Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain

A common problem while upgrading a Windows 2000 domain to Windows 2003 can be avoided easily by using some basic steps. In addition there should be some roll back option, that can help you to recover from failure in a short time.

Before you "run" and upgrade system to Windows 2003 domain there some considerations that must be take:
 
1. Do you have satisfying disk space that will allow you to complete the upgrade process?
2. Do you have Windows 2000 Service Pack 4 on all the domain controllers and Exchange Servers?
     http://support.microsoft.com/default.aspx?scid=kb;en-us;331161
3. Do you have Exchange 2000 / Share Point 2001/2003 / Services for Unix 2 in yours domain/forest? - Some application like
     these aren't support by Windows 2003 servers, and should be upgraded to new version or move them to alternative server.
 
     http://support.microsoft.com/default.aspx?scid=kb;en-us;277734
     http://support.microsoft.com/default.aspx?scid=kb;en-us;821732
4. Do you have to fix Active Directory schema? You can read and find information on this issue in:
      http://support.microsoft.com/default.aspx?scid=kb;en-us;325379
      http://support.microsoft.com/default.aspx?scid=kb;en-us;314649
5. Do you have some third party software/hardware that dosen't support by Windows 2003?
         You can read and find information on this issue in:
     http://www.microsoft.com/hcl
6. Do you upgrade the application to that latest service pack? Some application that reside in the domain may needed
      to be upgraded to the latest service pack as recommended by the application vendor.
7. Do you have legacy operating system or/and UNIX/Linux operating system? You can read and find information on this issue in:
     http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;555038
8. Do you have some disaster recovery plan? Do you have full system backup (dont forget to test the backup data).
9. Do you have the "Active Directory restore mode" password? Witohut this password you can't restore active driectroy
      from the latest backup.
10. Do you need to enable Windows 2000 Scehma update? - Windows 2000 Schema should be configure to allow Schema update.
       http://support.microsoft.com/?kbid=285172
11. Do you have the correct version of Windows 2003? You cant install active directory on "Web Server" edition or upgrade
       "Windows 2000 Advanced  Server" to "Windows 2003 Server" (you will need "Windows 2003 Enterprise" edition).
      Also, usually you cant upgrade OEM Versions of NT4/2000 to Windows 2003 or use Windows 2003 OEM version as upgrade version :
      http://support.microsoft.com/default.aspx?scid=kb;en-us;823762
12. If you plan to upgrade your Windows 2000 forest to Windows 2003, please take care of upgrading your ADC to the Exchange 2003 version before raising the
       functional level of the forest, because if you don’t, you will have problems with older ADC being unable to handle correctly Linked Value Replication on group
       membership.
      http://support.microsoft.com/default.aspx?scid=kb;en-us;825916
      http://support.microsoft.com/default.aspx?scid=kb;en-us;823601
13. Do yours system have correct DNS Infrastructure? Do the serves and clients configure to use the correct DNS servers?
       (I find out that some users configure there servers to use external DNS/ISP servers and not local DNS servers).
       Also, using single-label DNS names may required some configurations changes:
       http://support.microsoft.com/default.aspx?scid=kb;en-us;300684
14. You can't upgrade from SBS 2000 to regular Windows 2003 domain. However, you can upgrade SBS 2000 to SBS 2003,
        or to Windows 2003 domain by using export/import migration process. 
15. Do you have Read permission (at least) for all GPO's in the Domain? (If Domain Admin group wouldn't have this permission,
         GPO upgrade will fail - usually in ADPREP /Domainprep step) 
16. Do you need to open some ports in the company firewall/router?
       http://support.microsoft.com/?kbid=289241
17. Did you move Exchange Enterprise Servers Group and Exchange Domain Servers Group to another container?
       http://support.microsoft.com/default.aspx?scid=kb;en-us;260914
18. Did you install the Windows 2003 on multihomed computer?
       http://support.microsoft.com/default.aspx?scid=kb;en-us;832478
19. Did you used InetOrgPerson object in the domain?
       http://support.microsoft.com/default.aspx?scid=kb;en-us;307998
20. If you like to upgrade Small Business Server Domain Environment to regular Windows 2003 Domain, read:
       http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;555073
21. Install WINS server and configure the clients to use it. Although most people think that there is no need to use WINS server in
       the network, there may be some situations that you might need to use NetBIOS name resolution in your network:
       http://support.microsoft.com/default.aspx?scid=837391
22. If you like to migrate to Windows 2003 R2 Domain, please consider the migration in two stages:
         a. Migration from NT/2000 Domain to Windows 2003 Domain
         b. Migration from Windows 2003 Domain to Windows 2003 R2 Domain.
 
