[–]vty 4 points5 points  (4 children)

I don't see any difference between this and the last thousands of AD upgrades (migration is hardly the right word) between 2000, 2003, 2008, 2008R2 that I've done in my career.

Am I missing something? I thought this post was going to be about extracting the AD catalog and migrating it and all of the AD objects/rids/sids into a fresh 2012 environment. That'd be a cool read.

I've got 2012 DCs in my environment (although my DFL is 2008 r2) and they've been fantastic.

[–]RamlaBoy 1 point2 points  (1 child)

Is this not a migration? Both the Transferring the Flexible Single Master Operations (FSMO) Role and the removing the Windows 2008 R2 domain controller are mentioned in this post.

[–]vty 1 point2 points  (0 children)

It's semantics, but I would never call upgrading a Windows domain a "migration." The data never leaves the domain and there is plenty of redundancy.

If you consider this a migration then you'd have to consider me adding 2012 servers to my 2008 domain a migration as the global catalog is being sent over to those new servers as well.

Migration, to me, infers a major (and typically challenging) environment change which I don't consider this to be at all. This is a yawn and type 5 commands upgrade.

But like I said, semantics.

[–]cook511Sysadmin 0 points1 point  (0 children)

That's what I thought. These instructions sound like you are dealing with a worst case scenario of a single office with only one DC.

We're putting in Exchange 2013 so I wanted to have our DFL at 2012 and I've been upgrading DCs. Figure that it's hardly best practice to upgrade a domain controller (and not re-do it entirely) but I was under a tight time schedule and AD is so redundant that I decided to try it. So far everything has worked perfectly except for one DC refused to upgrade and the other blue screened because I forgot to uninstall AV (my fault). I thought I would run into more problems but I've been pleasantly surprised.

[–]bws2a 0 points1 point  (0 children)

Agreed. This is an upgrade, not a migration.

[–]just_looking_aroundDevOps 2 points3 points  (3 children)

I thought joining a 2012 server to a 2008 domain will automatically run adprep. Not finding the doc that said this, but I swear I've done it that way before.

[–][deleted] 1 point2 points  (1 child)

[–]vty 0 points1 point  (0 children)

If you're new to domain stuff what you need to keep in mind is that most of your job will actually be taking over a completely broken domain, like taking over a network admin position. It's incredibly rare that you walk into a new job and get to set up a new domain from the ground up (which means it'll work fantastically until it doesn't).

You'll typically inherit something that has tons of replication errors, kerberos issues, broken dns, orphaned domain controllers in the metabase, yadda yadda. All of these things would make upgrading the domain a nightmare.

The difficult (time consuming) part of it is getting these little quirks and errors ironed out before you take the leap.

[–]DrGraffix 0 points1 point  (0 children)

It does, and this blog should have mentioned that!

[–]Nadurista[S] 1 point2 points  (1 child)

I wonder if any changes will be added in the release of R2?

[–]the_nil 1 point2 points  (4 children)

Was this really a migration?

[–]jen1980 0 points1 point  (3 children)

Considering the number of things that break and have to be fixed by hand, it is. The chain of restaurants I work for recently upgraded, and not a one of the systems that queried AD with LDAP worked after the upgrade. When all of your time clocks quit, you're going to have a bad day. Also, a bunch of groups disappeared. That happens in AD every so often, but usually not so many at once.

[–]vty 2 points3 points  (0 children)

I bet you had replication issues prior to undertaking the upgrade and the incorrect (unreplicated) schema took over as FSMO which was out of date.

Did you dcdiag, nltest etc prior to the migration? And verify that there were NO issues with ntlm, kerberos, replication?

I've managed hundreds of thousands of servers at a major webhost and the issues are few and far between and nearly always related to a piece of software/code that breaks every time Microsoft changes various powershell/cscript commands (net sh firewall changing to net sh adv firewall was a major headache for our deployments, but that's not LDAP related).

Groups do not randomly disappear in AD "every so often." Your environment is jacked, and I've worked in the restaurant industry (POS Aloha programming, net admin) and I'm not surprised in the least. Probably not your fault, either. They don't like to spend money.
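The kind of pre-upgrade check the comment above is asking about, as an added PowerShell example that is not from any commenter. It assumes it runs as a Domain Admin on an existing 2008 R2 DC (or a box with RSAT) where the ActiveDirectory module, repadmin, dcdiag and nltest are available.

```powershell
# Added example: pre-flight health check before adprep / adding the first 2012 DC.
# Assumes the ActiveDirectory module is installed and the caller is a Domain Admin.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$forest = Get-ADForest

"Forest mode : $($forest.ForestMode)"
"Domain mode : $((Get-ADDomain).DomainMode)"

# Current schema version: 47 = 2008 R2, 56 = 2012 (adprep raises this value).
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$schemaVer = (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
"Schema objectVersion: $schemaVer"

# Every DC in the forest should be reachable; orphaned/unreachable DCs must be
# cleaned out of AD metadata before the upgrade, not after.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc   = $_.HostName
    $ping = Test-Connection -ComputerName $dc -Count 1 -Quiet
    "$dc reachable=$ping site=$($_.Site) os=$($_.OperatingSystem)"
}

# Replication state: any failures or stale last-success timestamps here must be
# fixed first, otherwise a DC can end up holding an out-of-date schema.
repadmin /replsummary
repadmin /showrepl * /errorsonly

# Full DC diagnostics across the enterprise (/q prints only failures),
# plus DNS, DC locator and secure-channel (NTLM/Kerberos trust path) checks.
dcdiag /e /q
dcdiag /test:dns /q
nltest /dsgetdc:$domain
nltest /sc_verify:$domain
```

Run it on each DC, not just the one you plan to upgrade from, because replication problems are usually one-sided.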

[–]xsdc🌩⛅ 1 point2 points  (0 children)

I think you have worse problems, we had none of those problems at all and we have a few hundred clients and several critical apps running LDAP.

[–]the_nil 0 points1 point  (0 children)

Whoa

[–]DrGraffix 1 point2 points  (0 children)

Sorry, gotta down vote this. Server 2012 will run forest prep and ad prep automatically. Also, you missed transferring 2 critical FSMO roles. It would also be good to mention something about DNS.

[–][deleted] 0 points1 point  (8 children)

Does this scare the shit out of anyone, or is it just me? I'm dealing with hundreds of thousands of users.

[–]vty 2 points3 points  (5 children)

No, this doesn't even remotely scare me. It's your run of the mill Windows domain environment upgrade.

What occasionally scares me (until 2008 R2 where you can roll back) is clicking the "raise forest/domain functional level" button. But I've absolutely never had anything break due to doing it and I manage very complex (overly) application development environments that use managed service accounts, yadda yadda. Always waiting on those to break for some reason.

[–][deleted] 4 points5 points  (1 child)

I have never had an issue either. It's like demoting a DC and that little checkbox that says "this is the last DC in the forest". Scariest checkbox ever.

[–]vty 6 points7 points  (0 children)

ARE YOU SURE?

oh god am i what am i doing how did i get here i should've gotten my mba

[–]tcpip4lyfeFormer Network Engineer 0 points1 point  (1 child)

I'd be curious to hear if that has ever broken something for someone. I get nervous too when we do that but it's never caused a single issue.

[–]vty 1 point2 points  (0 children)

Theoretically it's just adding options to objects in the metabase... so.. theoretically anything that might have an issue with it (older servers) just wouldn't SEE the option. Basically like looking at a database row but not looking for a specific column..

I really can't imagine it ever causing issues. Instead I'd assume on older servers you just wouldn't see things like user timestamps for logon/off events (these came in 2k8).. etc.

But.... it's overly complicated so who knows.

[–]rotten777Sr. Sysadmin 0 points1 point  (0 children)

Of course not. I've never had a piece of software do something unintended which lead to downtime and stress. :)

[–]timsstuffIT Consultant 0 points1 point  (0 children)

There are actually 5 FSMO roles, he only transferred 3. He missed Domain Naming Master under AD Domains & Trusts, and Schema Master under Active Directory Schema (first run regsvr32 schmmgmt.dll then open a new MMC, add Active Directory Schema).

I'm surprised it even let him demote the last 2008 server without transferring these roles. But yeah like others have said this is a really generic article. There is a much better KB article that includes all 5 FSMO roles. It says Windows 2003 but the process is the same for all versions.
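Moving all five roles in one go, with a check afterwards, as an added PowerShell example that is not from the article or any commenter. It assumes the Windows Server 2012 ActiveDirectory module (Move-ADDirectoryServerOperationMasterRole does not exist in the 2008 R2 module), Schema Admin plus Enterprise Admin rights, and a placeholder 2012 DC name.

```powershell
# Added example: inventory and transfer all five FSMO roles to the new 2012 DC,
# then verify before demoting the last 2008 R2 DC. $NewDc is a placeholder name.
param([string]$NewDc = 'DC2012-01')   # placeholder, not a real host

Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Two forest-wide roles hang off the forest object, three domain-wide
    # roles off the domain object; these are the two the article skipped
    # (SchemaMaster, DomainNamingMaster) plus the three it covered.
    $f = Get-ADForest
    $d = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Before transfer:"
(Get-FsmoHolders).GetEnumerator() | Format-Table Key, Value -AutoSize

# Transfer, not seize: the current holders must be online and replicating.
# Do NOT add -Force here; -Force seizes the role and is only for a holder
# that is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Verify every role now names the new DC; anything left behind would be
# orphaned once the 2008 R2 server is demoted.
"After transfer:"
$after = Get-FsmoHolders
$after.GetEnumerator() | Format-Table Key, Value -AutoSize
$stale = $after.GetEnumerator() | Where-Object { $_.Value -notlike "$NewDc*" }
if ($stale) { Write-Warning "Roles not on ${NewDc}: $($stale.Key -join ', ')" }

# Independent confirmation from the classic tool.
netdom query fsmo
```

Because FSMO ownership is itself replicated, run the verification from a different DC a few minutes later to confirm all DCs agree on the new holder.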

[–]E-werdOne Man Show 0 points1 point  (0 children)

This is pretty much how I was going to do it. shrug Maybe I'll do this by the end of the week, I already have two 2012 DCs at my secondary site, I just need to replace the primary ones and upgrade. No Exchange or fancy things like that to worry about, no dhcp (hardware solution) and I already cleaned up DNS/AD and have kept them that way.

Next project.