You must update the Active Directory schema before performing the following actions:
Adding a Windows Server 2003 or Windows Server 2003 R2 domain controller to an existing Windows 2000 forest or domain Adding a Windows Server 2003 R2 domain controller to an existing Windows Server 2003 forest or domain
This section discusses how
to test Active Directory before updating the schema, as well as how to
update the forest schema, verify the update, and update the domain
schema for each domain in which you want to install Windows Server 2003
or Windows Server 2003 R2 domain controllers.
Important
If you use any
third-party Active Directory applications or have made any custom
changes to the Active Directory schema, verify that they are compatible
with the Windows Server 2003 or Windows Server 2003 R2 schema revision
levels before updating the forest schema. This is rarely a problem, but
it is nearly impossible to undo a schema update once it has propagated,
so it’s best to err on the side of caution.
Testing Active Directory Functionality in Active Directory Domains
Perform the
following actions before updating the Active Directory schema, adding
any Windows Server 2003 domain controllers to an existing Windows 2000
Active Directory domain, or upgrading any Windows 2000 domain
controllers in the domain to Windows Server 2003:
Verify that all
domain controllers in the domain have Netlogon and Sysvol shares by
using Dcdiag.exe from the Windows Support Tools. To do so, open a
command prompt window, switch to the folder storing Dcdiag.exe, and then
type dcdiag /e /test:frssysvol. All domain controllers should pass the tests. If
you see the error message “There are errors after the SYSVOL has been
shared”, try restarting the File Replication Service on the affected
domain controller, check the File Replication Service log in Event
Viewer for any additional errors, and then rerun Dcdiag.exe. View the operations master roles in the forest by using the dcdiag /test:FSMO-CHECK
command, and transfer any operation master roles that reside on
nonexistent or unhealthy domain controllers to healthy domain
controllers. Verify
replication using the Windows Server 2003 version of Repadmin.exe on a
Windows XP or Windows Server 2003 member server in the forest. To do so,
open a command prompt window, switch to the folder storing
Repadmin.exe, and then type repadmin /replsum /bysrc /bydest /sort:delta. All
domain controllers should show 0 in the Fails column, and the largest
deltas should be less than or roughly equal to the replication frequency
on the site links used by the domain controllers for replication. The
default replication frequency between sites is 180 minutes; you can
change this setting by using the Active Directory Sites And Services MMC
snap-in. Use
the Group Policy Verification Tool (Gpotool.exe) to verify proper Group
Policy functioning on domain controllers. You can download Gpotool.exe
from the Windows 2000 Server Resource Kit at http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp.
Updating the Active Directory Forest Schema
You must update the
Active Directory schema before you can add a Windows Server 2003 or
Windows Server 2003 R2 domain controller to a Windows 2000 Active
Directory forest, or add a Windows Server 2003 R2 domain controller to a
Windows Server 2003 Active Directory forest. This also applies to
domain controllers upgraded to Windows Server 2003 or Windows Server
2003 R2.
To prepare a forest for
Windows Server 2003 or Windows Server 2003 R2 domain controllers, use
the following procedure to update the schema in your test lab. This is
an important step because you cannot undo a forest schema update. After
testing the schema updates, use the procedure in your production
network.
1. | Update
all Windows 2000 domain controllers and servers running Exchange Server
2000 or later to Windows 2000 Service Pack 4 or later.
Domains with more than 10 domain controllers consume additional
network bandwidth during replication unless all domain controllers are
running Windows 2000 with Service Pack 3 or later. See Microsoft
Knowledge Base Article 331161 at http://support.microsoft.com
for more information about this and other issues with Windows 2000
domain controllers running service pack revisions earlier than Service
Pack 4.
Important
If you have
implemented the Exchange Server 2000 schema changes in the forest prior
to updating the forest schema to Windows Server 2003 or Windows Server
2003 R2 levels, you must perform a special schema update to prevent
Adprep from mangling attributes. See Microsoft Knowledge Base Article
325379 at http://support.microsoft.com
for information about how to prep the schema and for help with fixing
mangled attributes. You can safely update the schema for Exchange Server
2000 after updating the forest schema to Windows Server 2003 or Windows
Server 2003 R2 level.
| 2. | Identify
the servers with the schema master and infrastructure master roles, and
install the appropriate version of the Windows Support Tools on the
schema master.
