What do I need to do to prepare my Windows 2000 forest for the installation of the first Windows Server 2003 DC?
Achieve instantaneous visibility into user & group permissions with the free Permissions Analyzer Tool for Active Directory!
- Get a complete hierarchical view of the effective permissions & access rights for a specific file folder (NTFS) or share drive
- Easily see what permissions a user has for an object and why (group membership or direct permissions)
- See it all from a totally cool desktop dashboard
Before you can introduce Windows Server 2003 domain controllers, you must prepare the forest and domains with the ADPrep utility.
- ADPrep /forestprep on the schema master in your Windows 2000 forest.
- ADPrep /domainprep on the Infrastructure Master in each AD domain.
ADPrep is located in the i386 directory of the Windows Server 2003 install media.
UPDATE: For Windows Server 2008, please refer to our Windows Server 2008 ADPrep article
Note: In Windows Server 2003 R2, ADPrep is not located in the same folder as in the older Windows Server 2003 media, and instead you need to look for it in the second CD. You see, Windows Server 2003 R2 comes on two installation disks. Installation disk 1 contains a slip-streamed version of Windows Server 2003 with Service Pack 2 (SP2). Installation disk 2 contains the Windows Server 2003 R2 files.
The correct version of the ADPrep.exe tool for Windows Server 2003 R2 is 5.2.3790.2075.
You can find the R2 ADPrep tool in the following folder on the second CD:
(where drive is the drive letter of your CD-Rom drive)
Read more about ADPrep and Windows Server 2003 R2 in KB 917385
Exchange 2000 note: Please make sure you read Windows 2003 ADPrep Fix for Exchange 2000 before installing the first Windows Server 2003 DC in your existing organization.
Microsoft recommends that you have at least Service Pack (SP) 2 installed on your domain controllers before running ADPrep. SP2 fixed a critical internal AD bug, which can manifest itself when extending the schema. There were also some fixes to improve the replication delay that can be seen when indexing attributes.
Similar to the Exchange setup.exe /forestprep and /domainprep switches.
- The Exchange /forestprep command extends the schema and adds some objects in the Configuration Naming Context.
- The Exchange / domainprep command adds objects within the Domain Naming Context of the domain it is being run on and sets some ACLs.
The ADPrep command follows the same logic and performs similar tasks to prepare for the upgrade to Windows Server 2003.
The ADPrep /forestprep command extends the schema with quite a few new classes and attributes. These new schema objects are necessary for the new features supported by Windows Server 2003.
Since the schema is extended and objects are added in several places in the Configuration NC, the user running /forestprep must be a member of both the Schema Admins and Enterprise Admins groups.
The ADPrep /domainprep creates new containers and objects, modifies ACLs on some objects, and changes the meaning of the Everyone security principal.
Before you can run ADPrep /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest.
/domainprep must be run on the Infrastructure Master of a domain and under the credentials of someone in the Domain Admins group.
You can view detailed output of the ADPrep command by looking at the log files in the %Systemroot%\system32\debug\adprep\ogs directory.
Each time ADPrep is executed, a new log file is generated that contains the actions taken during that particular invocation. The log files are named based on the time and date ADPrep was run.
Once you’ve run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2003 or installing new Windows Server 2003 domain controllers.