Domains and Lin Qingpoints Before adding Windows Server 2003 Architecture or Windows Server 2003 domain controllers, follow these steps:
Capacular access to the client in the domain you want to upgrade:
Windows 95, Windows NT 4.0 and Macintosh Clients: Macintosh clients may receive the following error messages during the trial connection to the network resource
Error-36 I / O
The local security settings defined in the Windows Server 2003 domain controller require the client to use the SMB Service signature. Windows 95 and Windows NT 4.0 Service Pack 2 (SP2) or earlier clients are not installed are not compatible with the SMB Service signature requirements enabled in the default Windows Server 2003 security settings. These clients cannot authenticate to the Windows Server 2003 domain controller, or they cannot access resources on the Windows Server 2003 domain controller. Windows 95 clients that are not installed Directory Service Customer You may receive the following error message when trying to authenticate to the Windows 2003 domain controller enabled SMB Service Signature.
The Domain Password You Supplied Is Not Correct, or Access To Your Logon Server Has Been Denied.
By disabling the SMB Service signature requirements in the "Group Policy" of the domain controller, or by installing a Windows 9x directory service client on a Windows 95 computer, Windows 95 clients can authenticate and access resources. The original Win9x directory service client is available on Windows 2000 Server CD-ROM. However, the additional client has been replaced by an improved Win9x directory service client. For additional information, click the article number below to see the article in the Microsoft Knowledge Base: 323466 Windows 95 and Windows 98 directory service client updates Run NT 4.0 SP2 and earlier versions of Windows NT 4.0 client Windows 95 computers with unplanned directory service clients have the same authentication and resource access issues. Installing the SP2 or earlier version of the Windows NT 4.0 client may receive the following error message when trying to authenticate the Windows 2003 domain controller enabled SMB Service Signature.
The system could not log you on.Make sure your User name and domain are correct, then type your password again.Letters in passwords must be typed using the correct case.Make sure that Caps Lock is not accidentally on.
Microsoft recommends that NT 4.0 SP6A is installed on NT 4.0 computers that authenticate to domains containing Windows Server 2003 computers. If you cannot update the software update to the affected Windows 95 and Windows NT 4.0 client before introducing the Windows Server 2003 domain controller, please temporarily disable the SMB Service signature requirements in "Group Policy" until you can be available in Windows 95 and NT. 4.0 The client software deployed on the client. SMB Service Signatures can be disabled in the following nodes of the Domain Controller Organization Unit: Computer Configuration / Windows Settings / Security Settings / Local Policy / Security Options / Microsoft Web Server: Digital Signing Communication (Always) The domain controller is not located in the organizational unit of the domain controller, and the Group Policy Object (GPO) of the default domain controller must be linked to all organizational units carrying Windows 2000 or Windows Server 2003 domain controllers. Alternatively, you can configure the SMB Service signature in the GPO linking to those organizational units. Other clients: Other operations do not need to perform other operations on Windows NT 4.0, Windows Millennium Edition, Windows Millennium Edition, Windows 2000, Windows XP Professional, or Windows Server 2003, installed on Windows 98. Copy Domain and Forest Domain Controllers: Make sure all Windows 2000 domain controllers in the forest have installed all the corresponding fixes and service packs. Microsoft recommends that all Windows 2000 domain controllers run Windows 2000 Service Pack 3 (SP3) or higher operating systems. If Windows 2000 SP3 cannot be fully deployed, all NTDSA.DLL files for all Windows 2000 domain controllers must be followed by June 4, 2001 and 5.0.2195.3673. For additional information, click the article number below to see the article in the Microsoft Knowledge Base: 331161 HotFixes To Install on Windows 2000 Domain Controllers Before Running Adprep / ForestPrep By default, Windows 2000 SP4, Windows XP and Windows Server 2003 The Active Directory Administrative Tool in the Customer Computer uses a lightweight directory access protocol (LDAP) signature. If these computers are used (or rely) NTLM authentication when connecting to the target Windows 2000 domain controller, the connection is invalid. To resolve this issue, you must install at least Windows 2000 SP3 on the target domain controller, or you must close the LDAP signature in the client of the Administration Tool. For additional information about LDAP, click the article number below to see the article in the Microsoft Knowledge Base: 325465 Windows 2000 Domain Controllers Require Service Pack 3 or Later When Using Windows Server 2003 Administration Tools The following scenario uses NTLM authentication:
