
Best practices for upgrading from 2000 AD to a 2003 AD environment

Posted on 2006-06-23
Last Modified: 2010-04-18
We are about to go through an Active Directory upgrade from W2k AD to W2k3 AD.  I've read various documents from Microsoft and gone through the checklists as far as verifying current replication is happening correctly, DNS resolution, etc.  Here is a brief summary of our environment followed by some key questions that we would like advice on (best practices and/or real-world upgrade experiences instead of MS's document experience) :-)

Company itself - 2 main data center sites with approx 20 remote sites.  DCs exist only at the main sites.

5 DCs in total all running Windows 2000 SP4.

1 DC in the parent (w2k.pardomain.com)
2 DCs in south data center site (sdc1.childdom.pardomain.com  &  sdc2.childdom.pardomain.com)
2 DCs in north data center site (ndc1.childdom.pardomain.com  &  ndc2.childdom.pardomain.com)

Currently in AD/Sites we have two main sites set up, a North and a South (ndcx assigned to North; sdcx and w2k assigned to South).
DNS is running on all DCs.
DHCP is running on (w2k for the South region) and (ndc1 for the North region)

We have new hardware for all 5 DCs and the end result is that we will have all DCs on the new hardware with the same computer names and IP Addresses.

Various questions we have are:

1.  What would be considered the best practice for upgrading our domain?  Do we need to do an actual server OS upgrade, or can we just prepare the domain for 2003AD, install 2003 on the new servers and dcpromo them in, followed by dcpromo'ing the old 2000AD servers out?

2.  Once we have w2k upgraded, in the interim we will have a mixed configuration (2003AD and 2000AD) while we are working on converting the other servers. Should we expect any DNS-related issues with regard to clients resolving internal resources? (other than a server being offline, obviously)

3.  For DHCP, is it possible to export the current 2000 DHCP configuration and import that into 2003 DHCP?

4.  For DNS, (same as 3.) is it possible to export/import from 2000 to 2003?
Question by:qsnow
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 500 total points
ID: 16970080
Hi qsnow,
> 1.  What would be considered the best practice for upgrading our domain.  
> Do we need to do an actual server OS upgrade or can we just prepare
> the domain for 2003AD, install 2003 on the new servers and dcpromo them
> in followed by dcpromo'ing the old 2000AD servers out?

Yes, you can just prepare the AD for 2003 and install a 2003 DC in the domain.  That will effectively upgrade the domain to a 2003 domain in a 2000 Native Mode.

>
> 2.  Once we have w2k upgraded, in the interim we will have a mixed
> configuration (2003AD and 2000AD) while we are working on converting
> the others servers, should we expect any DNS related issues in regards
> to clients resolving internal resources? (other than a server being
> offline, obviously)

I would not expect any... but I'd make sure your event logs are clear of issues BEFORE beginning the upgrade.

>
> 3.  For DHCP, is it possible to export the current 2000 DHCP configuration
> and import that into 2003 DHCP?

Yes, though I had some difficulty doing this.  Given this is relatively unrelated to AD, I'd suggest moving this first and making sure it works.  Obviously, use a test environment.

>
> 4.  For DNS, (same as 3.) is it possible to export/import from 2000 to 2003

Make your DNS Active Directory Integrated, then the move should be easy.  Otherwise, save the zone files and you can reload them (I screwed that up once and was able to easily reload the zone files upon setting up the new DNS server).

Here are my recommended links (some MS, some not).
Here are some links that should get you going for upgrading a 2000 domain to 2003:

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

Hotfixes to install before you run adprep /Forestprep on a Windows 2000 domain controller to prepare the Forest and domains for the addition of Windows Server 2003-based domain controllers
http://support.microsoft.com/?kbid=331161

Commodore.ca | Windows | How To Upgrade Windows 2000 Domain to Windows 2003 Server
Quote from the top of this article: "Several glossy Microsoft presenters have stated that all you need to do to complete a Windows 2003 Domain upgrade is run ADPREP and then upgrade away.  This may work for very small / simple environments but it is definitely not good advice for most companies.  After upgrading five servers in two unrelated domains and installing many fresh copies of 2003 I can say that I personally would not skip a single step in the process I have developed below."
http://www.commodore.ca/windows/windows_2003_upgrade.htm

How can I transfer some or all of the FSMO Roles from one DC to another?
http://www.petri.co.il/transferring_fsmo_roles.htm

How To Create or Move a Global Catalog in Windows 2000
http://support.microsoft.com/?kbid=313994

[If you run Exchange 2000] Windows Server 2003 adprep /forestprep Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers
http://support.microsoft.com/default.aspx?kbid=314649

Windows Server 2003 Upgrade Assistance Center
http://www.microsoft.com/windowsserver2003/upgrading/nt4/upgradeassistance/default.mspx

[If using R2 release of Windows 2003] Extending Your Active Directory Schema for New Features in Windows Server 2003 R2
http://www.microsoft.com/downloads/details.aspx?familyid=5B73CF03-84DD-480F-98F9-526EC09E9BA8&displaylang=en

Cheers!
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 16970133
How to move a DHCP database from a computer that is running Windows NT Server 4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows Server 2003
http://support.microsoft.com/?id=325473

How can I move a DHCP database from one server to another?
http://www.windowsitpro.com/Article/ArticleID/13473/13473.html

How can I move DNS from one Windows 2000 Server to another Windows 2000 Server?
(Two Related if going 2000 to 2003 - read both before moving)
http://www.jsifaq.com/subG/TIP3300/rh3357.htm
http://www.jsifaq.com/SUBN/tip6700/rh6731.htm
 
LVL 1

Author Comment

by:qsnow
ID: 16970511
Leew,

Thanks for the fast/excellent reply.  A couple of follow-ups just to make sure I'm clear -- clarity is a good thing :-)

So, our process would be something like:

1. On w2k.pardomain.com
    Adprep /forestprep
    Adprep /domainprep
2. Wait for replication and verify replication happened
3. DCPromo 2003 server that is on new hardware into the pardomain.com

<unsure point - do we also need to run Adprep /domainprep on the child domain (sdc1.childdom.pardomain.com)>?

4. DCPromo (demote) server (sdc2.childdom.pardomain.com) and remove it from the network
5. DCPromo 2003 server that is on new hardware with sdc2 naming convention and IP Address into the (childdom.pardomain.com domain)
6+.  Repeat of 4 and 5 to get all the DCs replaced/upgraded.

Does this sound like a correct procedure?  Any gotchas you can think of in this situation?  All of our DNS is AD Integrated already, so I assume once a 2003 server is introduced and DCPromo'd in, it should replicate all the DNS from the other servers.
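The checks around steps 1 to 3 of the procedure above, written up as a batch script; this is an added illustration, not something posted in the thread. It assumes it is run on w2k.pardomain.com (the forest root, which must hold the Schema Master for forestprep) by an Enterprise/Schema Admin, that the Windows 2000 Support Tools (dcdiag, repadmin, netdom, ldifde) are installed, and that the Server 2003 CD is in D: and R2 disc 2 in E:; the DC names and DN are the ones from the question.

```batch
@echo off
rem Added example, not from the thread: health checks around ADPREP for the
rem forest in the question. Assumes: run on w2k.pardomain.com (Schema Master)
rem as Enterprise/Schema Admin, Windows 2000 Support Tools installed,
rem Server 2003 CD in D:, R2 disc 2 in E:.
setlocal
set FOREST_DN=dc=pardomain,dc=com
set DCS=w2k sdc1.childdom.pardomain.com sdc2.childdom.pardomain.com ndc1.childdom.pardomain.com ndc2.childdom.pardomain.com

if "%1"=="precheck"   goto precheck
if "%1"=="forestprep" goto forestprep
if "%1"=="schemaver"  goto schemaver
echo usage: %0 precheck ^| forestprep ^| schemaver
goto :eof

:precheck
rem Know where the roles live: forestprep runs on the Schema Master, and
rem domainprep must be run separately in EACH domain (pardomain.com and
rem childdom.pardomain.com) on that domain's Infrastructure Master.
netdom query fsmo
rem Replication must be clean on every DC before the schema is touched.
for %%D in (%DCS%) do repadmin /showreps %%D
dcdiag /e /test:replications /test:fsmocheck /test:knowsofroleholders
goto :eof

:forestprep
rem 2003 RTM schema first, then the R2 extension from disc 2 of the R2 set
rem (the R2 adprep lives under CMPNENTS\R2\ADPREP on that disc).
D:\i386\adprep.exe /forestprep
E:\CMPNENTS\R2\ADPREP\adprep.exe /forestprep
rem Push the schema partition to all DCs instead of waiting for the
rem inter-site replication interval.
repadmin /syncall w2k "cn=schema,cn=configuration,%FOREST_DN%" /e /P
goto :eof

:schemaver
rem objectVersion on the schema head: 13 = Windows 2000, 30 = Server 2003,
rem 31 = Server 2003 R2. Every DC must report the same value before the
rem first 2003 server is dcpromo'd in (this is your "verify replication").
for %%D in (%DCS%) do (
  ldifde -f %TEMP%\schema.ldf -s %%D -d "cn=schema,cn=configuration,%FOREST_DN%" -p base -l objectVersion >nul
  echo %%D: & findstr /i objectVersion %TEMP%\schema.ldf
)
goto :eof
```

Run `precheck` before anything else, `forestprep` only once the precheck output is clean, and `schemaver` until all five DCs show 31.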
 
LVL 1

Author Comment

by:qsnow
ID: 16970579
Sorry, one more - The last link you posted talked about R2 schema -- our new controllers will be R2.  We are safe just running the adprep from the R2, correct?  That will do the prep we need for 2003AD in general along with the R2 additions, correct?
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 16970658
You need to run ADPREP 3 times on an existing DC - twice (forest and domain) from the 2003 CD, and once from disk 2 of the R2 set, following the instructions I posted.  (Running it more than that won't hurt - or help, so if you're not sure, just run it again).  But note, there are TWO ADPREP programs.

I would run ADPREP on each domain to ensure they are up to date.  As I said, it won't hurt anything.

At step 4, I wouldn't demote right away - I'd turn it off for a week or two - JUST TO BE CERTAIN.  Make sure after everything is working, you turn it back on and PROPERLY remove it from the domain, but I wouldn't demote it RIGHT AWAY.

Always, the best thing to do is set up a small test network and test it.  I can tell you what I experienced, but if nothing went wrong for me, there's no certainty you'll be doing EXACTLY the same things EVERYWHERE I did.  Test it.  Get familiar with the process, then do it in production.
 
LVL 1

Author Comment

by:qsnow
ID: 16970841
For our situation, I don't know that we can avoid demoting during this process, since we need the computer names for the new DCs on new hardware to match the names of the old -- if we tried to bring an old machine online in a week with the same name and demote, I'd suspect a slew of issues.
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 16970871
These are just DCs, right?  Why do you need the same computer names?

In my opinion, trying to preserve computer names is one of the biggest headaches an admin can have, and in a well designed (and appropriately funded) network there is little need for it.
 
LVL 1

Author Comment

by:qsnow
ID: 16970937
Yes, they are mainly just DCs (DHCP and DNS services as well)...  We have various 3rd party .NET apps as well as 3rd party vendor programs that may be using the FQDN to pull information from certain of our AD servers.  IP Address wise, since these machines are running DHCP and DNS, that would be an issue as well, having to change all of our routers, forwarders, and such... so at a minimum, the IP Address 'must' remain the same for the new roles of these machines.