How to add a Windows Server 2003 Domain Controller to a Windows 2000 Active Directory ® Environment
Windows 2003 enables many new important features that were not possible in Windows 2000 / NT domains. Security Descriptors are stored more efficiently (reducing replication by up to 40%), schema extensions can be removed, and Domain Controllers (and even entire domains!) can be renamed. Although adding a single 2003 DC alone will not provide the above benefits, we do need to start somewhere.
To allow a Windows 2003 Domain Controller (DC) to be a controller for a Windows 2000 Active Directory domain, you must first extend the schema. For those who have set up Exchange 2000, extending the schema may be a familiar task as ADPrep, which is the application used to extend the schema, will be used with its /forestprep and /domainprep switches.
MS states that running ADPrep in a Windows 2000 Forest that contains Exchange 2000 Servers can cause "Mangled" attributes.
Fusion 13 was unable to reproduce this issue in our test Windows 2000 / Exchange 2000 environment; however, please read MS Knowledge Base article 314649 if your Forest contains an Exchange 2000 Server.
To add a Windows Server 2003 DC to your Windows 2000 domain, follow the steps below:
Is running ADPrep Absolutely Necessary?
What Happens if ADPrep is Not Run?
It is required that ADPrep is run on Windows 2000 Active Directory environments before a Windows Server 2003 domain controller may be added. If DCPromo is run on a 2003 server before ADPrep is run, a simple and descriptive error message is displayed. The error message states that ADPrep must be run to prepare the current forest; otherwise, the version of Active Directory running in the forest is not compatible with Windows Server 2003.
Prepare Active Directory (Extend the AD Schema)
Load the new DC-to-be with Windows Server 2003. This load is very similar to a standard Windows 2000 installation, with the interface found in Windows XP ®. Apply any hotfixes / patches to your new Windows 2003 machine per MS Knowledge Base Article 331161.
Update all Domain Controllers. It's recommended that DCs have Service Pack 3 applied (with hotfixes); Service Pack 2 is the minimum required. Check MS KB Article 331161 (http://support.microsoft.com/default.aspx?scid=kb;en-us;331161) for more information.
Run Diagnostic Tests. If any errors are detected, fix and rerun the Diagnostic Test.
Run DCDiag with the command "dcdiag /s:<DomainController> /n:<DomainName> /v /f:C:\diags\dcdiag.log" (without the quotes) where C:\diags is where you would like to store the log files
Run NetDiag with the command "netdiag /v > C:\diags\netdiag.log" (without the quotes) where C:\diags is where you would like to store the log files
Note: to run the above tests, you will need to install the Windows 2000 Support tools from the Windows 2000 Server CD-ROM (<CD-ROM>:\Support\Tools\SETUP.exe).
Extend the Schema at the Forest Level
Unplug the Schema Master from the network. Do not plug the Schema Master back into the network until Step 5. The schema extension needs to be performed on the Schema Master while it is offline. For help on finding which computer is the Schema Master, and more information on the FSMO Roles, visit ***link to FSMO info***
Insert the Windows Server 2003 cd into the now offline Windows 2000 Schema Master. Open a command prompt. From the <CD-ROM>\i386 directory, run the command "adprep /forestprep". This command will update the schema at the forest level, and will only need to be run once per forest. To view the output of the "ADPrep /forestprep" command, and resulting extension, click ***View ADPrep Output***.
Plug the Schema Master back into the network. Before further steps may be completed, the Schema Master must replicate the changes to all other DCs. Wait at least 15 minutes where the entire forest is a small, local network with only one domain; wait as long as 24 hours for a large forest where domains exist between slow WAN links.
Insert the Windows 2003 cd into the Infrastructure Master. For help on finding which computer is the Infrastructure Master, and more information on the FSMO Roles, visit ***link to FSMO info***
Open a command prompt. From the <CD-ROM>\i386 directory, run the command "adprep /domainprep". This command will update the schema at the domain level, and will need to be run on the Infrastructure Master in each domain. To view the output of the "ADPrep /domainprep" command, and resulting extension, click ***View ADPrep Output***.
Before further steps may be completed, the Schema Master must replicate the changes to all other DCs. Wait at least 15 minutes where the entire forest is a small, local network with only one domain; wait as long as 24 hours for a large forest where domains exist between slow WAN links.
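The two replication waits above (after forestprep and after domainprep) are fixed timers. As an added example that is not part of the original article and is not a Fusion 13 or Microsoft script, the batch file below makes the forestprep wait verifiable: it reads the objectVersion attribute of the Schema container on every DC with ldifde (present on every Windows 2000/2003 DC). Windows 2000 ships the schema at objectVersion 13 and adprep /forestprep from the Windows Server 2003 CD raises it to 30, so a DC still reporting 13 has not received the change yet. For any DC that is still pending, it prints repadmin /showreps (from the Support Tools) so the stalled replication partner is visible; that same repadmin check is the one to use after domainprep. The forest root corp.example and the DC names in DCS are placeholder assumptions.

```batch
@echo off
rem Added example, not from the original article: confirm that the adprep /forestprep
rem schema change has replicated to every DC instead of waiting a fixed time.
rem Assumed (hypothetical) values: forest root corp.example, DC names in DCS.
rem objectVersion 13 = Windows 2000 schema, 30 = Windows Server 2003 schema.
setlocal enabledelayedexpansion
set SCHEMA_DN=CN=Schema,CN=Configuration,DC=corp,DC=example
set DCS=dc1.corp.example dc2.corp.example dc3.corp.example
set EXPECTED=30
set OUTDIR=C:\diags
if not exist %OUTDIR% mkdir %OUTDIR%
set PENDING=0

for %%D in (%DCS%) do (
    rem base-scope export of only objectVersion, bound to this specific DC with -s
    ldifde -s %%D -d "%SCHEMA_DN%" -p base -l objectVersion -f %OUTDIR%\schema-%%D.ldf >nul
    set VER=unknown
    rem ldifde writes "objectVersion: NN"; token 2 is the number
    for /f "tokens=2" %%V in ('findstr /b /i /c:"objectVersion:" %OUTDIR%\schema-%%D.ldf') do set VER=%%V
    if "!VER!"=="%EXPECTED%" (
        echo [OK]      %%D  objectVersion=!VER!
    ) else (
        echo [PENDING] %%D  objectVersion=!VER!  expected %EXPECTED% - do not run adprep /domainprep yet
        set PENDING=1
    )
)

rem For a pending DC, show the last replication result per partner; an entry that
rem does not read "was successful" identifies the link that is holding things up.
if %PENDING%==1 for %%D in (%DCS%) do repadmin /showreps %%D
endlocal & exit /b %PENDING%
```

Run it from the Schema Master once it is back on the network; an exit code of 0 means every listed DC reports the 2003 schema version and the domainprep step can proceed. An unreachable DC leaves VER at "unknown" and is reported as pending rather than silently skipped.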
Run Diagnostic Tests. If any errors are detected, fix and rerun the Diagnostic Test.
Run DCDiag with the command "dcdiag /s:<DomainController> /n:<DomainName> /v /f:C:\diags\dcdiag.log" (without the quotes) where C:\diags is where you would like to store the log files
Run NetDiag with the command "netdiag /v > C:\diags\netdiag.log" (without the quotes) where C:\diags is where you would like to store the log files
Note: to run the above tests, you will need to install the Windows 2000 Support tools from the Windows 2000 Server CD-ROM (<CD-ROM>:\Support\Tools\SETUP.exe).
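The diagnostic step appears twice in this procedure (before forestprep and after domainprep), and both times the decision is "if any errors are detected, fix and rerun". As an added example that is not from the original article, the batch file below runs both tests with the switches given above, keeps the verbose logs, and then scans them for failure markers so that decision is made from the log rather than by reading it by eye. The values dc1, corp.example and C:\diags are placeholder assumptions; the strings it searches for are dcdiag's "failed test" result lines and netdiag's "Failed" / "[FATAL]" markers. It requires the Windows 2000 Support Tools noted above.

```batch
@echo off
rem Added example, not from the original article: run dcdiag and netdiag to log
rem files and flag failing tests. Assumed (hypothetical) values: DC dc1, domain
rem corp.example, log directory C:\diags. Requires the Windows 2000 Support Tools.
setlocal
set DC=dc1
set DOMAIN=corp.example
set LOGDIR=C:\diags
if not exist %LOGDIR% mkdir %LOGDIR%

rem Same switches as the steps above: verbose output, written to a log file
dcdiag /s:%DC% /n:%DOMAIN% /v /f:%LOGDIR%\dcdiag.log
netdiag /v > %LOGDIR%\netdiag.log

rem findstr exits 0 when it finds a match, so a hit marks the run as failed
rem and the matching lines are printed for the operator to act on.
set RC=0
echo --- dcdiag failures ---
findstr /i /c:"failed test" %LOGDIR%\dcdiag.log && set RC=1
echo --- netdiag failures ---
findstr /i /c:"Failed" /c:"[FATAL]" %LOGDIR%\netdiag.log && set RC=1

if %RC%==1 (
    echo Diagnostics reported failures - fix them and rerun before running adprep or dcpromo.
) else (
    echo Diagnostics passed - full logs are in %LOGDIR%.
)
endlocal & exit /b %RC%
```

The exit code makes the script usable from a larger change script, and the two echo headers keep the printed failure lines attributable to the tool that produced them. Because the verbose logs name every DC, site and DNS record in the domain, keep C:\diags readable by administrators only.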
Promote the Windows Server 2003 ® Domain Controller
Run DCPromo. On the Windows Server 2003 ® box, Click Start > Run type "dcpromo" (without the quotes).
If Terminal Services ® is installed, you will receive a message that only Administrators will be able to log on via TS unless Group Policy is changed. Click OK.
The Active Directory Installation Wizard will start. Click Next.
Ensure that the "Operating System Compatibility" is sufficient. Click Next.
Select "Additional domain controller for an existing domain". Click Next.
Enter the Username, Password, and Domain for an account that has permissions to add Domain Controllers to the domain.
Ensure the domain name in the "Domain name:" field is correct. Click Next.
The default location for the Database and Log folders is "C:\WINDOWS\NTDS" on systems where C:\ is the system drive. Although it is not necessary, for performance and recoverability you may wish to change these values. Click Next.
The default location for the SYSVOL folder is "C:\WINDOWS\SYSVOL" on systems where C:\ is the system drive. Although it is not necessary, for performance and recoverability you may wish to change this value. Click Next.
Enter a Restore Mode Administrator password. This password will only be needed when starting the server in Directory Services Restore Mode. Click Next.
Ensure all settings are correct, Click Next when you are prepared to begin Active Directory ® installation on your Windows 2003 Server (our graphic below depicts a default AD Installation).
Active Directory will begin installation, and the animated Active Directory Installation graphic will appear.
Active Directory installation can take as little as 10 minutes for very small domains, or considerably longer for larger ones. When Active Directory installation is complete, the Completing Installation Wizard graphic will be displayed. Click Finish.
The Server will need to be rebooted before Active Directory installation is complete. Click "Restart Now" to reboot the new Domain Controller.
Suggested Resources
Get 'em while they're cheap.
Title: Windows 2000 Active Directory
Publisher: New Riders
Description: Avoid problems, find solutions, and receive first-hand advice. New Riders helps you get the most of Active Directory's potential.
ISBN: 0735708703
Price Discount: 50%

Title: Understanding and Designing Your Active Directory Infrastructure
Publisher: Sams
Description: Design, Implementation, Installation, Interaction and more. Sams provides a wealth of AD information.
ISBN: 0672321858
Price Discount: 50%

Title: Windows 2000 Active Directory Black Book
Publisher: Coriolis
Description: Active Directory subsystem, lookup protocols, security, auditing, and integration.
Fusion 13 has taken painstaking effort to ensure the validity of its data;
however, the information contained in this document is provided without warranty.
The data presented is offered simply as a suggestion.
Fusion 13 can in no way be held responsible for how these suggestions are implemented in any environment.