Assign Appropriate Credentials

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Assign appropriate credentials to the users who are responsible for preparing the forest and domain for an Active Directory upgrade. The adprep /forestprep command requires a user account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins groups. The adprep /domainprep command requires a user account that is a member of the Domain Admins group in the targeted domain.

Additionally, the security context can affect the ability of an administrator to complete the upgrade from Windows 2000 to Windows Server 2003. Members of the Builtin\Administrators group can upgrade the operating system and install software on a computer. The following groups are members of the Builtin\Administrators group by default:

  • The Enterprise Admins group is a member of Builtin\Administrators in the forest root domain and in each regional domain in the forest.

  • The Domain Admins group is a member of Builtin\Administrators in their domain.

  • The Domain Admins group is a member of Builtin\Administrators on member servers in their domain.

Table 9.1 shows the credentials that are required to upgrade servers, depending on the domain membership of the servers.

Table 9.1   Credentials Required to Upgrade Servers to Windows Server 2003

| Credential | Domain Controller in Forest Root Domain | Member Server in Forest Root Domain | Domain Controller in Regional Domain | Member Server in Regional Domain |
| --- | --- | --- | --- | --- |
| Enterprise Admins in forest root domain | • |  | • |  |
| Domain Admins in forest root domain | • | • |  |  |
| Builtin\Administrators in forest root domain | • |  |  |  |
| Domain Admins in regional domain |  |  | • | • |
| Builtin\Administrators in regional domain |  |  | • |  |

You also need to ensure that the administrator who is upgrading the domain controllers has the following rights:

  • Backup files and directories (SE_BACKUP_NAME)

  • Modify firmware environment values (SE_SYSTEM_ENVIRONMENT_NAME)

  • Restore files and directories (SE_RESTORE_NAME)

  • Shut down the system (SE_SHUTDOWN_NAME)

The setup program cannot run properly if these rights are not defined, or if they are disabled by a domain Group Policy setting on the computer.

To verify if user rights assignments are disabled by a domain Group Policy setting

  1. In the Run dialog box, type mmc, and then click OK.

  2. Click File, and then click Add/Remove snap-in.

  3. In the Add/Remove snap-in dialog box, click Add.

  4. In the Available Standalone snap-ins dialog box, select Group Policy, and then click Add.

  5. At the Welcome to the Group Policy Wizard screen, verify that Local Computer appears in the Group Policy Object box, and then click Finish.

  6. Close the Add/Remove snap-in dialog box and the Add Standalone snap-in dialog box.

  7. In the Console Root, navigate to the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment folder.

  8. In the details pane, verify that the user who will perform the upgrade is a member of one of the groups that have the necessary rights assigned. The policies are named identically to the user rights listed above.
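The same check can be scripted against an exported copy of the user rights instead of reading them in the snap-in. The following is an added example, not part of the original documentation: it assumes the settings were exported with secedit /export /areas USER_RIGHTS /cfg, and the function names, the sample export and the SIDs in it are constructed for illustration.

```python
# The four rights the page lists, by the privilege names used in a secedit export.
REQUIRED_RIGHTS = {
    "SeBackupPrivilege": "Backup files and directories",
    "SeSystemEnvironmentPrivilege": "Modify firmware environment values",
    "SeRestorePrivilege": "Restore files and directories",
    "SeShutdownPrivilege": "Shut down the system",
}

# Constructed sample export. Real exports are UTF-16: open(path, encoding="utf-16").
SAMPLE_INF = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-551
SeShutdownPrivilege =
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading "*"; bare account names do not.
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights

def missing_rights(inf_text, principals):
    """Report required rights held by none of the given SIDs or account names."""
    rights = parse_privilege_rights(inf_text)
    held = {p.lower() for p in principals}
    report = {}
    for name, label in REQUIRED_RIGHTS.items():
        if name not in rights:
            report[name] = f"{label}: not defined"
        elif not rights[name] & held:
            report[name] = f"{label}: not granted to the supplied account or groups"
    return report
```

Pass the SIDs or names of the upgrading account and every group it belongs to; an empty result means all four rights are covered.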

Assign the appropriate credentials in advance to allow both testing and deployment to proceed without unexpected security delays.