My talk about upgrading Active Directory to Windows Server 2012, given at the Windows Professional Conference 2012 in Milan (Italy).
The topics were: new features of Windows Server 2012 Directory Services (AD DS), virtualization-safe technologies (DC cloning and snapshot compatibility), upgrade paths (in-place, or adding a new Windows Server 2012 DC) and migration to a parallel environment with ADMT.
IT3004 - Windows Server 2012: Upgrading Active Directory
1. IT3004 - Windows Server 2012: Upgrading Active Directory
Fabrizio Volpe (Italy) - MVP Directory Services 2011 & 2012, MCITP
2. Agenda
• New Features and Improvements
• Cloud and Federation Scenarios for Directory Services
• Upgrading Domain Controllers to Windows Server 2012
• Next Steps
3. New Features and Improvements
• Recycle Bin User Interface
• Dynamic Access Control
• Simplified Deployment
• Virtualization Safe Technology
• Active Directory Based Activation
• PowerShell History Viewer
• Fine-Grained Password Policy User Interface
• Rapid Deployment
• Kerberos Enhancements
• Active Directory Replication & Topology Cmdlets
• Group Managed Service Accounts
• Active Directory Platform Changes
4. Simplified Deployment
• Solution
– integrate preparation steps into the promotion process
• automate the pre-requisites between each of them
– validate environment-wide pre-requisites before beginning deployment
– integrated with Server Manager and remotable
– built on Windows PowerShell for command-line and UI consistency
– configuration wizard aligns to the most common deployment scenarios
6. Simplified Deployment: What Changes?
• Streamline the deployment process
• Minimize odds of deployment failures
• Optimize for common deployment paths
• Minimize number of touch-points
• Bring consistency with other Windows Server roles deployment experiences
• Gain UI-consistency by leveraging an enhanced command-line experience
7. Install From Media
Windows Server 2012 adds two additional options to the Ntdsutil.exe command-line tool for the IFM (IFM Media Creation) menu:
• Create Full NoDefrag %s
– Create IFM media without defragmenting for a full AD DC or an AD/LDS instance into folder %s
• Create Sysvol Full NoDefrag %s
– Create IFM media with SYSVOL and without defragmenting for a full AD DC into folder %s
8. Simplified Deployment
• Requirements
– Windows Server 2012
– target forest must be Windows Server 2003 functional level or greater
– introducing the first Windows Server 2012 DC requires Enterprise Admin and Schema Admin privileges
– subsequent DCs require only Domain Admin privileges within the target domain
• Other features used
– DC Promotion Retry Logic
– Enhanced Install-from-media (IFM) options
– AD FS V2.1 in-the-box
9. Virtualization-Safe Technology
• Background
– common virtualization operations such as creating snapshots or copying VMs/VHDs can roll back the state of a virtual DC
– this introduces USN bubbles leading to permanently divergent state, causing:
• lingering objects
• inconsistent passwords
• inconsistent attribute values
• schema mismatches if the Schema FSMO is rolled back
– the potential also exists for security principals to be created with duplicate SIDs
11. What happens if the VM-Generation ID has changed
Before any changes are made to the local Active Directory database, the server checks what its 'VM-Generation ID' is; if it is not the value it expects, it does several things.
First, the local RID pool is invalidated and a new RID pool is requested from the RID master, so that no SIDs are issued twice.
Next, the invocation ID is changed so that, when replication happens, even though the USNs would be the same, the domain controller's invocation ID is different: the other domain controllers therefore treat the updates as new and replicate them.
12. Rapid Deployment – DC Cloning
• Promote and configure ONLY once
• Easier and faster to deploy replica DCs
• Minimizes dependencies/interactions between hypervisor administrators and Active Directory administrators when deploying DCs
13. Prepare the environment
Step 1: Validate that the hypervisor supports VM-Generation ID and therefore, cloning
Step 2: Verify the PDC emulator role is hosted by a domain controller that runs Windows Server 2012 and that it is online and reachable by the cloned domain controller during cloning.
14. Prepare the source domain controller
Step 3: Authorize the source domain controller for cloning
Step 4: Remove incompatible services or programs or add them to the CustomDCCloneAllowList.xml file.
Step 5: Create DCCloneConfig.xml
Step 6: Take the source domain controller offline
15. Create the cloned domain controller
Step 7: Copy or export the source VM and add the XML if not already copied
Step 8: Create a new virtual machine from the copy
Step 9: Start the new virtual machine to commence cloning
16. Steps for deploying a clone virtualized domain controller
• Prerequisites
• Step 1: Grant the source virtualized domain controller the permission to be cloned
• Step 2: Run Get-ADDCCloningExcludedApplicationList cmdlet
• Step 3: Run New-ADDCCloneConfigFile
• Step 4: Export and then import the virtual machine of the source domain controller
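The preparation steps of slides 13 to 16 as one script, run on the source DC; this is an added example, not part of the deck. The DC name DC01, clone name DC02, the site name and the 10.0.0.0/24 addresses are constructed values.

```powershell
# Added example (not from the deck): prepare a source virtualized DC for cloning.
# Run on the source DC. DC01, DC02, the site name and the addresses are constructed.
Import-Module ActiveDirectory

$sourceDc  = 'DC01'
$cloneName = 'DC02'

# Step 2 (slide 13): the PDC emulator must run Windows Server 2012 and be reachable,
# otherwise the clone cannot complete its initial handshake.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notlike '*2012*') {
    throw "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; cloning needs Windows Server 2012."
}
if (-not (Test-Connection -ComputerName $pdc.HostName -Count 1 -Quiet)) {
    throw "PDC emulator $($pdc.HostName) is not reachable."
}

# Step 3 (slide 14) / step 1 (slide 16): authorize the source DC by adding its computer
# account to the well-known 'Cloneable Domain Controllers' group.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $sourceDc)

# Step 4 / step 2 (slide 16): list installed programs and services that are not on the
# default allow list. Each one must be removed or, once reviewed, explicitly allowed.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    # Only when every entry is known to be clone-safe, generate CustomDCCloneAllowList.xml:
    # Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    throw 'Review the excluded applications before continuing.'
}

# Step 5 / step 3 (slide 16): write DCCloneConfig.xml with the clone's name, site and
# static IPv4 configuration (the cmdlet also validates the two checks above).
New-ADDCCloneConfigFile -CloneComputerName $cloneName `
    -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.10'

# Step 6: take the source DC offline before its VM is exported or copied (slides 14-15).
Stop-Computer -Force
```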
18. Active Directory Platform Change
• Improved allocation and scale of RIDs (relative identifiers), deferred index creation
• Kerberos enhancements and support for Kerberos claims in AD FS
20. Active Directory forest in Windows Azure
You can install Windows Server 2012, but be aware that the virtualized domain controller safeguards that are built into Windows Server 2012 are not available on Windows Azure Virtual Networks. The virtualized domain controller safeguards require support for VM-GenerationID, which Windows Azure Virtual Networks do not provide at the present time.
http://www.windowsazure.com/en-us/manage/services/networking/active-directory-forest/
21. Active Directory Federation
Role description
• Simplified, secured identity federation and Web single sign-on (SSO) capabilities.
– Federation Service role service
– Federation Service Proxy role
– Web Agent role services
22. Active Directory Federation in Windows 2012
Integration with Dynamic Access Control scenarios
Improved installation experience using Server
Additional Windows PowerShell cmdlet
23. Active Directory cloud deployments
• Remote PowerShell
• Cloud-based servers can be promoted to domain controllers
• Active Directory Deployment with Cloning
24. Upgrading Domain Controllers to Windows Server 2012
System requirements for installing AD DS on Windows Server 2012
• On domain controllers that you plan to upgrade to Windows Server 2012, make sure that the drive that hosts the Active Directory database (NTDS.DIT) has at least 20% free disk space before you begin the operating system upgrade
Installation Types
• Server Core
• Full
• Minimal Server Interface
25. Upgrading Domain Controllers to Windows Server 2012
Supported in-place upgrade paths
• Domain controllers that run Windows Server 2008 or Windows Server 2008 R2 can be upgraded to Windows Server 2012
• You cannot upgrade domain controllers that run Windows Server 2003.
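The two pre-upgrade checks of slides 24 and 25 (20% free space on the NTDS.DIT volume, no Windows Server 2003 DCs left in the in-place upgrade plan) as a script to run on an existing DC; an added example, not from the deck. The 20% threshold comes from the slide; the location of NTDS.DIT is read from the NTDS service registry parameters rather than assumed.

```powershell
# Added example (not from the deck): checks to run on a DC before an in-place upgrade.
Import-Module ActiveDirectory

function Test-NtdsFreeSpace {
    param([int]$MinimumPercent = 20)   # threshold stated on slide 24
    # Locate NTDS.DIT from the NTDS service parameters, then measure its volume.
    # Get-WmiObject is used so the check also runs on Windows Server 2008 (PowerShell 2.0).
    $ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbPath = $ntds.'DSA Database file'
    $drive  = [System.IO.Path]::GetPathRoot($dbPath).TrimEnd('\')
    $vol    = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freePct = [math]::Round(100 * $vol.FreeSpace / $vol.Size, 1)
    New-Object PSObject -Property @{
        DatabasePath = $dbPath
        FreePercent  = $freePct
        Ok           = ($freePct -ge $MinimumPercent)
    }
}

function Get-UnsupportedUpgradeDCs {
    # In-place upgrade is supported only from Windows Server 2008 / 2008 R2 (slide 25);
    # anything older (e.g. Windows Server 2003) must be replaced instead.
    Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -notmatch '2008|2012' } |
        Select-Object HostName, OperatingSystem, Site
}

$space = Test-NtdsFreeSpace
if (-not $space.Ok) {
    Write-Warning ("Only {0}% free on the volume hosting {1}; at least 20% is needed before upgrading." -f $space.FreePercent, $space.DatabasePath)
}

$old = Get-UnsupportedUpgradeDCs
if ($old) {
    Write-Warning 'These DCs cannot be upgraded in place and need a replacement DC:'
    $old | Format-Table -AutoSize
}
```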
28. Migrating AD to Windows Server 2012
• Upgrading forests and domains: using the new Server Manager
• Deploying new replica DCs: using the new Server Manager
• Managing AD DS using the AD Administrative Center:
– PowerShell History Viewer
– AD Recycle Bin GUI
– Fine Grained Password Policy GUI
32. Promoting a Domain Controller with PowerShell
• Install the Active Directory Domain Services
role
• Prerequisite Checks
• Promoting the DC
• Best Practices Analyzer
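The four bullets above as one PowerShell session on a Windows Server 2012 member server; an added example, not from the deck. The domain name corp.example.com and the site name are constructed values; the cmdlets come from the ServerManager, ADDSDeployment and BestPractices modules that ship with Windows Server 2012.

```powershell
# Added example (not from the deck): promote a member server to a replica DC.
# 'corp.example.com' and the site name are constructed values.
$domain = 'corp.example.com'
$site   = 'Default-First-Site-Name'
$cred   = Get-Credential -Message "Domain Admin account in $domain"
$dsrm   = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) administrator password'

# 1. Install the AD DS role binaries and the management tools; nothing is promoted yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Run the prerequisite checks on their own, with the same parameters the promotion
#    will use, and stop if they report anything other than Success.
$pre = Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $cred `
    -SiteName $site -InstallDns -SafeModeAdministratorPassword $dsrm
if ($pre.Status -ne 'Success') {
    $pre.Message
    throw 'Prerequisite checks failed; fix the reported issues before promoting.'
}

# 3. Promote as an additional (replica) DC with DNS; -Force suppresses the confirmation
#    prompts and the server reboots when promotion completes.
Install-ADDSDomainController -DomainName $domain -Credential $cred `
    -SiteName $site -InstallDns -SafeModeAdministratorPassword $dsrm -Force

# 4. After the reboot: run the Directory Services Best Practices Analyzer and list
#    every result that is not merely informational.
Invoke-BpaModel -ModelId Microsoft/Windows/DirectoryServices
Get-BpaResult -ModelId Microsoft/Windows/DirectoryServices |
    Where-Object { $_.Severity -ne 'Information' } |
    Select-Object Severity, Title, Problem, Resolution |
    Format-List
```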
34. Limitations of the BPA and Prerequisites Checker
• No check on other Microsoft applications or 3rd party applications
• No inventory of existing applications or services on the DC
35. Best Practices for Implementing Schema Updates
• Test your forest recovery plans.
• Test your schema extensions in your recovery
environment and in any other test/non-production
environments
36. Planning
• Infrastructure Planning and Design documents
– http://www.microsoft.com/en-us/download/details.aspx?id=732
• Impact of the new features
– Active Directory Web Services (ADWS)
– Virtualized Domain Controller Cloning
– Dynamic Access Control (DAC) & Kerberos Flexible Authentication Secure Tunneling (FAST, AKA Kerberos armoring)
37. Summary of Minimum Requirements
With this deployed… ... these features become available
+ First Windows Server 2012 domain member (or Windows 8 with RSAT installed)
• New Active Directory Administrative Center
• Windows PowerShell History Viewer
• Graphical Recycle Bin and FGPP management
• Richer authorization through DAC & FCI
• Active Directory-based Activation
– requires Windows Server 2012 schema extensions
• Active Directory Replication & Topology Cmdlets
• AD FS (v2.1)
+ First Windows Server 2012 DC
• Simplified Deployment and Preparation
• Dynamic Access Control policies and claims
• Kerberos Claims in AD FS (v2.1)
• Cross-domain Kerberos Constrained Delegation
• Group Managed Service Accounts
• Virtualization-Safe for the Windows Server 2012 DC
– requires Hypervisor support for VM-Gen-ID
+ Windows Server 2012 DC holds PDC FSMO role
• Rapid virtual DC deployment through DC cloning
– requires Hypervisor support for VM-Gen-ID
38. Migration and Restructuring
• Active Directory Migration Tool version 3.2
• Source domain: the source domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2
• Target domain: the target domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2
• ADMT 3.2 and PES 3.1 installation errors on Windows Server 2012: http://support.microsoft.com/kb/2753560/en-us
39. Troubleshooting Domain Controller Deployment
General Methodology for Troubleshooting Domain Controller Configuration
• Tools and Commands
• Logging Options
http://technet.microsoft.com/en-us/library/jj592690.aspx