The Windows 2000 domain controller you manage is located in the external forest connected to the NTLM (earlier version) trust relationship. You'll set the management unit on a particular domain controller referenced by the IP address. For example, you click Start, click Run, and type the following command: DSA.MSC / Server = ipaddress To determine the operating system of the Active Directory domain controller in the Active Directory domain, please in Lin Windows XP Professional or Windows Server 2003 Members of Windows Server 2003, then run the following repadmin command for the domain controller of each domain in the forest:> RepAdmin / showattr target domain domain controller name ncobj: domain: "/ filter: (& (objectCategory = computer) (primaryGroupID = 516))" / subtree / atts: operatingSystem, operatingSystemVersion, operatingSystemServicePackDN: CN = NA-DC-01, organizational unit = Domain Controllers, DC = company, DC = com1> operatingSystem: Windows Server 20031> operatingSystemVersion: 5.2 (3718) DN: CN = NA-DC-02, organizational unit = Domain Controllers, DC = company, DC = com1> operatingSystem: Windows 2000 Server1> operatingSystemVersion: 5.0 (2195) 1> OperatingSystemServicePack: Service Pack 1 Note: The properties of the domain controller do not track the installation of each fix. Verify end-end Active Directory replication in the entire forest. Verify that each domain controller in the upgraded forest is always in accordance with the schedule defined by the site link or connects to the object, copies all the names and its partners. Specifically, each domain controller must have at least one inbound and outbound connection objects for the following: Architecture and configuration: Sharing domain by all domain controllers in the forest: all domain controls in the same domain Shared on a member computer based on Windows XP or Windows Server 2003, using the following parameters with the following parameters using repadmin.exe's Windows Server 2003 version: repadmin / replsum / bysrc / byDest / sort: delta <-output formatted to fit on page
Destdc Largest Delta Fails / Total %% Error
NA-DC-01 13D.21H: 10M: 10S 97/143 67 (8240) There is no claim object ...
NA-DC-02 13D.04H: 11M: 07S 180/763 23 (8524) The DSA Operation ...
NA-DC-03 12D.03H: 54M: 41S 5/5 100 (8524) The DSA Operation ...
All domain controllers in the forest must have no errors, and the value in the "maximum delta" column must not be larger than the copying frequency defined by the matching site link or the connection object. Study any report for replication errors in the REPLSUM output, especially those who do not copy the inbound or outbound changes within Tombstone Retention Time (TSL) days (default is 60 days). To do this, check the output in the repadmin / showrepl * / csv> c: /repldrilldown.csv in the spreadsheet program of the .csv file, and then sort it according to "Last Success Time". Be careful when trying to resolve the replication error of an inbound or outbound change in the Tombstonelifetime days. If you do it, you may make those objects that are deleted in one domain controller, while still active objects in other domain controllers, if the deletion operation is not completely spread throughout the forest in the first 60 days. Consider mandatory downgrades such as domain controllers and use NTDSUTIL and other utilities to remove their remaining elements from Active Directory forest. Please contact your support provider or Microsoft PSS for additional help. All domain controllers currently offline must be online, and then the inbound and outbound replication are validated within Tombstonelifetime. If the domain controller cannot copy Active Directory, it may be necessary to mandate the domain controller and use the ntdsutil metadata cleanup command to remove them from the forest and then lift them in the back forest. Methods of mandatory degradation can be used to save the program on the operating system installation and the isolated domain controller. For additional information about how to delete an isolated Windows 2000 domain controller from a domain from a Windows 2000 domain controller, click the article number below to see the article in the Microsoft Knowledge Base: 216498 How to: Domain Controller Downgrade Failed This operation should be taken to restore the installation of the operating system and the installed program that should be restored when there is no other approach. You will lose the unproduced objects and properties of the isolated domain controller, including users, computers, trust relationships, their passwords, group and group membership. Verify that the contents of Sysvol share is consistent. The domain controller must be consistently and successfully applied to the default domain policy and the default domain controller policy in Sysvol to keep the normal operation of Active Directory. In the domain system volume (Sysvol shared) of the Windows 2000 domain controller in the same domain, the file system part of the verification policy is consistent. You can use gpotool.exe in the resource kit to determine if the policy of the entire domain is inconsistent. Use the HealthCheck in the Windows Server 2003 Support tool to determine if the Sysvol shared copy set is running normally in each domain. If the content of Sysvol shares is inconsistent, please solve all inconsistencies. Use the DCDIAG.EXE in the Support Tool to verify that all domain controllers have shared NetLogon and sysvol. To do this, type the following command at the command prompt: Dcdiag.exe / E / TEST: FRSSYSVOL Catup operation role. Architecture and structural operation hosts introduce forest ranges and domain scope architectural changes in forest and their domains. The structure operator role (also known as "flexible single host operation" or FSMO) is assigned to the online domain controller for each domain. If the forest contains multiple domains, the domain controller of the host operator must not be a global directory server. Architecture Operating Hosts are typically located on the main domain controllers in the forest root domain, but it can also reside on any domain controller in the forest. Finally, verify that the main domain controller, relative ID (RID), and domain name host operating the host assigned to the normal domain controller running.
