Upgrading Windows 2000 Domains to Windows Server 2003 Domains
Upgrading your network operating system from Microsoft® Windows® 2000 to Windows® Server 2003 requires
minimal network configuration and typically has a low impact on user operations. The upgrade process is
straightforward, efficient, and allows your organization to take advantage of the improved security that is
offered by Windows Server 2003.
In This Chapter
Overview of Upgrading Your Windows 2000 Domains to Windows Server 2003 Domains .... 100
Planning to Upgrade Windows 2000 Domains to Windows Server 2003 Domains .... 108
Completing Pre-Upgrade Tasks .... 117
Upgrading Windows 2000 Domains to Windows Server 2003 Domains .... 127
Completing Post-Upgrade Tasks .... 136
Additional Resources .... 140
Related Information
• For more information about designing the Active Directory® directory service logical structure
and the DNS infrastructure needed to support Active Directory, see “Designing the Active
Directory Logical Structure” in this book.
• For more information about Active Directory functional levels, see “Enabling Advanced
Windows Server 2003 Active Directory Features ” in this book.
• For more information about upgrading from Microsoft® Windows NT® version 4.0 to Windows
Server 2003 Active Directory, see “Upgrading Windows NT 4.0 Domains to Windows
Server 2003 Active Directory” in this book.
• For more information about deploying a DNS infrastructure for name resolution on your
network, see “Deploying DNS ” in Deploying Network Services of this kit.
100 Chapter 9 Upgrading Windows 2000 Domains to Windows Server 2003 Domains
Note
For a list of the job aids that are available to assist you in upgrading
from Windows 2000 Server to Windows Server 2003, see “Additional
Resources” later in this chapter.
Note
Changes made by Adprep.exe do not affect the functioning of
Windows NT 4.0–based or Windows 2000–based domain controllers.
For more information about using Adprep.exe to prepare your environment, see “Prepare Your Infrastructure for
Upgrade” later in this chapter.
For example, you can use application directory partitions to store DNS data on Windows Server 2003–based
domain controllers. DNS-specific application directory partitions are automatically created in the forest and in
each domain when the DNS service is installed on new or upgraded Windows Server 2003–based domain
controllers. If application directory partition creation fails during Active Directory installation, DNS attempts to
create the partitions again every time that the service starts.
Note
The creation and deletion of application directory partitions, including
the default DNS application directory partitions, requires that the
domain naming master role holder reside on a Windows Server 2003–
based domain controller.
The following DNS-specific application directory partitions are created during Active Directory installation:
• ForestDnsZones — A forest-wide application directory partition shared by all DNS servers in
the same forest
• DomainDnsZones — Domain-wide application directory partitions for each DNS server in the
same domain
SRV resource records
A Windows Server 2003–based domain controller’s Net Logon service uses dynamic updates to register SRV
resource records in the DNS database, as described in “A DNS RR for specifying the location of services (DNS
SRV).” For more information about this draft, see the Internet Engineering Task Force (IETF) web page. This
SRV record is used to map the name of a service, such as the Lightweight Directory Access Protocol (LDAP)
service, to the DNS computer name of a server that offers that service. In a Windows Server 2003 network, an
LDAP resource record locates a domain controller. A workstation that is logging on to a Windows Server 2003
domain queries DNS for SRV records in the general form:
_Service._Protocol.DnsDomainName
where Service is the service requested, Protocol is the protocol requested, and DnsDomainName is the fully
qualified DNS name of the Active Directory domain.
Active Directory servers offer the LDAP service over the TCP protocol; therefore, clients find an LDAP server
by querying DNS for a record of the form:
_ldap._tcp.DnsDomainName
Note
The service and protocol strings require an underscore (_) prefix to
prevent potential collisions with existing names in the namespace.
This format is applicable for implementations of LDAP servers other than Windows Server 2003–based domain
controllers and also possible implementations of LDAP directory services that employ Global Catalog servers
other than servers running Windows Server 2003.
_msdcs.domain_name subdomain
This Microsoft-specific subdomain allows location of domain controllers that have Windows Server 2003–
specific roles in the domain, as well as the location by globally unique identifier (GUID) when a domain has
been renamed.
To facilitate location of Windows Server 2003–based domain controllers, the Net Logon service, in addition to
the standard _Service._Protocol.DnsDomainName records, also registers SRV records that identify the
well-known server-type pseudonyms “dc” (domain controller), “gc” (Global Catalog), “pdc” (primary domain
controller), and “domains” (GUID) as prefixes in the _msdcs.domain_name subdomain. To accommodate
locating domain controllers by server type or by GUID (abbreviated “dctype”), Windows Server 2003–based
domain controllers register SRV records in the following form in the _msdcs.domain_name subdomain:
_Service._Protocol.DcType._msdcs.DnsDomainName
_msdcs.forest_root_domain subdomain
The _msdcs.forest_root_domain subdomain stores forest-wide resource records that are of interest to clients and
domain controllers from all parts of the forest. For example, all domain controllers in the forest register
CNAME and LDAP, Kerberos, and GC SRV resource records in the _msdcs.forest_root_domain subdomain. The
CNAME resource records are used by the replication system to locate replication partners, and the GC SRV
resource records are used by clients to look up global catalog servers.
For any two domain controllers to replicate with each other, including two domain controllers from the same
domain, they must be able to look up forest-wide locator records. For a newly created domain controller to
participate in replication, it must be able to register its forest-wide records in DNS, and other domain controllers
must be able to look up these records. Therefore, the DNS servers that are authoritative for the
_msdcs.forest_root_domain subdomain need to be available for replication and global catalog lookups.
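The two locator name forms described above (_Service._Protocol.DnsDomainName and _Service._Protocol.DcType._msdcs.DnsDomainName), as an added example that is not part of the Deployment Kit: a Python script that composes and parses locator owner names and, given a listing of SRV records, reports which expected records a domain controller has not registered, which is the gap that leaves it unable to locate replication partners or be found by global catalog lookups. The domain names, host names and record listing are constructed for the example; the GUID form `_ldap._tcp.<GUID>.domains._msdcs.<forest>` and the specific set of records checked per domain controller come from Net Logon behaviour rather than from the chapter text, and the set is kept to the minimum.

```python
"""Added example: build, parse and check the DNS SRV locator names that the
Net Logon service registers for a Windows Server 2003 domain controller.
Sample zone data below is constructed; contoso.com is a placeholder forest."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known DcType pseudonyms used as prefixes under _msdcs (from the chapter).
DC_TYPES = ("dc", "gc", "pdc")


@dataclass(frozen=True)
class Locator:
    service: str
    protocol: str
    dctype: Optional[str]   # None for the plain form; "dc"/"gc"/"pdc";
                            # or "<guid>.domains" for the rename-safe GUID form
    domain: str


def locator_name(service: str, protocol: str, domain: str, dctype: Optional[str] = None) -> str:
    """Compose an owner name in one of the two forms the chapter describes."""
    if dctype is None:
        return f"_{service}._{protocol}.{domain}".lower()
    return f"_{service}._{protocol}.{dctype}._msdcs.{domain}".lower()


def parse_locator(name: str) -> Optional[Locator]:
    """Split an SRV owner name into its parts; None if it is not a locator name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        return None
    service, protocol, rest = labels[0][1:], labels[1][1:], labels[2:]
    # _ldap._tcp.<dctype>._msdcs.<domain>
    if len(rest) >= 3 and rest[0] in DC_TYPES and rest[1] == "_msdcs":
        return Locator(service, protocol, rest[0], ".".join(rest[2:]))
    # _ldap._tcp.<guid>.domains._msdcs.<forest>  (GUID form, survives a domain rename)
    if len(rest) >= 4 and rest[1] == "domains" and rest[2] == "_msdcs":
        return Locator(service, protocol, f"{rest[0]}.domains", ".".join(rest[3:]))
    return Locator(service, protocol, None, ".".join(rest))


def expected_locators(domain: str, forest_root: str, is_gc: bool, is_pdc: bool) -> List[str]:
    """Minimum owner names a DC must register: domain-wide records plus the
    forest-wide GC records under _msdcs.forest_root that clients depend on."""
    names = [
        locator_name("ldap", "tcp", domain),
        locator_name("kerberos", "tcp", domain),
        locator_name("ldap", "tcp", domain, "dc"),
        locator_name("kerberos", "tcp", domain, "dc"),
    ]
    if is_pdc:
        names.append(locator_name("ldap", "tcp", domain, "pdc"))
    if is_gc:
        names.append(locator_name("gc", "tcp", forest_root))
        names.append(locator_name("ldap", "tcp", forest_root, "gc"))
    return names


def missing_locators(zone: List[Tuple[str, str]], dc_host: str, domain: str,
                     forest_root: str, is_gc: bool, is_pdc: bool) -> List[str]:
    """Expected owner names for dc_host that have no SRV record pointing at it."""
    registered = {(owner.lower().rstrip("."), target.lower().rstrip("."))
                  for owner, target in zone}
    host = dc_host.lower().rstrip(".")
    return sorted(n for n in expected_locators(domain, forest_root, is_gc, is_pdc)
                  if (n, host) not in registered)


# Constructed sample: (owner name, SRV target) pairs for two DCs. dc1 is the PDC
# and a GC in the forest root; dc2 is a GC in a child domain that has not
# registered its forest-wide GC records, the failure the chapter warns about.
SAMPLE_ZONE = [
    ("_ldap._tcp.contoso.com", "dc1.contoso.com"),
    ("_kerberos._tcp.contoso.com", "dc1.contoso.com"),
    ("_ldap._tcp.dc._msdcs.contoso.com", "dc1.contoso.com"),
    ("_kerberos._tcp.dc._msdcs.contoso.com", "dc1.contoso.com"),
    ("_ldap._tcp.pdc._msdcs.contoso.com", "dc1.contoso.com"),
    ("_gc._tcp.contoso.com", "dc1.contoso.com"),
    ("_ldap._tcp.gc._msdcs.contoso.com", "dc1.contoso.com"),
    ("_ldap._tcp.emea.contoso.com", "dc2.emea.contoso.com"),
    ("_kerberos._tcp.emea.contoso.com", "dc2.emea.contoso.com"),
    ("_ldap._tcp.dc._msdcs.emea.contoso.com", "dc2.emea.contoso.com"),
    ("_kerberos._tcp.dc._msdcs.emea.contoso.com", "dc2.emea.contoso.com"),
]

if __name__ == "__main__":
    for host, dom, gc, pdc in (("dc1.contoso.com", "contoso.com", True, True),
                               ("dc2.emea.contoso.com", "emea.contoso.com", True, False)):
        print(host, "missing:", missing_locators(SAMPLE_ZONE, host, dom, "contoso.com", gc, pdc))
```

In practice the record listing would come from a zone dump (for example, the output of the Dnscmd.exe tool listed later in this chapter) rather than the embedded sample; the check is the same either way, and a non-empty result for a newly promoted domain controller points at a DNS server that is not authoritative for, or cannot accept dynamic updates for, the _msdcs.forest_root_domain zone.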
For this reason, it is recommended that you create a separate _msdcs.forest_root_domain zone and define its
replication scope so that it is replicated to all DNS servers in the forest. For more information about creating a
separate _msdcs.forest_root_domain zone, see KB article 817470. To find this article, see the Microsoft
Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Some organizations running Windows 2000 Active Directory already created an _msdcs.forest_root_domain to
help clients locate domain controllers more efficiently. If an _msdcs.forest_root_domain already exists in your
Windows 2000 environment, then it is recommended that you move the zone to the ForestDnsZones application
directory partition after all domain controllers in the forest are running Windows Server 2003. In addition, for
each domain in the forest, move the _msdcs.domain_name zone to the DomainDnsZones application directory
partition for that domain.
Moving the Active Directory–integrated DNS zones into the domain and forest-wide application directory
partitions provides the following benefits:
• Because the forest-wide application directory partition can replicate outside a specified domain,
and because moving the _msdcs.forest_root_domain into the forest-wide application directory
partition replicates it to all domain controllers in the forest that are running the DNS service,
you do not have to use DNS zone transfer to replicate the zone file information to DNS servers
outside the domain.
• Domain-wide replication can be targeted to minimize replication traffic because administrators
can specify which of the domain controllers running the DNS service receive the DNS zone
data.
• Forest-wide replication can be targeted to minimize replication traffic because DNS data is no
longer replicated to the global catalog.
• DNS records located on global catalog servers in the forest are removed, minimizing the
amount of information replicated with the global catalog.
For more information about using application directory partitions to store DNS data, see “Use DNS Application
Directory Partitions” later in this chapter.
Important
Do not modify the default 300/30 intrasite replication frequency on
Windows 2000 domain controllers. Instead, upgrade your
Windows 2000 domain to Windows Server 2003 and raise the forest
functional level to Windows Server 2003 to take advantage of the 15/3
intrasite replication frequency.
Planning to Upgrade
Windows 2000 Domains to
Windows Server 2003 Domains
Planning to upgrade your Windows 2000 environment to Windows Server 2003 Active Directory involves
completing the tasks and procedures that are shown in Figure 9.2.
Figure 9.2 Planning to Upgrade Windows 2000 Domains to Windows Server 2003 Domains
Table 9.1 shows the credentials that are required to upgrade servers, depending on the domain membership of
the servers.
Table 9.1 Credentials Required to Upgrade Servers to Windows Server 2003
Server types (columns): Domain Controller in Forest Root Domain; Member Server in Forest Root Domain;
Domain Controller in Regional Domain; Member Server in Regional Domain
Credentials (rows):
• Enterprise Admins in forest root domain
• Domain Admins in forest root domain
• Builtin\Administrators in forest root domain
• Domain Admins in regional domain
• Builtin\Administrators in regional domain
You also need to ensure that the administrator who is upgrading the domain controllers has the following rights:
• Backup files and directories (SE_BACKUP_NAME)
• Modify firmware environment values (SE_SYSTEM_ENVIRONMENT_NAME)
• Restore files and directories (SE_RESTORE_NAME)
• Shut down the system (SE_SHUTDOWN_NAME)
The setup program cannot run properly if these rights are not defined, or if they are disabled by a domain Group
Policy setting on the computer.
To verify if user rights assignments are disabled by a domain Group Policy setting
1. In the Run dialog box, type mmc, and then click OK.
2. Click File, and then click Add/Remove snap-in.
3. In the Add/Remove snap-in dialog box, click Add.
4. In the Available Standalone snap-ins dialog box, select Group Policy, and then click Add.
5. At the Welcome to the Group Policy Wizard screen, verify that Local Computer appears in the
Group Policy Object: box, and then click Finish.
6. Close the Add/Remove snap-in dialog box and the Add Standalone snap-in dialog box.
7. In the Console Root, navigate to the Local Computer Policy\Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment folder.
8. In the details pane, verify that the user who will perform the upgrade is a member in one of the
groups that has the necessary rights assigned. The policies are named identically to the user
rights listed above.
Assign the appropriate credentials in advance to allow both testing and deployment to proceed without
unexpected security delays.
Note
This order for upgrading or installing Windows Server 2003 domain
controllers is a recommendation only. It is safe to upgrade the domain
controllers holding the domain naming master and PDC emulator roles
at any time in the upgrade process.
Use a domain controller documentation table to document information about each domain controller in the
forest. For a worksheet to assist you in documenting your domain controller information, see “Windows 2000
Domain Controller Documentation” (DSSUPWN_2.doc) on the Windows Server 2003 Deployment Kit
companion CD (or see “Windows 2000 Domain Controller Documentation” on the Web at
http://www.microsoft.com/reskit).
Figure 9.4 shows an example of a completed domain controller documentation table for Contoso.
Table 9.3 Tools and Logs Used to Test Domain Upgrade Procedures

Tool / Log File: Repadmin.exe
Description: Checks replication consistency and monitors both inbound and outbound replication partners.
Displays replication status of inbound replication partners and directory partitions.
Location: Windows Server 2003 operating system CD in the Support\Tools folder.

Tool / Log File: Dcdiag.exe
Description: Diagnoses the state of domain controllers in a forest or enterprise, tests for successful Active
Directory connectivity and functionality, and returns the results as passed or failed.
Location: Windows Server 2003 operating system CD in the Support\Tools folder.

Tool / Log File: Netdiag.exe
Description: Diagnoses networking and connectivity problems by performing a series of tests to determine the
state of your network client and whether it is functional.
Location: Windows Server 2003 operating system CD in the Support\Tools folder.

Tool / Log File: Nltest.exe
Description: Queries and checks the status of trusts and can forcibly shut down domain controllers.
Location: Windows Server 2003 operating system CD in the Support\Tools folder.

Tool / Log File: Dnscmd.exe
Description: Provides the properties of DNS servers, zones, and resource records.
Location: Windows Server 2003 operating system CD in the Support\Tools folder.

Tool / Log File: Adprep Log
Description: Provides a detailed progress report of the forest and domain preparation process.
Location: %systemroot%\System32\Debug\Adprep folder.

Tool / Log File: Dcpromoui.log and Dcpromo.log
Description: Provides a detailed progress report of the Active Directory installation. Includes information
regarding replication and services in addition to applicable error messages.
Location: %systemroot%\Debug folder.

Tool / Log File: Adsiedit.exe
Description: A Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active
Directory and allows you to view, add, delete, and move objects and attributes within the directory.
Location: Windows Server 2003 operating system CD in the Support\Tools folder.
For more information about Windows Support Tools, in Help and Support Center for Windows Server 2003,
click Tools, and then click Windows Support Tools.
Create a test matrix that meets your needs, based on the services that you require to support your environment.
For a worksheet to assist you in documenting your test matrix, see “Windows 2000 Upgrade Test Matrix”
(DSSUPWN_3.doc) on the Windows Server 2003 Deployment Kit companion CD (or see “Windows 2000
Upgrade Test Matrix” on the Web at http://www.microsoft.com/reskit).
Figure 9.5 shows an example of a completed upgrade test matrix.
Figure 9.5 Example of a Windows 2000 Upgrade Test Matrix
Note
When administering Windows 2000–based domain controllers from a
computer running Windows XP Professional or Windows Server 2003,
you might experience interoperability problems with the Windows
Server 2003 administrative tools unless your Windows 2000–based
domain controllers are running Windows 2000 SP3 or later. Some
Windows Server 2003 Active Directory administrative tools sign and
encrypt all LDAP traffic. Computers running Windows 2000 SP3 or later
can interpret the signed and encrypted LDAP traffic.
Note
The repadmin /showattr command does not show any hotfixes that
might be installed on a domain controller.
Upgrade domain controllers to the appropriate service pack as needed. For more information about
recommended hotfixes to use with Service Pack 2, see article 331161, “List of Fixes to Use on Windows 2000
Domain Controllers Before You Run the Adprep/Forestprep Command” in the Microsoft Knowledge Base. To
find this article, see the Microsoft Knowledge Base link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.
Important
Store backup media in a secure off-site location designated by, and
accessible to, the upgrade team before you begin the upgrade process.
• Windows 2000–based computers running Remote Installation Services (RIS) might cause errors
in a Windows Server 2003 Active Directory domain.
When using Windows 2000 RIS server in your Windows Server 2003 Active Directory Domain,
you might receive the following error when using the Client Installation Wizard (CIW):
"Unable to create or Modify Computer account"
Error: 00004E4F
This error occurs because Windows Server 2003 creates machine account objects differently
from Windows 2000. To prevent this error from occurring when creating machine accounts,
configure the Windows 2000–based RIS servers in your environment to point to a domain
controller running Windows 2000. This is done by adding the DefaultServer registry parameter
to the Windows 2000 RIS servers.
For more information about configuring optional registry parameters for the Boot Information
Negotiation Layer (BINL) service, see article 235979, “Optional Registry Parameters for the
BINL Service” in the Microsoft Knowledge Base. To find this article, see the Microsoft
Knowledge Base link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.
You must remove the Windows 2000 Administration Tools Pack before upgrading to Windows
Server 2003. For more information about Windows 2000 administration tools and upgrade
issues, see article 304718, “Administering Windows 2000–Based Computers Using
Windows XP Professional–Based Clients,” in the Microsoft Knowledge Base. To find this
article, see the Microsoft Knowledge Base link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.
To identify potential upgrade and compatibility problems
• At the command line, connect to the I386 directory located at your installation source and type
the following command:
winnt32 /checkupgradeonly
When you are upgrading the operating system on a Windows 2000–based domain controller to Windows
Server 2003, Setup (Winnt32.exe) verifies that the forest and domain have been prepared. If you have not
prepared the forest and the domain in which the domain controller will be a member, or if the changes have not
fully replicated, Winnt32.exe fails, the upgrade terminates, and you are notified that you must run Adprep.exe
/forestprep in the forest and Adprep.exe /domainprep in the target domain.
Note
You can run Adprep.exe multiple times, but it performs actions only
once. For example, Adprep.exe does not adjust access control lists
(ACLs) each time you run the command.
You must prepare your infrastructure before using the Active Directory Installation Wizard to install Active
Directory on a Windows Server 2003–based member server. The Active Directory installation fails if the wizard
detects that the forest and domain have not been prepared.
Caution
Adprep.exe is the only supported method of upgrading the
Windows 2000 Active Directory schema to Windows Server 2003.
Attempting to use any other script or tool for this purpose can cause
problems with the schema and is not supported by Microsoft.
To prepare your Windows 2000 Active Directory forest and domain for the upgrade to Windows Server 2003
Active Directory, Adprep.exe performs the following tasks:
• Updates the Active Directory schema.
Note
Changes that are made to the global catalog by Adprep.exe do not
cause a full synchronization of the global catalog because the partial
attribute set is not changed.
• Creates new objects that are used by applications such as COM+ and Windows Management
Instrumentation (WMI).
• Creates new containers in Active Directory that are used to verify that the preparation was
successful.
You can run Adprep.exe only at the command line.
If you are already running Exchange 2000, you need to run the fixup script found in article 31469, “ADPREP
Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers.” To find
this article, see the Microsoft Knowledge Base link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.
If you have not yet deployed Exchange 2000 in your environment, you can avoid name collisions by preparing
the Active Directory forest by using adprep /forestprep to create the initial definition of the Secretary,
labeledURI, and houseIdentifier attributes before installing Exchange 2000. Specifically, you can avoid LDAP
display name collision problems by doing one of the following:
• Run the Active Directory Preparation tool in a Windows 2000 forest before you install
Exchange 2000.
• Add Exchange 2000 to an existing Windows Server 2003 forest.
For more information about schema collisions between Exchange 2000 and Windows Server 2003, see article
314649, “ADPREP Command Causes Mangled Attributes in Windows 2000 Forests That Contain
Exchange 2000 Servers,” and article 325379 “How to Upgrade Windows 2000 Domain Controllers to Windows
Server 2003” in the Microsoft Knowledge Base. To find these articles, see the Microsoft Knowledge Base link
on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Important
Adsiedit.exe is one of the Windows 2000 support tools, which is still
installed on the computer at this point in the domain upgrade process.
If you have removed the Windows 2000 support tools, you can reinstall
them from the Support\Tools folder on the Windows 2000 operating
system CD. For more information about Adsiedit.exe, in Help and
Support Center for Windows Server 2003, click Tools, and then click
Windows Support Tools.
2. Expand the Configuration container and verify that CN=ForestUpdates has been created.
3. Expand CN=ForestUpdates and verify that CN=Windows2003Upgrade is present.
4. Examine the Event Log for any event messages that indicate that the domain controller is not
functioning properly.
5. Verify that the changes that Adprep.exe made on the schema operations master are being
replicated to all the other domain controllers in the forest.
Successful replication is necessary when preparing an entire forest for Active Directory upgrade
because you can prepare a domain controller by using the adprep /domainprep command only
if it has received the changes made by the adprep /forestprep command. Attempting to
upgrade a domain controller that has not received the changes generates an error message.
Allow enough time for the changes to replicate to all domains in the forest.
Tip
Adprep.exe creates a log file each time it runs that can help you
troubleshoot errors. The log file documents each step of the forest
preparation process. Each Adprep.exe log file is located in a subfolder
in the %systemroot%\System32\Debug\Adprep folder. Each subfolder
is stamped with the date and time when Adprep.exe was run.
Although preparing the forest root domain for upgrade is not a difficult or unsafe procedure, you can take the
schema master offline as a precautionary measure to protect the Active Directory schema from corruption. If a
problem occurs while the computer is offline, use the following steps to recover:
1. Ensure that the corrupted schema operations master is not connected to the production
environment.
2. From a functional domain controller in the forest root domain, seize the schema master
operations role.
3. Use the Repadmin.exe tool to verify that the new schema operations master is replicating
successfully within the domain.
4. Perform a new Windows 2000 operating system installation on the corrupted computer.
After adprep /domainprep has finished, verify that all operations have completed successfully.
To verify that the Active Directory Preparation tool has completed all operations successfully
• Using Adsiedit.exe, expand the Domain container, and then go to DC=domainname,DC=com,
CN=System, CN=DomainUpdates. Verify that CN=Windows2003Upgrade is present.
–or–
In Active Directory Users and Computers, from the View menu, select Advanced Features.
Expand the System container, go to the DomainUpdates container, and then expand it. Verify
that the Windows2003Upgrade container is present.
If you receive an error message, do one of the following, based on the error message text:
• Run the adprep /forestprep command.
• Wait for replication to complete.
• Troubleshoot replication.
Windows Server 2003–based domain controllers can be introduced in your environment by either installing
Active Directory on a Windows Server 2003–based member server by using the Active Directory Installation
Wizard or by upgrading the operating system of an existing Windows 2000–based domain controller. Refer to
your domain controller documentation table, and follow the upgrade order determined earlier in the planning
process. For more information about the order in which to upgrade your domain controllers, see “Determine
Domain Controller Upgrade Order” earlier in this chapter.
Note
Before you attempt to upgrade a domain controller in another domain
to Windows Server 2003 Active Directory, remember that you must first
run the adprep /domainprep command on the infrastructure master
role holder in that domain. Run adprep /forestprep only once in the
forest root domain, and run adprep /domainprep once in each domain
in the forest in which you plan to locate a Windows Server 2003-based
domain controller.
– or –
Open Administrative Tools, and then click Configure Your Server Wizard. Select Domain
Controller (Active Directory) to configure your domain controller. After the Configure Your
Server Wizard finishes, the Active Directory Installation Wizard begins.
After the first Windows Server 2003–based domain controller has been deployed, you can install Active
Directory on additional domain controllers by installing from media, a new installation feature of Windows
Server 2003. Installing from media allows you to pre-populate Active Directory with System State data backed
up from an existing Windows Server 2003–based domain controller. This backup can be present on local CD,
DVD, or hard disk partition. Installing from media drastically reduces the time required to install directory
information by reducing the amount of data that is replicated over the network. Installing from media is most
beneficial in environments with very large domains or for installing new domain controllers that are connected
by a slow network link.
To install Active Directory on a Windows Server 2003–based member server from media
• In the Run dialog box, type dcpromo /adv, and then click OK.
The wizard prompts you to choose a network share or a backup as the installation source. If you are installing
from backup files, you must identify the location of the files. If the domain controller from which you restored
the System State data was a global catalog, you will have the option to make this new domain controller a global
catalog. The wizard will then proceed with the installation.
Table 9.4 lists information for installing Active Directory on a Windows Server 2003–based member server, in
addition to sample data for installing Active Directory on an additional domain controller in the existing
Contoso forest. Contoso will install Active Directory from a Windows Server 2003, Enterprise Edition CD by
using the dcpromo command.
Table 9.4 Installing Active Directory on Windows Server 2003–Based Member Servers

Wizard Page or Dialog Box: Domain Controller Type
Action: Select Additional domain controller for an existing domain.

Wizard Page or Dialog Box: Network Credentials
Action: Type the user name and password of an account with sufficient privileges to install Active Directory on
this computer, and the fully qualified domain name of the domain in which the computer will become an
additional domain controller.

Wizard Page or Dialog Box: Additional Domain Controller
Action: Type the full DNS name of the forest root domain.
Example: Concorp.contoso.com

Wizard Page or Dialog Box: Database and Log Folders
Action: Type the folder locations specified by your design.
Example: Database folder: C:\Windows\NTDS; Log folder: D:\Logs

Wizard Page or Dialog Box: Shared System Volume
Action: Confirm or type the location specified by your design.
Example: C:\Windows\SYSVOL

Wizard Page or Dialog Box: Directory Service Restore Mode Administration Password
Action: In the Password and Confirm password boxes, type any strong password.
Verify that all information on the Summary page is accurate, and then click Finish. After Active Directory is
installed, you will be prompted to restart the computer. The installation will not be complete until the computer
restarts.
After you install Active Directory on the Windows Server 2003–based member server, allow sufficient time for
replication to occur and for other domain controllers to synchronize with the new domain controller.
For more information about installing and removing Active Directory, see the Directory Services Guide of the
Microsoft® Windows® Server 2003 Resource Kit (or see the Directory Services Guide on the Web at
http://www.microsoft.com/reskit).
Important
Be aware that by modifying these policies you are weakening the
default security policies in your environment. However, this is
necessary to ensure that some clients running earlier versions of
Windows will be able to access domain resources. After all clients in
your environment are running versions of Windows that support SMB
packet and secure channel signing, you can re-enable these security
policies to increase security. It is recommended that you upgrade your
Windows–based clients as soon as possible.
In order to increase security, Windows Server 2003–based domain controllers require by default that clients
attempting to authenticate to them use SMB packet and secure channel signing. Clients running Windows 95 or
Windows NT 4.0 with Service Pack 2 (SP2) and earlier without the Directory Service Client Pack do not
support SMB packet signing and will not be able to log on or access domain resources on the network. Clients
running Windows NT 4.0 with Service Pack 3 (SP3) and earlier do not support secure channel signing and will
not be able to establish communications with a domain controller in their domain.
The most secure way to enable these clients to log on and access domain resources on the network is to apply the
appropriate service pack or the Directory Service Client Pack. If you cannot apply the most recent service pack
or the Directory Service Client Pack, configure all Windows Server 2003–based domain controllers to not
require SMB packet signing or secure channel signing by disabling the following settings in the Default Domain
Controllers Policy:
• Microsoft network server: Digitally sign communications (always)
• Domain member: Digitally encrypt or sign secure channel data (always)
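An added example in Python, not from the Deployment Kit, that serves two checks from this chapter: that the account performing the upgrade holds the four user rights Setup needs (listed earlier under the credentials required to upgrade servers) and whether the two signing policies above have been disabled, so that they can be found and re-enabled once the last down-level client is gone. It parses the .inf security template format that `secedit /export` writes. The mapping from the SE_*_NAME constants to privilege names, and from the two policy names to their registry values, is standard Windows behaviour rather than text from the chapter; both templates in the script are constructed.

```python
"""Added example: audit a security template (.inf, the format written by
`secedit /export`) for the user rights the upgrade account needs and for the
two signing policies this chapter allows you to relax during coexistence.
Both templates below are constructed for the example."""
import configparser
from typing import Dict, List, Set

# Win32 privilege constants named in the chapter, mapped to the privilege
# names used in a template's [Privilege Rights] section.
REQUIRED_RIGHTS = {
    "SE_BACKUP_NAME": "SeBackupPrivilege",
    "SE_SYSTEM_ENVIRONMENT_NAME": "SeSystemEnvironmentPrivilege",
    "SE_RESTORE_NAME": "SeRestorePrivilege",
    "SE_SHUTDOWN_NAME": "SeShutdownPrivilege",
}

# Registry values behind the two Security Options named in the chapter.
# Template syntax is "<path>=<type>,<data>": type 4 is REG_DWORD, data 1 means
# the policy is enabled (signing required) and 0 means it has been disabled.
SIGNING_POLICIES = {
    "Microsoft network server: Digitally sign communications (always)":
        r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature",
    "Domain member: Digitally encrypt or sign secure channel data (always)":
        r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal",
}

ADMINISTRATORS_SID = "S-1-5-32-544"     # well-known SID of Builtin\Administrators
BACKUP_OPERATORS_SID = "S-1-5-32-551"   # well-known SID of Builtin\Backup Operators


def load_template(text: str) -> configparser.ConfigParser:
    """Parse template text. Real exports are UTF-16 files: open with encoding="utf-16"."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str          # keep privilege names and registry paths as written
    cp.read_string(text)
    return cp


def missing_rights(cp: configparser.ConfigParser, principal_sids: Set[str]) -> List[str]:
    """Constants from REQUIRED_RIGHTS that none of the given SIDs hold."""
    section = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    missing = []
    for const, priv in REQUIRED_RIGHTS.items():
        holders = {h.strip().lstrip("*") for h in section.get(priv, "").split(",") if h.strip()}
        if not holders & principal_sids:
            missing.append(const)
    return missing


def signing_status(cp: configparser.ConfigParser) -> Dict[str, bool]:
    """True if the policy still requires signing; False if disabled or not defined."""
    values = {}
    if cp.has_section("Registry Values"):
        values = {k.lower(): v for k, v in cp.items("Registry Values")}
    status = {}
    for policy, path in SIGNING_POLICIES.items():
        parts = [p.strip() for p in values.get(path.lower(), "").split(",")]
        status[policy] = parts == ["4", "1"]
    return status


# Constructed: a domain controller still at the Windows Server 2003 defaults.
HARDENED_INF = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSystemEnvironmentPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
"""

# Constructed: the same DC after both signing policies were disabled for
# down-level clients and the shutdown right was narrowed to Administrators.
RELAXED_INF = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,0
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_INF), ("relaxed", RELAXED_INF)):
        cp = load_template(text)
        print(label, "missing rights for Backup Operators:", missing_rights(cp, {BACKUP_OPERATORS_SID}))
        for policy, required in signing_status(cp).items():
            print(label, policy, "->", "required" if required else "DISABLED")
```

Run against a real export (`secedit /export /cfg dc.inf` on each domain controller, opened with `encoding="utf-16"`), the `signing_status` result is the list to revisit once every client supports SMB packet and secure channel signing, and `missing_rights` with the SIDs of the upgrade account's groups tells you before Setup does whether a domain Group Policy setting has stripped one of the four rights.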
Back up the Default Domain Controllers Policy Group Policy object before modifying it. Use the Group Policy
Management Console (GPMC) to back up the Group Policy object so that it can be restored if necessary. The
Group Policy Management Console (GPMC) is a tool that permits you to manage Group Policy for multiple
domains and sites in one or more forests. GPMC is the recommended method for managing Group Policy;
however this chapter does not assume that you are using GPMC for security policy management and
deployment.
GPMC is not included with Windows Server 2003. To obtain GPMC, see the Group Policy Management
Console (GPMC) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Note
Modifying these settings in the Domain Controllers container will
change the Default Domain Controllers Policy. Policy changes made
here will be replicated to all other domain controllers in the domain, so
you only need to modify these policies one time to affect the Default
Domain Controllers Policy on all domain controllers.
For more information about SMB packet signing and secure channel signing, see “Background Information for
Upgrading Windows 2000 Domains to Windows Server 2003 Domains” earlier in this chapter.
For more information about security policies, see “Security options: Security Setting Descriptions” in Help and
Support Center for Windows Server 2003.
For more information about managing and deploying security policies and the Group Policy Management
Console (GPMC), see “Deploying Security Policy” in Designing a Managed Environment in this kit.
For more information about using GPMC for deploying Group Policy, see “Designing a Group Policy
Infrastructure” in Designing a Managed Environment in this kit.
Important
Raising the domain and forest functional levels to Windows
Server 2003 is a nonreversible task and prohibits the addition of
Windows NT 4.0–based or Windows 2000–based domain controllers to
the environment. Any existing Windows NT 4.0 or Windows 2000–
based domain controllers in the environment will no longer function.
Before raising functional levels to take advantage of advanced
Windows Server 2003 features, ensure that you will never need to
install domain controllers running Windows NT 4.0 or Windows 2000 in
your environment.
After all domains are operating at the Windows Server 2003 functional level, raise the forest functional level to
Windows Server 2003. To do this, in the Active Directory Domains and Trusts snap-in, right-click the Active
Directory Domains and Trusts node, and select Raise Forest Functional Level. This allows you to take advantage
of all Windows Server 2003 forest-level features.
Note
You can only raise the functional level of the forest to Windows
Server 2003 if all domains are set to the Windows 2000 native
functional level or higher.
For more information about enabling functional levels after upgrading from a Windows 2000 environment and
the features available at the Windows Server 2003 domain and forest functional levels, see “Enabling Advanced
Windows Server 2003 Active Directory Features” in this book.
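Because raising the functional levels cannot be undone, the following cmd.exe script, added here as an example and not taken from the Deployment Kit, performs the pre-flight checks that the Important and Note boxes above call for before you touch the snap-in. It assumes a forest root domain named corp.example.com, that every domain controller's computer object is in the default Domain Controllers OU, that the Windows Support Tools (for repadmin) are installed, and that it is run as a Domain Admin on a Windows Server 2003 domain controller. The msDS-Behavior-Version values it reads are the documented functional level encodings: 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003; for a domain at 0, ntMixedDomain distinguishes mixed (1) from native (0).

```batch
@echo off
rem Added example, not from the Deployment Kit: pre-flight checks before the
rem nonreversible raise of the domain and forest functional levels.
rem Assumptions: forest root corp.example.com, all DCs in the default
rem Domain Controllers OU, Windows Support Tools installed, run as a
rem Domain Admin on a Windows Server 2003 DC.
set DOMAIN=DC=corp,DC=example,DC=com

rem 1. Every domain controller must already run Windows Server 2003. Any
rem    Windows 2000 or Windows NT 4.0 DC listed here will stop functioning
rem    once the level is raised. Repeat in every domain of the forest.
dsquery * "OU=Domain Controllers,%DOMAIN%" -filter "(objectCategory=computer)" -attr dNSHostName operatingSystem operatingSystemServicePack

rem 2. Domain functional level. msDS-Behavior-Version: 0 = Windows 2000,
rem    1 = Windows Server 2003 interim, 2 = Windows Server 2003. At level 0,
rem    ntMixedDomain=1 means Windows 2000 mixed, which blocks raising the
rem    forest level; ntMixedDomain=0 means Windows 2000 native.
dsquery * "%DOMAIN%" -scope base -attr msDS-Behavior-Version ntMixedDomain

rem 3. Forest functional level is held on the Partitions container of the
rem    configuration partition, using the same value scale.
dsquery * "CN=Partitions,CN=Configuration,%DOMAIN%" -scope base -attr msDS-Behavior-Version

rem 4. The raised level is itself replicated; confirm inbound replication to
rem    this DC is healthy before making the change.
repadmin /showrepl
```

Raise the forest level only when step 1 shows nothing but Windows Server 2003 in every domain, step 2 shows ntMixedDomain=0 (or msDS-Behavior-Version of 1 or 2) in every domain, and step 4 reports no replication failures. After the raise, rerunning steps 2 and 3 should show msDS-Behavior-Version 2 on each domain and on the Partitions container.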
Move the DNS zones that you want to replicate to all DNS servers in the forest to the forest-wide DNS
application directory partition, ForestDnsZones. For each domain in the forest, move the DNS zones that you
want to replicate to all DNS servers in the domain to the domain-wide DNS application directory partition,
DomainDnsZones.
Important
Before you attempt to move DNS data to an application directory
partition, make sure that the domain naming master is hosted on a
Windows Server 2003–based domain controller.
If there is an existing _msdcs.forest_root_domain zone on your DNS server, move it to the ForestDnsZones
application directory partition.
If the _msdcs.forest_root_domain zone is not present as a separate zone on your DNS server, you do not need to
perform this procedure, because the DNS data stored under _msdcs.forest_root_domain is then part of the forest
root domain zone and moves with that zone to the domain-wide application directory partition, DomainDnsZones.
Note
For more information about DNS and application directory partitions,
see “Background Information for Upgrading Windows 2000 Domains to
Windows Server 2003 Domains” earlier in this chapter.
To change the replication scope of the domain-wide DNS zone by using a DNS
application directory partition
1. On a domain controller that hosts a DNS server in the particular domain, open the DNS snap-in,
right-click the DNS zone that uses the fully qualified domain name of the Active Directory
domain, and then click Properties.
2. Click the Change button next to Replication: All domain controllers in the Active Directory
domain.
3. Click To all DNS servers in the Active Directory domain domainname.
To change the replication scope of the _msdcs.forest_root_domain DNS zone by
using a DNS application directory partition
1. On a domain controller that hosts a DNS server in the forest root domain, open the DNS snap-
in, right-click the _msdcs.forest_root_domain DNS zone, and then click Properties.
2. Click the Change button next to Replication: All domain controllers in the Active Directory
domain.
3. Click To all DNS servers in the Active Directory forest forestname.
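The two snap-in procedures above can also be carried out from the command line with dnscmd.exe, which is useful when several domains have to be processed or the change has to be scripted and logged. The following cmd.exe script is an added example and is not part of the Deployment Kit text. It assumes a forest root domain named corp.example.com, that it is run on a domain controller that hosts DNS in that domain (as the procedures require, the domain-wide step must be run on a DC in each domain in turn), and that the domain naming master is already a Windows Server 2003 domain controller, as the Important box above requires.

```batch
@echo off
rem Added example, not from the Deployment Kit: move the domain zone to
rem DomainDnsZones and a separate _msdcs zone (if one exists) to
rem ForestDnsZones with dnscmd.exe instead of the DNS snap-in.
rem Assumptions: forest root corp.example.com; run on a DC that hosts DNS
rem in this domain; the domain naming master is a Windows Server 2003 DC.
set ROOT=corp.example.com

rem 1. Confirm the built-in application directory partitions exist and this
rem    server is enlisted in them. If they are missing, create them (skip
rem    these two lines when EnumDirectoryPartitions already lists them).
dnscmd /EnumDirectoryPartitions
dnscmd /CreateBuiltinDirectoryPartitions /forest
dnscmd /CreateBuiltinDirectoryPartitions /domain

rem 2. Domain-wide zone: replicate to all DNS servers in this domain.
rem    Repeat this line on a DNS-hosting DC in each other domain, with that
rem    domain's zone name.
dnscmd /ZoneChangeDirectoryPartition %ROOT% /domain

rem 3. _msdcs zone: only if it exists as a separate zone. Otherwise its data
rem    is inside the forest root zone and has already moved in step 2.
dnscmd /ZoneInfo _msdcs.%ROOT% >nul 2>&1
if errorlevel 1 (
    echo No separate _msdcs.%ROOT% zone; its records move with %ROOT%.
) else (
    dnscmd /ZoneChangeDirectoryPartition _msdcs.%ROOT% /forest
)

rem 4. Verify: the directory partition reported for each zone should now be
rem    DomainDnsZones.%ROOT% and ForestDnsZones.%ROOT% respectively.
dnscmd /ZoneInfo %ROOT%
dnscmd /ZoneInfo _msdcs.%ROOT%
```

The move is a one-time change of where the zone is stored; replication to the other DNS servers enlisted in the partition then happens through normal Active Directory replication, so allow for replication latency before checking the zone on another server.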
For more information about creating, enlisting in, and removing application directory partitions, see Help and
Support Center for Windows Server 2003. For more information about creating a DNS design for Active
Directory, see “Designing the Active Directory Logical Structure” in this book.
Important
The CN=Users and CN=Computers containers are computer-protected
objects. For backward compatibility reasons, you cannot (and must not)
remove them. However, you can rename these objects.
In Windows Server 2003 Active Directory, when the domain functional level has been raised to Windows
Server 2003, you can redirect the default CN=Users and CN=Computers containers to organizational units that
you specify so that each can support Group Policy, making them easier to manage.
To redirect the Users and Computers containers
1. In Active Directory Users and Computers, create the organizational units to which you will
redirect the users and computers that are created with earlier versions of the user interface and
command-line management tools.
2. At the command line, change to the System32 folder by typing:
cd %systemroot%\system32
3. In the %systemroot%\System32 folder, type the following, where newuserou is the name of the
new user OU and domainname is the name of the domain:
redirusr OU=newuserou,DC=domainname,DC=com
4. In the %systemroot%\System32 folder, type the following, where newcomputerou is the name
of the new computer OU and domainname is the name of the domain:
redircmp OU=newcomputerou,DC=domainname,DC=com
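The following cmd.exe script, an added example that is not part of the Deployment Kit text, carries out the whole procedure above and then verifies it in two ways: by reading the wellKnownObjects attribute of the domain, where the redirection is recorded, and by creating a test account with a legacy tool that cannot specify an OU. It assumes a domain named corp.example.com, target OUs named Staff and Workstations, that the domain functional level has already been raised to Windows Server 2003, and that it is run as a Domain Admin on a domain controller.

```batch
@echo off
rem Added example, not from the Deployment Kit: redirect the default Users
rem and Computers containers to OUs and verify that the redirection works.
rem Assumptions: domain corp.example.com, OUs named Staff and Workstations,
rem domain functional level Windows Server 2003, run as a Domain Admin on a DC.
set DOMAIN=DC=corp,DC=example,DC=com

rem 1. Create the target OUs. Group Policy can be linked to these, which the
rem    default containers do not support.
dsadd ou "OU=Staff,%DOMAIN%"
dsadd ou "OU=Workstations,%DOMAIN%"

rem 2. Redirect. Both tools are in %systemroot%\system32 on Windows Server 2003.
"%systemroot%\system32\redirusr.exe" "OU=Staff,%DOMAIN%"
"%systemroot%\system32\redircmp.exe" "OU=Workstations,%DOMAIN%"

rem 3. The redirection is stored in the domain head's wellKnownObjects
rem    attribute. The entry for GUID A9D1CA15768811D1ADED00C04FD8D5CD (users)
rem    should now point at OU=Staff, and the entry for GUID
rem    AA312825768811D1ADED00C04FD8D5CD (computers) at OU=Workstations.
dsquery * "%DOMAIN%" -scope base -attr wellKnownObjects

rem 4. Functional test with a legacy tool: net user has no OU option, so the
rem    account must be created in OU=Staff. The * prompts for a password so
rem    none is left in the command history. Delete the test account afterwards.
net user redirtest * /add /domain
dsquery user -samid redirtest
net user redirtest /delete /domain
```

The dsquery in step 4 should print a distinguished name ending in OU=Staff,DC=corp,DC=example,DC=com; if it still shows CN=Users, the redirection has not taken effect on the domain controller that served the request, which usually means the domain functional level is below Windows Server 2003 or the change has not replicated yet. Existing objects are not moved by redirusr or redircmp; only objects created after the change land in the new OUs.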
For more information about creating an organizational unit design, see “Designing the Active Directory Logical
Structure” in this book.
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
• “Enabling Advanced Windows Server 2003 Active Directory Features” in this book for more
information about advanced Active Directory features and how they are related to functional
levels.
• “Designing the Active Directory Logical Structure” in this book.
• “Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.
• “Deploying DNS” in Deploying Network Services of this kit for more information about
deploying DNS to support name resolution on your network.
• The Active Directory Branch Office Planning Guide link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.
Related Tools
• Adsiedit.exe
The ADSIEdit.exe tool is an MMC snap-in that you can use to edit objects in the Active
Directory database. For more information about ADSIEdit.exe, in Help and Support Center for
Windows Server 2003, click Tools, and then click Windows Support Tools.
• Repadmin.exe
The Repadmin.exe tool can be used to administer replication between domain controllers in
Active Directory. For information about how to use the Repadmin.exe tool, in Help and Support
Center for Windows Server 2003, click Tools, and then click Windows Support Tools.
Related Help Topics
For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set
search options. Under Help Topics, select the Search in title only check box.
• “Active Directory” in Help and Support Center for Windows Server 2003.
• “Installing and Upgrading the Operating System” in Help and Support Center for Windows
Server 2003 for more information about Active Directory preparation and the Active Directory
Preparation tool (Adprep.exe).
• “Managing Core Network Services” in Help and Support Center for Windows Server 2003 for
more information about application directory partitions.
Related Job Aids
• “Pre-Upgrade Task Checklist” (DSSUPWN_1.doc) on the Windows Server 2003 Deployment
Kit companion CD (or see “Pre-Upgrade Task Checklist” on the Web at
http://www.microsoft.com/reskit).
• “Windows 2000 Domain Controller Documentation” (DSSUPWN_2.doc) on the Windows
Server 2003 Deployment Kit companion CD (or see “Windows 2000 Domain Controller
Documentation” on the Web at http://www.microsoft.com/reskit).
• “Windows 2000 Upgrade Test Matrix” (DSSUPWN_3.doc) on the Windows Server 2003
Deployment Kit companion CD (or see “Windows 2000 Upgrade Test Matrix” on the Web at
http://www.microsoft.com/reskit).