Migrate Active Directory Domain and Forest with Veeam Replica

Posted on Link State By Link State No Comments on Migrate Active Directory Domain and Forest with Veeam Replica
Active Directory migration

In this guide, we will discuss how to Migrate Active Directory Domain and Forest with Veeam Replica. Managing complex Active Directory environments requires careful planning, precision, and reliable tools. When it comes to migrating a domain or an entire forest, the stakes are high: errors in replication or synchronization can have significant impacts on the IT infrastructure. Please, see Active Directory: How to Setup a Domain Controller, and “Enter connection information for your on-premise directory or forests: Azure AD connect unable to connect directory, forest not available“.

In this context, Veeam proves to be a valuable ally, offering replication and backup solutions that simplify the migration process while reducing risks and downtime.

In this guide, I will share my hands-on experience migrating an Active Directory domain and forest using Veeam’s features. The goal is to provide a clear and detailed path, with tips, best practices, and critical points to monitor, for anyone facing a similar challenge.

Whether you are an experienced system administrator or an IT infrastructure engineer, you will find practical guidance to plan and execute a secure and efficient migration.

Also, see How to Add a Delete Lock on Azure Resources, Hardening Active Directory – GPO MSCT 1.0 CIS Benchmark – Policy Analyser, and MSSQL DMA Compatibility Mode: Prepare and Migrate Safely.

Virtual Environment Scenario

Below are the details of my virtual environment and can be different for you as well.

vCenter Win:   Vmware 5.5.0 - build 264648
VMware ESXi:  5.5.0 - build 3029944
New VCSA :       VCSA 6.7.0 - build 15129973
VMware ESXi 6.5.0 - build 15256549

Active Directory Environment

Remember that from the Windows 2012 R2 version it is possible to clone a DC through the official MS procedure. Please, see this post for more information. Here is also another interesting post.

AD Single Forest\Domain: Functional level 2012 R2

If you have distributed FSMO roles on different DCs move them on a single DC before migration and carry out the preparatory checks post moving FSMO roles.

DC01 all FSMO roles- Primary DNS - Sync time Externa NTP

Forest Role:

Master scheme, and
Domain name master

Domain role:

RID Master
PDC emulator
Master Infrastructure

DC02 - Secondary DNS
DC03 - Tertiary DNS

Veeam backup Enviroment: 9.5 U4 Virtual appliance (Hot add)

If possible, before proceeding with production, it is recommended to test everything in a laboratory and / or pre-production environment.

Please, see Install SQL Server Always On & Configure Veeam Plug‑in for SQL, how to Migrate Active Directory Domain and Forest with Veeam Replica, and Hardening Active Directory – GPO MSCT 1.0 CIS Benchmark – Policy Analyser.

Step by step check and migration of Active Directory

1: First of all check the UUID of the 3 DCs:

wmic csproduct get "uuid"

IMPORTANT** Never change UUID to a Domain Controller. The GUID is the means for AD to identify a DC for replication. It is important that it remains unchanged, above all, unique for each DC).

  1. VM migration  export and import generates new vHw device UUIDs, the new UUIDs for devices such as NICs tends to trigger   re-activation windows license of the VM.
  2. wmic csproduct get “uuid” ( if UUID changes the windows license it will be reset and could also corrupt the active direcory db and \ or have replication problems etc).
  3. Save the UUIDs of each DC.
  4. Set up a replication job (Application aware enable & Domain Admin user, from Active directory it is possible to give granular permissions to a single users) for each single DC starting from the DCs without FSMO role.

Edit Replication job and select the VM to replicate

Enter the destination information

Add network

Ensure the repo is selected

Select the data transfer mode and click on Next

Please, see “Migrate Veeam MSSQL Database to a new Microsoft SQL Server“, how to Install WSL on Windows, and “How to use the Program Compatibility Troubleshooter to Test Application Compatibility on Windows 11“.

Enable Guest Processing

6: Assigning the backup service user ” [email protected]” (preferred UPN format) “Domain Admin” and deny “interactive logon” and other restricition Deny “Logon as a Batch” ‘or’ “Deny Logon as a service” etc depends on your needs. See this link for more information.

TASK 1 – Migration of Active Directory

Check FSMO roles & Global Catalog: From dos:  

netdom query fsmo

7: From PS:  Get-ADForest “domain.local” | ft DomainNamingMaster, SchemaMaster Get-ADDomain “domain.local” | ft InfrastructureMaster, PDCEmulator, RIDMaster

  • Disable the DC3 node from the virtual service of the netscaler load balancer. (optional)
  • Full backup Active Directory (system state) of 3 DC (VM Online).
  • Precautionary reboot
  • Shutdown DC3 Windows 2012 R2.
  • Incremental Backup (VM Power Off).
  • Lunch Veeam Replica (VM Power Off)

Veeam Failover Now. Start up VM DC03_Replica on new DC VMware.

Check & compare UUID on replicated DC3_Replica –> wmic csproduct get “UUID”

Check functionality of new DC3_replica + check replication and check health AD status.

nltest /dclist:domain.local
dsquery server -domain "domain.local" | dsget server -isgc -dnsname
DsQuery Server -o rdn -Forest
 netdom query fsmo

repadmin /syncall or manual force replication from AD site & services

repadmin.exe /showrepl
repadmin.exe /replsum
repadmin.exe /replsum %computername%
dcdiag
netdiag.exe

DCDiag (part of WS03 SP1 Support tools) displays all information about Domain Controller information.

dcdiag.exe /V /C /D /E /s:#DomainControllerName# > c:\dcdiag.log

NetDiag provides information about specific network configuration for the local machine.

netdiag.exe /v > c:\netdiag.log

RepAdmin helps diagnose AD replication issues with WS03 and WS08 DC’s.

repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues.

dnslint /ad /s #IPAddressOfServer#

Please, see How to troubleshoot Active Directory Replication issues, How to add a new Domain Controller to an Existing Domain, and Preliminary Guide for Active Directory and Initial Assessment.

