Common mistakes when upgrading a Windows 2000 Domain to a Windows 2003 Domain
SUMMARY
SYMPTOMS
The upgrade procedure:
http://support.microsoft.com/?kbid=325379
Best practices:
http://technet2.microsoft.com/WindowsServer/en/Library/5d85f43e-b757-4ba1-ac38-aa49f4c45fdf1033.mspx
Upgrade checklist:
http://technet2.microsoft.com/WindowsServer/en/Library/37d7a3eb-3c83-4fe6-9d7d-1974d410f9531033.mspx
Solution Accelerator for Domain Server Consolidation and Migration: Windows NT 4.0 to Windows Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyID=51047540-d6fe-4ca2-9975-e831acb66239&DisplayLang=en
RESOLUTION
1. Do you have sufficient disk space to complete the upgrade process?
http://technet2.microsoft.com/WindowsServer/en/Library/d38133ce-dc8e-4817-92a5-a5d37727abb11033.mspx
2. Do you have Windows 2000 Service Pack 4 on all the domain controllers and Exchange Servers?
http://support.microsoft.com/default.aspx?scid=kb;en-us;331161
3. Do you have Exchange 2000 / SharePoint 2001/2003 / Services for Unix 2 in your domain/forest? Some applications like these are not supported by Windows 2003 servers and should be upgraded to new versions or moved to alternative servers.
http://support.microsoft.com/default.aspx?scid=kb;en-us;821732
4. Do you have to fix Active Directory schema? You can read and find information on this issue in:
http://support.microsoft.com/default.aspx?scid=kb;en-us;325379
http://support.microsoft.com/default.aspx?scid=kb;en-us;314649
5. Do you have any third party software/hardware that is not supported by Windows 2003?
You can read and find information on this issue in: http://www.microsoft.com/whdc/hcl/default.mspx
6. Have you upgraded the application to the latest service pack? Some applications that reside in the domain may need to be upgraded to the latest service pack as recommended by the application vendor.
7. Do you have any legacy operating systems and/or UNIX/Linux operating systems? You can read and find information on this issue in:
http://support.microsoft.com/default.aspx?scid=kb;[LN];555038
8. Do you have a disaster recovery plan? Do you have full system backups (don't forget to test the backup data)?
9. Do you have the "Active Directory restore mode" password? Without this password you can't restore Active Directory from the latest backup.
10. Do you need to enable Windows 2000 Schema update? - Windows 2000 Schema should be configured to allow Schema update.
http://support.microsoft.com/?kbid=285172
11. Do you have the correct version of Windows 2003? You cannot install Active Directory on "Web Server" edition or upgrade "Windows 2000 Advanced Server" to "Windows 2003 Server" (you will need "Windows 2003 Enterprise" edition).
Also, you usually can't upgrade OEM versions of NT4/2000 to Windows 2003 or use a Windows 2003 OEM version as an upgrade version:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823762
12. If you plan to upgrade your Windows 2000 forest to Windows 2003, upgrade your ADC to the Exchange 2003 version before raising the functional level of the forest. If you don't, the older ADC will be unable to correctly handle Linked Value Replication on group membership (Exchange Service Packs contain ADC).
http://support.microsoft.com/default.aspx?scid=kb;en-us;825916
http://support.microsoft.com/default.aspx?scid=kb;en-us;823601
13. Does your system have a correct DNS infrastructure? Are the servers and clients configured to use the correct DNS servers?
(I found out that some users configure their servers to use external DNS [ISP servers] and not local DNS servers).
Also, using single-label DNS names may require some configuration changes:
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684
14. You can't upgrade from SBS 2000 to a regular Windows 2003 domain. However, you can upgrade SBS 2000 to SBS 2003, or move to a Windows 2003 domain by using an export/import migration process.
15. Do you have (at least) Read permission for all GPOs in the domain? (If the Domain Admin group doesn't have this permission, the GPO upgrade will fail, usually in the ADPREP /Domainprep step.)
16. Do you need to open any ports in the company firewall/router?
(Archive only available) http://web.archive.org/web/20040414170145/http://support.microsoft.com/?kbid=289241
How to enable IPSec traffic through a firewall: http://support.microsoft.com/kb/233256/en-us
17. Did you move Exchange Enterprise Servers Group and Exchange Domain Servers Group to another container?
http://support.microsoft.com/default.aspx?scid=kb;en-us;260914
18. Did you install Windows 2003 on a multi-homed computer?
http://support.microsoft.com/default.aspx?scid=kb;en-us;832478
19. Did you use the InetOrgPerson object in the domain?
http://support.microsoft.com/default.aspx?scid=kb;en-us;307998
20. If you need to upgrade Small Business Server Domain Environment to regular Windows 2003 Domain, read:
http://support.microsoft.com/default.aspx?scid=kb;[LN];555073
21. Install WINS server and configure the clients to use it. Although most people think that there is no need to use WINS server in the network, there may be some situations that you might need to use NetBIOS name resolution in your network:
http://support.microsoft.com/default.aspx?scid=837391
22. If you need to migrate to Windows 2003 R2 Domain, consider the migration in two stages:
a. Migration from NT/2000 Domain to Windows 2003 Domain
b. Migration from Windows 2003 Domain to Windows 2003 R2 Domain.
Note: There are no technical limitations on migrating directly to a Windows 2003 R2 Domain, but the two-stage approach reduces project risk, allows faster rollback and facilitates troubleshooting.
I found some nice tips that can save time and may help you in the upgrade process:
1. Move all FSMO roles to one domain controller and configure all the DCs as GCs.
2. Move the domain controller from step 1 to a unique VLAN that is isolated from the regular network.
3. Back up the domain controller from step 1 by using a tape backup and an imaging utility.
4. After running ADPREP /Forestprep check that Windows 2003 schema upgrade contains new 2003 forest attributes.
5. After running ADPREP /Domainprep check that Windows 2003 schema upgrade contains new 2003 domain attributes.
6. Disable any antivirus software on the server before the upgrade process.
7. Log on to the domain controller from step 1 with an account that is a member of: Enterprise Admin group, Domain Admin group, Schema Admin group - and if you have Exchange System in your organization - the account should be with Full Exchange Admin permission on the Exchange organization, administrative groups (sites in Exchange 5.5 environment), Exchange Servers (and in Exchange 5.5 environment - also full control on "Configuration" container).
8. Test this upgrade in a lab before implementing it on a production server.
9. Copy the I386 directory content from the Windows 2003 CD, to the local server hard disk.
10. Verify that all servers in the domain have the correct time zone and are configured to synchronize from the same server (usually this is the PDC emulator).
11. Activate the new Windows 2003 Server before implementing any changes on the system.
12. If you add a new Windows 2003 server to the domain, make sure you configure the correct domain name and domain suffix.
13. Don't use forbidden characters in the domain and/or server name (e.g. *, _).
14. Before you implement Windows 2003 CA, Windows 2003 Cluster or Exchange 2003, configure at least one DC as a Windows 2003 DC and GC, and configure Windows 2003 CA, Windows 2003 Cluster and Exchange 2003 to use this server as the default logon server.
15. If you have a multi-domain hierarchy, upgrade the forest root domain first, and only after that upgrade the rest of the forest.
16. If you have a multi-site hierarchy, let the changes made by the ADPREP command replicate to all other sites. Verify that each DC upgrades its schema version before you install the Windows 2003 Server.
17. After running ADPREP command, open %systemroot%\system32\debug\adprep\logs\ADPrep.log, and see if there are error messages that might need to be resolved.
18. Read: How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2 article before beginning the migration.
http://support.microsoft.com/default.aspx?scid=kb;en-us;322970
"SIDHistory Could Not Be Updated Due to a Configuration or Permissions Problem" Error Message When You Use the ADMT Tool
http://support.microsoft.com/kb/835991/en-us
How to use a SID mapping file with the ADMT tool to perform a resource domain migration to Windows Server 2003
http://support.microsoft.com/kb/826896/en-us
After migrating SID History you receive: "you don't have permissions.." error:
http://www.mcse.ms/message2249994.html
19. If you are installing Exchange 2000/2003, it's recommended to run Policytest.exe utility before the upgrade:
http://support.microsoft.com/default.aspx?scid=kb;en-us;281537&FR=1&PA=1&SD=HSCH
20. Read: HOW TO: Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;326209
HOW TO: Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration
http://support.microsoft.com/kb/832221/en-us
http://support.microsoft.com/?kbid=260871
How to Use Active Directory Migration Tool Version 2 to Migrate from Windows 2000 to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;326480
Active Directory Migration Tool v3.0 (Download)
http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en
How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;325379
Upgrading to Windows Small Business Server 2003
http://www.microsoft.com/WindowsServer2003/sbs/upgrade/default.mspx
Domain Migration Cookbook
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp1.mspx
Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
21. If the upgrade process is expected to take more than a few hours, consider changing the domain configuration to eliminate overload on the First Domain Controller.
http://support.microsoft.com/?kbid=298713
22. Review the new settings of Windows 2003 Service Pack 1:
http://www.microsoft.com/technet/downloads/winsrvr/servicepacks/sp1/default.mspx
Note: New functionality was added to Windows 2003 Service Pack 1. Skipping this stage may limit server functionality and the forest and domain may not operate correctly.
23. Review "ADPREP /domainprep /gpprep" command functions and use.
http://support.microsoft.com/default.aspx?scid=kb;en-us;324392&FR=1&PA=1&SD=HSCH
24. Verify that you are using an account that has the "Delegation Privilege" right.
http://support.microsoft.com/?kbid=232070
25. If you need to move computers accounts to a new domain, disable "Offline Folder" use on the local computers. After the migration, you can enable it again.
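One way to carry out the checks in tips 4, 5 and 16, as an added example that is not part of the original article: the script reads the schema `objectVersion` from every DC (13 is Windows 2000, 30 is Windows Server 2003, 31 is 2003 R2) and the `revision` of the `Windows2003Update` markers that ADPREP writes. The DC names and the parameter names are hypothetical placeholders.

```powershell
# Added example: confirm the ADPREP changes have replicated to each DC.
# DC names are placeholders; run with an account that can read the directory.
param(
    [string[]]$DomainControllers = @('dc1.example.local', 'dc2.example.local'),
    [int]$ExpectedSchemaVersion = 30   # 13 = Windows 2000, 30 = Windows Server 2003, 31 = 2003 R2
)

function Get-LdapAttribute {
    param([string]$Server, [string]$Dn, [string]$Attribute)
    # Bind to the named DC directly so the answer reflects that replica only.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Dn")
    $value = $entry.psbase.Properties[$Attribute].Value
    if ($null -eq $value) { throw "$Attribute not readable on '$Dn' via $Server" }
    $value
}

$report = foreach ($dc in $DomainControllers) {
    $row = New-Object PSObject -Property @{
        Server = $dc; SchemaVersion = $null; ForestPrepRev = $null
        DomainPrepRev = $null; Ready = $false; Error = $null
    }
    try {
        # RootDSE gives the naming contexts as this DC sees them.
        $schemaNc = Get-LdapAttribute $dc 'RootDSE' 'schemaNamingContext'
        $configNc = Get-LdapAttribute $dc 'RootDSE' 'configurationNamingContext'
        $domainNc = Get-LdapAttribute $dc 'RootDSE' 'defaultNamingContext'

        $row.SchemaVersion = [int](Get-LdapAttribute $dc $schemaNc 'objectVersion')

        # Marker objects created when /forestprep and /domainprep complete.
        $row.ForestPrepRev = Get-LdapAttribute $dc `
            "CN=Windows2003Update,CN=ForestUpdates,$configNc" 'revision'
        $row.DomainPrepRev = Get-LdapAttribute $dc `
            "CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNc" 'revision'

        # Reached only if both markers exist on this replica.
        $row.Ready = ($row.SchemaVersion -ge $ExpectedSchemaVersion)
    } catch {
        # Unreachable DC or a marker that has not replicated yet.
        $row.Error = $_.Exception.Message
    }
    $row
}

$report | Format-Table Server, SchemaVersion, ForestPrepRev, DomainPrepRev, Ready, Error -AutoSize

# Non-zero exit code if any DC is behind, so the check can gate the next step.
if ($report | Where-Object { -not $_.Ready }) { exit 1 }
```

A DC that reports schema version 13, or an error on one of the `Windows2003Update` objects, has not yet received the ADPREP changes; wait for replication before introducing the Windows 2003 domain controller.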
And if something goes wrong?
1. If you follow the process that I described in the "Before you "run" and upgrade system to Windows 2003..." section in this article, a rollback should take no more than 30 minutes.
2. If you didn't follow the process that I describe in the "Before you "run" and upgrade system to Windows 2003..." section in this article, a rollback may take a long time, and in the worst situations may require reinstalling the Windows 2000 domain.
Please follow these short instructions:
1. Check that you are logged on as a user that has sufficient permissions to upgrade the schema and the system.
2. Check that you enabled schema changes, then rerun the ADPREP /Forestprep and ADPREP /Domainprep commands.
3. Consider using ADMT2/ADMT3 to migrate users from the Windows 2000 domain to the new Windows 2003 domain (in a new forest).
4. Follow the instructions below if you are unable to successfully run adprep /domainprep on a Windows 2000 Domain:
http://support.microsoft.com/default.aspx?scid=kb;[LN];555055
5. Consider calling Microsoft.
Post checklist:
How to Verify That SRV DNS Records Have Been Created for a Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;816587
How to Verify an Active Directory Installation in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;816106
Virus Scanning Recommendations on a Windows 2000 or on a Windows Server 2003 Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
Operations That Are Performed by the Adprep.exe Utility When You Add a Windows Server 2003 Domain Controller to a Windows 2000 Domain or Forest
http://support.microsoft.com/default.aspx?scid=kb;en-us;309628
Known issues:
KCC Error Event 1567 Occurs When You Install DNS on a Windows Server 2003-Based Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;813484
The Default Domain Controller Security Policy Icon and the Domain Security Policy Icon Do Not Work When You Upgrade to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828291
Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433
Windows 2000 and Windows Server 2003 Setup Does Not Succeed When You Upgrade from a Windows NT 4.0-Based Primary Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;811961
Cluster Service Does Not Start After You Upgrade to Windows Server 2003, Enterprise
http://support.microsoft.com/default.aspx?scid=kb;en-us;812877
A terminal server no longer runs in application mode after you upgrade the terminal server to Windows Small Business Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828056
Exchange 2000 Recipient Update Service does not replicate changes successfully in forest functional level 1 or 2 in Windows Server 2003 Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;831809
Inter-Forest Trust Appears as "External" or "Unknown"
http://support.microsoft.com/default.aspx?scid=kb;en-us;311484
"Microsoft Windows Has Detected Software That Is Not Completely Installed on Your Computer" Message When You Upgrade a Windows 2000 Server-Based Computer to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;820277
Firewall Clients Cannot Connect to the Internet After You Upgrade an ISA Server to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;816533
"ERR3:7075 Failed to change domain affiliation, hr=800706fb" error when the Active Directory Migration Tool version 2 is run in test mode
http://support.microsoft.com/default.aspx?scid=kb;EN-US;828261
Windows 2000 Enterprise CAs Not Added to Certificate Publishers Group in Windows Server 2003 Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;300532
Enterprise CA May Not Publish Certificates from Child Domain or Trusted Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;219059
"The current DC is not in the domain controller's OU" error message when you run the Dcdiag tool
http://support.microsoft.com/default.aspx?scid=kb;EN-US;833436
Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/default.aspx?kbid=817433
Problems logging on to a Windows 2000-based server or a Windows 2003-based server
http://support.microsoft.com/default.aspx?kbid=272594
The Recipient Update Service does not update objects correctly when Exchange 2000 Server is running in a Windows Server 2003 forest
http://support.microsoft.com/default.aspx?scid=kb;EN-US;873059
NDR Message appear after reply to old email after mailbox migration
http://support.microsoft.com/default.aspx?scid=kb;en-us;555197
Out of memory error messages when you try to save files
http://support.microsoft.com/?kbid=830265
You Experience Slow File Server Performance and Delays Occur When You Work With Files That Are Located on a File Server
http://support.microsoft.com/kb/822219
MORE INFORMATION
Windows Server 2003 Upgrade Paths
http://support.microsoft.com/default.aspx?kbid=810613
Windows 2003 Deployment Kit (formerly known as resource kit)
http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
What's New in Windows Server 2003 R2
http://www.microsoft.com/windowsserver2003/r2/whatsnewinr2.mspx
Common Mistakes When Upgrading Exchange 5.5/2000 To a Exchange 2003
http://support.microsoft.com/default.aspx?scid=kb;[LN];555262
.NET Enterprise Servers Online Books (no longer online at Microsoft)
http://web.archive.org/web/20041022002529/www.microsoft.com/technet/itsolutions/net/default.mspx
HOW TO: Raise Domain and Forest Functional Levels in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;322692
Exchange Migration and Upgrade Resources
http://www.microsoft.com/technet/prodtechnol/exchange/2003/migrate.mspx
Microsoft File Server Migration Toolkit
http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx
APPLIES TO
| | Microsoft Windows Server 2003, Enterprise Edition (32-bit x86) |
| | Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems |
| | Microsoft Windows Server 2003, Datacenter Edition (32-bit x86) |
| | Microsoft Windows Server 2003, Standard Edition (32-bit x86) |
| | Microsoft Windows Server 2003, Web Edition |
| | Microsoft Small Business Server 2000 Standard Edition |