
Why upgrade?

Plan
Prepare
Action
Cleanup
RODC
Server Core
AD Snapshots (ntdsutil.exe, dsamain.exe)
DS Auditing (auditpol.exe)
Restartable AD service
DFSR replication of Sysvol
Fine-Grained Password Policy (FGPP)
Last Interactive Logon Info
Offline Domain Join
Managed Service Accounts (MSA)
Active Directory Recycle Bin (no built-in UI: PowerShell only, or 3rd-party tools)
PowerShell Cmdlets
AD Best Practice Analyzer
Protecting objects from accidental deletion
GPO features (Central Store, ADMX files, GPP)
Administrative Center
Authentication mechanism assurance for AD-FS
Advanced Encryption Standard (AES 128 and 256) for Kerberos
Support Lifecycle for Windows Server 2003 SP2:
Extended Support end date: July 2015
New Active Directory Administrative Center additions:
GUI for FGPP management
GUI for AD Recycle Bin
PowerShell History Viewer
GPO features and GPMC UI additions
Richer authorization through Dynamic Access Control & File Classification Infrastructure
Active Directory-based Activation


Simplified Deployment and Preparation
Dynamic Access Control (DAC) policies and claims
Group Managed Service Accounts (GMSA)
Virtualization-Safe Windows Server 2012 DC (requires Hypervisor support for VM-Generation-ID)
Rapid virtual DC deployment through DC-cloning (requires Hypervisor support for VM-Generation-ID)
Increased Kerberos strength (Kerberos Armoring, or FAST)
Increased RID Pool
No additional features
Support Lifecycle for Windows Server 2008 R2 SP1:
Mainstream Support end date: January 2015
Extended Support end date: July 2020
What are the upgrade goals?
Map existing resources (hardware, software, human)
What other roles do DCs perform?
Map the risks
Can you consolidate?
Can (should) you virtualize?
Time needed, downtime needed
Plan for rollback
Is it simpler to keep the old DCs' names and/or IP addresses? Possible options:
1. New DCs, new names, new IPs: simplest
2. New DCs, new names, old IPs: medium complexity
3. New DCs, old names, old IPs: may be more complex
DES encryption types for the Kerberos authentication protocol issues (DES is disabled by default from Windows 7 / Windows Server 2008 R2 onwards):
SAP
Oracle Internet Directory (OID), CA Identity Manager, Tivoli Identity Management
Samba and other Linux/Unix interoperability
NetApp filers, EMC Celerra or (potentially) other storage devices
Firewalls, VPN, RADIUS
http://support.microsoft.com/kb/977321
Resource SID Compression:
Resource SID Compression in Windows Server 2012 may cause
authentication problems on NAS devices:
http://support.microsoft.com/kb/2774190
SMB Secure Negotiate
"System error 2148073478," "extended error," or "Invalid Signature" error
on SMB connections in Windows 8 or Windows Server 2012:
http://support.microsoft.com/kb/2686098
Smart Cards, certificates, EFS Recovery Agent keys
Non-compatible customized password filters
Time keeping software
Exchange servers with manual DC configuration
LDAP Query Policies with non-default settings
TSL (tombstone lifetime) - default is 60 days for forests created before Windows Server 2003 SP1, 180 days for forests created with Windows Server 2003 SP1 or later
- If the attribute is <not set>, the effective value is 60 days
- If the forest is upgraded, TSL is not automatically changed
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr tombstonelifetime
Static ports:
RPC Netlogon
RPC Replication
FRS
Manual connection objects in AD Sites and Services
Preferred Bridgehead Servers in AD Sites and Services
Firewalls, TMG/UAG/ISA, VPN, RADIUS/IAS, Switches with 802.1X
3rd-party applications that are hard-coded to work against specific DCs
Make sure DFL and FFL are Windows 2000 Native or above (a Windows Server 2012/2012 R2 DC can only be added to a forest at the Windows Server 2003 functional level or higher)
If they exist, all Windows 2000 DCs must be running SP4
Issues with Win9X/NT4.0 client computers:
http://support.microsoft.com/kb/555038
http://support.microsoft.com/kb/946405
http://support.microsoft.com/kb/942564
Issues with External Trusts to NT4.0 domains:
http://support.microsoft.com/kb/2021766
dsquery * "dc=ad,dc=petri-labs,dc=com" -scope base -attr msDS-Behavior-Version
dsquery * "cn=partitions,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr msDS-Behavior-Version
msDS-Behavior-Version values:
Windows 2000 = 0 or <not set> (mixed vs. native is the ntMixedDomain attribute on the domain object: 1 = mixed, 0 = native)
Windows Server 2003 interim = 1
Windows Server 2003 = 2
Windows Server 2008 = 3
Windows Server 2008 R2 = 4
Windows Server 2012 = 5
Windows Server 2012 R2 = 6
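The same pre-flight checks (tombstone lifetime, domain and forest functional level, mixed vs. native) in one script, as an added example that is not from the original deck. It uses [ADSI] so it runs from any domain-joined machine without the RSAT ActiveDirectory module, and discovers the naming contexts from RootDSE, so nothing is tied to the deck's dc=ad,dc=petri-labs,dc=com lab. The warning thresholds (level 2, 180 days) are the ones stated on the slides above.

```powershell
# Added example, not code from the original deck. Reads the tombstone
# lifetime and the domain/forest functional levels that the dsquery lines
# above look up, via [ADSI] (no RSAT module needed). DNs come from RootDSE.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Properties['defaultNamingContext'].Value
$configDn = $rootDse.Properties['configurationNamingContext'].Value

# msDS-Behavior-Version decoding table (same values as the slide)
$levelName = @{
    0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2'
    5 = 'Windows Server 2012'; 6 = 'Windows Server 2012 R2'
}

function Get-BehaviorVersion([string]$dn) {
    $v = ([ADSI]"LDAP://$dn").Properties['msDS-Behavior-Version'].Value
    if ($null -eq $v) { 0 } else { [int]$v }   # attribute absent = level 0
}

$domain = [ADSI]"LDAP://$domainDn"
$dfl    = Get-BehaviorVersion $domainDn
$ffl    = Get-BehaviorVersion "CN=Partitions,$configDn"
# Level 0 covers both Windows 2000 mixed and native; ntMixedDomain tells them apart
$mixed  = ([int]$domain.Properties['ntMixedDomain'].Value) -eq 1

$dsObj  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configDn"
$tsl    = $dsObj.Properties['tombstoneLifetime'].Value
if ($null -eq $tsl) { $tsl = 60 }   # <not set> means the 60-day default applies

[pscustomobject]@{
    Domain                = $domainDn
    DomainFunctionalLevel = "$dfl ($($levelName[$dfl])$(if ($mixed) { ' mixed' }))"
    ForestFunctionalLevel = "$ffl ($($levelName[$ffl]))"
    TombstoneLifetimeDays = [int]$tsl
} | Format-List

# Pre-flight verdicts
if ($mixed) {
    Write-Warning 'Domain is still Windows 2000 mixed mode: raise it before continuing.'
}
if ($ffl -lt 2) {
    Write-Warning 'Windows Server 2012/R2 DCs need forest functional level Windows Server 2003 (2) or higher.'
}
if ([int]$tsl -lt 180) {
    Write-Warning "Tombstone lifetime is $tsl days: consider raising it to 180 (the forest upgrade will not change it)."
}
```

Run it once per domain before touching the schema; a forest that still reports level 0 or 1 has to be raised first, and a 60-day TSL is worth fixing now because it bounds how long an old DC can stay offline before it has to be rebuilt.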
Replication issues
USN Rollbacks, Lingering Objects, Strict Replication Consistency (?)
DNS
Events and Logs
FSMO
Consider temporarily disabling AV on the DCs
Document everything! (Active Directory Topology Diagrammer, Visio)
Make sure the user you're working with is a member of:
Domain Admins
Enterprise Admins
Schema Admins
Install RSAT on a Windows workstation for easier management:
For Windows 7
For Windows 8
For Windows 8.1
Built-in into Server OSs
Make sure you have a recent, supported, tested and working backup:
System State
Boot Partition
System Partition
All GPOs (by using GPMC)
Certificate Authority and important certificates and keys
Scripts etc.
Do you know the DCs DSRM password?
Do NOT use a VM snapshot as backup!
Consider disconnecting one DC in addition to backing up
Consider disabling outbound replication on the Schema Master DC during
the Schema upgrade
The bigger and more complex you are, the more you need to
test before you act.
Consider regulations and standards (such as Change
Management procedures)
Test environment needs to be as close to production as possible.
Test and production need to be totally isolated from each other.
Extend the Schema
Promote the first Windows Server 2012/2012 R2 DC
Move relevant roles: DHCP, DNS, WINS, Certificate Services, TS Licensing
Transfer FSMO
If needed, point relevant applications to the new DC
Configure connectors or other manual settings
Wait a bit
Decommission old DCs
Go to celebrate
No more (manual) ADPREP!
No need to keep installation media
No need to remember complex commands and where to run them (forestprep, domainprep, rodcprep, gpprep)
Automates the pre-requisites between each of them
Validates environment-wide pre-requisites before beginning deployment
Integrated with Server Manager and remotable
Built on Windows PowerShell for command-line and UI consistency
Configuration wizard aligns to the most common deployment scenarios
No more DCPROMO!
Promotion is done through the Server Manager UI (or the Install-ADDSDomainController cmdlet underneath it): remotable, built on PowerShell, automated
In case of network hiccups - indefinite retry loop
Very fast and easy to use Install From Media (IFM) + the offline defrag of the IFM database is now optional (it used to be mandatory in Windows Server 2003/2008)
Check version:
dsquery * "cn=schema,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr objectversion
(Forestprep success, schema objectVersion: 2003 R2 = 31, 2008 = 44, 2008 R2 = 47, 2012 = 56, 2012 R2 = 69)
dsquery * "cn=ActiveDirectoryUpdate,cn=ForestUpdates,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr revision
(Forestprep success, ForestUpdates revision: 2008 = 2, 2008 R2 = 5, 2012 = 11, 2012 R2 = 15)
dsquery * "cn=ActiveDirectoryUpdate,cn=DomainUpdates,cn=System,dc=ad,dc=petri-labs,dc=com" -scope base -attr revision
(Domainprep success, DomainUpdates revision: 2008 = 3, 2008 R2 = 5, 2012 = 9, 2012 R2 = 10)
Verify replication:
repadmin /showreps
repadmin /replsum * /bysrc /bydest /sort:delta
Always wait for KCC (15-30 minutes)
If the replication topology is complex, wait for replication for as long as it takes (again, consider enabling Change Notification)
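The version check and the replication check above, combined into one gate script as an added example (not from the original deck): it compares the schema objectVersion and the ForestUpdates/DomainUpdates revision markers with the values expected for the target release, then runs repadmin /replsum and stops if any DC reports failures. It assumes repadmin.exe is on the box (DC or RSAT) and takes the DNs from RootDSE rather than the deck's lab domain; the expected-value table is the one on the slides above.

```powershell
# Added example, not code from the original deck. Gate: adprep markers
# must be at the target level and replication must be clean before the
# first Windows Server 2012/R2 DC is promoted.
param([ValidateSet('2012','2012R2')][string]$Target = '2012R2')

# Expected values from the slides (schema objectVersion, ForestUpdates and
# DomainUpdates revision) per target release
$expected = @{
    '2012'   = @{ Schema = 56; ForestUpdates = 11; DomainUpdates = 9  }
    '2012R2' = @{ Schema = 69; ForestUpdates = 15; DomainUpdates = 10 }
}[$Target]

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Properties['defaultNamingContext'].Value
$configDn = $rootDse.Properties['configurationNamingContext'].Value
$schemaDn = $rootDse.Properties['schemaNamingContext'].Value

function Get-Attr([string]$dn, [string]$attr) {
    # A missing marker object means that prep step never ran: report 0
    try { [int]([ADSI]"LDAP://$dn").Properties[$attr].Value } catch { 0 }
}

$actual = @{
    Schema        = Get-Attr $schemaDn 'objectVersion'
    ForestUpdates = Get-Attr "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configDn" 'revision'
    DomainUpdates = Get-Attr "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainDn" 'revision'
}

$ok = $true
foreach ($k in 'Schema','ForestUpdates','DomainUpdates') {
    $state = if ($actual[$k] -ge $expected[$k]) { 'OK' } else { $ok = $false; 'NOT DONE' }
    '{0,-14} actual {1,3}  expected {2,3}  {3}' -f $k, $actual[$k], $expected[$k], $state
}
if (-not $ok) { throw "adprep has not completed for Windows Server $Target in this domain/forest" }

# Replication: every DC as source and as destination, sorted by delta.
# repadmin prints one line per DSA like
#   DC01     25m:12s    0 /   5    0
# (name, largest delta, fails/total, %error); anything with fails > 0 blocks.
$summary = repadmin /replsum * /bysrc /bydest /sort:delta 2>&1
$summary
$failing = $summary | Where-Object {
    ($_ -match '^\s*\S+\s+\S+\s+(\d+)\s*/\s*\d+') -and ([int]$matches[1] -gt 0)
}
if ($failing) { throw "Replication failures reported:`n$($failing -join "`n")" }
'adprep markers and replication look good; continue with the promotion.'
```

Because the markers are compared with -ge, the script also passes on a forest that was prepped for a later release; what it will not let through is a forestprep that succeeded while domainprep in this domain did not, which is the case the two separate dsquery lines are there to catch.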
Make sure new DC is functioning:
Check AD replication
Check SYSVOL sharing and replication
Check events
Do not hurry (depending on the size of the DIT and SYSVOL)
The PDC Emulator of the Forest Root Domain is responsible for time keeping. If not properly configured: Event ID 12 (W32Time). http://support.microsoft.com/kb/816042
PDC Emulators of the other domains in the forest pull time from the FRD PDCE
DCs pull time from their PDCEs
Servers and workstations pull from DCs
Protect yourself against a large time offset (MaxPosPhaseCorrection, MaxNegPhaseCorrection Registry/GPO values)
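The forest root PDCE configuration described above, as an added example that is not from the original deck: it refuses to run anywhere except the forest root PDC emulator, caps MaxPosPhaseCorrection/MaxNegPhaseCorrection so one badly wrong clock cannot re-time the forest, and points the PDCE at external peers. The peer names are placeholders for your own reliable sources; everything else follows KB 816042. Run it elevated; all other DCs stay on the default domain hierarchy.

```powershell
# Added example, not code from the original deck. Configure the forest root
# PDC emulator as the authoritative time source and bound the correction
# W32Time will accept (the MaxPos/MaxNegPhaseCorrection values on the slide).

# Guard: only the forest root PDCE should take an external source
$pdce = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
if ($pdce -notlike "$env:COMPUTERNAME.*") {
    throw "This host is not the forest root PDC emulator ($pdce); leave it on the domain hierarchy."
}

$peers   = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'   # assumed peers; 0x8 = client mode
$maxSkew = 48 * 3600                                  # accept at most 48 h of correction (seconds)

# 0xFFFFFFFF here means "accept any offset", which is exactly what lets a DC
# that boots with a wrong clock drag the whole forest along. Cap it explicitly.
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
Set-ItemProperty -Path $cfg -Name MaxPosPhaseCorrection -Value $maxSkew -Type DWord
Set-ItemProperty -Path $cfg -Name MaxNegPhaseCorrection -Value $maxSkew -Type DWord

# External sources, and advertise this DC as a reliable time source
$peerArg = "/manualpeerlist:$peers"
w32tm /config $peerArg /syncfromflags:manual /reliable:yes /update
Restart-Service -Name w32time
w32tm /resync /rediscover

# Verify: the source should be one of the peers, and the offset small
w32tm /query /source
w32tm /query /status
```

If the PDCE role is later transferred to the new Windows Server 2012 DC, repeat this there and put the old holder back on /syncfromflags:domhier; a forest with two self-declared reliable sources is how the Event ID 12 situation on the slide usually starts.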
Remember Windows Server 2008/2012 issues a random
computer name by default
Never ever in your life use NEWSID! (punished by death!)
Do NOT disable IPv6 (http://support.microsoft.com/kb/929852)
Configure Windows Update
Secure the server(s)
Run Best Practice Analyzers
Configure Anti-Virus exclusions (http://support.microsoft.com/kb/822158)
Configure backups
Never clone a DC operating system!
Do not use snapshots for virtual DCs
Do not pause/resume virtual DCs
If on VMs, exclude DCs from Live Migration or vMotion
Do not synchronize time with the host

Snapshots, cloning and similar operations are safe only for Windows Server 2012 DCs running on a hypervisor that supports VM-Generation-ID (Hyper-V 3 in Windows Server 2012)
If you decide to use the new DC(s) with new computer names and IP
addresses, do not forget:
Update Name Servers (NS) records
Zone Transfers
Domain Delegation
Bind Secondaries
Zone Scavenging
Forwarding to ISPs
Firewall ports (for EDNS)
DHCP settings for workstations that have dynamic IPs
Any workstation, server, device with manual DNS IP address
Check the FSMO roles: Schema, Domain Naming, Infrastructure, PDC Emulator, RID
If all ok, both DCs agree to the transfer
Check the Infrastructure role (fSMORoleOwner attribute) on the DomainDnsZones and ForestDnsZones application partitions too. If not ok: http://support.microsoft.com/kb/949257
If the transfer is not ok, consider forcing (seize)
Easiest: use NTDSUTIL (transfer; ntdsutil's seize also attempts a transfer first and only seizes if that fails)
ntdsutil roles con "con to ser localhost" q "tran sche mas" "tran nam mas" "tran infra mas" "tran pdc" "tran rid mas" q q
If you must (seize; never bring the old holder back online afterwards without reinstalling it):
ntdsutil roles con "con to ser localhost" q "seize sche mas" "seize nam mas" "seize infra mas" "seize pdc" "seize rid mas" q q
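The FSMO check above as a script, added here as an example that is not from the original deck. It reads fSMORoleOwner on every partition that carries one, including the DomainDnsZones and ForestDnsZones application partitions the slide mentions, and flags an owner that points at a deleted NTDS Settings object (the condition KB 949257 fixes). The optional transfer at the end uses the RSAT ActiveDirectory module; the -TransferTo parameter name is this example's own.

```powershell
# Added example, not code from the original deck. Reports who holds each
# FSMO role (including the Infrastructure owner on the DNS application
# partitions) and whether that owner still exists, then optionally moves
# the five classic roles to a new DC.
param([string]$TransferTo)   # example's own parameter: new DC to take all five roles

$ErrorActionPreference = 'Stop'
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Properties['defaultNamingContext'].Value
$forestDn = $rootDse.Properties['rootDomainNamingContext'].Value
$configDn = $rootDse.Properties['configurationNamingContext'].Value
$schemaDn = $rootDse.Properties['schemaNamingContext'].Value

# Object that carries fSMORoleOwner for each role
$holders = [ordered]@{
    'Schema'                        = $schemaDn
    'Domain Naming'                 = "CN=Partitions,$configDn"
    'PDC Emulator'                  = $domainDn
    'RID'                           = 'CN=RID Manager$,CN=System,' + $domainDn
    'Infrastructure'                = "CN=Infrastructure,$domainDn"
    'Infrastructure (DomainDnsZones)' = "CN=Infrastructure,DC=DomainDnsZones,$domainDn"
    'Infrastructure (ForestDnsZones)' = "CN=Infrastructure,DC=ForestDnsZones,$forestDn"
}

$report = foreach ($role in $holders.Keys) {
    $dn = $holders[$role]
    try   { $owner = ([ADSI]"LDAP://$dn").Properties['fSMORoleOwner'].Value }
    catch { $owner = $null }   # partition not present (e.g. no AD-integrated DNS)

    # A deleted owner shows up as "CN=NTDS Settings\0ADEL:<guid>,CN=Deleted Objects,..."
    $state = if (-not $owner)                { 'partition or attribute missing' }
             elseif ($owner -match '0ADEL:') { 'ORPHANED: owner is deleted, see KB 949257' }
             else                            { 'ok' }
    $dc = if ($owner -match '^CN=NTDS Settings,CN=([^,]+),') { $matches[1] } else { '?' }

    [pscustomobject]@{ Role = $role; Holder = $dc; State = $state }
}
$report | Format-Table -AutoSize

if ($report | Where-Object State -like 'ORPHANED*') {
    Write-Warning 'Fix the orphaned Infrastructure owner(s) per KB 949257 before transferring anything.'
}

if ($TransferTo) {
    Import-Module ActiveDirectory
    # Transfer needs both DCs up and agreeing. Add -Force only to seize, and only
    # when the old holder is gone for good; this cmdlet does not touch the
    # Infrastructure owner on the DNS application partitions.
    Move-ADDirectoryServerOperationMasterRole -Identity $TransferTo `
        -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster `
        -Confirm:$false
}
```

Run the report once before the transfer (to see that every Holder is a DC that is actually online) and once after, so the "both DCs agree" step on the slide is verified from the directory rather than assumed from the ntdsutil output.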
If all ok, demote the old DCs one by one (dcpromo.exe). Take your time to test.
If demoting is unsuccessful, consider forcing (/forceremoval) + clean AD from the old DC's remains:
Manually remove the server objects from AD Sites and Services (ntdsutil.exe) http://support.microsoft.com/kb/216498
Consider shutting down the old DC(s) for a few days (the "who did it???!" effect)
Discard all old DCs
Enable Recycle Bin
Use Active Directory Snapshots and create a backup schedule
Migrate from FRS to DFS-R
Raise DFL, FFL as needed
Upgrading your AD to Windows Server 2012/R2 is important even if you do not plan to use any of the benefits
Upgrading AD to Windows Server 2012/R2 has benefits mostly in the virtualization and deployment areas, but also in management and monitoring
Plan and test before you move
Verify and clean after you move
Upgrading is not rocket science
Questions? Comments?
daniel@petri.co.il
