Has adprep been run?

      Comments Off on Has adprep been run?

I had an interesting question asked of me today, and I had to spend some time looking into it, so I thought I’d share the result of that with you.


As you know, adprep is used for preparing Active Directory to include Windows Server 2003 domain controllers. It comes in two flavors:



adprep /forestprep


Which is, of course, run once per forest, and



adprep /domainprep


Which is, of course, run once per domain.


Forestprep


The forestprep process creates a new container named:



CN=Operations,CN=ForestUpdates,CN=Configuration,DC=<VAR>ForestRootDomain</VAR>


Each operation executed by adprep/forestprep causes a new GUID-named container object to be created in the above container.


If you are upgrading from any version of Windows 2000 Server to Windows Server 2003, and adprep/forestprep has completed successfully, then the CN=Operations container will have 36 of the GUID-name objects contained within it. If you are upgrading from a beta or release-candidate version of Windows Server 2003 to the released version, you may have as many as 43 of these objects.


If there are fewer than 36 objects, then adprep/forestprep failed somewhere along the process. You can compare the list of operations and GUIDs in the Microsoft KB article 309628.


Domainprep


Similar to forestprep, the domainprep operation also creates a new container:



CN=Operations,CN=DomainUpdates,CN=System,DC=<VAR>DomainName</VAR>


but unlike forestprep, domainprep also creates a second container:



CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=<VAR>DomainName</VAR>


which contains a single attribute of interest CN=Revision.


The CN=Operations container will contain 50 updates (up to 55 if you are upgrading from beta-releases).


If all 50 of the operations are completed successfully, then the CN=Windows2003Update container will have its Revision attribute set to 8 (eight).


If the CN=Revision attribute is not eight, then each GUID in the CN=Operations,CN=DomainUpdates container may be examined to determine where adprep/domainprep failed. The list of these is also given in Microsoft KB article 309628.


Fun Fact


All of the non-schema updates that happen as a result of running adprep are executed on the domain controller which holds the infrastructure master FSMO role.

[Via Michael’s meanderings…]