Solved

Gotchas & Rollbacks for raising AD 2003 Interim to Native mode

Posted on 2007-11-27
Last Modified: 2012-05-05
Background information:
I am fully aware of *how* to raise interim mode to native mode and I know that our environment is ready to go (i.e. selecting "Raise Domain Functional Level" in AD returns no errors and selecting "Raise Forest Functional Level" reports only one domain that must be upgraded first). What I need is documented justification for management that this process is safe to continue and that *if* (by some freak of nature) something goes wrong, there is a plan to backout/rollback. I have found plenty of info online re rolling back when upgrading from NT4 or to 2000, but since we are running only 2003 DCs in Interim Mode, this info does not apply to us.

Our current environment:
Primary Site:
  Over 100 WinXP PCs
  A few Win2000 PCs
  2 Win2000 Servers
  21 Win2003 Servers, of which there are:
       2 Domain Controllers (both GCs, one holds all FSMO roles)
       1 Exchange 2003
  1 ESX VI3 server running dev & test guest VMs only (no production services)
Second Site:
  About 30 WinXP PCs
  1 Win2003 Server, Domain Controller (GC)
Sites are linked by 1Mb WAN

Previous SysAdmin migrated Server OS from NT4 to 2003 a few years ago. AD is currently running in Interim 2003 mode but previous upgrade project was never completed. All previous NT4 servers have been decommissioned. Current Win2000 servers provide legacy file sharing & SQL services only (and will be decommissioned soon).


Q: What are some of the known gotchas/issues/problems when upgrading AD 2003 Interim mode to 2003 native mode (if any)?

Q: How would we roll back (or at least plan & prepare for a rollback) if we encounter problems during the upgrade? Given our current site setup, can we utilize anything for backout/rollback purposes?

Personally, I believe this upgrade is a trivial process and that management fears are unfounded. Please comment...
Question by:mayday175
5 Comments
 
LVL 3

Accepted Solution

by:
l84work earned 100 total points
ID: 20363665
No roll back possible!

Do AD Authoritative restore.

1.  CHANGE DSRM PASSWORD using NTDSUTIL!!!
2.  Create a system state backup on your GC right before the change.
3.  Make the change.
4.  If broken, boot into safe mode and perform AD authoritative restore (RESTORE DATABASE).

0
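The steps in the accepted answer written out as commands for a Windows Server 2003 DC. This is an added example, not posted by anyone in the thread. The domain DN `DC=example,DC=com` and the backup path are placeholders, and `repadmin` assumes the Windows Support Tools are installed.

```batch
@echo off
rem Added example, not from the thread. Run on the GC that will be backed up.
rem   prepare : run in normal mode immediately before raising the level
rem   restore : run in Directory Services Restore Mode, only if the change
rem             has to be backed out
setlocal
set DOMAIN_DN=DC=example,DC=com
set BACKUP_FILE=D:\Backup\pre-raise-systemstate.bkf

if /i "%1"=="prepare" goto prepare
if /i "%1"=="restore" goto restore
echo Usage: %~nx0 prepare ^| restore
exit /b 1

:prepare
rem Record the functional-level attributes for the change record.
dsquery * "%DOMAIN_DN%" -scope base -attr msDS-Behavior-Version ntMixedDomain

rem Check that replication between the DCs is healthy before backing up.
repadmin /showrepl

rem Step 1: reset the DSRM Administrator password on this DC.
rem "null" means the local server; ntdsutil prompts for the new password.
ntdsutil "set dsrm password" "reset password on server null" q q

rem Step 2: system state backup taken right before the change.
ntbackup backup systemstate /J "Pre-raise system state" /F "%BACKUP_FILE%"
if not exist "%BACKUP_FILE%" (
    echo Backup file %BACKUP_FILE% was not created. Do not proceed.
    exit /b 1
)
echo Backup written to %BACKUP_FILE%. Step 3 (raising the level) is done in the AD console.
exit /b 0

:restore
rem Step 4: ntbackup has no command-line restore. Restore the system state
rem from %BACKUP_FILE% with the ntbackup GUI first, and do NOT reboot yet.
echo Confirm the system state has been restored from %BACKUP_FILE%, then
pause
rem Mark the restored database authoritative so it replicates outward
rem to the other DCs after the reboot into normal mode.
ntdsutil "authoritative restore" "restore database" q q
exit /b 0
```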
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 25 total points
ID: 20368241
As l84work says, the only rollback mechanism for a DFL/FFL upgrade is to do a full domain/forest recovery from a time prior to when you changed the functional level.

Having said that, there's almost zero risk involved in the process if, as you say, all of your NT4 BDCs have been long since decommissioned.  Your clients won't even notice the difference, really.
0
 
LVL 3

Author Comment

by:mayday175
ID: 20370501
Thanks l84work. Resetting the Directory Services Restore Mode Administrator account password is a very good idea, as no one knows what the previous SysAdmin had set it to. If we need to restore a system state backup, I assume the restored DC will replicate the old AD data to the other DCs. Not having done a system state restore before, my knowledge of this is only theoretical from MCSE studies I have done.

LauraEHunterMVP... I agree, this upgrade should be a no-brainer. But I am sure you are aware that any change requires a documented backout/rollback plan before the change can be approved.

Before I allocate points for this question, would anyone else care to add any further comments?
0
 
LVL 3

Expert Comment

by:l84work
ID: 20372247
> I assume the restored DC will replicate the old AD data to the other DCs.

Yes, it'll be done after authoritative restore.

0
 
LVL 3

Author Closing Comment

by:mayday175
ID: 31411364
Thanks guys/girls. l84work gets most points for specific info & Laura gets some for confirmation of what I already suspected. Thanks.
0
