Re: Replikation W2K <-> W2K3
From: Daniel Melanchthon [MVP] (melanchthon_at_gmx.de)
Date: 08/16/04
- Next message: Daniel Melanchthon [MVP]: "Re: Zugriff aufs Internet nach einrichtung von AD"
- Previous message: Christoph Tuszynski: "Re: Standardprofil"
- In reply to: Joerg Ott: "Re: Replikation W2K <-> W2K3"
- Next in thread: Ray Munzinger: "Re: Replikation W2K <-> W2K3"
- Reply: Ray Munzinger: "Re: Replikation W2K <-> W2K3"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 16 Aug 2004 20:37:43 +0200
Joerg Ott wrote:
> Careful: if an Exchange is still hanging in the W2k AD, that's not
> entirely trivial!!
Yep. Here are a few tips: before setting up the first W2k3 DC in an
existing W2k domain, the AD schema has to be updated. For that you have
to allow schema changes on the DC that holds the FSMO role
'Schema Master':
1. Register the schema DLL via Start > Run > 'regsvr32 schmmgmt.dll'
2. Start > Run > mmc
3. Console > Add/Remove Snap-in > Add
4. Active Directory Schema > Add
5. Close > OK
6. Select 'Active Directory Schema' so that the subfolders expand.
7. Right-click 'Classes and Attributes' > Operations Master.
8. Enable 'Schema may be modified on this Domain Controller'.
Alternatively via the registry (not recommended, though):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Add a new DWORD:
Value Name: Schema Update Allowed
Data Type: REG_DWORD
Base: Binary
Value Data: Type 1 to enable this feature, or 0 (zero) to disable it.
Source:
Schema Updates Require Write Access to Schema in Active Directory
http://support.microsoft.com/?kbid=285172
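As an added example (not part of the original post), the following read-only check shows what an administrator would verify before and after the schema update just described: which DC holds the Schema Master role, whether the registry alternative 'Schema Update Allowed' is set there, and which schema objectVersion every DC currently reports (the point tip 16 of the quoted checklist further down makes: all DCs must show the new version before the first W2k3 DC is installed). It is written in PowerShell, which postdates this 2004 post but is what you would run from a current admin workstation; it uses only ADSI / System.DirectoryServices, so no ActiveDirectory module is needed. Assumptions: domain-joined machine, an account with read access to the configuration partition and to the schema master's registry, and the documented objectVersion values 13 (Windows 2000), 30 (Windows Server 2003) and 31 (Windows Server 2003 R2). The function name Test-SchemaUpdateReadiness is my own.

```powershell
# Added example, not from the original post. Read-only pre-flight check for the
# W2k -> W2k3 schema update: schema master, 'Schema Update Allowed' registry value,
# and the schema objectVersion as seen on every DC. Assumes a domain-joined host,
# read access to the configuration NC and to the schema master's remote registry.

function Test-SchemaUpdateReadiness {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = $rootDse.schemaNamingContext.Value
    $configNC = $rootDse.configurationNamingContext.Value
    $schema   = [ADSI]"LDAP://$schemaNC"

    # fSMORoleOwner on the schema container is the DN of the schema master's
    # 'NTDS Settings' object; its parent is the server object carrying dNSHostName.
    $ownerDn      = $schema.fSMORoleOwner.Value
    $serverDn     = $ownerDn -replace '^CN=NTDS Settings,', ''
    $schemaMaster = ([ADSI]"LDAP://$serverDn").dNSHostName.Value

    # Documented objectVersion values for the OS levels relevant to this migration.
    $knownVersions = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2' }

    # 'Schema Update Allowed' (the registry alternative described above), read from
    # the schema master; $null means the value is absent, i.e. not set via the registry.
    $updateAllowed = $null
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $schemaMaster)
        $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        if ($key) { $updateAllowed = $key.GetValue('Schema Update Allowed') }
    } catch {
        Write-Warning "Could not read the registry on $schemaMaster : $($_.Exception.Message)"
    }

    # Enumerate DC server objects under CN=Sites and bind to the schema NC on each
    # DC directly, so a DC that has not yet replicated the new schema is visible.
    $sites    = [ADSI]"LDAP://CN=Sites,$configNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($sites)
    $searcher.Filter = '(&(objectClass=server)(dNSHostName=*))'
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')

    $perDc = foreach ($result in $searcher.FindAll()) {
        $dc = $result.Properties['dnshostname'][0]
        try   { $v = [int]([ADSI]"LDAP://$dc/$schemaNC").objectVersion.Value }
        catch { $v = $null }   # unreachable DC: reported, not skipped
        [pscustomobject]@{
            DomainController = $dc
            SchemaVersion    = $v
            Level            = if ($v -and $knownVersions.ContainsKey($v)) { $knownVersions[$v] } else { 'unknown / unreachable' }
        }
    }

    $distinct = @($perDc | Where-Object { $_.SchemaVersion } |
                  Select-Object -ExpandProperty SchemaVersion -Unique)

    [pscustomobject]@{
        SchemaMaster        = $schemaMaster
        SchemaUpdateAllowed = $updateAllowed
        SameVersionOnAllDCs = ($distinct.Count -eq 1)
        DomainControllers   = $perDc
    }
}

$report = Test-SchemaUpdateReadiness
$report | Format-List SchemaMaster, SchemaUpdateAllowed, SameVersionOnAllDCs
$report.DomainControllers | Format-Table -AutoSize
```

Run it once before 'adprep /forestprep' (every DC should report 13) and again afterwards, waiting until SameVersionOnAllDCs is True and the level reads Windows Server 2003 before promoting the first W2k3 DC. A DC listed as unreachable is itself a finding: replication to it cannot be confirmed.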
In a newly installed Windows Server 2003 domain, the group
'Enterprise Domain Controllers' automatically has read access to all
newly created GPOs. This ensures that the service can read all GPOs in
the forest.
In a migration from W2k to W2k3, all GPOs created before the migration
lack this permission. There is a bundled script that fixes the problem
by adding the corresponding right on every affected GPO:
CD /D %programfiles%\gpmc\scripts
Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:<domain.tld>
<domain.tld> must be replaced with the DNS domain name of the Windows
domain.
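To see how many GPOs are actually affected before (and after) running the GPMC script, here is an added example, written by me and not part of the original post or of the GPMC script set: a read-only audit that lists every GPO in the domain whose ACL has no Allow entry granting read access to 'Enterprise Domain Controllers'. It identifies the group by its well-known SID S-1-5-9 and checks the groupPolicyContainer objects under CN=Policies,CN=System via ADSI only. Assumptions: a domain-joined machine with read access to those objects; the function name Get-GpoMissingEdcRead and the GenericRead test are my own choices.

```powershell
# Added example, not from the original post and not part of the GPMC scripts.
# Lists every GPO whose AD-side ACL lacks an Allow ACE granting read access to
# 'Enterprise Domain Controllers' (well-known SID S-1-5-9), i.e. the GPOs the
# GrantPermissionOnAllGPOs.wsf call above would repair. Changes nothing.

function Get-GpoMissingEdcRead {
    param(
        # Distinguished name of the domain; defaults to the domain of this machine.
        [string]$DomainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    )

    $edcSid      = 'S-1-5-9'
    $genericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

    $policies = [ADSI]"LDAP://CN=Policies,CN=System,$DomainDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($policies)
    $searcher.Filter   = '(objectClass=groupPolicyContainer)'
    $searcher.PageSize = 500    # paged search, so domains with > 1000 GPOs are fully enumerated

    foreach ($result in $searcher.FindAll()) {
        $gpo = $result.GetDirectoryEntry()

        # Return identities as SIDs so the check does not depend on name translation.
        $rules = $gpo.ObjectSecurity.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])

        $hasRead = $false
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $edcSid) { continue }
            if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            # Conservative test: every bit of GenericRead must be present in one ACE.
            if (([int]$rule.ActiveDirectoryRights -band $genericRead) -eq $genericRead) {
                $hasRead = $true
                break
            }
        }

        if (-not $hasRead) {
            [pscustomobject]@{
                DisplayName       = $gpo.displayName.Value
                DistinguishedName = $gpo.distinguishedName.Value
            }
        }
    }
}

$missing = @(Get-GpoMissingEdcRead)
if ($missing.Count -eq 0) {
    'All GPOs grant Read to Enterprise Domain Controllers.'
} else {
    "$($missing.Count) GPO(s) still lack the Read permission:"
    $missing | Format-Table -AutoSize
}
```

Run it before the GPMC script to get the list of pre-migration GPOs that need fixing, and again afterwards; the second run should return nothing. Note that this looks only at the AD object's ACL, so a GPO whose SYSVOL folder permissions were edited by hand is outside what it can detect; for the actual fix use the GrantPermissionOnAllGPOs.wsf call above rather than editing ACLs manually.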
Migrating from W2k to W2k3 raises more questions than some people
initially expect. There is a KB article at MS that lists possible
errors and their causes when migrating by a) upgrading the existing
W2k DC and b) installing a W2k3 DC into a W2k domain.
Both approaches require certain preparatory work on the W2k domain.
Especially when Exchange 2000 is installed in the domain, you should
proceed carefully according to the documentation.
I quote here the steps that absolutely must be carried out *before*
installing the first DC / upgrading the only DC.
With Exchange 2000 present, point 4 is the decisive one: "The
Exchange 2000 schema defines three inetOrgPerson attributes with
non-Request for Comment (RFC)-compliant LDAPDisplayNames:
houseIdentifier, secretary, and labeledURI." These attributes must be
renamed either before or, if the damage is already done, after running
'adprep /forestprep' and 'adprep /domainprep'. How to do that is in the
corresponding KB article.
"Common Mistakes When Upgrading a Windows 2000 Domain To a Windows
2003 Domain"
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040
1. Do you have sufficient disk space that will allow you to complete
the upgrade process?
2. Do you have Windows 2000 Service Pack 4 on all the domain
controllers and Exchange Servers?
http://support.microsoft.com/default.aspx?scid=kb;en-us;331161
3. Do you have Exchange 2000 / Share Point 2001/2003 / Services for
Unix 2 in your domain/forest? Some applications like these aren't
supported by Windows 2003 servers and should be upgraded to a new
version or moved to an alternative server.
http://support.microsoft.com/default.aspx?scid=kb;en-us;277734
http://support.microsoft.com/default.aspx?scid=kb;en-us;821732
4. Do you have to fix the Active Directory schema? You can read and
find information on this issue in:
http://support.microsoft.com/default.aspx?scid=kb;en-us;325379
http://support.microsoft.com/default.aspx?scid=kb;en-us;314649
5. Do you have some third-party software/hardware that isn't supported
by Windows 2003? You can read and find information on this issue in:
http://www.microsoft.com/hcl
6. Did you upgrade the applications to the latest service pack? Some
applications that reside in the domain, like SQL Server, need to be
upgraded to the latest service pack, even if they don't reside on
Windows 2003 servers.
7. Do you have legacy operating systems and/or UNIX/Linux operating
systems? You can read and find information on this issue in:
http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;555038
8. Do you have a disaster recovery plan? Do you have a full system
backup (don't forget to test the backup data)?
9. Do you have the "Active Directory restore mode" password? Without
this password you can't restore Active Directory from the latest backup.
10. Do you need to enable Windows 2000 schema updates? The Windows 2000
schema should be configured to allow schema updates.
http://support.microsoft.com/?kbid=285172
11. Do you have the correct version of Windows 2003? You can't install
Active Directory on the "Web Server" edition or upgrade "Windows 2000
Advanced Server" to "Windows 2003 Server" (you will need the "Windows
2003 Enterprise" edition). Also, usually you can't upgrade OEM versions
of NT4/2000 to Windows 2003 or use a Windows 2003 OEM version as an
upgrade version:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823762
12. If you plan to upgrade your Windows 2000 forest to Windows 2003,
please take care of upgrading your ADC to the Exchange 2003 version
before raising the functional level of the forest, because if you
don't, you will have problems with the older ADC being unable to
correctly handle Linked Value Replication on group membership.
http://support.microsoft.com/default.aspx?scid=kb;en-us;825916
http://support.microsoft.com/default.aspx?scid=kb;en-us;823601
13. Does your system have a correct DNS infrastructure? Are the servers
and clients configured to use the correct DNS servers? (I found out
that some users configure their servers to use external DNS/ISP servers
and not local DNS servers.) Also, using single-label DNS names may
require some configuration changes:
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684
14. You can't upgrade from SBS 2000 to a regular Windows 2003 domain.
However, you can upgrade SBS 2000 to SBS 2003, or to a Windows 2003
domain by using an export/import migration process.
15. Do you have Read permission (at least) for all GPOs in the
domain? (If the Domain Admins group doesn't have this permission, the
GPO upgrade will fail, usually in the ADPREP /Domainprep step.)
16. Do you need to open some ports in the company firewall/router?
http://support.microsoft.com/?kbid=289241
17. Did you move the Exchange Enterprise Servers group and Exchange
Domain Servers group to another container?
http://support.microsoft.com/default.aspx?scid=kb;en-us;260914
18. Did you install Windows 2003 on a multihomed computer?
http://support.microsoft.com/default.aspx?scid=kb;en-us;832478
19. Did you use the InetOrgPerson object in the domain?
http://support.microsoft.com/default.aspx?scid=kb;en-us;307998
20. If you would like to upgrade a Small Business Server domain
environment to a regular Windows 2003 domain, read:
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;555073
21. Install a WINS server and configure the clients to use it. Although
most people think that there is no need to use a WINS server in the
network, there may be some situations where you might need to use
NetBIOS name resolution in your network:
http://support.microsoft.com/default.aspx?scid=837391
I found some nice tips that can save time and may help you in the
upgrade process:
1. Move all FSMO roles to one domain controller and configure all the
DCs as GCs.
2. Move the domain controller from step 1 to a unique VLAN that will be
isolated from the regular network.
3. Back up the domain controller from step 1 using a tape backup and
some imaging utility.
4. After running ADPREP /Forestprep, check that the Windows 2003 schema
upgrade contains the new 2003 forest attributes.
5. After running ADPREP /Domainprep, check that the Windows 2003 schema
upgrade contains the new 2003 domain attributes.
6. Disable any antivirus software on the server before the upgrade
process.
7. Log on to the domain controller from step 1 with an account that is
a member of: Enterprise Admins group, Domain Admins group, Schema Admins
group - and if you have an Exchange system in your organization - the
account should have Full Exchange Admin permission on the Exchange
organization, administrative groups (sites in an Exchange 5.5
environment), Exchange servers (and in an Exchange 5.5 environment also
full control on the "Configuration" container).
8. Test this upgrade in a lab before implementing it on a production
server.
9. Copy the I386 directory content from the Windows 2003 CD-ROM to the
local server hard disk.
10. Verify that all servers in the domain have the correct time zone
and are configured to synchronize from the same server (usually this
is the PDC emulator).
11. Activate the new Windows 2003 Server before implementing any
changes on the system.
12. If you add a new Windows 2003 server to the domain, make sure to
configure the correct domain name and domain suffix.
13. Don't use forbidden characters in the domain and/or server name
(e.g. *, _).
14. Before you implement a Windows 2003 CA, Windows 2003 Cluster or
Exchange 2003, configure at least one DC as a Windows 2003 DC and GC,
and configure the Windows 2003 CA, Windows 2003 Cluster or Exchange
2003 to use this server as the default logon server.
15. If you have a multi-domain hierarchy, upgrade the forest root
domain first, and only after this upgrade is complete, the rest of the
forest.
16. If you have a multi-site hierarchy, let the changes of the ADPREP
command replicate to all other sites. Verify that each DC has upgraded
its schema version before you install the Windows 2003 Server.
17. After running the ADPREP command, open
%systemroot%\system32\debug\adprep\logs\ADPrep.log and see if there
are error messages that might need to be resolved.
18. Read the "How to Troubleshoot Inter-Forest sIDHistory Migration
with ADMTv2" article before beginning the migration.
http://support.microsoft.com/default.aspx?scid=kb;en-us;322970
19. If you installed Exchange 2000/2003, it's recommended to run the
Policytest.exe utility before the upgrade:
http://support.microsoft.com/default.aspx?scid=kb;en-us;281537&FR=1&PA=1&SD=HSCH
20. Read:
HOW TO: Upgrade a Windows NT 4.0-Based PDC to a Windows Server
2003-Based Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;326209
HOW TO: Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003
Migration
http://support.microsoft.com/default.aspx?scid=kb;en-us;325851
How to Use Active Directory Migration Tool Version 2 to Migrate from
Windows 2000 to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;326480
How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;325379
Upgrading to Windows Small Business Server 2003
http://www.microsoft.com/WindowsServer2003/sbs/upgrade/default.mspx
Domain Migration Cookbook
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp1.mspx
And if something goes wrong?
1. If you followed the process that I described in the "Before you
"run" and upgrade system to Windows 2003..." section in this article, a
rollback should take no more than 30 minutes.
2. If you didn't follow the process that I described in the "Before you
"run" and upgrade system to Windows 2003..." section in this article, a
rollback may take a long time and may, in the worst case, require
reinstalling the Windows 2000 domain.
Please follow these short instructions:
1. Please check that you are logged on with a user that has sufficient
permissions to upgrade the schema and the system.
2. Check that you have enabled schema changes, and reapply the ADPREP
/Forestprep and ADPREP /Domainprep commands.
3. Consider using ADMT2 to migrate users from the Windows 2000 domain to
the new Windows 2003 domain (in a new forest). You can read and find
information on this issue in:
http://www.microsoft.com/usa/presentations/Windows2003DeploymentScenarios.ppt
4. Follow the instructions below if you are unable to successfully run
adprep /domainprep on a Windows 2000 domain:
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;555055
5. Consider calling the local Microsoft support center.
Post checklist:
How to Verify That SRV DNS Records Have Been Created for a Domain
Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;816587
How to Verify an Active Directory Installation in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;816106
Virus Scanning Recommendations on a Windows 2000 or on a Windows
Server 2003 Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
Operations That Are Performed by the Adprep.exe Utility When You Add a
Windows Server 2003 Domain Controller to a Windows 2000 Domain or Forest
http://support.microsoft.com/default.aspx?scid=kb;en-us;309628
Known issues:
KCC Error Event 1567 Occurs When You Install DNS on a Windows Server
2003-Based Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;813484
The Default Domain Controller Security Policy Icon and the Domain
Security Policy Icon Do Not Work When You Upgrade to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828291
Delegated Permissions Are Not Available and Inheritance Is
Automatically Disabled
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433
Windows 2000 and Windows Server 2003 Setup Does Not Succeed When You
Upgrade from a Windows NT 4.0-Based Primary Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;811961
Cluster Service Does Not Start After You Upgrade to Windows Server
2003, Enterprise
http://support.microsoft.com/default.aspx?scid=kb;en-us;812877
A terminal server no longer runs in application mode after you upgrade
the terminal server to Windows Small Business Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828056
Exchange 2000 Recipient Update Service does not replicate changes
successfully in forest functional level 1 or 2 in Windows Server 2003
Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;831809
Inter-Forest Trust Appears as "External" or "Unknown"
http://support.microsoft.com/default.aspx?scid=kb;en-us;311484
"Microsoft Windows Has Detected Software That Is Not Completely
Installed on Your Computer" Message When You Upgrade a Windows 2000
Server-Based Computer to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;820277
Firewall Clients Cannot Connect to the Internet After You Upgrade an
ISA Server to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;816533
"ERR3:7075 Failed to change domain affiliation, hr=800706fb" error when
the Active Directory Migration Tool version 2 is run in test mode
http://support.microsoft.com/default.aspx?scid=kb;EN-US;828261
Windows 2000 Enterprise CAs Not Added to Certificate Publishers Group
in Windows Server 2003 Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;300532
Enterprise CA May Not Publish Certificates from Child Domain or
Trusted Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;219059
"The current DC is not in the domain controller's OU" error message
when you run the Dcdiag tool
http://support.microsoft.com/default.aspx?scid=kb;EN-US;833436
More Information
Windows Server 2003 Upgrade Paths
http://support.microsoft.com/default.aspx?kbid=810613
Windows 2003 Deployment Scenarios
http://www.microsoft.com/usa/presentations/Windows2003DeploymentScenarios.ppt
.NET Enterprise Servers Online Books
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/net/onlinebooks/default.asp
HOW TO: Raise Domain and Forest Functional Levels in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;322692
Exchange Migration and Upgrade Resources
http://www.microsoft.com/exchange/techinfo/interop/default.asp
--
Greetings from the high north!
Daniel Melanchthon - MVP Exchange Server
"Banging your head against a wall uses 150 calories an hour!"