Upgrading Windows 2003 R2 DFL and FFL to Windows 2008R2 and rollback plan

Hello Experts,

We are planning to upgrade DFL and FFL from Window Server 2003R2 to Windows Server 2008R2 for our single domain.

We have 8 Windows Server 2008 R2 DCs geographically located in the UK and Japan.
They consist of 7 VMs and 1 Physical server.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Steps to upgrade;

Raise the DFL
Force Replication (repadmin /syncall /Aped)
Raise FFL
Restart the KDC service on all the domain controllers.

---------------------------------------------------------------------------------------------------------------------------------------------------------------
Below are the options I am considering as a rollback plan to Windows 2003 R2 DFL and FFL if we have any serious problems.

1.Before the upgrade I will take a snapshot of all the VMs and if needed revert 1st of all the DC that holds the FSMO roles and then do the remaining DCs

However for the only Physical server I will use the Server Backup tool to take a backup of the systemstate and restore if needed.

-------------------------------------------------------------------------------------------------------------------------------------------------------------

2. Take a systemstate backup using the Server Backup tool within Windows Server 2008 R2 of the Domain controller holding the FSMO roles.

Perform an DSRM authoritative restore of Active Directory for the Domain controller that holds the FSMO roles using the built-in Windows Server backup tool.

On the rest of DC' s use the same procedure but perform a non-authoritative restore of Active Directory.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Any advice/recommendation would be appreciated in regards to rollback plan or problems experienced.



Before the upgrade I will take a snapshot of all the VMs...


never take snapshots of domain controllers; 2012 was the first version that is able to handle that
prior to that, you will cause problems

Never Snapshot a Domain Controller! Here’s Why…
http://windowsitpro.com/blog/never-snapshot-domain-controller-here-s-why



Before the upgrade I will take a snapshot of all the VMs...


never take snapshots of domain controllers; 2012 was the first version that is able to handle that
prior to that, you will cause problems

Never Snapshot a Domain Controller! Here’s Why…
http://windowsitpro.com/blog/never-snapshot-domain-controller-here-s-why



Thanks, Option 1 to take snapshots is a big NO NO!

Option 2 has been revised to the below;

2. Take systemstate backup of the DC with the FSMO roles only
--------------------------------------------------------------------------------------------------
Is there any known issues with RHEL environments that are integrated with Active Directory when upgrading DFL and FFL from Windows 2003R2 to Windows 2008R2?

I have read the krbtgt account password changes and will cause issues when upgrading DFL and FFL to get around this the KDC services will need to be restarted on all Domain Controllers.

Any other advice would be appreciated especially from past experience.



Is there any known issues with RHEL environments that are integrated with Active Directory...


not that i'm aware of
what are you using? samba? IMU?
we used IMU (previously SFU) for our RHEL/CentOS systems and was fine when we upgraded from 2003 to 2008 then 2008 R2



LDAP + Kerberos or Winbind



Have successfully upgraded DFL and FFL from my experience make sure you do the AD health checks and that you meet the pre-requisites.

Share this

Related Posts

There was an error in this gadget