AD forest recovery

I currently have two Server 2003 DCs in the same domain, which are going to be retired and replaced with two new Server 2008R2 DCs. I will start by adding one additional Server 2008R2 DC, and then add the other one a couple of weeks later.

The organization where I'm going to perform this upgrade has a few applications that might have added objects to the schema, but I am not sure (I have found a PowerShell script that can check this though).

The organization wants me to turn off one of the DCs (the non-Schema master) when I run adprep, because in another branch, they had to run a full forest recovery after adprep failed and schema changes did not go through properly.

But I am thinking, do I really need to run a forest recovery? I only have two DCs, DC01 and DC02. So what if I remove the network cable on DC02, that way nothing will be replicated to it. Then I perform the upgrade on DC01, and if anything goes wrong, I just turn it off. Then I reconnect the network cable on DC02, seize all FSMO roles to it, and remove all traces of DC01 in the domain.

After that I can reinstall DC01 and run dcpromo on it, to make it a DC again, but the schema version will be 30 (Server 2003) since that's what's on DC02, the single domain controller in the domain. I'm a bit unsure on what kind of info is replicated from DCs to other computers though. Do the DCs replicate anything to Exchange servers? Because they have an Exchange 2003 server in the domain as well.

Anyone with any info on this subject?
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)


    TheProf
    I am with you on this one... This is what I've done in the past for some customers who were afraid of the schema change issues:

    1. Move the schema role to another DC
    2. Make a system state backup of the DC with the schema role
    3. Successfully replicate any new changes
    4. Disconnect the network from that DC
    5. Run the adprep tool
    6. Validate all the work has been completed successfully by looking at the logs
    7. Reconnect the network and let the DC replicate
    8. Move the role back.

    I've personally never had any issues with ADprep, whether it was for Exchange, Lync or an AD upgrade. You just have to make sure to do it right and not skip any steps.
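
A check that fits steps 3, 6 and 7 of the procedure above, as an added example that is not part of either post: it reads the schema version (`objectVersion`, 30 for Server 2003 as stated in the question, 47 for Server 2008 R2) and the schema master from each DC, then lists inbound replication links that report failures. It assumes PowerShell 2.0 or later, `repadmin` on the path (Support Tools on Server 2003), and the DC names DC01 and DC02 from the question.

```powershell
# Added example, not from the thread. DC01/DC02 are the names used in the question.
$dcs = 'DC01', 'DC02'

function Get-SchemaState {
    param([string]$Server)
    # The schema naming context head carries the schema version and the FSMO owner.
    $root   = [ADSI]"LDAP://$Server/RootDSE"
    $ncDn   = $root.Get('schemaNamingContext')
    $schema = [ADSI]"LDAP://$Server/$ncDn"
    New-Object PSObject -Property @{
        Server        = $Server
        SchemaVersion = [int]$schema.Get('objectVersion')   # 30 = 2003, 47 = 2008 R2
        SchemaMaster  = $schema.Get('fSMORoleOwner')        # DN of the NTDS Settings object
    }
}

function Get-ReplicationFailure {
    param([string]$Server)
    # repadmin /csv emits one row per inbound replication link of $Server.
    repadmin /showrepl $Server /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'
}

$state = $dcs | ForEach-Object { Get-SchemaState -Server $_ }
$state | Format-Table Server, SchemaVersion, SchemaMaster -AutoSize

# Every DC should report the same version once replication has converged.
$versions = @($state | Select-Object -ExpandProperty SchemaVersion | Sort-Object -Unique)
if ($versions.Count -gt 1) {
    Write-Warning "Schema versions differ between DCs: $($versions -join ', ')"
}

foreach ($dc in $dcs) {
    $failures = @(Get-ReplicationFailure -Server $dc)
    if ($failures.Count -gt 0) {
        Write-Warning "$dc has failing inbound replication links"
        $failures | Format-Table -AutoSize
    }
}
```

Run it before disconnecting the DC and again after reconnecting it. While the DC is isolated it can only be queried locally, so set `$dcs` to that one server for the post-adprep check.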