********************************************************************
Windows Upgrade Compatibility
********************************************************************

The Windows 2000 Active Directory forest and domain need to be prepared for Windows .NET
======================================================================

Setup has detected that the Active Directory forest and domain need to be prepared for Windows .NET Server 2003.

Description:
- The forest and domains are prepared by using the adprep command on the schema operations master and infrastructure operations master, respectively.
- This domain controller is the schema operations master.
- To prepare the Active Directory forest and domains, perform the following procedures in the order provided.

To prepare an Active Directory forest for Windows .NET Server 2003:
1. To exit Setup, click Next, click Finish, and then click Exit.
2. At a command prompt, change to the \I386 directory on the installation media and then type:
   adprep /forestprep
   When prompted, type "C", and then press ENTER to begin forest preparation, or type any other key, and then press ENTER to cancel.
3. After the forest preparation data has replicated throughout the forest, prepare the domains for Windows .NET Server 2003 as described below. The domain preparation operation must be performed on the infrastructure operations master of each domain in the forest.

To prepare an Active Directory domain for Windows .NET Server 2003:
1. On the domain controller holding the infrastructure operations master role, insert or connect to the installation media.
2. If the splash screen opens, click Exit.
3. At a command prompt, change to the \I386 directory on the installation media, and then type:
   adprep /domainprep
   If the command is run on a domain controller other than the current operations master, the name of the current operations master is displayed. In this case, repeat steps 1 through 3 on the current operations master.
4. After the domain preparation data has replicated throughout the domain, upgrade the domain controller by running Windows .NET Server 2003 Setup (I386\winnt32.exe on the installation media).
Notes:
- You cannot upgrade domain controllers in a forest without first preparing the forest and domains by using adprep on the schema and infrastructure operations masters, respectively.
- Depending on the replication schedule for your organization, the time it takes to propagate preparation data will vary.

IIS World Wide Web Publishing Service (W3SVC) will be disabled during upgrade
=============================================================================

IIS World Wide Web Publishing Service (WWW service) Is Disabled During Upgrade

To protect your server from attacks by malicious users, the World Wide Web Publishing Service (WWW service) will be disabled during upgrade.

Microsoft® Windows® 2000 Server installs Internet Information Services (IIS) by default, and requires administrators to secure IIS to prevent attacks. The IIS Lockdown Wizard has not been run on this Windows 2000 server. If you do not want to allow the WWW service to be disabled, you must download and run the IIS Lockdown Wizard, or add the override registry key. Otherwise, you may continue with the upgrade and re-enable the WWW service after the upgrade has completed.

Important: If you use the World Wide Web Publishing Service (WWW service), we strongly recommend that you run the IIS Lockdown Wizard before upgrading to a product in the Windows .NET Server 2003 family. The IIS Lockdown Wizard will help secure your computer by disabling or removing unnecessary features that are present in your Windows 2000 Server installation. These features would otherwise have remained on your machine after upgrading, leaving your server vulnerable to attacks. Using the IIS Lockdown Wizard instead of using the override registry key or re-enabling the WWW service after installation allows you to fine-tune the level of security to your particular needs.

When upgrading to a member of the Windows .NET Server 2003 family, the WWW service will NOT be disabled if any of the following conditions are present:
- You have already run the IIS Lockdown Wizard on your Windows 2000 server before starting the upgrade process. The IIS Lockdown Wizard reduces the attack surface by disabling unnecessary features, and it allows you to decide which features to enable for your site. The IIS Lockdown Wizard is available at IIS Lockdown Tool (http://go.microsoft.com/fwlink/?LinkId=8599).
- The registry key RetainW3SVCStatus has been added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC. Under RetainW3SVCStatus you can add any value and then assign a DWORD value to it. For example, you can create the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\RetainW3SVCStatus\do_not_disable with the DWORD value of 1.
- In the unattended install case, an entry "DisableWebServiceOnUpgrade = false" exists in the unattended install script.

After the upgrade is completed, you can enable the WWW service using either IIS Manager or the Services snap-in.

To start the World Wide Web Publishing Service after upgrade

In IIS Manager:
1. From the Start menu, point to Administrative Tools, and click Internet Information Services (IIS) Manager.
2. Expand the local computer, and then expand the Web Sites folder.
3. Right-click the Web site you want to start, and click Start.
4. Click Yes to enable the WWW service and start the Web site.

In the Services snap-in:
1. Click Start, point to Administrative Tools, and click Services.
2. In the list of services, right-click World Wide Web Publishing Service, and then click Properties.
3. On the General tab, in the Startup type list, click Automatic, and then click OK.
4. In the list of services, right-click World Wide Web Publishing Service, and then click Start.

Windows 2000 Administration Tools
=================================

Setup has detected Windows 2000 Administration Tools on your computer. Windows 2000 Administration Tools are incompatible with Windows .NET Server 2003 family operating systems.

