This document discusses upgrading from Windows 2000 to Windows 2003. It outlines the benefits of upgrading such as improved security and new features. It provides guidance on preparing for the upgrade including taking inventories of clients, domains, and schemas. It describes using ADPrep to prepare the forest and domains. The document discusses post-installation tasks such as verifying the new domain controller and functional levels. It aims to provide best practices for a smooth upgrade process.
1. Moving to Windows Server 2003 from Windows 2000
Dave Sayers, Senior Consultant
Windows Team, Microsoft Services Organisation
2. Agenda
Benefits of Upgrading from Windows 2000
Upgrading from Windows 2000
Taking inventories
Using ADPrep
Post-installation tasks
Functional Levels
Tips and Tricks
3. Benefits of Upgrade
Windows Server 2003 Active Directory is an evolutionary step
Improvements in the existing feature set
Security fixes
Secure by default
New features
Straightforward upgrade path
4. Benefits of Upgrade
Cross Forest Kerberos trust
Improved Replication
Link Value Replication, No GC Full Synchronisation
No 5000 member group Limit
Domain Rename
Application Partitions
Branch Office Improvements
KCC, GC Caching
Rapid GC Demotion
5. Benefits of Upgrade
Schema “Defunct”
Lingering Object Removal
LDAP Improvements
Virtual List View Support
Correct Auxiliary Class Support
InetOrgPerson
Lightweight LDAP authentication
Dynamic Entries
Single Instance Store
6. Benefits of Upgrade
Resultant Set Of Policy (RSOP)
Planning and Reporting Modes
Many new policy settings
Filtering via WMI query
Dynamically evaluate the query and apply GP on the result
Group Policy Management Console
7. Important Active Directory Changes
Improved Security Settings
Allow anonymous SID / name translation policy
Clients in NT 4.0 resource domains may experience:
“Account Unknown” in ACL editor
Authentication failure by Microsoft and Outlook clients
Intermittent results as secure channels move between 2000 / 2003 DCs
Everyone group
8. Important Active Directory Changes
Improved Security Settings
Pre-Windows 2000 compatible access
If Everyone is in the Pre-Windows 2000 Compatible Access group, then:
Anonymous Logon and Authenticated Users are added
Enterprise Domain Controllers is added to the Windows Authorization Access group
Everyone may have been removed by the administrator
Common on 2000 domains upgraded from NT 4.0
“ Enforce SMB signing” enabled
Integrity of the client
9. Upgrade from Windows 2000
Overview
Easy upgrade process
No AD or OU namespace planning required
No DNS namespace, deployment, or delegation conflicts
No user / workstation / profile migration
Windows 2003 Server DCs
Can play any role in Windows 2000 forest / domain
Are fully compatible with Windows 2000 DCs
How to introduce 2003 DCs?
Add new DCs with DCPROMO
Upgrade of existing 2000 DC (Winnt32.exe)
10. Upgrade Steps
Check domain controllers’ SP level
SP1 with QFE 265089 required
SP2 recommended
Inventories
Client/Domain Controller/Schema
Prepare forest
Adprep /forestprep
Prepare domain(s)
Adprep /domainprep
Install Windows Server 2003 Member Server
Run dcpromo
Upgrade other domain controllers
11. Client Inventory
Update Windows 95 and Windows NT 4.0 Clients
Security default on Server 2003 DCs
By default, “Enforce SMB Signing” is enabled
Temporarily relax settings on DCs or update clients
Windows 95
Install DS client or new operating system
Windows NT 4.0:
SP3 or later required, SP6a recommended (DFS)
All other Microsoft network clients
No action required
Latest SPs are always recommended
12. DC Inventory
ADPREP Operations and Mitigation
ADPREP
Adds new permissions, objects, and attributes
Protect Schema update and index rebuild
Schema Delete: fixed in SP2 or QFE
Mandatory
Inefficient replication of schema deltas:
SP3 or QFE
Optional for small domains with fast links
Index Replication Delay: SP3 or QFE
Optional for large domains
2000 DCs must have SP2 to source AD from a 2003 DC (if the 2003 DC hosts application partitions)
13. DC Inventory
QFE Strategy for 2000 DCs
Guiding principles
Do not let ADPREP drive forest-wide SP installation
Single QFE resolves all ADPREP issues on SP1 → SP3 DCs
Install performance fixes if you cannot tolerate outage
Mixed version domains
The faster you get to an all-2003-DC forest, the less you need 2000 SP3
Extended 2000 / 2003 interoperability
Windows 2000 SP3 + SP3 regressions + NTFRS.EXE + NTDSA.DLL QFE
Inventory for DCs with 2003 REPADMIN /SHOWATTR
See KB article 331161 for detailed explanation on QFEs
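The two DC Inventory slides above amount to a per-DC rule set; the following Python is an added example (not from the original deck) that encodes those rules so a whole inventory can be screened before anyone runs ADPREP. The DC names, the inventory records and the boolean hotfix flags are assumptions, as is the reading of "optional" items as advisory rather than blocking; the deck points to KB 331161 for the actual QFE list.

```python
"""Windows 2000 DC service-pack / QFE readiness before ADPREP (added example).

Rules taken from the deck's DC Inventory slides:
  - SP1 (with QFE 265089) is the floor, SP2 recommended
  - schema-delete fix: SP2 or the ADPREP QFE, mandatory
  - schema-delta replication fix: SP3 or the QFE, optional only for small
    domains with fast links
  - index-replication-delay fix: SP3 or the QFE, optional for large domains
  - a 2000 DC that will source AD from a 2003 DC hosting application
    partitions needs SP2
Inventory records and hotfix flags below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Win2000DC:
    name: str
    service_pack: int                       # 0-4
    has_adprep_qfe: bool = False            # the single QFE covering ADPREP issues on SP1-SP3
    has_qfe_265089: bool = False            # only matters on SP1
    will_source_from_2003_app_partition_dc: bool = False


def dc_findings(dc, large_domain=False, fast_links=True):
    """Return (blocking, advisory) findings for one DC.

    'blocking' items must be fixed before ADPREP runs; 'advisory' items are
    the fixes the deck calls optional or recommended for the domain shape.
    """
    blocking, advisory = [], []
    sp = dc.service_pack

    if sp < 1 or (sp == 1 and not dc.has_qfe_265089):
        blocking.append("below minimum: needs SP1 with QFE 265089")
    elif sp < 2:
        advisory.append("SP2 recommended")

    if sp < 2 and not dc.has_adprep_qfe:
        blocking.append("schema-delete fix missing: install SP2 or the ADPREP QFE")

    if sp < 3 and not dc.has_adprep_qfe:
        # Both SP3-level fixes are covered by the same QFE.
        if large_domain or not fast_links:
            advisory.append("schema-delta replication fix recommended: SP3 or the ADPREP QFE")
        if large_domain:
            advisory.append("index replication delay fix optional: SP3 or the ADPREP QFE")

    if dc.will_source_from_2003_app_partition_dc and sp < 2:
        blocking.append("SP2 required to source AD from a 2003 DC hosting application partitions")

    return blocking, advisory


def screen_forest(dcs, large_domain=False, fast_links=True):
    """Map DC name -> (blocking, advisory) for every DC in the inventory."""
    return {dc.name: dc_findings(dc, large_domain, fast_links) for dc in dcs}


def ready_for_adprep(report):
    """ADPREP should wait while any DC still has a blocking finding."""
    return all(not blocking for blocking, _ in report.values())


# Constructed inventory: three DCs at different patch levels.
SAMPLE_DCS = [
    Win2000DC("DC1", service_pack=3),
    Win2000DC("DC2", service_pack=2, will_source_from_2003_app_partition_dc=True),
    Win2000DC("DC3", service_pack=1, has_qfe_265089=True),
]


def sample_report():
    """Screen the constructed inventory as a large domain."""
    return screen_forest(SAMPLE_DCS, large_domain=True)


if __name__ == "__main__":
    report = sample_report()
    for name, (blocking, advisory) in report.items():
        print(name, "BLOCKING:", blocking, "ADVISORY:", advisory)
    print("ready for ADPREP:", ready_for_adprep(report))
```

In the sample, DC3 (SP1 without the ADPREP QFE) blocks the run on the mandatory schema-delete fix, while DC2 (SP2) only picks up the two advisory SP3-level items; that is the "do not let ADPREP drive forest-wide SP installation" point made concrete.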
14. DC Inventory
DC, Domain, and Forest Health
For each domain in the forest verify:
FSMOs
Accounted for and correctly located
Schema + infrastructure used by ADPREP
Event logs
No significant replication, topology, or other events
NETLOGON and SYSVOL
Shares exist and contents synchronized by FRS
DCs applying Policy - 1704 in application log, no 1202s
DCs have free disk space
AD database: Free space = 15-20% of NTDS.DIT size
AD logs: Free space = 15-20% of *.log files
DLT Service (optional)
Stop service and delete object if not used - 312403
System state backups
Backup two DCs in each domain in the forest
15. DC Inventory
Replication Health
Tombstone lifetime (TSL) and the AD object deletion model
Goal: transitive replication of deltas between all DCs in the forest hosting a particular NC
Blockers: connectivity, DNS configuration, authentication, offline DCs, disjointed topologies, incorrect site or bridgehead selections, replication errors
Do not decrease this value lightly, and do not increase it above the default
Demote DCs that have not replicated outbound (OB) or inbound (IB) deltas within TSL days
DCPROMO /FORCEREMOVAL added to W2K in the 332199 QFE
Full metadata cleanup in DFS, DNS, FRS, AD, NTDSUTIL, etc.
Exception: all or last DC in the domain, or an alternate replication path exists
Forest-wide replication check
2003 REPADMIN on an XP or 2003 member against 2000 or 2003 DCs
REPADMIN /SHOWREPL * /CSV + Excel AutoFilter for drilldown
17. DC Inventory
Plans for Non-Replicating DCs
Connection fails for > 60 days
DC3 not replicating IB / OB deltas from DC1
Alternate path exists? Fix the error and keep moving
No IB / OB replication for > 60 days
DC3 not replicating IB or OB deltas at all
Replicas for DC3's NCs exist?
Yes - forced demote DC3
No - fix replication, then clean up lingering objects later
Disjoint topology
All DCs report replication success
No “bridge” between site links
Clean up lingering objects later
[Diagram: two site links, ABC and DEF, each drawn with DC1, DC2 and DC3]
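The two slides above describe a manual drilldown (REPADMIN /SHOWREPL * /CSV plus an Excel AutoFilter) and a decision tree for DCs that have stopped replicating. The following Python is an added example, not part of the original deck, that automates that drilldown: it parses the CSV that repadmin writes, finds the newest successful inbound replication per destination DC and naming context, and applies the decision tree against the tombstone lifetime. The column order follows the showrepl_COLUMNS header repadmin emits; the data rows, DC and site names, timestamps and the "current time" are constructed.

```python
"""Tombstone-lifetime triage of 'repadmin /showrepl * /csv' output (added example).

Decision tree from the deck's "Plans for Non-Replicating DCs" slide:
  - some partner delivered deltas within TSL, another has failed for longer
    than TSL              -> fix that connection, an alternate path exists
  - nobody delivered deltas within TSL and another replica of the NC exists
                          -> forced demote (DCPROMO /FORCEREMOVAL) + metadata cleanup
  - nobody delivered deltas within TSL and no other replica exists
                          -> fix replication first, clean lingering objects later
Sample rows, names and timestamps are constructed.
"""
import csv
import io
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME_DAYS = 60  # Windows 2000 / Windows Server 2003 default
NOW = datetime(2003, 9, 1, 9, 0, 0)  # constructed 'current' time for the sample

# Constructed sample: DC3 (site DEF) has not pulled the domain NC from DC1
# for about 72 days; its Configuration NC still replicates fine from DC4.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,ABC,DC1,"DC=corp,DC=example",ABC,DC2,RPC,0,0,2003-09-01 08:00:12,0
showrepl_INFO,ABC,DC2,"DC=corp,DC=example",ABC,DC1,RPC,0,0,2003-09-01 08:05:40,0
showrepl_INFO,DEF,DC3,"DC=corp,DC=example",ABC,DC1,RPC,311,2003-09-01 07:00:00,2003-06-20 21:13:02,1722
showrepl_INFO,DEF,DC3,"CN=Configuration,DC=corp,DC=example",ABC,DC1,RPC,311,2003-09-01 07:00:00,2003-06-20 21:13:02,1722
showrepl_INFO,DEF,DC3,"CN=Configuration,DC=corp,DC=example",DEF,DC4,RPC,0,0,2003-09-01 07:55:00,0
"""

OK, FIX_LINK, FORCE_DEMOTE, FIX_THEN_CLEAN = "OK", "FIX_LINK", "FORCE_DEMOTE", "FIX_THEN_CLEAN"


def _ts(field):
    """repadmin writes '0' when a time has never been recorded."""
    field = field.strip()
    return None if field in ("", "0") else datetime.strptime(field, "%Y-%m-%d %H:%M:%S")


def parse_showrepl(text):
    """Return one dict per inbound link, taken from the showrepl_INFO rows."""
    links = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[0] != "showrepl_INFO":
            continue  # header row or any non-CSV chatter repadmin prints
        links.append({
            "dest": rec[2], "nc": rec[3], "src": rec[5],
            "failures": int(rec[7]),
            "last_failure": _ts(rec[8]),
            "last_success": _ts(rec[9]),
        })
    return links


def _stale(link, now, tsl):
    """True when this partner has not delivered deltas within the tombstone lifetime."""
    return link["last_success"] is None or now - link["last_success"] > tsl


def triage(links, now, tsl_days=TOMBSTONE_LIFETIME_DAYS):
    """Map (destination DC, NC) -> verdict following the slide's decision tree."""
    tsl = timedelta(days=tsl_days)
    replicas, inbound = {}, {}
    for link in links:
        # Every DC seen as source or destination for an NC hosts a replica of it.
        replicas.setdefault(link["nc"], set()).update((link["dest"], link["src"]))
        inbound.setdefault((link["dest"], link["nc"]), []).append(link)

    verdicts = {}
    for (dest, nc), partners in inbound.items():
        stale_flags = [_stale(p, now, tsl) for p in partners]
        if not all(stale_flags):
            verdicts[(dest, nc)] = FIX_LINK if any(stale_flags) else OK
        elif replicas[nc] - {dest}:
            verdicts[(dest, nc)] = FORCE_DEMOTE
        else:
            verdicts[(dest, nc)] = FIX_THEN_CLEAN
    return verdicts


def demote_candidates(verdicts):
    """DCs with at least one NC that nobody has replicated to them within TSL."""
    return sorted({dest for (dest, _nc), v in verdicts.items() if v == FORCE_DEMOTE})


def run_sample():
    """Triage the constructed dump at the constructed current time."""
    return triage(parse_showrepl(SAMPLE_CSV), NOW)


if __name__ == "__main__":
    verdicts = run_sample()
    for key, verdict in sorted(verdicts.items()):
        print(key, verdict)
    print("forced-demote candidates:", demote_candidates(verdicts))
```

Because /showrepl is the destination's inbound view, running it with `*` against every DC gives both the inbound and the outbound picture the slide asks for; in the sample, DC3's Configuration NC comes out as FIX_LINK (DC4 is the alternate path) while its domain NC comes out as FORCE_DEMOTE because DC1 and DC2 still hold replicas.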
18. Schema Inventory
Exchange 2000 and SFU
E2K already installed before 2003 ADPREP?
E2K ADPREP defines two non-RFC attributes
LabeledURI + Secretary
ADPREP /FORESTPREP defines same attributes
Result: mangled lDAPDisplayNames
Fix: “Exchangefix.ldf” from SupportTools on 2003 CD
Specify full path and wrap forest root DN in quotes
E2K to be installed before 2003 DCs?
Execute 2003 ADPREP or 2000 InetOrgPerson Kit first
SFU 2
SFU 2 defines UID incorrectly
Adprep cannot extend unless QFE is applied
KB articles: 325379 and 293783
19. ADPREP /FORESTPREP
Preparing the Forest
Client, DC, and schema inventory complete; backups made
E2K / SFU schema conflicts resolved
ADPREP /FORESTPREP
Adds new SDs, attributes, and objects
One time operation in each forest
Run on console of schema FSMO
Enterprise Admins and Schema Admins membership required
SYNTAX
X:\i386\ADPREP /FORESTPREP
Where X: is the fully qualified path to the 2003 media
Do NOT execute ADPREP changes manually
Verification
“Command completed successfully” in ADPREP
CN=Windows2003Update in configuration NC for all DCs in forest
IB replication by all DCs in forest
System32\Debug\Adprep\Logs\<Latest log>
20. ADPREP /DOMAINPREP
Preparing Each Domain
ADPREP /DOMAINPREP
Adds new SDs in Domain NC and SYSVOL
Changes from ADPREP /FORESTPREP must have replicated in first
One-time operation on the infrastructure FSMO in each domain
Requires domain administrator rights in target domain
SYNTAX
X:\i386\ADPREP /DOMAINPREP
Where X: is the fully qualified path to the 2003 media
Verification
“Command completed successfully” in ADPREP
CN=Windows2003Update in the Domain NC under System…
IB replication by all DCs in the domain
System32\Debug\Adprep\Logs\<Latest log>
21. Install from Media Promotions
Sourcing AD and GCs from a Local Backup
Overview
1. Create system state backup from existing 2003 DC
2. Restore backup to a LOCAL drive on a 2003 member
3. Run “DCPROMO /ADV”
IFM rules
DC being promoted must be on the network
Only replica DCs are supported for IFM promotion
Backup must be created from a 2003 DC in same domain
Backup must have originated from GC to source that NC
Move / copy rules for NTDS.DIT + log files
Unattended IFM promotions supported
22. Post Upgrade / Install Operations
Verifying the New DC
DC is healthy
NETLOGON + SYSVOL shares exist
DC responds to LDAP, RPC, and logon requests
SRV, CNAME, and A records are registered in DNS
FRS: add a canary file on the local DC and on a direct replication partner
Active Directory: REPADMIN /SHOWREPS
Policy being applied, as noted by Event 1704
Event log clean – may see event 1931 on 2000 upgrades
23. Admin Tools
Windows 2003 AdminPak.msi installs on:
Windows 2003
XP SP1
Some tools sign and encrypt LDAP traffic between client and domain controller:
Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Schema
Active Directory Users and Computers
ADSI Edit
Dsmove.exe
Dsrm.exe
Dsadd.exe
Dsget.exe
Dsmod.exe
Dsquery.exe
Group Policy Management Console
Object Picker
24. Admin Tools
LDAP signing is only available on Windows 2000 SP3 and higher
Windows 2003 Admin Tools administering a Windows 2000 SP2 DC:
LDAP signing and encryption in these tools can be disabled – not recommended – see KB 325465
25. Post Upgrade / Install Operations
More Best Practices
Backup
Create a new system state backup – mark old backups
FSMO roles
Transition the PDC and Domain Naming Master roles to a 2003 DC
Install GPMC
Schedule backups of Group Policy
Test new policy in test domains then import
Deal with DLT
Restart the service, or delete the objects incrementally according to KB article 312403
Monitor
To not monitor AD is to fail
26. Post Upgrade / Install Operations
More Best Practices
Account Lockout
Evaluate account lockout settings
SP4 or 812499 (QFE ready; KB pending) on W2K DCs in the domain
Install Resource Kit tools ACCTINFO and LOCKOUTSTATUS
NTDS Quotas
Set using DSadd
Restrict the number of objects that can be created in the directory
27. ACCTINFO Property Page
Additional Account Info tab in the AD Users and Computers snap-in
Domain password policy
User's computer name used to change the password on a DC in the same AD site
28. Lockoutstatus.exe
Runs as a stand-alone utility or as an extension to ACCTINFO. Shows bad password count and time across all DCs in the domain.
29. Functional Levels
Getting to the Good Stuff
Model to introduce new behavior into the operating system
Advanced by an admin when all DCs in “scope” are upgraded
Analogy: Windows 2000 native mode (on steroids)
Levels can only be increased – no rollback
As you advance, earlier DC versions are ignored
Clients are never impacted
Available functional levels
Windows 2003 Server domain functionality
Windows 2003 Server interim forest functionality
Not relevant in this scenario
Windows 2003 Server forest functionality
30. Domain Functional Levels
Windows 2000 Mixed
Enabled features: universal groups (distribution only)
Supported DCs in domain: Windows NT 4.0, Windows 2000, Windows Server 2003
Windows 2000 Native
Enabled features: all mixed-mode features, plus group nesting, universal groups (security and distribution), SIDHistory, group conversions
Supported DCs in domain: Windows 2000, Windows Server 2003
Windows Server 2003 Interim (Mixed / Native)
Enabled features: same as Windows 2000 Mixed / Native, depending on whether the domain is in Mixed or Native mode
Supported DCs in domain: Windows NT 4.0, Windows Server 2003
31. Domain Functional Levels (2)
Windows Server 2003
Enabled features: all Windows 2000 Native features, plus updated logon timestamp attribute, Kerberos KDC version, user password on inetOrgPerson, DC rename with netdom, redirect of the default Users and Computers containers, Authorization Manager can store authorization policies in AD, selective authentication for cross-forest trusts
Supported DCs in domain: Windows Server 2003
32. Forest Functional Levels
Windows 2000
Enabled features: Windows 2000 behaviour (the baseline for the levels below)
Supported DCs in forest: Windows NT 4.0, Windows 2000, Windows Server 2003
Windows Server 2003 Interim
Enabled features: all Windows 2000 features, plus LVR replication, improved ISTG, new attributes added to the GC
Supported DCs in forest: Windows NT 4.0, Windows Server 2003
Windows Server 2003
Enabled features: all Windows Server 2003 Interim features, plus dynamic auxiliary classes, user to inetOrgPerson change, schema deactivation and reactivation, domain rename, cross-forest trust, basic and query-based groups (for role-based authorization), 15 second intrasite replication frequency
Supported DCs in forest: Windows Server 2003
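The functional-level slides describe a model (levels only go up, advanced by an admin once every DC in scope is upgraded) and tables of which DC operating systems each level admits. The following Python is an added example, not from the original deck, that encodes that model for the Windows 2000 to Windows Server 2003 scenario, so a planned raise can be checked against a DC inventory before anyone clicks Raise in the snap-in. The Windows Server 2003 interim level is left out because the deck calls it irrelevant here. One rule the deck does not spell out but the forest raise enforces is included: the forest goes to Windows Server 2003 only when every domain is at Windows 2000 native or above, and the raise then moves native domains to Windows Server 2003. Domain and DC names are fictitious.

```python
"""Functional-level raise checks for a 2000 -> 2003 upgrade (added example).

Supported-DC sets come from the deck's level tables; the mixed-domain rule
for the forest raise is Microsoft's documented behaviour, not the deck's.
Domain and DC names are constructed.
"""

NT4, W2K, W2K3 = "Windows NT 4.0", "Windows 2000", "Windows Server 2003"

DOMAIN_LEVELS = ["Windows 2000 mixed", "Windows 2000 native", "Windows Server 2003"]
FOREST_LEVELS = ["Windows 2000", "Windows Server 2003"]

# Which DC operating systems each level admits (interim level omitted).
DOMAIN_DC_SUPPORT = {
    "Windows 2000 mixed": {NT4, W2K, W2K3},
    "Windows 2000 native": {W2K, W2K3},
    "Windows Server 2003": {W2K3},
}
FOREST_DC_SUPPORT = {
    "Windows 2000": {NT4, W2K, W2K3},
    "Windows Server 2003": {W2K3},
}


class Forest:
    """A forest: its level, its domains' levels, and the OS of every DC."""

    def __init__(self, level="Windows 2000"):
        self.level = level
        self.domains = {}   # domain name -> domain functional level
        self.dcs = {}       # domain name -> {DC name: OS}

    def add_domain(self, name, level, dcs):
        self.domains[name] = level
        self.dcs[name] = dict(dcs)

    def domain_raise_problems(self, domain, target):
        """Reasons 'domain' cannot be raised to 'target' (empty list = allowed)."""
        problems = []
        if DOMAIN_LEVELS.index(target) <= DOMAIN_LEVELS.index(self.domains[domain]):
            problems.append(f"{domain}: levels only go up; already at {self.domains[domain]}")
        for dc, os_name in self.dcs[domain].items():
            if os_name not in DOMAIN_DC_SUPPORT[target]:
                problems.append(f"{domain}: DC {dc} runs {os_name}, unsupported at {target}")
        return problems

    def raise_domain(self, domain, target):
        """Raise the domain level if allowed; return the list of problems (empty on success)."""
        problems = self.domain_raise_problems(domain, target)
        if not problems:
            self.domains[domain] = target
        return problems

    def forest_raise_problems(self, target):
        """Reasons the forest cannot be raised to 'target' (empty list = allowed)."""
        problems = []
        if FOREST_LEVELS.index(target) <= FOREST_LEVELS.index(self.level):
            problems.append(f"forest: levels only go up; already at {self.level}")
        for domain, dcs in self.dcs.items():
            for dc, os_name in dcs.items():
                if os_name not in FOREST_DC_SUPPORT[target]:
                    problems.append(f"forest: DC {dc} in {domain} runs {os_name}, unsupported at {target}")
        if target == "Windows Server 2003":
            for domain, level in self.domains.items():
                if level == "Windows 2000 mixed":
                    problems.append(f"forest: domain {domain} is still in Windows 2000 mixed mode")
        return problems

    def raise_forest(self, target):
        """Raise the forest level if allowed; native domains follow to 2003."""
        problems = self.forest_raise_problems(target)
        if not problems:
            self.level = target
            if target == "Windows Server 2003":
                for domain, level in self.domains.items():
                    if level == "Windows 2000 native":
                        self.domains[domain] = "Windows Server 2003"
        return problems


def sample_upgrade():
    """Constructed scenario: all DCs on 2003, one child domain left in mixed mode."""
    f = Forest()
    f.add_domain("corp.example", "Windows 2000 native", {"DC1": W2K3, "DC2": W2K3})
    f.add_domain("lab.corp.example", "Windows 2000 mixed", {"DC3": W2K3})
    first_try = f.raise_forest("Windows Server 2003")      # blocked: lab is mixed
    f.raise_domain("lab.corp.example", "Windows Server 2003")
    second_try = f.raise_forest("Windows Server 2003")     # succeeds; corp follows
    rollback = f.raise_domain("corp.example", "Windows 2000 native")  # refused
    return f, first_try, second_try, rollback


def leftover_2000_dc():
    """Constructed scenario: a Windows 2000 DC still present blocks the domain raise."""
    g = Forest()
    g.add_domain("corp.example", "Windows 2000 native", {"DC1": W2K3, "OLD1": W2K})
    return g.raise_domain("corp.example", "Windows Server 2003")


if __name__ == "__main__":
    forest, first, second, back = sample_upgrade()
    print("first forest raise:", first)
    print("second forest raise:", second, "->", forest.level, forest.domains)
    print("rollback attempt:", back)
    print("leftover 2000 DC:", leftover_2000_dc())
```

The checks mirror what the Raise Domain Functional Level dialog refuses: a level below the current one, a DC of an unsupported OS in scope, and (for the forest) a domain still in mixed mode; clients never enter the calculation, matching the slide.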
33. Goals by Functional Level
Run, Don’t Walk!
Forest functional level changes
Link Value Replication for large group membership
7 million users tested + more efficient deletion
KCC scalability improved
3000 sites a reality
KCC branch office mode
Fault tolerance with a static KCC generated topology
To be documented in 2003 Branch Office Guide
Change from 5 minute to 15 second intrasite replication latency
Why would you not go to FFL as fast as you could?
Application compatibility should be the only reason
34. Tips and Tricks
Good Things to Know
Initial sync requirements
FSMOs must sync their hosting NC before they will function
GC sync requirements
Must sync all NCs in the forest before advertising
Faster to remove objects than pre-SP3 2000 DCs
Secedit /refreshpolicy replaced by GPUPDATE
XP and 2003 are “the” management platform
2003 REPADMIN, GPMC, Resultant Set of Policy, 2003 Admin Pack
2003 Admin Pack
ADUC: RAS dial-in tab removed on XP
Installs on XP and 2003 clients only