This KB helps administrators avoid common mistakes while upgrading their systems.
Common problems while upgrading a Windows 2000 domain to Windows 2003 can easily be avoided by following some basic steps. In addition, there should be a rollback option that can help you recover from a failure in a short time.
Before you "run" and upgrade system to Windows 2003 domain, there are some considerations that must be taken into account:
1. Do you have sufficient disk space to complete the upgrade process?
2. Do you have Windows 2000 Service Pack 4 on all the domain controllers and Exchange servers?
3. Do you have Exchange 2000 / SharePoint 2001/2003 / Services for Unix 2 in your domain/forest? Some applications like these aren't supported by Windows 2003 servers, and should be upgraded to a new version or moved to an alternative server.
4. Do you have to fix the Active Directory schema? You can read and find information on this issue in:
5. Do you have any third-party software/hardware that isn't supported by Windows 2003? You can read and find information on this issue in:
6. Did you upgrade the applications to the latest service pack? Some applications that reside in the domain may need to be upgraded to the latest service pack as recommended by the application vendor.
7. Do you have legacy operating systems and/or UNIX/Linux operating systems? You can read and find information on this issue in:
8. Do you have a disaster recovery plan? Do you have a full system backup? (Don't forget to test the backup data.)
9. Do you have the "Active Directory restore mode" password? Without this password you can't restore Active Directory from the latest backup.
10. Do you need to enable Windows 2000 schema updates? The Windows 2000 schema should be configured to allow schema updates.
11. Do you have the correct version of Windows 2003? You can't install Active Directory on the "Web Server" edition or upgrade "Windows 2000 Advanced Server" to "Windows 2003 Server" (you will need the "Windows 2003 Enterprise" edition). Also, you usually can't upgrade OEM versions of NT4/2000 to Windows 2003 or use a Windows 2003 OEM version as an upgrade version:
12. If you plan to upgrade your Windows 2000 forest to Windows 2003, take care to upgrade your ADC to the Exchange 2003 version before raising the functional level of the forest; if you don’t, you will have problems with the older ADC being unable to correctly handle Linked Value Replication on group membership.
13. Does your system have a correct DNS infrastructure? Are the servers and clients configured to use the correct DNS servers? (I found out that some users configure their servers to use external DNS/ISP servers and not local DNS servers.) Also, using single-label DNS names may require some configuration changes:
14. You can't upgrade from SBS 2000 to a regular Windows 2003 domain. However, you can upgrade SBS 2000 to SBS 2003, or to a Windows 2003 domain by using an export/import migration process.
15. Do you have Read permission (at least) for all GPOs in the domain? (If the Domain Admin group doesn't have this permission, the GPO upgrade will fail, usually in the ADPREP /Domainprep step.)
16. Do you need to open some ports in the company firewall/router?
17. Did you move the Exchange Enterprise Servers group and the Exchange Domain Servers group to another container?
18. Did you install Windows 2003 on a multihomed computer?
19. Did you use the InetOrgPerson object in the domain?
20. If you would like to upgrade a Small Business Server domain environment to a regular Windows 2003 domain, read:
21. Install a WINS server and configure the clients to use it. Although most people think that there is no need for a WINS server in the network, there may be some situations in which you need NetBIOS name resolution in your network:
22. If you would like to migrate to a Windows 2003 R2 domain, consider doing the migration in two stages:
a. Migration from the NT/2000 domain to a Windows 2003 domain
b. Migration from the Windows 2003 domain to a Windows 2003 R2 domain
Note: There is no technical limitation on migrating directly to a Windows 2003 R2 domain, but using these two stages allows you to reduce the project risk, allows faster rollback and facilitates troubleshooting.
I found some nice tips that can save time and may help you in the upgrade process:
1. Move all FSMO roles to one domain controller and configure all the DCs as GCs.
2. Move the domain controller from step 1 to a unique VLAN that is isolated from the regular network.
3. Back up the domain controller from step 1 by using tape backup and an image utility.
4. After running ADPREP /Forestprep, check that the Windows 2003 schema was upgraded to contain the new 2003 forest attributes.
5. After running ADPREP /Domainprep, check that the Windows 2003 schema was upgraded to contain the new 2003 domain attributes.
6. Disable any antivirus software on the server before the upgrade process.
7. Log on to the domain controller from step 1 with an account that is a member of the Enterprise Admin group, the Domain Admin group and the Schema Admin group. If you have an Exchange system in your organization, the account should also have Full Exchange Admin permission on the Exchange organization, the administrative groups (sites in an Exchange 5.5 environment) and the Exchange servers (and, in an Exchange 5.5 environment, full control on the "Configuration" container as well).
8. Test this upgrade in a lab before implementing it on a production server.
9. Copy the I386 directory content from the Windows 2003 CD-ROM to the local server hard disk.
10. Verify that all servers in the domain have the correct time zone and are configured to synchronize from the same server (usually this is the PDC emulator).
11. Activate the new Windows 2003 Server before implementing any changes on the system.
12. If you add a new Windows 2003 server to the domain, make sure to configure the correct domain name and domain suffix.
13. Don't use forbidden characters in the domain and/or server name (e.g. *, _).
14. Before you implement a Windows 2003 CA, a Windows 2003 Cluster or Exchange 2003, configure at least one DC as a Windows 2003 DC and GC, and configure the Windows 2003 CA, Windows 2003 Cluster or Exchange 2003 to use this server as the default logon server.
15. If you have a multidomain hierarchy, upgrade the forest root domain first, and only after this upgrade is complete, the rest of the forest.
16. If you have a multisite hierarchy, let the changes made by the ADPREP command replicate to all other sites. Verify that each DC has upgraded its schema version before you install the Windows 2003 Server.
17. After running the ADPREP command, open %systemroot%\system32\debug\adprep\logs\ADPrep.log and check for error messages that might need to be resolved.
18. Read the article "How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2" before beginning the migration.
19. If you installed Exchange 2000/2003, it's recommended to run the Policytest.exe utility before the upgrade:
20. Read: HOW TO: Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based Domain Controller
HOW TO: Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration
How to Use Active Directory Migration Tool Version 2 to Migrate from Windows 2000 to Windows Server 2003
Active Directory Migration Tool v3.0
How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
Upgrading to Windows Small Business Server 2003
Domain Migration Cookbook
Windows Server 2003 PKI Operations Guide
21. If the upgrade process needs to take more than a few hours, consider changing the domain configuration to prevent overloading on the first domain controller. Read:
How to Prevent Overloading on the First Domain Controller During Domain Upgrade
22. Review the new settings of Windows 2003 Service Pack 1:
Note: New functionality was added in Windows 2003 Service Pack 1. Skipping this stage may limit the server functionality and the correct operation of the forest and domain.
23. Review the functions and use of the "ADPREP /domainprep /gpprep" command.
24. Verify that you use an account that owns the "Delegation Privilege" right.
25. If you need to move computer accounts to a new domain, disable the use of "Offline Folder" on the local computers. After the migration, you can enable it again.
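One way to carry out the checks in tips 4, 5 and 16, as an added example that is not part of the original article: it asks every domain controller individually for its schema version and for the marker object that ADPREP /Domainprep creates, so a DC that has not yet received the changes is visible. It assumes a domain-joined administrative workstation with PowerShell 2.0 or later; the variable names are illustrative.

```powershell
# Added example: per-DC verification that the ADPREP changes have replicated.
# Schema objectVersion values: 13 = Windows 2000, 30 = Windows Server 2003.
$Expected = 30

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$report = foreach ($dc in $domain.DomainControllers) {
    $row = New-Object PSObject -Property @{
        DC = $dc.Name; SchemaVersion = $null; DomainPrep = $false; Status = 'Unreachable'
    }
    try {
        # Bind to this specific DC, not "any DC", so replication lag shows up.
        $rootDse   = [ADSI]"LDAP://$($dc.Name)/RootDSE"
        $schemaNc  = $rootDse.psbase.Properties['schemaNamingContext'].Value
        $defaultNc = $rootDse.psbase.Properties['defaultNamingContext'].Value

        # The schema container carries the version that ADPREP /Forestprep raises.
        $schema = [ADSI]"LDAP://$($dc.Name)/$schemaNc"
        $row.SchemaVersion = [int]$schema.psbase.Properties['objectVersion'].Value

        # ADPREP /Domainprep creates this object once its domain changes are done.
        $marker = "CN=Windows2003Update,CN=DomainUpdates,CN=System,$defaultNc"
        $row.DomainPrep = [System.DirectoryServices.DirectoryEntry]::Exists(
            "LDAP://$($dc.Name)/$marker")

        if ($row.SchemaVersion -ge $Expected -and $row.DomainPrep) {
            $row.Status = 'Ready'
        } else {
            $row.Status = 'Not replicated yet'
        }
    } catch {
        # Leave Status as 'Unreachable' and keep the reason for the operator.
        $row.Status = "Unreachable: $($_.Exception.Message)"
    }
    $row
}

$report | Format-Table DC, SchemaVersion, DomainPrep, Status -AutoSize

# Hold off installing the first Windows 2003 DC until every row is 'Ready'.
$notReady = @($report | Where-Object { $_.Status -ne 'Ready' })
if ($notReady.Count -gt 0) {
    Write-Warning "$($notReady.Count) domain controller(s) have not received the ADPREP changes."
}
```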
And if something goes wrong?
1. If you followed the process that I described in the "Before you "run" and upgrade system to Windows 2003..." section in this article, a rollback should take no more than 30 minutes.
2. If you didn't follow the process that I described in the "Before you "run" and upgrade system to Windows 2003..." section in this article, a rollback may take a long time, and in the worst situations may require reinstalling the Windows 2000 domain.
Please follow these short instructions:
1. Check that you logged on with a user that has sufficient permissions to upgrade the schema and the system.
2. Check that you enabled schema changes, and reapply the ADPREP /Forestprep and ADPREP /Domainprep commands.
3. Consider using ADMT2/ADMT3 to migrate users from the Windows 2000 domain to the new Windows 2003 domain (in a new forest). You can read and find information on this issue in:
4. Follow the instructions below if you are unable to successfully run adprep /domainprep on a Windows 2000 domain:
5. Consider calling your local Microsoft support center.
How to Verify That SRV DNS Records Have Been Created for a Domain Controller
How to Verify an Active Directory Installation in Windows Server 2003
Virus Scanning Recommendations on a Windows 2000 or on a Windows Server 2003 Domain Controller
Operations That Are Performed by the Adprep.exe Utility When You Add a Windows Server 2003 Domain Controller to a Windows 2000 Domain or Forest
KCC Error Event 1567 Occurs When You Install DNS on a Windows Server 2003-Based Domain Controller
The Default Domain Controller Security Policy Icon and the Domain Security Policy Icon Do Not Work When You Upgrade to Windows Server 2003
Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled
Windows 2000 and Windows Server 2003 Setup Does Not Succeed When You Upgrade from a Windows NT 4.0-Based Primary Domain Controller
Cluster Service Does Not Start After You Upgrade to Windows Server 2003, Enterprise
A terminal server no longer runs in application mode after you upgrade the terminal server to Windows Small Business Server 2003
Exchange 2000 Recipient Update Service does not replicate changes successfully in forest functional level 1 or 2 in Windows Server 2003 Active Directory
Inter-Forest Trust Appears as "External" or "Unknown"
"Microsoft Windows Has Detected Software That Is Not Completely Installed on Your Computer" Message When You Upgrade a Windows 2000 Server-Based Computer to Windows Server 2003
Firewall Clients Cannot Connect to the Internet After You Upgrade an ISA Server to Windows Server 2003
"ERR3:7075 Failed to change domain affiliation, hr=800706fb" error when the Active Directory Migration Tool version 2 is run in test mode
Windows 2000 Enterprise CAs Not Added to Certificate Publishers Group in Windows Server 2003 Domain
Enterprise CA May Not Publish Certificates from Child Domain or Trusted Domain
"The current DC is not in the domain controller's OU" error message when you run the Dcdiag tool
Problems logging on to a Windows 2000-based server or a Windows 2003-based server
The Recipient Update Service does not update objects correctly when Exchange 2000 Server is running in a Windows Server 2003 forest
NDR Message appear after reply to old email after mailbox migration
Out of memory error messages when you try to save files
You Experience Slow File Server Performance and Delays Occur When You Work With Files That Are Located on a File Server
Error message when you prepare an Active Directory forest for Exchange Server 2003: "Extending the schema in Active Directory failed"
Windows Server 2003 Upgrade Paths
Windows 2003 Deployment Scenarios
What's New in Windows Server 2003 R2
Common Mistakes When Upgrading Exchange 5.5/2000 To a Exchange 2003
.NET Enterprise Servers Online Books
HOW TO: Raise Domain and Forest Functional Levels in Windows Server 2003