Prepare
Plan
Action
Cleanup
RODC
Server Core
AD Snapshots (ntdsutil.exe, dsamain.exe)
DS Auditing (auditpol.exe)
Restartable AD service
DFSR replication of Sysvol
Fine-Grained Password Policy (FGPP)
Last Interactive Logon Info
Offline Domain Join
Managed Service Accounts (MSA)
Active Directory Recycle Bin (no built-in UI, PowerShell only, or 3rd-party tools)
PowerShell Cmdlets
AD Best Practice Analyzer
Protecting objects from accidental deletion
GPO features (Central Store, ADMX files, GPP)
Administrative Center
Authentication mechanism assurance for AD-FS
Advanced Encryption Services (AES 128 and 256) for Kerberos

Support Lifecycle for Windows Server 2003 SP2: Extended Support end date: July 2015

New Active Directory Administrative Center
GUI for FGPP management
GPO features and GPMC UI additions
Richer authorization through
July 2020
What are the upgrade goals?
Map existing resources (hardware, software, human)
What other roles do DCs perform?
Map the risks
Can you consolidate?
Can (should) you virtualize?
Time needed, downtime needed
Plan for rollback
Is it simpler to keep the old DCs' names and/or IP addresses?
Possible options:
1. New DCs, new names, new IPs: simplest
2. New DCs, new names, old IPs: medium complexity
You can do all this only on Windows Server 2012 DCs running on Hyper-V 3
If you decide to use the new DC(s) with new computer names and IP
addresses, do not forget:
Update Name Servers (NS) records
Zone Transfers
Domain Delegation
Bind Secondaries
Zone Scavenging
Forwarding to ISPs
Firewall ports (for eDNS)
DHCP settings for workstations that have dynamic IPs
Any workstation, server, device with manual DNS IP address
FSMO roles to transfer: Schema, Domain Naming, Infrastructure, PDC Emulator, RID
If all ok, both DCs agree to the transfer
If not ok, consider forcing (seize)
Check FSMO roles (fSMORoleOwner attribute) on the DomainDnsZones and ForestDnsZones partitions: http://support.microsoft.com/kb/949257
Easiest: Use NTDSUTIL (transfer):
  ntdsutil roles con "con to ser localhost" q "tran sche mas" "tran nam mas" "tran infra mas" "tran pdc" "tran rid mas" q q
If you must (seize):
  ntdsutil roles con "con to ser localhost" q "seize sche mas" "seize nam mas" "seize infra mas" "seize pdc" "seize rid mas" q q
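An added PowerShell check (not from the original deck) that inventories all FSMO owners before a demotion, including the fSMORoleOwner attribute on the DomainDnsZones and ForestDnsZones partitions that the forest/domain cmdlets do not report. It assumes the RSAT ActiveDirectory module on a domain-joined admin host, that the PDC emulator also hosts both DNS application partitions, and the $retiring host names are placeholders.

```powershell
# Added example: list every FSMO owner, including the application-partition
# infrastructure masters, and flag roles still held by DCs about to be demoted.
Import-Module ActiveDirectory

# Placeholder: the Windows Server 2003 DCs you intend to demote.
$retiring = @('OLDDC1', 'OLDDC2')

$forest = Get-ADForest
$domain = Get-ADDomain
$rootDn = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName

# The five classic roles as reported by the cmdlets (reduced to short host names).
$owners = [ordered]@{
    'Schema'         = ($forest.SchemaMaster         -split '\.')[0]
    'Domain Naming'  = ($forest.DomainNamingMaster   -split '\.')[0]
    'PDC Emulator'   = ($domain.PDCEmulator          -split '\.')[0]
    'RID'            = ($domain.RIDMaster            -split '\.')[0]
    'Infrastructure' = ($domain.InfrastructureMaster -split '\.')[0]
}

# Application partitions keep their own infrastructure master in fSMORoleOwner,
# a DN pointing at the owner's NTDS Settings object. If that DC is already gone,
# the DN contains "\0ADEL:" (the KB 949257 condition) and needs repair first.
# Assumption: the PDC emulator hosts both partitions (i.e. it runs DNS).
$partitions = @("DC=DomainDnsZones,$($domain.DistinguishedName)",
                "DC=ForestDnsZones,$rootDn")
foreach ($partition in $partitions) {
    $obj = Get-ADObject -Identity "CN=Infrastructure,$partition" `
                        -Properties fSMORoleOwner -Server $domain.PDCEmulator
    $dn = $obj.fSMORoleOwner
    if ($dn -match '\\0ADEL:') {
        $owners[$partition] = "<deleted DC: $dn>"
    } else {
        # Second RDN of "CN=NTDS Settings,CN=<server>,CN=Servers,..." is the DC name.
        $owners[$partition] = (($dn -split ',')[1] -replace '^CN=', '')
    }
}

# Report, marking anything that must be transferred or repaired before demotion.
$owners.GetEnumerator() | ForEach-Object {
    $action = 'ok'
    if ($retiring -contains $_.Value)     { $action = 'TRANSFER FIRST' }
    elseif ($_.Value -like '<deleted*')   { $action = 'REPAIR (KB 949257)' }
    [pscustomobject]@{ Role = $_.Key; Owner = $_.Value; Action = $action }
} | Format-Table -AutoSize
```

Run it again after the ntdsutil transfer to confirm no role still points at a retiring DC.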
Take your time to test
If all ok, demote old DCs one by one (dcpromo.exe)
If demoting is unsuccessful, consider forcing (/forceremoval) + clean AD from old DC remains (ntdsutil.exe): http://support.microsoft.com/kb/216498
Manually remove server objects from AD Sites and Services
Consider shutting down old DC(s) for a few days (the "who did it???!" effect)
Enable Recycle Bin
Discard all old DCs