active directory migration

matteu31 467 Reputation points
2020-12-01T20:08:08.947+00:00

Hello,

I would like to find some documentation / checkilst about what I need to check before I migrate environment ?

I need to migrate 2012 DC / forest level to 2019 but there is exchange, sccm, forest trust with NT4 ... and I would like to know all what I need to check before the migration.
Technically, migration is not the issue but what point I need to check is :)

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,831 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vicky Wang 2,646 Reputation points
    2020-12-02T09:15:04.383+00:00

    Make sure all AD servers have current good replication (command line tools for this), and fix any AD replication issues first
    Make note of what IP’s your current AD servers have
    Make sure that the primary DNS entry for the primary NIC on the old AD servers is pointed not at itself, but another AD DNS server, second DNS entry can be itself.
    Make sure that the domain is at the highest available Domain Functional Level for the current (old) AD servers that is supported by your org (if you’re on Windows Server 2000, you’ll have to upgrade to 2003/2008 first)
    Make sure that the forest is at the highest Forest Functional Level for the current (old) AD servers that is supported by your org
    Make note of where your DHCP servers are, you’ll need to update these later
    Make sure you have good backups of your AD infrastructure!
    If you’re using Windows DHCP, and you haven’t already done so, create an AD service account for DHCP, and delegate control to that account for DHCP AD duties, only needed if you’re going to migrate DHCP to Server 2016 as well

    reference:https://medium.com/@silasthomas/check-list-active-directory-migration-to-server-2016-fc393842bd3b

    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.

    Hope this information can help you
    Best wishes
    Vicky

    1 person found this answer helpful.
    0 comments No comments

8 additional answers

Sort by: Most helpful
  1. Dave Patrick 426.1K Reputation points MVP
    2020-12-01T20:14:07.207+00:00

    The two prerequisites to introducing the first 2019 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSR
    https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

    I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.

    For exchange / SCCM migration I'd start a new thread here.
    https://learn.microsoft.com/en-us/answers/topics/office-exchange-server-deployment.html
    https://learn.microsoft.com/en-us/answers/topics/mem-cm-site-deployment.html

    --please don't forget to Accept as answer if the reply is helpful--

    1 person found this answer helpful.
    0 comments No comments

  2. Thameur-BOURBITA 32,496 Reputation points
    2020-12-02T12:10:59.74+00:00

    Hi,

    You can promote a domain controller on Windows 2019 without impacting the NT4.0 trust but it will prevent weak cryptographic algorithm

    44290-image.png

    *I need to migrate 2012 DC / forest level to 2019 *

    There is no Windows 2019 FFL or DFL. The highest forest and domain functional level is Windows 2016.

    Regarding Exchange you can refer to the following link :

    supportability-matrix

    For SCCM , there is no impact when you are using a supported version.

    Technically, migration is not the issue but what point I need to check is :)

    If you want to migrate your domain controllers to Window 2019 , you have to check if FFL is Windows 2008 R2 or higher and the sysvol replication are using DFS-R.

    I recommend you to test the migration in non production environment if possible

    Please don't forget to mark this reply as answer if it help you to fix your issue

    1 person found this answer helpful.
    0 comments No comments

  3. Thameur-BOURBITA 32,496 Reputation points
    2020-12-04T08:32:55.79+00:00

    Hi,
    What I would like is here :
    FRS need to be migrated to DFS-R
    DFL need to be 2008+
    Verify AD is healthy
    Check matric for exchange / sccm / adfs / PKI

    Don't forget to check active directory and replication health before starting the migration.

    Trust with NT4 is security issue because I need to decrease security algorithm (rc4 enable) right ?
    Probably better to isolate it without any trust if possible should be better.

    Yes , I think it's time to migrate it or isolate it, because NT4.0 can be a source of many vulnerability because it use a weak cryptographic algorithm like RC2 , RC4 ,DES ... I invite you to read this article:

    10-questions-answers-about-nt-40-encryption

    Please don't forget to mark this reply as answer if it help you to fix your issue

    1 person found this answer helpful.
    0 comments No comments

  4. matteu31 467 Reputation points
    2020-12-01T20:42:31.337+00:00

    Thank you for your answer.

    Do I have to check other issue I can find for migration ?
    Does trus relationsheep can be a problem ? 2019 with NT4 ?
    There is ADFS on the environment, do I need to check if it's ok with 2019 ?
    There is CA server, same question ...

    Does microsoft write somewhere what need to be check before any operation ?
    You mentioned dfs-r + domain functionnal level but I suppose there are a lot of more.

    0 comments No comments