RE: Upgrading W2K DC to W2003
From: Jack Wang [MSFT] (jackwa_at_online.microsoft.com)
Date: 11/08/04
- Next message: Tony Scarola: "Re: NT4 to Windows 2003 : which dns ?"
- Previous message: Bob Qin [MSFT]: "Re: my skull...Cannot join Windows XP-Professional-based computer to a Windows NT 4.0-based domain"
- In reply to: Roshan: "Upgrading W2K DC to W2003"
- Next in thread: Roshan Mathews: "RE: Upgrading W2K DC to W2003"
- Reply: Roshan Mathews: "RE: Upgrading W2K DC to W2003"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 08 Nov 2004 02:45:55 GMT
Hi Roshan,
Thank you for posting!
Please refer to the following information for your questions.
1. You only need to run adprep on the schema operations master.
2. You may upgrade other DCs to Windows Server 2003 later.
3. After running the adprep commands, you need to verify that the commands
successfully ran on the schema operations master.
To do so, please refer to the following steps.
Overview: Upgrading Windows 2000 domain controllers to Windows Server 2003
--------------------------------------------------------------------------
The Windows Server 2003 adprep command that you run from the \I386 folder
of the Windows Server 2003 media prepares a Windows 2000 forest and its
domains for the addition of Windows Server 2003 domain controllers. The
Windows Server 2003 adprep /forestprep command adds the following features:
- Improved default security descriptors for object classes
- New user and group attributes
- New Schema objects and attributes like inetOrgPerson
The adprep utility supports two command-line arguments:
adprep /forestprep: Runs forest upgrade operations.
adprep /domainprep: Runs domain upgrade operations.
The adprep /forestprep command is a one-time operation performed on the
schema operation master (FSMO) of the forest. The forestprep operation must
complete and replicate to the infrastructure master of each domain before
you can run adprep /domainprep in that domain.
The adprep /domainprep command is a one-time operation that you run on the
infrastructure operations master domain controller of each domain in the
forest that will host new or upgraded Windows Server 2003 domain
controllers. The adprep /domainprep command verifies that the changes from
forestprep have replicated in the domain partition and then makes its own
changes to the domain partition and group policies in the Sysvol share.
You cannot perform either of the following actions unless the /forestprep
and the /domainprep operations have completed and replicated to all the
domain controllers in that domain:
- Upgrade the Windows 2000 domain controllers to Windows Server 2003
domain controllers by using Winnt32.exe. Note: You can upgrade the
Windows 2000 member servers and computers to Windows Server 2003 member
computers whenever you want.
- Promote new Windows Server 2003 domain controllers into the domain by
using Dcpromo.exe.
The domain that hosts the schema operations master is the only domain where
you must run both adprep /forestprep and adprep /domainprep. In all other
domains, you only have to run adprep /domainprep.
The adprep /forestprep and the adprep /domainprep commands do not add
attributes to the global catalog partial attribute set or cause a full
synchronization of the global catalog. The RTM version of adprep
/domainprep does cause a full sync of the \Policies folder in the Sysvol
tree. Even if you run forestprep and domainprep several times, completed
operations are performed only one time.
After the changes from adprep /forestprep and adprep /domainprep completely
replicate, you can upgrade the Windows 2000 domain controllers to Windows
Server 2003 by running Winnt32.exe from the \I386 folder of the Windows
Server 2003 media. Also, you can add new Windows Server 2003 domain
controllers to the domain by using Dcpromo.exe.
Upgrading the forest with the adprep /forestprep command
--------------------------------------------------------
To prepare a Windows 2000 forest and domains to accept Windows Server 2003
domain controllers, follow these steps first in a lab environment, then in
a production environment:
1. Make sure that you have completed all the operations in the "Forest
Inventory" phase with special attention to the following items:
a. You have created system state backups.
b. All the Windows 2000 domain controllers in the forest have installed
all the appropriate hotfixes and service packs.
c. End-to-end replication of Active Directory is occurring throughout the
forest
d. FRS replicates the file system policy correctly throughout each domain.
2. Log on to the console of the schema operations master with an
account that is a member of the Schema Admins security group.
3. Verify that the schema FSMO has performed inbound replication of the
schema partition by typing the following at a Windows NT command prompt:
"repadmin /showreps" (without the quotation marks). (repadmin is installed
from the Support\Tools folder of the installation media.)
4. Early Microsoft documentation recommends that you isolate the schema
operations master on a private network before you run adprep /forestprep.
Real-world experience suggests that this step is not necessary and may
cause a schema operations master to reject schema changes when it is
restarted on a private network. If you want to isolate schema additions
that were made by adprep, Microsoft recommends that you temporarily disable
outbound replication of Active Directory with the repadmin command-line
utility. To do this, follow these steps:
a. Click "Start", click "Run", type "cmd" (without the quotation marks),
and then click "OK".
b. Type the following, and then press ENTER:
"repadmin /options +DISABLE_OUTBOUND_REPL" (without the quotation marks)
5. Run adprep on the schema operations master. To do so, click "Start",
click "Run", type "cmd" (without the quotation marks), and then click
"OK". On the schema operations master, type the following command
"<X:\I386\>adprep /forestprep" (without the quotation marks) where
<X:\I386\> is the path of the Windows Server 2003 installation media. This
command runs the forest-wide schema upgrade.
Note: Events with event ID 1153 that are logged in the Directory Service
event log, such as the sample that follows, can be ignored:
Event Type : Error
Event Source : NTDS General
Event Category: Internal Processing
Event ID : 1153
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User : Everyone Computer : <some DC>
Description: Class identifier 655562 (class name
msWMI-MergeablePolicyTemplate) has an invalid superclass 655560.
Inheritance ignored.
6. Verify that the adprep /forestprep command successfully ran on the
schema operations master. To do so, from the console of the schema
operations master, verify the following items:
- The adprep /forestprep command completed without error.
- The CN=Windows2003Update object is written under
CN=ForestUpdates,CN=Configuration,DC=<forest_root_domain>. Record the value
of the Revision attribute.
- (Optional) The schema version incremented to version 30. To do so, see
the ObjectVersion attribute under
CN=Schema,CN=Configuration,DC=<forest_root_domain>.
If adprep /forestprep does not run, verify the following items:
- The fully qualified path for Adprep.exe located in the \I386 folder of
the installation media was specified when adprep ran. To do so, type the
following command:
"<x>:\i386\adprep /forestprep" (without the quotation marks) where <x>
is the drive that hosts the installation media.
- The logged on user who runs adprep has membership to the Schema Admins
security group. To verify this, use the whoami /all command.
- If adprep still does not work, view the Adprep.log file in the
%systemroot%\System32\Debug\Adprep\Logs\<Latest_log> folder.
7. If you disabled outbound replication on the schema operations master in
step 4, enable replication so that the schema changes that were made by
adprep /forestprep can propagate. To do this, follow these steps:
a. Click "Start", click "Run", type "cmd" (without the quotation marks),
and then click "OK".
b. Type the following, and then press ENTER:
"repadmin /options -DISABLE_OUTBOUND_REPL" (without the quotation marks)
8. Verify that the adprep /forestprep changes have replicated on all the
domain controllers in the forest. It is useful to monitor the following
attributes:
a. Incrementing the schema version
b. The CN=Windows2003Update,
CN=ForestUpdates,CN=Configuration,DC=<forest_root_domain> or
CN=Operations,CN=DomainUpdates,CN=System,DC=<forest_root_domain> and the
operations GUIDs under it have replicated in.
c. Search for new schema classes, objects, attributes, or other changes
that adprep /forestprep adds, such as inetOrgPerson. View the Sch<XX>.ldf
files (where <XX> is a number between 14 and 30) in the
%systemroot%\System32 folder to determine what objects and attributes
there should be. For example, inetOrgPerson is defined in Sch18.ldf.
9. Look for mangled LDAPDisplayNames.
If Exchange 2000 was installed before you ran the Windows Server 2003
adprep /forestprep command, see the "How to Identify Mangled Name
Attributes" section of the following article in the Microsoft Knowledge
Base:
314649: Windows Server 2003 adprep /forestprep command causes mangled
attributes in Windows 2000 forests that contain Exchange 2000 servers
If you find mangled names, go to Scenario 3 of the "Exchange 2000 in
Windows 2000 Forests" section of the same article.
10. Log on to the console of the schema operations master with an
account that is a member of the Schema Admins security group of the
forest that hosts the schema operations master.
Upgrading the domain with the adprep /domainprep command
--------------------------------------------------------
Run adprep /domainprep after the /forestprep changes fully replicate to the
infrastructure master domain controller in each domain that will host
Windows Server 2003 domain controllers. To do so, follow these steps:
1. Identify the infrastructure master domain controller in the domain
you are upgrading, and then log on with an account that is a member of
the Domain Admins security group in the domain you are upgrading. Note:
The enterprise administrator may not be a member of the Domain Admins
security group in child domains of the forest.
2. Run adprep /domainprep on the Infrastructure master. To do so, click
Start, click Run, type "cmd" (without the quotation marks), and then on
the Infrastructure master type the following command:
"X:\I386\adprep /domainprep" (without the quotation marks) where X:\I386\
is the path of the Windows Server 2003 installation media. This command
runs domain-wide changes in the target domain.
Note: The adprep /domainprep command modifies file permissions in the
Sysvol share. These modifications cause a full synchronization of files in
that directory tree.
3. Verify that domainprep completed successfully. To do so, verify the
following items:
- The adprep /domainprep command completed without error.
- The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=<dn path of
domain you are upgrading> object exists.
If adprep /domainprep does not run, verify the following items:
- The logged on user who runs adprep has membership to the Domain Admins
security group in the domain you are upgrading. To do so, use the
whoami /all command.
- The fully qualified path for Adprep.exe located in the \I386 directory
of the installation media was specified when you ran adprep. To do so, at a
command prompt type the following command:
"<x>:\i386\adprep /forestprep" (without the quotation marks) where <x>
is the drive that hosts the installation media.
- If adprep still does not work, view the Adprep.log file in the
%systemroot%\System32\Debug\Adprep\Logs\<Latest_log> folder.
4. Verify that the adprep /domainprep changes have replicated. To do so,
for the remaining domain controllers in the domain, verify the following
items:
- The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=<dn path of
domain you are upgrading> object exists and the value for the Revision
attribute matches the value of the same attribute on the infrastructure
master of the domain.
- (Optional) Look for objects, attributes or access control list (ACL)
changes that adprep /domainprep added.
Repeat steps 1-4 on the infrastructure master of the remaining domains in
bulk or as you add or upgrade DCs in those domains to Windows Server 2003.
Now you can promote new Windows Server 2003 computers into the forest by
using DCPROMO. Or, you can upgrade existing Windows 2000 domain controllers
to Windows Server 2003 by using WINNT32.EXE.
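The replication checks in step 8 of the forestprep section and step 4 of the domainprep section above can be automated. The script below is an added example, not code from the KB article or this post; it assumes a domain-joined management host with PowerShell and .NET System.DirectoryServices that can reach every DC over LDAP, and uses the object names and the expected schema version (30) exactly as the article gives them.

```powershell
# Added example: reads, from every DC in the forest, the three markers the
# article says to watch after adprep, and flags DCs that still lag behind the
# role holders adprep was run on (schema master / infrastructure master).
# Assumes a domain-joined host with LDAP access to each DC (not from the page).
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaDn = $forest.Schema.Name                     # CN=Schema,CN=Configuration,DC=...
$configDn = $schemaDn -replace '^CN=Schema,', ''    # CN=Configuration,DC=...
$expectedSchemaVersion = '30'                       # value named in forestprep step 6

function Get-AdsiAttribute {
    # Reads one attribute from one DC. 'missing' means the object is not on that
    # DC yet (adprep changes have not replicated in); 'error' means LDAP failed.
    param([string]$Server, [string]$Dn, [string]$Attribute)
    try {
        $path = "LDAP://$Server/$Dn"
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return 'missing' }
        $value = ([ADSI]$path).Properties[$Attribute].Value
        if ($null -eq $value) { return 'missing' }
        return [string]$value
    } catch {
        return 'error'
    }
}

$rows = foreach ($domain in $forest.Domains) {
    $domainDn  = [string]$domain.GetDirectoryEntry().Properties['distinguishedName'].Value
    $forestObj = "CN=Windows2003Update,CN=ForestUpdates,$configDn"
    $domainObj = "CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainDn"
    # Reference Revision values come from the FSMO holders adprep was run on.
    $refForestRev = Get-AdsiAttribute $forest.SchemaRoleOwner.Name $forestObj 'revision'
    $refDomainRev = Get-AdsiAttribute $domain.InfrastructureRoleOwner.Name $domainObj 'revision'

    foreach ($dc in $domain.DomainControllers) {
        $schemaVer = Get-AdsiAttribute $dc.Name $schemaDn 'objectVersion'
        $forestRev = Get-AdsiAttribute $dc.Name $forestObj 'revision'
        $domainRev = Get-AdsiAttribute $dc.Name $domainObj 'revision'
        $readable  = @($forestRev, $domainRev) -notcontains 'missing' -and
                     @($forestRev, $domainRev) -notcontains 'error'
        [pscustomobject]@{
            Domain         = $domain.Name
            DC             = $dc.Name
            SchemaVersion  = $schemaVer
            ForestRevision = $forestRev
            DomainRevision = $domainRev
            Converged      = $readable -and
                             ($schemaVer -eq $expectedSchemaVersion) -and
                             ($forestRev -eq $refForestRev) -and
                             ($domainRev -eq $refDomainRev)
        }
    }
}

$rows | Format-Table -AutoSize
$lagging = @($rows | Where-Object { -not $_.Converged })
if ($lagging.Count -gt 0) {
    Write-Warning "$($lagging.Count) DC(s) have not received the adprep changes yet; hold off on Winnt32/Dcpromo for them."
}
```

A DC reported as Converged has the schema version, forest Revision and domain Revision the article asks you to compare, which is the precondition for upgrading or promoting in that domain.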
Upgrading Windows 2000 domain controllers by using Winnt32.exe
--------------------------------------------------------------
After the changes from /forestprep and /domainprep completely replicate and
you have made a decision about security interoperability with
earlier-version clients, you can upgrade Windows 2000 domain controllers to
Windows Server 2003 and add new Windows Server 2003 domain controllers to
the domain.
The following computers must be among the first domain controllers that run
Windows Server 2003 in the forest in each domain:
- The domain naming master in the forest so that you can create default
DNS program partitions.
- The primary domain controller of the forest root domain so that the
enterprise-wide security principals that Windows Server 2003's
forestprep adds become visible in the ACL editor.
- The primary domain controller in each non-root domain so that you can
create new domain-specific Windows 2003 security principals.
To do so, use WINNT32 to upgrade existing domain controllers that host the
operational role you want. Or, transfer the role to a newly-promoted
Windows Server 2003 domain controller. Perform the following steps for each
Windows 2000 domain controller that you upgrade to Windows Server 2003 with
WINNT32 and for each Windows Server 2003 workgroup or member computer that
you promote:
1. Before you use WINNT32 to upgrade Windows 2000 member computers and
domain controllers, remove Windows 2000 Administration Tools. To do so,
use the Add/Remove Programs tool in Control Panel. (Windows 2000
upgrades only.)
2. Install any hotfix files or other fixes that either Microsoft or the
administrator determines are important.
3. Check each domain controller for possible upgrade issues. To do so, run
the following command from the \I386 folder of the installation media:
"winnt32.exe /checkupgradeonly" (without the quotation marks)
Resolve any issues that the compatibility check identifies.
4. Run WINNT32.EXE from the \I386 folder of the installation media, and
then restart the upgraded 2003 domain controller.
5. Lower the security settings for earlier-version clients as required.
If Windows NT 4.0 clients do not have NT 4.0 SP6 or Windows 95 clients do
not have the directory service client installed, disable SMB Service
signing on the Default Domain Controllers policy on the Domain Controllers
organizational unit, and then link this policy to all organizational units
that host domain controllers.
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\Microsoft Network Server: Digitally sign
communications (always)
6. Verify the health of the upgrade using the following data points:
- The upgrade completed successfully.
- The hotfixes that you added to the installation successfully replaced
the original binaries.
- Inbound and outbound replication of Active Directory is occurring for
all naming contexts held by the domain controller.
- The Netlogon and Sysvol shares exist.
- The event log indicates that the domain controller and its services are
healthy.
Note: You may receive the following event message after you upgrade:
Event Type: Error
Event Source: NTDS Backup
Event Category: Backup
Event ID: 1913
Date: <Date>
Time: HH:MM:SSAM|PM
User: N/A
Computer: <computername>
Description: Internal error: The Active Directory backup and restore
operation encountered an unexpected error. Backup or restore will not
succeed until this is corrected. You can safely ignore this event message.
7. Install the Windows Server 2003 Administration Tools (Windows 2000
upgrades and Windows Server 2003 non-domain controllers only).
Adminpak.msi is in the \I386 folder of the Windows Server 2003 CD-ROM.
Windows Server 2003 media contains updated support tools in the
Support\Tools\Suptools.msi file. Make sure that you reinstall this file.
8. Make new backups of at least the first two Windows 2000 domain
controllers that you upgraded to Windows Server 2003 in each domain in
the forest. Locate the backups of the Windows 2000 computers that you
upgraded to Windows Server 2003 in locked storage so you do not
accidentally use them to restore a domain controller that now runs
Windows Server 2003.
9. (Optional) Perform an offline defragmentation of the Active Directory
database on the domain controllers that you upgraded to Windows Server 2003
after the single instance store (SIS) has completed (Windows 2000 upgrades
only).
The SIS reviews existing permissions on objects stored in Active Directory,
and then applies a more efficient security descriptor on those objects. The
SIS starts automatically (identified by event 1953 in the directory service
event log) when upgraded domain controllers first start the Windows Server
2003 operating system. You benefit from the improved security descriptor
store only when you log an event ID 1966 event message in the directory
service event log:
Event Type: Information
Event Source: NTDS SDPROP
Event Category: Internal Processing
Event ID: 1966
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: <computername>
Description: The security descriptor propagator has completed a full
propagation pass.
Allocated space (MB): XX
Free space (MB): XX
This may have increased free space in the Active Directory database.
User Action: Consider defragmenting the database offline to reclaim the
free space that may be available in the Active Directory database. For more
information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp. This event message indicates
that the single instance store operation has completed and serves as a
cue for the administrator to perform an offline defragmentation of the
Ntds.dit using NTDSUTIL.EXE.
The offline defragmentation can reduce the size of a Windows 2000 Ntds.dit
file by up to 40%, improves Active Directory performance, and updates the
pages in the database for more efficient storage of Link Valued attributes.
10. Investigate the DLT Server Service. Windows Server 2003 domain
controllers disable the DLT Server service on fresh and upgrade installs.
If Windows 2000 or Windows XP clients in your organization use the DLT
Server service, use Group Policy to enable the DLT Server service on new or
upgraded Windows Server 2003 domain controllers. Otherwise, incrementally
delete distributed link tracking objects from Active Directory.
11. Configure the best practice organizational unit structure. Microsoft
recommends that administrators actively deploy the best practice
organizational unit structure in all the Active Directory domains, and
after they upgrade or deploy Windows Server 2003 domain controllers in
Windows Domain mode, redirect the default containers that earlier-version
APIs use to create users, computers and groups to an organizational unit
container that the administrator specifies.
12. Repeat steps 1 through 10 as required for each new or upgraded Windows
Server 2003 domain controller in the forest and step 11 (Best Practice
organizational unit structure) for each Active Directory domain.
For more information, please refer to the following article.
325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003
http://support.microsoft.com/?id=325379
Hope this helps!
Sincerely,
Jack Wang, MCSE 2000/2003, MCSA 2000/2003, MCDBA, MCSD
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
|
| Good Day to All,
|
| I have 5 DCs (W2K) in three sites under one domain. I am planning to
| upgrade them to W2003. Kindly advise:
| 1. Do I need to run the adprep on the main server (Operations Master) in
| one site, or do I need to do it on all my DCs?
| 2. Do all the other DCs need to be upgraded to Windows 2003 immediately, or
| can I do it at a later stage?
| 3. After running the adprep on the main server, how long can I wait
| before starting the upgrade process? If I wait, does it affect any process
| or updates or anything...
|
| Best Regards,
| Roshan
|