Section 2.4. Upgrading Previous and Existing Installations

2.4. Upgrading Previous and Existing Installations

Most organizations and businesses have extensive investments in previous versions of server operating systems. In this section, I'll cover issues you'll run into when upgrading from Windows NT and Windows 2000 to Windows Server 2003.

2.4.1. Upgrading Windows NT

A lot of companies are jumping the sinking NT shipend of life for the NT Workstation product was mid-2003 and NT Server's death is fast approaching as welland so it's highly possible you have some machines running NT that are worth upgrading. It's remarkably easy to upgrade any type of Windows NT installationbe it a primary domain controller (PDC), a backup domain controller (BDC), or a regular member serverto Windows Server 2003. Microsoft has taken great pains to ensure the upgrade to Windows Server 2003 is as painless as possible. The installation procedure follows a clean install reasonably closely, and in fact requires less hands-on work. The program doesn't prompt you at all after the inception of the installation, and at the beginning, you're asked only for the CD Key and to acknowledge any compatibility issues.

NT upgraders should, however, note the following points:

The Windows NT installation must be running Service Pack 5 or greater. You can download the most recent update, Service Pack 6a, from http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp. Other acceptable Windows NT versions include NT Terminal Server Edition with SP5 or later, and NT Server Enterprise Edition, also with SP5 or later.
Little to no reconfiguration is required with an upgrade installation because existing users, settings, groups, rights, and permissions are saved and automatically applied during the upgrade process. You also don't need to remove files or reinstall applications with an operating system version upgrade.
Before the upgrade, you should evaluate the hardware on which Windows Server 2003 will run. Does it require an upgrade based on the minimum or recommended hardware requirements covered earlier in this chapter?
On a machine that's a candidate for Windows Server 2003, insert the Windows Server 2003 CD and run winnt32.exe with the /checkupgradeonly switch. (If you don't have AutoRun disabled, the splash screen that pops up will allow you to run the upgrade tester directly from therewithout the need for a command prompt.) This will present a report to you with issues that the Setup program detects which might cause problems with an upgrade to Windows Server 2003.
In an environment with domain controllers running both Windows NT and Windows 2000, it's highly recommended that you upgrade the Windows NT domain controllers as soon as possible. You get better security for your client-to-server transmissions and you can take full advantage of Active Directory features that I'll discuss in Chapter 5.

The upgrade procedure for an NT domain, although relatively straightforward, is involved. First, you must choose the first server to upgrade in your Windows NT domain. As you upgrade different machines, depending on their existing role in the domain, features and capabilities become available with Windows Server 2003 on the upgraded machine.

In particular, upgrading an NT PDC enables all the included Active Directory features, as well as the other capabilities inherent in any Windows Server 2003 server, such as improved Routing and Remote Access service features, no matter the role. Note that you can upgrade Windows NT member servers at any time during your migration plan. Most migration plans specify that member servers are last on the list to receive the upgrade. However, regardless of the order, when you begin upgrading NT domain controllers to Windows Server 2003, you must upgrade the PDC before any other domain controller machines.

Chapter 5 contains quite a bit of detailed information on moving from NT to Windows Server 2003. It's a complex procedure that deserves an in-depth discussion.

As well, if you have a member server functioning as a remote access server (RAS) machine, you should upgrade it to Windows Server 2003 before the last domain controller is upgraded. The RAS machine has certain security requirements that are incompatible between the different operating system versions. This means that if you have only one domain controller in your domain, you need to upgrade your RAS machine before beginning any domain controller upgrades.

Regarding storage, you might want to examine the following disk issues before upgrading.

Partition sizes

On machines upgrading from NT to Windows Server 2003, ensure that the system partition of each machine has plenty of disk space. This is especially true of domain controllers because converting a SAM database to an Active Directory database full of the latter's capabilities can increase the SAM's size by as much as 10 times.

Filesystems

Domain controllers require their system partitions to be formatted with the NTFS filesystem. Although as a general procedure I recommend formatting all partitions on all server machines with NTFS, you are not required to do so unless the machine in question is a domain controller.

Volume, mirror, and stripe sets

Upgrading to Windows Server 2003 Enterprise Edition from NT on a system with volume, mirror, or stripe sets (including stripe sets with parity) which were created under NT requires some modifications of those sets. Because Windows Server 2003 includes new dynamic disk technologies, support for older enhanced disk features has been removedand this is indeed a change from Windows 2000. You will need to do the following before you upgrade to Windows Server 2003 from NT, depending on your current disk situation.

