A Windows 2000 domain must be upgraded to the Windows Server 2003 schema to support some of the new features in a Windows Server 2003 PKI. These features include:
■ Support for version 2 certificate templates. The Windows Server 2003 schema includes the definition of the version 2 certificate template object. Version 2 certificate templates allow customization of certificate content.
■ Support for delta certificate revocation lists (CRLs). A delta CRL contains the certificates revoked since the publication of the last base CRL. This object type and its corresponding attributes are added in the Windows Server 2003 schema.
■ Support for key archival and recovery. Properties of the CA object are extended by the Windows Server 2003 schema to allow the designation of a key recovery agent, which enables key archival and recovery at the CA.
■ Support for Cross Certification Authority certificates in Active Directory. Cross Certification Authority certificates are implemented when you renew a CA certificate. A Cross Certification Authority certificate defines a relationship between the previous CA certificate and the new CA certificate to allow Windows XP and newer operating systems to continue to build chains with the previous CA certificate.
■ Support for custom object identifiers (OIDs) and OID name resolution in Active Directory. The schema extensions add support for defining custom application policy and certificate policy OIDs in Active Directory and issued certificates. In addition, if a certificate contains an OID, the OID is resolved to meaningful text based on the OID definition in Active Directory.
Once the current schema is modified to prevent attribute mangling, you can upgrade to the Windows Server 2003 schema using the following procedure:
1. Log on locally at the schema operations master as a member of the Schema Admins and Enterprise Admins groups.
2. In the console tree, right-click Active Directory Schema and click Operations Master.
3. In the Change Schema Master dialog box, select The Schema May Be Modified On This Domain Controller check box and click OK.
4. Insert the Windows Server 2003, Enterprise Edition, compact disc in the CD-ROM drive.
5. At a command prompt, type X:\i386\adprep.exe /forestprep (where X is the drive letter of the CD-ROM) and press ENTER.
6. When prompted, press C to continue with schema updates.
7. When modifications are complete, in the console tree, right-click Active Directory Schema and click Operations Master.
8. In the Change Schema Master dialog box, clear The Schema May Be Modified On This Domain Controller check box and click OK.
This procedure will update the schema from version 13 (Windows 2000) to version 30 (Windows Server 2003).
Note: If you want to view the actual modifications made to the schema in detail, you can look at the schema update LDIF files in the \i386 folder of the Windows Server 2003, Enterprise Edition, compact disc. The files are named SCH##.ldf, where ## is a number between 14 and 30, representing the modifications made in each revision.
Once the update is complete, you must ensure that the modifications replicate fully to all domain controllers in the forest. You can view the replication status by using either the Replication Monitor (Replmon.exe) graphical tool or the Repadmin.exe command-line tool from Windows Support Tools.
Note: Read the documentation on each of these tools for information on how to best ensure that replication completes for the schema modifications.
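As a complement to Replmon.exe and Repadmin.exe, the following added example (not part of the original text) reads the schema version directly from each domain controller's own replica and reports any that have not yet reached version 30. It assumes a domain-joined management workstation with PowerShell and .NET System.DirectoryServices, and relies on the schema version being stored in the objectVersion attribute of the schema naming context; the function name Get-SchemaVersion is hypothetical.

```powershell
# Added example: confirm that every domain controller in the forest reports the
# Windows Server 2003 schema version after adprep /forestprep has replicated.
$ExpectedVersion = 30   # per the text: 13 = Windows 2000, 30 = Windows Server 2003

function Get-SchemaVersion {
    param([string]$Server)
    # Bind to this specific DC so its local replica is read, not another DC's.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNc = $rootDse.schemaNamingContext.Value
    if (-not $schemaNc) { throw "no RootDSE response from $Server" }
    $schema = [ADSI]"LDAP://$Server/$schemaNc"
    return [int]$schema.objectVersion.Value
}

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $row = New-Object PSObject -Property @{
            Domain = $domain.Name; Server = $dc.Name; Version = $null; Status = $null
        }
        try {
            $row.Version = Get-SchemaVersion -Server $dc.Name
            # -ge tolerates a forest whose schema was extended beyond version 30.
            if ($row.Version -ge $ExpectedVersion) { $row.Status = 'OK' }
            else { $row.Status = 'NOT REPLICATED' }
        } catch {
            # An unreachable DC is unverified, so it is never counted as OK.
            $row.Status = "UNREACHABLE: $($_.Exception.Message)"
        }
        $row
    }
}

$results | Sort-Object Domain, Server |
    Format-Table Domain, Server, Version, Status -AutoSize

$pending = @($results | Where-Object { $_.Status -ne 'OK' })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) domain controller(s) have not confirmed schema version $ExpectedVersion."
    exit 1
}
```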
After modification of the schema is replicated to all domain controllers in the forest, you can prepare each domain to benefit from the Windows Server 2003 schema extensions. You can use the following procedure to prepare each domain in the forest:
1. Log on locally at the infrastructure master in the domain as a member of the Domain Admins group.
2. Insert the Windows Server 2003, Enterprise Edition, compact disc in the CD-ROM drive.
3. At a command prompt, type X:\i386\adprep /domainprep (where X is the drive letter of the CD-ROM) and press ENTER.
4. Repeat the process for every domain in the forest.
Note: It is not necessary to run adprep /domainprep to install a Windows Server 2003 enterprise CA in the forest.