Domain controller replacement: what about the old AD controller? Can it stay on the network?

Hello,
I discovered UCS and I'm enthusiastic. But I have a question before starting…
If I understand correctly, after following the “Active Directory Takeover (migration of MS AD domains to UCS)” tutorial, the last step it talks about is “switch off the old AD controller”.
The question is simple: can I leave the old MS server “up & running” on the network, to continue (a little bit) using/switching other services such as storage sharing or Remote Desktop Services?
Thanks a lot for your answer!
Kind regards.

If they are only domain member servers (not AD domain controllers) they can still be active in the domain after the migration, the same as the clients.

But the AD domain controllers must all be powered off, so before the migration you need to move the data to another member server in the domain if the DCs hold some data or applications.

rg
Christian

You can NEVER put the old AD back onto the network.

It must not even be connected once it is powered off; take the disk drives out & store them someplace for a year, just in case.

I have seen cases where an old AD has been switched on because people wanted to find out what the old system contained.

The ADs have sequence numbers to keep them aligned & to authenticate the client machines; put them both back and it will create havoc with the sequence numbers, DNS/DHCP & computer authentication to the server.
Also, DO NOT do a migration lightly: if it fails, the original AD is NOT in the same state as when you started.
Don’t care what people claim about nothing being touched in the original; it is NOT true.

Absolutely the BEST way to do a takeover is to make a clone of the original, set up a new switch not connected to the original network, run a takeover “test” on your dummy, and if it works you should be good to do the original.
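As an added illustration of the “sequence numbers” point above (this is a constructed model, not code from the post, from Univention or from Samba/Windows): every DC has an invocation ID for its copy of the database and a monotonic USN; a replication partner remembers, per invocation ID, the highest USN it has already received and only asks for changes above that mark. A DC brought back from an old disk image with its old invocation ID therefore produces changes the partner never requests. The model assumes two DCs and one naming context; the names MS-DC and UCS-DC, the attributes and the values are invented, and the partner-side `rollback_suspected` check is the model’s own rather than Windows’s exact mechanism.

```python
"""Why a switched-off DC must not come back: a constructed model of AD's
replication bookkeeping (invocation IDs and USNs). Not Samba or Windows code."""
import copy
import uuid
from dataclasses import dataclass, field


@dataclass
class DomainController:
    name: str
    # identity of this copy of the database; partners key their watermarks on it
    invocation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    highest_usn: int = 0                              # local, monotonic update sequence number
    data: dict = field(default_factory=dict)          # attribute -> current value
    log: list = field(default_factory=list)           # (usn, attribute, value) originated here
    watermarks: dict = field(default_factory=dict)    # partner invocation_id -> highest USN received

    def write(self, attribute, value):
        """Originating write: bump the local USN and record the change."""
        self.highest_usn += 1
        self.data[attribute] = value
        self.log.append((self.highest_usn, attribute, value))

    def pull_from(self, source):
        """Inbound replication: ask only for changes above the USN we last saw
        for the source's invocation ID, then advance that watermark."""
        seen = self.watermarks.get(source.invocation_id, 0)
        applied = 0
        for usn, attribute, value in source.log:
            if usn > seen:
                self.data[attribute] = value
                seen = usn
                applied += 1
        self.watermarks[source.invocation_id] = seen
        return applied

    def rollback_suspected(self, source):
        """Partner-side sanity check (this model's own): the source's counter is
        below what we already received from that invocation ID, so it went back in time."""
        return source.highest_usn < self.watermarks.get(source.invocation_id, 0)


def takeover_then_revive_old_dc(proper_restore):
    """Take over from MS-DC, switch it off, then bring it back from an old image."""
    ms_dc = DomainController("MS-DC")     # constructed names and values
    ucs_dc = DomainController("UCS-DC")

    ms_dc.write("alice.pwd", "pw-v1")
    ucs_dc.pull_from(ms_dc)               # takeover: UCS replicates the directory
    image = copy.deepcopy(ms_dc)          # disk image / VM clone taken at this point

    ms_dc.write("alice.pwd", "pw-v2")     # last changes on MS-DC before switch-off
    ms_dc.write("bob.pwd", "pw-v1")
    ucs_dc.pull_from(ms_dc)               # UCS watermark for MS-DC's invocation ID is now 3
    # MS-DC is powered off here; UCS carries on as the only DC.

    revived = copy.deepcopy(image)        # someone boots the old image again
    if proper_restore:
        # a supported restore presents a fresh invocation ID, so partners
        # start from USN 0 for it instead of trusting their old watermark
        revived.invocation_id = uuid.uuid4().hex
    revived.write("alice.pwd", "pw-v3")   # password reset on the revived box: USN 2 again

    suspected = ucs_dc.rollback_suspected(revived)
    ucs_dc.pull_from(revived)
    return {
        "rollback_suspected": suspected,
        "ucs_sees": ucs_dc.data["alice.pwd"],
        "revived_has": revived.data["alice.pwd"],
    }


if __name__ == "__main__":
    print("old image, same invocation ID:", takeover_then_revive_old_dc(False))
    print("proper restore, new invocation ID:", takeover_then_revive_old_dc(True))
```

With the old invocation ID the password reset made on the revived DC never reaches UCS, and the two directories silently disagree until a client happens to authenticate against the wrong one. Windows DCs detect this condition themselves (USN rollback, logged as event 2095) and stop replicating; the model only covers the sequence-number part, not the stale computer-account passwords, Kerberos keys and DNS records the post also mentions, which is why the practical answer in the thread is simply never to reconnect it.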

Thank you very much for your answer.
Your advice about a takeover test is exactly what I tried.
A VM virtual network with a copy of the srv2012 VM, a new AD client VM and a new UCS 5 VM, all snapshotted at the beginning.
But it always gives an error about 4 scripts not running (all 4 about s4).
I tried:

  • join the AD (OK), then install takeover (doesn’t work: no takeover run button, and an alert about 4 modules not registered, the 4 scripts failed)
  • create a new UCS domain, then try to install takeover to attempt a takeover of a non-joined AD. Not working.
    I’m lost in the face of this problem…

Those 4 are pending and produce errors…
[Screenshot 2023-08-02 15-13-40]

I presume that if this is resolved I will find a “take over” button. Actually, the “takeover” app is installed (almost, due to the error), but there is no “run” option… :frowning:

When you do a “takeover”, the scripts trash any domain setup on the Univention; they basically clear the system down.

You should not be joining the AD first, since that would add your UCS system to the MS domain & when it got cleared down, it would disappear and show up as a missing server.

(They may have fixed this.)
Generally I set up the UCS as a separate system, to keep the MS domain clean of UCS clutter, then do a straight “takeover”.

The system is joined to the MS domain so that it replicates all the data from the “master” MS server.

Then in the final stages, after this replication, it copies over the sysvol (actually you do this), then you turn off the master, and some other scripts fix up the IP address & various other domain strings.

So… it is absolutely critical that all your services on your MS domain controller are working flawlessly & you have set emulation to, I think, the 2008 version.

But this is why you use the test setup…

If your MS services are not working perfectly before you do the migration, doing the migration is not going to fix them.


Thank you for your help !
Finally, indeed, I discovered my win2012srv was “too young” :wink: max 2008 to migrate…
Then I tried a clean new DC, with new GPOs, and to my surprise it was working fine with Win 10 & 11 clients…
Do you think I can replace the old DC with this DC (then detach/re-attach each PC)?
UCS then emulates 2008 srv? Older than my 2012? Is it safe? Stable? Secure?
Thanks.

With this tool you can migrate user profiles from one domain to a new domain (also rejoining the PC):

https://www.forensit.com/

rg
Christian

Yes, you can use a new DC, but the login information will not be moved.
You have to set up each user & re-bind the machines; it’s a lot of work…

I actually recently did a “name” change against a UCS domain, that is to say I took a UCS setup & renamed the domain whilst keeping all the logins & machine bindings, as well as the AD keys and sequence numbers.

I looked at “forensit” but it would not handle such a case, specifically because it expects an MS AD controller,
which is NOT the same as a SAMBA domain controller.

It is NOT something I would take on lightly… Be aware MS made some security changes in the AD late in 2022 that WILL break migrations & cloning of ADs.

I had to write some code to go into the LDAP & re-format, re-stamp some of the LDAP data fields.

Even the programmers on the SAMBA forum were very surprised it worked… because the tools available have not been worked on for some time…

Also be aware there are still some bugs, either in UCS or SAMBA, that are breaking GPOs; when they are worked on with Win 10/11, it results in non-execution sometimes…

There is a fixup in SAMBA, that you can run from the UCS command line to validate & correct the GPO access rights…

I think for some reason that UCS/SAMBA is stamping certain areas of the GPO file structure with Linux “ROOT”!!!
rights & owners. After running the fixup tools these are reset & it all works again.
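The Samba fixup referred to above is `samba-tool ntacl sysvolcheck` (verify the NT ACLs on the sysvol share against what the GPO objects in the directory say they should be) and `samba-tool ntacl sysvolreset` (rewrite them). The wrapper below is an added example, not part of UCS or Samba: it runs the check first, resets only when the check fails, and re-checks afterwards so a reset that did not take effect is reported. The two samba-tool subcommands are real; the wrapper, its injectable runner and the `ScriptedRunner` stand-in for dry runs are this example's own. It must run as root on the DC.

```python
"""Check sysvol NT ACLs with samba-tool and reset them only when the check fails.

Added example (not Samba or UCS code). The samba-tool subcommands are real;
the wrapper, the injectable runner and ScriptedRunner are this example's own.
"""
import subprocess
from typing import Callable, List, Sequence

Runner = Callable[[Sequence[str]], int]


def run_command(argv: Sequence[str]) -> int:
    """Default runner: execute argv on the DC and return its exit status."""
    return subprocess.run(list(argv), check=False).returncode


class ScriptedRunner:
    """Stand-in runner for dry runs: returns pre-scripted exit codes and
    records which commands would have been executed."""

    def __init__(self, exit_codes: List[int]):
        self.exit_codes = list(exit_codes)
        self.calls: List[str] = []

    def __call__(self, argv: Sequence[str]) -> int:
        self.calls.append(" ".join(argv))
        return self.exit_codes.pop(0)


def fix_sysvol_acls(run: Runner = run_command, samba_tool: str = "samba-tool") -> str:
    """Return "ok" (check passed), "reset" (reset was needed and verified)
    or "failed" (reset failed, or the re-check still fails).

    sysvolcheck exits non-zero when the ACLs on sysvol differ from what the
    directory expects; sysvolreset rewrites the ACLs of every policy, so only
    do it when the check says it is needed and confirm afterwards.
    """
    check = [samba_tool, "ntacl", "sysvolcheck"]
    if run(check) == 0:
        return "ok"
    if run([samba_tool, "ntacl", "sysvolreset"]) != 0:
        return "failed"
    return "reset" if run(check) == 0 else "failed"


if __name__ == "__main__":
    print(fix_sysvol_acls())
```

After a reset, test a GPO from a Windows 10/11 client with `gpupdate /force` and `gpresult /r` before assuming the problem is gone; the wrapper only verifies that Samba agrees with itself about the ACLs, not that the client can apply the policy.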
