Inventory clients that access resources in the domain hosting Windows Server 2003 domain controllers to determine whether they are compatible with SMB signing:
Every Windows Server 2003 domain controller has SMB signing enabled in its local security policy. Ensure that all network clients that use the SMB/CIFS protocol to access shared files and printers in a domain hosting a Windows Server 2003 domain controller can be configured or upgraded to support SMB signing. If a client cannot be configured or upgraded, temporarily disable SMB signing until the update can be installed or the client can be upgraded to an operating system that supports SMB signing. For information about how to disable SMB signing, see the section "Disable SMB signing" at the end of this step.
Action plan
The following list shows the action plan for common SMB clients.
Disable SMB signing
If the software update cannot be installed on affected clients running Windows 95 or Windows NT 4.0, or on other clients that were installed before the introduction of Windows Server 2003, temporarily disable the SMB service signing requirement in Group Policy until the updated client software can be deployed.
SMB service signing can be disabled at the following node of the Default Domain Controllers Policy linked to the Domain Controllers organizational unit:
Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options \ Microsoft network server: Digitally sign communications (always)
If the domain controllers do not reside in the Domain Controllers organizational unit, the Default Domain Controllers Group Policy Object (GPO) must be linked to every organizational unit that hosts Windows 2000 or Windows Server 2003 domain controllers. Alternatively, SMB service signing can be configured in GPOs linked to those organizational units.
Microsoft Windows Server 2003, Microsoft Windows XP Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional, and Microsoft Windows 98
No action is required.
Microsoft Windows NT 4.0
All Windows NT 4.0-based computers that access a domain containing Windows Server 2003-based computers must have Service Pack 3 or later installed (Service Pack 6A is recommended). Alternatively, temporarily disable SMB signing on the Windows Server 2003 domain controller. For information about how to disable SMB signing, see the section "Disable SMB signing" at the end of this step.
Microsoft Windows 95
Install the Windows 9x Directory Service Client on Windows 95-based computers, or temporarily disable SMB signing on the Windows Server 2003 domain controller. The original Win9x Directory Service Client was provided on the Windows 2000 Server CD, but that client-side add-in has been superseded by an improved Win9x Directory Service Client. For information about how to disable SMB signing, see the section "Disable SMB signing" at the end of this step.
Microsoft MS-DOS network client and Microsoft LAN Manager client
The Microsoft MS-DOS network client and the Microsoft LAN Manager 2.x network client can be used to access network resources. They are also used together with bootable floppy disks to copy operating system files and other files from a shared directory on a file server as part of a software installation routine. These clients do not support SMB signing. Use another installation method or disable SMB signing. For information about how to disable SMB signing, see the section "Disable SMB signing" at the end of this step.
Macintosh clients
Some Macintosh clients are incompatible with SMB signing and receive the following error message when they try to connect to network resources:
Error -36 I/O
Install updated software if it is available. Otherwise, disable SMB signing on the Windows Server 2003 domain controller. For information about how to disable SMB signing, see the section "Disable SMB signing" at the end of this step.
Other third-party SMB clients
Some third-party SMB clients do not support SMB signing. Check with your SMB client vendor for an updated version. Otherwise, disable SMB signing on the Windows Server 2003 domain controller.
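As an added check (not part of the original article), the following PowerShell function reads the SMB server signing state that Group Policy writes to the LanmanServer registry values, so that during the client inventory you can list every domain controller on which signing is not required as a temporary exception and confirm it is required again once clients are updated. The function name is my own; it assumes PowerShell with the ActiveDirectory module and that the Remote Registry service is reachable on each domain controller.

```powershell
# Added example (not from the original article): report the effective SMB
# server signing state on one or more domain controllers.
# Group Policy writes "Microsoft network server: Digitally sign communications
# (always)" to RequireSecuritySignature and "... (if client agrees)" to
# EnableSecuritySignature under the LanmanServer Parameters key.
function Get-SmbServerSigningState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $path = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Remote Registry must be running on the target for remote queries.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey($path)
        if (-not $key) { throw "LanmanServer Parameters key not found on $ComputerName" }
        # Absent values are reported as -1 (not configured) rather than guessed.
        $require = [int]$key.GetValue('RequireSecuritySignature', -1)
        $enable  = [int]$key.GetValue('EnableSecuritySignature', -1)
        $key.Close()
    } finally { $hive.Close() }

    $mode = if ($require -eq 1) { 'Required' }
            elseif ($enable -eq 1) { 'EnabledIfClientAgrees' }
            else { 'DisabledOrNotConfigured' }

    # Any domain controller that does not require signing is a temporary
    # exception that needs an owner and an end date; flag it so the
    # exception is reverted once the affected clients are updated.
    $finding = if ($mode -eq 'Required') { $null }
               else { 'SMB signing not required; verify this exception is still needed' }

    [pscustomobject]@{
        ComputerName             = $ComputerName
        RequireSecuritySignature = $require
        EnableSecuritySignature  = $enable
        Mode                     = $mode
        Finding                  = $finding
    }
}

# Inventory every domain controller in the current domain (ActiveDirectory module).
Get-ADDomainController -Filter * |
    ForEach-Object { Get-SmbServerSigningState -ComputerName $_.HostName } |
    Format-Table ComputerName, Mode, Finding -AutoSize
```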
Inventory domain controllers in the domain and forest:
Note: Domain controller attributes do not track the installation of each patch separately.
Verify end-to-end Active Directory replication throughout the forest.
Verify that each domain controller in the forest being upgraded consistently performs inbound replication of every naming context it holds from its partners, according to the schedule defined by the site link or connection object. Use the Windows Server 2003 version of Repadmin.exe on a Windows XP- or Windows Server 2003-based member computer in the forest with the following parameters:
REPADMIN /replsum /bysrc /bydest /sort:delta
The output lists each source and destination domain controller with the columns largest delta, fails/total %%, and error (for example, error 8524, "The DSA operation is unable to proceed").
All domain controllers in the forest must replicate Active Directory successfully, and the value in the largest delta column of the repadmin output should not be significantly greater than the replication frequency on the corresponding site link or connection object that a given destination domain controller uses.
Resolve all replication errors on domain controllers whose inbound replication has not succeeded within tombstone lifetime (TSL), which defaults to 60 days. If replication cannot be restored, you may need to forcibly demote the domain controller, use the Ntdsutil metadata cleanup command to remove it from the forest, and then promote it back into the forest. Forced demotion can be used to preserve the operating system installation and programs on orphaned domain controllers. For more information about how to remove orphaned Windows 2000 domain controllers from a domain, click the following article number to view the article in the Microsoft Knowledge Base:
216498 How to remove data in Active Directory after an unsuccessful domain controller demotion
Take this action only as a last resort, to preserve the operating system installation and installed programs. You will lose any objects and attributes that were not replicated from the orphaned domain controller, including users, computers, trust relationships, passwords, groups, and group memberships.
Use caution when you try to resolve replication errors on domain controllers whose inbound changes for a given Active Directory partition have not replicated for several days. Doing so can reanimate objects that were deleted on other domain controllers but whose deletion this domain controller, as a direct or transitive replication partner, never received within the 60-day tombstone lifetime.
Consider removing all lingering objects that reside on domain controllers that have not performed inbound replication in the past 60 days. Alternatively, forcibly demote any domain controller that has not performed inbound replication of a given partition within tombstone lifetime, and use Ntdsutil and other utilities to remove its remaining metadata from the Active Directory forest. Contact your support provider or Microsoft PSS for further assistance.
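The two checks above (largest delta against the site link schedule, and against tombstone lifetime) can be scripted over the repadmin output. The following PowerShell is an added example, not part of the original article; the function names are mine, the sample rows are constructed to resemble the page's output, and the 3-hour default stands in for the replication interval of your own site links.

```powershell
# Added example (not from the original article): parse the per-DC rows of
# REPADMIN /replsum /bysrc /bydest /sort:delta and flag stale partners.
function ConvertFrom-ReplDelta {
    param([string]$Text)
    # repadmin prints 13d.21h:10m:10s, 04h:11m:07s or 10m:10s; ">60 days"
    # and "(unknown)" mean no recent successful replication was recorded.
    if ($Text -match '^>(\d+) days$') { return New-TimeSpan -Days ([int]$matches[1]) }
    if ($Text -match '^(?:(\d+)d\.)?(?:(\d+)h:)?(\d+)m:(\d+)s$') {
        # Groups that did not participate are absent from $matches and cast to 0.
        return New-TimeSpan -Days ([int]$matches[1]) -Hours ([int]$matches[2]) `
                            -Minutes ([int]$matches[3]) -Seconds ([int]$matches[4])
    }
    return $null
}

function Find-StaleReplicationPartners {
    param(
        [string[]]$Lines,
        [timespan]$ScheduleInterval = (New-TimeSpan -Hours 3),   # assumed site link interval
        [int]$TombstoneLifetimeDays = 60                          # TSL default from the article
    )
    $tsl = New-TimeSpan -Days $TombstoneLifetimeDays
    foreach ($line in $Lines) {
        # Row shape: <DSA> <largest delta> <fails> / <total> <percent> [<error>]
        if (-not ($line -match '^\s*(\S+)\s+(>\d+ days|\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$')) { continue }
        $m = $matches
        $delta = ConvertFrom-ReplDelta $m[2]
        $finding = if ($null -eq $delta) { 'No successful replication recorded' }
                   elseif ($delta -gt $tsl) { 'Beyond tombstone lifetime: metadata cleanup (KB 216498) may be needed' }
                   elseif ($delta.Ticks -gt 2 * $ScheduleInterval.Ticks) { 'Largest delta exceeds the replication schedule' }
                   else { 'OK' }
        [pscustomobject]@{
            DSA = $m[1]; LargestDelta = $m[2]; Fails = [int]$m[3]
            Total = [int]$m[4]; Error = $m[6]; Finding = $finding
        }
    }
}

# Constructed sample rows modelled on the page's output (not real repadmin output).
$sample = @'
Source DSA          largest delta    fails/total %%   error
 NA-DC-01         13d.21h:10m:10s    97 / 14367    0
 NA-DC-02          3d.04h:11m:07s   180 / 76323    0  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
 NA-DC-03               10m:10s       0 /    51    0
 EU-DC-01              >60 days     120 /   120  100  (1722) The RPC server is unavailable.
'@ -split "`r?`n"
Find-StaleReplicationPartners -Lines $sample | Format-Table -AutoSize
```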
Verify that the contents of the Sysvol share are consistent.
Verify that the file system portion of Group Policy is consistent. Use Gpotool.exe from the Resource Kit to determine whether there are policy inconsistencies across the domain. Use Healthcheck from the Windows Server 2003 Support Tools to determine whether the Sysvol replica set works properly in each domain.
If the contents of the Sysvol share are inconsistent, resolve all the inconsistencies.
Use Dcdiag.exe from the Support Tools to verify that all domain controllers share Netlogon and Sysvol. To do this, type the following command at a command prompt:
DCDIAG.EXE /e /test:frssysvol
Inventory operations master roles
The schema and infrastructure operations masters are used to introduce the forest-wide and domain-wide schema changes that the Windows Server 2003 adprep utility makes to the forest and its domains. Verify that the domain controllers that host the schema role and the infrastructure role of each domain in the forest are live, and that each role owner has performed inbound replication of all partitions since it last restarted.
The DCDIAG /test:FSMOCHECK command can be used to view forest-wide and domain-wide operations master roles. Operations master roles that reside on nonexistent domain controllers should be seized by healthy domain controllers by using NTDSUTIL. Roles that reside on unhealthy domain controllers should be transferred if possible; otherwise, seize them. The NETDOM QUERY FSMO command does not identify FSMO roles that reside on deleted domain controllers.
Verify that the schema master and each infrastructure master have performed inbound replication of Active Directory since they last started. You can use the REPADMIN /SHOWREPS DCNAME command to verify inbound replication, where DCNAME is the NetBIOS computer name or the fully qualified computer name of the domain controller. For more information about operations masters and their placement, click the following article numbers to view the articles in the Microsoft Knowledge Base:
197132 Windows 2000 Active Directory FSMO roles
223346 FSMO placement and optimization on Active Directory domain controllers
Event log review
Check the event logs on all domain controllers for problematic events. The event logs must not contain critical event messages that indicate problems with any of the following processes and components:
The free space on the volume that hosts the Active Directory database file, Ntds.dit, must be at least 15-20% of the size of Ntds.dit, and the free space on the volume that hosts the Active Directory log files must also be at least 15-20% of the size of Ntds.dit. For more information about how to free up disk space, see the "Domain controllers with insufficient disk space" section of this article.
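As an added example (not from the original article), this PowerShell function, run on the domain controller, reads the Ntds.dit and log file locations from the NTDS Parameters registry key and checks the 15-20% free-space rule above against the actual volumes. The function name is mine, and the 20% default uses the upper end of the stated range.

```powershell
# Added example (not from the original article): run on a domain controller to
# check that the volumes holding Ntds.dit and the Active Directory log files
# each have free space of at least 20% of the Ntds.dit size.
function Test-NtdsFreeSpace {
    param([double]$MinimumFraction = 0.20)

    # NTDS records the database and log locations in these registry values.
    $ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath = $ntds.'DSA Database file'         # e.g. C:\Windows\NTDS\ntds.dit
    $logDir  = $ntds.'Database log files path'   # directory containing edb*.log
    $ditSize = (Get-Item -LiteralPath $ditPath).Length
    $needed  = [long][math]::Ceiling($ditSize * $MinimumFraction)

    $targets = @(
        @{ Role = 'Database'; Path = $ditPath },
        @{ Role = 'Logs';     Path = $logDir }
    )
    foreach ($t in $targets) {
        $drive = (Split-Path -Qualifier $t.Path).TrimEnd(':')   # "C:" -> "C"
        $free  = (Get-PSDrive -Name $drive -PSProvider FileSystem).Free
        [pscustomobject]@{
            Role           = $t.Role
            Volume         = "${drive}:"
            NtdsDitMB      = [math]::Round($ditSize / 1MB, 1)
            RequiredFreeMB = [math]::Round($needed / 1MB, 1)
            FreeMB         = [math]::Round($free / 1MB, 1)
            # False means offline defragmentation and the upgrade may run out
            # of space on this volume; free space before continuing.
            Ok             = ($free -ge $needed)
        }
    }
}

Test-NtdsFreeSpace | Format-Table -AutoSize
```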
DNS scavenging (optional)
Enable DNS scavenging with a 7-day interval on all DNS servers in the forest. For best results, do this 61 days or more before the operating system upgrade, so that the DNS scavenging process has enough time to garbage-collect aged DNS objects before the Ntds.dit file is offline defragmented.
Disable the DLT Server service (optional)
The DLT Server service is disabled on new installations and upgrade installations of Windows Server 2003 domain controllers. If you do not use distributed link tracking, you can disable the DLT Server service on Windows 2000 domain controllers and start deleting DLT objects from every domain in the forest. For more information, see the "Microsoft's recommendations for Distributed Link Tracking" section of the following Microsoft Knowledge Base article: