Wednesday, June 10, 2020

Active Directory Upgrade Test Plans and Pitfalls

I was recently asked to describe a test plan for upgrading forest/domain functional levels and any potential pitfalls. Just sharing some of my feedback to this community peer.

Probably the biggest "pitfall" would be any custom schema extensions. There are scripts to check for this sort of thing. In general, the domain/forest upgrades are benign. It's all the secondary stuff that you must watch for. Particularly, if you're putting in domain controllers with new names and IPs - that's where you'll get into trouble. I like to keep the IPs if I can.

Usually, I spin up a new server then pick a night to swap it for the old. Mostly that consists of:
  • Demote the old server
  • Shut down old server (IP is now free)
  • Verify server is missing from ADDS
  • Re-IP the new to what the old was.
  • Promote the new (again, IP first)
  • Watch for NTDS settings to be created automatically. Avoid adding them manually unless you have issues. Not seeing it in 5 minutes isn’t an issue. Give it 15-20 minutes if you need to.


These are the other issues to watch for. Not specific to the domain upgrade but cause more problems IMO.

LDAP pointed to specific names or IPs. I tend to push everyone towards a CNAME for LDAP that resolves to my DC of choice. Do not try to get cute and DNS round robin with A records. Just a single CNAME.

DNS scavenging is a role held by a single DC. If you're doing AD integrated DNS, make sure you move the scavenger role/config or you'll figure out in 6 months that you have a bunch of stale DNS records.

This should be obvious, but, inventory your fSMO roles and move them in advance. Not as scary as it sounds. **You’ll need to be schema admin to move one

Your PDC emulator handles domain time propagation. Make sure that your new PCD emulator is set to NTP in the registry. You can do this with w32tm. Be sure to pick a reliable external time pool source. All other DCs should be set to NT5DS in the registry, not NTP (same as any other domain member server/client)

Migrate any other jobs, agents, etc. I’ve seen several things on DCs.
  • Scripts to back up DNS, GPO, and so on. Check your scheduled tasks.
  • Make sure your firewall team doesn’t pull security logs. This can be done via WMI/DCOM or agent based.
  • Sometimes people like to get a Windows Backup of a primary. Watch for this. Make sure your backup system accounts for it if you’re not replacing it.


Watch for DNS
  • What are your other DCs pointed to? Check their network adapters as well as their forwarder configs.
  • What are your members pointed to?
  • Make sure you set your new DCs up properly. I like to do this…
    • Local domain controller peer (if there is one)
    • Remote domain controller peer
    • Loopback (127.0.0.1)
  • Don’t “kitchen sink” your DCs. Build them core, keep DHCP, RADIUS, file services, etc. off of them.


Get familiar with the following commands:
dcdiag /skip:systemlog
repadmin /replsum
repadmin /syncall /Aed
repadmin /kcc << helpful for jump starting partner connections in NTDS when replacing your DCs

No comments:

Post a Comment