Hotfixes to install before you run adprep /Forestprep on a Windows 2000 domain controller to prepare the Forest and domains for the addition of Windows Server 2003-based domain controllers

Article translations Article translations
Article ID: 331161
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
Expand all | Collapse all

On This Page

Summary

Before you run the adprep /forestprep command, Microsoft recommends that you install certain hotfixes and service packs on any Microsoft Windows 2000-based domain controllers. The hotfixes and service packs are listed in this article.

More information

The Adprep.exe utility is located in the I386 folder of your Windows Server 2003 installation media. The Adprep.exe utility prepares a Windows 2000 forest and its domains for the addition of Windows Server 2003 domain controllers.

The Adprep.exe utility operations include the addition of:
  • Improved default security descriptors for object classes.
  • Changes in group memberships.
  • New directory objects that programs require.
The goal of the Windows Server 2003 Forest Upgrade and Windows Server 2003 Domain Upgrade utility is to add schema changes and permission objects in Active Directory so that they are secure and interoperate with newly-installed Windows Server 2003 domain controllers.

Windows 2000 domain controllers that replicate in changes from the adprep /forestprep command are vulnerable to the following three issues.

Vulnerability: Schema Additions Delete Columns from the Database and Domain Controllers Cannot Be Started

  • Issue:

    A rare but fatal timing problem during large schema updates such as Adprep.exe can cause the bulk deletion of critical objects from Active Directory on Windows 2000 domain controllers. Affected domain controllers cannot start. These domain controllers must be restored or reinstalled.
  • For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
    303077 SP 2 Hotfixes recommended before making schema changes in Active Directory forests


  • Threat:

    The installation of a hotfix or service pack that avoids this vulnerability is mandatory for all Windows 2000 domain controllers in the forest before you run the adprep /forestprep command. Do not put domain controllers, the domain, or the forest at risk by running the adprep /forestprep command without having the appropriate fixes installed on every domain controller in the forest.
  • Preventative fix:
    • Service Pack: Windows 2000 Service Pack 2 (SP2) or later
    • Hotfix in article 303077
    • File version information: Versions of the Ntdsa.dll file whose version and date stamp is equal to or greater than the following:
      Version        Date
      --------------------------
      5.0.2195.2864  Feb-05-2001

Vulnerability: Inefficient Replication of Schema Changes Consumes Network Bandwidth

  • Issue:

    There is a performance problem. The introduction of schema changes is not replicated efficiently between domain controllers in the forest. This problem causes the consumption of additional network bandwidth.
  • For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
    300642 Schema modification results in schema mismatch Event 1203 message
  • Threat:

    Install the appropriate service pack or hotfix that prevents this problem if you have more than 10 domain controllers in the forest or cannot tolerate the use of additional network bandwidth across network links that connect domain controllers in the forest. This fix is optional for forests with a small number of domain controllers that are connected by high-speed links.
  • Preventative fix:
    • Service pack: Windows 2000 Service Pack 3 (SP3) or later
    • Hotfix in article 300642
    • File version information: Versions of the Ntdsa.dll file whose version and date stamp is equal to or greater than the following:
      Version        Date
      --------------------------
      5.0.2195.3673  Jun-04-2001

Vulnerability: Active Directory Replication Is Delayed During the Index-Rebuilding Process

  • Issue:

    Active Directory replication is delayed as new attributes that are added by the adprep /forestprep command are indexed and the schema cache is updated. The delay is a function of the number of indexed attributes that are being added to Active Directory and the size of the Active Directory database. You can estimate the replication delay with the following formula:

    (number of indexed attributes * database size in GB) / 50 = the replication delay in hours


    For example, the adprep /forestprep command adds five new indexed attributes, so a domain controller with a 15-GB database will have a 1.5-hour replication delay.
  • For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
    307219 Replication stops after Active Directory schema update
  • Threat:

    Install this fix if:
    • It takes less time to install the preventative hotfix or service pack than to wait for the reindexing operation to complete.
    • Active Directory replication delays cannot be tolerated in your environment.
    You can skip this step for domain controllers with a small number of objects.
  • Preventative fix:
    • Service Pack: Windows 2000 SP3 or later
    • Hotfix in article 307219
    • File version information: Versions of the Ntdsa.dll file whose version and date stamp is equal to or greater than the following:
      Version        Date
      --------------------------
      5.0.2195.4464  Oct-09-2001

