Upgrading Windows 2008 R2 AD environments to Windows 2012 R2

  • Question

  • Hello,

    I am in the process of planning for the move to Windows 2012 R2 domain controllers from Windows Server 2008 R2 in our environment.  Does anyone have recommendations / best practices that should be followed given prior experience with this.  Here is my current setup:

    QA Domain

    - 2 QA AD Forest Domain Controllers (Both Virtual, Win 2008 R2)

    - 2 QA AD Domain Controllers (Both Virtual, Win 2008 R2)

    Production Domain

    - 2 Prod AD Forest Domain Controllers (Both Virtual, Win 2008 R2)

    - 3 Prod AD Domain Controllers (2 Virtual and 1 Physical, Win 2008 R2)

    - 1 Prod Read Only Domain Controller (Virtual, Win 2008 R2)

    - 1 Prod External DNS (Virtual, Win 2003 SP1)

    Essentially I plan to create new VMs for each VM in the list with Windows 2012 R2 installed.  Part of the plan is to migrate roles / catalog / etc. over to one of the new VMs and then systematically remove each old DC.  Then after a reasonable period of soaking, I would upgrade the Forest and Domain functional levels from Windows Server 2008 R2 to Windows Server 2012 R2. Let me know if you see any gotchas with this plan (e.g. RODC).

    Thanks in advance.

    Dave

    Tuesday, May 23, 2017 6:00 PM

All replies

  • These steps have to be done for all domains.

    - First, backup your current forest (Windows Backup / NT Backup)

    - Validate that replication between all current DC's is working well (DCDiag.exe / repadmin)

    - Join your Windows 2012 R2 servers to your domain as member servers

    - Raise Schema using adprep (From Windows 2012 R2 ISO)

    - Validate that replication between all current DC's is working well (DCDiag.exe / repadmin)

    - Promote your first Windows 2012 R2 as DC

    - Validate that replication between all current DC's is working well (DCDiag.exe / repadmin)

    - Transfer FSMO roles to your new Windows 2012 R2 DC

    - Update your Time Server settings (on the PDC emulator role)

    - Complete promotion of all other DC's from this domain

    - Validate that replication between all current DC's is working well (DCDiag.exe / repadmin)

    - Remove your old Windows 2008 R2 / 2003 as Domain controller

    - Raise Domain Functional Level

    - Validate that replication between all current DC's is working well (DCDiag.exe / repadmin)

    - Raise Forest Functional Level

    - Validate that replication between all current DC's is working well (DCDiag.exe / repadmin)

    -------
    Optional steps

    - Enable AD Recycle Bin

    - Migrate FRS to DFS-R replication (if it's not already migrated)

    - Enable GPO Central Store

    - Migrate DFS Namespace v1 to v2 (if you have any DFS)

    DHCP

    Some people like to install the DHCP role on a DC.  If that's your case, you can migrate your DHCP role at any time using PowerShell commands (Windows 2008 R2+) or using Netsh (Windows 2003).  It's really easy actually.  The only thing you have to be careful about is the IP helpers, which may have to be updated (if your DHCP server does not keep its IP address).

    hth


    This posting is provided AS IS without warranty of any kind

    • Marked as answer by DCLETech Wednesday, June 7, 2017 12:27 PM
    Wednesday, May 24, 2017 12:46 AM
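
    The repeated "validate replication" step in the checklist above can be scripted as a gate that also reports FSMO holders, functional levels, RODCs and DCs still on an older OS. This is an added example, not part of the original post; it assumes PowerShell 3.0+ with the ActiveDirectory module and repadmin.exe (for example on one of the new 2012 R2 member servers), and the function names are hypothetical.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ with the
# ActiveDirectory module and repadmin.exe (RSAT), run by a domain admin.
Import-Module ActiveDirectory

function Test-ReplicationHealthy {
    # One CSV row per inbound replication link on every DC in the forest.
    $rows = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
    $bad = @($rows | Where-Object {
        # showrepl_ERROR rows mark DCs that could not be queried at all.
        $_.showrepl_COLUMNS -eq 'showrepl_ERROR' -or
        [int]$_.'Number of Failures' -gt 0
    })
    if ($bad.Count -gt 0) {
        $bad | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context',
            'Number of Failures', 'Last Failure Status' -AutoSize | Out-Host
    }
    # An empty result means repadmin itself failed, so treat it as unhealthy.
    return ($rows.Count -gt 0 -and $bad.Count -eq 0)
}

function Get-MigrationInventory {
    $forest = Get-ADForest
    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Server $name
        $dcs = @(Get-ADDomainController -Filter * -Server $name)
        [pscustomobject]@{
            Domain       = $name
            ForestMode   = $forest.ForestMode
            DomainMode   = $domain.DomainMode
            SchemaMaster = $forest.SchemaMaster
            NamingMaster = $forest.DomainNamingMaster
            PDCEmulator  = $domain.PDCEmulator
            RIDMaster    = $domain.RIDMaster
            InfraMaster  = $domain.InfrastructureMaster
            ReadOnlyDCs  = @($dcs | Where-Object { $_.IsReadOnly } |
                               ForEach-Object { $_.Name })
            # DCs still on an older OS block the functional level raise.
            LegacyDCs    = @($dcs | Where-Object { $_.OperatingSystem -notlike '*2012 R2*' } |
                               ForEach-Object { $_.Name })
        }
    }
}

if (-not (Test-ReplicationHealthy)) { throw 'Replication errors found: stop and fix them first.' }
Get-MigrationInventory | Format-List
```

    Run it after each step in the list; LegacyDCs should be empty in every domain before the functional levels are raised.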
  • Thanks for the step thru cthivierge.  Definitely most helpful. 

    Just a couple of questions on this:

    - Do you see any issue with the RODC in this scenario?  Can it be replaced in the same way as the regular DCs?  I have had a few comments from colleagues that it may need to be removed prior to performing schema or functional level upgrades.

    - Just nailing down the order of operations a bit.  After moving FSMO roles, promoting new DCs and performing validation, should I remove the old Primary/Secondary DCs first and then the Forest Root DCs last?

    Thanks again,

    Dave

    Wednesday, May 24, 2017 12:26 PM
  • Yes, the way to depromote a RODC is the same way as any other DC.

    The only thing you have to be careful about is when you migrate the FRS to DFS-R SYSVOL replication (if it's not already done).

    Because you have a RODC, you must either run the command "dfsrmig /CreateGlobalObjects" or run all 4 migration steps:
    dfsrmig /setglobalstate 0
    dfsrmig /setglobalstate 1
    dfsrmig /setglobalstate 2
    dfsrmig /setglobalstate 3

    https://blogs.technet.microsoft.com/filecab/2008/02/14/sysvol-migration-series-part-2-dfsrmig-exe-the-sysvol-migration-tool/

    The dfsrmig /createglobalobjects is automatically run between the globalstate 0 and 1.

    hth


    This posting is provided AS IS without warranty of any kind

    • Proposed as answer by Hello_2018 Monday, June 5, 2017 5:33 AM
    • Marked as answer by DCLETech Wednesday, June 7, 2017 12:27 PM
    Wednesday, May 24, 2017 1:44 PM
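
    The dfsrmig sequence from the reply above, stepped one state at a time with a wait for every DC (the RODC included) to report the new state before moving on. This is an added example, not part of the original post; it assumes an elevated session on a writable DC, English-language dfsrmig output, and a hypothetical function name.

```powershell
# Added example, not from the thread. Assumes an elevated session on a
# writable DC (not the RODC), run by a Domain Admin.
function Set-SysvolGlobalState {
    param(
        [ValidateRange(0, 3)][int]$State,
        [int]$PollSeconds = 300
    )
    if ($State -eq 3) {
        # State 3 (Eliminated) removes FRS SYSVOL replication; no rollback.
        $answer = Read-Host 'State 3 cannot be rolled back. Type YES to continue'
        if ($answer -ne 'YES') { throw 'Aborted before state 3.' }
    }
    dfsrmig /setglobalstate $State | Out-Host
    do {
        Start-Sleep -Seconds $PollSeconds
        $out = dfsrmig /getmigrationstate
        $out | Out-Host
        # Assumed English output; the in-progress message says
        # "has not yet reached", so match the full positive phrase.
        $done = [bool]($out | Select-String -SimpleMatch `
            -Pattern 'Migration has reached a consistent state' -Quiet)
    } until ($done)
}

# Same order as the reply: 0 (Start), 1 (Prepared), 2 (Redirected), 3 (Eliminated).
foreach ($state in 0..3) { Set-SysvolGlobalState -State $state }
dfsrmig /getglobalstate | Out-Host
```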