Break any mirror sets: Before running Setup, simply break the mirror. It's wise to back up the filesystem first, but the mirror-breaking procedure will not erase any data on either drive.
For all other media sets, back up any data on the set, and then delete the set: Before running Setup, you'll need to back up any data on the set, and then delete the set. The backup step is crucial in this case because deleting the set also will delete any data on the drives. When Setup is complete, you can replicate your existing disk configuration using native Windows Server 2003 tools and restore any data required.

For more information on native Windows Server 2003 tools to replicate your existing NT fault-tolerant functionality, consult Chapter 12.

2.4.1.1 Evaluating NT-based Windows Server 2003 interoperability issues

As with any complex upgrade, issues exist concerning interoperating with the various operating system revisions, levels, and versions that currently reside on your network.

Windows Server 2003 domain controllers by default digitally sign network communications and verify the authenticity of parties to a transaction. These settings help prevent communications between machines from being hijacked or otherwise interrupted. Certain older operating systems are not capable of meeting these security requirements, at least by default, and as a result are unable to interact with Windows Server 2003 domain controllers. Such operating systems are Windows for Workgroups, Windows 9x machines without the Directory Services client pack, and Windows NT 4.0 machines prior to Service Pack 4.

Windows Server 2003 domain controllers by default require all clients to digitally sign their server message block (SMB) communications. The SMB protocol allows Windows systems to share files and printers, and enables various remote administration functions, as well as logon authentication over a network. If your clients are running one of the operating systems mentioned in the previous paragraph and upgrading them to a later revision is not an option, you'll need to turn off the SMB signing requirement by disabling the following security policy in the Default Domain Controller GPO on the Domain Controllers OU:

 Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Microsoft Network Server:  Digitally sign communications (always)

If you are certain you want to disable secure signing, follow these steps:

Log on to a machine that has the Active Directory Users and Computers snap-in installed.
Click Start, then click Run..., and enter DSA.MSC into the Open box and click OK.
Expand the domain that contains your domain controller machines by clicking its icon.
Right-click the Domain Controllers organizational unit and then click Properties.
Click the Group Policy tab, select Default Domain Controller Policy, and then click Edit.
Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, and Security Options.
In the result pane, double-click the security option you want to modify, as indicated previously.
Check the Define this policy setting checkbox.
Disable or enable the security setting, as desired, and click OK.

Additionally, Windows Server 2003 domain controllers similarly require that all secure channel communications be either signed or encrypted. Secure channels are encrypted tunnels of communication through which Windows-based machines interact with other domain members and controllers, as well as among domain controllers that have a trust relationship. Windows NT 4.0 machines prior to Service Pack 4 are not capable of signing or encrypting secure channel communications. If NT 4.0 machines at a revision earlier than SP4 must participate in a domain, or if a domain must trust other domains that contain pre-SP4 domain controller machines, you can remove the secure channel signing requirement by disabling the following security policy in the Default Domain Controller GPO:

Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain Member:  Digitally encrypt or sign secure channel data (always)

You risk exposing your domain controller transmissions to so-called "man in the middle" attacks by disabling these security settings. Therefore, it is highly recommended that you upgrade your clients instead of disabling this security setting. You can obtain the DS Client Pack, necessary for Windows 9x clients to perform SMB signing, from the \clients\win9x subdirectory of the Windows server CD.

If you are certain you want to disable secure channel signing and encryption, follow the steps outlined in the section immediately previous.

2.4.2. Upgrading Windows 2000 Server

Upgrading from Windows 2000 to Windows Server 2003 is straightforward. You simply insert the CD, perform the in-place upgrade, and wait for Setup to process some data. Then, out comes your Windows Server 2003 server. You might think this section is ridiculously short, but in reality, 2000 Server and Windows Server 2003 are so alike that upgrades to the base operating system are really simple, almost akin to applying a service pack. (If you involve Active Directory, the process becomes a little more complicated than that, but I'll discuss those issues in Chapter 5.)

The only key to an even smoother installation is to ensure that your 2000 Server system is configured exactly as you want it before the upgrade, and that all third-party software installed on the system, be it application software or drivers, is compatible with Windows Server 2003. It can be a nasty surprise to launch the newly upgraded system and see a blue screen before ever logging on. To do this, on a machine that's a candidate for Windows Server 2003, insert the Windows Server 2003 CD and run winnt32.exe with the /checkupgradeonly switch (or, as mentioned before, select Check System Compatibility from the CD splash screen if you don't have AutoRun disabled). This will present a report to you with issues that the Setup program detects might cause problems with an upgrade to Windows Server 2003.

Other than those issues, Windows 2000 Server to Windows Server 2003 migrations are simplicity defined.