��к�

Select the product you need help with

�Ըա�û�Ѻ��蹵�ǤǺ�� Windows 2000 �Ѻ Windows Server 2003

��Ţ�� (Article ID): 325379 - ��Ե�ѳ��Ǣ�ͧ㹺��

��ԡ��ʹ٢�ͨӡѴ��Ѻ�Դ�ͺ�ͧ KB ��¤��

��ԡ��ʴ��¤��е鹩�Ѻ��ѧ��§��ҧ�ѹ

��·�� | �غ��

��͸Ժ��Ըա�û�Ѻ��蹵�ǤǺ��ͧ Microsoft Windows 2000 �Ѻ Windows Server 2003 ��Ըա��ǤǺ�� Windows Server 2003 ��ѧ�� Windows 2000 ��Ѻ��ǡѺ�Ըա�û�Ѻ��蹵�ǤǺ�� Windows Server 2008 �� Windows Server 2008 R2 ��价��䫵��仹��ͧ Microsoft:

http://technet.microsoft.com/en-us/library/ee522994 (WS.10) .aspx #

(http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx#)

��Ѻ仴�ҹ�� | ��ʹ��

�Թ��Ҥ��ѧ��п��ʵ�

��͹��س��Ѻ��蹵�ǤǺ�� Windows 2000 �Ѻ Windows Server 2003 �� ͹��س��ǤǺ�� Windows Server 2003 ��ҡѺ�� Windows 2000 �ӵ��鹵͹��ҹ��:

�Թ��Ҥ��ѧ��繵��Ҷ֧��Ѿ�ҡ��ʵ��ǤǺ�� Windows Server 2003 ��Ѻ��ҡѹ��Ѻ��ŧ��ͪ�� smb:

��ǤǺ�� Windows Server 2003 ��Դ��ҹ SMB 㹡��繪��㹹�º�¡��ѡ�Ҥ��ʹ��·�ͧ�� Ǩ�ͺ�� ͹��͢��·��ⷤ�� SMB/CIFS ��Ҷ֧��ѹ��ͧ��ʵ��ǤǺ�� Windows Server 2003 ��ö��˹�� ͻ�Ѻ��ʹѺʹع��ŧ��ͪ�� smb ��繡�ê��Ǥ��Ǩ��ö �Դŧ��ͪ�� SMB �� ö�Դ��Ѻ��ا ��ͨ� ��͹��ö�١��Ѻ��к��Ժѵԡ��ʹѺʹع��ŧ��ͪ�� smb ��Ѻ��ǡѺ�Ըա��¡��ԡ��ŧ��ͪ�� smb �� "��͵�ͧ��ûԴ��ҹ��ŧ��ͪ�� smb"��ǹ��͹��¢ͧ��鹵͹��

Ἱ��ô��Թ��

��¡�õ��仹��ʴ�Ἱ��ô��Թ��Ѻ��ͧ��͹�� SMB ��Ѻ��:
- Microsoft Windows Server 2003, Microsoft Windows XP Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional �� Microsoft Windows 98
  
  ��ô��Թ��÷��
- Microsoft Windows NT 4.0
  
  ��õԴ�� Service Pack 3 ��蹷�� (Service Pack 6A �й�) 㹡�� Windows NT 4.0 ��Ҷ֧��Сͺ��¤�� Windows Server 2003 �Դ��ա�Ը�˹�觤�� Ǥ��ǧҹ SMB 㹡��繪��ͺ��ǤǺ�� Windows Server 2003 ��Ѻ��ǡѺ�Ըա��¡��ԡ��ŧ��ͪ�� smb �� "��͵�ͧ��ûԴ��ҹ��ŧ��ͪ�� smb"��ǹ��͹��¢ͧ��鹵͹��
- Microsoft Windows 95
  
  �Դ�� Windows 9x�ź�ԡ��á�� Windows 95 ��繡�ê��Ǥ��ǻԴ��ҹ SMB 㹡��繪��ͺ��ǤǺ�� Windows Server 2003 Win9 ��x��繵��ԡ��á��շ��躹�մ�� Windows 2000 ��ҧ�á�� add-on �ͧ��繵��١᷹�� Win9 ��û�Ѻ��اx��繵��ԡ��á�� Ѻ��ǡѺ�Ըա��¡��ԡ��ŧ��ͪ�� smb �� "��͵�ͧ��ûԴ��ҹ��ŧ��ͪ�� smb"��ǹ��͹��¢ͧ��鹵͹��
- ��繵�ͧ��͢�� Microsoft ��Ѻ��ͧ��͹�� MS-DOS ��м��Ѵ�� LAN �ͧ Microsoft
  
  ��繵��͢��¢ͧ Microsoft ��Ѻ MS-DOS ��繵�ͧ��͢�� 2.x ��Ѵ�� LAN Microsoft �Ҩ�١��Ҷ֧��Ѿ�ҡâͧ��͢�� ʹѧ��Ҩ�١��Ѻ��ͻ�մ�ʡ��Ѻ��äѴ�͡��к��Ժѵԡ�� ҡ��á��շ��ѹ��ǹ˹�觢ͧ��鹵͹��õԴ��駫Ϳ�� 繵��ҹ��ʹѺʹع��ŧ��ͪ�� smb ��Ըա�õԴ��駡��ͧ ��ͻԴ��ҹ��ŧ��ͪ�� smb ��Ѻ��ǡѺ�Ըա��¡��ԡ��ŧ��ͪ�� smb �� "��͵�ͧ��ûԴ��ҹ��ŧ��ͪ�� smb"��ǹ��͹��¢ͧ��鹵͹��
- ��繵�ͧ macintosh
  
  ��繵�ҧ Macintosh ��ͪ�� SMB 㹡��к��ҡѹ�� Ш��Ѻ��ͤ��ʴ��ͼԴ��Ҵ��仹��;ǡ�Ҿ��͡Ѻ��Ѿ�ҡ��͢��:
  -�Դ��Ҵ-36 I/O
  �Դ��駡�û�Ѻ��ا�Ϳ�� ԩй�� Դ SMB ��ա��繪��ͺ��ǤǺ�� Windows Server 2003 ��Ѻ��ǡѺ�Ըա��¡��ԡ��ŧ��ͪ�� smb �� "��͵�ͧ��ûԴ��ҹ��ŧ��ͪ�� smb"��ǹ��͹��¢ͧ��鹵͹��
- ��繵� SMB �� ͧ��ѷ��
  
  ��͹�� SMB �� ҧ��ҧ��ʹѺʹع��ŧ��ͪ�� smb ��֡�Ҽ��ԡ�� SMB ��ʹ�� 蹷��Ѻ��ا�� ԩй�� Դ SMB ��ա��繪��ͺ��ǤǺ�� Windows Server 2003
��͵�ͧ��ûԴ��ҹ��ŧ��ͪ�� smb

�ҡ��Ѻ��ا�Ϳ��ö�Դ��駵�ǤǺ��Ѻ�š�з�� Windows 95, Windows NT 4.0 ��繵�� Դ��駡�͹��йӢͧ Windows Server 2003 ��ԡ�� SMB ��繪��͢�͡�˹�㹹�º�¡��騹��Ҥس��ö��Ѻ��Դ��ҹ��Ǥ�� Ѻ��ا�Ϳ��ͧ��繵�

You can disable SMB service signing in the following node of Default Domain Controllers policy on the domain controllers organizational unit:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always)
If domain controllers are not located in the domain controller's organizational unit, you must link the default domain controller's Group Policy object (GPO) to all organizational units that host Windows 2000 or Windows Server 2003 domain controllers. Or, you can configure SMB service signing in a GPO that is linked to those organizational units.
Inventory the domain controllers that are in the domain and in the forest:
1. Make sure that all the Windows 2000 domain controllers in the forest have installed all the appropriate hotfixes and service packs.
  
