One question I often come across is how to upgrade a domain from Windows 2003 to Windows 2008 or 2008 R2.
Most organizations run their domain controllers on Windows 2003 x86 (32-bit), while Windows 2008 R2 is available only in x64 (64-bit). When they earlier upgraded the domain from Windows 2000 to 2003, they used ADPREP.EXE, as 99% of organizations had their DCs on 32-bit systems.
Now you too have decided to upgrade your domain controller to Windows 2008 R2, which is available only in x64. While looking for ADPREP.EXE, you find that both ADPREP32.EXE and ADPREP.EXE are on the Windows 2008 R2 media, and you are confused about which one to use on the 32-bit Windows 2003 DC to prepare the schema so that you can introduce an x64 (2008 or 2008 R2) domain controller.
Unsure whether ADPREP32.EXE is the one meant for a 32-bit DC, and since you are moving to Windows 2008 R2, which is x64, you run ADPREP.EXE on the Windows 2000 or 2003 DC, which is 32-bit, and you get an error. You scratch your head and look here and there, checking Active Directory health using DCDIAG and NETDIAG (NETDIAG is not available in Windows 2008 and above), but everything is fine. You then verify replication using the REPADMIN and REPLMON tools (REPLMON is not available in Windows 2008 and above), and that is fine too. You look again at the account used for ADPREP, which has to be a member of Schema Admins, Enterprise Admins and Domain Admins, and that is in place as well. So what is making ADPREP fail when everything is in place?
Well, nothing is wrong except that you chose the wrong version of ADPREP. Microsoft ships two versions: ADPREP32.EXE, which has to run on a DC with a 32-bit OS, and ADPREP.EXE, which has to run on a 64-bit DC. There is no difference between ADPREP32.EXE and ADPREP.EXE; both do the same job, and the two exist only for compatibility with 32-bit and 64-bit operating systems.
This time you go ahead and try ADPREP32.EXE from the 2008 or 2008 R2 media, and you find it works.
I have found that people doubt whether upgrading the schema from Windows 2000/2003 to 2008/2008 R2 will cause any issue. To clear the doubt: ADPREP only adds new attributes and classes; it does not modify or delete existing attributes or classes.
One more important thing: if you have multiple domains or domain controllers spread over a large number of sites, wait for the replication cycle to finish and make sure the changes have replicated to all the DCs, and only then proceed.
Run the commands below only on the following DCs, not on a member server or on the new Windows 2008 R2 server that is going to be the ADC:

| Command | Run on |
|---|---|
| adprep.exe /forestprep | Schema Master |
| adprep.exe /domainprep | Infrastructure Master |
| adprep.exe /domainprep /gpprep | Infrastructure Master |
| adprep.exe /rodcprep * | Domain Naming Master/IM (can be executed on any of the DCs) |

* This command is optional. Run it only if you want to install a read-only domain controller (RODC). There is no harm in running it anyway.
adprep.exe /domainprep /gpprep is not required if you are upgrading your domain from Windows 2003/2003 R2 to Windows 2008/2008 R2; it is required only when upgrading from Windows 2000 to 2003/R2 or 2008/R2.
The function of gpprep is to add permissions on the policy folder in Sysvol.
Proceed only once you have verified that everything is in order; that is the only way to achieve an error-free upgrade.
To learn more about adprep /forestprep, adprep /domainprep and adprep /domainprep /gpprep, and why they need to be run, refer to the references below.
AD Schema Version:

| OS Version | Schema Version |
|---|---|
| Windows 2012 R2 | 69 |
| Windows 2008 R2 | 47 |
| Windows 2003 R2 | 31 |

How to find the current Schema Version:
dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion
In a multi-domain environment, domainprep is sometimes not run after forestprep, either because you do not want to upgrade all the domains or because it has been postponed due to business requirements. In this case, to find out whether domainprep was run earlier, check the revision attribute.
AD Revision Version:

| OS Version | Revision Version |
|---|---|
| Windows 2008 R2 | 5 |

dsquery * CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,dc=domainname,dc=local -scope base -attr revision
In a multiple-domain forest, use only domain.local, because the schema master is common to the whole forest and runs only on the DC that holds the schema role.
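
The schema and revision checks above, run against every domain controller in the forest to confirm that the adprep changes have replicated before you proceed. This is an added example, not part of the original post; it assumes PowerShell 2.0 or later on a domain-joined machine (for instance the new Windows 2008 R2 server), the helper name Get-LdapAttr is made up for the example, and 47 and 5 are the Windows 2008 R2 values from the tables above.

```powershell
# Added example. Expected values are the Windows 2008 R2 rows of the tables on this page.
$expectedSchema   = 47
$expectedRevision = 5

# Hypothetical helper: read one attribute of one object from a specific DC.
function Get-LdapAttr([string]$Server, [string]$Dn, [string]$Attr) {
    $path = "LDAP://$Server/$Dn"
    # The object is absent if the matching adprep step never ran or has not replicated yet.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return $null }
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
    return $entry.psbase.Properties[$Attr].Value
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $row = New-Object PSObject -Property @{
            Domain = $domain.Name; DC = $dc.Name; Schema = $null; Revision = $null; Status = 'OK'
        }
        try {
            # Ask each DC for its own naming contexts instead of hard-coding dc=domainname,dc=local.
            $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/RootDSE")
            $schemaNC = $rootDse.psbase.Properties['schemaNamingContext'].Value
            $domainNC = $rootDse.psbase.Properties['defaultNamingContext'].Value
            $updateDn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC"

            $row.Schema   = Get-LdapAttr $dc.Name $schemaNC 'objectVersion'
            $row.Revision = Get-LdapAttr $dc.Name $updateDn 'revision'

            # $null compares as lower than any number, so a missing value is flagged too.
            if ($row.Schema -lt $expectedSchema)         { $row.Status = 'forestprep not replicated' }
            elseif ($row.Revision -lt $expectedRevision) { $row.Status = 'domainprep missing or not replicated' }
        } catch {
            $row.Status = "unreachable: $($_.Exception.Message)"
        }
        $row
    }
}

$report | Select-Object Domain, DC, Schema, Revision, Status | Format-Table -AutoSize
$behind = @($report | Where-Object { $_.Status -ne 'OK' })
if ($behind.Count -gt 0) { Write-Warning "$($behind.Count) DC(s) not ready; do not proceed yet." }
```

A domain where domainprep was deliberately postponed shows up as "domainprep missing or not replicated" on all of its DCs, which matches the multi-domain case described above.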
To find out which DC holds the DNS partitions, run the commands below. To find the DC holding DomainDnsZones for a particular domain, provide that domain's name. To find the DC holding the ForestDnsZones partition, enter the root domain.
dsquery * CN=Infrastructure,DC=DomainDnsZones,DC=Domain,DC=com -attr fSMORoleOwner
dsquery * CN=Infrastructure,DC=forestDnsZones,DC=Domain,DC=com -attr fSMORoleOwner
References for the AD upgrade to Windows 2008 or 2008 R2:
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains
Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains
Performing an Active Directory Health Check Before Upgrading
A few steps to take before preparing your environment for Windows 2008 or 2008 R2:
- Check the health of your domain and domain controllers using the dcdiag and netdiag tools (netdiag is not available in Windows 2008 and above).
- Check replication using the repadmin tool.
- Check DNS name resolution and related errors in the event log.
- Check for errors related to Sysvol and FRS.
Troubleshooting ADPREP errors.