AD Install, upgrade and migration technologies - protege987/Active-Directory-Domain-Services GitHub Wiki
Overview
AD DS is installed through the Active Directory Domain Services Installation Wizard. Before it makes any change, the wizard checks that the server meets the prerequisites for the role; once those checks pass, completing the wizard performs the installation.
Process breakdown
ADPrep
Part of the process is configuring the AD DS schema. The schema holds the master list of all classes (object types) and attributes that can be used in the directory. The Active Directory Preparation Tool (ADPrep) prepares an AD DS forest and domain for a newer version of the directory service: ADPrep updates the schema (/forestprep, run once per forest against the schema master) and the domain (/domainprep, run once per domain). If you do not prepare your AD DS infrastructure, the upgrade will fail. Forest preparation needs Schema Admins and Enterprise Admins rights, so run it from an account you control and review the result before promoting any new domain controller.
Forest level
Next, decide on the forest and domain functional level of the environment. The functional level defines the set of advanced AD DS features that are available, and it also defines which operating systems the domain controllers in the domain or forest may run. This lets you enable features as the environment moves forward while staying compatible with domain controllers running earlier operating systems. Raise it deliberately: a level is refused while any domain controller runs an older OS, and a level can only be lowered again in limited cases.
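The three steps above (prerequisite check and install, ADPrep, functional level) as one scripted walkthrough. This is an added example, not code from the wiki page; the domain name, the install-media path and the target functional levels are placeholders, and it assumes the server is already joined to that domain so the ActiveDirectory module can reach an existing DC.

```powershell
# Added example (not from the wiki page). Placeholders: $DomainName, $AdPrepExe,
# $TargetForest, $TargetDomain. Run in an elevated PowerShell on the future DC.
#Requires -RunAsAdministrator
$DomainName   = 'corp.example.com'              # assumed: existing domain to join as a DC
$AdPrepExe    = 'D:\support\adprep\adprep.exe'  # assumed: path on the mounted install media
$TargetForest = 'Windows2016Forest'             # assumed: target functional levels
$TargetDomain = 'Windows2016Domain'

# 1. Install the AD DS binaries and management tools. This does not promote the server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Record schema version and functional levels before changing anything.
#    objectVersion on the schema container is the value that /forestprep raises.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$before = [pscustomobject]@{
    SchemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
    ForestMode    = (Get-ADForest).ForestMode
    DomainMode    = (Get-ADDomain).DomainMode
}
$before

# 3. ADPrep. /forestprep needs Schema Admins + Enterprise Admins and targets the schema
#    master; /domainprep needs Domain Admins. Recent deployment cmdlets can do this
#    implicitly, but an explicit run lets you review the outcome before any promotion.
& $AdPrepExe /forestprep
& $AdPrepExe /domainprep /gpprep

# 4. Dry run: the same prerequisite check the installation wizard performs.
$cred = Get-Credential -Message 'Account allowed to add a domain controller'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password'
Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns

# 5. Promote. -NoRebootOnCompletion lets you inspect the result before rebooting.
Install-ADDSDomainController -DomainName $DomainName -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -NoRebootOnCompletion -Force

# 6. Separate task, after the new DC has rebooted and replicated: confirm every DC
#    runs an OS that supports the target level, then raise domain level before forest
#    level (the forest level requires all domains to be at that level already).
Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsReadOnly
Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode $TargetDomain -Confirm:$false
Set-ADForestMode -Identity (Get-ADForest) -ForestMode $TargetForest -Confirm:$false
```

Step 2 is worth keeping as a record: comparing objectVersion before and after /forestprep is the quickest way to confirm the schema extension actually replicated, and the functional-level values tell you what the oldest domain controller still constrains.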
Restructure or upgrade?
Depending on the environment, an in-place upgrade might not be the best path.
For example, if your Windows NT 4.0 environment consists of multiple domains, rather than upgrading each domain it might be more productive to restructure the environment by consolidating some of those domains. Or if your Windows 2000 environment was poorly designed and you are upgrading your environment to Windows Server 2003, it might benefit you to restructure your existing environment before or after the upgrade takes place.
The restructuring in either case is done with the Active Directory Migration Tool (ADMT); the upgrade itself is handled by ADPrep and the installation wizard. Note: ADMT 3.2 is no longer under active development.
ADMT can migrate users, groups, and service accounts; move computers; migrate trusts; and perform security translation.
Security translation on servers adds the security identifiers (SIDs) of the migrated user and group accounts in the target domain to the access control lists (ACLs) of the resources. After the objects are migrated to the target domain, the resources' ACLs contain entries for both the source and the target domains.
When you use ADMT to restructure Windows NT 4.0 domains, ADMT copies the accounts that are migrated, so after the accounts are created in the target domain they continue to exist in the source domain. SID history keeps resource permissions working when you migrate accounts: the old SID is written to the sIDHistory attribute of the new account, so it still grants access to resources in the source domain. This only works across the trust while SID filtering is not quarantining the source domain, and because any sIDHistory value grants access exactly as a legitimate one does, review the attribute on migrated accounts and re-enable SID filtering once the migration is complete.
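The post-migration checks implied by the two paragraphs above (security translation and SID history), as an added example that is not part of the wiki page or of ADMT itself. It assumes the ActiveDirectory module, and the source domain SID and share path are placeholders.

```powershell
# Added example (not from the wiki page). Placeholders: $SourceDomainSid, $SharePath.
$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # assumed: source domain SID
$SharePath       = '\\fileserver\projects'                        # assumed: a migrated resource

# 1. Every object with sIDHistory, and whether each historical SID really belongs to the
#    expected source domain. A SID from another domain, or one with a privileged RID
#    (500/512/518/519), is not what an ADMT migration produces and needs investigation.
function Get-SidHistoryReport {
    param([string]$ExpectedDomainSid)
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
                [pscustomobject]@{
                    Name               = $obj.Name
                    ObjectClass        = $obj.ObjectClass
                    HistoricalSid      = $sid.Value
                    FromExpectedSource = ($domainSid -eq $ExpectedDomainSid)
                    PrivilegedRid      = ($sid.Value -match '-(500|512|518|519)$')
                }
            }
        }
}
Get-SidHistoryReport -ExpectedDomainSid $SourceDomainSid |
    Where-Object { -not $_.FromExpectedSource -or $_.PrivilegedRid } |
    Format-Table -AutoSize

# 2. SID filtering state of the trusts. SID history is only honoured across a trust while
#    quarantine is off; it should read True again once the migration is finished.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, SIDFilteringQuarantined, SIDFilteringForestAware

# 3. What security translation left on a resource: after ADMT adds target-domain entries,
#    the ACL should carry both source and target domain principals. An entry that does not
#    resolve is a source account that was never migrated or has been deleted.
function Get-AclDomainSummary {
    param([string]$Path, [string]$ExpectedSourceSid)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        $ace = $_
        try {
            $sid    = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $domain = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { 'well-known' }
        } catch {
            $sid    = $ace.IdentityReference
            $domain = 'unresolved'
        }
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Sid        = $sid.Value
            Domain     = $domain
            FromSource = ($domain -eq $ExpectedSourceSid)
            Rights     = $ace.FileSystemRights
            AccessType = $ace.AccessControlType
        }
    }
}
Get-AclDomainSummary -Path $SharePath -ExpectedSourceSid $SourceDomainSid | Format-Table -AutoSize
```

Run the first report again after the migration is closed out: once the source domain is retired and SID filtering is back on, the remaining sIDHistory values no longer buy anything legitimate, and removing them (ADMT can do this) shrinks what a compromised account inherits.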
You can also rename a domain and use it to change the structure of the domain trees in your forest. This process involves updating the Domain Name System (DNS) and trust infrastructures as well as Group Policy and service principal names (SPNs).
Being able to rename domains provides flexibility, since organizations change over time and may need to change domain names and the forest structure. You can also change the domain hierarchy: change the parent of a domain, or move a domain from one domain tree to another domain tree.
Sources:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780036(v=ws.10)?redirectedfrom=MSDN
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/support-policy-and-known-issues-for-admt
- https://www.varonis.com/blog/active-directory-migration-tool
- https://learn.microsoft.com/en-us/answers/questions/134788/can-i-security-translate-a-domain-controller-with