     Note: There no technical limitation to migrate directlly to Windows 2003 R2 Domain, but
                using this two stages allow you to reduce the project risk, allow faster rollback and facilitate
                troubleshooting.
               
I found some nice tips that can save time and may help you in the upgrade process:
 
1. Move all FSMO roles to one domain controller and configure all the DC's as GC's.
2. Move the domain controller from step 1 to unique VLAN that will be isolated from the regular network.
3. Backup the domain controller from step 1 by using backup tape backup, and some image utility.
4. After running ADPREP /Forestprep check that Windows 2003 schema upgrade to contain new 2003 forest attributs.
5. After running ADPREP /Domainprep check that Windows 2003 schema upgrade to contain new 2003 domain attributs.
6. Disable any antivirus software on the software before the upgrade process.
7. Log on to the domain controller from step 1 with account that member of: Enterprise Admin group, Domain Admin group,
      Schema Admin group - and if you have Exchange System in your organization - the account should be with Full
      Exchange Admin permission on the Exchange organization, administrative groups (sites in Exchange 5.5 environment),
      Exchange Servers (and in Exchange 5.5 environment - also full control on "Configuration" container).
8. Test this upgrade in a lab before implement it on production server.
9. Copy the I386 directory content from the Windows 2003 cd rom, to the local server hard disk.
10. Verity that the all servers in the domain have the correct time zone and the configure to be synchronization
       from the same server (usually this the PDC emulator).
11. Activate the new Windows 2003 Server before implement any changes on the system.
12. If you add new Windows 2003 server to the domain, make sure to configure the correct domain name and domain suffix.
13. Don't use forbidden characters in the domain or/and server name (etc *, _).
14. Before you implement - Windows 2003 CA, Windows 2003 Cluster, Exchange 2003 configure at
        least one DC as Windows 2003 DC and GC, and configure Windows 2003 CA, Windows 2003 Cluster, Exchange 2003
        to use this server as default logon server.
15. If you have multidomain hierarchy, upgrade first the forest root domain, and only after this upgrade complete, the
       rest of the forest.
16. If you have multisites hierarchy, let the changes of ADPREP command to repliacte to all other sites. Verify that each
        DC upgrade its schema version before you install the Windows 2003 Server.
17. After running ADPREP command, open %systemroot%\system32\debug\adprep\logs\ADPrep.log, and see if there
       are error messages that might need to be resolved.
18. Read: How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2 article before beggining the migration.
        http://support.microsoft.com/default.aspx?scid=kb;en-us;322970
19. If you installed Exchange 2000/2003, its recommended to run Policytest.exe utility before the upgrade:
        http://support.microsoft.com/default.aspx?scid=kb;en-us;281537&FR=1&PA=1&SD=HSCH
20. Read: HOW TO: Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based Domain Controller
                http://support.microsoft.com/default.aspx?scid=kb;en-us;326209
                HOW TO: Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration
                http://support.microsoft.com/default.aspx?scid=kb;en-us;325851
                How to Use Active Directory Migration Tool Version 2 to Migrate from Windows 2000 to Windows Server 2003
                http://support.microsoft.com/default.aspx?scid=kb;en-us;326480
                Active Directory Migration Tool v3.0
                http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en
                How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
                http://support.microsoft.com/default.aspx?scid=kb;en-us;325379
                Upgrading to Windows Small Business Server 2003
                http://www.microsoft.com/WindowsServer2003/sbs/upgrade/default.mspx
                Domain Migration Cookbook
                http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp1.mspx
                Windows Server 2003 PKI Operations Guide
                http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
21. If the upgrade process need to take more then a few hours, consider to change the domain configuration to eliminate
          Overloading on the First Domain Controller.
          How to Prevent Overloading on the First Domain Controller During Domain Upgrade
          http://support.microsoft.com/?kbid=298713
22. Review the new settings of Windows 2003 Service Pack 1:
            http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx
         Note: New functiobility was added to Windows 2003 Service Pack 1. Skiping this stage may limited
                  the server functiobility and the correct forest and domain opertional.
23. Review "ADPREP /domainprep /gpprep" command functions and use.
        http://support.microsoft.com/default.aspx?scid=kb;en-us;324392&FR=1&PA=1&SD=HSCH
24. Verity that you use account that own "Delegation Privilege" right.
       http://support.microsoft.com/?kbid=232070
25. If you need to move computers accounts to a new domain, disable "Offline Folder" use on the local computers.
        After the migration, you can enable it again.
 
And if something goes wrong?
 
1. If you follow the process that I described in the "Before you "run" and upgrade system to Windows 2003..." section in this
     article, a roll back should take no more then 30 minutes.
2. If you didnt follow the process that I describe in the "Before you "run" and upgrade system to Windows 2003..." section in this
     article , a roll back may take a long time, and may require in worse situations reinstall the Windows 2000 domain.
 
