9/14/2016 Running Adprep.

exe

Running Adprep.exe
Updated: July 20, 2014

Applies To: Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server
2012, Windows Server 2012 R2

This topic explains what Adprep.exe is. It also provides links to step-by-step instructions for running Adprep.exe.

What is Adprep.exe?

Considerations for using Adprep.exe in Windows Server 2012 R2 and Windows Server 2012

Considerations for using Adprep.exe in Windows Server 2008 R2 and Windows Server 2008

Running Adprep.exe

Troubleshooting errors with Adprep.exe

What is Adprep.exe?
Adprep.exe is a command-line tool that is included on the installation disk of each version of WindowsServer.
Adprep.exe performs operations that must be completed on the domain controllers that run in an existing
ActiveDirectory environment before you can add a domain controller that runs that version of WindowsServer.

Adprep.exe commands run automatically as needed as part of the AD DS installation process on servers that run
Windows Server 2012 or later. The commands need to run in the following cases:

Before you add the first domain controller that runs a version of WindowsServer that is later than the
latest version that is running in your existing domain.

Before you upgrade an existing domain controller to a later version of WindowsServer, if that domain
controller will be the first domain controller in the domain or forest to run that version of
WindowsServer.

For example, if your organization has domain controllers that run Windows2000Server or
WindowsServer2003, before you can add a new domain controller that runs Windows Server2008R2 or
upgrade one of the existing domain controllers to Windows Server2008R2, you must run Adprep.exe from the
\Support\Adprep folder of the Windows Server2008R2 installation DVD on your existing domain controllers.

Adprep.exe is a rollup of all previous versions of this tool. In other words, if you currently have domain
controllers that run WindowsServer2003 and you want to add domain controllers that run Windows
Server2008R2, you only have to run Adprep.exe from the Windows Server2008R2 operating system disk. It is
not necessary to run the version from Windows Server2008 because the version in Windows Server2008R2
includes all the changes from previous versions.

What does Adprep.exe do?

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 1/18
9/14/2016 Running Adprep.exe

Adprep.exe has parameters that perform a variety of operations that help prepare an existing ActiveDirectory
environment for a domain controller that runs a later version of WindowsServer. Not all versions of
Adprep.exe perform the same operations, but generally the different types of operations that Adprep.exe can
perform include the following:

Updating the ActiveDirectory schema

Updating security descriptors

Modifying access control lists (ACLs) on ActiveDirectory objects and on files in the SYSVOL shared
folder

Creating new objects, as needed

Creating new containers, as needed

For more information about the changes that Adprep.exe performs, see the following resources:

For Windows Server 2012 and later, see Changes Made by Adprep.exe.

For Windows Server2008R2, see Windows Server 2008 R2: Appendix of Changes to Adprep.exe to
Support AD DS.

For Windows Server2008, see Windows Server 2008: Appendix of Changes to Adprep.exe to Support
AD DS.

For WindowsServer2003R2, see Extending Your ActiveDirectory Schema in WindowsServer2003R2

(http://go.microsoft.com/fwlink/?LinkId=138879).

For WindowsServer2003, see Prepare Your Infrastructure for Upgrade

(http://go.microsoft.com/fwlink/?LinkId=138878).

Considerations for using Adprep.exe in Windows Server 2012

R2 and Windows Server 2012
Beginning with Windows Server 2012, Adprep.exe is integrated into the AD DS installation process and runs
automatically as needed. For example, when you install the first domain controller that runs Windows Server
2012 into an existing domain and forest
forest, then adprep /forestprep
forest and adprep /domainprep automatically run
and report the results of the operations.

Some organizations may prefer to run Adprep.exe separately, either in advance of an AD DS installation or
simply to extend an existing AD DS schema to support new features such as the Device Registration Service in
Windows Server 2012 R2. For this reason, Adprep.exe is also included in the \Support\Adprep folder of the
operating system disk.

Also beginning with Windows Server 2012, there is only one 64-bit version of Adprep.exe. It can be run remotely
from any server that runs a 64-bit version of Windows Server 2008 or later. The computer where you run it can
be either domain-joined or in a workgroup. It includes new syntax and parameter options in order to run it
remotely.

