How to migrate an Active Directory domain correctly?
There is a machine with WinServer 2008 R2. The domain controller, DHCP, and DNS run on this machine.
Since the machine has not been well for a long time and has been decently polluted, we decided to move to a new host with WinServer 2012.
The plan is as follows:
1. Raise a new host, raise a domain with the same names (fqdn, netbios) on it
2. Selectively export users and PCs from the old one (there are many "dead" PCs and unnecessary users)
3. Also selectively export DHCP settings (not all reservations, not all networks)
4. Selectively export DNS zones, do not use PTR
5. Import this whole economy into a new domain on a new host
6. Turn off the old host and turn on the new one
Question: what is the best and most correct way to do all this? What utilities to take? I don't want to re-enter the PC into the domain, just as I don't want to reconfigure domain authorization on internal systems, that is, I want to save the SSIDs of the transferred objects.
I would do this:
1, 2, 4, 5. I would recommend that you join the Windows Server 2012 machine to the same domain and promote it to a domain controller.
3. Right-click on the server in the DHCP snap-in - archive. On the new - restore. Stop DHCP on the old server, start on the new one.
6. Wait for the end of replication. Migrate FSMO roles. Turn off 2008, see if there are no network problems for a while. Enable 2008, downgrade to member server, exclude from domain.
-
The second option - recently migrated several domains to one using Microsoft's Active Directory Migration Tool. I don't know if it will help in your case. Used this guide part 1 part 2. Everything is described in sufficient detail and clearly, all pitfalls are taken into account.
Option 1, for the professional:
Raise a new controller.
Wait for replication.
Migrate FSMO roles.
Configure DHCP separately.
Remove the old controller from the domain and put it out.
Delete unnecessary users, clean up DNS, and you are done.
Just in case, raise the second controller with the old IP.
For everything about everything - a maximum of 4 hours with leisurely smoke breaks
Option 2, yours:
Go the way of dancing with tambourines and provide yourself with incomprehensible problems with SSIDs, trust, authorization and other fun things for the near and distant future.
When, as a result of such cool-hacking manipulations, everything eventually collapses, you have time to write a statement on your own.
This is absolutely not serious, the answer is easily found with the help of Google, a completely ordinary operation.
For example, I did this scenario:
https://social.technet.microsoft.com/Forums/ru-RU/
... no.
3. For some clients, specify 2012 as a DNS server. If everything is fine, set up for everyone.
4. Raise DHCP to 2012 so that it serves some of the clients, if everything is fine, transfer all clients to the new DHCP.
5. Transfer the FSMO roles to 2012. (When migrating the PDC role, don't forget to set the time)
5. Then lower the weight/priority of the DC on the 2008 server. It's described in great detail here.
6. Turn off DC for 2008 and watch for a while, if everything is fine, downgrade DC 2008 to a member server.
And here, the same thing, in more detail - www.vitaliy.org/Node/View/1184
And as I understand it, you have a very dangerous AD configuration: running with one DC is strongly not recommended. You need to think about adding an additional DC and at the same time setting up a failover DHCP server, so that the failure of one of the servers will be completely invisible to users.
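
The "wait for replication, migrate FSMO roles, set the time" steps that the answers above describe, as an added PowerShell example that is not part of any answer. The host names `DC2008` and `DC2012` and the NTP source `time.example.org` are assumptions, as is the helper `Get-FsmoHolders`.

```powershell
# Added example. Assumed names: DC2008 (old DC), DC2012 (new DC), time.example.org (NTP).
# Run from an elevated session with the ActiveDirectory module (Server 2012),
# as an account in Domain Admins, Enterprise Admins and Schema Admins.
Import-Module ActiveDirectory
$OldDc = 'DC2008'; $NewDc = 'DC2012'; $NtpPeers = 'time.example.org'

function Get-FsmoHolders {   # hypothetical helper: current holder of each of the five roles
    $d = Get-ADDomain; $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

# 1. Gate: do not move roles while either DC reports replication errors.
$failures = Get-ADReplicationFailure -Target $OldDc, $NewDc |
    Where-Object { $_.FailureCount -gt 0 }
$badLinks = Get-ADReplicationPartnerMetadata -Target $NewDc |
    Where-Object { $_.LastReplicationResult -ne 0 }
if ($failures -or $badLinks) {
    $failures | Format-Table Server, Partner, FailureCount, LastError
    $badLinks | Format-Table Partner, LastReplicationAttempt, LastReplicationResult
    throw 'Replication is not clean; fix it before transferring FSMO roles.'
}

# 2. Record the holders before the change, then transfer. No -Force: that would
#    seize the roles instead of transferring them from the live 2008 R2 holder.
Get-FsmoHolders | Format-List
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster,
                         SchemaMaster, DomainNamingMaster

# 3. Verify every role now sits on the new DC (holders are returned as FQDNs).
$wrong = (Get-FsmoHolders).PSObject.Properties |
    Where-Object { $_.Value -notlike "$NewDc.*" }
if ($wrong) { throw "Roles not on ${NewDc}: $($wrong.Name -join ', ')" }

# 4. Time: the new PDC emulator becomes the domain's time root; the old DC
#    goes back to following the domain hierarchy.
w32tm /config /computer:$NewDc "/manualpeerlist:$NtpPeers" /syncfromflags:manual /reliable:yes /update
w32tm /resync /computer:$NewDc
w32tm /config /computer:$OldDc /syncfromflags:domhier /reliable:no /update
```

Because the new server joins the existing domain rather than replacing it, user and computer objects keep their identifiers and no PC has to be rejoined.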