
We currently have an Active Directory system based around 2 Windows Server 2000 servers. We would like to replace this with a Server 2012 R2 Essentials based AD / file server.

Since we cannot simply add the 2012 system as an AD server to the old system, we are planning to do it in the following way. Is this the best way, and is there anything we should look out for?

S1 = Server 2000 primary domain controller.

S2 = Server 2000 secondary domain controller.

T1 = Temporary Server 2008 system.

F1 = Final Server 2012 system.

  1. Update S1 to be 2008-compatible, using adprep (forestprep & domainprep) to allow a 2008 DC to join the domain. (DONE).
  2. Spin up temporary 2008 server – DONE (T1).
  3. Promote T1 to DC – DONE.
  4. Make T1 master.
  5. Demote all other existing DCs (S1 and S2).
  6. Upgrade forest to 2003/2008 functional level.
  7. Promote F1 to DC.
  8. Make F1 master.
  9. Demote temporary server T1.
  10. Remove temporary server T1 from domain/existence.
  11. Run 2012 essentials install wizard on F1.

Does this seem reasonable, or is there a better way? Also, are there any things we should look out for, or that we can use to test things as we go along?

Finally, I believe there is a 21 day limit on how long the 2008 server can be in an AD system with more than one machine. Does this limit start when we install the OS / add it to a domain, or when we first make it an AD server?

Simon Callan

2 Answers


Note that you can't easily go back down in function level after doing so, only from a backup restore. When I did this, I shut off one of the DCs till I was 100% sure everything was good on the current function level. Going from 2003 to 2008 is the one that seems to be the most risk, because some old programs might have issues. (We did not have any, but from what I read it makes the most changes.)

  • Our system is pretty much just login / authentication, so there should be no significant apps that care (I think only an SVN server is the only non windows login app). – Simon Callan Jan 06 '17 at 17:10

These are generally OS and domain items. I don't have any SBS aka Essentials experience.

Take backups before you start and along the way so if things break you can get back to a known good state.

FRS is no longer present in 2012. Add step 6B to migrate Sysvol replication from NTFRS to DFSR https://technet.microsoft.com/en-us/library/dd640019(v=ws.11).aspx

If your domain controller is also your DNS server, you will need to update the DNS resolver address on clients. Easier if everything is DHCP, harder if many clients have static addresses. Either way, you may want to assign all potential DC addresses as resolvers before you begin, and then remove the retired addresses when you're done.

Speaking of which, you seem to be starting with 2 DCs and ending with only 1. Never a good idea. Always have 2 DCs for redundancy.

Do you have any other old systems that are expecting the DCs to provide DES encryption? Your 2008 and 2012 DCs will no longer use DES by default. You can turn it back on, but you shouldn't, because DES has been shown to be vulnerable.

What kind of time span do you plan on doing the work over (hours/days/weeks)?
The reason I ask gets into some of the less frequently talked about details of Kerberos...
The KRBTGT account is a special account used to sign all Kerberos tickets in the domain. Each change in the domain functional level also changes the password on the KRBTGT account. The default Kerberos ticket life is 10 hours. AD stores the current and previous value of that password to prevent service interruption during changes. But if that password changes more than once in 10 hours, you will have issues with invalid Kerberos tickets. Options:

  1. Wait 10 hours between changes in the DFL
  2. Modify the domain policy to issue Kerberos tickets with a shorter lifetime (https://technet.microsoft.com/en-us/library/dd277401.aspx)

If you don't wait or don't change the lifetime, be prepared for those issues which will require reboots and/or logouts for computers and users to get new tickets.

Clayton
  • `FRS is no longer present in 2012` FRS is still the default replication technology in 2012 and 2012 R2. But upgrading to DFSR is advised, yes. – Daniel Jan 06 '17 at 18:45
  • We're planning on a slow-ish migration, so waiting a few hours is not a problem. – Simon Callan Jan 13 '17 at 10:18
  • 2012 Essential only supports a single domain controller, but we have RAID discs, and we can survive without the server for however long it takes to get a new one restored from backups. – Simon Callan Jan 13 '17 at 10:19
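As an added example (not from the question or either answer above), a PowerShell pre-flight check to run on the 2008 or 2012 DC between migration steps: it prints the functional levels, which server holds each FSMO role, the DC list, the SYSVOL replication migration state, and whether the KRBTGT password was changed less than one Kerberos ticket lifetime ago, which is the condition the second answer warns about. It assumes the RSAT ActiveDirectory module and a Domain Admin session; the Default Domain Policy GUID is the well-known one, and MaxTicketAge falls back to the 10-hour default the answer quotes if the policy file cannot be read.

```powershell
# Pre-flight check for the DFL/FSMO migration described above (added example).
Import-Module ActiveDirectory

function Get-KerberosMaxTicketAgeHours {
    param([string]$DnsRoot)
    # Kerberos policy lives in the Default Domain Policy's GptTmpl.inf (well-known GUID).
    $inf = "\\$DnsRoot\SYSVOL\$DnsRoot\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
           "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (Test-Path $inf) {
        $hit = Select-String -Path $inf -Pattern '^\s*MaxTicketAge\s*=\s*(\d+)' |
               Select-Object -First 1
        if ($hit) { return [int]$hit.Matches[0].Groups[1].Value }
    }
    return 10   # assumption: policy unreadable, use the documented 10-hour default
}

$domain = Get-ADDomain
$forest = Get-ADForest

Write-Host "Domain functional level : $($domain.DomainMode)"
Write-Host "Forest functional level : $($forest.ForestMode)"
Write-Host "`nFSMO role holders (all should sit on the DC you intend to keep):"
[ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-Table -AutoSize

Write-Host "Domain controllers currently in the domain:"
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem, IsGlobalCatalog, Site | Format-Table -AutoSize

# SYSVOL replication: 'Eliminated' means the FRS-to-DFSR migration (step 6B) is finished.
Write-Host "SYSVOL replication migration state:"
dfsrmig /getglobalstate

# KRBTGT check: old tickets stay valid for MaxTicketAge hours after a password change,
# and AD only keeps the previous key, so a second change inside that window breaks them.
$maxAge = Get-KerberosMaxTicketAgeHours -DnsRoot $domain.DNSRoot
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$since  = (Get-Date) - $krbtgt.PasswordLastSet
if ($since.TotalHours -lt $maxAge) {
    Write-Warning ("KRBTGT password changed {0:N1} h ago; ticket lifetime is {1} h. " +
                   "Wait another {2:N1} h before the next functional level raise." -f
                   $since.TotalHours, $maxAge, ($maxAge - $since.TotalHours))
} else {
    Write-Host ("KRBTGT password is {0:N1} h old (>= {1} h ticket lifetime): safe to proceed." -f
                $since.TotalHours, $maxAge)
}
```

Run it once before each functional level raise and again after each demotion; if the FSMO table or the DC list still names a server you have just demoted, stop and check replication with `repadmin /replsummary` before continuing.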