For additional information about the operating host and its location, click the article number below to see the article in the Microsoft Knowledge Base: 197132 Windows 2000 Active Directory FSMO Role 223346 Place and optimize FSMO NetDom Query FSMO on the Windows 2000 domain controller Commands can be used to view the role of forest range and domain range. Event log View the event log for all domain controllers to find problems. In the event log, there is absolutely unable to indicate a serious event message with any of the following processes and components: Physical Connection Network Connection Name Registration Name Resolution Declaration Group Policy Security Policy Magnetic Disk System Architecture Top Top Structure Copy Engine Disk Space Capive Active Directory Database File NTDS.DIT's volume must be at least 15-20% of the NTDS.DIT file size. The available space on the volume that carries the Active Directory log file must also be at least 15-20% of the NTDS.DIT file size. For additional information about how to release more disk space, see the "Domain Controller of Insufficient Disk Space" in this article. DNS cleaning (optional) Enables DNS cleaning every 7 days to all DNS servers in the forest. In order to achieve the best results, do this in 61 days before the operating system is upgraded or earlier or earlier. Thus, when performing off defragmentation for NTDS.dit files, it is possible to provide sufficient time to the old DNS object for garbage collection for DNS cleaning. Disable the DLT Server service (optional) Unless the Windows 2000 or Windows XP client uses the Distributed Link Tracking Server (DLT) service, set the initial value of this service on all Windows 2000 Domain Controllers to "Disabled". For additional information, see the "Microsoft Recommendations for Distributed Link Track" section of the following Microsoft Knowledge Base article: 312403 Distributed Domain Controllers System Status Backup is at least two domain controllers in the forest in the forest Create a system status backup. If the upgrade is invalid, you can use this backup to restore all domains in the forest. Exchange 2000 in Windows 2000 Forest
Note: If you have installed Exchange 2000 Server in Windows 2000 Forest, please read this section.
The Exchange 2000 architecture defines three properties that meet non-request annotations (RFC): HouseIdentifier, Secretary, and Lableduri. Windows 2000 inletorPerson Kit and Windows Server 2003
The adprep command redefines these properties. When Active Directory finds a duplicate name, it modifies the name of one of the objects, plus "DUP" and some unique characters at the beginning of the name. So, you can run Windows 2000 INetorgPerson Kit or Windows Server 2003 architectural changes
Previously, if the Exchange 2000 created these three properties in Windows 2000 forest, the LDAPDisplayName of these attributes may have conflicts or misplaced after copying new RFC definitions. This phenomenon is called
dislocation.
If you are using the inetorgperson kit or Windows Server 2003 in Windows 2000 in WINDOWS 2
The adprep command creates the initial definition of the Secretary and Lableduri properties, and Active Directory forest is not easy to be affected by this misplaced display. Specifically, the misplaced ldapdisplayName property does not appear in the following scenario: Add Windows 2000 inetorson Kit to Windows 2000 Forest before running the Windows Server 2003 Adprep command. Run the Windows Server 2003 ADPREP command before installing Exchange 2000. Add Exchange 2000 to the existing Windows Server 2003 forest. Install Exchange 2000 SP3 to the Exchange 2000 server before running ADPREP. If Exchange 2000 creates the initial definition of the Secretary and Lableduri attributes in the Windows 2000 domain, the misplacement properties may occur in Windows 2000 and Windows Server 2003 forests. This phenomenon may occur in the following scenarios:
Adding the Exchange 2000 SP2 and earlier versions of the INetorgperson class in the Windows 2000 forest before adding an InetorgPerson class from the inetorgperson Kit. Add the Exchange 2000 SP2 and earlier release of the InetogPerson class to the Windows 2000 forest before running the Windows Server 2003 Adprep / ForestPrep command. After running inletorgperson-fix.ldf from Windows 2000 inetorgperson Kit, the Exchange 2000 SP2 and earlier defined Windows 2000 domain controllers containing INetorgPerson do not receive Active Directory updates. Therefore, if you have already installed in Windows 2000 or will be installed in Exchange 2000 Server, follow these steps.
