Upgrading Active Directory to Windows Server 2012

In this document we will see how to upgrade our Active Directory infrastructure to the latest version, Windows Server 2012. This process is much simpler than in previous versions, since the promotion process itself prepares the AD and installs the necessary requirements.

The forest functional level of our AD must be at least 'Windows Server 2003' to continue; otherwise, we will raise it!

An in-place upgrade of the DC itself can be performed if its OS is Windows Server 2008 or Windows Server 2008 R2. If we have DCs with the Standard or Enterprise edition, we can upgrade them to Standard or Datacenter.

Prior to any migration, we need to confirm that our Active Directory is consistent and that replication between all domain controllers is fine, and it would be a good idea to do a little metadata cleanup.

– DCDIAG. Running “dcdiag.exe > FICHERO_DE_LOG” gives us diagnostics for each domain controller. It analyzes the status of one or all domain controllers in a forest and reports any issues to help resolve them.

– REPADMIN. Running “repadmin.exe /showreps > FICHERO_DE_LOG” verifies that replication between sites and between domain controllers is correct.

– GPOTOOL. Running “gpotool.exe > FICHERO_DE_LOG” checks the status of each policy in our Active Directory. Replication failures can leave the same GPO with different configurations in different sites.
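An added example (not from the original article) that makes the replication check quick to review: it parses the CSV form of the same report, `repadmin /showrepl * /csv`, and lists only the links with failures. The sample CSV is constructed for illustration, and the DC, site and domain names in it are hypothetical.

```powershell
# Constructed sample of `repadmin /showrepl * /csv` output (hypothetical names).
# On a live domain, replace it with:  $csv = repadmin.exe /showrepl * /csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC2012,"DC=example,DC=local",HQ,DC2003,RPC,0,0,2013-01-10 09:15:02,0
showrepl_INFO,HQ,DC2012,"CN=Configuration,DC=example,DC=local",HQ,DC2003,RPC,0,0,2013-01-10 09:15:02,0
showrepl_INFO,BRANCH,DC2008,"DC=example,DC=local",HQ,DC2003,RPC,14,2013-01-10 09:01:44,2013-01-08 22:47:10,1722
'@

function Get-ReplicationFailure {
    # Returns one object per replication link that reports at least one failure.
    param([Parameter(Mandatory)][string[]]$CsvText)

    $CsvText | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Status'
}

$failures = @(Get-ReplicationFailure -CsvText $csv)
if ($failures.Count -gt 0) {
    # Status 1722 in the sample is "The RPC server is unavailable".
    Write-Warning "$($failures.Count) replication link(s) failing; fix these before promoting a new DC."
    $failures | Format-Table -AutoSize
} else {
    Write-Output 'No replication failures reported.'
}
```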

Here we have a somewhat old but still useful guide that explains how to perform certain tests or audits of our AD and that also clarifies some of the terms involved.

 

As we mentioned before, preparing Active Directory is optional: when we promote our first Windows Server 2012 domain controller, all the necessary checks against the requirements are carried out and the AD is prepared for us. We can still run the preparation ourselves if we want to pass optional parameters.

The first thing we will do is prepare Active Directory to allow domain controllers running Windows Server 2012. We do this with the ADPREP tool, which is now available only in a 64-bit version. We will run 'adprep.exe /forestprep' to prepare the AD schema from any member server in the domain.

 

Then 'adprep.exe /domainprep /gpprep' to prepare each domain. We must be members of Schema Admins, Enterprise Admins or Domain Admins.

 

And optionally 'adprep.exe /rodcprep', in case we are interested in having read-only domain controllers in our Active Directory. Being a member of Domain Admins is enough to run it.

 

To promote the new DC on Windows Server 2012, we simply add the AD DS role from Server Manager > “Add roles and features”.

 

In Server roles, select “Active Directory Domain Services”.

 

We install the role; the server will need a restart after the promotion of this computer is configured.

 

 

Click on “Promote this server to a domain controller”.

 

In this case, since we are going to migrate our 2003 (2008 or 2008 R2) domain to 2012, select “Add a domain controller to an existing domain”.

 

We will make this machine a DNS server and global catalog, and set a password in case we ever need Directory Services Restore Mode.

 

We can specify that we will replicate from a specific DC, or import the AD configuration manually from a file by checking 'Install from media'.

 

We set the default folders for the database, the log files and the SYSVOL folder.

 

We confirm in the wizard that everything is correct.

 

The promotion wizard shows whether we meet the prerequisites, and this Windows Server 2012 machine is promoted as one of our domain controllers. The computer will restart and will be ready to take over the rest of the services running on the servers that we want to demote later.

 

To move the FSMO roles quickly to our Windows Server 2012 domain controller, we can do it from the command line with 'ntdsutil', running:

Ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server NOMBRE_DC_SERVER_2012
server connections: q
fsmo maintenance: transfer naming master
fsmo maintenance: transfer infrastructure master
fsmo maintenance: transfer PDC
fsmo maintenance: transfer RID master
fsmo maintenance: Transfer Schema Master
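
An added example (not from the original article) of confirming that the transfer took effect before any old DC is demoted: it lists every FSMO role that is still held by a server other than the new one. The objects below are constructed stand-ins with hypothetical names, shaped like the output of `Get-ADForest` and `Get-ADDomain` from the ActiveDirectory module.

```powershell
# Live use (needs the ActiveDirectory PowerShell module):
#   $forest = Get-ADForest; $domain = Get-ADDomain
# Constructed stand-ins so the logic can be run offline (hypothetical names):
$forest = [pscustomobject]@{
    SchemaMaster       = 'DC2012.example.local'
    DomainNamingMaster = 'DC2012.example.local'
}
$domain = [pscustomobject]@{
    PDCEmulator          = 'DC2012.example.local'
    RIDMaster            = 'DC2003.example.local'   # this transfer was missed
    InfrastructureMaster = 'DC2012.example.local'
}

function Get-FsmoNotOnTarget {
    # Returns the roles whose current holder is not $Target (FQDN of the new DC).
    param($Forest, $Domain, [string]$Target)

    $holders = [ordered]@{
        'Schema master'         = $Forest.SchemaMaster
        'Domain naming master'  = $Forest.DomainNamingMaster
        'PDC emulator'          = $Domain.PDCEmulator
        'RID master'            = $Domain.RIDMaster
        'Infrastructure master' = $Domain.InfrastructureMaster
    }
    foreach ($role in $holders.Keys) {
        if ($holders[$role] -ne $Target) {   # string -ne is case-insensitive
            [pscustomobject]@{ Role = $role; Holder = $holders[$role] }
        }
    }
}

$left = @(Get-FsmoNotOnTarget -Forest $forest -Domain $domain -Target 'DC2012.example.local')
if ($left) {
    Write-Warning 'These roles are still on another DC; do not demote it yet:'
    $left | Format-Table -AutoSize
} else {
    Write-Output 'All five FSMO roles are on the target DC.'
}
```

In a multi-domain forest the PDC emulator, RID master and infrastructure master exist once per domain, so the check has to be repeated for each domain.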

 

Apart from the FSMO roles, we have to review our DNS to confirm that the new server holds our organization's DNS zones. Configurations to consider:

– Zone transfers: Zone transfers to the new server must be configured. From the DNS console of any server, in the zone properties we go to the "Zone Transfers" tab and enable the option "Allow zone transfers" with "Only to the servers named in the Name Servers tab". Then we go to the "Name servers" tab and add the destination DNS server if it is not already there.
– Changes to client computers: We will have to change this configuration on our DHCP server so that it points to the new DNS servers, or directly on the computers (if they have fixed IP addressing), following this document or via GPO!

 

This is what the screen looks like when promoting the Windows Server 2012 domain controller if we have not previously run 'ADPREP': the installation does it automatically!

Later we will be able to demote the old servers. Before demoting a domain controller, we have to take into account which services may depend on it: if we have LDAP applications that point to it, or Exchange organizations, all of this must be modified to avoid problems. To demote a Windows Server 2003, 2008 or 2008 R2 domain controller, we run DCPROMO and follow the wizard. Once the wizard has finished and some replication time has passed, we must check that no remnants are left; otherwise, we remove the old domain controllers from any references we find, such as the zone transfers of our DNS servers or the “Domain Controllers” Organizational Unit. They should not appear in “Active Directory Sites and Services” either, and we should also perform a cleanup in our Active Directory. It is highly recommended to use ADSIEdit for a proper cleanup.

Finally, we can raise the functional level of the forest and the domain. Once all the domain controllers are running Windows Server 2012, we can raise the functional level of the forest and the domain(s) to “Windows Server 2012”. From the “Active Directory Domains and Trusts” console, right-click on each domain > “Raise Domain Functional Level...”. Afterwards we do the same for our forest from the same console, right-clicking on “Active Directory Domains and Trusts” > “Raise Forest Functional Level...”.

What's new in Active Directory in Windows Server 2012: http://technet.microsoft.com/en-us/library/hh831477.aspx

Author

nheobug@bujarra.com
Author of the Bujarra.com blog. Whatever you need, do not hesitate to contact me; I will try to help you whenever I can. Sharing is living ;) . Enjoy the documents!!!