Solved

Gotcha's & Rollbacks for raising AD 2003 Interim to Native mode

Posted on 2007-11-27
5
803 Views
Last Modified: 2012-05-05
Background information:
I am fully aware of *how* to raise interim mode to native mode and I know that our environment is ready to go (ie. selecting "Raise Domain Functional Level" in AD returns no errors and selecting "Raise Forest Functional Level" reports only one domain that must be upgraded first). What I need is documented justification for management that this process is safe to continue and that *if* (by some freak of nature) something goes wrong, there is a plan to backout/rollback. I have found plenty of info online re rolling back when upgrading from NT4 or to 2000, but since we are running only 2003 DCs in Interim Mode, this info does not apply to us.

Our current environment:
Primary Site:
  Over 100 WinXP PCs
  A few Win2000 PCs
  2 Win2000 Servers
  21 Win2003 Servers, of which there are:
       2 Domain Controllers (both CGs, one holds all FSMO roles)
       1 Exchange 2003
  1 ESX VI3 server running dev & test guest VMs only (no production services)
Second Site:
  About 30 WinXP PCs
  1 Win2003 Server, Domain Controller (GC)
Sites are linked by 1Mb WAN

Previous SysAdmin migrated Server OS from NT4 to 2003 a few years ago. AD is currently running in Interim 2003 mode but previous upgrade project was never completed. All previous NT4 servers have been decommissioned. Current Win2000 servers provide legacy file sharing & SQL services only (and will be decommissioned soon).


Q: What are some of the known gotcha's/issues/problems when upgrading AD 2003 Interim mode to 2003 native mode (if any)?

Q: How would we rollback (or at least plan & prepare for a rollback) if we encounter problems during the upgrade? Given our current site setup, can we utilize anything for backout/rollback purposes?

Personally, I believe this upgrade is a trivial process and that management fears are unfounded. Please comment...
0
Comment
Question by:mayday175
  • 2
  • 2
5 Comments
 
LVL 3

Accepted Solution

by:
l84work earned 100 total points
ID: 20363665
No roll back possible!

Do AD Authoritative restore.

1.  CHANGE DSM PASSWORD using NTDSUTIL!!!
2.  Create a system state backup on your GC right before the change.
3.  Make the change.
4.  if broken, boot into safe mode and perform AD authoritative restore (RESTORE DATABASE).

0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 25 total points
ID: 20368241
As l84work says, the only rollback mechanism for a DFL/FFL upgrade is to do a full domain/forest recovery from a time prior to when you changed the functional level.

Having said that, there's almost zero risk involved in the process if, as you say, all of your NT4 BDCs have been long since decommissioned.  Your clients won't even notice the difference, really.
0
 
LVL 3

Author Comment

by:mayday175
ID: 20370501
Thanks l84work. Resetting the Directory Services Restore Mode Administrator account password is a very good idea, as noone knows what the previous SysAdmin had set it to. If we need to restore a system state backup, I assume the restored DC will replicate the old AD data to the other DCs. Not having done a system state restore b4, my knowledge of this is only theoretical from MSCE studies I have done.

LauraEHunterMVP... I agree, this upgrade should be a no brainer. But I am sure you are aware that any change requires a documented backout/rollback plan b4 the change can be approved.

Before I allocate points for this question, would anyone else care to add any further comments?
0
 
LVL 3

Expert Comment

by:l84work
ID: 20372247
I assume the restored DC will replicate the old AD data to the other DCs.

>  Yes, it'll be done after authoritative restore.

0
 
LVL 3

Author Closing Comment

by:mayday175
ID: 31411364
Thanks guys/girls. l84work gets most points for specific info & Laura get some for confirmation of whjat I already suspected. Thanks.
0

Join & Write a Comment

Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now