Gotchas & Rollbacks for raising AD 2003 Interim to Native mode

Posted on 2007-11-27
Last Modified: 2012-05-05
Background information:
I am fully aware of *how* to raise interim mode to native mode and I know that our environment is ready to go (i.e. selecting "Raise Domain Functional Level" in AD returns no errors and selecting "Raise Forest Functional Level" reports only one domain that must be upgraded first). What I need is documented justification for management that this process is safe to continue and that *if* (by some freak of nature) something goes wrong, there is a plan to back out/roll back. I have found plenty of info online regarding rolling back when upgrading from NT4 or to 2000, but since we are running only 2003 DCs in Interim Mode, this info does not apply to us.

Our current environment:
Primary Site:
  Over 100 WinXP PCs
  A few Win2000 PCs
  2 Win2000 Servers
  21 Win2003 Servers, of which there are:
       2 Domain Controllers (both GCs, one holds all FSMO roles)
       1 Exchange 2003
  1 ESX VI3 server running dev & test guest VMs only (no production services)
Second Site:
  About 30 WinXP PCs
  1 Win2003 Server, Domain Controller (GC)
Sites are linked by 1Mb WAN

Previous SysAdmin migrated Server OS from NT4 to 2003 a few years ago. AD is currently running in Interim 2003 mode but previous upgrade project was never completed. All previous NT4 servers have been decommissioned. Current Win2000 servers provide legacy file sharing & SQL services only (and will be decommissioned soon).

Q: What are some of the known gotchas/issues/problems when upgrading AD 2003 Interim mode to 2003 native mode (if any)?

Q: How would we rollback (or at least plan & prepare for a rollback) if we encounter problems during the upgrade? Given our current site setup, can we utilize anything for backout/rollback purposes?

Personally, I believe this upgrade is a trivial process and that management fears are unfounded. Please comment...
Question by: mayday175

Accepted Solution

l84work earned 100 total points
ID: 20363665
No rollback possible!

Do AD Authoritative restore.

2.  Create a system state backup on your GC right before the change.
3.  Make the change.
4.  If broken, boot into safe mode and perform AD authoritative restore (RESTORE DATABASE).
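A pre-change record and backup script, added here as an example (not from any poster on this thread), that turns the accepted procedure into something a change-approval board can file: it reads the current functional levels from RootDSE, refuses to continue if replication is unhealthy, and takes the system state backup that step 2 calls for. The backup directory, job name and record file are assumptions; ntbackup ships with Windows Server 2003, and dcdiag/netdom come from the 2003 Support Tools.

```powershell
# Added example (not from any poster): record the pre-change state and take the
# system state backup the accepted answer calls for, before raising the DFL.
# Run locally on each Windows Server 2003 DC as a Domain Admin.
# $BackupDir, the record file and the ntbackup job name are assumptions.
$BackupDir = "D:\Backups"                              # assumed location
$Record    = Join-Path $BackupDir "pre-dfl-raise.txt"
$Bkf       = Join-Path $BackupDir "systemstate-pre-dfl.bkf"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Record the current functional levels from RootDSE.
#    0 = Windows 2000, 1 = Windows Server 2003 Interim, 2 = Windows Server 2003.
$rootDse = [ADSI]"LDAP://RootDSE"
$dfl = [int]$rootDse.Properties["domainFunctionality"].Value
$ffl = [int]$rootDse.Properties["forestFunctionality"].Value
$dc  = $rootDse.Properties["dnsHostName"].Value
"$(Get-Date -Format s) DC=$dc domainFunctionality=$dfl forestFunctionality=$ffl" |
    Out-File $Record -Append
if ($dfl -ne 1) { throw "Expected Interim (1) before the raise, found $dfl; stop and investigate." }

# 2. Record the FSMO role holders so a restored DC can be checked against them later.
& netdom query fsmo | Out-File $Record -Append

# 3. Refuse to continue if replication is not clean; dcdiag /q prints only errors.
$replErrors = & dcdiag /test:replications /q 2>&1
if ($replErrors) {
    $replErrors | Out-File $Record -Append
    throw "Replication errors reported; fix these before raising the level."
}

# 4. System state backup right before the change (step 2 of the accepted answer).
#    Start-Process -Wait because ntbackup is a GUI app and would otherwise return at once.
Start-Process -FilePath ntbackup.exe -Wait `
    -ArgumentList "backup systemstate /j `"Pre-DFL-raise`" /f `"$Bkf`""
if (-not (Test-Path $Bkf)) {
    throw "System state backup was not written; do not raise the functional level."
}
"Backup written to $Bkf" | Out-File $Record -Append

# The DSRM password needed for the rollback (boot to Directory Services Restore
# Mode, then ntdsutil authoritative restore) is reset interactively:
#   ntdsutil -> "set dsrm password" -> "reset password on server null"
# Record that it was done and where it is kept, never the value itself.
"DSRM password reset and stored in the change record: YES/NO" | Out-File $Record -Append
```

Keep the record file and the .bkf together with the change request; after the raise, the same RootDSE read with domainFunctionality=2 is the evidence that the change took effect.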


Assisted Solution

LauraEHunterMVP earned 25 total points
ID: 20368241
As l84work says, the only rollback mechanism for a DFL/FFL upgrade is to do a full domain/forest recovery from a time prior to when you changed the functional level.

Having said that, there's almost zero risk involved in the process if, as you say, all of your NT4 BDCs have been long since decommissioned. Your clients won't even notice the difference, really.

Author Comment

ID: 20370501
Thanks l84work. Resetting the Directory Services Restore Mode Administrator account password is a very good idea, as no one knows what the previous SysAdmin had set it to. If we need to restore a system state backup, I assume the restored DC will replicate the old AD data to the other DCs. Not having done a system state restore before, my knowledge of this is only theoretical from MCSE studies I have done.

LauraEHunterMVP... I agree, this upgrade should be a no-brainer. But I am sure you are aware that any change requires a documented backout/rollback plan before the change can be approved.

Before I allocate points for this question, would anyone else care to add any further comments?

Expert Comment

ID: 20372247
> I assume the restored DC will replicate the old AD data to the other DCs.

Yes, it'll be done after authoritative restore.

Author Closing Comment

ID: 31411364
Thanks guys/girls. l84work gets most points for specific info & Laura gets some for confirmation of what I already suspected. Thanks.
