The following is a checklist I am compiling as I go through an upgrade of a Single Forest/Single domain AD environment.
To give you an idea of scale: 4,500 clients, 500 servers and 5 AD sites.
My upgrade is in 4 steps:
- Upgrade schema
- Test new 2012 R2 DCs
- Replace all 2003 DCs
- Upgrade functional level for forest and domain
All application servers (Dev/Test/Prod) exist in the production AD environment, so testing that up to 200 application servers still worked was going to be fun!
There was the odd NT and 2000 Server around, but they were not domain joined and were being replaced in 4 months. Even if they were not domain joined, they may still have drive or printer mappings to the 2003 AD environment, so they would need to be tested if they hung around any longer.
The first place to start is this list. Yes, I know it says Windows 2008 R2, but this is what MS Premier Support pointed me to:
I found the best thing to do was to copy and paste it into an Excel spreadsheet and step through whether each item was applicable pre or post schema upgrade, using a traffic light system to highlight the things I need to check (yellow) or escalate (red).
Nothing like being methodical in this process.
Below is a list of things I needed to find out from that list, so I have done posts to cover my research into them, which may save you some time.
1p – DES encryption removed: How do I find accounts that use DES encryption in Windows 2003 AD?
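One way to answer that question with a plain LDAP query, as an added example that is not from the original post. It assumes "uses DES" means the "Use DES encryption types for this account" flag (USE_DES_KEY_ONLY, 0x200000 in userAccountControl), and that PowerShell 2.0 or later is run from a domain-joined machine:

```powershell
# Added example: list accounts flagged "Use DES encryption types for this account".
# Uses System.DirectoryServices (plain LDAP), so it works against 2003 DCs
# that have no AD Web Services for the ActiveDirectory module.

$USE_DES_KEY_ONLY = 0x200000   # userAccountControl bit 2097152
$ACCOUNTDISABLE   = 0x2

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filter = "(&(|(objectCategory=person)(objectCategory=computer))" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$USE_DES_KEY_ONLY))"

# With no SearchRoot set, the search starts at the root of the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
$searcher.PageSize = 1000      # page results so large domains are not truncated
$searcher.PropertiesToLoad.AddRange([string[]]@(
    'samaccountname', 'distinguishedname', 'useraccountcontrol',
    'pwdlastset', 'serviceprincipalname'))

$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]

        # pwdLastSet is a FILETIME; 0 or absent means the password was never set.
        $pwdSet = $null
        if ($r.Properties['pwdlastset'].Count -gt 0) {
            $raw = [long]$r.Properties['pwdlastset'][0]
            if ($raw -gt 0) { $pwdSet = [DateTime]::FromFileTimeUtc($raw) }
        }

        New-Object PSObject -Property @{
            Account        = [string]$r.Properties['samaccountname'][0]
            Enabled        = -not ($uac -band $ACCOUNTDISABLE)
            HasSPN         = ($r.Properties['serviceprincipalname'].Count -gt 0)
            PwdLastSetUtc  = $pwdSet
            DN             = [string]$r.Properties['distinguishedname'][0]
        }
    }
}
finally {
    $results.Dispose()         # FindAll() holds unmanaged resources
}

$report | Sort-Object Account |
    Select-Object Account, Enabled, HasSPN, PwdLastSetUtc, DN |
    Format-Table -AutoSize
```

Enabled accounts in the output are the ones to chase up with their owners before the 2003 DCs are replaced.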
Exchange Server Supportability Matrix
If you have Exchange in your domain, you need to make sure you are at the right patch level.
AD Forest and Domain Functional Levels
I’m going to a 2008 R2 domain functional level, but probably will leave the forest at 2008.
This gives you scope to add other domains at a 2008 or higher level. There is no benefit to going to a 2012 forest level unless you want to force any new domains to be at the 2012 domain functional level.
2008 R2 is also the entry point that lets you roll the functional level forward and back between 2008 R2 and 2012 R2.
You need to understand the impact of changing the domain functional level in your environment and test.
By this I mean: are all your application servers and workstations going to be able to handle the new functional level?
Event ID: 4 – The Kerberos client received a KRB_AP_ERR_MODIFIED: Windows 2003 and Windows 2012 R2 DC environment, need to wait for the hotfix to be available
Best explained here, but you do not need to run ADPrep first, as adding the first 2012 R2 domain controller (explained below) will run ADPrep automatically if needed.