Upgrade domain controllers to windows 2003

**karubin** · March 10th, 2005, 07:45 PM

Hi,

I have a windows 2000 domain controller. And I have a windows 2003 as memeber server at this moment. I want to change the domain controller to windows 2003. I read the article from microsoft:

http://support.microsoft.com/default...en-us%3B325379

Anyone try to do that sucessfully? anything I need to concern? Please give me some idea.

thanks

**predator** · March 12th, 2005, 10:18 AM

I have done several updates. You just need to not have 95 and NT clients on the network. 98 and above work fine, of course XP works best.

**Ya_know** · March 12th, 2005, 11:47 PM

Originally Posted by predator

I have done several updates. You just need to not have 95 and NT clients on the network. 98 and above work fine, of course XP works best.

Actually, there's a DSClient offered by Microsoft that will let the dinosaors play...the 98 one works on 95 just fine...and the NT one works without a hitch.

How to install the Active Directory client extension

**karubin** · March 15th, 2005, 08:51 PM

Hi,

I read the acticle once again.
http://support.microsoft.com/default...b;en-us;325379

So if I have a windows 2000 domain controller and a windows 2003 member server. I need to run adprep /forestprep and adprep /domainprep on windows 2000 server? After completed successfully, can i just use the Active Directory Installation Wizard on 2003 for adding the Additional Domain Controller for an existing domain?

Now, I am using the DNS server on windows 2000. Do I need to install the DNS server on 2003 after I change it to a domain controller?

thanks

**Green_Eyed** · March 16th, 2005, 04:32 PM

1. So if I have a windows 2000 domain controller and a windows 2003 member server. I need to run adprep /forestprep and adprep /domainprep on windows 2000 server? Yes, you have to prep your forest and domain to run a W2K3 DC.

2. After completed successfully, can i just use the Active Directory Installation Wizard on 2003 for adding the Additional Domain Controller for an existing domain? Yes, run dcpromo on your W2K3 member server.

Do you know how to confirm there were no errors running adprep?

3. Now, I am using the DNS server on windows 2000. Do I need to install the DNS server on 2003 after I change it to a domain controller? You can either install, configure and test DNS before you promote that server, or you will be prompted to install it as part of the promotion process. I recommend getting it running before you promote it. But that's personal preference.

**karubin** · March 16th, 2005, 06:17 PM

thanks for your reply

can u tell me how to confirm there were no errors running adprep?

thanks a lot

**karubin** · March 17th, 2005, 09:23 PM

Hi,

When I add windows 2003 as domain controllers, it takes very long time during the replication. It stay in the on of the object. I got following error message from the Directory service event log:

Another domain controller (DC) has attempted to replicate into this DC an object which is not present in the local Active Directory database. The object may have been deleted and already garbage collected (a tombstone lifetime or more has past since the object was deleted) on this DC. The attribute set included in the update request is not sufficient to create the object. The object will be re-requested with a full attribute set and re-created on this DC.

Source DC (Transport-specific network address):
nt-xxxx.xxxx.com.au
Object:
CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=com,DC=au
Object GUID:
69b6db88-9e3e-4344-8e36-774ca5e4e0d9
Directory partition:
CN=Configuration,DC=xxx,DC=com,DC=au
Destination highest property USN:
0
User Action:
Verify the continued desire for the existence of this object. To discontinue re-creation of future similar objects, the following registry key should be created.

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parame ters\Strict Replication Consistency

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

"xxxx" is my domain name.
Anyone know what's the problem?

And I got the error on the System log:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And error on Application log:
Attempt to determine whether user and machine accounts are in the same forest failed (The interface is unknown. ).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Please Help

**antioed** · March 29th, 2005, 04:11 PM

I would work on those time errors first. Do you have a server set to be the time server for the domain? If not, then set one up - research it on Google if you don't know how. Consistent time sync is integral for AD to work properly.

Originally Posted by karubin

Another domain controller (DC) has attempted to replicate into this DC an object which is not present in the local Active Directory database. The object may have been deleted and already garbage collected (a tombstone lifetime or more has past since the object was deleted) on this DC. The attribute set included in the update request is not sufficient to create the object. The object will be re-requested with a full attribute set and re-created on this DC.

As you probably know, when an object is improperly removed or orphaned from the domain you will be left with the GUID for that object in AD since it can no longer enumerate the friendly name.

Example: Server: \\scratchy is known to AD as: 69b6db88-9e3e-4344-8e36-774ca5e4e0d9

...in the example a server that was named scratchy had a GUID in AD: 69b6db88-9e3e-4344-8e36-774ca5e4e0d9

So when an object gets orphaned from AD you are left with the GUID only.

You probably know more about why this you're getting this error than we would. Have you deleted anything from Active Directory or renamed any DC in the past? For instance, if you simply rename a DC without first using DCPromo to properly demote the server of the DC role I believe you could get a message like this since AD will hold a record for that object even though it's long gone. If that is the case then you might be able to use the fix metadata context of the NTDSutil on the 2000 machine to clean up AD and once the issues with syncing time are resolved try replication again: http://support.microsoft.com/kb/216498

The error message is just indicating that it couldn't get a full set of attributes for an old object - it doesn't say the object's friendly name, it just gives the GUID and says that it's old and has been deleted so hopefully you know your Active Directory well enough to know what is causing this. I've been in a similar situation before of having to recover a domain controller, under the same name, that became orphaned because of a hardware crash and I had to use metadata cleanup to rectify the issue. In that case I obviously knew the name of my DC and was able to purge it from AD before re-configuring the DC back in AD.

**Green_Eyed** · March 30th, 2005, 01:14 PM

•Run one-time operation adprep command from the \i386 folder of the Windows Server 2003 media on the domain controller that hosts the schema operation master (FSMO) of the forest: adprep /forestprep The Windows Server 2003 adprep /forestprep command adds the following features: Improved default security descriptors for object classes, New user and group attributes, and New Schema objects and attributes like inetOrgPerson. To run adprep, the adprep /forestprep command requires a user account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins groups. The adprep /domainprep command requires a user account that is a member of the Domain Admins group in the targeted domain.
•The forestprep operation must complete and replicate to the infrastructure master of your domain before you can run adprep /domainprep in that domain.
•Verify that the adprep/ forestprep command successfully ran on the schema operations master. To do so, from the console of the schema operations master, verify the following items:
• The adprep/ forestprep command completed without error
• The CN=windows2003update object is written under CN=ForestUpdates,CN=Configuration,DC=forest_root_d omain. Record the value of the Revision attribute.
• (Optional) The schema version incremented to version 30. To do so, see ObjectVersion attribute under CN=Schema,CN=Configuration,DC=forest_root_domain.
• Run one-time operation adprep /domainprep on the infrastructure operations master domain controller of your domain in the forest that will host new Windows Server 2003 domain controller. The adprep /domainprep command verifies that the changes from forestprep have replicated in the domain partition and then makes its own changes to the domain partition and group policies in the Sysvol share. These modifications cause a full synchronization of files in that directory tree.
• Verify that domainprep completed successfully. To do so, verify the following items:
• The adprep/ domainprep command completed without error.
• The CN=Windows2003Update,CN=DomainUpdates,CN=System,DC =dn path of domain you are upgrading exists

_______________________________________