Detailed Steps to upgrade Windows 2000 AD to Windows 2003 AD

Dear Expert,

We are still using windows 2000 Active Directory within our company (only one location).
There are two separate w2k Domain controllers in one forest and two separate exchange 2003 enterprise servers (installed on windows 2003 standard servers)

We would like to only upgrade to windows 2003 Active Directory without touching Exchange 2003 servers.

Can you give us some guidelines and detailed steps on how to perform this upgrade?
We do not want to touch the exchange 2003 environment.

Do we need to do any migration like ADMT for our existing objects such as desktops and other resource servers,
or is it transparent in one shot?

I would like to just upgrade to Windows 2003 AD and have the least changes in our existing environment without touching our existing Exchange 2003 servers, desktops or other resource servers.

Thanks a lot,

Charlie
Author

Commented:
Hi expert,
Please review my steps below and let me know if I miss any steps:

Upgrade Methodology: Installing a Windows 2003-based member server into existing Windows 2000 domain

1) Insert "windows 2003 CD" into existing "win2k Schema Master"; Run "adprep /forestprep" in the "I386 Directory"
2) Insert "windows 2003 CD" into existing "win2k Infrastructure Master"; Run "adprep /domainprep" in the "I386 Directory"
3) Add a new windows 2003-based member server "Win2003-Server" into existing win2k domain
4) Run "Dcpromo" on this new Win2003-Server to create the first Windows server 2003-based domain controller
5) Perform In-Place upgrade on the existing win2k "naming Master" and "PDC Emulator" domain controllers
6) Disable SMB packet and secure channel signing enforcement on Win2003-Server Domain controllers

I have the following questions:
a) After step (4), the new win2003 domain controller created:  Does that mean that we have 2 win2k old domain controllers that
    coexist with this newly created win2003 domain controller.  At this point, which domain controller is performing the user authentication.  For example, when users log into the domain, are they authenticated by win2k or win2003 domain?
b) If the step (4) fails to create win2003 domain controller for any reason, are we still keeping the existing win2k domain infrastructure?
c) I have done "Setup /forestprep" and "setup /domainprep" when I installed Exchange 2003 server years ago, do I still need to run "adprep /forestprep" and "adprep /domainprep"?
d) After step (6), Can our existing computers(windows xp, resource servers, exchange servers) and users automatically authenticate and communicate with win2003 domain?  Do we have to take any actions?

Thanks,

Charlie
Jian An Lim, Solutions Architect
BRONZE EXPERT
Top Expert 2016
Commented:
Just answering the questions:
A) Yup, you will have 1 Windows 2003 server and 2 Windows 2000 servers - forest level 2003 mixed.
In time, you should remove the Windows 2000 DCs and raise your forest level to 2003 native.

Users will authenticate accordingly. If you ping xxx.local (or the domain) - [this will be in round robin format], that server is responsible for the user doing authentication.

B) You can always keep your Windows 2000 DC, but it is recommended to remove it in the long run, as with a Windows 2000 DC it might prevent you from installing the latest technology like Exchange 2010 etc.

C) Exchange /forestprep and Windows /forestprep are different.
You need to redo it. In fact, if you want to upgrade to Windows 2003 R2, you need to use that CD to do the forestprep to ensure your DC has the latest schema, hence understand when you are doing your dcpromo.

D) After step 6, all DC 2000 gone, all users will continue to authenticate accordingly, and you don't need to do anything on any client.

One thing I want to raise is you probably want to move your FSMO roles to your new server for the time being.
You missed a step 2.5: "ADPREP /domainprep /gpprep" (run from the IM)

a) When you have promoted a 2003 DC you'll have 3 DCs. DCs post WinNT are multi-masters and the new DC will just be seen as an additional DC. If a user logs in he/she will be authenticated by one of the three.

b) Yes

c) Yes. The Exchange extensions you ran will just prepare your domain for Exchange. Adprep from the 2003 media will prepare your forest/domain for 2003 DCs.

d) No. Clients don't care if it is a 2000 or 2003 DC they are talking to.

And, it's a good practice to have the FSMOs on the DC with the newest OS. I don't fancy in-place upgrades, so if they are dedicated DCs, I would reinstall them (one at a time).

Commented:
Yes, you still need to do the ForestPrep & DomainPrep to update the AD Schema with the new 2003 AD properties.  When you did that before for Exchange it was adding Exchange attributes, not the new AD ones unless you did both.

It is unclear to me if you want to do upgrades or are adding a new server.  Once you DCPromo a new 2003 server the domain will be running in Mixed Mode, you will still have your existing DCs and the new DC.  Clients will authenticate with whichever DC is first available.  This is all the same domain, so there is no need for ADMT which is used to migrate resources to a new domain/forest.

If your plan is to just upgrade the existing servers to 2003 then you can do that after the ADPREP /ForestPrep and ADPREP /DomainPrep.  If you don't plan to upgrade the existing servers then you might want to consider transferring the FSMO roles to the new server and can then consider retiring the old DCs.  When you get rid of the Windows 2000 DCs (can still have member servers) you can elevate the Forest & Domain levels to 2003 Native Mode.
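
The sequence the thread converges on, written out as a phased batch file with the health and schema-version checks around each step. This is an added example, not posted by any participant; `MEDIA`, `DOMAIN_DN` and the file name `adupgrade.cmd` are assumed values, and it assumes the Windows Support Tools (netdom, repadmin, dcdiag) are installed on the DCs.

```bat
@echo off
REM Added example, not from the thread. MEDIA and DOMAIN_DN are assumed values.
REM Usage: adupgrade.cmd preflight, forest, domain, verify or fsmo
setlocal
set MEDIA=D:
set DOMAIN_DN=dc=example,dc=local
set NEWDC=Win2003-Server
if "%1"=="" goto usage
goto %1

:preflight
REM On any existing DC. Note the role holders and fix every replication
REM or dcdiag failure before touching the schema.
netdom query fsmo
repadmin /showreps
dcdiag
goto :eof

:forest
REM On the Schema Master (step 1). Schema changes cannot be rolled back,
REM so take a system state backup of this DC first.
%MEDIA%\I386\adprep /forestprep
goto :eof

:domain
REM On the Infrastructure Master (steps 2 and 2.5), after the forestprep
REM changes have replicated to it.
REM /gpprep is the thread's step 2.5; it is a separate switch on SP1 and later media.
%MEDIA%\I386\adprep /domainprep
%MEDIA%\I386\adprep /domainprep /gpprep
goto :eof

:verify
REM On the Windows Server 2003 member server, before dcpromo (step 4).
REM objectVersion 13 = Windows 2000 schema, 30 = Windows Server 2003, 31 = 2003 R2.
dsquery * "cn=schema,cn=configuration,%DOMAIN_DN%" -scope base -attr objectVersion
goto :eof

:fsmo
REM On a DC, after dcpromo succeeds: move all five roles to the new 2003 DC.
ntdsutil roles connections "connect to server %NEWDC%" quit "transfer schema master" "transfer domain naming master" "transfer PDC" "transfer RID master" "transfer infrastructure master" quit quit
netdom query fsmo
goto :eof

:usage
echo Usage: %0 preflight, forest, domain, verify or fsmo
```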