Guiding Principles

  • There are individual hotfixes that mitigate all three vulnerabilities on domain controllers that are running Windows 2000 Service Pack 1 (SP1) or later. Therefore, do not deploy a service pack in your forest solely to use the adprep /forestprep command.
  • Supplement the existing service pack revision that is installed on domain controllers in your forest with a newer Ntdsa.dll hotfix that prevents the schema-deletion issue or the two performance problems that apply to your forest.
  • On domain controllers with Windows 2000 SP1 installed, you must install a version of the Ntdsa.dll file that prevents the schema-delete vulnerability. To do this, do one of the following:
    • Install an appropriate Ntdsa.dll hotfix. For best results, install a recent, well-tested Ntdsa.dll file that resolves the schema delete and the two performance vulnerabilities. The following are examples of such hotfixes:

      321933 Services are not listed in the Security Configuration and Analysis snap-in
    • Install Windows 2000 SP2 or later.
  • Domain controllers with Windows 2000 SP2 installed are not vulnerable to the schema-delete problem. If you have a small number of domain controllers or objects in Active Directory, no additional fixes are required. Administrators with either a large number of domain controllers or large databases can do one of the following:
    • Install an appropriate Ntdsa.dll hotfix. For best results, install a recent, well-tested Ntdsa.dll hotfix that resolves the two performance vulnerabilities. The following is an example of such a hotfix:

      321933 Services are not listed in the Security Configuration and Analysis snap-in
    • Install Windows 2000 SP3 or later.
  • Domain controllers with Windows 2000 SP3 installed are protected from the schema deletion and both performance vulnerabilities.

Windows 2000 SP3 Advantages and Issues

Windows 2000 domain controllers must have Windows 2000 SP2 for the Active Directory installation Wizard (Dcpromo.exe) to source Active Directory from Windows Server 2003 domain controllers that are hosting program partitions. If your environment is already running Windows 2000 SP2, keep that version and do not change it. If you are standardized on Windows 2000 SP1 and anticipate the addition of a Windows 2000 domain controller to a forest that contains Windows 2000 and Windows Server 2003 domain controllers, evaluate and consider deploying Windows 2000 SP3.

When Windows 2000 domain controllers have SP3 installed, it is easier to remotely administer Windows 2000 domain controllers from computers that are running Microsoft Windows XP Professional or Windows 2003 Server by using the Windows Server 2003 ADMINPAK. For more information about the LDAP signing requirements when Active Directory administration tools are run on computers that are running Microsoft Windows XP Professional or Windows 2003 Server computers that are focused on Windows 2000 computers, see the following article:
325465 Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools
Consider adding the following post-SP3 hotfixes on domain controllers that are running Windows 2000 SP3. To do this, do one of the following:
  • Manually add relevant fixes to each domain controller.
  • Slipstream all or selected hotfixes to your Windows 2000 SP3 installation media or share point.
  • Slipstream all or selected hotfixes to your installation media or installation share point that contains the Windows 2000 base operating system plus Windows 2000 SP3. If you do this, newly-installed domain controllers avoid known issues.
These fixes are particularly important to Windows 2000 SP3 computers that are running the Terminal and DNS services.
328020 Redirected printing through a Terminal Services session may not work with Windows 2000 SP3
328894 First character of each line is missing when you print with the generic printer driver
324906 Cannot start an Office program after you install Service Pack 3 (SP3) for Windows 2000
329170 MS02-070: Flaw in SMB signing may permit Group Policy to be modified
321733 Error message when you write a file to a server from a Windows XP-based or a Windows 2000-based computer: "Delayed Write Failed"
326798 Some Windows 2000 SMB redirector hotfixes may cause a conflict with SP3 for Windows 2000
329405 DNS name resolution does not work for users who are not administrators
304653 The serial number is decremented in DNS when you reboot the computer

Properties

Article ID: 331161 - Last Review: June 19, 2014 - Revision: 17.0
Keywords: 
kbinfo KB331161

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com