Scenario 1: Add an Exchange 2000 Architecture Change after running the adprep / forestprep command If you are running Windows Server 2003
After the adprep / forestprep command, the Exchange 2000 architectural changes will be introduced in the Windows 2000 forest, then "Overview: Upline Windows 2000 Domain Controller to Windows Server2003" section.
Scenario 2: Installing Exchange 2000 Architecture Changes before running the Windows Server Adprep / ForestPrep command If the Exchange 2000 schema changes have been installed, no Windows Server 2003 is run
Adprep / ForestPrep command, consider the following operation plan:
Use an account belonging to the architecture administrator group and an enterprise administrator group to log in to the console of the architecture operating host. Enable architectural updates on the architecture host. For additional information about how to allow an Active Directory schema to update, click the article number to view the article in the Microsoft Knowledge Base: 285172 Schema Updates Require Write Access To schema in Active Directory Click Start, click "Run", type notepad.exe in the Open box, and then click OK. Copy the text between the [Start Copy Here] and [End Copy Here] and [End Copy Here] signs in the following text (including the last "-" character) to "Notepad". [Start copy here] dn: CN = ms-Exch-Assistant-Name, CN = Schema, CN = Configuration, DC = Xchangetype: Modifyreplace: lDAPDisplayNamelDAPDisplayName: msExchAssistantName-dn: CN = ms-Exch-LabeledURI, CN = Schema, CN = Configuration, DC = Xchangetype: Modifyreplace: lDAPDisplayNamelDAPDisplayName: msExchLabeledURI-dn: CN = ms-Exch-House-Identifier, CN = Schema, CN = Configuration, DC = Xchangetype: Modifyreplace: lDAPDisplayNamelDAPDisplayName: msExchHouseIdentifier-dn: changetype: Modifyadd: schemaUpdateNowschemaUpdateNow : 1- [End Copy Here] In "Notepad", click Save "on the File menu. Create a% SystemDrive% / IOP folder (where% systemDrive% is a logical drive loaded with the Windows 2000 operating system). Save the document in the folder in the file name inetdPREvent.ldf. Exit "Notepad". Run the inetorgpersonprevent.ldf script.
Click Start, click "Run", type CMD in the Open box, and then click OK. Type the following command at the command prompt, then press Enter: CD% SystemDrive% / Iop Type the following command, then press Enter, where
Adprep / ForestPrep commands, HouseIdentifier, secretary, and labeleduri's LDAPDisplay property will become misalign. To identify the name of the misplaced, use ldp.exe to find the affected properties:
Install ldp.exe from the Support / Tools folder of Microsoft Windows 2000 or Windows Server 2003 media. Start ldp.exe from the domain controller or member computer in the forest.