Undo-Failover

If you encounter problems from Veeam ,igration. Please, run the “Undo Failover” and turn on the old DC previously off.

Check event viewer for AD service related.

No problems found -->  Veeam --> "Permanent Failover"

Reactivation of the Netscaler DC3 side balancing node (optional)

Task 2 – Migration of Active Directory

DC2 - no FSMO only secondary DNS - perform the previous steps of DC3

Disable the DC2 node from the virtual service of the netscaler load balancer (optional)

Please, see AD Recovery: Fix device ran into an issue with error 0xc00002e2, Perform Key Distribution Center Service [krbtgt] Password reset, and Raise or Downgrade AD Domain and Forest Functional Level,

Task 3 – Migration of Active Directory

DC01 all FSMO roles, For more information, please see this Microsoft Learn Article. Moving FSMO role from DC1 to DC2 from PS Active Directory:

Move-ADDirectoryServerOperationMasterRole -Identity "dc2.domain.local" -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
  • Waiting for replication check, check time domain etc.
  • Disable the DC1 node from the virtual service of the netscaler load balancer. (optional)
  • Full backup Active Directory (system state)dei 3 DC (VM Online).
  • Precautionary reboot
  • Shutdown DC1 Windows 2012 R2.
  • Incr backup (VM power Off).
  • Lunch Veeam Replica (VM power Off)
  • Veeam Failover Now —> start up VM DC01_Replica on new DC Vmware.
  • Check & compare UUID on replicated DC1_Replica –> wmic csproduct get “UUID”
  • Check functionality of new DC1_replica + check replication and check health AD status.

Active Directory Health, Replication, and Diagnostic Commands

nltest /dclist:doamin.local
dsquery server -domain "domain.local" | dsget server -isgc -dnsname
DsQuery Server -o rdn -Forest
netdom query fsmo
repadmin /syncall or manual force replication from AD site & services
repadmin.exe /showrepl
repadmin.exe /replsum
repadmin.exe /replsum %computername%
dcdiag
netdiag.exe
DCDiag (part of WS03 SP1 Support tools) displays all information about Domain Controller information.
dcdiag.exe /V /C /D /E /s:#DomainControllerName# > c:\dcdiag.log
NetDiag provides information about specific network configuration for the local machine.
netdiag.exe /v > c:\netdiag.log
RepAdmin helps diagnise AD replication issues with WS03 and WS08 DC’s.
repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues.
dnslint /ad /s #IPAddressOfServer#

If you encounter problems from Veeam, perform “Undo Failover” and turn on the old DC previously off.

No problems found –> Veeam –> Perform “Permanent Failover

Check event viewer for AD service.
Reactivation of the Netscaler DC1 side balancing node. (optional)

Moving FSMO role da DC2 to DC1 + wait active directory replication or force it & check preparatory post fsmo roles move:

nltest /dclist:doamin.local
nltest /dclist:doamin.local
dsquery server -domain "domain.local" | dsget server -isgc -dnsname
DsQuery Server -o rdn -Forest
netdom query fsmo
repadmin /syncall or manual force replication from AD site & services
repadmin.exe /showrepl
repadmin.exe /replsum
repadmin.exe /replsum %computername%
dcdiag
netdiag.exe

Moving FSMO roles from DC2 a DC1 + wait Active Directory replication or force it & check AD status health post FSMO roles move.

Move-ADDirectoryServerOperationMasterRole -Identity "dc1.domain.local" -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

Reconfigure NTP server on DC1

w32tm /config /manualpeerlist:"Ip your external time sync server" /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time

Verify Server Configuration

Confirm that the server is configured correctly:

w32tm /monitor
w32tm /query /status

Run the command on two DCs that are not PDC DC02 and DC03.

w32tm /config /syncfromflags:domhier /update
w32tm /resync /nowait
net stop w32time
net start w32time
w32tm /query /configuration

Please, see Active Directory Flexible Single-Master Operations Roles [FSMO], Veeam Agent for AIX: Initial Deploy/UUID Error, and Specify user account name when adding a DC to an existing Forest.

Validate Reachability from the PDC Emulator

Check that the configured time server is reachable from the PDC.

w32tm /stripchart /computer:"Ip your external time sync server" /samples:3 /dataonly
  • Check the correct domain time on the servers and clients.
  • Create a user, a group and verify that the objects are replicated on all DCs.
  • Create a file in the sysvol and verify the correct replication of the file on the sysvol of the DC partners.
  • Check Ip DNS forwarder.

I hope you found this article on how to Migrate Active Directory Domain and Forest with Veeam Replica very useful. Please, feel free to leave a comment below.

5/5 - (1 vote)
Backup, Windows Server Tags:, , ,

Related Posts

More Related Articles

WSUS Post deployment Configuration Failed The schema version of the database is from a newer version of wsus Windows Server
banner How to Edit Windows Hosts File via PowerToy Editor Utility Web Server
sadx Error 0x80070002: When trying to mount an image file Windows Server
adac Enable Active Directory Recycle Bin: How to delete and restore objects using Active Directory Administrative Center Windows Server
1 kAUgwdVYmcVgUSXiwUkObw Error 0x801c001d – Automatic registration failed: Failed to look up the registration service from AD Windows Server
Hyper V Virtual Switch Copy How to Create VDI Collections on Windows Server 2022 Network | Monitoring

Leave a Reply