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 2/18
9/14/2016 Running Adprep.exe

For more information about the objects and containers that are created when the schema is extended to
support Windows Server 2012 R2 and Windows Server 2012, see Changes to Adprep.exe.

Mitigating performance impact of deferred index creation

The execution of ADPREP and other applications that add indexed attributes to Active Directory databases
greater than 100 GB may cause high CPU utilization by LSASS and high disk utilization from the writing of
indexes. Then new indexes also trigger a replication event that must be processed by other DCs in the forest.
forest

The addition of indexes in large Active Directory databases can prevent DCs from responding to clients and
application server requests and cause desktop user or application performance degradation or operational
failures. Windows Server 2008 R2 added indexes to improve LDAP query performance for certain queries.
Windows Server 2012 and Windows Server 2012 R2 include those same indexes.

By installing hotfix 2846725 and enabling the DSheuristic attribute on DCs that run Windows Server 2008 R2,
index creation is deferred and the time when indexing takes place is staggered across all DCs in the forest.
forest

Beginning in Windows Server 2012, the introduction of schema changes occurs independently from the
indexing of the attributes. See Deferred Index Creation.

In addition to applying the hotfix, you can take these steps to help prepare for the schema update:

Check the AD database size. See Determine the Database Size and Location Online.

Check the number of deleted objects.

Check the number of DCs that will get indexing.

Check the link speeds to those DCs

Use a test bed that reflects the production environment so that potential replication problems will be
reproduced by testing (e.g. dont test in a single domain forest if the production environment really has
multiple domains).

Considerations for using Adprep.exe in Windows Server 2008

R2 and Windows Server 2008
In Windows Server2008R2, Adprep.exe is located in the \Support\Adprep folder of the operating system disk.
In Windows Server2008, Adprep.exe is located in the \Sources\Adprep folder.

Windows Server2008R2 includes a 32-bit version and a 64-bit version of Adprep.exe. The 64-bit version runs by
default. If you want to run one of the Adprep.exe commands on a 32-bit computer, use the 32-bit version of
Adprep.exe (Adprep32.exe).

Running Adprep.exe
To complete the required operations, you must run the Adprep.exe commands that are listed in the following
table. You must run adprep /forestprep
forest before you run other commands. Some commands must be run on

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 3/18
9/14/2016 Running Adprep.exe

specific domain controllers, as indicated in the table. None of the commands requires a restart of the server
after the operation is complete. The remaining sections in this topic contain more details about each command.

Command Domain controller Number of times to run the

command

adprep Must be run on the schema operations master for the Once for the entire forest
/forestprep
forest forest
forest.

adprep Must be run on the infrastructure operations master for Once in each domain where
/domainprep the domain. you plan to install an additional
domain controller that runs a
later version of
WindowsServer than the latest
version that is running in the
domain.

Note

Domains where you will not

add a new domain
controller will be affected
by adprep /forestprep
forest , but
they do not require you to
run adprep /domainprep.

adprep Must be run on the infrastructure operations master for Once in each domain within the
/domainprep the domain. forest
/gpprep
If you already ran the /gpprep parameter for
WindowsServer2003, you do not have to run it again
for later versions of Windows Server.

adprep Can be run from any computer. This command Once for the entire forest
/rodcprep performs operations remotely. For the operations to
complete successfully, the domain naming operations
master for the forest and the infrastructure operations
master for each application directory partition and
Note
each domain partition must be accessible.

This If you already ran this command for Windows

command is Server2008, you do not have to run it again for later
optional. Run versions of Windows Server.
it only if you
want to install
a read-only
domain
controller
https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 4/18
9/14/2016 Running Adprep.exe

(RODC).

Note

If you plan to add an RODC to the forest

forest, you can run adprep /rodcprep right after you run adprep
/forestprep
forest and then verify that both operations have replicated throughout the forest
forest. Both commands
require Enterprise Admin credentials; therefore, you might prefer to run them consecutively.

