New domain migration (2008 R2 to 2016 DC)

From Michael's Information Zone
Jump to navigation Jump to search


To switch from old domain "" to "". The old servers are in a colo, the new ones are in Azure as VMs (Windows 7 support was still needed, so Azure AD was not usable.) Process


The nice Windows minions created the Azure VMs for me and setup the ipsec endpoint, on my end I used PFSense to handle the ipsec tunnel between the colo and Azure. Very straight forward and similar to AWS. One thing I will say that Azure did right over AWS, was to implement IKEv2 and use SHA256. AWS is lagging behind on this, but since we are tunneling encrypted traffic anyway it makes no difference.

Just need to have them turn on IPv6 so I can bypass the tunnels altogether.


Creating the trust was simple enough.[1]

  • Create DNS conditional forwarder in the old domain controller to the new domain.
    • I did get an error that the IPs I used were not authoritative to the new domain. Does not seem to be an issue for what I am trying to do so moving on from here.
  • Create DNS entries in the new servers (My Windows minions did this already. Good for them, except they disabled the firewall!)
  • Open up domains and trust on the new server, create the two way connection, enter admin credentials for the old domain.

Managing Groups

Basic Structure

The fun here is that I am not a Windows weenie, which makes the process fun to work through how Microsoft wants you to use their group structure. Thankfully I found a VERY useful article[2] on how to best deploy the groups to allow cross permissions to resources during the migration process.

  • In this case I will follow the AGDLP structure to ensure future compatibility. The last domain admins used random groups, and I followed their bad example and the existing group structure is useless.

Group Policy Process

In this case I want to use loopback processing to ensure that users get different policies based on the computer they connect to.

For example; I want to apply an encryption policy if someone logs into a laptop, then a web browser policy for logging into a terminal server, a policy for logging into VDI environment, then a policy for logging into other servers. [3] For initial testing I want to use replace processing, or at least I think I do.

Replicate Distribution Lists

In this case I wanted to create a new DL structure. Something that would need fewer manual additions. So nothing of importance to note here.

Replicate Security Groups

The following example reads from the old domain, from a system that is already enrolled, then writes to the new domain. The old groups are Global and here I am creating Domain Local[4]

get-adgroup test-group | new-ADGroup -Server -Path "OU=SecurityGroups,DC=youdomain,DC=tld" -GroupScope 0 -Credential $PSCredential

File System Access

Since I plan on using the old domain for authentication, at least for the time being, I need to add the new Domain Local groups created previously so that users in the new domain can be added.

NOTE : The new groups I create are prefaced with "new_", thus the replace statement in the following powerhsell script.

get-adgroup -Filter {GroupScope -eq "Global"} -SearchBase "OU=SecurityGroups,DC=domain,DC=tld" | foreach {$_ | select -ExpandProperty name | foreach {$grouplist+="domain\$_"}}
get-childitem -Recurse $sourcedirectory | foreach {
    $fullpath=$_ | select -ExpandProperty fullname 
    $acloldobj=get-acl $fullpath
    $identitylist=$acloldobj | select -ExpandProperty access | select -ExpandProperty identityreference
    $acloldobj | select -ExpandProperty access | foreach {
       $FileSystemRights=$_ | select -ExpandProperty FileSystemRights
       $AccessControlType=$_ | select -ExpandProperty AccessControlType
       $IdentityReference=$_ | select -ExpandProperty identityreference
       $IsInherited=$_ | select -ExpandProperty IsInherited
       $InheritanceFlags=$_ | select -ExpandProperty InheritanceFlags
       $PropagationFlags=$_ | select -ExpandProperty PropagationFlags
       if ($grouplist -contains "$IdentityReference") {
            $newname=$identityreference -replace '\\','\new_'
            if ($identitylist -notcontains "$newname"){
                #echo $newname
                $newrule=New-Object System.Security.AccessControl.FileSystemAccessRule($newname,$FileSystemRights,$InheritanceFlags,$PropagationFlags,$AccessControlType)
                Set-Acl -Path $fullpath -AclObject $acl