How to Migrate from a 2003 to 2012 Domain Environment

Migrating from a 2003 to a 2012 domain environment can sound complicated, but Microsoft has made it rather easy. My main reasons for migrating from a 2003 to a 2012 environment are as follows:

  • More stable AD
  • More features
  • FRS to DFSR means much smoother replication
  • More secure
  • 2008 Namespace for DFS
  • AD Recycle Bin

Along with the domain/forest migration, we will also be transitioning from FRS to DFSR for SYSVOL replication.

The environment is as follows:

  • NDC1 (2003 SP2) 10.0.0.10
  • NDC2 (2012 R2) 10.0.0.11
  • NFS1 (file server, 2012 R2) 10.0.0.12

The first step is to join all the machines to the domain.

You'll notice that if you try to add a 2012 R2 domain controller, it requires a forest functional level of at least 2003, and by default 2003 domain controllers choose a functional level of 2000. So you'll get an error if you try to add the new DC.

At this point we need to open Active Directory Domains and Trusts to raise the domain functional level to 2003.

Now choose 2003, and click OK at the prompts.

After you're done, click the Raise button again to verify that it worked (if you have more than 1 DC, also wait for AD to replicate).

Now right-click the Domains and Trusts root and raise the forest functional level to 2003 as well.

You should now have a domain and forest functional level of 2003.

Now when you try to promote your 2012 DC it will work, but it will warn you that you cannot create read-only DCs (ignore this). Promoting the DC will upgrade your AD forest schema.

Now, to proceed, we need to transfer the 5 FSMO roles over to our 2012 DC before demoting the 2003 DC.

If you want to transfer all 5 FSMO roles via PowerShell, use this cmdlet (credits to Reddit for showing me this):

    Move-ADDirectoryServerOperationMasterRole -Identity <destinationserver> -OperationMasterRole 0,1,2,3,4

If you'd like to do it via the GUI, continue reading.

Open Domains and Trusts again.

Choose Change Active DC and select your 2012 DC from the menu.

Now right-click AD Domains and Trusts and choose "Operations Master", then click Change to transfer the role over to your 2012 DC.

Now a quick "netdom query fsmo" will confirm that you have moved 1/5 of the roles.

Now open Active Directory Users and Computers, change your DC to your 2012 DC, and transfer the RID, PDC, and Infrastructure roles.

Note: you have to right-click the domain in this console to get the Operations Masters option.

Transfer the roles.

Now we have 4/5 roles; again, we can confirm this.

Now, to transfer the schema master role, we need to register a DLL. Open the Run dialog and type "regsvr32 schmmgmt.dll".

NOTE: if you get some weird errors, open a command prompt in admin mode and type the command there.

Now type "MMC" in the Run box and press Enter, or run it from the command prompt.

Click File, then Add/Remove Snap-in.

Add the Active Directory Schema snap-in and click OK.

Change your DC like we did before, and then change your operations master.

Your 2012 R2 DC should now hold all 5 roles; again, let's verify.

Now, if you have more than 2 DCs (your 2003 and 2012), you should wait for replication to finish before proceeding to demote the 2003 server.

You can also force replication by typing this into an admin cmd prompt: "repadmin /syncall /force"

Your output should include lots of "syncall terminated with no errors" lines.

Now, before demoting your 2003 DC, make sure that any static settings pointing to this DC as a DNS server are changed over to the 2012 DC (other servers, printers, DHCP, stuff like that).
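
A pre-demotion check for the conditions described above (all five FSMO roles on the new DC, clean inbound replication, no machine still using the old DC for DNS), as an added example that is not part of the original post. It assumes it is run elevated on NDC2 with the ActiveDirectory and DnsClient modules available and WinRM reachable on the listed 2012 R2 machines; printers and DHCP scope options still need a manual check.

```powershell
# Added example: pre-demotion gate. Names and IPs come from the environment list above.
Import-Module ActiveDirectory

$NewDc   = 'NDC2'          # 2012 R2 DC that should now hold every role
$OldDcIp = '10.0.0.10'     # NDC1, the 2003 DC about to be demoted
$Members = 'NDC2', 'NFS1'  # 2012 R2 machines to check for stale DNS settings (assumed reachable over WinRM)

$problems = @()

# 1. All five FSMO roles must resolve to the new DC.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    # Holders are returned as FQDNs; compare on the host label only.
    if (($role.Value -split '\.')[0] -ne $NewDc) {
        $problems += "FSMO role $($role.Key) is still held by $($role.Value)"
    }
}

# 2. Inbound replication to the new DC must be clean on every partition.
Get-ADReplicationPartnerMetadata -Target $NewDc -Partition '*' |
    Where-Object { $_.LastReplicationResult -ne 0 } |
    ForEach-Object {
        $problems += "Replication of $($_.Partition) from $($_.Partner) failed with result $($_.LastReplicationResult)"
    }

# 3. No checked machine may still list the old DC as a DNS server.
foreach ($name in $Members) {
    $stale = Get-DnsClientServerAddress -CimSession $name -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains $OldDcIp }
    foreach ($nic in $stale) {
        $problems += "$name interface '$($nic.InterfaceAlias)' still uses $OldDcIp for DNS"
    }
}

# Stop here if anything is outstanding; demoting now would strand roles or clients.
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "All five FSMO roles on $NewDc, replication clean, no DNS references to $OldDcIp."
```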

 

Now log into your 2003 DC, open an admin cmd prompt, and type "dcpromo".

NOTE: seriously, right-click, choose Run As, choose admin, and uncheck the restrict box. I've had this cause problems for me before.

Let’s demote it. Click next, DO NOT check the box.

Choose a new local admin password.

Now wait for the wizard to finish!


Once done, it will ask you to restart the DC. If it failed, make sure you run the CMD as admin and uncheck the restrict box like I said earlier. This 2003 server is now just a member of the domain and not a DC.

Jump back over to your 2012 DC and open AD Domains and Trusts. Right-click and choose Raise Forest Functional Level.

Choose 2012 R2, and click OK at the prompts.

Right-click it again and choose Raise Forest Functional Level to confirm it is now 2012 R2.

Now our domain functional level has been raised to 2012 R2 as well!

Now we’re done!

If you had a DFS Namespace previously, you will have to migrate from FRS to DFSR; if you didn't, then DFSR won't need to be migrated.

If you'd like to check out how to migrate FRS to DFSR (which you totally should be doing), check out my next post here.