Microsoft KB Archive/811272

= How to perform a rolling upgrade of a Windows 2003 RC2-based cluster server to the release version of Windows Server 2003 =

Article ID: 811272

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems

-



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
When a node joins an existing server cluster, the cluster service performs a version check to make sure that the node that is joining has a version of the operating system that is compatible with the rest of the cluster nodes. The check makes sure that only validated and supported configurations run in a mixed-version environment during a rolling upgrade. The checks are based on major operating system versions such as Windows NT 4.0 and Windows 2000. The rules that the cluster service implements do not cover upgrades from release candidate to release candidate.

Microsoft supports and validates rolling upgrades from Windows Server 2003 RC1 or RC2 to the release version of Windows Server 2003 (Windows Server 2003 RTM). However, you must first turn off the version check feature. For more information about how to do this, see the &quot;More Information&quot; section.

To reduce the chance that a rogue program compromises the cluster, the default cluster security descriptor that controls access to the cluster configuration and management APIs has been changed from the Windows Server 2003 RC1 and RC2 releases. If you upgrade the operating system to Windows Server 2003 RTM, you do not fix the security descriptor automatically. To make sure that the cluster is as secure as possible, manually fix the cluster security descriptor.



MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To turn off the version check feature, follow these steps:  On the node that you are not upgrading, start the Computer Management console. Click Services and Applications. Click Service in the left pane, and then double-click Cluster Service. Click Stop to stop the Cluster service Using Registry Editor, set the cluster service startup parameters to ignore version checking  Start Registry Editor. Locate the following registry key:

</li> Add a new DWORD value. To do so, right-click the Parameters key, click New, click DWORD, and then type NoVersionCheck .</li> Set the NoVersionCheck value to 1 .</li></ol> </li> Restart the Cluster service from the Computer Management console from step 4</li> Upgrade the other node from Windows Server 2003 RC1 or Windows Server RC2 to Windows Server 2003 RTM.

Note: After you upgrade the node, the Cluster service does not start. You receive the following error event message in the event log:

Event ID: 1071

Source: ClusSvc

Description: Cluster node  attempted to join but was refused. The error code was 5075.

For more information, see Help and Support Center at http://support.microsoft.com

If you use the command net helpmsg 5075, you can see that this event log error corresponds to the following message:

The cluster join operation failed due to incompatible software versions between the joining node and its sponsor.

</li> Use Registry Editor to set the cluster service startup parameters to ignore version checking on the node that you upgraded in the previous step. To do so, follow these steps: <ol style="list-style-type: lower-alpha;"> Start Registry Editor.</li> Locate, and then click the following key in the registry:

</li> Right-click the Parameters key, click New, click DWORD, and then type NoVersionCheck .</li> Set the NoVersionCheck value to 1</li></ol> </li> Start the Computer Management console on the node that you upgraded in the previous step, and then click Services and Applications.</li> Click Service in the left pane, and then double-click Cluster Service.</li> Click Start to start the Cluster service. The upgraded node joins the cluster.

Repeat steps 7 through 11 on all cluster nodes to upgrade them to Windows Server 2003 RTM.</li> After you update all the nodes, delete the registry key on all the nodes in the cluster. Use Registry Editor to remove the  key on each node. To do so, follow these steps: <ol style="list-style-type: lower-alpha;"> Start Registry Editor.</li> Locate the following key in the registry:

</li> <li>Right-click the NoVersionCheck value, and then click Delete.</li></ol>

The cluster service now checks the versions until it is restarted (deleting the  key is not dynamic). You can select when to restart the cluster service. However, until you restart the cluster service, nodes that use other versions of the Windows operating system may join the cluster.</li></ol>

Fixing the cluster security descriptor
In Windows Server 2003 RC1 and RC2, the following accounts and groups are present in the cluster security descriptor:
 * Local Administrators group
 * SYSTEM
 * SERVICE

To check the current cluster security descriptor, follow these steps:
 * 1) On one node in the cluster, start Cluster Administrator.
 * 2) Right-click the cluster name in the left navigation pane, and then click Properties.
 * 3) Click the Security tab.

The current contents of the cluster security descriptor appear.

The SERVICE security ID is granted to all accounts that are given the “run as service” right. By default, this may include many services that do not have to have access to the cluster. Because of security changes in Windows Server 2003, the Microsoft Transaction Coordinator (MSDTC) service now runs under the Network Service account, therefore you must add the Network Service security ID to the cluster security descriptor to make sure that the MSDTC service works correctly in the cluster. The cluster security descriptor must contain the following accounts and groups:
 * Local Administrators group
 * SYSTEM
 * SERVICE

To fix the cluster security descriptor after the upgrade to Windows Server 2003, type the following commands at a command prompt (press ENTER after each command):

Cluster /prop Security=NETWORKSERVICE,grant,f:security

Cluster /prop Security=SERVICE,revoke:security