New domain migration (2008 R2 to 2016 DC)

Purpose

To switch from old domain "very.long.name.net" to "new.net". The old servers are in a colo, the new ones are in Azure as VMs (Windows 7 support was still needed, so Azure AD was not usable.)

Process

Tunnels

The nice Windows minions created the Azure VMs for me and setup the ipsec endpoint, on my end I used PFSense to handle the ipsec tunnel between the colo and Azure. Very straight forward and similar to AWS. One thing I will say that Azure did right over AWS, was to implement IKEv2 and use SHA256. AWS is lagging behind on this, but since we are tunneling encrypted traffic anyway it makes no difference.

Just need to have them turn on IPv6 so I can bypass the tunnels altogether.

Trust

Creating the trust was simple enough.^[1]

• Create DNS conditional forwarder in the old domain controller to the new domain.
  • I did get an error that the IPs I used were not authoritative to the new domain. Does not seem to be an issue for what I am trying to do so moving on from here.
• Create DNS entries in the new servers (My Windows minions did this already. Good for them, except they disabled the firewall!)
• Open up domains and trust on the new server, create the two way connection, enter admin credentials for the old domain.

Group Permissions

The fun here is that I am not a Windows weenie, which makes the process fun to work through how Microsoft wants you to use their group structure. Thankfully I found a VERY useful article^[2] on how to best deploy the groups to allow cross permissions to resources during the migration process.

• In this case I will follow the AGDLP structure to ensure future compatibility. The last domain admins used random groups, and I followed their bad example and the existing group structure is useless.