RE: Upgrading W2K DC to W2003
From: Roshan Mathews (RoshanMathews_at_discussions.microsoft.com)
Date: 11/08/04
Date: Mon, 8 Nov 2004 02:23:02 -0800
Hi Jack,
Many thanks for your detailed info... it will help me...
Best regards, Roshan Mathews
"Jack Wang [MSFT]" wrote:
> Hi Roshan,
>
> Thank you for posting!
>
> Please refer to the following information for your questions.
>
> 1. You only need to run adprep on the schema operations master.
>
> 2. You may upgrade other DCs to Windows Server 2003 later.
>
> 3. After running the adprep commands, you need to verify that the commands
> successfully ran on the schema operations master.
>
> To do so, please refer to the following steps.
>
> Overview: Upgrading Windows 2000 domain controllers to Windows Server 2003
> --------------------------------------------------------------------------
>
> The Windows Server 2003 adprep command that you run from the \I386 folder
> of the Windows Server 2003 media prepares a Windows 2000 forest and its
> domains for the addition of Windows Server 2003 domain controllers. The
> Windows Server 2003 adprep /forestprep command adds the following features:
>
>
> - Improved default security descriptors for object classes
>
> - New user and group attributes
>
> - New Schema objects and attributes like inetOrgPerson
>
>
> The adprep utility supports two command-line arguments:
>
>
> adprep /forestprep: Runs forest upgrade operations.
> adprep /domainprep: Runs domain upgrade operations.
>
> The adprep /forestprep command is a one-time operation performed on the
> schema operation master (FSMO) of the forest. The forestprep operation must
> complete and replicate to the infrastructure master of each domain before
> you can run adprep /domainprep in that domain.
>
> The adprep /domainprep command is a one-time operation that you run on the
> infrastructure operations master domain controller of each domain in the
> forest that will host new or upgraded Windows Server 2003 domain
> controllers. The adprep /domainprep command verifies that the changes from
> forestprep have replicated in the domain partition and then makes its own
> changes to the domain partition and group policies in the Sysvol share.
>
> You cannot perform either of the following actions unless the /forestprep
> and the /domainprep operations have completed and replicated to all the
> domain controllers in that domain:
>
> - Upgrade the Windows 2000 domain controllers to Windows Server 2003
> domain controllers by using Winnt32.exe. Note: You can upgrade the
> Windows 2000 member servers and computers to Windows Server 2003 member
> computers whenever you want.
>
> - Promote new Windows Server 2003 domain controllers into the domain by
> using Dcpromo.exe.
>
>
> The domain that hosts the schema operations master is the only domain where
> you must run both adprep /forestprep and adprep /domainprep. In all other
> domains, you only have to run adprep /domainprep.
>
> The adprep /forestprep and the adprep /domainprep commands do not add
> attributes to the global catalog partial attribute set or cause a full
> synchronization of the global catalog. The RTM version of adprep
> /domainprep does cause a full sync of the \Policies folder in the Sysvol
> tree. Even if you run forestprep and domainprep several times, completed
> operations are performed only one time.
>
> After the changes from adprep /forestprep and adprep /domainprep completely
> replicate, you can upgrade the Windows 2000 domain controllers to Windows
> Server 2003 by running Winnt32.exe from the \I386 folder of the Windows
> Server 2003 media. Also, you can add new Windows Server 2003 domain
> controllers to the domain by using Dcpromo.exe.
>
>
> Upgrading the forest with the adprep /forestprep command
>
> To prepare a Windows 2000 forest and domains to accept Windows Server 2003
> domain controllers, follow these steps first in a lab environment, then in
> a production environment:
>
> 1. Make sure that you have completed all the operations in the "Forest
> Inventory" phase with special attention to the following items:
>
> a. You have created system state backups.
>
> b. All the Windows 2000 domain controllers in the forest have installed
> all the appropriate hotfixes and service packs.
>
> c. End-to-end replication of Active Directory is occurring throughout the
> forest.
>
> d. FRS replicates the file system policy correctly throughout each domain.
>
> 2. Log on to the console of the schema operations master with an
> account that is a member of the Schema Admins security group.
>
> 3. Verify that the schema FSMO has performed inbound replication of the
> schema partition by typing the following at a Windows NT command prompt:
>
> "repadmin /showreps" (without the quotation marks) (repadmin is installed
> by the Support\Tools folder of Active Directory.)
>
> 4. Early Microsoft documentation recommends that you isolate the schema
> operations master on a private network before you run adprep /forestprep.
> Real-world experience suggests that this step is not necessary and may
> cause a schema operations master to reject schema changes when it is
> restarted on a private network. If you want to isolate schema additions
> that were made by adprep, Microsoft recommends that you temporarily disable
> outbound replication of Active Directory with the repadmin command-line
> utility. To do this, follow these steps:
>
> a. Click "Start", click "Run", type "cmd" (without the quotation marks),
> and then click "OK".
>
> b. Type the following, and then press ENTER:
>
> "repadmin /options +DISABLE_OUTBOUND_REPL" (without the quotation marks)
>
> 5. Run adprep on the schema operations master. To do so, click "Start",
> click "Run", type "cmd" (without the quotation marks), and then click
> "OK". On the schema operations master, type the following command
>
> "<X:\I386\>adprep /forestprep" (without the quotation marks) where
> <X:\I386\> is the path of the Windows Server 2003 installation media. This
> command runs the forest-wide schema upgrade.
>
> Note: Events with event ID 1153 that are logged in the Directory Service
> event log, such as the sample that follows, can be ignored:
>
>
> Event Type : Error
> Event Source : NTDS General
> Event Category: Internal Processing
> Event ID : 1153
> Date: MM/DD/YYYY
> Time: HH:MM:SS AM|PM
> User : Everyone
> Computer : <some DC>
> Description: Class identifier 655562 (class name
> msWMI-MergeablePolicyTemplate) has an invalid superclass 655560.
> Inheritance ignored.
>
> 6. Verify that the adprep /forestprep command successfully ran on the
> schema operations master. To do so, from the console of the schema
> operations master, verify the following items:
>
> - The adprep /forestprep command completed without error.
>
> - The CN=Windows2003Update object is written under
> CN=ForestUpdates,CN=Configuration,DC=<forest_root_domain>. Record the value
> of the Revision attribute.
>
> - (Optional) The schema version incremented to version 30. To do so, see
> the ObjectVersion attribute under
> CN=Schema,CN=Configuration,DC=<forest_root_domain>.
>
> If adprep /forestprep does not run, verify the following items:
>
> - The fully qualified path for Adprep.exe located in the \I386 folder of
> the installation media was specified when adprep ran. To do so, type the
> following command:
>
> "<x>:\i386\adprep /forestprep" (without the quotation marks) where <x>
> is the drive that hosts the installation media.
>
> - The logged on user who runs adprep has membership to the Schema Admins
> security group. To verify this, use the whoami /all command.
>
> - If adprep still does not work, view the Adprep.log file in the
> %systemroot%\System32\Debug\Adprep\Logs\<Latest_log> folder.
>
> 7. If you disabled outbound replication on the schema operations master in
> step 4, enable replication so that the schema changes that were made by
> adprep /forestprep can propagate. To do this, follow these steps:
>
> a. Click "Start", click "Run", type "cmd" (without the quotation marks),
> and then click "OK".
>
> b. Type the following, and then press ENTER:
>
> "repadmin /options -DISABLE_OUTBOUND_REPL" (without the quotation marks)
>
> 8. Verify that the adprep /forestprep changes have replicated on all the
> domain controllers in the forest. It is useful to monitor the following
> attributes:
>
> a. Incrementing the schema version
>
> b. The CN=Windows2003Update,
> CN=ForestUpdates,CN=Configuration,DC=<forest_root_domain> or
> CN=Operations,CN=DomainUpdates,CN=System,DC=<forest_root_domain> and the
> operations GUIDs under it have replicated in.
>
> c. Search for new schema classes, objects, attributes, or other changes
> that adprep /forestprep adds, such as inetOrgPerson. View the Sch<XX>.ldf
> files (where <XX> is a number between 14 and 30) in the
> %systemroot%\System32 folder to determine what objects and attributes
> there should be. For example, inetOrgPerson is defined in Sch18.ldf.
>
> 9. Look for mangled LDAPDisplayNames.
>
> If Exchange 2000 was installed before you ran the Windows Server 2003
> adprep /forestprep command, see the "How to Identify Mangled Name
> Attributes" section of the following article in the Microsoft Knowledge
> Base:
>
> KB 314649: Windows Server 2003 adprep /forestprep command
> causes mangled attributes in Windows 2000 forests that contain Exchange
> 2000 servers
>
> If you find mangled names, go to Scenario 3 of the "Exchange
> 2000 in Windows 2000 Forests" section of the same article.
>
> 10. Log on to the console of the schema operations master with an
> account that is a member of the Schema Admins security group of
> the forest that hosts the schema operations master.
>
> Upgrading the domain with the adprep /domainprep command
>
> Run adprep /domainprep after the /forestprep changes fully replicate to the
> infrastructure master domain controller in each domain that will host
> Windows Server 2003 domain controllers. To do so, follow these steps:
>
> 1. Identify the infrastructure master domain controller in the domain
> you are upgrading, and then log on with an account that is a member of
> the Domain Admins security group in the domain you are upgrading. Note:
> The enterprise administrator may not be a member of the Domain Admins
> security group in child domains of the forest.
>
> 2. Run adprep /domainprep on the Infrastructure master. To do so, click
> Start, click Run, type "cmd" (without the quotation marks), and then on
> the Infrastructure master type the following command:
>
> "X:\I386\adprep /domainprep" (without the quotation marks) where X:\I386\
> is the path of the Windows Server 2003 installation media. This command
> runs domain-wide changes in the target domain.
>
> Note: The adprep /domainprep command modifies files permissions in the
> Sysvol share. These modifications cause a full synchronization of files in
> that directory tree.
>
> 3. Verify that domainprep completed successfully. To do so, verify the
> following items:
>
> - The adprep /domainprep command completed without error.
>
> - The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=<dn path of
> domain you are upgrading> exists.
>
> If adprep /domainprep does not run, verify the following items:
>
> - The logged on user who runs adprep has membership to the Domain Admins
> security group in the domain you are upgrading. To do so, use the
> whoami /all command.
>
> - The fully qualified path for Adprep.exe located in the \I386 directory
> of the installation media was specified when you ran adprep. To do so, at a
> command prompt type the following command:
>
> "<x>:\i386\adprep /forestprep" (without the quotation marks) where <x>
> is the drive that hosts the installation media.
>
> - If adprep still does not work, view the Adprep.log file in the
> %systemroot%\System32\Debug\Adprep\Logs\<Latest_log> folder.
>
> 4. Verify that the adprep /domainprep changes have replicated. To do so,
> for the remaining domain controllers in the domain, verify the following
> items:
>
> - The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=<dn path of
> domain you are upgrading> object exists and the value for the Revision
> attribute matches the value of the same attribute on the infrastructure
> master of the domain.
>
> - (Optional) Look for objects, attributes or access control list (ACL)
> changes that adprep /domainprep added.
>
> Repeat steps 1-4 on the infrastructure master of the remaining domains in
> bulk or as you add or upgrade DCs in those domains to Windows Server 2003.
> Now you can promote new Windows Server 2003 computers into the forest by
> using DCPROMO. Or, you can upgrade existing Windows 2000 domain controllers
> to Windows Server 2003 by using WINNT32.EXE.
>
> Upgrading Windows 2000 domain controllers by using Winnt32.exe
> --------------------------------------------------------------
>
> After the changes from /forestprep and /domainprep completely replicate and
> you have made a decision about security interoperability with
> earlier-version clients, you can upgrade Windows 2000 domain controllers to
> Windows Server 2003 and add new Windows Server 2003 domain controllers to
> the domain.
>
> The following computers must be among the first domain controllers that run
> Windows Server 2003 in the forest in each domain:
> - The domain naming master in the forest so that you can create default
> DNS program partitions.
> - The primary domain controller of the forest root domain so that the
> enterprise-wide security principals that Windows Server 2003's
> forestprep adds become visible in the ACL editor.
> - The primary domain controller in each non-root domain so that you can
> create new domain-specific Windows 2003 security principals.
>
>
> To do so, use WINNT32 to upgrade existing domain controllers that host the
> operational role you want. Or, transfer the role to a newly-promoted
> Windows Server 2003 domain controller. Perform the following steps for each
> Windows 2000 domain controller that you upgrade to Windows Server 2003 with
> WINNT32 and for each Windows Server 2003 workgroup or member computer that
> you promote:
>
> 1. Before you use WINNT32 to upgrade Windows 2000 member computers and
> domain controllers, remove Windows 2000 Administration Tools. To do so,
> use the Add/Remove Programs tool in Control Panel. (Windows 2000
> upgrades only.)
>
> 2. Install any hotfix files or other fixes that either Microsoft or the
> administrator determines are important.
>
> 3. Check each domain controller for possible upgrade issues. To do so, run
> the following command from the \I386 folder of the installation media:
>
> "winnt32.exe /checkupgradeonly" (without the quotation marks)
>
> Resolve any issues that the compatibility check identifies.
>
> 4. Run WINNT32.EXE from the \I386 folder of the installation media, and
> then restart the upgraded 2003 domain controller.
>
> 5. Lower the security settings for earlier-version clients as required.
>
> If Windows NT 4.0 clients do not have NT 4.0 SP6 or Windows 95 clients do
> not have the directory service client installed, disable SMB Service
> signing on the Default Domain Controllers policy on the Domain Controllers
> organizational unit, and then link this policy to all organizational units
> that host domain controllers.
>
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\Security Options\Microsoft Network Server: Digitally sign
> communications (always)
>
> 6. Verify the health of the upgrade using the following data points:
>
> - The upgrade completed successfully.
>
> - The hotfixes that you added to the installation successfully replaced
> the original binaries.
>
> - Inbound and outbound replication of Active Directory is occurring for
> all naming contexts held by the domain controller.
>
> - The Netlogon and Sysvol shares exist.
>
> - The event log indicates that the domain controller and its services are
> healthy.
>
> Note: You may receive the following event message after you upgrade:
>
> Event Type: Error
> Event Source: NTDS Backup
> Event Category: Backup
> Event ID: 1913
> Date: <Date>
> Time: HH:MM:SS AM|PM
> User: N/A
> Computer: <computername>
> Description: Internal error: The Active Directory backup and restore
> operation encountered an unexpected error. Backup or restore will not
> succeed until this is corrected.
>
> You can safely ignore this event message.
>
> 7. Install the Windows Server 2003 Administration Tools (Windows 2000
> upgrades and Windows Server 2003 non-domain controllers only).
> Adminpak.msi is in the \I386 folder of the Windows Server 2003 CD-ROM.
> Windows Server 2003 media contains updated support tools in the
> Support\Tools\Suptools.msi file. Make sure that you reinstall this file.
>
> 8. Make new backups of at least the first two Windows 2000 domain
> controllers that you upgraded to Windows Server 2003 in each domain in
> the forest. Locate the backups of the Windows 2000 computers that you
> upgraded to Windows Server 2003 in locked storage so you do not
> accidentally use them to restore a domain controller that now runs
> Windows Server 2003.
>
> 9. (Optional) Perform an offline defragmentation of the Active Directory
> database on the domain controllers that you upgraded to Windows Server 2003
> after the single instance store (SIS) has completed (Windows 2000 upgrades
> only).
>
> The SIS reviews existing permissions on objects stored in Active Directory,
> and then applies a more efficient security descriptor on those objects. The
> SIS starts automatically (identified by event 1953 in the directory service
> event log) when upgraded domain controllers first start the Windows Server
> 2003 operating system. You benefit from the improved security descriptor
> store only when you log an event ID 1966 event message in the directory
> service event log:
>
>
> Event Type: Information
> Event Source: NTDS SDPROP
> Event Category: Internal Processing
> Event ID: 1966
> Date: MM/DD/YYYY
> Time: HH:MM:SS AM|PM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: <computername>
> Description: The security descriptor propagator has completed a full
> propagation pass.
> Allocated space (MB): XX
> Free space (MB): XX
>
> This may have increased free space in the Active Directory database.
> User Action: Consider defragmenting the database offline to reclaim the
> free space that may be available in the Active Directory database. For more
> information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> This event message indicates that the single instance store operation has
> completed and serves as a cue for the administrator to perform an offline
> defragmentation of the Ntds.dit using NTDSUTIL.EXE.
>
> The offline defragmentation can reduce the size of a Windows 2000 Ntds.dit
> file by up to 40%, improves Active Directory performance, and updates the
> pages in the database for more efficient storage of Link Valued attributes.
>
>
> 10. Investigate the DLT Server Service. Windows Server 2003 domain
> controllers disable the DLT Server service on fresh and upgrade installs.
> If Windows 2000 or Windows XP clients in your organization use the DLT
> Server service, use Group Policy to enable the DLT Server service on new or
> upgraded Windows Server 2003 domain controllers. Otherwise, incrementally
> delete distributed link tracking objects from Active Directory.
>
> 11. Configure the best practice organizational unit structure. Microsoft
> recommends that administrators actively deploy the best practice
> organizational unit structure in all the Active Directory domains, and
> after they upgrade or deploy Windows Server 2003 domain controllers in
> Windows Domain mode, redirect the default containers that earlier-version
> APIs use to create users, computers and groups to an organizational unit
> container that the administrator specifies.
>
> 12. Repeat steps 1 through 10 as required for each new or upgraded Windows
> Server 2003 domain controller in the forest and step 11 (Best Practice
> organizational unit structure) for each Active Directory domain.
>
> For more information, please refer to the following article.
>
> 325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003
> http://support.microsoft.com/?id=325379
>
> Hope this helps!
>
> Sincerely,
> Jack Wang, MCSE 2000/2003, MCSA 2000/2003, MCDBA, MCSD
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> | Thread-Topic: Upgrading W2K DC to W2003
> | From: =?Utf-8?B?Um9zaGFu?= <Roshan@discussions.microsoft.com>
> | Subject: Upgrading W2K DC to W2003
> | Date: Sun, 7 Nov 2004 11:54:09 -0800
> |
> | Good Day to All,
> |
> | I have 5 DCs (W2K) in three sites under one domain. I am planning to
> | upgrade them to W2003. Kindly advise:
> | 1. Do I need to run adprep on the main server (Operations Master) in
> | one site, or do I need to do it on all my DCs?
> | 2. Do all the other DCs need to be upgraded to Windows 2003 immediately,
> | or can I do it at a later stage?
> | 3. After running adprep on the main server, how long can I wait before
> | starting the upgrade process? If I wait, does it affect any process or
> | updation or anything...
> |
> | Best Regards,
> | Roshan
> |
>
>
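
The replication checks in the quoted procedure (schema version 30, and the Revision attribute of the CN=Windows2003Update objects matching on every domain controller) can be compared across DCs in one pass. The script below is an added example, not part of the original posts or of Microsoft's article; it uses ADSI rather than the tools named in the thread, and the host names are hypothetical. It assumes PowerShell 3.0 or later, that all listed DCs are in the same domain, and that the first one is the operations master used as the reference.

```powershell
# Added example: compare adprep markers across domain controllers.
# The host names below are hypothetical placeholders; list the reference DC first.
param(
    [string[]]$DomainControllers = @('dc1.example.test', 'dc2.example.test'),
    [int]$ExpectedSchemaVersion = 30   # schema version the thread gives after /forestprep
)

Add-Type -AssemblyName System.DirectoryServices

function Get-LdapValue {
    param([string]$Server, [string]$DistinguishedName, [string]$Attribute)
    $path = "LDAP://$Server/$DistinguishedName"
    # Exists() is $false when the object has not replicated to this DC yet.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return $null }
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
    try { return $entry.Properties[$Attribute].Value } finally { $entry.Dispose() }
}

$results = @(foreach ($dc in $DomainControllers) {
    $row = [ordered]@{
        DC = $dc; SchemaVersion = $null; ForestRevision = $null
        DomainRevision = $null; Error = $null
    }
    try {
        # RootDSE gives the naming contexts, so no DN has to be hard-coded.
        $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/RootDSE")
        $schemaNC = [string]$rootDse.Properties['schemaNamingContext'].Value
        $configNC = [string]$rootDse.Properties['configurationNamingContext'].Value
        $domainNC = [string]$rootDse.Properties['defaultNamingContext'].Value

        $row.SchemaVersion  = Get-LdapValue $dc $schemaNC 'objectVersion'
        $row.ForestRevision = Get-LdapValue $dc `
            "CN=Windows2003Update,CN=ForestUpdates,$configNC" 'revision'
        $row.DomainRevision = Get-LdapValue $dc `
            "CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNC" 'revision'
    } catch {
        # Unreachable DC or access denied: record it instead of aborting the run.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
})

$reference = $results[0]
$results | ForEach-Object {
    # A DC is in sync only if every marker exists, the schema is at the expected
    # version, and both Revision values match the reference DC.
    $inSync = (-not $_.Error) -and
              ($null -ne $_.ForestRevision) -and
              ($null -ne $_.DomainRevision) -and
              ($_.SchemaVersion -ge $ExpectedSchemaVersion) -and
              ($_.ForestRevision -eq $reference.ForestRevision) -and
              ($_.DomainRevision -eq $reference.DomainRevision)
    $_ | Add-Member -NotePropertyName InSync -NotePropertyValue $inSync -PassThru
} | Format-Table DC, SchemaVersion, ForestRevision, DomainRevision, InSync, Error -AutoSize
```

A DC that shows InSync as False with empty revision columns has not yet received the adprep changes; upgrading or promoting it at that point is what the procedure says to avoid.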