Chapter 2: Upgrading to Windows Server 2003 Active Directory

PDC Offline Operations

During the process of upgrading the operating system on the primary domain controller (PDC) from Windows NT 4.0 to Windows Server 2003 and installing Active Directory, client operations such as logon and resource access will continue to function because these services are provided by backup domain controllers. However, because the PDC is offline during most phases of the upgrade process, typically between one and three hours, operations that require data to be written to the domain will not succeed. For example, users will not be able to change their passwords and administrators will not be able to create, delete, or unlock user accounts. Administrative tools, such as User Manager for Domains or Server Manager, can be used only in read-only mode on backup domain controllers in the domain. In addition, you will not be able to create new objects, such as users and groups, while the PDC is offline.

Client Authentication

If your organization includes client computers that are running Microsoft Windows 2000 or Windows XP operating systems in the domain, it is recommended that you upgrade all Windows NT 4.0 “based domain controllers as quickly as possible. This is because all Windows 2000 and Windows XP clients will only use Windows Server 2003 domain controllers for logon after you upgrade the PDC.

Service Compatibility

Until you upgrade all workstations and servers to Windows 2000 or later, continue to run your environment in the pre-Windows 2000 compatible access mode. This mode allows services that run in the context of the Local System account, such as Remote Access Services (RAS), to operate properly. To enable the pre- Windows 2000 compatible access mode, you can do one of the following:

• While installing Active Directory on the upgraded Windows NT 4.0 PDC, on the Permissions page of the Active Directory Installation wizard, select Permissions compatible with pre-Windows 2000 Server operating systems .

  “ or “

• Add the Everyone group and the Anonymous Logon group to the Pre-Windows 2000 Compatible Access built-in group by using Active Directory Users and Computers or the command line.

  To add the Everyone group to the Pre-Windows 2000 Compatible Access Group by using the command line, at the command line, type

    net localgroup "Pre-Windows 2000 Compatible Access" Everyone   /add  

  To add the Anonymous Logon group to the Pre-Windows 2000 Compatible Access Group by using the command line, at the command line, type

    net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /add  

  Note	After this update to the Pre-Windows 2000 Compatible Access group replicates, you must restart the Server service on all domain controllers.

After you upgrade all RAS servers, and when you no longer need backward compatibility with operating systems earlier than Windows 2000, remove the Everyone group and the Anonymous Logon group from the Pre- Windows 2000 Compatible Access built-in group. For more information about removing the Everyone group and the Anonymous Logon group from the Pre- Windows 2000 Compatible Access group, see Eliminate Anonymous Connections to Domain Controllers later in this chapter.

WINS and DHCP Services

If you have WINS or DHCP running on a domain controller, you need to consider the effect of the upgrade on these services. Both WINS and DHCP are designed to upgrade their databases automatically when you upgrade from Windows NT 4.0 to Windows Server 2003, so you do not need to perform any additional steps to upgrade these services after you upgrade the operating system. However, after you install Active Directory, you must authorize your Windows Server 2003 “based DHCP servers in Active Directory before they will continue to lease IP addresses. For more information about authorizing DHCP servers in Active Directory, see Authorize the DHCP Service later in this chapter.

After you upgrade the server operating system to Windows Server 2003, test the WINS and DHCP services to ensure that performance meets the appropriate standards. If performance is not satisfactory, you can migrate the services to a different computer. For more information about migrating WINS and DHCP services to a different computer, see Upgrading and Migrating WINS and DHCP Servers to Windows Server 2003 in this book.

LAN Manager Replication Service and File Replication Service

During the upgrade process, for a period of time one or more domain controllers might be running Windows Server 2003 while others are still running Windows NT 4.0. Windows Server 2003 and Windows NT 4.0 domain controllers use different file replication services. If you have files that are replicated between domain controllers, such as logon scripts, you will need to manage them separately.

SMB Packet Signing

SMB packet signing is a security mechanism that protects the data integrity of SMB traffic between client computers and servers, and prevents man-in-the- middle attacks by providing a form of mutual authentication. This is done by placing a digital security signature into each SMB packet, which is then verified by the receiving party. Server-side SMB signing is required by default on Windows Server 2003 “based domain controllers, which means that all clients are required to have SMB packet signing enabled.

Clients running Windows NT 4.0 with Service Pack 2 or earlier, and clients running the Microsoft Windows 95 operating system without the Directory Service Client Pack, do not support SMB packet signing. These clients will not be able to authenticate to a Windows Server 2003 “based domain controller. To ensure successful authentication, upgrade these clients to a later version of the operating system or Service Pack. However, if you cannot upgrade your clients, you can allow them to be authenticated by configuring SMB packet signing on all Windows Server 2003 “based domain controllers so that SMB packet signing is preferred but not required.

For more information about SMB packet signing, see Microsoft network server: Digitally sign communications (always) in Help and Support Center for Windows Server 2003.

For more information about configuring SMB packet signing on Windows Server 2003 “based domain controllers, see Modify Security Policies later in this chapter.

For more information about the Directory Services Client Pack, see article 323466, Availability of the Directory Services Client Update for Windows 95 and Windows 98 in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Secure Channel Signing and Encryption

When a computer becomes a member of a domain, a computer account is created. Each time the computer starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to ensure secure communications between a domain member and a domain controller for its domain. Secure channel signing is required by default on Windows Server 2003 “based domain controllers, which means that all clients must enable secure channel signing and encryption.

Clients running Windows NT 4.0 with Service Pack 3 or earlier installed do not support secure channel signing. These clients will not be able to establish communications with a Windows Server 2003 “based domain controller. To ensure successful communication, upgrade these clients to a later version of the operating system or Service Pack. However, if you cannot upgrade your clients, you must disable secure channel signing on all Windows Server 2003 “based domain controllers so that the traffic passing through the secure channel is not required to be signed or encrypted.

For more information about secure channel signing, see Domain member: Digitally encrypt or sign secure channel data (always) in Help and Support Center for Windows Server 2003.

For more information about configuring secure channel signing on Windows Server 2003 “based domain controllers, see Modify Security Policies later in this chapter.