Microsoft KB Archive/324392

From BetaArchive Wiki

Article ID: 324392

Article Last Modified on 7/24/2007



APPLIES TO

  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems



This article was previously published under Q324392


SUMMARY

The Active Directory Preparation Tool (Adprep.exe) in Microsoft Windows Server 2003 prepares a Microsoft Windows 2000 forest and its domains for the installation of Windows Server 2003 domain controllers. This article documents the enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 (SP1). This article also provides a hotfix that includes the updated version of Adprep.exe. You can apply this hotfix to update Adprep.exe even if you do not install Windows Server 2003 SP1.

Note We recommend that you always use the latest version of Adprep.exe to extend the schema.

MORE INFORMATION

To prepare a Windows 2000 forest to host new or upgraded Windows Server 2003 domain controllers, run the adprep /forestprep command on the schema operations master, and then run the adprep /domainprep command on the infrastructure operations master in each domain.
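
The two role holders named above are easy to get wrong in a multi-domain forest, and the updated Adprep described later in this article refuses to extend the schema unless the schema master has completed an inbound replication of the schema partition since it last started. The following PowerShell functions are an added example, not part of this article or of Adprep: they resolve both role holders from the directory and check that replication condition up front, so it is verified before adprep /forestprep is run instead of being discovered from its error message. Assumptions: the script runs from a domain-joined management workstation (PowerShell is not available on Windows Server 2003 itself) with repadmin.exe on the path, and the schema master accepts a WinRM query for its boot time.

```powershell
# Added example, not part of this article or of Adprep. Locates the role
# holders on which adprep /forestprep and adprep /domainprep must run, and
# checks the schema master against Adprep's InitSync requirement: at least
# one successful inbound replication of the schema partition since the
# schema master last started. Assumptions: domain-joined machine,
# repadmin.exe on the path, schema master reachable over WinRM.
function Get-AdprepTargets {
    $root     = [ADSI]'LDAP://RootDSE'
    $schemaNC = $root.schemaNamingContext.Value
    $domainNC = $root.defaultNamingContext.Value

    # fSMORoleOwner holds the DN of the role holder's NTDS Settings object;
    # its parent is the server object, which carries dNSHostName.
    function Resolve-RoleOwner([string]$Dn) {
        $holder   = [ADSI]"LDAP://$Dn"
        $settings = [ADSI]"LDAP://$($holder.fSMORoleOwner.Value)"
        $server   = $settings.psbase.Parent
        $server.dNSHostName.Value
    }

    [pscustomobject]@{
        SchemaNC             = $schemaNC
        SchemaMaster         = Resolve-RoleOwner $schemaNC                      # adprep /forestprep runs here
        InfrastructureMaster = Resolve-RoleOwner "CN=Infrastructure,$domainNC"  # adprep /domainprep runs here (per domain)
    }
}

function Test-SchemaMasterInitSync {
    param(
        [Parameter(Mandatory)][string]$SchemaMaster,
        [Parameter(Mandatory)][string]$SchemaNC
    )
    $boot = (Get-CimInstance Win32_OperatingSystem -ComputerName $SchemaMaster).LastBootUpTime

    # repadmin /showrepl /csv lists every inbound partner per naming context
    # with its "Last Success Time"; keep the newest one for the schema NC.
    $rows = repadmin /showrepl $SchemaMaster /csv | ConvertFrom-Csv
    $last = $rows |
        Where-Object { $_.'Naming Context' -eq $SchemaNC } |
        ForEach-Object {
            $t = [datetime]::MinValue
            if ([datetime]::TryParse($_.'Last Success Time', [ref]$t)) { $t }   # skips "(never)"-style values
        } |
        Sort-Object | Select-Object -Last 1

    [pscustomobject]@{
        SchemaMaster          = $SchemaMaster
        LastBoot              = $boot
        LastInboundSchemaSync = $last
        # The schema master must have replicated inbound after its last restart.
        ReadyForForestPrep    = ($null -ne $last -and $last -gt $boot)
    }
}

# Usage: run the check, then run Adprep on the DCs it names.
# $t = Get-AdprepTargets
# Test-SchemaMasterInitSync -SchemaMaster $t.SchemaMaster -SchemaNC $t.SchemaNC
```

If ReadyForForestPrep is false, force replication of the schema partition into the schema master from one partner (for example with repadmin /replicate, or from the Sites and Services snap-in as the Adprep error message suggests) and re-run the check before starting adprep /forestprep. The infrastructure master returned here is the one for the domain the workstation is joined to; repeat the lookup against each domain's naming context before running adprep /domainprep elsewhere.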

The updated version of Adprep.exe supports the following commands and enhancements. These enhancements help administrators successfully upgrade to Windows Server 2003.

  • adprep /forestprep

    The adprep /forestprep command performs the same operations as in the original release version of Windows Server 2003. The syntax of this command is unchanged. Enhancements include better error message handling in configurations that prevent the adprep /forestprep command from successfully running.
  • adprep /domainprep

    In Windows Server 2003 without service packs, the adprep /domainprep command adds more restrictive security descriptors to all Group Policy objects (GPOs) in the SYSVOL shared resource. When you modify the permissions on all the GPOs in the SYSVOL tree, the NT File Replication service (NTFRS) on the originating domain controller must send all the GPOs to all the other domain controllers in that domain. Some network infrastructures that contain many domain controllers or GPOs may already be under stress if they are connected by slow network links. When the adprep /domainprep command is used, the incremental overhead from the full synchronization of GPOs in the SYSVOL shared resource may overload such networks. To resolve this problem, the updated version of Adprep.exe decouples the modification of permissions in the SYSVOL shared resource from the other operations that are performed by the adprep /domainprep command.

    In the version of Adprep.exe that is included with Windows Server 2003 SP1, the adprep /domainprep command performs the same operations as in the earlier version of Adprep.exe. However, the updated command does not modify permissions on GPOs unless you use the new /gpprep switch. After you install the updated version of Adprep.exe, you receive the following message when you run the adprep /domainprep command:

    The new cross domain planning functionality for Group Policy, RSOP Planning Mode, requires file system and Active Directory permissions to be updated for existing Group Policy Objects (GPOs). You can enable this functionality at any time by running "adprep.exe /domainprep /gpprep" on the DC that holds the infrastructure operations master role.

    This operation will cause all GPOs located in the policies folder of the SYSVOL to be replicated once between the domain controllers in this domain. Microsoft recommends reading KB Q324392, particularly if you have a large number of Group Policy Objects.

  • adprep /domainprep /gpprep

    The functionality of the adprep /domainprep /gpprep command depends on the state of the domain. If the updated adprep /domainprep command has not been run, this command is the functional equivalent of the adprep /domainprep command in the original release of Windows Server 2003. In these circumstances, the command performs all the domain operations that are listed in Microsoft Knowledge Base article 309628, including setting the permissions on the GPOs in SYSVOL. If the updated adprep /domainprep command has already been run, the adprep /domainprep /gpprep command adds only the inheritable access control entries (ACEs) on the GPOs in the SYSVOL shared resource. These additional ACEs give enterprise domain controllers read access to the GPOs. This access is required to support Resultant Set of Policy (RSoP) planning mode for site-based policy.
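
Because adprep /domainprep /gpprep causes a one-time replication of every GPO in SYSVOL, it is worth knowing beforehand whether the ACEs it adds are already present. The following PowerShell function is an added example, not part of this article or of Adprep: it reads the ACL of the Policies folder and of each GPO folder under it and reports which ones lack an Allow ACE granting Read to Enterprise Domain Controllers (the well-known SID S-1-5-9), and whether that ACE is inheritable. The SYSVOL path layout and the exact rights Adprep sets are assumptions; the article only states that the ACEs grant enterprise domain controllers read access. This covers the file-system half only; Adprep also updates permissions on the GPO objects in Active Directory, which this check does not look at.

```powershell
# Added example, not part of this article or of Adprep. Reports GPO folders
# in SYSVOL that lack an Allow ACE granting Read to Enterprise Domain
# Controllers (S-1-5-9), the ACE that "adprep /domainprep /gpprep" adds,
# and whether that ACE is inheritable. The layout
# \\<domain>\SYSVOL\<domain>\Policies is an assumption.
function Test-GpPrepAce {
    param(
        [Parameter(Mandatory)]
        [string]$PoliciesPath    # e.g. \\contoso.com\SYSVOL\contoso.com\Policies
    )
    $edcSid = 'S-1-5-9'          # NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
    $needed = [System.Security.AccessControl.FileSystemRights]::Read
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $ci     = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $oi     = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

    # Allow ACEs for S-1-5-9 (explicit or inherited) whose rights cover Read.
    function Get-EdcReadRule([string]$Path) {
        $acl = Get-Acl -LiteralPath $Path
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.IdentityReference.Value -eq $edcSid -and
                $_.AccessControlType -eq $allow -and
                (($_.FileSystemRights -band $needed) -eq $needed)
            }
    }

    $folders = @(Get-Item -LiteralPath $PoliciesPath) +
               @(Get-ChildItem -LiteralPath $PoliciesPath -Directory)
    foreach ($dir in $folders) {
        $rules = @(Get-EdcReadRule $dir.FullName)
        [pscustomobject]@{
            Path        = $dir.FullName
            HasEdcRead  = ($rules.Count -gt 0)
            # True when the ACE flows to sub-folders and files, as /gpprep sets it.
            Inheritable = [bool]($rules | Where-Object {
                ($_.InheritanceFlags -band $ci) -eq $ci -and
                ($_.InheritanceFlags -band $oi) -eq $oi })
        }
    }
}

# Usage: list the folders that adprep /domainprep /gpprep would still change.
# Test-GpPrepAce -PoliciesPath '\\contoso.com\SYSVOL\contoso.com\Policies' |
#     Where-Object { -not $_.HasEdcRead -or -not $_.Inheritable }
```

Run it against the SYSVOL share of the domain controller that holds the infrastructure master role, since that is where Adprep writes. An empty result means the file-system side of /gpprep is already in place and running the command again would not change the ACLs; a long list is the signal to schedule the command for a quiet period, as the article recommends for domains with many GPOs.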

For additional information about Adprep.exe in the original release version of Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

309628 Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest


Because of these enhancements, we recommend that you use the updated version of Adprep.exe.

Hotfix information

A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

Prerequisites

No prerequisites are required.

Restart requirement

You do not have to restart your computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, 32-bit versions
   Date         Time   Version            Size  File name
   -----------------------------------------------------------------
   23-Jul-2004  09:04  5.2.3790.196    397,824  Adprep.exe
Windows Server 2003, 64-bit versions
   Date         Time   Version            Size  File name   Platform
   -----------------------------------------------------------------
   23-Jul-2004  09:05  5.2.3790.196  1,071,616  Adprep.exe     IA-64

To integrate the updated file that this hotfix provides with the files on the original Windows Server 2003 installation CD, follow these steps:

  1. Copy the contents of the \I386 folder from the Windows Server 2003 CD to your computer.
  2. Download the 194432_ENU_i386_zip.exe hotfix file to your computer.
  3. In Windows Explorer, locate and then double-click the hotfix file.
  4. When you are prompted, specify a folder for the extracted files.
  5. Locate and double-click the WindowsServer2003-KB324392-x86-enu.exe file.

     Note This file is in the folder that you specified in step 4.
  6. When you are prompted to specify a folder for the extracted files, type the path of the \I386 folder that you copied from the Windows Server 2003 CD in step 1.

At a command prompt, run the adprep command and its command line arguments from the \I386 folder.

Other enhancements to Adprep.exe

Besides the enhancements that have already been mentioned, the updated version of Adprep.exe includes the following enhancements:

  • The adprep /forestprep command introduces forest-wide and domain-wide schema changes.

    To enable the adprep /forestprep command to introduce schema changes, the domain controller that holds the schema operations master role must be operational on the network. Additionally, this domain controller must have performed an inbound replication of the schema partition (CN=Schema) since it was last restarted.

    If the adprep /forestprep command cannot introduce the schema changes, you receive the following error message:

    Adprep was unable to extend the schema.
    [Status/Consequence]
    The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.
    [User Action]
    Verify that the schema master is connected to the network and can communicate with other domain controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.

    The original release version of the Windows Server 2003 adprep /forestprep command does not display this error message.
  • The adprep /forestprep command uses the Schupgr.exe utility to implement schema additions.

    If Windows 2000 domain controllers contain schema extensions that are not compatible with Windows Server 2003 schema extensions, the Schupgr.exe utility and the adprep /forestprep command cannot implement all schema additions. In this scenario, the adprep /forestprep command detects probable conflicting schema extensions and reports them to the user before it upgrades the schema.
  • The InitSync failure warning is changed.

    For the adprep /forestprep command to make schema updates to the forest, the schema operations master must meet the InitSync requirement: it must have performed an inbound replication of the schema partition from at least one other domain controller in the forest since it last started. If the schema master cannot perform this inbound replication, the schema master role is not available, and the adprep /forestprep command fails. In Windows Server 2003 without service packs, the error message that is generated in this situation does not correctly identify the InitSync problem.

    The version of Adprep.exe that is included with Windows Server 2003 SP1 correctly identifies the Initsync problem and generates the following error message:

    ADPREP was unable to extend the schema.
    [Status/Consequence]
    The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.
    [User Action]
    Verify that the schema master is connected to the network and can communicate with other domain controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run ADPREP again.

  • Adprep performs schema verification.

    You might experience difficulty with the adprep /forestprep command when you run the version of Adprep.exe that is included with Windows Server 2003 without service packs and the schema contains extensions that are not valid. Such extensions, typically installed by third-party programs, reuse an RFC-defined object identifier (OID) or a Microsoft-reserved schema definition on an object that has a different distinguished name (DN) path or a different LDAP display name from the one that the Windows Server 2003 schema expects.

    In the version of Adprep.exe that is included in Windows Server 2003 without service packs, the Adprep log file does not clearly indicate the affected Active Directory attribute. Therefore, you must manually identify the incorrect attribute among all the additions that are made by one of the LDAP Data Interchange Format (LDIF) files that Adprep imports. Typically, this file is the Sch18.ldf file.

    In the version of Adprep.exe that is included with Windows Server 2003 SP1, Adprep validates the schema before the adprep /forestprep command proceeds. If Adprep detects an incompatible schema extension, the command stops and generates an error message that is similar to the following. The error message logs the object identifier and the distinguished name of the conflicting object.

    OID "2.5.4.45" defined for object CN=UniqueID,CN=Schema,CN=Configuration,DC=ADPREP,DC=com conflicts with the schema extensions needed for Windows 2003.

    [Status/Consequence]

    ADPREP will not extend your existing schema.

    [User Action]

    Contact the vendor of the application that extended the schema with the OID value "2.5.4.45" and resolve this inconsistency. Then run ADPREP again.

    In this situation, you must contact the vendor of the program that added the schema extensions that are not valid and have the vendor correct the schema object. The vendor must then update the program so that it works with the corrected schema object.

    In the example that appears in this error message, the vendor must change the UniqueID relative distinguished name to MyUniqueID or to any other name that does not collide with the Windows Server 2003 schema.

    The other form of this problem is an extension that has its own relative distinguished name but reuses a reserved object identifier. For example, a program may have added an object named myinetOrg that uses the object identifier that belongs to inetOrg. In this case, the solution is to rename myinetOrg to inetOrg so that the existing object matches the Windows Server 2003 definition, and then to add a new extension for the program, under its own object identifier, together with a program update.
  • Exchange InetOrgPerson detection is added.

    Consider the following scenario:
    • You extend the schema by using the version of Adprep that is included with Windows Server 2003 without service packs.
    • The schema has been extended by Microsoft Exchange 2000 Server.
    • The InetOrgPerson fix has not been applied.

    In this scenario, you receive no error message. The schema is extended, but the LDAP display names of the following three Exchange attributes are damaged:

    • MS-Exchange-HouseIdentifier
    • MS-Exchange-Secretary
    • MS-Exchange-LabeledURI

    One example of this problem is the following.

    Exchange 2000 schema without the InetOrgPerson fix

       Object type       Value
       ---------------------------------------------------------------
       Attribute         MS-Exchange-HouseIdentifier
       LDAPDisplayName   HouseIdentifier

    Windows Server 2003 schema extension

       Object type       Value
       ---------------------------------------------------------------
       Attribute         HouseIdentifier
       LDAPDisplayName   HouseIdentifier

    Because LDAP display names must be unique in the schema and the Windows Server 2003 schema requires the HouseIdentifier LDAPDisplayName, the Windows Server 2003 schema update damages the existing HouseIdentifier LDAPDisplayName that Exchange 2000 added. After the adprep /forestprep command finishes running, the LDAPDisplayName of the MS-Exchange-HouseIdentifier attribute appears as follows.

       Object type       Value
       ---------------------------------------------------------------
       Attribute         HouseIdentifier
       LDAPDisplayName   DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef

    The updated version of Adprep that is included in Windows Server 2003 SP1 correctly detects Exchange 2000 schema extensions. If the Exchange 2000 schema was not updated by the InetOrgPerson fix, Adprep logs a message that directs the user to article 325379. The message also directs the user to resolve the schema conflict before running Adprep. In this situation, Adprep generates the following error message:

    ADPREP was unable to extend the schema.

    [Status/Consequence]

    There is a schema conflict with Exchange 2000. The schema is not upgraded.

    [User Action]

    The schema conflict must be resolved before running ADPREP. Resolve the schema conflict, allow the change to replicate between all replication partners, and then run ADPREP. For information on resolving the conflict, see Microsoft Knowledge Base article Q325379
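
Both of the last two enhancements (schema verification and the Exchange InetOrgPerson detection) come down to the same two comparisons between what the forest schema already holds and what the Adprep LDIF files would add: an OID that an existing object already uses under a different name, and an lDAPDisplayName that an existing object with a different OID already uses. The following PowerShell is an added example, not part of this article or of Adprep, that performs those two comparisons over constructed LDIF data so the reasoning can be followed offline. The sample entries are made up for the demonstration: the first pair reuses the OID 2.5.4.45 from the article's example error message under the name UniqueID, the second pair reproduces the houseIdentifier display-name collision with a made-up OID for the Exchange attribute, and the third pair is an attribute that is already present and identical, which produces no report. The Sch18.ldf-style placeholder DC=X in the additions is the only thing taken from the real file format.

```powershell
# Added example, not part of this article or of Adprep. Replays the two
# pre-checks this section describes against constructed LDIF data: an OID
# already used by an existing object under another name, and an
# lDAPDisplayName already taken by an object with a different OID.
# All sample entries, including the Exchange attribute's OID, are made up.

function ConvertFrom-Ldif {
    # Minimal LDIF reader: blank-line separated records, '#' comments and
    # folded continuation lines. Base64 ("::") values are kept undecoded,
    # which is fine for the OID and display-name fields compared here.
    param([Parameter(Mandatory)][string]$Text)
    $records = @(); $current = $null; $lastKey = $null
    foreach ($raw in ($Text -split '\r?\n')) {
        if ($raw -match '^\s*$') { if ($current) { $records += $current; $current = $null }; continue }
        if ($raw.StartsWith('#')) { continue }
        if ($raw.StartsWith(' ') -and $current) {      # folded line: append to previous value
            $vals = $current[$lastKey]; $vals[-1] += $raw.Substring(1); continue
        }
        $key, $value = $raw -split ':', 2
        if ($null -eq $value) { continue }
        if ($null -eq $current) { $current = @{} }     # hashtable keys are case-insensitive
        if (-not $current.ContainsKey($key)) { $current[$key] = @() }
        $current[$key] += $value.Trim()
        $lastKey = $key
    }
    if ($current) { $records += $current }
    $records
}

function Get-SchemaEntry {
    # Projects an LDIF record onto the three fields the conflict check needs.
    param([Parameter(Mandatory)][hashtable]$Record)
    function First([string]$Key) { if ($Record.ContainsKey($Key)) { $Record[$Key][0] } else { $null } }
    $oid = First 'attributeID'
    if (-not $oid) { $oid = First 'governsID' }        # classSchema objects use governsID
    [pscustomobject]@{ Dn = First 'dn'; Oid = $oid; Name = First 'lDAPDisplayName' }
}

function Find-SchemaConflict {
    param([Parameter(Mandatory)][object[]]$Existing, [Parameter(Mandatory)][object[]]$Additions)
    $byOid = @{}; $byName = @{}
    foreach ($e in $Existing) {
        if ($e.Oid)  { $byOid[$e.Oid]   = $e }
        if ($e.Name) { $byName[$e.Name] = $e }
    }
    foreach ($a in $Additions) {
        if (-not $a.Oid) { continue }
        $sameOid  = $byOid[$a.Oid]
        $sameName = if ($a.Name) { $byName[$a.Name] } else { $null }
        # Same OID and same display name: the object is already present, nothing to do.
        if ($sameOid -and $sameOid.Name -eq $a.Name) { continue }
        if ($sameOid) {
            [pscustomobject]@{ Kind = 'OidConflict'; Oid = $a.Oid; Addition = $a.Dn; Existing = $sameOid.Dn
                Detail = "OID $($a.Oid) is already defined for $($sameOid.Dn)" }
        }
        if ($sameName -and $sameName.Oid -ne $a.Oid) {
            [pscustomobject]@{ Kind = 'DisplayNameConflict'; Oid = $a.Oid; Addition = $a.Dn; Existing = $sameName.Dn
                Detail = "lDAPDisplayName '$($a.Name)' is already used by $($sameName.Dn) (OID $($sameName.Oid)); importing anyway would rename it to DUP-$($a.Name)-<GUID>" }
        }
    }
}

# Constructed sample: what a forest might hold before /forestprep (made-up entries).
$existingLdif = @'
dn: CN=UniqueID,CN=Schema,CN=Configuration,DC=ADPREP,DC=com
attributeID: 2.5.4.45
lDAPDisplayName: uniqueID

dn: CN=MS-Exchange-HouseIdentifier,CN=Schema,CN=Configuration,DC=ADPREP,DC=com
attributeID: 1.2.840.113556.1.4.7000.102.999
lDAPDisplayName: houseIdentifier

dn: CN=Surname,CN=Schema,CN=Configuration,DC=ADPREP,DC=com
attributeID: 2.5.4.4
lDAPDisplayName: sn
'@

# Constructed sample in the style of Sch18.ldf (DC=X is the file's placeholder).
$additionsLdif = @'
dn: CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=X
attributeID: 2.5.4.45
lDAPDisplayName: x500uniqueIdentifier

dn: CN=houseIdentifier,CN=Schema,CN=Configuration,DC=X
attributeID: 2.5.4.51
lDAPDisplayName: houseIdentifier

dn: CN=Surname,CN=Schema,CN=Configuration,DC=X
attributeID: 2.5.4.4
lDAPDisplayName: sn
'@

$existing  = @(ConvertFrom-Ldif $existingLdif  | ForEach-Object { Get-SchemaEntry $_ })
$additions = @(ConvertFrom-Ldif $additionsLdif | ForEach-Object { Get-SchemaEntry $_ })
Find-SchemaConflict -Existing $existing -Additions $additions | Format-Table Kind, Oid, Existing, Detail -Wrap
```

To run the same check against a real forest before adprep /forestprep, build $existing from a DirectorySearcher over the schema naming context (filter (|(attributeID=*)(governsID=*)), returning distinguishedName, attributeID, governsID and lDAPDisplayName) and $additions from the Sch*.ldf files in the \I386 folder. The OID comparison is what the updated Adprep performs before it extends the schema; the display-name comparison is the case the original Adprep silently resolved by renaming the existing attribute to a DUP- name, which is why the Exchange InetOrgPerson fix has to be applied first.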

For more information about the terminology that is used in this article, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates



Additional query words: share shares Group Policies deployment execute executing

Keywords: kbhotfixserver kbqfe kbbug kbfix kbqfe kbwinserv2003presp1fix kbinfo KB324392