a conditional forwarder. For example, you can forward http://www.yourdomain.com.au to the Google DNS servers, the DNS servers of your ISP, or the DNS servers of the web host that is actually hosting http://www.yourdomain.com.au. To find out who is hosting your website and their DNS records, go to https://www.easywhois.com/, type yourdomain.com.au and press Enter.
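The two fixes above (internal zone for the registered name with webmail/autodiscover records, plus a conditional forwarder for the externally hosted www name) as one script run on the internal DNS server. Added example, not part of the original article; the mail server address 192.0.2.25 and the web host's DNS server 198.51.100.53 are constructed values (the real one is whatever the WHOIS lookup reports), and a reverse lookup zone for the mail server's subnet is assumed to exist for the PTR records.

```powershell
# Added example (not from the original article): split DNS for a registered domain on an
# internal DNS server. Constructed values: mail server 192.0.2.25, web host DNS 198.51.100.53.
Import-Module DnsServer
$Zone   = 'yourdomain.com.au'
$MailIp = '192.0.2.25'
$WebDns = '198.51.100.53'

# 1. Internal AD-integrated zone for the registered name, replicated to every DC in the domain.
#    Secure dynamic update only: unauthenticated hosts must not be able to register names here.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. HOST (A) records with PTR for webmail and autodiscover, both pointing at the mail server.
#    -CreatePtr needs a matching reverse lookup zone (assumed here) or the cmdlet fails.
foreach ($label in 'webmail', 'autodiscover') {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $label -IPv4Address $MailIp -CreatePtr
}

# 3. www is hosted externally, so the internal zone cannot answer for it. A conditional
#    forwarder for www.yourdomain.com.au sends only that name to the web host's DNS servers;
#    it is more specific than the parent zone, so it wins the lookup for www.
Add-DnsServerConditionalForwarderZone -Name "www.$Zone" -MasterServers $WebDns -ReplicationScope Domain

# 4. Verify: webmail/autodiscover answer from the internal zone, www via the forwarder.
foreach ($name in "webmail.$Zone", "autodiscover.$Zone", "www.$Zone") {
    Resolve-DnsName -Name $name -Type A -Server localhost | Select-Object Name, IPAddress
}
```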

Further Study:

http://microsoftguru.com.au/2011/05/28/microsoft-active-directory-best-practice/ 

http://microsoftguru.com.au/2012/07/29/microsoft-active-directory-best-practice-part-ii/

http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html 

http://technet.microsoft.com/en-us/library/cc757172%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/cc754941.aspx

http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx

Performing a Staged RODC Installation using the GUI

Staging an RODC allows an administrator to perform the installation without travelling to the site. You can stage an RODC installation in four steps. Step 1, Step 2 and Step 3 are performed at the head office, where the authoritative domain controller is located, by a member of Domain Admins. Step 4 is performed at the site office, where the site admin and the RODC are located.

Assumption:

· RODC NetBIOS Name: DC4

· RODC Security Group: RODCAdmins

· Forest: Superplaneteers.com

Step1: Prepare Environment

· Install Operating System on RODC Server

· Activate Windows Server 2012

· Configure TCP/IP Properties of the Server

· Rename the RODC server to the desired NetBIOS name (example: DC4)

Step2: Add Site Admin to the RODCAdmins Security Group in AD

Open Active Directory Users and Computers, right-click the desired OU, click New, click Group and create a security group named RODCAdmins.

Add the site admins to the RODCAdmins group.

Step3: Create an RODC Computer Account

Open Active Directory Users and Computers, select the Domain Controllers OU, click Action and click Pre-create Read-only Domain Controller account.

Click Next. On the Welcome to the Active Directory Domain Services Installation Wizard page, if you want to modify the default Password Replication Policy (PRP), select Use advanced mode installation, and then click Next.

On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials, and then click Next.

On the Specify the Computer Name page, type the computer name of the server that will be the RODC.

On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to the IP address of the computer on which you are running the wizard, and then click Next.

On the Additional Domain Controller Options page, select Domain Name System (DNS), Global Catalog (GC) and Read-only Domain Controller (RODC), and then click Next.

On the Delegation of RODC Installation and Administration page, type the name of the user or the group who will attach the server to the RODC account that you are creating. To search the directory for a specific user or group, click Set. In Select Users, Computers, or Groups, type the name of the user or group. When you are finished, click Next.

On the Summary page, review your selections. Click Back to change any selections, if necessary.

When you are sure that your selections are accurate, click Next to create the RODC account.

On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

Step4: Attach a server to an RODC account using Server Manager

This step is performed at the site office where the RODC is located. The server on which you perform this procedure must not be a domain member. In Windows Server 2012, you use the Add Roles and Features Wizard in Server Manager to attach a server to an RODC account. Follow this procedure to promote an RODC at the branch office.

1. Log on to Server DC4 as local Administrator. In Server Manager, click Add roles and features. On the Before you begin page, click Next.

2. On the Select installation type page, click Role-based or feature-based installation and then click Next.

3. On the Select destination server page, click Select the local server from the server pool, click Next.

4. On the Select server roles page, click Active Directory Domain Services, click Add Features and then click Next.

5. On the Select features page, select any additional features that you want to install and click Next.

6. On the Active Directory Domain Services page, review the information and then click Next.

7. On the Confirm installation selections page, click Install.

8. On the Results page, verify Installation succeeded, and click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard.

9. On the Deployment Configuration page, click Add a domain controller to an existing domain, type the name of the domain superplaneteers.com, specify an account that is a member of the RODCAdmins group (which is delegated to manage and install the RODC), and then click Next.

10. On the Domain Controller Options page, click Use existing RODC account in this case DC4, type and confirm the Directory Services Restore Mode password, and then click Next.

11. On the Additional Options page, select the head office domain controller from which you want to replicate the AD DS installation data, or, if your sites are configured correctly, allow the wizard to select any domain controller, and then click Next.

12. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder, or accept default locations, and then click Next.

13. On the Review Options page, confirm your selections, click Next.

14. Once the Prerequisites Check succeeds, click Install.

15. To complete the AD DS installation, the server will restart automatically.
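The staged deployment above (Step 3 at head office, Step 4 at the branch) in PowerShell, with a check of the Password Replication Policy in between. Added example, not part of the original article; it uses the article's assumptions (RODC DC4, group RODCAdmins, forest superplaneteers.com), and the site name Branch01, the group BranchUsers and the head office DC dc1.superplaneteers.com are further assumptions.

```powershell
# Added example (not from the original article): staged RODC deployment in PowerShell.
# From the article: RODC DC4, delegated group RODCAdmins, forest superplaneteers.com.
# Assumed here: site Branch01, group BranchUsers, head office DC dc1.superplaneteers.com.
$Domain = 'superplaneteers.com'
$Rodc   = 'DC4'

# --- Step 3 (head office, run as a Domain Admin): pre-create the RODC account.
# Delegating to RODCAdmins lets branch staff attach the server without Domain Admins rights.
# Only BranchUsers' passwords may be cached on the RODC; everyone else authenticates via
# the head office DC, so a stolen branch server yields no other credentials.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $Rodc `
    -DomainName $Domain `
    -SiteName 'Branch01' `
    -DelegatedAdministratorAccountName 'SUPERPLANETEERS\RODCAdmins' `
    -InstallDns `
    -AllowPasswordReplicationAccountName 'SUPERPLANETEERS\BranchUsers'

# PRP check: the default Denied list (Domain Admins, Enterprise Admins, Schema Admins,
# Account Operators, ...) must remain in place on the pre-created account.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name

# --- Step 4 (branch office, run on DC4 as local Administrator; DC4 must be in a workgroup).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$cred = Get-Credential -Message 'Account that is a member of RODCAdmins'
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# -UseExistingAccount attaches this server to the pre-created DC4 object instead of creating
# a new DC account; -ReplicationSourceDC pins the initial replication to the head office DC.
Install-ADDSDomainController `
    -DomainName $Domain `
    -UseExistingAccount `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -ReplicationSourceDC "dc1.$Domain" `
    -Force
```

After the reboot, run the two PRP queries again against the attached DC4 to confirm no privileged group has been added to the Allowed list.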