Active Directory migration from Windows 2003 to Windows 2016

I've inherited an old Windows 2003 based Active Directory installation and I'm tasked to upgrade it to modern standards. I've done various (successful) test in my lab using the plan below, but I really want a reality-check / best practices suggestions from other experts in the field.

Current status: a single-label, Windows-2000 mixed mode Active Directory Domain running on a Windows 2003 installation. The DNS component is running with unsecure dynamic updates.

Target status: migrate to a Windows 2012R2 level domain on a Windows 2016 installation (note: the target level of Windows 2012R2, rather than 2016, is due to my customer having other Windows 2012R2 servers). The migration should be done in the least disruptive manner; anyway, as I am going to work on it during a weekend, short service disruptions are accepted.

Caveats: while single-label domain are deprecated, I really need to keep it running as-is. I evaluated both a domain rename and/or a domain migration to a new name, but they simply seem too much to ask for my customer.

My plan:

  • install a new Windows 2016 server and add it, as a simple member, to the current domain
  • raise the current forest/domain functional level to Windows 2003
  • promote the new Windows 2016 server to the Domain Controller (with Global Catalog) role
  • demote the old server (via dcpromo)
  • on the new Windows 2016 server, use "Active Directory Sites and Services" to remove any eventual leftover from the demote operation
  • on the new Windows 2016, use "DNS Manager" to change the DNS dynamic update type to "Secure only"
  • raise the forest/domain functional level to Windows 2012R2
  • change the old server's original IP address (eg: from 192.168.1.1 to 192.168.1.2)
  • change the new server's IP address to match the old domain controller (eg: from 192.168.1.10 to 192.168.1.1). Note: I'm planning to do that due to current DHCP settings and gateway firewall/VPN rules
  • migrate from FSR to DFSR (see here and here)
  • install another Windows 2016 server on a branch office, adding it as a new Domain Controller (with Global Catalog).

Questions:

  • I am missing something important?
  • Is my idea of swapping the IP address of the old/new server to minimize firewall/VPN/DHCP changes a good one, or should I avoid that?
  • Anything should I be aware of?

UPDATE: after much discussion and testing, I convinced my customer to go for a domain rename. I've done it via the rendom utility, as per Microsoft recommendations, and all went smooth (it did not have any on-premise Exchange server, fortunately).


while single-label domain are deprecated, I really need to keep it running as-is. I evaluated both a domain rename and/or a domain migration to a new name, but they simply seem too much to ask for my customer.

The right thing is sometimes the hardest. IMO, you're doing your customer a disservice by continuing to use and support the SLD. Do the "right" thing and perform a domain rename or migrate to a new domain.


on the new Windows 2016 server, use "Active Directory Sites and Services" to remove any eventual leftover from the demote operation

A side note, a left over I always have to clean when I migrate a 2003/2008 is within the DNS's console, the old DC is always still listed in the NS's field.

As there to be exact;

enter image description here

A second note I would make sure they don't use WINS too. Please double check there to be sure if you need to activate that or not, it was popular in those years.

For the domain rename I dont recommand it, it's a big task to do that can leave many error behind if a bad step is done.


Do not go through Sites and Services manually trying to cleanup domain controller metadata. You can make mistakes, and that is not the only place such data exists. Use the native NTDSUTIL command; it has a reliable metadata cleanup operation.

Transfer the FSMO roles to the new DC before demoting the old DC. I think you'll get a warning if you haven't, but I've never been tempted to try it.

Secure DNS updates require some additional configuration if you have non-Windows clients. This includes miscellaneous devices like printers that support DHCP. There are options depending on your needs:

  • You can configure the DHCP server to register DNS records on behalf of such clients (and populate the DnsUpdateProxy group if you have multiple DHCP servers), or
  • You can configure the systems to perform secure updates themselves (e.g., Linux will need a keytab file since secure updates require Kerberos authentication), or
  • You can create static DNS records and setup DHCP reservations for those devices

I would stop the NETLOGON service before changing the IP of the new DC and restart it immediately after. This should guarantee an immediate update of the relevant DNS records.

I agree with the previous poster about getting away from a single-label domain, but I understand that best practices are not always within reach. There can be considerable work associated with such a change in some environments.