If you are not sure which computer holds the operations master (also known as flexible single master operations
or FSMO) role that you need, type the following command at a command prompt on a computer on which you
have Netdom.exe installed, and then press ENTER:

netdom query FSMO

Netdom.exe is installed by default on domain controllers that run Windows Server2008 or later. You can also
install Netdom.exe on an administrative workstation. For more information, see Microsoft Remote Server
Administration Tools for Windows Vista (KB941314) (http://go.microsoft.com/fwlink/?LinkID=89361) or
WindowsServer2003 Service Pack2 32-bit Support Tools (http://go.microsoft.com/fwlink/?LinkID=100114).

Running adprep /forestprep

Run the adprep /forestprep
forest command to update the ActiveDirectory schema and perform other forest-wide
forest
updates. The schema updates are required to support new object types. Other forest
forest-wide updates are
required to update permissions and default security descriptors. The following sections include more details
about running adprep /forestprep
forest :

Preparing to run adprep /forestprep

forest

Running adprep /forestprep

forest

Verifying that adprep /forestprep

forest completed successfully

Preparing to run adprep /forestprep

Organizations should review and understand the schema updates and other changes that Adprep.exe
makes as part of the schema management process in ActiveDirectory Domain Services (ADDS). Test the
Adprep.exe schema updates in a lab environment to ensure that they will not conflict with any applications
that run in your environment. There should not be any conflicts if your applications use Request for
Comments (RFC)-compliant object and attribute definitions. For more information about the updates that
Adprep.exe performs for different versions of Windows Server, see Changes Made by Adprep.exe,
Windows Server 2008 R2: Appendix of Changes to Adprep.exe to Support AD DS, and Windows Server
2008: Appendix of Changes to Adprep.exe to Support AD DS.

Adprep.exe has built-in fail-safes that prevent potential problems that can arise from a schema update. The
fail-safes handle conflicting updates, such as the introduction of duplicate object identifiers, and cause
Adprep.exe to stop until an administrator reconciles the conflicts. An administrator can also manually stop
and restart Adprep.exe. Adprep.exe skips redundant updates and it resumes at the point where it was
stopped.

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 5/18
9/14/2016 Running Adprep.exe

Because of these fail-safes, we do not recommend that you disable replication on the schema master as an
additional precaution before you run Adprep.exe as it should not be necessary. If you nonetheless choose
to disable replication on the schema master or isolate it physically from the production network, be aware
of the following issues that you might encounter:

Monitoring software may detect that replication is disabled and initiaterecovery activity that re-
enables replication.

If you boot the schema master on a private network, it will fail initial synchronization unless you also
place a second domain controller on the same private network.

If you boot the schema master on a private network and it is not a DNS server, place a DNS server
on the same private network and have the schema master point to it as the preferred DNS server.

If you boot the schema master on a private network and it is a DNS server and additional domain
controllers are in the forest, you could wait several minutes for the operating system to start.

To help ensure that the adprep /forestprep

forest command runs successfully, complete these additional steps
before you run the command on the schema operations master role holder in the forest:
forest

1. Make a system state backup for your domain controllers, including the schema master and at least
one other domain controller from each domain in the forest. After the changes that adprep
/forestprep makes replicate throughout the forest, they can be reversed only by forest recovery.
You can implement forest recovery more effectively if you have recent and trusted system state
backups. For more information about backing up a domain controller, see Performing an
Unscheduled Backup of a Domain Controller (http://go.microsoft.com/fwlink/?LinkID=132632). For
more information about planning for forest recovery, see Planning for Active Directory Forest
Recovery (http://go.microsoft.com/fwlink/?LinkId=140265).

2. Make sure that you can log on to the schema master with an account that has sufficient credentials
to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise
Admins group, and the Domain Admins group of the domain that hosts the schema master, which is,
by default, the forest root domain.

Note

The built-in Administrator account in the forest root domain is a member of the Schema Admins
group by default.

