Before you can introduce Windows Server 2008 domain controllers into existing Windows 2000 or Windows Server 2003 domains, you must prepare the forest and domains with the ADPREP utility. ADPREP.exe is a command-line tool that extends the Active Directory schema, and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 operating system.
Note: ADPREP was also available in Windows Server 2003 and Windows Server 2003 R2. In Windows Server 2008, ADPREP follows the same logic and performs similar tasks to prepare for the upgrade to Windows Server 2003 or Windows Server 2003 R2. Please read my "Windows 2003 ADPREP" article for more information on that.
ADPREP.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the 'sources'adprep folder.
When you run it, it must be run ADPREP from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Where should I run ADPREP?
ADPREP /forestprep must be run on the Schema Master of a forest and under the credentials of someone in the Schema Admins and Enterprise Admins groups.
ADPREP /domainprep must be run on the Infrastructure Master of a domain and under the credentials of someone in the Domain Admins group.
Important: Since at the time of running ADPREP you still do not have any Windows Server 2008 Domain Controllers, it should be made clear that these commands MUST be run on EXISTING Windows 2000 or Windows Server 2003 Domain Controllers. That is why you MUST make sure you keep a copy of the 32-bit version of the Windows Server 2008 installation DVD. You cannot use the 64-bit version of the installation media to run ADPREP on 32-bit versions of Windows 2000/2003. Because Windows Server 2008 installation media is 64-bit by default, remember to request the 32-bit version when you get your copy. In case you don't have the 32-bit version available, you can also use the evaluation version of Windows Server 2008 32-bit installation media to run ADPREP, so just download the file from Microsoft's website, and use it to run ADPREP on your 32-bit Windows 2000/2003 DCs.
What does ADPREP do?
Before running ADPREP, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.
ADPREP /forestprep command extends the schema with quite a few new classes and attributes. These new schema objects are necessary for the new features supported by Windows Server 2008. You can view the schema extensions by looking at the .ldf files in the 'sources'adprep directory on the Windows Server 2008 DVD. These files contain LDIF entries for adding and modifying new and existing classes and attributes.
ADPREP /domainprep creates new containers and objects, modifies ACLs on some objects, and changes the meaning of the Everyone security principal.
Before you can run ADPREP /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest.
You can view detailed output of the ADPREP command by looking at the log files in the %Systemroot%'system32'debug'adprep'logs directory. Each time ADPREP is executed, a new log file is generated that contains the actions taken during that particular invocation. The log files are named based on the time and date ADPREP was run.
Once you've run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2008 or installing new Windows Server 2008 domain controllers.
Running ADPREP
In order to run ADPREP, insert the DVD media of Windows Server 2008 into the DVD drive of the appropriate Windows 2000/2003 DC, which, as noted above, should be the Schema Master of a forest.
Lamer note: You can use a network path or even copy the files locally to the server if you don't have a DVD drive on your DC…
If you're prompted to install Windows Server 2008, do NOT install it. Close the window instead.
Browse to the 'sources'adprep directory.
Open a Command Prompt window (Click Start > Run > CMD > Enter), and drag the ADPREP.exe file to the Command Prompt window.
Lamer note: If you can't drag 'n drop, you can simply type the path… duh…
In the Command Prompt window, type the following command:
adprep /forestprep
In order to prevent accidental running of the command, you must press the "C" key on your keyboard, then press Enter. Command will begin to load a bunch of LDIF files containing all the necessary changes to the existing AD and Schema. Process will take a few moments.
When done, you'll be prompted. Make sure you let the existing Domain Controllers replicate all the changes throughout the entire forest BEFORE proceeding to the next step.
Next, go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the Command Prompt window, and type:
adprep /domainprep
Unlike the /forestprep action which takes some time, the /domainprep action is almost instantaneous.
Note: The existing Windows 2000/2003 domain MUST be in Native mode, as not Windows NT 4.0 BDCs are supported by Windows Server 2008 DCs. Therefore, if that is not the case, you'll get this error:
Adprep detected that the domain is not in native mode
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Configure the domain to run in native mode and re-run domainprep
Switch your domain to Native mode or above, then repeat the operation.
Again, make sure you let the existing Domain Controllers replicate all the changes throughout the domain BEFORE proceeding to the next step.
Repeat the /domainprep action for each domain in the forest that requires new Windows Server 2008 Domain Controllers.
Windows 2000 Domain Notes
When upgrading Windows 2000 domains, an additional command must be run before installing the first Windows Server 2008 DC.
Go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the Command Prompt window, and type:
adprep /domainprep /gpprep
This command performs similar updates as domainprep. However, this command also provides updates that are necessary to enable Resultant Set of Policy (RSOP) Planning Mode functionality. In Active Directory environments that run Microsoft Windows® 2000, this command performs updates during off-peak hours. This minimizes replication traffic that is created in those environments by updates to file system permissions and Active Directory permissions on existing Group Policy objects (GPOs). This command is also available on Microsoft Windows Server 2003 with Service Pack 1 (SP1) or later.
Windows 2003 Domain and first RODC Notes
In Windows Server 2008, a new Domain Controller installation option is available, called Read Only domain Controller. I will not go into detail about RODCs in this article (search my site for more information about RODCs), however, in order to enable the installation of the first RODC in an existing Windows Server 2003 Active Directory forest, where you have already added at least one Windows Server 2008 regular DC, you must run the following command:
adprep /rodcprep
This command updates permissions on application directory partitions to enable replication of the partitions to RODCs. This operation runs remotely; it contacts the infrastructure master in each domain to update the permissions. You need to run this command only once in the forest. You can run this command on any computer in the forest. You must be a member of the Enterprise Admins group to run this command.
You are now ready to introduce your first Windows Server 2008 Domain Controller. Read my "Installing Active Directory on Windows Server 2008" article for more information on that.
No comments:
Post a Comment