When your Domain Controllers run 32-bit Windows Server 2003 or Windows Server 2008, it may seem that you cannot extend the schema manually with the Windows Server 2012/2012 R2 adprep utility, especially if you do not plan to promote a new Windows Server 2012/2012 R2 Domain Controller yet. You can, as shown below.
Previous Windows Server versions like:
- Windows Server 2003
- Windows Server 2008
contained only a 32-bit adprep utility.
In Windows Server 2008R2 there were two adprep tool versions:
- adprep32.exe for 32bit operating systems
- adprep.exe for 64bit operating systems
Since Windows Server 2012 only a 64-bit adprep is shipped; there is no 32-bit tool to extend the schema any more. The same release introduced what is often called transparent adprep: the Active Directory promotion wizard extends the schema (forestprep) and prepares each domain on its Infrastructure Master (domainprep) by itself, provided it runs with appropriate credentials:
- Schema Admins, Enterprise Admins and Domain Admins of the forest root domain to extend the schema (forestprep)
- Domain Admins of each domain to prepare that domain (domainprep)
But what if you have 32-bit Domain Controllers in your environment and wish to extend the schema without implementing a Windows Server 2012/2012 R2 DC?
You cannot execute the adprep tool on a 32-bit OS directly; it is a 64-bit binary and you will only get an error message.
However, the adprep released with Windows Server 2012 supports new switches that let you run it remotely from any 64-bit OS, against the Schema Master over the network.
To check them, mount the DVD media or ISO file on any 64-bit machine in your domain environment. In this example a Windows 7 Enterprise 64-bit workstation joined to the domain is used.
Go to X:\Support\ADPREP, where X: is your DVD drive letter. In this example the Windows Server 2012 R2 adprep is used in an environment where only a Windows Server 2003 32-bit Domain Controller is available.
d:
cd support\adprep
adprep.exe /?
As you can see, there are many new switches, but they are not discussed here. You can now simply start extending the schema. Open an elevated command prompt and type
adprep.exe /forestprep /user <EnterpriseOrSchemaAdmin> /userdomain <ForestRootDNSDomainName> /password *
adprep.exe /forestprep /user administrator /userdomain testenv.local /password *
Instead of /password * you could put the account's password on the command line, but it is then visible to others (in the process list, the command history, or over your shoulder), so it is better to leave * and be prompted for the password.
Type the password (it is not shown on the screen) and press Enter to start. Because a schema extension is forest-wide and cannot be undone, take a System State backup of the Schema Master before you run forestprep.
adprep starts the extension procedure.
Just wait a couple of minutes for the schema extension to complete,
and after that run ADSI Edit (adsiedit.msc), connect to the Schema naming context and check the objectVersion attribute of the Schema container to verify that the schema version has changed.
When you see version 69, the Windows Server 2012 R2 schema was applied!
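The same check from PowerShell, as an added example that is not part of the original post: it reads objectVersion the way adsiedit.msc shows it and then asks every DC in the forest, because the Schema Master gets the new version first and the other DCs only after replication. It assumes a domain-joined 64-bit machine and any domain user; RSAT is not required.

```powershell
# Added example (not from the original post): verify the schema version the way
# adsiedit.msc shows it, and confirm every DC has replicated it, without RSAT.
# Assumption: run as a domain user on a domain-joined 64-bit machine.

# objectVersion values Microsoft assigns to each schema release
$KnownSchemaVersions = @{
    30 = 'Windows Server 2003';  31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008';  47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012';  69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016';  88 = 'Windows Server 2019'
}

function Get-SchemaVersion {
    param([string]$Server)   # DC name; empty = whichever DC the workstation locates
    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("${prefix}RootDSE")
    $schemaDn = $rootDse.Properties['schemaNamingContext'].Value
    $schema   = New-Object System.DirectoryServices.DirectoryEntry("$prefix$schemaDn")
    $v = [int]$schema.Properties['objectVersion'].Value
    [pscustomobject]@{
        Server  = if ($Server) { $Server } else { $rootDse.Properties['dnsHostName'].Value }
        Version = $v
        Release = if ($KnownSchemaVersions.ContainsKey($v)) { $KnownSchemaVersions[$v] } else { 'unknown' }
    }
}

# Forest-wide view: the Schema Master holds the new version first, the others
# only after replication, so check all of them, not just the one you happen to hit.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Schema Master: $($forest.SchemaRoleOwner.Name)"
$forest.Domains | ForEach-Object { $_.DomainControllers } |
    ForEach-Object { Get-SchemaVersion -Server $_.Name } |
    Format-Table Server, Version, Release -AutoSize
```

A DC that still reports 30 or 44 while the Schema Master already shows 69 is not a failed adprep; it simply has not replicated the schema partition yet (repadmin /showrepl on that DC will tell you why if it stays behind).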
The procedure above showed how to do that for a single-forest, single-domain environment. What if you have multiple forests in your organization? How do you handle that scenario? Let's see.
You need to add one more switch, /forest, to the adprep syntax and specify the forest whose schema you want to extend. Of course, you need to be a member of the Schema Admins and Enterprise Admins groups (and Domain Admins of the forest root domain) in that forest to successfully perform the action.
adprep.exe /forestprep /forest <ForestDNSNameToApplySchema> /user <EnterpriseOrSchemaAdminForThatForest> /userdomain <ForestDomainDNSName> /password *
adprep.exe /forestprep /forest testenv.local /user administrator /userdomain testenv.local /password *
Just repeat the step above for every forest in which you need to extend the schema.
Everything above was done on a workstation joined to the domain. There is also another possibility: all those steps work from any 64-bit machine that is not joined to the domain.
In this case you need to make sure the NIC points at a DNS server that can resolve the forest root domain name,
check that you can successfully resolve and ping the forest DNS name and, of course, that the Schema Master is reachable from that network (at least LDAP, TCP 389, which adprep uses),
and then use adprep as shown for other forests, with the /forest switch and /user and /userdomain for an account from that forest.
That's all! I hope this helps if you need to extend the schema manually while you still have 32-bit Domain Controllers.
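The pre-flight checks for the non-joined machine, as an added example that is not part of the original post. It resolves the forest name, locates the Schema Master with forest credentials (the machine has no domain identity of its own), verifies TCP 389 to it, and only then launches adprep. Assumed values: forest testenv.local, adprep mounted on D:, credentials prompted with Get-Credential; .NET classes are used instead of Resolve-DnsName and Test-NetConnection so it also runs on Windows 7.

```powershell
# Added example (not from the original post): pre-flight checks to run on a
# 64-bit machine that is NOT joined to the domain, before starting adprep.
# Assumptions: forest testenv.local, adprep mounted on D:, credentials prompted;
# the account must be a Schema Admin / Enterprise Admin of that forest.

$ForestName = 'testenv.local'
$AdprepPath = 'D:\support\adprep\adprep.exe'

# 1. Can the configured DNS servers resolve the forest root name at all?
#    A non-joined machine often still points at a public resolver.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($ForestName) | ForEach-Object { $_.IPAddressToString }
    "DNS: $ForestName -> $($ips -join ', ')"
} catch {
    throw "DNS cannot resolve $ForestName. Point the NIC at an internal DNS server first."
}

# 2. Find the Schema Master through the forest (needs forest credentials
#    because this box has no domain identity of its own).
$cred = Get-Credential -Message "Enterprise/Schema Admin of $ForestName"
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    'Forest', $ForestName, $cred.UserName, $cred.GetNetworkCredential().Password)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$schemaMaster  = $forest.SchemaRoleOwner.Name
$schemaVersion = $forest.Schema.GetDirectoryEntry().Properties['objectVersion'].Value
"Schema Master: $schemaMaster (current schema objectVersion $schemaVersion)"

# 3. adprep talks LDAP to the Schema Master; make sure TCP 389 is open from here.
#    TcpClient is used instead of Test-NetConnection so this also works on Windows 7.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($schemaMaster, 389); "LDAP 389 to ${schemaMaster}: open" }
catch { throw "Cannot reach $schemaMaster on TCP 389 from this network." }
finally { $tcp.Close() }

# 4. Only now run adprep; /password * keeps the password off the command line.
#    Take a System State backup of the Schema Master first.
$userName = $cred.UserName.Split('\')[-1]   # strip a DOMAIN\ prefix if one was typed
& $AdprepPath /forestprep /forest $ForestName /user $userName /userdomain $ForestName /password *
```

Run it from an elevated PowerShell session; adprep still prompts for the password interactively at the last step, exactly as in the command prompt version above.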
Author: Krzysztof Pytko
You may have heard that a new Microsoft Windows Server is being developed. Currently this version is called Technical Preview and you can download it for free from the Microsoft TechNet Evaluation Center at this link
Now is a good time to start testing the new Windows Server version. Before the final edition you can get familiar with new features and test roles, to be prepared for a future migration. This article describes forest root Domain Controller promotion on Windows Server Technical Preview.
The Domain Controller promotion process has not changed since Windows Server 2012/2012 R2, and the dcpromo wizard is still gone; promotion is done from Server Manager. First of all, you need to install the Active Directory Domain Services role from the Server Manager console.
But before you do that, let's see what information you need to start promoting a DC.
- Company name – helpful in choosing the forest/domain name
- Network configuration – the valid IP address range for our company and the router's IP (the default gateway)
- ISP DNS servers or any public DNS servers – to be able to reach Internet resources from our company
- Services we need to run – what additional services will be required to fulfil the company's requirements
Let’s start collecting them all.
- Company name – Test Environment
- Network configuration – IP addresses range 192.168.1.0/24; the first available IP address is a router (default gateway)
- Public DNS servers – 8.8.8.8 and 8.8.4.4 (Google public DNS servers)
- Services – Active Directory: Directory Services, DNS server(s)
Now you can install your first Windows Server Technical Preview and configure it. After that you will be able to promote this server to a Domain Controller.
When your server is installed, log on with the local Administrator account and start its preparation.
Open Server Manager (or wait a moment, it starts by itself by default), set a static IP address for your server (in this case 192.168.1.10 with network mask 255.255.255.0), configure the time zone and change the server name according to your company's naming convention.
You may also set up other options there, like NIC teaming, remote management and remote access.
This is a very important part of the network configuration before promoting the server to a Domain Controller: as the preferred DNS server type 127.0.0.1 (loopback) or the server's own address, 192.168.1.10, so that the server uses its own DNS once the role is installed.
To configure network parameters, click on “Local Server” node on the left side of Server Manager
and then click on “Ethernet” to configure these settings
You will see "Network connections", where your network card is shown;
edit its properties and set the required IP information under the IPv4 section.
Under its properties put valid IP address, network mask, default gateway and DNS server IP address
Now let's configure the server name and reboot so that Domain Controller promotion can start. To change the server name, click on the "Computer name" section and provide the appropriate name,
apply the changes and reboot the server. When your server is up and running again, you can start the promotion process.
Install the Active Directory Domain Services role and afterwards follow the post-install steps which promote the server to a Domain Controller. To do that, open Server Manager and go to "Add roles and features" on the Dashboard screen
You will see a wizard which will guide you through role installation process. Go further up to a screen with roles selection using default options and choose “Active Directory Domain Services” role. Confirm all dependent roles/features to be installed with AD:DS role
confirm also features which will be installed with selected role
Go “Next” to screen with installation summary and click “Install”
and wait until Active Directory: Domain Services role will be installed
When the role is installed, you will see a yellow exclamation mark in the notification area.
That means there are additional steps to do after the role installation. Click on that field and you will see what to do next.
Click on "Promote this server to a domain controller" and the promotion wizard is displayed.
It is similar to the old DCPROMO wizard on previous OS versions, but the promotion process is much simpler and needs fewer steps to finish.
In this case you are configuring a new forest root domain, so choose the "Add a new forest" option and specify the DNS domain name for this new forest. As mentioned before, in this example testenv.local is used as the DNS domain name.
On the next screen, you need to specify Domain and Forest Functional Levels.
When you configure a new forest root domain you cannot choose the Windows Server 2003 Domain or Forest Functional Level; the lowest possible level is Windows Server 2008. Keep that in mind when planning a new infrastructure: Windows Server 2003 Domain Controllers cannot be added to such a forest, and Windows Server 2003 support is ending soon anyway.
Information! Currently the highest possible Domain and Forest Functional Level is Windows Server 2012 R2. It looks like the Technical Preview is not ready for new levels yet, or they are too unstable to be exposed.
For more details about raising domain and forest functional levels, please check another articles on my blog:
Important! Once you set a Domain/Forest Functional Level it cannot be lowered again through the GUI (the only exceptions are a few PowerShell downgrades, for example from Windows Server 2008 R2 to 2008 as long as the Recycle Bin has not been enabled), so be careful when you choose them. If you are not sure which functional level is adequate for you, choose the lower one; you can always raise it later without any business continuity disruption.
Define whether the server will have the DNS role installed and whether it will be a Global Catalog. As this is the first Domain Controller, both must be installed.
Specify the Directory Services Restore Mode (DSRM) password. It is used only to log on in DSRM (for example for a restore), not for the domain Administrator account: when the first DC is promoted, the local Administrator account becomes the domain Administrator and keeps the password it already had. Use a different, strong password for DSRM and store it safely; anyone who can boot the DC into DSRM with it has full access to the directory database.
As this is the first Domain Controller of the forest root domain, do not worry about DNS delegation and go to the next step.
After the DNS domain name you also need to type the NetBIOS domain name. By default the wizard suggests the first label of the DNS domain name. If you have no reason to use a different NetBIOS name, I would suggest leaving it, because after such a change you will have an issue with Active Directory Administrative Center, which does not recognize a changed NetBIOS domain name (it uses the first label of the DNS domain name).
Specify the location of the AD database, log files and SYSVOL. You may leave the defaults or move them to a dedicated drive.
You will see a summary screen with all details before installation. As in Windows Server 2012, everything in Server Manager is translated into PowerShell and executed in the background, so you may click on "View script" to see what will be done to install and configure the Domain Controller.
When you are ready, click Next to go to the final screen, where the prerequisite checks run in the background.
If all prerequisites pass, you can start the installation.
Wait a while and the server will reboot. After the reboot, your server is a Domain Controller.
Congratulations! Your Domain Controller for the forest root domain is ready! You can log on to it with the password you gave the local Administrator during server preparation; that account is now the domain Administrator. (If you chose the same password for DSRM it will work too, but keep them different.)
Log on to your new Domain Controller using domain administrator credentials.
We have to configure the DNS server to send unresolved DNS queries to the ISP DNS server(s) or any other public DNS server(s). This configuration is necessary to reach Internet resources from our internal network.
If you do not have public DNS server IP addresses or do not want to define them, leave the "Forwarders" tab empty and the "Root hints" will be used by default. In that case, skip the few steps below.
Open DNS management console from Tools in Server Manager and select server name.
In the right pane, at the bottom of that window, double-click on Forwarders.
When the Forwarders window appears, click the "Edit" button to add the public DNS servers for Internet access.
You should see a window where you can add ISP or public DNS servers. Add them to the list. In this case we use the Google public DNS servers (8.8.8.8 and 8.8.4.4). Wait until they are validated and close the console.
After all that, you should consider Domain Controller and DNS server redundancy in your network by placing an additional server with these roles. Another very important point is performing a System State backup of the Domain Controllers regularly.
If hardware resources in your network are scarce, you can consider placing the DHCP server on this Domain Controller. However, installing additional roles on DCs is not recommended, for security reasons and because of rights delegation: anyone who administers that role ends up with local access to a Domain Controller.
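The whole procedure above as one PowerShell script, added here as an example; it is not the script the wizard's "View script" button generates, although the promotion part uses the same ADDSDeployment cmdlets. It assumes values the article does not state: interface alias "Ethernet", default gateway 192.168.1.1 (the "first available IP"), server name DC01 and NetBIOS name TESTENV. Run each phase in an elevated PowerShell session; the server reboots between phases.

```powershell
# Added example, not the wizard's generated script: the forest root promotion
# from the article as PowerShell, in the same order (network, rename, role,
# promotion, forwarders). Assumed values (not in the article): interface alias
# "Ethernet", default gateway 192.168.1.1, server name DC01, NetBIOS name TESTENV.

# ---- Phase 1: local server preparation (logged on as local Administrator) ----
$Interface  = 'Ethernet'
$ServerIP   = '192.168.1.10'
$Gateway    = '192.168.1.1'
$ServerName = 'DC01'

# Static IP; drop any DHCP lease and default route first so New-NetIPAddress does not collide.
Set-NetIPInterface -InterfaceAlias $Interface -Dhcp Disabled
Remove-NetRoute -InterfaceAlias $Interface -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Interface -IPAddress $ServerIP -PrefixLength 24 -DefaultGateway $Gateway
# The DNS client points at the server itself: it will host the zone after promotion.
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses 127.0.0.1
tzutil.exe /s 'Central European Standard Time'   # list zones with: tzutil /l
Rename-Computer -NewName $ServerName -Force -Restart

# ---- Phase 2: role installation and promotion (after the reboot) ----
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# DSRM password: separate from the Administrator password, never on the command line.
$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

$forestParams = @{
    DomainName                    = 'testenv.local'
    DomainNetbiosName             = 'TESTENV'
    ForestMode                    = 'Win2012R2'   # highest level the wizard offered in the article
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true         # first DC: DNS and Global Catalog are mandatory
    CreateDnsDelegation           = $false        # new forest root, nothing to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true         # suppress the confirmation prompt
}

# The same prerequisite check the wizard runs before it lets you click Install.
$check = Test-ADDSForestInstallation @forestParams
if ($check.Status -ne 'Success') { $check.Message; throw 'Prerequisite check failed' }

# Promote; the server reboots itself once the forest is created.
Install-ADDSForest @forestParams

# ---- Phase 3: DNS forwarders (after the promotion reboot, as domain Administrator) ----
# Without forwarders the DNS server falls back to root hints, which also works.
Add-DnsServerForwarder -IPAddress 8.8.8.8, 8.8.4.4 -PassThru
Get-DnsServerForwarder
```

Test-ADDSForestInstallation accepts the same parameters as Install-ADDSForest, so splatting one hashtable into both guarantees that what you tested is what you install.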
Author: Krzysztof Pytko
My friend Wojciech has recently started his blog and you can find a lot of interesting articles there. His knowledge base is growing, so keep an eye on his blog, it's worth it!
One really useful article at the moment is about Active Directory Topology Visualization.
If you have ever considered documenting your Domain Controller connection map but could not find a free and easy tool for it, Wojciech prepared a Visual Basic Script that generates your AD topology, which you can simply use in your documentation.
It is really simple to use: just double-click on it and wait a couple of minutes (depending on the environment size, i.e. how many DCs are in your domain). After some time you will receive the Domain Controller connection map.
This is also helpful during troubleshooting. For the details, take a look at http://wojciech.pazdzierkiewicz.pl/?p=533
And do not forget to visit his blog to extend your Active Directory knowledge!
Author: Krzysztof Pytko