3. If any domain controllers in the forest are running Windows2000Server, they must be running
ServicePack4 (SP4). To obtain Windows2000ServerSP4, see Windows2000ServicePack4 Network
Install for IT Professionals (http://go.microsoft.com/fwlink/?LinkId=140267).

4. If you are running Exchange2000, see article 325379 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=140269) for more information about preventing potential
schema conflicts.

5. Run the following Repadmin.exe command to ensure that replication is working throughout the
forest:

repadmin /replsum /bysrc /bydest /sort:delta

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 6/18
9/14/2016 Running Adprep.exe

All domain controllers should show 0 in the Fails column, and the largest deltas (which indicate the
time that has elapsed since the last successful replication) should be less than or roughly equal to
the replication frequency of the site link that the domain controller uses for replication. The default
replication frequency is 180minutes.

6. Antivirus software that is running on a schema master can interfere with running adprep /forestprep.
The introduction of display specifiers during the adprep /forestprep operation calls an external
function that can cause locks on files or folders that are used by antivirus software utilities.

In this case, the following error can appear when you run adprep /forestprep:

Adprep was unable to complete because the call back function failed.

If you are running antivirus software on the schema master and receive this error when you run
adprep /forestprep, temporarily disable the antivirus software until the command completes. For
more information, see Adprep was unable to complete because the call back function failed.

For more information about completing these preparatory steps, see So You Want to Upgrade to
Windows2008 Domain Controllers (ADPREP) (http://go.microsoft.com/fwlink/?LinkId=138880).

Running adprep /forestprep

You can run the adprep /forestprep
forest command from the WindowsServer DVD, or you can copy the
contents of the folder that includes Adprep.exe to your schema master and run Adprep.exe from that
location. If you copy Adprep.exe to the schema master, be sure to copy the entire contents of the folder.

For more information about how to run the adprep /forestprep

forest command, see Prepare a Windows 2000
or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or
Windows Server 2008 R2.

Verifying that adprep /forestprep completed successfully

When the adprep /forestprep
forest command completes, a message appears in the Command Prompt window
to indicate that Adprep has successfully updated the forest
forest-wide information. You can also use the
following procedure to verify that adprep /forestprep
forest completed successfully.

To verify that adprep /forestprep completed successfully

1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default
on domain controllers that run Windows Server2008 or Windows Server2008R2.

2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

3. Click Action, and then click Connect to.

4. Click Select a well known Naming Context, select Configuration in the list of available naming
contexts, and then click OK.

5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain

forest

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 7/18
9/14/2016 Running Adprep.exe

where forest_root_domain
forest is the distinguished name of your forest root domain.

6. Double-click CN=ForestUpdates
Forest .

7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.

8. Confirm that the revision attribute value is correct for the version of adprep /forestprep
forest , and
then click OK.

For Windows Server 2012 R2, the value is 15.

For Windows Server 2012, the value is 11.

For Windows Server2008R2, the value is 5.

For Windows Server2008, the value is 2.

9. Click ADSI Edit, click Action, and then click Connect to.

10. Click Select a Well known naming context, select Schema in the list of available naming
contexts, and then click OK.

11. Double-click Schema.

12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain

forest , and then click Properties.

where forest_root_domain
forest is the distinguished name of your forest root domain.

13. Confirm that the objectVersion attribute value is correct for the version of adprep /forestprep
forest ,
and then click OK.

For Windows Server 2012 R2, the value is 69.

For Windows Server 2012, the value is 56.

For Windows Server2008R2, the value is 47.

For Windows Server2008, the value is 44.

Running adprep /domainprep

After the adprep /forestprep
forest operations are complete, you are ready to run the adprep /domainprep
command to prepare your domains. The following sections include more details about running adprep
/domainprep:

Preparing to run adprep /domainprep

Running adprep /domainprep

Verifying adprep /domainprep

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 8/18
9/14/2016 Running Adprep.exe

Preparing to run adprep /domainprep

To help ensure that the adprep /domainprep command runs successfully, complete these steps before you
run the command on the infrastructure operations master role holder in each domain:

1. Make sure that the schema updates that adprep /forestprep performs replicated throughout the
forest or that they at least replicated to the infrastructure master for the domain where you plan to
run adprep /domainprep. For more information, see Verifying that adprep /forestprep
forest completed
successfully.

