AD migration from SBS2011 to 2012 R2 and new domain

active-directory migration windows-server-2012-r2 windows-sbs-2011
12,826

Exchange 2007 and newer versions stop you from performing a domain rename. Since you say that you're ditching on-premise Exchange that's not a factor. That opens up the door for what I think would be a much easier process than any kind of creation of a new forest or domain:

  • Complete your migration to Office 365 and remove Exchange from your SBS 2011 environment.

  • Add a temporary DC to your existing domain and migrate AD (and all FSMO roles) away from the SBS server, demoting the SBS server back to a domain member in the process. (After this point you'll have 21 days to complete the migration.)

  • Perform the domain rename.

  • Add your permanent W2K12 R2 DC and demote / remove the temporary DC.

  • Rename / move the OUs (GPOs, etc) in AD to your liking.

  • Migrate any other functions away from the SBS machine and decommission it.

The temporary DC isn't strictly necessary, but I'd probably do it (because I'm superstitious). Domain rename sounds difficult but without Exchange it's actually pretty straightforward. If you're at all concerned mock up your environment using virtual machines on an isolated network and try it out (preferably using a real copy of your AD "harvested" from your production network and placed into the virtual environment).

You're going to have to ditch the default certification authority that the SBS 2011 setup created when you do this, too. Decommissioning an Enterprise CA isn't really that hard, either, assuming you're not actually using it for anything. (If you are, then no matter what migration strategy you take you'll need to worry about that.)

When you're all done you'll have a nice shiny new domain name, your OUs will look like whatever you want them to, all user passwords will be be intact, and all domain member computers will have intact domain trusts.

Planned, tested, and executed properly the production domain rename and migration could take only a couple of hours to complete. (Obviously, the time you spend up front planning and testing will pay immense dividends when you actually do the real thing.)

(I'd also export shares on the new W2K12R2 machine that reflected the shares exported by the old SBS machine, and I'd add the SBS machine as a DNS alias to the new server. Then existing shortcuts, UNCs, etc, will "just work" following the migration.)

Edit:

I don't know why people get so cagey around domain rename. You need to plan it out and execute it methodically, but it has been painless for me. I've done three production domain renames and had no problems (other than long-forgotten FQDNs in use in embedded devices that needed to be changed). Two environments had Exchange 2003 and one did not. One had a single DC, the other two had multiple DCs. I mocked-up the first two (the environments that had Exchange) in VMs, but the third I just ran on the production network w/o a mockup (because it was so simple-- single DC, no Exchange).

Here's that bullet point from above, "Perform the domain rename", broken down into steps.

In terms of Microsoft articles, I prefer: How Domain Rename Works The article contains a lot of superfluous background, but the basic steps are in there.

For a single domain forest with a single DC the process is pretty painless:

  • Decommission any enterprise CA root.

  • Create a new AD-integrated DNS zone for the new domain name.

  • Set the forest functional level to Windows 2003 or higher.

  • Run rendom /list to generate the forest description file (Domainlist.xml).

  • Edit the Domainlist.xml file to reflect the new DNS and NetBIOS domain names.

  • Run the rendom /showforest, which displays the Domainlist.xml file in a "friendly" way, and review the output to make sure you made the proper edits.

  • Run the rendom /upload command to install the new domain name into Active Directory. No rename occurs at this point-- you're just prepping AD for the rename. In a multi-DC environent this would initiate replication of the renaming instructions to all the DCs.

  • Run the rendom /prepare command to verify readiness to rename. In a multi-DC environment this command checks each DC to insure that they all have received the rename instructions. Renaming can't begin until all the DCs have replicated the renaming instructions. (It's necessary that the change happen to all the AD database replicas nearly simultaneously.) Once you've execute rendom /prepare you cannot add any new domains to the forest or DCs to the domain until you've executed rendom /clean (see below).

  • Run the rendom /execute command to execute the rename. This instructs the DCs to perform the rename. Each DC will switch their AD database into a single-user maintenance mode, perform the rename, then reboot back into a normal operating state.

  • Once all the DCs have completed the rename execute 'Gpfixup' with the appropriate old and new domain names to update any references to the old domain name to the new name in Group Policy Objects.

  • Change the primary DNS suffix on each DC because they don't change automatically. I don't know why Microsoft didn't have these change automatically, but they didn't. Reboot the DC again after making this change.

