4. Upgrading a Windows 2000 Server Active Directory Forest
In many cases, the Windows 2000 environment that will be migrated includes one or more Active Directory domains and forests. Because Active Directory is one of the most important portions of a Microsoft network, it is also one of the most important areas to focus on in a migration process. In addition, many of the improvements made to Windows Server 2003 are directly related to Active Directory, making it even more appealing to migrate this portion of an environment.
Because Exchange 2007 requires the Active Directory forest to be at a Windows Server 2003 functional level, the organization needs to proceed with the steps to migrate to Windows Server 2003. As a benefit, in addition to getting a forest that is ready to support Exchange 2007, the following additional functionality is available with a Windows Server 2003 forest:
Domain Rename Capability—
Windows Server 2003 Active Directory supports the renaming of either the NetBIOS name or the Lightweight Directory Access Protocol (LDAP)/DNS name of an Active Directory domain. The Active Directory rename tool can be used for this purpose, but only in domains that have completely upgraded to Windows Server 2003 domain controllers.
Cross-Forest Transitive Trusts—
Windows Server 2003 now supports the implementation of transitive trusts that can be established between separate Active Directory forests. Windows 2000 supported only explicit cross-forest trusts, and the trust structure did not allow for permissions to flow between separate domains in a forest. This limitation has been lifted in Windows Server 2003.
Universal Group Caching—
One of the main structural limitations of Active Directory was the need to establish very “chatty” global catalog servers in every site established in a replication topology, or run the risk of extremely slow client logon times and directory queries. Windows Server 2003 enables remote domain controllers to cache universal group memberships for users so that each logon request does not require the use of a local global catalog server.
Inter-Site Topology Generator (ISTG) Improvements—
The ISTG in Windows Server 2003 has been improved to support configurations with extremely large numbers of sites. In addition, the time required to determine site topology has been noticeably improved through the use of a more efficient ISTG algorithm.
Multivalued Attribute Replication Improvements—
In Windows 2000, if a universal group changed its membership from 5,000 users to 5,001 users, the entire group membership had to be rereplicated across the entire forest. Windows Server 2003 addresses this problem and allows incremental membership changes to be replicated.
Lingering Objects (Zombies) Detection—
Domain controllers that have been out of service for a longer period of time than the Time to Live (TTL) of a deleted object could theoretically “resurrect” those objects, forcing them to come back to life as zombies, or lingering objects. Windows Server 2003 properly identifies these zombies and prevents them from being replicated to other domain controllers.
AD-Integrated DNS Zones in Application Partition—
Replication of DNS zones has been improved in Windows Server 2003 by storing AD-integrated zones in the application partition of a forest, thus limiting their need to be replicated to all domain controllers and reducing network traffic.
4.1 Migrating Domain Controllers
When planning a migration of the Active Directory environment, it is considered wise to make a plan to upgrade all domain controllers in an environment to Windows Server 2003. Unlike with member servers, the full benefits of the Active Directory improvements in Windows Server 2003 and the ability to install Exchange 2007 in the forest are not fully realized until the entire environment is “Windows Server 2003 functional.”
The domain controllers can either be directly upgraded
to Windows Server 2003 or replaced by newly introduced Windows Server
2003 domain controllers. The decision to upgrade an existing server
largely depends on the hardware of the server in question. The rule of
thumb is, if the hardware will support Windows Server 2003 now and for
the next 2 to 3 years, a server can be directly upgraded. If this is
not the case, using new hardware for the migration is preferable.
Note
A combined approach can be and is quite commonly used to support a scenario in which some hardware is current but other hardware is out-of-date and will be replaced. Either way, the decisions applied to a proper project plan can help to ensure the success of the migration.
4.2 Upgrading the AD Schema Using adprep
The introduction of Windows Server 2003 domain controllers into a Windows 2000 Active Directory requires that the core AD database component, the schema, be updated to support the increased functionality. In addition, several other security changes need to be made to prepare a forest for inclusion of Windows Server 2003. The Windows Server 2003 CD includes a command-line utility called adprep that will extend the schema to include the extensions required and modify security as needed. Adprep requires that both forestprep and domainprep be run before the first Windows Server 2003 domain controller can be added.
The Active Directory schema in Windows 2000 is composed of 1,006 attributes, by default, as shown in Figure 3. After running adprep forestprep, the schema will be extended to include additional attributes that support Windows Server 2003 functionality.
Note
Windows Server 2003 R2 contains additional schema updates, above and beyond the additions that the RTM version of Windows Server 2003 introduced. If adprep is run from a server running R2, the schema will be extended to include not only the 2003 enhancements, but the R2 ones as well.
The adprep utility must be run from the Windows Server 2003 CD or copied from its location in the \i386 folder. The adprep /forestprep operation can be run on the server that holds the Schema Master Operations Master (OM) role by following these steps:
1. On the Schema Master domain controller, choose Start, Run, type cmd in the Open text box, and click OK to open a command prompt.
2. Insert the Windows Server 2003 CD into the CD drive.
3. Where D: is the drive letter for the CD drive, type D:\i386\adprep /forestprep and press Enter.
4. Upon verification that all domain controllers in the AD forest are at Windows 2000 Server Service Pack 2 or greater, type C at the prompt and press Enter.
5. The forestprep procedure extends the Windows 2000 AD schema. After the schema is extended, it is replicated to all domain controllers in the forest. Finally, close the command prompt window.
After this step is accomplished, the domainprep procedure must be run.
The adprep /domainprep operation must be run once in every domain in a forest. It must be physically invoked on the server that holds the Operations Master (OM) role. The steps for executing the domainprep procedure are as follows:
1. On the Operations Master domain controller, open a command prompt (choose Start, Run, type cmd, and press Enter).
2. Insert the Windows Server 2003 CD into the CD drive.
3. Where D:\ is the CD drive, type D:\i386\adprep /domainprep and press Enter.
4. Type exit to close the command prompt window.
After the forestprep and domainprep operations are run, the Active Directory forest will be ready for the introduction or upgrade of Windows Server 2003 domain controllers. The schema is extended and includes support for application partitions and other enhancements. The process of upgrading the domain controllers to Windows Server 2003 can then commence.
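As an added, read-only check around the forestprep and domainprep procedures above (this script is not from the book; it assumes a domain-joined Windows host with PowerShell and read access to the directory), the following reports the current schema version, which domain controllers hold the Schema Master and Infrastructure Master roles, the service pack level of each domain controller in the domain, and whether domainprep has already been run in the domain:

```powershell
# Added example (not from the book): pre-flight and post-run checks for adprep.
# Read-only; it changes nothing in the directory. Run it once per domain.
# Assumes a domain-joined host with read access to the directory.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.Get("schemaNamingContext")
$domainNC = $rootDse.Get("defaultNamingContext")

# 1. Schema version: 13 = Windows 2000, 30 = Windows Server 2003, 31 = 2003 R2.
#    30 or 31 means adprep /forestprep has already extended the schema.
$schema        = [ADSI]"LDAP://$schemaNC"
$schemaVersion = [int]$schema.Get("objectVersion")
"Schema objectVersion: $schemaVersion"

# 2. Role holders: forestprep must run on the Schema Master, domainprep on the
#    Infrastructure Master. fSMORoleOwner holds the DN of the owner's NTDS Settings.
$infra = [ADSI]"LDAP://CN=Infrastructure,$domainNC"
"Schema Master:         " + $schema.Get("fSMORoleOwner")
"Infrastructure Master: " + $infra.Get("fSMORoleOwner")

# 3. Service pack level of every DC in this domain. Step 4 of forestprep expects
#    all DCs in the forest at Windows 2000 SP2 or later before you answer "C".
#    userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT) marks domain controllers.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainNC"
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
$null = $searcher.PropertiesToLoad.AddRange(@("name", "operatingSystem", "operatingSystemServicePack"))
foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties   # property names are returned in lowercase
    "{0,-20} {1} {2}" -f $p["name"][0], $p["operatingsystem"][0], $p["operatingsystemservicepack"][0]
}

# 4. domainprep marker: CN=Windows2003Update under CN=DomainUpdates,CN=System
#    exists only after adprep /domainprep has completed in this domain.
$marker = "LDAP://CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNC"
if ([System.DirectoryServices.DirectoryEntry]::Exists($marker)) {
    $revision = ([ADSI]$marker).Get("revision")
    "domainprep has run in $domainNC (Windows2003Update revision $revision)"
} else {
    "domainprep has NOT yet run in $domainNC"
}
```

Section 3 lists only the domain controllers of the domain the host is joined to; repeat the script in each domain to cover the whole forest before confirming forestprep.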
Note
Any previous extensions made to a Windows 2000 schema, such as those made with Exchange 2000/2003, are not affected by the adprep procedure. This procedure simply adds additional attributes and does not change those that currently exist.