Tuesday, January 7, 2014

Windows Server 2012 - Active Directory - ADPREP

Or... adding a Windows 2012 domain controller to a Windows 2008 (R2) domain


Adding a Windows 2008 domain controller to a Windows 2003 domain (where all domain controllers run Windows 2003), or a Windows 2008 R2 controller to a domain where all the current controllers are at 2008, required running the adprep command to prepare the forest and the domain for the newer domain controllers.
 
This has changed - to some extent - with Windows 2012. Previously, it was necessary to run the adprep commands (we'll see them in a second) manually, before promoting a server running the newer OS. When we promote a Windows 2012 server to domain controller status, the process includes running the adprep /forestprep and adprep /domainprep commands automatically, in the background.
 
However, we can still execute these commands manually, and in either case certain criteria must still be met.

 
 
If we proceed manually, we need to execute 2 or 3 commands:

adprep /forestprep to prepare the forest

adprep /domainprep to prepare the domain

And optionally...

adprep /rodcprep if we plan to use read-only domain controllers (RODCs).

We should run the first command on the schema master and the second on the infrastructure master.
 
If we are not sure which domain controller holds these roles, we can determine that with this command:

netdom query fsmo

Or alternately:

dsquery server -hasfsmo schema

dsquery server -hasfsmo infra

Of course, the schema master and the infrastructure master may be located on the same domain controller.
 
The user running the commands must be a member of the Schema Admins group (in the forest) and of the Domain Admins group in each of the domains to be prepared.
 
So, let's make a first attempt.
 
We need to have the Windows Server 2012 media available, either the DVD or the .iso file (which we would have to mount). Once we've mounted the .iso file or inserted the DVD, we browse to the following location on that media:

Note: in this case, the DVD has been inserted in the D: drive. The drive letter, of course, could be something else.

PS C:\Users\admin> cd\
PS C:\> D:
PS D:\> cd support
PS D:\support> cd adprep
PS D:\support\adprep>

Note: instead of "cd" we could use "sl", the PowerShell alias for Set-Location ("cd" is itself an alias for the same cmdlet).

Now, if we execute the command as we would at the traditional Windows command line, we will encounter an error:

PS D:\support\adprep> adprep /forestprep

The term 'adprep' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again [snip].

Suggestion [3,General]: The command adprep was not found, but does exist in the current location. Windows PowerShell doesn't load commands from the current location by default. If you trust this command, instead type ".\adprep". See "get-help about_Command_Precedence" for more details.

So, in PowerShell we need to enter the command with the explicit path prefix, like this:

PS D:\support\adprep> .\adprep /forestprep

But we encounter one more obstacle:

Adprep detected that the supplied or default user is not a member of the following group: Schema Admins Group.
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Verify the user is a member of Enterprise Admins group and Schema Admins group.


In fact, this is an error I created by removing the administrator account used to execute the command from the schema administrators group. I wanted to illustrate what would happen if this requirement was not met. This is not an implausible scenario. Some experts recommend that the schema admins group remain empty until there is a need to upgrade the schema. This is to prevent accidental unplanned schema upgrades.

So, in summary...

1. We have to prefix the actual command with .\ when running it in PowerShell.
2. The user running the command must be a member of the Schema Admins group, and of the Domain Admins group of any domain being prepared for Windows 2012.

 
Once these requirements are met, we can make some progress:

PS D:\support\adprep> .\adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows Active Directory Domain Controllers in the forest must run Windows Server 2003 or later. You are about to upgrade the schema for the Active Directory forest named 'mynet.lan', using the Active Directory domain controller (schema master) 'DC2.mynet.lan'.
This operation cannot be reversed after it completes.


[User Action]
If all domain controllers in the forest run Windows Server 2003 or later and you want to upgrade the schema, confirm by typing 'C' and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.


C

Current Schema Version is 47

Upgrading schema to version 56

Verifying file signature
Connecting to "DC2.mynet.lan"
Logging in as current user using SSPI
Importing directory from file "D:\support\adprep\sch48.ldf"

The command has completed successfully
Verifying file signature
Connecting to "DC2.mynet.lan"
Logging in as current user using SSPI
Importing directory from file "D:\support\adprep\sch56.ldf"
Loading entries....
188 entries modified successfully.

The command has completed successfully
........................................................................................................................
[...]
........................................................................................................................
......................................................................................
Adprep successfully updated the forest-wide information.


---------

We then can prepare the domain:

---------

PS D:\support\adprep> .\adprep /domainprep

Adprep successfully updated the domain-wide information.

--------

The output of the adprep /forestprep command shows a progression from schema version 47 to schema version 56. Schema version 47 corresponds to Windows Server 2008 R2 and 56 to Windows Server 2012.
 
Here is a chart of the schema version numbers and the corresponding operating system:

13 = Windows 2000 Server
30 = Windows Server 2003
31 = Windows Server 2003 R2
44 = Windows Server 2008
47 = Windows Server 2008 R2
56 = Windows Server 2012
69 = Windows Server 2012 R2

I happened to know beforehand that I was moving from Windows Server 2008 R2 to Windows Server 2012. But what if you do not know?

The current schema version can be displayed with this command:

PS C:\> dsquery * "cn=schema,cn=configuration,dc=mynet,dc=lan" -scope base -attr objectversion
 
objectversion
  56

It can also be viewed in ADSI Edit (screenshot 1) and in the registry (screenshot 2) at the locations indicated:

ADSI Edit: (screenshot 1 not reproduced) the objectVersion attribute of the schema container, cn=schema,cn=configuration,dc=mynet,dc=lan

Registry: (screenshot 2 not reproduced)

In case the path is not legible, I'll rewrite it here:

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\SchemaVersion

By viewing the schema version before and after the upgrade, we can verify the success of the operation.
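As an added example (not from the original post), here are the pre-flight checks described above (FSMO role holders and group membership) together with the before/after schema version check, done with the ActiveDirectory PowerShell module (RSAT) instead of netdom and dsquery. It assumes the module is installed and that it is run from the forest root domain, where Schema Admins and Enterprise Admins live; the cmdlets are the module's own, the function names and the output layout are mine.

```powershell
# Added example (not from the original post): pre-flight checks before running adprep
# and the before/after schema-version verification, using the ActiveDirectory module.
# Assumes RSAT is installed and the script runs in the forest root domain.
Import-Module ActiveDirectory

# Schema version -> operating system, as listed in the post.
$SchemaVersions = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
}

function Get-SchemaVersion {
    # Reads objectVersion from the schema container (same attribute the dsquery example prints).
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $version = [int]$schema.objectVersion
    $os = if ($SchemaVersions.ContainsKey($version)) { $SchemaVersions[$version] } else { 'unknown' }
    New-Object PSObject -Property @{ SchemaVersion = $version; OperatingSystem = $os }
}

function Get-SchemaVersionFromRegistry {
    # Same value as kept on each DC (registry path from the post); only meaningful on a domain controller.
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name SchemaVersion).SchemaVersion
}

function Test-AdprepPrerequisites {
    # Which domain controllers hold the roles adprep works against?
    $forest = Get-ADForest
    $domain = Get-ADDomain
    Write-Host "Schema master (run /forestprep here):         $($forest.SchemaMaster)"
    Write-Host "Infrastructure master (run /domainprep here): $($domain.InfrastructureMaster)"

    # Is the current user in the groups adprep checks for? Missing membership stops adprep.
    $me = Get-ADUser -Identity $env:USERNAME
    foreach ($group in 'Schema Admins', 'Enterprise Admins', 'Domain Admins') {
        $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty DistinguishedName
        $status  = if ($members -contains $me.DistinguishedName) { 'OK' } else { 'MISSING' }
        Write-Host ("{0,-18} {1}" -f $group, $status)
    }
    Get-SchemaVersion
}

# Run before adprep (expect 47 = 2008 R2) and again afterwards (expect 56 = 2012).
Test-AdprepPrerequisites
```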