Note
If you’re updating a
Window 2000 Active Directory forest to support Windows Server 2003
domain controllers, update the schema to the Windows Server 2003 R2
revision, even if you don’t plan to immediately use Windows Server 2003
R2 domain controllers. This eliminates the hassle of updating the schema
a second time when you decide to deploy Windows Server 2003 R2 domain
controllers.
| 3. | On the server designated the schema master, use the Run As feature to open a command prompt window on the schema master using an account
that belongs to the Enterprise Admins and Schema Admins groups (or has
delegated authority). Or log on to the server using an account that
belongs to the Enterprise Admins and Schema Admins groups (or has
delegated authority), and open a command prompt window.
| 4. | Switch to the folder in which you installed the Windows Support Tools, and run the repadmin /showreps
command to verify that the last inbound replication succeeded. If the
last replication failed, troubleshoot replication before proceeding.
| 5. | Temporarily disable outbound Active Directory replication by typing repadmin /options +DISABLE_OUTBOUND_REPL.
| 6. | Switch to the folder in which Adprep.exe is located.
To update the forest schema to Windows Server 2003 R2 level, use
the Adprep.exe file located in the \Cmpnents\R2\Adprep folder of the
Windows Server 2003 R2 Disc 2 CD-ROM.
Best Practices
Use either the
Windows Server 2003 R2 version of Adprep.exe (to upgrade the forest
schema to Windows Server 2003 R2 level) or the Windows Server 2003
Service Pack 1 version of Adprep.exe (to upgrade the forest schema to
Windows Server 2003 level). These versions of Adprep.exe offer increased
error checking and reporting, and provide more control over updating
the domain schema. The Windows Server 2003 Service Pack 1 version of
Adprep.exe is located in the \i386 or \amd64 folder of the Windows
Server 2003 with Service Pack 1 CD, and is available for download from
Microsoft Product Support Services via Microsoft Knowledge Base Article
324392 at http://support.microsoft.com.
| 7. | Type adprep /forestprep, and watch for any error messages.
| 8. | If
the schema upgrade completed successfully and without errors (see the
next section for information about how you can verify that the update
proceeded properly), switch to the folder in which you installed the
Windows Support Tools, and type repadmin /options -DISABLE_OUTBOUND_REPL
to enable outbound replication of the schema master to the network.
Then update the schema in each domain in which you want to install
Windows Server 2003 or Windows Server 2003 R2 domain controllers.
Otherwise, follow the instructions provided by the error
messages, if possible, or restore from backup and research the problem
before trying again.
|
Verifying the Forest Schema Update
To verify that the schema update operation succeeded for the forest, perform the following steps:
1. | Check the system log in Event Viewer for any errors. (You can safely ignore errors with event ID 1153.)
| 2. | Install
the Windows Support Tools and then use the Dcdiag.exe command from the
Windows Support Tools to verify Active Directory functionality. (Ignore
any replication errors—the server is disconnected from the network.)
To do so, click Start, choose All Programs, Windows Support Tools, Command Prompt and then type Dcidiag in the command prompt window.
| 3. | Open ADSI Edit from the Windows Support Tools.
To do so, click Start, choose All Programs, Windows Support Tools, Command Prompt and then type Adsiedit.msc in the command prompt window.
| 4. | In the ADSI Edit window under the Configuration node, navigate to CN=Configuration,DC=forest_root_domain, where forest_root_domain is the DNS name of the forest root domain, and then navigate to CN=ForestUpdates.
| 5. | Right-click the CN=Windows2003Update object (shown in Figure 1),
choose Properties from the shortcut menu, and then view the value for
the Revision attribute (or property in Windows 2000). The value should
read 9 after updating the forest schema for Windows Server 2003 or
Windows Server 2003 R2. (See Table 1 for a listing of schema revision numbers.)
