Tag Archives: Migration

Active Directory Domain Migration / Active Directory Forest Restructure

When plan for AD infrastructure design main concerns are to maintain the hierarchy and reduce the complexity. We can’t expect businesses to be same for years, as business grows we will also need to apply changes to the infrastructure design. For example company may move to a different business name, may be acquired by another company or else merge with another company. Any of the above situations may cause major AD infrastructure design change. This is where AD migration and Forest restructure techniques comes in handy.

There are mainly two types of AD migrations or restructure.

1)    InterForest – This is mainly happens when company involves with mergers, acquisitions which will need to integrate the resources between forests. When migrate between forest both target forest and source forest will exist. It make easier to roll back changes at any time.

2)    IntraForest – This is mainly apply when you try to reduce the complexity of the domain structure. So it will not involve with multiple forest. Source domain and target domain both will be under same forest. Unlike the interforest, if you need to roll back you need to go with reverse migration to get things back to previous state.

Let’s look in to the comparison between these two types against migration considerations.

Migration Considerations



Object Preservation

Objects are cloned. Original objects will be remain in the source.

User and Group objects will be migrated and will not exist in source. Computer and Service accounts will remain enabled in source location.

Password Retention



Local Profile Migration

Tools like ADMT should use to migrate the local profiles

Will be migrated automatically

Accounts in Closed Set

Do not need to migrate

Must migrate

Security Identifier (SID) history


Required for the user, group and computer accounts. No need for managed service accounts.

Microsoft provides a great tool called Active Directory Migration Tool (ADMT) to help with the migration and domain restructure process. The latest tool can download using http://go.microsoft.com/fwlink/?LinkId=401534


This tool simplifies the migration of AD objects as its automated most of the tasks. Using wizard with few clicks we can complete the process.

ADMT can run via GUI, command line or as a script. You can download complete guide for this tool from http://go.microsoft.com/fwlink/?LinkId=191734

If you have any question about post feel free to contact me on rebeladm@live.com

Step-by-Step Guide for upgrading SYSVOL replication to DFSR (Distributed File System Replication)

SYSVOL is a folder shared by domain controller to hold its logon scripts, group policies and other items related to AD. All the domain controllers in network will replicate the content of SYSVOL folder. The default path for SYSVOL folder is %SystemRoot%\SYSVOL. This folder path can define when you install the active directory.

Windows Server 2003 and 2003 R2 uses File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers. But Windows server 2008 and later uses Distributed File System (DFS) for the replication.  DFS is more efficient than FRS. Since windows server 2003 is going out of support, most people already done or still looking for migrate in to latest versions. However migrating FSMO roles WILL NOT migrate SYSVOL replication from FRS to DFS. Most of the engineers forget about this step when they migrate from windows 2003 to new versions.

For FRS to DFS migration we uses the Dfsrmig.exe utility. More info about it available on https://technet.microsoft.com/en-au/library/dd641227(v=ws.10).aspx

For the demo I am using windows server 2012 R2 server and I migrated FSMO roles already from a windows server 2003 R2 server.

In order to proceed with the migration forest function level must set to windows server 2008 or later. So if your organization not done this yet first step is to get the forest and domain function level updated.

You can verify if the system uses the FRS using dfsrmig /getglobalstate , To do this

1)    Log in to domain controller as Domain admin or Enterprise Admin
2)    Launch powershell console and type dfsrmig /getglobalstate. Output explains it’s not initiated DFRS migration yet.


Before move in to the configurations we need to look into stages of the migration.

There are four stable states going along with the four migration phases.

1)    State 0 – Start
2)    State 1 – Prepared
3)    State 2 – Redirected
4)    State 3 – Eliminated

State 0 – Start

With initiating this state, FRS will replicate SYSVOL folder among the domain controllers. It is important to have up to date copy of SYSVOL before begins the migration process to avoid any conflicts.

State 1 – Prepared

In this state while FRS continues replicating SYSVOL folder, DFSR will replicate a copy of SYSVOL folder. It will be located in %SystemRoot%\SYSVOL_DFRS by default. But this SYSVOL will not response for any other domain controller service requests.

State 2 – Redirected

In this state the DFSR copy of SYSVOL starts to response for SYSVOL service requests. FRS will continue the replication of its own SYSVOL copy but will not involve with production SYSVOL replication.

State 3 – Eliminated

In this state, DFS Replication will continue its replication and servicing SYSVOL requests. Windows will delete original SYSVOL folder users by FRS replication and stop the FRS replication.

In order to migrate from FRS to DFSR its must to go from State 1 to State 3.

Let’s look in to the migration steps.

Prepared State

1.    Log in to domain controller as Domain admin or Enterprise Admin
2.    Launch powershell console
3.    Type dfsrmig /setglobalstate 1 and press enter


4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached prepared state


Redirected State

1.    Log in to domain controller as Domain admin or Enterprise Admin
2.    Launch powershell console
3.    Type dfsrmig /setglobalstate 2 and press enter


4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached redirected state


Eliminated State

1.    Log in to domain controller as Domain admin or Enterprise Admin
2.    Launch powershell console
3.    Type dfsrmig /setglobalstate 3 and press enter


4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached eliminated state


This completes the migration process and to confirm the SYSVOL share, type net share command and enter.


Also make sure in each domain controller FRS service is stopped and disabled.


If you have any question regarding the post feel free to email me at rebeladm@live.com


Microsoft has already announced that windows server 2003 / windows server 2003 R2 versions support is coming to end in 14th July 2015 (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO). It’s no wonder that some organizations still uses windows server 2003 versions in production environment.

If you still not plan for migration from legacy windows server versions, well time has come!!

This guide will explain how we can migrate AD CS from windows server 2003 to windows server 2012 R2.

