Migration from Windows 2003 to Windows 2012
Hello,
I have a task to upgrade my existing Active Directory Windows 2003 domain (32-bit) to Windows 2012.
Currently running applications are:
Active Directory, Exchange, Clustering, ISA 2006, DNS, DHCP, Domain/Forest functional level is Windows Server 2003, Printer server.
I have some queries regarding this:
1. Is Windows 2012 Active Directory stable now? Can I move towards it after testing it in a lab?
2. What is the best practice for migrating to Windows 2012 from Windows 2003 in a lab environment and then in the production environment?
3. What support tools and tests are prerequisites before migration?
4. Please suggest any links for migration.
5. Is migration directly from Windows 2003 to 2012 better, or Win 2003 -> 2008 -> 2012? Which scenario is better and more reliable?
Before upgrading my existing environment I want to test the same on VM Player. My plan is to move my physical machine to virtual and use that virtual machine to migrate to 2012 in a lab environment. This way my production machine will keep running as it is working now.
Any other suggestions are welcome.
May 9th, 2013 6:48am
See my blog.
Upgrade to Active directory 2012
Regards
Biswajit Biswas
My Blogs | TechnetWiki Ninja
Best regards, Biswajit Biswas
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
May 11th, 2013 7:54pm
Hello,
To your questions:
1. Of course.
2. To create a lab, please see:
http://jorgequestforknowledge.wordpress.com/2005/11/20/considerations-when-creating-an-ad-test-environment-part-1/
http://jorgequestforknowledge.wordpress.com/2005/11/20/considerations-when-creating-an-ad-test-environment-part-2-2/
http://blogs.dirteam.com/blogs/paulbergson/archive/2012/07/03/create-a-test-domain-old-style.aspx
http://technet.microsoft.com/en-us/library/dd981009.aspx
For the AD migration, please follow the steps in
http://msmvps.com/blogs/mweber/archive/2012/07/30/upgrading-an-active-directory-domain-from-windows-server-2003-or-windows-server-2003-r2-to-windows-server-2012.aspx
3. At least dcdiag, repadmin, dnslint and also ADREPLSTATUS used the following way:
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
ADREPLSTATUS: http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.
4. included
5. There is no need to go to Windows Server 2008 and then to Windows Server 2012; it can be done directly.
Which version of Exchange do you run? This is important for AD, more details in
http://msmvps.com/blogs/mweber/archive/2010/05/23/exchange-server-and-it-s-relationship-to-active-directory.aspx
Keep in mind that Exchange, SQL, ISA and clustering should NOT run on DCs, only on domain member machines.
Your statement "My plan is to move my physical machine to virtual and use that virtual machine to migrate to 2012" sounds like you run everything on one machine???
For details about Exchange, ISA, SQL and clustering migration, please ask in the specific forums to get the best help from the experts there. And always provide the version and SP/patch level you run now and the one you would like to migrate to.
http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/threads
http://social.technet.microsoft.com/Forums/en-US/category/sqlserver
http://social.technet.microsoft.com/Forums/en-US/category/exchangeserverlegacy and
http://social.technet.microsoft.com/Forums/en-US/category/exchangeserver
http://social.technet.microsoft.com/Forums/en-US/winserverClustering/threads
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
May 14th, 2013 9:47am
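An added example, not part of the thread: one way to turn the `c:\dcdiag.txt` report produced by the command above into a list of failed tests, of tested servers that are not on your list of known DCs (a hint of leftover metadata from a demoted DC), and of listed DCs that dcdiag never tested. It assumes dcdiag's usual `Testing server:` and `passed test` / `failed test` lines; the sample report and the `summarize` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout dcdiag prints; NOT the poster's real log.
SAMPLE_DCDIAG = r"""
Doing initial required tests
   Testing server: Default-First-Site-Name\TRANSIT
      Starting test: Connectivity
         ......................... TRANSIT passed test Connectivity
   Testing server: Default-First-Site-Name\GATEWAY-2
      Starting test: Connectivity
         ......................... GATEWAY-2 failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\TRANSIT
      Starting test: Advertising
         ......................... TRANSIT passed test Advertising
      Starting test: SystemLog
         An Error Event occurred.
         ......................... TRANSIT failed test SystemLog
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
"""

SERVER_RE = re.compile(r"^\s*Testing server:\s*[^\\]+\\(?P<dc>\S+)\s*$")
RESULT_RE = re.compile(
    r"^\s*\.{5,}\s+(?P<subject>\S+)\s+(?P<status>passed|failed)\s+test\s+(?P<test>\S+)\s*$"
)


def summarize(report, expected_dcs):
    """Return failed tests per subject plus DCs that are unexpected or missing."""
    tested = set()
    failed = defaultdict(list)
    for line in report.splitlines():
        m = SERVER_RE.match(line)
        if m:
            tested.add(m.group("dc").upper())
            continue
        m = RESULT_RE.match(line)
        if m and m.group("status") == "failed":
            failed[m.group("subject").upper()].append(m.group("test"))
    expected = {name.upper() for name in expected_dcs}
    return {
        "failed": dict(failed),
        # Tested but not on the list: candidate stale metadata of a demoted DC.
        "unexpected_dcs": sorted(tested - expected),
        # On the list but never tested: not (yet) a DC as far as AD knows.
        "missing_dcs": sorted(expected - tested),
    }


if __name__ == "__main__":
    # For a real run: open(r"c:\dcdiag.txt").read() instead of the sample.
    result = summarize(SAMPLE_DCDIAG, ["TRANSIT", "GATEWAY"])
    for subject, tests in result["failed"].items():
        print(f"FAILED {subject}: {', '.join(tests)}")
    print("Unexpected DCs:", result["unexpected_dcs"])
    print("Missing DCs:", result["missing_dcs"])
```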
First of all, thanks for your prompt reply.
"1. Of course
2. to create a LAB please see
http://jorgequestforknowledge.wordpress.com/2005/11/20/considerations-when-creating-an-ad-test-environment-part-1/
http://jorgequestforknowledge.wordpress.com/2005/11/20/considerations-when-creating-an-ad-test-environment-part-2-2/
http://blogs.dirteam.com/blogs/paulbergson/archive/2012/07/03/create-a-test-domain-old-style.aspx
http://technet.microsoft.com/en-us/library/dd981009.aspx"
I have created a copy of Physical DC to Virtual DC which is isolated from my production network. Can I use that VM for test lab?
"At least dcdiag, repadmin, dnslint and also ADREPLSTATUS used the following way:"
What needs to be checked in each of the tests? I ran dcdiag on my physical DC and it gives me failed status on System Log and Root hints. The rest is successful. Please find the link to the dcdiag.log output at https://docs.google.com/file/d/0BykAc1ivIApILVpwMmZ6ejNwVzA/edit?usp=sharing
Current Exchange version is Version 6.5 Build 7638.2 Service Pack 2.
"Keep in mind that Exchange, SQL, ISA and clustering should NOT run on DCs, only on domain member machines"
Yes, they are running on member machines.
I just need to migrate directory services; the rest of the things will be managed afterwards. On the DC only AD, DNS and DHCP are running.
May 14th, 2013 10:14am
Hello,
"I have created a copy of Physical DC to Virtual DC which is isolated from my production network. Can I use that VM for test lab?" As long as you don't connect the lab machine to the domain, no problem.
What is "GATEWAY-2" listed in dcdiag, an old, not correctly demoted DC? Please assure that no other DCs exist in the AD database, AD Sites and Services, DNS zones and Name Server tabs. As dcdiag stated you have only one DC, check with
http://technet.microsoft.com/en-us/library/cc794759(WS.10).aspx the correct settings for the existing one.
Be aware that you should use at least 2 DC/DNS/GC per domain for failover and redundancy.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
May 14th, 2013 10:43am
"What is "GATEWAY-2" listed in dcdiag, an old, not correctly demoted DC? Please assure that no other DCs exist in the AD database, AD Sites and Services, DNS zones and Name Server tabs. As dcdiag stated you have only one DC, check with http://technet.microsoft.com/en-us/library/cc794759(WS.10).aspx the correct settings for the existing one."
Yes, GATEWAY-2 was our old additional DC which was demoted in March 2013.
How can I correct this issue, meaning by deleting the traces of the Gateway-2 machine?
For the Active Directory Replication Status Tool, are 2 DCs required or can it work with one DC as well?
For dnslint, when I type dnslint.exe /ad /s "10.10.3.51":
DNSLint will attempt to verify the
DNS entries used in AD replication
Using 127.0.0.1 for LDAP
Starting with 10.10.3.51 for DNS
This process may take several minutes to complete...............
by-passing www.internic.net lookup...
using 10.10.3.51
.....
C:\Program Files\Support Tools>
May 14th, 2013 10:57am
Hello,
for Gateway-2 please check in the already mentioned locations and delete entries from it. And for AD database please verify with
http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx
With a single DC there is no need to check replication. BUT it is recommended to run at least 2 DC/DNS/GC per domain. Also an AD aware backup must be run according to
http://technet.microsoft.com/en-us/library/cc753359(WS.10).aspx
Keep in mind that snapshots, VM file copies, images are NOT AD aware backups and may result in USN rollbacks, when more than one DC is used.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
May 14th, 2013 12:17pm
Hello,
I have cleaned almost all the traces via metadata cleanup but forgot to remove the traces of Gateway-2 from ADSIEDIT.msc CN=Domain System Volume (SYSVOL share), and this was giving me trouble here. Anyway, I have deleted it and run dcdiag again and found no error.
Please check and download this file again:
https://docs.google.com/file/d/0BykAc1ivIApIMElsaU5MRGhrZms/edit?usp=sharing
Secondly, let me know if the dnslint command output is OK and has no errors.
Yes, I will have 2 DCs after upgrading the AD to 2012.
"Keep in mind that snapshots, VM file copies, images are NOT AD aware backups and may result in USN rollbacks, when more than one DC is used."
I am aware of it and will just use the VM to test the migration, and after success will do the same in the production environment, meaning physical to physical (new) server.
May 14th, 2013 1:14pm
Hello,
dcdiag is OK and DNSLint is not complete. Please run the command dnslint.exe /ad /s "10.10.3.51" and then check the log file that is created: dnslint.htm
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
May 14th, 2013 1:45pm
DNSLint Report
System Date: Tue May 14 15:48:51 2013
Command run:
dnslint.exe /ad /s 10.10.3.51
Root of Active Directory Forest:
localhost.org
Active Directory Forest Replication GUIDs Found:
DC: TRANSIT
GUID: 67921842-d996-40df-987c-7df5121c89db
Total GUIDs found: 1
The following 2 DNS servers were checked for records related to AD forest replication:
DNS server: User Specified DNS Server
IP Address: 10.10.3.51
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown
SOA record data from server:
Authoritative name server: transit.localhost.org
Hostmaster: hostmaster
Zone serial number: 2216
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
transit.localhost.org Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 67921842-d996-40df-987c-7df5121c89db._msdcs.localhost.org
Alias: transit.localhost.org
Glue: 10.10.3.51
Total number of CNAME records found on this server: 1
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0
Additional authoritative (NS) records from server:
transit.localhost.org Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 67921842-d996-40df-9d06-7df5121c89db._msdcs.localhost.org
Alias: transit.localhost.org
Glue: 10.10.3.51
Total number of CNAME records found on this server: 1
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0
Notes:
One or more DNS servers may not be authoritative for the domain
DNS server: transit.localhost.org
IP Address: 10.10.3.51
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: transit.localhost.org
Hostmaster: hostmaster
Zone serial number: 2216
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
May 14th, 2013 1:54pm
Hello,
that output is OK.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
May 14th, 2013 2:56pm
Hello,
I have successfully installed Windows 2012 on a VM and then added the AD DS server role to this server.
How can I test replication on the new Windows 2012 domain, as there are no support tools available on the Win 2012 DVD? Although I can see all my users/groups are replicated to the new server.
Secondly, how can I verify that the DC I have created is an additional domain controller?
I have tried several commands but the output is always my primary domain controller:
netdom.exe query /d:domainname dc (returned only 1 domain controller)
nltest /dclist:domainname'local (to check how many DCs are available in the forest)
repadmin.exe /showrepl (to check how many GCs are available in the forest) returned only one, which is the primary DC
May 16th, 2013 1:14pm
Hello,
For all GCs use, without the quotes, "dsquery server -isgc" in the domain where you run the command. For the forest "dsquery server -forest -isgc" and for a domain "dsquery server -domain yourdomainname.tld -isgc"
If I run "nltest /dclist:domainname.local" all DCs are listed. Assure to use a "." and NOT the form you used "'" "domainname'local".
All support tools are already included in the OS; there have been no separate tools on the disc since Windows Server 2008.
If the server is promoted to DC and has rebooted and no errors are listed, then it is an additional DC. Differences are ONLY the FSMO roles and whether you have chosen GC during promotion or not.
"netdom query fsmo" will return the FSMO role holder.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
May 16th, 2013 2:14pm
Hello,
Correct me if I am wrong. When we install AD DS on Windows 2012, then another Global Catalog is created, meaning there will be two GCs.
C:\Users\shariq.siddiqui>dsquery server -isgc
"CN=TRANSIT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=localhost,DC=org"
C:\Users\shariq.siddiqui>dsquery server -domain localhost.org -isgc
"CN=TRANSIT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=localhost,DC=org"
C:\Users\shariq.siddiqui>dsquery server -isgc
"CN=TRANSIT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=localhost,DC=org"
C:\Users\shariq.siddiqui>netdom query fsmo
Schema master TRANSIT.localhost.org
Domain naming master TRANSIT.localhost.org
PDC TRANSIT.localhost.org
RID pool manager TRANSIT.localhost.org
Infrastructure master TRANSIT.localhost.org
The command completed successfully.
Yes, there were no errors after installation of AD DS and the restart.
When running dcdiag.exe /v /c /d /e /s:gateway on the Win 2012 server I got the error below:
Problem signature:
Problem Event Name: APPCRASH
Application Name: dcdiag.exe
Application Version: 6.2.9200.16384
Application Timestamp: 50109d63
Fault Module Name: ntdll.dll
Fault Module Version: 6.2.9200.16384
Fault Module Timestamp: 5010acd2
Exception Code: c0000005
Exception Offset: 0000000000029224
OS Version: 6.2.9200.2.0.0.400.8
Locale ID: 1033
Additional Information 1: 6b1d
Additional Information 2: 6b1d92518ef1462add600e9044dcc100
Additional Information 3: ae2c
Additional Information 4: ae2c5ee54d2247077a27aa0891470a1b
When I run the same command on the Windows 2003 Server (FSMO role holder), there is no entry for Gateway (Win 2012) in the log file.
Please guide me on how I can verify that there are two DCs running in my environment. Same issue with Repadmin.
Even the Sysvol / Netlogon folder is not shared on Win 2012.
Secondly, ADREPLSTATUS: from where should I run this command, meaning Win 2003 PDC, Win 2012 ADC or from a Windows 7 client?
May 16th, 2013 2:53pm
Hello,
you have installed the Windows server 2012 DC this way
http://msmvps.com/blogs/mweber/archive/2012/07/30/upgrading-an-active-directory-domain-from-windows-server-2003-or-windows-server-2003-r2-to-windows-server-2012.aspx into an EXISTING domain after adding the AD DS role?
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
May 17th, 2013 10:06am
Yes, I have installed from the mentioned link and into an existing domain.
I didn't promote the newly created AD DS (Win 2012). I am doing it now.
May 17th, 2013 10:34am
Hello,
"I didn't promote the newly created AD DS (Win 2012). I am doing it now"
So HOW should you be able to have a DC??????
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
May 17th, 2013 10:45am
Hello,
Checked dcdiag, repadmin, ADREPLSTATUS; all are working fine and data is replicated between the DCs.
Checked the SYSVOL / Netlogon folder and data is replicated.
dsquery server -isgc
Returned two servers
dsquery server -domain localhost.org -isgc
Returned two servers
I didn't transfer the FSMO roles yet and I will do the time configuration after the roles are transferred.
What is needed to further check replication before transferring the FSMO roles to the Win 2012 machine?
May 17th, 2013 1:38pm
Hello,
sounds ok so far. If everything is clear then you can transfer the FSMO roles.
Do not forget to reconfigure the time service on the old/new PDCEmulator, details you'll find in
http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
May 18th, 2013 8:02pm
Hello,
Sorry for replying so late.
I have transferred all the FSMO roles to the Windows 2012 machine and so far it is working well.
When transferring the Infrastructure master role to Windows 2012, it prompted me that the Windows 2012 machine is a GC and should not have this role, but I clicked Yes and let it have the Infrastructure role.
Tell me what the best practice is when 2 DCs are available and which role is assigned to which server.
The Windows 2003 machine is off and the 2012 machine is running. Now check this server by other systems to this test lab and check DNS settings.
The domain functional level is still Windows 2003. Although this is lab testing, in production I will demote my Windows 2003 machine and will only use Windows 2012 on the PDC and ADC systems. So how can I raise the functional level?
To update the forest functional level, the Active Directory Domain Controllers in the forest must be running the appropriate version of windows, and no domains in the forest can have a domain functional level of Windows 2000 mixed.
forest root domain name: localhost.org
Current forest functional level: Windows Server 2003
The following domains include Active Directory Domain Controllers that are running earlier versions of windows:
domain Name | AD DC | Version of Windows
ForestDnsZones.localhost.org | TRANSIT.localhost.org | Windows Server 2003 5.2 (3790)
Secondly, on Windows 2012 > Active Directory domains & trust > Right click > change Active Directory.. >
The status of Windows 2012 DC is showing unavailable
May 21st, 2013 1:07am