2. Make sure that you can log on to the infrastructure master with an account that is a member of the
Domain Admins group.

3. Verify that the domain functional level is at least Windows2000native.

Running adprep /domainprep

When you are ready to run adprep /domainprep, insert the WindowsServer operating system DVD into
the DVD drive of the infrastructure master. Then, change directories to the folder that contains Adprep.exe
and run the command. For more information, see Prepare a Windows 2000 or Windows Server 2003
Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2.

Verifying adprep /domainprep

When adprep /domainprep completes, a message appears in the Command Prompt window to indicate
that Adprep successfully updated the domain-wide information. You can also use the following procedure
to verify that adprep /domainprep completed successfully.

To verify that adprep /domainprep completed successfully

1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default
on domain controllers that run Windows Server2008 or Windows Server2008R2.

2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

3. Click Action, and then click Connect to.

4. Click Select a well known Naming Context, select Default naming context in the list of
available naming contexts, and then click OK.

5. Double-click Default naming context, double-click the container that is the distinguished name of
the domain, and then double-click CN=System.

6. Double-click CN=DomainUpdates, right-click CN=ActiveDirectoryUpdate, and then click

Properties.

7. Confirm that the revision attribute value is correct for the version of adprep /domainprep, and
then click OK.

For Windows Server 2012 R2, the value is 10.

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 9/18
9/14/2016 Running Adprep.exe

For Windows Server 2012, the value is 9.

For Windows Server2008R2, the value is 5.

For Windows Server2008, the value is 3.

Running adprep /domainprep /gpprep

If you ran the version of the adprep /domainprep command that is included in Windows Server2008 or later,
the adprep /domainprep /gpprep command adds only the inheritable access control entries (ACEs) on
GroupPolicy objects (GPOs) in the SYSVOL shared folder. The additional ACEs give enterprise domain
controllers read access permissions on GPOs. These permissions are required to support Resultant Set of
Policy (RSOP) functionality for site-based policy.

Note

Although other adprep.exe commands are run automatically as part of the AD DS installation process
beginning with Windows Server 2012, the adprep /domainprep /gpprep command is not run
automatically. If the command has never been run in your environment, you may need to run it separately.
For more information, see KB article 2737129.

Running adprep /domainprep /gpprep can create a lot of replication traffic because every GPO is updated.
Therefore, you might want to run this command during off-peak hours to minimize the impact of the
additional replication.

If you run adprep /domainprep /gpprep before you run adprep /domainprep, Adprep.exe runs both
commands sequentially. First, it performs the /domainprep operations, and then it performs the /gpprep
operations.

If you are running an earlier version of Adprep.exe, see article 324392 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=140283).

The following sections include more details about running adprep /domainprep /gpprep:

Preparing to run adprep /domainprep /gpprep

Running adprep /domainprep /gpprep

Verifying adprep /domainprep /gpprep

Preparing to run adprep /domainprep /gpprep

To help ensure that adprep /domainprep /gpprep runs successfully, complete these steps before you run
the command on the infrastructure operations master role holder in each domain.

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 10/18
9/14/2016 Running Adprep.exe

1. Make sure that you have completed the preparatory steps for running adprep /domainprep. For
more information, see Preparing to run adprep /domainprep.

2. Make sure that the Default Domain Policy and the Default Domain Controllers Policy are located
on the infrastructure master. To do this, use WindowsExplorer to navigate to the
%windir%\SYSVOL\sysvol\domain_name\Policies folder. Confirm that the following globally unique
identifiers (GUIDs) appear in the Policies folder:

{31B2F340-016D-11D2-945F-00C04FB984F9}

{6AC1786C-016F-11D2-945F-00C04fB984F9}

3. Antivirus software that is running on an infrastructure master can interfere with running adprep
/domainprep /gpprep. In this case, the following error message can appear when you run adprep
/domainprep /gpprep:

Adprep was unable to complete because the call back function failed.

