Hotfixes to install before you run adprep /Forestprep on a Windows 2000 domain controller to prepare the Forest and domains for the addition of Windows Server 2003-based domain controllers

Before you run the adprep /forestprep command, Microsoft recommends that you install certain hotfixes and service packs on any Microsoft Windows 2000-based domain controllers. The hotfixes and service packs are listed in this article.

The Adprep.exe utility is located in the I386 folder of your Windows Server 2003 installation media. The Adprep.exe utility prepares a Windows 2000 forest and its domains for the addition of Windows Server 2003 domain controllers.

The Adprep.exe utility operations include the addition of:

• Improved default security descriptors for object classes.
• Changes in group memberships.
• New directory objects that programs require.

The goal of the Windows Server 2003 Forest Upgrade and Windows Server 2003 Domain Upgrade utility is to add schema changes and permission objects in Active Directory so that they are secure and interoperate with newly-installed Windows Server 2003 domain controllers.

Windows 2000 domain controllers that replicate in changes from the adprep /forestprep command are vulnerable to the following three issues.

Vulnerability: Schema Additions Delete Columns from the Database and Domain Controllers Cannot Be Started

• Issue:
  
  A rare but fatal timing problem during large schema updates such as Adprep.exe can cause the bulk deletion of critical objects from Active Directory on Windows 2000 domain controllers. Affected domain controllers cannot start. These domain controllers must be restored or reinstalled.
• For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  303077

  (http://support.microsoft.com/kb/303077/ )

  SP 2 Hotfixes recommended before making schema changes in Active Directory forests
  
  
  
• Threat:
  
  The installation of a hotfix or service pack that avoids this vulnerability is mandatory for all Windows 2000 domain controllers in the forest before you run the adprep /forestprep command. Do not put domain controllers, the domain, or the forest at risk by running the adprep /forestprep command without having the appropriate fixes installed on every domain controller in the forest.
• Preventative fix:
  • Service Pack: Windows 2000 Service Pack 2 (SP2) or later
  • Hotfix in article 303077
  • File version information: Versions of the Ntdsa.dll file whose version and date stamp is equal to or greater than the following:
    

    Version        Date
    --------------------------
    5.0.2195.2864  Feb-05-2001

Vulnerability: Inefficient Replication of Schema Changes Consumes Network Bandwidth

• Issue:
  
  There is a performance problem. The introduction of schema changes is not replicated efficiently between domain controllers in the forest. This problem causes the consumption of additional network bandwidth.
• For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  300642

  (http://support.microsoft.com/kb/300642/ )

  Schema modification results in schema mismatch Event 1203 message
• Threat:
  
  Install the appropriate service pack or hotfix that prevents this problem if you have more than 10 domain controllers in the forest or cannot tolerate the use of additional network bandwidth across network links that connect domain controllers in the forest. This fix is optional for forests with a small number of domain controllers that are connected by high-speed links.
• Preventative fix:
  • Service pack: Windows 2000 Service Pack 3 (SP3) or later
  • Hotfix in article 300642
  • File version information: Versions of the Ntdsa.dll file whose version and date stamp is equal to or greater than the following:
    

    Version        Date
    --------------------------
    5.0.2195.3673  Jun-04-2001

Vulnerability: Active Directory Replication Is Delayed During the Index-Rebuilding Process

• Issue:
  
  Active Directory replication is delayed as new attributes that are added by the adprep /forestprep command are indexed and the schema cache is updated. The delay is a function of the number of indexed attributes that are being added to Active Directory and the size of the Active Directory database. You can estimate the replication delay with the following formula:
  
  
  (number of indexed attributes * database size in GB) / 50 = the replication delay in hours
  
  
  For example, the adprep /forestprep command adds five new indexed attributes, so a domain controller with a 15-GB database will have a 1.5-hour replication delay.
• For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  307219

  (http://support.microsoft.com/kb/307219/ )

