Hotfixes to install before you run adprep /Forestprep on a Windows 2000 domain controller to prepare the Forest and domains for the addition of Windows Server 2003-based domain controllers (331161)
The information in this article applies to:
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
This article was previously published under Q331161.

SUMMARY

Before you run the adprep /forestprep command, Microsoft recommends that you install certain hotfixes and service packs on any Microsoft Windows 2000-based domain controllers. The hotfixes and service packs are listed in this article.

MORE INFORMATION

The Adprep.exe utility is located in the I386 folder of your Windows Server 2003 installation media. The Adprep.exe utility prepares a Windows 2000 forest and its domains for the addition of Windows Server 2003 domain controllers. The Adprep.exe utility operations include the addition of:
- Improved default security descriptors for object classes.
- Changes in group memberships.
- New directory objects that programs require.
The goal of the Windows Server 2003 Forest Upgrade and Windows Server 2003 Domain Upgrade utility is to add schema changes and permission objects in Active Directory so that they are secure and interoperate with newly-installed Windows Server 2003 domain controllers. Windows 2000 domain controllers that replicate in changes from the adprep /forestprep command are vulnerable to the following three issues.

Vulnerability: Schema Additions Delete Columns from the Database and Domain Controllers Cannot Be Started

- Issue: A rare but fatal timing problem during large schema updates such as Adprep.exe can cause the bulk deletion of critical objects from Active Directory on Windows 2000 domain controllers. Affected domain controllers cannot start. These domain controllers must be restored or reinstalled.
- For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  303077 SP 2 Hotfixes recommended before making schema changes in Active Directory forests
- Threat: The installation of a hotfix or service pack that avoids this vulnerability is mandatory for all Windows 2000 domain controllers in the forest before you run the adprep /forestprep command. Do not put domain controllers, the domain, or the forest at risk by running the adprep /forestprep command without having the appropriate fixes installed on every domain controller in the forest.
- Preventative fix:
  - Service Pack: Windows 2000 Service Pack 2 (SP2) or later
  - Hotfix in article 303077
  - File version information: Versions of the Ntdsa.dll file whose version and date stamp are equal to or greater than the following:
    Version        Date
    -------------  -----------
    5.0.2195.2864  Feb-05-2001
Vulnerability: Inefficient Replication of Schema Changes Consumes Network Bandwidth

- Issue: There is a performance problem. The introduction of schema changes is not replicated efficiently between domain controllers in the forest. This problem causes the consumption of additional network bandwidth.
- For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  300642 Schema modification results in schema mismatch Event 1203 message
- Threat: Install the appropriate service pack or hotfix that prevents this problem if you have more than 10 domain controllers in the forest or cannot tolerate the use of additional network bandwidth across network links that connect domain controllers in the forest. This fix is optional for forests with a small number of domain controllers that are connected by high-speed links.
- Preventative fix:
  - Service Pack: Windows 2000 Service Pack 3 (SP3) or later
  - Hotfix in article 300642
  - File version information: Versions of the Ntdsa.dll file whose version and date stamp are equal to or greater than the following:
    Version        Date
    -------------  -----------
    5.0.2195.3673  Jun-04-2001
Vulnerability: Active Directory Replication Is Delayed During the Index-Rebuilding Process

- Issue: Active Directory replication is delayed as new attributes that are added by the adprep /forestprep command are indexed and the schema cache is updated. The delay is a function of the number of indexed attributes that are being added to Active Directory and the size of the Active Directory database. You can estimate the replication delay with the following formula:

  (number of indexed attributes * database size in GB) / 50 = replication delay in hours

  For example, the adprep /forestprep command adds five new indexed attributes, so a domain controller with a 15-GB database will have a 1.5-hour replication delay.
- For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  307219 Replication stops after Active Directory schema update
- Threat: Install this fix if:
  - It takes less time to install the preventative hotfix or service pack than to wait for the reindexing operation to complete.
  - Active Directory replication delays cannot be tolerated in your environment.
  You can skip this step for domain controllers with a small number of objects.
- Preventative fix:
  - Service Pack: Windows 2000 SP3 or later
  - Hotfix in article 307219
  - File version information: Versions of the Ntdsa.dll file whose version and date stamp are equal to or greater than the following:
    Version        Date
    -------------  -----------
    5.0.2195.4464  Oct-09-2001
Guiding Principles

- There are individual hotfixes that mitigate all three vulnerabilities on domain controllers that are running Windows 2000 Service Pack 1 (SP1) or later. Therefore, do not deploy a service pack in your forest solely to use the adprep /forestprep command.
- Supplement the existing service pack revision that is installed on domain controllers in your forest with a newer Ntdsa.dll hotfix that prevents the schema-deletion issue or the two performance problems that apply to your forest.
- On domain controllers with Windows 2000 SP1 installed, you must install a version of the Ntdsa.dll file that prevents the schema-delete vulnerability. To do this, do one of the following:
  - Install an appropriate Ntdsa.dll hotfix. For best results, install a recent, well-tested Ntdsa.dll file that resolves the schema-delete and the two performance vulnerabilities. The following is an example of such a hotfix:
    321933 Services are not listed in the Security Configuration and Analysis snap-in
  - Install Windows 2000 SP2 or later.
- Domain controllers with Windows 2000 SP2 installed are not vulnerable to the schema-delete problem. If you have a small number of domain controllers or objects in Active Directory, no additional fixes are required. Administrators with either a large number of domain controllers or large databases can do one of the following:
  - Install an appropriate Ntdsa.dll hotfix. For best results, install a recent, well-tested Ntdsa.dll hotfix that resolves the two performance vulnerabilities. The following is an example of such a hotfix:
    321933 Services are not listed in the Security Configuration and Analysis snap-in
  - Install Windows 2000 SP3 or later.
- Domain controllers with Windows 2000 SP3 installed are protected from the schema deletion and both performance vulnerabilities.
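An added pre-flight check, not part of the original article or of Adprep.exe, that applies the article's three Ntdsa.dll version thresholds and service-pack rules from the Guiding Principles, plus the replication-delay formula from the third vulnerability, to a constructed inventory of domain controllers (the DC names, SP levels and file versions are hypothetical). It reports which fix each DC still lacks and which DCs must be fixed before adprep /forestprep may run.

```python
"""Pre-flight assessment for adprep /forestprep, using the three Ntdsa.dll
thresholds and the replication-delay formula from KB 331161."""
from typing import Dict, List, Tuple

# Minimum Ntdsa.dll version from the article for each issue, and the first
# service pack the article says already covers it (SP2: schema delete; SP3: all).
THRESHOLDS = [
    ("schema-delete (KB 303077)",         (5, 0, 2195, 2864), 2),
    ("replication-bandwidth (KB 300642)", (5, 0, 2195, 3673), 3),
    ("index-rebuild delay (KB 307219)",   (5, 0, 2195, 4464), 3),
]

def parse_version(text: str) -> Tuple[int, ...]:
    """'5.0.2195.2864' -> (5, 0, 2195, 2864). Compare as ints, not strings:
    as strings '5.0.2195.10000' would wrongly sort below '5.0.2195.2864'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Ntdsa.dll version string: {text!r}")
    return tuple(int(p) for p in parts)

def missing_fixes(ntdsa_version: str, service_pack: int) -> List[str]:
    """Issues a DC is still exposed to: neither its Ntdsa.dll nor its SP covers them."""
    ver = parse_version(ntdsa_version)
    return [name for name, minimum, sp in THRESHOLDS
            if ver < minimum and service_pack < sp]

def blocking_dcs(inventory: Dict[str, Tuple[str, int]]) -> List[str]:
    """DCs still exposed to the schema-delete issue. The article makes that fix
    mandatory on every DC, so forestprep must wait until this list is empty."""
    return sorted(dc for dc, (ver, sp) in inventory.items()
                  if any(f.startswith("schema-delete") for f in missing_fixes(ver, sp)))

def replication_delay_hours(indexed_attributes: int, db_size_gb: float) -> float:
    """Article's estimate: (indexed attributes * database size in GB) / 50 = hours."""
    return indexed_attributes * db_size_gb / 50

# Constructed inventory (hypothetical DC names, SP levels and file versions):
# name -> (Ntdsa.dll version from the file's properties, installed SP level).
SAMPLE_INVENTORY = {
    "DC1": ("5.0.2195.2778", 1),   # SP1, old Ntdsa.dll: exposed to all three issues
    "DC2": ("5.0.2195.3000", 2),   # SP2: safe from schema delete, both perf issues open
    "DC3": ("5.0.2195.4464", 2),   # SP2 plus KB 307219-level Ntdsa.dll: all covered
    "DC4": ("5.0.2195.6000", 3),   # SP3: all covered
}

if __name__ == "__main__":
    for dc, (ver, sp) in SAMPLE_INVENTORY.items():
        print(dc, f"SP{sp}", ver, "missing:", missing_fixes(ver, sp) or "none")
    print("forestprep blocked by:", blocking_dcs(SAMPLE_INVENTORY) or "nothing")
    print("estimated delay, 5 attributes, 15 GB:", replication_delay_hours(5, 15), "h")
```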
Windows 2000 SP3 Advantages and Issues

Windows 2000 domain controllers must have Windows 2000 SP2 for the Active Directory Installation Wizard (Dcpromo.exe) to source Active Directory from Windows Server 2003 domain controllers that are hosting application partitions. If your environment is already running Windows 2000 SP2, keep that version and do not change it. If you are standardized on Windows 2000 SP1 and anticipate the addition of a Windows 2000 domain controller to a forest that contains Windows 2000 and Windows Server 2003 domain controllers, evaluate and consider deploying Windows 2000 SP3. When Windows 2000 domain controllers have SP3 installed, it is easier to remotely administer Windows 2000 domain controllers from computers that are running Microsoft Windows XP Professional or Windows Server 2003 by using the Windows Server 2003 ADMINPAK. For more information about the LDAP signing requirements when Active Directory administration tools that run on Windows XP Professional or Windows Server 2003 computers are focused on Windows 2000 computers, see the following article:
325465 Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools

Consider adding the following post-SP3 hotfixes on domain controllers that are running Windows 2000 SP3. To do this, do one of the following:
- Manually add relevant fixes to each domain controller.
- Slipstream all or selected hotfixes into your Windows 2000 SP3 installation media or share point.
- Slipstream all or selected hotfixes into your installation media or installation share point that contains the Windows 2000 base operating system plus Windows 2000 SP3. If you do this, newly-installed domain controllers avoid known issues.

These fixes are particularly important to Windows 2000 SP3 computers that are running the Terminal and DNS services.
328020 Redirected printing through a Terminal Services session may not work with Windows 2000 SP3
328894 First character of each line is missing when you print with the generic printer driver
324906 Cannot start an Office program after you install Service Pack 3 (SP3) for Windows 2000
329170 MS02-070: Flaw in SMB signing may permit Group Policy to be modified
321733 "Delayed Write Failed" error message when you write a file to a server
326798 Some Windows 2000 SMB redirector hotfixes may cause a conflict with SP3 for Windows 2000
329405 DNS name resolution does not work for users who are not administrators
304653 The serial number is decremented in DNS when you reboot the computer
Modification Type: Major
Last Reviewed: 11/11/2004
Keywords: kbinfo KB331161