If you are running antivirus software on the infrastructure master and receive this error message
when you run adprep /domainprep /gpprep, temporarily disable the antivirus software until the
command completes. For more information, see Adprep was unable to complete because the call
back function failed.

Running adprep /domainprep /gpprep

When you are ready to run the adprep /domainprep /gpprep command, insert the WindowsServer
operating system DVD into the DVD drive of the infrastructure master. Then, change directories to the
folder that contains Adprep.exe and run the command. For more information, see Prepare a Windows 2000
or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows
Server 2008 R2.

Verifying adprep /domainprep /gpprep

If you have not yet run adprep /domainprep, when you run adprep /domainprep /gpprep you see a
message that indicates that adprep /domainprep successfully updated the domain-wide information,
followed by a message that indicates that Adprep successfully updated the GPO information. If you have
already run adprep /domainprep, the message indicates that the domain-wide information has already
been updated and that the operation will not be repeated, followed by the message that indicates that
Adprep successfully updated the GPO information.

You can also verify that this command is complete by using the steps for verifying that adprep
/domainprep completed successfully, or you can verify that the operation added the Read permission for
the Enterprise Domain Controllers group on all GPOs. For more information, see Verifying adprep
/domainprep.

Running adprep /rodcprep

Running the adprep /rodcprep command is optional. It is required only if you want to install an RODC in the
forest. This command updates the security descriptors for domain and application directory partitions to give
forest

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 11/18
9/14/2016 Running Adprep.exe

RODCs permission to replicate updates to the partitions.

Each application directory partition has an infrastructure master. The adprep /rodcprep command must
update the security descriptor for each application directory partition on the infrastructure master for that
partition.

There are two application directory partitions that are created by default for Domain Name System (DNS)
data: DomainDNSZones and Forest ForestDNSZones. If the infrastructure master for either of these partitions is
offline or if it has been forcefully removed from the forest,
forest adprep /rodcprep fails with an error. For more
information, see article 949257 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?
LinkId=140285). In addition, this command must contact the domain naming operations master to obtain a list
of the application and domain directory partitions that are in the forest
forest. Therefore, the domain naming master
must be accessible when you run this command.

The command also updates the defaultSecurityDescriptor of the domainDNS classSchema object
(CN=Domain-DNS,CN=Schema,CN=Configuration,<Forest Forest Root Domain DN>) to grant the Replicating
Directory Changes control access right to the Enterprise Read-Only Domain Controllers security group.
When you create a new domain or application partition, the new object inherits the default permissions from
the schema object. For more information, see When To Use Forest
ForestPrep, DomainPrep AndRODCPrep.

The following sections include more details about running adprep /rodcprep:

Preparing to run adprep /rodcprep

Running adprep /rodcprep

Verifying adprep /rodcprep

Preparing to run adprep /rodcprep

To help ensure that the adprep /rodcprep command runs successfully, complete these steps before you
run the command:

1. Make sure you can log on to a computer with an account that is a member of the Enterprise Admins
group.

2. Make sure that the domain naming master and the infrastructure master for each application
directory partition are accessible.

Running adprep /rodcprep

When you are ready to run the adprep /rodcprep command, insert the WindowsServer operating system
DVD into the DVD drive of the computer. Then, change directories to the folder that contains Adprep.exe
and run the command. For more information, see Prepare a Forest for a Read-Only Domain Controller .

Verifying adprep /rodcprep

When the adprep /rodcprep command completes, a message appears in the Command Prompt window to

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 12/18
9/14/2016 Running Adprep.exe

indicate that all partitions are updated. You can also use the following procedure to verify that adprep
/rodcprep completed successfully.

To verify that adprep /rodcprep completed successfully

1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on
domain controllers that run Windows Server2008 or Windows Server2008R2.

2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

3. Click Action, and then click Connect to.

4. Click Select a well known Naming Context, select Configuration in the list of available naming
contexts, and then click OK.

5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain

forest

where forest_root_domain
forest is the distinguished name of your forest root domain.

