Mark Minasi's Reader Forum
 AD 2000 to 2003 upgrade advice - server off HCL

Topic Review
BeFree Posted - 03/18/2005 : 8:28:47 PM
We have an issue that I believe many are facing, because of the HP/Compaq merger our not-very-old HP NetServers are off the Microsoft HCL. This means I can't really do an in-place upgrade of our Windows 2000 AD infrastructure to 2003. So the plan is to purchase new servers and migrate our AD. I'd like to get a sanity check on our initial plan to see if I have things straight.

To complicate matters, we use Citrix and our TS licensing server is on our first server, I'll call that DC1. Both DC1 & DC2 are NetServer lp1000r's at headquarters, LAN connected in the same site. We have 27 remote sites, each also with a Win2000 AD server, in their own AD site/subnet - replicating back to DC1 as HQ's bridgehead.

The plan is to get 3 Proliants (I know, I'll never learn ...) and perform a process such as the following:

1 - Build new Win2000 server, SP4 and the 42+ critical updates (!)

2 - DCPROMO it into the tree as another domain controller, call it DC5

3 - Move TS licenses from DC1 to newly built Win2000 DC5 AD server

4 - Change all the Citrix pointers for the farm to DC5. Test Citrix.

5 - Move FSMO Roles from DC1 to DC5 (Will spread out later)+ replicate

6 - Shut down DC1 & verify things still work (Exchange especially)

7 - Bring DC1 back up, DCPROMO out of tree, shut down & test email

8 - Build 2 more Proliants with Windows 2000, DCPROMO up as DC3 & DC4

9 - Shut down DC2 & test, then bring up and DCPROMO out of tree. Off

10 - Recreate DHCP scopes and WINS replication scheme that was on DC1 over to DC3, and from DC2 over to DC4. DC5 is primarily for TS Lics.

11 - OK, about those 27 remote sites, I suppose KCC will need to determine that DC1 is gone and that DC3 is the bridgehead (it will be set as such). This may take days, as they are in other countries over not very quick links? Could trigger KCC in replmon.

12 - Now that DC1 & DC2, the "obsolete" 2 year old servers are out of the picture, and we have DC3, 4 & 5 set up and running with AD 2000, and Citrix & Exchange still work, we can finally do an upgrade.

13 - Distribute FSMO roles as indicated in MS articles between DC3&4.
(Is there a "best" way to do this during an upgrade scenario?)

14 - Ensure health of AD with replmon, repadmin, Ultrasound, etc.

15 - Run the fix for mangled Exchange attributes, inetorgpersonprevent

15 - On a good day, when all the links are up, Run ADPREP /forestprep and then /domainprep on DC3

16 - Check that replication has been successful to all 30 DCs. This may take a long time, and from what I understand I won't be able to begin the AD upgrade until it has replicated to all DC's (?)

17 - Upgrade DC3 & DC4 to Windows 2003 (1 at a time of course)

18 - TEST everything

19 - After things have run OK for a month or so, the plan is to move to Exchange 2003. I will then build a new Exchange server, and do move mailbox from one to the other methodically over time.

20 - Upgrade the 27 remote sites to Windows 2003 - this may take a year or so -or- SHIP new Windows 2003 servers to these sites and once they're there DCPROMO them up, and DCPROMO the old 2K boxes out.


Question 1 - there is no problem upgrading just a few of the core AD servers to 2003 first, then doing Exchange 2003, and last upgrading the rest of the AD servers, correct? I know there are some features I won't be able to use until all the servers are 2003, but it won't all tumble down and make us use IM forever, will it ?


Question 2 - will I be stuck in Mixed mode forever? With DC5 still running Windows 2000 AD, and serving up the TS licenses, I can't go Native mode. I've been told that I can upgrade DC5 to 2003 and it can still provide TS licenses to the Windows 2000 Citrix servers. If anyone can confirm that I would be forever grateful, as well as any input, advice or changes to the above task list.

This Forum Rocks - thanks in advance !!



5 Latest Replies (Newest First)
wkasdo Posted - 05/19/2005 : 03:03:26 AM
I confirm that Exchange 2000 works with W2003. There are two major issues that I know of:
- there is a possible schema corruption, see http://support.microsoft.com/default.aspx?kbid=314649
- In w2003 forest mode, the RUS incremental update does not work anymore: http://support.microsoft.com/default.aspx?scid=kb;en-us;831809

None of these match your situation. Did you reboot the W2003 server? You need to do that after you promote it to GC.

BeFree Posted - 05/18/2005 : 7:59:32 PM
I like the idea of going straight in with the Windows 2003 servers, instead of dcpromo'ing and then upgrading to 2003. But I can't seem to get Exchange 2000 to work after doing that. It can not see the newly created Windows 2003 AD as a Global Catalog. It does appear to actually be a GC, repadmin /showreps says IS_GC, and it's listed in DNS as a GC as well. But in Exchange System Manager on the Directory Access tab it does not recognize the 2003 server automatically. I can set it to manual and force it to that server, but the message stores don't mount and it complains that there is no GC. All the Microsoft literature I've read says that Exchange 2000 will work just fine with AD 2003, but they usually are talking about an upgrade path.

When we ran through the scenario of doing it as an upgrade after DCPROMO, the 2003 server does work just fine with Exchange. Only when it's a clean build of 2003 does it cause Exchange grief.

Can anyone confirm that this should work, promoting a Windows 2003 server and using it as a GC for Exchange 2000? Or will I need to keep a Windows 2000 GC available until Exchange 2003 has replaced 2K?

wkasdo Posted - 03/21/2005 : 01:42:03 AM

> So you're saying a more direct route would be to run adprep, replicate schema, make a new 2003 member server an AD server with DCPROMO, move the roles, shut down 1&2 and I'd be there?

That's it, basically.

> carry a Ghost image of DC1 to an identical server in the testlab and installed it, and then upgraded to 2003.

That _might_ be a problem. I have had issues with direct imaging of RAID configurations. Do you have the same problem if you do a manual build?

> but currently they are both AD and file server, which makes SYSVOL grumpy if users fill up the server

Hmm. Could be solved by partitioning, right?

> I'm not sure I exactly understand your point on making two central sites? For HQ make two sites referring to the same subnet?

I like to avoid any low-level tweaking such as preferred bridgeheads, manual connection objects and other stuff. So, if you have some central servers as bridgeheads (2?) and others for logon traffic, you can put the two bridgeheads in a site by themselves with a different AD subnet (need not match the IP subnet in size!) you can avoid setting preferred bridgeheads. At the same time, the bridgeheads are not used for logon traffic by default. That's how I like to do it. YMMV. Let me know if you need more details on this.

> Because if I have to upgrade the Citrix servers OS to 2K3 then I believe I'll have to purchase a TS CAL for all of our Windows 2000 Pro and XP clients. (?)

Correct!

BeFree Posted - 03/19/2005 : 4:45:09 PM
Thanks, and yes it did get sorta long-winded. I'm just very cautious ;-}

That's a good question, why not just make them 2K3 from the start? I suppose I was worried about running adprep from DC1 and then retiring it, but that should be fine once the whole schema is updated. The main objective is to not break Exchange. So you're saying a more direct route would be to run adprep, replicate schema, make a new 2003 member server an AD server with DCPROMO, move the roles, shut down 1&2 and I'd be there?

As far as the HCL situation, we did actually carry a Ghost image of DC1 to an identical server in the testlab and installed it, and then upgraded to 2003. It did work, but the MegaRAID service would not start until started manually, although it did work OK without it (saw the drives obviously). That's when we checked the HCL and realized it could be an issue. I'd like to be compliant, and we don't have to replace all 30 servers, only the main ones in DC are the HP NetServers. The remotes are Dells, but currently they are both AD and file server, which makes SYSVOL grumpy if users fill up the server. So that second server for the remote sites is on tap anyway to alleviate that problem.

Good point on the GC, we make them all GC's. And yes, I've had FSMO's on DC1 forever together and all is well. But there are some potential issues in multi-domain situations, which we don't have. I'm not sure I exactly understand your point on making two central sites? For HQ make two sites referring to the same subnet?

The concern that it may take a while goes to the point of 27 remote sites in other countries with slow links, some only 128k when they're working well. If one happens to go down during the schema replication process I'll have to wait until it comes back I think, or that at least seems prudent. (?)

Thanks for the confirmation that a 2003 AD TS licensing server can serve them to Citrix servers running 2000. Because if I have to upgrade the Citrix servers OS to 2K3 then I believe I'll have to purchase a TS CAL for all of our Windows 2000 Pro and XP clients. (?)

Thanks everyone for reading! And Thanks Mark, for such an excellent forum community!

wkasdo Posted - 03/19/2005 : 11:53:15 AM
Hi, welcome to the forum! Off to a good start with a loooong question... ;-) Looks like you did a lot of investigating already.

A general comment for starters: build the new servers with W2003 from the start. Why not?

> This means I can't really do an in-place upgrade of our Windows 2000 AD infrastructure to 2003. So the plan is to purchase new servers and migrate our AD

That's extreme. If w2003 won't install you have no alternative but to buy new hardware. But if it installs, buying new servers just to conform to the HCL is a bit too much. Note that W2003 standard edition is less picky than Enterprise edition. I know HP would like you to upgrade, but buying 30 new servers just because your supplier wants you to... I don't know. I wouldn't.

> 5 - Move FSMO Roles from DC1 to DC5 (Will spread out later)+ replicate

Plus GC.

> 13 - Distribute FSMO roles as indicated in MS articles between DC3&4.
> (Is there a "best" way to do this during an upgrade scenario?)

I'm not a great fan of distributing FSMO's. From a performance point of view that is only necessary on really large networks. Otherwise, you just increase your risk of FSMO downtime. Two servers have twice as much downtime as one...

> 11 - OK, about those 27 remote sites, I suppose KCC will need to determine that DC1 is gone and that DC3 is the bridgehead (it will be set as such).

Setting preferred bridgeheads is another thing to avoid. That makes it harder for AD to recover itself in case of trouble. Instead, use 2 central sites, one for logon traffic, and another for replication.

> 16 - Check that replication has been successful to all 30 DCs. This may take a long time, and from what I understand I won't be able to begin the AD upgrade until it has replicated to all DC's (?)

You're right, you should not upgrade until replication is complete. But what kind of network do you have if it does not complete within 24 hours or so?

> Question 1: there is no problem upgrading just a few of the core AD servers to 2003 first

no problem.

> Question 2 - will I be stuck in Mixed mode forever? With DC5 still running Windows 2000 AD, and serving up the TS licenses, I can't go Native mode

Sure you can go to native mode. You just need W2000 for that. But W2003 domain/forest mode is not possible until you upgrade all to W2003.

> I've been told that I can upgrade DC5 to 2003 and it can still provide TS licenses to the Windows 2000 Citrix servers.

Sure, that's possible.
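
Added example, not part of the thread or any poster's code: a first-pass gate for the point agreed in the replies above, that the upgrade should wait until replication has completed on every DC. It assumes the column layout of `repadmin /showrepl * /csv` output; the DC names, sites, domain and timestamps in the sample are constructed, and `schema_laggards` is a hypothetical helper name.

```python
import csv
import io
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample; column layout assumed to match `repadmin /showrepl * /csv`.
# DC names, sites, domain and timestamps are invented for illustration.
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=local"
SAMPLE = f"""\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC4,"{SCHEMA_NC}",HQ,DC3,RPC,0,0,2005-03-20 09:12:44,0
showrepl_INFO,HQ,DC4,"DC=example,DC=local",HQ,DC3,RPC,0,0,2005-03-20 09:13:02,0
showrepl_INFO,Remote01,R01DC,"{SCHEMA_NC}",HQ,DC3,RPC,0,0,2005-03-20 10:02:10,0
showrepl_INFO,Remote02,R02DC,"{SCHEMA_NC}",HQ,DC3,RPC,0,0,2005-03-19 22:15:01,0
showrepl_INFO,Remote03,R03DC,"{SCHEMA_NC}",HQ,DC3,RPC,7,2005-03-20 11:30:00,2005-03-18 04:00:09,1722
"""


def schema_laggards(csv_text, adprep_finished):
    """Map each DC to the reason its inbound schema replication does not yet
    show a successful pull after `adprep_finished` (a datetime)."""
    laggards = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Look only at the schema partition, where adprep /forestprep extends the schema.
        if not row["Naming Context"].upper().startswith("CN=SCHEMA,"):
            continue
        dc = row["Destination DSA"]
        failures = int(row["Number of Failures"] or 0)
        last_ok = row["Last Success Time"]
        if failures:
            laggards[dc] = f"{failures} failures, last status {row['Last Failure Status']}"
        elif last_ok in ("", "0"):
            laggards[dc] = "no successful replication recorded"
        elif datetime.strptime(last_ok, TIME_FMT) < adprep_finished:
            laggards[dc] = f"last success {last_ok} predates adprep"
    return laggards


if __name__ == "__main__":
    adprep_done = datetime(2005, 3, 20, 8, 0, 0)  # constructed completion time
    for dc, reason in sorted(schema_laggards(SAMPLE, adprep_done).items()):
        print(f"HOLD upgrade: {dc}: {reason}")
```

A clean result only shows that every DC has pulled the schema partition since adprep finished, so with slow or intermittent links rerun it until the list is empty before upgrading the first DC.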
