Skip to main content

Prepare your Domain for the Windows Server 2008 R2 Domain Controller

Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a tool called ADPREP.



ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system.
Note: You may remember that ADPREP was used on previous operating systems such as Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows Server 2008 R2.
What does ADPREP do? ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that ADPREP can perform include the following:
  • Updating the Active Directory schema
  • Updating security descriptors
  • Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
  • Creating new objects, as needed
  • Creating new containers, as needed
To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller please perform these tasks:
Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller. If you plan on simply joining a Windows Server 2008 R2 Server to the domain and configuring as a regular member server, none of the following tasks are required.
Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2. For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, not can it participate as a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).
First, you should review and understand the schema updates and other changes that ADPREP makes as part of the schema management process in Active Directory Domain Services (AD DS). You should test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment.
You must make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest (you do have backups, don't you?).
Also, make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have the media handy, you may use the evaluation version that is available to download from Microsoft's website. You can also use an MSDN or Technet ISO image, if you have a subscription to one of them.
If you only have the ISO file and do not want to or cannot actually burn it to a physical DVD media, you can mount it by using a virtual ISO mounting tool such as MagicIso (can Convert BIN to ISO, Create, Edit, Burn, Extract ISO file, ISO/BIN converter/extractor/editor).
Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe.
Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to get the right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).
To perform this procedure, you must use an account that has membership in all of the following groups:
  • Enterprise Admins
  • Schema Admins
  • Domain Admins for the domain that contains the schema master
Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu.
Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better...
Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature was intentionally disabled in windows Server 2008 and Windows Vista.
In the Command Prompt window, type the following command:
adprep /forestprep
You will be prompted to type the letter "c" and then press ENTER. After doing so, process will begin.
ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.
When completed, you will receive a success message.
Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to run it from a non-DC, you will get this error:
Adprep cannot run on this platform because it is not an Active Directory Domain
Controller.
[Status/Consequence]
Adprep stopped without making any changes.
[User Action]
Run Adprep on a Active Directory Domain Controller.
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
In the Command Prompt window, type the following command:
adprep /domainprep
Process will take less than a second.
ADPREP must only be run in a Windows 2000 Native Mode or higher. If you attempt to run in Mixed Mode you will get this error:
Adprep detected that the domain is not in native mode
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Configure the domain to run in native mode and re-run domainprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
If you're running a Windows 2008 Active Directory domain, that's it, no additional tasks are needed.
If you're running a Windows 2000 Active Directory domain, you must also the following command:
adprep /domainprep /gpprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.


Labels:

Popular posts from this blog

HOW TO EDIT THE BCD REGISTRY FILE

The BCD registry file controls which operating system installation starts and how long the boot manager waits before starting Windows. Basically, it’s like the Boot.ini file in earlier versions of Windows. If you need to edit it, the easiest way is to use the Startup And Recovery tool from within Vista. Just follow these steps: 1. Click Start. Right-click Computer, and then click Properties. 2. Click Advanced System Settings. 3. On the Advanced tab, under Startup and Recovery, click Settings. 4. Click the Default Operating System list, and edit other startup settings. Then, click OK. Same as Windows XP, right? But you’re probably not here because you couldn’t find that dialog box. You’re probably here because Windows Vista won’t start. In that case, you shouldn’t even worry about editing the BCD. Just run Startup Repair, and let the tool do what it’s supposed to. If you’re an advanced user, like an IT guy, you might want to edit the BCD file yourself. You can do this
Read more

DNS Scavenging.

                        DNS Scavenging is a great answer to a problem that has been nagging everyone since RFC 2136 came out way back in 1997.  Despite many clever methods of ensuring that clients and DHCP servers that perform dynamic updates clean up after themselves sometimes DNS can get messy.  Remember that old test server that you built two years ago that caught fire before it could be used?  Probably not.  DNS still remembers it though.  There are two big issues with DNS scavenging that seem to come up a lot: "I'm hitting this 'scavenge now' button like a snare drum and nothing is happening.  Why?" or "I woke up this morning, my DNS zones are nearly empty and Active Directory is sitting in a corner rocking back and forth crying.  What happened?" This post should help us figure out when the first issue will happen and completely avoid the second.  We'll go through how scavenging is setup then I'll give you my best practices.  Scavenging s
Read more

AD LDS – Syncronizing AD LDS with Active Directory

First, we will install the AD LDS Instance: 1. Create and AD LDS instance by clicking Start -> Administrative Tools -> Active Directory Lightweight Directory Services Setup Wizard. The Setup Wizard appears. 2. Click Next . The Setup Options dialog box appears. For the sake of this guide, a unique instance will be the primary focus. I will have a separate post regarding AD LDS replication at some point in the near future. 3. Select A unique instance . 4. Click Next and the Instance Name dialog box appears. The instance name will help you identify and differentiate it from other instances that you may have installed on the same end point. The instance name will be listed in the data directory for the instance as well as in the Add or Remove Programs snap-in. 5. Enter a unique instance name, for example IDG. 6. Click Next to display the Ports configuration dialog box. 7. Leave ports at their default values unless you have conflicts with the default values. 8. Click N
Read more