Windows 2003 AD Migration to 2012 R2 AD Checklist

Overview

The following is a checklist I am compiling as I go through an upgrade of a single-forest, single-domain AD environment.
To give you an idea of scale: 4,500 clients, 500 servers and 5 AD sites.

My upgrade is in 4 steps:

  1. Upgrade schema
  2. Test new 2012 R2 DCs
  3. Replace all 2003 DCs
  4. Upgrade functional Level for Forest and Domain

All application servers (Dev/Test/Prod) exist in the production AD environment, so testing that up to 200 application servers still worked was going to be fun!

There was the odd NT and 2000 Server around, but they were not domain joined and were being replaced in 4 months. Even if they were not domain joined, they may still have drive or printer mappings to the 2003 AD environment, so they would need to be tested if they hung around any longer.

Groundwork

W2K3 to W2K8 and W2K8R2 Active Directory Upgrade Considerations

The first place to start is this list. Yes, I know it says Windows 2008 R2, but this is what MS Premier Support pointed me to:

I found the best thing to do was to copy and paste it into an Excel spreadsheet and step through whether each item was applicable pre or post schema upgrade, using a traffic light system to highlight things I need to check (yellow) or escalate (red).

2003 AD checklist

Nothing like being methodical in this process.

Below is a list of things I needed to find out from that list, so I have done posts to cover my research into them, which may save you some time.

1p – DES encryption removed: How do I find accounts that use DES encryption in Windows 2003 AD?
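
One way to answer that question, as an added example (not code from this post or from the linked one): accounts restricted to DES carry the USE_DES_KEY_ONLY bit (0x200000) in userAccountControl, which a plain LDAP query can find. It assumes PowerShell 2.0 or later on a domain-joined machine and read access to the directory; the report columns are my own choice.

```powershell
# Added example: list accounts restricted to DES Kerberos keys.
# Uses plain LDAP through ADSI, so it needs neither the ActiveDirectory
# module nor AD Web Services on the domain controllers.

$UF_ACCOUNTDISABLE   = 0x2        # userAccountControl: account is disabled
$UF_USE_DES_KEY_ONLY = 0x200000   # userAccountControl: DES-only Kerberos keys

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filter = "(&(|(objectCategory=person)(objectCategory=computer))" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$UF_USE_DES_KEY_ONLY))"

$searcher = [adsisearcher]$filter   # searches the current domain
$searcher.PageSize = 1000           # page through results beyond 1000 objects
foreach ($attr in 'samaccountname','distinguishedname','useraccountcontrol','pwdlastset') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]

        # pwdLastSet is a FILETIME; 0 or missing means no password date to show.
        $pwdRaw = 0
        if ($r.Properties['pwdlastset'].Count -gt 0) {
            $pwdRaw = [long]$r.Properties['pwdlastset'][0]
        }
        $pwdSet = $null
        if ($pwdRaw -gt 0) { $pwdSet = [DateTime]::FromFileTimeUtc($pwdRaw) }

        New-Object PSObject -Property @{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            Enabled           = (($uac -band $UF_ACCOUNTDISABLE) -eq 0)
            PasswordLastSet   = $pwdSet
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}
finally {
    $results.Dispose()              # release the unmanaged search handle
}

@($report) | Sort-Object Enabled, SamAccountName |
    Format-Table SamAccountName, Enabled, PasswordLastSet, DistinguishedName -AutoSize
```

Enabled accounts in the output are the ones to follow up with their application owners before the new DCs go in.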

Exchange Server Supportability Matrix

If you have Exchange in your domain, you need to make sure you are at the right patch level.

http://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx

AD Forest and Domain Functional Levels

Understanding Active Directory Domain Services (AD DS) Functional Levels

I’m going to a 2008 R2 domain functional level, but probably will leave the forest at 2008.

This gives you scope to add other domains at a 2008 or higher level. There is no benefit to going to a 2012 forest level unless you want to force any new domains to be at the 2012 domain functional level.

2008 R2 is also the entry point so that you can roll forward and back the functional level between 2008 R2 and 2012 R2.

You need to understand the impact of changing the domain functional level in your environment and test.

By this I mean: are all your application servers and workstations going to be able to handle the new functional level?

Additional Hotfixes

Event ID: 4 The Kerberos client received a KRB_AP_ERR_MODIFIED (Windows 2003 and Windows 2012 R2 DC environment): need to wait for the hotfix to be available.

Upgrade process

Best explained here:

Migrate Active Directory from Server 2003 to Server 2012 R2

but you do not need to run ADPrep first: adding the first 2012 R2 domain controller, as explained below, will run ADPrep automatically if needed.

Adding first Windows Server 2012 Domain Controller within Windows 2003/2008/2008R2 network