Article ID: 324392
Article Last Modified on 7/24/2007
APPLIES TO
- Microsoft Windows Server 2003 Service Pack 1, when used with:
  - Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  - Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  - Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  - Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  - Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
This article was previously published under Q324392
SUMMARY
The Active Directory Preparation Tool (Adprep.exe) in Microsoft Windows Server 2003 prepares a Microsoft Windows 2000 forest and its domains for the installation of Windows Server 2003 domain controllers. This article documents the enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 (SP1). This article also provides a hotfix that includes the updated version of Adprep.exe. You can apply this hotfix to update Adprep.exe even if you do not install Windows Server 2003 SP1.
Note We recommend that you always use the latest version of Adprep.exe to extend the schema.
MORE INFORMATION
To prepare a Windows 2000 forest to host new or upgraded Windows Server 2003 domain controllers, run the adprep /forestprep command on the schema operations master, and then run the adprep /domainprep command on the infrastructure operations master in each domain.
The updated version of Adprep.exe supports the following commands and enhancements. These enhancements help administrators successfully upgrade to Windows Server 2003.
- adprep /forestprep
The adprep /forestprep command performs the same operations as in the original release version of Windows Server 2003. The syntax of this command is unchanged. Enhancements include better error message handling in configurations that prevent the adprep /forestprep command from successfully running.
- adprep /domainprep
In Windows Server 2003 without service packs, the adprep /domainprep command adds more restrictive security descriptors to all Group Policy objects (GPOs) in the SYSVOL shared resource. When you modify the permissions on all the GPOs in the SYSVOL tree, the NT File Replication service (NTFRS) on the originating domain controller must send all the GPOs to all the other domain controllers in that domain. Some network infrastructures that contain many domain controllers or GPOs may already be under stress if they are connected by slow network links. When the adprep /domainprep command is used, the incremental overhead from the full synchronization of GPOs in the SYSVOL shared resource may overload such networks. To resolve this problem, the updated version of Adprep.exe decouples the modification of permissions in the SYSVOL shared resource from the other operations that are performed by the adprep /domainprep command.
In the version of Adprep.exe that is included with Windows Server 2003 SP1, the adprep /domainprep command performs the same operations as in the earlier version of Adprep.exe. However, the updated command does not modify permissions on GPOs unless you use the new /gpprep switch. After you install the updated version of Adprep.exe, you receive the following message when you run the adprep /domainprep command:
- adprep /domainprep /gpprep
The functionality of the adprep /domainprep /gpprep command depends on the state of the domain. If the updated adprep /domainprep command has not been run, this command is the functional equivalent of the adprep /domainprep command in the original release of Windows Server 2003. In these circumstances, the command performs all the domain operations that are listed in Microsoft Knowledge Base article 309628. These operations include setting the permissions for GPOs in the SYSVOL shared resource. If the updated adprep /domainprep command has already been run, the adprep /domainprep /gpprep command adds only the inheritable access control entries (ACEs) on GPOs in the SYSVOL shared resource. The additional ACEs give enterprise domain controllers read access permissions on GPOs. These permissions are required to support Resultant Set of Policy (RSoP) functionality for site-based policy.
For additional information about Adprep.exe in the original release version of Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
309628 Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest
Because of these enhancements, we recommend that you use the updated version of Adprep.exe.
Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.
To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:
Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:
Prerequisites
No prerequisites are required.
Restart requirement
You do not have to restart your computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Server 2003, 32-bit versions
Date         Time   Version       Size     File name
-----------------------------------------------------
23-Jul-2004  09:04  5.2.3790.196  397,824  Adprep.exe
Windows Server 2003, 64-bit versions
Date         Time   Version       Size       File name   Platform
------------------------------------------------------------------
23-Jul-2004  09:05  5.2.3790.196  1,071,616  Adprep.exe  IA-64
To integrate the updated file that this hotfix provides with the files on the original Windows Server 2003 installation CD, follow these steps:
1. Copy the contents of the \I386 folder from the Windows Server 2003 CD to your computer.
2. Download the 194432_ENU_i386_zip.exe hotfix file to your computer.
3. In Windows Explorer, locate and then double-click the hotfix file.
4. When you are prompted, specify a folder for the extracted files.
5. Locate and double-click the WindowsServer2003-KB324392-x86-enu.exe file.
   Note This file is in the folder that you specified in step 4.
6. When you are prompted to specify a folder for the extracted files, type the path of the \I386 folder that you copied from the Windows Server 2003 CD in step 1.
At a command prompt, run the adprep command and its command line arguments from the \I386 folder.
Other enhancements to Adprep.exe
Besides the enhancements that have already been mentioned, the updated version of Adprep.exe includes the following enhancements:
- The adprep /forestprep command introduces forest-wide and domain-wide schema changes.
To enable the adprep /forestprep command to introduce schema changes, the domain controller that holds the role of schema operations master must be operational on the network. Additionally, this domain controller must have performed inbound replication of the CN=Schema partitions since the domain controller was last restarted.
If the adprep /forestprep command cannot introduce the schema changes, you receive the following error message:
The original release version of the Windows Server 2003 adprep /forestprep command does not display this error message.
- The adprep /forestprep command uses the Schupgr.exe utility to implement schema additions.
If Windows 2000 domain controllers contain schema extensions that are not compatible with Windows Server 2003 schema extensions, the Schupgr.exe utility and the adprep /forestprep command cannot implement all schema additions. In this scenario, the adprep /forestprep command detects probable conflicting schema extensions and reports them to the user before it upgrades the schema.
- The Initsync failure warning is changed.
For the adprep /forestprep command to make schema updates to the forest, the Schema Master operations master must meet InitSync requirements by performing an inbound replication of the schema partition from at least one other domain controller in the forest. If the Schema Master cannot successfully perform this inbound replication, the Schema Master role will not be available. This problem causes the adprep /forestprep command to fail. In Windows Server 2003 without service packs, the error message that is generated in this situation does not correctly identify this Initsync problem.
The version of Adprep.exe that is included with Windows Server 2003 SP1 correctly identifies the Initsync problem and generates the following error message:
- Adprep performs schema verification.
You might experience difficulty with the adprep /forestprep command when you run the version of Adprep.exe that is included with Windows Server 2003 without service packs, and you have schema extensions that are not valid. These schema extensions may have been installed by third-party programs. These schema extensions incorrectly obtain either RFC-defined object identifiers or Microsoft-reserved schema definitions. Then, the schema extensions use these definitions on objects that have a different distinguished name (DN) path or a different LDAP display name.
In the version of Adprep.exe that is included in Windows Server 2003 without service packs, the Adprep log file does not clearly indicate the affected Active Directory attribute. Therefore, you must manually identify the incorrect attribute among all the possible additions that are made by one of the LDAP directory interchange format files. Typically, this file is the Sch18.ldf file.
In the version of Adprep.exe that is included with Windows Server 2003 SP1, Adprep validates the schema before the adprep /forestprep command proceeds. If Adprep detects an incompatible schema extension, the command stops. The command then generates an error message that is similar to the following error message. This error message logs the object identifier and the distinguished name of the problem object.
In this situation, you must contact the vendor of the program that added the schema extensions that are not valid and have the vendor correct the schema object. Then, the vendor must update the program so that the program works with the corrected schema object.
You can also add a relative distinguished name and use a valid object identifier. For example, you can add myinetOrg together with the correct object identifier for inetOrg. In this example, the solution is to rename myinetOrg to inetOrg and then to add a new extension for the program together with a program update.
In the example that appears in this error message, the vendor must change the UniqueID relative distinguished name to MyUniqueID or to any other name.
- Exchange InetOrgPerson detection is added.
Consider the following scenario:
- You extend the schema by using the version of Adprep that is included with Windows Server 2003 without service packs.
- The schema has been extended by Microsoft Exchange 2000 Server.
- The InetOrgPerson fix has not been applied.
In this scenario, you receive no error message. The schema is extended, but the LDAP display names of the following three Exchange attributes are damaged:
- MS-Exchange-HouseIdentifier
- MS-Exchange-Secretary
- MS-Exchange-LabeledURI
One example of this problem is the following.
Exchange 2000 schema without InetOrgPerson fix
Object type      Value
----------------------------------------------
Attribute        MS-Exchange-HouseIdentifier
LDAPDisplayName  HouseIdentifier

Windows Server 2003 schema extension
Object type      Value
----------------------------------------------
Attribute        HouseIdentifier
LDAPDisplayName  HouseIdentifier

Because the Windows Server 2003 schema requires the HouseIdentifier LDAPDisplayName, the Windows Server 2003 schema update damages the existing HouseIdentifier LDAPDisplayName that Exchange 2000 added. After the adprep /forestprep command finishes running, the LDAPDisplayName of the MS-Exchange-HouseIdentifier appears as follows.

Object type      Value
----------------------------------------------
Attribute        HouseIdentifier
LDAPDisplayName  DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef

The updated version of Adprep that is included in Windows Server 2003 SP1 correctly detects Exchange 2000 schema extensions. If the Exchange 2000 schema was not updated by the InetOrgPerson fix, Adprep logs a message that directs the user to article 325379. The message also directs the user to resolve the schema conflict before running Adprep. In this situation, Adprep generates the following error message:
For more information about the terminology that is used in this article, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
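The Exchange InetOrgPerson conflict described above can also be checked offline against an LDIF export of the schema partition. The following is an added example, not code from Microsoft or from Adprep.exe. It assumes that the export contains the cn and lDAPDisplayName attributes, that the display names of the other two attributes are secretary and labeledURI, and that Exchange attribute names begin with "ms-Exch"; the sample records and the DC=example,DC=com domain are constructed.

```python
import re

# Display names of the three attributes the article lists (the last two are assumed).
RESERVED = {"houseidentifier", "secretary", "labeleduri"}
# Mangled form shown in the article: DUP-<name>-<GUID>
DUP_RE = re.compile(r"^DUP-([^-]+)-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_ldif(text):
    """Split an LDIF export into one {attribute: value} dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        block = re.sub(r"\n ", "", block)  # unfold LDIF continuation lines
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            rec.setdefault(key.strip().lower(), value.strip())
        if rec:
            records.append(rec)
    return records

def check_schema(text):
    """Return (status, cn, lDAPDisplayName) for each affected Exchange attribute."""
    findings = []
    for rec in parse_ldif(text):
        cn, name = rec.get("cn", ""), rec.get("ldapdisplayname", "")
        dup = DUP_RE.match(name)
        if dup and dup.group(1).lower() in RESERVED:
            findings.append(("mangled", cn, name))   # forestprep already ran
        elif name.lower() in RESERVED and cn.lower().startswith("ms-exch"):
            findings.append(("conflict", cn, name))  # resolve before forestprep
    return findings

# Constructed sample records; DC=example,DC=com is a placeholder domain.
BEFORE = """\
dn: CN=MS-Exchange-HouseIdentifier,CN=Schema,CN=Configuration,DC=example,DC=com
cn: MS-Exchange-HouseIdentifier
lDAPDisplayName: HouseIdentifier

dn: CN=Given-Name,CN=Schema,CN=Configuration,DC=example,DC=com
cn: Given-Name
lDAPDisplayName: givenName
"""
AFTER = BEFORE.replace("lDAPDisplayName: HouseIdentifier",
    "lDAPDisplayName: DUP-houseIdentifier-354b0ca8-9b6c-4722-aae7-e66906cc9eef")

if __name__ == "__main__":
    for label, ldif in (("before", BEFORE), ("after", AFTER)):
        print(label, check_schema(ldif))
```

A "conflict" finding corresponds to the state in which the updated Adprep stops and refers to article 325379; a "mangled" finding means the schema was already extended without the InetOrgPerson fix.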