Question from Muqtar (United States):

2008 Domain function upgrade question

I am a new member, so steer me in the right direction if needed.

Situation:
We are replacing a third party application that does many functions that can be accomplished through AD group policy.
We have seven 2008 DCs, and one 2003 DC. I want to upgrade the domain function level to 2008, but have been asked for a contingency plan in the event that anything goes wrong.
All research indicates that domain function level upgrades go well, and I have nothing to worry about.

I have a question regarding a potential contingency plan, and a question about group policy.

Contingency plan:
Take one of the FSMO roles (RID master) and transfer it to the 2003 domain controller. Then shut him down and perform the upgrade. If things go well, retire him and seize the RID master role from one of the 2008 DCs. I know it is better to transfer rather than seize, but I don’t know why.

If things don’t go well, shut down all the 2008 DCs, bring the RID master (2003) back on line and begin seizing all the other roles. Then begin rebuilding new DCs.
Does anyone see any problems with this?

Group policy:
I am wondering whether I will experience any issues when trying to utilize some of the new group policy functionality combined with group policy objects that were in place prior to the upgrade. In short, do I need to create new group policy objects to utilize the expanded functionality, and run those in addition to the existing production GPOs?

I don’t know whether the existing GPOs have new features in them, or if I have to create new GPOs and run those alongside the old ones.

I know there are two questions, but they are integral. 125 per relevant answer.

Many thanks
Muqtar
Accepted solution by Awinish (member-only; the content is not available on this page).
Darius Ghassem:

Not a good plan at all; you can cause your domain not to function at all.

Domain and forest functional levels will not affect your application; these are to give you access to the AD environment.

Once you raise either the domain functional level or the forest functional level to 2008, you can't go back. I would suggest that if you are concerned about the upgrade due to applications in the environment, then call the vendors and ask if the new domain/forest functional level is supported. If that still doesn't satisfy you, I recommend implementing a test environment with the same apps and performing a test. I would not recommend seizing a role from a DC unless you don't plan on using it again, because as stated above you'll have to do some hacking to get it back (good luck!). Other than that, after the upgrade of the domain functional level and forest functional level you should be able to take advantage of the benefits outlined here:

http://technet.microsoft.com/en-us/library/dd378796(WS.10).aspx

Your GPOs should migrate seamlessly as well. My main concern would be the apps you mentioned.
Muqtar (asker):
So the contingency plan sounds like more of a risk than the actual upgrade?

Can you elaborate on why you came to this conclusion?
Muqtar (asker):
To clarify, we would leave the 2003 DC offline permanently if the upgrade goes well.

We would only turn it back on in the event that the upgrade caused a problem. At that point, only the 2003 DC would be online because we would have shut down the rest of the 2008 DCs and the 2003 DC would be alone in the world. At which point we would use him to seize all the other roles.

It would seem to me that if the 2003 DC doesn't know that the 2008 DC has seized the role in his absence, it wouldn't matter.

You need a fully functional domain before you move your forest level and domain level up. Also, the operation will fail since the AD database will still know about the 2003 DC on the domain, since it is still part of the domain even if it is shut down.

Again, AD will still know about the 2003 DC being on the domain even if it is shut down. Your plan will not work.
Muqtar (asker):
@ Darius:
Will the rest of the domain know about the 2003 DC because he is the holder of the FSMO role, or because I haven't properly removed him?

If so, I guess I need to demote him before attempting the upgrade?

There is no issue in upgrading domain & forest; the only issue is that it can't be reverted back & a lower version of Windows can't be configured as a DC.

Secondly, nothing will change & yes, applications use authentication like NTLM or Kerberos to authenticate & it will not give you an issue until you have a legacy application which doesn't support Kerberos authentication; otherwise everything will work fine.

Now everyone is upgrading to Windows 2008 because MS support is going to be stopped for Windows 2003.

The 2003 DC has to be removed prior to raising the level of the domain, else it will throw an error that all the DCs are not on Windows 2008. If you upgrade to Windows 2008 you can't have Windows 2003 as a DC.

Correct, you must demote the 2003 server before you attempt the upgrade because you cannot have any 2003 DCs at the 2008 functional level.
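The answers above boil down to a pre-flight check: every DC that is still in the directory (online or not) must be 2008 or later, you should know which DC holds each FSMO role before touching anything, and roles should be transferred rather than seized. The script below is an added example and is not from anyone in this thread; it assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later) and a domain-joined account with rights to read the directory. It is read-only: it reports blockers and leaves the actual raise and any role transfer as commented-out commands for you to run deliberately.

```powershell
# Added pre-flight check for raising the domain functional level (example code,
# not from this thread). Assumes the ActiveDirectory module and read rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

Write-Host "Current domain functional level : $($domain.DomainMode)"
Write-Host "Current forest functional level : $($forest.ForestMode)"
Write-Host ""
Write-Host "FSMO role holders (transfer these, do not seize, while the holder is reachable):"
Write-Host "  Schema master         : $($forest.SchemaMaster)"
Write-Host "  Domain naming master  : $($forest.DomainNamingMaster)"
Write-Host "  PDC emulator          : $($domain.PDCEmulator)"
Write-Host "  RID master            : $($domain.RIDMaster)"
Write-Host "  Infrastructure master : $($domain.InfrastructureMaster)"
Write-Host ""

# Every DC object in the directory counts, whether or not the box is powered on.
# A shut-down 2003 DC is still a DC as far as the functional-level check goes.
$dcs = Get-ADDomainController -Filter * |
       Select-Object HostName, OperatingSystem, Site, IsGlobalCatalog, OperationMasterRoles

Write-Host "Domain controllers in the directory:"
$dcs | Format-Table HostName, OperatingSystem, Site, IsGlobalCatalog -AutoSize | Out-String | Write-Host

# Anything older than Windows Server 2008 blocks a raise to the 2008 level.
$blockers = $dcs | Where-Object { $_.OperatingSystem -match '2000|2003' }

if ($blockers) {
    Write-Host "BLOCKED: the following DCs must be demoted (dcpromo on the box, or cleaned up"
    Write-Host "with ntdsutil metadata cleanup if the box is gone) before raising the level:"
    foreach ($dc in $blockers) {
        $roles = if ($dc.OperationMasterRoles) { $dc.OperationMasterRoles -join ', ' } else { 'none' }
        Write-Host ("  {0} ({1}) holds FSMO roles: {2}" -f $dc.HostName, $dc.OperatingSystem, $roles)
    }
    Write-Host ""
    Write-Host "Move any role it still holds to a healthy 2008 DC first, e.g.:"
    Write-Host "  Move-ADDirectoryServerOperationMasterRole -Identity <2008-DC-name> -OperationMasterRole RIDMaster"
    Write-Host "(-Force turns that into a seize; only use it when the old holder is never coming back.)"
    exit 1
}

# No legacy DCs: confirm replication is clean before changing anything.
# repadmin ships with the AD DS tools; a non-zero failure count means stop and fix first.
Write-Host "Replication summary (all DCs should show 0 fails):"
repadmin /replsummary

Write-Host ""
Write-Host "All DCs are 2008 or later. When replication is clean, the raise is a one-way step:"
Write-Host "  Set-ADDomainMode -Identity $($domain.DNSRoot) -DomainMode Windows2008Domain -WhatIf"
Write-Host "Drop -WhatIf to apply it; there is no supported way back once it replicates."
# Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2008Domain
```

Run it from a management workstation or a 2008 R2 DC as a domain admin. The `exit 1` on a blocker makes it usable as a gate in a change-window runbook: if the 2003 DC has not been demoted and its metadata has not been cleaned up, the script refuses to get as far as the `Set-ADDomainMode` line.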
Muqtar (asker):
So how about this instead?
Demote the 2003 server and retire him.
Move all FSMO roles to a 2008 DC and grab an image of him with WinPE
Perform the upgrade.
If there are any problems, shut down all DCs and restore the image of the 2008 server which *held* all FSMO roles and functioned in 2003 mode? Then begin building new DCs and promoting them.

Solution (member-only; the content is not available on this page).

Muqtar (asker):
Thank you all very much.

I am splitting the points between Awinish (group policy) and DariusG (AD function level).