Windows Server 2008 ADPREP

Before you can introduce Windows Server 2008 domain controllers into existing
Windows 2000 or Windows Server 2003 domains, you must prepare the forest and
domains with the ADPREP utility. ADPREP.exe is a command-line tool that extends the
Active Directory schema, and updates permissions as necessary to prepare a forest and
domain for a domain controller that runs the Windows Server 2008 operating system.

Note: ADPREP was also available in Windows Server 2003 and Windows Server 2003
R2. In Windows Server 2008, ADPREP follows the same logic and performs similar
tasks to prepare for the upgrade to Windows Server 2003 or Windows Server 2003 R2.
Please read my "Windows 2003 ADPREP" article for more information on that.

ADPREP.exe is a command-line tool that is available on the Windows Server 2008

installation disc in the 'sources'adprep folder.

When you run it, it must be run ADPREP from an elevated command prompt. To open
an elevated command prompt, click Start, right-click Command Prompt, and then click
Run as administrator.

Where should I run ADPREP?

ADPREP /forestprep must be run on the Schema Master of a forest and under the
credentials of someone in the Schema Admins and Enterprise Admins groups.

ADPREP /domainprep must be run on the Infrastructure Master of a domain and under
the credentials of someone in the Domain Admins group.

Important: Since at the time of running ADPREP you still do not have any Windows
Server 2008 Domain Controllers, it should be made clear that these commands MUST be
run on EXISTING Windows 2000 or Windows Server 2003 Domain Controllers. That is
why you MUST make sure you keep a copy of the 32-bit version of the Windows Server
2008 installation DVD. You cannot use the 64-bit version of the installation media to run
ADPREP on 32-bit versions of Windows 2000/2003. Because Windows Server 2008
installation media is 64-bit by default, remember to request the 32-bit version when you
get your copy. In case you don't have the 32-bit version available, you can also use the
evaluation version of Windows Server 2008 32-bit installation media to run ADPREP, so
just download the file from Microsoft's website, and use it to run ADPREP on your 32-bit
Windows 2000/2003 DCs.

What does ADPREP do?

Before running ADPREP, all Windows 2000 Active Directory Domain Controllers in the
forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.
ADPREP /forestprep command extends the schema with quite a few new classes and
attributes. These new schema objects are necessary for the new features supported by
Windows Server 2008. You can view the schema extensions by looking at the .ldf files in
the 'sources'adprep directory on the Windows Server 2008 DVD. These files contain
LDIF entries for adding and modifying new and existing classes and attributes.

ADPREP /domainprep creates new containers and objects, modifies ACLs on some
objects, and changes the meaning of the Everyone security principal.

Before you can run ADPREP /domainprep, you must be sure that the updates from
/forestprep have replicated to all domain controllers in the forest.

You can view detailed output of the ADPREP command by looking at the log files in the
%Systemroot%'system32'debug'adprep'logs directory. Each time ADPREP is executed, a
new log file is generated that contains the actions taken during that particular invocation.
The log files are named based on the time and date ADPREP was run.

Once you’ve run both /forestprep and /domainprep and allowed time for the changes to
replicate to all domain controllers, you can then start upgrading your domain controllers
to Windows Server 2008 or installing new Windows Server 2008 domain controllers.

Running ADPREP

In order to run ADPREP, insert the DVD media of Windows Server 2008 into the DVD
drive of the appropriate Windows 2000/2003 DC, which, as noted above, should be the
Schema Master of a forest.

Lamer note: You can use a network path or even copy the files locally to the server if
you don't have a DVD drive on your DC…

If you're prompted to install Windows Server 2008, do NOT install it. Close the window
instead.
Browse to the 'sources'adprep directory.

Open a Command Prompt window (Click Start > Run > CMD > Enter), and drag the
ADPREP.exe file to the Command Prompt window.
Lamer note: If you can't drag 'n drop, you can simply type the path… duh…

In the Command Prompt window, type the following command:

adprep /forestprep

In order to prevent accidental running of the command, you must press the "C" key on
your keyboard, then press Enter. Command will begin to load a bunch of LDIF files
containing all the necessary changes to the existing AD and Schema. Process will take a
few moments.
When done, you'll be prompted. Make sure you let the existing Domain Controllers
replicate all the changes throughout the entire forest BEFORE proceeding to the next
step.
Next, go to the Infrastructure Master of each domain that you wish to upgrade and
insert the DVD media of Windows Server 2008 into the DVD drive. Repeat the
instructions to open the Command Prompt window, and type:

adprep /domainprep

Unlike the /forestprep action which takes some time, the /domainprep action is almost
instantaneous.

