Tactical Advice

Active Directory Shortcuts

Don't paint yourself into a corner; use these tips for AD migration to Windows Server 2003.
This story appears in the March 2006 issue of BizTech Magazine.

Migrating old Windows NT domain-based networks to Windows 2000 Active Directory was an experience many network administrators would like to forget. Fortunately, the next step — migrating to Windows Server 2003 — is a lot easier.

Still, make sure that you've located your backups and verified that they actually restore, lest you paint yourself into a corner with no way out. Have backups of at least two domain controllers in every domain of your Windows 2000 forest before you start. These should be full backups that include the System State, since that's where Active Directory actually resides. You can also create additional backups during the migration as extra insurance. Also, be sure to check the patch level on your Windows 2000 domain controllers; if they don't have the latest service packs and hotfixes, apply them now. Anything less than Service Pack 4 will cause problems.

Though they are a lot easier than they have been, Active Directory migrations are not trivial, so here are a few tips to help keep you on track:

1) Test your current environment

Upgrading a sick domain won't work. Common signs of a sick domain include replication failure, Group Policy settings not being applied, logon scripts failing to run and unusually long logon delays for clients. There are numerous tools available to check the health of your Windows 2000 domain controllers before upgrading them to Windows Server 2003. For example, Dcdiag.exe should be used to verify the presence of SYSVOL shares on your domain controllers, to verify whether the NetLogon service is running on them and to perform other domain controller health checks. Repadmin.exe, another useful tool, should be used to verify that the Active Directory replication is working properly within your domain. Other tools, such as Netdom.exe and Gpotool.exe, are also useful, so learn how these tools work and be sure to use them. Checking the event logs on your domain controllers is another good way to identify problems.

>> Figure 1: Using repadmin.exe to troubleshoot Active Directory replication problems.


>> Figure 2: Using gpotool.exe to verify Group Policy Object consistency.
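The sweep described in tip 1, as an added example that is not code from the article: it runs dcdiag, repadmin and gpotool against every Windows 2000 domain controller from one administrative host and pulls recent errors from the Directory Service and FRS event logs. It assumes Windows PowerShell 3.0 or later on the admin host, the Windows Server 2003 Support Tools (dcdiag.exe, repadmin.exe, gpotool.exe) on the PATH, Domain Admins rights and remote event log access to the DCs. The DC names are constructed for illustration, and the strings it matches ("failed test", "Policies OK") are the ones those tools print in their output; adjust them if your build differs.

```powershell
# Added example, not code from the article: pre-upgrade health sweep of the
# Windows 2000 domain controllers. Assumptions: Windows PowerShell 3.0+, the
# Windows Server 2003 Support Tools on the PATH, Domain Admins rights, remote
# event log access. DC names are constructed for illustration.
$DomainControllers = @('dc1.corp.example.com', 'dc2.corp.example.com')

function Test-DcHealth([string]$Server) {
    $problems = @()

    # dcdiag: NetLogons verifies the SYSVOL and NETLOGON shares, Services verifies
    # that NetLogon, KDC, FRS and friends are running, Advertising verifies the DC
    # is advertising itself. /q prints only failures, so any hit is a problem.
    $dcdiag = & dcdiag.exe /s:$Server /q /test:NetLogons /test:Services /test:Advertising 2>&1
    foreach ($m in ($dcdiag | Select-String 'failed test')) {
        $problems += "dcdiag: $($m.Line.Trim())"
    }

    # repadmin /showrepl with /errorsonly lists only inbound partners whose last
    # replication attempt failed (the Win32 error code is on the same line).
    $repl = & repadmin.exe /showrepl $Server /errorsonly 2>&1
    foreach ($m in ($repl | Select-String 'failed')) {
        $problems += "repadmin: $($m.Line.Trim())"
    }

    # Directory Service and FRS event logs: errors logged in the last 24 hours.
    foreach ($log in 'Directory Service', 'File Replication Service') {
        $events = Get-EventLog -ComputerName $Server -LogName $log -EntryType Error `
                  -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $firstLine = ($e.Message -split "`r?`n")[0]
            $problems += "$log event $($e.EventID): $firstLine"
        }
    }

    [pscustomobject]@{ Server = $Server; Healthy = ($problems.Count -eq 0); Problems = $problems }
}

function Test-GroupPolicyConsistency {
    # gpotool compares the SYSVOL and directory copies of every GPO across DCs;
    # it prints 'Policies OK' when all are consistent, otherwise the errors found.
    $out = & gpotool.exe 2>&1
    [pscustomobject]@{ Consistent = [bool]($out | Select-String 'Policies OK'); Output = $out }
}

$report = $DomainControllers | ForEach-Object { Test-DcHealth $_ }
$report | Format-Table Server, Healthy -AutoSize
$report | Where-Object { -not $_.Healthy } | ForEach-Object { $_.Problems }

$gp = Test-GroupPolicyConsistency
if (-not $gp.Consistent) { $gp.Output }

if (($report | Where-Object { -not $_.Healthy }) -or -not $gp.Consistent) {
    Write-Warning 'Fix these problems before running adprep or upgrading any domain controller.'
}
```

Run it once per forest before touching the schema, and keep the output with your change record: a replication error code or a missing SYSVOL share found now is far cheaper than the same fault surfacing halfway through a forestprep.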

2) Verify free disk space

Simple things can cause big headaches if you're not careful. Do your domain controllers have enough free disk space to do the upgrade? The disk volume where Ntds.dit resides needs at least 20 percent free space for the upgrade to succeed. Be conservative and make sure you've got much more than that. If you lack sufficient space, you might be able to free some up by deleting temporary files, unused user profiles or memory dump files on the volume. Or you could do an offline defragmentation of Ntds.dit to try to reclaim additional space; on Windows 2000 and Windows Server 2003 that means restarting the domain controller in Directory Services Restore Mode, and it needs enough free space to write the compacted copy.


>> Figure 3: Using ntdsutil.exe to perform an offline defragmentation of the Active Directory database.
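The free-space check from tip 2, as an added example that is not code from the article: it reads each DC's Ntds.dit location from the registry, measures the volume and the database over WMI, and flags any DC that misses the threshold. It assumes Windows PowerShell 3.0 or later on an admin host with remote registry and WMI access to the DCs (both present on Windows 2000) and Domain Admins rights. The 20 percent threshold is the article's; the additional "room for a second copy of Ntds.dit" rule is added here because an offline defragmentation writes a full compacted copy. The DC names are constructed for illustration.

```powershell
# Added example, not code from the article: free-space check for the volume
# that holds Ntds.dit on each DC, plus the offline defrag steps as a comment.
# Assumptions: Windows PowerShell 3.0+, remote registry and WMI access to the
# DCs, Domain Admins rights. DC names are constructed for illustration.
$DomainControllers = @('dc1.corp.example.com', 'dc2.corp.example.com')

function Get-NtdsSpaceReport([string]$Server, [double]$MinimumFreeFraction = 0.20) {
    # The NTDS service parameters record where the database and its logs live.
    $hklm    = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    $params  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    $ditPath = [string]$params.GetValue('DSA Database file')        # e.g. C:\WINNT\NTDS\ntds.dit
    $logPath = [string]$params.GetValue('Database log files path')
    $drive   = $ditPath.Substring(0, 2)                               # e.g. C:

    $disk = Get-WmiObject -ComputerName $Server -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $wql  = $ditPath -replace '\\', '\\'                              # WQL needs doubled backslashes
    $dit  = Get-WmiObject -ComputerName $Server -Class CIM_DataFile -Filter "Name='$wql'"

    $freeFraction = $disk.FreeSpace / $disk.Size
    $freeOverDit  = $disk.FreeSpace / $dit.FileSize

    [pscustomobject]@{
        Server            = $Server
        NtdsDit           = $ditPath
        LogPath           = $logPath
        DitSizeMB         = [math]::Round($dit.FileSize / 1MB, 1)
        VolumeFreeMB      = [math]::Round($disk.FreeSpace / 1MB, 1)
        VolumeFreePercent = [math]::Round($freeFraction * 100, 1)
        FreeToDitRatio    = [math]::Round($freeOverDit, 2)
        # Pass only if the volume clears the article's 20 percent and could hold
        # a second copy of Ntds.dit (what an offline defrag or a restore needs).
        Ok                = ($freeFraction -ge $MinimumFreeFraction) -and ($freeOverDit -ge 1.0)
    }
}

$DomainControllers | ForEach-Object { Get-NtdsSpaceReport $_ } |
    Format-Table Server, DitSizeMB, VolumeFreeMB, VolumeFreePercent, FreeToDitRatio, Ok -AutoSize

<#
If a DC fails the check, an offline defragmentation (Figure 3) can reclaim
space. On Windows 2000 and Windows Server 2003 the database cannot be taken
offline while the server is running as a DC, so restart it in Directory
Services Restore Mode (F8 at boot), back up the System State first, then at a
command prompt:

    ntdsutil
    files
    compact to C:\NtdsCompact
    quit
    quit

Compact writes a new, smaller copy to C:\NtdsCompact\ntds.dit. Copy it over the
original, delete the old *.log files from the log path, then run
"ntdsutil" -> "files" -> "integrity" before restarting normally.
#>
```

The FreeToDitRatio column is the one to watch when planning the defrag itself: a volume that passes the 20 percent rule but cannot hold a second copy of the database will fail the compact step with a disk-full error in the middle of Directory Services Restore Mode.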

3) Prepare your schema

The heart of Active Directory is the schema, which defines all the objects that the directory can store. If you don't prepare your schema beforehand, you'll get errors during migration such as: "The operation failed because a schema validation check failed" or "The version of the Active Directory schema of the source forest is not compatible with the version of the Active Directory on this computer." Even worse, you could end up with a mangled schema that may be unrecoverable — unless you're willing to spend hours on the phone with Microsoft Product Support Services and pay big bucks for it.

Schema upgrades can be straightforward. Start by running "adprep /forestprep" on your schema master and then "adprep /domainprep" on the infrastructure master of each domain, before you upgrade your first Windows 2000 domain controller or promote your first Windows Server 2003 member server to a domain controller. Adprep.exe is in the I386 folder of the Windows Server 2003 CD. But if you have Exchange 2000 deployed in your Windows 2000 forest, it's going to be trickier. Consult article 325379 in the Knowledge Base on Microsoft TechNet and match your Exchange environment to the scenarios listed there before going any further.

Use the latest version of adprep.exe to take advantage of its enhanced error checking and reporting: the one shipped with Windows Server 2003 Service Pack 1 for normal upgrades, or the Windows Server 2003 R2 version if you're planning on moving directly to R2. Be sure to give the schema changes time to replicate across your forest before continuing with the upgrade. You can confirm that replication has finished by reading the objectVersion attribute of the Schema container on each domain controller: it is 13 on a Windows 2000 schema, 30 after a Windows Server 2003 forestprep and 31 after an R2 forestprep.

To safeguard schema upgrades, Rodney Buike, a Microsoft MVP and Senior Network Administrator for Monarch Industries Ltd. in Winnipeg, Canada, recommends putting a new server online as a DC and transferring the Schema Master FSMO role to this new DC. Then disconnect the DC from the network and run adprep on it. If forestprep successfully completes, plug it back into the network so the changes can replicate, then disconnect it again to run domainprep, and when successful plug it back into the network. This prevents a failed forestprep or domainprep from killing your AD schema.

4) Migrate your domains

Once your forest and domains are prepared, go ahead and migrate them. There are two ways to do this. You can upgrade your existing domain controllers in place by running Winnt32.exe from the Windows Server 2003 media. Or, if you have the extra hardware, you can install new Windows Server 2003 machines, promote them to domain controllers, allow them time to replicate, transfer the FSMO roles and then decommission your old controllers. Either way works; both have advantages and disadvantages with regard to cost, time and effort.

If you choose to upgrade in place, start with the PDC emulator in each domain and the domain naming master in your forest root domain, since those role holders create the necessary security principals and DNS application partitions. Run Winnt32.exe with the "/checkupgradeonly" switch first to identify any compatibility issues that might affect the upgrade, then run the real upgrade on those role holders before proceeding with the rest.
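Tips 3 and 4 both hinge on knowing which domain controller holds which role: forestprep runs on the schema master, domainprep on each domain's infrastructure master, and the in-place upgrade starts with each PDC emulator and the forest's domain naming master. The following is an added example, not code from the article, that reads the forest schema version, resolves every FSMO role holder into an upgrade plan, and polls the DCs until a forestprep has replicated everywhere. It assumes Windows PowerShell 3.0 or later on a domain-joined admin host (it uses the .NET System.DirectoryServices classes), an account that can read the directory, and DC locator access to every domain. The version numbers it names are the objectVersion values carried by the Windows 2000, Windows Server 2003 and Windows Server 2003 R2 schemas; the server name is constructed for illustration.

```powershell
# Added example, not code from the article: schema version, FSMO inventory and
# forestprep replication check for tips 3 and 4. Assumptions: Windows
# PowerShell 3.0+ on a domain-joined host, directory read access, DC locator
# access to each domain. The server name below is constructed for illustration.

$SchemaVersionNames = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2' }

function Get-DirectoryEntry([string]$Path) {
    New-Object System.DirectoryServices.DirectoryEntry($Path)
}

function Get-SchemaVersion([string]$Server) {
    # adprep /forestprep raises objectVersion on the Schema container; reading it
    # per DC tells you which DCs have received the change.
    $root     = Get-DirectoryEntry "LDAP://$Server/RootDSE"
    $schemaNc = [string]$root.Properties['schemaNamingContext'].Value
    $schema   = Get-DirectoryEntry "LDAP://$Server/$schemaNc"
    [int]$schema.Properties['objectVersion'].Value
}

function Resolve-RoleOwner([string]$Server, [string]$ObjectDn) {
    # fSMORoleOwner holds the DN of the owner's NTDS Settings object, whose
    # parent is the server object carrying dNSHostName.
    $obj  = Get-DirectoryEntry "LDAP://$Server/$ObjectDn"
    $ntds = Get-DirectoryEntry "LDAP://$Server/$([string]$obj.Properties['fSMORoleOwner'].Value)"
    [string]$ntds.Parent.Properties['dNSHostName'].Value
}

function Get-ForestUpgradePlan([string]$Server) {
    $root      = Get-DirectoryEntry "LDAP://$Server/RootDSE"
    $configNc  = [string]$root.Properties['configurationNamingContext'].Value
    $schemaNc  = [string]$root.Properties['schemaNamingContext'].Value
    $rootDomNc = [string]$root.Properties['rootDomainNamingContext'].Value
    $version   = Get-SchemaVersion $Server

    $plan = [ordered]@{
        SchemaVersion      = $version
        SchemaLevel        = $SchemaVersionNames[$version]
        SchemaMaster       = Resolve-RoleOwner $Server $schemaNc                   # adprep /forestprep runs here
        DomainNamingMaster = Resolve-RoleOwner $Server "CN=Partitions,$configNc"   # upgrade early: creates DNS partitions
        Domains            = @()
    }

    # Domain crossRefs carry FLAG_CR_NTDS_DOMAIN (0x2) in systemFlags; the
    # bitwise-AND matching rule OID picks them out of the Partitions container.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        (Get-DirectoryEntry "LDAP://$Server/CN=Partitions,$configNc"),
        '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))',
        [string[]]@('nCName', 'dnsRoot'))
    foreach ($cr in $searcher.FindAll()) {
        $domainNc = [string]$cr.Properties['ncname'][0]
        $dnsRoot  = [string]$cr.Properties['dnsroot'][0]
        # Binding through the DNS domain name lets the DC locator pick a DC in that domain.
        $plan.Domains += [pscustomobject]@{
            Domain               = $dnsRoot
            IsForestRoot         = ($domainNc -eq $rootDomNc)
            PdcEmulator          = Resolve-RoleOwner $dnsRoot $domainNc                         # upgrade this DC first
            InfrastructureMaster = Resolve-RoleOwner $dnsRoot "CN=Infrastructure,$domainNc"     # adprep /domainprep runs here
            RidMaster            = Resolve-RoleOwner $dnsRoot "CN=RID Manager`$,CN=System,$domainNc"
        }
    }
    [pscustomobject]$plan
}

function Wait-SchemaReplication([string[]]$DomainControllers, [int]$ExpectedVersion, [int]$TimeoutMinutes = 60) {
    # Poll until every DC reports the post-forestprep version (30 for 2003,
    # 31 for R2); only then run adprep /domainprep and start upgrading DCs.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $behind = @($DomainControllers | Where-Object { (Get-SchemaVersion $_) -lt $ExpectedVersion })
        if ($behind.Count -eq 0) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Schema version $ExpectedVersion has not reached: $($behind -join ', ')"
    $false
}

# Usage: run before forestprep (expect 13 everywhere) and again after it.
$plan = Get-ForestUpgradePlan 'dc1.corp.example.com'
$plan | Format-List SchemaVersion, SchemaLevel, SchemaMaster, DomainNamingMaster
$plan.Domains | Format-Table Domain, IsForestRoot, PdcEmulator, InfrastructureMaster, RidMaster -AutoSize
```

Adprep itself still has to be run interactively on the role holder it targets, logged on with Schema Admins and Enterprise Admins membership for forestprep and Domain Admins for each domainprep; the plan above tells you where to log on, and Wait-SchemaReplication, fed the full DC list and the version you expect, is the check to pass before moving from forestprep to domainprep and from domainprep to the first Winnt32.exe run.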

Mitch Tulloch is a consultant and trainer based in Winnipeg, Canada, and is the author of 14 books on Windows administration and security.

About the Author

Mitch Tulloch


Mitch Tulloch is a Microsoft Most Valuable Professional and lead author of the Windows 7 Resource Kit from Microsoft Press. You can follow him on Twitter at @MitchTulloch or friend him on Facebook at http://www.facebook.com/mitchtulloch.
