microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late!
Posted by Meinolf Weber [MVP-DS] on January 1, 2009, 6:43 am
Hello markm75g,
Again, please WAIT before starting anything new until we hopefully get the
domain fixed to the running state it had before the demotion of the DC/CA started.
Just to get you correct: except for the CA on the DC, there was NOT another
application running on one of them???
If I read the DPM 2007 FAQ correctly, it should be possible to restore an entire
server. So check the product documentation to see if you did the correct backup
for this.
If it is only the VM file, you will run into USN rollback, because the saved
file of the demoted DC is of course older than the running DC.
What you can try in this case is to restore the VM, hopefully not that old
compared to the actual state. Then shut down the running DC VM and start up the restored
VM, so that only ONE DC is running: the one with the old status including
the CA. Then you can start a test with the domain members to see if every
service/application/CA is running as expected.
If everything works, you have to recreate all accounts/groups/policies etc.
to the actual state, and rejoin all computers to the domain again when
they are not listed in AD UC, to get AD back to the actual date. Then you
have to clean up the AD database from ALL other DCs listed there. Then you should
be able to start again with the installation of 2008 and go on.
For the CA I am not an expert, so BEFORE starting let someone in the
microsoft.public.windows.server.security
NG read/check this posting about restoring a CA on a DC from a backup done
with DPM 2007 on a VM. I will crosspost this there.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello markm75g,
>>
>> If it is now a member server you can leave it in the domain. You should
>> never seize FSMO roles if the DC which holds them is still online.
>> Would be nice if you had mentioned before that you also have a CA
>> installed on the now demoted DC. Upgrading and changing/removing DCs
>> should be well planned and, if possible, also tested beforehand. And it
>> should not be done under time pressure you set yourself.
>>
>> Do you have an actual system state backup from the demoted DC?
>>
>> Best regards
>>
> I had been using DPM 2007 to do the backups of the virtual servers,
> but from what I'm seeing it didn't capture the system state.. are you
> familiar with DPM? In the future would I be better actually
> installing a DPM client on the virtual server and backing up system
> state in this manner? I believe if I were to restore the VM via the
> DPM console, it would restore it, but due to the whole AD restoration
> from an image issue, it would do me no good.
>
> This 2008 box, which was formerly a DC, should I NOT ever use that box
> as a DC again, but leave the DHCP and DNS on that box for now, and plan on
> moving those roles to the new VSDCA box?
>
> Ultimately I'll move all 5 roles onto our one lightweight box, once I
> upgrade it from 2003 to 2008 (would I not enable GC on that box, per
> the infrastructure rule).
>
> For now I'm going to create this new 2008 VM, called VSDCA.. I'll move
> the DNS and DHCP services over to it, then do a dcpromo on it, then do
> a demotion on the only existing VSDC02 box, I think this is right.
>
> Unfortunately I'm a one man band on our network with some time
> restrictions, which I know is not best practice :) Fortunately most
> of the users are out today and we have a small domain of about 30
> users.
>
>
Posted by markm75g on January 1, 2009, 11:11 am
I guess that is true, I probably could have done the USN rollback, as yes,
it did restore the whole VM when I first tried it.
At this point I think I'm ok actually.
As I had transferred the roles over to my other DC..
Even though the upgrade to 2008 was failing on VSDC02, I just went ahead and
created two fresh boxes that were 2008, calling them VSDCA and VSDCB and
dcpromo'ing both of these.
Since only one main app was affected by the CA thing, I just created a new
CA on VSDCA.. I requested a new cert via the Communication VM and it is fine
now.
I also created a DNS on VSDCA and VSDCB, and DHCP I recreated on VSDCA (it
was formerly on VSDC01, which was demoted and is now offline).
So at this point I have the following:
VSDCA - 2008 server/ CA/ DC/ All 5 roles (not a GC) / DHCP/ DNS
VSDCB - 2008 server/DC/GC/ DNS
VSDC02 - 2003 server, DC/GC
I think the only thing left to do is demote VSDC02, at which point I'll
have everything at 2008 level, and since there will be no 2003 DCs, it can be
native.
*Down the road I will take your advice and make one physical machine a DC,
with all 5 roles (not a GC).. the only thing was, I was planning on making
this physical machine a MOM machine, as I figured MOM was best suited on a
physical machine, but I don't think MOM and DC mix, so I may have to adjust this
plan.
Thanks again for the help
Posted by Meinolf Weber [MVP-DS] on January 1, 2009, 11:28 am
Hello markm75g,
Make all DCs Global Catalog servers and also use AD integrated zones for
DNS. Hopefully the old certificates from the no longer existing CA will
not create a problem. To make sure you have no problems, run the diagnostic
tools replmon from the run line or repadmin /showrepl, dcdiag and netdiag
from the command prompt on the old machine to check for errors; if you have
some, post the complete output from the command here or solve them first.
For these tools you have to install support\tools\suptools.msi from the
2003 installation disk.
2008 includes repadmin and dcdiag. For netdiag you can copy the version from
the 2003 support tools to 2008; it runs there also.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Posted by markm75g on January 1, 2009, 12:26 pm
Thanks again,
You mention making all DCs GCs, but what about the infrastructure rule,
where if the one DC has all 5 roles inclusive of Infrastructure, it should
not be a GC as well.. or does this not really matter?
Posted by Meinolf Weber [MVP-DS] on January 1, 2009, 12:45 pm
Hello markm75g,
In a single-domain forest like yours you can make all DCs GCs, as also stated
in the article:
http://support.microsoft.com/kb/223346/en-us
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
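The two pieces of advice in this thread, checking replication health with repadmin/dcdiag before demoting the last 2003 DC and verifying GC placement against the KB 223346 Infrastructure Master rule, as one added PowerShell check. This is example code written for this page, not the posters' or Microsoft's; it assumes the ActiveDirectory module (RSAT) plus repadmin.exe and dcdiag.exe are present on the host, with rights to query the domain.

```powershell
# Added example, not code from the thread or from Microsoft. Assumes the
# ActiveDirectory PowerShell module (RSAT) plus repadmin.exe and dcdiag.exe
# are available on the host, with rights to query the domain.
Import-Module ActiveDirectory

function Get-ReplicationFailures {
    # repadmin /showrepl * /csv emits one row per inbound replication link;
    # any link with Number of Failures > 0 needs a look before demoting
    # the last 2003 DC.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows |
        Where-Object { $_.'Number of Failures' -match '^\d+$' -and
                       [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Failure Time'
}

function Get-DcDiagErrors {
    # dcdiag /q prints only the failing tests, so empty output is a clean pass.
    dcdiag /q
}

function Get-DcRoleSummary {
    # One row per DC: GC flag and the FSMO roles it holds, the same view the
    # poster gave as "VSDCA - ... All 5 roles (not a GC)".
    Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            HostName  = $_.HostName
            IsGC      = $_.IsGlobalCatalog
            FsmoRoles = ($_.OperationMasterRoles -join ',')
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # KB 223346 (cited above): the Infrastructure Master may be a GC when
    # every DC in the domain is a GC (or none is); only a mix of GC and
    # non-GC DCs with a GC Infrastructure Master is a problem.
    $dcs = @(Get-ADDomainController -Filter *)
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $im  = $dcs | Where-Object { $_.OperationMasterRoles -contains 'InfrastructureMaster' } |
           Select-Object -First 1
    if (-not $im) { return 'Infrastructure Master not found in this domain' }
    $mixed = ($gcs.Count -gt 0) -and ($gcs.Count -lt $dcs.Count)
    if ($mixed -and $im.IsGlobalCatalog) {
        return "Infrastructure Master $($im.HostName) is a GC while other DCs are not: " +
               'make every DC a GC (as advised above) or move the role to a non-GC.'
    }
    'Infrastructure Master placement: OK'
}

Get-ReplicationFailures | Format-Table -AutoSize
Get-DcDiagErrors
Get-DcRoleSummary | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
```

Run it from an elevated prompt on one of the 2008 DCs; an empty failures table, no dcdiag output and an "OK" placement line is the state to reach before demoting VSDC02.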