Date: 2008-04-19
Active Directory is a fundamental part of the Microsoft Windows server operating system and plays a major role in managing and organising network resources within a Windows NT domain or forest. It provides a structured, hierarchical database for storing and managing information about network objects, including users, computers, groups, and more.
Objects: In the realm of Active Directory, every element is an object, be it users, computers, groups, or organisational units (OUs). Each object possesses attributes that define its characteristics.
Domains: Domains serve as logical groupings of objects within a network. They facilitate resource management and policy enforcement within a defined scope.
Trees: Multiple domains can be organised into a hierarchical structure known as a tree. Domains within a tree share a common schema and global catalogue.
Forests: A forest encompasses one or more trees, with each tree maintaining its own unique namespace. Forests establish administrative and security boundaries, but some items in the global catalogue (the names of distribution groups, for example) can still be accessed or shared across them.
Domain Controller: A domain controller (DC) is a server equipped to run Active Directory services. It is responsible for user authentication, directory data storage, and security policy enforcement.
Flexible Single Master Operations (FSMO) roles: these are specialised functions assigned to specific domain controllers within an Active Directory forest. There are five of them:
Schema Master: The Schema Master oversees the maintenance and replication of changes made to the Active Directory schema. It ensures consistency in schema modifications, such as the addition of new attributes or object classes, throughout the forest.
Domain Naming Master: The Domain Naming Master regulates the addition and removal of domains within the forest. It guarantees the uniqueness of domain names across the entire forest.
RID Master (Relative Identifier): The RID Master assigns unique security identifiers (SIDs) to objects within a domain. Although all domain controllers can create new objects, the RID Master ensures that SIDs remain distinct.
PDC Emulator (Primary Domain Controller): In the context of Windows 2000, the PDC Emulator ensures compatibility with older Windows NT systems. It manages password changes and maintains time synchronisation across a single domain.
Infrastructure Master: The Infrastructure Master updates object references in a domain when objects undergo movements or changes in name. It ensures the accuracy of cross-domain object references.
Each FSMO role serves a crucial purpose in the functioning and integrity of the Active Directory forest. Proper management and transition of these roles are vital for maintaining a robust directory service.
Before you begin, ensure you have a full backup of your Windows 2000 Active Directory and system state. Additionally, it's a good idea to review Microsoft's documentation for detailed requirements and considerations.
1) Verify that your Windows 2000 domain is in good health by running the dcdiag and netdiag commands. The /q switch suppresses the informational events so that only errors are shown; the /e switch tests all DCs in the enterprise (forest); and /v gives verbose output.
Get any errors? Investigate them, fix them, wait 24 hours, and re-test.
2) Make sure your hardware and existing servers meet the requirements for Windows Server 2003.
1) Insert the Windows Server 2003 installation CD or ISO.
2) Open a command prompt and navigate to the CMPNENTS\R2\ADPREP directory on the installation media.
3) Run the following three commands:
adprep /forestprep
adprep /domainprep
adprep /domainprep /gpprep
Get any errors? Investigate them, fix them, wait 24 hours, and re-test.
1) Insert the Windows Server 2003 installation CD or ISO.
2) Launch the "Manage Your Server" wizard, and select "Add or remove a role".
3) Choose "Domain Controller (Active Directory)", and continue with the wizard.
4) In the last couple of tabs, select "Additional domain controller for an existing domain".
5) You might be prompted to select a domain controller to replicate from; choose one on the same site/subnet (to save time).
6) Select the domain name you are upgrading. Click Finish.
Go and put the kettle on... this might take a while.
TIP: If your server is restarted and the "Manage Your Server" wizard has closed, you can reach the same DC promotion wizard using:
Start > Run, type "dcpromo" and press Enter.
1) Open the "Active Directory Installation Wizard".
2) Follow the wizard's instructions, including providing the credentials of a user with administrative privileges in the Windows 2000 domain.
3) When prompted to select a replication source, choose a Windows 2000 domain controller.
4) Complete the wizard, and Windows Server 2003 will be promoted to a domain controller.
Transferring FSMO roles can be done several ways:
Double check you are a member of Domain Admins before proceeding
1) Launch Active Directory Users and Computers
2) At the top of the console, select the domain name, and right click > choose Change domain controller.... Select one of your new Windows 2003 servers. Click OK.
3) Right-click on the domain-name, once more, and choose Operations Masters.
You can now toggle between the tabs and initiate a role transfer for the RID Master, PDC Emulator and Infrastructure Master roles.
4) Close ADUC once complete.
Transferring FSMO roles is not quite finished... still 2 more roles to go...
Double check you are a member of Enterprise Admins before proceeding.
5) Launch Active Directory Domains and Trusts
6) At the top of the console, select the domain name, and right click > choose Change domain controller.... Select one of your new Windows 2003 servers. Click OK.
7) Right-click on the domain-name, once more, and choose Operations Masters.
You can now initiate a role transfer (change button) for the Domain Naming Master role.
Last role.. Schema Master.. This one is a little more difficult.
Double check you are a member of Schema Admins before proceeding
8) Register the Schema Management Snap-In for MMC, using:
Start > Run > type "regsvr32 schmmgmt.dll" > OK
Click OK on the "registered" prompt.
9) Launch the MMC application using:
Start > Run > type "mmc" > ok
10) From the top-left menu, select File > Add/Remove Snap-Ins.
Select "Active Directory Schema" > click OK.
11) Right-click the Active Directory Schema icon (top-left inside the navigation window) and select Change Domain Controller.... Select one of your new Windows 2003 servers. Click OK.
12) Right-click the Active Directory Schema icon again and choose Operations Masters.
You can now initiate a role transfer (change button) for the Schema Master role.
Errors transferring, or are the buttons grayed out?
TIP: Try checking you have switched your console to a new 2003 domain controller first.
TIP: Double-check that the permissions of the logged-in user match this table; you might have to make the change, and come back in an hour! See table:
TIP: The NTDSUTIL command can also transfer or seize these roles. The question mark (?) lists the available commands at each prompt of this interactive tool.
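To confirm that every role now sits on one of the new 2003 servers, here is an added example (not from the original post) that reads the fsmoRoleOwner attribute of the five objects that record FSMO ownership through plain ADSI; it assumes it is run on a domain-joined machine as a domain user, and the server names in $newDcs are constructed placeholders.

```powershell
# Added example, not part of the original post. Uses plain ADSI so it runs on a 2003-era
# domain-joined box with PowerShell installed and no Active Directory module.
function Get-FsmoRoleHolders {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNc = [string]$rootDse.defaultNamingContext
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext

    # Each role is recorded on one well-known object; its fsmoRoleOwner holds the DN of the
    # owning DC's "NTDS Settings" object, whose parent is that DC's server object.
    $roleObjects = @{
        "Schema Master"         = "LDAP://$schemaNc"
        "Domain Naming Master"  = "LDAP://CN=Partitions,$configNc"
        "PDC Emulator"          = "LDAP://$domainNc"
        "RID Master"            = "LDAP://CN=RID Manager`$,CN=System,$domainNc"
        "Infrastructure Master" = "LDAP://CN=Infrastructure,$domainNc"
    }

    foreach ($role in $roleObjects.Keys) {
        $holder = [ADSI]$roleObjects[$role]
        $ntdsDn = [string]$holder.fsmoRoleOwner
        # Drop the leading "CN=NTDS Settings," to reach the server object and read its DNS name.
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        $server   = [ADSI]"LDAP://$serverDn"
        $obj = New-Object PSObject
        $obj | Add-Member NoteProperty Role $role
        $obj | Add-Member NoteProperty Holder ([string]$server.dNSHostName)
        $obj
    }
}

# Constructed placeholder list of the new 2003 DCs; replace with your own server names.
$newDcs = @("dc03.corp.example.local", "dc04.corp.example.local")
Get-FsmoRoleHolders | ForEach-Object {
    $moved = $newDcs -contains $_.Holder
    "{0,-22} {1,-30} {2}" -f $_.Role, $_.Holder, $(if ($moved) { "transferred" } else { "STILL ON OLD DC" })
}
```

Run it again after the Windows 2000 DCs are demoted; any role still reported on an old DC must be transferred (or, if that DC is gone, seized with NTDSUTIL) before the old server is switched off.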
Nice and simple. We just need to verify the LDAP replication partnerships IN/OUT. Depending on how complex your domain is, this should be pretty simple:
1) Just run the repadmin /replsum command.
Recognize my server names? Feel free to drop a message – geeks unite!
I also had a three-site setup, with a 2Mbps dial-up connection on one site, so AD Sites and Services had replication set to once per day (hence the 24h entry to the left).
Testing the upgraded Active Directory environment is a crucial step to ensure everything is functioning as expected. This step includes:
Verifying user logins: Confirm that users can log in to the domain with their credentials without issues.
Testing group memberships: Check that users are members of the appropriate security and distribution groups.
Group Policy testing: Ensure that Group Policies are being applied correctly to user and computer objects.
DNS resolution: Confirm that DNS is resolving correctly and that all domain controllers are reachable.
Application and file access: Test critical applications and file access to make sure they work seamlessly.
Replication: Verify that replication between domain controllers is functioning without errors.
Backup and recovery testing: Perform backup and recovery tests to ensure you can recover data if needed.
I had problems with DNS. My new domain controllers were not recognised as name servers for the domain, even though the domain was configured to be domain-integrated.
One to watch out for?
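A quick way to catch this during the testing phase, as an added example (not from the original post): list every DC recorded in the configuration partition and check that each one has an NS record for the domain's DNS zone. It assumes a domain-joined machine on which nslookup can reach the zone's DNS servers.

```powershell
# Added example, not part of the original post. Flags any domain controller that DNS does not
# list as a name server for the domain zone (the symptom described above).
function Test-DcNameServerRecords {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $domainNc = [string]$rootDse.defaultNamingContext
    # "DC=corp,DC=example,DC=local" -> "corp.example.local"
    $labels = $domainNc.Split(',') | ForEach-Object { $_ -replace '^DC=', '' }
    $zone   = [string]::Join('.', $labels)

    # Every DC has an nTDSDSA ("NTDS Settings") object under CN=Sites; its parent is the server object.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter = "(objectClass=nTDSDSA)"
    $dcNames = @($searcher.FindAll() | ForEach-Object {
        $ntdsDn   = [string]$_.Properties["distinguishedname"][0]
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        [string]([ADSI]"LDAP://$serverDn").dNSHostName
    })

    # Pull the zone's NS records; Windows nslookup prints them as "<zone>  nameserver = <host>".
    $nameServers = nslookup -type=NS $zone 2>$null | ForEach-Object {
        if ($_ -match 'nameserver = (\S+)') { $Matches[1].TrimEnd('.') }
    }

    foreach ($dc in $dcNames) {
        $obj = New-Object PSObject
        $obj | Add-Member NoteProperty DomainController $dc
        $obj | Add-Member NoteProperty HasNsRecord ($nameServers -contains $dc)
        $obj
    }
}

# Any row with HasNsRecord = False is a DC that DNS does not know as a name server for the zone.
Test-DcNameServerRecords | Format-Table -AutoSize
```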
After thoroughly testing the environment, you can safely decommission the Windows 2000 domain controllers. To do this, use the "DCPROMO" command to demote the Windows 2000 domain controllers to member servers.
This is essentially another `dcpromo` run; make sure you demote the domain controller, not remove the entire domain!
I would recommend waiting 24-48 hours (or longer if you can) before proceeding, to ensure all products/services on the domain obtain new authentication tokens issued by the new 2003 domain controllers.
Raising the domain functional level to Windows Server 2003 native mode is an essential step in taking full advantage of the advanced features and capabilities offered by the newer Active Directory version. This step ensures that your domain operates at the highest functional level available within the Windows Server 2003 environment. Here are the key points for this step:
Log in to the Windows Server 2003 domain controller with administrative credentials.
Open the "Active Directory Domains and Trusts" snap-in.
Right-click on the domain and select "Raise Domain Functional Level."
Choose the "Windows Server 2003" option and confirm the change.
Benefits of raising Domain Functional Levels
Most people don't understand the value this brings. This includes:
- Forest-Trust options
- Domain Rename capabilities
- Reduced bandwidth with replication
- new read-only-domain-controller options
- improved scalability
- rename domain-controller options
- redirect LDAP containers
- recording of lastLogonTimestamps independent of replication
Continuously monitor your Active Directory environment to ensure smooth operation: check the event logs daily and run dcdiag /e regularly. Log and address all concerns.
Of course continue to regularly back up your Active Directory environment to protect against data loss.
Upgrading Active Directory from Windows 2000 to Windows Server 2003 is a vital step toward modernizing your organization's IT infrastructure. This process involves careful planning, transferring FSMO roles, thorough testing, decommissioning old domain controllers, and raising the domain functional level. It's essential to document each step, ensure permissions, and prioritize testing for a seamless transition.
This upgrade isn't just a technical change; it's an opportunity to enhance security and productivity. By following the steps and best practices outlined in this guide, you can successfully advance your Active Directory, aligning it with the demands of modern IT environments and maintaining a resilient and efficient infrastructure.