Transitioning your Windows Server 2003 Domain Controllers to Windows Server 2012


Your organization might still be running their Active Directory Domain Services on top of Windows Server 2003-based Domain Controllers. You might be looking to replace these servers with Windows Server 2012-based Domain Controllers, either to utilize the new features, make the most out of your virtualization project or to simply do away with the aging technology that is soon out of support.

In this blogpost, I’ll walk you through the steps required to replace your aging Windows Server 2003 (R2) Domain Controllers with spanking new Windows Server 2012 Domain Controllers, while keeping your Active Directory running smoothly. This process is called transitioning your Active Directory.

 

Table of contents

  • Ways to migrate Active Directory
  • Reasons to transition
  • Steps to transition
    • Before you begin
    • First steps
    • Prepare your Active Directory environment
    • Install the first Windows Server 2012 Domain Controller
    • Install additional Domain Controllers
    • Take care of FSMO roles and Global Catalog placement
    • Demote your old Domain Controllers
    • Raise the domain and forest functional levels
    • Enable Active Directory Optional Features
    • Run the Active Directory Best Practices analyzer
  • Concluding

 

Ways to migrate

In general, you can migrate your Active Directory environment to the next version in three distinct ways:

  1. Transitioning
  2. Restructuring
  3. In-place upgrading

However, migrating your Windows Server 2003 (R2) Active Directory environment to Windows Server 2012 can only be done in two ways:

  • Transitioning
    Migrating this way means adding Windows Server 2012 Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window.
  • Restructuring
    A second way to go from Windows Server 2003 (R2) Domain Controllers to Windows Server 2012 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2012) domain with the Active Directory Migration Tool (ADMT). The new domain needs at least one Windows Server 2008 R2-based Domain Controller, since ADMT 3.2 only installs on Windows Server 2008 R2.

The third option, in-place upgrading, is not supported. The 32-bit versions of Windows Server 2003 and Windows Server 2003 R2 cannot be upgraded in place, because Windows Server 2012 is only available as a 64-bit Operating System (OS) and cross-architecture upgrades are not supported. The x64 versions of Windows Server 2003 (R2) can only reach Windows Server 2012 by upgrading to Windows Server 2008 (R2) first, and I don't consider chaining upgrades like that a valid option: every chained upgrade carries the errors of the previous one forward, and they pile up towards the end of your migration.

 

Reasons to transition

Restructuring means filling a new Active Directory from scratch, while transitioning means you get to keep your current Active Directory layout, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.

Transitioning is good when:

  • You worked hard to get your Active Directory in the shape it's in.
  • Your current Windows Server 2003-based Domain Controllers are faced with aging.
  • In-place upgrading leaves you with an undesired outcome
    (for instance Server Core or Enterprise edition Domain Controllers)
  • You need a chance to place your Active Directory files on different partitions/volumes.

When done right, your colleagues might not even suspect a thing! The downside is that you need to know exactly what you're doing, because things can go wrong pretty fast. That's why I wrote this post.

 

Steps to transition

1. Before you begin

1.1 Avoid common mistakes

There is a very good Microsoft Knowledge Base article on Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain, written by community experts.  I suggest you read it (twice). Most of the contents also apply to transitioning to Windows Server 2012.

1.2 Plan your server lifecycle

It's not uncommon for a Domain Controller to sit on your network for five years. Keep this in mind when selecting and buying a server. Plan your partitions (or volumes) carefully and place the Active Directory files on separate volumes when your needs justify it. The Windows Server catalog helps you pick systems that will run Windows Server 2012 with ease.

1.3 Assess your readiness

Microsoft has kindly provided a tool to assess whether your systems are capable of running Windows Server 2012, whether drivers are available (either from Microsoft Update or on the installation media) and what problems you might encounter when deploying Windows Server 2012. I recommend checking your systems with this tool, the Microsoft Assessment and Planning (MAP) Toolkit, one of Microsoft's Solution Accelerators.

1.4 Map out your 64bit transition

Since Windows Server 2012 is only available in 64-bit flavors, you'll need to make sure every aspect of your Active Directory Domain Controller implementation is 64-bit ready. The MAP tool will not sort everything out for you, so you will have to dive into stuff like anti-malware, backup, software for uninterruptible power supplies, monitoring, systems management, time synchronization and your licensing (VAMT/MAK/KMS) solution.

1.5 Review the considerations for upgrading

Active Directory Domain Services in Windows Server 2012 breaks some functionality present in previous versions of Active Directory. For instance, the security setting Allow cryptography algorithms compatible with Windows NT 4.0 is off by default on Windows Server 2012 Domain Controllers, which breaks secure channel setup for Windows NT 4.0-era clients, older Samba versions and network devices that still rely on those algorithms. Re-enabling the setting weakens every Domain Controller, so the better fix is to update or retire those clients. Review these considerations and determine whether they are show stoppers in your environment.

1.6 Backups

Make system state backups of all your Domain Controllers, and verify you can actually restore them (a test restore in an isolated network is the only real proof) before you change anything.

1.7 Documentation

It is a good thing to know exactly what you're migrating. When things go wrong, you might need to revert to the old situation.

The transitioning steps might require the Directory Services Restore Mode (DSRM) password and credentials for service accounts, which might not be written down anywhere. Record these in your password vault, not in the migration document itself. In multiple Domain Controller, multiple domain, multiple forest and multiple site scenarios it's very wise to make a table containing the relevant information per Domain Controller: Flexible Single Master Operations (FSMO) roles, Global Catalog placement, domain membership, site membership, replication topology, routing tables, IP addressing, etc.

1.8 Communications

When done right your colleagues might not even suspect a thing, but it's important to shed some light on what you're doing. (Make someone) communicate to the end users that you're going to mess with the core of their infrastructure. This might result in colleagues understanding you're (really) busy and might also result in problems being reported fast. Both are good things if you'd ask me…

 

2. First steps

2.1 Install the Support Tools

During the transitioning, you'll need some tools that are not native to Windows Server 2003 Domain Controllers. Luckily, for the 32-bit version of Windows Server 2003 and Windows Server 2003 R2, they are part of the free Windows Server 2003 Service Pack 2 32-bit Support Tools.

Note:
To install these tools, like replmon.exe and repadmin.exe, the Windows Server 2003-based Domain Controller on which you install them needs to run at least Service Pack 2. After you install the Support Tools, reboot and reapply the latest Service Pack for Windows Server 2003.

Installation is simple:

  1. Download both the support.cab and support.msi file for the Windows Server 2003 Service Pack 2 32-bit Support Tools and place them in one folder.
  2. Double-click support.msi.
  3. Click Next > in the Welcome to the Windows Support Tools Setup Wizard screen.
  4. Select the I Agree radio button in the End User License Agreement screen and then click Next >.
  5. Click Next > in the User Information screen to accept the default Name: and Organization: fields (or change them first, if you want to).
  6. Click the Install Now button in the Destination Directory screen if you're fine with the default location to install the Support Tools into (C:\Program Files\Support Tools), or change the location first.

     Note:
     The Support Tools require 24 MB of free space.
  7. Click Finish in the Completing the Windows Support Tools Setup Wizard screen to close the wizard.

2.2 Check for proper replication

Since we’re applying big changes to our Active Directory infrastructure, we need to check forest-wide replication, before we can change anything. We’re going to rely on replication to replicate changes in the configuration to all Domain Controllers in the Active Directory forest, so let’s see if it’s trustworthy. Since we’re going to have to say goodbye to replmon.exe in our new environment, anyway, why not fire up repadmin.exe to this purpose?

  1. In the Start Menu on a Domain Controller, go to All Programs, then Windows Support Tools and click Command Prompt.
  2. Type the following command:

     repadmin.exe /replsummary

     The summary lists, per source and destination Domain Controller, the largest replication delta and the number of failed replication attempts. Don't proceed until every row shows zero failures, or you will be waiting for schema changes that never arrive on some Domain Controllers.

 

3. Prepare your environment

Before you can begin to introduce the first Windows Server 2012 Domain Controller into your existing Active Directory environment, you first have to prepare the Active Directory.

3.1 Raise the domain and forest functional levels

To introduce Windows Server 2012-based Domain Controllers, the Active Directory forest needs to run the Windows Server 2003 Forest Functional Level (FFL) or higher. That in turn requires the Domain Functional Level (DFL) of every domain in the forest to be Windows Server 2003 (not Windows Server 2003 interim) or higher.

Note:
Although you won’t run into problems when preparing the schema in an Active Directory environment running Windows 2000 domain functional level (DFL) and Windows 2000 forest functional level (FFL), you can’t actually install a Windows Server 2012-based Domain Controller in it.

So, before you can transition the Active Directory infrastructure to Windows Server 2012, you will need to get rid of all the Windows 2000 Server-based Domain Controllers, Windows NT4 Server-based Primary Domain Controllers and Windows NT4 Server-based Backup Domain Controllers.

In an Active Directory forest containing one Active Directory domain, perform these actions on a Domain Controller:

  1. Log on with an account that is a member of the Enterprise Admins group.
  2. Start the Active Directory Domains and Trusts MMC snap-in (domain.msc).
  3. In the left pane, right-click Active Directory Domains and Trusts (above the domain name) and select Raise Forest Functional Level… from the context menu.
  4. If Current forest functional level: states Windows 2000, click Save As to generate a detailed report (otherwise click OK and skip to 3.2 Update the Schema).
  5. Click Save to accept the default location (the domain name, appended with -log.csv, in the My Documents folder of the logged on user account).
  6. Browse to the location where you saved the log and open it.
  7. The log contains two sections of interest for our migration:
    1. The lines below The following domains include domain controllers that are running earlier versions of Windows: list Domain Controllers that are not running Windows Server 2003. These Domain Controllers do not have msDS-Behavior-Version set to the desired target level. They are either Windows 2000 Server-based Domain Controllers or newer Domain Controllers whose objects are damaged.

      Note:
      The status of these Domain Controllers must be investigated, and their representation in Active Directory must be repaired or removed using ntdsutil.exe (metadata cleanup). A stale Domain Controller object doesn't only block the functional level raise: the remaining Domain Controllers keep trying to replicate with it, and its computer account stays a member of the Domain Controllers group.
    2. The lines below The following domains must be updated to a domain functional level of Windows 2000 native or Windows Server 2003: list the Active Directory domains we need to raise.
  8. Now, switch back to the Active Directory Domains and Trusts MMC snap-in (domain.msc).
  9. In an Active Directory forest containing multiple Active Directory domains, perform steps 9 to 12 on one Domain Controller in each domain, starting with the forest root domain. Right-click the first domain from the detailed log file in the domain list in the left pane and select Raise Domain Functional Level… from the context menu.
  10. From the Select an available domain functional level: drop-down list, select Windows Server 2003. Then, press Raise.
  11. In the This change affects the entire domain. After you raise the domain functional level, it cannot be reversed. warning message, click OK.
  12. After a short while, you'll see the The functional level was raised successfully. The new functional level will now replicate to each domain controller in the domain. The amount of time this will take varies, depending on your replication topology. informational message. Click OK.
  13. Repeat steps 9 to 12 for each Active Directory domain mentioned in the detailed log. To track your progress, you might want to generate a new detailed log after raising each domain's functional level.
  14. When you've successfully raised all Active Directory domains in the forest, the option to raise the Forest Functional Level becomes available. In the left pane, right-click Active Directory Domains and Trusts (above the domain name) and select Raise Forest Functional Level… from the context menu.
  15. Click Raise.
  16. In the This change affects the entire forest. After you raise the forest functional level, it cannot be reversed. warning message, click OK.
  17. After a short while, you'll see the The functional level was raised successfully. The new functional level will now replicate to each domain controller in the forest. The amount of time this will take varies, depending on your replication topology. informational message. Click OK.

Tip!
One of the new features of the Windows Server 2003 Domain Functional Level (DFL) is the ability to redirect the default location for new User objects and Computer objects from the Users and Computers containers (which cannot have Group Policy linked to them) to Organizational Units of your choosing, using redirusr.exe and redircmp.exe. Take advantage of this goodie right away!

Tip!
You do not, necessarily, need to wait for replication of the functional level raise actions, since updating the schema can be performed while your domains and forest are still in the Windows 2000 functional level. (You can’t install your first Windows Server 2012-based Domain Controller though.)
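The inventory and the functional level raises from the steps above, as an added example that is not part of the original post. It uses the System.DirectoryServices.ActiveDirectory classes in .NET, which talk LDAP to the existing Windows Server 2003 Domain Controllers, so it runs from a domain-joined Windows 8 or Windows Server 2012 machine without needing a newer Domain Controller or Active Directory Web Services. Run it as a member of Enterprise Admins; the parameter names and the -WhatIf switch are assumptions chosen for this example.

```powershell
# Added example (not from the original post): list every Domain Controller in the forest with its
# Operating System, refuse to continue while Windows 2000 Domain Controllers exist, then raise each
# domain and finally the forest to the target functional level (Windows Server 2003 by default).
param(
    [System.DirectoryServices.ActiveDirectory.DomainMode]$TargetDomainMode = 'Windows2003Domain',
    [System.DirectoryServices.ActiveDirectory.ForestMode]$TargetForestMode = 'Windows2003Forest',
    [switch]$WhatIf    # assumed switch: report only, change nothing
)

$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$blockers = @()

# The same inventory the "Save As" report of the snap-in gives you, per Domain Controller
foreach ($domain in $forest.Domains) {
    Write-Host ("`nDomain {0} is at functional level {1}" -f $domain.Name, $domain.DomainMode)
    foreach ($dc in $domain.DomainControllers) {
        # OSVersion comes from the operatingSystem attribute of the Domain Controller's computer object
        Write-Host ("  {0,-35} {1,-40} site {2}" -f $dc.Name, $dc.OSVersion, $dc.SiteName)
        if ($dc.OSVersion -like '*2000*') { $blockers += $dc.Name }
    }
}

if ($blockers.Count -gt 0) {
    $list = $blockers -join ', '
    Write-Warning "Demote these Windows 2000 Domain Controllers, or clean up their metadata with ntdsutil.exe, before raising anything: $list"
    return
}

# Raise every domain below the target. The enum values sort by age, so a plain comparison works and
# Windows Server 2003 interim (which Windows Server 2012 Domain Controllers don't accept) is raised too.
foreach ($domain in $forest.Domains) {
    if ([int]$domain.DomainMode -lt [int]$TargetDomainMode) {
        if ($WhatIf) { Write-Host "Would raise $($domain.Name) to $TargetDomainMode" }
        else {
            $domain.RaiseDomainFunctionality($TargetDomainMode)
            Write-Host "Raised $($domain.Name) to $TargetDomainMode"
        }
    }
}

# The forest can only follow once every domain is at the target level and that change has replicated
if ([int]$forest.ForestMode -lt [int]$TargetForestMode) {
    if ($WhatIf) { Write-Host "Would raise forest $($forest.Name) to $TargetForestMode" }
    else {
        $forest.RaiseForestFunctionality($TargetForestMode)
        Write-Host "Raised forest $($forest.Name) to $TargetForestMode"
    }
}
```

Run it once with -WhatIf to get the inventory, fix whatever it flags, and run it again without the switch. The forest raise throws if a domain's raise has not replicated to the forest root's Domain Controllers yet; just run it again later.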

3.2 Update the schema

With the Domain Functional Level and Forest Functional Level raised, we can prepare the Active Directory schema. Microsoft provides adprep.exe for this, but the Windows Server 2012 version of adprep.exe does not run on Windows Server 2003: on a Windows Server 2003 x64 server it results in a 'not a valid Win32 application' error, and on a 32-bit Windows Server 2003 edition it results in an error about the processor architecture.

This leaves you with two options:

  1. Perform adprep.exe from a Windows Server 2012-based server with the Active Directory Domain Services installed, after you make sure DNS Name resolution works flawlessly.
  2. Perform adprep.exe from a workstation with Windows 8 x64, after you make sure DNS Name resolution works flawlessly.

Perform these steps on the Windows 8 workstation or Windows Server 2012-based server:

  1. Copy the entire contents of the \support\adprep folder from the Windows Server 2012 DVD to a folder on the local hard disk.
  2. Install the PortQry tool version 2.0 on the machine and unpack the installer.
  3. Check for proper name resolution and network connectivity. First resolve the domain name:

     nslookup domain.tld

     Then, for each IP address returned, check that the Domain Controller answers LDAP requests and RPC endpoint mapper requests (adprep.exe talks LDAP and RPC to the Domain Controllers; the UDP 389 query doubles as a CLDAP ping that shows which domain and site the Domain Controller serves):

     portqry.exe -n ReturnedIPAddress -p udp -e 389

     portqry.exe -n ReturnedIPAddress -p tcp -e 135

  4. Run the following commands:
    1. Prepare the forest. This command contacts the Schema Master, which therefore needs to be online and reachable:

       adprep.exe /forestprep /forest domain.tld /user EntAdm /userdomain domain.tld /password Passw0rd

       Press C followed by Enter to perform the forest preparation. The message Adprep successfully updated the forest-wide information. indicates successful preparation.
    2. Prepare the forest for Read-only Domain Controllers. This is only required when you plan to deploy Read-only Domain Controllers, but it is harmless otherwise:

       adprep.exe /rodcprep /forest domain.tld /user EntAdm /userdomain domain.tld /password Passw0rd

       The message Rodcprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\Windows\debug\adprep\logs\ for more information. indicates successful preparation.
    3. Prepare the domain, including the Group Policy permissions for cross-domain planning. This command contacts the Infrastructure Master of the domain:

       adprep.exe /domainprep /gpprep /domain domain.tld /user DomAdm /userdomain domain.tld /password P@ssw0rd

       The line Adprep successfully updated the domain-wide information. indicates successful preparation of the domain. The line Adprep successfully updated the Group Policy Object (GPO) information. indicates successful preparation of the cross-domain planning functionality for Group Policy and RSOP Planning Mode.

Note:
Perform the last command for each Active Directory domain in the forest.

Note:
The /user, /userdomain and /password switches are only needed when you are not logged on with an account that has the required group memberships: Enterprise Admins, Schema Admins and Domain Admins of the forest root domain for /forestprep and /rodcprep, and Domain Admins for /domainprep. Log on with such an account and leave the switches out where you can. A password on the command line ends up in the command history and in any process monitoring, and these are the most powerful accounts in your forest.

After preparing your Active Directory for Windows Server 2012, be sure to check the process. Breadcrumbs to failures may be found in the event viewer, but the real check is reading the adprep.log files in C:\Windows\debug\adprep\logs\ on the machine you ran adprep.exe from.

3.3 Check proper replication of the schema preparation

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated, use the repadmin tool on one of your Windows Server 2003-based Domain Controllers to check and optionally troubleshoot Active Directory replication. The following one-liner shows the schema version on every Domain Controller:

repadmin /showattr * "cn=schema,cn=configuration,dc=domain,dc=tld" /atts:objectVersion

When all your Domain Controllers report objectVersion 56 (the Windows Server 2012 schema version), you're good to go with the next steps.
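The same check, as an added example that is not part of the original post: it binds to every Domain Controller in the forest by name over LDAP and reads objectVersion from the schema naming context, so a lagging or broken replication partner shows up as lagging instead of being masked by the value on the Domain Controller you happen to be logged on to. It runs from a domain-joined Windows 8 or Windows Server 2012 machine; the parameter name is an assumption for this example.

```powershell
# Added example (not from the original post): report the schema version every Domain Controller in
# the forest actually holds, and warn about the ones that have not received objectVersion 56 yet.
param([int]$ExpectedVersion = 56)   # assumed parameter: the Windows Server 2012 schema version

$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaDN = $forest.Schema.Name     # CN=Schema,CN=Configuration,DC=domain,DC=tld

$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $version = $null
        try {
            # The explicit server name in the LDAP path forces the bind to this Domain Controller
            $entry   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$schemaDN")
            $version = [int]$entry.Properties['objectVersion'].Value
        }
        catch {
            $version = -1               # unreachable, or the bind failed; $_ holds the reason
        }
        New-Object PSObject -Property @{
            Domain           = $domain.Name
            DomainController = $dc.Name
            SchemaVersion    = $version
            Ready            = ($version -eq $ExpectedVersion)
        }
    }
}

$results | Sort-Object Ready, Domain, DomainController |
    Format-Table Domain, DomainController, SchemaVersion, Ready -AutoSize

$total   = @($results).Count
$lagging = @($results | Where-Object { -not $_.Ready })
if ($lagging.Count -gt 0) {
    Write-Warning "$($lagging.Count) of $total Domain Controllers do not report schema version $ExpectedVersion yet; wait for replication or troubleshoot them with repadmin /showrepl."
}
else {
    Write-Host "All $total Domain Controllers report schema version $ExpectedVersion."
}
```

A Domain Controller reporting -1 is a connectivity or authentication problem rather than a replication one; sort those out first, because the Windows Server 2012 Domain Controller you are about to add will need to replicate with them too.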

 

4. Install the first Windows Server 2012 Domain Controller

Now that we’ve got all the preparations done, we can install Windows Server 2012 on our first Domain Controller to be.

Note!
When you use your organization's golden Windows Server image to build the Domain Controllers for your environment, instead of installing by hand as outlined in the steps below, make sure the image was sysprepped (generalized). Cloning a Windows installation without sysprep leaves every server with the same machine SID and other identifiers that are meant to be unique.

Either configure a Virtual Machine on your favorite virtualization platform or let the purchasing department spend their money on some physical datacenter iron.

Tip!
When installing physical servers, make sure you purchase a server with four spindles. Create two mirror (RAID1) volumes. Then, you can use the first set of spindles for Windows and programs, and the second set for the Active Directory database, Active Directory transaction logs and System Volume (SYSVOL).

4.1 Install Windows Server

Boot your configuration from the Windows Server 2012 installation media. Then, perform these actions:

  • In the first screen of Windows Setup, choose the Language to install:, the Time and currency format: and the Keyboard or input method: for the Domain Controller installation. Click Next to continue.
  • Click Install now.
  • Select the Operating System (OS) you want to install.

Tip!
The Server Core installation option is the preferred installation option. Performing this type of installation will result in a lean mean Windows Server (virtual) machine, but will not allow you to manage it through the Graphical User Interface (GUI) you know from Windows Server 2003. You will need a Windows Server 2012 management server or Windows 8-based management workstation with the Remote Server Administration Tools (RSAT) to manage Server Core Domain Controllers most of the time. Click a Server with a GUI installation when this is your first Windows Server 2012 installation.

  • Click Next when done.
  • Select the I accept the license terms option and click Next in the License Terms screen.
  • Choose Custom: Install Windows only (advanced) to perform a clean Windows Server installation.
  • Choose where to install Windows Server in the Where do you want to install Windows? screen.
    1. When this is a physical server, choose the first set of spindles.
    2. When this is a virtual server, choose the entire virtual disk.

Note:
After installation of the virtual server, shrink the volume in the virtual disk to accommodate the partition(s) for the Active Directory database, Active Directory transaction logs and System Volume (SYSVOL).

  • Click Next when done.
  • After installation, type a password for the built-in Administrator account. You will use this account to sign in until the server is promoted to a Domain Controller.

    Tip!
    The password needs to comply with the default complexity requirements.

  • Click Finish when done.
  • Press Ctrl+Alt+Del on the lock screen. Then, sign in to your new Windows Server installation with the password you just set for Administrator.

4.2 Configure the server

After you’ve installed the server, make these configuration changes:

  1. Change the name of the server using the server naming policy of your organization.
  2. Provide the correct time zone for the location of the Domain Controller.
  3. Check for proper activation of the Windows Server Operating System.
  4. Update the server with the latest Service Pack and updates.
  5. Configure the server with a fixed IPv4 address, a fixed IPv6 address and proper name resolution: point the DNS client at one or more of the existing Domain Controllers, not at the server itself, until it hosts DNS for the domain. Plan for Active Directory-integrated DNS. Avoid multi-homing Domain Controllers; a Domain Controller with multiple network interfaces registers DNS records for all of them and confuses the Domain Controller locator.
  6. Configure the pagefile properly.
  7. Implement Information Security measures (anti-malware, UPS, monitoring, backup)
  8. Create a backup of the server.

Note:
Do not use the snapshot features of your backup or virtualization solution for Domain Controllers. Reverting a Domain Controller to a snapshot rolls its Update Sequence Numbers (USNs) back behind what its replication partners have already seen, and the resulting USN rollback quietly stops replication. Windows Server 2012 can detect such a revert through the VM-Generation ID, but only on hypervisors that expose it, and a proper system state backup is what you restore from anyway.

4.3 Configure Active Directory storage

Now that we have a Windows Server installation that is configured properly, we need to plan the storage of the Active Directory database, the Active Directory transaction logs and the System Volume (SYSVOL).

An Active Directory performance best practice is to place this data on separate spindles. This is easily achieved with physical servers by adding an extra set of mirrored hard disks. The Active Directory Domain Services Configuration Wizard, which we'll use in a short while, disables write-back caching on the disks holding the Active Directory database and transaction logs, and not on the disks the Operating System (OS) is on. The purpose is to make the storage more robust: writes meant for disk go straight to disk instead of sitting in the disk's cache first, so a black- or brown-out does not instantly corrupt the Active Directory database.

Note:
Disabling write-back caching deteriorates the performance of storage by roughly 30%.

However, creating 'spindles' in the virtual world is a bit trickier. Virtualization solutions generally pass a request from a virtual machine to turn write-back caching off on to the storage layer and offer the best available performance per storage block, but verify what your platform actually does with such a request rather than assume it.

Since Active Directory breaks when a Domain Controller comes up without its files, we'll keep all these files together in one virtual hard disk. So, in a virtual machine, shrink the system volume (C:\) sufficiently and create a separate NTFS-formatted volume for your Active Directory files:

  1. Open the Disk Management MMC Snap-in (diskmgmt.msc)
  2. Right-click the C: volume in the bottom main pane and select Shrink Volume… from the context menu.
    Shrink Volume (click for original screenshot)
  3. Shrink the volume with the amount you need. You can use the information here to plan the size of the volume. Apply a safety factor, but don’t make it too big. Active Directory has some builtin mechanisms to cope with scarce disk space. In the example above I shrink the volume by 20GB. Press Shrink.
  4. Right-click in the Unallocated space you created with the step above. Choose New Simple Volume… from the context menu.
  5. Click Next > in the Welcome to the New Simple Volume Wizard screen.
  6. Accept the maximum disk space allowed by clicking Next > in the Specify Volume Size screen.
  7. Accept the automatically assigned drive letter by clicking Next > in the Assign Drive Letter of Path screen.
  8. Accept the defaults for formatting the partition, by clicking Next > again. This will create a NTFS-based quickly formatted partition with label New Volume. Make changes if you want to.
  9. Click Finish.
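The storage preparation from the steps above, as an added example that is not part of the original post, using the Storage module that ships with Windows Server 2012. It goes a little beyond the click-through: on a physical server with a second set of (RAID1) spindles it initializes and uses that empty disk whole; in a virtual machine it shrinks C: by the given amount and turns the freed space into the new volume. The shrink amount and the volume label are assumptions for this example.

```powershell
# Added example (not from the original post): create the NTFS volume that will hold the Active
# Directory database, transaction logs and SYSVOL, either on an empty second disk (physical server)
# or in space shrunk from C: (virtual machine).
$ShrinkBy = 20GB      # assumed: same 20 GB as in the screenshot
$Label    = 'NTDS'    # assumed volume label

$rawDisk = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' -and -not $_.IsSystem } | Select-Object -First 1
if ($rawDisk) {
    # Physical server: a fresh second set of spindles that has never been partitioned
    Initialize-Disk -Number $rawDisk.Number -PartitionStyle GPT
    $part = New-Partition -DiskNumber $rawDisk.Number -UseMaximumSize -AssignDriveLetter
}
else {
    # Virtual machine: shrink the system volume, refusing to go below what NTFS reports as possible
    $sys     = Get-Partition -DriveLetter C
    $sizes   = Get-PartitionSupportedSize -DriveLetter C
    $newSize = $sys.Size - $ShrinkBy
    if ($newSize -lt $sizes.SizeMin) {
        throw ("C: cannot shrink by {0} GB; the minimum size NTFS allows is {1:N1} GB" -f ($ShrinkBy / 1GB), ($sizes.SizeMin / 1GB))
    }
    Resize-Partition -DriveLetter C -Size $newSize
    $part = New-Partition -DiskNumber $sys.DiskNumber -UseMaximumSize -AssignDriveLetter
}

# Quick-format the new partition as NTFS; the returned volume object tells us the drive letter
$vol = $part | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
"Volume {0}: ({1}) of {2:N0} GB is ready for the Active Directory database, logs and SYSVOL" -f $vol.DriveLetter, $vol.FileSystemLabel, ($vol.Size / 1GB)
```

Note the drive letter the script prints; it is the one you replace C:\Windows with in the Paths screen of the Active Directory Domain Services Configuration Wizard later on.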

4.4 Make the server a member of the domain

To allow Kerberos authentication between the Windows Server 2003 (R2) Domain Controllers and our Windows Server 2012 Domain Controller to be, we need to make the Windows Server a member of the Active Directory domain.

Restart to make the changes apply.
After the restart, make sure you log on with a domain account.
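The network configuration from step 4.2 and the domain join from this step as one script, added here as an example that is not part of the original post and run on the fresh Windows Server 2012 installation. The DNS client is pointed at existing Windows Server 2003 Domain Controllers on purpose: the join locates the domain through the _ldap._tcp.dc._msdcs SRV records, and the new server must not point at itself until it hosts DNS for the domain. The interface alias, the addresses (taken from the documentation ranges), the server name and the domain name are assumptions for this example; replace them with your own.

```powershell
# Added example (not from the original post): fixed IPv4/IPv6 addressing, DNS client pointing at the
# existing Domain Controllers, a name resolution check, then rename, join and restart.
$Nic        = 'Ethernet'                      # assumed interface alias
$IPv4       = '192.0.2.12';   $Prefix4 = 24;  $Gateway = '192.0.2.1'   # assumed, RFC 5737 range
$IPv6       = '2001:db8::12'; $Prefix6 = 64                             # assumed, RFC 3849 prefix
$DnsServers = '192.0.2.10', '192.0.2.11'      # assumed: existing Windows Server 2003 Domain Controllers
$NewName    = 'DC2012-01'                     # assumed server name
$Domain     = 'domain.tld'                    # assumed domain name

# Leave DHCP, clear whatever the installer picked up, then apply the fixed addresses
Set-NetIPInterface -InterfaceAlias $Nic -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $IPv4 -PrefixLength $Prefix4 -DefaultGateway $Gateway | Out-Null
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $IPv6 -PrefixLength $Prefix6 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DnsServers

# Plain TCP connect test; Test-NetConnection does not exist yet on Windows Server 2012
function Test-TcpPort([string]$Computer, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Computer, $Port); return $true }
    catch { return $false }
    finally { $client.Close() }
}

# Prove name resolution works before joining: the Domain Controller locator records must come back
# from the DNS server just configured, and every Domain Controller they name should answer LDAP
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServers[0] -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$srv | Format-Table Name, NameTarget, Port, Priority -AutoSize
foreach ($target in ($srv | Select-Object -ExpandProperty NameTarget -Unique)) {
    "{0,-40} LDAP (TCP 389) reachable: {1}" -f $target, (Test-TcpPort $target 389)
}

# Rename and join in one step; the restart applies both. The account you are prompted for only needs
# the right to join computers to the domain, so it does not have to be a Domain Admins account.
Add-Computer -DomainName $Domain -NewName $NewName -Credential (Get-Credential -Message "Account allowed to join $Domain") -Restart
```

If the SRV lookup fails or a Domain Controller does not answer on TCP 389, stop here: a join that succeeds by accident (for instance through a stale hosts file) will come back to bite you during promotion.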

4.5 Install the Active Directory Domain Services role

We can now install the Active Directory Domain Services (AD DS) Server Role and accompanying tools, like the Active Directory Administrative Center and Active Directory PowerShell Cmdlets, onto the Windows Server 2012 installation.

If you want to click through this, follow these steps:

  1. Open Server Manager (if not opened automatically),
  2. Click on the Manage link in the top task pane and select Add Roles and Features from the context menu.
  3. Click Next > in the Before you begin screen.
  4. Click Next > to perform a Role-based or feature-based installation.
  5. Click Next > to select the local server as the target of the operation.
  6. Click Active Directory Domain Services in the list with available roles in the Select server roles screen.
  7. Click Add Features in the pop-up window.
  8. Now, click Next > in the Select server roles window.
  9. Click Next > in the Select features screen.
  10. Click Next > after you’ve read what Active Directory Domain Services does.
  11. Click Install in the Confirm installation selections screen to perform the installation of the Active Directory Domain Services Server Role with its accompanying tools.
  12. After the installation has completed, click Close.

4.6 Promote the server

With everything in place for our Domain Controller, we can go ahead and promote the Windows Server installation to a Domain Controller for your Active Directory domain. In this capacity it will operate as an additional Domain Controller, next to your Windows Server 2003-based Domain Controllers.

Perform these steps:

  • Make sure you are logged on as a domain administrator.
  • Open Server Manager (if not opened automatically).
  • Click on the yellow warning sign on the top action bar. It will feature the Post-deployment Configuration for Active Directory Domain Services.
  • Click the Promote this server to a domain controller link. This will trigger the Active Directory Domain Services Configuration Wizard to start.
  • In the Deployment Configuration screen, the default choices are the ones you need to make the server an additional Domain Controller for the domain it is already a member of, using the credentials of the logged on user. Click Next >.
  • In the Domain Controller Options screen, the wizard asks for the Directory Services Restore Mode (DSRM) password for this Domain Controller. Specify it.

    Note:
    Add this password to the documentation for the Domain Controller, in your password vault rather than in a plain-text table. It unlocks the entire directory database from the local console and deserves the same protection as a Domain Admins password.

    Choose an Active Directory site, when appropriate. Accept the DNS Server and Global Catalog capabilities by pressing Next >.
  • Click Next > in the DNS Options screen.
  • Click Next > in the Additional Options screen.
  • In the Paths screen, change the locations for the Active Directory database, log files and System Volume (SYSVOL) by replacing C:\Windows with the drive letter of the second partition on the server. Click Next > when done.
  • Click Next > in the Review Options screen. The View script button on this screen shows the Windows PowerShell command that performs the same promotion, which comes in handy for the additional Domain Controllers later on.
  • Click Install in the Prerequisites Check screen. You will encounter a couple of warnings; read them before you click. The usual ones are about the DNS delegation that cannot be created and about the default for the Windows NT 4.0-compatible cryptography setting you reviewed in step 1.5, and those two are safe to proceed with.

After promotion is successful, the server will automatically reboot.
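The PowerShell equivalent of steps 4.5 and 4.6, as an added example that is not part of the original post: it installs the Active Directory Domain Services role with its management tools, runs the same prerequisite checks the wizard runs, and promotes the server as an additional Domain Controller, DNS server and Global Catalog with the database, logs and SYSVOL on the second volume. The domain name, site name and drive letter are assumptions for this example; the DSRM password and the promotion credential are read interactively so they never land in a script file or the command history.

```powershell
# Added example (not from the original post): role installation, prerequisite check and promotion of
# an additional Domain Controller with the ADDSDeployment module of Windows Server 2012.
$Domain    = 'domain.tld'                 # assumed domain name
$Site      = 'Default-First-Site-Name'    # assumed Active Directory site
$DataDrive = 'D:'                         # assumed drive letter of the second volume

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Both secrets are prompted for; store the DSRM password in your password vault afterwards
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password for this Domain Controller'
$cred = Get-Credential -Message 'Domain Admins account used for the promotion'

$common = @{
    DomainName                    = $Domain
    SiteName                      = $Site
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
    CreateDnsDelegation           = $false      # the warning the wizard shows for this is expected
    NoGlobalCatalog               = $false      # keep the Global Catalog capability, as in the wizard
    DatabasePath                  = "$DataDrive\NTDS"
    LogPath                       = "$DataDrive\NTDS"
    SysvolPath                    = "$DataDrive\SYSVOL"
}

# The same checks as the Prerequisites Check screen: read every message, stop on an error
$check = Test-ADDSDomainControllerInstallation @common
$check.Message | ForEach-Object { Write-Host $_ }
if ($check.Status -eq 'Error') {
    throw 'The prerequisite check failed; fix the errors listed above before promoting this server.'
}

# -Force suppresses the confirmation prompt; the server reboots when the promotion completes
Install-ADDSDomainController @common -Force
```

After the reboot, continue with the checks in step 4.7; the Windows PowerShell route writes the same dcpromo.log as the wizard does.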

4.7 Check for proper promotion

After the server has rebooted, log onto it with administrative privileges, and perform these actions to check for proper Domain Controller promotion:

4.7.1 Check the promotion logs

It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize, specifically, are:

  • C:\Windows\debug\dcpromo.log
    All the events regarding the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services
  • C:\Windows\debug\dcpromoui.log
    All the events from a graphical interface perspective
4.7.2 Check the Event Viewer

Check the event viewer (eventvwr.msc) of the newly created Domain Controller for Active Directory-related events.

Six Applications and Services Logs in particular let you quickly find errors and warnings on Active Directory Domain Services:

  • Active Directory Web Services
  • DFS Replication
  • Directory Service
  • DNS Server
  • File Replication Service
  • Key Management Service

Check these logs for errors.
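The post-promotion check from steps 4.7.1 and 4.7.2 in script form, as an added example that is not part of the original post: it pulls the critical events, errors and warnings from the six logs named above since the promotion, greps the promotion log, and runs the dcdiag tests that confirm the new Domain Controller advertises, replicates and registered its DNS records. The six-hour lookback window is an assumption for this example.

```powershell
# Added example (not from the original post): collect the errors and warnings a fresh Domain
# Controller logged since its promotion and run the dcdiag tests that matter for a new DC.
$Since = (Get-Date).AddHours(-6)        # assumed: the promotion happened within the last six hours
$Logs  = 'Active Directory Web Services', 'DFS Replication', 'Directory Service',
         'DNS Server', 'File Replication Service', 'Key Management Service'

$events = foreach ($log in $Logs) {
    # Level 1 = Critical, 2 = Error, 3 = Warning; an empty result is not an error here
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = $Since } -ErrorAction SilentlyContinue
}

$events | Sort-Object TimeCreated |
    Format-Table TimeCreated, LogName, Id, LevelDisplayName,
                 @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } -Wrap

# dcpromo.log records every promotion step with its result; anything matching here deserves a read
Select-String -Path "$env:SystemRoot\debug\dcpromo.log" -Pattern 'error|fail' | Select-Object -Last 20

# Advertising, replication, DNS registration and a healthy SYSVOL are what a new DC must get right
dcdiag.exe /test:Advertising /test:Replications /test:DNS /test:SysVolCheck /q
```

dcdiag with /q only prints failures, so no output from the last line is the result you want. A warning about the DFS Replication log is expected in an environment that still replicates SYSVOL with the File Replication Service; the migration of SYSVOL replication is a separate exercise.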

4.8 Configure the server

With the Active Directory Domain Services Server Role installed, we need to rerun Windows Update, to get the updates to the Server Role.

Also, this is a good time to configure scheduled system state backups, so you’d be able to restore this single Windows Server 2012-based Domain Controller in your environment.

 

5. Install additional Domain Controllers

With your first Windows Server 2012-based Domain Controller installed, you can go forward with installing additional Windows Server 2012-based Domain Controllers. All the steps for installing the first Domain Controller (Steps 4.1 through 4.8) apply to each of your Windows Server 2012-based Domain Controllers.

Because we will be demoting the Windows Server 2003-based Domain Controllers as one of the next steps, be sure to install at least two Domain Controllers per domain in the forest.

Note:
When you’re planning on using the Kerberos Armoring (FAST) feature after the migration, plan a sufficiently provisioned Domain Controller per Active Directory site per domain, because after Kerberos Armoring (FAST) is enabled, Windows 8 clients will only communicate with Windows Server 2012-based Domain Controllers. This might create a pile-on effect. Therefore, ensure you have sufficient Domain Controllers to prevent authentication traffic passing Active Directory site links.

 

6. Take care of FSMO roles and Global Catalog placement

Using the Active Directory Sites and Services MMC Snap-in (dssite.msc) make new Windows Server 2012 Domain Controllers Global Catalog servers appropriately.

Also transfer the Flexible Single Master Operations (FSMO) Roles to the appropriate servers. You can use the Graphical Interface to move the Flexible Single Master Operations (FSMO) Roles, or go full out on the command line using ntdsutil.

In multiple-domain scenarios Jorge has a good rule of thumb on Global Catalogs and the Infrastructure Master Flexible Single Master Operations (FSMO) Role. Either:

  • Don't make the Domain Controller holding the Infrastructure Master Flexible Single Master Operations (FSMO) Role a Global Catalog server, but only when there is at least one other Domain Controller in the same Active Directory domain that is also not a Global Catalog;
  • Make all Domain Controllers Global Catalog servers.

When your environment includes Microsoft Exchange Server, reboot a Domain Controller after making it a Global Catalog server. Microsoft Exchange communicates with Active Directory through Global Catalogs using MAPI. Although the Active Directory Sites and Services MMC Snap-in doesn't ask for it, you need to restart a Domain Controller at least once after making it a Global Catalog before it starts talking MAPI.

Make sure your Windows Server 2003 (R2)-based Domain Controllers are no longer clinging on to any of the Flexible Single Master Operations (FSMO) Roles, using the graphical user interface or the following netdom.exe command:

netdom.exe query fsmo
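The netdom.exe output lists the role holders, but not whether they are Windows Server 2003 machines or Global Catalogs. The following PowerShell script is an added example (not part of the original post) that inventories FSMO role holders and Global Catalog placement per domain with the ActiveDirectory module, flags any Windows Server 2003 Domain Controller still holding a role, and checks Jorge's rule of thumb on the Infrastructure Master. It assumes it is run with domain administrative privileges on a Windows Server 2012 Domain Controller or a Windows 8 installation with the Remote Server Administration Tools installed.

```powershell
# Added example, not code from the original post.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2012) and domain admin rights.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Schema Master       : $($forest.SchemaMaster)"
Write-Host "Domain Naming Master: $($forest.DomainNamingMaster)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Host "`nDomain: $domainName"
    Write-Host "  PDC Emulator         : $($domain.PDCEmulator)"
    Write-Host "  RID Master           : $($domain.RIDMaster)"
    Write-Host "  Infrastructure Master: $($domain.InfrastructureMaster)"

    # Every Domain Controller of this domain, with operating system, GC status and FSMO roles
    $dcs = Get-ADDomainController -Filter * -Server $domainName
    foreach ($dc in $dcs) {
        $roles = if ($dc.OperationMasterRoles) { $dc.OperationMasterRoles -join ',' } else { '-' }
        Write-Host ("  {0,-30} GC={1,-5} OS={2,-28} FSMO={3}" -f `
            $dc.HostName, $dc.IsGlobalCatalog, $dc.OperatingSystem, $roles)

        # Step 6: a Windows Server 2003 (R2) Domain Controller must not hold any role before demotion
        if ($dc.OperatingSystem -like '*2003*' -and $dc.OperationMasterRoles) {
            Write-Warning "$($dc.HostName) still holds $roles. Transfer these roles before demoting it."
        }
    }

    # Jorge's rule of thumb: the Infrastructure Master may be a GC only when every DC is a GC
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    if ($im -and $im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        Write-Warning ("Infrastructure Master {0} is a Global Catalog while {1} DC(s) are not. " +
            "Move the role to a non-GC Domain Controller or make all Domain Controllers GCs.") `
            -f $im.HostName, $nonGc.Count
    }
}
```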

       

7. Demote your old Domain Controllers

I've seen Domain Controllers become the prostitutes of the server room in many environments. Any software that didn't require a dedicated server, or was deemed highly dependent on Active Directory, was installed on the Domain Controller. When you're one of the administrators treating their Domain Controllers like that, you're going to have a hard time demoting your Domain Controllers.

Testing demotions in a separate (virtual) testing environment could give you a clear picture of the behavior of your ex-Domain Controllers though! Remember: “Everyone has a test environment, not just everyone has a production environment…”

From my personal experience I can tell it's not recommended to demote a Domain Controller when Exchange Server or Internet Information Services was installed on it after it was promoted. You're going to have to find another box to install these services on.

When your Windows Server 2003 (R2)-based Domain Controllers are also Domain Name System (DNS) servers, it is recommended to change the DNS zones into Active Directory Integrated DNS zones (when possible), so they get replicated to every Domain Controller running the DNS Server service. Installing the DNS Server role on a Windows Server 2012 Domain Controller using Server Manager then suffices to migrate the DNS settings and zone data. Be sure to change the DNS settings on your other servers and workstations before removing DNS servers from your network.

You can safely demote a Windows Server 2003-based Domain Controller using the following steps:

  • Click Start, then click Run... Type dcpromo.exe as the name of the program and click OK.
  • Click Next > in the Welcome to the Active Directory Installation Wizard screen.
  • When the Domain Controller is a Global Catalog, you will see the warning This domain controller is a Global Catalog server. Global Catalogs are used to process user logons. You should make sure other Global Catalogs are accessible to users of this domain before removing Active Directory from this computer. Click OK.

    Remove Active Directory screen of the Active Directory Installation Wizard (click for original screenshot)
  • In the Remove Active Directory screen, click Next >.
  • In the Administrator Password screen, type the new password for the local Administrator account of the soon-to-be-demoted Domain Controller, twice.

Note:
The demoted Domain Controller will be a member server after the demotion. You will be able to log onto it with domain credentials, as well as with the local Administrator account and the password you set here.

  • Click Next > when done.

  • In the Summary screen, click Next >.
  • After the Domain Controller has successfully been demoted, click Finish to close the wizard.
  • Click Restart Now in the pop-up for the Active Directory Installation Wizard to restart the server.

If you're unsuccessful, you might want to try to remove the barriers that prevent demotion one by one, or ultimately remove the server from Active Directory the hard way, which is described in Microsoft KnowledgeBase article 332199.

 

8. Raise the domain and forest functional levels

8.1 Raise the Domain Functional Level

After you've successfully demoted the last Windows Server 2003 (R2)-based Domain Controller for a specific domain (or you don't feel the need to ever add pre-Windows Server 2003 (R2)-based Domain Controllers to your Active Directory environment) you're ready to raise the Domain functional level of that domain.

Upgrading the Domain Functional Level (DFL) to Windows Server 2008 adds these features to your environment:

  1. Improved DFS Replication
    Support to use Distributed File System (DFS) Replication for the System Volume. When used in Windows Server 2008 mode, DFS also supports access-based enumeration and increased scalability.
  2. Advanced Encryption Standards
    After you raise the Domain Functional Level to Windows Server 2008 and reset the passwords for users, they can enjoy AES128 and AES256 support for the Kerberos protocol.
  3. Last Interactive Logon Information
    Last Interactive Logon Information displays information on the total number of failed logon attempts, the total number of failed logon attempts after a successful logon, the time of the last failed logon attempt and the time of the last successful logon attempt, when a user account is used to log on.
  4. Fine-grained password policies
    This feature allows you to specify password and account lockout policies for user accounts and global security groups in a domain.

Upgrading the Domain Functional Level (DFL) to Windows Server 2008 R2 adds two features to your environment:

  1. Authentication Mechanism Assurance
    This mechanism adds information to the user’s Kerberos token on the type of authentication used. This allows administrators to modify group membership based on how the user authenticates. For example, a user can have access to different resources if they log in with a certificate versus when they log in with just their username and password.
  2. Automatic SPN management
    In the past, administrators regularly used Active Directory user accounts as service accounts for Exchange Server, SQL Server and Internet Information Services (IIS).
    Managed Service Accounts (MSAs) can be used since Windows Server 2008 R2, and this feature allows for automatic SPN management, one of the two main benefits of these accounts.

Upgrading the Domain Functional Level (DFL) to Windows Server 2012 adds one feature to your environment:

  1. The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 Domain Functional Level (DFL).

Start with the forest root domain and follow the steps outlined in section 3.1 Raise the domain and forest functional levels, but instead of raising the Domain Functional Level to Windows Server 2003, raise the Domain Functional Level to Windows Server 2012:

Raise the Domain Functional Level (click for original screenshot)

8.2 Raise the Forest Functional Level

After you've successfully upgraded the Domain Functional Level (DFL) of all the domains in your Active Directory forest, you're ready to upgrade the Forest Functional Level (FFL).

  • Upgrading the Forest Functional Level (FFL) to Windows Server 2008 adds no features to your environment.
  • Upgrading the Forest Functional Level (FFL) to Windows Server 2008 R2 adds the Active Directory Recycle Bin functionality to your environment, but only after you enable it afterwards.
  • Upgrading the Forest Functional Level (FFL) to Windows Server 2012 adds no features to your environment.

Although some of the Forest Functional Levels (FFLs) don’t add features, raising the Forest Functional Level (FFL) to Windows Server 2012 results in all domains subsequently added to the forest operating at the Windows Server 2012 Domain Functional Level (DFL).

Follow the steps outlined in section 3.1 Raise the domain and forest functional levels to raise the Forest Functional level to Windows Server 2012:

Raise the Forest Functional Level (click for original screenshot)

 

9. Enable Active Directory Optional Features

When your Active Directory forest runs at the Windows Server 2012 Forest Functional Level, you can enable the Active Directory Recycle Bin.

One of the new features in Windows Server 2012 is the ability to turn this feature on in the Graphical User Interface (GUI). Follow these steps to do so:

  1. Log onto a Windows Server 2012-based Domain Controller, or a domain-joined Windows 8 installation with the Remote Server Administration Tools and the Active Directory Administrative Center feature installed, with an account with administrative privileges.
  2. Start the Active Directory Administrative Center (dsac.exe)
  3. Select the domain name in the left pane.
  4. Click the Enable Recycle Bin … link in the right task pane.

     Enable Recycle Bin Confirmation Pop-up (click for original screenshot)

  5. Click OK in the Enable Recycle Bin Confirmation pop-up.

     Active Directory Administrative Center Refresh Pop-up (click for original screenshot)
  6. Also click OK in the Active Directory Administrative Center to acknowledge the need to refresh the Administrative Center console.
  7. Press the round refresh button in the grey top pane of the Active Directory Administrative Center to refresh it.
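Sections 8 and 9 can also be done from PowerShell. The following script is an added example (not part of the original post) that, per domain, refuses to raise the Domain Functional Level while a pre-Windows Server 2012 Domain Controller still exists, raises the Domain Functional Level to Windows Server 2012, then raises the Forest Functional Level and enables the Recycle Bin. It assumes Enterprise Admin rights and the ActiveDirectory module of the Windows Server 2012 Remote Server Administration Tools.

```powershell
# Added example, not code from the original post.
# Assumes Enterprise Admin rights and the ActiveDirectory module (RSAT / Windows Server 2012).
Import-Module ActiveDirectory
$forest = Get-ADForest

# Step 8.1: raise the DFL of every domain, forest root first (Get-ADForest lists it first)
foreach ($domainName in $forest.Domains) {
    # A domain still holding a Windows Server 2003 (R2) or 2008 (R2) DC must not be raised yet (step 7 first)
    $old = @(Get-ADDomainController -Filter * -Server $domainName |
             Where-Object { $_.OperatingSystem -notlike '*2012*' })
    if ($old.Count -gt 0) {
        Write-Warning "$domainName still has pre-2012 Domain Controllers: $($old.HostName -join ', '). Demote them first."
        continue
    }
    $domain = Get-ADDomain -Identity $domainName
    if ($domain.DomainMode -lt 'Windows2012Domain') {
        Write-Host "Raising DFL of $domainName from $($domain.DomainMode) to Windows2012Domain"
        Set-ADDomainMode -Identity $domainName -DomainMode Windows2012Domain -Confirm:$false
    }
}

# Step 8.2: the FFL can only be raised once every domain runs the Windows Server 2012 DFL
$lagging = @($forest.Domains | Where-Object { (Get-ADDomain -Identity $_).DomainMode -lt 'Windows2012Domain' })
if ($lagging.Count -gt 0) {
    Write-Warning "Not raising the FFL; these domains are not at Windows2012Domain yet: $($lagging -join ', ')"
    return
}
if ($forest.ForestMode -lt 'Windows2012Forest') {
    Write-Host "Raising FFL of $($forest.RootDomain) from $($forest.ForestMode) to Windows2012Forest"
    Set-ADForestMode -Identity $forest.RootDomain -ForestMode Windows2012Forest -Confirm:$false
}

# Step 9: enable the Recycle Bin (forest-wide; once enabled it cannot be disabled again)
$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($recycleBin.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
    Write-Host "Active Directory Recycle Bin enabled for $($forest.RootDomain)"
} else {
    Write-Host "Active Directory Recycle Bin was already enabled"
}
```

Because raising functional levels and enabling the Recycle Bin are one-way changes, run the script once against a test forest before running it in production.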

 

10. Run the Active Directory Best Practices analyzer

On Domain Controllers running Windows Server 2008 R2 and up, you can use the Active Directory Domain Services Best Practices Analyzer (BPA). With the BPA, you can scan your Active Directory infrastructure for compliance with the best practices. These best practices were designed with input from Microsoft Consulting Services and help you avoid most of the situations that can lead to data loss and unavailability of Domain Controllers.

The Active Directory Domain Services BPA can be run using the Server Manager or using the PowerShell Cmdlets. To run the scan from Server Manager perform the following steps:

Tip!
Server Manager can be used to scan a local or remote computer. To scan a remote computer, simply use the Connect to Another Computer option in Server Manager.

  1. Log onto a Windows Server 2012-based Domain Controller, or a domain-joined Windows 8 installation with the Remote Server Administration Tools and the Server Manager feature installed, with an account with administrative privileges.
  2. Open Server Manager.
  3. In the left pane of Server Manager, click on AD DS.
  4. Scroll down in the main pane to the Best Practice Analyzer section.

     Active Directory Best Practices Analyzer in Server Manager (click for original screenshot)
  5. Click on the Tasks button and then select Start BPA Scan from the context menu.
  6. Click Start Scan in the Select Servers screen.

Using your common sense, make the configuration changes for the non-compliant settings listed as warnings and errors.
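The same scan can be run with the BestPractices module cmdlets mentioned above. The following script is an added example (not part of the original post) that runs the AD DS BPA model, keeps only the warnings and errors, and exports them so the proposed changes can be reviewed before anything is touched. It assumes it runs on a Windows Server 2012 Domain Controller with administrative privileges; the export path is an assumption.

```powershell
# Added example, not code from the original post.
# Assumes a Windows Server 2012 Domain Controller and administrative privileges.
Import-Module BestPractices

$modelId = 'Microsoft/Windows/DirectoryServices'   # the AD DS Best Practices Analyzer model

# Run the scan; Invoke-BpaModel reports whether the scan itself succeeded
$scan = Invoke-BpaModel -ModelId $modelId
if (-not $scan.Success) {
    throw "BPA scan of $modelId failed: $($scan.Detail)"
}

# Keep only non-compliant, non-excluded results: the warnings and errors to act on
$findings = Get-BpaResult -ModelId $modelId |
    Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded }

if ($findings) {
    $findings | Sort-Object Severity, Category |
        Select-Object Severity, Category, Title, Problem, Resolution |
        Format-List

    # Export for review before making configuration changes (path is an assumption)
    $csv = Join-Path $env:TEMP ("ADDS-BPA-{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format yyyyMMdd))
    $findings | Export-Csv -Path $csv -NoTypeInformation
    Write-Host "$(@($findings).Count) finding(s) exported to $csv"
} else {
    Write-Host "No BPA warnings or errors on $env:COMPUTERNAME"
}
```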

 

Concluding

Transitioning your Active Directory to Windows Server 2012 seems as easy as adding new Windows Server 2012 Domain Controllers to your current environment. It might be that easy in small shops with only a single Domain Controller in a single Active Directory domain in its own forest with one single Active Directory site.

In larger environments, be sure to check whether what you're doing is successfully installed, performed and replicated before you screw up your Active Directory environment though!

5 Responses to Transitioning your Windows Server 2003 Domain Controllers to Windows Server 2012

  1.  

    Hi

    Great article…

    Are there any caveats going from 2003 DC (still with 2000 DFL / FFL) to 2012 R2 direct?
    I have read that 2012R2 only supports DFS-R now and FRS is fully deprecated..
    But to support DFS-R don't you need to be 2008 at least, so therefore a two-jump process?

    Will 2012R2 somehow automagically convert replication methods as part of upgrade process? Or do we follow the guidance provided in the 2008 days still (i.e. "SYSVOL Replication Migration Guide: FRS to DFS Replication" and Ned's blogs)

    Cheers

    Richard

    • Windows Server 2012 R2 is the last version of Windows Server to support the File Replication Service (FRS) for SYSVOL replication on Domain Controllers.
      The challenge you're indicating will be there for the next version of Windows Server when you want to run them as Domain Controllers in a pre-existing environment.

      There's still time to properly migrate FRS to DFSR. 🙂
      The resources you mention will get you there.

       
  2.  

    Hi, we are demoting 65 2003 DC's as part of moving towards a 2012 domain/forest. To progress the demotions as quickly as possible how long should we leave between each of the 65 DC demotions?

    • Hi Mark,

      You should leave sufficient time between demotions to make the changes replicate to all other Domain Controllers.

      The placement of the Domain Controllers with the RID Master and PDC Emulator FSMO roles, the hardware running the Bridgehead Domain Controllers per Active Directory site, the Active Directory sites layout, site links, replication methods, replication schedules and whether you're still using FRS for SYSVOL Replication all affect the time needed for replication changes. Luckily, you can force replication to speed up the process.

      I recommend using Microsoft's free Active Directory Replication Status Tool to monitor replication during the process.

       
  3.  

    Hi Great article,

    During the 2003 DC transition to 2012 we have DHCP also configured on a 2003 DC. How should we migrate that database to Windows 2012? Any support would be of great help.
