Hi- This should work (been there done that), just be VERY CAREFUL that you don't accidentally somehow put these boxes on the production network.
You'll need to clean up the old DCs with ntdsutil - search on metadata cleanup. DO NOT do it by hand with something like ADSIEdit. Be careful using snapshots to roll back your new lab as well, as you will get into USN Rollback scenarios if you don't roll them ALL back at once.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, August 27, 2009 10:42 AM
To: NT System Admin Issues
Cc: [email protected]
Subject: Advice: Using VMware ESX to practice upgrading a domain

I know a number of folks on this mailing list use VMware, so I thought I would ask this here.

I have a VMware ESX cluster, and want to practice the steps for upgrading my domain from AD 2000 to AD 2003 (then, AD2008 later). I can recall doing something similar 3 years back with the regular VMware Server, but that was on a physically isolated network. Here, I want to do it on the production ESX cluster.

My AD structure: root domain, and then a child domain. The root domain is pretty much empty; we use the child domain for all our users, servers, etc. I already have a root domain DC and a working domain DC, as VMs.

So here's what I am thinking of doing.

Create a new vSwitch, but assign it to no physical NICs. That should completely isolate it.

Create a new port group within this new vSwitch, using a separate, private IP range (i.e., 172.16.x.x).

Clone each of the 2 DC VMs. Assign each of the new cloned DCs to the new port group. Start 'em both up.

From the root cloned DC, manually seize all the FSMO roles for the root domain. (do I need to use ADSIEDIT to remove references to the other DCs for this domain?)
- so now the cloned root DC has all the FSMO roles for the root domain

From the child cloned DC, manually seize all the FSMO roles for the child domain. (do I need to use ADSIEDIT to remove references to the other DCs for this domain?)
- so now the cloned child DC has all the FSMO roles for the child domain

So what I have now is a virtualized copy of my domain structure, with each of the virtual DCs now having all the FSMO roles for their respective domains. I will then make a clone of both of these, so that I can always get back to this particular point in the configuration.

Have I missed anything so far?

At this point, I should be able to practice upgrading the domains to 2003 level.

Do forest prep/schema prep on the root domain.

Create a Win2003 member server from a template; join to the root domain, and then install AD on it. It should then pull up the whole domain to be a 2003 AD domain.

The process of upgrading the domain to 2003 AD level should upgrade *both* the root and child domains, right? But (at this point) there are no Win2003 servers in the child domain, so is the 2003 server handling both domains at that point? That's where I am confused.

Pointers/links/personal horror stories needed.

Thanks

--
Michael Leone
Network Administrator, ISM
Philadelphia Housing Authority
2500 Jackson St
Philadelphia, PA 19145
Tel: 215-684-4180
Cell: 215-252-0143
<mailto:[email protected]>
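
The role seizure described in the original message and the ntdsutil metadata cleanup recommended in the reply, sketched as an added example that is not part of either message. The server names and index variables are placeholders, and the command names assume the Windows 2000/2003-era ntdsutil.

```bat
@echo off
rem Added example. Run only on the cloned DCs inside the isolated port group.
rem LAB-ROOT-DC1 and LAB-CHILD-DC1 are placeholder names for the two clones.
set ROOTDC=LAB-ROOT-DC1
set CHILDDC=LAB-CHILD-DC1

rem 1. Root clone: seize the two forest-wide and three domain-wide roles.
rem    "seize domain naming master" is the Windows 2000/2003 spelling.
ntdsutil roles connections "connect to server %ROOTDC%" quit ^
  "seize schema master" "seize domain naming master" ^
  "seize RID master" "seize PDC" "seize infrastructure master" quit quit

rem 2. Child clone: only the three domain-wide roles exist per domain.
ntdsutil roles connections "connect to server %CHILDDC%" quit ^
  "seize RID master" "seize PDC" "seize infrastructure master" quit quit

rem 3. Metadata cleanup, part one: list sites and domains to read off
rem    the numeric index ntdsutil assigns to each.
ntdsutil "metadata cleanup" connections "connect to server %ROOTDC%" quit ^
  "select operation target" "list sites" "list domains" quit quit quit

rem Fill these in from the listings; the script stops while they are empty.
set SITEIDX=
set DOMIDX=
set SRVIDX=
if "%SITEIDX%"=="" goto :eof
if "%DOMIDX%"=="" goto :eof

rem 4. Part two: list the DCs recorded in that site to find the index of
rem    a DC that was NOT cloned into the lab.
ntdsutil "metadata cleanup" connections "connect to server %ROOTDC%" quit ^
  "select operation target" "select site %SITEIDX%" ^
  "select domain %DOMIDX%" "list servers in site" quit quit quit
if "%SRVIDX%"=="" goto :eof

rem 5. Part three: remove that one stale DC object. Repeat steps 4 and 5
rem    for each DC that was not cloned, connecting to %CHILDDC% for the
rem    child domain.
ntdsutil "metadata cleanup" connections "connect to server %ROOTDC%" quit ^
  "select operation target" "select site %SITEIDX%" ^
  "select domain %DOMIDX%" "select server %SRVIDX%" quit ^
  "remove selected server" quit quit
```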
