RE: Migrating from Win2k DC's to Win2k3 DC's; ADPrep question
- From: v-amanwa@xxxxxxxxxxxxxxxxxxxx (Amanda Wang [MSFT])
- Date: Mon, 23 May 2005 12:59:25 GMT
Hello,
I'm very glad to hear from you again.
Thanks for your introduction of your current environment and for letting me
know your concern more clearly.
You are right to install Exchange on member server instead of DC and it
will avoid many limitations.
Before running the adprep /forestprep and /domainprep commands from the
Windows Server 2003 CD, we need to confirm the following things in Q314649
article:
Scenario 2: Exchange 2000 Schema Changes Are Installed Before You Run the
Windows Server 2003 adprep /forestprep Command
If Exchange 2000 schema changes have already been installed, but you have
not run the adprep /forestprep command in Windows Server 2003, consider the
following action plan:
1. Log on to the console of the schema operations master by using an
account that is a member of the schema administrators
enterprise administrators groups.
2. Enable Schema Updates on the schema master. For additional information
about how to permit updates to the Active Directory schema, click the
following article number to view the article in the Microsoft Knowledge
Base:
285172 Schema Updates Require Write Access to Schema in Active Directory
3. Click Start, click Run, type notepad.exe, and then click OK.
4. Copy the following text that appears between [start copy here] and [end
copy here] (including the trailing "-" characters), and then paste this
text into Notepad.
[start copy here]
dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: msExchAssistantName
-
dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: msExchLabeledURI
-
dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: lDAPDisplayName
lDAPDisplayName: msExchHouseIdentifier
-
dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
[end copy here]
5. Save the contents of the Notepad file as
%systemdrive%\IOP\Inetorgpersonprevent.ldf (where %systemdrive% is the
logical drive that is hosting the Windows 2000 operating system and \IOP is
a folder that you create in the Save dialog box of Notepad). Quit Notepad.
6. Run the InetOrgPersonPrevent.ldf script:
a. Click Start, click Run, type cmd, and then click OK.
b. At a command prompt, type:
cd %systemdrive%\iop
and then press ENTER.
c. Type the following command:
ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "dn path for forest root domain"
where X is a case-sensitive constant and dn path for forest root domain is
the domain name path for the root domain of the forest, enclosed in
quotation marks ("dc=corp,dc=tailspintoys,dc=com"). (Include the quotation
marks.) Press ENTER.
7. Verify that the LDAPDisplaynames for the CN=ms-Exch-Assistant-Name, the
CN=ms-Exch-LabeledURI, and the CN=ms-Exch-House-Identifier attributes in
the schema naming context now appear as msExchAssistantName,
msExchLabeledURI, and msExchHouseIdentifier before you run the Windows
Server 2003 adprep /forestprep command.
8. Run the adprep /forestprep command and the /domainprep command.
Scenario 3: You Did Not Run InetOrgPersonfix Before You Ran the Windows
Server 2003 adprep /forestprep Command
If you run the Windows Server 2003 adprep /forestprep command in a Windows
2000 forest that contains the Exchange 2000 schema changes, the
LdapDisplayname attributes for houseIdentifier, Secretary, and labeledURI
become mangled. To identify mangled names, use Ldp.exe to locate the
affected attributes:
1. Install Ldp.exe from the Support\Tools folder of the Windows 2000 or the
Windows Server 2003 media.
2. Start Ldp.exe from a domain controller or a member computer in the
forest.
a. On the Connection menu, click Connect, leave the Server box empty, type
389 in the Port box, and then click OK.
b. On the Connection menu, click Bind, leave all the boxes empty, and then
click OK.
3. Record the distinguished name path for the SchemaNamingContext
attribute.
For example, for a domain controller in the CORP.ADATUM.COM forest, the
distinguished name path would be
CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com.
4. On the Browse menu, click Search.
5. Configure the following settings:
- Base DN: Type the distinguished name path for the schema naming context
that is identified in step 3.
- Filter: Type (ldapdisplayname=dup*).
- Scope: Click Subtree.
6. Mangled HouseIdentifier, Secretary, and LabeledURI attributes have
LDAPDisplayName attributes that are similar to the following format:
lDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d;
lDAPDisplayName: DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85f
lDAPDisplayName: DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef
If the LDAP Display names for LabeledURI, Secretary and HouseIdentifier
were mangled, run the Windows Server 2003 InetOrgPersonfix.ldf script to
recover:
a. Create a folder named %Systemdrive%\IOP, and then extract the
InetOrgPersonfix.ldf file to this folder.
b. At a command prompt, type cd %systemdrive%\iop, and then press ENTER.
c. Extract the InetOrgPersonfix.ldf file from the Support.cab file that is
located in the Support\Tools folder of the Windows Server 2003 installation
media.
d. From the console of the schema operations master, load the
InetOrgPersonfix.ldf file by using Ldifde.exe to correct the
LdapDisplayName attribute of the houseIdentifier, the Secretary, and the
labeledURI attributes. To do this, type the following command, where X is a
case-sensitive constant and dn path for forest root domain is the domain
name path for the root domain of the forest wrapped in quotation marks:
ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "dn path for forest root domain"
7. Verify that the houseIdentifier, the Secretary, and the labeledURI
attributes in the schema naming context are not mangled.
8. Use Winnt32.exe to upgrade the Windows 2000 domain controllers.
After verifying the above scenarios, don't hesitate to run adprep
/forestprep and /domainprep from the Windows Server 2003 CD.
After you have run these commands from the Windows Server 2003 CD, please
don't worry about the upgrade of this Win2k member server to Win 2k3 because
this schema has been extended before.
If you have any other questions or concerns related to this issue, please
feel free to let me know. I'm very glad to help you.
Thanks & Regards
Amanda Wang [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================================
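The step 7 verification in both scenarios of the reply above can be scripted once the schema naming context has been exported to LDIF text. The following is an added example, not part of the original post or of the KB article; the function names and the sample export are constructed for illustration, and it assumes plain (not base64-encoded) attribute values.

```python
import re

# lDAPDisplayName each Exchange 2000 schema object should carry before
# adprep /forestprep runs (values from the LDIF quoted in the post).
EXPECTED = {
    "ms-exch-assistant-name": "msExchAssistantName",
    "ms-exch-labeleduri": "msExchLabeledURI",
    "ms-exch-house-identifier": "msExchHouseIdentifier",
}
# Mangled form shown in the post: DUP-<original name>-<GUID>
MANGLED = re.compile(
    r"^DUP-(.+)-([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.IGNORECASE)

def parse_ldif(text):
    """Map lower-cased CN -> lDAPDisplayName for every record in an LDIF export."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    names = {}
    for record in re.split(r"(?:\r?\n){2,}", text.strip()):
        attrs = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs[key.strip().lower()] = value.strip()
        dn = attrs.get("dn", "")
        if dn.lower().startswith("cn=") and "ldapdisplayname" in attrs:
            names[dn.split(",", 1)[0][3:].lower()] = attrs["ldapdisplayname"]
    return names

def check_schema(ldif_text):
    """Return (mangled, not_renamed, ready) for an exported schema listing."""
    names = parse_ldif(ldif_text)
    mangled = sorted((cn, MANGLED.match(v).group(1))
                     for cn, v in names.items() if MANGLED.match(v))
    not_renamed = sorted((cn, names[cn]) for cn, want in EXPECTED.items()
                         if cn in names and names[cn] != want)
    return mangled, not_renamed, not mangled and not not_renamed

# Constructed sample (not real export output); the first dn is a folded line.
SAMPLE = """\
dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=corp,DC=adatum,
 DC=com
changetype: add
lDAPDisplayName: msExchAssistantName

dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com
changetype: add
lDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d

dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com
changetype: add
lDAPDisplayName: houseIdentifier
"""

if __name__ == "__main__":
    print(check_schema(SAMPLE))
```
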
--------------------
>From: "=?Utf-8?B?c2tldGNoeQ==?=" <sketchy@xxxxxxxxxxxxxxxxxxxxxxxxx>
>Subject: RE: Migrating from Win2k DC's to Win2k3 DC's; ADPrep question
>Date: Fri, 20 May 2005 08:10:08 -0700
>
>Thank you Amanda for the helpful article, and the thorough response.
>
>Once again, I hope to clarify the situation, as the answer you give leaves
>me with the impression that you think we have a different configuration than
>we actually do. We do not have any exchange 2000 servers whatsoever. We had
>at one time, but ran the upgrade as instructed, which I believe included
>working with adprep, which was the reason for my original question.
>
>Current environment:
>
>Win2k server (DC, WINS, DNS, etc.)
>Win2k server (DC, WINS, DNS, etc.)
>Win2k server (member server, SQL 2000)
>Win2k server (member server, Exchange 2003, not 2000)
>
>The two new Win2k3 machines will replace the first two machines listed, then
>those will be retired.
>
>The article addresses problems with mangled attributes for forests with
>Exchange 2000 servers. What I will have to investigate is if this is
>still in effect on a member server that was adprepped and upgraded to
>Exchange 2003 running on Win2k. If you have any insight on this, let me know.
>
>Yes, I agree with you that ideally, it would be wonderful to build
>everything in a pristine condition. Unfortunately I didn't have the choice
>at that time. This is actually why I'm choosing to go with a non-in-place
>upgrade for my domain controllers. Granted, the AD schema will be moved over
>to the new boxes, but hopefully, the fact that there will be two new DC's
>with clean builds will hopefully make my life a little easier.
>
>Regardless, do you suggest that I run the adprep /forestprep and /domainprep
>from the Windows Server 2003 CD? I'd hate to run it only to find out I used
>an old version.
>
>--
>Sketchy
>
>
>"Amanda Wang [MSFT]" wrote:
>
>> Hello,
>>
>> Thanks for your update and the information is helpful.
>>
>> I have read the Q321648 article carefully and verify you are right if it is
>> an in place upgrade.
>>
>> However, we strongly recommend you use not in place upgrade for security
>> purpose. When you try to upgrade Windows 2000 DC to Windows 2003 while
>> Exchange 2000 is installed. Under this circumstance, actually we suggest
>> you first upgrade Exchange and run Exchange 2003 setup /forestprep to
>> extend Windows 2000 AD and then we don't need to run Windows 2003 adprep
>> any more.
>>
>> Why we suggest to do so? The reason is that Windows Server 2003 adprep
>> /forestprep Command will Cause Mangled Attributes in Windows 2000 Forests
>> That Contain Exchange 2000 Servers. For the current situation, you have
>> upgraded Exchange 2k to 2k3 on Windows 2k server. Therefore, please read
>> the following article carefully and verify the scenarios in it:
>>
>> 314649 Windows Server 2003 adprep /forestprep Command Causes Mangled
>> Attributes
>> http://support.microsoft.com/?id=314649
>>
>> For further questions related to Exchange, please contact
>> Microsoft.public.exchange2000 newsgroup to get the most qualified support
>> on it.
>>
>> Meanwhile, you want to know if you have extended the schema for the Win2k3
>> AD in general.
>>
>> If there is no ADPREP.LOG file in the
>> %systemroot%\system32\debug\adprep\logs\<latest log> directory that means
>> you haven't run it before.
>>
>> HTH!
>>
>> Thanks & Regards
>>
>> Amanda Wang [MSFT]
>> --------------------
>> >From: "=?Utf-8?B?c2tldGNoeQ==?=" <sketchy@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> >Subject: RE: Migrating from Win2k DC's to Win2k3 DC's; ADPrep question
>> >Date: Thu, 19 May 2005 10:54:03 -0700
>> >
>> >Let me try to clarify my position.
>> >
>> >First, with regards to exchange (but getting off the subject of my original
>> >question). Running Exchange 2003 on a Windows 2000 server is the ONLY way
>> >to do an in-place upgrade of an exchange server. E2k will not run on a
>> >Windows 2003 server. More info on this subject can be found at:
>> >http://support.microsoft.com/?kbid=321648
>> >
>> >The ONLY reason I mentioned anything about my exchange box (a separate Win2k
>> >member server running E2k3 that is and has been running perfectly) is the
>> >process of running ADPREP. So in other words, let us forget about the
>> >element of the Exchange server. ...I simply wanted to know if what I ran
>> >already extended the schema for the Win2k3 AD in general. (I am still
>> >looking for the specific documentation that guided me on this).
>> >
>> >Based off of your response though, it sounds like I should plan on running
>> >the ADPREP commands anyway. ...I looked for the log file that you suggested
>> >on the domain controllers, and could not find them, so it's probably safest
>> >to go ahead and run it.
>> >
>> >Thank you for your assistance on this. Much appreciated.
>> >
>> >--
>> >Sketchy
>> >
>> >
>> >"Amanda Wang [MSFT]" wrote:
>> >
>> >> Hello,
>> >>
>> >> Thanks for your post.
>> >>
>> >> I understand you want to know how to check if you have run the ADPREP
>> >> command. If I have misunderstood, please feel free to let me know.
>> >>
>> >> Based on my experience, Exchange 2k3 cannot be installed on win2k server.
>> >> If it is an in-place upgrade, you need to upgrade win2k to win2k3 first and
>> >> then upgrade Exchange.
>> >>
>> >> If it is not an in-place upgrade, you need to install win2k3 member server
>> >> in a new machine, on old win2k server, run adprep/forestprep to extend
>> >> win2k schema to win2k3, then promote win2k3 member to be a DC.
>> >>
>> >> Run exchange forestprep, then install Exchange 2k3 on the new win2k3 server.
>> >>
>> >> Also, you mentioned that you may have run ADPREP command when you upgraded
>> >> Exchange 2000 server to Exchange 2003. When upgrading Exchange, the
>> >> commands you have run from Exchange 2003 media are only for Exchange and
>> >> only extend the Exchange schema. Therefore, when upgrading Win2k3, you
>> >> must run adprep command from \I386 folder of the Windows Server 2003 media
>> >> and this prepares for a Windows 2000 forest and its domains for the
>> >> addition of Windows Server 2003 domain controllers and extends the Win2k3
>> >> schema.
>> >>
>> >> The schema and infrastructure operations masters are used to introduce
>> >> forest and domain-wide schema changes to the forest and its domains that
>> >> are made by the Windows Server 2003 adprep utility.
>> >>
>> >> Please refer to the following KB article and pay more attention to the
>> >> content related to adprep in this article:
>> >>
>> >> How to upgrade Windows 2000 domain controllers to Windows Server 2003
>> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;325379
>> >>
>> >> Also, if you want to check if the adprep command has been run before, you
>> >> can check ADprep.log file in the
>> >> C:\WINNT\system32\debug\adprep\logs\20040617142836 directory for more
>> >> information.
>> >>
>> >> HTH!
>> >>
>> >> Thanks & Regards
>> >>
>> >> Amanda Wang [MSFT]
>> >> --------------------
>> >> >From: "=?Utf-8?B?c2tldGNoeQ==?=" <sketchy@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> >> >Subject: Migrating from Win2k DC's to Win2k3 DC's; ADPrep question
>> >> >Date: Wed, 18 May 2005 09:51:11 -0700
>> >> >
>> >> >Hello everyone,
>> >> >
>> >> >I'm planning to move my domain controller responsibilities from two
>> >> >antiquated Win2k DC's to some new servers that will be running Win2k3, then
>> >> >retiring the two old boxes. I've been reading up as much as I can on this,
>> >> >but do have a question inre to the ADPREP commands that I need to run.
>> >> >
>> >> >The documentation states that one needs to run ADPREP /FORESTPREP then
>> >> >ADPREP /DOMAINPREP before proceeding further. It states that you should only
>> >> >run this once however, implying that bad things happen if you do this more
>> >> >than once. The problem is that I believe I ran these same commands when I
>> >> >upgraded my Exchange 2000 server to Exchange 2003 (It's still running Windows
>> >> >2000), but can't remember for sure. Is there a command or a switch to the
>> >> >ADPREP command that will allow me to check to see if my schema has already
>> >> >been updated?
>> >> >
>> >> >--
>> >> >Sketchy
>> >> >
>> >>
>> >>
>> >
>>
>>
>