Solved

How do I upgrade/rollback a 2K to 2k3 native domain functional upgrade?

Posted on 2010-09-14
Last Modified: 2012-05-10
We need to upgrade the functionality of our domain. We are currently running 2k3 OS on the DCs. We have a two-tiered environment with our Schema master domain at the top of the forest and our production domain under it. The Operations masters for both domains are running in VMWare. Several remote sites have physical DCs running as Global Catalogs.
The current functional levels are:
Forest = Windows 2000
Domain = Windows 2000 Native

We need to switch the functional levels to:
Forest = Windows 2003 Native
Domain = Windows 2003 Native

Before we proceed with the simple task of pushing the "OK" button to perform the upgrade we need to establish an install / rollback plan.

From what I have read, Microsoft has indicated that, under our current configuration, upgrading the forest mode from 2k to 2k3 native will also push the domain mode in all the domains in the forest up to 2k3 native mode.

We plan to "VM Snapshot" the operations masters prior to the upgrade. Rolling back from the upgrade requires bringing up the operations masters from the snapshots, then demoting all the other DCs, removing the metadata and repromoting them.

Has anyone been through an install / rollback like this and can confirm the correctness of the upgrade process and the rollback plan?
Any "gotchas" to look out for?
Thanks,
LB
Question by:fedsig
14 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33675992
I don't think that I've ever heard of a problem with upgrading the domain functional level.  If there is a problem, you would surely get an error.  I've literally done this a hundred times without a single problem (except for having a random 2000 DC).
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33676000
You should just upgrade each domain first, then upgrade the forest.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 33676033
The upgrade in functional level won't do much other than enable some functions that already exist in the schema definitions. There aren't any real gotchas involved in it. If you do run into problems, the rollback method is to drop the functional level on all the domains, then drop the functional level of the forest.
0

 
LVL 39

Expert Comment

by:Adam Brown
ID: 33676065
Oops. Sorry. Commented before testing :D There isn't a way to *drop* functional levels. Your rollback for this would be to take a full system backup of all Primary Domain Controllers in the forest. If something fails, I believe you'll need to do an NTDSUtil restore of Active Directory. But as was mentioned, you really shouldn't run into any problems.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 33676085
@ acbrown2010 > drop the functional level on all the domains, then drop the functional level of the forest.

Ooo... opportunity to learn!  Can you expound on the procedure to lower the functional levels?  I'd always thought it was a domain/forest recovery from backup.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 33676089
From technet: http://technet.microsoft.com/en-us/library/cc787290%28WS.10%29.aspx

"With versions of Windows Server that are earlier than Windows Server 2008 R2, you cannot roll back or lower a functional level under any circumstances. If you have to revert to a lower functional level with a version of Windows Server that is earlier than Windows Server 2008 R2, you must rebuild the domain or forest or restore it from a backup copy."
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33676091
VMWare snapshots aren't AD-aware, and will cause USN rollbacks if you snapshot and restore them:  http://support.microsoft.com/default.aspx?scid=kb;en-us;875495

You would need a backup product like Veeam that uses the full VSS stack.

More info on DCs in a virtual environment: http://support.microsoft.com/kb/888794
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 33676104
Razmus, Sorry :D Shot my mouth (fingers) off without thinking. However, in 2008 R2, it's possible. Read here: http://social.technet.microsoft.com/wiki/contents/articles/how-to-revert-back-or-lower-the-active-directory-forest-and-domain-functional-levels-in-windows-server-2008-r2.aspx

Unfortunately, you can still only go between Windows 2008 and Windows 2008 R2 levels.
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 33676164
acbrown2010 - Excellent!  Still gave me an opportunity to learn something new today though.  Most sincerely, Thank you.  8)

But to the original question -- don't use VMWare snapshot for this...  I think the experts have already given a pretty comprehensive answer for the correct procedure to restore, if you have to roll back.
0
 

Author Comment

by:fedsig
ID: 33676539
Thanks for the comments so far, but I'm perplexed...

The text below is from the Microsoft documentation on performing a functional upgrade from 2k to 2k3 native:

Prepare a back-out plan that includes one of the following actions:

* Disconnect at least two domain controllers from each domain in the forest.
* Create a system state backup of at least two domain controllers from each domain in the forest.
Before the back-out plan can be used, all domain controllers in the forest must be decommissioned before the recovery process.

Note - Level increases cannot be authoritatively restored. This means that all domain controllers that have replicated the level increase must be decommissioned.

After all the previous domain controllers are decommissioned, bring up the disconnected domain controllers or restore the domain controllers from the backup. Remove the metadata from all the other domain controllers, and then re-promote them. This is a difficult process and must be avoided.


 
0
 
LVL 17

Accepted Solution

by:
Tony Massa earned 250 total points
ID: 33677488
They also tell you to back up your registry on any change.  It's basically to cover the RARE case of a problem.

If you plan to roll anything back you will need system-state backups for all DCs.  Like I mentioned earlier, VMWare snapshots only use file-system quiescence, and aren't application-consistent backups like a normal backup.  Your domain(s)/forest would be a mess if you tried to restore from them.

At any rate, you can certainly have a backup plan for each domain, and execute the plan if something bad happens.  You can follow the documentation in the links I provided earlier that lists the only supported methods of restoring the system-state on your servers.  You have to treat them like physical servers, unless you have a different backup application that can use the full VSS stack.  Veeam B&R does, and BackupExec 2010 does as well (with VM license add-on).

If you want to have a plan for each domain, prepare the domain plan first, apply it to each of your domains individually, so your roll-back will only involve one set of DCs.  Upgrade the DC functional level, then move to the next domain until they're all completed.  

Then prepare the Forest plan (which would be slightly different) and upgrade the forest functional level.

I think you'll find that you can just go to AD Domains and Trusts and click the button...there's really not much to it.

http://support.microsoft.com/kb/322692
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33677562
If your domain controllers were installed new as 2003, you won't have a problem.  If you've P2Ved them, or continually upgraded from NT4 --> 2000 --> 2003, you may see a problem.  If you follow the article to use REPADMIN to check the replication and any other problems, and all is well, your level increase should be a breeze.
0
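The REPADMIN replication check mentioned in the comment above can be turned into a go/no-go gate before the level is raised. This is an added example, not part of the original thread or of Microsoft's article: the function name `Test-ReplicationGate` and the 24-hour staleness threshold are hypothetical, the column names are assumed to match the header of `repadmin /showrepl * /csv`, and the data rows are constructed.

```powershell
# Added example: replication gate to run before raising a functional level.
# Header follows `repadmin /showrepl * /csv`; the three data rows are constructed.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=prod,DC=example,DC=com",HQ,DC02,RPC,0,0,2010-09-14 08:15:02,0
showrepl_INFO,HQ,DC02,"DC=prod,DC=example,DC=com",Branch1,DC03,RPC,7,2010-09-14 08:01:44,2010-09-12 22:40:10,1722
showrepl_INFO,Branch1,DC03,"CN=Configuration,DC=example,DC=com",HQ,DC01,RPC,0,0,2010-09-10 03:00:00,0
'@

function Test-ReplicationGate {         # hypothetical helper name
    param(
        [string[]]$CsvLines,            # output of: repadmin /showrepl * /csv
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeHours = 24          # hypothetical staleness threshold
    )
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $problems = @()
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        # Rows not tagged showrepl_INFO describe DCs repadmin could not query.
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            $raw = ($row.PSObject.Properties | ForEach-Object { $_.Value }) -join ','
            $problems += "NOT QUERIED: $raw"
            continue
        }
        $link = "$($row.'Source DSA') -> $($row.'Destination DSA') [$($row.'Naming Context')]"
        $last = [datetime]::MinValue
        $parsed = [datetime]::TryParse($row.'Last Success Time', $inv,
                                       [Globalization.DateTimeStyles]::None, [ref]$last)
        if ([int]$row.'Number of Failures' -gt 0) {
            $problems += "FAILING: $link status=$($row.'Last Failure Status')"
        } elseif (-not $parsed) {
            $problems += "NEVER REPLICATED: $link"
        } elseif (($Now - $last).TotalHours -gt $MaxAgeHours) {
            # No recorded failures, but the partner has not synced recently.
            $problems += "STALE: $link last success $($row.'Last Success Time')"
        }
    }
    return ,$problems
}

# Offline run against the constructed sample, with a fixed reference time.
$found = Test-ReplicationGate -CsvLines ($sample -split "`r?`n") -Now ([datetime]'2010-09-14 09:00:00')
if ($found.Count -gt 0) { $found; 'NO-GO: resolve replication before raising the level' } else { 'GO' }
# Live use: Test-ReplicationGate -CsvLines (repadmin /showrepl * /csv)
```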
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 33677592
Fedsig,
The authoritative restore method marks any changes restored from backup to be replicated to all servers on the network. As the guide you quote mentions, this can't be done with functional level changes. The strategy involves shutting down a few Domain Controllers on each domain so they do not receive the replication of the Functional level change, then testing to make sure nothing is broken. If nothing is broken, you're good and you can bring the inactive DCs back up. If something breaks, you'll have to decommission all DCs that received the replication data for the Functional Level increase and bring up the disconnected servers, seizing all necessary FSMO roles. Then rebuild the decommissioned servers and add them back as DCs.
0
 

Author Closing Comment

by:fedsig
ID: 33791574
Thanks
0
