Windows Server 2012: Domain-Wide Updates

Published: January 31, 2013

Updated: January 31, 2013

Applies To: Windows Server 2012

Review the following set of changes to understand the schema updates that adprep /domainprep performs in Windows Server 2012 and to prepare for them. After the operations that are performed by the domainprep command in Windows Server 2012 (operations 78, 79, 80, and 81) complete, the revision attribute for the CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=ForestRootDomain object is set to 9.

In Windows Server 2012, Adprep commands run automatically as needed during AD DS installation. They can also be run separately in advance of AD DS installation. For more information, see Running Adprep.exe.

For more information about how to interpret the access control entry (ACE) strings, see ACE strings.

For more information about how to interpret the security ID (SID) strings, see SID strings.


Each operation below is listed with its operation number and GUID, followed by its description, attributes, and permissions.

Operation 78: {c3c927a6-cc1d-47c0-966b-be8f9b63d991}

Description: Create a new object CN=TPM Devices in the Domain partition.

Attributes:

  • Object class: msTPM-InformationObjectsContainer

Operation 79: {54afcfb9-637a-4251-9f47-4d50e7021211}

Description: Create an access control entry for the TPM service.

Permissions:

  • (OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)

Operation 80: {f4728883-84dd-483c-9897-274f2ebcf11e}

Description: Grant "Clone DC" extended right to Cloneable Domain Controllers group.

Permissions:

  • (OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;domain SID-522)

Operation 81: {ff4f9d27-7157-4cb0-80a9-5d6f2b14c8ff}

Description: Grant ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity to Principal Self on all objects.

Permissions:

  • (OA;CIOI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)
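
The ACE strings for operations 79, 80, and 81 decoded field by field, as an added example that is not part of the original Microsoft page. Token meanings follow the SDDL ACE string format; the function names, the scope wording, and the handling of this page's "domain SID-522" trustee notation are assumptions of the example.

```python
import re

# SDDL tokens (a subset) from the ACE string format this page references.
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "object allow", "OD": "object deny"}
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}
RIGHTS = {"RP": "read property", "WP": "write property", "CR": "control access",
          "CC": "create child", "DC": "delete child", "LC": "list children",
          "SW": "self write", "LO": "list object", "DT": "delete tree"}
SID_ALIASES = {"PS": "Principal Self"}  # only the alias this page uses

def _tokens(field, table):
    """Split a field into two-letter SDDL tokens and reject unknown ones."""
    toks = re.findall("..?", field)
    unknown = [t for t in toks if t not in table]
    if unknown:
        raise ValueError(f"unknown SDDL token(s) {unknown} in {field!r}")
    return toks

def parse_ace(ace):
    """Decode '(type;flags;rights;object_guid;inherit_object_guid;trustee)'."""
    m = re.fullmatch(r"\(([^()]*)\)", ace.strip())
    if not m or m.group(1).count(";") != 5:
        raise ValueError(f"not a six-field ACE string: {ace!r}")
    ace_type, flags, rights, obj, inherit_obj, trustee = m.group(1).split(";")
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ACE type {ace_type!r}")
    flags = _tokens(flags, ACE_FLAGS)
    rid = re.fullmatch(r"domain SID-(\d+)", trustee)  # this page's notation
    if "IO" in flags:            # ACE is inherited but not effective here
        scope = "descendants only"
    elif "CI" in flags or "OI" in flags:
        scope = "this object and descendants"
    else:
        scope = "this object only"
    return {
        "type": ACE_TYPES[ace_type],
        "rights": [RIGHTS[t] for t in _tokens(rights, RIGHTS)],
        "scope": scope,
        "object_guid": obj or None,                  # attribute or extended right
        "inherit_object_guid": inherit_obj or None,  # class that inherits the ACE
        "trustee": (f"domain-relative RID {rid.group(1)}" if rid
                    else SID_ALIASES.get(trustee, trustee)),
    }

PAGE_ACES = {  # copied verbatim from operations 79, 80 and 81 on this page
    79: "(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)",
    80: "(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;domain SID-522)",
    81: "(OA;CIOI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)",
}
```

Calling `parse_ace(PAGE_ACES[81])` shows that operation 81 is the only one of the three that combines write access with inheritance to every descendant object, which makes it the entry to look at first when auditing what Principal Self can change after domainprep.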