  Microsoft recommends that all the Windows 2000 domain controllers run the Windows 2000 Service Pack 4 (SP4) or later operating systems. If you cannot fully deploy Windows 2000 SP4 or later, all the Windows 2000 domain controllers��have an Ntdsa.dll file whose date stamp and version is later than June 4th, 2001 and 5.0.2195.3673.��Ѻ�� ԡ��Ţ��仹�� ʹٺ��㹰ҹ��ͧ Microsoft::
  331161
  (http://support.microsoft.com/kb/331161/ )
  Hotfixes to install before you run adprep /Forestprep on a Windows 2000 domain controller to prepare the Forest and domains for the addition of Windows Server 2003-based domain controllers
  By default, Active Directory administrative tools on Windows 2000 SP4, Windows XP, and Windows Server 2003 client computers use Lightweight Directory Access Protocol (LDAP) signing. If such computers use (or fall back to) NTLM authentication when they remotely administer Windows 2000 domain controllers, the connection will not work. To resolve this behavior, remotely administered domain controllers should have a minimum of Windows 2000 SP3 installed. Otherwise you should turn off LDAP signing on the clients that run the administration tools.For more information about LDAP, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  325465
  (http://support.microsoft.com/kb/325465/ )
  Windows 2000 domain controllers require Service Pack 3 or later when using Windows Server 2003 administration tools
  The following scenarios use NTLM authentication:
  - You administer Windows 2000 domain controllers that are located in an external forest connected by an NTLM (non-Kerberos) trust.
  - You focus Microsoft Management Console (MMC) snap-ins against a specific domain controller that is referenced by its IP address. For example, you click��÷ӧҹ��ԡ��¡��, and then type the following command:
    dsa.msc /server=ipaddress
  To determine the operating system and the service pack revision level of Active Directory domain controllers in an Active Directory domain, install the Windows Server 2003 version of Repadmin.exe on a Windows XP Professional or Windows Server 2003 member computer in the forest, and then run the followingrepadmincommand against a domain controller in each domain in the forest:
  >repadmin /showattrname of the domain controller that is in the target domainncobj:domain: /filter:"(&(objectCategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack
  
  DN: CN=NA-DC-01,organizational unit=Domain Controllers,DC=company,DC=com
  1> operatingSystem: Windows Server 2003
  1> operatingSystemVersion: 5.2 (3718)
  DN: CN=NA-DC-02,organizational unit=Domain Controllers,DC=company,DC=com
  1> operatingSystem: Windows 2000 Server
  1> operatingSystemVersion: 5.0 (2195)
  1> operatingSystemServicePack: Service Pack 1
  ��˵�:: The domain controller's attributes do not track the installation of individual hotfixes.
2. Verify the end-to-end Active Directory replication throughout the forest.
  
  Verify that each domain controller in the upgraded forest replicates all its locally held naming contexts with its partners consistently with the schedule that site links or connection objects define. Use the Windows Server 2003 version of Repadmin.exe on a Windows XP- or Windows Server 2003-based member computer in the forest with the following arguments:
  REPADMIN /REPLSUM /BYSRC /BYDEST /SORT:DELTA <-output formatted to fit on page DestDC largest delta fails/total %% error NA-DC-01 13d.21h:10m:10s 97 / 143 67 (8240) There is no such object... NA-DC-02 13d.04h:11m:07s 180 / 763 23 (8524) The DSA operation... NA-DC-03 12d.03h:54m:41s 5 / 5 100 (8524) The DSA operation...
  ��ǤǺ��㹿��ʵ��ͧ�ӫ�� Active Directory ��բ�ͼԴ��Ҵ ��Ф��㹤�� "�ŵ��˭��ش" �ͧ��Ѿ�� repadmin ��ҡ�ҡ��Ҥ��ͧ��÷�Ẻ��ͧ��§䫵��ʹ��ͧ�ѹ��ѵ�ط��ͷ�� µ�ǤǺ��·ҧ��˹�
  
  ��䢢�ͼԴ��Ҵ��÷�Ẻ��ͧ��ҧ��ǤǺ��ա��㹡�â�� replicate 㹹��¡�� Tombstone ��ء��ҹ (TSL) �ӹǹ�ѹ�� (�¤�� 60 �ѹ) ��ö�ӡ�è��ͧẺ�ӧҹ �س�Ҩ��ͧ��úѧ�Ѻ��ա��Ŵ�дѺ��ǤǺ�� ͡�ҡ��ʵ� �� Ntdsutil��ҧ��Ҵҵ�� ͹��ҹ�鹡�Ѻ��㹿��ʵ� �س��ö�� demotion �� forceful ��ͺѹ�֡��õԴ��к��Ժѵԡ��ҧ � ��躹��ǤǺ�� orphaned��Ѻ��ǡѺ�Ըա��ҵ�ǤǺ�� Windows 2000 orphaned �ҡ��ͧ��ͧ ��ԡ��Ţ��仹��ʹٺ��㹰ҹ��ͧ Microsoft:
  216498
  (http://support.microsoft.com/kb/216498/ )
  How to remove data in Active Directory after an unsuccessful domain controller demotion
  Take this action only as a last resort to recover the installation of the operating system and the installed programs. You will lose unreplicated objects and attributes on orphaned domain controllers including users, computers, trust relationships, their passwords, groups and group memberships.
  
  Be careful when you try to resolve replication errors on domain controllers that have not replicated inbound changes for a particular Active Directory partition for greater thantombstonelifetimenumber of days. When you do so, you may reanimate objects that were deleted on one domain controller but for which direct or transitive replication partners never received the deletion in the previous 60 days.
  
  Consider removing any lingering objects that reside on domain controllers that have not performed inbound replication in the last 60 days. Alternatively, you can forcefully demote domain controllers that have not performed any inbound replication on a given partition in tombstone lifetime number of days and remove their remaining metadata from the Active Directory forest by using Ntdsutil and other utilities. Contact your support provider or Microsoft PSS for additional help.
3. Verify that the contents of the Sysvol share are consistent.
  
  Verify that the file system portion of group policy is consistent. You can use Gpotool.exe from the Resource Kit to determine whether there are inconsistencies in policies across a domain. Use Healthcheck from the Windows Server 2003 support tools to determine whether the Sysvol share replica sets function correctly in each domain.
  
  If the contents of the Sysvol share are inconsistent, resolve all the inconsistencies.
4. Use Dcdiag.exe from the support tools to verify that all the domain controllers have shared Netlogon and Sysvol shares. To do so, type the following command at a command prompt:
  DCDIAG.EXE /e /test:frssysvol
5. Inventory the operations roles.
  
  The schema and infrastructure operations masters are used to introduce forest and domain-wide schema changes to the forest and its domains that are made by the Windows Server 2003adprep��ö��ª�� Verify that the domain controller that hosts the schema role and infrastructure role for each domain in the forest reside on live domain controllers and that each role owner has performed inbound replication over all partitions since they were last restarted.
  
  ��кǹ��DCDIAG /test:FSMOCHECKcommand can be used to view forest-wide and domain-wide operational roles. Operations master roles that reside on non-existent domain controllers should be seized to a healthy domain controller by using NTDSUTIL. Roles that reside on unhealthy domain controllers should be transferred if possible. Otherwise, they should be seized. ��кǹ��NETDOM QUERY FSMOcommand does not identify FSMO roles that reside on deleted domain controllers.
  