Table 1. Schema revision and version levels| | Schema Revision | Schema Version (ObjectVersion) |
|---|
| Windows 2000 | (none) | 13 | | Windows Server 2003 | 9 | 30 | | Windows Server 2003 R2 | 9 | 31 |
| 6. | Under the Schema node of ADSI Edit, right-click the CN=Schema,CN=Configuration,DC=forest_root_domain object, where forest_root_domain is the DNS name of the forest root domain, and then choose Properties from the shortcut menu.
| 7. | View the value for the objectVersion attribute (or property in Windows 2000), as shown in Figure 2. The value should read 31 after updating the forest schema for Windows Server 2003 R2. (See Table 6-3 for a listing of schema version numbers.)
|
Note
Adprep.exe stores its log files in the SYSTEMROOT\System32\Debug\Adprep\Logs folder.
Updating the Active Directory Domain Schema
To
prepare a domain for Windows Server 2003 or Windows Server 2003 R2
domain controllers, you must update the domain schema to the Windows
Server 2003 or Windows Server 2003 R2 levels. Use the following
procedure on each domain before adding Windows Server 2003 or Windows
Server 2003 R2 domain controllers to the domain:
1. | If
you recently updated the forest schema and different computers perform
the infrastructure master role and schema master role, wait for Active
Directory to replicate the changes to the infrastructure master. Wait 15
minutes if the infrastructure master is in the same site; half a day or
a day if it’s in another site.
If your domain controllers are running Windows 2000 Server with
Service Pack 2 or earlier, the adprep /forestprep command delays
replication. (See Microsoft Knowledge Base Article 331161 at http://support.microsoft.com for more information.)
| 2. | Open
a command prompt window on the infrastructure master using an account
that belongs to the Domain Admins or Enterprise Admins group (or has
delegated authority).
| 3. | Temporarily disable outbound Active Directory replication by typing repadmin /options +DISABLE_OUTBOUND_REPL.
| 4. | Switch to the folder in which Adprep.exe is located.
To update the forest schema to Windows Server 2003 R2 level, use
the Adprep.exe file located in the \Cmpnents\R2\Adprep folder of the
Windows Server 2003 R2 Disc 2 CD-ROM.
Best Practices
Use either the
Windows Server 2003 R2 version of Adprep.exe (to upgrade the schema to
Windows Server 2003 R2 level) or the Windows Server 2003 Service Pack 1
version of Adprep.exe (to upgrade the schema to Windows Server 2003
level). These versions of Adprep.exe offer increased error checking and
reporting, and they provide more control over updating the domain
schema. The Windows Server 2003 Service Pack 1 version of Adprep.exe is
located in the \i386 or \amd64 folder of the Windows Server 2003 with
Service Pack 1 CD, and is available for download at http://support.microsoft.com via Microsoft Knowledge Base Article 324392.
| 5. | Type adprep /domainprep, and watch for any error messages.
| 6. | Confirm that Adprep upgraded the schema properly by doing the following:
- Use Dcdiag from the Windows Support Tools.
- Check the system log in Event Viewer for any errors.
- Check the Adprep.exe log files in the systemroot\System32\Debug\Adprep\Logs folder.
| 7. | If
the domain preparation completed without errors, switch to the folder
in which you installed the Windows Support Tools, and type repadmin /options -DISABLE_OUTBOUND_REPL
to enable outbound replication of the schema master to the network.
Otherwise, follow the instructions provided by the error messages, if
possible, or restore from backup and research the problem before trying
again. Do not proceed until you can confirm that the domain was prepared
properly.
| 8. | Find
a time when the network is quiet enough to synchronize all Group Policy
Objects (GPOs) between all domain controllers on the domain, and then
type adprep /domainprep /gpprep and watch for any error messages.
This step ensures that Resultant Set of Policy (RSoP) works properly with site-based GPOs.
| 9. | Wait
for the changes to replicate to other domain controllers before
upgrading any domain controllers to Windows Server 2003 or Windows
Server 2003 R2. Allow at least 15 minutes. If there are domain
controllers in remote sites, allow half a day or a day.
Note
A domain can
run indefinitely after performing this procedure without the need to
upgrade any domain controllers to Windows Server 2003 or Windows Server
2003 R2, though there are no benefits to doing so.
|
|
