Gotchas & Rollbacks for raising AD 2003 Interim to Native mode

Posted on 2007-11-27
Last Modified: 2012-05-05
Background information:
I am fully aware of *how* to raise interim mode to native mode and I know that our environment is ready to go (i.e., selecting "Raise Domain Functional Level" in AD returns no errors and selecting "Raise Forest Functional Level" reports only one domain that must be upgraded first). What I need is documented justification for management that this process is safe to continue and that *if* (by some freak of nature) something goes wrong, there is a plan to back out/roll back. I have found plenty of info online regarding rolling back when upgrading from NT4 or to 2000, but since we are running only 2003 DCs in Interim Mode, this info does not apply to us.

Our current environment:
Primary Site:
  Over 100 WinXP PCs
  A few Win2000 PCs
  2 Win2000 Servers
  21 Win2003 Servers, of which there are:
       2 Domain Controllers (both GCs, one holds all FSMO roles)
       1 Exchange 2003
  1 ESX VI3 server running dev & test guest VMs only (no production services)
Second Site:
  About 30 WinXP PCs
  1 Win2003 Server, Domain Controller (GC)
Sites are linked by 1Mb WAN

Previous SysAdmin migrated Server OS from NT4 to 2003 a few years ago. AD is currently running in Interim 2003 mode but previous upgrade project was never completed. All previous NT4 servers have been decommissioned. Current Win2000 servers provide legacy file sharing & SQL services only (and will be decommissioned soon).

Q: What are some of the known gotchas/issues/problems when upgrading AD 2003 Interim mode to 2003 native mode (if any)?

Q: How would we rollback (or at least plan & prepare for a rollback) if we encounter problems during the upgrade? Given our current site setup, can we utilize anything for backout/rollback purposes?

Personally, I believe this upgrade is a trivial process and that management fears are unfounded. Please comment...
Question by: mayday175

Accepted Solution

l84work earned 100 total points
ID: 20363665
No roll back possible!

Do AD Authoritative restore.

2. Create a system state backup on your GC right before the change.
3. Make the change.
4. If broken, boot into safe mode and perform AD authoritative restore (RESTORE DATABASE).
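The pre-change safety net l84work describes (confirm every DC is 2003, confirm replication is healthy, then take a system state backup on a GC) can be scripted so the evidence lands in one log for the change record. This is an added example, not code from the thread; it assumes the Windows Server 2003 Support Tools (dsquery, repadmin, dcdiag) and ntbackup on the DC it runs on, and BACKUP_DIR is a placeholder path.

```batch
@echo off
REM Pre-change checks and system state backup before raising the DFL.
REM Added example, not from the original thread. Assumes the Windows Server
REM 2003 Support Tools and ntbackup are installed on the GC where this runs.
REM BACKUP_DIR is a placeholder; point it at a volume you actually back up.

setlocal
set BACKUP_DIR=D:\Backups\PreDFL
set LOG=%BACKUP_DIR%\predfl-check.log
set BKF=%BACKUP_DIR%\systemstate-predfl.bkf

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

echo === Current level: msDS-Behavior-Version 1 = 2003 interim, 2 = 2003 === >> "%LOG%"
dsquery * domainroot -scope base -attr msDS-Behavior-Version ntMixedDomain >> "%LOG%"

echo === Every DC in the forest must be Windows Server 2003 === >> "%LOG%"
dsquery server -forest -o rdn >> "%LOG%"

echo === Global catalog servers: the backup below must run on one of these === >> "%LOG%"
dsquery server -forest -isgc -o rdn >> "%LOG%"

echo === Replication health: fix every failure before raising the level === >> "%LOG%"
repadmin /replsummary >> "%LOG%"
dcdiag /test:replications /q >> "%LOG%"

echo === System state backup on this GC: the only rollback point for a DFL change === >> "%LOG%"
ntbackup backup systemstate /J "Pre-DFL system state" /F "%BKF%"

REM ntbackup's exit code is not reliable from a script, so check for the file instead.
if not exist "%BKF%" (
  echo Backup FAILED: no .bkf written. Do not proceed with the DFL change. >> "%LOG%"
  endlocal
  exit /b 1
)

echo Backup written to %BKF%. Review %LOG%, then raise the level. >> "%LOG%"
echo Rollback path from Directory Services Restore Mode, per the accepted answer: >> "%LOG%"
echo   1. Restore %BKF% with ntbackup. >> "%LOG%"
echo   2. ntdsutil "authoritative restore" "restore database" quit quit >> "%LOG%"
endlocal
exit /b 0
```

The log it produces is the artifact to attach to the change request; the DSRM password must be known before the backup is of any use, which is the point the author picks up on below.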


Assisted Solution

LauraEHunterMVP earned 25 total points
ID: 20368241
As l84work says, the only rollback mechanism for a DFL/FFL upgrade is to do a full domain/forest recovery from a time prior to when you changed the functional level.

Having said that, there's almost zero risk involved in the process if, as you say, all of your NT4 BDCs have been long since decommissioned.  Your clients won't even notice the difference, really.

Author Comment

ID: 20370501
Thanks l84work. Resetting the Directory Services Restore Mode Administrator account password is a very good idea, as no one knows what the previous SysAdmin had set it to. If we need to restore a system state backup, I assume the restored DC will replicate the old AD data to the other DCs. Not having done a system state restore b4, my knowledge of this is only theoretical from MCSE studies I have done.

LauraEHunterMVP... I agree, this upgrade should be a no brainer. But I am sure you are aware that any change requires a documented backout/rollback plan b4 the change can be approved.

Before I allocate points for this question, would anyone else care to add any further comments?

Expert Comment

ID: 20372247
> I assume the restored DC will replicate the old AD data to the other DCs.

Yes, it'll be done after authoritative restore.


Author Closing Comment

ID: 31411364
Thanks guys/girls. l84work gets most points for specific info & Laura gets some for confirmation of what I already suspected. Thanks.
