How to approach patching our most important server
#1
I've recently taken over the support of a company that hasn't been patching their servers... in a very long time.
I've installed the updates on most of the "less important" servers and am now left with the most important one, a Windows Server 2003. It's the DC (FSMO holder), DNS, Exchange 2003 SP2, Radius, file server, root CA, that has quite a few other products installed such as Office 2003. It's missing approximately 85 different patches, not including Exchange specific ones. A backup of the system state, Exchange store and the data (file system) was created. My question is how do I even approach patching this server. I obviously want to, but am a bit worried since it is the most important server with that many roles. What kind of backups should I make, should I apply a few patches at once (although this will prolong it, esp. since I don't have that many chances of it being down)... Any suggestions are appreciated.

#2
Well, get Office off it first -- that should never be installed on a server (TS as the exception) and IIRC Outlook and Exchange disagree with each other.
Do a full backup -- perhaps using imaging software if you can afford the downtime, then, IMHO, accept the patches as MS offers them -- they sometimes ask for e.g. SPs on their own but if they let you install multiple patches, they will not interfere.
And if you can, get another DC up and running so if the worst happens, you can "carpe FSMO" and keep your domain semi-functional.
__________________
Tom Jones MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+ PhD, MSc, FIAP, MIITT IT Trainer / Consultant Ossian Ltd Scotland
** Remember to give credit where credit is due and leave reputation points where appropriate **

#3
Ossian, thank you for your reply.
I was thinking along the same lines as far as Office (I really have no idea why they had it installed on all servers, similar with Adobe Reader and so on). I considered doing a full image using ImageX, but that most probably won't be possible. Another DC is already up and running, but I am not entirely sure it even works. I rebooted the main server once before and received a call that someone couldn't log on (obviously no cached credentials). Any suggestions as far as testing to see if the other DC is even functional?

#4
Tell the management, in writing, that you can take no responsibility for the availability of the network until you have fixed this.
Then book a lot of overtime (Fri afternoon to Monday morning is usually good) to deal with the DC properly.
Consider nuking the second DC (try to unpromo it) and doing a good rebuild and promote.
Also, see if you can get Exchange off the main DC -- there are many reasons NEVER to allow this (except in SBS) but many so-called admins like to break the rules!
IMHO the critical one will be the root CA -- make sure you have the master certificates backed up and checked, as if you lose that you WILL have trouble.
Last edited by Ossian; 7th February 2010 at 12:33.

#5
Thank you, I'll try to convince them of such a plan... might have a hard time, since I'm only here for a month and the previous admin(s) are still trusted and in the company (just different responsibilities).
Since the entire environment is a mess I'm considering my options as to what to do in the future and am leaning towards creating a brand new domain. If I just install a new DC it will carry over all the mess when replicating, same for DNS. They're using a .local and would like to go to .com, have brand new servers all on w2k8 R2, probably using Hyper-V quite a bit if not for everything (maybe even for Exchange 2010). Budget probably won't be an issue. It's just that I don't know how to approach this. There are approximately 70 users with quite basic needs, no special permissions in place. Should I build an entirely new domain, migrate (or create new ones?) just the users and mailboxes and have a trust between the domains until everything from the old environment is carried over? I'd gladly provide more details as to what else there is on the network if that might help you to assist me better... with this medium/long term plan.

#6
Why not talk to the previous admin and see if together you can resolve it?
If money is no object -- damn lucky in "the current economic climate" -- by all means go new and do a controlled migration -- you can do email via PST export on the clients.
This will probably end up as one of those religious discussions, but IMHO it is preferred to have a local domain name different from your internet domain (company.corp vs company.com) so nothing wrong with having .local (unless you have Macs IIRC).
#7
I did and was told it's my problem now.
The server hardware is quite outdated so they know they'll have to buy new soon, this would just help me start fresh, even the previous admin team recommended something along those lines. So I'd put up a new domain (not going into the .local discussion). A few things concern me, such as CA, Radius, SharePoint. This would be by far the biggest project I'd undertake and I would like to start preparing for it now. Any pointers, links, documentation would be greatly appreciated.

#8
Installing a basic CA is pretty straightforward, really it depends on what it is used for. If it's just OWA/ActiveSync/Outlook Anywhere then there's no major problems, things like EFS or Smartcards add a bit more complexity. Radius also depends on purpose, if it's just for wireless it's simple enough to get people onto wired connections whilst you migrate, remote access may be a bit more complex to schedule. Can't help you with SharePoint I'm afraid.
Having 2 Exchange servers is possible, but if they are not in the same Exchange organisation then they can't be authoritative for the same email domain, so you would have to have different email addresses on each server during the migration. That may be another reason to upgrade the existing domain rather than build a new one.
I would document your plans carefully, including a recommendation that a routable DNS name is not used. It goes against MS best practice (despite the fact that I sat an exam last week where every sample domain name had a .com suffix, but I digress).
I'd only look at building a new domain if:
A: the change of domain name is absolutely required by management
B: Active Directory is in such a mess that a fresh start is simpler than cleaning it up.
For now, I would make sure that the second DC is also a GC, which should allow users to log on even if the main server is down, and get it patched up to date.
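
As an added example (not part of any post in this thread), a pre-patch check along the lines discussed above: it tests whether the second DC is healthy and a global catalog, and backs up the root CA before the main server is touched. DC2, corp.local and D:\PrePatch are placeholder names, and the Windows Server 2003 Support Tools are assumed to be installed.

```batch
@echo off
rem Added example, not from the thread. DC2, corp.local and D:\PrePatch are
rem placeholders (assumptions). dcdiag, repadmin and netdom come from the
rem Windows Server 2003 Support Tools. Run on the main server (the CA) from
rem an administrative command prompt.
setlocal
set DC2=DC2
set DOMAIN=corp.local
set OUT=D:\PrePatch
if not exist "%OUT%" mkdir "%OUT%"

rem 1. Record the FSMO role holders, as a reference in case roles ever
rem    have to be seized on the second DC.
netdom query fsmo > "%OUT%\fsmo.txt"

rem 2. Health tests against the second DC. /q prints failures only, so an
rem    empty report means every test passed.
dcdiag /s:%DC2% /q > "%OUT%\dcdiag.txt"
for %%F in ("%OUT%\dcdiag.txt") do if %%~zF GTR 0 echo WARNING: dcdiag reported problems on %DC2%

rem 3. Replication state of the second DC: review the report for failures
rem    and for old "last success" times.
repadmin /showrepl %DC2% > "%OUT%\showrepl.txt"

rem 4. Is the second DC a global catalog? dsquery prints the DN of every GC.
dsquery server -isgc | findstr /i /c:"CN=%DC2%," > nul
if errorlevel 1 (echo WARNING: %DC2% is not a global catalog) else (echo OK: %DC2% is a global catalog)

rem 5. Root CA: back up the CA certificate, private key and database
rem    (certutil prompts for a password protecting the key file), plus the
rem    CA configuration held in the registry.
certutil -backup "%OUT%\CA"
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "%OUT%\ca-config.reg"

echo Reports written to %OUT%
endlocal
```

Copy the contents of the output folder off the server before patching; a CA backup that lives only on the machine being patched does not help if that machine fails to come back.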