  Replication stops after Active Directory schema update
• Threat:
  
  Install this fix if:
  • It takes less time to install the preventative hotfix or service pack than to wait for the reindexing operation to complete.
  • Active Directory replication delays cannot be tolerated in your environment.
  You can skip this step for domain controllers with a small number of objects.
• Preventative fix:
  • Service Pack: Windows 2000 SP3 or later
  • Hotfix in article 307219
  • File version information: Versions of the Ntdsa.dll file whose version and date stamp is equal to or greater than the following:
    

    Version        Date
    --------------------------
    5.0.2195.4464  Oct-09-2001

Guiding Principles

• There are individual hotfixes that mitigate all three vulnerabilities on domain controllers that are running Windows 2000 Service Pack 1 (SP1) or later. Therefore, do not deploy a service pack in your forest solely to use the adprep /forestprep command.
• Supplement the existing service pack revision that is installed on domain controllers in your forest with a newer Ntdsa.dll hotfix that prevents the schema-deletion issue or the two performance problems that apply to your forest.
• On domain controllers with Windows 2000 SP1 installed, you must install a version of the Ntdsa.dll file that prevents the schema-delete vulnerability. To do this, do one of the following:
  • Install an appropriate Ntdsa.dll hotfix. For best results, install a recent, well-tested Ntdsa.dll file that resolves the schema delete and the two performance vulnerabilities. The following are examples of such hotfixes:
    
    
    321933

    (http://support.microsoft.com/kb/321933/ )

    Services are not listed in the Security Configuration and Analysis snap-in
  • Install Windows 2000 SP2 or later.
• Domain controllers with Windows 2000 SP2 installed are not vulnerable to the schema-delete problem. If you have a small number of domain controllers or objects in Active Directory, no additional fixes are required. Administrators with either a large number of domain controllers or large databases can do one of the following:
  • Install an appropriate Ntdsa.dll hotfix. For best results, install a recent, well-tested Ntdsa.dll hotfix that resolves the two performance vulnerabilities. The following is an example of such a hotfix:
    
    
    321933

    (http://support.microsoft.com/kb/321933/ )

    Services are not listed in the Security Configuration and Analysis snap-in
  • Install Windows 2000 SP3 or later.
• Domain controllers with Windows 2000 SP3 installed are protected from the schema deletion and both performance vulnerabilities.

Windows 2000 SP3 Advantages and Issues

Windows 2000 domain controllers must have Windows 2000 SP2 for the Active Directory installation Wizard (Dcpromo.exe) to source Active Directory from Windows Server 2003 domain controllers that are hosting program partitions. If your environment is already running Windows 2000 SP2, keep that version and do not change it. If you are standardized on Windows 2000 SP1 and anticipate the addition of a Windows 2000 domain controller to a forest that contains Windows 2000 and Windows Server 2003 domain controllers, evaluate and consider deploying Windows 2000 SP3.

When Windows 2000 domain controllers have SP3 installed, it is easier to remotely administer Windows 2000 domain controllers from computers that are running Microsoft Windows XP Professional or Windows 2003 Server by using the Windows Server 2003 ADMINPAK. For more information about the LDAP signing requirements when Active Directory administration tools are run on computers that are running Microsoft Windows XP Professional or Windows 2003 Server computers that are focused on Windows 2000 computers, see the following article:
Consider adding the following post-SP3 hotfixes on domain controllers that are running Windows 2000 SP3. To do this, do one of the following:

• Manually add relevant fixes to each domain controller.
• Slipstream all or selected hotfixes to your Windows 2000 SP3 installation media or share point.
• Slipstream all or selected hotfixes to your installation media or installation share point that contains the Windows 2000 base operating system plus Windows 2000 SP3. If you do this, newly-installed domain controllers avoid known issues.

These fixes are particularly important to Windows 2000 SP3 computers that are running the Terminal and DNS services.