6. Double-click CN=ForestUpdates
Forest .

7. Right-click CN=ActivedirectoryRodcUpdate, and then click Properties.

8. Confirm that the Revision attribute value is 2, and then click OK.

Troubleshooting errors with Adprep.exe

This section explains how to correct problems when Adprep.exe fails. Adprep.exe errors are logged in the
%windir%\Debug\Adprep\Logs folder. There will be a separate file each time that you run ADPREP. At the
bottom of the file, you can see what the problem is. Some common causes for Adprep.exe errors include the
following:

Insufficient credentials to run the command

Operations master role holders are not accessible

Schema conflicts

Adprep was unable to complete because the call back function failed

You receive an error when you run adprep /forestprep

forest that says Adprep is valid, but is for a machine
type other than the current machine

For more information, see Troubleshooting ADPREP Errors (http://go.microsoft.com/fwlink/?LinkId=138881).

Insufficient credentials to run the command

Each Adprep.exe command requires a different set of credentials. The following table lists the credential

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 13/18
9/14/2016 Running Adprep.exe

requirements for each command.

Adprep.exe command Credentials that are required to run the command

adprep /forestprep
forest
Schema Admins

Enterprise Admins

Domain Admins of the domain that hosts the schema master

adprep /domainprep Domain Admins

adprep /domainprep /gpprep Domain Admins

adprep /rodcprep Enterprise Admins

Operations master role holders are not accessible

If Adprep.exe cannot contact the operations master role holders that are required to complete the command,
the command fails with an error. Because the adprep /forestprep
forest and adprep /domainprep /gpprep
commands must be run directly on the schema master and the infrastructure master, respectively, these
commands are less likely to generate this type of error.

The adprep /rodcprep command, however, can be run from any computer. This command runs remotely, and
it must contact the domain naming master for the forest to obtain a list of application directory partitions that
are in the forest
forest. It then must contact the infrastructure master for each of the application directory partitions.
If an infrastructure master is offline or if it has been forcefully removed from the domain, the adprep
/rodcprep command fails. For more information, see article 949257 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=140285).

Schema conflicts
Schema conflicts can cause the following Adprep errors:

OID will not be changed resulting in probable failure to add a new class

This error occurs when custom schema changes have been made or when non-Microsoft software
makes schema changes that conflict with a schema change from Microsoft.

To resolve this issue, open the ADPREP log to see what the failed object is. If you know the non-
Microsoft software that is using the attribute, contact the makers of that software and determine if
there is a fix. Otherwise, contact Microsoft Customer Support Services.

Schema update failed: An attribute with the same link identifier already exists

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 14/18
9/14/2016 Running Adprep.exe

This error occurs when you are trying to update or add an object in the schema and the link identifier
already exists for another attribute. Some non-Microsoft applications modify the schema with a link
identifier set that is owned by the operating system. For more information about resolving this error,
see Troubleshooting ADPREP Errors (http://go.microsoft.com/fwlink/?LinkId=138881).

Adprep was unable to complete because the call back function failed
This error message can appear when an external function called by adprep /forestprepor adprep
/domainprep /gpprepcauses locks on files or folders that are used by antivirus software utilities running
on the schema master or the infrastructure master.

If you see this error message when you run adprep /forestprep, try disabling the antivirus software and
running the command again. After the adprep /forestprepcommand completes, you can enable the
antivirus software again.

If you see this error message when you run adprep /domainprep /gpprep, investigate and resolve the
following possible causes:

The \SCRIPTS folder is absent from the SYSVOL shared folder.

The Default Domain Policy and the Default Domain Controller Policy are absent from SYSVOL.

The Default Domain Policy and the Default Domain Controller Policy do not have the default globally
unique identifiers (GUIDs). The Default Domain Policy GUID is {31B2F340-016D-11D2-945F-
00C04FB984F9}. The default Default Domain Controller Policy GUID is {6AC1786C-016F-11D2-945F-
00C04fB984F9}.

