In our previous post we discussed the importance of implementing security best practices for Active Directory, and I recommended keeping up to date with the latest version of Active Directory Domain Services, which is Windows Server 2012 R2 AD DS.
Here are some benefits of moving to Windows Server 2012 R2 AD DS:
Active Directory Administrative Center (ADAC) adds GUI management of the Active Directory Recycle Bin feature originally introduced in Windows Server 2008 R2.
Supports the creation and management of Active Directory sites, site-links, connection objects, and more using Windows PowerShell.
ADAC adds GUI support for creating, editing and assigning Password Settings Objects (PSOs), originally added in Windows Server 2008.
Extends offline domain join by including DirectAccess prerequisites.
Virtualized DCs can be rapidly deployed by cloning existing virtual domain controllers using Windows PowerShell cmdlets.
Simplifies the task of configuring the distribution and management of volume software licenses.
There are two ways to do this upgrade:
1. In-place upgrade
This is the easiest and quickest option: it only requires inserting the Windows Server 2012 installation media into the DVD drive and upgrading the OS. However, this method is riskier and requires downtime.
2. AD migration to the 2012 R2 version
This is the method recommended by most consultants, and it does not require downtime. In this article I will provide detailed information about the AD migration to 2012 R2.
With this approach you domain-join a Windows Server 2012 R2 server to the existing Active Directory 2008 domain. After completing the prerequisites and the forest and domain prep, this new server is promoted as an additional domain controller. All directory objects replicate to the new server, and it works as an active domain controller alongside the existing Active Directory services.
Then you transfer the FSMO roles to the new Windows Server 2012 R2 DC. After the roles are transferred, the new 2012 R2 DC acts as the primary domain controller, and you can decommission the existing domain controllers. Before doing so, add another Windows Server 2012 R2 DC as an additional domain controller to share the load and to serve as a disaster recovery (DR) partner. This method needs no downtime, and if you follow the steps correctly you can perform a smooth upgrade to 2012 R2 AD DS.
1. Complete the prerequisites
Metadata cleanup is required only when you have domain controllers that are no longer operational: DCs that were forcefully removed, DCs that stopped replicating and whose tombstone lifetime has expired, or DCs that were formatted without being demoted first.
If you suspect stale DC metadata in your AD DS, use Event Viewer to track it down, or simply check by navigating to Active Directory Users and Computers, Domain Controllers OU, and looking for any domain controller that is no longer operational.
If you find stale DC metadata, remove it before doing the upgrade. There are two ways to do the cleanup: the GUI and the command prompt. In Windows Server 2003 the GUI method is not supported; from 2008 onwards it is, but I always prefer to use the command prompt.
Clean up metadata using the command line
1. Log in to one of the DCs and open a command prompt using Run as administrator.
2. Type: ntdsutil
3. At the ntdsutil: prompt, type: metadata cleanup
4. At the metadata cleanup: prompt, type the name of the server that was removed forcefully:
remove selected server <ServerName>
5. Confirm the removal.
For more information refer to the TechNet article:
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
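The following script is an added example, not part of the original post: it lists every DC in the domain, compares the last successful replication from each one against the forest tombstone lifetime, and prints (without running) the single-line ntdsutil cleanup command for the ones that qualify. It assumes the Windows Server 2012 or later Active Directory PowerShell module is installed and that the PDC emulator is reachable.

```powershell
# Added example (not from the original post). Assumes the Active Directory PowerShell
# module (Windows Server 2012 or later / RSAT) and rights to read replication metadata.
Import-Module ActiveDirectory

# Effective tombstone lifetime of the forest; forests created before Windows Server
# 2003 SP1 may have no value set, in which case the default of 60 days applies.
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$dsCfg = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" -Properties tombstoneLifetime
$tsl   = if ($dsCfg.tombstoneLifetime) { [int]$dsCfg.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# Ask the PDC emulator what it knows about each inbound replication partner
# (domain partition); a partner is identified by its NTDS Settings object DN.
$queryDc = [string](Get-ADDomainController -Discover -Service PrimaryDC).HostName
$meta    = Get-ADReplicationPartnerMetadata -Target $queryDc -Scope Server

foreach ($dc in Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $queryDc }) {
    $ntds    = "CN=NTDS Settings,$($dc.ServerObjectDN)"
    $lastOk  = ($meta | Where-Object { $_.Partner -eq $ntds } |
                Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1).LastReplicationSuccess
    $online  = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
    $ageDays = if ($lastOk) { (New-TimeSpan -Start $lastOk -End (Get-Date)).Days } else { $null }

    # Only an unreachable DC whose last good replication is older than the tombstone
    # lifetime (or that never replicated at all) is a candidate for metadata cleanup.
    $state = if ($online) { "OK" }
             elseif ($null -eq $ageDays -or $ageDays -gt $tsl) { "STALE" }
             else { "offline, still within tombstone lifetime" }
    "{0,-28} online={1,-5} lastSuccess={2,-20} age={3} days  {4}" -f $dc.HostName, $online, $lastOk, $ageDays, $state

    if ($state -eq "STALE") {
        # From Windows Server 2008 on, ntdsutil accepts the server object DN directly, so the
        # cleanup described in the post is one command. It is printed for review, not executed.
        "  ntdsutil `"metadata cleanup`" `"remove selected server $($dc.ServerObjectDN)`" quit quit"
    }
}
```

Review the printed DN against the Domain Controllers OU before running the cleanup; once the metadata is removed, the only way to bring that server back is a fresh promotion.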
2. Preparing the forest schema
Before adding a 2012 R2 domain controller to the existing 2008 environment, it is mandatory to update the Active Directory schema to the Windows Server 2012 R2 level. You must update the schema from the domain controller that holds the schema operations master (FSMO) role. To do this, log in to the schema master DC with an account that has Enterprise Admins and Schema Admins privileges. Please follow the detailed steps.
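As an added example (not the post's own steps), this script performs the schema update from the schema master: it checks that it is running on the right DC with the right group memberships, runs adprep from the 2012 R2 media, and reads the schema objectVersion before and after. The media drive letter $media is an assumption; adjust it to where the installation media is mounted.

```powershell
# Added example (not from the original post). Run it on the schema master, in the forest root
# domain, with an account in Schema Admins, Enterprise Admins and Domain Admins.
# $media is an assumption: the mounted Windows Server 2012 R2 installation media.
Import-Module ActiveDirectory
$media  = "D:"
$adprep = Join-Path $media "support\adprep\adprep.exe"

# objectVersion of the schema partition: 44 = 2008, 47 = 2008 R2, 56 = 2012, 69 = 2012 R2
function Get-SchemaVersion {
    (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
}

# 1. The post runs adprep /forestprep on the schema master; make sure we are there
$schemaMaster = (Get-ADForest).SchemaMaster
if ($schemaMaster -notlike "$env:COMPUTERNAME.*") {
    throw "Run this on the schema master ($schemaMaster), not on $env:COMPUTERNAME"
}

# 2. The account needs all three privileged groups of the forest root domain
foreach ($group in "Schema Admins", "Enterprise Admins", "Domain Admins") {
    if ((Get-ADGroupMember $group -Recursive).SamAccountName -notcontains $env:USERNAME) {
        throw "$env:USERNAME is not a member of $group"
    }
}
if (-not (Test-Path $adprep)) { throw "adprep.exe not found at $adprep; check the media path" }

"Schema version before: $(Get-SchemaVersion)"

# 3. Forest prep (adprep asks you to type C and press Enter), then domain prep for this domain
& $adprep /forestprep
if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep failed with exit code $LASTEXITCODE" }
& $adprep /domainprep
if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep failed with exit code $LASTEXITCODE" }
& $adprep /domainprep /gpprep
if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep /gpprep failed with exit code $LASTEXITCODE" }

# 4. Confirm the new level. The schema change still has to replicate to every DC before the
#    new 2012 R2 server is promoted; check with repadmin /showrepl once the version reads 69 here.
"Schema version after:  $(Get-SchemaVersion) (69 is expected for Windows Server 2012 R2)"
```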
5. Verify the newly promoted domain controller
You can verify the DC by checking DNS, Active Directory Users and Computers and Event Viewer.
6. Transfer the FSMO roles to the new Windows Server 2012 R2 domain controller
To finish the AD upgrade/migration you have to move the FSMO roles to the new Windows Server 2012 R2 environment. Moving these roles makes the 2012 R2 DC the primary server, and only after that can you demote the Windows Server 2008 R2 DCs from your network. You can do this using the GUI or the command prompt; I prefer the command prompt, which is less hassle.
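This is an added example of the command-line transfer, not code from the original post: it records the current role holders, performs a graceful transfer of all five roles to the new DC, and fails loudly if any role did not move. $NewDC is an assumed host name for the new Windows Server 2012 R2 domain controller.

```powershell
# Added example (not from the original post). $NewDC is an assumed name for the new Windows
# Server 2012 R2 DC. Transferring all five roles needs Schema Admins (schema master),
# Enterprise Admins (domain naming master) and Domain Admins (the three domain roles).
Import-Module ActiveDirectory
$NewDC = "DC2012R2"

function Get-FsmoHolders {
    $f = Get-ADForest; $d = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Before:"; (Get-FsmoHolders).GetEnumerator() | Format-Table Name, Value -AutoSize

# Sanity checks: the target must be a writable DC and should already be a global catalog
# (a GC infrastructure master is fine in a single-domain forest or when every DC is a GC).
$target = Get-ADDomainController -Identity $NewDC
if ($target.IsReadOnly)           { throw "$NewDC is read-only; FSMO roles need a writable DC" }
if (-not $target.IsGlobalCatalog) { Write-Warning "$NewDC is not a global catalog yet" }

# Graceful transfer: the current holders must be online. Do not add -Force here; that
# seizes the roles and is only for when the old holder is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

$after = Get-FsmoHolders
"After:"; $after.GetEnumerator() | Format-Table Name, Value -AutoSize
$notMoved = $after.GetEnumerator() | Where-Object { $_.Value -notlike "$NewDC.*" } | ForEach-Object Name
if ($notMoved) { throw "Roles still not on ${NewDC}: $($notMoved -join ', ')" }
"All five operations master roles are now held by $NewDC (cross-check with: netdom query fsmo)"
```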
7. Demote the existing Windows Server 2008 R2 domain controllers
It is not mandatory to demote the old servers right away; first you should deploy other domain controllers to handle the load. After that you can demote the 2008 servers from the domain. Follow these steps.
Now the DC role is removed and the server is just a member server. If you want, you can also remove it from the domain.
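Before demoting an old DC, the checks below are the ones I would run; this is an added example and not part of the original post. $OldDC and $NewDC are assumed names, the script runs from the new 2012 R2 DC, and it assumes $NewDC is a direct replication partner of $OldDC.

```powershell
# Added example (not from the original post). $OldDC and $NewDC are assumed names; run it from
# the new 2012 R2 DC (Resolve-DnsName exists on Windows Server 2012 and later).
Import-Module ActiveDirectory
$OldDC    = "DC2008R2"
$NewDC    = "DC2012R2"
$domain   = (Get-ADDomain).DNSRoot
$problems = @()

# 1. The server being demoted must no longer hold any operations master role
$f = Get-ADForest; $d = Get-ADDomain
$roles = @($f.SchemaMaster, $f.DomainNamingMaster, $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster)
if ($roles | Where-Object { $_ -like "$OldDC.*" }) { $problems += "$OldDC still holds an FSMO role" }

# 2. A writable DC and a global catalog must remain in the domain after the demotion
$others = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $OldDC }
if (-not ($others | Where-Object { -not $_.IsReadOnly })) { $problems += "no other writable DC in $domain" }
if (-not ($others | Where-Object { $_.IsGlobalCatalog })) { $problems += "no other global catalog in $domain" }

# 3. The new DC must have replicated successfully from the old one, so no recent change is lost
$ntds   = "CN=NTDS Settings,$((Get-ADDomainController -Identity $OldDC).ServerObjectDN)"
$meta   = Get-ADReplicationPartnerMetadata -Target $NewDC -Scope Server | Where-Object { $_.Partner -eq $ntds }
$lastOk = ($meta | Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1).LastReplicationSuccess
if (-not $lastOk -or $lastOk -lt (Get-Date).AddHours(-1)) {
    $problems += "$NewDC has no successful replication from $OldDC in the last hour (last: $lastOk)"
}
if ($meta | Where-Object { $_.ConsecutiveReplicationFailures -gt 0 }) { $problems += "replication errors from $OldDC" }

# 4. DNS: the new DC must be registered as a name server for the domain zone
$ns = (Resolve-DnsName -Name $domain -Type NS -ErrorAction SilentlyContinue).NameHost
if ($ns -notcontains "$NewDC.$domain") { $problems += "$NewDC is not listed as an NS for $domain" }

if ($problems) {
    Write-Warning ("Do not demote $OldDC yet:`n - " + ($problems -join "`n - "))
} else {
    "$OldDC can be demoted (on 2008 R2 the demotion itself is run with dcpromo on that server)."
    "Afterwards, repoint DHCP scope options and static DNS client settings that still use $OldDC."
}
```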
Hope this is useful
Asitha De Silva
https://lk.linkedin.com/pub/asitha-de-silva/27/b09/429
References
https://technet.microsoft.com/en-us/library/hh994618.aspx?f=255&MSPPError=-2147217396
http://blogs.technet.com/b/canitpro/archive/2015/02/11/step-by-step-migrating-windows-server-2003-fsmo-roles-to-windows-server-2012-r2.aspx
https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx