Thursday, July 09, 2015

Replicating and then migrating Server 2003 ADAM instance to Server 2012R2 AD LDS

OK, so yes, we're one of those organisations that still have Windows Server 2003 floating around; at least it's all patched up...


One of the things we're using it for is an ADAM instance that supplies users/credentials for an Extranet service, though the servers involved are also domain controllers...


With 2003 on its way out (end of support is 5 days away!), we've been working our way around our servers, upgrading or migrating as appropriate.


So as for our srv2003 domain controllers, we simply added a srv2012R2 server and dcpromo'ed it; largely job done...


But then there's the ADAM instance. 
Tried a backup and restore into AD LDS, no dice.
Tried simply copying the DB files, no dice.
Tried programmatically recreating the structure/accounts in a fresh AD LDS instance, no dice (our application didn't like something about the schema...)


So I tried adding an AD LDS instance as a replication partner of the existing ADAM instance (the supported migration path), and still no dice!
What? This is supposed to work!


Looking through the AD LDS instance's event log I found that replication was failing with an encryption error, which led me to this article: https://support.microsoft.com/en-us/kb/973678


So I scheduled a time to install the hotfix and tried it out...


First up, the article says you don't need to reboot... But the hotfix asks you to reboot (now or later).
I elected not to reboot, which is what the article suggested.  No dice...


So I rebooted...


No dice...


Still the same error.


So I uninstalled the AD LDS instance and created a new one, just the same way (using the Wizard to set up a replicated instance). After waiting 10-15 minutes for the initial replication to complete (not because the directory is big; replication just seems to run on a sparse schedule), boom! It worked.


So, key take away: if you're getting the encryption error when replicating ADAM to AD LDS, don't just install the hotfix (and apply the reg key) and expect the existing replica to recover; recreate the AD LDS instance as well.
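The checks I'd run on the new 2012 R2 replica before declaring the migration working, as an added example that is not part of the original post. The instance name "Extranet", LDAP port 50000 and the source host name are assumptions for illustration; the hotfix id is the one from the KB article above. It confirms the hotfix is installed, pulls recent errors and warnings from the instance's own event log (AD LDS logs to "ADAM (<instance name>)"), shows the inbound replication state, and forces a sync rather than waiting on the replication schedule.

```powershell
# Added example, not from the original post. Adjust these three values to your environment.
$InstanceName = 'Extranet'   # assumed AD LDS instance name
$LdapPort     = 50000        # assumed LDAP port of the instance
$HotfixId     = 'KB973678'   # hotfix id from the KB article referenced in the post

# 1. Confirm the hotfix is actually present on this server.
$hf = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
if ($hf) {
    "Hotfix $HotfixId installed on $($hf.InstalledOn)"
} else {
    Write-Warning "Hotfix $HotfixId NOT found on $env:COMPUTERNAME"
}

# 2. Each AD LDS instance writes to its own event log, named "ADAM (<instance name>)".
#    Pull the most recent Critical/Error/Warning events (Level 1/2/3) and show the first
#    line of each message; the replication encryption error shows up here.
$log = "ADAM ($InstanceName)"
Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 3. repadmin accepts host:port for AD LDS instances; this lists every inbound
#    replication link for the instance with its last attempt/result.
repadmin /showrepl "localhost:$LdapPort"

# 4. Don't wait for the schedule: force a sync of all naming contexts, across sites.
repadmin /syncall "localhost:$LdapPort" /A /e
```

If step 3 still reports the encryption error after the hotfix and reboot, that matches what happened here: the existing replica did not recover, and the fix was to remove the instance and set up the replicated instance again from scratch.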


Next steps for us:
  1. Switch the master over to be the AD LDS instance
  2. Add a second AD LDS instance for DR
  3. Remove the old ADAM instance.
I'll update this article if that proves interesting.