Migrating from Win2k DC's to Win2k3 DC's; ADPrep question

Discussion in 'Server Migration' started by sketchy, May 18, 2005.

  1. sketchy

    sketchy Guest

    Hello everyone,

    I'm planning to move my domain controller responsibilities from two
    antiquated Win2k DC's to some new servers that will be running Win2k3, then
    retiring the two old boxes. I've been reading up as much as I can on this,
    but do have a question in regard to the ADPREP commands that I need to run.

    The documentation states that one needs to run ADPREP /FORESTPREP then
    ADPREP /DOMAINPREP before proceeding further. It states that you should only
    run this once however, implying that bad things happen if you do this more
    than once. The problem is that I believe I ran these same commands when I
    upgraded my Exchange 2000 server to Exchange 2003 (It's still running Windows
    2000), but can't remember for sure. Is there a command or a switch to the
    ADPREP command that will allow me to check to see if my schema has already
    been updated?
     
    sketchy, May 18, 2005
    #1

  2. Hello,

    Thanks for your post.

    I understand you want to know how to check if you have run the ADPREP
    command. If I have misunderstood, please feel free to let me know.

    Based on my experience, Exchange 2k3 cannot be installed on win2k server.
    If it is an in-place upgrade, you need to upgrade win2k to win2k3 first and
    then upgrade Exchange.

    If it is not an in-place upgrade, you need to install a win2k3 member server
    on a new machine, run adprep /forestprep on the old win2k server to extend
    the win2k schema to win2k3, then promote the win2k3 member to be a DC.

    Run exchange forestprep, then install Exchange 2k3 on the new win2k3 server.

    Also, you mentioned that you may have run the ADPREP command when you upgraded
    Exchange 2000 server to Exchange 2003. When upgrading Exchange, the
    commands you ran from the Exchange 2003 media are only for Exchange and
    only extend the Exchange schema. Therefore, when upgrading to Win2k3, you
    must run the adprep command from the \I386 folder of the Windows Server 2003
    media; this prepares a Windows 2000 forest and its domains for the
    addition of Windows Server 2003 domain controllers and extends the Win2k3
    schema.

    The schema and infrastructure operations masters are used to introduce
    forest and domain-wide schema changes to the forest and its domains that
    are made by the Windows Server 2003 adprep utility.

    Please refer to the following KB article and pay more attention to the
    content related to adprep in this article:

    How to upgrade Windows 2000 domain controllers to Windows Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;en-us;325379

    Also, if you want to check if the adprep command has been run before, you
    can check ADprep.log file in the
    C:\WINNT\system32\debug\adprep\logs\20040617142836 directory for more
    information.

    HTH!

    Thanks & Regards

    Amanda Wang [MSFT]

    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    ====================================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================================

    --------------------
     
    Amanda Wang [MSFT], May 19, 2005
    #2

  3. sketchy

    sketchy Guest

    Let me try to clarify my position.

    First, with regards to exchange (but getting off the subject of my original
    question). Running Exchange 2003 on a Windows 2000 server is the ONLY way
    to do an in-place upgrade of an exchange server. E2k will not run on a
    Windows 2003 server. More info on this subject can be found at:
    http://support.microsoft.com/?kbid=321648

    The ONLY reason I mentioned anything about my exchange box (a separate Win2k
    member server running E2k3 that is and has been running perfectly) is the
    process of running ADPREP. So in other words, let us forget about the
    element of the Exchange server. ...I simply wanted to know if what I ran
    already extended the schema for the Win2k3 AD in general. (I am still
    looking for the specific documentation that guided me on this).

    Based off of your response though, it sounds like I should plan on running
    the ADPREP commands anyway. ...I looked for the log file that you suggested
    on the domain controllers, and could not find them, so it's probably safest
    to go ahead and run it.

    Thank you for your assistance on this. Much appreciated.

    --
    Sketchy


     
    sketchy, May 19, 2005
    #3
  4. Hello,

    Thanks for your update and the information is helpful.

    I have read the Q321648 article carefully and verify you are right if it is
    an in place upgrade.

    However, we strongly recommend that you not use an in-place upgrade, for
    security purposes. When you try to upgrade a Windows 2000 DC to Windows 2003
    while Exchange 2000 is installed, we actually suggest that
    you first upgrade Exchange and run Exchange 2003 setup /forestprep to
    extend the Windows 2000 AD; then we don't need to run Windows 2003 adprep
    any more.

    Why do we suggest this? The reason is that the Windows Server 2003 adprep
    /forestprep command will cause mangled attributes in Windows 2000 forests
    that contain Exchange 2000 servers. In the current situation, you have
    upgraded Exchange 2k to 2k3 on a Windows 2k server. Therefore, please read
    the following article carefully and verify the scenarios in it:

    314649 Windows Server 2003 adprep /forestprep Command Causes Mangled
    Attributes
    http://support.microsoft.com/?id=314649

    For further questions related to Exchange, please contact the
    Microsoft.public.exchange2000 newsgroup to get the most qualified support
    on it.

    Meanwhile, you want to know if you have extended the schema for the Win2k3
    AD in general.

    If there is no ADPREP.LOG file in the
    %systemroot%\system32\debug\adprep\logs\<latest log> directory that means
    you haven't run it before.

    HTH!

    Thanks & Regards

    Amanda Wang [MSFT]

    Microsoft Online Partner Support

     
    Amanda Wang [MSFT], May 20, 2005
    #4
  5. sketchy

    sketchy Guest

    Thank you Amanda for the helpful article, and the thorough response.

    Once again, I hope to clarify the situation, as the answer you give leaves
    me with the impression that you think we have a different configuration than
    we actually do. We do not have any exchange 2000 servers whatsoever. We had
    at one time, but ran the upgrade as instructed, which I believe included
    working with adprep, which was the reason for my original question.

    Current environment:

    Win2k server (DC, WINS, DNS, etc.)
    Win2k server (DC, WINS, DNS, etc.)
    Win2k server (member server, SQL 2000)
    Win2k server (member server, Exchange 2003, not 2000)

    The two new Win2k3 machines will replace the first two machines listed, then
    those will be retired.

    The article addresses problems with mangled attributes for forests with
    Exchange 2000 servers. What I will have to investigate is if this is
    still in effect on a member server that was adprepped and upgraded to
    Exchange 2003 running on Win2k. If you have any insight on this, let me know.

    Yes, I agree with you that ideally, it would be wonderful to build
    everything in a pristine condition. Unfortunately I didn't have the choice
    at that time. This is actually why I'm choosing to go with a non-in-place
    upgrade for my domain controllers. Granted, the AD schema will be moved over
    to the new boxes, but hopefully, the fact that there will be two new DC's
    with clean builds will hopefully make my life a little easier.

    Regardless, do you suggest that I run the adprep /forestprep and /domainprep
    from the Windows Server 2003 CD? I'd hate to run it only to find out I used
    an old version.

    --
    Sketchy


     
    sketchy, May 20, 2005
    #5
  6. Hello,

    I'm very glad to hear from you again.

    Thanks for describing your current environment and letting me know
    your concern more clearly.

    You are right to install Exchange on member server instead of DC and it
    will avoid many limitations.

    Before running the adprep /forestprep and /domainprep commands from the
    Windows Server 2003 CD, we need to confirm the following things in Q314649
    article:

    Scenario 2: Exchange 2000 Schema Changes Are Installed Before You Run the
    Windows Server 2003 adprep /forestprep Command

    If Exchange 2000 schema changes have already been installed, but you have
    not run the adprep /forestprep command in Windows Server 2003, consider the
    following action plan:

    1. Log on to the console of the schema operations master by using an
       account that is a member of the schema administrators and enterprise
       administrators groups.
    2. Enable Schema Updates on the schema master. For additional information
       about how to permit updates to the Active Directory schema, click the
       following article number to view the article in the Microsoft Knowledge
       Base:
       285172 Schema Updates Require Write Access to Schema in Active Directory
    3. Click Start, click Run, type notepad.exe, and then click OK.
    4. Copy the following text that appears between [start copy here] and [end
       copy here] (including the trailing "-" characters), and then paste this
       text into Notepad.

    [start copy here]
    dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
    changetype: Modify
    replace: lDAPDisplayName
    lDAPDisplayName: msExchAssistantName
    -

    dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X
    changetype: Modify
    replace: lDAPDisplayName
    lDAPDisplayName: msExchLabeledURI
    -

    dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X
    changetype: Modify
    replace: lDAPDisplayName
    lDAPDisplayName: msExchHouseIdentifier
    -

    dn:
    changetype: Modify
    add: schemaUpdateNow
    schemaUpdateNow: 1
    -
    [end copy here]
    5. Save the contents of the Notepad file as
       %systemdrive%\IOP\Inetorgpersonprevent.ldf (where %systemdrive% is the
       logical drive that is hosting the Windows 2000 operating system and \IOP
       is a folder that you create in the Save dialog box of Notepad). Quit
       Notepad.
    6. Run the InetOrgPersonPrevent.ldf script:
       a. Click Start, click Run, type cmd, and then click OK.
       b. At a command prompt, type:
          cd %systemdrive%\iop
          and then press ENTER.
       c. Type the following command:
          ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "dn path for forest root domain"
          where X is a case-sensitive constant and "dn path for forest root
          domain" is the domain name path for the root domain of the forest,
          enclosed in quotation marks (for example,
          "dc=corp,dc=tailspintoys,dc=com"). Include the quotation marks. Press
          ENTER.
    7. Verify that the LDAPDisplaynames for the CN=ms-Exch-Assistant-Name, the
       CN=ms-Exch-LabeledURI, and the CN=ms-Exch-House-Identifier attributes in
       the schema naming context now appear as msExchAssistantName,
       msExchLabeledURI, and msExchHouseIdentifier before you run the Windows
       Server 2003 adprep /forestprep command.
    8. Run the adprep /forestprep command and the /domainprep command.

    Scenario 3: You Did Not Run InetOrgPersonfix Before You Ran the Windows
    Server 2003 adprep /forestprep Command

    If you run the Windows Server 2003 adprep /forestprep command in a Windows
    2000 forest that contains the Exchange 2000 schema changes, the
    LdapDisplayname attributes for houseIdentifier, Secretary, and labeledURI
    become mangled. To identify mangled names, use Ldp.exe to locate the
    affected attributes:

    1. Install Ldp.exe from the Support\Tools folder of the Windows 2000 or the
       Windows Server 2003 media.
    2. Start Ldp.exe from a domain controller or a member computer in the
       forest.
       a. On the Connection menu, click Connect, leave the Server box empty,
          type 389 in the Port box, and then click OK.
       b. On the Connection menu, click Bind, leave all the boxes empty, and
          then click OK.
    3. Record the distinguished name path for the SchemaNamingContext
       attribute.
       For example, for a domain controller in the CORP.ADATUM.COM forest, the
       distinguished name path would be
       CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com.
    4. On the Browse menu, click Search.
    5. Configure the following settings:
       - Base DN: Type the distinguished name path for the schema naming
         context that is identified in step 3.
       - Filter: Type (ldapdisplayname=dup*).
       - Scope: Click Subtree.
    6. Mangled HouseIdentifier, Secretary, and LabeledURI attributes have
       LDAPDisplayName attributes that are similar to the following format:
       lDAPDisplayName: DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d;
       lDAPDisplayName: DUP-secretary-c5a1240d-70c0-455c-9906-a4070602f85f
       lDAPDisplayName: DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef
       If the LDAP Display names for LabeledURI, Secretary and HouseIdentifier
       were mangled, run the Windows Server 2003 InetOrgPersonfix.ldf script to
       recover:
       a. Create a folder named %Systemdrive%\IOP, and then extract the
          InetOrgPersonfix.ldf file to this folder.
       b. At a command prompt, type cd %systemdrive%\iop, and then press ENTER.
       c. Extract the InetOrgPersonfix.ldf file from the Support.cab file that
          is located in the Support\Tools folder of the Windows Server 2003
          installation media.
       d. From the console of the schema operations master, load the
          InetOrgPersonfix.ldf file by using Ldifde.exe to correct the
          LdapDisplayName attribute of the houseIdentifier, the Secretary, and
          the labeledURI attributes. To do this, type the following command,
          where X is a case-sensitive constant and dn path for forest root
          domain is the domain name path for the root domain of the forest
          wrapped in quotation marks:
          ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "dn path for forest root domain"
    7. Verify that the houseIdentifier, the Secretary, and the labeledURI
       attributes in the schema naming context are not mangled.
    8. Use Winnt32.exe to upgrade the Windows 2000 domain controllers.

    After you have verified the above scenarios, don't hesitate to run adprep
    /forestprep and /domainprep from the Windows Server 2003 CD.

    After you have run these commands from the Windows Server 2003 CD, please
    don't worry about the upgrade of this Win2k member server to Win 2k3 because
    this schema has been extended before.

    If you have any other questions or concerns related to this issue, please
    feel free to let me know. I'm very glad to help you.

    Thanks & Regards

    Amanda Wang [MSFT]

    Microsoft Online Partner Support

     
    Amanda Wang [MSFT], May 23, 2005
    #6
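
Added example, not part of the thread or of KB 314649: the two "verify" steps quoted in post #6 (Scenario 2 step 7 and Scenario 3 step 6) done as a script over a text LDIF export of the schema naming context. The function names are hypothetical, the input is assumed to be an LDIF export containing lDAPDisplayName, and the sample export is constructed from the forest name and DUP- format shown in the post.

```python
import base64
import re

# Scenario 2, step 7: names these schema objects should carry before forestprep.
EXPECTED = {
    "ms-Exch-Assistant-Name": "msExchAssistantName",
    "ms-Exch-LabeledURI": "msExchLabeledURI",
    "ms-Exch-House-Identifier": "msExchHouseIdentifier",
}
# Scenario 3, step 6: a mangled name has the form DUP-<name>-<GUID>.
MANGLED = re.compile(r"^DUP-(.+)-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_ldif(text):
    """Parse LDIF text into {dn: {lowercased attribute: [values]}}."""
    entries, dn = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # unfold wrapped lines
        attr, sep, value = line.partition(":")
        if not line.strip():
            dn = None  # a blank line ends the current entry
        if not sep or line.startswith("#"):
            continue  # blank lines, comments and "-" separators
        if value.startswith(":"):  # "attr:: ..." carries a base64 value
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        if attr.lower() == "dn":
            dn = value.strip()
            entries[dn] = {}
        elif dn is not None:
            entries[dn].setdefault(attr.lower(), []).append(value.strip())
    return entries

def check_schema(text):
    """Report mangled and not-yet-renamed lDAPDisplayName values."""
    mangled, not_renamed = [], []
    for dn, attrs in parse_ldif(text).items():
        cn = dn.split(",", 1)[0].partition("=")[2]
        for name in attrs.get("ldapdisplayname", []):
            hit = MANGLED.match(name)
            if hit:
                mangled.append((cn, hit.group(1)))  # (object CN, original name)
            elif cn in EXPECTED and name != EXPECTED[cn]:
                not_renamed.append((cn, name))
    return {"mangled": mangled, "not_renamed": not_renamed, "clean": not (mangled or not_renamed)}

# Constructed sample export (not real data), using the forest from the post's example.
BASE = "CN=Schema,CN=Configuration,DC=corp,DC=adatum,DC=com"
SAMPLE = "\n\n".join(f"dn: CN={cn},{BASE}\nlDAPDisplayName: {name}" for cn, name in [
    ("ms-Exch-Assistant-Name", "msExchAssistantName"),
    ("ms-Exch-LabeledURI", "DUP-labeledURI-9591bbd3-d2a6-4669-afda-48af7c35507d"),
    ("ms-Exch-House-Identifier", "houseIdentifier")])
```

`check_schema(SAMPLE)` flags the DUP- entry as mangled and the third entry as not yet renamed; an export is ready for the next step only when `clean` is true.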