Note: The existing Windows 2000/2003 domain MUST be in Native mode, as not
Windows NT 4.0 BDCs are supported by Windows Server 2008 DCs. Therefore, if that is
not the case, you'll get this error:

Adprep detected that the domain is not in native mode

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Configure the domain to run in native mode and re-run domainprep

Switch your domain to Native mode or above, then repeat the operation.
Again, make sure you let the existing Domain Controllers replicate all the changes
throughout the domain BEFORE proceeding to the next step.
Repeat the /domainprep action for each domain in the forest that requires new Windows
Server 2008 Domain Controllers.

Windows 2000 Domain Notes

When upgrading Windows 2000 domains, an additional command must be run before
installing the first Windows Server 2008 DC.

Go to the Infrastructure Master of each domain that you wish to upgrade and insert the
DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to
open the Command Prompt window, and type:

adprep /domainprep /gpprep

This command performs similar updates as domainprep. However, this command also
provides updates that are necessary to enable Resultant Set of Policy (RSOP) Planning
Mode functionality. In Active Directory environments that run Microsoft Windows®
2000, this command performs updates during off-peak hours. This minimizes replication
traffic that is created in those environments by updates to file system permissions and
Active Directory permissions on existing Group Policy objects (GPOs). This command is
also available on Microsoft Windows Server 2003 with Service Pack 1 (SP1) or later.

Windows 2003 Domain and first RODC Notes

In Windows Server 2008, a new Domain Controller installation option is available, called
Read Only domain Controller. I will not go into detail about RODCs in this article
(search my site for more information about RODCs), however, in order to enable the
installation of the first RODC in an existing Windows Server 2003 Active Directory
forest, where you have already added at least one Windows Server 2008 regular DC, you
must run the following command:

adprep /rodcprep

This command updates permissions on application directory partitions to enable

replication of the partitions to RODCs. This operation runs remotely; it contacts the
infrastructure master in each domain to update the permissions. You need to run this
command only once in the forest. You can run this command on any computer in the
forest. You must be a member of the Enterprise Admins group to run this command.

You are now ready to introduce your first Windows Server 2008 Domain Controller.
Read my "Installing Active Directory on Windows Server 2008" article for more
information on that.

Links

ADPREP http://technet.microsoft.com/en-us/library/cc731728.aspx
Download Windows Server 2008 Evaluation
http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx

Adprep
Updated: May 1, 2009

Applies To: Windows Server 2003,Windows Server 2003 R2,Windows Server 2003 with SP1,Windows
Server 2008

Extends the Active Directory® schema and updates permissions as necessary to prepare a forest and
domain for a domain controller that runs the Windows Server® 2008 operating system.

Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the
\sources\adprep folder, and it is available on the Windows Server 2008 R2 installation disk in the
\support\adprep folder. You must run adprep from an elevated command prompt. To open an elevated
command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

In Windows Server 2008 R2, Adprep is available in a 32-bit version and a 64-bit version. The 64-bit
version runs by default. If you need to run Adprep on a 32-bit computer, run the 32-bit version
(Adprep32.exe).

For more information about running Adprep.exe and how to resolve errors that can occur when you run it,
see Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

For examples of how this command can be used, see Examples.

For more information about running adprep /forestprep, see Prepare a Windows 2000 or
Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or
Windows Server 2008 R2 ( http://go.microsoft.com/fwlink/?LinkID=93242).

For more information about running adprep /domainprep /gpprep, see Prepare a Windows 2000 or
Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or
Windows Server 2008 R2 ( http://go.microsoft.com/fwlink/?LinkID=93243).

For more information about running adprep /rodcprep, see Prepare a Forest for a Read-Only Domain
Controller ( http://go.microsoft.com/fwlink/?LinkID=93244).

Syntax

Copy Code
adprep {/forestprep | /domainprep | /domainprep /gpprep | /rodcprep
| /wssg | /silent }

Parameters

Parameter Description

/forestprep Prepares a forest for the introduction of a domain controller that runs Windows
Server 2008. You run this command only once in the forest. You must run this
command on the domain controller that holds the schema operations master role
(also known as flexible single master operations or FSMO) for the forest. You must
 be a member of all the following groups to run this command:

• The Enterprise Admins group

• The Schema Admins group

• The Domain Admins group of the domain that hosts the schema master

/domainprep Prepares a domain for the introduction of a domain controller that runs Windows
Server 2008. You run this command after the forestprep command finishes and
after the changes replicate to all the domain controllers in the forest.
Run this command in each domain where you plan to add a domain controller that
runs Windows Server 2008. You must run this command on the domain controller
that holds the infrastructure operations master role for the domain. You must be a
member of the Domain Admins group to run this command.

