
AD upgrade/refresh - what would you do?


We're a small single site organisation of around 600 users. We have an initiative in the works to refresh/upgrade our ageing AD infrastructure (we still have AD 2003 domains!!!).

We have an opportunity to do things the right way - we have an historic mess within the AD (OU's, groups, users, accounts, policies, etc.) and they are all in a bit of a state.

What would you do? Would you....

a) Start a fresh new domain from scratch and migrate.... or

b) Upgrade the AD 2003 and "fix" all the problems (if so, how would you go about it)

3 Replies

First of all, please don't see a green field approach as an easy step to be done that resolves all your issues or mess within the environment. It requires a concept and strict planning. With 600 users you're not that flexible and if you make it right, it may take more than a year to complete with a lot of pain for your users!

Possible approaches:

  • Green Field approach without migration (Not the way to go!)
    • Creating a concept including necessary points (tiers, security, network segregation, Delegation model, Domain design, Topology, GPO, etc.)
      • This is required for AD, Applications, Services, Clients, etc.
    • PoC (if required)
    • Final implementation
    • Moving all data, rebuild all servers (applications)
      • Delta migration of the user data before switch over
    • Hard switch over during weekend (big bang)

Green Field approach with migration (better)

  • Creating a concept including necessary points (tiers, security, network segregation, Delegation model, Domain design, Topology, GPO, etc.)
    • This is required for AD, Applications, Services, Clients, etc.
  • PoC (if required)
  • Final implementation
  • Starting with user, workstation, group and service migration into the new empty forest while keeping SID history (ADMT is your friend)
    • During this period you have kind of a "hybrid infrastructure" while users are in the new Domain / Forest and resources are in the old Domain / Forest
  • After migration is completed
    • Remove SID history
    • Remove Forest Trust
    • Remove old Domain / Forest

Cleanup / upgrade approach (preferred) - depending on your infrastructure

  • There is no mess that cannot be cleaned up! Especially when talking about delegations, GPOs, Users, group nestings...

If you have a Microsoft Premier Contract, consult a Premier Field Engineer for such a project (doesn't matter which way you go!). They have field experience and know exactly what needs to be done :)

Keep in mind:

  • You cannot directly upgrade to Server 2016; it requires you to have a "step in the middle" with Server 2012 R2!
  • Server 2003 is out of support. That means Microsoft is not able to help when something goes wrong during migration. Furthermore you're not getting any security / cumulative updates anymore - RISK for malware, viruses, ransomware, etc.
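
An added example, not from the reply above: a PowerShell audit of everything in the new forest that still carries SID history after an ADMT migration, which is the checklist to clear before the "Remove SID history" and "Remove Forest Trust" steps. It assumes the ActiveDirectory module (2012-era RSAT or newer for Get-ADTrust), an account allowed to read sIDHistory, and a placeholder CSV path.

```powershell
# Added example (not from the thread): audit objects in the NEW forest that still
# carry sIDHistory after an ADMT migration, grouped by the old domain they point to.
# Assumes the ActiveDirectory module and an account allowed to read sIDHistory;
# the CSV path is a placeholder.
Import-Module ActiveDirectory

# Any object class (user, group, computer) can carry SID history
$withHistory = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, objectClass, distinguishedName

$report = foreach ($obj in $withHistory) {
    foreach ($sid in $obj.sIDHistory) {
        $sidString = $sid.ToString()
        # Drop the trailing RID to get the SID of the old domain
        $oldDomain = $sidString.Substring(0, $sidString.LastIndexOf('-'))
        [pscustomobject]@{
            Name         = $obj.Name
            ObjectClass  = $obj.ObjectClass
            OldDomainSid = $oldDomain
            HistorySid   = $sidString
            DN           = $obj.DistinguishedName
        }
    }
}

# Summary: how many objects still depend on each old domain
$report | Group-Object OldDomainSid | Select-Object Name, Count | Format-Table -AutoSize

# Cross-check against the trusts that are still in place
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive

# Detail list for the checklist before "Remove SID history" / "Remove Forest Trust"
$report | Sort-Object ObjectClass, Name |
    Export-Csv -Path .\sidhistory-audit.csv -NoTypeInformation

# Once resource ACLs have been re-permissioned to the new SIDs, the history can
# be stripped per object; -WhatIf shows what would change without touching anything.
foreach ($row in $report) {
    Set-ADObject -Identity $row.DN -Remove @{sIDHistory = $row.HistorySid} -WhatIf
}
```

Run the summary after every migration wave; the trust can only go once the grouped count for the old domain SID reaches zero and nothing is still authenticating through it.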

I would start by evaluating the need to keep AD on-prem by determining which systems you have that actually need this. It may be possible to move all of the accounts into Azure AD and with Azure App Proxy eliminate much, if not all, of the on-premises AD infrastructure.

If I understand correctly, out of those options, I'd personally go for option B (assuming this isn't relevant: https://support.office.com/en-gb/article/How-to-prepare-a-non-routable-domain-such-as-local-domain-for-directory-synchronization-e7968303-c234-46c4-b8b0-b5c93c6d57a7). I'd use (free) tools like AD Tidy (http://www.cjwdev.co.uk/Software/ADTidy/Info.html) or AD Info (http://www.cjwdev.co.uk/Software/ADReportingTool/Info.html) to get a handle on the domain, weeding out old/stale items and restoring order in the domain. Just as important is building up some processes to avoid this from happening again, things like leavers/starters, naming conventions and structure.

I'd also look at any related tasks that could be automated; they would go hand in hand with these sorts of operations. I'd throw in other infrastructure roles, like DHCP, DNS, print servers etc.; could they be refreshed alongside this work, or at a later stage?

For the actual upgrade, I'd look at adding 2012 R2 DC(s), moving over the roles (https://blogs.technet.microsoft.com/canitpro/2015/02/10/step-by-step-migrating-windows-server-2003-fsmo-roles-to-windows-server-2012-r2/) and decommissioning the 2003 ones. 2012 R2 can then be upgraded to 2016, or add a fresh 2016 DC. There could be lots of other steps or permutations, worth researching, and there are considerations like licensing as well.
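
An added example, not from this reply: a PowerShell snapshot of what the staged 2003 -> 2012 R2 -> 2016 path depends on (which DCs exist and what they run, who holds the FSMO roles, functional levels, replication, and the stale accounts the cleanup should weed out), to run before and after each step. It assumes the ActiveDirectory module can reach a 2008 R2 or later DC (true once the first 2012 R2 DC is in), a domain admin account, and an assumed 90-day inactivity cutoff.

```powershell
# Added example (not from the thread): snapshot what the staged upgrade
# (2003 -> 2012 R2 -> 2016) depends on, to run before and after each step.
# Assumes the ActiveDirectory module can reach a 2008 R2+ DC (true once the
# first 2012 R2 DC is in) and a domain admin account; 90 days is an assumed cutoff.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Domain controllers and what they run: 2003 DCs block raising the
#    functional level and no longer receive security updates.
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog
$dcs | Format-Table -AutoSize
$legacy = @($dcs | Where-Object { $_.OperatingSystem -like '*2003*' })
if ($legacy.Count -gt 0) {
    Write-Warning ("Still on Server 2003: " + ($legacy.HostName -join ', '))
}

# 2. FSMO role holders: after moving the roles, none may sit on a 2003 DC
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
[pscustomobject]$roles | Format-List
foreach ($role in $roles.Keys) {
    if ($legacy.HostName -contains $roles[$role]) {
        Write-Warning "$role is still held by 2003 DC $($roles[$role])"
    }
}

# 3. Functional levels: raising them is what finally locks the 2003 DCs out
"Domain functional level: $($domain.DomainMode)"
"Forest functional level: $($forest.ForestMode)"

# 4. Replication must be clean before any DC is demoted
repadmin /replsummary

# 5. Stale objects to weed out during the cleanup (what AD Tidy reports, via cmdlets)
$cutoff = New-TimeSpan -Days 90
$staleUsers     = @(Search-ADAccount -AccountInactive -TimeSpan $cutoff -UsersOnly)
$staleComputers = @(Search-ADAccount -AccountInactive -TimeSpan $cutoff -ComputersOnly)
"Users inactive > 90 days: $($staleUsers.Count); computers: $($staleComputers.Count)"
```

Keep the output of each run; the diff between "before" and "after" a role move or a demotion is the evidence that the step did what you expected and nothing else.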