On the Connections menu, click Connect, keep the Server box to empty, type 389 in the Port box, and then click OK. On the Connections menu, click Binds, keep all boxes empty, and then click OK. Make a note of the discriminant path of the SchemanamingContext property. For example, for domain controllers in corp.adatum.com, the discriminating name path may be CN = Schema, CN = Configuration, DC = Corp, DC = Company, DC = COM. On the Browse menu, click Search. Use the following settings to configure the Search dialog:
"Basic DN": The discriminating name path of the schema name determined in step 3. "Filter": (ldapdisplayname = dup *) "scope": Subtree dislocation houseIdentifier, Secretary, and similar properties LDAPDisplayName form LabeledURI properties: lDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d; lDAPDisplayName : DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85flDAPDisplayName: DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef if labeledURI, Secretary and HouseIdentifier LDAP display name dislocation, run the script to Windows Server 2003 InetOrgPersonFix.ldf Recovery, then go to the "Upgrade Windows 2000 Domain Controller" in this article. Create a folder named% SystemDrive% / Iop and then decompress the inetorgpersonfix.ldf file into this folder. At the command prompt, type CD% SystemDrive% / IOP. Decompose the inetorgpersonfix.ldf file from the Support.cab file in the Support / Tools folder located in the Windows Server 2003 installation media. From the console of the Architecture Operating Host, use LDIFDE.EXE to load the inetoPersonfix.ldf file to correct the LDAPDisplayName property of HouseIdentifier, Secretary, and Lableduri properties. To do this, type the following command, where
Overview: Upgrade the Windows 2000 domain controller to Windows Server 2003 ADPREP.EXE utility from the Windows Server 2003 media / i386 folder prepared a Windows 2000 forest and its domain to add a Windows Server 2003 domain controller. . Adprep added the following features:
Improved default security descriptors for object classes New User and Group Properties Similar to INetorgperson's new architectural objects and properties Windows Server 2003's ADPREP helps ensure that the upgraded Windows 2000 forests and domains contain other support Windows Active Objects, properties, and permissions of the Directory environment. ADPREP supports two command line parameters:
ADPREP / ForestPrep: Running forest upgrade operation. ADPREP / DOMAINPREP: Run domain upgrade operation.
The Adprep / ForestPrep command is a one-time operation performed on the forest's architecture operating host (FSMO). Run in the domain
Before Adprep / DomainPrep,
The ForestPrep operation must be completed and copied to the structural host in each domain. The Adprep / DomainPrep command is a one-time operation running on the domain of the new or upgraded Windows Server 2003 domain controller in the forest.
ADPREP / DOMAINPREP Command Verification
If the changes in ForestPrep are replicated therefrom.
in case
ForestPrep changes does not exist, then
The adprep / domainprep command is not running. In addition, unless
/ ForestPrep and
/ DomainPrep operation has been completed and copied to all domain controllers in this domain, otherwise any of the following:
Using Winnt32.exe to upgrade the Windows 2000 domain controller to the Windows Server 2003 domain controller. Note: You can upgrade the Windows 2000 member server and computer at any time to the Windows Server 2003 member computer. Using DCPROMo.exe to upgrade the new Windows Server 2003 domain controller to the domain. You only need to run only in the domain that carries the schema operator host.
ADPREP / ForestPrep and
ADPREP / DOMAINPREP. On all other domains, just run
ADPREP / DOMAINPREP. Lin must complete the end-to-end replication, all domain controllers in the forest can find changes made by Adprep.
Even if you run a few times
ForestPrep and
DomainPrep, the completed operation is only once.
The adprep command does not add attributes to the global directory part of the attribute set, nor does it cause the global directory to fully synchronize. RTM version
ADPREP / DOMAINPREP does result in complete synchronization of / policies folders in the Sysvol tree.
ADPREP / ForestPrep and
After the changes in Adprep / DomainPrep are completely replicated, you can run Winnt32.exe from the Windows Server 2003 media / i386 folder, upgrade the Windows 2000 domain controller to Windows Server 2003. Alternatively, you can add new Windows Server 2003 domain controllers to the domain using DCPROMo.exe.
