Running Adprep.exe
Updated: July 20, 2014
Applies To: Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server
2012, Windows Server 2012 R2
This topic explains what Adprep.exe is. It also provides links to step-by-step instructions for running Adprep.exe.
What is Adprep.exe?
Considerations for using Adprep.exe in Windows Server 2012 R2 and Windows Server 2012
Considerations for using Adprep.exe in Windows Server 2008 R2 and Windows Server 2008
Running Adprep.exe
What is Adprep.exe?
Adprep.exe is a command-line tool that is included on the installation disk of each version of Windows Server.
Adprep.exe performs operations that must be completed on the domain controllers that run in an existing
Active Directory environment before you can add a domain controller that runs that version of Windows Server.
Adprep.exe commands run automatically as needed as part of the AD DS installation process on servers that run
Windows Server 2012 or later. The commands need to run in the following cases:
Before you add the first domain controller that runs a version of Windows Server that is later than the
latest version that is running in your existing domain.
Before you upgrade an existing domain controller to a later version of Windows Server, if that domain
controller will be the first domain controller in the domain or forest to run that version of
Windows Server.
For example, if your organization has domain controllers that run Windows 2000 Server or
Windows Server 2003, before you can add a new domain controller that runs Windows Server 2008 R2 or
upgrade one of the existing domain controllers to Windows Server 2008 R2, you must run Adprep.exe from the
\Support\Adprep folder of the Windows Server 2008 R2 installation DVD on your existing domain controllers.
Adprep.exe is a rollup of all previous versions of this tool. In other words, if you currently have domain
controllers that run Windows Server 2003 and you want to add domain controllers that run Windows
Server 2008 R2, you only have to run Adprep.exe from the Windows Server 2008 R2 operating system disk. It is
not necessary to run the version from Windows Server 2008 because the version in Windows Server 2008 R2
includes all the changes from previous versions.
https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 1/18
9/14/2016 Running Adprep.exe
Adprep.exe has parameters that perform a variety of operations that help prepare an existing Active Directory
environment for a domain controller that runs a later version of Windows Server. Not all versions of
Adprep.exe perform the same operations, but generally the different types of operations that Adprep.exe can
perform include the following:
Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared
folder
For more information about the changes that Adprep.exe performs, see the following resources:
For Windows Server 2012 and later, see Changes Made by Adprep.exe.
For Windows Server 2008 R2, see Windows Server 2008 R2: Appendix of Changes to Adprep.exe to
Support AD DS.
For Windows Server 2008, see Windows Server 2008: Appendix of Changes to Adprep.exe to Support
AD DS.
Some organizations may prefer to run Adprep.exe separately, either in advance of an AD DS installation or
simply to extend an existing AD DS schema to support new features such as the Device Registration Service in
Windows Server 2012 R2. For this reason, Adprep.exe is also included in the \Support\Adprep folder of the
operating system disk.
Also beginning with Windows Server 2012, there is only one 64-bit version of Adprep.exe. It can be run remotely
from any server that runs a 64-bit version of Windows Server 2008 or later. The computer where you run it can
be either domain-joined or in a workgroup. It includes new syntax and parameter options in order to run it
remotely.
For more information about the objects and containers that are created when the schema is extended to
support Windows Server 2012 R2 and Windows Server 2012, see Changes to Adprep.exe.
The addition of indexes in large Active Directory databases can prevent DCs from responding to clients and
application server requests and cause desktop user or application performance degradation or operational
failures. Windows Server 2008 R2 added indexes to improve LDAP query performance for certain queries.
Windows Server 2012 and Windows Server 2012 R2 include those same indexes.
By installing hotfix 2846725 and enabling the DSheuristic attribute on DCs that run Windows Server 2008 R2,
index creation is deferred and the time when indexing takes place is staggered across all DCs in the forest.
Beginning in Windows Server 2012, the introduction of schema changes occurs independently from the
indexing of the attributes. See Deferred Index Creation.
In addition to applying the hotfix, you can take these steps to help prepare for the schema update:
Check the AD database size. See Determine the Database Size and Location Online.
Use a test bed that reflects the production environment so that potential replication problems will be
reproduced by testing (e.g. don't test in a single domain forest if the production environment really has
multiple domains).
Windows Server 2008 R2 includes a 32-bit version and a 64-bit version of Adprep.exe. The 64-bit version runs by
default. If you want to run one of the Adprep.exe commands on a 32-bit computer, use the 32-bit version of
Adprep.exe (Adprep32.exe).
Running Adprep.exe
To complete the required operations, you must run the Adprep.exe commands that are listed in the following
table. You must run adprep /forestprep before you run other commands. Some commands must be run on
specific domain controllers, as indicated in the table. None of the commands requires a restart of the server
after the operation is complete. The remaining sections in this topic contain more details about each command.
adprep /forestprep | Must be run on the schema operations master for the forest. | Once for the entire forest
adprep /domainprep | Must be run on the infrastructure operations master for the domain. | Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain.
adprep /domainprep /gpprep | Must be run on the infrastructure operations master for the domain. | Once in each domain within the forest
Note
If you already ran the /gpprep parameter for Windows Server 2003, you do not have to run it again
for later versions of Windows Server.
adprep /rodcprep | Can be run from any computer. This command performs operations remotely. For the operations to complete successfully, the domain naming operations master for the forest and the infrastructure operations master for each application directory partition and each domain partition must be accessible. | Once for the entire forest
Note
(RODC).
Note
If you are not sure which computer holds the operations master (also known as flexible single master operations
or FSMO) role that you need, type the following command at a command prompt on a computer on which you
have Netdom.exe installed, and then press ENTER:
Netdom.exe is installed by default on domain controllers that run Windows Server 2008 or later. You can also
install Netdom.exe on an administrative workstation. For more information, see Microsoft Remote Server
Administration Tools for Windows Vista (KB941314) (http://go.microsoft.com/fwlink/?LinkID=89361) or
Windows Server 2003 Service Pack 2 32-bit Support Tools (http://go.microsoft.com/fwlink/?LinkID=100114).
Adprep.exe has built-in fail-safes that prevent potential problems that can arise from a schema update. The
fail-safes handle conflicting updates, such as the introduction of duplicate object identifiers, and cause
Adprep.exe to stop until an administrator reconciles the conflicts. An administrator can also manually stop
and restart Adprep.exe. Adprep.exe skips redundant updates and it resumes at the point where it was
stopped.
Because of these fail-safes, we do not recommend that you disable replication on the schema master as an
additional precaution before you run Adprep.exe as it should not be necessary. If you nonetheless choose
to disable replication on the schema master or isolate it physically from the production network, be aware
of the following issues that you might encounter:
Monitoring software may detect that replication is disabled and initiate recovery activity that
re-enables replication.
If you boot the schema master on a private network, it will fail initial synchronization unless you also
place a second domain controller on the same private network.
If you boot the schema master on a private network and it is not a DNS server, place a DNS server
on the same private network and have the schema master point to it as the preferred DNS server.
If you boot the schema master on a private network and it is a DNS server and additional domain
controllers are in the forest, you could wait several minutes for the operating system to start.
1. Make a system state backup for your domain controllers, including the schema master and at least
one other domain controller from each domain in the forest. After the changes that adprep
/forestprep makes replicate throughout the forest, they can be reversed only by forest recovery.
You can implement forest recovery more effectively if you have recent and trusted system state
backups. For more information about backing up a domain controller, see Performing an
Unscheduled Backup of a Domain Controller (http://go.microsoft.com/fwlink/?LinkID=132632). For
more information about planning for forest recovery, see Planning for Active Directory Forest
Recovery (http://go.microsoft.com/fwlink/?LinkId=140265).
2. Make sure that you can log on to the schema master with an account that has sufficient credentials
to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise
Admins group, and the Domain Admins group of the domain that hosts the schema master, which is,
by default, the forest root domain.
Note
The built-in Administrator account in the forest root domain is a member of the Schema Admins
group by default.
3. If any domain controllers in the forest are running Windows 2000 Server, they must be running
Service Pack 4 (SP4). To obtain Windows 2000 Server SP4, see Windows 2000 Service Pack 4 Network
Install for IT Professionals (http://go.microsoft.com/fwlink/?LinkId=140267).
4. If you are running Exchange 2000, see article 325379 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=140269) for more information about preventing potential
schema conflicts.
5. Run the following Repadmin.exe command to ensure that replication is working throughout the
forest:
All domain controllers should show 0 in the Fails column, and the largest deltas (which indicate the
time that has elapsed since the last successful replication) should be less than or roughly equal to
the replication frequency of the site link that the domain controller uses for replication. The default
replication frequency is 180 minutes.
6. Antivirus software that is running on a schema master can interfere with running adprep /forestprep.
The introduction of display specifiers during the adprep /forestprep operation calls an external
function that can cause locks on files or folders that are used by antivirus software utilities.
In this case, the following error can appear when you run adprep /forestprep:
Adprep was unable to complete because the call back function failed.
If you are running antivirus software on the schema master and receive this error when you run
adprep /forestprep, temporarily disable the antivirus software until the command completes. For
more information, see Adprep was unable to complete because the call back function failed.
For more information about completing these preparatory steps, see So You Want to Upgrade to
Windows 2008 Domain Controllers (ADPREP) (http://go.microsoft.com/fwlink/?LinkId=138880).
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
4. Click Select a well known Naming Context, select Configuration in the list of available naming
contexts, and then click OK.
where forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
8. Confirm that the revision attribute value is correct for the version of adprep /forestprep, and
then click OK.
9. Click ADSI Edit, click Action, and then click Connect to.
10. Click Select a Well known naming context, select Schema in the list of available naming
contexts, and then click OK.
where forest_root_domain is the distinguished name of your forest root domain.
13. Confirm that the objectVersion attribute value is correct for the version of adprep /forestprep,
and then click OK.
1. Make sure that the schema updates that adprep /forestprep performs replicated throughout the
forest or that they at least replicated to the infrastructure master for the domain where you plan to
run adprep /domainprep. For more information, see Verifying that adprep /forestprep completed
successfully.
2. Make sure that you can log on to the infrastructure master with an account that is a member of the
Domain Admins group.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
4. Click Select a well known Naming Context, select Default naming context in the list of
available naming contexts, and then click OK.
5. Double-click Default naming context, double-click the container that is the distinguished name of
the domain, and then double-click CN=System.
7. Confirm that the revision attribute value is correct for the version of adprep /domainprep, and
then click OK.
Note
Although other adprep.exe commands are run automatically as part of the AD DS installation process
beginning with Windows Server 2012, the adprep /domainprep /gpprep command is not run
automatically. If the command has never been run in your environment, you may need to run it separately.
For more information, see KB article 2737129.
Running adprep /domainprep /gpprep can create a lot of replication traffic because every GPO is updated.
Therefore, you might want to run this command during off-peak hours to minimize the impact of the
additional replication.
If you run adprep /domainprep /gpprep before you run adprep /domainprep, Adprep.exe runs both
commands sequentially. First, it performs the /domainprep operations, and then it performs the /gpprep
operations.
If you are running an earlier version of Adprep.exe, see article 324392 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=140283).
The following sections include more details about running adprep /domainprep /gpprep:
1. Make sure that you have completed the preparatory steps for running adprep /domainprep. For
more information, see Preparing to run adprep /domainprep.
2. Make sure that the Default Domain Policy and the Default Domain Controllers Policy are located
on the infrastructure master. To do this, use Windows Explorer to navigate to the
%windir%\SYSVOL\sysvol\domain_name\Policies folder. Confirm that the following globally unique
identifiers (GUIDs) appear in the Policies folder:
{31B2F340-016D-11D2-945F-00C04FB984F9}
{6AC1786C-016F-11D2-945F-00C04fB984F9}
3. Antivirus software that is running on an infrastructure master can interfere with running adprep
/domainprep /gpprep. In this case, the following error message can appear when you run adprep
/domainprep /gpprep:
Adprep was unable to complete because the call back function failed.
If you are running antivirus software on the infrastructure master and receive this error message
when you run adprep /domainprep /gpprep, temporarily disable the antivirus software until the
command completes. For more information, see Adprep was unable to complete because the call
back function failed.
You can also verify that this command is complete by using the steps for verifying that adprep
/domainprep completed successfully, or you can verify that the operation added the Read permission for
the Enterprise Domain Controllers group on all GPOs. For more information, see Verifying adprep
/domainprep.
Each application directory partition has an infrastructure master. The adprep /rodcprep command must
update the security descriptor for each application directory partition on the infrastructure master for that
partition.
There are two application directory partitions that are created by default for Domain Name System (DNS)
data: DomainDNSZones and ForestDNSZones. If the infrastructure master for either of these partitions is
offline or if it has been forcefully removed from the forest, adprep /rodcprep fails with an error. For more
information, see article 949257 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=140285). In addition, this command must contact the domain naming
operations master to obtain a list of the application and domain directory partitions that are in the forest.
Therefore, the domain naming master must be accessible when you run this command.
The command also updates the defaultSecurityDescriptor of the domainDNS classSchema object
(CN=Domain-DNS,CN=Schema,CN=Configuration,<Forest Root Domain DN>) to grant the Replicating
Directory Changes control access right to the Enterprise Read-Only Domain Controllers security group.
When you create a new domain or application partition, the new object inherits the default permissions from
the schema object. For more information, see When To Use ForestPrep, DomainPrep And RODCPrep.
The following sections include more details about running adprep /rodcprep:
1. Make sure you can log on to a computer with an account that is a member of the Enterprise Admins
group.
2. Make sure that the domain naming master and the infrastructure master for each application
directory partition are accessible.
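The accessibility requirement above can be checked before running adprep /rodcprep. The following script is an added example, not part of the original topic or of Adprep.exe. It assumes the ActiveDirectory PowerShell module is installed, treats a role owner DN containing "0ADEL:" as a forcefully removed holder, and uses a TCP connection to port 389 as the reachability test.

```powershell
# Added example (not Microsoft's code). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-RoleHolderStatus {
    param([string]$RoleObjectDN, [string]$Server)

    $query = @{ Identity = $RoleObjectDN; Properties = 'fSMORoleOwner'; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try   { $owner = (Get-ADObject @query).fSMORoleOwner }
    catch { return 'Role object not readable from the queried DC' }

    if (-not $owner)            { return 'No role owner recorded' }
    # A forcefully removed holder leaves a mangled DN that contains "0ADEL:".
    if ($owner -match '0ADEL:') { return "Owner deleted: $owner" }

    # fSMORoleOwner names the NTDS Settings object; its parent is the server object.
    $serverDN = $owner -replace '^CN=NTDS Settings,', ''
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $dnsName = (Get-ADObject -Identity $serverDN -Properties dNSHostName -ErrorAction Stop).dNSHostName
        $tcp.Connect($dnsName, 389)      # LDAP port as the reachability test
        return "Reachable: $dnsName"
    }
    catch   { return "UNREACHABLE: $serverDN" }
    finally { $tcp.Close() }
}

function Test-RodcPrepReadiness {
    $root     = Get-ADRootDSE
    $configNC = $root.configurationNamingContext
    $partDN   = "CN=Partitions,$configNC"

    # Domain naming master: the role owner is stored on the Partitions container.
    $checks = @(@{ Role = 'Domain naming master'; Partition = $configNC; DN = $partDN; Server = $null })

    # crossRef objects with systemFlags bit 0x1 describe partitions held in this forest.
    $filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=1))'
    $crossRefs = Get-ADObject -SearchBase $partDN -LDAPFilter $filter -Properties nCName, systemFlags, dnsRoot
    foreach ($cr in $crossRefs) {
        # The configuration and schema partitions have no infrastructure master.
        if (@($configNC, $root.schemaNamingContext) -contains $cr.nCName) { continue }
        # Domain partitions (bit 0x2) are read from a DC of that domain. Application
        # partitions are read from the current DC, which may not host a replica.
        $server = $null
        if ($cr.systemFlags -band 2) { $server = @($cr.dnsRoot)[0] }
        $checks += @{ Role = 'Infrastructure master'; Partition = $cr.nCName
                      DN = "CN=Infrastructure,$($cr.nCName)"; Server = $server }
    }

    foreach ($c in $checks) {
        $status = Get-RoleHolderStatus -RoleObjectDN $c.DN -Server $c.Server
        New-Object PSObject -Property @{ Role = $c.Role; Partition = $c.Partition; Status = $status } |
            Select-Object Role, Partition, Status
    }
}

Test-RodcPrepReadiness | Format-Table -AutoSize -Wrap
```

Any row that does not start with "Reachable" identifies a partition whose role holder has to be brought online or reassigned before the command can succeed.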
indicate that all partitions are updated. You can also use the following procedure to verify that adprep
/rodcprep completed successfully.
1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on
domain controllers that run Windows Server 2008 or Windows Server 2008 R2.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
4. Click Select a well known Naming Context, select Configuration in the list of available naming
contexts, and then click OK.
where forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
8. Confirm that the Revision attribute value is 2, and then click OK.
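The three ADSI Edit verification procedures in this topic (for adprep /forestprep, adprep /domainprep and adprep /rodcprep) read version markers that can also be collected in one pass. The following script is an added example, not part of the original topic. It assumes the ActiveDirectory PowerShell module and the standard marker objects CN=ActiveDirectoryUpdate and CN=ActiveDirectoryRodcUpdate; the only expected value it knows by default is the rodcprep revision of 2 stated above, and the server name in the usage comment is hypothetical.

```powershell
# Added example (not Microsoft's code). Assumes the ActiveDirectory module (RSAT)
# and an account that can read the configuration, schema and domain partitions.
Import-Module ActiveDirectory

function Get-AdprepLevel {
    param(
        [string]$Server,                            # optional: DC to read from
        [hashtable]$Expected = @{ rodcprep = 2 }    # other values depend on the target OS version
    )

    $target = @{}
    if ($Server) { $target.Server = $Server }
    $root     = Get-ADRootDSE @target
    $configNC = $root.configurationNamingContext

    # Marker object and attribute that each adprep step updates.
    $markers = @(
        @{ Step = 'schema';     Attribute = 'objectVersion'; DN = $root.schemaNamingContext },
        @{ Step = 'forestprep'; Attribute = 'revision'
           DN = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC" },
        @{ Step = 'rodcprep';   Attribute = 'revision'
           DN = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC" },
        @{ Step = 'domainprep'; Attribute = 'revision'
           DN = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($root.defaultNamingContext)" }
    )

    foreach ($m in $markers) {
        $value = $null
        try {
            $obj   = Get-ADObject @target -Identity $m.DN -Properties $m.Attribute -ErrorAction Stop
            $value = $obj.($m.Attribute)
        } catch {
            # Marker missing or unreadable: the step has not run, or has not replicated to this DC.
        }

        $want    = $Expected[$m.Step]
        $matches = $null                            # stays empty when no expected value was supplied
        if ($null -ne $want) { $matches = ($value -eq $want) }

        New-Object PSObject -Property @{
            Step = $m.Step; Attribute = $m.Attribute; Value = $value
            Expected = $want; AsExpected = $matches; DN = $m.DN
        } | Select-Object Step, Attribute, Value, Expected, AsExpected, DN
    }
}

# Usage (hypothetical DC name): compare the infrastructure master against the values
# you expect for the version of Adprep.exe that you ran.
# Get-AdprepLevel -Server dc01.example.test -Expected @{ rodcprep = 2; domainprep = 9 }
Get-AdprepLevel | Format-Table -AutoSize -Wrap
```

Running it against more than one domain controller shows whether the changes have replicated, which the preparatory steps for adprep /domainprep require.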
Schema conflicts
Adprep was unable to complete because the call back function failed
adprep /forestprep
Schema Admins
Enterprise Admins
The adprep /rodcprep command, however, can be run from any computer. This command runs remotely, and
it must contact the domain naming master for the forest to obtain a list of application directory partitions that
are in the forest. It then must contact the infrastructure master for each of the application directory partitions.
If an infrastructure master is offline or if it has been forcefully removed from the domain, the adprep
/rodcprep command fails. For more information, see article 949257 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=140285).
Schema conflicts
Schema conflicts can cause the following Adprep errors:
OID will not be changed resulting in probable failure to add a new class
This error occurs when custom schema changes have been made or when non-Microsoft software
makes schema changes that conflict with a schema change from Microsoft.
To resolve this issue, open the ADPREP log to see what the failed object is. If you know the non-
Microsoft software that is using the attribute, contact the makers of that software and determine if
there is a fix. Otherwise, contact Microsoft Customer Support Services.
Schema update failed: An attribute with the same link identifier already exists
This error occurs when you are trying to update or add an object in the schema and the link identifier
already exists for another attribute. Some non-Microsoft applications modify the schema with a link
identifier set that is owned by the operating system. For more information about resolving this error,
see Troubleshooting ADPREP Errors (http://go.microsoft.com/fwlink/?LinkId=138881).
Adprep was unable to complete because the call back function failed
This error message can appear when an external function called by adprep /forestprep or adprep
/domainprep /gpprep causes locks on files or folders that are used by antivirus software utilities running
on the schema master or the infrastructure master.
If you see this error message when you run adprep /forestprep, try disabling the antivirus software and
running the command again. After the adprep /forestprep command completes, you can enable the
antivirus software again.
If you see this error message when you run adprep /domainprep /gpprep, investigate and resolve the
following possible causes:
The Default Domain Policy and the Default Domain Controller Policy are absent from SYSVOL.
The Default Domain Policy and the Default Domain Controller Policy do not have the default globally
unique identifiers (GUIDs). The Default Domain Policy GUID is {31B2F340-016D-11D2-945F-00C04FB984F9}.
The default Default Domain Controller Policy GUID is {6AC1786C-016F-11D2-945F-00C04fB984F9}.
There are problems with file system junction points between %SystemRoot%\SYSVOL\sysvol\domain
and %SystemRoot%\SYSVOL\. Running a DIR command of the SYSVOL folder tree structure is not
sufficient to validate the junction points. Instead, use LinkD to verify existence of junction points and
validate linked folders. For more information about using LinkD, see Gather the SYSVOL path
information (http://go.microsoft.com/fwlink/?LinkId=158003).
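The three causes listed above, and the GUID check in the preparatory steps for adprep /domainprep /gpprep, can be tested together on the infrastructure master. The following script is an added example, not part of the original topic and not a replacement for LinkD. It assumes that %SystemRoot%\SYSVOL\sysvol\domain_name is the junction in question, that the logged-on user's DNS domain is the domain being prepared, and that a readable gpt.ini in each default GPO folder shows the linked folder resolves.

```powershell
# Added example (not Microsoft's code). Run locally on the infrastructure master.
function Test-GpPrepSysvol {
    param(
        [string]$DomainName = $env:USERDNSDOMAIN,                   # assumption: domain being prepared
        [string]$SysvolRoot = (Join-Path $env:SystemRoot 'SYSVOL')
    )

    # GUIDs of the two default GPOs, as listed in this topic.
    $defaultGpos = @{
        'Default Domain Policy'             = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
        'Default Domain Controllers Policy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
    }

    $domainDir = Join-Path $SysvolRoot "sysvol\$DomainName"
    $results   = @()

    # 1. The domain folder must be a reparse point (junction), not a plain directory.
    #    A DIR listing does not show this difference reliably; the attribute does.
    $isJunction = $false
    $item = Get-Item -LiteralPath $domainDir -Force -ErrorAction SilentlyContinue
    if ($item) {
        $reparse    = [int][IO.FileAttributes]::ReparsePoint
        $isJunction = (([int]$item.Attributes -band $reparse) -ne 0)
    }
    $results += New-Object PSObject -Property @{
        Check = 'Domain folder is a junction'; Passed = $isJunction; Path = $domainDir }

    foreach ($name in $defaultGpos.Keys) {
        $gpoDir = Join-Path (Join-Path $domainDir 'Policies') $defaultGpos[$name]
        $gptIni = Join-Path $gpoDir 'gpt.ini'

        # 2. The GPO folder with the default GUID must exist.
        $results += New-Object PSObject -Property @{
            Check  = "$name folder present"
            Passed = (Test-Path -LiteralPath $gpoDir -PathType Container)
            Path   = $gpoDir }

        # 3. Reading gpt.ini proves that the junction target actually resolves.
        $readable = $false
        if (Test-Path -LiteralPath $gptIni -PathType Leaf) {
            try {
                $null = Get-Content -LiteralPath $gptIni -TotalCount 1 -ErrorAction Stop
                $readable = $true
            } catch { }
        }
        $results += New-Object PSObject -Property @{
            Check = "$name gpt.ini readable"; Passed = $readable; Path = $gptIni }
    }

    $results | Select-Object Check, Passed, Path
}

Test-GpPrepSysvol | Format-Table -AutoSize -Wrap
```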
You receive an error when you run adprep /forestprep that says Adprep is valid, but is
for a machine type other than the current machine
You can receive this error if you try to run Adprep.exe from the Windows Server 2008 R2 installation DVD on a
schema master that runs a 32-bit version of Windows Server. By default, Windows Server 2008 R2 runs the
64-bit version of Adprep.exe. To resolve this error, open an elevated command prompt on the schema master
and run the 32-bit version of the command:
Adprep32.exe /forestprep
The Adprep32.exe tool is in the support\adprep folder of the Windows Server 2008 R2 installation DVD.
Community Additions
LUBE DMC
safdasd
LUBE DMC
1/21/2015
SHBB
Thanks, That is very useful
Ta
shabnambb
1/15/2014
Server 2012
If you ran adprep /domainprep for Windows Server 2012, confirm that the Revision attribute value is 9, and then click OK
thekindpunisher
6/6/2013
Thanks,
Justin [MSFT]
my msg is
ADPREP was unable to modify the default security descriptor on object CN=ms-DS-M
anaged-Service-Account,CN=Schema,CN=Configuration,DC=nrc,DC=sci,DC=eg.
[Status/Consequence]
Adprep attempts to merge the existing default security descriptors with the new
[User Action]
Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000
208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Schema,CN=Configuration,DC=nrc,DC=sci,DC=eg'
omar elkhodary
3/25/2012
infob_JS
10/20/2011
http://support.microsoft.com/default.aspx?scid=kb;EN-US;982020
Bulent Ozkir
8/25/2010
For the Schema Container the object version attribute value is set to 47
Thank you for the correction. The topic has been updated to include corresponding values for Windows Server 2008 and
Windows Server 2008 R2.
Justinha
12/23/2009
2016 Microsoft