  Verify that the schema master and each infrastructure master has performed inbound replication of Active Directory since last booted. Inbound replication can be verified by using theREPADMIN /SHOWREPSDCNAME�� DCNAMEis the NetBIOS computer name or the fully qualified computer name of a domain controller.For more information about operations masters and their placement, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  197132
  (http://support.microsoft.com/kb/197132/ )
  Windows 2000 Active Directory FSMO roles
  223346
  (http://support.microsoft.com/kb/223346/ )
  FSMO placement and optimization on Active Directory domain controllers
6. EventLog Review
  
  Examine the event logs on all the domain controllers for problematic events. The event logs must not contain serious event messages that indicate a problem with any of the following processes and components:
  physical connectivity
  network connectivity
  name registration
  name resolution
  �Ѻ�ͧ��١��ͧ
  ��º�¡��
  security policy
  disk subsystem
  ��ҧ
  topology
  replication engine
7. Disk Space Inventory
  
  The volume that hosts the Active Directory database file, Ntds.dit, must have free space equal to at least 15-20% of the Ntds.dit file size. The volume that hosts the Active Directory log file must also have free space equal to at least 15-20% of the Ntds.dit file size. For additional information about how to free up additional disk space, see the "Domain Controllers Without Sufficient Disk Space" section of this article.
8. DNS Scavenging (Optional)
  
  Enable DNS Scavenging at 7-day intervals for all DNS servers in the forest. For best results, perform this operation 61 or more days before you upgrade the operating system. This provides the DNS scavenging daemon sufficient time to garbage-collect the aged DNS objects when an offline defragmentation is performed on the Ntds.dit file.
9. Disable the DLT Server Service (Optional)
  
  The DLT Server service is disabled on new and upgraded installations of Windows Server 2003 domain controllers. If distributed link tracking is not used, you can disable the DLT Server service on your Windows 2000 domain controllers and begin deleting DLT objects from each domain in the forest. For additional information, see the "Microsoft Recommendations for distributed link tracking" section of the following article in the Microsoft Knowledge Base:
  312403
  (http://support.microsoft.com/kb/312403/ )
  Distributed Link Tracking on Windows-based domain controllers
10. System State Backup
  
  Make a system state backup of at least two domain controllers in every domain in the forest. You can use the backup to recover all the domains in the forest if the upgrade does not work.

Microsoft Exchange 2000 in Windows 2000 forests

��˵�

If Exchange 2000 Server is installed, or will be installed, in a Windows 2000 forest, read this section before you run the Windows Server 2003adprep /forestprep��
If Microsoft Exchange Server 2003 schema changes will be installed, go to the "Overview: Upgrading Windows 2000 domain controllers to Windows Server 2003" section before you run the Windows Server 2003adprep��

The Exchange 2000 schema defines threeinetOrgPersonattributes with non-Request for Comment (RFC)-compliant LDAPDisplayNames:houseIdentifier,secretary��labeledURI.

The Windows 2000 inetOrgPerson Kit and the Windows Server 2003adprepcommand define RFC-complaint versions of the same three attributes with identical LDAPDisplayNames as the non-RFC-compliant versions.

When the Windows Server 2003adprep /forestprepcommand is run without corrective scripts in a forest that contains Windows 2000 and Exchange 2000 schema changes, the LDAPDisplayNames for thehouseIdentifier,labeledURI��secretaryattributes become mangled. An attribute becomes �mangled� if "Dup" or other unique characters are added to the beginning of the conflicted attribute name so that objects and attributes in the directory have unique names.

Active Directory forests are not vulnerable to mangled LDAPDisplayNames for these attributes in the following cases:

If you run the Windows Server 2003adprep /forestprepcommand in a forest that contains the Windows 2000 schema before you add the Exchange 2000 schema.
�ҡ�س�Դ�� schema Exchange 2000 㹿��ʵ��١ ��ҧ�� Windows Server 2003 ��ǤǺ��յ�ǤǺ��á㹿��ʵ�
��Ҥس�� inetOrgPerson Windows 2000 Kit ��ʵ� ��Сͺ��ҧ�ͧ Windows 2000 ��Шҡ�� س�Դ��駡��¹�ŧ schema �ͧ Exchange 2000 ��Шҡ�� س��¡�� Windows Server 2003adprep /forestprep��
��Ҥس��ö�� schema �ͧ Exchange 2000 㹿��ʵ� Windows 2000 �� ѹ /forestprep Exchange 2003 ��͹��¡�� /forestprep adprep Windows Server 2003

�͵��Ժ�ǵ� mangled ��Դ�� Windows 2000 㹡óյ��仹��:

��Ҥس�� Exchange 2000 ��蹹��labeledURI��кǹ��houseIdentifier��secretary�͵��Ժ�ǵ��ÿ��ʵ� Windows 2000 ��͹��س�Դ�� inetOrgPerson Windows 2000 Kit
�س�� Exchange 2000 ��蹹��labeledURI��кǹ��houseIdentifier��secretary�͵��Ժ�ǵ��ÿ��ʵ� Windows 2000 ��͹��س��¡�� Windows Server 2003adprep /forestprep�� ա��ѹʤ�Ի��ҧ��á

�ӵ��Ἱ��ô��Թ��Ѻ��ʶҹ��ó��:

ʶҹ��ó�� 1: ��¹�ŧ schema �ͧ Exchange 2000 ��ѧ�ҡ��س��¡�� /forestprep adprep Windows Server 2003

��ҡ��¹�ŧ schema �ͧ Exchange 2000 ��ö�й��Ϳ��ʵ� Windows 2000 �ͧ�س��ѧ�ҡ�� Windows Server 2003adprep /forestprep�ա��¡�� ҧ��١��ͧ � "�Ҿ��: ��Ѻ��蹵�ǤǺ�� Windows 2000 �Ѻ Windows Server 2003"��ǹ

ʶҹ��ó�� 2: ��¹�ŧ schema �ͧ Exchange 2000 �ж١�Դ��駡�͹�� /forestprep adprep �ͧ Windows Server 2003

��ҡ��¹�ŧ schema �ͧ Exchange 2000 ��١�Դ�� س��¡�� Windows Server 2003adprep /forestprep�� Ԩ�ó�Ἱ��ô��Թ��õ��仹��:

��к��͹�Ţͧ��ͧ�� schema ��ѡ��ô��Թ�� ͤ�ҷ��Ҫԡ�ͧ��ѡ�Ҥ��ʹ�� domain Admins ��ҧ
��ԡ��÷ӧҹ��ԡ��¡����:notepad.exe㹡��OPEN��ͧ ��Ǥ�ԡ��ŧ.
��äѴ�͡��ͤ��仹��֧�ѵ��ѧ��ͷ��ѧ " schemaUpdateNow: 1 " ��ѧ�蹨��ѹ�֡
dn: CN = ms - Exch - �� - �� CN =ẺἹ CN =��õ�駤�Ҥ͹�ԡ DC = X
changetype: ��Ѻ��¹
᷹: LDAPDisplayName
LDAPDisplayName: msExchAssistantName
-

dn: CN = ms - Exch - LabeledURI, CN =ẺἹ CN =��õ�駤�Ҥ͹�ԡ DC = X
changetype: ��Ѻ��¹
᷹: LDAPDisplayName
LDAPDisplayName: msExchLabeledURI
-

dn: CN = ms - Exch - ��ҹ-��Ǻ觪�� CN =ẺἹ CN =��õ�駤�Ҥ͹�ԡ DC = X
changetype: ��Ѻ��¹
᷹: LDAPDisplayName
LDAPDisplayName: msExchHouseIdentifier
-