Using the Adprep / ForestPrep command to upgrade Lin to prepare Windows 2000 Forest and Domain to accept the Windows Server 2003 domain controller, first follow these steps in the laboratory environment, then follow these steps in the production environment:
Ensure all the operations of the "Lin Qingpoint" phase, especially pay attention to the following:
System status backup has been created. All Windows 2000 domain controllers in the forest have installed all the corresponding fixes and service packs. The end-to-end replication of Active Directory occurs in the entire forest. FRS has correctly copied file system policies in each domain. Use an account belonging to the architecture administrator group and an enterprise administrator group to log in to the console of the architecture operating host. Run the ADPREP on the architecture operating host. To do this, click Start, click Run, type the CMD, and type the following command on the schema operation host: x: / i386 / adprep / forestprep where x: / i386 / is Windows Server 2003 installation media path. This command runs the architecture upgrade of the forest range. Note: Events recorded 1153 recorded in the directory service event log (for example, the following example): Event Type: ErrorEvent Source: NTDS General Event Category: Internal ProcessingEvent ID: 1153 Date: mm / dd / yyytime: hh: MM: SS AM | PMUser: Everyone Computer:
The fully qualified path of the add.exe in the / i386 folder in the installation medium is specified at the ADPREP runtime. To do this, type the following command: x: / i386 / adprep / forestprep where x is driven to carry the installation media. Whether the logged in user running ADPREP belongs to the enterprise and architectural administrator group. To verify this, use the whoami / all command. If Adprep is still not running, view the adprep.log file in the% SystemRoot% / System32 / debug / ad / logs / limited_log folder. Verify that the ADPREP / ForestPrep changes have been copied to all domain controllers in the forest. This is useful when monitoring the following properties:
Incremental architectural version below CN = Windows2003Update, CN = Forestupdates, CN = Configuration, DC = forward_root_domain or cn = Operations, CN = DomainUpdates, CN = System, DC = Forest_Root_domain and the operation GUID is already copied. Search for new architectures, objects, properties, or other changes (such as inetorgperson) added by Adprep / ForestPrep. View the Schxx.ldf file in the% SystemRoot% / System32 folder (where XX is a number between 14 and 30), determines which objects and properties should be there. For example, inetorgperson is defined in SCH18.LDF. Find the misplaced LDAPDisplay name. If the Exchange 2000 installed before you run the Windows Server 2003 adprep / forestprep command, see the following Microsoft Knowledge Base article "How to Identify Mangled Name Attributes" section: 314649 Windows Server 2003 ADPREP Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers If the name of the misalignment is found, go to the scenario 3 in the "Exchange 2000" section in Windows 2000 "in this article. Log in to the console of the architecture operator using an account of the architecture administrator group and an enterprise administrator group belonging to the bearer architecture operating host. Using the Adprep / DomainPrep upgrade domain
/ forestPREP changes completely copied to each of the structural host domain controllers that will carry a Windows Server 2003 domain controller, run
ADPREP / DOMAINPREP. To do this, follow these steps:
Determine the structural host domain controller in the domain to be upgraded, and then log in using the account that belongs to the domain administrator group you want to upgrade. Note: The corporate administrator may not belong to the domain administrator group of the subdomain of the forest. Run add.exe on the structural host. To do this, click Start, click "Run", type the CMD, then type the following command on the structure host: x: / i386 / adprep / domainprep where the X: / i386 / is the path to Windows Server 2003 installation media . This command is changed in the target domain. Note: The adprep / domainprep command modifies the file permissions in the sysvol share. These modifications can cause full synchronization of the files in the directory tree. Verify that DomainPrep is successfully completed. To do this, please verify the following:
Does the adprep / domainprep command is done without an error. CN = Windows2003UPDATE, CN = DomainUpdates, cn = system, DC = Domain's domain path to upgrade the domain path exists if adprep / domainprep does not run, verify the following:
The logged-in user runs the ADPREP is a domain administrator group that belongs to the domain to which you want to upgrade. To do this, use the whoami / all command. The fully qualified path of the add.exe in the / i386 directory of the installation medium is specified when operating the ADPREP. To do this, type the following command at the command prompt: x: / i386 / adprep / forestPREP where x is driven to carry the installation medium. If Adprep is still not running, view the adprep.log file in the% SystemRoot% / System32 / debug / ad / logs / limited_log folder. Verify that the ADPREP / DOMAINPREP changes have been copied. To this end, for the remaining domain controllers in the domain, verify the following: CN = Windows2003Update, cn = domainupdates, cn = system, DC = DN path of domain you are upgrading objects, and the value of the revision attribute with the domain Whether the value of the same property of the structural host matches. (Optional) Find the object, attribute, or access control list (ACL) change added by the ADPREP / DomainPrep. Repeat steps 1 through 4 on the structural host of the remaining domain, or repeat steps 1 through 4 when adding or upgrading the domain controller in those domains to Windows Server 2003. Now you can use DCPROMO to upgrade the new Windows Server 2003 computer to the forest. Alternatively, you can use Winnt32.exe to upgrade an existing Windows 2000 domain controller to Windows Server 2003.
Creating Installation Media This section lists Microsoft to point out the required or very suitable fixes of the Windows Server 2003 domain controller. Consider adding the following fix to the installation media or install them before running DCPROMO for the new domain controller. Finally, these fixes are installed on the Windows Server 2003 member computer because they may be affected or their roles may change.
