Prepare Your Infrastructure for Upgrade
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Preparing your infrastructure for upgrade involves resolving any Active Directory schema compatibility issues, such as issues that might occur with Microsoft® Exchange 2000 and Services for UNIX 2.0, and then running Adprep.exe to prepare the forest and domains for the upgrade. Before you upgrade the first Windows 2000–based domain controller to Windows Server 2003 Active Directory, you must use Adprep.exe to:
Run adprep /forestprep once on the schema master to prepare the forest.
Run adprep /domainprep once on the infrastructure master in each domain in which you plan to place a Windows Server 2003–based domain controller.
If you are using the version of Adprep.exe that is included with Windows Server 2003 Service Pack 1 (SP1), run adprep /domainprep /gpprep on the infrastructure master in each domain in which you plan to place a Windows Server 2003–based domain controller. For more information about this new adprep.exe switch, see Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1.
When you are upgrading the operating system on a Windows 2000–based domain controller to Windows Server 2003, Setup (Winnt32.exe) verifies that the forest and domain have been prepared. If you have not prepared the forest and the domain in which the domain controller will be a member, or if the changes have not fully replicated, Winnt32.exe fails, the upgrade terminates, and you are notified that you must run Adprep.exe /forestprep in the forest and Adprep.exe /domainprep in the target domain.
- You can run Adprep.exe multiple times, but it performs actions only once. For example, Adprep.exe does not adjust access control lists (ACLs) each time you run the command.
You must prepare your infrastructure before using the Active Directory Installation Wizard to install Active Directory on a Windows Server 2003–based member server. The Active Directory installation fails if the wizard detects that the forest and domain have not been prepared.
- Adprep.exe is the only supported method of upgrading the Windows 2000 Active Directory schema to Windows Server 2003. Attempting to use any other script or tool for this purpose can cause problems with the schema and is not supported by Microsoft.
To prepare your Windows 2000 Active Directory forest and domain for the upgrade to Windows Server 2003 Active Directory, Adprep.exe performs the following tasks:
Updates the Active Directory schema.
- Changes that are made to the global catalog by Adprep.exe do not cause a full synchronization of the global catalog because the partial attribute set is not changed.
Improves default security descriptors.
Upgrades display specifiers.
Adjusts access control lists on Active Directory objects and on files in the SYSVOL shared folder to allow domain controller access.
In versions of Windows earlier than Windows Server 2003, including the Everyone security identifier (SID) on an ACL or in a group membership grants access to authenticated users, guest users, and anyone with an anonymous logon. Windows 2000–based domain controllers also rely on anonymous access to reach some Active Directory objects and files. In Windows Server 2003, the Everyone group no longer includes Anonymous Logon, which restricts domain controller access to those objects. Adprep.exe adjusts the ACLs on these objects so that domain controllers can still access them.
In the updated version of adprep.exe, this change is performed by the new adprep /domainprep /gpprep switch. For more information about this new adprep.exe switch, see Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1.
Creates new objects that are used by applications such as COM+ and Windows Management Instrumentation (WMI).
Creates new containers in Active Directory that are used to verify that the preparation was successful.
You can run Adprep.exe only at the command line.
Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1
In the original release version of Windows Server 2003, one of the operations that is performed by the adprep /domainprep command adds more restrictive security descriptors to all Group Policy objects (GPOs) in the SYSVOL shared resource. When you modify the permissions on all the GPOs in the SYSVOL tree, the NT File Replication Service (NTFRS) on the originating domain controller must send all the GPOs to all the other domain controllers in that domain, which causes an increase in volume of replication. If you have a large number of domain controllers or a large number of GPOs in the SYSVOL tree, you must assess the potential impact that this replication traffic will have on your network. If you determine that your network will be affected negatively, you can use the adprep /domainprep /gpprep switch separately from the adprep /domainprep switch to modify the permissions in the SYSVOL shared resource during nonpeak hours when network bandwidth is optimal.
The updated version of Adprep.exe supports the following commands and enhancements. These enhancements help administrators upgrade successfully to Windows Server 2003.
The adprep /forestprep command performs the same operations as it does in the original version of Windows Server 2003. The syntax of this command is unchanged. Enhancements include better error message handling in configurations that prevent the adprep /forestprep command from running successfully.
The adprep /domainprep command performs the same operations as it does in the original version of Windows Server 2003. However, the updated command does not modify permissions on GPOs unless the new /gpprep switch is used.
After you run the updated adprep /domainprep command, you receive the following message:
The new cross domain planning functionality for Group Policy, RSOP Planning Mode, requires file system and Active Directory permissions to be updated for existing Group Policy Objects (GPOs). You can enable this functionality at any time by running “adprep.exe /domainprep /gpprep” on the DC that holds the infrastructure operations master role. This operation will cause all GPOs located in the policies folder of the SYSVOL to be replicated once between the domain controllers in this domain. Microsoft recommends reading KB Q324392, particularly if you have a large number of Group Policy Objects.
adprep /domainprep /gpprep
The functionality of the adprep /domainprep /gpprep command depends on the state of the domain. If the updated adprep /domainprep command has not been run, this command is the functional equivalent of the adprep /domainprep command in the original version of Windows Server 2003.
If the updated adprep /domainprep command has already been run, the adprep /domainprep /gpprep command adds only the inheritable access control entries (ACEs) on GPOs in the SYSVOL shared resource.
The new cross-domain planning functionality for Group Policy, Resultant Set of Policy (RSOP) Planning Mode, requires file system and Active Directory permissions to be updated for existing GPOs. You can enable this functionality anytime by running adprep.exe /domainprep /gpprep on the domain controller that holds the infrastructure operations master role. For more information about RSoP functionality, see "RSoP Overview" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=48185.
Resolve Adprep.exe Compatibility Problems with Exchange 2000
When you prepare the forest by using the Active Directory Preparation tool in a Windows 2000 forest containing the Exchange 2000 schema, the LDAP display names of the three Windows Server 2003 InetOrgPerson attributes secretary, labeledURI, and houseIdentifier conflict with the non-RFC-compliant versions added by Exchange 2000. On the domain controller that receives the Windows Server 2003 schema updates, the lDAPDisplayName attributes for the Exchange 2000 definitions of these attributes are modified to prevent a conflict. When the changes are replicated in Active Directory, however, the additional domain controllers inadvertently detect the changes as a schema collision because duplicate names are present.
When Active Directory detects a duplicate name, it modifies the name of one of the objects by adding "DUP" and some unique characters to the beginning of the name. For example, the secretary, labeledURI, and houseIdentifier name collisions appear similar to the following:
lDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d
lDAPDisplayName: DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85f
lDAPDisplayName: DUP-houseIdentifier-e7c5d1bd-a422-4b9e-b4db-ecad2b6839cf
If you are already running Exchange 2000, you need to run the fixup script found in article 314649, "ADPREP Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers." To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
If you have not yet deployed Exchange 2000 in your environment, you can avoid name collisions by running adprep /forestprep to create the initial definitions of the secretary, labeledURI, and houseIdentifier attributes before you install Exchange 2000. Specifically, you can avoid LDAP display name collision problems by doing one of the following:
Run the Active Directory Preparation tool in a Windows 2000 forest before you install Exchange 2000.
Add Exchange 2000 to an existing Windows Server 2003 forest.
For more information about schema collisions between Exchange 2000 and Windows Server 2003, see article 314649, "ADPREP Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers," and article 325379 "How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003" in the Microsoft Knowledge Base. To find these articles, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Resolve Adprep.exe Compatibility Problems with Services for UNIX 2.0
Adprep.exe prepares the forest or domain with the schema attribute CN=uid, which is compliant with RFC 2307, for use by the Server for Network Information Service (NIS) component of Services for UNIX. However, in Services for UNIX 2.0, the Server for NIS component uses a different attribute definition, CN=uid,CN=msSFUName, and this discrepancy can cause the upgrade to Windows Server 2003 to fail. To solve this problem, either upgrade to Windows Services for UNIX 3.0 or install the Q293783_sfu_2_x86_en.exe hotfix.
To resolve Server for NIS compatibility issues with Windows Server 2003
Run Q293783_sfu_2_x86_en.exe on the domain controller that holds the schema master role.
Review the Hotfix.txt file that is included with the hotfix for installation specifics.
Verify end-to-end Active Directory replication of the schema throughout the forest.
For more information about Services for UNIX 2.0 application compatibility issues and the hotfix installation file, see article 293783, "Cannot Upgrade Windows 2000 Server to Windows Server 2003 with Windows Services for UNIX 2.0 Installed" in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Prepare the Forest for the Upgrade
Before preparing the forest for the upgrade, use your preferred monitoring tool to verify that replication is functioning properly. Changes that are made by Adprep.exe must replicate for the upgrade process to succeed; therefore, if domain controllers are not replicating properly, the upgrade preparation process will fail.
After verifying successful replication, use the adprep /forestprep command to prepare the forest for the upgrade.
To prepare the Active Directory forest for the upgrade
In the forest root domain, log on to the domain controller that holds the schema master role with an account that is a member of the Schema Admins security group.
Verify that the schema operations master has performed inbound replication of the schema directory partition by typing the following at a command prompt, and confirm that the inbound neighbors listed for the schema partition (CN=Schema,CN=Configuration,...) report a recent successful last attempt:
repadmin /showreps
A previous release of this documentation suggested that you take the schema master offline before running adprep /forestprep as a precautionary measure to protect the Active Directory schema from corruption. It has since been determined that this is not necessary and might cause a schema operations master to reject schema changes when it is restarted on a private network.
Insert the Windows Server 2003 operating system CD, or connect to the network installation shared folder, and then locate and open the I386 folder. On the schema operations master, type the following command at the command line:
adprep /forestprep
The following warning appears:
ADPREP WARNING: Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later). QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption. For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com. [User Action] If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any key and press ENTER to quit.
You can either continue with the preparation process or quit and install SP2. It is recommended that you install SP2 or later on all Windows 2000–based domain controllers before continuing.
After adprep /forestprep has finished, verify that all operations have completed successfully.
To verify that the Active Directory Preparation tool has completed all operations successfully
At the command line, type the following to start ADSI Edit:
adsiedit.msc
- Adsiedit.exe is one of the Windows 2000 support tools, which is still installed on the computer at this point in the domain upgrade process. If you have removed the Windows 2000 support tools, you can reinstall them from the Support\Tools folder on the Windows 2000 operating system CD. For more information about Adsiedit.exe, in Help and Support Center for Windows Server 2003, click Tools, and then click Install Windows Support Tools.
Expand the Configuration container and verify that CN=ForestUpdates has been created.
Expand CN=ForestUpdates and verify that CN=Windows2003Update is present.
Examine the Event Log for any event messages that indicate that the domain controller is not functioning properly.
Verify that the changes that Adprep.exe made on the schema operations master are replicating to all the other domain controllers in the forest.
Successful replication is necessary when preparing an entire forest for the Active Directory upgrade because adprep /domainprep can succeed on a domain's infrastructure master only after that domain controller has received the changes made by adprep /forestprep. Attempting to upgrade a domain controller that has not received the changes generates an error message. Allow enough time for the changes to replicate to all domains in the forest.
- Adprep.exe creates a log file each time it runs that can help you troubleshoot errors. The log file documents each step of the forest preparation process. Each Adprep.exe log file is located in a subfolder in the %systemroot%\System32\Debug\Adprep folder. Each subfolder is stamped with the date and time when Adprep.exe was run.
Prepare the Domain for Upgrade
After you prepare the forest for the upgrade, you must also prepare each domain in which you plan to operate a Windows Server 2003–based domain controller.
To prepare the Active Directory domain for upgrade
Log on to the infrastructure master by using Domain Admins credentials.
Insert the Windows Server 2003 operating system CD, or connect to the network installation shared folder, and then locate and open the I386 folder. At the command line, type:
adprep /domainprep
After adprep /domainprep has finished, verify that all operations have completed successfully.
If you are upgrading to Windows Server 2003 with SP1, or you have the updated version of Adprep.exe, also run adprep /domainprep /gpprep at the command line to finish preparing the domain. This switch rewrites the permissions on every GPO in the Policies folder of SYSVOL, so FRS replicates each of those GPOs once to every domain controller in the domain. If you are concerned about the impact of that replication, run adprep /domainprep first to prepare the domain, and then run adprep /domainprep /gpprep later, when network bandwidth permits.
To verify that the Active Directory Preparation tool has completed all operations successfully
Using Adsiedit.exe, expand the Domain container, and then expand DC=domainname,DC=com, CN=System, and CN=DomainUpdates in turn (the container's distinguished name is CN=DomainUpdates,CN=System,DC=domainname,DC=com). Verify that CN=Windows2003Update is present.
In Active Directory Users and Computers, from the View menu, select Advanced Features. Expand the System container, go to the DomainUpdates container, and then expand it. Verify that the Windows2003Update container is present.
If you receive an error message, do one of the following, based on the error message text:
Run the adprep /forestprep command.
Wait for replication to complete.
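The two verification procedures above (CN=Windows2003Update under CN=ForestUpdates and under CN=DomainUpdates) and the DUP- mangled attribute names described under "Resolve Adprep.exe Compatibility Problems with Exchange 2000" can also be checked offline against an ldifde export taken from any domain controller, which is useful for confirming that the Adprep.exe changes have actually replicated to a given replica. The following Python script is an added example and is not part of the original documentation or of Adprep.exe. It assumes the export was produced with ldifde against the Configuration and System containers, uses DC=corp,DC=example as an assumed naming context, and embeds a constructed sample export rather than data from a real forest; the objectVersion values it maps to schema levels (13, 30, 31) are well known but are not stated on this page.

```python
"""Offline check of Adprep.exe results over an ldifde export.

Added example, not code from the original documentation or from Adprep.exe.
Assumed workflow (not stated on the page): on a domain controller run
    ldifde -f forest.ldf -d "CN=Configuration,DC=corp,DC=example" -p subtree
    ldifde -f domain.ldf -d "CN=System,DC=corp,DC=example" -p subtree
and feed the concatenated files to assess(). DC=corp,DC=example is an
assumed naming context; SAMPLE_LDIF below is constructed, not a real export.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# How Active Directory mangles the loser of a lDAPDisplayName collision:
# "DUP-<original name>-<GUID>" (the Exchange 2000 case discussed above).
DUP_RE = re.compile(
    r"^DUP-(?P<name>.+)-(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I
)

# objectVersion of CN=Schema -> schema level. Well-known values, not given on
# this page; 13 is the Windows 2000 level that adprep /forestprep raises.
SCHEMA_VERSIONS = {13: "Windows 2000", 30: "Windows Server 2003", 31: "Windows Server 2003 R2"}

Record = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Record]:
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64'
    values, lower-cases attribute names, returns one dict per record."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records: List[Record] = []
    current: Record = {}
    for line in lines + [""]:                  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def dup_collisions(records: List[Record]) -> List[Tuple[str, str, str]]:
    """(mangled lDAPDisplayName, original name, DN) for every DUP-* attribute."""
    hits = []
    for rec in records:
        for ldn in rec.get("ldapdisplayname", []):
            m = DUP_RE.match(ldn)
            if m:
                hits.append((ldn, m.group("name"), rec["dn"][0]))
    return hits


def schema_version(records: List[Record]) -> Optional[int]:
    """objectVersion of the schema head (CN=Schema,CN=Configuration,...), if exported."""
    for rec in records:
        if rec["dn"][0].lower().startswith("cn=schema,cn=configuration,") and "objectversion" in rec:
            return int(rec["objectversion"][0])
    return None


def marker_present(records: List[Record], marker_dn: str) -> bool:
    """True if a record with exactly this DN exists (case- and space-insensitive)."""
    wanted = marker_dn.lower().replace(" ", "")
    return any(rec["dn"][0].lower().replace(" ", "") == wanted for rec in records)


def assess(ldif_text: str, forest_root_dn: str, domain_dn: str) -> dict:
    """Summarise forestprep/domainprep state and schema collisions in one export."""
    recs = parse_ldif(ldif_text)
    ver = schema_version(recs)
    return {
        "schema_version": ver,
        "schema_level": SCHEMA_VERSIONS.get(ver, "unknown"),
        "forestprep_done": marker_present(
            recs, f"CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,{forest_root_dn}"),
        "domainprep_done": marker_present(
            recs, f"CN=Windows2003Update,CN=DomainUpdates,CN=System,{domain_dn}"),
        "dup_collisions": dup_collisions(recs),
    }


# Constructed sample: forestprep has replicated here (schema at 30, ForestUpdates
# marker present), one Exchange 2000 attribute was mangled, and domainprep has
# not yet created its marker. The mangled name is the one quoted on this page.
SAMPLE_LDIF = """\
dn: CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: dMD
objectVersion: 30

dn: CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=corp,DC=example
objectClass: container

dn: CN=ms-Exch-Secretary,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
lDAPDisplayName: DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85f

dn: CN=Secretary,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
lDAPDisplayName: secretary

dn: CN=DomainUpdates,CN=System,DC=corp,DC=example
objectClass: container
"""

if __name__ == "__main__":
    result = assess(SAMPLE_LDIF, "DC=corp,DC=example", "DC=corp,DC=example")
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["dup_collisions"]:
        print("Schema collision present: apply the KB 314649 fix-up before upgrading.")
    if result["forestprep_done"] and not result["domainprep_done"]:
        print("Forest prepared; run adprep /domainprep, or wait for replication.")
```

Run the script against exports taken from several domain controllers, not only from the operations masters: a marker that is present on the schema master but missing on a replica means the Adprep.exe changes have not finished replicating, which is exactly the condition that makes Winnt32.exe refuse to upgrade that replica.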