Moving to Windows Server
2003 from Windows 2000
Dave Sayers, Senior Consultant
Windows Team, Microsoft Services Organisation
Agenda
 Benefits of Upgrading from Windows 2000
 Upgrading from Windows 2000
 Taking inventories
 Using ADPrep
 Post-installation tasks
 Functional Levels
 Tips and Tricks
Benefits of Upgrade
 Windows Server 2003 Active Directory is an
evolutionary step
 Improvements in the existing feature set
 Security fixes
 Secure by default
 New features
 Straightforward upgrade path
Benefits of Upgrade
 Cross Forest Kerberos trust
 Improved Replication
 Link Value Replication, No GC Full Synchronisation
 No 5000 member group Limit
 Domain Rename
 Application Partitions
 Branch Office Improvements
 KCC, GC Caching
 Rapid GC Demotion
Benefits of Upgrade
 Schema “Defunct”
 Lingering Object Removal
 LDAP Improvements
 Virtual List View Support
 Correct Auxiliary Class Support
 InetOrgPerson
 Lightweight LDAP authentication
 Dynamic Entries
 Single Instance Store
Benefits of Upgrade
 Resultant Set Of Policy (RSOP)
 Planning and Reporting Modes
 Many new policy settings
 Filtering via WMI query
 Dynamically evaluate query and apply GP on
result
 Group Policy Management Console
Important Active Directory Changes
Improved Security Settings
 Allow anonymous SID / name translation
policy
 Clients in NT 4.0 resource domains may
experience:
 “Account Unknown” in ACL editor
 Authentication failure by Microsoft and Outlook
clients
 Intermittent results as Secure Channels move
between 2000 / 2003 DCs
 Everyone group
Important Active Directory Changes
Improved Security Settings
 Pre-Windows 2000 compatible access
 If Everyone is in Pre-Windows 2000
Compatible Access group, then:
 Anonymous Logon and Authenticated Users are
added
 Enterprise Domain Controllers is added to
Windows Authorization Access group
 Everyone may have been removed by the
administrator
 Common on 2000 domains upgraded from NT 4.0
 “Enforce SMB signing” enabled
 Integrity of the client
Upgrade from Windows 2000
Overview
 Easy upgrade process
 No AD or OU namespace planning required
 No DNS namespace, deployment, or delegation
conflicts
 No user / workstation / profile migration
 Windows 2003 Server DCs
 Can play any role in Windows 2000 forest / domain
 Are fully compatible with Windows 2000 DCs
 How to introduce 2003 DCs?
 Add new DCs with DCPROMO
 Upgrade of existing 2000 DC (Winnt32.exe)
Upgrade Steps
 Check domain controllers’ SP level
 SP1 with QFE265089 required
 SP2 recommended
 Inventories
 Client/Domain Controller/Schema
 Prepare forest
 Adprep /forestprep
 Prepare domain(s)
 Adprep /domainprep
 Install Windows Server 2003 Member Server
 Run dcpromo
 Upgrade other domain controllers
Client Inventory
Update Windows 95 and Windows NT 4.0 Clients
 Security default on Server 2003 DCs
 By default, “Enforce SMB Signing” is enabled
 Temporarily relax settings on DCs or
update clients
 Windows 95
 Install DS client or new operating system
 Windows NT 4.0:
 SP3 or later required, SP6a recommended (DFS)
 All other Microsoft network clients
 No action required
 Latest SPs are always recommended
DC Inventory
ADPREP Operations and Mitigation
 ADPREP
 Adds new permissions, objects, and attributes
 Protect Schema update and index rebuild
 Schema Delete: fixed in SP2 or QFE
 Mandatory
 Inefficient replication of schema deltas:
SP3 or QFE
 Optional for small domains with fast links
 Index Replication Delay: SP3 or QFE
 Optional for large domains
 2000 DCs must have SP2 to source AD from
2003 DC*
 * If hosting application partitions
DC Inventory
QFE Strategy for 2000 DCs
 Guiding principles
 Do not let ADPREP drive forest-wide SP installation
 Single QFE resolves all ADPREP issues on SP1 → SP3 DCs
 Install performance fixes if you cannot tolerate outage
 Mixed version domains
 The faster you get to all 2003 DC forests, the less you need
2000 SP3
 Extended 2000 / 2003 interoperability
 Windows 2000 SP3 + SP3 regressions + NTFRS.EXE +
NTDSA.DLL QFE
 Inventory for DCs with 2003 REPADMIN /SHOWATTR
 See KB article 331161 for detailed explanation on QFEs
DC Inventory
DC, Domain, and Forest Health
 For each domain in the forest verify:
 FSMOs
 Accounted for and correctly located
 Schema + infrastructure used by ADPREP
 Event logs
 No significant replication, topology, or other events
 NETLOGON and SYSVOL
 Shares exist and contents synchronized by FRS
 DCs applying Policy - 1704 in application log, no 1202s
 DCs have free disk space
 AD database: Free space = 15-20% of NTDS.DIT size
 AD logs: Free space = 15-20% of *.log files
 DLT Service (optional)
 Stop service and delete object if not used - 312403
 System state backups
 Backup two DCs in each domain in the forest
DC Inventory
Replication Health
 Tombstone lifetime (TSL) and AD object deletion model
 Goal: Transitive replication of deltas between all DCs in the
forest hosting a particular NC
 Blockers: Connectivity, DNS configuration, authentication,
offline DCs, disjointed topologies, incorrect site or BridgeHead
selections, replication errors
 Do not decrease this value lightly, and do not increase above
default
 Demote DCs not replicating OB or IB deltas in TSL days
 DCPROMO /FORCEREMOVAL added to W2K in 332199 QFE
 Full metadata cleanup in DFS, DNS, FRS, AD, NTDSUTIL, etc.
 Exception: All or last DC in domain or alternate replication path
 Forest-wide replication check
 2003 REPADMIN on XP or 2003 member against 2000 or 2003
DCs
 REPADMIN /SHOWREPL * /CSV + Excel Autofilter for
drilldown
DC Inventory
REPADMIN /REPLSUM
DC Inventory
Plans for Non-Replicating DCs
 Connection fails for > 60 days
 DC3 not replicating IB / OB deltas from
DC1
 Alternate path exists?
 Fix error and keep moving
 No IB / OB replication > 60 days
 DC3 not replicating IB or OB deltas
 Replicas for DC3 NCs exists?
 Yes - forced demote DC3
 No - fix replication, then clean up
lingering objects later
 Disjoint topology
 All DCs report replication success
 No “bridge” between site links
 Clean up lingering objects later
[Diagram: Site Link ABC and Site Link DEF, each showing DC1, DC2 and DC3]
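As an added example (not from the slides), the forest-wide REPADMIN check and the "Plans for Non-Replicating DCs" decision above, applied in Python to a constructed REPADMIN /SHOWREPL * /CSV dump: a link is stale when it has had no successful sync inside the 60-day tombstone lifetime, and each DC is then sorted into "healthy", "fix the link (alternate path exists)" or "no IB/OB within TSL". The CSV column names, the hostnames and the error codes in the sample are assumptions, not output captured from a real forest.

```python
import csv
from datetime import datetime

# Default tombstone lifetime (days) in Windows 2000 / 2003 forests, as the slides state.
TOMBSTONE_LIFETIME_DAYS = 60

# Outcomes taken from the "Plans for Non-Replicating DCs" slide.
HEALTHY = "healthy: every link replicated within TSL"
FIX_LINK = "alternate path exists: fix the failing link and keep moving"
DEMOTE_OR_FIX = ("no IB/OB replication within TSL: force-demote if other replicas of its "
                 "NCs exist, otherwise fix replication; clean up lingering objects later")

# Constructed sample of "REPADMIN /SHOWREPL * /CSV" output (not captured from a real forest).
# The column names follow the tool's CSV header as I recall it; treat them as an assumption.
# A Last Success Time of "0" means the link has never replicated successfully.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC1,"DC=corp,DC=example",SiteA,DC2,RPC,0,0,2003-09-01 09:55:12,0
showrepl_INFO,SiteA,DC1,"DC=corp,DC=example",SiteB,DC3,RPC,0,0,2003-09-01 09:40:03,0
showrepl_INFO,SiteA,DC2,"DC=corp,DC=example",SiteA,DC1,RPC,0,0,2003-09-01 09:58:41,0
showrepl_INFO,SiteB,DC3,"DC=corp,DC=example",SiteA,DC1,RPC,412,2003-09-01 09:30:00,2003-06-12 08:15:27,1722
showrepl_INFO,SiteB,DC3,"DC=corp,DC=example",SiteA,DC2,RPC,0,0,2003-09-01 09:45:10,0
showrepl_INFO,SiteC,DC4,"DC=corp,DC=example",SiteA,DC1,RPC,1380,2003-09-01 09:31:00,2003-05-20 02:00:00,8614
showrepl_INFO,SiteC,DC4,"DC=corp,DC=example",SiteB,DC3,RPC,1380,2003-09-01 09:32:00,0,8614
"""

# Constructed "as of" time for the sample; against a live dump use datetime.now().
NOW = datetime(2003, 9, 1, 10, 0, 0)


def parse_showrepl(text):
    """Return the showrepl_INFO rows of a /CSV dump as dicts keyed by the header names."""
    columns, rows = None, []
    for rec in csv.reader(text.splitlines()):
        if not rec:
            continue
        if rec[0] == "showrepl_COLUMNS":
            columns = rec
        elif rec[0] == "showrepl_INFO" and columns:
            rows.append(dict(zip(columns, rec)))
    return rows


def link_age_days(row, now):
    """Days since the link last replicated successfully, or None if it never has."""
    value = row["Last Success Time"]
    if value in ("", "0"):
        return None
    return (now - datetime.strptime(value, "%Y-%m-%d %H:%M:%S")).days


def is_current(row, now, tsl_days):
    """True when the link has succeeded at least once inside the tombstone lifetime."""
    age = link_age_days(row, now)
    return age is not None and age <= tsl_days


def stale_links(rows, now, tsl_days=TOMBSTONE_LIFETIME_DAYS):
    """The drill-down the slide does with Excel Autofilter: links with no success inside TSL."""
    return [(r["Destination DSA"], r["Source DSA"], r["Naming Context"],
             link_age_days(r, now), r["Last Failure Status"])
            for r in rows if not is_current(r, now, tsl_days)]


def plan_for_dcs(rows, now, tsl_days=TOMBSTONE_LIFETIME_DAYS):
    """Classify each DC per the slide: healthy, fixable via an alternate path, or demote/fix."""
    dcs = {r["Destination DSA"] for r in rows} | {r["Source DSA"] for r in rows}
    plan = {}
    for dc in sorted(dcs):
        inbound = [r for r in rows if r["Destination DSA"] == dc]
        outbound = [r for r in rows if r["Source DSA"] == dc]
        ib_ok = [r for r in inbound if is_current(r, now, tsl_days)]
        ob_ok = [r for r in outbound if is_current(r, now, tsl_days)]
        stale = [r for r in inbound if not is_current(r, now, tsl_days)]
        # A stale link only matters if no other inbound link carries the same NC within TSL.
        uncovered = [r for r in stale
                     if not any(c["Naming Context"] == r["Naming Context"] for c in ib_ok)]
        if not ib_ok or not ob_ok or uncovered:
            plan[dc] = DEMOTE_OR_FIX
        elif stale:
            plan[dc] = FIX_LINK
        else:
            plan[dc] = HEALTHY
    return plan


def run_sample():
    """Apply the check to the constructed dump; returns (stale links, per-DC plan)."""
    rows = parse_showrepl(SAMPLE_CSV)
    return stale_links(rows, NOW), plan_for_dcs(rows, NOW)


if __name__ == "__main__":
    stale, plan = run_sample()
    for dest, src, nc, age, status in stale:
        print(f"{dest} <- {src} [{nc}]: last success {age} days ago, status {status}")
    for dc, action in plan.items():
        print(f"{dc}: {action}")
```

Against a live forest, redirect the output of REPADMIN /SHOWREPL * /CSV to a file and feed its contents to parse_showrepl in place of SAMPLE_CSV.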
Schema Inventory
Exchange 2000 and SFU
 E2K already installed before 2003 ADPREP?
 E2K ADPREP defines two non-RFC attributes
 LabeledURI + Secretary
 ADPREP /FORESTPREP defines same attributes
 Result: Mangled LDAPDISPLAYNAMES
 Fix: “Exchangefix.ldf” from SupportTools on 2003 CD
 Specify full path and wrap forest root DN in quotes
 E2K to be installed before 2003 DCs?
 Execute 2003 ADPREP or 2000 InetOrgPerson Kit first
 SFU 2
 SFU 2 defines UID incorrectly
 Adprep cannot extend unless QFE is applied
 KB articles: 325379 and 293783
ADPREP /FORESTPREP
Preparing the Forest
 Client, DC, and schema inventory complete; backups made
 E2K / SFU schema conflicts resolved
 ADPREP /FORESTPREP
 Adds new SDs, attributes, and objects
 One time operation in each forest
 Run on console of schema FSMO
 Enterprise Administrator and Schema Administrators rights required
 SYNTAX
 X:\i386\ADPREP /FORESTPREP
 Where X is the fully qualified path to the 2003 media
 Do NOT execute ADPREP changes manually
 Verification
 “Command completed successfully” in ADPREP
 CN=Windows2003Update in configuration NC for all DCs in forest
 IB replication by all DCs in forest
 System32\Debug\Adprep\Logs\<Latest log>
ADPREP /DOMAINPREP
Preparing Each Domain
 ADPREP /DOMAINPREP
 Adds new SDs in Domain NC and SYSVOL
 Changes from ADPREP /FORESTPREP must replicate in
 One time operation on infrastructure FSMO in each domain
 Requires domain administrator rights in target domain
 SYNTAX
 X:\i386\ADPREP /DOMAINPREP
 Where X is the fully qualified path to the 2003 media
 Verification
 “Command completed successfully” in ADPREP
 CN=Windows2003Update in Domain NC\SYSTEM…
 IB replication by all DCs in the domain
 System32\Debug\Adprep\Logs\<Latest log>
Install from Media Promotions
Sourcing AD and GCs from a Local Backup
 Overview
1. Create system state backup from existing 2003 DC
2. Restore backup to a LOCAL drive on a 2003 member
3. Run “DCPROMO /ADV”
 IFM rules
 DC being promoted must be on the network
 Only replica DCs are supported for IFM promotion
 Backup must be created from a 2003 DC in same domain
 Backup must have originated from GC to source that NC
 Move / copy rules for NTDS.DIT + log files
 Unattended IFM promotions supported
Post Upgrade / Install Operations
Verifying the New DC
 DC is healthy
 NETLOGON + SYSVOL shares exist
 DC responds to LDAP, RPC, and logon
requests
 SRV, CNAME, and A records are registered
in DNS
 FRS: Add canary file on local + direct
replication partner
 Active Directory: REPADMIN /SHOWREPS
 Policy being applied as noted by Event 1704
 Event log clean – may see event 1931 on
2000 upgrades
Admin Tools
 Windows 2003 AdminPak.msi installs on:
 Windows 2003
 XP SP1
 Some tools sign and encrypt LDAP traffic
between client and domain controller:
 Active Directory Domains and Trusts
 Active Directory Sites and Services
 Active Directory Schema
 Active Directory Users and Computers
 ADSI Edit
 Dsmove.exe
 Dsrm.exe
 Dsadd.exe
 Dsget.exe
 Dsmod.exe
 Dsquery.exe
 Group Policy Management Console
 Object Picker
Admin Tools
 LDAP Signing only available on Windows 2000
SP3 and higher
 Windows 2003 Admin Tools administering
Windows 2000 SP2 DC:
 LDAP signing and encryption of these tools can be
disabled – not recommended – KB 325465
Post Upgrade / Install Operations
More Best Practices
 Backup
 Create a new system state backup – mark old backups
 FSMO roles
 Transition PDC and Domain Naming Master to 2003
DC
 Install GPMC
 Schedule backups of Group Policy
 Test new policy in test domains then import
 Deal with DLT
 Restart the service or delete objects incrementally
according to KB article 312403
 Monitor
 To not monitor AD is to fail
Post Upgrade / Install Operations
More Best Practices
 Account Lockout
 Evaluate account lockout settings
 SP4 or 812499 (QFE ready; KB pending) on
W2K DCs in the domain
 Install Resource Kit tools ACCTINFO and
LOCKOUTSTATUS
 NTDS Quotas
 Set using DSadd
 Restrict number of objects that can be created
in the directory
ACCTINFO Property Page
Additional Account Info tab in AD
Users and Computers snap-in
Domain Password Policy
User's computer name, used to change the
password on a DC in the same AD site
Lockoutstatus.exe
Runs as a stand-alone utility or extension to ACCTINFO. Shows bad
password count and time across all DCs in domain.
Functional Levels
Getting to the Good Stuff
 Model to introduce new behavior into the
operating system
 Advanced by admin when all DCs in “scope” are
upgraded
 Analogy: Windows 2000 native mode (on steroids)
 Levels can only be increased – no rollback
 As you advance, earlier DC versions are ignored
 Clients are never impacted
 Available functional levels
 Windows 2003 Server domain functionality
 Windows 2003 Server interim forest functionality
 Not relevant in this scenario
 Windows 2003 Server forest functionality
Domain Functional Levels
 Windows 2000 Mixed
 Enabled features: Universal Groups (non-security only)
 Supported DCs in domain: Windows NT 4.0, Windows 2000, Windows 2003
 Windows 2000 Native
 Enabled features: all mixed mode, plus Group nesting, Universal groups,
SIDHistory, Group conversions
 Supported DCs in domain: Windows 2000, Windows 2003
 Windows 2003 Server Interim (Mixed / Native)
 Enabled features: same as Windows 2000 Mixed / Native mode – depends on
whether domain is Mixed or Native mode
 Supported DCs in domain: Windows NT 4.0, Windows 2003
Domain Functional Levels (2)
 Windows 2003 Server
 Enabled features: all Windows 2000 Native, plus:
 Update logon timestamp attribute
 Kerberos KDC version
 User password on inetOrgPerson
 DC rename with netdom
 Redirect users and computers
 Authorization Manager can store auth policies
 Selective authentication cross-forest
 Supported DCs in domain: Windows 2003
Forest Functional Levels
 Windows 2000
 Supported DCs in forest: Windows NT 4.0, Windows 2000, Windows 2003
 Windows 2003 Server Interim
 Enabled features: all Windows 2000, plus LVR replication, Improved ISTG,
New attributes added to GC
 Supported DCs in forest: Windows NT 4.0, Windows 2003
 Windows 2003 Server
 Enabled features: all Windows 2003 Server Interim, plus:
 Dynamic aux classes
 User to inetOrgPerson change
 Schema deactivation and reactivation
 Domain rename
 Cross-forest trust
 Basic and query-based groups (for roles-based authorization)
 15 sec. intrasite replication frequency
 Supported DCs in forest: Windows 2003
Goals by Functional Level
Run, Don’t Walk!
 Forest functional level changes
 Link Value Replication for Large group membership
 7MM users tested + more efficient deletion
 KCC scalability improved
 3000 sites a reality
 KCC branch office mode
 Fault tolerance with a static KCC generated topology
 To be documented in 2003 Branch Office Guide
 Change from 5 minute to 15 second intrasite
replication latency
 Why would you not go to FFL as fast as you
could?
 Application compatibility should be the only reason
Tips and Tricks
Good Things to Know
 Initial Sync requirements
 FSMOs must sync hosting NC before they will
function
 GC Sync requirements
 Must sync all NCs in the forest before advertising
 Faster to remove objects than Pre-SP3 2000 DCs
 Secedit /refreshpolicy replaced by GPUPDATE
 XP and 2003 are “the” management platform
 2003 REPADMIN, GPMC, Resultant Policy, 2003
Admin Pack
 2003 Admin Pack
 ADUC: RAS dial-in tab removed on XP
 Installs on XP and 2003 clients only
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

More Related Content

What's hot

EMC IT's Best Practices
EMC IT's Best PracticesEMC IT's Best Practices
EMC IT's Best Practiceswebhostingguy
 
AWS Summit 2011: High Availability Database Architectures in AWS Cloud
AWS Summit 2011: High Availability Database Architectures in AWS CloudAWS Summit 2011: High Availability Database Architectures in AWS Cloud
AWS Summit 2011: High Availability Database Architectures in AWS CloudAmazon Web Services
 
VMworld 2014: Data Protection for vSphere 101
VMworld 2014: Data Protection for vSphere 101VMworld 2014: Data Protection for vSphere 101
VMworld 2014: Data Protection for vSphere 101VMworld
 
Building an Oracle Grid with Oracle VM on Dell Blade Servers and EqualLogic i...
Building an Oracle Grid with Oracle VM on Dell Blade Servers and EqualLogic i...Building an Oracle Grid with Oracle VM on Dell Blade Servers and EqualLogic i...
Building an Oracle Grid with Oracle VM on Dell Blade Servers and EqualLogic i...Lindsey Aitchison
 
VMworld 2013: vSphere Data Protection 5.5 Advanced VMware Backup and Recovery...
VMworld 2013: vSphere Data Protection 5.5 Advanced VMware Backup and Recovery...VMworld 2013: vSphere Data Protection 5.5 Advanced VMware Backup and Recovery...
VMworld 2013: vSphere Data Protection 5.5 Advanced VMware Backup and Recovery...VMworld
 
Network and System Administration chapter 2
Network and System Administration chapter 2Network and System Administration chapter 2
Network and System Administration chapter 2IgguuMuude
 
SharePoint Backup And Disaster Recovery with Joel Oleson
SharePoint Backup And Disaster Recovery with Joel OlesonSharePoint Backup And Disaster Recovery with Joel Oleson
SharePoint Backup And Disaster Recovery with Joel OlesonJoel Oleson
 
Fastback Technical Enablementv1
Fastback Technical Enablementv1Fastback Technical Enablementv1
Fastback Technical Enablementv1petchpaitoon
 
VMUG - Falconstor Presentation
VMUG - Falconstor PresentationVMUG - Falconstor Presentation
VMUG - Falconstor Presentation1CloudRoad.com
 
[Altibase] 13 backup and recovery
[Altibase] 13 backup and recovery[Altibase] 13 backup and recovery
[Altibase] 13 backup and recoveryaltistory
 
Multi site Clustering with Windows Server 2008 Enterprise
Multi site Clustering with Windows Server 2008 EnterpriseMulti site Clustering with Windows Server 2008 Enterprise
Multi site Clustering with Windows Server 2008 EnterprisePaulo Freitas
 
SAP HANA System Replication - Setup, Operations and HANA Monitoring
SAP HANA System Replication - Setup, Operations and HANA MonitoringSAP HANA System Replication - Setup, Operations and HANA Monitoring
SAP HANA System Replication - Setup, Operations and HANA MonitoringLinh Nguyen
 
Erez Alsheich - GridControl
Erez Alsheich - GridControlErez Alsheich - GridControl
Erez Alsheich - GridControlgridcontrol
 
How Data Instant Replay and Data Progression Work Together
How Data Instant Replay and Data Progression Work TogetherHow Data Instant Replay and Data Progression Work Together
How Data Instant Replay and Data Progression Work TogetherCompellent Technologies
 
SAP HANA 2 – Dynamic Tiering Overview including HANA Monitoring
SAP HANA 2 – Dynamic Tiering Overview including HANA MonitoringSAP HANA 2 – Dynamic Tiering Overview including HANA Monitoring
SAP HANA 2 – Dynamic Tiering Overview including HANA MonitoringLinh Nguyen
 
DB2 Pure Scale Webcast
DB2 Pure Scale WebcastDB2 Pure Scale Webcast
DB2 Pure Scale WebcastLaura Hood
 
Db2 recovery IDUG EMEA 2013
Db2 recovery IDUG EMEA 2013Db2 recovery IDUG EMEA 2013
Db2 recovery IDUG EMEA 2013Dale McInnis
 
Presentation on backup and recoveryyyyyyyyyyyyy
Presentation on backup and recoveryyyyyyyyyyyyyPresentation on backup and recoveryyyyyyyyyyyyy
Presentation on backup and recoveryyyyyyyyyyyyyTehmina Gulfam
 

What's hot (19)

Chapter 25
Chapter 25Chapter 25
Chapter 25
 
EMC IT's Best Practices
EMC IT's Best PracticesEMC IT's Best Practices
EMC IT's Best Practices
 
AWS Summit 2011: High Availability Database Architectures in AWS Cloud
AWS Summit 2011: High Availability Database Architectures in AWS CloudAWS Summit 2011: High Availability Database Architectures in AWS Cloud
AWS Summit 2011: High Availability Database Architectures in AWS Cloud
 
VMworld 2014: Data Protection for vSphere 101
VMworld 2014: Data Protection for vSphere 101VMworld 2014: Data Protection for vSphere 101
VMworld 2014: Data Protection for vSphere 101
 
Building an Oracle Grid with Oracle VM on Dell Blade Servers and EqualLogic i...
Building an Oracle Grid with Oracle VM on Dell Blade Servers and EqualLogic i...Building an Oracle Grid with Oracle VM on Dell Blade Servers and EqualLogic i...
Building an Oracle Grid with Oracle VM on Dell Blade Servers and EqualLogic i...
 
VMworld 2013: vSphere Data Protection 5.5 Advanced VMware Backup and Recovery...
VMworld 2013: vSphere Data Protection 5.5 Advanced VMware Backup and Recovery...VMworld 2013: vSphere Data Protection 5.5 Advanced VMware Backup and Recovery...
VMworld 2013: vSphere Data Protection 5.5 Advanced VMware Backup and Recovery...
 
Network and System Administration chapter 2
Network and System Administration chapter 2Network and System Administration chapter 2
Network and System Administration chapter 2
 
SharePoint Backup And Disaster Recovery with Joel Oleson
SharePoint Backup And Disaster Recovery with Joel OlesonSharePoint Backup And Disaster Recovery with Joel Oleson
SharePoint Backup And Disaster Recovery with Joel Oleson
 
Fastback Technical Enablementv1
Fastback Technical Enablementv1Fastback Technical Enablementv1
Fastback Technical Enablementv1
 
VMUG - Falconstor Presentation
VMUG - Falconstor PresentationVMUG - Falconstor Presentation
VMUG - Falconstor Presentation
 
[Altibase] 13 backup and recovery
[Altibase] 13 backup and recovery[Altibase] 13 backup and recovery
[Altibase] 13 backup and recovery
 
Multi site Clustering with Windows Server 2008 Enterprise
Multi site Clustering with Windows Server 2008 EnterpriseMulti site Clustering with Windows Server 2008 Enterprise
Multi site Clustering with Windows Server 2008 Enterprise
 
SAP HANA System Replication - Setup, Operations and HANA Monitoring
SAP HANA System Replication - Setup, Operations and HANA MonitoringSAP HANA System Replication - Setup, Operations and HANA Monitoring
SAP HANA System Replication - Setup, Operations and HANA Monitoring
 
Erez Alsheich - GridControl
Erez Alsheich - GridControlErez Alsheich - GridControl
Erez Alsheich - GridControl
 
How Data Instant Replay and Data Progression Work Together
How Data Instant Replay and Data Progression Work TogetherHow Data Instant Replay and Data Progression Work Together
How Data Instant Replay and Data Progression Work Together
 
SAP HANA 2 – Dynamic Tiering Overview including HANA Monitoring
SAP HANA 2 – Dynamic Tiering Overview including HANA MonitoringSAP HANA 2 – Dynamic Tiering Overview including HANA Monitoring
SAP HANA 2 – Dynamic Tiering Overview including HANA Monitoring
 
DB2 Pure Scale Webcast
DB2 Pure Scale WebcastDB2 Pure Scale Webcast
DB2 Pure Scale Webcast
 
Db2 recovery IDUG EMEA 2013
Db2 recovery IDUG EMEA 2013Db2 recovery IDUG EMEA 2013
Db2 recovery IDUG EMEA 2013
 
Presentation on backup and recoveryyyyyyyyyyyyy
Presentation on backup and recoveryyyyyyyyyyyyyPresentation on backup and recoveryyyyyyyyyyyyy
Presentation on backup and recoveryyyyyyyyyyyyy
 

Viewers also liked

Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging ChallengesAaron Irizarry
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesNed Potter
 
Study: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsStudy: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsLinkedIn
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerLuminary Labs
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 

Viewers also liked (7)

Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging Challenges
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and Archives
 
Study: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsStudy: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving Cars
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI Explainer
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Similar to Moving to ws2003

Upgrading AD from Windows Server 2003 to Windows Server 2008 R2
Upgrading AD from Windows Server 2003 to Windows Server 2008 R2Upgrading AD from Windows Server 2003 to Windows Server 2008 R2
Upgrading AD from Windows Server 2003 to Windows Server 2008 R2Amit Gatenyo
 
Windows Server 2008 (Active Directory Yenilikleri)
Windows Server 2008 (Active Directory Yenilikleri)Windows Server 2008 (Active Directory Yenilikleri)
Windows Server 2008 (Active Directory Yenilikleri)ÇözümPARK
 
What we unlearned_and_learned_by_moving_from_m9000_to_ssc_ukoug2014
What we unlearned_and_learned_by_moving_from_m9000_to_ssc_ukoug2014What we unlearned_and_learned_by_moving_from_m9000_to_ssc_ukoug2014
What we unlearned_and_learned_by_moving_from_m9000_to_ssc_ukoug2014Philippe Fierens
 
DRaaS at the museum, vCloud Air
DRaaS at the museum, vCloud AirDRaaS at the museum, vCloud Air
DRaaS at the museum, vCloud AirVLCM Tech
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedMustafa Golam
 
Dns Configuration
Dns ConfigurationDns Configuration
Dns ConfigurationLohit Ahuja
 
Comparison of ACFS and DBFS
Comparison of ACFS and DBFSComparison of ACFS and DBFS
Comparison of ACFS and DBFSDanielHillinger
 
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Andrejs Prokopjevs
 
Keep Them out of the Database
Keep Them out of the DatabaseKeep Them out of the Database
Keep Them out of the DatabaseMartin Berger
 
Data Protection Manager – Soluţie Enterprise pentru Backup-Microsoft -8sept2010
Data Protection Manager – Soluţie Enterprise pentru Backup-Microsoft -8sept2010Data Protection Manager – Soluţie Enterprise pentru Backup-Microsoft -8sept2010
Data Protection Manager – Soluţie Enterprise pentru Backup-Microsoft -8sept2010Agora Group
 
Colvin RMAN New Features
Colvin RMAN New FeaturesColvin RMAN New Features
Colvin RMAN New FeaturesEnkitec
 
Oracle Fleet Patching and Provisioning Deep Dive Webcast Slides
Oracle Fleet Patching and Provisioning Deep Dive Webcast SlidesOracle Fleet Patching and Provisioning Deep Dive Webcast Slides
Oracle Fleet Patching and Provisioning Deep Dive Webcast SlidesLudovico Caldara
 
CtrlS: Cloud Solutions for Retail & eCommerce
CtrlS: Cloud Solutions for Retail & eCommerceCtrlS: Cloud Solutions for Retail & eCommerce
CtrlS: Cloud Solutions for Retail & eCommerceeTailing India
 
Oracle HA, DR, data warehouse loading, and license reduction through edge app...
Oracle HA, DR, data warehouse loading, and license reduction through edge app...Oracle HA, DR, data warehouse loading, and license reduction through edge app...
Oracle HA, DR, data warehouse loading, and license reduction through edge app...Continuent
 
Dpm Disaster Recovery Sonvu
Dpm Disaster Recovery SonvuDpm Disaster Recovery Sonvu
Dpm Disaster Recovery Sonvuvncson
 

Similar to Moving to ws2003 (20)

Upgrading AD from Windows Server 2003 to Windows Server 2008 R2
Upgrading AD from Windows Server 2003 to Windows Server 2008 R2Upgrading AD from Windows Server 2003 to Windows Server 2008 R2
Upgrading AD from Windows Server 2003 to Windows Server 2008 R2
 
Windows Server 2008 (Active Directory Yenilikleri)
Windows Server 2008 (Active Directory Yenilikleri)Windows Server 2008 (Active Directory Yenilikleri)
Windows Server 2008 (Active Directory Yenilikleri)
 
What we unlearned_and_learned_by_moving_from_m9000_to_ssc_ukoug2014
What we unlearned_and_learned_by_moving_from_m9000_to_ssc_ukoug2014What we unlearned_and_learned_by_moving_from_m9000_to_ssc_ukoug2014
What we unlearned_and_learned_by_moving_from_m9000_to_ssc_ukoug2014
 
DRaaS at the museum, vCloud Air
DRaaS at the museum, vCloud AirDRaaS at the museum, vCloud Air
DRaaS at the museum, vCloud Air
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To Advanced
 
Cl310
Cl310Cl310
Cl310
 
Configuring Dns
Configuring DnsConfiguring Dns
Configuring Dns
 
Dns Configuration
Dns ConfigurationDns Configuration
Dns Configuration
 
Comparison of ACFS and DBFS
Comparison of ACFS and DBFSComparison of ACFS and DBFS
Comparison of ACFS and DBFS
 
Ad fundamentals
Ad fundamentalsAd fundamentals
Ad fundamentals
 
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
 
Keep Them out of the Database
Keep Them out of the DatabaseKeep Them out of the Database
Keep Them out of the Database
 
Data Protection Manager – Soluţie Enterprise pentru Backup-Microsoft -8sept2010
Data Protection Manager – Soluţie Enterprise pentru Backup-Microsoft -8sept2010Data Protection Manager – Soluţie Enterprise pentru Backup-Microsoft -8sept2010
Data Protection Manager – Soluţie Enterprise pentru Backup-Microsoft -8sept2010
 
All Change
All ChangeAll Change
All Change
 
Double-Take Software
Double-Take SoftwareDouble-Take Software
Double-Take Software
 
Colvin RMAN New Features
Colvin RMAN New FeaturesColvin RMAN New Features
Colvin RMAN New Features
 
Oracle Fleet Patching and Provisioning Deep Dive Webcast Slides
Oracle Fleet Patching and Provisioning Deep Dive Webcast SlidesOracle Fleet Patching and Provisioning Deep Dive Webcast Slides
Oracle Fleet Patching and Provisioning Deep Dive Webcast Slides
 
CtrlS: Cloud Solutions for Retail & eCommerce
CtrlS: Cloud Solutions for Retail & eCommerceCtrlS: Cloud Solutions for Retail & eCommerce
CtrlS: Cloud Solutions for Retail & eCommerce
 
Oracle HA, DR, data warehouse loading, and license reduction through edge app...
Oracle HA, DR, data warehouse loading, and license reduction through edge app...Oracle HA, DR, data warehouse loading, and license reduction through edge app...
Oracle HA, DR, data warehouse loading, and license reduction through edge app...
 
Dpm Disaster Recovery Sonvu
Dpm Disaster Recovery SonvuDpm Disaster Recovery Sonvu
Dpm Disaster Recovery Sonvu
 

Moving to ws2003

  • 1. Moving to Windows Server 2003 from Windows 2000 Dave Sayers, Senior Consultant Windows Team, Microsoft Services Organisation
  • 2. Agenda  Benefits of Upgrading from Windows 2000  Upgrading from Windows 2000  Taking inventories  Using ADPrep  Post-installation tasks  Functional Levels  Tips and Tricks
  • 3. Benefits of Upgrade  Windows Server 2003 Active Directory an evolutionary step  Improvements in the existing feature set  Security fixes  Secure by default  New features  Straightforward upgrade path
  • 4. Benefits of Upgrade  Cross Forest Kerberos trust  Improved Replication  Link Value Replication, No GC Full Synchronisation  No 5000 member group Limit  Domain Rename  Application Partitions  Branch Office Improvements  KCC, GC Caching  Rapid GC Demotion
  • 5. Benefits of Upgrade  Schema “Defunct”  Lingering Object Removal  LDAP Improvements  Virtual List View Support  Correct Auxiliary Class Support  InetOrgPerson  Lightweight LDAP authentication  Dynamic Entries  Single Instance Store
  • 6. Benefits of Upgrade  Resultant Set Of Policy (RSOP)  Planning and Reporting Modes  Many new policy settings  Filtering via WMI query  Dynamically evaluate query and apply GP on result  Group Policy Management Console
  • 7. Important Active Directory Changes Improved Security Settings  Allow anonymous SID / name translation policy  Clients in NT 4.0 resource domains may experience:  “Account Unknown” in ACL editor  Authentication failure by Microsoft and Outlook clients  Intermittent results as Secure Channels move between 2000 / 2003 DCs  Everyone group
  • 8. Important Active Directory Changes Improved Security Settings  Pre-Windows 2000 compatible access  If Everyone is in Pre-Windows 2000 Compatible Access group, then:  Anonymous Logon and Authenticated Users are added  Enterprise Domain Controllers is added to Windows Authorization Access group  Everyone may have been removed by the administrator  Common on 2000 domains upgraded from NT 4.0  “Enforce SMB signing” enabled  Integrity of the client
  • 9. Upgrade from Windows 2000 Overview  Easy upgrade process  No AD or OU namespace planning required  No DNS namespace, deployment, or delegation conflicts  No user / workstation / profile migration  Windows 2003 Server DCs  Can play any role in Windows 2000 forest / domain  Are fully compatible with Windows 2000 DCs  How to introduce 2003 DCs?  Add new DCs with DCPROMO  Upgrade of existing 2000 DC (Winnt32.exe)
  • 10. Upgrade Steps  Check domain controllers’ SP level  SP1 with QFE265089 required  SP2 recommended  Inventories  Client/Domain Controller/Schema  Prepare forest  Adprep /forestprep  Prepare domain(s)  Adprep /domainprep  Install Windows Server 2003 Member Server  Run dcpromo  Upgrade other domain controllers
  • 11. Client Inventory Update Windows 95 and Windows NT 4.0 Clients  Security default on Server 2003 DCs  By default, “Enforce SMB Signing” is enabled  Temporarily relax settings on DCs or update clients  Windows 95  Install DS client or new operating system  Windows NT 4.0:  SP3 or later required, SP6a recommended (DFS)  All other Microsoft network clients  No action required  Latest SPs are always recommended
  • 12. DC Inventory ADPREP Operations and Mitigation  ADPREP  Adds new permissions, objects, and attributes  Protect Schema update and index rebuild  Schema Delete: fixed in SP2 or QFE  Mandatory  Inefficient replication of schema deltas: SP3 or QFE  Optional for small domains with fast links  Index Replication Delay: SP3 or QFE  Optional for large domains  2000 DCs must have SP2 to source AD from 2003 DC*  * If hosting application partitions
  • 13. DC Inventory QFE Strategy for 2000 DCs  Guiding principles  Do not let ADPREP drive forest-wide SP installation  Single QFE resolves all ADPREP issues on SP1 → SP3 DCs  Install performance fixes if you cannot tolerate outage  Mixed version domains  The faster you get to all-2003 DC forests, the less you need 2000 SP3  Extended 2000 / 2003 interoperability  Windows 2000 SP3 + SP3 regressions + NTFRS.EXE + NTDSA.DLL QFE  Inventory DCs with 2003 REPADMIN /SHOWATTR  See KB article 331161 for a detailed explanation of the QFEs
  • 14. DC Inventory DC, Domain, and Forest Health  For each domain in the forest verify:  FSMOs  Accounted for and correctly located  Schema + infrastructure used by ADPREP  Event logs  No significant replication, topology, or other events  NETLOGON and SYSVOL  Shares exist and contents synchronized by FRS  DCs applying Policy - 1704 in application log, no 1202s  DCs have free disk space  AD database: Free space = 15-20% of NTDS.DIT size  AD logs: Free space = 15-20% of *.log files  DLT Service (optional)  Stop service and delete object if not used - 312403  System state backups  Backup two DCs in each domain in the forest
  • 15. DC Inventory Replication Health  Tombstone lifetime (TSL) and AD object deletion model  Goal: Transitive replication of deltas between all DCs in the forest hosting a particular NC  Blockers: Connectivity, DNS configuration, authentication, offline DCs, disjointed topologies, incorrect site or BridgeHead selections, replication errors  Do not decrease this value lightly, and do not increase above default  Demote DCs not replicating OB or IB deltas in TSL days  DCPROMO /FORCEREMOVAL added to W2K in 332199 QFE  Full metadata cleanup in DFS, DNS, FRS, AD, NTDSUTIL, etc.  Exception: All or last DC in domain or alternate replication path  Forest-wide replication check  2003 REPADMIN on XP or 2003 member against 2000 or 2003 DCs  REPADMIN /SHOWREPL * /CSV + Excel Autofilter for drilldown
  • 17. DC Inventory Plans for Non-Replicating DCs  Connection fails for > 60 days  DC3 not replicating IB / OB deltas from DC1  Alternate path exists?  Fix error and keep moving  No IB / OB replication > 60 days  DC3 not replicating IB or OB deltas  Replicas for DC3 NCs exist?  Yes - forced demote DC3  No - fix replication, then clean up lingering objects later  Disjoint topology  All DCs report replication success  No “bridge” between site links  Clean up lingering objects later  [Diagram: DC1, DC2 and DC3 connected across Site Link ABC and Site Link DEF]
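The forest-wide check on slide 15 (REPADMIN /SHOWREPL * /CSV plus an Excel autofilter) and the decision tree on slide 17 can be automated. The Python below is an added example, not code from the deck or from Microsoft: it parses the CSV, flags every inbound link whose last successful replication is older than the tombstone lifetime (60 days assumed, the Windows 2000-era default), and records whether the destination DC still has another healthy source for the same naming context, which is slide 17's "alternate path exists?" test. The column names assume repadmin's CSV layout (a showrepl_COLUMNS header followed by showrepl_INFO rows); the sample rows are constructed, not captured output, so check both against your own repadmin version before relying on the parser.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumption: default tombstone lifetime for a forest created on Windows 2000.
# Replace with the value actually set on your forest's Directory Service object.
TOMBSTONE_LIFETIME_DAYS = 60

# Constructed sample (not real repadmin output). Header and row-tag layout
# assume repadmin /showrepl * /csv: a showrepl_COLUMNS header, then
# showrepl_INFO rows; "0" in a time column means "never".
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC1,"DC=corp,DC=example",SiteA,DC2,RPC,0,0,2003-09-01 08:00:00,0
showrepl_INFO,SiteA,DC1,"DC=corp,DC=example",SiteB,DC3,RPC,142,2003-09-01 07:45:00,2003-06-20 02:10:00,1722
showrepl_INFO,SiteB,DC3,"CN=Configuration,DC=corp,DC=example",SiteA,DC1,RPC,142,2003-09-01 07:50:00,2003-06-20 02:12:00,1722
showrepl_INFO,SiteA,DC2,"DC=corp,DC=example",SiteA,DC1,RPC,0,0,2003-09-01 07:55:00,0
"""
SAMPLE_NOW = datetime(2003, 9, 1, 8, 0, 0)  # "now" for the constructed sample


def parse_showrepl(text):
    """Return the showrepl_INFO records as dicts keyed by the CSV header."""
    return [r for r in csv.DictReader(io.StringIO(text))
            if r.get("showrepl_COLUMNS") == "showrepl_INFO"]


def _parse_time(value):
    # repadmin writes 0 when the field has no timestamp
    if not value or value == "0":
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def triage(rows, now, tsl_days=TOMBSTONE_LIFETIME_DAYS):
    """One finding per inbound link that has not succeeded within tsl_days.

    alternate_path is True when the same destination DC still replicates the
    same naming context successfully from some other source.
    """
    cutoff = now - timedelta(days=tsl_days)
    healthy = {}  # (destination, NC) -> sources that succeeded within TSL
    for r in rows:
        last_ok = _parse_time(r["Last Success Time"])
        if last_ok is not None and last_ok >= cutoff:
            key = (r["Destination DSA"], r["Naming Context"])
            healthy.setdefault(key, set()).add(r["Source DSA"])

    findings = []
    for r in rows:
        last_ok = _parse_time(r["Last Success Time"])
        if last_ok is not None and last_ok >= cutoff:
            continue  # link is within the tombstone lifetime, nothing to do
        key = (r["Destination DSA"], r["Naming Context"])
        findings.append({
            "destination": r["Destination DSA"],
            "source": r["Source DSA"],
            "naming_context": r["Naming Context"],
            "days_since_success": None if last_ok is None else (now - last_ok).days,
            "failures": int(r["Number of Failures"]),
            "last_status": r["Last Failure Status"],
            "alternate_path": bool(healthy.get(key)),
        })
    return findings


def recommendation(finding):
    """Map a finding onto the deck's decision tree for non-replicating DCs."""
    if finding["alternate_path"]:
        return "alternate path exists: fix the error and keep moving"
    return ("no successful path within TSL: if other replicas of this NC exist, "
            "force-demote the DC and run metadata cleanup; otherwise fix "
            "replication and clean up lingering objects afterwards")


def run_sample():
    """Triage the constructed sample as of SAMPLE_NOW."""
    return triage(parse_showrepl(SAMPLE_CSV), SAMPLE_NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['destination']} <- {f['source']} [{f['naming_context']}]: "
              f"{f['days_since_success']} days since last success, "
              f"{f['failures']} failures, status {f['last_status']}")
        print("   ", recommendation(f))
```

Run it against real data with `repadmin /showrepl * /csv > showrepl.csv` from a 2003 or XP member and feed the file contents to parse_showrepl; a DC that appears only as a destination with no healthy source for a naming context is the case the deck says needs forced demotion or lingering-object cleanup, not a simple retry.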
  • 18. Schema Inventory Exchange 2000 and SFU  E2K already installed before 2003 ADPREP?  E2K ADPREP defines two non-RFC attributes  LabeledURI + Secretary  ADPREP /FORESTPREP defines same attributes  Result: Mangled LDAPDISPLAYNAMES  Fix: “Exchangefix.ldf” from SupportTools on 2003 CD  Specify full path and wrap forest root DN in quotes  E2K to be installed before 2003 DCs?  Execute 2003 ADPREP or 2000 InetOrgPerson Kit first  SFU 2  SFU 2 defines UID incorrectly  Adprep cannot extend unless QFE is applied  KB articles: 325379 and 293783
  • 19. ADPREP /FORESTPREP Preparing the Forest  Client, DC, and schema inventory complete; backups made  E2K / SFU schema conflicts resolved  ADPREP /FORESTPREP  Adds new SDs, attributes, and objects  One time operation in each forest  Run on the console of the schema FSMO  Enterprise Admins and Schema Admins membership required  SYNTAX  X:\i386\ADPREP /FORESTPREP  Where X: is the drive or fully qualified path to the 2003 media  Do NOT apply the ADPREP changes manually  Verification  “Command completed successfully” in ADPREP  CN=Windows2003Update in the Configuration NC, present on all DCs in the forest  IB replication by all DCs in the forest  System32\Debug\Adprep\Logs\<latest log>
  • 20. ADPREP /DOMAINPREP Preparing Each Domain  ADPREP /DOMAINPREP  Adds new SDs in the Domain NC and SYSVOL  Changes from ADPREP /FORESTPREP must have replicated in first  One time operation on the infrastructure FSMO in each domain  Requires Domain Admins rights in the target domain  SYNTAX  X:\i386\ADPREP /DOMAINPREP  Where X: is the drive or fully qualified path to the 2003 media  Verification  “Command completed successfully” in ADPREP  CN=Windows2003Update in Domain NC\System…  IB replication by all DCs in the domain  System32\Debug\Adprep\Logs\<latest log>
  • 21. Install from Media Promotions Sourcing AD and GCs from a Local Backup  Overview 1. Create system state backup from existing 2003 DC 2. Restore backup to a LOCAL drive on a 2003 member 3. Run “DCPROMO /ADV”  IFM rules  DC being promoted must be on the network  Only replica DCs are supported for IFM promotion  Backup must be created from a 2003 DC in same domain  Backup must have originated from GC to source that NC  Move / copy rules for NTDS.DIT + log files  Unattended IFM promotions supported
  • 22. Post Upgrade / Install Operations Verifying the New DC  DC is healthy  NETLOGON + SYSVOL shares exist  DC responds to LDAP, RPC, and logon requests  SRV, CNAME, and A records are registered in DNS  FRS: Add canary file on local + direct replication partner  Active Directory: REPADMIN /SHOWREPS  Policy being applied as noted by Event 1704  Event log clean – may see event 1931 on 2000 upgrades
  • 23. Admin Tools  Windows 2003 AdminPak.msi installs on:  Windows 2003  XP SP1  Some tools sign and encrypt LDAP traffic between client and domain controller:  Active Directory Domains and Trusts  Active Directory Sites and Services  Active Directory Schema  Active Directory Users and Computers  ADSI Edit  Dsmove.exe  Dsrm.exe  Dsadd.exe  Dsget.exe  Dsmod.exe  Dsquery.exe  Group Policy Management Console  Object Picker
  • 24. Admin Tools  LDAP Signing only available on Windows 2000 SP3 and higher  Windows 2003 Admin Tools administering Windows 2000 SP2 DC:  LDAP signing and encryption of these tools can be disabled – not recommended – KB 325465
  • 25. Post Upgrade / Install Operations More Best Practices  Backup  Create a new system state backup – mark old backups  FSMO roles  Transition PDC and Domain Naming Master to a 2003 DC  Install GPMC  Schedule backups of Group Policy  Test new policy in test domains, then import  Deal with DLT  Stop the service, or delete the objects incrementally, according to KB article 312403  Monitor  To not monitor AD is to fail
  • 26. Post Upgrade / Install Operations More Best Practices  Account Lockout  Evaluate account lockout settings  SP4 or 812499 (QFE ready; KB pending) on W2K DCs in the domain  Install Resource Kit tools ACCTINFO and LOCKOUTSTATUS  NTDS Quotas  Set using DSadd  Restrict number of objects that can be created in the directory
  • 27. ACCTINFO Property Page  Adds an “Additional Account Info” tab to the AD Users and Computers snap-in  Shows the domain password policy  Uses the user’s computer name to change the password on a DC in the same AD site
  • 28. Lockoutstatus.exe Runs as a stand-alone utility or extension to ACCTINFO. Shows bad password count and time across all DCs in domain.
  • 29. Functional Levels Getting to the Good Stuff  Model to introduce new behavior into the operating system  Advanced by admin when all DCs in “scope” are upgraded  Analogy: Windows 2000 native mode (on steroids)  Levels can only be increased – no rollback  As you advance, earlier DC versions are ignored  Clients are never impacted  Available functional levels  Windows 2003 Server domain functionality  Windows 2003 Server interim forest functionality  Not relevant in this scenario  Windows 2003 Server forest functionality
  • 30. Domain Functional Levels
  Windows 2000 Mixed
   Enabled features: Universal groups (non-security only)
   Supported DCs in domain: Windows NT 4.0, Windows 2000, Windows 2003
  Windows 2000 Native
   Enabled features: All Windows 2000 Mixed, plus group nesting, universal groups, SIDHistory, group conversions
   Supported DCs in domain: Windows 2000, Windows 2003
  Windows 2003 Server Interim
   Enabled features: Same as Windows 2000 Mixed or Native, depending on whether the domain is in Mixed or Native mode
   Supported DCs in domain: Windows NT 4.0, Windows 2003
  • 31. Domain Functional Levels (2)
  Windows 2003 Server
   Enabled features: All Windows 2000 Native, plus update of the logon timestamp attribute, Kerberos KDC version, user password on inetOrgPerson, DC rename with netdom, redirect of Users and Computers containers, Authorization Manager can store authorization policies, selective authentication cross-forest
   Supported DCs in domain: Windows 2003
  • 32. Forest Functional Levels
  Windows 2000
   Enabled features: (baseline)
   Supported DCs in forest: Windows NT 4.0, Windows 2000, Windows 2003
  Windows 2003 Server Interim
   Enabled features: All Windows 2000, plus LVR replication, improved ISTG, new attributes added to the GC
   Supported DCs in forest: Windows NT 4.0, Windows 2003
  Windows 2003 Server
   Enabled features: All Windows 2003 Server Interim, plus dynamic aux classes, user to inetOrgPerson change, schema deactivation and reactivation, domain rename, cross-forest trust, basic and query-based groups (for role-based authorization), 15 sec. intrasite replication frequency
   Supported DCs in forest: Windows 2003
  • 33. Goals by Functional Level Run, Don’t Walk!  Forest functional level changes  Link Value Replication for large group membership  7 million users tested + more efficient deletion  KCC scalability improved  3000 sites a reality  KCC branch office mode  Fault tolerance with a static KCC generated topology  To be documented in 2003 Branch Office Guide  Change from 5 minute to 15 second intrasite replication latency  Why would you not go to FFL as fast as you could?  Application compatibility should be the only reason
  • 34. Tips and Tricks Good Things to Know  Initial sync requirements  FSMOs must sync the hosting NC before they will function  GC sync requirements  Must sync all NCs in the forest before advertising  Faster at removing objects than pre-SP3 2000 DCs  Secedit /refreshpolicy replaced by GPUPDATE  XP and 2003 are “the” management platform  2003 REPADMIN, GPMC, Resultant Set of Policy, 2003 Admin Pack  2003 Admin Pack  ADUC: RAS dial-in tab removed on XP  Installs on XP and 2003 clients only
  • 35. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.