dn::
changetype: ��Ѻ��¹
��: schemaUpdateNow
schemaUpdateNow: 1
-
�׹�ѹ�� վ�鹷��ҧ��͹��¢ͧ��к�÷Ѵ
㹡����:�� ԡ�ѹ�֡. 㹡���ѹ�֡����ͧ��ͺ��ͧ �ӵ��鹵͹��ҹ��:
1. 㹡������ͧ ��仹��:
  \%userprofile%\InetOrgPersonPrevent.ldf
2. 㹡���ѹ�֡�繪�Դ��ͧ ��ԡ��.
3. 㹡������ͧ ��ԡunicode.
4. ��ԡ�ѹ�֡.
5. �͡�ҡ Notepad
��¡��ʤ�Ի�� InetOrgPersonPrevent.ldf
1. ��ԡ��÷ӧҹ��ԡ��¡����:cmd㹡��OPEN��ͧ ��Ǥ�ԡ��ŧ.
2. ˹�Ҩ;��Ѻ�� 仹�� С� enter:
  �մ���%%
3. ��觵��仹��
  c:\documents �� settings\%username%>ldifde -i -f inetorgpersonprevent.ldf - v - c DC = X "��鹷ҧ�ͧ��Ѻ��ҡ�ͧ��ʵ�"
  ��˵��ҡó�:
  - DC = X �� Ҥ� case-sensitive
  - ��鹷ҧ�ͧ��Ѻ��ѡ��ͧ��ѭ��С��
  ��ҧ�� ҡó��Ѻ��ʵ� Active Directory ��ҡ�ͧ��ʵ�� TAILSPINTOYS.COM:
  c:\documents �� settings\administrator > ldifde -i -f inetorgpersonprevent.ldf - v - c DC = X " dc = tailspintoys, dc = com "
  ��˵�:�س�Ҩ��ͧ��¹�ŧ��
  ͹حҵ��û�Ѻ��ا schema
  ��ʵ�իѺ��ҡ�س��Ѻ��ͤ��ʴ��ͤ��ʴ��ͼԴ��Ҵ��仹��:
  ��Ѻ��ا schema ��Ѻ͹حҵ�� DC ��ͧ�ҡ��ա�õ�駤��ը�ʷ�դ�� DC ��ҧ��Ңͧ��ҷ�ͧ FSMO
  ��Ѻ��ǡѺ�Ըա��¹��¢ͧ�ը�ʷ�չ�� ԡ��Ţ��仹��ʹٺ��㹰ҹ��ͧ Microsoft:
  285172
  (http://support.microsoft.com/kb/285172/ )
  ��Ѻ��ا schema ��ͧ��¹��Ҷ֧ schema � Active Directory
��Ǩ�ͺ�� LDAPDisplayNames ��Ѻ�� CN = ms - Exch - �� - �� CN = ms LabeledURI - Exch- �� CN =�͵��Ժ�ǵ� ms-Exch-��ҹ��Ǻ觪��㹺�Ժ��õ�駪��ҧ�� ҡ�� msExchAssistantName, msExchLabeledURI �� msExchHouseIdentifier ��͹��س��¡�� Windows Server 2003adprep /forestprep��
� "�Ҿ��: ��Ѻ��蹵�ǤǺ�� Windows 2000 �Ѻ Windows Server 2003"��ǹ��÷ӧҹ��adprep /forestprep��/domainprep��

ʶҹ��ó�� 3: �� forestprep Windows Server 2003 �١�ѹ��ͧ inetOrgPersonFix �á��ѧ�ӧҹ��

�ҡ�س��¡�� Windows Server 2003adprep /forestprep��㹿��ʵ�ͧ Windows 2000 ��Сͺ�� Exchange 2000 schema ��¹ �͵��Ժ�ǵ� LDAPDisplayName ��ѺhouseIdentifier,secretary��labeledURI�С�� mangled ��͵�ͧ��кت�� mangled �� Ldp.exe ��ͤ��͵��Ժ�ǵ��Ѻ�š�з�:

�Դ�� Ldp.exe �ҡ�� Support\Tools �� Microsoft Windows 2000 �� Windows Server 2003
�� Ldp.exe �ҡ��ǤǺ��ͤ��Ҫԡ㹿��ʵ�
1. 㹡������ ԡ������:��Դ��ҧ�� ͧ389㹡������ͧ ��Ǥ�ԡ��ŧ.
2. 㹡������ ԡ�١��ͧ��ҧ ��Шҡ�� ԡ��ŧ.
�ѹ�֡��鹷ҧ�ͧ��ͷ��ᵡ��ҧ��Ѻ�͵��Ժ�ǵ� SchemaNamingContext ��ҧ�� Ѻ��ǤǺ��㹿��ʵ� CORP.ADATUM.COM ��鹷ҧ�ͧ��ͷ��ᵡ��ҧ�Ҩ CN =ẺἹ CN =��õ�駤�Ҥ͹�ԡ DC =��ҧ DC =��ѷ DC = com ��
㹡����¡���� ԡ��.
��õ�駤�ҵ��仹��͵�駤�Ҥ͹�ԡ����ͧ��ͺ:
- �ҹ DN: Ẻ��鹪��ͷ��ᵡ��ҧ�ͧ schema ��Ժ��õ�駪��ͷ��к��㹢�鹵͹�� 3
- ��ǡ�ͧ: (ldapdisplayname = dup *)
- �ͺࢵ:: �ӴѺ��
mangledhouseIdentifier,secretary��labeledURI�͵��Ժ�ǵ��͵��Ժ�ǵ� LDAPDisplayName ��¡Ѻ�ٻẺ��仹��:
LDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d
LDAPDisplayName: DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85f
LDAPDisplayName: DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef
�� LDAPDisplayNames ��ѺlabeledURI,secretary��houseIdentifier�١ mangled 㹢�鹵͹�� 6 ��¡��ʤ�Ի�� InetOrgPersonFix.ldf 2003 Server Windows ��á��׹ �� "Upgrading Windows 2000 domain controllers with Winnt32.exe"��ǹ
1. Create a folder named %Systemdrive%\IOP, and then extract the InetOrgPersonFix.ldf file to this folder.
2. ˹�Ҩ;��Ѻ�� cd %systemdrive%\iop.
3. Extract the InetOrgPersonFix.ldf file from the Support.cab file that is located in the Support\Tools folder of the Windows Server 2003 installation media.
4. From the console of the schema operations master, load the InetOrgPersonFix.ldf file by using Ldifde.exe to correct theLdapDisplayName�س�ѡɳТͧͧ��Сͺ��houseIdentifier,secretary��labeledURIattributes. To do so, type the following command, where <x> is a case-sensitive constant and <dn path="" for="" forest="" root="" domain=""> is the domain name path for the root domain of the forest: </dn></x>
  C:\IOP>ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "��鹷ҧ�ͧ��Ѻ��ҡ�ͧ��ʵ�"
  ��˵��ҡó�:
  - DC = X �� Ҥ� case-sensitive
  - ��鹷ҧ�ͧ��Ѻ��ҡ�ͧ��ʵ��ͧ��ѭ��С��
��Ǩ�ͺ�� houseIdentifier,secretary��labeledURI�͵��Ժ�ǵ�㹺�Ժ��õ�駪��ҧ�� "mangled" ��͹��س�Դ�� Exchange 2000

��Ѻ��ǡѺ��Ѵ��駢ͧ schema ��Ǣ�ͧ�Ѻ��ԡ��Ѻ UNIX �� 2.0 ��ԡ��Ţ��仹��ʹٺ��㹰ҹ��ͧ Microsoft:

293783

(http://support.microsoft.com/kb/293783/ )

��ö��Ѻ��ͧ Windows 2000 �Ѻ Windows Server 2003 �� Windows Services ��Ѻ UNIX 2.0 ��Դ��

�Ҿ��: ��Ѻ��蹵�ǤǺ�� Windows 2000 �Ѻ Windows Server 2003

Windows Server 2003adprep��觷��س��¡��ҡ�� \I386 �� Windows Server 2003 �� ʵ� Windows 2000 ��Тͧ��Ѻ��ǤǺ�� Windows Server 2003 Windows Server 2003adprep /forestprep��ѡɳС�÷ӧҹ��仹��:

