So You Want to Upgrade to Windows 2008 Domain Controllers (ADPREP)

Hi all, Rob Newhouse here and today I am talking about upgrading your domain to Windows Server 2008 and what you may see in the process, plus a couple of tips to make your transition a smooth one.

This post will show the proper use of ADPREP and what to expect when you are running it.

ADPREP is broken down into four stages with Windows Server 2008, instead of the two that most of you may be familiar with when you upgraded to Windows Server 2003. The four steps include Forest Preparation, Domain Preparation, Group Policy Preparation and Read-Only Domain Controller (RODC) Preparation (which you have to run if you want to add a RODC to your environment). You will use ADPREP.exe to perform all of these steps.

clip_image002

Preparing to Run ADPREP /forestprep

ADPREP /forestprep makes modifications to the schema. In order to successfully run it you should:

  1. Have a good system state backup for every domain controller in your forest, or at the very least a good system state backup for one domain controller for each domain in the forest.
  2. Be logged on as a user that belongs to the Domain Admin, Schema Admin and Enterprise Admin groups in the forest root domain.
  3. Ensure that you are running Windows 2000 SP4 or later on all domain controllers in the forest.
  4. You must run ADPREP /forestprep on your schema master.
  5. If you are running Exchange 2000 in your environment refer to KB article 325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003.
  6. Ensure replication is working throughout the entire forest, including that all domain controllers are up and running and that the schema master has been up long enough for a complete replication cycle to happen for the Schema partition.

So let’s go through all these preparatory steps in detail

  1. First you should perform a system state backup on all of your domain controllers using either Windows Backup (NTBackup) or a third-party backup tool. This step is necessary if you find that your schema is incompatible and you need to roll back to a previous state.

  2. Next, check to see if your account has the appropriate group memberships. Open Active Directory Users and Computers, right-click the account you are using to do the upgrade and choose Properties. Select the Member Of tab. If you do not see Domain Admins, Enterprise Admins and Schema Admins, add the ones you are missing. Log off and back on, then run whoami /groups in a command prompt to verify the groups are in your security token.

    clip_image004

  3. ADPREP /forestprep will check to see if you are running at least Windows 2000 SP4. If you have Windows 2000 domain controllers in your environment you should upgrade them all to SP4. You can download SP4 from here - Windows 2000 Service Pack 4 for IT professionals.

  4. Next, check to see if you are logged on to your schema master. There are two ways to accomplish this. One is to run regsvr32 schmmgmt.dll so you can load the Active Directory Schema snap-in. Open a new MMC and add Active Directory Schema. Right-click on the words Active Directory Schema and choose Operations Master.

    clip_image006

    clip_image008

    clip_image010

    Another alternative is to run netdom query fsmo from a command prompt. Netdom is part of the Windows Server 2003 Support Tools.

    clip_image012

  5. There are known issues with upgrading a Windows 2000 domain with Exchange 2000 running in the environment. There are different scenarios with different steps in KB article 325379 to address problems that have been encountered in the upgrade process. You will be performing one of the scenarios regardless. It is just a matter of which scenario you will have to perform.

  6. The final verification is to check and make sure replication is working. To do this install the Windows Server 2003 Support Tools if you do not have them already installed. Run repadmin /showreps from a command prompt.

    clip_image014

    You are looking for Last attempt @ date\time was successful. Any errors should be addressed before attempting to run ADPREP /forestprep.

    NOTE: ADPREP /forestprep will only check to see if replication is working on your schema master. It will not check the replication status of all DCs in your environment. Repadmin /showreps will only check the DC that you focus it on. In order to check the entire environment you will want to run repadmin /replsum. This command will give you the status of your entire environment. You will want to fix any errors you have with replication prior to running ADPREP /forestprep.

