Conventional IT wisdom says you should approach complex network changes with caution, rolling them out in stages so that your business can keep running if you hit any snags. But if you’re planning to roll out Windows 2000, where do you begin? That’s the focus of this week’s Microsoft Challenge, which was supplied by a TechRepublic member who’s about to deploy Windows 2000 throughout his organization.

“We have gone through the servers in question with the Compatibility Analyzer,” he wrote, “and have identified various drivers and applications that need updating. But now what?” With primary and backup domain controllers, Exchange Server, and IIS 4 to deal with, what’s the most sensible strategy? Three TechRepublic members offered excellent battle plans, all based on hands-on experience with this tricky upgrade.

For starters, said TechRepublic member Magetower, make sure your existing network is running without any glitches or hiccups. “Your servers and services should be running at least the level of service pack and drivers required to do the upgrade. If you need to apply a service pack, let it run for a while to make sure it doesn’t create problems before upgrading.”

Next, you should map out exactly which Windows 2000 features you want to add to your network. This is especially important if you plan to implement Active Directory. In that case, said Magetower, “you would need to do the PDC first, as this will directly affect the upgrades of the other servers, particularly the Exchange Server.”

Instead of experimenting with your live network (with possibly disastrous consequences), why not build a small test lab using a spare PC or two? A TechRepublic member with the colorful handle Last Survivor recommended handling the job this way: “Take a spare machine and build it as a BDC in the active domain. Take it off the network. While still offline, upgrade the server to a PDC. Install Windows 2000 Server and see how well all your account information comes over. Play with the admin tools on this server to get a handle on how you want to design your new AD domain.”

Having a rock-solid network backup is essential, of course, but TechRepublic member sevans suggested going one step further by building in a fail-safe mechanism. “Before proceeding, you must provide a fallback to NT4. Create a new BDC, synch it with the existing domain, and take it offline. Now you can upgrade the PDC to Windows 2000, but keep in mind that this should be done offline until the AD installation portion of the upgrade is ready to begin. Once the upgrade is complete and all seems to be functioning well, start upgrading other DCs and the Exchange Server. Don’t leave your RAS servers until last. Above all, check and double-check DNS. Any DNS issues will prevent the AD from functioning correctly. Finally, make sure that all of your DCs are time-synched together, or the security policies and domain synchronizations will begin to fail.”
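Two of the checks sevans insists on, the DNS records Active Directory uses to locate domain controllers and clock agreement between DCs, are worth scripting rather than eyeballing. The following is an added example written for this page, not code from any of the contributors: it runs against constructed zone data and clock offsets (the kind you would collect with nslookup and net time or w32tm) rather than live queries, and the domain name, host names and record set are assumptions for illustration. The 5-minute Kerberos clock tolerance is the Windows 2000 default.

```python
"""Pre-flight checks before an NT4 -> Windows 2000 / Active Directory cutover.

Added example, not part of the original article. It models two of the checks
called out in the text: the DNS SRV records Active Directory clients and DCs use
to find domain controllers, and clock agreement between DCs (Kerberos rejects
tickets when clocks differ by more than 5 minutes by default). The zone data and
clock offsets below are constructed sample input, not live lookups.
"""
from __future__ import annotations

# Kerberos default maximum tolerable clock skew, in seconds.
KERBEROS_MAX_SKEW_SECONDS = 5 * 60

# SRV records (relative to the domain name) that every AD domain controller
# registers and that clients and replication partners rely on to locate it.
REQUIRED_SRV = (
    "_ldap._tcp",
    "_kerberos._tcp",
    "_ldap._tcp.dc._msdcs",
)


def check_srv_records(zone: dict[str, list[tuple]], domain: str) -> list[str]:
    """Return problems found in the zone's AD locator records.

    ``zone`` maps a fully qualified name (trailing dot) to a list of records:
    an SRV record is ("SRV", target_host) and an address record is ("A", ip).
    """
    problems = []
    for prefix in REQUIRED_SRV:
        name = f"{prefix}.{domain}"
        targets = [t for (rtype, t) in zone.get(name, []) if rtype == "SRV"]
        if not targets:
            problems.append(f"missing SRV record {name}")
            continue
        for host in targets:
            # Every SRV target must itself resolve, or clients will fall back
            # to NetBIOS/WINS discovery or simply not find a DC at all.
            if not any(rtype == "A" for (rtype, _) in zone.get(host, [])):
                problems.append(f"SRV {name} points at {host}, which has no A record")
    return problems


def max_clock_skew(offsets: dict[str, float]) -> float:
    """Largest pairwise clock difference, in seconds, among the supplied DCs.

    ``offsets`` maps DC name -> offset from one reference clock, as you would
    record by querying each DC with net time or w32tm from a single machine.
    """
    values = list(offsets.values())
    return max(values) - min(values) if len(values) > 1 else 0.0


def preflight(zone: dict[str, list[tuple]], domain: str,
              clock_offsets: dict[str, float]) -> list[str]:
    """Combine both checks; an empty list means the domain is ready."""
    issues = check_srv_records(zone, domain)
    skew = max_clock_skew(clock_offsets)
    if skew > KERBEROS_MAX_SKEW_SECONDS:
        issues.append(
            f"DC clock skew of {skew:.0f}s exceeds the Kerberos tolerance of "
            f"{KERBEROS_MAX_SKEW_SECONDS}s")
    return issues


# Constructed sample: one locator record is missing, one SRV target has no host
# record, and one server's clock has drifted seven minutes. Names are made up.
SAMPLE_DOMAIN = "corp.example."
SAMPLE_ZONE = {
    "_ldap._tcp.corp.example.": [("SRV", "dc1.corp.example.")],
    "_kerberos._tcp.corp.example.": [("SRV", "dc1.corp.example."),
                                     ("SRV", "dc2.corp.example.")],
    # _ldap._tcp.dc._msdcs.corp.example. is absent: DCs cannot find each other.
    "dc1.corp.example.": [("A", "10.0.0.1")],
    # dc2 registered SRV records but has no A record.
}
SAMPLE_CLOCKS = {"dc1": 0.0, "dc2": 12.0, "exch1": 420.0}

if __name__ == "__main__":
    for issue in preflight(SAMPLE_ZONE, SAMPLE_DOMAIN, SAMPLE_CLOCKS):
        print("FAIL:", issue)
```

Run it before promoting the PDC and again after each DC upgrade; a clean run is the precondition for trusting that the closeted NT4 BDC is the only fallback you will need.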

Last Survivor offered a slightly different plan to keep your Windows 2000 network from getting voted off the island:

  1. Build a BDC in your NT4.0 domain. Let it synch up, and then take it offline and put it in a safe place. This is your rollback insurance. If anything goes wrong, you can bring this closeted BDC back online, make it your temporary PDC, and get back to a functioning NT4 domain.
  2. Pick out one of your existing domain controllers, preferably the most powerful one, in the best location. Make this server your PDC and upgrade it first.
  3. Upgrade your Exchange Server, to extend the AD Schema.
  4. Upgrade your BDC. You can then safely turn on Native mode for Active Directory, which gives you all the 2000 features.
  5. Assuming those server upgrades go well, you can proceed to upgrade workstations, adding them one at a time to the new Windows 2000 AD.

Every expert who looked at this problem counseled caution when upgrading the IIS server, because it’s running proprietary applications. Magetower recommended cloning the server before attempting the upgrade; that safeguard lets you pull the new server offline and replace it with the old version in case of trouble.

Take it slow, have great backups, and start with the PDC. One caveat on the rollback insurance in both plans: switching Active Directory to native mode is a one-way change, and an NT4 BDC can no longer join the domain once it is made, so the closeted BDC only gets you back to NT4 if you decide before that switch. Anything else to watch out for? After doing this migration three times, sevans offered one final word of advice: “Cross your fingers and pray.”

Here’s Ed’s new Challenge
What would you do if you were placed in charge of Microsoft’s internal network? You’ve undoubtedly heard of the successful break-in that hackers in Eastern Europe staged against the Microsoft servers that hold the company’s crown jewels: source code for Windows, Office, and next-generation .Net services. Microsoft claims the hackers didn’t get away with anything valuable, but this must have been a wake-up call for the Redmond giant. TechRepublic members collectively have millions of years of experience managing mission-critical data. How would you protect critical data from unauthorized access? With tens of thousands of users, can you really restrict access using nothing but passwords? Here’s your chance to tell Microsoft how to run a safe, secure network. Be creative, be outrageous, be blunt. But don’t delay: this challenge closes at the end of the day on Thursday, Nov. 9.