New domain migration (2008 R2 to 2016 DC)

From Michael's Information Zone
Revision as of 09:19, 18 June 2018

Purpose

To switch from the old domain "very.long.name.net" to "new.net". The old servers are in a colo, the new ones are in Azure as VMs (Windows 7 support was still needed, so Azure AD was not usable).

Process

Tunnels

The nice Windows minions created the Azure VMs for me and set up the IPsec endpoint; on my end I used pfSense to handle the IPsec tunnel between the colo and Azure. Very straightforward and similar to AWS. One thing I will say Azure did right over AWS was to implement IKEv2 and use SHA-256. AWS is lagging behind on this, but since we are tunneling encrypted traffic anyway it makes no difference.

Just need to have them turn on IPv6 so I can bypass the tunnels altogether.

Trust

Creating the trust was simple enough.[1]

  • Create a DNS conditional forwarder on the old domain controller for the new domain.
    • I did get an error that the IPs I used were not authoritative for the new domain. Does not seem to be an issue for what I am trying to do, so moving on from here.
  • Create the DNS entries on the new servers (my Windows minions did this already. Good for them, except they disabled the firewall!)
  • Open Active Directory Domains and Trusts on the new server, create the two-way trust, and enter admin credentials for the old domain.

[1] http://www.mustbegeek.com/create-two-way-forest-trust-in-windows-server-2008-r2/
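The steps above, scripted and verified, as an added example that is not part of the original wiki page or its linked guide. It assumes it is run in an elevated PowerShell on the new 2016 DC (which has the DnsServer and ActiveDirectory modules; the 2008 R2 side only has dnscmd), that the old DCs are reachable over the IPsec tunnel, and that the IP addresses, credential prompt and host names are placeholders for this environment.

```powershell
# Added example, not from the wiki page. Run on the NEW (2016) DC as a domain admin.
# Placeholder addresses: old DCs in the colo, reachable through the IPsec tunnel.
$oldDomain = 'very.long.name.net'
$newDomain = 'new.net'
$oldDcIps  = @('192.0.2.10', '192.0.2.11')   # placeholder: very.long.name.net DCs
$newDcIps  = @('10.1.0.10', '10.1.0.11')     # placeholder: new.net DCs in Azure

# 1. Conditional forwarder in the NEW forest's DNS for the old domain, replicated to
#    every DC in the forest so any new DC can find the old one.
if (-not (Get-DnsServerZone -Name $oldDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $oldDomain -MasterServers $oldDcIps -ReplicationScope 'Forest'
}

# 2. The old side is 2008 R2, so the DnsServer module cannot manage it remotely;
#    dnscmd still works there. Run this on the old DC (or via its console):
#    dnscmd /ZoneAdd new.net /DsForwarder 10.1.0.10 10.1.0.11
#    The "not authoritative" warning the wizard shows is cosmetic for a forwarder;
#    the real test is whether the DC locator SRV records resolve in both directions.
foreach ($d in @($oldDomain, $newDomain)) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV -ErrorAction Stop
    Write-Host "DC SRV records for ${d}: $(($srv | ForEach-Object NameTarget) -join ', ')"
}

# 3. Two-way forest trust, created from the new forest with admin creds for the old one
#    (the same thing the Domains and Trusts wizard does). Forest.CreateTrustRelationship
#    is the .NET API behind the wizard.
$cred = Get-Credential -Message "Admin account in $oldDomain"
$ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
            [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
            $oldDomain, $cred.UserName, $cred.GetNetworkCredential().Password)
$oldForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$newForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
if (-not (Get-ADTrust -Filter "Target -eq '$oldDomain'" -ErrorAction SilentlyContinue)) {
    $newForest.CreateTrustRelationship($oldForest,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
}

# 4. Verify the trust object and the secure channel in both directions. A trust that
#    shows up in AD but fails /verify usually means DNS or a blocked port on the tunnel.
Get-ADTrust -Filter "Target -eq '$oldDomain'" |
    Select-Object Name, Direction, ForestTransitive, TrustType | Format-Table -AutoSize
netdom trust $newDomain /domain:$oldDomain /verify /twoway

# 5. The firewall should not have been disabled to make the trust work; confirm every
#    profile on the new DC is still on, and fix it if someone turned it off.
$off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
if ($off) {
    Write-Warning "Firewall disabled for profile(s): $($off.Name -join ', ') - re-enabling"
    $off | Set-NetFirewallProfile -Enabled True
}
```

The forwarder check in step 2 is the one to run first: the trust wizard's error about non-authoritative IPs is harmless, but if the `_ldap._tcp.dc._msdcs` lookup fails in either direction the trust creation or validation will fail with a far less helpful message. Step 5 is there because the only ports the trust needs (DNS, Kerberos, LDAP, SMB, RPC) can be opened as firewall rules scoped to the tunnel subnet; turning the firewall off entirely is not required.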