Forum Discussion
Anonymous
Sep 15, 2017
AD upgrade/refresh - what would you do?
We're a small single site organisation of around 600 users. We have an initiative in the works to refresh/upgrade our ageing AD infrastructure (we still have AD 2003 domains!!!). We have an opportun...
Stefan Metzler
Sep 15, 2017
Copper Contributor
First of all, please don't see a green field approach as an easy step that resolves all your issues or mess within the environment. It requires a concept and strict planning. With 600 users you're not that flexible, and if you do it right, it may take more than a year to complete, with a lot of pain for your users!
Possible approaches:
Green Field approach without migration (Not the way to go!)
- Creating a concept including the necessary points (tiers, security, network segregation, delegation model, domain design, topology, GPO, etc.)
  - This is required for AD, applications, services, clients, etc.
- PoC (if required)
- Final implementation
- Moving all data, rebuilding all servers (applications)
- Delta migration of the user data before switch over
- Hard switch over during a weekend (big bang)
Green Field approach with migration (better)
- Creating a concept including the necessary points (tiers, security, network segregation, delegation model, domain design, topology, GPO, etc.)
  - This is required for AD, applications, services, clients, etc.
- PoC (if required)
- Final implementation
- Starting with user, workstation, group and service migration into the new empty forest while keeping SID history (ADMT is your friend)
- During this period you have a kind of "hybrid infrastructure" where users are in the new domain / forest and resources are in the old domain / forest
- After migration is completed:
  - Remove SID history
  - Remove forest trust
  - Remove old domain / forest
Cleanup / upgrade approach (preferred) - depending on your infrastructure
- There is no mess that cannot be cleaned up! Especially when talking about delegations, GPOs, Users, group nestings...
If you have a Microsoft Premier Contract, consult a Premier Field Engineer for such a project (doesn't matter which way you go!). They have field experience and know exactly what needs to be done :-)
Keep in mind:
- You cannot directly upgrade to Server 2016; it requires you to have a "step in the middle" with Server 2012 R2!
- Server 2003 is out of support. That means Microsoft is not able to help when something goes wrong during migration. Furthermore, you're not getting any security / cumulative updates anymore - RISK for malware, viruses, ransomware, etc.
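As an added example (not from the thread above, and not Microsoft's or ADMT's own tooling), the following PowerShell script gives a defender a read-only picture of the two things the reply says to keep an eye on: which domain controllers still run an out-of-support OS (and what functional level the forest is at), and which migrated objects still carry sIDHistory so the list can be driven to zero before the forest trust is removed. It assumes a domain-joined admin workstation with the RSAT ActiveDirectory module; the function names (Get-DcSupportReport, Get-SidHistoryReport, Clear-SidHistory) are this example's own. Only Clear-SidHistory changes anything, and it honours -WhatIf / -Confirm.

```powershell
# Added example, not part of the original forum post.
# Assumes the RSAT ActiveDirectory module and an account allowed to read
# (and, for Clear-SidHistory only, write) the objects in question.
Import-Module ActiveDirectory

function Get-DcSupportReport {
    # Every DC in the forest with its OS, plus forest/domain functional levels.
    # A DC reporting "Windows Server 2003" is out of support: no security updates.
    $forest = Get-ADForest
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Select-Object HostName, Domain, OperatingSystem, IsGlobalCatalog, IsReadOnly
    }
    [pscustomobject]@{
        ForestMode        = $forest.ForestMode
        DomainModes       = foreach ($domain in $forest.Domains) {
                                "$domain : $((Get-ADDomain -Server $domain).DomainMode)"
                            }
        Trusts            = @(Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive)
        DomainControllers = @($dcs)
        Unsupported       = @($dcs | Where-Object { $_.OperatingSystem -like '*2003*' })
    }
}

function Get-SidHistoryReport {
    # Objects in the (new) domain that still carry sIDHistory after an ADMT migration.
    # One row per historical SID, so you can see which old domain it came from.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -SearchBase $SearchBase `
                 -Properties sIDHistory, objectClass |
        ForEach-Object {
            $obj = $_
            foreach ($entry in $obj.sIDHistory) {
                # Cast works whether the module hands back a SecurityIdentifier or a string.
                $sid = [System.Security.Principal.SecurityIdentifier]"$entry"
                [pscustomobject]@{
                    Name         = $obj.Name
                    ObjectClass  = $obj.ObjectClass
                    DN           = $obj.DistinguishedName
                    HistorySid   = $sid.Value
                    OldDomainSid = $sid.AccountDomainSid.Value
                }
            }
        }
}

function Clear-SidHistory {
    # Strips sIDHistory from the given objects. Run with -WhatIf first, and only
    # after resource ACLs have been re-ACLed to the new SIDs; otherwise users lose
    # access to anything still granted via the old SID.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string[]]$DN
    )
    process {
        foreach ($dn in $DN) {
            if ($PSCmdlet.ShouldProcess($dn, 'Clear sIDHistory')) {
                Set-ADObject -Identity $dn -Clear sIDHistory
            }
        }
    }
}

# Usage:
Get-DcSupportReport | Format-List
Get-SidHistoryReport | Format-Table -AutoSize
# Dry run of the cleanup step; drop -WhatIf only once the report above is understood:
# Get-SidHistoryReport | Clear-SidHistory -WhatIf
```

The sIDHistory report doubles as a check on the "hybrid" phase: as long as rows remain, resources in the old forest are still being reached through the old SIDs, so the forest trust is still load-bearing and should not be removed yet.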