
Upgrading to Windows 2003

By Chris Kempster

This whitepaper encompasses some of the experiences I had with upgrading an application development team's server environment from Windows 2000 to Windows 2003. The paper includes the basic processes I followed in terms of documenting and managing application testing, and some of the pre/post-installation issues.

Consider using this paper as a first-cut template for your own upgrade process. The following upgrade is not applicable to domain controllers that manage your entire network; always involve your server administrator(s) in the process if this is the case.

Initial Planning

Timeframe & Resources

Upgrades will occur after 5.30pm on the dates below. Estimated upgrade time is 2hrs, with 1hr of pre and post-installation steps. No user can log in during the upgrade process.

| Server / Host | Planned Date | Staff initials for each resource |
|---|---|---|
| | | |


This section outlines the hosts, the upgrade version, associated cost and the license key.  This is purely for documentation purposes and assumes the invoices have been finalized and media is available.  Take into consideration the hardware and OS edition you are installing on and the support maximums in terms of CPU, Memory etc and the feature set supported.  Management must be informed and kept "in the loop" with the decisions made.


| Server / Host | OS Edition | OS Product Key |
|---|---|---|
| | Enterprise Etc | |

MDAC (Before/After Images)

Download the MDAC tester from Microsoft at:
or search for Microsoft support document# 307255

| Server / Host | MDAC Before Upgrade | MDAC After Upgrade |
|---|---|---|
| | | |

Application Testing

Application testing will encompass any hosted application on the upgraded server(s).  The testing strategies have been divided up for each application with simple check-lists outlined in this section.  The key success factors here are:

  1. Resource commitment from the development manager to complete and document the testing matrix
  2. Commitment from the developers in terms of allocating 2hrs (initial maximum) to any “strange” application behavior experienced after the upgrade.
  3. Tests are repeatable and can be replicated with little effort
  4. 3rd parties (i.e. those on the receiving end of web-services, those who provide data files for subsequent loading, or those who receive files via http or ftp) are actively included in the test schedule.

Always refer to your production system as a last resort to reconfirm settings and application behavior.  It is not uncommon that the DEV and TEST environments have never worked as expected and the developers just take it for granted until they go live into production.

Utility/Misc Applications and Technologies

In a broad sense, the key technology focus is as follows (your servers will differ, of course):

  1. CDO Messaging 
  2. SimpleCDO.dll – custom written emailer in COM
  3. COM+ components and related security settings
  4. COM components and related security settings
  5. INI file utilization (read/write)
  6. Registry read/write functionality
  7. Computer Associates
  8. Open Ingres Listener
  9. Crystal Reports 8.0
  10. Including service startup on system reboot
  11. Cognos versions:
    • server-ip – v7.0.708 (series 7 MR 1)
    • server-ip – v7.1.168 (series 7 MR 2)
    • server-ip – v7.0.708 (series 7 MR 1)
    • For low level version details:
      • <dir>\cer2\cmplst.txt; on 201 it's F:\Cognos\cer3\cmplst.txt; and on 6.22 it's E:\Cognos\cer2\cmplst.txt
  12. ASP Upload v3
  13. JMail (SMTP CDO emailer)
  14. SQLXML (v3.0 SP1 - SQL Web Services)
  15. MDAC related issues (ADO, OLEDB connectivity)
  16. XMLHTTP calls
  17. MS XML-DOM (v3.0, v4.0)
  18. Soap Toolkit (v2.0 SP2, v3.0)
  19. Veritas Backup Exec
  20. TRIM (document management system) API (trim\tsapi.exe) - v4.3.302

{application name or identifier}

The following matrix is used for each identified application.  The system architect, analyst or senior AP will build on the matrix, identifying the key components to be tested.  The key here is to touch (at least once) core technologies utilized by the application to support the business.

This matrix should be coupled with a thorough project plan.   Consider estimated timings and a mini-project plan if the applications are large and complex.  Do you have pre-defined test beds?

Test Summary

| Sub-App Name | Successful? / Issues? |
|---|---|
| | |

Installation Process and Issues

What .Net Framework is Installed?

Windows 2003 comes with framework versions:

  • v1.0.3705
  • v1.1.4322

These are installed under %systemroot%\microsoft.net\framework.

When installing VS.Net 2003, consider running n:\setup\Setup.exe /NO_BSLN_CHECK to bypass the pre-installation checks if there are issues related to the framework version.

Pre-installation steps

Pre-upgrade steps:

  • Standard or enterprise
    • We cannot upgrade from Win2K AS to Win2003 Enterprise Edition
    • We really only need standard, but are now restricted with the supported upgrades
  • Review relnotes.htm on \docs dir of the cd-rom
  • Server and device licensing (access keys)
  • Free disk space
    • %systemroot% - 1.5Gb (although you can get away with 750Mb)
  • System and application level backups
    • Completed without error, and off to tape
  • Ensure SP2 windows 2000 at a minimum has been installed before the upgrade
  • Application checking tool (low level 32bit or 16bit apps with API calls)
    • Act30pkg.exe
    • Run application compatibility checking tool
  • Compatibility administrator tool
  • Appverifier.exe
  • AD checks
    • d:\i386\winnt32 /checkupgradeonly
    • d:\ is location of cd-rom

Installation issues / other:

  • Retain native mode during installation
    • Upgrade the forest to “windows 2003” mode once all domain servers are win2003 upgraded
  • AD Installation Wizard
    • Anonymous logon group and everyone security groups
      • Add to “pre-windows 2000” compatible access
  • Active Directory
    • Run adprep on the schema ops master before upgrade
      • Adprep /forestprep  
        • Debug or diagnose errors via dcdiag.exe
        • Verify command via event viewer
      • Adprep /domainprep
        • Debug or diagnose errors via dcdiag.exe
        • Verify command via event viewer
    • Use the command dcdiag to assist in resolving issues
      • Dcdiag.exe, one of the tools available from the  \Support\Tools folder on the Setup CD

Post Upgrade

  • IIS Settings
    • Run IIS Manager
      • Properties of Server, ensure “enable direct metabase edit” is selected
  • IIS Metabase Edit (metabase.xml) changes
    • %systemroot%\system32\inetsrv\
    • AspEnableParentPaths="TRUE"
  • IIS Security lockdown checks
    • Dynamic Content
      • Set under “Web Service Extensions” folder in IIS
        • Enable ASP
        • Enable Indexing Service
        • Enable WebDav
        • Visual Interdev 6.0
    • Verify STARS WebDav for online template editing
      • Corpsys\trs\correspondence
      • Corpsys\trs\documents\
      • Corpsys\stars\repdocuments\
        • Ensure read/write privs minimum @ NTFS
        • Ensure read/write privs minimum @ IIS VD
  • IIS UNC Path Mappings
    • You may get errors in IIS Manager for UNC mapped virtual directories. It may show connection errors and list no files, but the VD may still be fine. The only way to test is via the application. This is a deficiency with IIS Manager and its connecting user versus the UNC path user.
  • Check and fix - trusts between servers
  • Open Event Viewer and check the system log for errors or unexpected events, namely related to active directory

Pre and Post Installation - Potential Issues

The following list of items is random, and will of course differ in your environment.  Here I list a range of issues we faced before and after the upgrade.   Add more or remove as required to complete your “FAQ” for server upgrades.  You may find this list grows as you move between servers.

COGNOS (error on adprep /forestprep)


It turns out that our problem is caused by Cognos Access Manager. Access Manager has an option to store its information in AD, which is how the person who set it up installed it (the other option is Netscape Directory Server, which comes with the product). When set up this way, it adds some schema extensions to AD.

Sure. The issue is in sch18.ldf. If you were to open up ldif.err.18 in system32 you'd find the error as well. I believe in your case they are defining PreferredLanguage with the wrong OID. If you look in your schema you'll probably see PreferredLanguage with an attributeID= 1.2.840.114050. (aka an OID). That's not a valid OID to be using there. You'd have to rename the existing preferredLanguage adminDisplayName, lDAPDisplayName, RDN, etc. to not be preferredLanguage. Maybe name it CognosPreferredLanguage or something.

NOTE: This very well might break your application. I haven't a clue what doing this might break. You definitely, without a doubt, before doing anything else, need to check with the software vendor on this first.

Patch is on maintenance release 1 of Version2 (ads_update.exe, 25Kb).  Run before attempting /forestprep again.

Indexing Service

Indexing Service 3.0 is retained from Windows 2000; no problems/changes are noted in the Windows 2003 documentation.

WebDav Authentication

There is a strange change in authentication with webdav enabled web sites.   The application we run under Windows 2000 has these properties:

  • mywebsite (port 80 – via SSL)
    • /myapp  (virtual dir – basic authentication)
    • /mywebdav (virtual dir – webdav enabled – integrated security)

In this particular case, the user logs in via a standard .asp page in /myapp. The ASP page has a small VBScript that opens Word and a document at /mywebdav/mydoc.doc. In Windows 2000, with the above authentication properties, we are prompted only once for authentication, that being basic authentication for /myapp, and this authentication flows through to the WebDAV virtual directory. (Note: if we use basic authentication on /mywebdav, you will be prompted again to log in to this resource; integrated security resolves this issue.)

In Windows 2003, you will be prompted for basic authentication to /myapp (this is fine), BUT, on trying to access the WebDAV virtual directory, you will be prompted for an integrated security login and then another basic authentication screen (that’s right – 3 logins!). This is a nasty experience for the end user to deal with.

Therefore, after the upgrade, change the /mywebdav authentication property to basic authentication (matching /myapp). Unfortunately, the user is still prompted to log in (yet again), but only the first time. Of course, using anonymous access for the WebDAV directory will not prompt you, but is pointless in terms of security.

Session Variable Issues

With the advent of IIS 6 and worker processes, session variables are now problematic for non-.Net applications (.Net applications can utilise a managed session state server/database). Session state variables are NOT shared amongst the worker processes in a web garden; as such, your application will find that session variables previously declared on login (for example) suddenly disappear altogether and seemingly at random. This is based on two possible IIS 6 settings:

  • Web garden settings

Open the “application pools” folder. Select the pool in which your website/virtual directory is having issues, and right-click for properties. Under the performance tab, reduce the value for web garden to one. Restart the application pool.

  • Worker process recycling

Open the “application pools” folder. Select the pool in which your website/virtual directory is having issues, and right-click for properties. Under the recycling tab, verify the values for recycle worker process, recycle worker process (# requests), and recycle worker process (at this time). Invalid or unrealistic settings here will directly affect application and session variables for incoming user requests.
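
Why a login session seems to vanish under these two settings, shown as an added example that is not from the original article: a small Python simulation of in-process session state. Round-robin request distribution, the session id and the user name are assumptions made for the illustration.

```python
from itertools import cycle


class WorkerProcess:
    """One worker process: non-.Net session data lives only in its own memory."""

    def __init__(self, recycle_after=None):
        self.sessions = {}
        self.handled = 0
        self.recycle_after = recycle_after  # models "recycle (# requests)"

    def handle(self, session_id, set_values=None):
        # A recycle replaces the process, so every in-memory session is lost.
        if self.recycle_after and self.handled >= self.recycle_after:
            self.sessions, self.handled = {}, 0
        self.handled += 1
        # An unknown session id simply gets a fresh, empty session.
        session = self.sessions.setdefault(session_id, {})
        if set_values:
            session.update(set_values)
        return dict(session)


class AppPool:
    """Application pool with `web_garden` worker processes."""

    def __init__(self, web_garden=1, recycle_after=None):
        self.workers = [WorkerProcess(recycle_after) for _ in range(web_garden)]
        self._next = cycle(self.workers)  # assumption: strict round-robin

    def request(self, session_id, set_values=None):
        return next(self._next).handle(session_id, set_values)


def logged_in_hits(web_garden, recycle_after, requests=9):
    """Log in once, then count follow-up requests that still see the user."""
    pool = AppPool(web_garden, recycle_after)
    pool.request("sess-1", {"user": "alice"})  # login page sets Session("user")
    return sum(
        1 for _ in range(requests)
        if pool.request("sess-1").get("user") == "alice"
    )


if __name__ == "__main__":
    print("web garden = 1, no recycling :", logged_in_hits(1, None))
    print("web garden = 3, no recycling :", logged_in_hits(3, None))
    print("web garden = 1, recycle at 5 :", logged_in_hits(1, 5))
```

With a web garden of three, only the requests that happen to land on the process that handled the login still see the user; with one process and a low request-count recycle, the session survives until the first recycle and never comes back.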

Websites of interest related to this:



RPC Services

Ensure these services are running:

  • Remote Procedure Call
  • Remote Procedure Call Locator

Enable Network DCOM & DTC

Go to Start, Control Panel, Add/Remove Programs, Add/Remove Windows Components, Application Server (select the Details button), and check the boxes “enable network com+ access” and “enable network dtc access”.

Also read: http://support.microsoft.com/default.aspx?scid=kb;en-us;817064


You run this at the command prompt. You need the NETDOM util from the resource kit.

C:\netdom trust ppl2kdv /domain:training /quarantine:no /usero:domainadmin /passwordo:domainadminpassword

I had to do this when I upgraded my DCs and some issues with SASS domain came up.

The long answer is that Windows 2000 and Windows Server 2003 protect resources with ACLs (Access Control Lists), and an ACL is essentially a list of Security Identifiers (SIDs) and lists of access rights that are granted to that security principal. SIDs are relative to a domain. The SID of a user or group from a domain is always based on the SID of the domain, and uniquely identifies the user or group. ACLs are placed on a resource to indicate which users and groups are permitted to access the resource, and what level of access the users and groups are allowed. When a user attempts to access the resource, Windows compares the list of SIDs in the ACL to the list of SIDs that identify the user and his or her group memberships, and grants or denies access as it should. Pretty straightforward...

When a user logs on to a domain, the user's account SID and group membership SIDs are determined by a domain controller in the user's account domain. The SID of the trusted domain, the relative ID (RID) of the user's account, the RID of the user's primary group, and the SIDs of all other group memberships are combined into an authorization data structure and passed to the requesting computer. If the authenticating domain controller is running Windows 2000 or Windows Server 2003, it also checks to determine if the user has any SIDs in his or her SIDHistory attribute and includes those SIDs in the authorization data.

If the computer that is requesting user authentication is in a different domain from the user's account, authentication occurs by using the trust. During authentication, the computer in the trusting domain accepts the authorization data that is provided by the trusted domain controller. There is no way for the computer that is requesting authentication to determine the validity of the authorization information, so it accepts the data as accurate based on the existence of the trust relationship.

SID filtering blocks Windows 2000 and Windows Server 2003 transitive trust. If a quarantined domain is located in the trust path between two domains, users from domains on the other side of the quarantined domain cannot access resources in the quarantining domain.

Microsoft recommends that you don't use SID filtering between domains in the same forest because it disrupts the default trust and authentication behavior of a forest, including intra-forest replication, and is likely to lead to problems with programs.
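
The access check and SID filtering described above, as an added example that is not part of the original article: a simplified Python model of a logon across a trust with quarantine on and off. The domain names follow the netdom command above, but all SIDs, RIDs and the ACL are constructed values, and well-known SIDs and deny entries are not modelled.

```python
from dataclasses import dataclass, field

# Constructed domain SIDs (not real). TRAINING is the trusted (account) domain,
# PPL2KDV the trusting (resource) domain, as in the netdom command above.
TRAINING = "S-1-5-21-1111111111-2222222222-3333333333"
PPL2KDV = "S-1-5-21-4444444444-5555555555-6666666666"
OLDDOM = "S-1-5-21-7777777777-8888888888-9999999999"  # hypothetical retired domain


def domain_of(sid: str) -> str:
    """A SID is domain SID + RID, so the domain part is all but the last field."""
    return sid.rsplit("-", 1)[0]


@dataclass
class AuthzData:
    """Authorization data assembled by a DC in the user's account domain."""
    user_sid: str
    group_sids: list
    sid_history: list = field(default_factory=list)

    def all_sids(self) -> list:
        return [self.user_sid, *self.group_sids, *self.sid_history]


def dropped_by_filter(authz: AuthzData, trusted_domain: str) -> list:
    """SIDs a quarantined trust discards: any SID not issued by the trusted domain."""
    return [s for s in authz.all_sids() if domain_of(s) != trusted_domain]


def effective_sids(authz: AuthzData, trusted_domain: str, quarantine: bool) -> set:
    """Without quarantine the trusting side accepts every SID it is handed."""
    dropped = set(dropped_by_filter(authz, trusted_domain)) if quarantine else set()
    return set(authz.all_sids()) - dropped


def access_check(acl: dict, sids: set) -> set:
    """Union of the rights from allow entries whose SID the caller holds."""
    granted = set()
    for sid, rights in acl.items():
        if sid in sids:
            granted |= rights
    return granted


# A user migrated from OLDDOM into TRAINING keeps the old SID in SIDHistory.
user = AuthzData(
    user_sid=f"{TRAINING}-1105",
    group_sids=[f"{TRAINING}-513"],
    sid_history=[f"{OLDDOM}-1620"],
)
# ACL on a share in PPL2KDV that still names the user's pre-migration SID.
share_acl = {f"{OLDDOM}-1620": {"read", "write"}, f"{PPL2KDV}-512": {"full"}}

if __name__ == "__main__":
    for q in (True, False):
        rights = access_check(share_acl, effective_sids(user, TRAINING, q))
        print(f"quarantine={'yes' if q else 'no'}: granted={sorted(rights)}")
    print("filtered SIDs:", dropped_by_filter(user, TRAINING))
```

With quarantine on, the migrated user loses the rights granted to the old SID; with it off, the trusting domain honours every SID in the authorization data, which is the exposure the filter exists to remove.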

Active Directory GUI

Open the “Active Directory Users and Computers” GUI. At the top node, right click properties → view → advanced features ticked.

Backup Exec

This version of Backup Exec relies on drivers that might not be compatible with this version of Windows. Updated drivers are available from http://seer.support.veritas.com/docs/242074.htm. Contact VERITAS for more details (Web site: http://support.veritas.com).

Winzip 6.3-8.0

WinZip 6.3-8.0 has a known compatibility issue with this version of Windows. For an update that is compatible with this version of Windows, contact Nico Mak Computing. Contact Information: WinZip Computing, Inc. Web site: http://www.winzip.com.

IIS Security Enhancer (server)

If Internet Explorer Enhanced Security Configuration is enabled on your server, you may find it necessary to use the default Internet Explorer security settings of Windows 2000.

  1. Open Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
  2. Select Internet Explorer Enhanced Security Configuration, click the check box to clear the selection, and then click OK.
  3. Click Next and then click Finish.
  4. Restart Internet Explorer to apply the changes.


  • When you restore Windows 2000 security settings for Internet Explorer, you also restore the lists of Trusted sites and Local intranet sites that were in effect at the time Internet Explorer Enhanced Security Configuration was applied.
  • Applying the Windows 2000 default Internet Explorer security settings increases your server's exposure to potential attacks from malicious Web-based content.

IIS 5/6 Isolation Mode

To configure IIS for worker process isolation mode (IIS 6)

  1. In IIS Manager, expand the local computer, right-click Web Sites, and then click Properties.
  2. Click the Service tab, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.
  3. To start the WWW service, click Yes.

If the switch to worker process isolation mode is successful, a folder named Application Pools appears in the IIS Manager listing for your local computer. You can always determine which isolation mode IIS is running by the presence (worker process isolation mode) or absence (IIS 5.0 isolation mode) of the Application Pools folder.

IIS Utility Components

IIS utility components not installed: Ad Rotator, Browser Capabilities, Content Linker, Content Rotator, Counters, Logging Utility, My Info, Page Counter, Status, and tools are not installed with IIS 6.0. However, if you upgrade your Web server from a previous version of IIS, the utility components are not removed. You can obtain copies of the utility component DLL files from the IIS 6.0 Resource Kit.

CDONTS (emails)

The Windows Server 2003 family does not support Active Server Pages that use the mail object Collaboration Data Objects for Windows NT Server (CDONTS.dll) if you perform a new installation. The Windows Server 2003 family includes Collaborative Data Objects for Windows 2000 (CDOSYS.dll), which replaces CDONTS.dll.

SQLXML and IIS 6.0 Isolation Modes

You cannot run SQLXML (XML support for Microsoft SQL Server 2000 databases) and Universal Description, Discovery, and Integration (UDDI) Services on the same computer because SQLXML requires Internet Information Services (IIS) 5.0 isolation mode and UDDI Services requires IIS 6.0 worker process isolation mode.

After testing, our websites have not experienced any issues with SP3 of SQLXML and its IIS integration.

WWW Service Startup Check

You can enable and start the WWW service by using the Services snap-in:

  1. Click Start, point to Administrative Tools, and then click Services.
  2. In the list of services, right-click World Wide Web Publishing Service, and then click Properties.
  3. On the General tab, in the Startup type list, click Automatic, and then click OK.
  4. In the list of services, right-click World Wide Web Publishing Service, and then click Start.

UNC paths

Users will not be able to run executable files from Universal Naming Convention (UNC) shared folders until you or the users have added the shared computer to the Local intranet security zone in Internet Explorer.

ASP file caching

To disable ASP file caching

  • Open IIS Manager.
  • Right-click <ComputerName>, where <ComputerName> is the name of your computer, and then click Properties.
  • Click Edit to edit the WWW Service Master Properties.
  • On the Home Directory tab, click Configuration.
  • On the Process Options tab, select the Do not cache ASP files option.
  • Click Apply, and then click OK to save your changes.
  • Restart IIS.

To disable static file caching

  • Add the following value to the registry:
    • HKLM\System\CurrentControlSet\Services\Inetinfo\Parameters
    • DisableMemoryCache: REG_DWORD: 1
  • You need to restart the server for this setting to take effect.

Warning   Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use the Registry Editor at your own risk.

For more information on how to disable the static file and ASP template caches, see this Knowledge Base article: http://support.microsoft.com/default.aspx?scid=kb;en-us;250925&sd=tech.

MSDTC Transaction Security

Verify allowable transactions within MSDTC (right click properties from the MSDTC root):

Closing Thoughts

The upgrade process is relatively painless with thorough planning. I do not run clusters or replication, which have their own issues, steps and process to follow in order to be successful first time around. Probably the biggest pain was MSDTC and remote debugging for the developers. This took some time to resolve as the error messages were typically unfriendly. The OS itself has been rock solid from day one and IIS performance impressive. I would highly recommend Windows 2003 and the features that come with it.

Finally, remember to back up everything you can before the upgrade and test the backups before progressing. The rollback is far from simple.


