Preparing for an upgrade to Active Directory is not a trivial task. If you prepare properly, however, you end up with an Active Directory infrastructure that
supports Windows Server 2008 domain controllers and the features that come with them: auditing enhancements, fine-grained password policies,
read-only domain controllers, restartable Active Directory Domain Services, and the Active Directory database mounting tool. Starting with
Windows Server 2008, the directory service is called Active Directory Domain Services (AD DS); in earlier releases it was simply called
Active Directory.
There are a few steps that you must take to prepare your existing Active Directory forest for Windows Server 2008 domain controllers. Before
you can add AD DS to a server that is running Windows Server 2008 or Windows Server 2008 R2 in an existing Active Directory environment, you
must prepare the environment by running Adprep.exe. Adprep.exe is a command-line tool that is included on the installation media of each
version of Windows Server. It performs the operations that must be completed in an existing Active Directory environment before you can add a
domain controller running a version of Windows Server newer than any version currently running in that environment. In Windows Server 2008,
Adprep.exe is in the \sources\adprep folder of the installation DVD. In Windows Server 2008 R2, it is in the \support\adprep folder.
When you run Adprep.exe, it performs several operations that prepare the forest and domains for the newer version of Windows Server that will
run on your domain controllers. These operations include:
- Upgrading the Active Directory schema
- Upgrading security descriptors
- Upgrading access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
- Creating new objects, as needed
- Creating new containers, as needed
Active Directory Upgrade Process
The first step is to prepare your Active Directory forest. Log on to the domain controller in the forest root domain that currently holds the
Schema Master Flexible Single Master Operations (FSMO) role. If you are not sure which computer holds the FSMO roles, you can type the
following command at a command prompt on a computer that has Netdom.exe installed.
netdom query FSMO
Make sure that you can log on to the schema master with an account that has sufficient credentials to run Adprep.exe.
You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema
master, which is, by default, the forest root domain.
Once you log on to the server holding this role, run the following command at a command prompt.
Adprep.exe /forestPrep
This command only needs to be run once in the forest. If any domain controllers in the forest are running Windows 2000 Server, they
must be running Service Pack 4 (SP4). Antivirus software can sometimes interfere with this command, so you may want to temporarily disable the
antivirus service on the Schema Master until the process has completed. After the schema changes have replicated to every domain controller
in the forest, you can continue to the next step. Once /forestPrep has run, the objectVersion attribute of the Schema container
(CN=Schema,CN=Configuration,DC=<forest root>) is set to 44 for Windows Server 2008 or 47 for Windows Server 2008 R2. You can verify this with
ADSIEdit by opening the Schema naming context and reading the attributes of the Schema container.
The next step is to run Adprep.exe in each domain, while logged on to the domain controller that holds the Infrastructure Master FSMO role for
that domain. The command is run only on that server, not on every domain controller. You must be logged on as a member of the Domain Admins
group of that domain. Run one of these two commands:
Adprep.exe /domainPrep
Adprep.exe /domainPrep /gpPrep
If you already ran the /gpPrep parameter for Windows Server 2003, you do not need to run it again for Windows Server 2008 or
Windows Server 2008 R2; plain /domainPrep is sufficient. The /gpPrep parameter only adds inheritable access control entries (ACEs) on the Group
Policy objects (GPOs) in the SYSVOL shared folder. The additional ACEs give Enterprise Domain Controllers read access to the GPOs, which is
required to support Resultant Set of Policy (RSOP) functionality for site-based policy.
The final step is optional, but should be considered. It is required if you plan to install one or more read-only domain controllers (RODCs)
anywhere in the forest. The command is as follows:
Adprep.exe /rodcPrep
This command updates the security descriptors of the application directory partitions so that RODCs have permission to replicate updates to
those partitions. Each application directory partition has its own infrastructure master, and adprep /rodcPrep must update the security
descriptor of each partition on the infrastructure master for that partition.
This command is run once for the entire forest and can be run from any computer; it performs its operations remotely.
For the operations to complete successfully, the domain naming operations master for the forest and the infrastructure operations master
for each application directory partition and each domain partition must be reachable. If you already ran this command for Windows Server 2008,
you do not need to run it again for Windows Server 2008 R2. You must be logged on as a member of the Enterprise Admins group.
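The script below is an added example for verifying the steps above; it is not part of the original article and is not a Microsoft tool. It reports where each Adprep phase has to be run (the FSMO holders) and then reads the markers Adprep leaves in the directory and in SYSVOL, so you can confirm that /forestPrep, /domainPrep, /gpPrep and /rodcPrep have finished and replicated before you promote a Windows Server 2008 or 2008 R2 domain controller. It assumes a domain user running on a domain-joined Windows host, and uses System.DirectoryServices so the ActiveDirectory module is not required. The objectVersion values 44 and 47 are the ones given in the article; the Revision markers for /domainPrep (3 for 2008, 5 for 2008 R2) and /rodcPrep (2) are taken from Microsoft's Adprep verification guidance and are not stated on this page. The helper name Get-AdsiValue is this example's own.

```powershell
# Added verification example (not from the article, not a Microsoft tool).
# Assumes: domain-joined host, domain user; marker values as noted in the lead-in.
Add-Type -AssemblyName System.DirectoryServices

function Get-AdsiValue {
    # Returns a single attribute of an LDAP object, or $null if the object
    # or attribute does not exist. "Absent" means that Adprep phase has not
    # run (or has not replicated) here yet. Helper name is this example's own.
    param([string]$Path, [string]$Attribute)
    try   { return ([ADSI]$Path).psbase.Properties[$Attribute].Value }
    catch { return $null }
}

$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaNC = Get-AdsiValue "LDAP://RootDSE" "schemaNamingContext"
$configNC = Get-AdsiValue "LDAP://RootDSE" "configurationNamingContext"

# Where each phase must be run: the FSMO holders (same answer as netdom query fsmo).
"Schema master        : {0}" -f $forest.SchemaRoleOwner.Name
"Domain naming master : {0}" -f $forest.NamingRoleOwner.Name
foreach ($d in $forest.Domains) {
    "Infrastructure master of {0}: {1}" -f $d.Name, $d.InfrastructureRoleOwner.Name
}

# 1. /forestPrep: objectVersion on the Schema container (44 = 2008, 47 = 2008 R2).
$objectVersion = [int](Get-AdsiValue "LDAP://$schemaNC" "objectVersion")
if     ($objectVersion -eq 47) { $forestLevel = "Windows Server 2008 R2" }
elseif ($objectVersion -eq 44) { $forestLevel = "Windows Server 2008" }
else   { $forestLevel = "NOT prepared for 2008/2008 R2 (objectVersion = $objectVersion)" }
"forestPrep : $forestLevel"

# 2. /domainPrep: Revision on the DomainUpdates marker object in every domain
#    (3 = 2008, 5 = 2008 R2 per Microsoft's guidance; assumption, not from the article).
foreach ($d in $forest.Domains) {
    $domainDN = "DC=" + (($d.Name -split '\.') -join ',DC=')
    $rev = [int](Get-AdsiValue "LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainDN" "revision")
    if     ($rev -ge 5) { $state = "Windows Server 2008 R2" }
    elseif ($rev -ge 3) { $state = "Windows Server 2008" }
    else   { $state = "NOT prepared (revision = $rev)" }
    "domainPrep ({0}) : {1}" -f $d.Name, $state
}

# 3. /rodcPrep: one forest-wide marker in the Configuration partition (revision 2 when done).
$rodcRev = [int](Get-AdsiValue "LDAP://CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC" "revision")
if ($rodcRev -ge 2) { "rodcPrep   : done" } else { "rodcPrep   : not run (revision = $rodcRev)" }

# 4. /gpPrep: every GPO folder under SYSVOL\<domain>\Policies should carry a read
#    ACE for Enterprise Domain Controllers (well-known SID S-1-5-9).
$edc     = New-Object System.Security.Principal.SecurityIdentifier "S-1-5-9"
$sidType = [System.Security.Principal.SecurityIdentifier]
$read    = [System.Security.AccessControl.FileSystemRights]::Read
foreach ($d in $forest.Domains) {
    $policies = "\\$($d.Name)\SYSVOL\$($d.Name)\Policies"
    $missing = @(Get-ChildItem $policies | Where-Object { $_.PSIsContainer } | Where-Object {
        $acl = Get-Acl $_.FullName
        $hasAce = $acl.Access | Where-Object {
            ($_.IdentityReference.Translate($sidType) -eq $edc) -and
            (($_.FileSystemRights -band $read) -eq $read)
        }
        -not $hasAce
    })
    if ($missing.Count -eq 0) { "gpPrep ({0}) : all GPO folders grant Enterprise Domain Controllers read" -f $d.Name }
    else { "gpPrep ({0}) : {1} GPO folder(s) lack the Enterprise Domain Controllers read ACE" -f $d.Name, $missing.Count }
}
```

Run it from any domain-joined machine after each Adprep step; because it reads the directory through whichever domain controller answers the LDAP bind, a "NOT prepared" result right after running Adprep usually means replication has not caught up yet, so run it again once the domain controllers have replicated. The SYSVOL check reads the ACL of each GPO folder over the network, so it needs read access to SYSVOL, which any domain user normally has.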