By now, you've heard a lot about Windows Server 2003 and the advantages it might hold for your Active Directory (AD) infrastructure. If you've looked at the product documentation, you've probably discovered that the Windows 2000–to–Windows 2003 domain controller (DC) upgrade process is straightforward. But you might not realize that before you can upgrade to a Windows 2003 AD infrastructure, you need to use the Adprep utility to prepare your Win2K AD forest schema and structure.
The Adprep process appears to be straightforward. The utility has two options: Forestprep, which you run once for the forest, and Domainprep, which you run once in each domain. Although executing the process doesn't take long, you need to make sure that you fully understand the utility's prerequisites and prepare for its effects because Adprep has a permanent impact on the entire forest.
Adprep Prerequisites
As with any major system change, you should review the Microsoft Knowledge Base for any information related to Adprep that didn't make it into the product documentation. For example, the Microsoft article "Hotfixes to Install on Windows 2000 Domain Controllers Before Running Adprep /Forestprep" (http://support.microsoft.com/?kbid=331161) details which service pack level and hotfixes you should have in place before you run the utility. Essentially, you should have at least Win2K Service Pack 2 (SP2) installed on your DCs. If you have a lot of DCs or a large AD database (the article doesn't define large), you should install SP3 because it contains a fix that makes indexing for new attributes an operation that has little impact on a DC's performance. Because SP4 is the current service pack, this requirement shouldn't present a problem.
Even though the schema upgrade is a well-understood process with few failures, it's also irreversible. After you execute Forestprep and its changes have replicated to your forest, performing an authoritative restore of your entire AD infrastructure is the only way to back out. Before you run a large schema upgrade, make sure your AD infrastructure is healthy. You should have system-state backups of at least two DCs in each domain, and you should have tested the backup restores. If you have a large AD database (C:\%systemroot%\ntds\ntds.dit), you should have backups of every DC; a restore from tape is faster than replicating and rebuilding the database. The Microsoft article "How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003" (http:// support.microsoft.com/?kbid=325379) provides up-to-date details about upgrading your Win2K DCs to Windows 2003 and discusses auditing your domains for down-level clients and making sure your DCs are at the correct software level. If you run or intend to run Microsoft Exchange 2000 Server in your forest, check out the article's discussion about how Forestprep redefines three non–Internet Engineering Task Force (IETF) Request for Comments (RFC)–compliant attributes: houseIdentifier, secretary, and labeledURI. If you've already run the Win2K InetOrPerson Kit, you shouldn't have a problem. If you haven't and you run Forestprep, you might mangle the attributes. Therefore, before you run Adprep, run a Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) file that fixes the Exchange schema problems. See "How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003" for details.
Another little-known consideration of the DC upgrade is that it disables the Distributed Link Tracking Server service, a service that pairs with the Distributed Link Tracking Client service to track links (e.g., shortcuts) as files move on a computer or among computers. Microsoft recommends that you disable the service on DCs (do so now; you don't have to wait until you install Windows 2003) to reduce replication overhead and delete the Distributed Link Tracking tables in AD to reduce database size. See the Microsoft article "Distributed Link Tracking on Windows-Based Domain Controllers" (http://support.microsoft.com/?kbid=312403) for details.
Forestprep Execution and Console Output
To run Forestprep, log on to the forest's schema master console with an account that's a member of both the Enterprise Admins and Schema Admins groups. By default, the schema master is the first DC in the forest. You can identify the schema operations master by running the Netdom Query FSMO command (from the Microsoft Windows 2000 Resource Kit).
Although you could separate adprep.exe and its required files, prestaging the entire \i386 folder to a temporary folder on the schema master and all infrastructure masters is easier and lets you locally execute the Forestprep and Domainprep commands. The Forestprep command is simple:
adprep /forestprep
After giving you a warning about the need to upgrade all your DCs to at least Win2K SP2, Forestprep gives you the following prompt to make sure you've installed Win2K SP2 or later:
[User Action]
Previous
Register