/ Performs similar updates as domainprep. However, this command also provides

domainprep / updates that are necessary to enable Resultant Set of Policy (RSOP) Planning
gpprep Mode functionality.
In Active Directory environments that run Microsoft Windows® 2000, this
command performs updates during off-peak hours. This minimizes replication
traffic that is created in those environments by updates to file system permissions
and Active Directory permissions on existing Group Policy objects (GPOs). This
command is also available on Microsoft Windows Server 2003 with Service Pack 1
(SP1) or later.
Run this command after the forestprep command finishes and after the changes
replicate to all domain controllers in the forest. You must run this command on the
infrastructure master for the domain. For more information about running this
command in Windows 2000 Active Directory environments, see Prepare Your
Infrastructure for Upgrade ( http://go.microsoft.com/fwlink/?LinkId=94798).

/rodcprep Updates permissions on application directory partitions to enable replication of the

partitions to read-only domain controllers (RODCs). This operation runs remotely;
it contacts the infrastructure master in each domain to update the permissions.
You need to run this command only once in the forest. However, you can rerun
this command any time if it fails to complete successfully because an
infrastructure master is not available. You can run this command on any computer
in the forest. You must be a member of the Enterprise Admins group to run this
command.

/wssg Returns an expanded set of exit codes, instead of just 0 (Success) and 1 (Failure).

/silent Specifies that no standard output is returned from an operation. This parameter
can be used only if /wssg is also used.

quit Returns to the prior menu.

Help Displays Help for this command.

? Displays Help for this command.

Remarks

• To prepare an existing Windows 2000 or Windows Server 2003 Active Directory environment for

a Windows Server 2008 domain controller, be sure to run the version of Adprep that is included
in the Windows Server 2008 installation media.
 • If you run Adprep on a domain controller running Windows 2000 Server, the domain controller

must be running Windows 2000 Server Service Pack 4 (SP4) or later.

• You can also perform verification steps before and after you run the adprep command to help

ensure that the operations complete successfully. For more information, see Steps for Extending
the Schema ( http://go.microsoft.com/fwlink/?LinkId=94799).

Exit Codes
The following table lists exit codes that Adprep can return after an operation completes.

Return Code Description

0 Success

1 Failure

2 Schema conflict error

3 FSMO role error

4 Connection error

5 Schema upgrade error

6 Unable to modify error

7 Server busy error

8 Permission error

9 Unable to initialize log file error

10 Not a domain controller

11 In nonnative mode

12 Need to run forest update first

13 Forest update already done

14 Domain update already done

15 GPO update already done

16 Forest update wait replication

Examples
The following example prepares a forest for a domain controller that runs Windows Server 2008:

Copy Code
adprep /forestprep
The following example prepares a domain for a domain controller that runs Windows Server 2008:

Copy Code
adprep /domainprep
The following example prepares a domain for an RODC:
Copy Code
adprep /rodcprep
Additional references
Command-Line Syntax Key

Install a new domain in an existing forest

When you install AD DS to create the first domain controller in a new domain, keep the following
considerations in mind:

• Before you create a new Windows Server 2008 or Windows Server 2008 R2 domain in a

Windows 2000 Server or Windows Server 2003 forest, you must prepare the forest for Windows
Server 2008 or Windows Server 2008 R2 by extending the schema (that is, by running
adprep /forestprep).

Note

In Windows Server 2008, Adprep.exe is available in the /sources/adprep folder of the installation
DVD. In Windows Server 2008 R2, Adprep.exe is located in the /support/adprep folder.

• You must make domain functional level decisions that determine whether your domain can

contain domain controllers that run Windows 2000 Server, Windows Server 2003, Windows
Server 2008.

We recommend that you host the primary domain controller (PDC) emulator operations master role in the
forest root domain on a domain controller that runs Windows Server 2008.

For procedures to install a new domain, see Installing a New Child Domain.

Install a new domain controller in an existing domain

When you install a new Windows Server 2008 or Windows Server 2008 R2 domain controller in an existing
Windows 2000 Server or Windows Server 2003 domain, keep the following considerations in mind:

• If this domain controller is the first Windows Server 2008 or Windows Server 2008 R2 domain

controller in the forest, you must prepare the forest for Windows Server 2008 or Windows
Server 2008 R2 by extending the schema (that is, by running adprep /forestprep) on the
schema operations master if this has not already been done.

