Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in hotfix 324392 (324392)
The information in this article applies to:
- Microsoft Windows Server 2003 SP1, when used with:
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
This article was previously published under Q324392.

SUMMARY

The Active Directory Preparation Tool (Adprep.exe) in Microsoft Windows Server 2003 prepares a Microsoft Windows 2000 forest and its domains for the installation of Windows Server 2003 domain controllers. This article documents the enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 (SP1). This article also provides a hotfix that includes the updated version of Adprep.exe. You can apply this hotfix to update Adprep.exe even if you do not install Windows Server 2003 SP1.
Note We recommend that you always use the latest version of Adprep.exe to extend the schema.

MORE INFORMATION

To prepare a Windows 2000 forest to host new or upgraded Windows Server 2003 domain controllers, run the adprep /forestprep command on the schema operations master, and then run the adprep /domainprep command on the infrastructure operations master in each domain. The updated version of Adprep.exe supports the following commands and enhancements. These enhancements help administrators successfully upgrade to Windows Server 2003.

- adprep /forestprep
The adprep /forestprep command performs the same operations as in the original release version of Windows Server 2003. The syntax of this command is unchanged. Enhancements include better error message handling in configurations that prevent the adprep /forestprep command from successfully running.
- adprep /domainprep
In Windows Server 2003 without service packs, the adprep /domainprep command adds more restrictive security descriptors to all Group Policy objects (GPOs) in the SYSVOL shared resource. When you modify the permissions on all the GPOs in the SYSVOL tree, the NT File Replication service (NTFRS) on the originating domain controller must send all the GPOs to all the other domain controllers in that domain. Some network infrastructures that contain many domain controllers or GPOs may already be under stress if they are connected by slow network links. When the adprep /domainprep command is used, the incremental overhead from the full synchronization of GPOs in the SYSVOL shared resource may overload such networks. To resolve this problem, the updated version of Adprep.exe decouples the modification of permissions in the SYSVOL shared resource from the other operations that are performed by the adprep /domainprep command.
In the version of Adprep.exe that is included with Windows Server 2003 SP1, the adprep /domainprep command performs the same operations as in the earlier version of Adprep.exe. However, the updated command does not modify permissions on GPOs unless you use the new /gpprep switch. After you install the updated version of Adprep.exe, you receive the following message when you run the adprep /domainprep command:
The new cross domain planning functionality for Group Policy, RSOP Planning Mode, requires file system and Active Directory permissions to be updated for existing Group Policy Objects (GPOs). You can enable this functionality at any time by running "adprep.exe /domainprep /gpprep" on the DC that holds the infrastructure operations master role.
This operation will cause all GPOs located in the policies folder of the SYSVOL to be replicated once between the domain controllers in this domain. Microsoft recommends reading KB Q324392, particularly if you have a large number of Group Policy Objects.
- adprep /domainprep /gpprep
The functionality of the adprep /domainprep /gpprep command depends on the state of the domain. If the updated adprep /domainprep command has not been run, this command is the functional equivalent of the adprep /domainprep command in the original release of Windows Server 2003. In these circumstances, the command performs all the domain operations that are listed in Microsoft Knowledge Base article 309628. These operations include setting the permissions for GPOs in the SYSVOL. If the updated adprep /domainprep command has already been run, the adprep /domainprep /gpprep command adds only the inheritable access control entries (ACEs) on GPOs in the SYSVOL shared resource. The additional ACEs give enterprise domain controllers read access permissions on GPOs. These permissions are required to support Resultant Set of Policy (RSoP) functionality for site-based policy.
For additional information about Adprep.exe in the original release version of Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
309628
Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest
Because of these enhancements, we recommend that you use the updated version of Adprep.exe.

Hotfix information

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows Server 2003 service pack that contains this hotfix. To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites

No prerequisites are required.

Restart requirement

You do not have to restart your computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Server 2003, 32-bit versions

Date         Time   Version       Size     File name
-----------------------------------------------------------------
23-Jul-2004  09:04  5.2.3790.196  397,824  Adprep.exe

Windows Server 2003, 64-bit versions

Date         Time   Version       Size       File name   Platform
-----------------------------------------------------------------
23-Jul-2004  09:05  5.2.3790.196  1,071,616  Adprep.exe  IA-64

To integrate the updated file that this hotfix provides with the files on the original Windows Server 2003 installation CD, follow these steps:
1. Copy the contents of the \I386 folder from the Windows Server 2003 CD to your computer.
2. Download the 194432_ENU_i386_zip.exe hotfix file to your computer.
3. In Windows Explorer, locate and then double-click the hotfix file.
4. When you are prompted, specify a folder for the extracted files.
5. Locate and double-click the WindowsServer2003-KB324392-x86-enu.exe file.
   Note This file is in the folder that you specified in step 4.
6. When you are prompted to specify a folder for the extracted files, type the path of the \I386 folder that you copied from the Windows Server 2003 CD in step 1.
7. At a command prompt, run the adprep command and its command line arguments from the \I386 folder.

Other enhancements to Adprep.exe

Besides the enhancements that have already been mentioned, the updated version of Adprep.exe includes the following enhancements:
- The adprep /forestprep command introduces forest-wide and domain-wide schema changes.
To enable the adprep /forestprep command to introduce schema changes, the domain controller that holds the role of schema operations master must be operational on the network. Additionally, this domain controller must have performed inbound replication of the CN=Schema partitions since the domain controller was last restarted.
If the adprep /forestprep command cannot introduce the schema changes, you receive the following error message:
Adprep was unable to extend the schema.
[Status/Consequence]
The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.
[User Action]
Verify that the schema master is connected to the network and can communicate with other domain controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.
The original release version of the Windows Server 2003 adprep /forestprep command does not display this error message.
- The adprep /forestprep command uses the Schupgr.exe utility to implement schema additions.
If Windows 2000 domain controllers contain schema extensions that are not compatible with Windows Server 2003 schema extensions, the Schupgr.exe utility and the adprep /forestprep command cannot implement all schema additions. In this scenario, the adprep /forestprep command detects probable conflicting schema extensions and reports them to the user before it upgrades the schema.
- The Initsync failure warning is changed.
For the adprep /forestprep command to make schema updates to the forest, the Schema Master operations master must meet InitSync requirements by performing an inbound replication of the schema partition from at least one other domain controller in the forest. If the Schema Master cannot successfully perform this inbound replication, the Schema Master role will not be available. This problem causes the adprep /forestprep command to fail. In Windows Server 2003 without service packs, the error message that is generated in this situation does not correctly identify this Initsync problem.
The version of Adprep.exe that is included with Windows Server 2003 SP1 correctly identifies the Initsync problem and generates the following error message:
ADPREP was unable to extend the schema.
[Status/Consequence]
The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.
[User Action]
Verify that the schema master is connected to the network and can communicate with other domain controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run ADPREP again.
- Adprep performs schema verification.
You might experience difficulty with the adprep /forestprep command when you run the version of Adprep.exe that is included with Windows Server 2003 without service packs, and you have schema extensions that are not valid. These schema extensions may have been installed by third-party programs. These schema extensions incorrectly obtain either RFC-defined object identifiers or Microsoft-reserved schema definitions. Then, the schema extensions use these definitions on objects that have a different distinguished name (DN) path or a different LDAP display name.
In the version of Adprep.exe that is included in Windows Server 2003 without service packs, the Adprep log file does not clearly indicate the affected Active Directory attribute. Therefore, you must manually identify the incorrect attribute among all the possible additions that are made by one of the LDAP directory interchange format files. Typically, this file is the Sch18.ldf file.
In the version of Adprep.exe that is included with Windows Server 2003 SP1, Adprep validates the schema before the adprep /forestprep command proceeds. If Adprep detects an incompatible schema extension, the command stops. The command then generates an error message that is similar to the following error message. This error message logs the object identifier and the distinguished name of the problem object.
OID "2.5.4.45" defined for object CN=UniqueID,CN=Schema,CN=Configuration,DC=ADPREP,DC=com conflicts with the schema extensions needed for Windows 2003.
[Status/Consequence]
ADPREP will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "2.5.4.45" and resolve this inconsistency. Then run ADPREP again.
In this situation, you must contact the vendor of the program that added the schema extensions that are not valid and have the vendor correct the schema object. Then, the vendor must update the program so that the program works with the corrected schema object.
In the example that appears in this error message, the vendor must change the UniqueID relative distinguished name to MyUniqueID or to any other name.
Another form of the problem is an extension that uses a valid object identifier under a different relative distinguished name. For example, a program may have added myinetOrg together with the correct object identifier for inetOrg. In this case, the solution is to rename myinetOrg to inetOrg and then to add a new extension for the program, together with a program update.
- Exchange InetOrgPerson detection is added.
Consider the following scenario:
  - You extend the schema by using the version of Adprep that is included with Windows Server 2003 without service packs.
  - The schema has been extended by Microsoft Exchange 2000 Server.
  - The InetOrgPerson fix has not been applied.
In this scenario, you receive no error message. The schema is extended, but the LDAP display names of the following three Exchange attributes are damaged:
  - MS-Exchange-HouseIdentifier
  - MS-Exchange-Secretary
  - MS-Exchange-LabeledURI
One example of this problem is the following.
Exchange 2000 schema without InetOrgPerson fix

Object type     | Value
----------------|----------------------------
Attribute       | MS-Exchange-HouseIdentifier
LDAPDisplayName | HouseIdentifier

Windows Server 2003 schema extension

Object type     | Value
----------------|----------------
Attribute       | HouseIdentifier
LDAPDisplayName | HouseIdentifier

Because the Windows Server 2003 schema requires the HouseIdentifier LDAPDisplayName, the Windows Server 2003 schema update damages the existing HouseIdentifier LDAPDisplayName that Exchange 2000 added. After the adprep /forestprep command finishes running, the LDAPDisplayName of the MS-Exchange-HouseIdentifier appears as follows.

Object type     | Value
----------------|---------------------------------------------------------
Attribute       | HouseIdentifier
LDAPDisplayName | DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef

The updated version of Adprep that is included in Windows Server 2003 SP1 correctly detects Exchange 2000 schema extensions. If the Exchange 2000 schema was not updated by the InetOrgPerson fix, Adprep logs a message that directs the user to article 325379. The message also directs the user to resolve the schema conflict before running Adprep. In this situation, Adprep generates the following error message:
ADPREP was unable to extend the schema.
[Status/Consequence]
There is a schema conflict with Exchange 2000. The schema is not upgraded.
[User Action]
The schema conflict must be resolved before running ADPREP. Resolve the schema conflict, allow the change to replicate between all replication partners, and then run ADPREP. For information on resolving the conflict, see Microsoft Knowledge Base article Q325379
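The two conflict classes described above (an OID such as 2.5.4.45 reused by a third-party attribute under a different name, and an Exchange 2000 attribute whose lDAPDisplayName collides with one the Windows Server 2003 extension needs) can be checked for before Adprep runs, by comparing an LDIF export of the forest's schema partition (for example from ldifde) against the attribute additions in a forestprep LDIF file such as Sch18.ldf. The following script is an added example, not Adprep.exe's or Microsoft's own validation code: the parser, the conflict rules and both LDIF samples are constructed for illustration, and the OIDs on the Exchange and "Already-Present" attributes are made up. It assumes that forestprep LDIF files use DC=X as the placeholder for the forest root, so objects are matched on their CN= relative distinguished name only.

```python
"""Pre-flight schema conflict check (added example; not Adprep.exe's own code)."""
from dataclasses import dataclass


def parse_ldif(text):
    """Minimal LDIF reader: one dict per record, attribute names lower-cased,
    values kept as lists. Continuation lines (leading space) are unfolded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def rdn(dn):
    """First RDN, lower-cased. Forestprep LDIF files carry DC=X as a placeholder
    for the forest root (assumption), so only the CN= part is comparable."""
    return dn.split(",", 1)[0].strip().lower()


def identity(record):
    """(dn, oid, lDAPDisplayName) of a schema record; the OID is attributeID for
    attributes or governsID for classes."""
    dn = record.get("dn", [""])[0]
    oid = (record.get("attributeid") or record.get("governsid") or [None])[0]
    ldn = (record.get("ldapdisplayname") or [None])[0]
    return dn, oid, ldn


@dataclass(frozen=True)
class Conflict:
    kind: str          # "oid" or "ldapdisplayname"
    value: str         # the clashing OID or display name
    existing_dn: str   # object already in the forest schema
    incoming_dn: str   # object the forestprep file wants to add


def find_conflicts(existing_ldif, additions_ldif):
    """Report additions whose OID or lDAPDisplayName is already taken by a
    differently named schema object. An addition that matches an existing
    object on RDN, OID and display name is already applied and is not a conflict."""
    by_oid, by_ldn = {}, {}
    for rec in parse_ldif(existing_ldif):
        dn, oid, ldn = identity(rec)
        if oid:
            by_oid[oid] = (dn, ldn)
        if ldn:
            by_ldn[ldn.lower()] = dn
    conflicts = []
    for rec in parse_ldif(additions_ldif):
        dn, oid, ldn = identity(rec)
        if oid in by_oid:
            ex_dn, ex_ldn = by_oid[oid]
            # Same OID under another DN or display name: the 'OID "2.5.4.45"
            # defined for object CN=UniqueID' case from the article.
            if rdn(ex_dn) != rdn(dn) or (ex_ldn or "").lower() != (ldn or "").lower():
                conflicts.append(Conflict("oid", oid, ex_dn, dn))
        if ldn and ldn.lower() in by_ldn and rdn(by_ldn[ldn.lower()]) != rdn(dn):
            # Display name already used by another object: the Exchange 2000
            # HouseIdentifier case, which the in-box Adprep silently renames to
            # DUP-<name>-<guid> instead of stopping.
            conflicts.append(Conflict("ldapdisplayname", ldn, by_ldn[ldn.lower()], dn))
    return conflicts


# Constructed sample of an existing schema export: a third-party attribute that
# reused RFC OID 2.5.4.45 under its own name, an Exchange 2000 attribute whose
# display name collides (its OID here is made up), and one attribute that an
# earlier run already added.
EXISTING_SCHEMA_LDIF = """\
dn: CN=UniqueID,CN=Schema,CN=Configuration,DC=ADPREP,DC=com
attributeID: 2.5.4.45
lDAPDisplayName: uniqueID

dn: CN=MS-Exchange-HouseIdentifier,CN=Schema,CN=Configuration,DC=ADPREP,DC=com
attributeID: 1.2.840.113556.1.2.9999
lDAPDisplayName: HouseIdentifier

dn: CN=Already-Present,CN=Schema,CN=Configuration,DC=ADPREP,DC=com
attributeID: 1.2.840.113556.1.4.8888
lDAPDisplayName: alreadyPresent
"""

# Constructed stand-in for the additions a forestprep LDIF file would make.
FORESTPREP_LDIF = """\
dn: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: add
attributeID: 2.5.4.45
lDAPDisplayName: x500uniqueIdentifier

dn: CN=HouseIdentifier,CN=Schema,CN=Configuration,DC=X
changetype: add
attributeID: 2.5.4.51
lDAPDisplayName: houseIdentifier

dn: CN=Already-Present,CN=Schema,CN=Configuration,DC=X
changetype: add
attributeID: 1.2.840.113556.1.4.8888
lDAPDisplayName: alreadyPresent
"""

if __name__ == "__main__":
    for c in find_conflicts(EXISTING_SCHEMA_LDIF, FORESTPREP_LDIF):
        print(f'{c.kind}: "{c.value}" already used by {c.existing_dn}; wanted by {c.incoming_dn}')
```

Run against the samples, the script reports the UniqueID object as an OID conflict and the MS-Exchange-HouseIdentifier object as a display-name conflict, and stays silent on Already-Present. The check deliberately treats the display-name collision as a stop condition rather than tolerating the DUP- rename, which is the behaviour the SP1 Adprep adopts for the Exchange case.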
For more information about the terminology that is used in this article, click the following article number to view the article in the Microsoft Knowledge Base: 824684 Description of the standard terminology that is used to describe Microsoft software updates
Modification Type: Minor | Last Reviewed: 10/10/2005
Keywords: kbHotfixServer kbQFE kbBug kbfix kbQFE kbWinServ2003preSP1fix kbinfo KB324392 kbAudITPRO