
Upgrade Windows 2000 domain to 2003

Status
Not open for further replies.

vijmat

IS-IT--Management
Jun 19, 2001
100
US
I am in the process of upgrading our domain and servers to Windows 2003 (from Windows 2000). Is there anything I have to be careful about? Is there any documentation out there on how to do it?

Thanks
vijmat
 
Are you upgrading from Win2k? If so, I followed this information directly from the readme file on the Win2003 disk.

---------------------------------------------------

********************************************************************

Windows Upgrade Compatibility

********************************************************************

The Windows 2000 Active Directory forest and domain need to be prepared for Windows Server 2003
===============================================================================================

Setup has detected that the Active Directory forest and domain need to be prepared for Windows Server 2003.

Description:
-The forest and domains are prepared by using the adprep command on the schema operations master and infrastructure operations master, respectively.
-This domain controller is the schema operations master.
-To prepare the Active Directory forest and domains, perform the following procedures in the order provided.

To prepare an Active Directory forest for Windows Server 2003:

1. To exit Setup, click Next, click Finish, and then click Exit.

2. At a command prompt, change to the \I386 directory on the installation media and then type:

adprep /forestprep

When prompted, type 'C', and then press ENTER to begin forest preparation, or type any other key, and then press ENTER to cancel.

3. After the forest preparation data has replicated throughout the forest, prepare the domains for Windows Server 2003 as described below. The domain preparation operation must be performed on the infrastructure operations master of each domain in the forest.


To prepare an Active Directory domain for Windows Server 2003:

1. On the domain controller holding the infrastructure operations master role, insert or connect to the installation media.

2. If the splash screen opens, click Exit.

3. At a command prompt, change to the \I386 directory on the installation media, and then type:

adprep /domainprep

If the command is run on a domain controller other than the current operations master, the name of the current operations master is displayed. In this case, repeat steps 1 through 3 on the current operations master.

4. After the domain preparation data has replicated throughout the domain, upgrade the domain controller by running Windows Server 2003 Setup (I386\winnt32.exe on the installation media).


Notes:
-You cannot upgrade domain controllers in a forest without first preparing the forest and domains by using adprep on the schema and infrastructure operations masters, respectively.
-Depending on the replication schedule for your organization, the time it takes to propagate preparation data will vary.


Windows server operating system no longer supports Admission Control Service (ACS). Before upgrading, you must uninstall ACS.
=============================================================================================================================

Windows server operating system no longer supports the Quality of Service (QoS) optional component, Admission Control Service (ACS). Setup cannot upgrade your computer if ACS is enabled. Please uninstall ACS, and then run Setup again. Only users with Administrator privileges can uninstall ACS.

Uninstalling ACS does not affect QoS functionality or prevent the installation of policy management systems provided by other vendors. Resource Reservation Protocol (RSVP) accepts other policy management systems that are in compliance with the defined, publicized standards.

To uninstall ACS:
1) In Control Panel, double-click Network Connections.
2) On the Advanced menu, click Optional Networking Components.
3) Double-click Networking Services.
4) Clear the QOS Admission Control Service option, and then click OK.
5) To uninstall ACS, click Next, and then click Finish.




IIS World Wide Web Publishing Service (W3SVC) will be disabled during upgrade
=============================================================================

IIS World Wide Web Publishing Service (W3SVC) Is Disabled During Upgrade

To protect your server from attacks by malicious users, the World Wide Web Publishing Service (W3SVC) will be disabled during upgrade. Microsoft® Windows® 2000 Server installs Internet Information Services (IIS) by default, and requires administrators to secure IIS to prevent attacks.

The IIS Lockdown Tool has not been run on this Windows 2000 server. If you do not want to allow the service to be disabled, you must download and run the IIS Lockdown Tool, or add the override registry key. Otherwise, you can continue with the upgrade and re-enable the service after the upgrade has completed.

Important: If you use the World Wide Web Publishing Service (W3SVC), we strongly recommend that you run the IIS Lockdown Tool before upgrading to a product in the Windows Server 2003 family. The IIS Lockdown Tool will help secure your computer by disabling or removing unnecessary features that are present in your Windows 2000 Server installation. These features would otherwise have remained on your machine after upgrading, leaving your server vulnerable to attacks. Using the IIS Lockdown Tool instead of using the override registry key or re-enabling the service after installation allows you to fine-tune the level of security to your particular needs.

When upgrading to a member of the Windows Server 2003 family, the service will NOT be disabled if any of the following conditions are present:

- You have already run the IIS Lockdown Tool on your Windows 2000 Server before starting the upgrade process. The IIS Lockdown Tool reduces the attack surface by disabling unnecessary features, and it allows you to decide which features to enable for your site. The IIS Lockdown Tool is available at IIS Lockdown Tool.
- The registry key RetainW3SVCStatus has been added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC. Under RetainW3SVCStatus you can add any value and then assign a DWORD value to it. For example, you can create the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\RetainW3SVCStatus\do_not_disable with the DWORD value of 1.
- In the unattended install case, an entry "DisableWebServiceOnUpgrade = false" exists in the unattended install script.

After the upgrade is completed, you can enable the service using either IIS Manager or the Services snap-in.

To start the service after upgrade

In IIS Manager:

1. From the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand the local computer, expand the Web Sites folder, right-click the Web site you want to start, and then click Start.
3. Click Yes to enable the service and start the Web site.

In the Services snap-in:

1. From the Start menu, point to Administrative Tools, and then click Services.
2. In the list of services, right-click World Wide Web Publishing Service, and then click Properties.
3. On the General tab, in the Startup type list, click Automatic, and then click OK.
4. In the list of services, right-click World Wide Web Publishing Service, and then click Start.


HP JetDirect Port
=================

The port monitor HP JetDirect Port will no longer be available in the version of Microsoft Windows that you are installing, and the software associated with this port will no longer run after the upgrade. If you are using this port monitor, check to see if the device can support TCP/IP printing and change the configuration settings for each printer queue after setup has completed.

If you are unsure what protocol your devices support, visit the Hewlett-Packard Web site at for more information.

For a list of devices supported by this version of Windows, see the Microsoft Windows Compatibility List at

Windows Media Server 4.x
========================

This computer is running the Microsoft® Windows Media™ Services version 4. An updated version of Windows Media Services is integrated with Windows Server 2003, Standard Edition, Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, and it will replace your existing services. Most of the version 4 settings will be migrated or preserved during the upgrade; however, certain version 4 configurations are no longer supported, and you might need to review the configuration of Windows Media Services after the upgrade to ensure uninterrupted functionality.

Specifically, the On-Line Presentation Broadcast service that provides integration with Microsoft PowerPoint® and the Windows Media Multicast File Transfer Services are not migrated. Therefore, if you are running applications that require the On-Line Presentation Broadcast service or Windows Media Multicast File Transfer services, you should maintain at least one server in your organization that can run version 4.

For additional information pertaining to upgrading your existing version of Windows Media Services to the version contained within this version of Microsoft Windows, see KB article 305366 at


Fax Services
============

This version of Windows Fax will be installed as part of this upgrade, since an existing operating system Fax component is currently installed on this computer.

If you do not plan to use Fax, then for best security practice it is recommended that you uninstall it after the upgrade. You can remove the Fax component using Add or Remove Programs, Add\Remove Windows Components in the Control Panel.

For a list of software supported by this version of Windows, see the Microsoft Windows Compatibility List at

Windows 95 and Windows NT 4.0 interoperability issues (Read Details!)
=====================================================================

Windows 95 and Windows NT 4.0 interoperability issues.

SUMMARY
Windows Server 2003 Domain Controllers implement default security settings that help prevent Domain Controller communications from being hijacked or otherwise tampered with. Certain downlevel machines are not capable of meeting these security requirements and thus cannot communicate with Windows Server 2003 Domain Controllers without administrative intervention.

Affected machines include Windows for Workgroups, Windows 95 machines that do not have the DS client pack installed, Windows NT 4.0 machines prior to Service Pack 4, and devices, including Pocket PC 2002 and previous versions, based on the Windows CE .NET version 4.1 or earlier.

SMB SIGNING
By default, Windows Server 2003 Domain Controllers require that all clients digitally sign SMB-based communications. The SMB protocol is used to provide file sharing, print sharing, various remote administration functions, and logon authentication for some downlevel clients. Windows for Workgroups, Windows 95 machines without the DS Client Pack, Windows NT 4.0 machines prior to Service Pack 3, and devices, including Pocket PC 2002 and previous versions, based on the Windows CE .NET version 4.1 or earlier are not capable of performing SMB signing and therefore cannot connect to Windows Server 2003 Domain Controllers by default. If such clients cannot be upgraded to a current operating system or upgraded to meet the minimum requirements described above, then the SMB signing requirement can be removed by disabling the following security policy in the Default Domain Controller GPO on the domain controllers OU:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always)

Detailed instructions on how to modify this setting are provided below.

Warning: Disabling this security setting exposes all of your Domain Controller communications to "man in the middle" types of attacks. Therefore it is highly recommended that you upgrade your clients rather than disabling this security setting. The DS Client Pack, necessary for Windows 95 clients to perform SMB signing, can be obtained from the \clients\win9x sub-directory of the Windows 2000 Server CD.

SECURE CHANNEL SIGNING
By default, Windows Server 2003 Domain Controllers require that all secure channel communications be either signed or encrypted. Secure channels are used by Windows NT-based machines for communications between domain members and domain controllers as well as between domain controllers that have a trust relationship. Windows NT 4.0 machines prior to Service Pack 4 are not capable of signing or encrypting secure channel communications. If Windows NT 4.0 machines prior to SP4 must join this domain, or this domain must trust other domains that contain pre-SP4 Domain Controllers, then the secure channel signing requirement can be removed by disabling the following security policy in the Default Domain Controller GPO:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain Member: Digitally encrypt or sign secure channel data (always)

Detailed instructions on how to modify this setting are provided below.

Warning: Disabling this security setting exposes secure channel communications to "man in the middle" types of attacks. Therefore it is highly recommended that you upgrade your Windows NT 4.0 machines rather than disabling this security setting.

MODIFYING THE DEFAULT DOMAIN CONTROLLER GPO
To ensure all domain controllers are enforcing the same SMB and secure channel signing requirements, define the corresponding security settings in the Default Domain Controller GPO as follows:
1. Log on to a machine that has the Active Directory Users and Computers Snap-in installed.
2. Start --> Run --> DSA.MSC
3. Expand the Domain that contains your Windows Server 2003 Domain Controllers.
4. Right-click on the Domain Controllers OU and then click Properties.
5. Click the Group Policy tab, select the "Default Domain Controller Policy", and then click Edit.
6. Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options
7. In the result pane, double click the security option you want to modify. For example, Microsoft Network Server: Digitally sign communications (always) or Domain Member: Digitally encrypt or sign secure channel data (always).
8. Check the "Define this policy setting" box.
9. Disable or Enable the security setting as desired, and then select OK.



CD Recording Software
=====================

A driver is installed that causes stability problems with your system. This driver will be disabled. Please contact the driver manufacturer for an update that is compatible with this version of Windows.

Roxio, Inc. Web site:
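
The readme quoted above names three settings that trade security for compatibility: the two signing requirements on domain controllers and the RetainW3SVCStatus override key. The following is an added example, not part of the original post or the readme, that reports their state from the local registry. It assumes PowerShell is available on the upgraded server; the function name and output columns are hypothetical, and the two `Parameters` values are the registry entries that back the named Security Options.

```powershell
# Added example: report the security-relevant overrides described in the readme,
# read from the local registry of the machine this runs on.

$signingChecks = @(
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Name   = 'RequireSecuritySignature' },
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name   = 'RequireSignOrSeal' }
)
# Override key named in the readme; any DWORD value under it keeps W3SVC enabled.
$w3svcOverride = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\RetainW3SVCStatus'

function Get-UpgradeSecurityPosture {   # hypothetical name
    foreach ($c in $signingChecks) {
        $value = $null
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $value = $item.($c.Name) }
        # A missing value is reported separately; only 1 means signing is required.
        if ($null -eq $value)  { $state = 'NotConfigured' }
        elseif ($value -eq 1)  { $state = 'Required' }
        else                   { $state = 'NotRequired' }
        New-Object PSObject -Property @{
            Setting = $c.Policy; State = $state; NeedsReview = ($state -ne 'Required')
        }
    }
    # List the value names under the override key, if the key exists at all.
    $names = @()
    if (Test-Path $w3svcOverride) { $names = @((Get-Item $w3svcOverride).GetValueNames()) }
    if ($names.Count -gt 0) { $w3state = 'Present: ' + ($names -join ', ') }
    else                    { $w3state = 'Absent' }
    New-Object PSObject -Property @{
        Setting = 'W3SVC RetainW3SVCStatus override'; State = $w3state
        NeedsReview = ($names.Count -gt 0)
    }
}

$report = @(Get-UpgradeSecurityPosture)
$report | Select-Object Setting, State, NeedsReview | Format-Table -AutoSize -Wrap
foreach ($r in ($report | Where-Object { $_.NeedsReview })) {
    Write-Warning ("Review: {0} is {1}" -f $r.Setting, $r.State)
}
```

Run it on each domain controller and compare the results; differing states between controllers mean the Default Domain Controller GPO setting has not been applied uniformly.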
 