
I didn't create this environment/mess - just trying to "fix" it.

Currently the only DC in the network is a 2000 server. I just purchased two 2016 servers and am getting ready to install/config them. I know I can't join the 2016 servers to the domain at this time, as they won't join to 2000. So, what are my best options to upgrade/replace the DC? This is a 20-office environment with about 175 users total. The DC is just a DC, AD, and DNS; no DHCP, no file server, no other apps.

  • Do I really want to go through the hassle of installing a 2003 or 2008 server to transition the 2000 up to something the 2016 will talk with? If so, what are the best steps for this?
  • Do I just build the 2016 servers from scratch outside the network, like it's a new network, manually entering in the User and DNS information (not worried about time if this is the easier option) and then unplug the 2000 server and plug in the 2016 servers?
  • If I do the latter, would I then need to have each PC join the domain again? Or will they just authenticate if I have manually keyed that device/user information into the new servers?
  • Is there anything I can export from the 2000 server that I can restore/import to the 2016 server?

I've searched around the web and can't find this scenario specifically. Any ideas are greatly appreciated. Trying to make the easiest transition for the user base, especially since they are spread around in many remote offices.

Additional DC's in other locations is an issue for the future.

SnarfBlat
  • For the user base the easiest migration is going to be to move to an intermediate domain controller, then upgrading to 2016. – Drifter104 Nov 15 '16 at 23:51
  • I cannot think of any situation where a new install+migration would be less work or in any way better than setting up a temporary DC in a VM or something. Particularly if your DC is as clean and as minimal as you say. – Zoredache Nov 16 '16 at 00:16
  • Anyway, the migration steps are well covered in [other questions](http://serverfault.com/questions/339534/moving-primary-domain-controller-to-new-server) here. It is all pretty straightforward. – Zoredache Nov 16 '16 at 00:18
  • If I were you, I would build something new and then include all features which might be useful for you and your company (DHCP, WSUS, ...) and then start to move PC by PC or team by team. If this is a 2000 DC which you didn't set up, there might be a lot of shit in the system which you might not see or which might need to be cleaned up. There might also be a totally outdated certification authority which you then need to migrate as well. – BastianW Nov 16 '16 at 12:41
  • @SnarfBlat: What version(s) of Windows are the member workstations and servers? – Greg Askew Nov 16 '16 at 16:05
  • Windows 7 is prevalent for PCs; no 10 yet, but that's inevitable in the near term. – SnarfBlat Nov 16 '16 at 16:20
  • Thanks for all the quick feedback. I'm glad it's just a potential two-step process; I was thinking it might be more. – SnarfBlat Nov 16 '16 at 16:21
  • To clarify: I have purchased two new servers licensed for 2016. Should I build one as 2008 temporarily for the transition then, or use a different piece of HW for the interim? – SnarfBlat Nov 16 '16 at 16:24

2 Answers


If the goal is to make it easiest for your users, then the rough steps are:

  • Install a 2008 DC and replicate with the existing 2000 DC
  • Move FSMO to the new 2008 DC
  • Decommission the old 2000 DC
  • Raise the functional level of AD to 2008

At this point, you're ready to bring in your 2016 DCs.

The big problem with your second bullet point is that making a new domain forces all new AD accounts for your users and computers. Note that creating an account with the exact same name doesn't give the same permissions, because it's all based around SIDs.

So in that scenario, you will need to rejoin all the PCs, all of your users will need to reset their passwords, and it sounds like a big bag of hurt for anything more than a trivial (<5) number of users and computers. If one of your users happened to encrypt a file client-side, that's also reliant on AD SIDs, and wiping out your AD will wipe out access to the files.

As a bonus, the 2008 DC can be your secondary DC (always have 2 DCs), so you'll only need to install 1 new 2016 DC for now. That would be stable enough to let you go on to the next fire until 2008 support ends in 2020. If 2000 was good enough for the network thus far, it doesn't seem that moving to 2016 for AD is going to have huge benefits.

CC.
  • "So in that scenario..." That's what I was afraid of, but I'm happy that it's just a two-step process we're talking about then. And I'm not concerned so much with 2016 offering more than the environment will take advantage of; it's more about getting them as current as possible so that it's stable for a good while. – SnarfBlat Nov 16 '16 at 16:19

I would consider a staged upgrade approach: introduce a Server 2008 DC to the existing domain, then migrate all FSMO roles. The article below is a guide to upgrading the domain to 2008 or 2008 R2:

https://technet.microsoft.com/en-us/library/cc731188(v=ws.10).aspx

Once there, you can add a 2016 DC and repeat the process. This way all users, groups and, crucially, computers will follow your upgrade.

If you create a brand new forest then you could use the AD Migration tool to migrate objects from the old forest to the new:

https://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx

You don't need to manually re-add all user accounts etc. if you use this tool.

Michael Brown
  • I have looked at some of the articles discussing 2008, etc. I just wasn't sure if I could jump from 2008 to 2016 then and make it a two-step instead of more. I'll look more at this option. So I'd just load 2008 on one of the two new servers, or use a temporary server for that step? – SnarfBlat Nov 16 '16 at 16:16
  • Install Server 2008 as a VM on an existing host server if you have one, or install it on one of your new servers if you don't. Good luck. – Michael Brown Nov 16 '16 at 16:37
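Both answers describe the same second leg of the staged upgrade (replicate, move the FSMO roles, demote the old DC, raise the functional level). The PowerShell below is an added example, not from either answer or from Microsoft's articles; it runs on the new 2016 DC once it has been promoted into the 2008-level domain, and assumes placeholder DC names `DC2008` (the interim DC) and `DC2016` (the new one).

```powershell
# Added example: verify replication, transfer the five operations master roles
# to the 2016 DC, and only raise functional levels after no older DC remains.
# DC names are placeholders; run on DC2016 as a Domain Admin / Enterprise Admin.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Replication must be clean before any role moves. A non-zero FailureCount
#    here means stop and fix replication first; moving roles over a broken
#    replication link is how lingering objects and split roles happen.
Get-ADReplicationFailure -Scope Domain -Target $domain.DNSRoot |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# 2. Record who holds each role now (useful evidence if a rollback is needed).
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 3. Transfer (not seize) all five roles to DC2016. A transfer is the graceful
#    path and only succeeds while the current holder is online, which is exactly
#    the situation here; seizing (-Force) is reserved for a holder that is gone
#    for good, and that old server must then never be brought back online.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2016' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 4. Demote DC2008 (dcpromo on 2008 itself), then confirm no DC below 2016 is
#    left before raising the levels. Raising a functional level is one-way.
$remaining = Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
$remaining
if ($remaining.OperatingSystem -match '2008') {
    Write-Warning 'A 2008 DC is still present; do not raise the functional level yet.'
} else {
    Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2016Domain
    Set-ADForestMode -Identity $forest.Name   -ForestMode Windows2016Forest
}
```

The 2000 leg uses the same sequence but with ntdsutil and dcpromo, since the ActiveDirectory module only exists from 2008 R2 onward.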