��Ǻ͡�ѡɳТͧ��ѡ�Ҥ��ʹ��鹡�û�Ѻ��ا��Ѻ��ʢͧ�ѵ��
��С��س�ѡɳ��
�ѵ��ẺἹ��͵��Ժ�ǵ��ͧ inetOrgPerson

��кǹ��adprep��ö��ª��ʹѺʹع��÷Ѵ��觷��ͧ:

adprep /forestprep: ��Թ��û�Ѻ��蹿��ʵ�ӧҹ
adprep /domainprep: ��㹡�û�Ѻ��蹡�ô��Թ�ҹ��ӧҹ

��кǹ��adprep /forestprep��觶١��Թ��ä��Ƿ��Թ��Ἱ��ô��Թ�ҹ��ѡ (FSMO) �ͧ��ʵ� ��кǹ��forestprep��ͧ��ó� ��зӫ�ӡ��ҧἹ��ѡ�ͧ�ç��ҧ��鹰ҹ�ͧ��͹��س��ö��¡��ô��Թ��adprep /domainprep��

��кǹ��adprep /domainprep��觶١��Թ��ä��Ƿ��س��¡�麹��ǤǺ��ѡ��ô��Թ�ҹ�ç��ҧ��鹰ҹ�ͧ��㹿��ʵ��ʵ�͹�� Windows Server 2003 �� ô ��кǹ��adprep /domainprep��觵�Ǩ�ͺ��¹�ŧ�ҡforestprep�ա�è��ͧẺ㹾��Ԫѹ�ͧ�� Шҡ�� ¹�ŧ�ͧ�س�ͧ��ѧ��Ԫѹ��С��º�� Sysvol ��ѹ

�س��ö��ҧ��ҧ˹�觢ͧ��ô��Թ��õ��仹��͡�ҡ��/forestprep��/domainprep��ô��Թ��ó� ��С�è��ͧẺ��ѧ��ǤǺ��:

��û�Ѻ��蹵�ǤǺ��ͧ Windows 2000 �Ѻ��ǤǺ�� Windows Server 2003 �� Winnt32.exe

��˵�:: �س��ö��Ѻ��Ҫԡ�ͧ Windows 2000 ��Ф��ѧ��Ҫԡ�ͧ Windows Server 2003 ��㴡� ��س��ͧ��
��͹��ǤǺ�� Windows Server 2003 ��ŧ�� Dcpromo.exe

��ʵ��ͧ�� schema ��ѡ��ô��Թ�� ҹ�鹷��س��ͧ�ѹ��ͧ��ҧadprep /forestprep��adprep /domainprep. �� س��§��ͧ��¡��adprep /domainprep.

��кǹ��adprep /forestprep��adprep /domainprep��͵��Ժ�ǵ��äس�ѡɳкҧ��ǹ�ͧ�絵��͡��ǹ��ҧ��駤�� ͷ��ëԧ��ͧ�絵��͡��ǹ��ҧ The RTM version ofadprep /domainprepdoes cause a full sync of the \Policies folder in the Sysvol tree. Even if you runforestprep��domainprepseveral times, completed operations are performed only one time.

After the changes fromadprep /forestprep��adprep /domainprepcompletely replicate, you can upgrade the Windows 2000 domain controllers to Windows Server 2003 by running Winnt32.exe from the \I386 folder of the Windows Server 2003 media. Also, you can add new Windows Server 2003 domain controllers to the domain by using Dcpromo.exe.

Upgrading the forest with the adprep /forestprep command

To prepare a Windows 2000 forest and domains to accept Windows Server 2003 domain controllers, follow these steps first in a lab environment, then in a production environment:

Make sure that you have completed all the operations in the "Forest Inventory" phase with special attention to the following items:
1. You have created system state backups.
2. All the Windows 2000 domain controllers in the forest have installed all the appropriate hotfixes and service packs.
3. End-to-end replication of Active Directory is occurring throughout the forest
4. FRS replicates the file system policy correctly throughout each domain.
Log on to the console of the schema operations master with an account that is a member of the Schema Admins security group.
Verify that the schema FSMO has performed inbound replication of the schema partition by typing the following at a Windows NT command prompt:
repadmin /showreps
(repadminis installed by the Support\Tools folder of Active Directory.)
Early Microsoft documentation recommends that you isolate the schema operations master on a private network before you runadprep /forestprep. Real-world experience suggests that this step is not necessary and may cause a schema operations master to reject schema changes when it is restarted on a private network. If you want to isolate schema additions that were made byadprep, Microsoft recommends that you temporarily disable outbound replication of Active Directory with therepadmin��ö��ª��÷Ѵ�� To do this, following these steps:
1. ��ԡ��÷ӧҹ��ԡ��¡����:cmd�� ԡ��ŧ.
2. Type the following, and then press ENTER:
  repadmin /options +DISABLE_OUTBOUND_REPL
��¡��adprepon the schema operations master. ��͵�ͧ��÷��蹹�� ԡ��÷ӧҹ��ԡ��¡����:cmd�� ԡ��ŧ. On the schema operations master, type the following command
X:\I386\adprep /forestprep
��:X:\I386\is the path of the Windows Server 2003 installation media. This command runs the forest-wide schema upgrade.

��˵�:Events with event ID 1153 that are logged in the Directory Service event log, such as the sample that follows, can be ignored:
Event Type : Error
Event Source : NTDS General
Event Category: Internal Processing
Event ID : 1153
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User : Everyone Computer :<some dc=""></some>
Description: Class identifier 655562 (class name msWMI-MergeablePolicyTemplate) has an invalid superclass 655560. Inheritance ignored.
��Ǩ�ͺ�� adprep /forestprepcommand successfully ran on the schema operations master. To do so, from the console of the schema operations master, verify the following items:
- ��кǹ��adprep /forestprepcommand completed without error.
- The CN=Windows2003Update object is written under CN=ForestUpdates,CN=Configuration,DC=forest_root_domain. Record the value of the Revision attribute.
- (Optional) The schema version incremented to version 30. To do so, see the ObjectVersion attribute under CN=Schema,CN=Configuration,DC=forest_root_domain.
��adprep /forestprepdoes not run, verify the following items:
- The fully qualified path for Adprep.exe located in the \I386 folder of the installation media was specified whenadprepran. To do so, type the following command:
  x:\i386\adprep /forestprep
  ��:xis the drive that hosts the installation media.
- The logged on user who runsadprephas membership to the Schema Admins security group. To verify this, use thewhoami /all��
- ��adprepstill does not work, view the Adprep.log file in the %systemroot%\System32\Debug\Adprep\Logs\Latest_log��
If you disabled outbound replication on the schema operations master in step 4, enable replication so that the schema changes that were made byadprep /forestprepcan propagate. To do this, following these steps:
1. ��ԡ��÷ӧҹ��ԡ��¡����:cmd�� ԡ��ŧ.
2. ��仹�� С� enter:
  repadmin /options - DISABLE_OUTBOUND_REPL
��Ǩ�ͺ�� adprep /forestprep�ա�è��ͧẺ��¹�ŧ��ǤǺ��㹿��ʵ� �繻��ª��㹡�õ�Ǩ�ͺ�͵��Ժ�ǵ��仹��:
1. incrementing ��蹢ͧ schema
2. �� CN = Windows2003Update, CN = ForestUpdates, CN =��õ�駤�Ҥ͹�ԡ DC =forest_root_domain�� CN =��ô��Թ�� CN = DomainUpdates, CN =�к� DC =forest_root_domain��ա�è��ͧẺ guid �ͧ�ҹ��
3. ��Ѻ��ʢͧ schema �� ѵ�� ͵��Ժ�ǵ� �� ¹�ŧ��adprep /forestprep�� inetOrgPerson �١�� Schxx.ldf �� (��xx�繵��Ţ��ҧ 14 �֧ 30) � %systemroot%\System32 � ��С�˹��觷��ѵ�� Фس�ѡɳ��è� ��ҧ�� inetOrgPerson �١��˹�� Sch18.ldf
�Ҥ�� LDAPDisplayNames mangled

