Windows 2003 ADPrep
What do I need to do to prepare my Windows 2000 forest for the installation of the first Windows Server 2003 DC?
Before you can introduce Windows Server 2003 domain controllers, you must prepare the forest and domains with the ADPrep utility.
- ADPrep /forestprep on the schema master in your Windows 2000 forest.
- ADPrep /domainprep on the Infrastructure Master in each AD domain.
ADPrep is located in the i386 directory of the Windows Server 2003 install media.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
UPDATE: For Windows Server 2008, please refer to our Windows Server 2008 ADPrep article
Note: In Windows Server 2003 R2, ADPrep is not located in the same folder as in the older Windows Server 2003 media, and instead you need to look for it in the second CD. You see, Windows Server 2003 R2 comes on two installation disks. Installation disk 1 contains a slip-streamed version of Windows Server 2003 with Service Pack 2 (SP2). Installation disk 2 contains the Windows Server 2003 R2 files.
The correct version of the ADPrep.exe tool for Windows Server 2003 R2 is 5.2.3790.2075.
You can find the R2 ADPrep tool in the following folder on the second CD:
(where drive is the drive letter of your CD-Rom drive)
Read more about ADPrep and Windows Server 2003 R2 in KB 917385
Exchange 2000 note: Please make sure you read Windows 2003 ADPrep Fix for Exchange 2000 before installing the first Windows Server 2003 DC in your existing organization.
Microsoft recommends that you have at least Service Pack (SP) 2 installed on your domain controllers before running ADPrep. SP2 fixed a critical internal AD bug, which can manifest itself when extending the schema. There were also some fixes to improve the replication delay that can be seen when indexing attributes.
Similar to the Exchange setup.exe /forestprep and /domainprep switches.
- The Exchange /forestprep command extends the schema and adds some objects in the Configuration Naming Context.
- The Exchange / domainprep command adds objects within the Domain Naming Context of the domain it is being run on and sets some ACLs.
The ADPrep command follows the same logic and performs similar tasks to prepare for the upgrade to Windows Server 2003.
The ADPrep /forestprep command extends the schema with quite a few new classes and attributes. These new schema objects are necessary for the new features supported by Windows Server 2003.
You can view the schema extensions by looking at the .ldf files in the \i386 directory on the Windows Server 2003 CD. These files contain LDIF entries for adding and modifying new and existing classes and attributes.
Since the schema is extended and objects are added in several places in the Configuration NC, the user running /forestprep must be a member of both the Schema Admins and Enterprise Admins groups.
The ADPrep /domainprep creates new containers and objects, modifies ACLs on some objects, and changes the meaning of the Everyone security principal.
Before you can run ADPrep /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest.
/domainprep must be run on the Infrastructure Master of a domain and under the credentials of someone in the Domain Admins group.
You can view detailed output of the ADPrep command by looking at the log files in the %Systemroot%\system32\debug\adprep\ogs directory.
Each time ADPrep is executed, a new log file is generated that contains the actions taken during that particular invocation. The log files are named based on the time and date ADPrep was run.
Once you’ve run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2003 or installing new Windows Server 2003 domain controllers.