You are the administrator for a mid-sized company that consists of Windows 2000 and Windows Server 2003 domain controllers

Question
You are the administrator for a mid-sized company that consists of Windows 2000 and Windows Server 2003 domain controllers. Your plan is to eventually upgrade all domain controllers to Windows Server 2003. The five sites you have are not fully routed and therefore there have been some problems with regard to replicating Active Directory data. You know your budget will not allow you to add additional links or purchase additional equipment. What can you do to improve the efficiency of replication within your network?

Explanation / Answer
Upgrading Windows 2000 domain controllers to Windows Server 2003

The Windows Server 2003 adprep command that you run from the I386 folder of the Windows Server 2003 media prepares a Windows 2000 forest and its domains for the addition of Windows Server 2003 domain controllers. The Windows Server 2003 adprep /forestprep command adds the following features:

- Improved default security descriptors for object classes
- New user and group attributes
- New schema objects and attributes, such as inetOrgPerson

The adprep utility supports two command-line arguments:

- adprep /forestprep: Runs forest upgrade operations.
- adprep /domainprep: Runs domain upgrade operations.

The adprep /forestprep command is a one-time operation performed on the schema operations master (FSMO) of the forest. The forestprep operation must complete and replicate to the infrastructure master of each domain before you can run adprep /domainprep in that domain.

The adprep /domainprep command is a one-time operation that you run on the infrastructure operations master domain controller of each domain in the forest that will host new or upgraded Windows Server 2003 domain controllers. The adprep /domainprep command verifies that the changes from forestprep have replicated in the domain partition and then makes its own changes to the domain partition and group policies in the Sysvol share.

You cannot perform either of the following actions unless the /forestprep and the /domainprep operations have completed and replicated to all the domain controllers in that domain:

- Upgrade the Windows 2000 domain controllers to Windows Server 2003 domain controllers by using Winnt32.exe. Note: You can upgrade the Windows 2000 member servers and computers to Windows Server 2003 member computers whenever you want.
- Promote new Windows Server 2003 domain controllers into the domain by using Dcpromo.exe.

The domain that hosts the schema operations master is the only domain where you must run both adprep /forestprep and adprep /domainprep. In all other domains, you only have to run adprep /domainprep. The adprep /forestprep and the adprep /domainprep commands do not add attributes to the global catalog partial attribute set or cause a full synchronization of the global catalog. The RTM version of adprep /domainprep does cause a full sync of the Policies folder in the Sysvol tree. Even if you run forestprep and domainprep several times, completed operations are performed only one time.

After the changes from adprep /forestprep and adprep /domainprep completely replicate, you can upgrade the Windows 2000 domain controllers to Windows Server 2003 by running Winnt32.exe from the I386 folder of the Windows Server 2003 media. Also, you can add new Windows Server 2003 domain controllers to the domain by using Dcpromo.exe.

Upgrading the forest with the adprep /forestprep command

To prepare a Windows 2000 forest and domains to accept Windows Server 2003 domain controllers, follow these steps first in a lab environment, then in a production environment:

1. Make sure that you have completed all the operations in the "Forest Inventory" phase, with special attention to the following items:
   - You have created system state backups.
   - All the Windows 2000 domain controllers in the forest have installed all the appropriate hotfixes and service packs.
   - End-to-end replication of Active Directory is occurring throughout the forest.
   - FRS replicates the file system policy correctly throughout each domain.
2. Log on to the console of the schema operations master with an account that is a member of the Schema Admins security group.
3. Verify that the schema FSMO has performed inbound replication of the schema partition by typing the following at a Windows NT command prompt:
   repadmin /showreps
   (repadmin is installed by the Support\Tools folder of Active Directory.)
4. Early Microsoft documentation recommends that you isolate the schema operations master on a private network before you run adprep /forestprep. Real-world experience suggests that this step is not necessary and may cause a schema operations master to reject schema changes when it is restarted on a private network.
5. Run adprep on the schema operations master. To do so, click Start, click Run, type cmd, and then click OK. On the schema operations master, type the following command:
   X:\I386\adprep /forestprep
   where X:\I386 is the path of the Windows Server 2003 installation media. This command runs the forest-wide schema upgrade.
   Note: Events with event ID 1153 that are logged in the Directory Service event log, such as the sample that follows, can be ignored:
   Event Type: Error
   Event Source: NTDS General
   Event Category: Internal Processing
   Event ID: 1153
   Date: MM/DD/YYYY
   Time: HH:MM:SS AM|PM
   User: Everyone
   Computer:
   Description: Class identifier 655562 (class name msWMI-MergeablePolicyTemplate) has an invalid superclass 655560. Inheritance ignored.
6. Verify that the adprep /forestprep command successfully ran on the schema operations master. To do so, from the console of the schema operations master, verify the following items:
   - The adprep /forestprep command completed without error.
   - The CN=Windows2003Update object is written under CN=ForestUpdates,CN=Configuration,DC=forest_root_domain. Record the value of the Revision attribute.
   - (Optional) The schema version incremented to version 30. To do so, see the ObjectVersion attribute under CN=Schema,CN=Configuration,DC=forest_root_domain.
   If adprep /forestprep does not run, verify the following items:
   - The fully qualified path for Adprep.exe located in the I386 folder of the installation media was specified when adprep ran. To do so, type the following command: x:\i386\adprep /forestprep, where x is the drive that hosts the installation media.
   - The logged-on user who runs adprep has membership in the Schema Admins security group. To verify this, use the whoami /all command.
   If adprep still does not work, view the Adprep.log file in the %systemroot%\System32\Debug\Adprep\Logs\Latest_log folder.
7. If you disabled outbound replication on the schema operations master in step 4, enable replication so that the schema changes that were made by adprep /forestprep can propagate. To do this, follow these steps: Click Start, click Run, type cmd, and then click OK. Type the following, and then press ENTER:
   repadmin /options -DISABLE_OUTBOUND_REPL
8. Verify that the adprep /forestprep changes have replicated on all the domain controllers in the forest. It is useful to monitor the following attributes:
   - Incrementing of the schema version.
   - The CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=forest_root_domain or CN=Operations,CN=DomainUpdates,CN=System,DC=forest_root_domain object and the operations GUIDs under it have replicated in.
   - Search for new schema classes, objects, attributes, or other changes that adprep /forestprep adds, such as inetOrgPerson. View the SchXX.ldf files (where XX is a number between 14 and 30) in the %systemroot%\System32 folder to determine what objects and attributes there should be. For example, inetOrgPerson is defined in Sch18.ldf.
9. Look for mangled LDAPDisplayNames. If Exchange 2000 was installed before you ran the Windows Server 2003 adprep /forestprep command, see the following article in the Microsoft Knowledge Base: 314649 Windows Server 2003 adprep /forestprep command causes mangled attributes in Windows 2000 forests that contain Exchange 2000 servers. If you find mangled names, go to Scenario 3 of the same article.
10. Log on to the console of the schema operations master with an account that is a member of the Schema Admins security group of the forest that hosts the schema operations master.
Upgrading the domain with the adprep /domainprep command

Run adprep /domainprep after the /forestprep changes fully replicate to the infrastructure master domain controller in each domain that will host Windows Server 2003 domain controllers. To do so, follow these steps:

1. Identify the infrastructure master domain controller in the domain you are upgrading, and then log on with an account that is a member of the Domain Admins security group in the domain you are upgrading. Note: The enterprise administrator may not be a member of the Domain Admins security group in child domains of the forest.
2. Run adprep /domainprep on the infrastructure master. To do so, click Start, click Run, type cmd, and then on the infrastructure master type the following command:
   X:\I386\adprep /domainprep
   where X:\I386 is the path of the Windows Server 2003 installation media. This command runs domain-wide changes in the target domain. Note: The adprep /domainprep command modifies file permissions in the Sysvol share. These modifications cause a full synchronization of files in that directory tree.
3. Verify that domainprep completed successfully. To do so, verify the following items:
   - The adprep /domainprep command completed without error.
   - The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=<dn path of domain you are upgrading> object exists.
   If adprep /domainprep does not run, verify the following items:
   - The logged-on user who runs adprep has membership in the Domain Admins security group in the domain you are upgrading. To do so, use the whoami /all command.
   - The fully qualified path for Adprep.exe located in the I386 directory of the installation media was specified when you ran adprep. To do so, at a command prompt type the following command: x:\i386\adprep /forestprep, where x is the drive that hosts the installation media.
   If adprep still does not work, view the Adprep.log file in the %systemroot%\System32\Debug\Adprep\Logs\Latest_log folder.
4. Verify that the adprep /domainprep changes have replicated. To do so, for the remaining domain controllers in the domain, verify the following items:
   - The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=<dn path of domain you are upgrading> object exists and the value for the Revision attribute matches the value of the same attribute on the infrastructure master of the domain.
   - (Optional) Look for objects, attributes or access control list (ACL) changes that adprep /domainprep added.
5. Repeat steps 1-4 on the infrastructure master of the remaining domains in bulk or as you add or upgrade DCs in those domains to Windows Server 2003.
6. Now you can promote new Windows Server 2003 computers into the forest by using DCPROMO. Or, you can upgrade existing Windows 2000 domain controllers to Windows Server 2003 by using WINNT32.EXE.

Upgrading Windows 2000 domain controllers by using Winnt32.exe

After the changes from /forestprep and /domainprep completely replicate and you have made a decision about security interoperability with earlier-version clients, you can upgrade Windows 2000 domain controllers to Windows Server 2003 and add new Windows Server 2003 domain controllers to the domain. The following computers must be among the first domain controllers that run Windows Server 2003 in the forest in each domain:

- The domain naming master in the forest, so that you can create default DNS program partitions.
- The primary domain controller of the forest root domain, so that the enterprise-wide security principals that Windows Server 2003's forestprep adds become visible in the ACL editor.
- The primary domain controller in each non-root domain, so that you can create new domain-specific Windows 2003 security principals.

To do so, use WINNT32 to upgrade existing domain controllers that host the operational role you want. Or, transfer the role to a newly promoted Windows Server 2003 domain controller.
Perform the following steps for each Windows 2000 domain controller that you upgrade to Windows Server 2003 with WINNT32 and for each Windows Server 2003 workgroup or member computer that you promote:

1. Before you use WINNT32 to upgrade Windows 2000 member computers and domain controllers, remove Windows 2000 Administration Tools. To do so, use the Add/Remove Programs tool in Control Panel. (Windows 2000 upgrades only.)
2. Install any hotfix files or other fixes that either Microsoft or the administrator determines are important.
3. Check each domain controller for possible upgrade issues. To do so, run the following command from the I386 folder of the installation media:
   winnt32.exe /checkupgradeonly
   Resolve any issues that the compatibility check identifies.
4. Run WINNT32.EXE from the I386 folder of the installation media, and then restart the upgraded 2003 domain controller.
5. Lower the security settings for earlier-version clients as required. If Windows NT 4.0 clients do not have NT 4.0 SP6 or Windows 95 clients do not have the directory service client installed, disable SMB service signing in the Default Domain Controllers policy on the Domain Controllers organizational unit, and then link this policy to all organizational units that host domain controllers:
   Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
6. Verify the health of the upgrade using the following data points:
   - The upgrade completed successfully.
   - The hotfixes that you added to the installation successfully replaced the original binaries.
   - Inbound and outbound replication of Active Directory is occurring for all naming contexts held by the domain controller.
   - The Netlogon and Sysvol shares exist.
   - The event log indicates that the domain controller and its services are healthy.
   Note: You may receive the following event message after you upgrade:
   Event Type: Error
   Event Source: NTDS Backup
   Event Category: Backup
   Event ID: 1913
   Date: Date
   Time: HH:MM:SS AM|PM
   User: N/A
   Computer: computername
   Description: Internal error: The Active Directory backup and restore operation encountered an unexpected error. Backup or restore will not succeed until this is corrected.
   You can safely ignore this event message.
7. Install the Windows Server 2003 Administration Tools (Windows 2000 upgrades and Windows Server 2003 non-domain controllers only). Adminpak.msi is in the I386 folder of the Windows Server 2003 CD-ROM. Windows Server 2003 media contains updated support tools in the Support\Tools\Suptools.msi file. Make sure that you reinstall this file.
8. Make new backups of at least the first two Windows 2000 domain controllers that you upgraded to Windows Server 2003 in each domain in the forest. Locate the backups of the Windows 2000 computers that you upgraded to Windows Server 2003 in locked storage so you do not accidentally use them to restore a domain controller that now runs Windows Server 2003.
9. (Optional) Perform an offline defragmentation of the Active Directory database on the domain controllers that you upgraded to Windows Server 2003 after the single instance store (SIS) has completed (Windows 2000 upgrades only). The SIS reviews existing permissions on objects stored in Active Directory, and then applies a more efficient security descriptor on those objects. The SIS starts automatically (identified by event 1953 in the directory service event log) when upgraded domain controllers first start the Windows Server 2003 operating system.
   You benefit from the improved security descriptor store only when an event ID 1966 event message is logged in the directory service event log:
   Event Type: Information
   Event Source: NTDS SDPROP
   Event Category: Internal Processing
   Event ID: 1966
   Date: MM/DD/YYYY
   Time: HH:MM:SS AM|PM
   User: NT AUTHORITY\ANONYMOUS LOGON
   Computer:
   Description: The security descriptor propagator has completed a full propagation pass. Allocated space (MB): XX Free space (MB): XX This may have increased free space in the Active Directory database. User Action: Consider defragmenting the database offline to reclaim the free space that may be available in the Active Directory database. For more information, see Help and Support Center at http://support.microsoft.com.
   This event message indicates that the single instance store operation has completed and serves as a cue for the administrator to perform an offline defragmentation of the Ntds.dit using NTDSUTIL.EXE. The offline defragmentation can reduce the size of a Windows 2000 Ntds.dit file by up to 40%, improves Active Directory performance, and updates the pages in the database for more efficient storage of link-valued attributes. For more information about how to defragment the Active Directory database, click the following article number to view the article in the Microsoft Knowledge Base: 232122 Performing offline defragmentation of the Active Directory database
10. Investigate the DLT Server service. Windows Server 2003 domain controllers disable the DLT Server service on fresh and upgrade installs. If Windows 2000 or Windows XP clients in your organization use the DLT Server service, use Group Policy to enable the DLT Server service on new or upgraded Windows Server 2003 domain controllers. Otherwise, incrementally delete distributed link tracking objects from Active Directory. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
   - 312403 Distributed Link Tracking on Windows-based domain controllers
   - 315229 Text version of Dltpurge.vbs for Microsoft Knowledge Base article Q312403
   If you bulk delete thousands of DLT objects or other objects, you may block replication because of a lack of version store. Wait the tombstone lifetime number of days (by default, 60 days) after you delete the last DLT object and for garbage collection to complete, then use NTDSUTIL.EXE to perform an offline defragmentation of the Ntds.dit file.
11. Configure the best practice organizational unit structure. Microsoft recommends that administrators actively deploy the best practice organizational unit structure in all the Active Directory domains, and after they upgrade or deploy Windows Server 2003 domain controllers in Windows domain mode, redirect the default containers that earlier-version APIs use to create users, computers and groups to an organizational unit container that the administrator specifies. For additional information about the best practice organizational unit structure, view the "Creating an Organizational Unit Design" section of the "Best Practice Active Directory Design for Managing Windows Networks" white paper. To view the white paper, visit the following Microsoft Web site: http://technet.microsoft.com/en-us/library/bb727085.aspx For more information about changing the default container where users, computers and groups that earlier-version APIs create are located, click the following article number to view the article in the Microsoft Knowledge Base: 324949 Redirecting the users and computers containers in Windows Server 2003 domains
12. Repeat steps 1 through 10 as required for each new or upgraded Windows Server 2003 domain controller in the forest and step 11 (best practice organizational unit structure) for each Active Directory domain.
In summary:

- Upgrade Windows 2000 domain controllers with WINNT32 (from the slipstreamed installation media, if used).
- Verify that the hotfixed files have been installed on the upgraded computers.
- Install any required hotfixes not contained on the installation media.
- Verify the health of new or upgraded servers (AD, FRS, Policy, etc.).
- Wait 24 hours after the OS upgrade, then offline defrag (optional).
- Start the DLT service if you must; otherwise delete DLT objects using Q312403 / Q315229 after the forest-wide domainpreps.
- Perform an offline defrag 60+ days (tombstone lifetime and garbage collection number of days) after deleting DLT objects.
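The answer above tells you to confirm that the adprep markers (the schema ObjectVersion, and the Revision attribute of the CN=Windows2003Update objects under ForestUpdates and DomainUpdates) have replicated to every domain controller before promoting or upgrading. The PowerShell below is an added example, not part of the original answer or of any Microsoft tool: it reads those three values from each listed DC over LDAP using the built-in [ADSI] accessor and flags any DC that disagrees with a reference DC (the schema master for forest values, the infrastructure master for domain values). The DC names are constructed placeholders, and the caller is assumed to have read access to the Configuration and Domain partitions.

```powershell
# Added example (not from the original answer): check that the adprep
# /forestprep and /domainprep markers have replicated to every DC.
# Assumes: the DC names below are placeholders you replace with your own,
# and the account running this can read the partitions over LDAP.
param(
    [string[]]$DomainControllers = @('dc01.example.local', 'dc02.example.local'),
    [string]$Reference = 'dc01.example.local'   # the DC whose values are authoritative
)

# Bind to one LDAP object and return a single attribute, or $null if the
# object has not replicated to that DC yet (the bind fails on RefreshCache).
function Read-Attr([string]$Path, [string]$Name) {
    try {
        $entry = [ADSI]$Path
        $entry.RefreshCache()
        return [string]$entry.Properties[$Name].Value
    } catch {
        return $null
    }
}

# Collect the three adprep markers from a single DC. All three DNs are
# derived from that DC's RootDSE so the script works in any forest.
function Get-AdprepState([string]$Dc) {
    $config = Read-Attr "LDAP://$Dc/RootDSE" 'configurationNamingContext'
    $domain = Read-Attr "LDAP://$Dc/RootDSE" 'defaultNamingContext'
    [pscustomobject]@{
        DC             = $Dc
        SchemaVersion  = Read-Attr "LDAP://$Dc/CN=Schema,$config" 'objectVersion'
        ForestRevision = Read-Attr "LDAP://$Dc/CN=Windows2003Update,CN=ForestUpdates,$config" 'revision'
        DomainRevision = Read-Attr "LDAP://$Dc/CN=Windows2003Update,CN=DomainUpdates,CN=System,$domain" 'revision'
    }
}

$ref = Get-AdprepState $Reference
foreach ($dc in $DomainControllers) {
    $state = Get-AdprepState $dc
    # A missing object ($null) or a Revision that differs from the reference
    # means the adprep changes have not yet replicated to this DC.
    $inSync = ($state.SchemaVersion  -eq $ref.SchemaVersion)  -and
              ($state.ForestRevision -eq $ref.ForestRevision) -and
              ($state.DomainRevision -eq $ref.DomainRevision) -and
              ($null -ne $state.ForestRevision) -and ($null -ne $state.DomainRevision)
    $state | Add-Member -NotePropertyName InSync -NotePropertyValue $inSync -PassThru
}
```

Run it against DCs in one domain at a time, since DomainRevision is only comparable within a single domain; a DC that reports InSync = False is one where repadmin /showreps, as described in the answer, should be examined before you promote or upgrade it.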