��ա�õԴ�� Exchange 2000 ��͹�� س�ѹ Windows Server 2003adprep /forestprep�� ٺ��㹰ҹ��ͧ Microsoft ��仹��:
314649
(http://support.microsoft.com/kb/314649/ )
�� /forestprep adprep �ͧ windows Server 2003 ��Դ�͵��Ժ�ǵ� mangled � forests Windows 2000 ��Сͺ�� Exchange 2000
�ҡ�س�� mangled 价��ʶҹ��ó�� 3 �ͧ��ǡѹ
��к��͹�ŢͧἹ�ҹ��ѡ��ͤ�ҷ��Ҫԡ�ͧ��ѡ�Ҥ��ʹ��¡�� domain Admins Schema �ͧ��ʵ��ʵ��ͧ�� schema ��ѡ��ô��Թ�ҹ

��û�Ѻ�� դ�� /domainprep adprep

��¡��adprep /domainprep��ѧ�ҡ/forestprep��¹�ŧ��ӫ�ӵ�ǤǺ��ѡ�ͧ�ç��ҧ��鹰ҹ��ʵ��ǤǺ�� Windows Server 2003 ��ӵ��鹵͹��仹��:

�кص�ǤǺ��ѡ�ͧ�ç��ҧ��鹰ҹ��س��ѧ��Ѻ�� ͡�Թ ��ºѭ�ռ��Ҫԡ�ͧ��ѡ�Ҥ��ʹ�� Domain Admins ��س��ѧ��Ѻ��

��˵�:: ͧ��ü��к��Ҩ��Ҫԡ�ͧ�� Domain Admins ��ʹ��١�ͧ��ʵ�
��¡��adprep /domainprep㹵�Ẻ�ç��ҧ��鹰ҹ To do so, click Start, click Run, typecmd, and then on the Infrastructure master type the following command:
X:\I386\adprep /domainprep
where X:\I386\ is the path of the Windows Server 2003 installation media. This command runs domain-wide changes in the target domain.

��˵�:: Ẻadprep /domainprepcommand modifies files permissions in the Sysvol share. These modifications cause a full synchronization of files in that directory tree.
Verify thatdomainprepcompleted successfully. To do so, verify the following items:
- ��кǹ��adprep /domainprepcommand completed without error.
- The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=dn path of domain you are upgradingexists
��adprep /domainprepdoes not run, verify the following items:
- The logged on user who runsadprephas membership to the Domain Admins security group in the domain being you are upgrading. To do so, use thewhoami /all��
- The fully qualified path for Adprep.exe located in the \I386 directory of the installation media was specified when you ranadprep. To do so, at a command prompt type the following command:
  x:\i386\adprep /forestprep
  ��:xis the drive that hosts the installation media.
- ��adprepstill does not work, view the Adprep.log file in the %systemroot%\System32\Debug\Adprep\Logs\Latest_log��
��Ǩ�ͺ�� adprep /domainprepchanges have replicated. To do so, for the remaining domain controllers in the domain, verify the following items:
- The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=dn path of domain you are upgradingobject exists and the value for the Revision attribute matches the value of the same attribute on the infrastructure master of the domain.
- (Optional) Look for objects, attributes or access control list (ACL) changes thatadprep /domainprepadded.
Repeat steps 1-4 on the infrastructure master of the remaining domains in bulk or as you add or upgrade DC's in those domains to Windows Server 2003. Now you can promote new Windows Server 2003 computers into the forest by using DCPROMO. Or, you can upgrade existing Windows 2000 domain controllers to Windows Server 2003 by using WINNT32.EXE.

��Ѻ仴�ҹ�� | ��ʹ��

Upgrading Windows 2000 domain controllers by using Winnt32.exe

After the changes from/forestprep��/domainprepcompletely replicate and you have made a decision about security interoperability with earlier-version clients, you can upgrade Windows 2000 domain controllers to Windows Server 2003 and add new Windows Server 2003 domain controllers to the domain.

The following computers must be among the first domain controllers that run Windows Server 2003 in the forest in each domain:

The domain naming master in the forest so that you can create default DNS program partitions.
The primary domain controller of the forest root domain so that the enterprise-wide security principals that Windows Server 2003'sforestprepadds become visible in the ACL editor.
The primary domain controller in each non-root domain so that you can create new domain-specific Windows 2003 security principals.

To do so, use WINNT32 to upgrade existing domain controllers that host the operational role you want. Or, transfer the role to a newly-promoted Windows Server 2003 domain controller. Perform the following steps for each Windows 2000 domain controller that you upgrade to Windows Server 2003 with WINNT32 and for each Windows Server 2003 workgroup or member computer that you promote:

Before you use WINNT32 to upgrade Windows 2000 member computers and domain controllers, remove Windows 2000 Administration Tools. To do so, use the Add/Remove Programs tool in Control Panel. (Windows 2000 upgrades only.)
Install any hotfix files or other fixes that either Microsoft or the administrator determines is important.
Check each domain controller for possible upgrade issues. To do so, run the following command from the \I386 folder of the installation media:
winnt32.exe /checkupgradeonly
Resolve any issues that the compatibility check identifies.
Run WINNT32.EXE from the \I386 folder of the installation media, and the restart the upgraded 2003 domain controller.
Lower the security settings for earlier-version clients as required.

If Windows NT 4.0 clients do not have NT 4.0 SP6 or Windows 95 clients do not have the directory service client installed, disable SMB Service signing on the Default Domain Controllers policy on the Domain Controllers organizational unit, and then link this policy to all organizational units that host domain controllers.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always)
Verify the health of the upgrade using the following data points:
- The upgrade completed successfully.
- The hotfixes that you added to the installation successfully replaced the original binaries.
- Inbound and outbound replication of Active Directory is occurring for all naming contexts held by the domain controller.
- The Netlogon and Sysvol shares exist.
- The event log indicates that the domain controller and its services are healthy.
  
  ��˵�:: You may receive the following event message after you upgrade:
  ��Դ�˵ء�ó�: ��ͼԴ��Ҵ
  Event Source: NTDS Backup
  Event Category: Backup
  Event ID: 1913
  �ѹ��:�ѹ��
  Time: HH:MM:SSAM|PM
  ��: n/a
  ��:computername
  ��͸Ժ��: ��ͼԴ��Ҵ��: The Active Directory 㹡��ͧ�� С�ä׹��Ҿ��ͼԴ��Ҵ��Ҵ�Դ�� ͧ��ͤ׹��Ҩ��稨��ҹ��١��
  �س��ö��鹢�ͤ��˵ء�ó��
�Դ��ͧ� Windows Server 2003 �Ѵ�� (��û�Ѻ�� Windows 2000 �� Windows Server 2003 �͹��ҹ��) Adminpak.msi �� \I386 ��ͧ�� Windows Server 2003 ��«մ�� Windows Server 2003 ��Сͺ��ͧ��ʹѺʹع��û�Ѻ��ا�� Support\Tools\Suptools.msi ��Ǩ�ͺ�� س��Դ��
�ӡ��ͧ��ͧ��¤͹�� Windows 2000 �ͧ��á��س��Ѻ�� Windows Server 2003 ��㹿��ʵ� ��ͧ�ͧ��ͧ Windows 2000 ��س��Ѻ��蹡�� Windows Server 2003 㹡��红��ŷ��١��͡��ͷ��س��ҹ��ͤ׹��ҵ�ǤǺ��ѹ Windows Server 2003 㹢�й��
(��): �ӡ�èѴ��§��Ẻ�Ϳ�Ź�ͧ�ҹ�� Active Directory 㹵�ǤǺ��س��Ѻ��蹡�� Windows Server 2003 ��ѧ�ҡ��Թ�ᵹ�� (SIS) ��ó�(��Ѻ Windows 2000 ��ҹ��)