Do one of the following:
*) Cancel this upgrade, uninstall Windows 2000 Administration Tools, and then restart the upgrade.
*) Complete this upgrade, and then install Windows .NET 2003 Administration Tools Pack by running the adminpak.msi Windows Installer package file. Adminpak.msi is located in the \i386 directory of your Windows .NET Server 2003 compact disc.

For more information about Windows .NET 2003 Administration Tools Pack installation requirements, see Microsoft Knowledge Base article Q304718 or visit http://www.microsoft.com

To remotely administer Server Services and Applications from a computer running Windows XP Professional or Windows .NET Server 2003, use Remote Desktop.

For a list of software supported by the Windows .NET Server 2003 family operating systems or Windows XP, see the list of compatible software on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=9946.

Fax Services
============

This version of Windows Fax will be installed as part of this upgrade, since an existing operating system Fax component is currently installed on this computer.
If you do not plan to use Fax, then for best security practice it is recommended that you uninstall it after the upgrade. You can remove the Fax component using Add or Remove Programs, Add\Remove Windows Components in the Control Panel.

For a list of software supported by this version of Windows, see the Microsoft Windows Compatibility List at http://go.microsoft.com/fwlink/?LinkId=9946.

Windows 95 and Windows NT 4.0 interoperability issues (Read Details!)
=====================================================================

Windows 95 and Windows NT 4.0 interoperability issues.

SUMMARY

Windows .NET Server 2003 Domain Controllers implement default security settings that help prevent Domain Controller communications from being hijacked or otherwise tampered with. Certain downlevel machines are not capable of meeting these security requirements and thus cannot communicate with .NET Domain Controllers without administrative intervention. Affected machines include Windows for Workgroups, Windows 95 machines that do not have the DS client pack installed, and Windows NT 4.0 machines prior to Service Pack 4.

SMB SIGNING

By default, Windows .NET Server 2003 Domain Controllers require that all clients digitally sign SMB-based communications. The SMB protocol is used to provide file sharing, print sharing, various remote administration functions, and logon authentication for some downlevel clients. Windows for Workgroups, Windows 95 machines without the DS Client Pack, and Windows NT 4.0 machines prior to Service Pack 3 are not capable of performing SMB signing and therefore cannot connect to .NET Domain Controllers by default.

If such clients cannot be upgraded to a current operating system or upgraded to meet the minimum requirements described above, then the SMB signing requirement can be removed by disabling the following security policy in the Default Domain Controller GPO on the domain controllers OU:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always)

Detailed instructions on how to modify this setting are provided below.

Warning: Disabling this security setting exposes all of your Domain Controller communications to "man in the middle" types of attacks. Therefore it is highly recommended that you upgrade your clients rather than disabling this security setting.

The DS Client Pack, necessary for Windows 95 clients to perform SMB signing, can be obtained from the \clients\win9x sub-directory of the Windows 2000 Server CD.
SECURE CHANNEL SIGNING

By default, Windows .NET Server 2003 Domain Controllers require that all secure channel communications be either signed or encrypted. Secure channels are used by Windows NT-based machines for communications between domain members and domain controllers as well as between domain controllers that have a trust relationship. Windows NT 4.0 machines prior to Service Pack 4 are not capable of signing or encrypting secure channel communications.

If Windows NT 4.0 machines prior to SP4 must join this domain, or this domain must trust other domains that contain pre-SP4 Domain Controllers, then the secure channel signing requirement can be removed by disabling the following security policy in the Default Domain Controller GPO:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain Member: Digitally encrypt or sign secure channel data (always)

Detailed instructions on how to modify this setting are provided below.

Warning: Disabling this security setting exposes secure channel communications to "man in the middle" types of attacks. Therefore it is highly recommended that you upgrade your Windows NT 4.0 machines rather than disabling this security setting.

MODIFYING THE DEFAULT DOMAIN CONTROLLER GPO

To ensure all domain controllers are enforcing the same SMB and secure channel signing requirements, define the corresponding security settings in the Default Domain Controller GPO as follows:

1. Log on to a machine that has the Active Directory Users and Computers Snap-in installed.
2. Start -> Run -> DSA.MSC
3. Expand the Domain that contains your .NET Domain Controllers.
4. Right-click on the Domain Controllers OU and then click Properties.
5. Click the Group Policy tab, select the "Default Domain Controller Policy", and then click Edit.
6. Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
7. In the result pane, double click the security option you want to modify. For example, Microsoft Network Server: Digitally sign communications (always) or Domain Member: Digitally encrypt or sign secure channel data (always).
8. Check the "Define this policy setting" box.
9. Disable or Enable the security setting as desired and select OK.

WinZip 6.3-8.0
==============

WinZip 6.3-8.0 has a known compatibility issue with this version of Windows. For an update that is compatible with this version of Windows, contact Nico Mak Computing.

WinZip Computing, Inc.
Web site: http://www.winzip.com

*****************************************************************************