Note

In Windows Server 2008, Adprep.exe is available in the /sources/adprep folder of the installation
DVD. In Windows Server 2008 R2, Adprep.exe is located in the /support/adprep folder.

• If this domain controller is the first Windows Server 2008 or Windows Server 2008 R2 domain

controller in a Windows 2000 Server domain, you must first prepare the domain by running
adprep /domainprep /gpprep on the infrastructure master.

Note

If you prepare a Windows Server 2003 domain by running adprep /domainprep /gpprep, you
can safely disregard the error message that indicates that domain updates were not necessary.
 • If this domain controller is the first Windows Server 2008 or Windows Server 2008 R2 domain

controller in a Windows Server 2003 domain, you must prepare the domain by running
adprep /domainprep on the infrastructure master.

• Before you can install an RODC in a Windows 2000 Server or Windows Server 2003 forest, you

must prepare the forest by running adprep /rodcprep. You can run adprep /rodcprep on any
computer in the forest. You can run it multiple times if necessary. If the operation is unable to
reach all the application partitions that must be updated to allow RODC installation, you receive a
message that says that not all application partitions have been updated. In this case, rerun the
adprep /rodcprep command.

• The first Windows Server 2008 or Windows Server 2008 R2 domain controller in an existing

Windows 2000 Server or Windows Server 2003 domain cannot be created as an RODC. After a
Windows Server 2008 or Windows Server 2008 R2 domain controller exists in the domain,
additional Windows Server 2008 or Windows Server 2008 R2 domain controllers can be created
as RODCs.

After you have prepared the forest and the domain, you can install AD DS to create a new Windows
Server 2008 or Windows Server 2008 R2 domain controller.

For procedures to install a new domain controller, see Installing an Additional Domain Controller.

Here is general steps for your reference:

====

1. Verify the new server's TCP/IP configuration has been pointed to the
current DNS server.

2. Make the new server become a member server of the current Windows Server
2000 domain first.

3. Upgrade the Windows Server 2000 forest schema to Windows Server 2008
schema with the "adprep /forestprep" command on old server.

Please run the "adprep.exe /forestprep" command from the Windows Server
2008 installation CD on the schema master. For example:

Drive:\CMPNENTS\R2\ADPREP\adprep.exe /forestprep

4. Upgrade the Windows 2000 domain schema with the "adprep /domainprep"
command on old server.

Drive:\CMPNENTS\R2\ADPREP\adprep.exe /domainprep

5. Run "dcpromo" on new server to promote it as an additional domain

controller in existing Windows 2000 domain, afterwards you may verify the
installation of Active Directory.

6. Verify the new server's TCP/IP configuration has been pointed to current
DNS server.
7. We suggested that you perform the DHCP database migration before
promoting it to a domain controller.

8. Export the DHCP database from the current DHCP server using the DHCP
Export Import utility (Dhcpexim.exe). You may migrate the DHCP database to
a Windows 2008 domain controller.

9. Install the DHCP server service on the new server that is running
Windows Server 2008 if necessary. Import the DHCP database to the new DHCP
server

10. Adjust DHCP scope settings to make them use the new DNS server.

11. Unauthorized the old DHCP server and Authorize the new DHCP server and
so that the new one can work normally within Active Directory.

12. Insert Windows Server 2008 Installation Disc in the new server.

13. Run "dcpromo" on new server to promote it as an additional domain

controller in existing Windows 2000 domain, afterwards you may verify the
installation of Active Directory.

14. Enable Global Catalog on new server and manually Check Replication
Topology and afterwards manually trigger replication (Replicate Now) to
synchronize Active Directory database between 2 replicas.

Please note: It will some time to replicate GC between DC, please wait some
time with patience.

15. Disable Global Catalog on DC2.

16. Verify that the old DNS Server Zone type is Active
Directory-Integrated. If not, please refer to:

How To: Convert DNS Primary Server to Active Directory Integrated

http://support.microsoft.com/kb/816101

Note: Active Directory Integrated-Zone is available only if DNS server is a

domain controller.

17. Install DNS component on new server and configure it as a new DNS
Server (Active Directory Integrated-Zone is preferred). All the DNS
configuration should be replicated to the new DNS server with Active
Directory Replication.

18. Make all the clients change TCP/IP configuration to point to new server
as DNS.

19. You may configure TCP/IP on all the clients, or adjust DHCP scope
settings to make them use the new DNS server.
20. It is a good practice to make the old DC offline for several days and
check whether everything works normally with the new server online. If so,
you may let the old DC online and run DCPROMO to demote it.