Adding Windows 2003 Domain Controllers to a Windows 2000 Active Directory


Microsoft documents the process of adding a 2K3 server to a 2K domain here. You would think it would be as easy as running dcpromo from the newly added Windows Server 2003 system(s), but you'd be wrong. This is not always a simple, straightforward task. The following things should be kept in mind:

  • You need to have a healthy Active Directory. Much probing should be done beforehand to ensure this is the case.
  • If you have installed Exchange 2000 into the domain, then you need to patch Active Directory with a script so that when you prepare the forest schema with
    adprep /forestprep
    it doesn't get "mangled" (in Microsoft's own words). The script is simple enough to run, if you know the extra clues that Microsoft fails to provide in the above article.
  • You have to prepare the forest and the domain prior to promoting the first Windows Server 2003 system. You also need to check through the Active Directory schema to ensure that all went well.


In addition, there are the following considerations which Microsoft's article above doesn't bother to mention:

  • The need to enable schema changes. Neither the LDAP patch nor the /forestprep will succeed without this step.
  • How to connect to the Schema Operations Master with the Active Directory Schema MMC snap-in. After opening the snap-in as laid out in the article (you must register a .dll file before you can access it), click the + next to Active Directory Schema in the left-hand console tree; after a moment the tree expands. You are now connected to the schema server and may right-click Active Directory Schema to open the Change Schema Master page. Oddly, if you don't click the + before viewing the Change Schema Master page, you get an error stating that the server is offline, and the properties page also incorrectly shows that no AD server currently holds the schema master operations role. This can be quite disconcerting, to say the least, and may lead you down the wrong troubleshooting path, as it did me.
  • How to enable schema changes. Right-click Active Directory Schema and select Change Schema Master. Click to select the "The Schema may be modified on this Domain Controller" check box. Click OK, and then exit the console. Oddly, this check box doesn't seem to exist on the new 2003 server I have installed and transferred the schema FSMO role to.
  • That the DC=X must be filled in on the supplied InetOrgPersonPrevent.ldf script, which patches Windows 2000 Active Directories that have already been extended with the Exchange 2000 setup.exe /forestprep. Thankfully there is another set of LDAP actions, required and documented later in the article, which does explain the need in its own case. After careful scrutiny of the LDAP gobbledygook, I noticed the similarities between the two sets of required actions. (Fortunate for me, because there's no proceeding at all without making the change; the script will fail to run entirely.) The error I received reads something like:

    C:\Documents and Settings\Administrator.VSC1>ldifde -i -f inetorgpersonprevent.ldf -v -c DC=VSCLA1 "dc=VSystemComposite,dc=com"
    Connecting to "VSCLA1.VSystemComposite.com"
    Logging in as current user using SSPI
    Importing directory from file "inetorgpersonprevent.ldf"
    Loading entries
    1: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X

    Add error on line 1: Referral
    The server side error is "A referral was returned from the server."
    0 entries modified successfully.
    An error has occurred in the program

  • Note that the InetOrgPersonPrevent.ldf script will still fail even after schema changes are enabled unless you open the MMC snap-in for Active Directory Schema and click the +. After enabling schema modifications on the server, I thought it a good idea to reboot the system, as I had made a number of changes and even applied patches to the OS since the last boot. The last thing I want to do is run a script that would modify the Active Directory and have the server do something altogether unexpected. So, thinking safety first, I rebooted. Upon logging back in, I attempted to run the InetOrgPersonPrevent.ldf script, and I received this error:

    C:\Documents and Settings\Administrator.VSC1>ldifde -i -f inetorgpersonprevent.ldf -v -c DC=VSCLA1 "dc=VSystemComposite,dc=com"
    Connecting to "VSCLA1.VSystemComposite.com"
    Logging in as current user using SSPI
    Importing directory from file "inetorgpersonprevent.ldf"
    Loading entries
    1: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=VSystemComposite,DC=com

    Add error on line 1: Unwilling To Perform
    The server side error is "Schema update is not allowed on this DC. Either the registry key is not set or the DC is not the schema FSMO Role Owner."
    0 entries modified successfully.
    An error has occurred in the program


    This was resolved by opening the MMC snap-in for Active Directory Schema, connecting to the server and trying the script again.
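As an added example, not code from the original post or from Microsoft, here is the text substitution that ldifde's -c switch performs and a preflight over the resulting DNs, which would have caught the first failure above before anything was sent to the server (the echoed entry still ended in DC=X, so the DC answered with a referral). The LDF content is a constructed sample in the shape of that file, not its actual contents.

```python
import re

# Constructed sample in the shape of an ldifde import file. The attribute name
# is the one echoed in the page's ldifde output; the values are placeholders,
# not the contents of Microsoft's InetOrgPersonPrevent.ldf.
SAMPLE_LDF = """\
dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: lDAPDisplayName
lDAPDisplayName: msExchAssistantName
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"""

# Placeholder the file ships with; ldifde -c DC=X <domain DN> rewrites it.
PLACEHOLDER = re.compile(r"(^|,)DC=X(,|$)", re.IGNORECASE)


def substitute_dc(ldf_text, from_dn, to_dn):
    """What ldifde -c FromDN ToDN does: plain text replacement of from_dn."""
    return ldf_text.replace(from_dn, to_dn)


def preflight(ldf_text, domain_dn):
    """Return the problems that would make the import fail.

    A dn that still carries DC=X, or that lies outside domain_dn, names a
    partition this DC does not hold, so the server answers with a referral
    (the first error on the page). An empty dn is the rootDSE, which is
    where schemaUpdateNow is written, and is always acceptable.
    """
    problems = []
    dns = re.findall(r"^dn:[ \t]*(.*)$", ldf_text, re.MULTILINE)
    if not dns:
        problems.append("no dn: lines found")
    for dn in dns:
        if dn == "":
            continue  # rootDSE
        if PLACEHOLDER.search(dn):
            problems.append(f"placeholder not replaced: {dn}")
        elif not dn.lower().endswith(domain_dn.lower()):
            problems.append(f"outside {domain_dn}: {dn}")
    return problems
```

Passing a -c value that matches nothing in the file (the first attempt above used DC=VSCLA1) leaves the placeholder in place, and the preflight reports it instead of the server.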



I also came across some articles on MCSE World that gave good coverage of the preparation involved, complete with screenshots, and thoroughly covered addressing the Exchange 2000 / Windows Server 2003 directory incompatibility issues.