Note: Plan a post-RTM version of NTFRS.exe from Windows Server 2003.
Upgrade the Windows 2000 domain controller using Winnt32.exe
/ ForestPrep and
/ DomainPrep is completely copied and you have already determined the security interoperability with earlier versions, you can upgrade the Windows 2000 domain controller to Windows Server 2003 and add the new Windows Server 2003 domain controller to Domain.
The following computer must be the first domain controller of the Windows Server 2003 in every domain of the forest:
The domain named host in the forest so that the default DNS program section can be created. The main domain controllers of the forest root field so that the ACL editor is visible to the ACL editor. The main domain controllers in each non-root domain can create new domain-specific Windows 2003 security users. To do this, use the WinNT32 upgrade to carry the existing domain controller for the action role you want. Alternatively, pass the role to the newly upgraded Windows Server 2003 domain controller. Perform the following steps for each Windows 2000 domain controller that upgrades to Windows Server 2003 via Winnt32, performs the following steps:
Delete the Windows 2000 management tool before upgrading the Windows 2000 member computer and domain controller using Winnt32. To do this, use the Add / Remove Programs tool in Control Panel. (Windows 2000 upgrade only.) Install all the fix files listed in the "Creating Installation Media" section of this article, or install other fixes that Microsoft or administrators are considered important. Check each domain controller to find possible upgrade issues. To do this, run the following command from the installation medium / i386 folder: Winnt32.exe / checkupgradeonly resolves all questions determined by compatibility checks. Row Winnt32.exe from the / i386 folder of the installation medium and restart the upgraded 2003 domain controller. Reduce the security settings of earlier versions of the client as needed. If there is no NT 4.0 SP6 on the Windows NT 4.0 client, or the Directory service client is not installed on the Windows 95 client, disable the SMB Service Signature in the "Default Domain Controller" policy of the Domain Controller, and then The strategy link is connected to all organizational units of the bearing domain controller. Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Microsoft Web Server: Digital Signature Communication (Always) Use the following data points to verify that the upgrade is successful:
The upgrade is successful. The restoration you add to the installation successfully replaces the original binaries. All names of the domain controller control include an inbound and outbound copy of Active Directory. Netlogon and Sysvol share exist. Event log indicates that the domain controller and its service are operating normally. Note: The following events may be received after the upgrade: Event Type: ERROREVENT SOURCE: NTDS Backup Event Category: Backupevent ID: 1913 Date: DateTime: hh: mm: SSAM | PMUser: N / A Computer:
The event ID 1966 event message is recorded in the directory service event log: Event Type: Information Event Source: NTDS SDPEVENT CATEGORY: INTERNAL ProcessingEvent ID: 1966 Date: mm / dd / YYYYTime: HH: MM: SS AM | PM User: NT AUTHORITY / ANONYMorganizational unitS LOGONComputer:
Microsoft recommends administratively deploying the best practices organizational unit structure in all Active Directory domains and upgrades or deploying a Windows Server 2003 domain controller in Windows Domain Mode, using an earlier version of the API to create users, computers, and groups. The default container is redirected to the organizational unit container specified by the administrator. For additional information about the best practices organizational unit structure, check out the "Creating An Organizational Unit Design" in the Best Practice Active Directory Design for Managing Windows Networks White Paper. To see this white paper, visit the Microsoft Web site below: http://www.microsoft.com/technet/Prodtechnol/ad / Windows2000/PLAN/BPADDSGN.ASP About how to change the user, computer, group created by an early version of the API Other information from the default container, click the article number below to see the article in the Microsoft Knowledge Base: 324949 Redirecting The Users and Computers Containers in Windows Server 2003 Domains For each new or upgraded Windows in the forest Server 2003 domain controller, repeat steps 1 to 10 as needed, repeat step 11 (best practices organizational unit structure) for each Active Directory domain. In short: Upgrading the Windows 2000 Domain Controller using Winnt32 (if used, starting from the optimized combination installation media) Verify that the file that is repaired is installed on the upgraded computer installed on the upgraded computer. Required fixes Verify that new or upgraded servers are running normally (AD, FRS, Policy, etc.) OS upgrade 24 hours, perform offshield finishing (optional) If you have to start DLT Service, start it, otherwise use Q312403 / Q315229 Post Forest Wide DomainPreps Remove DLT object Delete DLT object After 60 days or longer (Tombstone retention time and garbage recycling days) Perform offline fragmentation
