Upgrade Active Directory from Windows 2000 to Windows 2003

Posted on 2008-11-18
Last Modified: 2012-08-14
Hi All,

I want to upgrade our active directory from Windows 2000 to Windows 2003. Now I've done a lot of research on the best and safest way to get this done, but I felt that a final post here certainly wasn't going to hurt. With that, here's a brief breakdown of the current scenario:

Current AD mode: NATIVE mode
Exchange 2003: MIXED mode

I have two Windows 2000 Domain Controllers, Server01 and Server01 and both are running SP4. Roles are configured as follows:

SRV001:   Domain Naming Master,  Schema Master,  Global Catalog
SRV001 is also running DHCP and DNS.
SRV002:   RID Master, PDC Emulator, Infrastructure Master
SRV002: Group policies are stored on this server.

In preparation of the upgrade, I have configured two new Windows 2003 servers, both are running Standard Edition with SP2. The servers are called HO1 and HO2.

I'd like to know the best route to upgrade AD and to get all roles transferred to the two new servers, effectively enabling me to switch off SRV001 and SRV002.

Also, please advise if Ive omitted any required information. Thanks!


Question by:MMeader
 
Accepted Solution by FOTC (LVL 8, earned 750 total points)
ID: 22985170
Overview: Upgrading Windows 2000 domain controllers to Windows Server 2003
The Windows Server 2003 adprep command that you run from the \I386 folder of the Windows Server 2003 media prepares a Windows 2000 forest and its domains for the addition of Windows Server 2003 domain controllers. The Windows Server 2003 adprep /forestprep command adds the following features:
• Improved default security descriptors for object classes
• New user and group attributes
• New Schema objects and attributes like inetOrgPerson
The adprep utility supports two command-line arguments:
adprep /forestprep: Runs forest upgrade operations.
adprep /domainprep: Runs domain upgrade operations.
The adprep /forestprep command is a one-time operation performed on the schema operation master (FSMO) of the forest. The forestprep operation must complete and replicate to the infrastructure master of each domain before you can run adprep /domainprep in that domain.

The adprep /domainprep command is a one-time operation that you run on the infrastructure operations master domain controller of each domain in the forest that will host new or upgraded Windows Server 2003 domain controllers. The adprep /domainprep command verifies that the changes from forestprep have replicated in the domain partition and then makes its own changes to the domain partition and group policies in the Sysvol share.

You cannot perform either of the following actions unless the /forestprep and the /domainprep operations have completed and replicated to all the domain controllers in that domain:
• Upgrade the Windows 2000 domain controllers to Windows Server 2003 domain controllers by using Winnt32.exe.
• Promote new Windows Server 2003 domain controllers into the domain by using Dcpromo.exe.

Note: You can upgrade the Windows 2000 member servers and computers to Windows Server 2003 member computers whenever you want.
The domain that hosts the schema operations master is the only domain where you must run both adprep /forestprep and adprep /domainprep. In all other domains, you only have to run adprep /domainprep.

The adprep /forestprep and the adprep /domainprep commands do not add attributes to the global catalog partial attribute set or cause a full synchronization of the global catalog. The RTM version of adprep /domainprep does cause a full sync of the \Policies folder in the Sysvol tree. Even if you run forestprep and domainprep several times, completed operations are performed only one time.

After the changes from adprep /forestprep and adprep /domainprep completely replicate, you can upgrade the Windows 2000 domain controllers to Windows Server 2003 by running Winnt32.exe from the \I386 folder of the Windows Server 2003 media. Also, you can add new Windows Server 2003 domain controllers to the domain by using Dcpromo.exe.
Upgrading the forest with the adprep /forestprep command
To prepare a Windows 2000 forest and domains to accept Windows Server 2003 domain controllers, follow these steps first in a lab environment, then in a production environment:
1. Make sure that you have completed all the operations in the "Forest Inventory" phase with special attention to the following items:
   a. You have created system state backups.
   b. All the Windows 2000 domain controllers in the forest have installed all the appropriate hotfixes and service packs.
   c. End-to-end replication of Active Directory is occurring throughout the forest.
   d. FRS replicates the file system policy correctly throughout each domain.
2. Log on to the console of the schema operations master with an account that is a member of the Schema Admins security group.
3. Verify that the schema FSMO has performed inbound replication of the schema partition by typing the following at a Windows NT command prompt:
   repadmin /showreps
   (repadmin is installed from the Support\Tools folder of Active Directory.)
4. Early Microsoft documentation recommends that you isolate the schema operations master on a private network before you run adprep /forestprep. Real-world experience suggests that this step is not necessary and may cause a schema operations master to reject schema changes when it is restarted on a private network. If you want to isolate schema additions that were made by adprep, Microsoft recommends that you temporarily disable outbound replication of Active Directory with the repadmin command-line utility. To do this, follow these steps:
   a. Click Start, click Run, type cmd, and then click OK.
   b. Type the following, and then press ENTER:
   repadmin /options +DISABLE_OUTBOUND_REPL
5. Run adprep on the schema operations master. To do so, click Start, click Run, type cmd, and then click OK. On the schema operations master, type the following command:
   X:\I386\adprep /forestprep
   where X:\I386\ is the path of the Windows Server 2003 installation media. This command runs the forest-wide schema upgrade.

Note Events with event ID 1153 that are logged in the Directory Service event log, such as the sample that follows, can be ignored:

Event Type : Error
Event Source : NTDS General
Event Category: Internal Processing
Event ID : 1153
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User : Everyone
Computer : <some DC>
Description: Class identifier 655562 (class name msWMI-MergeablePolicyTemplate) has an invalid superclass 655560. Inheritance ignored.
6. Verify that the adprep /forestprep command successfully ran on the schema operations master. To do so, from the console of the schema operations master, verify the following items:
   • The adprep /forestprep command completed without error.
   • The CN=Windows2003Update object is written under CN=ForestUpdates,CN=Configuration,DC=forest_root_domain. Record the value of the Revision attribute.
   • (Optional) The schema version incremented to version 30. To do so, see the ObjectVersion attribute under CN=Schema,CN=Configuration,DC=forest_root_domain.
   If adprep /forestprep does not run, verify the following items:
   • The fully qualified path for Adprep.exe located in the \I386 folder of the installation media was specified when adprep ran. To do so, type the following command:
   x:\i386\adprep /forestprep
   where x is the drive that hosts the installation media.
   • The logged on user who runs adprep has membership in the Schema Admins security group. To verify this, use the whoami /all command.
   • If adprep still does not work, view the Adprep.log file in the %systemroot%\System32\Debug\Adprep\Logs\Latest_log folder.
7. If you disabled outbound replication on the schema operations master in step 4, enable replication so that the schema changes that were made by adprep /forestprep can propagate. To do this, follow these steps:
   a. Click Start, click Run, type cmd, and then click OK.
   b. Type the following, and then press ENTER:
   repadmin /options -DISABLE_OUTBOUND_REPL
8. Verify that the adprep /forestprep changes have replicated on all the domain controllers in the forest. It is useful to monitor the following attributes:
   a. Incrementing the schema version.
   b. The CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=forest_root_domain or CN=Operations,CN=DomainUpdates,CN=System,DC=forest_root_domain object and the operations GUIDs under it have replicated in.
   c. Search for new schema classes, objects, attributes, or other changes that adprep /forestprep adds, such as inetOrgPerson. View the SchXX.ldf files (where XX is a number between 14 and 30) in the %systemroot%\System32 folder to determine what objects and attributes there should be. For example, inetOrgPerson is defined in Sch18.ldf.
9. Look for mangled LDAPDisplayNames.

   If Exchange 2000 was installed before you ran the Windows Server 2003 adprep /forestprep command, see the following article in the Microsoft Knowledge Base:
   314649 (http://support.microsoft.com/kb/314649/) Windows Server 2003 adprep /forestprep command causes mangled attributes in Windows 2000 forests that contain Exchange 2000 servers
   If you find mangled names, go to Scenario 3 of the same article.
10. Log on to the console of the schema operations master with an account that is a member of the Schema Admins security group of the forest that hosts the schema operations master.
Upgrading the domain with the adprep /domainprep command
Run adprep /domainprep after the /forestprep changes fully replicate to the infrastructure master domain controller in each domain that will host Windows Server 2003 domain controllers. To do so, follow these steps:
1. Identify the infrastructure master domain controller in the domain you are upgrading, and then log on with an account that is a member of the Domain Admins security group in the domain you are upgrading.

   Note: The enterprise administrator may not be a member of the Domain Admins security group in child domains of the forest.
2. Run adprep /domainprep on the Infrastructure master. To do so, click Start, click Run, type cmd, and then on the Infrastructure master type the following command:
   X:\I386\adprep /domainprep
   where X:\I386\ is the path of the Windows Server 2003 installation media. This command runs domain-wide changes in the target domain.

   Note: The adprep /domainprep command modifies file permissions in the Sysvol share. These modifications cause a full synchronization of files in that directory tree.
3. Verify that domainprep completed successfully. To do so, verify the following items:
   • The adprep /domainprep command completed without error.
   • The CN=Windows2003Update,CN=DomainUpdates,CN=System,<DN path of the domain you are upgrading> object exists.
   If adprep /domainprep does not run, verify the following items:
   • The logged on user who runs adprep has membership in the Domain Admins security group in the domain you are upgrading. To do so, use the whoami /all command.
   • The fully qualified path for Adprep.exe located in the \I386 directory of the installation media was specified when you ran adprep. To do so, at a command prompt type the following command:
   x:\i386\adprep /forestprep
   where x is the drive that hosts the installation media.
   • If adprep still does not work, view the Adprep.log file in the %systemroot%\System32\Debug\Adprep\Logs\Latest_log folder.
4. Verify that the adprep /domainprep changes have replicated. To do so, for the remaining domain controllers in the domain, verify the following items:
   • The CN=Windows2003Update,CN=DomainUpdates,CN=System,<DN path of the domain you are upgrading> object exists and the value of the Revision attribute matches the value of the same attribute on the infrastructure master of the domain.
   • (Optional) Look for objects, attributes or access control list (ACL) changes that adprep /domainprep added.
Repeat steps 1-4 on the infrastructure master of the remaining domains in bulk or as you add or upgrade DCs in those domains to Windows Server 2003. Now you can promote new Windows Server 2003 computers into the forest by using DCPROMO. Or, you can upgrade existing Windows 2000 domain controllers to Windows Server 2003 by using WINNT32.EXE.


http://support.microsoft.com/kb/325379

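A way to do the replication checks the KB steps describe (step 8 of the forestprep section and step 4 of the domainprep section) without clicking through ADSI Edit on each DC: the script below is an added example, not code from the KB article or from the poster. It reads the schema ObjectVersion and the Revision of both Windows2003Update objects from every listed DC over ADSI and says whether they agree. It assumes PowerShell 2.0 or later on the admin workstation, LDAP access to the DCs, the DC names from the question, and a placeholder forest root DN (DC=example,DC=local) that you must replace.

```powershell
# Added example (not from KB 325379 or the poster): compare the adprep markers
# on every DC so the upgrade only proceeds once they match everywhere.
# Assumptions: PowerShell 2.0+, LDAP reachable, placeholder root DN below.
$rootDn = 'DC=example,DC=local'          # placeholder: your forest root DN
$dcs    = @('SRV001', 'SRV002')          # DC names from the question

function Get-AdprepMarker {
    param([string]$Dc, [string]$RootDn)
    # One object per DC holding the three values the KB tells you to check.
    $paths = @{
        SchemaVersion  = "CN=Schema,CN=Configuration,$RootDn|objectVersion"
        ForestRevision = "CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,$RootDn|revision"
        DomainRevision = "CN=Windows2003Update,CN=DomainUpdates,CN=System,$RootDn|revision"
    }
    $result = New-Object PSObject -Property @{ DC = $Dc }
    foreach ($name in $paths.Keys) {
        $dn, $attr = $paths[$name].Split('|')
        try {
            $entry = [ADSI]"LDAP://$Dc/$dn"
            $value = $entry.psbase.Properties[$attr].Value  # throws if the object is not on this DC yet
        } catch {
            $value = $null                                   # missing: adprep change has not replicated
        }
        $result | Add-Member NoteProperty $name $value
    }
    $result
}

function Test-AdprepReplicated {
    param([object[]]$Markers)
    # True only when every DC reports schema version 30 (the value the KB expects
    # after forestprep) and identical forest and domain Revision values.
    $reference = $Markers[0]
    foreach ($m in $Markers) {
        if ($m.SchemaVersion -ne 30) { return $false }
        if ($null -eq $m.ForestRevision -or $m.ForestRevision -ne $reference.ForestRevision) { return $false }
        if ($null -eq $m.DomainRevision -or $m.DomainRevision -ne $reference.DomainRevision) { return $false }
    }
    return $true
}

$markers = foreach ($dc in $dcs) { Get-AdprepMarker -Dc $dc -RootDn $rootDn }
$markers | Format-Table DC, SchemaVersion, ForestRevision, DomainRevision -AutoSize
if (Test-AdprepReplicated $markers) { 'adprep changes have replicated to all listed DCs' }
else { 'adprep changes have NOT replicated everywhere; do not upgrade or promote yet' }
```

Run it as a Schema Admin / Domain Admin after each adprep pass; a row with blank Revision values is a DC that still has to receive the change.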
 
Expert Comment by SweetJ21 (LVL 3)
ID: 22985365
I'm not familiar with Exchange server or how the domain functional level would affect its performance, but as far as AD goes:
If you already have the two new Server 2003 machines installed and running, all you should need to do is promote them to domain controllers on the domain. After they're on the domain and you've verified that they're working properly, transfer the fsmo roles and Global Catalog to the Win2003 machines.
http://support.microsoft.com/kb/324801

After all of the roles have been removed from the Win2000 machines, you should be safe to turn them off and let the Win2003 machines do the work.

Once you've done some testing and verified that the new environment is working properly without the old machines, you should be safe to upgrade the domain/forest functional levels.
Make sure you have backups prior to the upgrade, just to be cautious.
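Before switching off SRV001 and SRV002 as the comment above suggests, it is worth confirming from the directory itself that no FSMO role and no global catalog is still hosted there. The script below is an added example, not code from the poster or from KB 324801: it reads the fSMORoleOwner attribute of the five role-holding objects and finds the NTDS Settings objects flagged as global catalogs, then lists anything still on the old DCs. It assumes PowerShell 2.0 or later, a single-domain forest as in the question (so the forest root and domain DN are the same), and a placeholder root DN that you must replace.

```powershell
# Added example (not from the poster or KB 324801): list the FSMO holders and
# GC servers, then report what is still on the Windows 2000 DCs.
# Assumptions: PowerShell 2.0+, single-domain forest, placeholder root DN below.
$rootDn = 'DC=example,DC=local'          # placeholder: your domain DN
$oldDcs = @('SRV001', 'SRV002')          # DCs to be switched off

function Get-FsmoHolders {
    param([string]$RootDn)
    # fSMORoleOwner is the DN of the owner's NTDS Settings object
    # (CN=NTDS Settings,CN=<server>,CN=Servers,...), so the server is the 2nd RDN.
    $roles = @{
        'Schema Master'         = "CN=Schema,CN=Configuration,$RootDn"
        'Domain Naming Master'  = "CN=Partitions,CN=Configuration,$RootDn"
        'PDC Emulator'          = $RootDn
        'RID Master'            = "CN=RID Manager`$,CN=System,$RootDn"
        'Infrastructure Master' = "CN=Infrastructure,$RootDn"
    }
    $holders = @{}
    foreach ($role in $roles.Keys) {
        $entry = [ADSI]"LDAP://$($roles[$role])"
        $owner = $entry.psbase.Properties['fSMORoleOwner'].Value
        $holders[$role] = ($owner -split ',')[1] -replace '^CN=', ''
    }
    $holders
}

function Get-GlobalCatalogs {
    param([string]$RootDn)
    # NTDS Settings objects with bit 0x1 set in 'options' are global catalogs.
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,CN=Configuration,$RootDn"
    $searcher.Filter = '(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))'
    foreach ($r in $searcher.FindAll()) { ($r.Path -split ',')[1] -replace '^CN=', '' }
}

function Get-RemainingRoles {
    param([hashtable]$Holders, [string[]]$Gcs, [string[]]$OldDcs)
    $left = @()
    foreach ($role in $Holders.Keys) {
        if ($OldDcs -contains $Holders[$role]) { $left += "$role on $($Holders[$role])" }
    }
    foreach ($gc in $Gcs) { if ($OldDcs -contains $gc) { $left += "Global Catalog on $gc" } }
    $left
}

$holders = Get-FsmoHolders $rootDn
$gcs     = @(Get-GlobalCatalogs $rootDn)
$holders.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$left = @(Get-RemainingRoles $holders $gcs $oldDcs)
if ($left.Count -eq 0) { 'Old DCs hold no FSMO role or GC; safe to demote them' }
else { "Still hosted on old DCs:`n" + ($left -join "`n") }
```

Keep in mind the check covers roles and GC only; DNS, DHCP and anything else running on SRV001 (as listed in the question) still has to be moved separately.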
 

Author Comment by MMeader
ID: 22992332
Thanks for the replies. As I mentioned, I've done research on how to get this done and I've got all the standard MS documentation which indicates how the upgrade should work. I'd like to get some feedback from "real-life" scenarios. What should I do with the DNS and DHCP services that are currently running on the one server? Should I transfer them to the new servers before or after the AD upgrade? What about the group policies, do they get transferred as part of the AD upgrade?
 
Assisted Solution by SweetJ21 (LVL 3, earned 750 total points)
ID: 22998287
Any global catalog server should store copies of the group policies, so once you make one of the new servers a GC, you'll already have copies of the group policies stored on that machine.

Definitely move the services before the AD upgrade. If you're moving to Win2003 domain functional mode, your old domain controllers won't work when you do the upgrade. It might actually block you from performing the upgrade until you have removed the old servers from the domain. Move everything over and bring them offline before you do any functional level changes.

Give a little leeway time between taking them offline and upgrading the functional level though, so you still have the old servers available should anything go wrong.

Plan for the best, but prepare for the worst!
 

Author Closing Comment by MMeader
ID: 31517855
OK thanks. Well I'm going to attempt the transfer of DNS and DHCP this weekend, and then I'll approach AD from there. If I run into any issues I'll post a new follow-up question. Thanks again guys for taking the time to respond.