Active Directory Migration Rollback

Posted on 2011-02-15
Last Modified: 2013-11-05
We are planning to upgrade our Active Directory and we are looking for a rollback plan. We are thinking of taking one of the domain controllers off and doing the upgrade; if anything goes wrong, we unplug the other DCs and bring the 2003 DC on. Would this work? As far as I understand, nothing changes at the client side; am I right?
Question by:Maroin
 
LVL 21

Expert Comment

by:snusgubben
ID: 34898492
If you are planning an upgrade from 2003 to 2008 AD, then you'll have to take one DC offline and run a metadata cleanup of the DC you took out. If/when the upgrade goes fine, you can never add the "offline" DC back in.

(If you're extending the schema, all DCs need to be online.)

If this is what you are doing, I think this is not a risky job that's worth doing the above task...
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1000 total points
ID: 34898561
It is actually worse than what snus stated; if you did have to roll back you would have to do a forest recovery.

In the past people would try to isolate the schema master but that is not really recommended anymore.  The DS team answered a question about this too:

http://blogs.technet.com/b/askds/archive/2010/04/16/friday-mail-sack-i-live-again-edition.aspx

See:  

Question

Is there a way to isolate a DC in order to do an AD Schema upgrade? I cannot find any documentation on how to do this.


Like snus said...test in a lab if you can...but the upgrade to 2008 or 2008 R2 has been done thousands of times and I've not heard of a forest recovery being needed.

Thanks

Mike
0
 

Author Comment

by:Maroin
ID: 34901645
Thanks for the replies. Yes, we are migrating from 2003 to 2008 R2. We have a couple of critical custom apps that we can't test in the lab in advance, so we need to have a backout plan in case any application stops working.

We only have one domain with 3 domain controllers.
0
 

Author Comment

by:Maroin
ID: 34901759
Still no one answered my question by the way, thought I will repeat it :D

"as far as I understand nothing changes at the client side, am I right? "

To explain, let's say I virtualize the 3 DCs and turn the physical ones off, do the upgrade using the virtual servers, and if an application stops working, turn the new set of DCs off and start the old 3 DCs. Should this work? Or will some of the clients stop working with 2003 after the migration?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34901786
Do the custom apps have any custom domain partitions (application partition)?

The vendor of those apps should be able to say if a schema/domain upgrade will affect their app.

Like Mike says, introducing 2008R2 DCs is a "routine" job. If your DCDIAGs are clean and the app vendors say go, you're doomed to succeed :)
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34901815

"as far as I understand nothing changes at the client side, am I right? "

Correct.

If you have VM hosts you can make a lab and do the testing, leaving the prod environment up and running.
0
 

Author Comment

by:Maroin
ID: 34902458
We know nothing about how these apps work, and there is no one to support them. We've tried to move them to the lab with no success, so our only option is to move ahead and roll back if they stop working.

Thanks Snusgubben, are you assuming... talking from experience or do you have any official source?

Can anyone confirm that clients are independent from the version of the AD?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34903112
Did those apps make any schema modifications?
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 1000 total points
ID: 34904739
I'm not assuming :)

When you prepare your forest/domain for 2008 R2 you make the forest ready to raise the functional level (FL). This has nothing to do with the clients, and they will not be aware that you prepare your domain.

If your functional level is 2003 at the moment, you can see here what happens when you raise the level to 2008/2008R2:

http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx

If your Apps don't have their custom Application NC, I can't see it's likely raising the FL will do any harm.


"Can anyone confirm that clients are independent from the version of the AD?"

I guess mkline71 can confirm.


0
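
The answers above turn on three facts about the existing forest: its functional levels, its schema version, and whether any application partitions (Application NCs) exist. The following read-only inventory is an added example, not code from this thread; it uses ADSI over LDAP so it needs no AD module on a 2003 domain, and it assumes it is run from a domain-joined machine as a domain user.

```powershell
# Added example: read-only pre-upgrade inventory over LDAP (ADSI).
# It queries whichever DC the locator returns and changes nothing.

# Functional-level and schema-version numbers as documented by Microsoft.
$levelNames  = @{ 0 = '2000'; 1 = '2003 interim'; 2 = '2003'; 3 = '2008'; 4 = '2008 R2' }
$schemaNames = @{ 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2' }

$rootDse = [ADSI]'LDAP://RootDSE'

# RootDSE publishes the functional levels as integers.
$domainLevel = [int]"$($rootDse.domainFunctionality)"
$forestLevel = [int]"$($rootDse.forestFunctionality)"

# The schema version is objectVersion on the head of the schema NC;
# adprep /forestprep raises it, raising the FL does not.
$schemaNc      = "$($rootDse.schemaNamingContext)"
$schema        = [ADSI]"LDAP://$schemaNc"
$schemaVersion = [int]"$($schema.objectVersion)"

# Naming contexts held by this DC, minus the three standard ones,
# are application partitions.
$standard = @(
    "$($rootDse.defaultNamingContext)",
    "$($rootDse.configurationNamingContext)",
    $schemaNc
)
$appPartitions = @($rootDse.namingContexts | Where-Object { $standard -notcontains $_ })

New-Object PSObject -Property @{
    DomainFunctionalLevel = $levelNames[$domainLevel]
    ForestFunctionalLevel = $levelNames[$forestLevel]
    SchemaVersion         = $schemaVersion
    SchemaRelease         = $schemaNames[$schemaVersion]
}

# DomainDnsZones and ForestDnsZones are the built-in DNS partitions;
# anything else was created by an application and deserves a closer look.
foreach ($nc in $appPartitions) {
    $builtIn = $nc -match '^DC=(Domain|Forest)DnsZones,'
    New-Object PSObject -Property @{ Partition = $nc; BuiltInDns = $builtIn }
}
```

Only partitions replicated to the DC that answers are listed, so run it against each of the three DCs if they might hold different application partitions.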
 
LVL 21

Expert Comment

by:snusgubben
ID: 34905041
* assuming you don't have any NT4 clients
0
 

Author Closing Comment

by:Maroin
ID: 34907700
Thanks everyone for the wonderful support
0
