It3004 windows server 2012 upgrading active directory


My speech about upgrading Active Directory to Windows 2012 at the Windows Professional Conference 2012 in Milan (Italy).
The topics were: new features of Windows 2012 Directory Services (AD DS), virtualization-safe technologies (DC cloning and snapshot compatibility), upgrade paths (in-place, or addition of a new Windows 2012 DC), and migration / parallel environment with ADMT.


    1. IT3004 - Windows Server 2012: Upgrading Active Directory Services. Fabrizio Volpe, MVP Directory Services 2011 & 2012 (Italy), MCITP
    2. Agenda
       • New Features and Improvements
       • Cloud and Federation Scenarios for Directory Services
       • Upgrading Domain Controllers to Windows Server 2012
       • Next Steps
    3. New Features and Improvements
       • Simplified Deployment
       • Recycle Bin User Interface
       • Dynamic Access Control
       • Active Directory Virtualization Safe Technology
       • Active Directory PowerShell History Viewer User Interface
       • Active Directory Based Activation
       • Rapid Deployment
       • Fine-Grained Password Policy User Interface
       • Kerberos Enhancements
       • Active Directory Replication & Topology Cmdlets
       • Active Directory Platform Changes
       • Group Managed Service Accounts
    4. Simplified Deployment
       • Solution
         – integrate preparation steps into the promotion process
           • automate the pre-requisites between each of them
         – validate environment-wide pre-requisites before beginning deployment
         – integrated with Server Manager and remotable
         – built on Windows PowerShell for command-line and UI consistency
         – configuration wizard aligns to the most common deployment scenarios
    5. Demo - Windows Server 2012 Domain Controller With GUI
    6. Simplified Deployment: What Changes?
       • Streamline the deployment process
       • Minimize the number of touch-points
       • Bring consistency with the deployment experience of other Windows Server roles
       • Minimize the odds of deployment failures
       • Optimize for common deployment paths
       • Gain UI consistency by leveraging an enhanced command-line experience
    7. Install From Media
       Windows Server 2012 adds two options to the IFM (IFM Media Creation) menu of the Ntdsutil.exe command-line tool:
       • Create Full NoDefrag %s: create IFM media without defragmenting for a full AD DC or an AD LDS instance into folder %s
       • Create Sysvol Full NoDefrag %s: create IFM media with SYSVOL and without defragmenting for a full AD DC into folder %s
    8. Simplified Deployment
       • Requirements
         – Windows Server 2012
         – target forest must be at Windows Server 2003 functional level or greater
         – introducing the first Windows Server 2012 DC requires Enterprise Admin and Schema Admin privileges
         – subsequent DCs require only Domain Admin privileges within the target domain
       • Other features used
         – DC Promotion Retry Logic
         – Enhanced Install-from-media (IFM) options
         – AD FS v2.1 in-the-box
    9. Virtualization-Safe Technology
       • Background
         – common virtualization operations such as creating snapshots or copying VMs/VHDs can roll back the state of a virtual DC
         – this introduces USN bubbles leading to a permanently divergent state, causing:
           • lingering objects
           • inconsistent passwords
           • inconsistent attribute values
           • schema mismatches if the Schema FSMO is rolled back
         – the potential also exists for security principals to be created with duplicate SIDs
    10. Virtualization Safe Technology
    11. What happens if the VM-Generation ID has been modified
       Before any changes are made to the local Active Directory database, the server checks what its VM-Generation ID is; if it is not what it expects, it does several things. First, the local RID pool is invalidated and a new RID pool is requested from the RID master. Next, the invocation ID is increased, so that when replication happens, even though the USN would be the same, the domain controller's invocation ID would be different, meaning the other domain controllers would accept the update and replicate.
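The two markers that a Windows Server 2012 DC rewrites after a VM-Generation ID change (the new invocation ID after the RID pool reset, and the msDS-GenerationId value on its own computer object) can be baselined and re-checked from an administrative workstation, which turns the slide's description into a detection. This is an added example, not the deck's own code; the baseline path is an assumption.

```powershell
# Added example, not from the slides: record and re-check the two markers a
# Windows Server 2012 DC rewrites when it sees a different VM-Generation ID
# (new invocationId after the RID pool reset, new msDS-GenerationId on its
# computer object). A change between runs means the DC detected a rollback
# or clone and should be reconciled with your change records.
Import-Module ActiveDirectory

$BaselinePath = 'C:\ADAudit\dc-virt-baseline.xml'   # assumed path

function Get-DcVirtualizationState {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # msDS-GenerationId is not replicated, so ask each DC for its own value.
        $comp = Get-ADComputer -Identity $dc.Name -Properties 'msDS-GenerationId' -Server $dc.HostName
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties invocationId -Server $dc.HostName
        $gen  = $comp.'msDS-GenerationId'
        $genHex = if ($gen) { ($gen | ForEach-Object { $_.ToString('x2') }) -join '' }
                  else { 'none (not virtualized, or a pre-2012 DC)' }
        [pscustomobject]@{
            DC           = $dc.HostName
            InvocationId = ([guid]$ntds.invocationId).Guid
            GenerationId = $genHex
            Collected    = (Get-Date).ToString('s')
        }
    }
}

function Compare-DcVirtualizationState {
    $current = @(Get-DcVirtualizationState)
    if (Test-Path $BaselinePath) {
        $baseline = Import-Clixml $BaselinePath
        foreach ($now in $current) {
            $then = $baseline | Where-Object { $_.DC -eq $now.DC }
            if (-not $then) { Write-Warning "$($now.DC): not in baseline (new DC?)"; continue }
            if ($then.InvocationId -ne $now.InvocationId -or $then.GenerationId -ne $now.GenerationId) {
                Write-Warning ("$($now.DC): invocationId or generation ID changed since $($then.Collected); " +
                               'check the Directory Service event log on that DC for the rollback/clone events')
            }
        }
    }
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | Export-Clixml $BaselinePath   # becomes the baseline for the next run
    $current
}

Compare-DcVirtualizationState | Format-Table -AutoSize
```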
    12. Rapid Deployment – DC Cloning
       • Promote and configure ONLY once
       • Easier and faster to deploy replica DCs
       • Minimizes dependencies/interactions between hypervisor administrators and Active Directory administrators when deploying DCs
    13. Prepare the environment
       • Step 1: Validate that the hypervisor supports VM-Generation ID and, therefore, cloning
       • Step 2: Verify that the PDC emulator role is hosted by a domain controller that runs Windows Server 2012 and that it is online and reachable by the cloned domain controller during cloning
    14. Prepare the source domain controller
       • Step 3: Authorize the source domain controller for cloning
       • Step 4: Remove incompatible services or programs, or add them to the CustomDCCloneAllowList.xml file
       • Step 5: Create DCCloneConfig.xml
       • Step 6: Take the source domain controller offline
    15. Create the cloned domain controller
       • Step 7: Copy or export the source VM and add the XML if not already copied
       • Step 8: Create a new virtual machine from the copy
       • Step 9: Start the new virtual machine to commence cloning
    16. Steps for deploying a cloned virtualized domain controller
       • Prerequisites
       • Step 1: Grant the source virtualized domain controller the permission to be cloned
       • Step 2: Run the Get-ADDCCloningExcludedApplicationList cmdlet
       • Step 3: Run New-ADDCCloneConfigFile
       • Step 4: Export and then import the virtual machine of the source domain controller
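The preparation half of the cloning procedure (slides 13 and 14, steps 1 to 5, using the cmdlets named on slide 16) as one script run on the source DC. This is an added example, not the deck's own code; the DC names, site name and IPv4 addresses are placeholders.

```powershell
# Added example, not from the slides: steps 1-5 of the cloning preparation,
# run elevated on the source virtual DC. Names and addresses are placeholders.
Import-Module ActiveDirectory
$SourceDc  = 'DC1'                       # placeholder: source virtualized DC
$CloneName = 'DC2'                       # placeholder: name the clone will get
$CloneSite = 'Default-First-Site-Name'   # placeholder: site for the clone

function Test-DcCloningPrerequisites {
    # Step 1: a hypervisor that supports VM-Generation ID exposes the
    # "Microsoft Hyper-V Generation Counter" system device inside the guest.
    $counter = Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.Name -like '*Hyper-V Generation Counter*' }
    if (-not $counter) { throw 'No VM-Generation ID device: this hypervisor cannot clone DCs safely.' }

    # Step 2: the PDC emulator must be a Windows Server 2012 DC and reachable.
    $pdcName = (Get-ADDomain).PDCEmulator
    $pdc     = Get-ADDomainController -Identity $pdcName
    if ($pdc.OperatingSystem -notlike 'Windows Server 2012*') {
        throw "PDC emulator $pdcName runs '$($pdc.OperatingSystem)'; it must be Windows Server 2012."
    }
    if (-not (Test-Connection -ComputerName $pdcName -Count 1 -Quiet)) {
        throw "PDC emulator $pdcName is not reachable from this host."
    }
    "Prerequisites OK: generation counter present, PDC emulator is $pdcName"
}

function Initialize-SourceDcForCloning {
    # Step 3: authorize the source DC by putting its computer object into the
    # Cloneable Domain Controllers group (membership is what cloning checks).
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $SourceDc)

    # Step 4: anything installed that the cloning engine does not know about must
    # be removed or explicitly allowed; -GenerateXml writes CustomDCCloneAllowList.xml.
    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    if ($excluded.Count -gt 0) {
        Write-Warning "Review before allowing: $($excluded.Name -join ', ')"
        Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    }

    # Step 5: DCCloneConfig.xml with the clone's name, site and static IPv4 settings
    # (assumed values; omit -Static and the -IPv4* parameters to let the clone use DHCP).
    New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName $CloneSite -Static `
        -IPv4Address '10.0.0.21' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.10'
    # Step 6 is manual: shut the source DC down before exporting or copying the VM.
}

Test-DcCloningPrerequisites
Initialize-SourceDcForCloning
```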
    17. Demo - DC Cloning
    18. Active Directory Platform Changes
       • Improved allocation and scale of RIDs (relative identifiers), deferred index creation
       • Kerberos enhancements and support for Kerberos claims in AD FS
    19. Active Directory forest in Windows Azure
    20. Active Directory forest in Windows Azure
       You can install Windows Server 2012, but be aware that the virtualized domain controller safeguards built into Windows Server 2012 are not available on Windows Azure Virtual Networks. The virtualized domain controller safeguards require support for VM-GenerationID, which Windows Azure Virtual Networks do not provide at the present time. (us/manage/services/networking/active-directory-forest/)
    21. Active Directory Federation
       Role description
       • Simplified, secured identity federation and Web single sign-on (SSO) capabilities
         – Federation Service role service
         – Federation Service Proxy role
         – Web Agent role services
    22. Active Directory Federation in Windows 2012
       • Integration with Dynamic Access Control scenarios
       • Improved installation experience using Server Manager
       • Additional Windows PowerShell cmdlets
    23. Active Directory cloud deployments
       • Remote PowerShell: cloud-based servers can be promoted to domain controllers
       • Active Directory deployment with cloning
    24. Upgrading Domain Controllers to Windows Server 2012
       System requirements for installing AD DS on Windows Server 2012
       • On domain controllers that you plan to upgrade to Windows Server 2012, make sure that the drive that hosts the Active Directory database (NTDS.DIT) has at least 20% free disk space before you begin the operating system upgrade
       Installation types
       • Server Core
       • Full
       • Minimal Server Interface
    25. Upgrading Domain Controllers to Windows Server 2012
       Supported in-place upgrade paths
       • Domain controllers that run Windows Server 2008 or Windows Server 2008 R2 can be upgraded to Windows Server 2012
       • You cannot upgrade domain controllers that run Windows Server 2003
    26. Upgrading Domain Controllers to Windows Server 2012: Functional level features and requirements
    27. Upgrading Domain Controllers to Windows Server 2012: Operations master roles
    28. Migrating AD to Windows Server 2012
       • Upgrading forests and domains: using the new Server Manager
       • Deploying new replica DCs: using the new Server Manager
       • Managing AD DS using the AD Administrative Center: PowerShell History Viewer, AD Recycle Bin GUI, Fine-Grained Password Policy GUI
    29. Upgrade Scenarios
       • From Windows 2003 to Windows 2012
       • From Windows 2008 to Windows 2012
    30. Demo – Upgrade to Windows 2012 DC
    31. Next Steps
       • Best Practices Analyzer (BPA)
    32. Promoting a Domain Controller with PowerShell
       • Install the Active Directory Domain Services role
       • Prerequisite checks
       • Promoting the DC
       • Best Practices Analyzer
    33. Demo - Promoting a Domain Controller with PowerShell
    34. Limits of BPA and the Prerequisites Checker
       • No check on other Microsoft applications or 3rd-party applications
       • No inventory of existing applications or services on the DC
    35. Best Practices for Implementing Schema Updates
       • Test your forest recovery plans
       • Test your schema extensions in your recovery environment and in any other test/non-production environments
    36. Planning
       • Infrastructure Planning and Design documents (us/download/details.aspx?id=732)
       • Impact of the new features
         – Active Directory Web Services (ADWS)
         – Virtualized Domain Controller Cloning
         – Dynamic Access Control (DAC) & Kerberos Flexible Authentication Secure Tunneling (FAST, also known as Kerberos armoring)
    37. Summary of Minimum Requirements (with this deployed... these features become available)
       • First Windows Server 2012 domain member (or Windows 8 with RSAT installed)
         – New Active Directory Administrative Center
         – Windows PowerShell History Viewer
         – Graphical Recycle Bin and FGPP management
         – Active Directory-based Activation (requires Windows Server 2012 schema extensions)
         – Active Directory Replication & Topology Cmdlets
         – AD FS (v2.1)
       • First Windows Server 2012 DC
         – Simplified Deployment and Preparation
         – Richer authorization through DAC & FCI
         – Dynamic Access Control policies and claims
         – Kerberos Claims in AD FS (v2.1)
         – Cross-domain Kerberos Constrained Delegation
         – Group Managed Service Accounts
         – Virtualization-Safe for the Windows Server 2012 DC (requires hypervisor support for VM-Gen-ID)
       • Windows Server 2012 DC holds the PDC FSMO role
         – Rapid virtual DC deployment through DC cloning (requires hypervisor support for VM-Gen-ID)
    38. Migration and Restructuring
       • Source domain: the source domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2
       • Target domain: the target domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2
       • Active Directory Migration Tool version 3.2
       • ADMT 3.2 and PES 3.1 installation errors on Windows Server 2012
    39. Troubleshooting Domain Controller Deployment
       General Methodology for Troubleshooting Domain Controller Configuration
       • Tools and Commands
       • Logging Options
       (us/library/jj592690.aspx)
    40. Demo - Troubleshooting
    41. Q&A
    42. Thank you