SIS reviews �Է��躹�ѵ�ط��١�� Active Directory ��Шҡ�� Ǻ͡��ǡѺ��ʹ��ҧ�ջ��Է��Ҿ�ҡ��鹺��ѵ��ҹ�� SIS ��ѵ��ѵ� (��к� ��˵ء�ó� 1953 ��ѹ�֡�˵ء�ó�ͧ��ԡ��á��) ��͵�ǤǺ��ô��͹��к��Ժѵԡ�� Windows Server 2003 ��س��ª��ҡ��ҹ��Ǻ͡��ǡѺ��û�Ѻ��ا��ʹ��ͤس�ѹ�֡��ͤ��˵ء�ó� ID 1966 �˵ء�ó��ѹ�֡�˵ء�ó�ͧ��ԡ��á��ҹ��:
��Դ�˵ء�ó�: ��
��觷��Ңͧ�˵ء�ó�: SDPROP NTDS
��˵ء�ó�: ��û��ż��
��˵ء�ó�: 1966
�ѹ: ��/DD/��
��: HH:MM:SS AM|PM
��: ��к� AUTHORITY\ANONYMOUS NT
��:<computername></computername>
��͸Ժ��: propagator ��Ǻ͡��ǡѺ��ѡ�Ҥ��ʹ��·��ó��ͺ��
(MB) ��ͷ��ѹ��ǹ:
��ͷ��ҧ XX (MB): XX

��Ҩ��ͷ��ҧ㹰ҹ�� Active Directory
��ô��Թ��âͧ��: ��èѴ��§��Ţͧ�ҹ��Ẻ�Ϳ�Ź��ͷ��ҧ��Ҩ��ҹ㹰ҹ�� Active Directory 㹡�þԨ�ó� ��Ѻ�� ô�ٷ�� '�ٹ��ԡ�ê��Ը��' �� http://support.microsoft.com
��ͤ��˵ء�ó��觪�� ô��Թ��Թ�ᵹ��ó�� з�˹�ҷ��繤��繼��к��ʹ��Թ��âͧ��èѴ��§��Ẻ�Ϳ�Ź�ͧ Ntds.dit �� NTDSUTIL.EXE

�Ѵ��§��Ẻ�Ϳ�Ź��öŴ��Ҵ�ͧ�� Windows 2000 Ntds.dit �֧ 40% ��Ѻ��ا��Է��Ҿ��÷ӧҹ�ͧ Active Directory ��ྨ㹰ҹ��Ѻ��红��ŷ��ջ��Է��Ҿ�ҡ��鹢ͧ�͵��Ժ�ǵ��§��١�Ҥ�ҡ�û�Ѻ��ا��Ѻ��ǡѺ�Ըա�èѴ��§��á��շ��ҹ�ҹ�� ԡ��Ţ��仹��ʹٺ��㹰ҹ��ͧ Microsoft:
232122
(http://support.microsoft.com/kb/232122/ )
��ѧ�ӡ�èѴ��§��Ẻ�Ϳ�Ź�ͧ�ҹ�� Active Directory
��Ǩ�ͺ��ú�ԡ�� DLT ��ԡ�� DLT Server �� fresh �Դ��ҹ��ǤǺ�� windows Server 2003 ��С�õԴ��駡�û�Ѻ�� ͹�� Windows 2000 �� Windows XP �ͧ��âͧ�س��ԡ�� DLT Server �� Group Policy ��Դ��ҹ��ԡ�� DLT Server ��͹�� Windows Server 2003 �� ô �ԩй�� incrementally ź��§Ẻ��Ш�¡�õԴ��ѵ�بҡ Active Directory�ҡ��ͧ��÷�Һ�� ô��ԡ��Ţ��仹��ʹٺ�� Microsoft Knowledge Base::
312403
(http://support.microsoft.com/kb/312403/ )
��á�Ш�¡��§�Դ��ǤǺ�� Windows
315229
(http://support.microsoft.com/kb/315229/ )
��ͤ�� Dltpurge.vbs ��Ѻ��ҹ��ͧ Microsoft Q312403
��Ҥس�� bulk ź�Ѻ�ѹ DLT �ѵ��ѵ�� س�Ҩ��͡��è��ͧẺ��ͧ�ҡ��ա�èѴ��蹢ͧ ��ѡ��tombstonelifetime�ӹǹ�ѹ�� (�¤�� 60 �ѹ) ��ѧ �ҡ��سź�ѵ�� DLT ��ش �� Ѻ��š�ѹຨ��ó� �ҡ�� NTDSUTIL.EXE ��ͷӡ�èѴ��§��Ẻ�Ϳ�Ź�ͧ�� Ntds.dit
��õ�駤�Ҥ͹�ԡ�ç��ҧ˹��ͧ��Ըջ�ԺѵԷ��շ��ش Microsoft �й�� к��ѧ��ç��ҧ˹��ͧ��Ըջ�ԺѵԷ��շ��ش�� Active Directory �� ѧ�ҡ��л�Ѻ�� ͡�û�Ѻ��ǤǺ�� Windows Server 2003 �� Windows �� ¹��鹷ҧ�͹෹��鹷�� APIs ��ѹ��͹˹�ҹ��㹡��ҧ�� С��ѧ�͹෹��˹��ͧ��÷��кؼ��

��Ѻ��ǡѺ�ç��ҧ˹��ͧ��Ըջ�ԺѵԷ��շ��ش ��ǹ "��ҧ��ͧ��˹��͡" �ͧ�͡��÷ҧ෤�Ԥ�ͧ "��ͷ��շ��ش�֡ Active Directory �͡Ẻ��Ѻ��èѴ�� Windows ��" ��͵�ͧ��ô��͡��÷ҧ෤�Ԥ ��价��䫵��仹��ͧ Microsoft:
http://technet.microsoft.com/en-us/library/bb727085.aspx
(http://technet.microsoft.com/en-us/library/bb727085.aspx)
For more information about changing the default container where users, computers and groups that earlier-version APIs create are located, click the following article number to view the article in the Microsoft Knowledge Base:
324949
(http://support.microsoft.com/kb/324949/ )
Redirecting the users and computers containers in Windows Server 2003 domains
Repeat steps 1 through 10 as required for each new or upgraded Windows Server 2003 domain controller in the forest and step 11 (Best Practice organizational unit structure) for each Active Directory domain.