In this demonstration I am using following setup.

Server Name

Operating System

Server Roles


Windows Server 2003 R2 Enterprise x86

AD CS ( Enterprise Certificate Authority )


Windows Server 2012 R2 x64

Backup windows server 2003 certificate authority database and its configuration

•    Log in to Windows 2003 Server as member of local administrator group
•    Go to Start > Administrative Tools > Certificate Authority


•    Right Click on Server Node > All Tasks > Backup CA


•    Then it will open the “Certification Authority Backup Wizard” and click “Next” to continue


•    In next window click on check boxes to select options as highlighted and click on “Brows” to provide the backup file path location where it will save the backup file. Then click on “Next” to continue


•    Then it will ask to provide a password to protect private key and CA certificate file. Once provided the password click on next to continue


•    In next window it will provide the confirmation and click on “Finish” to complete the process

Backup CA Registry Settings

•    Click Start > Run and then type regedit and click “Ok”


•    Then expand the key in following path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

•    Right click on “Configuration” key and click on “Export”


•    In next window select the path you need to save the backup file and provide a name for it. Then click on save to complete the backup


Now we have the backup of the CA and move these files to the new windows 2012 R2 server.



Uninstall CA Service from windows server 2003

Now we have the backup files ready and before configure certificate services in new windows server 2012 r2, we can uninstall the CA services from windows 2003 server. To do that need to follow following steps.

•    Click on Start > Control Panel > Add or Remove Programs


•    Then click on “Add/Remove Windows Components” button


•    In next window remove the tick in “Certificate Services” and click on next to continue


•    Once its completed the process it will give the confirmation and click on “Finish”


With it we done with windows server 2003 CA services and next step to get the windows server 2012 CA services install and configure.

Install windows server 2012 R2 Certificate Services

•    Log in to windows server 2012 as Domain Administrator or member of local administrator group

•    Go to Server Manager > Add roles and features


•    It will open up “Add roles and feature” wizard and click on next to continue


•    Then next window select “Role-based or Feature-based installation” and click next to continue


•    From the server selections keep the default selection and click on next to continue


•    In next window click on tick box to select “Active Directory Certificate Services” and it will pop up with window to acknowledge about  required features need to be added. Click on add features to add them



•    Then in features section will let it run with default. Click next to continue


•    In next window, it will give brief description about AD CS. Click next to continue


•    Then it will give option to select roles services. I have selected Certificate Authority and Certification Authority Web Enrollment. Click next to continue


•    Since Certification Authority Web Enrollment selected it will required IIS. So next window it will give brief description about IIS


•    Then in next window it gives option to add IIS role services. I will leave it default and click next to continue


•    Next window will give confirmation about service install and click on “Install” to start the installation process


•    Once installation completes you can close the wizard.

Configure AD CS

In this step will look in to configuration and restoring the backup we created.

•    Log in to server as Enterprise Administrator
•    Go to Server Manager > AD CS


•    In right hand panel it will show message as following screenshot and click on “More”


•    It will open up window and click on “Configure Active Directory Certificate Service ……”


•    It will open role configuration wizard, it gives option to change the credential, in here I already log in as Enterprise administrator so I will leave the default and click next to continue


•    In next window it asking which service you like to configure. Select “Certification Authority”,  “Certification Authority Web Enrollment” options and click next to continue


•    It will be Enterprise CA so in next window select the Enterprise CA as the setup type and click next to continue


•    Next window select “Root CA” as the CA type and click next to continue


•    The next option is very important on the configuration. If its new installation we will only need to create new private key. But since it’s a  migration process we already made a backup of private key. So in here select the options as highlighted in screenshot. Then click on next to continue


•    In next window click on “Import” button


•    In here it will give option to select the key we backup during the backup process from windows 2003 server. Brows and select the key from the backup we made and provide the password we used for protection. Then click ok


•    Then it will import the key successfully and in window select the imported certificate and click next to continue


•    Next window we can define certificate database path. In here I will leave it default and click next to continue


•    Then in next window it will provide the configuration confirmation and click on configure to proceed with the process


•    Once its completed click on close to exit from the configuration wizard

Restore CA Backup

Now it’s comes to the most important part of the process which is to restore the CA backup we made from windows server 2003.

•    Go To Server Manager > Tools > Certification Authority


•    Then right click on server node > All Tasks > Restore CA


•    Then it will ask if it’s okay to stop the certificate service in order to proceed. Click ok


•    It will open up Certification Authority Restore Wizard, click next to continue


•    In next window brows the folder where we stored backup and select it. Then also select the options as I did in below. Later click next to continue


•    Next window give option to enter the password we used to protect private key during the backup process. Once its enter click next to continue


•    In next window click “Finish” to complete the import process


•    Once its completed system will ask if it’s okay to start the certificate service again. Please proceed with it to bring service back online

Restore Registry info

During the CA backup process we also backup registry key. It’s time to restore it. To do it open the folder which contains the backup reg key. Then double click on the key.
Then click yes to proceed with registry key restore.


Once completed it will give confirmation about the restore.


Reissue Certificate Templates

We have done with the migration process and now it’s time to reissue the certificates. I had template setup in windows 2003 environment called “PC Certificate” which will issue the certificates to the domain computers. Let’s see how I can reissue them.

•    Open the Certification Authority Snap-in
•    Right click on Certificate Templates Folder > New > Certificate Template to Reissue


•    From the certificate templates list click on the appropriate certificate template and click ok


Test the CA

In here I already had certificate template setup for the PC and set it to auto enroll. For the testing purposes I have setup windows 8 pc called demo1 and added it to canitpro.local domain. Once it’s loaded first time in server I open certification authority snap in and once I expanded the “Issued Certificate” section I can clearly see the new certificate it issued for the PC.


So this confirms the migration is successful.