
• Why upgrade?
• Plan
• Prepare
• Action
• Cleanup
• RODC
• Server Core
• AD Snapshots (ntdsutil.exe, dsamain.exe)
• DS Auditing (auditpol.exe)
• Restartable AD service
• DFSR replication of Sysvol
• Fine-Grained Password Policy (FGPP)
• Last Interactive Logon Info
• Offline Domain Join
• Managed Service Accounts (MSA)
• Active Directory Recycle Bin (no built-in UI; PowerShell only, or 3rd-party tools)
• PowerShell Cmdlets
• AD Best Practice Analyzer
• Protecting objects from accidental deletion
• GPO features (Central Store, ADMX files, GPP)
• Administrative Center
• Authentication mechanism assurance for AD FS
• Advanced Encryption Standard (AES 128 and 256) for Kerberos

Support Lifecycle for Windows Server 2003 SP2:
• Extended Support end date: July 2015
• New Active Directory Administrative Center:
  • GUI for FGPP management
  • GUI for AD Recycle Bin
  • PowerShell History Viewer
• Active Directory-based Activation
• Simplified Deployment and Preparation
• Dynamic Access Control (DAC) policies and claims
• Group Managed Service Accounts (GMSA)
• Rapid virtual DC deployment through DC-cloning (requires Hypervisor support for VM-Generation-ID)
• Increased Kerberos strength (Kerberos Armoring, or FAST)
• Increased RID Pool
• GPO features and GPMC UI additions
• Richer authorization through Dynamic Access Control & File Classification Infrastructure
• Virtualization-Safe for the Windows Server 2012 DC (requires Hypervisor support for VM-Generation-ID)
• No additional features…

Support Lifecycle for Windows Server 2008 R2 SP1:
• Mainstream Support end date: January 2015
• Extended Support end date: July 2020
• What are the upgrade goals?
• Map existing resources (hardware, software, human)
• What other roles do DCs perform?
• Map the risks
• Can you consolidate?
• Can (should) you virtualize?
• Time needed, downtime needed
• Plan for rollback
Is it simpler to keep the old DC's name and/or IP address? Possible options:
1. New DCs, new names, new IPs (simplest)
2. New DCs, new names, old IPs (medium complexity)
3. New DCs, old names, old IPs (may be more complex)
DES Encryption types for the Kerberos authentication protocol issues:
• SAP
• Oracle Internet Directory (OID), CA Identity Manager, Tivoli Identity
Management
• Samba and other Linux/Unix interoperability
• NetApp, EMC Celerra or other storage devices
• Firewalls, VPN, RADIUS
• http://support.microsoft.com/kb/977321
NetApp filers or (potentially) other storage devices
• Resource SID Compression:
• Resource SID Compression in Windows Server 2012 may cause
authentication problems on NAS devices:
• http://support.microsoft.com/kb/2774190
• SMB Secure Negotiate
• "System error 2148073478," "extended error," or "Invalid Signature" error
on SMB connections in Windows 8 or Windows Server 2012:
• http://support.microsoft.com/kb/2686098
• Smart Cards, certificates, EFS Recovery Agent keys
• Non-compatible customized password filters
• Time keeping software
• Exchange servers with manual DC configuration
• LDAP Query Policies with non-default settings
• TSL (tombstone lifetime): default up to Windows Server 2003 R2 = 60 days, for later = 180 days
  - If the forest is upgraded, TSL is not automatically changed
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr tombstonelifetime
• Static ports:
• RPC Netlogon
• RPC Replication
• FRS
• Manual connection objects in AD Sites and Services
• Preferred Bridgehead Servers in AD Sites and Services
• Firewalls, TMG/UAG/ISA, VPN, RADIUS/IAS, Switches with 802.1X
• 3rd-party applications that are hard-coded to work against specific DCs
Make sure DFL and FFL are Windows 2000 Native or above
If they exist, all Windows 2000 DCs must be running SP4
• Issues with Win9X/NT4.0 client computers:
http://support.microsoft.com/kb/555038
http://support.microsoft.com/kb/946405
http://support.microsoft.com/kb/942564
• Issues with External Trusts to NT4.0 domains:
http://support.microsoft.com/kb/2021766
dsquery * "dc=ad,dc=petri-labs,dc=com" -scope base -attr msDS-Behavior-Version
dsquery * "cn=partitions,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr msDS-Behavior-Version
• Mixed Level = 0 or <not set>
• Windows Server 2003 interim = 1
• Windows Server 2003 = 2
• Windows Server 2008 = 3
• Windows Server 2008 R2 = 4
• Windows Server 2012 = 5
• Windows Server 2012 R2 = 6
• Replication issues
• USN Rollbacks, Lingering Objects, Strict Replication Consistency (?)
• DNS
• Events and Logs
• FSMO
• Consider temporarily disabling AV on the DCs
• Document everything! (Active Directory Topology Diagrammer, Visio)
Make sure the user you're working with is a member of:
• Domain Admins
• Enterprise Admins
• Schema Admins
Install RSAT on a Windows workstation for easier management:
• For Windows 7
• For Windows 8
• For Windows 8.1
• Built-in into Server OSs
• Make sure you have a recent, supported tested and working backup:
• System State
• Boot Partition
• System Partition
• All GPOs (by using GPMC)
• Certificate Authority and important certificates and keys
• Scripts etc.
• Do you know the DCs’ DSRM password?
• Do NOT use a VM snapshot as backup!
• Consider disconnecting one DC in addition to backing up
• Consider disabling outbound replication on the Schema Master DC during
the Schema upgrade
• The bigger and more complex you are, the more you need to
test before you act.
• Consider regulations and standards (such as Change
Management procedures)
• Test environment needs to be as close to production as possible.
• Test and production need to be totally isolated from each other.
• Extend the Schema
• Promote the first Windows Server 2012/2012 R2 DC
• Move relevant roles:
  • DHCP
  • DNS
  • WINS
  • Certificate Services
  • TS Licensing
• Transfer FSMO
• If needed, point relevant applications to the new DC
• Configure connectors or other manual settings
• Wait a bit
• Decommission old DCs
• Go to celebrate
• No more (manual) ADPREP!
• No need to keep installation media
• No need to remember complex commands and where to run them
(forestprep, domainprep, rodcprep, gpprep)
• Automate the pre-requisites between each of them
• Validate environment-wide pre-requisites before beginning deployment
• Integrated with Server Manager and remoteable
• Built on Windows PowerShell for command-line and UI consistency
• Configuration wizard aligns to the most common deployment scenarios
• No more DCPROMO!
• Promotion is done through Server Manager UI: Remotable, built on
PowerShell, Automated
• In case of network "hiccups": indefinite retry loop
• Very fast and easy to use Install From Media (IFM) + option to select offline defrag for the IFM database (used to be mandatory in Windows Server 2003/2008)
Check version:
dsquery * "cn=schema,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr objectversion
(Forestprep success: 2003 R2 = 31, 2008 = 44, 2008 R2 = 47, 2012 = 56, 2012 R2 = 69)
dsquery * "cn=ActiveDirectoryUpdate,cn=ForestUpdates,cn=configuration,dc=ad,dc=petri-labs,dc=com" -scope base -attr revision
(Domainprep success: 2008 = 3, 2008 R2 = 5, 2012 = 11, 2012 R2 = 15)
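The tombstone-lifetime query, the two msDS-Behavior-Version queries for domain and forest functional level, and the schema/ADPREP version checks above all read single attributes from well-known objects. The following PowerShell gathers them in one pass; it is an added example and not part of the original deck. It uses plain ADSI (no RSAT module), takes the naming contexts from RootDSE instead of hard-coding the lab domain, and maps the numbers with the deck's own tables; the function and variable names are assumptions for this example.

```powershell
# Added example (not from the original deck). Collects the pre-upgrade indicators
# the deck queries with dsquery, using ADSI only (no RSAT module needed).
# Assumes it runs as a domain user on a domain-joined machine.

# Value tables as given in the deck (level 0 covers Windows 2000 mixed and native;
# the nTMixedDomain attribute tells them apart)
$FunctionalLevelNames = @{
    0 = 'Windows 2000 mixed/native (or not set)'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
    5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
}
$SchemaVersionNames = @{ 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2' }

function Get-AdsiValue {
    # Reads one attribute from an object by DN; $null if the object or attribute is absent
    param([string]$DistinguishedName, [string]$Attribute)
    try {
        $entry = [ADSI]"LDAP://$DistinguishedName"
        return $entry.Properties[$Attribute].Value
    } catch { return $null }
}

function Get-AdUpgradeReadiness {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = $rootDse.Properties['defaultNamingContext'].Value
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    $schemaNC = $rootDse.Properties['schemaNamingContext'].Value

    # Tombstone lifetime: when the attribute is not set, the 60-day default applies
    $tsl = Get-AdsiValue "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" 'tombstoneLifetime'
    $tslText = if ($null -eq $tsl) { '60 (attribute not set; default)' } else { "$tsl" }

    # Functional levels: an absent msDS-Behavior-Version is level 0
    $dfl   = [int](Get-AdsiValue $domainNC 'msDS-Behavior-Version')
    $ffl   = [int](Get-AdsiValue "CN=Partitions,$configNC" 'msDS-Behavior-Version')
    $mixed = [int](Get-AdsiValue $domainNC 'nTMixedDomain')   # 1 = Windows 2000 mixed

    # Schema objectVersion and the ForestUpdates revision the deck checks after ADPREP
    $schemaVer = [int](Get-AdsiValue $schemaNC 'objectVersion')
    $revision  = Get-AdsiValue "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC" 'revision'

    [pscustomobject]@{
        Domain                   = $domainNC
        TombstoneLifetimeDays    = $tslText
        DomainFunctionalLevel    = "$dfl ($($FunctionalLevelNames[$dfl]))"
        ForestFunctionalLevel    = "$ffl ($($FunctionalLevelNames[$ffl]))"
        SchemaVersion            = "$schemaVer ($($SchemaVersionNames[$schemaVer]))"
        ForestUpdatesRevision    = $revision          # compare with the deck's table
        AtLeastWindows2000Native = ($dfl -ge 1 -or $mixed -eq 0)   # the deck's minimum DFL
    }
}

Get-AdUpgradeReadiness | Format-List
```

Run it before the schema extension and again afterwards: the schema and revision values should move to the numbers in the deck's tables, while the tombstone lifetime stays where it was, which is exactly the point the deck makes about TSL not changing on upgrade.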
Verify replication
repadmin /replsum /bysrc /bydest /sort:delta
• Always wait for KCC (15-30 minutes)
• If replication topology is complex – wait for replication for as long as it takes
(again – consider enabling Change Notification)
• Verify replication
repadmin /showreps
repadmin /replsum * /bysrc /bydest /sort:delta
• Make sure new DC is functioning:
• Check AD replication
• Check SYSVOL sharing and replication
• Check events
• Do not hurry (depending on the size of the DIT and SYSVOL)
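The verification steps above (replication, SYSVOL sharing, events) can be scripted so that each new DC gets the same check before the next promotion. The following PowerShell is an added example, not part of the original deck; it uses the ActiveDirectory module's replication cmdlets in place of repadmin, assumes the AD module is installed on the workstation and that the caller can read event logs on the DC, and the host name in the usage line is an assumed one in the deck's lab domain.

```powershell
# Added example (not from the original deck). Checks a newly promoted DC the way
# the deck describes: inbound replication, recorded failures, SYSVOL/NETLOGON
# shares and error events. Uses Get-ADReplication* cmdlets instead of repadmin.
Import-Module ActiveDirectory

function Test-NewDcHealth {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$MaxReplicationAgeMinutes = 60,   # oldest acceptable successful inbound replication
        [int]$EventLookbackHours = 24
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Inbound replication from every partner, for every partition the DC hosts
    $metadata = Get-ADReplicationPartnerMetadata -Target $DomainController -Partition * -PartnerType Inbound
    foreach ($m in $metadata) {
        # Partner is the DN "CN=NTDS Settings,CN=<DC>,..."; pull out <DC>
        $partner = ($m.Partner -split ',')[1] -replace '^CN='
        if ($m.ConsecutiveReplicationFailures -gt 0) {
            $findings.Add("Inbound from $partner for $($m.Partition): $($m.ConsecutiveReplicationFailures) consecutive failures, last result $($m.LastReplicationResult)")
        } elseif ($m.LastReplicationSuccess -lt (Get-Date).AddMinutes(-$MaxReplicationAgeMinutes)) {
            $findings.Add("Inbound from $partner for $($m.Partition): last success $($m.LastReplicationSuccess) is older than $MaxReplicationAgeMinutes minutes")
        }
    }

    # 2. Failures the DC itself has recorded (the data repadmin /replsum summarises)
    foreach ($f in (Get-ADReplicationFailure -Target $DomainController)) {
        $findings.Add("Recorded failure with $($f.Partner): $($f.FailureType), count $($f.FailureCount), since $($f.FirstFailureTime)")
    }

    # 3. SYSVOL and NETLOGON must be shared before the DC is really usable
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (-not (Test-Path -Path "\\$DomainController\$share")) {
            $findings.Add("Share \\$DomainController\$share is not reachable")
        }
    }

    # 4. Error/critical events in the directory and SYSVOL replication logs
    $since = (Get-Date).AddHours(-$EventLookbackHours)
    foreach ($log in 'Directory Service', 'DFS Replication', 'File Replication Service') {
        $events = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since }
        if ($events) {
            $ids = ($events | Select-Object -ExpandProperty Id -Unique) -join ','
            $findings.Add("$(@($events).Count) error/critical events in '$log' in the last $EventLookbackHours h (IDs: $ids)")
        }
    }

    [pscustomobject]@{
        DomainController = $DomainController
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

# Assumed host name in the deck's lab domain
Test-NewDcHealth -DomainController 'dc2012.ad.petri-labs.com' | Format-List
```

The age threshold is deliberately a parameter: in a large, multi-site topology with long replication intervals, an hour is too strict, which is the deck's point about waiting for the KCC and for replication to complete before judging the DC.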
• The PDC Emulator of the Forest Root Domain is responsible for time keeping. If not properly configured: Event ID 12 (W32Time). http://support.microsoft.com/kb/816042
• PDC Emulators of the other domains in the forest pull time from the FRD PDCE
• DCs pull time from PDCEs
• Servers and workstations pull from DCs
• Protect yourself against a large time offset (MaxPosPhaseCorrection, MaxNegPhaseCorrection Registry/GPO values)
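The hierarchy above can be checked on every DC at once by reading the W32Time registry values the deck names. The following PowerShell is an added example, not part of the original deck; it assumes PowerShell remoting to the DCs is allowed and that the forest root PDC emulator is meant to sync from an external source (Type NTP) while every other DC follows the domain hierarchy (Type NT5DS). The function name is an assumption for this example.

```powershell
# Added example (not from the original deck). Reads each DC's W32Time settings
# remotely and flags deviations from the time hierarchy the deck describes, plus
# unbounded MaxPos/MaxNegPhaseCorrection values.
Import-Module ActiveDirectory

$Unbounded = [uint32]::MaxValue   # 0xFFFFFFFF = no limit on accepted time jumps

function Test-DcTimeConfig {
    $forest  = Get-ADForest
    $rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
    $dcs     = foreach ($d in $forest.Domains) { (Get-ADDomainController -Filter * -Server $d).HostName }

    foreach ($dc in $dcs) {
        # Values live under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\{Config,Parameters}
        $cfg = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
            $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
            $c = Get-ItemProperty "$base\Config"
            $p = Get-ItemProperty "$base\Parameters"
            [pscustomobject]@{
                Type      = $p.Type
                NtpServer = $p.NtpServer
                # REG_DWORD comes back signed; mask to get the unsigned value (0xFFFFFFFF stays -1 otherwise)
                MaxPos    = [uint32]($c.MaxPosPhaseCorrection -band 0xFFFFFFFF)
                MaxNeg    = [uint32]($c.MaxNegPhaseCorrection -band 0xFFFFFFFF)
            }
        }
        if (-not $cfg) {
            [pscustomobject]@{ DC = $dc; Role = '?'; Type = $null; NtpServer = $null; MaxPosPhaseCorrection = $null; MaxNegPhaseCorrection = $null; Findings = @('unreachable') }
            continue
        }

        $isRootPdc = ($dc -eq $rootPdc)
        $findings  = New-Object System.Collections.Generic.List[string]
        if ($isRootPdc -and $cfg.Type -ne 'NTP') {
            $findings.Add("forest root PDCE should use Type=NTP with an external source (is '$($cfg.Type)'); expect W32Time event 12 otherwise")
        }
        if (-not $isRootPdc -and $cfg.Type -ne 'NT5DS') {
            $findings.Add("DC should follow the domain hierarchy (Type=NT5DS, is '$($cfg.Type)')")
        }
        if ($cfg.MaxPos -eq $Unbounded -or $cfg.MaxNeg -eq $Unbounded) {
            $findings.Add("MaxPos/MaxNegPhaseCorrection unbounded: a wrong upstream clock would be accepted without limit")
        }

        [pscustomobject]@{
            DC                    = $dc
            Role                  = if ($isRootPdc) { 'ForestRootPDCE' } else { 'DC' }
            Type                  = $cfg.Type
            NtpServer             = $cfg.NtpServer
            MaxPosPhaseCorrection = $cfg.MaxPos
            MaxNegPhaseCorrection = $cfg.MaxNeg
            Findings              = $findings.ToArray()
        }
    }
}

Test-DcTimeConfig | Format-Table -AutoSize
```

Run it after the PDC Emulator role moves: the new holder inherits the role but not the old server's manual peer list, so the "forest root PDCE should use Type=NTP" finding is the one to expect immediately after a transfer.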
• Remember Windows Server 2008/2012 issues a random
computer name by default…
• Never ever in your life use NEWSID! (punished by death!)
• Do NOT disable IPv6 (http://support.microsoft.com/kb/929852)
• Configure Windows Update
• Secure the server(s)
• Run Best Practice Analyzers
• Configure Anti-Virus exclusions (http://support.microsoft.com/kb/822158)
• Configure backups
• Never clone a DC operating system!
• Do not use snapshots for virtual DCs
• Do not pause/resume virtual DCs
• If on VMs, exclude DCs from Live Migration or vMotion
• Do not synchronize time with the host

• You can do all this only on Windows Server 2012 DCs running on
Hyper-V 3
If you decide to use the new DC(s) with new computer names and IP
addresses, do not forget:
• Update Name Servers (NS) records
• Zone Transfers
• Domain Delegation
• Bind Secondaries
• Zone Scavenging
• Forwarding to ISPs
• Firewall ports (for eDNS)
• DHCP settings for workstations that have dynamic IPs
• Any workstation, server, device with manual DNS IP address
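The list above is easy to get partly wrong, because stale references live on several servers. The following PowerShell is an added example, not part of the original deck; it compares the current set of DCs against DNS NS records (zone apex and delegations) and DHCP option 6 (DNS servers) values, using the ActiveDirectory, DnsServer and DhcpServer modules from Windows Server 2012 / RSAT. The server names in the usage line are assumed values in the deck's lab domain; NS records that point at a deliberate non-DC secondary will also be listed and need a human decision.

```powershell
# Added example (not from the original deck). After DCs were replaced with new
# names/IPs, lists DNS NS records and DHCP "DNS Servers" (option 6) values that
# still name a server which is no longer a DC.
Import-Module ActiveDirectory, DnsServer, DhcpServer

function Find-StaleDcReferences {
    param(
        [Parameter(Mandatory)][string]$DnsServer,
        [string]$DhcpServer
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Current DCs by FQDN and IPv4 address; anything else is suspect
    $dcs     = Get-ADDomainController -Filter *
    $dcNames = @($dcs | ForEach-Object { $_.HostName.TrimEnd('.').ToLower() })
    $dcIps   = @($dcs | ForEach-Object { $_.IPv4Address })

    # 1. NS records (zone apex and delegations) in every forward primary zone
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone }
    foreach ($zone in $zones) {
        $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -RRType NS
        foreach ($rr in $records) {
            $target = $rr.RecordData.NameServer.TrimEnd('.').ToLower()
            if ($dcNames -notcontains $target) {
                $findings.Add("DNS zone $($zone.ZoneName), node '$($rr.HostName)': NS $target is not a current DC")
            }
        }
    }

    # 2. DHCP option 6 at server level and in every scope
    if ($DhcpServer) {
        $sets = @()
        $sets += [pscustomobject]@{
            Scope = 'server'
            Value = (Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue).Value
        }
        foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
            $sets += [pscustomobject]@{
                Scope = $scope.ScopeId.IPAddressToString
                Value = (Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue).Value
            }
        }
        foreach ($set in $sets) {
            foreach ($ip in @($set.Value)) {
                if ($ip -and $dcIps -notcontains $ip) {
                    $findings.Add("DHCP scope $($set.Scope): option 6 hands out $ip, which is not a current DC")
                }
            }
        }
    }

    [pscustomobject]@{
        CurrentDcs = $dcNames
        Clean      = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Assumed server names in the deck's lab domain
Find-StaleDcReferences -DnsServer 'dc2012.ad.petri-labs.com' -DhcpServer 'dc2012.ad.petri-labs.com' | Format-List
```

Devices with a manually configured DNS address (the last bullet in the deck's list) cannot be enumerated this way; keeping the old IP reachable for a while, as the deck's option 2 and 3 allow, is what gives those a grace period.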
Transfer:
• Schema
• Domain Naming
• PDC Emulator
• RID
• Infrastructure
If all ok, both DCs agree to the transfer.
If not ok, consider forcing.
Check the Infrastructure FSMO role (fSMORoleOwner attribute) on the DomainDnsZones and ForestDnsZones partitions: http://support.microsoft.com/kb/949257
Easiest: Use NTDSUTIL
ntdsutil roles con "con to ser localhost" q "tran sche mas" "tran nam mas" "tran infra mas" "tran pdc" "tran rid mas" q q

If you must (seize):
ntdsutil roles con "con to ser localhost" q "seize sche mas" "seize nam mas" "seize infra mas" "seize pdc" "seize rid mas" q q
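After the transfer (or seizure), the two checks the deck asks for are that every DC reports the same owners and that the Infrastructure owner recorded inside the DomainDnsZones and ForestDnsZones partitions still points at a live DC (the KB 949257 situation). The following PowerShell is an added example, not part of the original deck; it uses the ActiveDirectory module, and the function names and the lab domain name in the usage line are assumptions for this example.

```powershell
# Added example (not from the original deck). Verifies FSMO ownership after a
# transfer: all DCs must agree, and the fSMORoleOwner stored in the DNS
# application partitions must reference a DC that still exists.
Import-Module ActiveDirectory

function Get-NtdsOwnerName {
    # Turns a fSMORoleOwner value (DN of an NTDS Settings object) into a DC name
    param([string]$NtdsSettingsDn)
    if ($NtdsSettingsDn -match '^CN=NTDS Settings,CN=([^,]+),') { return $Matches[1] }
    return $NtdsSettingsDn   # deleted-object DNs do not match; return the raw value
}

function Test-FsmoState {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $findings = New-Object System.Collections.Generic.List[string]
    $forest   = Get-ADForest
    $dom      = Get-ADDomain -Identity $Domain
    $rootDom  = Get-ADDomain -Identity $forest.RootDomain

    # 1. Ask every DC in the domain who holds each role; they must all agree
    $dcs = (Get-ADDomainController -Filter * -Server $Domain).HostName
    $views = foreach ($dc in $dcs) {
        try {
            $d = Get-ADDomain -Identity $Domain -Server $dc -ErrorAction Stop
            $f = Get-ADForest -Identity $forest.Name -Server $dc -ErrorAction Stop
            [pscustomobject]@{ AskedDc = $dc; Schema = $f.SchemaMaster; Naming = $f.DomainNamingMaster
                               PDC = $d.PDCEmulator; RID = $d.RIDMaster; Infra = $d.InfrastructureMaster }
        } catch { $findings.Add("Could not query $dc : $($_.Exception.Message)") }
    }
    foreach ($role in 'Schema', 'Naming', 'PDC', 'RID', 'Infra') {
        $distinct = @($views | Select-Object -ExpandProperty $role -Unique)
        if ($distinct.Count -gt 1) { $findings.Add("DCs disagree on $role owner: $($distinct -join ', ')") }
    }

    # 2. Infrastructure owner stored inside the DNS application partitions (KB 949257)
    $infraDc    = $dom.InfrastructureMaster.Split('.')[0]
    $partitions = [ordered]@{
        DomainDnsZones = "CN=Infrastructure,DC=DomainDnsZones,$($dom.DistinguishedName)"
        ForestDnsZones = "CN=Infrastructure,DC=ForestDnsZones,$($rootDom.DistinguishedName)"
    }
    $owners = [ordered]@{}
    foreach ($p in $partitions.GetEnumerator()) {
        try {
            $obj = Get-ADObject -Identity $p.Value -Properties fSMORoleOwner -Server $dom.PDCEmulator -ErrorAction Stop
        } catch { $findings.Add("$($p.Key): $($p.Value) not readable from $($dom.PDCEmulator)"); continue }
        $ownerDn   = [string]$obj.fSMORoleOwner
        $ownerName = Get-NtdsOwnerName $ownerDn
        $owners[$p.Key] = $ownerName
        $exists = $true
        try { $null = Get-ADObject -Identity $ownerDn -Server $dom.PDCEmulator -ErrorAction Stop } catch { $exists = $false }
        if (-not $exists) {
            $findings.Add("$($p.Key): fSMORoleOwner points at a DC that no longer exists ($ownerDn); see KB 949257")
        } elseif ($ownerName -ne $infraDc) {
            $findings.Add("$($p.Key): owner $ownerName differs from the domain Infrastructure Master $infraDc")
        }
    }

    [pscustomobject]@{
        Domain          = $Domain
        SchemaMaster    = $forest.SchemaMaster
        DomainNaming    = $forest.DomainNamingMaster
        PDCEmulator     = $dom.PDCEmulator
        RIDMaster       = $dom.RIDMaster
        Infrastructure  = $dom.InfrastructureMaster
        PartitionOwners = $owners
        Consistent      = ($findings.Count -eq 0)
        Findings        = $findings.ToArray()
    }
}

Test-FsmoState -Domain 'ad.petri-labs.com' | Format-List
```

A stale partition owner is exactly what a seizure followed by an unclean demotion leaves behind, so this is worth running again after the old DCs are removed, not only right after the transfer.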
If all ok, demote old DCs one by one (dcpromo.exe). Take your time to test.
If demoting is unsuccessful, consider forcing (/forceremoval) + clean AD from old DC remains:
• Manually remove (ntdsutil.exe) server objects from AD Sites and Services: http://support.microsoft.com/kb/216498
Consider shutting down old DC(s) for a few days (the "who did it???!" effect)
Discard all old DCs
• Enable Recycle Bin
• Use Active Directory Snapshots and create a backup schedule
• Migrate from FRS to DFS-R
• Raise DFL, FFL as needed
Upgrading your AD to Windows Server 2012/R2 is important even if you do not plan to use any of the benefits.
Upgrading AD to Windows Server 2012/R2 has benefits mostly in the virtualization and deployment areas, but also in management and monitoring.
Plan and test before you move.
Verify and clean after you move.
Upgrading is not rocket science.
Questions? Comments?
daniel@petri.co.il
