2003 CA in 2000 Domain

James

We are planning on moving our CA server to Windows 2003. We currently have
a Windows 2000 based domain.
I have gone ahead and done this in a test environment, and am getting a
bunch of error messages in event viewer on the new 2003 CA.

My understanding is that I need to run adprep, and forest prep on our 2000
domain controller, to bring it up to the 2003 level. Is this correct? Will
this harm anything, if we don't actually upgrade our domain controllers to
windows 2003?
 
James

Yeah, thanks I have reviewed that. That is the method I used, but am now
getting error messages from certificate services. I am thinking it's because
my domain is running at the 2000 level and the Certificate authority is
2003. Will running adprep solve this issue?
 
Meinolf Weber

Hello James,

Please post the complete errors from the event viewer.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Meinolf Weber

Hello James,

Before you implement - Windows 2003 CA, Windows 2003 Cluster, Exchange 2003
configure at least one DC as Windows 2003 DC and GC and configure Windows
2003 CA, Windows 2003 Cluster, Exchange 2003 to use this server as default
logon server.

From:
http://support.microsoft.com/kb/555040

Best regards

Meinolf Weber
 
Jorge de Almeida Pinto [MVP - DS]

to introduce a w2k3 CA in a w2k AD domain, you need to extend the AD schema.

you need to at least execute ADPREP /FORESTPREP
DOMAINPREP is not required for W2K3 CAs, only Forestprep

However, because you are upgrading your AD from schema version to schema
version 30 or 31 (R2) you may need to pay some attention to, amongst others,
mangled attributes if you have Exchange 2000. Have a look at the following
post for more info:
http://blogs.dirteam.com/blogs/jorg...E2K-to-W2K3-_2800_R2_29002F00_E2K3_3F00_.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Paul Bergson [MVP-DS]

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

James said:
Yeah, thanks I have reviewed that. That is the method I used, but am now
getting error messages from certificate services. I am thinking it's
because my domain is running at the 2000 level and the Certificate
authority is 2003. Will running adprep solve this issue?

As far as I know you can't run 2003 certificate services in a 2000 domain or
on a Windows 2000 server.

This should have been posted in the security Newsgroup and I have included
them in on this response. The PKI experts are in this NewsGroup.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com
 
James

Thanks, so it's safe to run the forestprep from the Windows 2003 R2 Disk in
our Windows 2000 domain? We are running Exchange 2003, and will be moving
our CA to a Windows 2003 Server.
We won't be upgrading our DC to Windows 2003 any time soon. So we should
be OK doing this then?
 
Brian Komar (MVP)

You can run a Windows Server 2003 PKI in a Windows 2000 domain, as long as
the Schema is updated to the Windows Server 2003 schema (to add the v2
certificate template object and attributes).
We deployed this at several customers circa 2003.
Brian
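
A read-only way to confirm the schema extension discussed in this thread before installing the CA, as an added example that is not from any of the posters. The function names are hypothetical, and `msPKI-Template-Schema-Version` is assumed here as a representative v2 certificate template attribute.

```powershell
# Added example (not from the thread): read-only check of the forest schema.
# Run on a domain-joined machine as any authenticated domain user.

function Get-ForestSchemaState {
    # RootDSE publishes the distinguished name of the schema naming context.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value

    # objectVersion on the schema container holds the schema version number.
    $schema  = [ADSI]"LDAP://$schemaNc"
    $version = [int]$schema.Properties['objectVersion'].Value

    # Look for one attribute used by v2 certificate templates (assumed here to
    # be representative of the template-related schema additions).
    $filter   = '(&(objectClass=attributeSchema)(lDAPDisplayName=msPKI-Template-Schema-Version))'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema, $filter)
    $searcher.SearchScope = 'OneLevel'
    $hasV2Attr = $null -ne $searcher.FindOne()

    [pscustomobject]@{
        SchemaNamingContext = $schemaNc
        SchemaVersion       = $version
        V2TemplateAttribute = $hasV2Attr
    }
}

function Test-CaSchemaReady {
    param(
        [Parameter(Mandatory)] [int]  $SchemaVersion,
        [Parameter(Mandatory)] [bool] $V2TemplateAttribute
    )
    # 30 and 31 (R2) are the versions named in the thread for the 2003 schema.
    ($SchemaVersion -ge 30) -and $V2TemplateAttribute
}

$state = Get-ForestSchemaState
$ready = Test-CaSchemaReady -SchemaVersion $state.SchemaVersion -V2TemplateAttribute $state.V2TemplateAttribute
$state | Format-List
if ($ready) { 'Schema is extended: forestprep has been applied.' }
else        { 'Schema is not extended: run ADPREP /FORESTPREP before installing the 2003 CA.' }
```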
 
Jorge de Almeida Pinto [MVP - DS]

have a look at the post on my blog and pay special attention to the info
that concerns upgrading the AD schema

------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
 
Paul Bergson [MVP-DS]

Thanks Brian, I knew it best to be posted in the security Newsgroup

 