Running ADPREP /forestprep

  1. Now you are ready to prepare your forest. This procedure takes a while depending on the speed of your computer so do not interrupt it. Insert your Windows Server 2008 DVD into the DVD drive on the schema master.
  2. Open a command prompt.
  3. Change your drive letter to the DVD drive. If you do not have a DVD drive on your schema master you can copy the Sources\Adprep folder to your local drive and run it from the copy.
  4. Change into the Sources\Adprep directory.
  5. Run ADPREP /forestprep.
  6. You will get a warning that you need to be running Windows 2000 SP4 or later.
  7. Type C and press Enter.
  8. You will see a series of updates from LDF files.
  9. If all goes well, you will see ADPREP successfully updated the forest-wide information.

clip_image016

clip_image018

Preparing to Run ADPREP /domainprep

After a successful completion of ADPREP /forestprep, you will be ready to run ADPREP /domainprep. ADPREP /domainprep must be run against each domain that you wish to upgrade.

Prerequisites

In order to run ADPREP /domainprep you should:

  1. Have successfully completed ADPREP /forestprep.
  2. Be a domain admin for the domain you are running it on.
  3. Be at Windows 2000 Native Mode Domain Functional level.
  4. Have access to the Infrastructure Master.
  5. Wait for the schema changes to replicate throughout the environment, or at least the Infrastructure Master must have the schema updates replicated to it.

Note: Upgrading from Windows 2000 is not supported. For more information see Guide for Upgrading to Windows 2008.

Running ADPREP /Domainprep

  1. Insert the Windows Server 2008 DVD.
    Open a command prompt.
  2. Change your drive letter to the DVD drive.
  3. Change your directory to Sources\Adprep.
  4. Run ADPREP /domainprep.

clip_image020

For a better understanding of what will occur running the ADPREP /Domainprep command, I have referenced the KB article Enhancements to ADPREP.exe in Windows Server 2003 Service Pack 1(Q324392). The More Information section describes the functionality post-Windows 2003 SP1, including the Windows 2008 ADPREP.

Preparing to Run ADPREP /domainprep /gpprep

ADPREP /domainPrep /gpprep only adds the inheritable access control entries on Group Policy objects in the Sysvol share. If you run it prior to running adprep /domainprep it will run both functions, first the domain prep and then the GP prep.

Prerequisites

In order to run ADPREP /domainprep /gpprep you should:

  1. Have completed the prerequisites for ADPREP /domainprep.

  2. Have Sysvol\Sysvol\Policies\{Default Domain and Default Domain Controller GPO guids} in place.

    a. In Windows Explorer Navigate to your Sysvol\Sysvol\Domain\Policies folder

    b. Verify the following GUIDs are inplace

    {31B2F340-016D-11D2-945F-00C04FB984F9}
    {6AC1786C-016F-11D2-945F-00C04FB984F9}

Note Upgrading from Windows 2000 is not supported. For more information see Guide for Upgrading to Windows 2008.

Running ADPREP /domainprep /gpprep

  1. Insert the Windows Server 2008 DVD.
  2. Open a command prompt.
  3. Change your drive letter to the DVD drive.
  4. Change your directory to Sources\Adprep.
  5. Run ADPREP /domainprep /gpprep.

clip_image022

ADPREP /domainprep /gpprep without running adprep /domainprep first.

clip_image024

ADPREP /domainprep /gpprep after running adprep /domainprep

Preparing to Run ADPREP /rodcprep

RODC’s (Read-Only Domain Controllers) are a cool new feature added in Windows Server 2008. The benefits of a RODC in certain domain configurations are well worth the effort of learning and implementing them. For more information on the benefits, see RODC Features on TechNet. If you intend to introduce them into your environment you will have to run ADPREP /rodcprep. This command prepares partitions in Active Directory so RODC’s can be used by adding security to the ForestDNS, DomainDNS, and Domain partitions.

Prerequisites

In order to run ADPREP /domainprep /rodcprep you should:

  1. Be a Domain Admin and Enterprise Admin.
  2. Be able to contact all Infrastructure Master role holders in the forest.

Note ADPREP /rodcprep will let you run without first running ADPREP /forestprep and ADPREP /domainprep, however it is not recommended.

Running ADPREP /rodcprep

  1. Insert the Windows Server 2008 DVD. 
  2. Open a command prompt.
  3. Change your drive letter to the DVD drive.
  4. Change your directory to Sources\Adprep.
  5. Run ADPREP /domainprep /rodcprep.

clip_image026

That concludes this post on running ADPREP. Running through the steps in order should eliminate many of the problems you might otherwise encounter.

- Rob Newhouse