Upgrading from Windows 2000 Active Directory domain controllers to Windows Server 2003

First, run the following command on the Schema FSMO domain controller with the credentials of an account that is in both the Enterprise Admins and Schema Admins groups:

> adprep /forestprep

After the updates from /forestprep have replicated throughout the forest, run the following command on the Infrastructure FSMO domain controller in each domain with the credentials of an account in the Domain Admins group:

> adprep /domainprep

If the updates from /forestprep have not replicated to at least the Infrastructure FSMO servers in each domain, an error will be returned when running /domainprep. To debug any problems you encounter, see the ADPrep log files located at %SystemRoot%\System32\Debug\Adprep\Logs.

adprep can be found in the \i386 directory on the Windows Server 2003 CD. The tool relies on several files in that directory, so you cannot simply copy that file out to a server and run it. You must run it either from a CD or from a location where the entire directory has been copied.

To determine if adprep /domainprep completed, check for the existence of the following object, where is the distinguished name of the domain:

cn=Windows2003Update,cn=DomainUpdates,cn=System,

To determine if adprep /forestprep completed, check for the existence of the following object, where is the distinguished name of the forest root domain:

cn=Windows2003Update,cn=ForestUpdates,cn=Configuration,

The adprep command prepares a Windows 2000 forest and domains for Windows Server 2003. Both /forestprep and /domainprep must be run before you can upgrade any domain controllers to Windows Server 2003 or install new Windows Server 2003 domain controllers.

The adprep command serves a similar function to the Exchange 2000 setup /forestprep and /domainprep commands, which prepare an Active Directory forest and domains for Exchange 2000. The adprep /forestprep command extends the schema and modifies some default security descriptors, which is why it must run on the Schema FSMO domain controller and under the credentials of someone in both the Schema Admins and Enterprise Admins groups. In addition, the adprep /forestprep and /domainprep commands add new objects throughout the forest, many of which are necessary for new features supported in Windows Server 2003 Active Directory.

If you’ve installed Exchange 2000 or Services For Unix 2.0 in your forest prior to running adprep, there are schema conflicts with the adprep schema extensions that you’ll need to fix first. MS KB 325379 and 314649 have a detailed list of compatibility issues and resolutions.

One of the nice features of adprep is it stores its progress in Active Directory. For /domainprep, a container with a distinguished name of cn=DomainUpdates,cn=Sys-tem, is created that has child object containers cn=Operations and cn=Windows2003Update. After adprep completes a task, such as extending the schema, it creates an object under the cn=Operations container to signify its completion. Each object has a GUID for its name, which represents some internal operation for adprep. For /domainprep, 52 of these objects are created. After all of the operations have completed successfully, the cn=Windows2003Update object is created to indicate /domainprep has completed.

For /forestprep, a container with the distinguished name of cn=ForestUp-dates,cn=Configuration, is created with child object containers cn=Operations and cn=Windows2003Update. The same principles apply as for /domainprep except that there are 36 operation objects stored within the cn=Operations container. After /forestprep completes, the cn=Windows2003Update object will be created that marks the successful completion of /forestprep.