Category Archives: Windows Migration

Domain Controller Cross Forest migration Part 2

Current environment on the LAB.com DC

  1. Additional DC2
  2. SCVMM
  3. SCVMM SQL
  4. Exchange
  5. SCMM
  6. SCMM SQL

Computers


Migration plan

AD 2012 R2 (LAB.com) to AD 2012 R2 (Contoso.com).

Users

In the second part of this series (DC cross-forest migration) I will demonstrate the major required steps for migrating from the old DC (lab.com) to the new DC (Contoso.com).

NOTE:

SQL Servers and their applications can’t be migrated due to SQL permissions and schema mismatch.

Requirements:

The destination forest functional level and domain functional level must be at least Windows Server 2008 R2 for ADMT 3.2 to work.

A health check must also be performed on the FSMO roles (PDC, Schema Master, etc.) to make sure everything is functioning properly on the source DC.

The checks I will perform are:

  1. Check replication (in case there’s more than one DC in the source forest).
  2. DC health (DCDiag tool).
  3. Check the reachability of the PDC.

Netdom query FSMO (this command shows exactly which DC in the source forest holds each role).

1- For checking replication you can use the repadmin command line, which checks replication between sites and DCs and reports any errors in between. If you have only one server in place, the following outcome should be printed.

Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.

https://technet.microsoft.com/en-us/library/cc770963.aspx

2- Check DC health using the DCDIAG tool

Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.

https://technet.microsoft.com/en-us/library/cc731968.aspx

As there are multiple types of tests that dcdiag can run depending on the parameter used, I will start with the DNS test.

If the DNS is healthy, the test reports it as passed and we can continue to the next test.

For an extensive test, you can use the /v parameter and redirect the output to a file (dcdiag /v > c:\dcdiag.txt) so you can go through the results line by line.

If everything looks healthy we move on to the next step, which is DNS configuration.
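The checks above, scripted as one pre-migration health report. This is an added example, not code from the original post; it assumes the ActiveDirectory module is installed and that it is run as a domain admin on a DC of the forest being checked (the source forest first, then again on the destination to confirm the functional level).

```powershell
# Added example: pre-migration health check wrapping netdom/repadmin/dcdiag.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# FSMO role holders, the same information "netdom query fsmo" prints.
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Functional level: ADMT 3.2 needs at least 2008 R2 on the destination forest
# (ADForestMode enumeration: Windows2008R2Forest = 4).
if ([int]$forest.ForestMode -lt 4) {
    Write-Warning "Forest functional level $($forest.ForestMode) is below 2008 R2"
}

# 1. Replication: parse repadmin's CSV output and report only failing links.
$failing = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failing) {
    Write-Warning "Replication failures found:"
    $failing | Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    Write-Host "Replication: no failing links (a single-DC forest reports nothing here)"
}

# 2. DC health: DNS test first, then the full verbose run saved to a file for
#    line-by-line review; dcdiag prints "failed test <Name>" for each failure.
$dns = dcdiag /test:dns
if ($dns -match 'failed test') { Write-Warning "dcdiag DNS test reported failures" }
dcdiag /v > C:\dcdiag.txt
$failedTests = Select-String -Path C:\dcdiag.txt -Pattern 'failed test (\w+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
if ($failedTests) { Write-Warning "dcdiag failed tests: $($failedTests -join ', ')" }

# 3. PDC reachability: ICMP plus the LDAP port, since ICMP is often filtered.
$pdc  = $domain.PDCEmulator
$icmp = Test-Connection -ComputerName $pdc -Count 2 -Quiet
$ldap = (Test-NetConnection -ComputerName $pdc -Port 389).TcpTestSucceeded
Write-Host "PDC $pdc reachable: ICMP=$icmp LDAP/389=$ldap"
```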


DNS Configuration

Preparation:

  1. DNS replication between both domains
  2. Installing Windows 2008 R2 for ADMT 3.2
  3. Setting up domain trust between forests.

  1. DNS replication between the source and target domain

In order for the trust to be created between both forests, you either create conditional forwarders for the source zones on the destination DNS server and vice versa, or you create a secondary zone on the destination DC for the source domain and vice versa.

In my case I will go for creating a secondary zone. To do this I will go to each DNS server and allow the zone to be transferred.

Note:

Restrict zone transfers to the IPs of the source and destination servers only, plus any additional DNS servers you run.

Now I have created a secondary DNS zone and am resolving FQDNs from the source server.

Same will be done on the destination server.

Checking name resolution for both domains:

Once nslookup works as expected from both servers, we’ll go ahead with creating a forest trust between both DCs.
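The secondary-zone setup and the resolution check above, done with the DnsServer and DnsClient cmdlets. This is an added example, not the post's own steps; the server addresses 10.0.1.10 (lab.com DC) and 10.0.2.10 (contoso.com DC) are assumed, and it runs as an administrator of both DNS servers.

```powershell
# Added example: restricted zone transfers plus secondary zones in both directions.
$sourceZone = 'lab.com'
$sourceDC   = '10.0.1.10'   # assumed
$targetZone = 'contoso.com'
$targetDC   = '10.0.2.10'   # assumed

# --- source DNS server (lab.com) ---
# Allow transfers of lab.com only to the listed server, not "to any server",
# so the whole zone is not handed to any host that asks for an AXFR.
Set-DnsServerPrimaryZone -ComputerName $sourceDC -Name $sourceZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $targetDC

# --- destination DNS server (contoso.com) ---
Add-DnsServerSecondaryZone -ComputerName $targetDC -Name $sourceZone `
    -ZoneFile "$sourceZone.dns" -MasterServers $sourceDC

# Mirror image so that lab.com can resolve contoso.com names as well.
Set-DnsServerPrimaryZone -ComputerName $targetDC -Name $targetZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $sourceDC
Add-DnsServerSecondaryZone -ComputerName $sourceDC -Name $targetZone `
    -ZoneFile "$targetZone.dns" -MasterServers $targetDC

# Name resolution check from the destination DC, the equivalent of the nslookup
# step: the _ldap SRV record is what the trust wizard uses to find a DC.
foreach ($zone in $sourceZone, $targetZone) {
    $a   = Resolve-DnsName -Name $zone -Type A -Server $targetDC -ErrorAction SilentlyContinue
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV -Server $targetDC `
        -ErrorAction SilentlyContinue
    if ($a -and $srv) {
        Write-Host "$zone resolves; DCs: $($srv.NameTarget -join ', ')"
    } else {
        Write-Warning "$zone does not resolve yet; check the secondary zone and transfer settings"
    }
}
```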




Creating Forest trust between Source and Destination Domain.

NOTE:

In order for the trust to be created between the source and destination domains, the PDC of the destination domain must be available.

1. Open Active Directory Domains and Trusts, right-click the domain and click Properties.

After creating the trust, we validate it to make sure it is validated in both directions.

Now that the trust is created and validated both ways, we’ll add a GPO to update all clients with the new domain name in the DNS suffix search list so they can resolve NetBIOS names.
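Validating the trust in both directions from the command line, as an added example rather than the post's own steps. It assumes it is run on a contoso.com DC with an account that is a domain admin there and is also recognised by lab.com, and it uses netdom's /verify, which performs the same secure-channel check as the Validate button.

```powershell
# Added example: verify the new forest trust both ways and show its properties.
$localForest  = 'contoso.com'   # assumed destination forest
$remoteForest = 'lab.com'       # assumed source forest

# What AD stores about the trust on this side: direction, type and whether
# selective authentication and SID filtering are in force.
Get-ADTrust -Filter "Name -eq '$remoteForest'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware |
    Format-List

# netdom checks the trust's secure channel; /twoway verifies the inbound and the
# outbound side, which is what "validate both ways" means in the wizard.
$out = netdom trust $localForest "/d:$remoteForest" /verify /twoway 2>&1
$out | ForEach-Object { Write-Host $_ }
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Trust verification failed (exit code $LASTEXITCODE); check DNS and each forest's PDC"
}

# Cross-check: a DC of the other forest must be discoverable through the trust.
$remoteDC = Get-ADDomainController -DomainName $remoteForest -Discover -ErrorAction SilentlyContinue
if ($remoteDC) {
    Write-Host "Located $($remoteDC.HostName) in $remoteForest via the trust"
} else {
    Write-Warning "No DC of $remoteForest could be located"
}
```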


Updating DNS Suffix Search list:

In order to add the source and destination domain suffixes to the DNS suffix search list, we will have to open Group Policy on the destination domain (Contoso.com).

On the target domain (contoso.com), open the Group Policy console, right-click Default Domain Policy and click Edit.

Go to Computer Configuration > Policies > Administrative Templates > Network > DNS Client.

Double-click DNS Suffix Search List to open it and enable it.

Click OK and apply the policy; the GPO report should show the setting.

Once this is done and the policy is applied to all clients you should have no problem; it will show first on the DC where you applied the policy.
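The same policy change scripted with the GroupPolicy module, followed by a read-back of what a client actually received. This is an added example, not the post's own procedure; it assumes RSAT's GroupPolicy module, a domain admin account on contoso.com, and a placeholder client name CLIENT01.

```powershell
# Added example: set the DNS Suffix Search List policy and confirm it on a client.
Import-Module GroupPolicy

$gpoName  = 'Default Domain Policy'
$suffixes = 'contoso.com,lab.com'   # order matters: the first suffix is tried first

# The editor setting "Computer Configuration > Policies > Administrative Templates >
# Network > DNS Client > DNS Suffix Search List" is backed by this registry value.
$key = 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'SearchList' `
    -Type String -Value $suffixes | Out-Null

# Confirm the value is stored in the GPO (this is what the HTML report shows).
Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'SearchList'

# On a member (or the DC itself, which picks the policy up first), refresh the
# computer policy and read back the effective suffix list.
$client = 'CLIENT01'   # placeholder
Invoke-Command -ComputerName $client -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    (Get-DnsClientGlobalSetting).SuffixSearchList
}
```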

 

Hope you find this helpful and stay tuned for the next part.

Domain Controller Cross Forest migration Part 1

In this series of articles I will demonstrate the cross-forest migration for Microsoft Windows Active Directory 2012 R2.

Before starting any step, I will have to review the current environment and check what is there, what can be migrated and what cannot.

Revisions:

  1. Check whether the environment is using old cryptographic algorithms that are not supported during the migration, e.g. SHA-1 1024-bit certification authorities.
  2. Note that Group Policy user profile folder redirection might have a bug caused by SCCM. To fix this, one option in SCCM needs to be checked and disabled:

Under the SCCM Configuration Manager,

– Select Administration

– Select Client Settings

– Pull up PROPERTIES of Default Client Settings configuration and click on Compliance Settings

From <http://blogs.technet.com/b/askds/archive/2013/12/13/an-update-for-admt-and-a-few-other-things-too.aspx>

– Enable User Data and Profiles, mentioned above, is the setting which drives the control of Folder Redirection and Remote User Profiles.
The above configuration by default is set to NO. Once enabled (set to YES), it passes the control of Folder Redirection, Offline Files, and Remote User Profiles to WMI and stores this configuration under the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UserState\UserStateTechnologies\ConfigurationControls

  3. TCP/IP crashes and errors: a hotfix was released to correct a crash in TCP/IP.

Ref:

http://blogs.technet.com/b/askds/archive/2013/12/13/an-update-for-admt-and-a-few-other-things-too.aspx

 

Hardware Requirements

  1. Windows 2008 R2 DC on the destination forest.
  2. Windows 2012 R2 ADMT and SQL Server 2008 R2 Express, or 2012 R2 Express or full.

Reference:

https://support.microsoft.com/en-us/kb/2753560

Software Requirements

1- Rights Management Services Analyzer Tool

From <http://www.microsoft.com/en-us/download/details.aspx?id=46437>

RMS Analyzer provides the following features:

• Support for Azure RMS and AD RMS diagnostics

• Prerequisite checks for Azure RMS integration (such as any required hotfixes, registry key settings, Microsoft Online Sign-In Assistant)

• Ability to collect trace logs to capture real-time problems

• Diagnostics and remediation for Office 2013 and Office 2010

• Basic diagnostics for federation services

• Group membership check, based on groups and policy templates

• Display of your RMS configuration settings and verification tests to validate service health for RMS

• Ability to monitor multiple servers and find all RMS servers in trusted forests

By installing and using the software you accept the License terms which are located in the zip folder download. If you do not accept the terms, do not install or use the software.

2- Password Export Server (PES) – x64

http://www.microsoft.com/en-us/download/details.aspx?id=46437

3- Active Directory Migration Tool (ADMT) QFE – x86

https://connect.microsoft.com/site1164/content/content.aspx?ContentID=30561&IsDraft=False

I will publish the next parts as soon as I am done with them. Stay tuned.

Active Directory Migration from Windows Server 2008 R2 to Windows Server 2012 R2

Friday, March 20, 2015, 4:28 PM
Requirements:

  1. New VM with Windows Server 2012 R2 installed and fully updated.
  2. ISO/DVD copy of Windows Server 2012 R2 loaded on your 2008/R2 machine.

First we’ll need to prepare the existing forest using the ADPREP command from the Windows Server 2012 R2 DVD.

Insert the DVD on your 2008/R2 server and navigate to the following path:

X:\support\adprep

Then run the following command:

Adprep /forestprep

When this screen comes up, it will ask you to press C and Enter to confirm the forest update. Press C and Enter to continue; it will then show you the previous and the new schema version.

The process will continue to update the schema, and it shouldn’t take long.

Once it has completed successfully we can move on to the next step.

Now join the 2012 R2 VM that you have prepared to the existing 2008 R2 domain. After you do so, promote this new 2012 R2 server to an additional DC in the domain.

Open Server Manager, add the AD DS role to this new server and follow the steps to add it as an additional DC.

When this finishes, the computer will restart automatically.

Now you will have to transfer the FSMO roles from the 2008 R2 DC to the new one.

  1. From ADUC on the 2012 R2 DC, right-click and open Operations Masters.
  2. Click Change to move the role to the new DC and confirm with OK to continue.
  3. Click Yes.

We will have to do the same for the PDC and Infrastructure tabs.

Note: make sure the firewall on both servers does not block the transfer (the author turns it off for the duration of the transfer) so the transfer completes without issues.

When you’ve made sure you have transferred all operations master roles, close ADUC.
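The role transfer done with the ActiveDirectory module instead of the ADUC dialogs. This is an added example, not the post's own steps, and it goes slightly beyond them: it moves all five roles (the ADUC dialog only covers RID, PDC and Infrastructure) and then verifies the result. Assumed names: the new DC is DC2012; it runs as a member of Domain Admins, Schema Admins and Enterprise Admins, which the schema and domain naming roles require.

```powershell
# Added example: transfer all operations master roles to the new DC and verify.
Import-Module ActiveDirectory

$newDC = 'DC2012'   # assumed name of the new 2012 R2 DC

function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [PSCustomObject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

Write-Host "Before:"; Get-FsmoHolders | Format-List

# Graceful transfer: the old DC is online and hands the roles over. Do not add
# -Force here; -Force seizes the roles and is only for a source DC that is gone.
Move-ADDirectoryServerOperationMasterRole -Identity $newDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

Write-Host "After:"
$after = Get-FsmoHolders
$after | Format-List

# Every holder is reported as an FQDN and should now start with the new DC's name.
$notMoved = $after.PSObject.Properties | Where-Object { $_.Value -notlike "$newDC.*" }
if ($notMoved) {
    Write-Warning ("Roles still elsewhere: " + ($notMoved.Name -join ', '))
} else {
    Write-Host "All operations master roles are now on $newDC"
}
```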

Mohammed Hamada