Planning upgrade of domain and forest functional level
  • Planning upgrade of domain and forest functional level

    We are planning to upgrade the domain and forest functional level in a few months' time from Windows 2000 Mixed to Windows 2003 Native. Here is the scenario:

    We have two forests, each forest has a single domain (a.local and z.local), a single domain in each forest. Outgoing and incoming trusts are established between the domains. The type of trust is external. Each domain has the forest and domain functional level set to Windows 2000 Mixed. All domain controllers are Windows Server 2003 or Windows Server 2003 R2.
    Domain a.local has several AD sites with one DC on each site, connected with WAN links.
    The plan is to upgrade the forest and domain functional level ONLY IN the a.local forest and domain. The other domain and forest will stay as it is, on Windows 2000 mixed. Looking at http://forums.petri.com/showthread.php?t=45198 gave me an answer that there will be no issues between separate forests and their functional levels.

    We plan first to upgrade from Windows 2000 mixed to Windows 2000 native. I suppose that after that it takes time to replicate to all domain controllers. After that we plan to upgrade from Windows 2000 native to Windows 2003 native.
    I know it's just a few simple clicks, but if something goes wrong there is no turning back.

    I can't find any best admin practices that will help me how to prepare for this, even in some worst case scenarios. So any help is most welcome.

    Best regards

  • #2
    Re: Planning upgrade of domain and forest functional level

    Best practice would be to:
    Check AD is functioning properly (no replication errors etc)
    BACKUP everything
    If you have a spare DC, take it offline so you can use it as a recovery location
    Change mode
    Check AD is OK
    Once you are happy, bring spare DC online (within the tombstone period)
    Have a
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
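
Two items in the checklist in post #2 can be checked mechanically: no replication errors before the change, and the spare DC returning within the tombstone period. The PowerShell below is an added example, not part of the original thread; it parses `repadmin /showrepl * /csv` output, and the DC names, site names, dates, the 24-hour threshold and the 60-day tombstone value are constructed sample values.

```powershell
# Added example (not from the thread). On a live DC, replace the sample with:
#   $csv = repadmin /showrepl * /csv
# CONSTRUCTED sample: DC01-DC03 and the site names are hypothetical.
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=a,DC=local",Branch1,DC02,RPC,0,0,2010-05-21 10:15:02,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=a,DC=local",Branch2,DC03,RPC,7,2010-05-21 09:58:41,2010-05-19 22:01:13,1722
showrepl_INFO,Branch1,DC02,"DC=a,DC=local",HQ,DC01,RPC,0,0,2010-05-21 10:14:47,0
'@ -split '\r?\n'

# Return every replication link that has failures or has not succeeded recently.
function Get-FailingReplLink {
    param(
        [string[]]$CsvLines,
        [int]$MaxSuccessAgeHours = 24,    # assumed threshold; tune to the site link schedule
        [datetime]$Now = (Get-Date)
    )
    $CsvLines | Where-Object { $_ } | ConvertFrom-Csv | Where-Object {
        $last = [datetime]::MinValue
        [void][datetime]::TryParse($_.'Last Success Time', [ref]$last)
        # Any row that is not a normal INFO row is treated as a problem.
        $_.showrepl_COLUMNS -ne 'showrepl_INFO' -or
            [int]$_.'Number of Failures' -gt 0 -or
            ($Now - $last).TotalHours -gt $MaxSuccessAgeHours
    } | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

# True while the offline DC can still rejoin safely. The forest's value is the
# tombstoneLifetime attribute on CN=Directory Service,CN=Windows NT,CN=Services
# in the Configuration partition; it is passed in here rather than looked up.
function Test-WithinTombstone {
    param(
        [datetime]$OfflineSince,
        [int]$TombstoneLifetimeDays,
        [int]$SafetyMarginDays = 7,       # assumed margin
        [datetime]$Now = (Get-Date)
    )
    ($Now - $OfflineSince).TotalDays -lt ($TombstoneLifetimeDays - $SafetyMarginDays)
}

$now = [datetime]'2010-05-21 11:00:00'    # fixed clock so the sample is reproducible
$bad = @(Get-FailingReplLink -CsvLines $csv -Now $now)
$bad | Format-Table -AutoSize
if ($bad.Count -gt 0) {
    Write-Warning "Do not raise the level yet: $($bad.Count) unhealthy replication link(s)."
}
Test-WithinTombstone -OfflineSince '2010-05-01' -TombstoneLifetimeDays 60 -Now $now
```

Run the same check again after the change, before the spare DC is reconnected.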



    • #3
      Re: Planning upgrade of domain and forest functional level

      Thank you for replying at such short notice.

      I have one DC as a Hyper-V guest machine and its VHD disks are periodically backed up, so I could use the VHD backups in case I need to bring the old server online.

      By "backup everything" I think you mean a full system backup including ASR, or even better, having an image of the system partition.

      I was wondering... what will be the scenario if you need to go back to the old functional level? I suppose you will need to bring online the old server that was not included in the upgrade process and reinstall every other DC in the domain that was affected by the upgrade? Or maybe you just need to do a non-authoritative restore on the other DCs that were affected by the upgrade process?
      Will there be any problems with clients in the network when the rollback is committed?



      • #4
        Re: Planning upgrade of domain and forest functional level

        I meant "backup all the DCs" but you are right, an image would be an option as well as system state backups. I would prefer to keep the server offline rather than restoring it but I don't think that's an absolute requirement

        To recover, bring up offline DC in DSRM and do an authoritative restore of the whole of AD http://forums.techarena.in/active-di...tm#post4115675
        Tom Jones


        • #5
          Re: Planning upgrade of domain and forest functional level

          If I may please interrupt, is an auth restore required, or would a non-auth restore be favourable in cases like this?

          As per my knowledge, an auth restore is required only when we need to restore a part of AD, say an OU that gets accidentally deleted.
          In this scenario, a non-auth restore should be required as that would pull the changes from other online DCs....
          This method restores the DC directory to the state that it was in when the backup was made, then overwrites all the other DCs to match the restored DC, thereby removing any changes made since backup. Authoritative restores do not have to be made of the entire directory, to restore only parts of the directory. When only parts of the active directory are restored, say an organizational unit, this information is pushed out to the remaining DCs and they are overwritten. However, the rest of the directory's information is then replicated to the restored DC's directory and it is updated.


          Can I be heard?

          Thanks,
          1kewldude
          MCSE,MCITP
          Last edited by 1kewldude; 21st May 2010, 11:36.



          • #6
            Re: Planning upgrade of domain and forest functional level

            A non-authoritative restore would be overwritten by more recent information from other DCs

            In this case the object would be (if necessary) to roll back to an earlier state of AD so an authoritative restore would be needed

            You will, no doubt, remember this from your studies for 70-294
            Tom Jones


            • #7
              Re: Planning upgrade of domain and forest functional level

              Originally posted by Ossian
              I meant "backup all the DCs" but you are right, an image would be an option as well as system state backups. I would prefer to keep the server offline rather than restoring it but I don't think that's an absolute requirement

              To recover, bring up offline DC in DSRM and do an authoritative restore of the whole of AD http://forums.techarena.in/active-di...tm#post4115675

              Apologies for not going through the whole article... now I got it and YES an auth restore would be the most desired option. I just missed the lines that the backup was taken in the form of an image......



              • #8
                Re: Planning upgrade of domain and forest functional level

                OK, glad we agreed that two forests and their trusts won't be an issue

                Due to the large infrastructure it would be a bit hard to take all DCs offline. Maybe we could take the WAN links down throughout the weekend as a maintenance window. Then try over the weekend to raise the domain and forest functional level, and then if everything works as it should at the end of the work, bring up our WAN links and allow replication to other sites.

                If some unwanted issues occurred we do an authoritative restore and bring up the WAN links so that replication to other sites can occur.

                This will cover how to revert back if the worst case scenario occurs.
                It's good to know that you don't need to completely reinstall the DC server and that it is sufficient to make an authoritative restore.

                If anyone has any good advice, feel free to point it out



                • #9
                  Re: Planning upgrade of domain and forest functional level

                  No, no, no
                  Take ONE DC offline as an insurance policy then raise the levels on one DC -- leave all the other DCs online so they pick up the changes
                  If you are sure all is OK then bring the offline DC back online as normal and it will replicate to the new level

                  IF (and only if) something goes wrong, bring up the offline DC in DSRM and do the authoritative restore, then bring it online and let it roll the rest of the domain back
                  Tom Jones


                  • #10
                    Re: Planning upgrade of domain and forest functional level

                    OK, thanks.

                    I will first try to test it in testlab before doing anything live
                    Will post results



                    • #11
                      Re: Planning upgrade of domain and forest functional level

                      Looking at: http://support.microsoft.com/kb/322692 I found something interesting.

                      See below:


                      Prepare a back-out plan that includes one of the following actions:
                      • Disconnect at least two domain controllers from each domain in the forest.
                      • Create a system state backup of at least two domain controllers from each domain in the forest.
                      Before the back-out plan can be used, all domain controllers in the forest must be decommissioned before the recovery process.

                      Note Level increases cannot be authoritatively restored. This means that all domain controllers that have replicated the level increase must be decommissioned.

                      After all the previous domain controllers are decommissioned, bring up the disconnected domain controllers or restore the domain controllers from the backup. Remove the metadata from all the other domain controllers, and then re-promote them. This is a difficult process and must be avoided.



                      • #12
                        Re: Planning upgrade of domain and forest functional level

                        Ouch!
                        Missed that one

                        OTOH, every functional level upgrade I have done has gone absolutely smoothly
                        Tom Jones