Upgrading from Windows 2000

The easiest upgrade process for moving to Windows Server 2003 is upgrading from Windows 2000 Server, because it doesn't require planning the Domain Name System (DNS) and Active Directory namespace, nor does it normally involve restructuring domains or migration of security principals.

You must perform a couple of steps to prepare the Active Directory forest and domains for the new schema and changes and additions supplied by Windows Server 2003. Each Active Directory forest that you maintain must be updated first, prior to upgrading any of its domains. Likewise, each domain within a forest must be prepared prior to upgrading any of the domain controllers in the domain.

The Windows Setup program (Winnt32.exe) has a new /Checkupgradeonly parameter that enables it to assess the state of a server prior to installation. The Active Directory Preparation Wizard (Adprep.exe), which is used to prepare a Windows 2000 forest and domain for upgrade to Windows Server 2003, is included on the product CD.

Before you begin the upgrade process, all existing data (including all Active Directory information) should be backed up to reliable media and kept available for restoration in case of failure during the upgrade process. Further, the media should be tested to verify that you can restore from it.

Prior to rolling out Windows Server 2003 in your production environment, the upgrade process should be evaluated on a private network constructed for the purposes of testing. Use a domain controller for the domain in which you'll be starting the upgrade (a domain that is not the forest root).

Tip

Microsoft recommends that you install Windows Server 2003 as a member server within the forest root domain and let it run for a week or more prior to upgrading the forest and domains.

Assess every domain controller in your forest and make sure that it has the required service packs and hot fixes installed prior to beginning the upgrade. For the basic installation and upgrade of Windows Server 2003, all Windows 2000 domain controllers need Service Pack 1 with several Quick Fix Engineering (QFE) fixes, or you can simply install Service Pack 2, which incorporates those fixes. If you must run Windows Server 2003 tools on the Windows 2000 domain controllers, however, Service Pack 3 or later must be installed on those devices.

Thus, to simplify upgrade operations, unless you have a specific issue that precludes upgrading to Service Pack 3, it is recommended that you apply it (or a later service pack) to all domain controllers that run Windows 2000 in the forest.

Note

For more information about applying service packs to Windows 2000 domain controllers, refer to Knowledge Base articles 331161 and 325465 at the Microsoft support site.

General Upgrade Preparation Tools

Upgrading member servers and domain controllers requires a bit of preparation and testing, both prior to installing the new operating system as well as after. A set of tools useful for testing the Active Directory and networking environments is located on the Windows Server 2003 product CD in the Support\Tools folder.

The tools include the following functionalities:

  • DNS configuration Dnscmd.exe allows you to view the configuration of DNS zones and resource records, which is useful in analyzing the DNS configuration of DNS servers and domain controllers.

  • Replication management To assess Active Directory replication, use the Repadmin utility to determine inbound and outbound replication partners. You can also use this tool to monitor replication status and replication consistency. Prior to upgrading a Windows 2000 domain, you must verify successful replication between at least two domain controllers in the domain (to ensure that you have rollback domain controllers in case the upgrade fails).

  • Network diagnostics To analyze connectivity issues and verify network operations, use the Netdiag utility, which allows you to run tests on the network clients and their connectivity to the rest of the network.

  • Domain controller diagnostics The Dcdiag utility lets you test connectivity to Active Directory and test whether the domain controller is providing the functionality required.

  • Domain trust diagnostics To assess the trust relationships within an Active Directory forest, you can use Nltest.exe to verify the trust status and supply a list of domain controllers. This tool can also be used to shut down domain controllers.

  • Directory view and modification To view or edit Active Directory contents, you can use the Adsiedit.msc tool, which lets you modify, delete, or add objects and attributes.

    Tip

    Adsiedit.msc can be used to identify objects created in Active Directory during /Forestprep and /Domainprep operations and to verify the successful completion of these operations.

  • Flexible Single Master Operation (FSMO) role determination You can use the Netdom.exe tool to determine which servers are performing each of the operations master roles and what their configuration is by using the following syntax:

    netdom query /domain:DomainName /userd:UserName /passwordd:* fsmo

Note

The /Passwordd option is set to asterisk (*) so that Netdom prompts you to enter a password. You can also enter the password after the option so that you aren't prompted.

Windows Server 2003 provides a method to assess whether a server can be upgraded. The WINNT32 /CHECKUPGRADEONLY command instructs Setup to determine whether noncompatible software or hardware is present in the server. The /Checkupgradeonly option starts by requesting updated setup files from the Windows Update Web site (http://windowsupdate.microsoft.com) and then runs the upgrade check, displaying the results (and saving them in the Upgrade.txt file in the %SystemRoot% folder).

Before installing the Windows Server 2003 operating system, all Windows 2000–based domain controllers in the forest must be running Windows 2000 Service Pack 1 with QFE 265089 or Windows 2000 Service Pack 2 or later. You can use the REPADMIN /SHOWATTR command to inventory the operating system and service pack revision level for all domain controllers in a particular domain. Follow these steps:

  1. Start a command prompt on a computer that has the Windows Server 2003 Support Tools installed.

  2. Type the following command:

    repadmin /showattr HostName ncobj:domain: "/filter:(&(objectcategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack

    where HostName is the host name of a domain controller in the domain you want to examine, such as:

    repadmin /showattr corpsvr02 ncobj:domain: "/filter:(&(objectcategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack

  3. The output of the command shows the distinguished name of each domain controller in the specified host's domain, followed by the operating system, operating system version, and operating system service pack, such as:

    DN: CN=CORPSVR02,OU=Domain Controllers,DC=cpandl,DC=com
        1> operatingSystem: Windows 2000 Server
        1> operatingSystemVersion: 5.0 (2195)
        1> operatingSystemServicePack: Service Pack 1
    DN: CN=CORPSVR01,OU=Domain Controllers,DC=cpandl,DC=com
        1> operatingSystem: Windows 2000 Server
        1> operatingSystemVersion: 5.0 (2195)
        1> operatingSystemServicePack: Service Pack 3

    Here, the first domain controller listed is running Windows 2000 Server with Service Pack 1. The second domain controller listed is running Windows 2000 Server with Service Pack 3. Keep in mind that the REPADMIN /SHOWATTR command doesn't show any hot fixes that might be installed.

  4. Note domain controllers that need to have the appropriate service pack applied before upgrading, then repeat Steps 2 to 4 for each domain in the forest.
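Step 4 is a manual comparison, and it has to be repeated for every domain. The following Python script is an added example (not part of the original text or of the Support Tools) that automates it: it parses the REPADMIN /SHOWATTR listing (fed here as a constructed sample modelled on the listing above, with a third domain controller added that has no service pack attribute at all) and reports each Windows 2000 domain controller against the two thresholds the text gives, Service Pack 2 for Adprep and Service Pack 3 for the Windows Server 2003 tools. A domain controller at Service Pack 1 is flagged for a manual QFE 265089 check, because the listing does not show hot fixes. The function and constant names are mine; in a real run, pipe repadmin's output into parse_showattr.

```python
import re
from typing import Dict, Tuple

# Constructed sample of "repadmin /showattr ... /atts:operatingSystem,..." output,
# modelled on the listing in the text. CORPSVR03 is added to show a domain
# controller with no operatingSystemServicePack attribute (no service pack).
# It was not captured from a real forest.
SAMPLE_SHOWATTR = """\
DN: CN=CORPSVR02,OU=Domain Controllers,DC=cpandl,DC=com
    1> operatingSystem: Windows 2000 Server
    1> operatingSystemVersion: 5.0 (2195)
    1> operatingSystemServicePack: Service Pack 1
DN: CN=CORPSVR01,OU=Domain Controllers,DC=cpandl,DC=com
    1> operatingSystem: Windows 2000 Server
    1> operatingSystemVersion: 5.0 (2195)
    1> operatingSystemServicePack: Service Pack 3
DN: CN=CORPSVR03,OU=Domain Controllers,DC=cpandl,DC=com
    1> operatingSystem: Windows 2000 Server
    1> operatingSystemVersion: 5.0 (2195)
"""

# Thresholds from the text: SP2 (or SP1 + QFE 265089) before Adprep, SP3 for the
# Windows Server 2003 administration tools.
MIN_SP_FOR_ADPREP = 2
MIN_SP_FOR_2003_TOOLS = 3

# Status values returned by assess_service_packs()
OK = "ok"
NEEDS_SP3_FOR_TOOLS = "ok for adprep; apply SP3 before using Windows Server 2003 tools"
VERIFY_QFE = "SP1: verify QFE 265089 is installed, or apply SP2 or later"
BLOCKS_ADPREP = "no service pack: apply SP2 or later before running adprep"

# Attribute lines look like "    1> operatingSystem: Windows 2000 Server"
ATTR_RE = re.compile(r"^\s*\d+>\s*(\w+):\s*(.*)$")


def parse_showattr(text: str) -> Dict[str, Dict[str, str]]:
    """Map each 'DN:' record in repadmin /showattr output to its attributes."""
    records: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("DN: "):
            current = line[4:].strip()
            records[current] = {}
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                records[current][m.group(1)] = m.group(2).strip()
    return records


def service_pack_level(attrs: Dict[str, str]) -> int:
    """Return N from 'Service Pack N'; 0 when the attribute is absent."""
    m = re.search(r"Service Pack\s+(\d+)", attrs.get("operatingSystemServicePack", ""))
    return int(m.group(1)) if m else 0


def assess_service_packs(records: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[int, str]]:
    """Return {DC name: (SP level, status)} for every Windows 2000 domain controller.

    Domain controllers already running Windows Server 2003 are skipped.
    """
    findings: Dict[str, Tuple[int, str]] = {}
    for dn, attrs in records.items():
        if not attrs.get("operatingSystem", "").startswith("Windows 2000"):
            continue
        name = dn.split(",", 1)[0][len("CN="):]   # "CN=CORPSVR02,OU=..." -> "CORPSVR02"
        sp = service_pack_level(attrs)
        if sp >= MIN_SP_FOR_2003_TOOLS:
            status = OK
        elif sp >= MIN_SP_FOR_ADPREP:
            status = NEEDS_SP3_FOR_TOOLS
        elif sp == 1:
            status = VERIFY_QFE   # hot fixes are not visible in /showattr output
        else:
            status = BLOCKS_ADPREP
        findings[name] = (sp, status)
    return findings


if __name__ == "__main__":
    for name, (sp, status) in assess_service_packs(parse_showattr(SAMPLE_SHOWATTR)).items():
        print(f"{name}: SP{sp} -> {status}")
```

Run it once per domain against a domain controller in that domain, as Step 4 requires; only a Service Pack 3 result is clean for both Adprep and the Windows Server 2003 tools.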

Active Directory Preparation Tool

Prior to upgrading a Windows 2000 domain controller, you must prepare the forest and domains for the Windows Server 2003 schema modifications. The Active Directory Preparation tool (Adprep.exe) is provided to update this Active Directory forest and domain structural information. You must first prepare the forest, followed by each of the domains.

Each of these processes must be run on a specific domain controller to work:

  • The /Forestprep process must be performed on the Schema Master.

  • The /Domainprep process must be performed on the Infrastructure Master for each domain.

Using an account that is a member of the Enterprise Admins and Schema Admins groups for the forest root domain, you can prepare the forest by running the following command on the Schema Master:

adprep /forestprep

Caution

Take your Schema Master offline (onto an isolated network) to perform this operation, so that a failed schema update cannot replicate to the rest of the forest. Microsoft's later guidance, discussed under "Preparing the Forest," is to leave it online; both approaches are covered there. If the schema update fails, you can log on to another domain controller in the forest root domain and seize the Schema Master role. Never reconnect a domain controller whose role has been seized; rebuild it instead.

Once the forest is prepared, prepare each of your domains by running the following command with an account that is a member of both the Domain Admins and Enterprise Admins groups:

adprep /domainprep

The domain preparation must be performed on each Active Directory domain prior to attempting to upgrade a domain controller. Also, prior to adding the first Windows Server 2003 system as a new domain controller in an existing (Windows 2000) domain, forest and domain preparation must be successfully completed.

The Active Directory Preparation Wizard creates a detailed log of the changes made during the preparation process, which is written to %SystemRoot%\System32\Debug\Adprep\Logs\DateTime\Adprep.log, where DateTime is a folder name composed of the year, month, date, and time of day in seconds when Adprep was run. This file shows each step of the process and the result code of the attempt to perform each operation.

Adprep also has a couple of optional parameters to control its operations during the preparation process. Following are the Adprep parameters:

  • The /Nofilecopy parameter prevents Adprep from copying any files from the source CD (or distribution folder) to the domain controller.

  • The /Nospwarning parameter prevents Adprep from displaying a service pack warning when installing on domain controllers that do not have Service Pack 2 installed.

During the forest preparation process, Adprep copies the .ldf files containing the schema change from the installation folder (the CD or distribution folder) to the %SystemRoot%\System32 folder on the domain controller. These schema change files are 17 consecutively numbered .ldf files named Sch14.ldf through Sch30.ldf.

Note

The number following the sch indicates the version of the schema—the Windows 2000 schema is Version 13. Because Windows Server 2003 uses Version 30 schema, the schema update files begin at 14 and go to 30.

Adprep also copies the Dcpromo.csv and 409.csv files from the installation folder to the %SystemRoot%\System32\Debug\Adprep\Data folder on the domain controller.

Updating the Active Directory Forest and Domains

Before you start the upgrade process, review your Information Technology (IT) planning information that identifies the Active Directory domain controllers and the upgrade path, including which domain controllers will host which global catalog, operations masters, and bridgehead server roles and the order in which the servers should be upgraded. Because DNS is an integral part of Active Directory, you should also review your DNS namespace and planning information at this point.

When you're ready to update the Windows 2000 Active Directory forest and domains, you begin by backing up the Schema Master (domain controller) for the forest and the Infrastructure Master for each domain that will be upgraded.

Using the Active Directory Preparation tool is a required next step prior to upgrading a Windows 2000 domain controller—Windows Setup will fail if it detects that the forest and/or the domain has not been updated for Windows Server 2003.

The Active Directory Preparation tool completes the following tasks:

  • Implements schema updates, integrating the Windows Server 2003 schema with existing schema.

  • Improves security on directory objects, enhances security descriptor defaults, and ends reliance on the Everyone group for access to services.

  • Creates new containers and directory objects. (You can view these objects to verify that the schema was updated correctly.)

Before you upgrade an Active Directory forest, verify that you have end-to-end replication of the domain information to all domain controllers in each domain and throughout the forest. At least one inbound and outbound replication partner for each directory partition must exist—the schema and configuration partitions are replicated throughout the forest, while the domain directory partition is replicated to all domain controllers in the domain. For the purposes of disaster recovery, it is critical that backups of the Schema Master and a domain controller in each domain be made prior to beginning the upgrade process.

Prior to starting the upgrade, verify that the system volume (Sysvol) information (specifically the default domain policy and the Default Domain Controller Policy) is correctly replicated to all domain controllers in the domain.

  • A tool called the FRS Health Check (Health_chk.cmd)—part of the Support Tools installed from the Support\Tools folder on the Windows Server 2003 distribution CD—can be used to determine the status of the system volume replication (and many other factors).

  • Alternatively, you can use Gpotool.exe (in the Windows Server 2003 Resource Kit) with the /Verbose parameter to assess whether policies are being consistently applied within the domain.

Caution

To avoid domain corruption, before you upgrade an Active Directory forest, all domain controllers within the forest require installation of either Service Pack 1 with QFE 265089 or Service Pack 2—see Microsoft Knowledge Base article 331161.

When running ADPREP /FORESTPREP, you will be prompted to verify that all domain controllers have the necessary service pack and QFE updates prior to ADPREP /FORESTPREP performing its operations. You can use REPADMIN /SHOWATTR to verify that service packs have been applied. Once you are certain that the correct service pack has been applied, you can press C to continue with the ADPREP /FORESTPREP process.

Preparing the Forest

There are a couple of different perspectives on how to upgrade a forest, and, interestingly enough, both of them are recommended by Microsoft.

Early Microsoft documentation (including the help files that ship with the software) encourage you to take the Schema Master offline—disconnect it from your enterprise network—prior to performing the forest and domain preparation operations on it. Later documentation in the form of Knowledge Base article 821076, "Windows Server 2003 Help Files Contain Incorrect Information About How to Update a Windows 2000 Domain" (located at http://support.microsoft.com/default.aspx?scid=kb;en-us;821076), states that this information is incorrect.

Although this article does not provide any further insight into why Microsoft changed its opinion about taking the Schema Master offline prior to updating the Active Directory schema information, it encourages a moment of reflection on the issue. What if the forest and domain preparation has problems—what if you encounter errors, such as corrupted directory objects or attributes? Would it replicate corrupt directory information to other domain controllers? Does it make more sense for you to take the risk of problems and the consequences of those problems in your production environment (your actual enterprise network) or to test it offline first?

By isolating the Schema Master during the upgrade, you can verify that the upgrade was completed successfully before you integrate it back into your production environment. That way, if the upgrade fails and the Schema Master is rendered unusable, you can restore from backup and retry the upgrade preparation. Once you've verified that the upgrade is successful, you can connect the Schema Master to the network so that it can replicate the changes to all domains. Then, after you've verified that the schema changes have been replicated, you can run the ADPREP /DOMAINPREP command.

To start the forest update process, you can take the Schema Master off your local network and set it up on an isolated network (or you can leave it online in your production environment as suggested by Microsoft Knowledge Base article 821076). Log on using an account that is a member of the Enterprise Admins group and the Schema Admins group. Then use the Active Directory Preparation tool (Adprep.exe) from the command line, with the /Forestprep parameter. The Adprep.exe program is located in the I386 directory of the Windows Server 2003 product CD.

From the command line, run ADPREP /FORESTPREP. A detailed step-by-step log file (Adprep.log) is created by Adprep during the forest update operations and is written to the %SystemRoot%\System32\Debug\Adprep\Logs\DateTime folder. If you encounter errors during the forest update process, review the log file for information to assist in troubleshooting the problems.

As part of the forest preparation process, Adprep creates a new ForestUpdates container under the Configuration container, with two child containers, Operations and Windows2003Update. These containers can be viewed using the Adsiedit tool:

CN=ForestUpdates
    CN=Operations
    CN=Windows2003Update

The presence of these containers (in particular Windows2003Update under ForestUpdates) provides verification that the ADPREP /FORESTPREP command successfully completed the update.

When Adprep has successfully completed the operation, it displays the following line at the end of the screen messages: Adprep Successfully Updated The Forest-Wide Information.

Once you are certain that the upgrade of the forest information has been completed successfully, you must let it propagate throughout the forest. The domains in Active Directory cannot be upgraded until the forest upgrade has completely replicated to all domain controllers in the forest.

To provide the forest updates to the remaining domain controllers in the forest, the Schema Master must be connected back to your actual production network. Once reconnected, you must allow time for the information from the updated Schema Master to be replicated to all of the domain controllers in the forest (including domain controllers that communicate across slow links).

Preparing the Domain(s)

The domain preparation process must be completed for each of the domains in your Active Directory forest.

The domain-updating process using Adprep is performed on the Infrastructure Master. Like the Schema Master in the forest preparation process, the domain Infrastructure Master should be backed up, taken offline, and put on the private network, and then the updating process should be performed.

To perform the domain updating, you must log on to the Infrastructure Master domain controller with an account that is a member of both the Domain Admins and Enterprise Admins groups.

Using Adsiedit, verify that the forest update completed successfully prior to preparing the domains by checking under the Configuration container for the existence of the ForestUpdates container and for the Windows2003Update container under ForestUpdates.

Before beginning the domain upgrade process, make sure that all the inbound replication traffic has completed successfully. Use the following command line to verify the replication status:

repadmin /showreps
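Reading the repadmin /showreps listing by eye is error-prone on a domain controller with several partitions and partners, and the check needed here (and earlier, where every directory partition must have at least one working replication partner before the forest is prepared) is mechanical. The following Python script is an added example, not part of the original text or of the Support Tools: it parses /showreps output (a constructed sample modelled on the Windows Server 2003 Support Tools format, with made-up GUIDs and timestamps, and the schema partition shown failing so the check has something to find) and lists the partitions that have no successful inbound replication in their last attempt, together with the Win32 result code of each failed partner. The function names are mine.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of "repadmin /showreps" output for one domain controller,
# modelled on the Windows Server 2003 Support Tools format. GUIDs and times are
# made up; the schema partition is shown failing on purpose.
SAMPLE_SHOWREPS = r"""Default-First-Site-Name\CORPSVR01
DSA Options: IS_GC
objectGuid: 3b7f1c2e-5a6d-4e8f-9a0b-1c2d3e4f5a6b
DSA invocationID: 3b7f1c2e-5a6d-4e8f-9a0b-1c2d3e4f5a6b

==== INBOUND NEIGHBORS ======================================

DC=cpandl,DC=com
    Default-First-Site-Name\CORPSVR02 via RPC
        DSA object GUID: 7c8d9e0f-1a2b-4c3d-8e4f-5a6b7c8d9e0f
        Last attempt @ 2003-06-12 09:14:02 was successful.

CN=Configuration,DC=cpandl,DC=com
    Default-First-Site-Name\CORPSVR02 via RPC
        DSA object GUID: 7c8d9e0f-1a2b-4c3d-8e4f-5a6b7c8d9e0f
        Last attempt @ 2003-06-12 09:14:02 was successful.

CN=Schema,CN=Configuration,DC=cpandl,DC=com
    Default-First-Site-Name\CORPSVR02 via RPC
        DSA object GUID: 7c8d9e0f-1a2b-4c3d-8e4f-5a6b7c8d9e0f
        Last attempt @ 2003-06-12 09:14:03 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2003-06-11 21:02:11.
"""

SECTION_RE = re.compile(r"^==== (\w+) NEIGHBORS")
# Partner lines are indented exactly four spaces: "    Site\Server via RPC"
PARTNER_RE = re.compile(r"^ {4}(\S.*?) via (\w+)\s*$")
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ (\S+ \S+) (was successful|failed, result (\d+))")


def parse_showreps(text: str) -> Dict[str, Dict[str, List[dict]]]:
    """Return {section: {partition DN: [partner dicts]}} from repadmin /showreps output.

    Each partner dict holds: partner, transport, ok (True/False, or None if no
    attempt line was seen) and result (Win32 code of the last attempt, 0 on success).
    """
    report: Dict[str, Dict[str, List[dict]]] = defaultdict(lambda: defaultdict(list))
    section = partition = partner = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, partition, partner = m.group(1), None, None
            continue
        if section is None:
            continue                      # header block before the first ==== section
        if line and not line[0].isspace():
            partition, partner = line.strip(), None   # a partition DN starts in column 0
            continue
        m = PARTNER_RE.match(line)
        if m and partition is not None:
            partner = {"partner": m.group(1), "transport": m.group(2), "ok": None, "result": 0}
            report[section][partition].append(partner)
            continue
        m = ATTEMPT_RE.match(line)
        if m and partner is not None:
            partner["ok"] = m.group(2) == "was successful"
            partner["result"] = int(m.group(3)) if m.group(3) else 0
    return report


def partitions_lacking_success(report, section: str = "INBOUND") -> List[str]:
    """Partitions for which no partner's last replication attempt succeeded."""
    return sorted(dn for dn, partners in report.get(section, {}).items()
                  if not any(p["ok"] for p in partners))


def failed_partners(report, section: str = "INBOUND") -> List[Tuple[str, str, int]]:
    """(partition, partner, result code) for every partner whose last attempt failed."""
    return [(dn, p["partner"], p["result"])
            for dn, partners in report.get(section, {}).items()
            for p in partners if p["ok"] is False]


if __name__ == "__main__":
    rep = parse_showreps(SAMPLE_SHOWREPS)
    for dn in partitions_lacking_success(rep):
        print("no successful inbound replication:", dn)
    for dn, partner, code in failed_partners(rep):
        print(f"  {partner} -> {dn}: result {code}")
```

A non-empty result from partitions_lacking_success means the domain controller has not received the forest update for that partition, and /Domainprep should wait until the underlying error (here result 1722, RPC server unavailable) is fixed and a later attempt succeeds.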

Once the forest update and completion of the domain replication processes have been verified, use ADPREP with the /Domainprep parameter to initiate the domain update process, as follows:

adprep /domainprep

Unlike the /Forestprep operation, the /Domainprep operation does not display process information or copy files. It does, however, write log files (also named Adprep.log) into a new date- and time-stamped subfolder (%SystemRoot%\System32\Debug\Adprep\Logs\DateTime).

When ADPREP has completed the /Domainprep operation, it displays the following line: Adprep Successfully Updated The Domain-Wide Information.

As part of the domain update, a new DomainUpdates container is created in Active Directory under the System container, with two child containers, Operations and Windows2003Update. These containers can be viewed by using the Active Directory Users and Computers tool (with Advanced Features enabled on the View menu):

DomainUpdates
    Operations
    Windows2003Update

By finding these containers, you can verify that the /Domainprep operation successfully completed.

Once the domain update is finished, you must reattach the Infrastructure Master to your network and give it time to replicate changes to all domain controllers in the domain prior to upgrading the first domain controller to Windows Server 2003.

Upgrading the Windows 2000 Domain Controllers

The next step in the upgrade process is to use the Active Directory Installation Wizard (Dcpromo) to install Active Directory on a Windows Server 2003–based member server in the forest root domain. This creates the first Windows Server 2003 domain controller in the forest. So, if you haven't yet installed a Windows Server 2003 system in the forest root domain, you should do this now and then configure the system to be a domain controller. Afterward, you should continue the upgrade process by upgrading the operating system on the Windows 2000–based domain controller holding the Domain Naming Master role. If you choose not to upgrade the domain controller, transfer the Domain Naming Master role to a domain controller running Windows Server 2003. Afterward, upgrade the operating system on the Windows 2000–based domain controller holding the PDC Emulator role in each domain, or transfer the roles to Windows Server 2003–based domain controllers. You then upgrade all remaining Windows 2000–based domain controllers to Windows Server 2003.

When upgrading domain controllers, you also must evaluate the disk partition and available free disk space for upgrading the Active Directory database (Ntds.dit) and (Esent) log files—additional free space should include at least 10 percent of the existing size of the Active Directory database and 20 percent of the existing size of the log files (a minimum of 300 megabytes [MB]).

Prior to upgrading the domain controllers operating in your enterprise network, make, or verify that you have, functional (tested) backups of at least two domain controllers for each domain (preferably those domain controllers performing key operations master roles). Verify that you have multiple functional (tested) backups of the forest root domain controllers also.

You can perform the upgrade of the domain controller either interactively (using the product CD or distribution folder) or by an automated installation that uses an Unattend.txt file specified as a command-line argument to the WINNT32 command. For further information on either of these methods, see Chapter 4.

Tip

To use Windows Server 2003 administration tools with Windows 2000 domain controllers, you must install Service Pack 3 (or later) on your Windows 2000 domain controllers.

To perform an interactive upgrade process, complete the following steps:

  1. Insert the CD, and select Install.

  2. Setup checks compatibility, shows the compatibility screen, and then writes the Upgrade.txt file to %SystemRoot%.

  3. Setup copies installation files and then reboots.

  4. Setup presents the option to perform an upgrade or a new installation; you should select to perform an upgrade.

  5. Setup copies files, configures settings, finalizes installation, and then reboots.

Upgrading Windows 2000 Domains

Other than the schema changes made using the Active Directory Preparation tool, Windows 2000 domains remain logically and operationally the same after upgrading to Windows Server 2003.

Similarly, domain functional levels stay the same after upgrade:

  • If you are currently operating in Windows 2000 Mixed mode, upgrading leaves the domain functional level at Windows 2000 Mixed.

  • If you are currently operating in Windows 2000 Native mode, upgrading leaves the domain functional level at Windows 2000 Native.

Depending upon the range of Windows server operating systems you are supporting on your network, you might want to raise the domain and forest functional levels after upgrade. For example, if after upgrade all of your domain controllers run Windows Server 2003 and you don't need to support domain controllers running earlier versions of Windows, you can gain extra functionality by raising the domain and forest functional levels to Windows Server 2003.

Selecting Active Directory Functional Levels

When you have upgraded all of the domain controllers in your environment to Windows Server 2003 Active Directory, you can then raise the forest and domain functional levels to Windows Server 2003, which enables an entire set of new features.

You can change the domain and forest functional levels using the Active Directory Domains and Trusts administrative tool.

  • To modify the functional level of a forest, right-click the Active Directory Domains And Trusts node, and select Raise Forest Functional Level.

  • To modify the functional level of a domain, right-click the domain name, and select Raise Domain Functional Level.

Changing Operations Masters

You must be prepared to seize (that is, forcibly take) the operations master roles held by the domain controller being upgraded in the event that the upgrade is unsuccessful. In each of the tools below, Change performs a graceful transfer while the current role holder is still reachable; if the holder cannot be contacted, the tool offers to force the transfer, which is a seizure. In every case, first connect the tool to the domain controller that is to receive the role, so that it is shown as the proposed new holder.

  • To transfer or seize the Infrastructure Master, RID Master (which pertains to relative identifiers, or RIDs), and PDC Emulator roles, in Active Directory Users and Computers, right-click the domain, select Operations Master, then click the needed RID, PDC, or Infrastructure tab. Select Change to move the operations (RID, PDC, or Infrastructure) master role to the target server.

  • To transfer or seize the Domain Naming Master role, in Active Directory Domains and Trusts, right-click the Active Directory Domains And Trusts node, and select Operations Master. Select Change to move the Domain Naming Master role to another server.

  • To transfer or seize the Schema Master role, in the Active Directory Schema tool, right-click the Active Directory Schema node, and select Operations Master. Select Change to move the Schema Master role.

  • The global catalog is not an operations master role and is not seized. To designate another domain controller as a global catalog server, in Active Directory Sites and Services, navigate to Sites\Default-First-Site-Name\Servers\ServerName\NTDS Settings, right-click the NTDS Settings node, select Properties, and then select the Global Catalog check box.

You can also seize roles from the command line:

  1. Ensure that the current domain controller with the role you want to seize is permanently offline. If the server can be brought back online, don't perform this procedure unless you intend to completely reinstall this server.

  2. Log on to the console of the server you want to assign as the new operations master. You can log on to the console locally or by using Remote Desktop.

  3. Click Start, click Run, type cmd in the Open box, and then click OK.

  4. At the command prompt, type ntdsutil. This starts the Directory Services Management tool.

  5. At the Ntdsutil prompt, type roles. This puts the utility in Operations Master Maintenance mode.

  6. At the Fsmo Maintenance prompt, type connections, and then, at the Server Connections prompt, type connect to server followed by the fully qualified domain name of the domain controller that is to take over the role (the server you logged on to in Step 2), not the old, offline holder, such as:

    connect to server engdc01.technology.adatum.com
  7. Once a successful connection is established, type quit to exit the Server Connections prompt, and then, at the Fsmo Maintenance prompt, type seize and then the identifier for the role to seize. The identifiers are as follows:

    • pdc—For the PDC Emulator role

    • rid master—For the RID Master role

    • infrastructure master—For the Infrastructure Master role

    • schema master—For the Schema Master role

    • domain naming master—For the Domain Naming Master role

  8. Type quit at the Fsmo Maintenance prompt, and type quit at the Ntdsutil prompt.
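The interactive session in Steps 4 to 8 can also be replayed non-interactively, because Ntdsutil accepts its commands as quoted command-line arguments and executes them in order. The following Python function is an added example, not part of the original text: it builds that argument list for either a graceful transfer or a seizure of any of the five roles, using the identifiers listed in Step 7, and refuses to build a seizure unless the caller asserts that the old role holder is permanently offline (Step 1), since a seized-from domain controller that comes back online would hold a duplicate role and must be rebuilt. Actually executing the command only makes sense on a Windows Server 2003 domain controller; the function and parameter names are mine.

```python
import subprocess
from typing import List

# Role identifiers exactly as the Ntdsutil fsmo maintenance prompt expects them
# (Step 7 above), keyed by a short name used only in this example.
ROLE_IDS = {
    "pdc": "pdc",
    "rid": "rid master",
    "infrastructure": "infrastructure master",
    "schema": "schema master",
    "domain-naming": "domain naming master",
}


def ntdsutil_fsmo_args(role: str, new_holder_fqdn: str, seize: bool = False,
                       old_holder_permanently_offline: bool = False) -> List[str]:
    """Return the argv that replays Steps 4 to 8 for one operations master role.

    seize=False issues a graceful 'transfer', which needs the current holder to be
    reachable. seize=True issues 'seize' and requires the caller to confirm the old
    holder is gone for good (Step 1); Ntdsutil itself tries a transfer first and
    seizes only if that fails.
    """
    if role not in ROLE_IDS:
        raise ValueError(f"unknown role {role!r}; expected one of {sorted(ROLE_IDS)}")
    if seize and not old_holder_permanently_offline:
        raise RuntimeError("refusing to seize: confirm the old holder is permanently offline")
    action = "seize" if seize else "transfer"
    return [
        "ntdsutil",
        "roles",                                  # Step 5: fsmo maintenance
        "connections",                            # Step 6: server connections
        f"connect to server {new_holder_fqdn}",   #   bind to the DC that will take the role
        "quit",                                   #   back to fsmo maintenance
        f"{action} {ROLE_IDS[role]}",             # Step 7
        "quit",                                   # Step 8
        "quit",
    ]


def command_line(args: List[str]) -> str:
    """Render argv the way it would be typed at cmd.exe (arguments with spaces quoted)."""
    return " ".join(f'"{a}"' if " " in a else a for a in args)


def run_ntdsutil(args: List[str], dry_run: bool = True) -> int:
    """Execute the command (Windows only); with dry_run it only prints it. Returns the exit code."""
    if dry_run:
        print("would run:", command_line(args))
        return 0
    return subprocess.run(args, check=False).returncode


if __name__ == "__main__":
    argv = ntdsutil_fsmo_args("pdc", "engdc01.technology.adatum.com",
                              seize=True, old_holder_permanently_offline=True)
    run_ntdsutil(argv)   # dry run: prints the command line instead of seizing anything
```

Prefer the transfer form whenever the current holder is still reachable; the seizure form belongs only in the failed-upgrade case this section is preparing for.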

Upgrading Windows 2000 Users and Groups

During an upgrade of a server (or domain controller) running Windows 2000, the local (and domain) user information, including profiles, rights, permissions, and group memberships, is retained.

With minor changes (in universal groups), Windows 2000 groups are directly upgraded to the same groups in Windows Server 2003. One of the main changes (from Windows 2000) in the handling of universal groups is that the universal group information is cached on local domain controllers and no longer must contact a global catalog to authenticate a member.

Windows 2000 Member Server Upgrades

Upgrading Windows 2000 member servers to Windows Server 2003 is comparatively more straightforward than upgrading domain controllers. You still must assess the server hardware and verify its compatibility with Windows Server 2003, and you must determine whether it meets the baseline hardware requirements for the CPU (at least 128 megahertz [MHz]), 256 MB of RAM, and 2 GB or more of hard disk space.

At this point, you should review your IT planning information regarding servers that provide key network services, specifying servers to upgrade and identifying network operating system (NOS) version, services provided, and order of implementation. You must check the network services that are running on the member server and review for any specific considerations or configuration issues that must be taken into account prior to, or immediately following, the upgrade process. Your planning information should define the servers to upgrade, identify installed and updated NOS versions, and specify the roles and services the servers will provide postupgrade.

Upgrading DNS Services

Upgrading Windows 2000 DNS to Windows Server 2003 is mostly a transparent upgrade with some enhancements to DNS—namely, the capability to create application directory partitions to store DNS records that are used to replicate DNS information on a domainwide and forest-wide basis.

In Windows 2000 Active Directory–integrated zones, zone data is stored in the domain partition and is therefore replicated to every domain controller in the domain. To remain compatible with Windows 2000 domain controllers hosting integrated zones, when you choose a replication scope, opt to replicate the DNS records to all domain controllers in the domain. Once every domain controller in the domain runs Windows Server 2003, you can change the scope so that the zone is stored in the DomainDnsZones or ForestDnsZones application directory partition and replicates only to the domain controllers that are also DNS servers.
