I agree with Michael in principle but I don't remove the cable. You get the 
same effect by disabling outbound replication from the SM with repadmin. Before 
repadmin had that option, pulling the cable was the way to go. Since I do all 
such work remotely it would really be a pain to have to have someone there to 
pull the cable. Disable replication, do the update, check the logs and the 
schema to ensure what you expect is there and enable outbound replication again.

You will find some people who don't think it is necessary to go to those 
lengths any more, heck, I saw the Manager of MS IT tell us they no longer do it 
but I'm with Michael, I will err on the side of caution, it only takes a couple 
of extra minutes. I also had a PFE recently tell me that's how they still do it 
at customer sites if they are involved in schema updates.

The other thing I saw in your plans that I would do differently is to wait a 
bit more than the time to get a cup of coffee before demoting the old DC. Since 
you have the luxury of new hardware, you don't seem to be in that big of a 
hurry and you only have 2 DCs in the domain, I would shut down the old DC for a 
period of time before demoting it to ensure there are no dependencies that you 
were not aware of. That is the way I will be doing my 2 DC domains for the 2K8 
upgrade, and in the larger ones, where we do a rolling replacement, the last 
2K3 DC will be shut down for at least a week before being demoted.

-bob
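
The sequence described in the message above (disable outbound replication on the schema master, run the update, check the schema, re-enable), written out as an added PowerShell example that is not part of the original thread. The host name, adprep path and expected schema version are assumptions to be replaced with your own values; the script leaves replication disabled if the result is not what was expected.

```powershell
# Added example: fence off the schema master with repadmin instead of pulling the cable.
param(
    [string]$SchemaMaster    = 'SCHEMA-MASTER',        # placeholder: DC holding the schema master role
    [string]$AdprepPath      = 'D:\i386\adprep.exe',   # placeholder: adprep.exe on the install media
    [int]   $ExpectedVersion = 30                      # assumption: objectVersion after 2003 forestprep (31 for R2)
)

# Read objectVersion from the schema naming context of the named DC.
function Get-SchemaVersion([string]$Server) {
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $schema  = [ADSI]"LDAP://$Server/$($rootDse.schemaNamingContext)"
    [int]$schema.objectVersion.Value
}

# True when the DC's DSA options include DISABLE_OUTBOUND_REPL.
function Test-OutboundDisabled([string]$Server) {
    [bool]((repadmin /options $Server) -match 'DISABLE_OUTBOUND_REPL')
}

$before = Get-SchemaVersion $SchemaMaster

# Step 1: stop the schema master from replicating changes out.
repadmin /options $SchemaMaster '+DISABLE_OUTBOUND_REPL' | Out-Null
if (-not (Test-OutboundDisabled $SchemaMaster)) {
    throw "Outbound replication is still enabled on $SchemaMaster; adprep was not run."
}

# Step 2: run the schema update (adprep asks for confirmation interactively).
& $AdprepPath /forestprep
$exitCode = $LASTEXITCODE

# Step 3: check that the schema is at the version you expect.
$after = Get-SchemaVersion $SchemaMaster
"Schema objectVersion: $before -> $after (adprep exit code $exitCode)"

# Step 4: re-enable outbound replication only if the update looks right.
if ($exitCode -eq 0 -and $after -eq $ExpectedVersion) {
    repadmin /options $SchemaMaster '-DISABLE_OUTBOUND_REPL' | Out-Null
    "Outbound replication re-enabled on $SchemaMaster."
} else {
    Write-Warning ("Unexpected result; outbound replication left DISABLED on $SchemaMaster. " +
                   "Review the adprep logs, then re-enable or restore from backup.")
}
```

Confirm afterwards with `repadmin /options` that DISABLE_OUTBOUND_REPL is no longer listed, since a DC left in that state silently stops sending changes to its partners.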



-----Original Message-----
From: Michael B. Smith [mailto:[email protected]] 
Sent: Tuesday, March 02, 2010 7:04 PM
To: NT System Admin Issues
Subject: RE: Demote a DC that is primary DNS for a forest? - REVISED

Yeah, well, if the dfl and ffl haven't changed - then neither has the domain; 
regardless of the OS supporting the domain.

Yes, I would remove the network cable (or disable the NIC). But heck, I'm an 
anal SOB.

If the upgrades FAIL - then restore the backup of that DC. If they succeed - 
just enable the NIC.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Michael Leone [mailto:[email protected]] 
Sent: Tuesday, March 02, 2010 10:00 PM
To: NT System Admin Issues
Subject: Re: Demote a DC that is primary DNS for a forest? - REVISED

On Tue, Mar 2, 2010 at 9:24 PM, Michael B. Smith <[email protected]> wrote:
> No...as described below, you still have a Win2000 forest.
>
> You don't get a win2003 domain and/or forest until you start upgrading domain 
> functional levels and forest functional levels.

It would be a Win2003 domain in Win2000 native mode, isn't it? My current 
Win2000 domain is at Native Mode.

>
> To upgrade domain functional levels, all DCs in the forest have to be at the 
> higher version. To upgrade forest functional levels, all domains in the 
> forest have to be at the higher version.

Good points. Still, first steps and all .. we have all new hardware for Win2003 
servers. And once we get them all in place, we will upgrade the domain and 
forest functional levels.
>
> In terms of domainprep/forestprep, I would recommend that you run those on 
> the schema master (after you've run a full backup, including system state) 
> with that server removed from the network. Especially in the case of certain 
> SFU and certain specific iNetOrgPerson changes, it IS possible that the 
> schema upgrades can fail. You need to protect yourself from that.

Really. Removed from the network? You mean pull the NIC cable out of the schema 
master, and then perform the prep steps on it? I didn't think that would work, 
unless it could contact the other DCs to inform them of the change. Then what - 
just plug it back in and let it replicate the changes out?

>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -----Original Message-----
> From: Michael Leone [mailto:[email protected]]
> Sent: Tuesday, March 02, 2010 3:51 PM
> To: NT System Admin Issues
> Subject: Re: Demote a DC that is primary DNS for a forest? - REVISED
>
> So here's what we've come up with, as a plan:
>
> Run FORESTPREP/ADPREP this week.
> On Sat:
>
> Upgrade Win2000 forest to Win2003 by DCPROMOing new-DC2 (which has DNS
> installed)
> Transfer all FSMO roles to new-DC2
> Demote old-DC1.
> Use IP address of old-DC1 for new-DC1 (which has DNS installed).
> DCPROMO new-DC1.
> Transfer some FSMO roles to new-DC1, as balance.
>
> That means I now have a Win2003 forest. And I still have a DNS server at IP 
> address of old-DC1 (which is what all the static IPs point to).
> And I've gotten rid of old-DC1, which is throwing an error about "trusted 
> machine account" when running DCDIAG (hence the need to demote it).
>
> That should cover me, I think.
>
> Then, next weekend, I can upgrade the child domain to Win2003 by DCPROMOing 
> more member Win2003 servers in that domain, and transferring roles 
> accordingly.
>
> Sound like a plan?
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~