  • Reboot all domain member computers twice. This doesn't have to be done immediately (I kept a domain in this state for a couple of weeks). Domain member computers will "detect" that a domain rename has been performed and automatically update themselves during these two reboots.

  • Once you've rebooted all domain member computers twice execute the rendom /clean command to clear the rename instructions from AD and return the domain to a normal operating state.

  • Delete the old domain's DNS zone from AD once you've migrated any non-domain member records out of it.

Like I said-- a single domain, single DC environment is simple because you don't have to worry about replication of the domain rename instructions or being able to contact all the DCs.

As far as side-effects go:

  • You do need to be cognizant that domain DFS root names will change. If you have Group Policy Software Installation coming from domain DFS paths you're going to see reinstalls of software (because the Group Policy client will think the software isn't installed).

  • If you /clean the domain too early (before all member computers have been rebooted twice) you could run into a state where you have machines that need to be manually disjoined and rejoined to the domain.

  • In larger environments you're going to see increased replication traffic while the new DNS zones populate.

Share:
12,826

Related videos on Youtube

teleute00
Author by

teleute00

Updated on September 18, 2022

Comments

  • teleute00
    teleute00 almost 2 years

    We have an existing SBS2011 server, and would like to migrate to a new 2012 R2 server. Ideally, we'd like to do this in a new domain - 1. we'd like to reorganize the OUs to remove the "SBS" named stuff (i.e. all users aren't in users, they're in SBSUsers, etc...) and 2. we'd like to go to a domain name that's more in line with best practices (subdomain.ourdomain.com rather than name.local).

    I'm trying to figure out the best way to do this migration. Most things I've read say to migrate by adding the new DC to the existing domain, promoting it, letting everything sync, and then demoting the old one. However, this doesn't address either of our concerns re: naming or reorganization.

    I also thought about perhaps something cross forest, but from what I can tell you need either ADMT (not supported for 2012), or possibly a paid tool (not a likely option, as we're a non-profit and have a minimal budget for this).

    Finally, I could export the users and import them, but this seems like it would involve different steps for the users, computers, groups, etc...and I worry about how well it would mesh. Also, again as far as I can tell, without one of the above tools (and possibly not even then!) I still can't do it without making all the users reset their passwords.

    Exchange is not a variable here (I don't think!) as we're migrating it to Office 365, and for simplicity's sake not adding SSO for now, until everything else is sorted.

    Is there an option I'm missing that would allow us to meet all of our criteria - ability to change domain name and keep standard OU layout rather than SBS, not buying an expensive third party tool, and having no impact on user account/passwords?

    • teleute00
      teleute00 about 10 years
      From what I'm seeing, another potential (though it seems quite byzantine) path is: Lower the functional level of the 2012 DC to 2008 R2. Add a temporary 2008 R2 server and promote it to a DC in the new domain. Install ADMT on this new DC. Use it to do a cross forest migration (still fuzzy on how to do this, but it seems possible). Once everything has synced, remove the temp 2008 DC and then raise the functional level back up to 2012 (optional). Seem feasible? Is there a better way?
  • teleute00
    teleute00 about 10 years
    FYI - we did the migration last weekend (ended up doing it by hand). :-) But will still clarify a couple of things so I can give you points. When I investigated renaming a domain, I got tonnes of hits that were basically like "it's complicated and hideous and totally not recommended". Any good straightforward guides on that? And info on potential side-effects or consequences that isn't so fear mongering? :-) I know everything I read made me not want to go near it. Thanks!
  • Spence
    Spence about 10 years
    I dropped on an edit w/ some commentary about domain rename.
  • teleute00
    teleute00 about 10 years
    Wow - fantastic! Above and beyond. Thank you! I'm sure this will be helpful to others in the future as well.
  • zman
    zman about 9 years
    Anyone have a link regarding sbs2011 and exchange server 2010 domain rename issue?
  • AntoineL
    AntoineL about 8 years
    +1 for the point about decommission of the CA

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Moving the Windows Server from one computer to another
Setting disk quotas with Active Directory
How to convert regular windows 10 account to an active directory account?
How do I configure DNSMasq on DD-WRT when using Active Directory?
How can I list all members from AD group showing enable and disabled users?
How to join a system to a domain controller in Microsoft Azure
AdPrep logs show an LDAP error
Brute force attack with no IP to trace
Move application servers from one domain to another
What's the upgrade path for ADFS 2.1 to 3.0 (Server 2012 to 2012 R2)