2008 Domain function upgrade question

Muqtar
I am a new member, so steer me in the right direction if needed.

Situation:
We are replacing a third party application that does many functions that can be accomplished through AD group policy.
We have seven 2008 DCs, and one 2003 DC. I want to upgrade the domain function level to 2008, but have been asked for a contingency plan in the event that anything goes wrong.
All research indicates that domain function level upgrades go well, and I have nothing to worry about.

I have a question regarding a potential contingency plan, and a question about group policy.

Contingency plan:
Take one of the FSMO roles (RID master) and transfer it to the 2003 domain controller. Then shut him down and perform the upgrade. If things go well, retire him and seize the RID master role from one of the 2008 DCs. I know it is better to transfer rather than seize, but I don’t know why.

If things don’t go well, shut down all the 2008 DCs, bring the RID master (2003) back on line and begin seizing all the other roles. Then begin rebuilding new DCs.
Does anyone see any problems with this?

Group policy:
I am wondering whether I will experience any issues when trying to utilize some of the new group policy functionality combined with group policy objects that were in place prior to the upgrade. In short, do I need to create new group policy objects to utilize the expanded functionality, and run those in addition to the existing production GPOs.

I don’t know whether the existing GPOs have new features in them, or if I have to create new GPOs and run those alongside the old ones.

I know there are two questions, but they are integral. 125 per relevant answer.

Many thanks
Muqtar
Commented:
The difference between transfer and seize is that we transfer the role when the server is going down for maintenance like a hardware upgrade, defrag or scan, where the server is down for some time, and seize means the server is dead and can't be brought back.

If you seize the FSMO role from a DC, it can't be brought back online without performing metadata cleanup, meaning that even though the DC is available to be brought back online, it can't be once the role is seized.

There are new features in Windows 2008 like the central store. Windows 2008 supports a new file format called ADMX, which consists of language-neutral files to support various languages.

A few new GPO settings have been defined which are only supported on Windows Vista, Windows 7, Windows 2008 etc., so in order to get those benefits you have to install the client-side preferences extension on XP machines, but it will not hamper your current domain. These are new functionality like printer mapping, drive mapping, registry key pushing, OS-level GPO, so in order to utilize those, new functions are needed.

If the domain functional level is upgraded it can't be reverted, meaning you can't configure any DC of an older version like Windows 2003, but member servers can still run Windows 2003.
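The central store Awinish mentions is just a folder under SYSVOL; once it exists, every GPMC console in the domain reads its ADMX/ADML files from there instead of from the local machine. The script below is an added example, not code from this thread or from Microsoft. It assumes you run it as a domain admin from a Vista/2008 (or newer) machine whose local PolicyDefinitions folder holds the ADMX files you want to publish, and it reads the domain name from the environment rather than hard-coding one. The replication check at the end uses the .NET DirectoryServices classes, so it works on Windows Server 2008 without the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the thread): build the ADMX central store and confirm that
# SYSVOL replication has carried it to every domain controller.
# Assumes: domain-joined machine with local ADMX files; rights to write under SYSVOL\Policies.

$domainDns = $env:USERDNSDOMAIN                         # DNS name of the current domain
$localAdmx = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central   = "\\$domainDns\SYSVOL\$domainDns\Policies\PolicyDefinitions"

if (-not (Test-Path $localAdmx)) {
    throw "No local ADMX files at $localAdmx; run this from Vista/2008 or newer."
}

if (-not (Test-Path $central)) {
    New-Item -ItemType Directory -Path $central | Out-Null
}

# .admx files are language-neutral; each language (en-US, de-DE, ...) is a subfolder of .adml files.
# -Recurse carries those subfolders across; -Force overwrites an older copy of the same file.
Copy-Item -Path (Join-Path $localAdmx '*') -Destination $central -Recurse -Force

$admxCount = (Get-ChildItem -Path $central -Filter *.admx).Count
$langs     = Get-ChildItem -Path $central | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name }
Write-Host "Central store: $admxCount ADMX files, languages: $($langs -join ', ')"

# GPMC switches to the central store as soon as the folder exists, but a console pointed at a
# DC that has not yet replicated it will still fall back to local files. Check each DC's SYSVOL.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    $path  = "\\$($dc.Name)\SYSVOL\$domainDns\Policies\PolicyDefinitions"
    $state = if (Test-Path $path) { 'present' } else { 'NOT YET REPLICATED' }
    Write-Host ("{0,-40} {1}" -f $dc.Name, $state)
}
```

Existing GPOs are not touched by this: the central store only changes where the editor loads its setting definitions from, so the old GPOs simply show the new Vista/2008 settings alongside the ones they already had.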


 
Top Expert 2012

Commented:
Not a good plan at all; you can cause your domain not to function at all.

Domain and forest functional levels will not affect your application; these are to give you access to the AD environment.
Once you up either the domain functional level or the forest functional level to 2008, you can't go back. I would suggest that if you are concerned about the upgrade due to applications in the environment then call the vendors and ask if the new domain/forest functional level is supported. If that still doesn't satisfy you I recommend implementing a test environment with the same apps and performing a test. I would not recommend seizing a role from a DC unless you don't plan on using it again, because as stated above you'll have to do some hacking to get it back (good luck!). Other than that, after the upgrade of the domain functional level and forest functional level you should be able to take advantage of the benefits outlined here:

http://technet.microsoft.com/en-us/library/dd378796(WS.10).aspx

Your GPOs should migrate seamlessly as well. My main concern would be the apps you mentioned.

Author

Commented:
So the contingency plan sounds like more of a risk than the actual upgrade?

Can you elaborate on why you came to this conclusion?

Author

Commented:
To clarify, we would leave the 2003 DC offline permanently if the upgrade goes well.

We would only turn it back on in the event that the upgrade caused a problem. At that point, only the 2003 DC would be online because we would have shut down the rest of the 2008 DCs and the 2003 DC would be alone in the world. At which point we would use him to seize all the other roles.

It would seem to me that if the 2003 DC doesn't know that the 2008 DC has seized the role in his absence, it wouldn't matter.
Top Expert 2012

Commented:
You need a fully functional domain before you move your forest level and domain level up. Also, the operation will fail since the AD database will still know about the 2003 DC on the domain, since it is still part of the domain even if it is shut down.
Top Expert 2012

Commented:
Again, AD will still know about the 2003 DC being on the domain even if it is shut down. Your plan will not work.

Author

Commented:
@ Darius:
Will the rest of the domain know about the 2003 DC because he is the holder of the FSMO role, or because I haven't properly removed him?

If so, I guess I need to demote him before attempting the upgrade?

Commented:
There is no issue in upgrading the domain and forest; the only issue is that it can't be reverted back and lower versions of Windows can't be configured as a DC.

Secondly, nothing will change, and yes, applications use authentication like NTLM and Kerberos to authenticate, and it will not give you issues unless you have a legacy application which doesn't support Kerberos authentication; otherwise everything will work fine.

Now everyone is upgrading to Windows 2008 because MS support is going to be stopped for Windows 2003.

Commented:
The 2003 DC has to be removed prior to raising the level of the domain, else it will throw an error that all the DCs are not Windows 2008. If you upgrade to Windows 2008 you can't have Windows 2003 as a DC.
 
Top Expert 2012

Commented:
Correct, you must demote the 2003 server before you attempt the upgrade because you cannot have any 2003 DCs in a 2008 functional level.

Author

Commented:
So how about this instead?
Demote the 2003 server and retire him.
Move all FSMO roles to a 2008 DC and grab an image of him with WinPE.
Perform the upgrade.
If there are any problems, shut down all DCs and restore the image of the 2008 server which *held* all FSMO roles and functioned in 2003 mode? Then begin building new DCs and promoting them.

Top Expert 2012
Commented:
No, still not supported. Imaging of DCs is not supported.

You can take a backup of the 2008 DC that holds all FSMO roles; then if you have a problem you can do an authoritative restore on AD, which will restore the AD to the state it was in before the move to the 2008 functional level.

I have not tried this myself, but this is a supported solution; but again, I do not think you will have any issues.

Make sure you move the FSMO roles before demoting the 2003 server.

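The thread settles on a sequence: transfer the roles off the 2003 DC, demote it, take a system state backup of the 2008 role holder, then raise the level. The script below is an added example, not code from this thread, that turns the experts' checks into a pre-flight run on the 2008 DC that will keep the roles. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or Windows 7; Windows Server 2008 itself does not ship it) with at least one DC exposing AD Web Services, that the Windows Server Backup feature is installed for wbadmin, and that the DC name and backup drive are placeholders you replace. The state-changing AD cmdlets stay in -WhatIf so the script reports what it would do without doing it.

```powershell
# Added example (not from the thread): pre-flight checks before raising the domain level.
# Run on the 2008 DC that should end up holding all five FSMO roles.
# Assumes: ActiveDirectory module + AD Web Services; Windows Server Backup installed.
Import-Module ActiveDirectory

$TargetDc     = 'DC01'   # placeholder: this DC, the one that will hold all five roles
$BackupTarget = 'E:'     # placeholder: local drive that receives the system state backup

$domain = Get-ADDomain
$forest = Get-ADForest
Write-Host "Domain mode: $($domain.DomainMode)   Forest mode: $($forest.ForestMode)"

# 1. Every DC the directory still knows about, with OS and role ownership. A 2003 DC that is
#    merely powered off still appears here, which is why "shut it down and seize" fails: the
#    raise is refused while any 2003 DC object exists, and the seize leaves a dead owner behind.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, OperatingSystem, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

$legacy = $dcs | Where-Object { $_.OperatingSystem -match '2000|2003' }
if ($legacy) {
    $legacy | ForEach-Object {
        Write-Warning "Demote with dcpromo before raising the level: $($_.HostName) [$($_.OperatingSystem)]"
    }
    return
}

# 2. Replication must be clean; a DC that cannot replicate will not learn about the new level.
repadmin /replsummary
dcdiag /test:replications /q

# 3. Transfer (not seize) all five roles to this DC. A transfer tells the old owner it no longer
#    holds the role; a seize (the -Force switch) does not, and then needs metadata cleanup.
#    Remove -WhatIf to perform the move.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -WhatIf

# 4. System state backup of the role holder, taken before the raise. This is the supported
#    rollback DariusG describes (an authoritative restore) instead of a WinPE image.
wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet

# 5. Raise the domain functional level. There is no way back, so this stays in -WhatIf too.
Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2008Domain -WhatIf
```

Run it once with -WhatIf in place to read the DC table and the replication summaries; only when the table shows no 2003 entry and repadmin reports zero failures should the -WhatIf switches come off, in the order the steps are listed.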
Author

Commented:
Thank you all very much.

I am splitting the points between Awinish (group policy) and DariusG (AD function level).
