In the near future, my team will need to upgrade several sites which have single server networks from Windows 2000 to Windows 2003. In some of these situations it will be easiest to just back up the data, reinstall the server, restore the data, reinstall AD and recreate user/computer accounts. In other situations, however, it will be desirable to retain the existing AD database. I'm trying to work out our options and so far I have the following...
1 - Do in-place upgrade of the server to 2003 (which I never like), back up the AD and data then wipe and reinstall the server, reinstall AD, restore AD and data. I'm not sure if this would work... restoring the system state of an upgraded server over a freshly installed server.
2 - ADPrep the existing forest & domain, make a temporary server on another PC (or Virtual Server), make it a DC, replicate, transfer FSMOs, make it GC. Un DC-Promo old server, remove from domain, delete old server account from domain. Reinstall the old server and reverse the process.
Or is there another way? Using LDIFDE to dump the AD to a file. How about using ADAM on a PC as a temporary DC? What about Samba? It would be slightly easier to carry a virtual pre-built Linux server with Samba than a virtual pre-built 2K3 server.
Any ideas? Oh, and feel free to point out any errors in my logic before I make any more serious f**k ups!
I would go with option 2.
Option 2 ... definitely option 2.
Option 1 will work but when you restore the AD you still get some of the bloat that occurs during the upgrade from 2000 to 2003.
I looked into ADAM a little more, and I'm pretty sure it's not up to acting as a temporary domain controller. Good for testing ADSI scripts on though.
I also had a quick look on the Samba FAQs and get the impression that version 4 might be up to the job but it is not yet a stable release.
Option 2 is how I do mine.
2: would also be my choice. If you demote the old one down and remove it from the domain etc., would you rebuild it with the same name? Would that cause any problems? Just wondering if AD might still hold some objects pointing to the old name, uid etc...?
@plexer - Yes, that's exactly what we will do. In practice, all you need to do is a 'metadata cleanup' from NTDSUTIL (or a slash & burn in ADSIEDIT if you can't do it any other way). We've had the same problem when installing new servers at the point where we want to rename them to be the same name as the old server (having already removed the old one). I think it's because when the computer account is deleted, it gets tombstoned. Tombstoned objects hang around for up to 60 days (IIRC)!