Active Directory Preparation Tool (adprep.exe)

Applies To: Windows Server 2003 with SP1

What does ADPrep.exe do?

Adprep.exe is a command-line tool used to prepare a Microsoft Windows 2000 forest or a Windows 2000 domain for the installation of Windows Server 2003 domain controllers.

Who does this feature apply to?

The changes in ADPrep.exe for Windows Server 2003 Service Pack 1 will be of interest to:

  • IT professionals who support Active Directory, such as Active Directory administrators, Active Directory Schema administrators, Domain Name System (DNS) administrators, and domain controller administrators.

  • Help desk professionals.

  • Application developers.

  • System integrators.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Adprep.exe enhancement to detect conflicting Exchange Server schema objects

Detailed description

When Microsoft Exchange Server is deployed in an organization, it uses Active Directory as a data store and extends the Windows 2000 Active Directory schema so that it can store objects specific to Exchange Server. The ldapDisplayName values of the ms-Exch-Assistant-Name, ms-Exch-LabeledURI, and ms-Exch-House-Identifier attribute schema objects defined by Exchange Server conflict with the iNetOrgPerson schema that Active Directory uses in Windows Server 2003. When Windows Server 2003 Service Pack 1 is installed, Adprep.exe detects the schema conflict and blocks the schema upgrade until the issue has been resolved.

Why is this change important?

Upgrading the Active Directory schema from Windows 2000 to Windows Server 2003 when these schema objects are present causes the ldapDisplayName to become corrupted and results in issues with Active Directory replication. Fixing the Exchange Server schema objects before the upgrade occurs results in a much smoother upgrade experience.

What works differently?

The Windows 2000 Active Directory schema cannot be upgraded to the Windows Server 2003 schema until the required Exchange Server schema objects are fixed.

How do I resolve these issues?

If Adprep.exe detects the presence of the conflicting Exchange Server schema objects, you can use the following procedure to fix these objects and enable Adprep.exe to successfully upgrade your Active Directory schema.

To fix conflicting Exchange Server schema objects

  1. Log on to the computer that holds the Schema Operation Master role. By default, the first domain controller that you install in your forest is the Schema Operation Master. You must log on using an account that is a member of the Schema Admins security group.

  2. Click Start, click Run, type notepad.exe in the Open box, and then click OK.

  3. Create the InetOrgPersonPrevent.ldf script by copying the following text including the trailing hyphen after "schemaUpdateNow: 1" to Notepad:

    dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
    changetype: Modify
    replace: LDAPDisplayName
    LDAPDisplayName: msExchAssistantName
    -

    dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X
    changetype: Modify
    replace: LDAPDisplayName
    LDAPDisplayName: msExchLabeledURI
    -

    dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X
    changetype: Modify
    replace: LDAPDisplayName
    LDAPDisplayName: msExchHouseIdentifier
    -

    dn:
    changetype: Modify
    add: schemaUpdateNow
    schemaUpdateNow: 1
    -

  4. On the File menu, click Save. In the Save As dialog box, follow these steps to save the InetOrgPersonPrevent.ldf script:

    • In File name, type the following:

      \%userprofile%\InetOrgPersonPrevent.ldf

    • In Save as type, click All Files.

    • In Encoding, click Unicode.

    • Click Save.

    • Close Notepad.

  5. Run the InetOrgPersonPrevent.ldf script using the following steps:

    • Click Start, click Run, type cmd in the Open box, and then click OK.

    • At a command prompt, type the following, and then press ENTER:

      cd %userprofile%

    • Type the following command:

      c:\documents and settings\%username%>ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "domain_name_path_for_forest_root_domain"

  6. Verify that the ldapDisplayNames for the CN=ms-Exch-Assistant-Name, CN=ms-Exch-LabeledURI, and CN=ms-Exch-House-Identifier attributes in the schema naming context now appear as msExchAssistantName, msExchLabeledURI, and msExchHouseIdentifier.

Note

In step 5 of the previous procedure, note the following details: DC=X is a case-sensitive constant. The domain name path for the root domain must be enclosed in quotation marks. For example, the command syntax for an Active Directory forest whose forest root domain is Contoso.com would be:

    c:\documents and settings\administrator>ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "dc=contoso,dc=com"
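
The verification in step 6 can be scripted against an LDIF export of the schema objects. The following is an added example, not part of the original Microsoft page: it assumes the objects were exported with ldifde (for instance `ldifde -f check.ldf -d "CN=Schema,CN=Configuration,dc=contoso,dc=com" -r "(cn=ms-Exch-*)" -l lDAPDisplayName`, where check.ldf is a hypothetical file name), and the function names and sample data are constructed for illustration.

```python
import base64

# Expected values after the fix, from step 6 of the procedure above.
EXPECTED = {
    "ms-Exch-Assistant-Name": "msExchAssistantName",
    "ms-Exch-LabeledURI": "msExchLabeledURI",
    "ms-Exch-House-Identifier": "msExchHouseIdentifier",
}

# Constructed sample export: one fixed value, one placeholder standing in
# for an unfixed value, and one record with a folded dn and base64 value.
SAMPLE = """\
dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=contoso,DC=com
lDAPDisplayName: msExchAssistantName

dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=contoso,DC=com
lDAPDisplayName: placeholderUnfixedName

dn: CN=ms-Exch-House-Identifier,CN=Schema,
 CN=Configuration,DC=contoso,DC=com
lDAPDisplayName:: bXNFeGNoSG91c2VJZGVudGlmaWVy
"""

def parse_ldif(text):
    """Return {cn: lDAPDisplayName} for each record in an LDIF export."""
    lines = []
    for raw in text.splitlines():
        # RFC 2849 folding: a leading space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    result, record = {}, {}
    for line in lines + [""]:  # the trailing "" flushes the last record
        if not line.strip():
            dn = record.get("dn", "")
            if dn.upper().startswith("CN="):
                result[dn.split(",", 1)[0][3:]] = record.get("ldapdisplayname")
            record = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: value" carries base64 data
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        record[key.strip().lower()] = value.strip()
    return result

def check_schema_fix(ldif_text):
    """Return {cn: (found, expected)} for objects that still need fixing."""
    found = parse_ldif(ldif_text)
    return {cn: (found.get(cn), want)
            for cn, want in EXPECTED.items() if found.get(cn) != want}
```

An empty result from `check_schema_fix` means all three attributes carry the renamed ldapDisplayName; an object missing from the export is reported with a found value of `None`.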

Adprep.exe enhancement to detect other conflicting schema objects

Detailed description

Many applications use Active Directory as a data store and extend the Windows 2000 Active Directory schema to enable it to store objects specific to the application. If an application defined a non-RFC-compliant schema object whose ldapDisplayName, object identifier (OID), or other schema attributes conflict with the Windows Server 2003 Active Directory schema, Adprep.exe detects the conflict when it is run and displays a generic error.

Why is this change important?

Upgrading the Active Directory schema from the Windows 2000 Server schema to the Windows Server 2003 schema when these schema objects are present causes the object to become corrupted and results in issues with Active Directory replication. Fixing the schema objects before the upgrade occurs results in a much smoother upgrade experience.

What works differently?

The Windows 2000 Active Directory schema cannot be upgraded to the Windows Server 2003 schema until the conflicting schema objects are fixed. In Windows Server 2003 Service Pack 1, Adprep.exe will identify that a conflicting schema object exists, prevent the corruption of the schema object by blocking the upgrade, and, if possible, identify which objects are in conflict so that you can resolve the conflict.

Adprep.exe enhancement to perform SYSVOL operations in a separate step

Detailed description

In previous versions of Windows Server 2003, running adprep /domainprep resulted in the addition of an inheritable access control entry (ACE) to all Group Policy objects (GPOs) in the SYSVOL folder. This ACE gives Enterprise domain controllers read access to the GPOs to support Resultant Set of Policy (RSoP) functionality for site-based policy. The addition of this ACE is detected by the file replication service (FRS) and initiates an FRS synchronization of all GPOs in the SYSVOL folder.

In Windows Server 2003 Service Pack 1, the addition of the ACE to the GPOs in the SYSVOL folder is not performed while running adprep /domainprep. Instead, a new switch (/gpprep) has been added to adprep to add the inheritable ACE to the GPO folders in the SYSVOL directory. This allows administrators to update the ACE of the GPO objects at their convenience.

Why is this change important?

If an organization has a large number of files contained in the GPOs or slow links to replication servers, the FRS synchronization triggered by the /domainprep operation could adversely affect the deployment schedule for Windows Server 2003. By putting this operation at the discretion of the administrator, the impact of this operation can be planned and scheduled as part of the deployment.

What works differently?

The deployment of a Windows Server 2003 domain controller can occur after running adprep /forestprep and adprep /domainprep. Resultant Set of Policy (RSoP) functionality will only be operational after running adprep /domainprep /gpprep.