Solved

How do I upgrade/rollback a 2K to 2k3 native domain functional upgrade?

Posted on 2010-09-14
Last Modified: 2012-05-10
We need to upgrade the functionality of our domain. We are currently running 2k3 OS on the DCs. We have a two-tiered environment with our Schema master domain at the top of the forest and our production domain under it. The Operations masters for both domains are running in VMWare. Several remote sites have physical DCs running as Global Catalogs.
The current functional levels are:
Forest = Windows 2000
Domain = Windows 2000 Native

We need to switch the functional levels to:
Forest = Windows 2003 Native
Domain = Windows 2003 Native

Before we proceed with the simple task of pushing the "OK" button to perform the upgrade we need to establish an install / rollback plan.

From what I have read, Microsoft has indicated that, under our current configuration, upgrading the forest mode from 2k to 2k3 native will also push the domain mode in all the domains in the forest up to 2k3 native mode.

We plan to "VM Snapshot" the operations masters prior to the upgrade. Rolling back from the upgrade requires bringing up the operations masters from the snapshots, then demoting all the other DCs, removing the metadata and repromoting them.

Has anyone been through an install / rollback like this and can confirm the correctness of the upgrade process and the rollback plan?
Any "gotchas" to look out for?
Thanks,
LB
Question by:fedsig
14 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33675992
I don't think that I've ever heard of a problem with upgrading the domain functional level.  If there is a problem, you would surely get an error.  I've literally done this a hundred times without a single problem (except for having a random 2000 DC).
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33676000
You should just upgrade each domain first, then upgrade the forest.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 33676033
The upgrade in functional level won't do much other than enable some functions that already exist in the schema definitions. There aren't any real gotchas involved in it. If you do run into problems, the rollback method is to drop the functional level on all the domains, then drop the functional level of the forest.
0

 
LVL 41

Expert Comment

by:Adam Brown
ID: 33676065
Oops. Sorry. Commented before testing :D There isn't a way to *drop* functional levels. Your rollback for this would be to take a full system backup of all Primary Domain Controllers in the forest. If something fails, I believe you'll need to do an NTDSUtil restore of Active Directory. But as was mentioned, you really shouldn't run into any problems.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 33676085
@ acbrown2010 > drop the functional level on all the domains, then drop the functional level of the forest.

Ooo... opportunity to learn!  Can you expound on the procedure to lower the functional levels?  I'd always thought it was a domain/forest recovery from backup.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 33676089
From technet: http://technet.microsoft.com/en-us/library/cc787290%28WS.10%29.aspx

"With versions of Windows Server that are earlier than Windows Server 2008 R2, you cannot roll back or lower a functional level under any circumstances. If you have to revert to a lower functional level with a version of Windows Server that is earlier than Windows Server 2008 R2, you must rebuild the domain or forest or restore it from a backup copy."
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33676091
VMWare snapshots aren't AD-aware, and will cause USN rollbacks if you snapshot and restore them:  http://support.microsoft.com/default.aspx?scid=kb;en-us;875495

You would need a backup product like Veeam that uses the full VSS stack.

More info on DCs in a virtual environment: http://support.microsoft.com/kb/888794
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 33676104
Razmus, Sorry :D Shot my mouth (fingers) off without thinking. However, in 2008 R2, it's possible. Read here: http://social.technet.microsoft.com/wiki/contents/articles/how-to-revert-back-or-lower-the-active-directory-forest-and-domain-functional-levels-in-windows-server-2008-r2.aspx

Unfortunately, you can still only go between Windows 2008 and Windows 2008 R2 levels.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 33676164
acbrown2010 - Excellent!  Still gave me an opportunity to learn something new today though.  Most sincerely, Thank you.  8)

But to the original question -- don't use VMWare snapshot for this...  I think the experts have already given a pretty comprehensive answer for the correct procedure to restore, if you have to roll back.
0
 

Author Comment

by:fedsig
ID: 33676539
Thanks for the comments so far, but I'm perplexed...

The text below is from the Microsoft documentation on performing a functional upgrade from 2k to 2k3 native:

Prepare a back-out plan that includes one of the following actions:

* Disconnect at least two domain controllers from each domain in the forest.
* Create a system state backup of at least two domain controllers from each domain in the forest.

Before the back-out plan can be used, all domain controllers in the forest must be decommissioned before the recovery process.

Note - Level increases cannot be authoritatively restored. This means that all domain controllers that have replicated the level increase must be decommissioned.

After all the previous domain controllers are decommissioned, bring up the disconnected domain controllers or restore the domain controllers from the backup. Remove the metadata from all the other domain controllers, and then re-promote them. This is a difficult process and must be avoided.


 
0
 
LVL 17

Accepted Solution

by:
Tony Massa earned 250 total points
ID: 33677488
They also tell you to back up your registry on any change.  It's basically to cover in the RARE case of a problem.

If you plan to roll anything back you will need system-state backups for all DCs.  Like I mentioned earlier, VMWare snapshots only use file-system quiescence (sp?), and aren't application-consistent backups like a normal backup.  Your domain(s)/forest would be a mess if you tried to restore from them.

At any rate, you can certainly have a backup plan for each domain, and execute the plan if something bad happens.  You can follow the documentation in the links I provided earlier that lists the only supported methods of restoring the system-state on your servers.  You have to treat them like physical servers, unless you have a different backup application that can use the full VSS stack.  Veeam B&R does, and BackupExec 2010 does as well (with VM license add-on).

If you want to have a plan for each domain, prepare the domain plan first, apply it to each of your domains individually, so your roll-back will only involve one set of DCs.  Upgrade the DC functional level, then move to the next domain until they're all completed.  

Then prepare the Forest plan (which would be slightly different) and upgrade the forest functional level.

I think you'll find that you can just go to AD Domains and Trusts and click the button...there's really not much to it.

http://support.microsoft.com/kb/322692
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33677562
If your domain controllers were installed new as 2003, you won't have a problem.  If you've P2Ved them, or continually upgraded from NT4 --> 2000 --> 2003, you may see a problem.  If you follow the article to use REPADMIN to check the replication and any other problems, and all is well, your level increase should be a breeze.
0
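The pre-checks recommended in the thread (no stray Windows 2000 DC, healthy replication according to REPADMIN), as an added PowerShell example that is not part of any post above. It only reads state, and it assumes PowerShell 2.0 or later on a domain-joined host with repadmin.exe on the PATH and the column names of repadmin's CSV output.

```powershell
# Added example: read-only pre-flight gate before raising functional levels.
# Assumptions: domain-joined host, repadmin.exe on the PATH, and an account
# that can query every DC in the forest.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest {0}: mode {1}" -f $forest.Name, $forest.ForestMode

$blockers = @()

# 1. Every DC in every domain must run Windows Server 2003 or later.
foreach ($domain in $forest.Domains) {
    "Domain {0}: mode {1}" -f $domain.Name, $domain.DomainMode
    foreach ($dc in $domain.DomainControllers) {
        try {
            $os = $dc.OSVersion
        } catch {
            # Treat a DC whose OS cannot be read as a blocker, not as a pass.
            $blockers += "{0}: OS version could not be read" -f $dc.Name
            continue
        }
        if ($os -match '2000') {
            $blockers += "{0}: still running {1}" -f $dc.Name, $os
        }
    }
}

# 2. Replication must be clean, otherwise some DCs may never receive the
#    level change. repadmin emits one CSV row per inbound replication link.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($r in $rows) {
    if ($r.showrepl_COLUMNS -eq 'showrepl_ERROR') {
        # repadmin could not query this DC at all.
        $blockers += "repadmin could not query {0}" -f $r.'Destination DSA'
    } elseif ([int]$r.'Number of Failures' -gt 0) {
        $blockers += "{0} <- {1} [{2}]: {3} failures, last status {4}" -f `
            $r.'Destination DSA', $r.'Source DSA', $r.'Naming Context',
            $r.'Number of Failures', $r.'Last Failure Status'
    }
}

if ($blockers.Count -gt 0) {
    "NOT READY to raise functional levels:"
    $blockers
    exit 1
}
"READY: no Windows 2000 DCs found and no replication failures reported."
```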
 
LVL 41

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 33677592
Fedsig,
The authoritative restore method marks any changes restored from backup to be replicated to all servers on the network. As the guide you quote mentions, this can't be done with functional level changes. The strategy involves shutting down a few Domain Controllers on each domain so they do not receive the replication of the Functional level change, then testing to make sure nothing is broken. If nothing is broken, you're good and you can bring the inactive DCs back up. If something breaks, you'll have to decommission all DCs that received the replication data for the Functional Level increase and bring up the disconnected servers, seizing all necessary FSMO roles. Then rebuild the decommissioned servers and add them back as DCs.
0
 

Author Closing Comment

by:fedsig
ID: 33791574
Thanks
0
