Jorge's Quest For Knowledge!


(2013-12-22) When To Use ForestPrep, DomainPrep And RODCPrep

Posted by Jorge on 2013-12-22


A dear friend of mine asked me the following question:

Let’s say you have a W2K3 forest and you want to upgrade to W2K8, W2K8R2, W2K12 or W2K12R2

  • Under which circumstances do you need to (re)run /DomainPrep?
  • Under which circumstances do you need to (re)run /RODCPrep?

When upgrading AD you need to run ADPREP with /ForestPrep, later with /DomainPrep and finally with /RODCPrep. However, is there ANY scenario where you would need to RErun ADPREP with any of those options?

This document explains how to prepare an AD forest.

This document explains how to prepare an AD domain.

This document explains how to prepare an AD forest/domain for RODCs.

For upgrading AD forests/domains you might also want to have a look at the following:

Let’s assume you have an AD forest with multiple AD domains and all DCs are running W2K3.

[When To Run ADPREP /ForestPrep]

To be able to support an up-level DC in the W2K3 AD forest, you must execute ADPREP /ForestPrep in that AD forest. That command targets the Schema Master, updates the AD schema and performs the other forest-wide updates needed to support, at most, the OS version of the DC you want to implement, i.e. the OS version that belongs to the same ADPREP version. You only need to execute this ONCE per AD forest!

For an example of W2K8 Forest-Wide Updates, see this.

For an example of W2K8 Schema Updates, see this.

[When To Run ADPREP /DomainPrep]

To be able to support an up-level DC in any of the W2K3 AD domains within the AD forest, you must execute ADPREP /DomainPrep in every W2K3 AD domain within the AD forest where you want to support up-level DCs. That command targets the Infrastructure Master and updates the AD domain configuration to support, at most, the OS version of the DC you want to implement, i.e. the OS version that belongs to the same ADPREP version. You only need to execute this ONCE per AD domain! However, if you, in addition to the upgrade, create a new AD domain running the latest available OS version, it IS NOT needed to run ADPREP /DomainPrep in that new domain. If instead you create a new AD domain running a lower OS version than the one you are upgrading to, it IS needed to run ADPREP /DomainPrep in that new domain. You might ask yourself why you would use an older OS version for the new AD domain and then upgrade it to the version you want, instead of using the latest OS version you need right away.

For an example of W2K8 Domain-Wide Updates, see this.

[When To Run ADPREP /RODCPrep]

To be able to support an up-level RODC in the W2K3 AD forest, you must execute ADPREP /RODCPrep in that AD forest. That command targets the Infrastructure Master of every domain NC and every application NC and updates the permissions of the domain/application NC (e.g. adding the Enterprise Read-Only Domain Controllers SID) to support, at most, the OS version of the RODC you want to implement, i.e. the OS version that belongs to the same ADPREP version. You must therefore make sure that every DC holding the Infrastructure Master role for every domain/application NC is available and up-and-running. You only need to execute this ONCE per AD forest! However, if you, in addition to the upgrade, create a new AD domain running the latest available OS version, it IS NOT needed to run ADPREP /RODCPrep for that new domain. Do you know why?

When running ADPREP /ForestPrep (not ADPREP /RODCPrep), the "defaultSecurityDescriptor" of the domainDNS classSchema object "CN=Domain-DNS,CN=Schema,CN=Configuration,<Forest Root Domain DN>" is also updated to include an ACE for the "Enterprise Read-Only Domain Controllers" security group (SID: S-1-5-21-<Domain>-498). This is done through forest-wide update 57, as shown below:


Figure 1: Forest-Wide Update #57 Updating The Default Security Descriptor Of The Domain-DNS Object

The "defaultSecurityDescriptor" of the domainDNS classSchema object is (for W2K8R2):

D:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1302963225-1802291915-4189581584-498)(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;LCRPLORC;;;AU)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RPRC;;;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)S:(AU;SA;WPWDWO;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

For this AD forest: S-1-5-21-1302963225-1802291915-4189581584-498 > "Enterprise Read-Only Domain Controllers" security group. (Be aware that this SID, although well-known, is different per AD forest, as it depends on the domain SID of the forest root AD domain.)

1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 > "Replicating Directory Changes" control access right.

Therefore, as soon as you create a new AD domain NC or application NC, the new NC object inherits these default permissions, including the ACE for the Enterprise Read-Only Domain Controllers group, from the defaultSecurityDescriptor of the schema object, which is why ADPREP /RODCPrep is not needed for it.
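As an added illustration (example code, not part of the post), the Python below parses the DACL of an SDDL string such as the defaultSecurityDescriptor above and reports whether it already carries the ACE that forest-wide update 57 adds, matching on RID 498 so that it works for any forest's domain SID. The SDDL excerpts are the first ACEs of the descriptor quoted above; the "before" variant is constructed by removing that ACE, and the RO check assumes the SDDL two-letter alias for the Enterprise Read-Only Domain Controllers group.

```python
import re

# Control access right GUID for "Replicating Directory Changes" (quoted on the page).
REPL_DIR_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")
# The ACE that forest-wide update 57 adds for the Enterprise Read-Only Domain Controllers group.
RODC_ACE = ("(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;"
            "S-1-5-21-1302963225-1802291915-4189581584-498)")

# Excerpt (first ACEs only) of the W2K8R2 domainDNS defaultSecurityDescriptor shown above.
AFTER_FORESTPREP = ("D:" + RODC_ACE + "(A;;RP;;;WD)"
                    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
                    "(A;;LCRPLORC;;;AU)S:(AU;SA;WPWDWO;;;WD)")
# Constructed: the same descriptor without the RODC ACE, i.e. before update 57 ran.
BEFORE_FORESTPREP = AFTER_FORESTPREP.replace(RODC_ACE, "")
# Constructed pitfall: "LCRPLORC" contains the substring "CR" yet grants no control access right.
PITFALL = "D:(A;;LCRPLORC;;;S-1-5-21-1302963225-1802291915-4189581584-498)"


def parse_dacl(sddl: str) -> list:
    """Split the D: section of an SDDL string into ACE dicts keyed by ACE_FIELDS."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)  # D:<dacl flags><aces>, stops at S:
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) >= len(ACE_FIELDS):  # conditional ACEs carry a 7th field; ignored here
            aces.append(dict(zip(ACE_FIELDS, fields)))
    return aces

def rights_of(ace: dict) -> set:
    """Rights are concatenated two-letter codes ("LCRPLORC" = LC, RP, LO, RC) or one hex mask."""
    r = ace["rights"]
    if r.startswith("0x"):
        return {r}
    return {r[i:i + 2] for i in range(0, len(r), 2)}

def is_enterprise_rodc_group(trustee: str) -> bool:
    """RID 498 under any S-1-5-21 domain SID (the prefix differs per forest), or the SDDL alias RO."""
    return trustee == "RO" or re.fullmatch(r"S-1-5-21(?:-\d+){3}-498", trustee) is not None

def grants_repl_changes_to_rodcs(sddl: str) -> bool:
    """True if an object-specific allow ACE grants Replicating Directory Changes to RID 498."""
    return any(ace["type"] == "OA" and "CR" in rights_of(ace)
               and ace["object_guid"].lower() == REPL_DIR_CHANGES
               and is_enterprise_rodc_group(ace["trustee"])
               for ace in parse_dacl(sddl))
```

On a live forest you would feed it the defaultSecurityDescriptor read from "CN=Domain-DNS,CN=Schema,CN=Configuration,<Forest Root Domain DN>" to confirm update 57 has been applied before relying on inheritance for new NCs.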

For an example of W2K8 RODC Updates, see this.

Cheers,
Jorge