The registry entry HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysVol does

not exist or does not point to a valid SYSVOL path, such as %SystemRoot%\SYSVOL\sysvol.

There are problems with file system junction points between %SystemRoot%\SYSVOL\sysvol\domain
and %SystemRoot%\SYSVOL\. Running a DIR command of the SYSVOL folder tree structure is not
sufficient to validate the junction points. Instead, use LinkD to verify existence of junction points and
validate linked folders. For more information about using LinkD, see Gather the SYSVOL path
information (http://go.microsoft.com/fwlink/?LinkId=158003).

You receive an error when you run adprep /forestprep that says Adprep is valid, but is
for a machine type other than the current machine
You can receive this error if you try to run Adprep.exe from the Windows Server2008R2 installation DVD on a
schema master that runs a 32-bit version of WindowsServer. By default, Windows Server2008R2 runs the 64-
bit version of Adprep.exe. To resolve this error, open an elevated command prompt on the schema master
and run the 32-bit version of the command:

Adprep32.exe /forestprep
forest

The Adprep32.exe tool is in the support\adprep folder of the Windows Server2008R2 installation DVD.

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 15/18
9/14/2016 Running Adprep.exe

Community Additions

LUBE DMC
safdasd

LUBE DMC
1/21/2015

SHBB
Thanks, That is very useful

Ta

shabnambb
1/15/2014

Server 2012
If you ran adprep /domainprep for Windows Server 2012, confirm that the Revision attribute value is 9, and then click OK

add above to verify 2012 AD

thekindpunisher
6/6/2013

Numbers to verify for Windows Server 2012

Hi Martin, Thanks for the question and sorry for the delayed response. For Windows Server 2012, the ActiveDirectoryUpdate
container Revision attribute will be 11, and the Schema objectVersion attribute will be 56. The topic will updated to reflect this
later this week (ETA 5/9/2013). I also added a link to http://technet.microsoft.com/library/hh994609.aspx, which covers the
changes to objects and permissions that adprep makes for Windows Server 2012.

Thanks,

Justin [MSFT]

Justin Hall MSFT

5/7/2013

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 16/18
9/14/2016 Running Adprep.exe

same adprep problem

hi pup

i have problem with upgrade my DC from 2003 R2 to 2008 R2

my msg is

ADPREP was unable to modify the default security descriptor on object CN=ms-DS-M

anaged-Service-Account,CN=Schema,CN=Configuration,DC=nrc,DC=sci,DC=eg.

[Status/Consequence]

Adprep attempts to merge the existing default security descriptors with the new

access control entry (ACE).

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20120325121151

directory for more information.

Adprep encountered an LDAP error.

Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000

208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:

'CN=Schema,CN=Configuration,DC=nrc,DC=sci,DC=eg'

can you help me please

omar elkhodary
3/25/2012

Adprep32 / Windows 2008R2

after run adprep32 /forestperp
forest on Windows 2008 server :

Configuration Container the revision attribute value is 2

Schema Container the object version attribute value is 47

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 17/18
9/14/2016 Running Adprep.exe

What can I do?

infob_JS
10/20/2011

Office Communications Server 2007 R2 does not work correctly

982020 Office Communications Server 2007 R2, OCS 2007 or LCS 2005 does not work correctly after you upgrade to Windows
Server 2008 R2

http://support.microsoft.com/default.aspx?scid=kb;EN-US;982020

Bulent Ozkir
8/25/2010

Issue with adprep /domainprep

on a 2000 server DC, adding a 2008 server.
when running adprep /domainprep, I am getting a error: "adprep detected that the domain is not in native mode"
you need to switchs your domain to Native mode or above, then repeat the operation (in Active directory domains and
trusts\properties)
Hope it helps

The Net Doctor

8/11/2010

Forestprerp verfication for Windows 2008R2 RC

For Configuration Container the revision attribute value is changed to 5

For the Schema Container the object version attribute value is set to 47

Thank you for the correction. The topic has been updated to include corresponding values for Windows Server 2008 and
Windows Server 2008 R2.

Justinha
12/23/2009

2016 Microsoft

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx 18/18