Active Directory upgrade plan - how to recover from disaster

    Question

  • Hello,

     I'm about to upgrade our AD to a 2008 R2 domain and forest functional levels. As a roll back plan, I'm planning on doing the following:

    1. Perform a full backup of AD
    2. Introduce a new domain controller server into each domain (i.e. ADbackup-01) and allow time for replication.
    3. Power off the newly created backup DCs and place them on an isolation network (these DCs can be used as fail back servers)

    4. Proceed with domain upgrade.
    5. Proceed with forest upgrade.

    If a worst case scenario situation did occur during the domain/forest upgrade, I'm planning on doing the following:
    1. Take all DCs offline
    2. Power backup DCs on
    3. Seize FSMO roles
    4. Clean up AD metadata (i.e. delete "failed upgrade DCs").
    5. Verify AD health with Dcdiag and event logs
    6. Introduce additional DCs and distribute FSMO roles as needed
    7. Verify AD health with Dcdiag and event logs

    8a. If needed, perform a full authoritative restore of AD using something like this - https://technet.microsoft.com/en-gb/library/cc961934.aspx

    Using a roll back DC seems like a much better option than an authoritative restore. Before I go down this route, I wanted to ask if there's an obvious risk I've missed?

    Thanks

    Tuesday, May 2, 2017 9:30 AM

Answers

  • Your plan would work and it is always good to keep a system state backup. Your new DCs should also be DNS/GC servers, do not forget that. The upgrade of functional levels should not be problematic but it is always a good idea to make sure that all your AD-integrated systems support it.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    Wednesday, May 3, 2017 12:10 AM

All replies

  • Hi Peter,

    Most of the points you have covered will help you to restore or build a DC during the disaster if the upgrade fails. However, you can also review the excellent guide and link that will help to restore AD.

    https://gallery.technet.microsoft.com/Active-Directory-Forest-3078dfeb

    I would suggest going for an authoritative restore in case you have to; also perform the upgrade steps in the POC/TestDev environment so you have all the steps covered and surprises.


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Tuesday, May 2, 2017 10:38 AM
  • Cheers Jimmy,

     Thanks for the guide. I know MS offer specific forest restore guides, but what I'm wondering is if there's a flaw in the methodology I mention above? The process is quicker in the unlikely event a roll back is needed.

    Tuesday, May 2, 2017 3:01 PM
  •  I'm about to upgrade our AD to a 2008 R2 domain and forest functional levels. As a roll back plan,

    For schema updates (raise), changes, only perform a full forest recovery revoke the schema changes.

    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Tuesday, May 2, 2017 4:59 PM
  • In addition, you can also check this PDF guide, which provides step-wise instructions for reanimating deleted objects in Active Directory - https://www.lepide.com/whitepaper/reanimating-the-deleted-objects-of-active-directory.pdf
    Wednesday, May 3, 2017 7:56 AM
  • Hi Burak,

    For schema updates (raise), changes, only perform a full forest recovery revoke the schema changes.

    Could you elaborate on the above statement as opposed to the method I suggested? Presumably it's because the full forest recovery is the only published MS statement you've seen on this matter?

     

    Wednesday, May 3, 2017 8:35 AM
  • Hi Burak,

    For schema updates (raise), changes, only perform a full forest recovery revoke the schema changes.

    Could you elaborate on the above statement as opposed to the method I suggested? Presumably it's because the full forest recovery is the only published MS statement you've seen on this matter?

     

    "For schema updates (raise), changes, only perform a full forest recovery revoke the schema changes." This is just a keep-in-mind section :)

     Your scenario should work, and a forest restore is also a proper way to do disaster recovery.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, May 3, 2017 8:49 AM
  • Hi Peter,

    No, there is no flaw in your methodology. I would suggest covering all the specifics and scenarios for the recovery.

    Forest recovery /Domain recovery /Backups/ Recycle Bin / check tombstone lifetime / GPO backups / DNS zone backups etc..


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Wednesday, May 3, 2017 1:13 PM
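
Added example (not posted by anyone in this thread): a pre-change snapshot that records the items the plan and the replies name, namely functional levels, FSMO holders, DNS/GC status of each DC, tombstone lifetime, and replication and Dcdiag baselines. It assumes Windows PowerShell with the ActiveDirectory module, a reachable DC running AD Web Services, and remote service query rights; `$OutDir` is a hypothetical path.

```powershell
# Added example: pre-change snapshot of the forest, for comparison after a
# raise or a rollback. Assumes the ActiveDirectory module is installed and
# every DC reports an OperatingSystemVersion. $OutDir is a hypothetical path.
Import-Module ActiveDirectory
$OutDir = 'C:\ADPreUpgrade'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Forest mode and the two forest-wide FSMO role holders.
$forest = Get-ADForest
$forest | Select-Object Name, ForestMode, SchemaMaster, DomainNamingMaster |
    Export-Csv "$OutDir\forest.csv" -NoTypeInformation

# Tombstone lifetime in days; an unset attribute means the default applies.
$dsDn = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext
$tsl = (Get-ADObject -Identity $dsDn -Properties tombstoneLifetime).tombstoneLifetime
if ($null -eq $tsl) { $tsl = 'not set (default applies)' }
"TombstoneLifetimeDays=$tsl" | Set-Content "$OutDir\tombstone.txt"

$rows = foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Server $name
    foreach ($dc in Get-ADDomainController -Filter * -Server $name) {
        # The 2008 R2 functional level requires every DC to run OS version 6.1+.
        $osVer = [version](($dc.OperatingSystemVersion -split ' ')[0])
        $dns = Get-Service -ComputerName $dc.HostName -Name DNS -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Domain        = $domain.DNSRoot
            DomainMode    = $domain.DomainMode
            DC            = $dc.HostName
            OS            = $dc.OperatingSystem
            SupportsR2    = ($osVer -ge [version]'6.1')
            GlobalCatalog = $dc.IsGlobalCatalog
            DnsRunning    = ($dns -and $dns.Status -eq 'Running')
            FsmoRoles     = ($dc.OperationMasterRoles -join ';')
        }
    }
}
$rows | Select-Object Domain, DomainMode, DC, OS, SupportsR2, GlobalCatalog, DnsRunning, FsmoRoles |
    Export-Csv "$OutDir\domain-controllers.csv" -NoTypeInformation

# Replication and health baselines from the tools named in the plan.
repadmin /showrepl * /csv | Set-Content "$OutDir\replication.csv"
dcdiag /e /q              | Set-Content "$OutDir\dcdiag-errors.txt"

# DCs that would block the raise or fall short of the DNS/GC advice.
$rows | Where-Object { -not ($_.SupportsR2 -and $_.GlobalCatalog -and $_.DnsRunning) }
```

Running it once before the backup DCs are powered off and again after any rollback gives the Dcdiag and event-log verification steps a baseline to compare against.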