Preparing for an upgrade to Active Directory is not a trivial task. However, if you prepare for the upgrade properly, you will be able to take advantage of a newer Active Directory infrastructure that will support Windows 2008 domain controllers.
It will provide you with additional benefits such as auditing enhancements, fine-grained password policies, read-only domain controllers, restartable Active Directory domain services, and an Active Directory database mounting tool. In Windows 2008, the Active Directory service is now called Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services.
There are a few steps that you must take in order to prepare and upgrade your existing Active Directory forest to support new Windows 2008 domain controllers. Before you can add AD DS to a server that is running Windows Server 2008 or Windows Server 2008 R2 in an existing Active Directory environment, you must prepare the environment by running Adprep.exe. Adprep.exe is a command-line tool that is included on the installation disk of each version of Windows Server.
Adprep.exe performs operations that must be completed in an existing Active Directory environment before you can add a domain controller that runs a version of Windows Server later than the latest version currently running in your environment.
In Windows Server 2008, Adprep.exe is available in the /sources/adprep folder of the installation DVD. In Windows Server 2008 R2, it is located in the /support/adprep folder.
When you run Adprep.exe, various operations are performed to prepare the domain for the newer version of Windows Server that will run on your domain controllers. Some of these operations include:
- Upgrading the Active Directory schema
- Upgrading security descriptors
- Upgrading access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
- Creating new objects, as needed
- Creating new containers, as needed
Active Directory Upgrade Process
The first step is to prepare your Active Directory forest. Log on to the domain controller in the root domain that currently holds the Flexible Single Master Operations (FSMO) role of "Schema Master". If you are not sure which computer holds the FSMO roles, you can type the following command at a command prompt on a computer on which you have Netdom.exe installed: netdom query FSMO
Make sure that you can log on to the schema master with an account that has sufficient credentials to run Adprep.exe. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
Once you log on to the server holding this role, run the following command at a command prompt: Adprep.exe /forestPrep
This command only needs to be run once in the forest. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4). Antivirus software can sometimes interfere with this command. You may want to temporarily disable the antivirus service from running on the Schema Master until the process has been completed.
After the domain controllers in the forest have successfully completed replication, you can continue on to the next step. The objectVersion attribute will be set to 44 or 47, depending on whether you ran adprep /forestPrep for Windows 2008 or Windows 2008 R2, respectively. This can be verified using ADSIEdit under the Schema, Configuration object.
The next step is to run Adprep.exe in each domain, while logged on to the domain controller holding the Infrastructure Operations Master FSMO role. This command is only run on that server; you do not run it on each domain controller. You must be logged on to that server as a Domain Admin. One of these two commands should be run:
Adprep.exe /domainPrep
Adprep.exe /domainPrep /gpPrep
If you already ran the /gpPrep parameter for Windows Server 2003, you do not need to run it again for Windows Server 2008 or Windows Server 2008 R2. This command adds only the inheritable access control entries (ACEs) on Group Policy objects (GPOs) in the SYSVOL shared folder.
The additional ACEs give enterprise domain controllers read access permissions on GPOs. These permissions are required to support Resultant Set of Policy (RSOP) functionality for site-based policy. The final step is optional but should be considered. This step is required if you plan on installing one or more Read-Only Domain Controllers (RODCs) in the forest. The command is as follows: Adprep.exe /rodcPrep
This command updates the security descriptors for application directory partitions to give RODCs permission to replicate updates to the partitions. Each application directory partition has an infrastructure master. The adprep /rodcPrep command must update the security descriptor for each application directory partition on the infrastructure master for that partition.
This command is run once for the entire forest. It can be run from any computer. This command performs operations remotely. For the operations to complete successfully, the domain naming operations master for the forest and the infrastructure operations master for each application directory partition and each domain partition must be accessible.
If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2. You must be logged on to the computer as an Enterprise Admin.
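The read-only checks a practitioner would run before and after the steps above (which server holds each FSMO role, whether any Windows 2000 domain controller is below SP4, and whether the schema objectVersion shows forestPrep has applied), as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory module from RSAT is installed and an account that can read the forest; it changes nothing in the directory.

```powershell
# Added example, not from the original article: readiness checks for the
# Adprep steps. Requires the ActiveDirectory module (RSAT); read-only.
Import-Module ActiveDirectory

# 1. FSMO role holders. forestPrep runs on the schema master, domainPrep on the
#    infrastructure master of each domain, and rodcPrep needs the domain naming
#    master and every infrastructure master to be reachable.
$forest = Get-ADForest
"Schema master        : $($forest.SchemaMaster)"
"Domain naming master : $($forest.DomainNamingMaster)"
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "Infrastructure master for ${domainName}: $($domain.InfrastructureMaster)"
}

# 2. Any Windows 2000 Server domain controller must be at SP4 before forestPrep.
Get-ADDomainController -Filter * |
    Where-Object {
        $_.OperatingSystem -like '*2000*' -and
        $_.OperatingSystemServicePack -ne 'Service Pack 4'
    } |
    ForEach-Object {
        Write-Warning ("{0} runs {1} {2}; SP4 is required before forestPrep" -f
            $_.HostName, $_.OperatingSystem, $_.OperatingSystemServicePack)
    }

# 3. Schema objectVersion, read via ADSI from the schema naming context (the
#    same value the article says to inspect with ADSIEdit). Values are those
#    stated in the article: 44 = Windows Server 2008, 47 = Windows Server 2008 R2.
$rootDse = [ADSI]'LDAP://RootDSE'
$schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
$version = [int]$schema.objectVersion.Value
switch ($version) {
    44      { "Schema objectVersion ${version}: forestPrep for Windows Server 2008 has applied" }
    47      { "Schema objectVersion ${version}: forestPrep for Windows Server 2008 R2 has applied" }
    default { "Schema objectVersion ${version}: not one of the values listed for 2008/2008 R2 (44, 47); check replication before running domainPrep" }
}
```

Run the script against the forest root before forestPrep to confirm role placement and SP4 levels, then again after replication completes to confirm the objectVersion before moving on to domainPrep.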