Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Active Directory Administration Cookbook

You're reading from   Active Directory Administration Cookbook Actionable, proven solutions to identity management and authentication on servers and in the cloud

Arrow left icon
Product type Paperback
Published in May 2019
Publisher Packt
ISBN-13 9781789806984
Length 620 pages
Edition 1st Edition
Languages
Arrow right icon
Author (1):
Arrow left icon
Sander Berkouwer Sander Berkouwer
Author Profile Icon Sander Berkouwer
Sander Berkouwer
Arrow right icon
View More author details
Toc

Table of Contents (16) Chapters Close

Preface 1. Optimizing Forests, Domains, and Trusts FREE CHAPTER 2. Managing Domain Controllers 3. Managing Active Directory Roles and Features 4. Managing Containers and Organizational Units 5. Managing Active Directory Sites and Troubleshooting Replication 6. Managing Active Directory Users 7. Managing Active Directory Groups 8. Managing Active Directory Computers 9. Getting the Most Out of Group Policy 10. Securing Active Directory 11. Managing Federation 12. Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO) 13. Handling Synchronization in a Hybrid World (Azure AD Connect) 14. Hardening Azure AD 15. Other Books You May Enjoy

Using adprep.exe to prepare for new Active Directory functionality

The Active Directory schema defines the way that objects can be created, and what attributes are required or are optional for these objects. With every version of Windows Server, the base schema has been improved and extended.

Many features require certain schema versions for Active Directory. For instance, when you want to deploy a Windows Server 2016-based Active Directory Federation Services (AD FS) farm, you'll need the Windows Server 2016 schema.

Since Windows Server 2012, Microsoft updates the Active Directory schema automatically when you promote the first Windows Server 2012-based member server to an Active Directory domain controller.

However, consider what will happen if you want to do any of the following:

  • Update the Active Directory schema only, because your organization doesn't want domain controllers running the latest version
  • Delegate the promotion of the first domain controller to a lesser-privileged user, instead of an admin that is a member of the Schema Admins group
  • Control the proper replication of the schema update to all domain controllers, before promoting the first domain controller
  • Avoid the default time-out that the Active Directory Configuration Wizard provides for proper replication
  • Perform all Active Directory preparations, including the Group Policy preparation step

In these situations, you'll want to update the Active Directory schema manually, using adprep.exe from the Windows Server installation media.

Getting ready

Copy the entire contents of the \support\adprep folder from the Windows Server installation media to a temporary folder on your system's hard disk.

Required permissions

The Active Directory preparation process consists of four separate stages. You'll need an account with the following group memberships for each stage:

Stage

Required group memberships

Preparing the forest

Enterprise Admins

Schema Admins

Domain Admins in the forest root domain

Preparing the forest for Read-only Domain Controllers (RODCs)

Domain Admins in the forest root domain

Preparing the domain

Domain Admins

Fixing up Group Policy permissions

Domain Admins

How to do it...

Start Command Prompt in the file explorer window of the folder where you've copied the files to.

On Windows 10 version 1803 and up, you can simply type cmd in the address bar to achieve this.

The Active Directory preparation process consists of four separate stages:

  • Preparing the forest
  • Preparing the forest for RODCs
  • Preparing the domain
  • Fixing up Group Policy permissions

After these steps, you'll want to check proper Active Directory replication.

Preparing the forest

Perform these steps to prepare the Active Directory forest:

To prepare the Active Directory forest, run the following command:

adprep.exe /forestprep /forest lucernpub.com /user EntAdmin /userdomain lucernpub.com /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

Next, you issue the c command type, followed by Enter.

The following line at the end of the output indicates the successful preparation of the Active Directory forest:

Adprep successfully updated the forest-wide information 

Preparing the forest for RODCs

The /rodcprep switch for adprep.exe triggers the preparation of the forest for RODCs. This action only needs to be performed when the intention is to run RODCs in the Active Directory forest:

To prepare the Active Directory forest for RODCs, run the following command:

adprep.exe /rodcprep /forest lucernpub.com /user DomAdmin /userdomain lucernpub.com /password P@ssw0rd 

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

The following line at the end of the output indicates the successful preparation of the Active Directory forest for RODCs:

Rodcprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\Windows\debug\adprep\logs\ <date> for more information. 

Preparing the domain

Perform these steps to prepare the domain:

To prepare the Active Directory domain, run the following command:

adprep.exe /domainprep /domain lucernpub.com /user DomAdm /userdomain lucernpub /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

The following line at the end of the output indicates the successful preparation of the Active Directory domain:

Adprep successfully updated the domain-wide information

Fixing up Group Policy permissions

Group Policy preparation, as part of adprep.exe, adds two pieces of functionality to Active Directory:

  • Cross-domain planning functionality for Group Policy
  • Resultant Set of Policy (RSoP) planning mode

GPOs are stored in both the System Volume (SYSVOL) and Active Directory. Both locations require an update of the permissions for existing GPOs, in order to take advantage of the preceding functionality.

If the Active Directory domain already contains custom or delegated permissions, Group Policy preparation kicks off the replication of all Group Policy files in the SYSVOL, and may deny the functionality of RSoP to delegated admins until their permissions are recreated.

Group Policy preparation does not need to be run with every upgrade. Admins need to run Group Policy preparation only once, and they only need to run it if an Active Directory domain has run on Windows 2000 Server-based domain controllers at one point in its existence. If an environment was created with domain controllers running Windows Server 2003, or newer versions of Windows Server, the Group Policy preparation step can be skipped.

To fix up Group Policy permissions, run the following command:

adprep.exe /domainprep /gpprep /domain lucernpub.com /user DomAdm /userdomain lucernpub.com /password P@ssw0rd

Replace the value for the domain and the values for the credentials with values that make sense for your Active Directory environment.

The following line at the end of the output indicates the successful preparation of the Active Directory domain:

Adprep successfully updated the Group Policy Object (GPO) information.

Checking the preparation replication

When done with the preparation steps, the Active Directory schema base version should be upgraded to a higher number, corresponding to the new schema version.

The following table shows the version numbers in accordance to the Active Directory level:

Windows Server version

Schema version

Windows 2000 Server

13

Windows Server 2003

30

Windows Server 2003 R2

31

Windows Server 2008

44

Windows Server 2008 R2

47

Windows Server 2012

56

Windows Server 2012 R2

69

Windows Server 2016

87

Windows Server 2019

88

You can manually check the schema version per domain controller with the following command from any of your domain controllers:

repadmin.exe /showattr * "cn=schema,cn=configuration,dc=lucernpub,dc=com" /atts:objectVersion

Replace lucernpub and com with values for your Active Directory environment.

When all domain controllers report the same schema version, the Active Directory preparation has replicated successfully to all domain controllers.

How it works...

In Windows Server 2012 (and later versions), the whole Active Directory preparation process is automated. When you promote a Windows Server 2012-based member server (or any newer version of Windows Server) to an additional domain controller for a domain, or upgrade a domain controller running a previous version to Windows Server 2012 (or any newer version of Windows Server), the Active Directory Domain Services Configuration Wizard determines whether the environment needs to be prepared as part of the promotion process.

Larger organizations often separate the schema or preparation work from the actual domain controller-promotion process work to minimize risk, adhere to small change windows, and more.

However, adprep.exe is still available to prepare the Active Directory forest and/or Active Directory domain(s) manually.

There's more...

Unless there is a big reason not to, preparing for the latest available Active Directory schema version is the best way to go. A reason not to do this is when an organization doesn't want to enable the promotion of the latest version(s) of Windows Server to domain controllers in a delegated environment.

You have been reading a chapter from
Active Directory Administration Cookbook
Published in: May 2019
Publisher: Packt
ISBN-13: 9781789806984
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image