Preparing Your Active Directory Infrastructure for 2008

Tuesday, October 18, 2011

Preparing for an upgrade to Active Directory is not a trivial task. If you prepare properly, however, you will end up with a newer Active Directory infrastructure that supports Windows 2008 domain controllers, which bring additional benefits such as auditing enhancements, fine-grained password policies, read-only domain controllers, restartable Active Directory domain services, and an Active Directory database mounting tool. In Windows 2008, the Active Directory service is now called Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services.

There are a few steps that you must take in order to prepare and upgrade your existing Active Directory forest to support new Windows 2008 domain controllers. Before you can add AD DS to a server that is running Windows Server 2008 or Windows Server 2008 R2 in an existing Active Directory environment, you must prepare the environment by running Adprep.exe. Adprep.exe is a command-line tool that is included on the installation disk of each version of Windows Server. It performs operations that must be completed in an existing Active Directory environment before you can add a domain controller running a version of Windows Server that is later than the latest version currently running in your environment. In Windows Server 2008, Adprep.exe is available in the /sources/adprep folder of the installation DVD. In Windows Server 2008 R2, Adprep.exe is located in the /support/adprep folder.

When you run Adprep.exe, various operations are performed to prepare the domain for the newer version of Windows Server that will run on your domain controllers. Some of these operations are:

  • Upgrading the Active Directory schema
  • Upgrading security descriptors
  • Upgrading access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
  • Creating new objects, as needed
  • Creating new containers, as needed

Active Directory Upgrade Process

The first step is to prepare your Active Directory forest. Log on to the domain controller in the root domain that currently holds the Flexible Single Master Operations (FSMO) role of "Schema Master". If you are not sure which computer holds the FSMO roles, you can type the following command at a command prompt on a computer on which Netdom.exe is installed.

netdom query FSMO

Make sure that you can log on to the schema master with an account that has sufficient credentials to run Adprep.exe. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

Once you log on to the server holding this role, run the following command at a command prompt.

Adprep.exe /forestPrep

This command only needs to be run once in the forest. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4). Antivirus software can sometimes interfere with this command, so you may want to temporarily disable the antivirus service on the Schema Master until the process has completed. After the domain controllers in the forest have successfully completed replication, you can continue on to the next step. After adprep /forestPrep has run, the objectVersion attribute of the Schema object is set to 44 for Windows Server 2008 or 47 for Windows Server 2008 R2. You can verify this with ADSIEdit by opening the Schema object under the Configuration partition.

The next step is to run Adprep.exe in each domain, while logged on to the domain controller holding the Operations Master FSMO role. This command is only run on that server; you do not run it on each domain controller. You must be logged on to that server as a Domain Admin. One of these two commands should be run.

Adprep.exe /domainPrep
Adprep.exe /domainPrep /gpPrep

If you already ran the /gpPrep parameter for Windows Server 2003, you do not need to run it again for Windows Server 2008 or Windows Server 2008 R2. The /gpPrep parameter adds only the inheritable access control entries (ACEs) on Group Policy objects (GPOs) in the SYSVOL shared folder. The additional ACEs give enterprise domain controllers read access permissions on GPOs. These permissions are required to support Resultant Set of Policy (RSOP) functionality for site-based policy.

The final step is optional, but should be considered. It is required if you plan on installing one or more Read-Only Domain Controllers (RODCs) in the forest. The command is as follows:

Adprep.exe /rodcPrep

This command updates the security descriptors for application directory partitions to give RODCs permission to replicate updates to the partitions. Each application directory partition has an infrastructure master. The adprep /rodcprep command must update the security descriptor for each application directory partition on the infrastructure master for that partition.

This command is run once for the entire forest, and it can be run from any computer because it performs its operations remotely. For the operations to complete successfully, the domain naming operations master for the forest and the infrastructure operations master for each application directory partition and each domain partition must be accessible. If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2. You must be logged on to the computer as an Enterprise Admin.
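The steps above name several things to confirm before and after running Adprep.exe: which server holds each FSMO role, whether your account is in the required groups, whether any Windows 2000 domain controller is below SP4, what value the schema objectVersion has reached, whether the gpPrep ACEs are present on the GPOs in SYSVOL, and whether the infrastructure master of every application partition is reachable for rodcPrep. The following PowerShell script is an added example that checks each of these in one pass; it is not part of the original post or of Adprep itself. It assumes the ActiveDirectory module (RSAT on a Windows Server 2008 R2 or later management host) can reach every domain in the forest, and it assumes the PDC emulator of a domain can answer queries for the application partitions that hang under that domain's naming context.

```powershell
# Added example (not from the original post): pre-flight and post-run checks
# for Adprep.exe. Requires the ActiveDirectory module (RSAT, Windows Server
# 2008 R2 or later management host). Read-only: it changes nothing.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE -Server $forest.SchemaMaster
$domains = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ }

# 1. Which server each Adprep command is run on (or must be able to reach).
Write-Host "Schema master (run Adprep /forestPrep here):       $($forest.SchemaMaster)"
Write-Host "Domain naming master (must be reachable for /rodcPrep): $($forest.DomainNamingMaster)"
foreach ($dom in $domains) {
    Write-Host "Domain $($dom.DNSRoot): infrastructure master (run Adprep /domainPrep here): $($dom.InfrastructureMaster)"
}

# 2. Is the current account in the three groups /forestPrep requires?
#    Schema Admins and Enterprise Admins live in the forest root domain.
$me = $env:USERNAME
foreach ($g in 'Schema Admins', 'Enterprise Admins', 'Domain Admins') {
    $members = Get-ADGroupMember -Identity $g -Server $forest.RootDomain -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $state = if ($members -contains $me) { 'OK' } else { 'MISSING' }
    Write-Host ("Membership {0,-17}: {1}" -f $g, $state)
}

# 3. Windows 2000 domain controllers below SP4 block /forestPrep.
foreach ($dom in $domains) {
    Get-ADDomainController -Filter * -Server $dom.DNSRoot |
        Where-Object { $_.OperatingSystem -like 'Windows 2000*' -and
                       $_.OperatingSystemServicePack -ne 'Service Pack 4' } |
        ForEach-Object {
            Write-Warning "$($_.HostName) runs $($_.OperatingSystem) $($_.OperatingSystemServicePack); SP4 is required"
        }
}

# 4. Schema objectVersion: the value /forestPrep raises it to.
#    44 = Windows Server 2008, 47 = Windows Server 2008 R2 (values from the post).
$schema   = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion -Server $forest.SchemaMaster
$version  = [int]$schema.objectVersion
$expected = @{ 44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }
$label    = if ($expected.ContainsKey($version)) { $expected[$version] } else { 'not at a 2008-level value; /forestPrep not yet applied' }
Write-Host "Schema objectVersion = $version ($label)"

# 5. /gpPrep check: every GPO folder in SYSVOL should carry an Allow ACE
#    granting ENTERPRISE DOMAIN CONTROLLERS read access.
foreach ($dom in $domains) {
    $policies = "\\$($dom.DNSRoot)\SYSVOL\$($dom.DNSRoot)\Policies"
    Get-ChildItem -Path $policies | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $edc = $acl.Access | Where-Object {
            $_.IdentityReference -like '*Enterprise Domain Controllers' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'Read'
        }
        if (-not $edc) {
            Write-Warning "$($_.Name) in $($dom.DNSRoot) has no Enterprise Domain Controllers read ACE (run Adprep /domainPrep /gpPrep)"
        }
    }
}

# 6. /rodcPrep reaches the infrastructure master of each application partition.
#    That role holder is recorded in fSMORoleOwner on the partition's
#    CN=Infrastructure object, as the DN of the holder's NTDS Settings object.
foreach ($p in $forest.ApplicationPartitions) {
    # Assumption: the PDC emulator of the domain whose naming context the
    # partition hangs under hosts that partition (true for the DNS partitions).
    $hostDom = $domains | Where-Object { $p -like "*$($_.DistinguishedName)" } | Select-Object -First 1
    if (-not $hostDom) { Write-Warning "No domain found for partition $p"; continue }
    $infra   = Get-ADObject -Identity "CN=Infrastructure,$p" -Properties fSMORoleOwner -Server $hostDom.PDCEmulator
    $srvDn   = $infra.fSMORoleOwner -replace '^CN=NTDS Settings,', ''
    $server  = Get-ADObject -Identity $srvDn -Properties dNSHostName -Server $hostDom.PDCEmulator
    $up      = Test-Connection -ComputerName $server.dNSHostName -Count 1 -Quiet
    Write-Host ("Partition {0}: infrastructure master {1} reachable={2}" -f $p, $server.dNSHostName, $up)
}
```

Run it once before /forestPrep to confirm the role holders, group membership and the Windows 2000 SP4 requirement, and again after each Adprep step: check 4 confirms that the schema version has replicated to the value you expect, and check 5 shows whether /gpPrep still needs to be run in a domain.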
