Solved

In-place upgrade of Windows 2000 domain to Windows 2003 domain - rollback plan

Posted on 2009-02-18
Last Modified: 2012-05-06
We have a Windows 2000 domain that has two local and one remote domain controller.  We are wanting to upgrade to Windows 2003 - forest prep, domain prep and then upgrade the domain controllers.
However, we need to see if there is a possible rollback should applications not work with Win2k3.  I realize that this is supposed to be a one-way trip, but I am doing due diligence of investigating it for the definite answer.
Thank you!
0
Question by:espnetadmin
15 Comments
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 23671506
Some of the steps you are looking to do simply can not be rolled back. Once the forest is set up for 2003, it's done.

But what you could try is to bring up some new machines as new 2003 domain controllers as part of the domain, test your applications against the new DCs, and if everything works properly, then demote the 2000 machines.

I can't think of much that would work on 2000 that won't work on 2003.

Of course, if you didn't follow best practices, and you have other applications installed on your domain controllers besides AD and DNS, then it could become a bit more messy.
0
 

Author Comment

by:espnetadmin
ID: 23671595

One issue with adding a 2003 domain controller to a Windows 2000 domain - Forest Prep and Domain Prep have to be run against the domain.  At that point, we are halfway towards a Windows 2003 domain.  The only things left at that point are to upgrade the domain controllers and then go to Native Mode.

I agree that most things that work on Win2k should work on Win2k3.

We do have other applications for our Inventory Control,  business contacts management and credit card processing that are the biggest issue of concern.  This is the reason for seeing if there is any way to rollback to Windows 2000.
0
 
LVL 18

Expert Comment

by:Americom
ID: 23671725
When it comes to compatibility for applications running on Win2k vs Win2k3, your best hope is to identify all the 3rd-party applications (the major ones) and ask those application vendors whether they support Win2k3. I bet they will all say they do, as this is the year 2009.

dhoffman98 has a good suggestion: add a Win2k3 DC to your Win2k domain first. Since you still have Win2k DCs, it may not be a bad idea to get newer and reliable hardware or create a VM with Win2k3 and promote it to a Win2k3 DC. After the promotion, your Windows domain functional level will still be the same (either Win2k mixed or Win2k native). There shouldn't be any major changes to your environment. If everything is working fine, you can then transfer all the FSMO roles to this reliable Win2k3 DC and do the in-place upgrade of the other existing Win2k DCs. I'm just not a fan of in-place upgrades, as by the time we usually do an upgrade of the OS, the hardware is old, or if it still can be used, the OS partition needs to be enlarged or the file system needs to be cleaned. I usually prefer a new install and starting from scratch. So, when you kill all the Win2k DCs, then you can raise the domain functional level to Win2k3 native. Or you should probably think about Win2k8 instead of Win2k3 at this time of the year, unless you don't have a budget for Win2k8 CALs, but if you have a budget for Win2k3 CALs, maybe that budget $ should be used on Win2k8?
0
 
LVL 15

Expert Comment

by:zelron22
ID: 23672285
Another reason NOT to do an in place upgrade is that a server that's been around a while may have some quirks that you take for granted or ignore, but might not play nice with an OS upgrade.  I can tell you from experience that I have not had any significant issues building a new server to upgrade a domain, but I have been in at least 2 DR situations doing in place upgrades.
0
 

Author Comment

by:espnetadmin
ID: 23673259
Thank you for the suggestions of adding a Win2k3 DC to the Windows 2000 domain.  However, there is a problem:

- Build Windows 2003 server
- Add it to the Win2k domain as a member server
- Run dcpromo on the Win2k3 to join it to the domain

At this point, a message comes up that Forest Prep and Domain Prep have to be run from the Windows 2003 CD to update the Windows 2000 domain.  As you can see in this article, there are a large number of changes / additions in this process:

http://support.microsoft.com/kb/309628

We don't have the time to build a Windows 2008 domain / Exchange org to migrate to right now.  We need to upgrade the existing domain to 2003 and then look to building a new Win2k8 domain to migrate to next year.  An in-place upgrade is the quickest way to get off of Windows 2000.


0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 498 total points
ID: 23673315
Whether you do an in-place upgrade or add a new Win2k3 DC, it still requires the forest prep and domain prep. They should be two separate processes and can be taken separately. I would still suggest you take care of the forest and domain prep first. But adding a new separate Win2k3 DC would be the fastest and less risky route.
0
 
LVL 15

Expert Comment

by:zelron22
ID: 23678291
Ditto.  The Forest Prep extends the schema so that Server 2003 servers can be promoted to DC's.  Domain Prep confirms that the Forest  Prep changes have been replicated to the domain you run it against.  These steps have to happen regardless of whether you do an in place upgrade or add a new server.  

I'm sure that the changes listed in the article are very helpful to a developer.

Also, when you do get around to upgrading to 2008 you will again have to perform a forest prep and a domain prep to extend the 2003 schema to 2008.  You will also have to run it off of the Exchange CD to extend the schema for whatever version of Exchange you end up installing.

0
 
LVL 15

Accepted Solution

by:zelron22
zelron22 earned 501 total points
ID: 23678304
I should have expanded on my comment about the MS article that tells about the changes running the Forest Prep and Domain Prep make.  Since you have to perform these steps regardless of whether you do an inplace upgrade or add a new server, these changes will be made regardless of which path you take.

I've only ever had one issue extending a schema and that's because a non-compliant application was installed that modified the schema such that the forest prep failed.  A relatively short call to Microsoft support resolved that issue.  Otherwise, as long as your Active Directory is in good shape -- replicating properly, no issues with DNS, etc., you shouldn't have any problems.
0
 

Author Comment

by:espnetadmin
ID: 23687129
This thread is covering some good points, but it is a bit off target now.  I think we all agree that there is no way to do a rollback after Windows 2003's Forest Prep and Domain Prep on a Windows 2000 domain / forest.  Correct?
0
 
LVL 13

Assisted Solution

by:dhoffman_98
dhoffman_98 earned 501 total points
ID: 23693681
Yes, that's correct... because the schema will be updated and there is no way to undo a schema update.
0
 
LVL 15

Expert Comment

by:zelron22
ID: 23693808
Whoops...yes, there is, but it involves doing an authoritative restore of one domain controller in every domain in the forest.
0
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 23694659
Well... actually... there is another way also.
What we do here is take some of our domain controllers offline before we do schema updates.
Then if the schema update fails, we seize the FSMO on one of the offline DCs to make it authoritative and trash the old Schema FSMO.
0
 
LVL 15

Expert Comment

by:zelron22
ID: 23694687
Hmmm...have you actually tested that or have an article about that?  I believe that once the schema gets updated, it's applied to each DC in the domain.  The only thing the Schema master does is it's the one machine you get to change the schema on.  

One guy from Microsoft recommended taking the schema master off of the network (although this needed some tweaking because it kept failing because it didn't have a network connection) and extending the schema on it.  THEN if it failed on the schema master, you have another machine take over the FSMO of schema master and restore the schema master using a non-authoritative restore.

Or if the OS is mirrored break the mirror first and if it gets hosed, remirror it from the good drive.
0
 

Author Comment

by:espnetadmin
ID: 23694715
dhoffman was reading my mind...  Can someone punch a hole in this scenario?

AD Upgrade: (Not Migration)
Phase I:
Prior to upgrade of AD / Schema:
1.      Build a third Win2K DC with DNS, Wins, DHCP, and a GC.  Verify it has synced.
2.      Turn off, unplug, and shelve the DC and do not touch it under ANY circumstances.
Upgrade Steps:
1.      Build new 2003 or 2008 Server
2.      Run ForestPrep / DomainPrep from new server.
3.      Transfer existing FSMO, Wins, DNS, DHCP roles from existing DCs to new servers.
4.      Test and Verify - Run for a week

Phase IIa: Project considered a success:
1.      Rebuild Existing (previous) DCs as Win2K3/8 servers, promote, and transfer the roles back. (Only needed if equipment was not permanent)
2.      Project Complete.


Phase IIb: Upgrade Failed in Testing:
1.      Turn off, unplug, etc. any DCs
2.      Bring online the DC that was shelved prior to the upgrade.
3.      Manually seize all FSMO Roles.
4.      Verify DNS
5.      Verify WINS
6.      Verify DHCP
7.      Verify Global Catalog
8.      Reset / Rejoin computer accounts
0
 
LVL 18

Expert Comment

by:Americom
ID: 23695220
Try again:
AD Upgrade: (Not Migration)
Phase I:
Prior to upgrade of AD / Schema:
1.      Build a third Win2K DC with DNS, Wins, DHCP, and a GC.  Verify it has synced.
2.      Turn off, unplug, and shelve the DC and do not touch it under ANY circumstances.
I would not do these two steps. If there are any apps not working, it would be easier to make them work than to revert the process with this offline DC without any FSMO. It's more risky doing so than updating the schema and moving on. Again, if any vendor's app is not working due to the schema update, have them fix it. It's not your problem as long as you get written confirmation from them that their apps will support the Win2k3 schema. I'm 99.999% sure it will be fine.

Upgrade Steps:
1.      Build new 2003 or 2008 Server
2.      Run adprep with the /ForestPrep switch on the DC w/ schema master operations role
3.      Wait for the schema changes to be replicated to all the DCs that hold the infrastructure operations master roles in the domains.
4.      Run adprep with the /domainprep switch on the infrastructure master DC role in the domain.
5.      Wait for replication to all DCs in the domain
6.      You can proceed w/ installation of a first Win2k3 DC in that domain.
7.      Transfer existing FSMO, Wins, DNS, DHCP roles from existing DCs to new servers(win2k3).
8.      Test and Verify - Run for a week
0
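
The "wait for replication" steps in the procedure above can be checked instead of timed. The batch script below is an added example, not code from any poster in this thread: it records the FSMO holders, DC health and the schema version seen by each DC, so the same snapshot can be taken before and after `adprep /forestprep`. The forest DN `DC=example,DC=com` and the DC names `DC1 DC2 DC3` are constructed placeholders.

```bat
@echo off
rem Added example, not from the thread: snapshot AD state around adprep.
rem Usage:  adcheck.cmd before    (run prior to adprep /forestprep)
rem         adcheck.cmd after     (repeat until every DC has replicated)
rem Placeholders (constructed): FOREST_DN and the DC names in DCS.
rem Needs the Windows Support Tools (netdom, repadmin, dcdiag) plus ldifde.
setlocal
set FOREST_DN=DC=example,DC=com
set SCHEMA_DN=CN=Schema,CN=Configuration,%FOREST_DN%
set DCS=DC1 DC2 DC3
set TAG=%1
if "%TAG%"=="" set TAG=before

rem Role holders: forestprep runs on the schema master, domainprep on the
rem infrastructure master, so record who holds the roles right now.
netdom query fsmo > fsmo-%TAG%.log
if errorlevel 1 goto fail

rem Health and replication evidence to compare against later.
dcdiag /v > dcdiag-%TAG%.log
repadmin /showreps > showreps-%TAG%.log

rem Schema version as seen by each DC. objectVersion 13 is the Windows 2000
rem schema; 30 is Windows Server 2003. A DC still at 13 after forestprep
rem has not received the schema changes yet.
for %%d in (%DCS%) do (
    ldifde -s %%d -f schema-%TAG%-%%d.ldf -d "%SCHEMA_DN%" -p base -l objectVersion > nul
    echo %%d:
    find "objectVersion:" schema-%TAG%-%%d.ldf
)

echo Logs written with suffix "%TAG%". Proceed to the next adprep step only
echo when every DC above reports the same objectVersion.
goto :eof

:fail
echo netdom failed; fix connectivity or tooling before changing the schema.
exit /b 1
```

Keeping the `before` logs also gives a baseline to diff against if an application misbehaves during the test week.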