Please follow these short instructions:
 
1. Please check if you log on with user that have satisfying permissions to upgrade the Schema and the system.
2. Check that you enable schema changes - and reapply ADPREP /Forestprep and ADPREP /Domainprep commands.
3. Consider to use ADMT2/ADMT3 to migrate users from Windows 2000 domain to the new Windows 2003 domain (in a new forest).
     You can read and find information on this issue in:
     http://www.microsoft.com/usa/presentations/Windows2003DeploymentScenarios.ppt
4. Follow the the instructions bellow if you unable to successfully run adprep /domainprep on Windows 2000 Domainp:
    http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;555055
5. Consider to call to Microsoft local support center.
 
Post checklist:
 
How to Verify That SRV DNS Records Have Been Created for a Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;816587
 
How to Verify an Active Directory Installation in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;816106
 
Virus Scanning Recommendations on a Windows 2000 or on a Windows Server 2003 Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
 
Operations That Are Performed by the Adprep.exe Utility When You Add a Windows Server 2003 Domain Controller to a Windows 2000 Domain or Forest
http://support.microsoft.com/default.aspx?scid=kb;en-us;309628
 
Known issues:
 
KCC Error Event 1567 Occurs When You Install DNS on a Windows Server 2003-Based Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;813484
The Default Domain Controller Security Policy Icon and the Domain Security Policy Icon Do Not Work When You Upgrade to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828291
Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433
Windows 2000 and Windows Server 2003 Setup Does Not Succeed When You Upgrade from a Windows NT 4.0-Based Primary Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;811961
Cluster Service Does Not Start After You Upgrade to Windows Server 2003, Enterprise
http://support.microsoft.com/default.aspx?scid=kb;en-us;812877
A terminal server no longer runs in application mode after you upgrade the terminal server to Windows Small Business Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828056
Exchange 2000 Recipient Update Service does not replicate changes successfully in forest functional level 1 or 2 in Windows Server 2003 Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;831809
Inter-Forest Trust Appears as "External" or "Unknown"
http://support.microsoft.com/default.aspx?scid=kb;en-us;311484
"Microsoft Windows Has Detected Software That Is Not Completely Installed on Your Computer" Message When You Upgrade a Windows 2000 Server-Based Computer to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;820277
Firewall Clients Cannot Connect to the Internet After You Upgrade an ISA Server to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;816533
ERR3:7075 Failed to change domain affiliation, hr=800706fb" error when the Active Directory Migration Tool version 2 is run in test mode
http://support.microsoft.com/default.aspx?scid=kb;EN-US;828261
Windows 2000 Enterprise CAs Not Added to Certificate Publishers Group in Windows Server 2003 Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;300532
Enterprise CA May Not Publish Certificates from Child Domain or Trusted Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;219059
"The current DC is not in the domain controller's OU" error message when you run the Dcdiag tool
http://support.microsoft.com/default.aspx?scid=kb;EN-US;833436
Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/default.aspx?kbid=817433
Problems logging on to a Windows 2000-based server or a Windows 2003-based server
http://support.microsoft.com/default.aspx?kbid=272594
The Recipient Update Service does not update objects correctly when Exchange 2000 Server is running in a Windows Server 2003 forest
http://support.microsoft.com/default.aspx?scid=kb;EN-US;873059
NDR Message appear after reply to old email after mailbox migration
http://support.microsoft.com/default.aspx?scid=kb;en-us;555197
Out of memory error messages when you try to save files
http://support.microsoft.com/?kbid=830265
You Experience Slow File Server Performance and Delays Occur When You Work With Files That Are Located on a File Server
http://support.microsoft.com/kb/822219
Error message when you prepare an Active Directory forest for Exchange Server 2003: "Extending the schema in Active Directory failed"
http://support.microsoft.com/kb/917682/en-us
 
 
 

 
Windows Server 2003 Upgrade Paths
http://support.microsoft.com/default.aspx?kbid=810613
 
Windows 2003 Deployment Scenarios
http://www.microsoft.com/usa/presentations/Windows2003DeploymentScenarios.ppt
 
What's New in Windows Server 2003 R2
http://www.microsoft.com/windowsserver2003/r2/whatsnewinr2.mspx
 
Common Mistakes When Upgrading Exchange 5.5/2000 To a Exchange 2003
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;555262
 
.NET Enterprise Servers Online Books
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/net/onlinebooks/default.asp
 
HOW TO: Raise Domain and Forest Functional Levels in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;322692
 
ADMT v3 Migration Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=d99ef770-3bbb-4b9e-a8bc-01e9f7ef7342&DisplayLang=en
 
Exchange Migration and Upgrade Resources
http://www.microsoft.com/exchange/techinfo/interop/default.asp