January 14th 2020 has come and gone which means unless you have either migrated your 2008 servers and their workloads to Azure (to get free security updates) or you have purchased an extended support agreement – you now have the situation of having to keep unsupported servers running key workloads in your environment. Even if you DID take advantage of one of these options – lets be honest and say it’s not Optimal and is a temporary fix at best. They were designed to give YOU MORE TIME to migrate existing workloads OFF the unsupported operating system “as is” OR to buy you more time to rearchitect the workload.
…but what about workloads that can’t be migrated or rearchitected?
Yesterday we talked about a workhorse of a workload running on Windows Server 2008 / 2008 R2 – The File Server… Todays post is about a workload that I personally find WAY more critical to the everyday operation of your environment. It’s the workload that in my opinion is probably your MOST important workload because it is the single source for the security representing the digital personification of your ENTIRE user base right down to your CEO: Active Directory.
I have been designing and updating Active Directory Designs since it came out – it was my specialty when I was in consulting. But now that I work at Microsoft – why not go to the source? Who better to ask then Mr. “AskDS” himself – Ned Pyle, Principal Program Manager from the Windows Server Team to talk shop about the #2 Workload for servers: “Active Directory Domain Controllers”.
There are a lot of manual and time sensitive steps that Ned goes through in this demo – but trust me, it’s not that bad when you actually get started.
At a high level:
- Leave your existing Windows Server domain controller as is
- Setup your new Windows Server domain controller
- Synchronize the new Windows Server domain controller with the old one
- Promote the new domain controller
- Transfer FSMO roles and Leverage new capabilities (RODC, RecycleBin and more)
- Demote the old domain controller
- Repeat this at each site where DCs exist
- Raise functional levels of AD and leverage new tech like AD Recycle bin
The main thing to remember is replication between sites and allowing your changes to replicate (or forcing it to speed up). The best part about this approach with integrating another DC into existing sites is that you will be introducing very little disruption to your end users in these sites – due to the multi-master architecture in use for Active Directory.
All the detailed information including a variety of caveats that could come up are documented over on Docs which can be reached at https://aka.ms/ws2008ADMigration
I hope you have enjoyed these Windows Server 2008 / 2008 R2 migration series episodes so far. Did we miss anything yet?
© Microsoft. This article was originally published by Microsoft's ITOps Talk Blog. You can find the original article here.