SQLServerCentral Article

Upgrading to Windows 2003

This whitepaper encompasses some of the experiences I had with upgrading an application development team's server environment from Windows 2000 to Windows 2003. The paper will include the basic processes I followed in terms of documenting and managing application testing and some of the pre/post installation issues. Consider using this paper as a first-cut template for your own upgrade process.

The following upgrade is not applicable for domain controllers that manage your entire network; always involve your server administrator(s) in the process if this is the case.

Initial Planning

Timeframe & Resources

Upgrades will occur after 5.30pm on the dates below. Estimated upgrade time is 2hrs, with 1hr of pre and post-installation steps. No user can login during the upgrade process.

| Server / Host | Planned Date | Resource | Comments |
|---|---|---|---|
| server-ip | YYYYMMDD | Staff initials for each resource | |

Licensing

This section outlines the hosts, the upgrade version, associated cost and the license key. This is purely for documentation purposes and assumes the invoices have been finalized and media is available. Take into consideration the hardware and OS edition you are installing on and the support maximums in terms of CPU, Memory etc and the feature set supported. Management must be informed and kept "in the loop" with the decisions made.

| Server / Host | OS Edition | Cost$ | OS Product Key |
|---|---|---|---|
| server-ip | Enterprise Etc | xxxx.xx | |
| | | | |
| | Total: | XXXX.XX | |

MDAC (Before/After Images)

Download the MDAC tester from Microsoft at:

    http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q307/2/55.ASP&NoWebContent=1

or search for Microsoft support document #307255

| Server / Host | MDAC Before Upgrade | MDAC After Upgrade |
|---|---|---|
| xxx.xxx.xxx.xxx | | |
| | | |

Application Testing

Application testing will encompass any hosted application on the upgraded server(s). The testing strategies have been divided up for each application with simple check-lists outlined in this section. The key success factors here are:

  1. Resource commitment from the development manager to complete and document the testing matrix
  2. Commitment from the developers in terms of allocating 2hrs (initial maximum) to any “strange” application behavior experienced after the upgrade.
  3. Tests are repeatable and can be replicated with little effort
  4. 3rd parties (i.e. those on the receiving end of web-services, provide data files for subsequent loading, or receive files via http or ftp) are actively included in the test schedule.

Always refer to your production system as a last resort to reconfirm settings and application behavior. It is not uncommon that the DEV and TEST environments have never worked as expected and the developers just take it for granted until they go live into production.

Utility/Misc Applications and Technologies

The key technology focus, in a broad sense, is as follows (your servers will differ, of course):

  1. CDO Messaging
  2. SimpleCDO.dll – custom written emailer in COM
  3. COM+ components and related security settings
  4. COM components and related security settings
  5. INI file utilization (read/write)
  6. Registry read/write functionality
  7. Computer Associated
  8. Open Ingres Listener
  9. Crystal Reports 8.0
  10. Including service startup on system reboot
  11. Cognos versions:
  12. server-ip – v7.0.708 (series 7 MR 1)
  13. server-ip – v7.1.168 (series 7 MR 2)
  14. server-ip – v7.0.708 (series 7 MR 1)
  15. For low level version details:
  16. <dir>\cer2\cmplst.txt; on 201 it's F:\Cognos\cer3\cmplst.txt; and on 6.22 it's E:\Cognos\cer2\cmplst.txt
  17. ASP Upload v3
  18. JMail (SMTP CDO emailer)
  19. SQLXML (v3.0 SP1 - SQL Web Services)
  20. MDAC related issues (ADO, OLEDB connectivity)
  21. XMLHTTP calls
  22. MS XML-DOM (v3.0, v4.0)
  23. Soap Toolkit (v2.0 SP2, v3.0)
  24. Veritas Backup Exec
  25. TRIM (document management system) API (trim\tsapi.exe) - v4.3.302

{application name or identifier}

The following matrix is used for each identified application. The system architect, analyst or senior AP will build on the matrix, identifying the key components to be tested. The key here is to touch (at least once) core technologies utilized by the application to support the business.

This matrix should be coupled with a thorough project plan. Consider estimated timings and a mini-project plan if the applications are large and complex. Do you have pre-defined test beds?

| Test Summary | Sub-App Name | Who? | Result | Successful? / Issues? |
|---|---|---|---|---|
| | | | | |
| | | | | |
| | | | | |

Installation Process and Issues

What .Net Framework is Installed?

Windows 2003 comes with framework versions:

  • v1.0.3705
  • v1.1.4322

system root\microsoft.net\framework

On install of VS.Net 2003, consider n:\setup\Setup.exe /NO_BSLN_CHECK to bypass pre-installation checks if there are issues related to the framework version.

Pre-installation steps

Pre-upgrade steps:

  • Standard or enterprise
    • We can not upgrade from Win2k AS to Win2k3 enterprise ed
    • We really only need standard, but are now restricted with the supported upgrades
  • Review relnotes.htm on \docs dir of the cd-rom
  • Server and device licensing (access keys)
  • Free disk space
    • %systemroot% - 1.5Gb (although you can get away with 750Mb)
  • System and application level backups
    • Completed without error, and off to tape
  • Ensure SP2 windows 2000 at a minimum has been installed before the upgrade
  • Application checking tool (low level 32bit or 16bit apps with API calls)
    • Act30pkg.exe
    • Run application compatibility checking tool
  • Compatibility administrator tool
  • Appverifier.exe
  • AD checks
    • d:\i386\winnt32 /checkupgradeonly
    • d: is the location of the cd-rom

Installation issues / other:

  • Retain native mode during installation
    • Upgrade the forest to “windows 2003” mode once all domain servers are win2003 upgraded
  • AD Installation Wizard
    • Anonymous logon group and everyone security groups
  • Add to “pre-windows 2000” compatible access
  • Active Directory
    • Run adprep on the schema ops master before upgrade
      • Adprep /forestprep
        • Debug or diagnose errors via dcdiag.exe
        • Verify command via event viewer
      • Adprep /domainprep
        • Debug or diagnose errors via dcdiag.exe
        • Verify command via event viewer
    • Use the command dcdiag to assist in resolving issues
      • Dcdiag.exe, one of the tools available from the \Support\Tools folder on the Setup CD

Post Upgrade

  • IIS Settings
    • Run IIS Manager
      • Properties of Server, ensure “enable direct metabase edit” is selected
  • IIS Metabase Edit (metabase.xml) changes
    • %systemroot%\system32\inetsrv\
    • AspEnableParentPaths="TRUE"
  • IIS Security lockdown checks
    • Dynamic Content
      • Set under “Web Service Extensions” folder in IIS
        • Enable ASP
        • Enable Indexing Service
        • Enable WebDav
        • Visual Interdev 6.0
    • Verify STARS WebDav for online template editing
      • Corpsys\trs\correspondence
      • Corpsys\trs\documents\
      • Corpsys\stars\repdocuments\
        • Ensure read/write privs minimum @ NTFS
        • Ensure read/write privs minimum @ IIS VD
  • IIS UNC Path Mappings
    • You may get errors in IIS Manager for UNC mapped virtual directories. It may show connection errors and list no files, but the VD may still be fine. The only way to test is via the application. This is a deficiency with IIS Manager and its connecting user versus the UNC path user.
  • Check and fix - trusts between servers
  • Open Event Viewer and check the system log for errors or unexpected events, namely related to active directory

Pre and Post Installation - Potential Issues

The following list of items is random, and will of course differ in your environment. Here I list a range of issues we faced before and after the upgrade.

Add more or remove as required to complete your “FAQ” for server upgrades. You may find this list grows as you move between servers.

COGNOS (error on adprep /forestprep)

http://groups.google.com.au/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&threadm=dea93867.0307111450.3445aded%40posting.google.com&rnum=1&prev=/groups%3Fq%3DAdd%2Berror%2Bon%2Bline%2B333:%2BUnwilling%2BTo%2BPerform%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26selm%3Ddea93867.0307111450.3445aded%2540posting.google.com%26rnum%3D1

It turns out that our problem is caused by Cognos Access Manager. Access Manager has an option to store its information in AD, which is how the person who set it up installed it (the other option is Netscape Directory Server, which comes with the product). When set up this way, it adds some schema extensions to AD.

Sure.

The issue is in sch18.ldf. If you were to open up ldif.err.18 in system32 you'd find the error as well. I believe in your case they are defining PreferredLanguage with the wrong OID. If you look in your schema you'll probably see PreferredLanguage with an attributeID= 1.2.840.114050.1.1.1.1.90 (aka an OID). That's not a valid OID to be using there.

You'd have to rename the existing preferredLanguage adminDisplayName, lDAPDisplayName, RDN, etc. to not be preferredLanguage. Maybe name it CognosPreferredLanguage or something.

NOTE: This very well might break your application. I haven't a clue what doing this might break. You definitely, without a doubt, before doing anything else, need to check with the software vendor on this first.

Patch is on maintenance release 1 of Version2 (ads_update.exe, 25Kb).

Run before attempting /forestprep again.

Indexing Service

Indexing service 3.0 is retained from Windows 2000; no problems/changes are noted in the Windows 2003 documentation.

WebDav Authentication

There is a strange change in authentication with webdav enabled web sites.

The application we run under Windows 2000 has these properties:

  • mywebsite (port 80 – via SSL)
    • /myapp (virtual dir – basic authentication)
    • /mywebdav (virtual dir – webdav enabled – integrated security)

In this particular case, the user logs in via a standard .asp in /myapp; the asp has a small vbscript to open word and a document in /mywebdav/mydoc.doc. In Windows 2000 with the above authentication properties, we are only prompted once for authentication, that being basic authentication for /myapp, and this authentication flows through to the webdav virtual directory. (Note – if we use basic authentication on /mywebdav, you will be prompted again to log in to this resource; integrated resolves this issue.)

In Windows 2003, you will be prompted for basic authentication to /myapp (this is fine), BUT, on trying to access the webdav virtual directory, you will be prompted with an integrated security login, then another basic authentication screen (that’s right – 3 logins!). This is a nasty experience for the end user to deal with.

Therefore, after the upgrade, change the /mywebdav authentication property to basic authentication (matching /myapp). Unfortunately the user is still prompted to log in (yet again), but only for the first time. Of course, using anonymous access of the webdav directory will not prompt you but is pointless in terms of security.

Session Variable Issues

With the advent of IIS6 and worker processes, session variables are now problematic for non .Net applications (.Net applications can utilise a managed session state server/database). Session state variables are NOT shared amongst worker processes in web gardens; as such, your application will find session variables previously declared on login (for example) suddenly disappear altogether and seemingly randomly. This is based on two possible IIS 6 settings:

  • Web garden settings

Open the “application pools” folder. Select the pool in which your website/virtual directory is having issues and right click for properties. Under the performance tab, reduce the value for web garden to one. Re-start the application pool.

  • Worker process recycling

Open the “application pools” folder. Select the pool in which your website/virtual directory is having issues and right click for properties. Under the recycling tab, verify the values for recycle worker process, recycle worker process (# requests), and recycle worker process (at this time). Invalid or unrealistic settings here will directly affect application and session variables for incoming user requests.

Websites of interest related to this:

http://www.iisfaq.com/default.aspx?View=A560&P=1

http://groups.google.com.au/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=e1LFXLZHDHA.672%40TK2MSFTNGP12.phx.gbl&rnum=1&prev=/groups%3Fq%3Dsession%2Bobjects%2Biis%2B6%2Bproblems%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3De1LFXLZHDHA.672%2540TK2MSFTNGP12.phx.gbl%26rnum%3D1
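
An added example, not part of the original article: a small Python audit of a metabase.xml file for the settings discussed above (web garden size, worker process recycling, and the AspEnableParentPaths change made post-upgrade). The sample XML is constructed, the pool name StarsPool and the 60-minute recycle threshold are assumptions, and the element and attribute names (IIsApplicationPool, MaxProcesses, PeriodicRestartTime, PeriodicRestartRequests) are the IIS 6.0 metabase property names; check them against your own file.

```python
# Added illustration, not code from the article: flag metabase.xml settings that
# affect classic ASP session state or loosen the default IIS 6 lockdown.
import xml.etree.ElementTree as ET

# Constructed sample in the shape of %systemroot%\system32\inetsrv\metabase.xml.
SAMPLE_METABASE = """
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebService Location="/LM/W3SVC" AspEnableParentPaths="TRUE" />
    <IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool"
        MaxProcesses="4" PeriodicRestartTime="1740" PeriodicRestartRequests="0" />
    <IIsApplicationPool Location="/LM/W3SVC/AppPools/StarsPool"
        MaxProcesses="1" PeriodicRestartTime="30" PeriodicRestartRequests="500" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/myapp" AspEnableParentPaths="FALSE" />
  </MBProperty>
</configuration>
"""


def audit_metabase(xml_text, min_recycle_minutes=60):
    """Return (location, finding) pairs in document order.

    Attributes missing from a node are inherited in the real metabase; this
    sketch only reports values set explicitly on the node (an assumption).
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        kind = el.tag.rsplit("}", 1)[-1]          # strip the XML namespace
        loc = el.get("Location", "?")
        if kind == "IIsApplicationPool":
            # Web garden: more than one worker process means in-process ASP
            # session variables are not visible to every request.
            if int(el.get("MaxProcesses", "1")) > 1:
                findings.append((loc, "web-garden"))
            # Recycling discards in-process session state each time it fires.
            minutes = int(el.get("PeriodicRestartTime", "0"))
            if 0 < minutes < min_recycle_minutes:
                findings.append((loc, "recycle-time"))
            if int(el.get("PeriodicRestartRequests", "0")) > 0:
                findings.append((loc, "recycle-requests"))
        # IIS 6.0 ships with parent paths disabled; turning it on lets ASP
        # includes use "..", so record where it was enabled and why.
        if el.get("AspEnableParentPaths", "").upper() == "TRUE":
            findings.append((loc, "parent-paths"))
    return findings


if __name__ == "__main__":
    for location, finding in audit_metabase(SAMPLE_METABASE):
        print(f"{finding:18} {location}")
```

Run it against a copy of the file taken before and after the upgrade so that each flagged location can be matched to a documented decision.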

RPC Services

Ensure these services are running:

  • Remote Procedure Call
  • Remote Procedure Call Locator

Enable Network DCOM & DTC

Start, control panel, add remove programs, add/remove windows components, application server (select details button), check box “enable network com+ access” and “enable network dtc access”

Also read: http://support.microsoft.com/default.aspx?scid=kb;en-us;817064

SIDs

You run this at the command prompt. You need the NETDOM util from the resource kit.

    C:\netdom trust ppl2kdv /domain:training /quarantine:no /usero:domainadmin /passwordo:domainadminpassword

I had to do this when I upgraded my DC's and some issues with SASS domain came up.

The long answer is that Windows 2000 and Windows Server 2003 protect resources with ACLs (Access Control Lists), and an ACL is essentially a list of Security Identifiers (SIDs) and lists of access rights that are granted to that security principal. SIDs are relative to a domain. The SID of a user or group from a domain is always based on the SID of the domain, and uniquely identifies the user or group. ACLs are placed on a resource to indicate which users and groups are permitted to access the resource, and what level of access the users and groups are allowed. When a user attempts to access the resource, Windows compares the list of SIDs in the ACL to the list of SIDs that identify the user and his or her group memberships, and grants or denies access as it should. Pretty straightforward...

When a user logs on to a domain, the user's account SID and group membership SIDs are determined by a domain controller in the user's account domain. The SID of the trusted domain, the relative ID (RID) of the user's account, the RID of the user's primary group, and the SIDs of all other group memberships are combined into an authorization data structure and passed to the requesting computer. If the authenticating domain controller is running Windows 2000 or Windows Server 2003, it also checks to determine if the user has any SIDs in his or her SIDHistory attribute and includes those SIDs in the authorization data.

If the computer that is requesting user authentication is in a different domain from the user's account, authentication occurs by using the trust. During authentication, the computer in the trusting domain accepts the authorization data that is provided by the trusted domain controller. There is no way for the computer that is requesting authentication to determine the validity of the authorization information, so it accepts the data as accurate based on the existence of the trust relationship.

SID filtering blocks Windows 2000 and Windows Server 2003 transitive trust. If a quarantined domain is located in the trust path between two domains, users from domains on the other side of the quarantined domain cannot access resources in the quarantining domain.

Microsoft recommends that you don't use SID filtering between domains in the same forest because it disrupts the default trust and authentication behavior of a forest, including intra-forest replication, and is likely to lead to problems with programs.
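
An added example, not part of the original article: a simplified Python model of the authorization data described above, showing which SIDs a quarantined trust (/quarantine:yes) drops and how that changes an access check in the trusting domain. The domain SIDs, RIDs, the "legacy" source domain and the share ACL are all constructed; real SID filtering has further rules (for example for well-known SIDs) that this sketch does not model.

```python
# Added illustration, not code from the article: a simplified model of how
# SID filtering (netdom /quarantine) changes the SIDs a trusting domain accepts.
from dataclasses import dataclass, field

# Constructed domain SIDs. "training" is the trusted (account) domain from the
# netdom command above; "legacy" is a hypothetical domain users were migrated from.
TRAINING = "S-1-5-21-1111111111-2222222222-3333333333"
LEGACY = "S-1-5-21-4444444444-5555555555-6666666666"


@dataclass
class AuthData:
    """Authorization data the trusted domain controller sends for one logon."""
    user_sid: str
    group_sids: list = field(default_factory=list)
    sid_history: list = field(default_factory=list)


def domain_of(sid):
    """Domain portion of an account SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]


def filtered_out(auth, trusted_domain_sid):
    """SIDs a quarantined trust would drop: those not issued by the trusted domain."""
    every = [auth.user_sid, *auth.group_sids, *auth.sid_history]
    return [s for s in every if domain_of(s) != trusted_domain_sid]


def effective_sids(auth, trusted_domain_sid, quarantine):
    """SIDs the trusting computer ends up comparing against its ACLs."""
    every = {auth.user_sid, *auth.group_sids, *auth.sid_history}
    if quarantine:
        every -= set(filtered_out(auth, trusted_domain_sid))
    return every


def access_allowed(acl, sids, wanted):
    """acl is a list of (sid, rights) allow entries; grant if all wanted rights are covered."""
    granted = set()
    for sid, rights in acl:
        if sid in sids:
            granted |= set(rights)
    return set(wanted) <= granted


# Constructed scenario: a user migrated from LEGACY into TRAINING keeps the old
# group SID in SIDHistory, and a share in the trusting domain still grants
# write access to that old group only.
MIGRATED_USER = AuthData(
    user_sid=f"{TRAINING}-1105",
    group_sids=[f"{TRAINING}-513"],
    sid_history=[f"{LEGACY}-1200"],
)
SHARE_ACL = [
    (f"{TRAINING}-513", {"read"}),
    (f"{LEGACY}-1200", {"read", "write"}),
]

if __name__ == "__main__":
    for quarantine in (True, False):
        sids = effective_sids(MIGRATED_USER, TRAINING, quarantine)
        print("quarantine" if quarantine else "no quarantine",
              "-> write allowed:", access_allowed(SHARE_ACL, sids, {"write"}))
    print("would be filtered:", filtered_out(MIGRATED_USER, TRAINING))
```

With filtering off, every SID in the authorization data is accepted on the strength of the trust alone, so the output of filtered_out is the list to review before choosing /quarantine:no.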

Active Directory GUI

Open the “Active Directory Users and Computers” GUI. At the top node, right click properties → view → advanced features ticked.

Backup Exec

This version of Backup Exec relies on drivers that might not be compatible with this version of Windows. Updated drivers are available from http://seer.support.veritas.com/docs/242074.htm. Contact VERITAS for more details (Web site: http://support.veritas.com).

Winzip 6.3-8.0

WinZip 6.3-8.0 has a known compatibility issue with this version of Windows. For an update that is compatible with this version of Windows, contact Nico Mak Computing. Contact Information: WinZip Computing, Inc. Web site: http://www.winzip.com.

IIS Security Enhancer (server)

If Internet Explorer Enhanced Security Configuration is enabled on your server, you may find it necessary to use the default Internet Explorer security settings of Windows 2000.

  1. Open Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
  2. Select Internet Explorer Enhanced Security Configuration, click the check box to clear the selection, and then click OK.
  3. Click Next and then click Finish.
  4. Restart Internet Explorer to apply the changes.

Important

  • When you restore Windows 2000 security settings for Internet Explorer, you also restore the lists of Trusted sites and Local intranet sites that were in effect at the time Internet Explorer Enhanced Security Configuration was applied.
  • Applying the Windows 2000 default Internet Explorer security settings increases your server's exposure to potential attacks from malicious Web-based content.

IIS 5/6 Isolation Mode

To configure IIS for worker process isolation mode (IIS 6)

  1. In IIS Manager, expand the local computer, right-click Web Sites, and then click Properties.
  2. Click the Service tab, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.
  3. To start the WWW service, click Yes.

If the switch to worker process isolation mode is successful, a folder named Application Pools appears in the IIS Manager listing for your local computer. You can always determine which isolation mode IIS is running by the presence (worker process isolation mode) or absence (IIS 5.0 isolation mode) of the Application Pools folder.

IIS Utility Components

IIS utility components not installed: Ad Rotator, Browser Capabilities, Content Linker, Content Rotator, Counters, Logging Utility, My Info, Page Counter, Status, and tools are not installed with IIS 6.0. However, if you upgrade your Web server from a previous version of IIS, the utility components are not removed. You can obtain copies of the utility component DLL files from the IIS 6.0 Resource Kit.

CDONTS (emails)

The Windows Server 2003 family does not support Active Server Pages that use the mail object Collaboration Data Objects for Windows NT Server (CDONTS.dll) if you perform a new installation. The Windows Server 2003 family includes Collaborative Data Objects for Windows 2000 (CDOSYS.dll), which replaces CDONTS.dll.

SQLXML and IIS 6.0 Isolation Modes

You cannot run SQLXML (XML support for Microsoft SQL Server 2000 databases) and Universal Description, Discovery, and Integration (UDDI) Services on the same computer because SQLXML requires Internet Information Services (IIS) 5.0 isolation mode and UDDI Services requires IIS 6.0 worker process isolation mode.

After testing, our websites have not experienced any issues with SP3 of SQLXML and its IIS integration.

WWW Service Startup Check

You can enable and start the WWW service by using the Services snap-in:

  1. Click Start, point to Administrative Tools, and then click Services.
  2. In the list of services, right-click World Wide Web Publishing Service, and then click Properties.
  3. On the General tab, in the Startup type list, click Automatic, and then click OK.
  4. In the list of services, right-click World Wide Web Publishing Service, and then click Start.

UNC paths

Users will not be able to run executable files from Universal Naming Convention (UNC) shared folders until you or the users have added the shared computer to the Local intranet security zone in Internet Explorer.

ASP file caching

To disable ASP file caching

  • Open IIS Manager.
  • Right-click <ComputerName>, where <ComputerName> is the name of your computer, and then click Properties.
  • Click Edit to edit the WWW Service Master Properties.
  • On the Home Directory tab, click Configuration.
  • On the Process Options tab, select the Do not cache ASP files option.
  • Click Apply, and then click OK to save your changes.
  • Restart IIS.

To disable static file caching

  • Add the following value to the registry:
    • HKLM\System\CurrentControlSet\Services\Inetinfo\Parameters
    • DisableMemoryCache: REG_DWORD: 1
  • You need to restart the server for this setting to take effect.

Warning: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use the Registry Editor at your own risk.

For more information on how to disable the static file and ASP template caches, see this Knowledge Base article: http://support.microsoft.com/default.aspx?scid=kb;en-us;250925&sd=tech.

MSDTC Transaction Security

Verify allowable transactions within MSDTC (right click properties from the MSDTC root):

Closing Thoughts

The upgrade process is relatively painless with thorough planning. I do not run clusters or replication, which have their own issues, steps and process to follow in order to be successful first time around. Probably the biggest pain was MSDTC and remote debugging for the developers. This took some time to resolve as the error messages were typically unfriendly. The OS itself has been rock solid from day one and IIS performance impressive. I would highly recommend Windows 2003 and the features that come with it.

Finally, remember to backup everything you can before the upgrade and test the backups before progressing. The rollback is far from simple.

 

 
