upgrading ad schema windows 2003 R2

IgorZ

Hi,
we are faced with an urgent need to update the schema from Windows 2003 v30 to
Windows 2003 R2 v31 on an Active Directory forest comprising around 30
sites. All belong to one domain, and replication seems to work fine where most
branches are connected via 1.5/1.5mbps links. We have Exchange 2003 and
Linux servers using winbind to work with authenticating user accounts and
groups.

Would anyone have any suggestions on
1. How long approximately it may take to replicate changes after running
adprep /forest and adprep /domain on our master GC onto 30 sites via 1.5mbps
links.
2. Do we need to do anything with Exchange 2003 prior?
3. Are there any risks involved in SQL 7.5, 2000, 2005 servers
4. Are there any risks for Windows 2000 SP4 domain controllers.
5. What would be best procedure? Should I disconnect the master GC from the
network while running adprep and connect it back once it is successful? Or
do I need to have it connected to the main network?
6. In case we discover some services are incompatible after the upgrade
of schema, can I roll back using the same method as the upgrade on the master GC?

Thanks so much!
 
1. How long approximately it may take to replicate changes after running
adprep /forest and adprep /domain on our master GC onto 30 sites via
1.5mbps links.

Actually you update the schema master for the domain/forest. There is only
one for the domain/forest and other servers "check with" the schema master.
No replication.

2. Do we need to do anything with Exchange 2003 prior?

No

3. Are there any risks involved in SQL 7.5, 2000, 2005 servers

None that I'm aware of.

4. Are there any risks for Windows 2000 SP4 domain controllers.

They can't participate in the updated features R2 provides.

5. What would be best procedure? Should I disconnect the master GC from the
network while running adprep and connect it back once it is successful? Or
do I need to have it connected to the main network?

You run adprep on the schema master for your domain. You can do it online or
offline. The info does not replicate, clients "check with" the schema
master.

6. In case we discover some services are incompatible after the upgrade
of schema, can I roll back using the same method as the upgrade on the master GC?

R2 is just an upgrade to some Win 2k3 features. You shouldn't have any
problems. Not sure if/how you would roll back a schema update.

hth
DDS
 
Actually you update the schema master for the domain/forest.
There is only one for the domain/forest and other servers
"check with" the schema master.
No replication.

This is incorrect. The schema is a normal naming context just like the
other naming contexts and must be replicated to every DC in the forest.
When two DCs are out of sync with each other for schemas, all other
replication is put on hold between the two DCs until the schema
replication has completed. You will see an error message of Schema
Mismatch when this is occurring.


Varies based on your replication topology and DC operating systems and
any special replication configurations you have put into place. In
general it should be about the same as any set of changes that have to
replicate to all DCs (i.e. GC mods and Config changes). Depending on
your current design, it could be seconds, minutes, hours, or days. The
bandwidth isn't much of a consideration as the changes are small, it is
more about your topology. So what is your theoretical convergence time
for your forest? I.E. How long should it take for changes to get from
end to end? You either know or you look at your topology design to
figure it out.

Assuming your 30 sites each have 6 or fewer DCs and they are all
Windows Server 2003 and you have a single hub with 30 spokes with a
15-minute replication frequency on the site links (pretty standard
config) with a quiesced directory (i.e. no changes) you are likely
looking at 17-20 minutes or less to get the changes everywhere. If you
have varied from that or have Windows 2000 DCs then the times can
increase anywhere from a little to a lot.



2. Nothing needed from Exchange standpoint for the schema change.
However if you have put in SFU previously you should look for KBs
related to issues you can have there.

3. Shouldn't be

4. No.

5. The best procedure is to test in a lab so you have an understanding
of what you are doing and what to expect. You should also test your
critical apps to make sure nothing decided to go bonkers. Nothing
should, but maybe you have a really shitty app you depend on that does
something really stupid. That way you don't get surprised in production.

6. You can't roll back schema changes. You would have to rebuild the
entire forest from backups taken prior to the upgrade.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
1. How long approximately it may take to replicate changes after running
Actually you update the schema master for the domain/forest. There is only
one for the domain/forest and other servers "check with" the schema
master. No replication.

Danny-

This is incorrect. The schema NC is replicated to *all* DCs in the forest. By
and large it is read-only on every DC but the schema master.

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com
 
Danny Sanders said:
Actually you update the schema master for the domain/forest. There is only
one for the domain/forest and other servers "check with" the schema
master. No replication.

As Danny pointed out it is REPLICATED but....

You may have heard people say something like (the correct),

"There is only one Schema for the entire forest."

It is only editable in one place -- but it is replicated -- so in fact the
schema is the same for the entire forest.
 
inline

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
IgorZ said:
Hi,
we are faced with an urgent need to update the schema from Windows 2003 v30 to
Windows 2003 R2 v31 on an Active Directory forest comprising around 30
sites. All belong to one domain, and replication seems to work fine where most
branches are connected via 1.5/1.5mbps links. We have Exchange 2003 and
Linux servers using winbind to work with authenticating user accounts and
groups.

Would anyone have any suggestions on
1. How long approximately it may take to replicate changes after running
adprep /forest and adprep /domain on our master GC onto 30 sites via
1.5mbps links.

depends on your schedules

2. Do we need to do anything with Exchange 2003 prior?

nope, but make sure to test the schema change in a test environment!

3. Are there any risks involved in SQL 7.5, 2000, 2005 servers

nope

4. Are there any risks for Windows 2000 SP4 domain controllers.

nope

5. What would be best procedure? Should I disconnect the master GC from the
network while running adprep and connect it back once it is successful? Or
do I need to have it connected to the main network?

nope, do not disconnect. disable outbound replication (be aware if you force
repl.)

6. In case we discover some services are incompatible after the upgrade
of schema, can I roll back using the same method as the upgrade on the master GC?

undoing a schema change after it has replicated to all DCs is not
possible, except by restoring all DCs from backup
 
Not sure on the correct upgrade process.
Would I have to move all FSMO roles to one AD controller and make the schema
upgrade on it while it is disconnected? Then when it is tested OK, put it
back on the network and let it replicate?

I want to minimise risks since restoring backup on over 35 servers will be
hell.

Cheers
 
I would remove only the server holding the schema master.

hth
DDS

 
you could transfer the schema master to another DC, disable outbound AD repl
on that DC, update the schema, check everything on that DC and when OK
enable outbound AD repl., and transfer back the schema master to the
original DC

why don't you test this in a test env?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
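
A read-only check that covers two points made in the replies above: that the schema NC has to replicate to every DC, and that the updated DC should be checked before outbound replication is re-enabled. This is an added example, not code from any post in the thread. The function name `Get-SchemaConvergence` is hypothetical, the version numbers (13, 30, 31) are the ones quoted in the thread, and it assumes a domain-joined Windows host that can reach every DC over LDAP.

```powershell
# Added example (not from the thread): read-only schema version report per DC.
# Assumes a domain-joined host that can reach every DC over LDAP.
function Get-SchemaConvergence {
    param(
        # Schema objectVersion values named in the thread: 13, 30, 31 (R2 target)
        [int]$TargetVersion = 31
    )

    # Bit in the NTDS Settings "options" attribute that repadmin /options
    # shows as DISABLE_OUTBOUND_REPL.
    $DisableOutboundRepl = 0x4

    $forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $schemaMaster = $forest.SchemaRoleOwner.Name

    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            $row = [ordered]@{
                DC                   = $dc.Name
                Site                 = $dc.SiteName
                IsSchemaMaster       = ($dc.Name -eq $schemaMaster)
                SchemaVersion        = $null
                OutboundReplDisabled = $null
                Status               = 'Unreachable'
            }
            try {
                # Bind to this DC by name so the values come from its own replica.
                $rootDse  = [ADSI]"LDAP://$($dc.Name)/RootDSE"
                $schemaNC = $rootDse.psbase.Properties['schemaNamingContext'].Value
                $ntdsDN   = $rootDse.psbase.Properties['dsServiceName'].Value
                if (-not $schemaNC) { throw 'RootDSE returned no schemaNamingContext' }

                $schema = [ADSI]"LDAP://$($dc.Name)/$schemaNC"
                $ntds   = [ADSI]"LDAP://$($dc.Name)/$ntdsDN"

                $row.SchemaVersion = [int]$schema.psbase.Properties['objectVersion'].Value
                $options = [int]$ntds.psbase.Properties['options'].Value  # unset reads as 0
                $row.OutboundReplDisabled = [bool]($options -band $DisableOutboundRepl)
                $row.Status = if ($row.SchemaVersion -ge $TargetVersion) { 'Current' } else { 'Behind' }
            }
            catch {
                $row.Status = "Unreachable: $($_.Exception.Message)"
            }
            [pscustomobject]$row
        }
    }
}

$report = @(Get-SchemaConvergence -TargetVersion 31)
$report | Format-Table -AutoSize

$notCurrent = @($report | Where-Object { $_.Status -ne 'Current' })
$held       = @($report | Where-Object { $_.OutboundReplDisabled })

if ($held.Count -gt 0) {
    # A DC with outbound replication disabled keeps its changes to itself.
    Write-Warning ("Outbound replication disabled on: " + (($held | ForEach-Object { $_.DC }) -join ', '))
}
if ($notCurrent.Count -eq 0) {
    Write-Output "All $($report.Count) DCs report schema version 31 or later."
} else {
    Write-Output "$($notCurrent.Count) of $($report.Count) DCs are behind or unreachable."
}
```

Run before the change it gives a baseline of which DCs are reachable; run repeatedly afterwards it shows when every replica has picked up the new version.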

 
Thanks

One thing I forgot to mention: we also have ISA server, is that affected in
any way? I couldn't find any info on whether anything has to be applied there.

So in brief, I will be disconnecting the GC that holds the schema (as other GCs
have other roles), run domain/forest adprep, reboot it, and put it back on
the network.


 
You should not have any problems w/ ISA.


hth
DDS
 
Sorry I hurried with the initial question, I realised we also have Exchange 2000
(I am new in the IT department here and it is a very big forest).
As far as I know, before adprepping to the new schema, I must do the following to
prevent incorrectly labelled objects in Exchange:
Get the inetOrgPersonFix.ldf from the Windows 2003 support folder
Ldifde /i /f inetOrgPersonFix.ldf /c "DC=X" "DC=OURDOMAIN,DC=COM,DC=AU"

1. Should I change these attributes using the ldf file before adprep or after?
2. Is there anything anyone suggests also has to be done on Exchange 2000?
3. Current schema version is actually 13, should I first run adprep
/forestprep and adprep /domainprep from Windows 2003 CD1 to upgrade the schema
to v30 and then after run adprep from Windows 2003 R2 CD2? Or can I just
straight ahead upgrade to the new schema? (Not sure of the risks of skipping that
step)

Thanks!
 