This topic explains the process for upgrading domain controllers to Windows Server 2008 or Windows Server 2008 R2. It has links to related information about the upgrade process and issues that you might encounter.
What’s new in AD DS in Windows Server 2008 and Windows Server 2008 R2
The following table has links to more information about new features and functionality in Windows Server 2008 and Windows Server 2008 R2.
| Operating system | What’s new |
|---|---|
| Windows Server 2008 | For information about each feature, special considerations, and how to prepare for deployment, see Changes in Functionality from Windows Server 2003 with Service Pack 1 (SP1) to Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=164410). For information about specific features in Active Directory Domain Services (AD DS) in Windows Server 2008, see Active Directory Domain Services Role (http://go.microsoft.com/fwlink/?LinkId=164414). Some functionality that was available in previous versions of Windows Server is deprecated in Windows Server 2008. For example, SMTP replication is removed by default. For more information, see article 947057 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164416). The Browser service is disabled by default on Windows Server 2008 and Windows Server 2008 R2 domain controllers. |
| Windows Server 2008 R2 | For information about each feature, special considerations, and how to prepare for deployment, see Changes in Functionality from Windows Server 2008 to Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=139049). For information about specific features in AD DS in Windows Server 2008 R2, see What's New in Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkID=139655). In Windows Server 2008 R2, Dcpromo.exe does not allow the creation of a domain that has a single-label Domain Name System (DNS) name. If you try to promote an additional domain controller in a domain that has a single-label DNS name (such as contoso, instead of contoso.com), the check box to install a DNS server is not available in Dcpromo.exe. Upgrading Windows Server 2003 domain controllers in Windows Server 2008 R2 and Windows Server 2008 R2 single-label domains is supported. Promoting additional Windows Server 2008 R2 and Windows Server 2008 R2 domain controllers into existing single-label DNS domains is supported. Windows Server 2008 R2 does not support MSMQ in domain mode for Windows NT 4 and Windows 2000 MSMQ clients running against Windows Server 2008 R2 domain controllers when there are no Windows Server 2003 or Windows Server 2008 domain controllers in the same environment. For more information about other functionality in Windows Server 2003 that is deprecated in Windows 7 and Windows Server 2008 R2, see Deprecated Features for Windows 7 and Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=177815). |
For more information about other known issues for AD DS, see Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164418).
System requirements for installing Windows Server 2008 and Windows Server 2008 R2
For system requirements for Windows Server 2008, see “System Requirements” in Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=164421).
For disk-space requirements for AD DS in Windows Server 2008, see Disk space and component location issues in Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164423).
For system requirements for Windows Server 2008 R2, see Installing Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=160341).
For disk-space requirements for AD DS in Windows Server 2008 R2, see Disk space and component location issues in Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkID=164423).
The AD DS database (Ntds.dit) on Windows Server 2008 R2 domain controllers can be larger than in previous versions of Windows, for the following reasons:
- The "partial merge" feature is disabled on Windows Server 2008 R2 domain controllers.
- Windows Server 2008 R2 Adprep /forestprep adds two new indices on the large link table.
- The Windows Server 2008 R2 Active Directory Recycle Bin feature, when it is enabled, preserves attributes on deleted objects for the recycled object lifetime.
The Active Directory database on a Windows Server 2008 domain controller that is promoted into a Windows 2000 domain should be a size that is similar to the size of the Active Directory databases on the Windows 2000 domain controllers. While Windows Server 2008 R2 additions increase the database size, the addition of a single-instance store that is supported by domain controllers that run Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 offsets that increase. Windows Server 2008 R2 domain controllers are estimated to be 10 percent larger than Windows Server 2008 domain controllers, not counting the Active Directory Recycle Bin.
In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle Bin feature increased the database size by an additional 15 to 20 percent of the original AD DS database size, using the default deletedObjectLifetime and recycledObjectLifetime values of 180 days. Additional space requirements depend on the size and count of the objects that can be recycled.
If an in-place upgrade to Windows Server 2008 or Windows Server 2008 R2 rolls back silently to the previous operating system version, check for sufficient free disk space on the partitions that host the AD DS database and log files.
Supported in-place upgrade paths
For upgrades to Windows Server 2008, see “Supported upgrade paths” in Guide for Upgrading to Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=146616).
For upgrades to Windows Server 2008 R2, see “Supported upgrade paths” in Installing Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=160341) and Windows Server 2008 R2 Upgrade Paths (http://go.microsoft.com/fwlink/?LinkID=154894).
If you replace domain controllers, use the metadata cleanup method in Windows Server 2008 and remove DNS and Windows Internet Name Service (WINS) records for the original role holder. For more information, see Cleaning metadata of removed writable domain controllers in Appendix A: Forest Recovery Procedures (http://go.microsoft.com/fwlink/?LinkId=164553).
If you want to migrate the AD DS server role, DNS server roles, IP address, computer name, and supporting configuration state, from an existing server to a new Windows Server 2008 or Windows Server 2008 R2 destination server, see AD DS and DNS Server Migration: Migrating the AD DS and DNS Server Roles (http://go.microsoft.com/fwlink/?LinkId=177812). For example, refer to this article if you want to ensure that the new server has the same IP address or server name as the legacy server, or if you have made configuration changes, such as registry changes or file-based DNS zones, on the legacy DNS server and you want them retained on the new DNS server.
Functional level features and requirements
Features that are enabled for Windows Server 2008 and Windows Server 2008 R2 domain and forest functional levels are documented in Understanding Domain and Forest Functionality (http://go.microsoft.com/fwlink/?LinkId=164555). Domain and forest functional level requirements for the deployment of Windows Server 2008 and Windows Server 2008 R2 domain controllers are as follows:
- Adprep /forestprep does not have any domain or forest functional level requirements.
- Adprep /domainprep requires a Windows 2000 native or higher domain functional level in each target domain.
- Adprep /rodcprep does not have any functional-level requirements.
- You can install Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 domain controllers in the same domain or forest without any functional-level requirement.
- For installation of a read-only domain controller (RODC), the forest functional level must be Windows Server 2003 or higher.
Client, server, and application interoperability
- Windows NT 4.0 computers cannot be joined to Windows Server 2008 and Windows Server 2008 R2 domains or domain controllers.
- Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows 7 client computers are fully compatible with writable Windows Server 2008 and Windows Server 2008 R2 domain controllers. For member-computer interoperability with RODCs, see Known Issues for Deploying RODCs (http://go.microsoft.com/fwlink/?LinkID=164418).
- For more information about which versions of Microsoft Exchange Server can interoperate with different versions of Windows, see Exchange Server Supportability Matrix (http://go.microsoft.com/fwlink/?LinkID=165034).
- For a list of applications that are compatible with RODCs, see Applications That Are Known to Work with RODCs (http://go.microsoft.com/fwlink/?LinkID=133779). Exchange Server requires a writable domain controller; therefore, it does not work with RODCs.
Secure default settings in Windows Server 2008 and Windows Server 2008 R2
Windows Server 2008 and Windows Server 2008 R2 domain controllers have the following secure default settings, compared to Windows 2000 and Windows Server 2003 domain controllers.
| Encryption type or policy | Windows Server 2008 default | Windows Server 2008 R2 default | Comment |
|---|---|---|---|
| AllowNT4Crypto | Disabled | Disabled | Third-party Server Message Block (SMB) clients may be incompatible with the secure default settings on Windows Server 2008 and Windows Server 2008 R2 domain controllers. In all cases, these settings can be relaxed to allow interoperability at the expense of security. For more information, see article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164558). |
| DES | Enabled | Disabled | See article 977321 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=177717). |
| CBT/Extended Protection for Integrated Authentication | N/A | Enabled | See Microsoft Security Advisory (937811) (http://go.microsoft.com/fwlink/?LinkId=164559) and |
| LMv2 | Enabled | Disabled | See article 976918 in the Microsoft Knowledge Base. |
Virtualized domain controllers on Hyper-V™, VMware, and other virtualization software
Regardless of the virtual host software product that you are using, read Running Domain Controllers in Hyper-V (http://go.microsoft.com/fwlink/?LinkID=139651) for special requirements related to running virtualized domain controllers. Specific requirements include the following:
- Do not stop or pause domain controllers.
- Do not restore snapshots of domain controller role computers. This action causes an update sequence number (USN) rollback that can result in permanent inconsistencies between domain controller databases.
- All physical-to-virtual (P2V) conversions for domain controller role computers should be done in offline mode. System Center Virtual Machine Manager enforces this for Hyper-V. For information about other virtualization software, see the vendor documentation.
- Configure virtualized domain controllers to synchronize with a time source in accordance with the recommendations for your hosting software.
- For more considerations about running domain controllers in virtual machines, see article 888794 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=141292).
Administration, remote administration, and cross-version administration
The following changes have been made to local and remote administration tools for the Windows Server 2008 and Windows Server 2008 R2 operating systems.
- The installation of a server role, such as Active Directory Domain Services, by Server Manager also locally installs all GUI and command-line tools that you can use to administer that role. To install tools locally to manage other server roles, click Add Features in Server Manager.
- The GUI and command-line tools that were formerly in the Administrative Tools Pack (ADMINPACK.MSI), Support Tools (SUPPTOOLS.MSI), and Resource Kit tools have been consolidated into a single collection called Remote Server Administration Tools (RSAT).
- As 64-bit hardware and operating systems became more popular, x86-based (32-bit) and x64-based (64-bit) versions of the administration tools were released. See the following table for more information.
- Additional steps are required to make the administration tools that RSAT installs appear in the Start menu of Windows Vista computers. For these additional steps, see the following procedure.
As a general rule, the administrative tools only install and run correctly on the operating system versions with which they were released. For example, the Windows Server 2008 administration tools install and run only on Windows Vista client computers and Windows Server 2008 server computers.
Administration tools whose files are copied from the server operating system disk will generally not execute on the corresponding client operating system and are not supported. For example, tools that are copied from the Windows Server 2008 operating system disk to Windows Vista will not work.
For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkId=177813).
To display the administration tools on the Start menu
- Right-click Start, and then click Properties.
- On the Start Menu tab, click Customize.
- In the Customize Start Menu dialog box, scroll down to System administrative tools, and then click Display on the All Programs menu and the Start menu.
- Click OK.
For more information, see Installing Remote Server Administration Tools (http://go.microsoft.com/fwlink/?LinkID=153624).
Configuring the Windows Time service for Windows Server 2008 and Windows Server 2008 R2
Make sure that you have the following domain controller roles configured properly to synchronize the Windows Time service (W32time):
- Forest-root primary domain controller (PDC) on a physical computer. See Configure the Windows Time service on the PDC emulator (http://go.microsoft.com/fwlink/?LinkId=91969).
- Non-forest-root domain controller on a physical computer
- Domain controller on Hyper-V
- Domain controller on VMware
- Hyper-V host
- VMware host
Add time-rollback protection on Windows Server 2003 domain controllers by using Group Policy, making sure that you have the policy detail fixes in place before you do.
Known issues for upgrades to Windows Server 2008 and Windows Server 2008 R2
Verifications you can make and recommended hotfixes you can install before you begin
- All domain controllers in the forest should meet the following conditions:
  - Be online.
  - Be healthy (run dcdiag /v to check for problems).
  - Have successfully inbound-replicated and outbound-replicated all locally held Active Directory partitions (repadmin /showrepl * /csv, viewed in Excel). For more information, see “CSV Format” in Repadmin Requirements, Syntax, and Parameter Descriptions (http://go.microsoft.com/fwlink/?LinkID=147380).
  - Have successfully inbound-replicated and outbound-replicated SYSVOL.
  - Metadata for stale or nonexistent domain controllers, or domain controllers that cannot be made to replicate, should be removed from their respective domains. For more information, see Cleaning metadata of removed writable domain controllers in Appendix A: Forest Recovery Procedures (http://go.microsoft.com/fwlink/?LinkID=164553).
  - All domains must be at the Windows 2000 native functional level or higher to run adprep /domainprep. Windows NT 4.0 domain controllers are not permitted at this functional level.
  - Have sufficient free disk space to accommodate the upgrade. For more information about disk-space requirements for Windows Server 2008 and Windows Server 2008 R2, see System requirements for installing Windows Server 2008 and Windows Server 2008 R2. The task for administrators is to accurately forecast the immediate and long-term growth of Ntds.dit files on Windows Server 2008 and Windows Server 2008 R2 domain controllers so that the hard drives and partitions that host Active Directory files can be sized properly on physical and virtual domain controllers.
- Check for incompatibilities with the secure defaults in Windows Server 2008 and Windows Server 2008 R2. For more information, see Secure default settings in Windows Server 2008 and Windows Server 2008 R2.
- Download the latest service pack and the relevant hotfixes that apply to your Active Directory forest before you deploy Windows Server 2008 or Windows Server 2008 R2 domain controllers.
- For upgrades to either Windows Server 2008 or Windows Server 2008 R2, create integrated installation media (“slipstream”) by adding the latest service pack and hotfixes for your operating system. As of September 2009, the latest service pack for Windows Server 2008 is Service Pack 2 (SP2). For information about obtaining the latest service pack, see article 968849 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164585) and Installing Windows Server 2008 with Service Pack 2 (http://go.microsoft.com/fwlink/?LinkId=164586). Windows Server 2008 R2 includes the updates from Windows Server 2008 SP2. To make sure that you have all of the latest updates, see Windows Update (http://go.microsoft.com/fwlink/?LinkID=47290) or see article 968849 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164585) for download information.
- If you are deploying RODCs, review article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974). Download and install the hotfixes on the Windows computers and for the scenarios that apply to your computing environment.
- For Windows Server 2008 R2: If Active Directory Migration Tool (ADMT) 3.1 is installed on Windows Server 2008 computers that are being upgraded in place to Windows Server 2008 R2, remove ADMT 3.1 before the upgrade; otherwise, it cannot be uninstalled afterwards. In addition, ADMT 3.1 cannot be installed on Windows Server 2008 R2 computers.
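The checks above can be scripted rather than read off a spreadsheet. The following PowerShell script is an added example, not part of the original article: it parses repadmin /showrepl * /csv to find partnerships with failures or no recent success, collects failed dcdiag /v tests, and checks free space on the volumes that hold Ntds.dit and its log files on the local domain controller. It assumes repadmin.exe and dcdiag.exe are on the PATH, that the account can query every domain controller, and that the /csv column names are the documented ones; the $MaxAgeHours and $HeadroomFactor thresholds are choices made here, not figures from the article.

```powershell
# Added example (not from the original article): forest-wide pre-upgrade readiness check.
param(
    [int]$MaxAgeHours = 24,          # flag a partnership with no successful inbound replication in this window (assumed threshold)
    [double]$HeadroomFactor = 0.30   # wanted free space as a fraction of Ntds.dit size: the article's ~10% R2 growth plus up to 20% for the Recycle Bin
)
$ErrorActionPreference = 'Stop'

function Get-ReplicationSummary {
    # repadmin /showrepl * /csv emits one row per destination DC / naming context / source DC.
    # Column names below are assumed from the documented /csv layout.
    $rows   = repadmin /showrepl * /csv | ConvertFrom-Csv
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    $rows | Group-Object 'Destination DSA' | ForEach-Object {
        $failing = @($_.Group | Where-Object { [int]$_.'Number of Failures' -gt 0 })
        $stale   = @($_.Group | Where-Object {
            $t = [datetime]::MinValue
            -not [datetime]::TryParse($_.'Last Success Time', [ref]$t) -or $t -lt $cutoff
        })
        $contexts = @($_.Group | Select-Object -ExpandProperty 'Naming Context' -Unique)
        New-Object PSObject -Property @{
            DestinationDC = $_.Name
            Contexts      = $contexts.Count   # partitions this DC holds and pulls inbound
            Partnerships  = $_.Count
            Failing       = $failing.Count
            Stale         = $stale.Count
        }
    }
}

function Get-DcdiagFailures {
    # dcdiag /v reports each failed test on a line of the form "<DC> failed test <TestName>".
    dcdiag /v | Select-String -Pattern 'failed test' | ForEach-Object { $_.Line.Trim() }
}

function Get-NtdsVolumeHeadroom {
    # The NTDS service records the database and log locations under its Parameters key.
    $p        = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditBytes = (Get-Item $p.'DSA Database file').Length
    $needed   = [long]($ditBytes * $HeadroomFactor)
    foreach ($path in @($p.'DSA Database file', $p.'Database log files path')) {
        $drive = Split-Path -Qualifier $path                      # e.g. C:
        $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
        New-Object PSObject -Property @{
            Path     = $path
            FreeMB   = [math]::Round($disk.FreeSpace / 1MB)
            NeededMB = [math]::Round($needed / 1MB)
            OK       = ($disk.FreeSpace -ge $needed)
        }
    }
}

'== Replication (Failing: partnerships with failures; Stale: no success within {0} h) ==' -f $MaxAgeHours
Get-ReplicationSummary | Format-Table DestinationDC, Contexts, Partnerships, Failing, Stale -AutoSize
'== dcdiag /v failed tests =='
$fails = @(Get-DcdiagFailures)
if ($fails.Count -eq 0) { 'none' } else { $fails }
'== Free space on the local Ntds.dit and log volumes =='
Get-NtdsVolumeHeadroom | Format-Table Path, FreeMB, NeededMB, OK -AutoSize
```

A non-zero Failing or Stale count, or any dcdiag line, identifies a domain controller that should be repaired or have its metadata cleaned up before adprep is run.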
The following table lists hotfixes for Windows Server 2008. You can install a hotfix individually, or you can install the service pack that includes it.
| Description | Microsoft Knowledge Base article | Service pack |
|---|---|---|
| Domain controllers that are configured to use the Japanese language locale | 949189 (http://go.microsoft.com/fwlink/?LinkId=164588) | Windows Server 2008 SP2 |
| EFS file access encrypted on a Windows Server 2003 file server upgraded to Windows Server 2008 | 948690 (http://go.microsoft.com/fwlink/?LinkID=106115) | Not included in any Windows Server 2008 Service Pack |
| Records on Windows Server 2008 secondary DNS server are deleted following zone transfer | 953317 (http://go.microsoft.com/fwlink/?LinkId=164590) | Windows Server 2008 SP2 |
| Use root hints if no forwarders are available | 2001154 (http://go.microsoft.com/fwlink/?LinkId=165959) | |
| Setting locale information in Group Policy Preferences causes the Event Log and dependent services to fail: if you change “Regional Option – User Locale – enabled,” the Windows Event Log, DNS Server, and Task Scheduler services fail to start | For prevention and resolution, see 951430 (http://go.microsoft.com/fwlink/?LinkId=165960). | To be included in Windows Server 2008 SP3 |
| GPMC Filter fix | [KB article in progress] | Windows Server 2008 SP2 |
| If you use devolution to resolve DNS names (instead of a suffix search list), apply the DNS devolution hotfix. | [KB article in progress] | Windows Server 2008 SP2 |
| Group Policy Preferences rerelease | 943729 (http://go.microsoft.com/fwlink/?LinkId=164591) and 974266 (http://go.microsoft.com/fwlink/?LinkID=165035) | Windows Server 2008 SP2 |
| Synchronize the Directory Services Restore Mode (DSRM) Administrator password with a domain user account | 961320 (http://go.microsoft.com/fwlink/?LinkId=177814) | |
The following table lists hotfixes for Windows Server 2008 R2.
| Description | Microsoft Knowledge Base article | Comment |
|---|---|---|
Windows Server 2008 R2 Dynamic DNS updates to BIND servers log NETLOGON event 5774 with error status 9502 | [KB article in progress] | [The article will include a hotfix.] |
Event ID 1202 logged with status 0x534 if security policy modified | 2000705 (http://go.microsoft.com/fwlink/?LinkId=165961) | Hotfix is in progress. Also scheduled for Windows Server 2008 R2 SP1. |
TimeZoneKeyName registry entry name is corrupt on 64-bit upgrades | [KB article in progress] | Occurs only on x64-based server upgrades in Dynamic DST time zones. To see if your servers are affected, click the taskbar clock. If the clock fly-out indicates a time zone problem, click the link to open the date and time control panel. |
Deploying the first Windows Server 2008 R2 domain controller in an existing Active Directory forest may temporarily halt Active Directory replication to strict-mode destination domain controllers. | [KB article in progress] | |
Run Adprep commands
This section describes how to run the following adprep commands.
If you encounter errors when you run an Adprep command, see Adprep errors.
Add schema changes using adprep /forestprep
- Identify the domain controller that holds the schema operations master role (also known as the flexible single master operations, or FSMO, role) and verify that it has inbound-replicated the schema partition since startup:
  - Run the dcdiag /test:knowsofroleholders command. If the schema role is assigned to a domain controller with a deleted NTDS Settings object, follow the steps in article 255504 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=70776) to seize the role to a live domain controller in the forest root domain.
  - Log on to the schema operations master with an account that has Enterprise Admins, Schema Admins, and Domain Admins credentials in the forest root domain. By default, the built-in Administrator account in a forest root domain has these credentials.
  - On the schema master, run the repadmin /showreps command. If the schema master has inbound-replicated the schema partition since startup, continue to the next step. Otherwise, use the Replicate Now command in Dssite.msc to trigger inbound replication of the schema partition to the schema master (see Force replication over a connection (http://go.microsoft.com/fwlink/?LinkId=164634)). You can also use the repadmin /replicate <name of schema master> <GUID of replication partner> command. The showreps command returns the globally unique identifier (GUID) of every replication partner of the schema master.
- Locate the correct version of Adprep for your upgrade:
  - The Windows Server 2008 installation media contain one version of adprep, Adprep.exe, in the \sources\adprep folder of the Windows Server 2008 installation disk; it runs on both x86-based and x64-based operations masters.
  - The Windows Server 2008 R2 installation media contain both x86-based (Adprep32.exe) and x64-based (Adprep.exe) versions of adprep in the \support\adprep folder of the Windows Server 2008 R2 installation disk.
  - Windows Server 2008 and Windows Server 2008 R2 schema updates can be added directly to forests with Windows 2000 Server, Windows Server 2003, or Windows Server 2008 schema versions.
  - The Windows Server 2008 and Windows Server 2008 R2 versions of adprep.exe can be run directly on Windows 2000 Server SP4, Windows Server 2003, Windows Server 2003 R2, and (for Windows Server 2008 R2) Windows Server 2008 operations masters.
  - If you copy Adprep.exe from the installation media to a local computer or a network share, copy the entire adprep folder and provide the full path to the Adprep.exe file.
- Update the forest schema with adprep /forestprep.
While you are still logged on to the console of the schema master with an account that has Enterprise Admins, Schema Admin, and Domain Admin credentials, run the appropriate version of adprep /forestprep from the Windows Server 2008 or Windows Server 2008 R2 installation media. Specify the full path to Adprep.exe to prevent running another version of Adprep that may be present in the PATH environment variable.
For example, if you are running the Windows Server 2008 version of Adprep from a DVD drive or network path that is assigned the drive letter D:, the command to run is as follows:
D:\sources\adprep\adprep /forestprep
The syntax for running Windows Server 2008 R2 Adprep on a 64-bit schema master is as follows:
<dvd drive letter>:\support\adprep\adprep /forestprep
The syntax for running Windows Server 2008 R2 Adprep on a 32-bit, x86-based schema master is as follows:
D:\support\adprep\adprep32 /forestprep
For a list of operations that Windows Server 2008 adprep /forestprep performs, see Windows Server 2008: Forest-Wide Updates (http://go.microsoft.com/fwlink/?LinkId=164636).
For a list of operations that Windows Server 2008 R2 adprep /forestprep performs, see Windows Server 2008 R2: Forest-Wide Updates (http://go.microsoft.com/fwlink/?LinkId=164637).
If you encounter errors, see “Forestprep errors” later in this topic.
If you are deploying RODCs, run adprep /rodcprep
You do not need to run Windows Server 2008 R2 adprep /rodcprep in a forest that has already been prepared with Windows Server 2008 adprep /rodcprep. Proceed to adprep /domainprep.
If you are deploying RODCs for the first time:
While still logged on with Enterprise Admins credentials on the schema master, run adprep /rodcprep.
Note: Rodcprep will run on any member computer or domain controller in the forest if you are logged on with Enterprise Admins credentials. You can run adprep /rodcprep before or after adprep /domainprep. We recommend running adprep /rodcprep on the schema master immediately after adprep /forestprep as a matter of convenience, because that operation also requires Enterprise Admins credentials.
For Windows Server 2008 Rodcprep, specify the full path to Adprep. For example, if the DVD or network path is assigned drive D:, run the following command:
D:\sources\adprep\adprep /rodcprep
For Windows Server 2008 R2:
- If the computer where you run Rodcprep is a 64-bit computer, run the following command:
  D:\support\adprep\adprep /rodcprep
- If the computer where you run Rodcprep is a 32-bit computer, run the following command:
  D:\support\adprep\adprep32 /rodcprep
If you encounter errors, see “Rodcprep errors” later in this topic.
Run adprep /domainprep /gpprep
For each domain that you intend to add Windows Server 2008 or Windows Server 2008 R2 domain controllers to:
- Run netdom query fsmo or dcdiag /test:<name of FSMO test> to identify the infrastructure operations master.
- If operations master roles are assigned to deleted or offline domain controllers, transfer or seize the roles as required.
- Log on to the infrastructure master with an account that has Domain Admins credentials.
- Run Windows Server 2008 adprep /domainprep /gpprep from the Windows Server 2008 operating system disk using the following syntax:
Note: You do not have to add the /gpprep parameter in the following command if you already ran it for Windows Server 2003.
<drive>:\<path>\adprep /domainprep /gpprep
For example, if the DVD or network path is assigned drive D, use the following syntax:
D:\sources\adprep\adprep /domainprep /gpprep
For Windows Server 2008 R2:
If the infrastructure master is 64-bit, use the following syntax:
D:\support\adprep\adprep /domainprep /gpprep
If the infrastructure master is 32-bit, use the following syntax:
D:\support\adprep\adprep32 /domainprep /gpprep
If you encounter errors, see “Domainprep errors” later in this topic.
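The forestprep, rodcprep and domainprep steps above share one pattern: be on the console of the right operations master, use the adprep binary that matches its architecture, and call it by full path. The following PowerShell script is an added example, not part of the original article or of Adprep itself; it wraps all three steps, and for forestprep also performs the "schema partition inbound-replicated since startup" check from step 1. It assumes repadmin.exe is on the PATH, that it is run on the operations master (in the target domain for domainprep), and that $MediaRoot (for example D:) is the installation DVD or a complete copy of its adprep folder tree.

```powershell
# Added example (not from the original article): wrapper for the adprep steps described above.
param(
    [Parameter(Mandatory=$true)][ValidateSet('forestprep','rodcprep','domainprep')]
    [string]$Step,
    [ValidateSet('2008','2008R2')][string]$Media = '2008R2',   # which installation media $MediaRoot holds
    [string]$MediaRoot = 'D:',                                 # DVD drive or copied media root (assumed)
    [switch]$Run                                               # report only unless -Run is given
)
$ErrorActionPreference = 'Stop'

function Test-LocalRoleHolder([string]$RoleOwnerFqdn, [string]$RoleName) {
    # Adprep must run on the console of the role holder; compare its host label with this computer.
    if ($RoleOwnerFqdn.Split('.')[0] -ne $env:COMPUTERNAME) {
        throw "The $RoleName is $RoleOwnerFqdn, not this computer ($env:COMPUTERNAME). Log on to its console and run adprep there."
    }
}

function Test-SchemaReplicatedSinceBoot([string]$SchemaMaster) {
    # Step 1 of the forestprep procedure: the schema partition must have inbound-replicated since startup.
    $os   = Get-WmiObject Win32_OperatingSystem
    $boot = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)
    # Column names assumed from the documented repadmin /showrepl /csv layout.
    $times = repadmin /showrepl $SchemaMaster /csv | ConvertFrom-Csv |
        Where-Object { $_.'Naming Context' -like 'CN=Schema,*' } |
        ForEach-Object { $t = [datetime]::MinValue; if ([datetime]::TryParse($_.'Last Success Time', [ref]$t)) { $t } }
    $latest = $times | Sort-Object -Descending | Select-Object -First 1
    if (-not $latest -or $latest -lt $boot) {
        throw "Schema partition last inbound-replicated at '$latest'; this DC booted at $boot. Force replication (Dssite.msc or repadmin /replicate) and re-run."
    }
    Write-Host "Schema partition inbound-replicated at $latest (boot $boot): OK"
}

# 1. Confirm we are on the operations master the step requires (no AD module needed: .NET API).
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
switch ($Step) {
    'forestprep' {
        $schemaMaster = $forest.SchemaRoleOwner.Name
        Test-LocalRoleHolder $schemaMaster 'schema master'
        Test-SchemaReplicatedSinceBoot $schemaMaster
        $adprepArgs = @('/forestprep')
    }
    'rodcprep' {
        # Runs from any forest member with Enterprise Admins credentials; no role check needed.
        $adprepArgs = @('/rodcprep')
    }
    'domainprep' {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        Test-LocalRoleHolder $domain.InfrastructureRoleOwner.Name 'infrastructure master'
        $adprepArgs = @('/domainprep', '/gpprep')
    }
}

# 2. Media layout from the article: Windows Server 2008 ships one adprep.exe under \sources\adprep;
#    Windows Server 2008 R2 ships adprep.exe (x64) and adprep32.exe (x86) under \support\adprep.
$relative = 'support\adprep\adprep32.exe'
if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { $relative = 'support\adprep\adprep.exe' }
if ($Media -eq '2008') { $relative = 'sources\adprep\adprep.exe' }
$adprep = Join-Path $MediaRoot $relative
if (-not (Test-Path $adprep)) {
    throw "Adprep not found at $adprep. Copy the entire adprep folder from the media, not only the executable."
}

# 3. Invoke by full path so an older adprep earlier in PATH cannot be picked up.
Write-Host ("Command: `"{0}`" {1}" -f $adprep, ($adprepArgs -join ' '))
if ($Run) {
    & $adprep $adprepArgs
    if ($LASTEXITCODE -ne 0) { throw "adprep exited with code $LASTEXITCODE; see the Adprep errors section." }
}
```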
Upgrade domain controllers
This section includes the following topics:
Background information about the in-place upgrade process
When you upgrade existing domain controllers or promote new domain controllers into existing domains, consider the following:
- Computers running Windows 2000 Server cannot be upgraded in place to Windows Server 2008 or Windows Server 2008 R2.
- In-place upgrades from Windows Server 2003 or Windows Server 2003 R2 to Windows Server 2008 or Windows Server 2008 R2 are supported, with the following exception: x86-based operating systems cannot be upgraded in place to x64-based versions of Windows Server 2008 or Windows Server 2008 R2 (which supports only the x64-based architecture).
- A writable domain controller cannot be upgraded to be an RODC. The reverse is also true.
- A server that runs the full installation of Windows Server 2008 R2 cannot be upgraded to be a server that runs a Server Core installation of Windows Server 2008 R2. The reverse is also true.
- For more information about supported and unsupported upgrades, see Windows Server 2008 R2 Upgrade Paths (http://go.microsoft.com/fwlink/?LinkID=154894).
- Windows Server 2008 and Windows Server 2008 R2 both install Internet Protocol version 6 (IPv6) automatically. Do not arbitrarily disable or remove IPv6.
- To promote RODCs:
  - The adprep[32] /rodcprep command must have completed successfully.
  - The forest functional level must be Windows Server 2003 or higher.
  - A writable (or “full”) domain controller that runs Windows Server 2008 or Windows Server 2008 R2 must exist in the target domain.
Upgrading and promoting new domain controllers into an existing domain
Complete the following steps if you are performing either of these in-place upgrades:
-
Upgrading to Windows Server 2008 or Windows Server 2008 R2 from Windows Server 2003 domain controllers
-
Upgrading to Windows Server 2008 R2 from Windows Server 2008 or Windows Server 2003 or domain controllers
-
If you have the Japanese language locale installed on Windows Server 2003 domain controllers that are being upgraded in place to Windows Server 2008, read and comply with article 949189 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164588).
-
If the Active Directory Migration Tool (ADMT) version 3.1 is installed on a Windows Server 2003 or Windows Server 2008 domain controller that is being upgraded to Windows Server 2008 R2, uninstall ADMT 3.1 before the upgrade.
-
When promoting new domain controllers, make sure that object information about the newly promoted domain controllers (the computer account in the domain partition and the NTDS Settings object in the configuration partition) has outbound replicated to a sufficient number of domain controllers that are remaining in the forest before you retire the only domain controller in the forest that has that object information. For example, if you promote DC2 and use DC1 as the helper domain controller, then make sure that DC1 has outbound replicated object information about DC2 to other domain controllers before you retire DC1. This is particularly an issue where the helper domain controllers used by newly promoted domain controllers are rapidly demoted before outbound reapplication takes place.
- Run <dvd or network path>:\setup.exe.
- Read article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164558) and consider the right setting for the AllowNT4Crypto policy for your environment.
- If dcpromo.exe fails, see Dcpromo errors.
- If you have remotely encrypted Encrypting File System (EFS) files on Windows Server 2003 computers that are being upgraded in place to Windows Server 2008, read and comply with article 948690 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=106115). This problem does not apply to domain controllers that are upgraded to Windows Server 2008 R2.
- Consider installing the following fixes after the in-place upgrade unless they are integrated into your installation media:
  - If you are installing Windows Server 2008, install Service Pack 2 (SP2). Windows Server 2008 R2 includes the Windows Server 2008 SP2 fixes.
  - If you are using Group Policy Preferences on Windows Vista or Windows Server 2008 computers, download the July 2009 update to article 943729 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164591).
  - Download the fix for a GPMC filter bug in article 949360 in the Microsoft Knowledge Base.
  - If you use devolution (as opposed to suffix search lists) to resolve DNS queries for single-label and non-fully-qualified DNS names, download the DNS devolution fix. See article 957579 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166140).
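The replication check described earlier (confirm that the other domain controllers hold the new domain controller's computer account and NTDS Settings object before the helper is retired), as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module and an account that can read the domain and configuration partitions on every domain controller; the DC1/DC2 names in the usage line are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (Windows Server 2008 R2 or RSAT) and read access to every DC.
Import-Module ActiveDirectory

function Test-ObjectOn {
    # Returns $true when the object with distinguished name $Dn is readable on $Server.
    param([string]$Dn, [string]$Server)
    try   { $null = Get-ADObject -Identity $Dn -Server $Server -ErrorAction Stop; $true }
    catch { $false }
}

function Test-NewDcReplicated {
    param(
        [Parameter(Mandatory = $true)][string]$NewDcName,    # the DC that was just promoted, e.g. DC2
        [Parameter(Mandatory = $true)][string]$HelperDcName  # the helper DC about to be retired, e.g. DC1
    )
    # The helper is the one DC known to hold the new DC's objects, so read the
    # distinguished names of its computer account and NTDS Settings object from it.
    $newDc      = Get-ADDomainController -Identity $NewDcName -Server $HelperDcName
    $computerDn = $newDc.ComputerObjectDN
    $ntdsDn     = $newDc.NTDSSettingsObjectDN

    # Every other DC in the forest must already hold both objects. The NTDS
    # Settings object is in the configuration partition, which all DCs host;
    # the computer account is in the new DC's domain partition, so only DCs
    # of that domain are checked for it.
    $forest = Get-ADForest -Server $HelperDcName
    $others = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
    foreach ($dc in $others) {
        if ($dc.HostName -ieq $newDc.HostName) { continue }
        if ($dc.HostName -ieq $HelperDcName -or $dc.Name -ieq $HelperDcName) { continue }
        $hasNtds     = Test-ObjectOn -Dn $ntdsDn -Server $dc.HostName
        $hasComputer = if ($dc.Domain -ieq $newDc.Domain) {
                           Test-ObjectOn -Dn $computerDn -Server $dc.HostName
                       } else { 'n/a (other domain)' }
        [pscustomobject]@{
            DomainController   = $dc.HostName
            HasNtdsSettings    = $hasNtds
            HasComputerAccount = $hasComputer
        }
    }
}

# Usage (constructed names): do not demote DC1 until every row reports True.
Test-NewDcReplicated -NewDcName 'DC2' -HelperDcName 'DC1.contoso.com' | Format-Table -AutoSize
```

If any row reports False, run repadmin /syncall on the helper domain controller and check again rather than demoting it.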
Complete the following steps if you are performing an in-place upgrade of Windows Server 2008 or Windows Server 2008 R2 writable domain controllers into existing Windows 2000 Server, Windows Server 2003 or Windows Server 2008 domains:
- Verify that the target domain is at the Windows 2000 native domain functional level or higher.
- If you are promoting Windows Server 2008 domain controllers that are configured to use the Japanese language, read and comply with article 949189 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164588). Install the hotfix immediately after promotion and before the first boot into normal mode.
- From the Windows Start menu, run Dcpromo.exe (or install the Active Directory Domain Services role in Server Manager, and then run Dcpromo).
- When the AllowNT4Crypto page appears, read article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164558) and consider the right setting for AllowNT4Crypto for your environment.
- If you encounter an error, see the list of Dcpromo errors at the end of this topic.
Do the following if you are performing an in-place upgrade of Windows Server 2008 RODCs into existing Windows Server 2003 domains, Windows Server 2008 domains, or domains that have a mix of those operating systems:
- If the option to install an RODC is not available in Dcpromo, verify that the forest functional level is Windows Server 2003 or higher.
- If the option to install an RODC is not available and the error message indicates that there is no Windows Server 2008 domain controller in the domain, verify that a Windows Server 2008 domain controller exists in the domain and that it is reachable on the network from the RODC that you are promoting.
- If an error message indicates that access is denied, see the Microsoft Knowledge Base.
Post-installation tasks
For all domain controllers:
- Configure the forest root PDC with an external time source. For more information, see Configure the forest root PDC with an external time source (http://go.microsoft.com/fwlink/?LinkId=91969).
- Enable delete protection on organizational units (OUs) and other strategic containers to prevent accidental deletions.
- Use only Active Directory–aware backup applications to restore domain controllers or roll back the contents of AD DS. Restoring snapshots that were created by imaging software is not supported on domain controllers.
Fixes to install after AD DS installation
After installation of AD DS, install the following hotfixes.
Note: It is impossible to provide an exhaustive list of hotfixes. The following is a list of fixes that are available in October 2009.

| Hotfix | Windows Server 2008 SP1 (RTM) | Windows Server 2008 SP2 | Windows Server 2008 R2 |
| --- | --- | --- | --- |
| Article 949360: GPMC filter bug | Yes | No | No |
| Article 957959: DNS devolution fix | Yes | Yes | No |
| Article 943729: GPP rerelease | Yes | Yes | No |
| Article 949189: Japanese Language Locale | Yes | No | No |
For RODCs:
- If you are deploying RODCs, install the hotfix in article 953392 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=150337) on all Windows Server 2008 writable domain controllers. This fix is not required on Windows Server 2008 R2 writable domain controllers.
- Read article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974), and install the corrective fixes on the Windows client and server computers that are affected by the scenarios that are listed in the Knowledge Base article.
Troubleshooting errors
This section describes errors in Adprep.exe and Dcpromo.exe. If you encounter an error that is not covered, search Microsoft.com for the quoted error description (for example, site:microsoft.com “error description”) or post your problem to the following community sites:
Adprep errors
These sections describe errors for the forestprep, domainprep, and rodcprep commands.
Forestprep errors
- If an error message indicates that the schema operations master is assigned to a deleted domain controller, see the Microsoft Knowledge Base.
- If the error message says “Adprep was unable to extend the schema” or “Adprep failed to verify whether the schema master has completed a replication cycle after last reboot,” verify that the schema master has inbound-replicated the schema partition since the reboot. See Force a replication event with all partners in Forcing Replication (http://go.microsoft.com/fwlink/?LinkId=164668), and run the repadmin /syncall command.
- If the error message says “The callback function failed,” see Adprep was unable to complete because the call back function failed in Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkId=164669).
- If the error message says “There is a schema conflict with Exchange 2000. The schema is not upgraded.”, see article 314649 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166190).
- If the error message says “An attribute with the same link identifier already exists,” see article 969307 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164670).
- For all other error messages, run a query for the error message, enclosed in quotation marks, at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).
Domainprep errors
Rodcprep errors
- If Rodcprep fails with the error message “Adprep could not contact a replica for partition <distinguished name for the forest-wide or domain-wide DNS application partition>” that is documented in article 949257 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=140285), run the Fixfsmo.vbs script in the same article, and then rerun Rodcprep until it runs successfully.
- For all other error messages, run a query for the error message, enclosed in quotation marks, at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).
Dcpromo errors
- If the upgrade rolls back without any onscreen error or recorded error in a debug log, verify that you have sufficient free disk space on the volumes that host %systemdrive%, Ntds.dit, and SYSVOL.
- If an error message says “To install a domain controller into this Active Directory forest, you must first prepare the forest using ‘adprep /forestprep’…”, verify that adprep /forestprep has been run and that the helper domain controller has inbound-replicated the /forestprep changes. For more information, see Running adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).
- If an error message says “To install a domain controller into this Active Directory domain, you must first prepare the forest using ‘adprep /domainprep’…”, verify that adprep /domainprep has been run and that the helper domain controller has inbound-replicated the /domainprep changes. For more information, see Running adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).
- If an error message says “the specified user already exists,” delete the stale machine account and verify that the helper domain controller has inbound-replicated that deletion. As an alternative, try another helper domain controller.
- If an error message says “You cannot install an additional domain controller at this time because the RID master <domain controller name> is offline.” or “You will not be able to install a writable domain controller at this time because the RID master <domain controller name> is offline. Do you want to continue?”, see the Microsoft Knowledge Base.
- If a warning indicates that there is no static IP address configured for an IPv6 address on a Windows Server 2008 domain controller, click Yes and complete the wizard.
- If the check box for installing the DNS Server role is unavailable, either the Active Directory domain has a single-label DNS name or Dcpromo.exe cannot discover another Microsoft DNS server in the domain.
- If you see the error message “A delegation for this DNS Server cannot be created because the authoritative parent zone cannot be found…,” see Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164418).
- If you see the error message “The DNS zone could not be created…,” see the Microsoft Knowledge Base.
- If you see the logging event <unable to obtain local RID pool>, see the Microsoft Knowledge Base.
- If the system is unable to share SYSVOL, see the Microsoft Knowledge Base.
- If Dcpromo fails with an error message that says “Failed to modify the necessary properties for the machine account. Access is denied”, make sure that administrators are granted the Enable computer and user accounts to be trusted for delegation permission in Default Domain Controllers Policy and that the policy is linked to the Domain Controllers OU. Also make sure that the helper domain controller’s machine account resides in the Domain Controllers OU and that it has successfully applied the policy. For more information, see article 232070 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166198).
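One way to check the three prerequisites named in the last item (policy linked to the Domain Controllers OU, Administrators granted the delegation right, helper account located in the OU) before running Dcpromo, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module and read access to the domain's SYSVOL share; the GUID is the fixed, well-known GUID of the Default Domain Controllers Policy, and the helper name in the usage line is a constructed placeholder.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module and read access to \\<domain>\SYSVOL.
Import-Module ActiveDirectory

function Test-DelegationPrerequisites {
    param([Parameter(Mandatory = $true)][string]$HelperDcName)

    $ddcpGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # well-known GUID of Default Domain Controllers Policy
    $domain   = Get-ADDomain -Server $HelperDcName
    $dcOu     = $domain.DomainControllersContainer          # OU=Domain Controllers,DC=...

    # 1. The Default Domain Controllers Policy must be linked to the Domain Controllers OU.
    #    gPLink holds entries such as [LDAP://cn={guid},cn=policies,cn=system,DC=...;0].
    $gpLink       = (Get-ADObject -Identity $dcOu -Properties gPLink -Server $HelperDcName).gPLink
    $policyLinked = [bool]($gpLink -and ($gpLink -match [regex]::Escape($ddcpGuid)))

    # 2. The policy's security template must grant SeEnableDelegationPrivilege
    #    ("Enable computer and user accounts to be trusted for delegation") to
    #    Administrators, whose well-known SID is S-1-5-32-544.
    $template = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$ddcpGuid" +
                '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    $privLine = Get-Content -Path $template |
                Where-Object { $_ -match '^\s*SeEnableDelegationPrivilege\s*=' }
    $adminsGranted = [bool]($privLine -and ($privLine -match 'S-1-5-32-544'))

    # 3. The helper DC's computer account must sit in (or under) the Domain
    #    Controllers OU, otherwise the policy never applies to it.
    $helperDn     = (Get-ADDomainController -Identity $HelperDcName -Server $HelperDcName).ComputerObjectDN
    $helperInDcOu = $helperDn -like "CN=*,$dcOu"

    [pscustomobject]@{
        PolicyLinkedToDcOu          = $policyLinked
        AdministratorsHavePrivilege = $adminsGranted
        HelperAccountInDcOu         = $helperInDcOu
    }
}

# Usage (constructed name): all three fields should be True before running Dcpromo.
Test-DelegationPrerequisites -HelperDcName 'DC1.contoso.com'
```

Whether the helper has actually applied the policy is confirmed on the helper itself: whoami /priv, run there as a member of Administrators, should list SeEnableDelegationPrivilege.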