Domain Controller Cross Forest migration Part 1

In this series of articles I will demonstrate a cross-forest migration for Microsoft Windows Active Directory 2012 R2.

Before starting any step, I will have to review the current environment and check what is there, what can be migrated and what cannot.

Revisions:

  1. Check whether the environment is using old cryptographic algorithms that are not supported during the migration, e.g. certification authorities with SHA-1 signatures or 1024-bit keys.
  2. Note that Group Policy user profile folder redirection might be broken by an SCCM client setting. To fix this, one option in SCCM needs to be disabled.
  3. In the SCCM Configuration Manager console,

– Select Administration

– Select Client Settings

– Pull up PROPERTIES of Default Client Settings configuration and click on Compliance Settings

From <http://blogs.technet.com/b/askds/archive/2013/12/13/an-update-for-admt-and-a-few-other-things-too.aspx>

– Enable User Data and Profiles: this is the setting which drives the control of Folder Redirection and Remote User Profiles.

By default this setting is NO. Once enabled (set to YES), it passes control of Folder Redirection, Offline Files, and Remote User Profiles to WMI and records this configuration under the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UserState\UserStateTechnologies\ConfigurationControls
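As an added pre-migration check (my own example, not code from the post or its references), the following PowerShell covers review items 1 and 2 in one pass: it lists CA certificates in the local machine Root and CA stores that still use SHA-1 or keys of 1024 bits or less, and it reads the ConfigurationControls key above. It assumes it runs elevated on a domain member and that a non-zero value under that key means the item is controlled by WMI (the SCCM client setting) rather than Group Policy.

```powershell
# Added pre-migration check (not from the original post). Assumptions: CA
# certificates are taken from the local machine Root and CA stores, and a
# non-zero value under ConfigurationControls means WMI/SCCM control.

# Review item 1: CA certificates using SHA-1 signatures or <= 1024-bit keys
$weakCas = foreach ($store in 'Root', 'CA') {
    foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$store") {
        $keySize = $null
        try { $keySize = $cert.PublicKey.Key.KeySize } catch { }   # non-RSA keys can throw here
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName           # e.g. sha1RSA, sha256RSA
        if (($keySize -and $keySize -le 1024) -or $sigAlg -match 'sha1') {
            [pscustomobject]@{
                Store     = $store
                Subject   = $cert.Subject
                KeySize   = $keySize
                Signature = $sigAlg
                NotAfter  = $cert.NotAfter
            }
        }
    }
}
if ($weakCas) {
    Write-Warning 'CA certificates to replace before the migration:'
    $weakCas | Format-Table -AutoSize
} else {
    Write-Host 'No SHA-1 or 1024-bit CA certificates found'
}

# Review item 2: has the SCCM "Enable User Data and Profiles" setting handed
# Folder Redirection, Offline Files and Remote User Profiles over to WMI?
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\UserState\UserStateTechnologies\ConfigurationControls'
if (Test-Path -Path $key) {
    $values = Get-ItemProperty -Path $key
    $values.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |    # drop PSPath/PSParentPath metadata
        ForEach-Object {
            # Assumption: 0 = Group Policy controls the item, anything else = WMI
            $owner = if ($_.Value -ne 0) { 'WMI (SCCM client setting enabled)' } else { 'Group Policy' }
            Write-Host ('{0,-25} = {1}  -> controlled by {2}' -f $_.Name, $_.Value, $owner)
        }
} else {
    Write-Host 'ConfigurationControls key absent: user state remains under Group Policy control'
}
```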

TCP/IP crashes and errors: a hotfix was released to correct a crash in TCP/IP.

Ref:

http://blogs.technet.com/b/askds/archive/2013/12/13/an-update-for-admt-and-a-few-other-things-too.aspx

Hardware Requirements

  1. A Windows Server 2008 R2 DC in the destination forest.
  2. A Windows Server 2012 R2 server for ADMT, with SQL Server 2008 R2 Express, or 2012 R2 Express or full edition.

Reference:

https://support.microsoft.com/en-us/kb/2753560

Software Requirements

1- Rights Management Services Analyzer Tool

From <http://www.microsoft.com/en-us/download/details.aspx?id=46437>

RMS Analyzer provides the following features:

• Support for Azure RMS and AD RMS diagnostics

• Prerequisite checks for Azure RMS integration (such as any required hotfixes, registry key settings, Microsoft Online Sign-In Assistant)

• Ability to collect trace logs to capture real-time problems

• Diagnostics and remediation for Office 2013 and Office 2010

• Basic diagnostics for federation services

• Group membership check, based on groups and policy templates

• Display of your RMS configuration settings and verification tests to validate service health for RMS

• Ability to monitor multiple servers and find all RMS servers in trusted forests

By installing and using the software you accept the License terms which are located in the zip folder download. If you do not accept the terms, do not install or use the software.

2- Password Export Server (PES) – x64

http://www.microsoft.com/en-us/download/details.aspx?id=46437

3- Active Directory Migration Tool (ADMT) QFE – x86

Active Directory Migration 2008R2 to 2012 R2

Current Environment

Microsoft Active Directory 2008R2 with Exchange 2010

Requirements for migration

1- A new Windows Server 2012 R2 server to be prepared.

2- Join the new server to the domain of the old DC.

First I will install the new Windows Server 2012 R2 server, prepare it and join it to the domain, and then migrate all the roles to it, as shown in the following screenshots.

Below I add the server as an additional domain controller to the existing domain.

Here I leave the default settings, but I have to enter the DSRM password, as it is mandatory.

The next step is to migrate the AD Operations Master (FSMO) roles. The simplest way to move these roles is via PowerShell; with the Server 2012 AD PowerShell module this can be done from any machine that has the module. First run the following command to view the current role holders, then change them:

PS C:\> netdom query FSMO

In order to migrate all the roles from the current DC (Kibtek.local) to the new server I will use the following PowerShell cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity "Destination DC's Hostname" -OperationMasterRole 0,1,2,3,4

After you replace the destination DC hostname and run the command, it takes a couple of minutes to migrate all the FSMO roles to the new server.

Make sure that all the roles have been migrated:

netdom query FSMO
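As an added example (not the post's own code), the same FSMO move written with the named roles instead of the numbers 0 to 4, with a before/after check of the role holders so nothing is left behind on the old DC. The target name DC2012 is a placeholder; replace it with the new DC's hostname.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and that the new DC is named 'DC2012' (placeholder).
Import-Module ActiveDirectory

$TargetDc = 'DC2012'   # placeholder: hostname of the new Windows Server 2012 R2 DC

function Get-FsmoHolders {
    # Returns an ordered map of role name -> FQDN of the DC currently holding it
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

Write-Host 'FSMO holders before the move:'
(Get-FsmoHolders).GetEnumerator() | Format-Table -AutoSize

# Transfer all five roles. The names correspond to the numbers in the post:
# PDCEmulator=0, RIDMaster=1, InfrastructureMaster=2, SchemaMaster=3, DomainNamingMaster=4.
# -Force (seize) is deliberately not used; seizing is only for a source DC that is gone.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster `
    -Confirm:$false

# Verify: every role should now report the new DC's FQDN (string compare is case-insensitive)
$after      = Get-FsmoHolders
$targetFqdn = (Get-ADDomainController -Identity $TargetDc).HostName
$notMoved   = $after.GetEnumerator() | Where-Object { $_.Value -ne $targetFqdn }
if ($notMoved) {
    Write-Warning "Roles still not on ${targetFqdn}: $($notMoved.Key -join ', ')"
} else {
    Write-Host "All FSMO roles are now held by $targetFqdn"
}
```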

Adding a second DC

Reference:

https://technet.microsoft.com/en-us/library/ee617229.aspx?f=255&MSPPError=-2147217396

Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2015-03-23 19:37:45
Last error: 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.

Naming Context: CN=Configuration,DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Resolution:

After joining the new DC you will see this error until replication with the PDC emulator and the schema master has finished.

Use repadmin /syncall to speed up the synchronisation.
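Error 8524 is a DNS lookup failure, so before forcing a sync it is worth confirming that the new DC's replication CNAME actually resolves. The following PowerShell is an added diagnostic (not from the post): it uses the DC name DC2 and forest kibtek.local from the output above, and assumes it runs on a DC with the ActiveDirectory and DnsClient modules available.

```powershell
# Added diagnostic example (not from the original post). Assumes the new DC is
# 'DC2' in the kibtek.local forest, as in the replication output above.
Import-Module ActiveDirectory

$NewDc  = 'DC2'
$Forest = (Get-ADForest).RootDomain    # kibtek.local in the post

# Replication partners are located through the CNAME
# <NTDS Settings objectGUID>._msdcs.<forest root>, which points at the DC's A record.
# Error 8524 means exactly this lookup failed, so check it first.
$dc    = Get-ADDomainController -Identity $NewDc
$guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
$cname = "$guid._msdcs.$Forest"

try {
    $answer = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop
    Write-Host "$cname -> $($answer.NameHost)"
} catch {
    Write-Warning "Cannot resolve $cname. Check the DNS client settings on $NewDc"
    Write-Warning "(it should point at an existing DC), then run: ipconfig /registerdns"
    Write-Warning "and Restart-Service NetLogon on $NewDc to re-register its records."
    return   # forcing a sync is pointless until DNS works
}

# DNS is fine: force replication of all partitions with every DC.
# /A = all naming contexts, /d = show DNs instead of GUIDs, /e = include other sites, /P = push
repadmin /syncall $NewDc /AdeP

# Summarise remaining failures; a clean run shows 0 fails for every DC
repadmin /replsummary
```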

Hope this was useful

Installing child domain in Windows 2012 R2 RTM causes replication failure

After installing a child domain on Windows Server 2012 R2 RTM, replication fails.

Symptoms: Event IDs 1202, 1126 and 1645 are logged.

After installing the new child domain and joining it to the root domain, list the DNS application directory partitions to check whether the child domain's DNS partition is enlisted:

dnscmd /enumdirectorypartitions

To enlist the child domain's DNS partition on this DC:

dnscmd /enlistdirectorypartition <partition FQDN>

(The partition FQDN is the DomainDnsZones partition of the child domain as shown by the previous command.)
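As an added example (not from the post), the two dnscmd steps wrapped in PowerShell so the enlist only runs when the child partition is actually listed as Not-Enlisted. The child domain name is a placeholder, and the parsing assumes the usual "<partition>   Enlisted|Not-Enlisted ..." line layout of dnscmd output.

```powershell
# Added example (not from the original post). Wraps the two dnscmd commands
# the post uses; child domain name is a placeholder and the regex assumes
# dnscmd prints one "<partition>  Enlisted|Not-Enlisted <flags>" line each.
$ChildDomain = 'child.kibtek.local'            # placeholder, replace
$Partition   = "DomainDnsZones.$ChildDomain"   # the child domain's DNS application partition

function Get-DnsPartitionState {
    # Parses "dnscmd /enumdirectorypartitions" into partition -> enlisted objects
    dnscmd /enumdirectorypartitions | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(Enlisted|Not-Enlisted)(.*)$') {
            [pscustomobject]@{
                Partition = $matches[1]
                Enlisted  = ($matches[2] -eq 'Enlisted')
                Flags     = $matches[3].Trim()
            }
        }
    }
}

$states = Get-DnsPartitionState
$states | Format-Table -AutoSize

$child = $states | Where-Object { $_.Partition -eq $Partition }
if (-not $child) {
    Write-Warning "$Partition was not listed; check that the child domain's DNS zone is AD-integrated"
} elseif (-not $child.Enlisted) {
    Write-Host "Enlisting $Partition on this DC"
    dnscmd /enlistdirectorypartition $Partition
    if ($LASTEXITCODE -ne 0) { Write-Warning "dnscmd failed with exit code $LASTEXITCODE" }
} else {
    Write-Host "$Partition is already enlisted on this DC"
}
```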

First solution

Make sure Windows is fully updated. After you apply Windows Update the problem should be gone.

If not, check the second solution:

Second: Make sure that the child domain administrator's and the root domain administrator's passwords are not identical.

Third: Make sure the trust is set up properly, using the following command


The Troubleshooting Guy