In the laboratory environment, analog upgrade is verified and perfect the upgrade process in the lab before upgrading the Windows Domain Controller to the production of Windows 2000 domain. If the upgrade of the laboratory environment reflects the situation of the production forest and performs smoothly, it can be considered to produce similar results in the production environment. For complex environments, the laboratory environment must reflect the production environment in the following aspects:
Hardware: Computer Type, Memory Size, Page File, Disk Size, Performance, and RAID Configuration, BIOS and Firmware Version Level Software: Client and Server Output, Client and Server Applications, Service Pack Version, Fix, Architecture Change, security group, group member identity, permission, policy setting, object count type, and location, version interoperability network structure: WINS, DHCP, link speed, available bandwidth load: Load simulator can analog password changes, object creation, Active Directory replication, login authentication and other events. Its purpose is not to copy the size of the production environment, but to find the cost and frequency of common operations, and join their impact on the production environment according to your current and future requirements (name query, copy traffic, network bandwidth and processor use. ). Manage: Executive tasks, useful tools, operating system operations: capacity, interoperability disk space: After completion of the following operations, write down the global directory domain controller and non-global directory domain controller for each domain. The starting size, peak size, and end size of the operating system, NTDS.DIT, and Active Directory log files: adprep / forestprep adprep / domainprep Upgrade Windows 2000 Domain Controller to Windows Server 2003 After the version is upgraded, execute offline fragmentation by understanding The environmental upgrade process and complexity and careful observation can be determined to determine the speed and attention to the implementation of the production environment upgrade. Only a small number of domain controllers and Active Directory objects that are connected to each other via high availability WAN (WAN), the upgrade process may only take only a few hours. For corporate deployments with hundreds of domain controllers and countless Active Directory objects, you may need more attention. In these cases, the upgrade process may take a few weeks or months to complete.
Use the "Simulation" upgrade in the laboratory to perform the following tasks:
Understand the internal work mechanism and related risks of the upgrade process. Discover the potential problem area of deployment processes in the environment. Test and develop rollback plans to prevent upgrading unsuccessful. Define the appropriate details level to apply to the upgrade process of the production domain.
A domain controller that is insufficient disk space On a domain controller that is insufficient disk space, use the following steps to release excess disk space on the volume carrying NTDS.DIT and log files:
Delete unused files (including * .tmp files) or buffer files used by the Internet browser. To do this, type the following command (press Enter after each command): CD / D Drive / Del * .tmp / s deletes all user files or memory dump files. To do this, type the following command (press Enter after each command): CD / D Drive / DEL * .dmp / s temporarily deleted or relocated the file from other servers or easy to reinstall. Files that can be deleted and easy to replace include all files in the Adminpak, support tools, and% SystemRoot% / System32 / DLLCACHE folder. Delete the old or unused user profile. To do this, click "Start", right-click My Computer, click Properties, click the User Profiles tab, then delete all profiles for the old and unused accounts . Don't delete any configuration files that may be used for service accounts. Delete symbols in% systemroot% / symbols. To do this, type the following command: rd / s% systemroot% / symbol is a complete or small part of the server's symbol set, this operation may get about 70 MB to 600 MB. Perform offline debris. NTDS.DIT files The offline fragmentation can release space, but it temporarily needs two times the current DIT file size. Please use other local volumes (if available) to perform offline debris. Alternatively, use the space on the best connection to the network server to perform offline fragmentation. If the disk space is still insufficient, remove unnecessary user accounts, computer accounts, DNS records, and DLT objects from Active Directory. Note: Until the Tombstonelifetime Number (the default is 60 days) and the garbage collection is complete, Active Directory deletes an object from the database. If you reduce the Tombstonelifetime to the value below the forest mid-end-to-end replication, it may cause inconsistencies in Active Directory. The information in this article applies to:
Microsoft Windows 2000 Server Microsoft Windows 2000 Advanced Server Microsoft Windows 2000 Datacenter Server Microsoft Windows Server 2003, Standard Edition Microsoft Windows Server 2003, Enterprise Edition Microsoft Windows Server 2003, Datacenter Edition Microsoft Exchange 2000 Server