In Summary:
- Upgrade Windows 2000 Domain controllers with WINNT32 (from the slipstreamed installation media if used)
- Verify the hotfixed files have been installed on the upgraded computers
- Install any required hotfixes not contained on installation media
- Verify the health on new or upgraded servers ( AD, FRS, Policy etc)
- Wait 24 hours after OS upgrade then offline defrag (optional)
- Start the DLT Service if you must, otherwise delete DLT objects using q312403 / q315229 post forest wide domainpreps
- Perform offline defrag 60+ days (tombstone lifetime and garbage collection # of days) after deleting DLT objects

Dry-run upgrades in a lab environment

Before you upgrade Windows domain controllers to a production Windows 2000 domain, validate and refine your upgrade process in the lab. If the upgrade of a lab environment that accurately mirrors the production forest performs smoothly, you can expect similar results in production environments. For complex environments, the lab environment must mirror the production environment in the following areas:

��: computer type, memory size, page file placement, disk size, performance and raid configuration, BIOS and firmware revision levels
Software: client and server operating system versions, client and server applications, service pack versions, hotfixes, schema changes, security groups, group memberships, permissions, policy settings, object count type and location, version interoperability
Network infrastructure: WINS, DHCP, link speeds, available bandwidth
��Ŵ: Load simulators can simulate password changes, object creation, Active Directory replication, logon authentication and other events. The goal is not to reproduce the scale of the production environment. Instead, the goals are to discover the costs and frequency of common operations and to interpolate their effects (name queries, replication traffic, network bandwidth, and processor consumption) on the production environment based on your current and future requirements.
��èѴ��: tasks performed, tools used, operating systems used
��ô��Թ��: capacity, interoperability
Disk Space: Note the starting, peak and ending size of the operating system, Ntds.dit and Active Directory log files on global catalog and non-global catalog domain controllers in each domain after each of the following operations:
1. adprep /forestprep
2. adprep /domainprep
3. Upgrading Windows 2000 domain controllers to Windows Server 2003
4. Performing offline defragmentation after version upgrades

��ǡѺ��кǹ��û�Ѻ��Ф��Ѻ��͹�ͧ��Ҿ�Ǵ��Ѻ observation ��´��˹� pace ��дѺ��Ѵ��س��Ѻ��û�Ѻ��Ҿ�Ǵ��ü�Ե ��Ҿ�Ǵ�� յ�ǤǺ��ѵ�� Active Directory �ӹǹ��Ҵ��硷��ͼ�ҹ��ҹ�٧�ش��§��ǳ��ҧ (WAN) �ͧ��͢��Ҩ��Ѻ��§�� س�Ҩ��ͧ��Ѵ��ǡѺ��û�Ѻ��дѺͧ��÷�� ¡�âͧ��ǤǺ�� ¡�âͧ�ѹ Active Directory �ͧ�ͺ�硵� 㹡ó�� س�Ҩ��ͧ�ӡ�û�Ѻ��蹡�ü�ҹ��ѡ�ٵâͧ��ѻ��͹

��û�Ѻ�� "�ѹ Dry" ��Ҫվ��зӡ�ô��Թ��õ��仹��:

��÷Ӥ��ǡѺ workings inner �ͧ��кǹ��û�Ѻ��Ф��§��Ǣ�ͧ
�ʴ��鹷��ѭ��Ҩ�Դ��Ѻ��鹵͹��ҹ��Ҿ�Ǵ��÷ӧҹ�ͧ�س
��ͺ ��оѲ��Ἱ��Ŵ��͹㹡óշ��û�Ѻ��
��˹��дѺ�ͧ��´��й��Ѻ��кǹ��û�Ѻ��Ѻ��㹡�ü�Ե��

��ǤǺ�� վ�鹷��ҧ��ʡ��§��

��ǤǺ��վ�鹷��ҧ��ʡ��§�� 鹵͹��仹��ͷ��ҧ��ʡ캹�ÿ��ŷ��ʵ� Ntds.dit ��С��͡��:

ź��ҹ�� *.tmp ��Ǥ��Ƿ��Թ�� ͵�ͧ��÷��蹹�� (�� ENTER ��ѧ�ҡ��Ф��) ��仹��:
/d �մ��ÿ�\
del *.tmp /s
ź��ö��͹��˹��¤��ͼ�� ͵�ͧ��÷��蹹�� (�� ENTER ��ѧ�ҡ��Ф��) ��仹��:
/d �մ��ÿ�\
del *.dmp /s
�繡�ê��Ǥ��ź ��س��ö��Ҷ֧�ҡ�� ͵Դ��ҧ��´�� س��öź ��᷹�� ADMINPAK ��ͧ ��ʹѺʹع �� %systemroot%\System32\Dllcache
ź�� ͵�ͧ��÷��蹹�� ԡ��÷ӧҹ��ԡ��My Computer��ԡ�س��ѵ���ԡ������ ź��Ѻ�ѭ�ռ�� öź��ǹ��˹�� Ҩ�繺ѭ�պ�ԡ��
ź�ѭ�ѡɳ�� systemroot%\Symbols % ��͵�ͧ��÷��蹹�� 觵��仹��:
rd /s %systemroot%\symbols
��Ѻ��ѭ�ѡɳ�Ẻ�� ͢�Ҵ��硷�� Ҩ��Ѻ��ҳ 70 �.��亵�֧ 600 MB
�ӡ�èѴ��§��Ẻ�Ϳ�Ź� �Ѵ��§��Ẻ�Ϳ�Ź�ͧ�� Ntds.dit �Ҩ��鹷��ҧ ��ͧ��ͧ��ͧ��ҧ�ͧ�� DIT �Ѩ�غѹ�繡�ê��Ǥ�� defrag �ʶҹ��Ϳ�Ź� �� ҡ�� ͷ��ҧ��͢��·��ͷ��շ��ش��ͷӡ�èѴ��§��Ẻ�Ϳ�Ź� ��ѧ��ͷ��ʡ� incrementally ź�ѭ�ռ�� ѭ�դ�� ¹ DNS ��ѵ�� DLT �ҡ Active Directory

��˵�:: ��á��ҹ��öź�ѵ�بҡ�ҹ��Ũ��֧tombstonelifetime�ӹǹ�ѹ�� (�¤�� 60 �ѹ) �ա��觼�ҹ ��Ф��š�ѹຨ��ó� ��ҤسŴtombstonelifetime��͵�ͧ��ä�ҵ�ӡ��Ҩش��ش��è��÷�Ẻ��ͧ㹿��ʵ� �س�Ҩ��ʹ��ͧ�ѹ� Active Directory

��Ѻ仴�ҹ�� | ��ʹ��

��ҧ�ԧ

��Ѻ�� ԡ��Ţ��仹�� ʹٺ��㹰ҹ��ͧ Microsoft::

821076

(http://support.microsoft.com/kb/821076/ )

windows Server 2003 �Ը��Сͺ��¢��ǡѺ�Ըա�û�Ѻ��ا�� Windows 2000 ��١��ͧ

��Ѻ仴�ҹ�� | ��ʹ��

�س��ѵ�

��Ţ�� (Article ID): 325379 - ��Ǥ��ش��: 13 ��Ҥ� 2554 - Revision: 6.0

��Ѻ

Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Exchange 2000 Server Standard Edition
Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
Microsoft Windows Server 2003 R2 Datacenter Edition (64-Bit x86)
Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
Microsoft Windows Server 2003 R2 Standard Edition (64-Bit x86)

kbinfo kbmt KB325379 KbMtth

��¤��

��Ӥѭ: ��«Ϳ��Ŵ��¤��ͧ Microsoft ᷹��繹ѡ�ŷ��繺ؤ�� Microsoft �պ��¹ѡ��к��Ŵ��¤�� س��ö��Ҷ֧��㹰ҹ��ͧ�� Ңͧ�س�ͧ ��ҧ�á�� Ŵ��¤��Ҩ�բ�ͺ��ͧ ��Ҩ�բ�ͼԴ��Ҵ㹤��Ѿ�� ٻẺ��ҡó� ��ǡѺ�óշ��ǵ�ҧ�ҵԾٴ�Դ��;ٴ��Ңͧ�س Microsoft ��ǹ�Ѻ�Դ�ͺ��ͤ��Ҵ��͹ ��Դ��Ҵ��ͤ��·��Դ�ҡ��ҼԴ��Ҵ ��͡��麷�Ţͧ�١�� Microsoft �ա�û�Ѻ��ا�Ϳ��Ŵ��¤��繻�Ш�

��仹��繩�Ѻ��ѧ��ɢͧ��:325379

(http://support.microsoft.com/kb/325379/en-us/ )

��Ѻ仴�ҹ�� | ��ʹ��