Manual Active Directory schema extension with Windows Server 2012/2012R2 adprep

 

When you are running Windows Server 2003 or Windows Server 2008 32bit Domain Controllers, it seems that you cannot simply extend the schema manually using the Windows Server 2012/2012R2 adprep utility, especially if you do not need to promote a new Windows Server 2012/2012R2 Domain Controller.

Previous Windows Server versions like:

  • Windows Server 2003
  • Windows Server 2008

contained only a 32bit adprep utility.

In Windows Server 2008R2 there were two adprep tool versions:

  • adprep32.exe for 32bit operating systems
  • adprep.exe for 64bit operating systems

When Windows Server 2012 was released, only one adprep version, 64bit, was available. There is no longer a 32bit tool to extend the schema. This Windows version also introduced a new feature called transparent adpreping. It allows the Active Directory promotion wizard to extend the schema and prepare the Infrastructure Master automatically if it is run with appropriate credentials:

  • Enterprise Admin or Schema Admin to extend schema
  • Enterprise or Domain Administrator to prepare Infrastructure Master

But what if you have 32bit Domain Controllers in your environment and you wish to extend the schema without implementing a Windows Server 2012/2012R2 DC?

You cannot execute the adprep tool on a 32bit OS directly, because you will get an error message:

Adprep error message on 32bit OS


However, the new adprep released with Windows Server 2012 supports new switches that allow it to be run remotely from any 64bit OS.

To check them, mount the DVD media or ISO file on any 64bit machine in your domain environment. In this example, a Windows 7 Enterprise 64bit workstation joined to the domain is used.

Go to the X:\Support\ADPREP folder, where X: is your DVD drive letter. In this example, the Windows Server 2012R2 adprep is used in an environment where only a Windows Server 2003 32bit Domain Controller is available.

d:
cd support\adprep
adprep.exe /?

New adprep help

Adprep switches

As you can see, there are a lot of new switches, but they will not be discussed here. You can now simply start extending the schema. Open an elevated command prompt and type

adprep.exe /forestprep /user <EnterpriseOrSchemaAdmin> /userdomain <ForestRootDNSDomainName> /password *

for example:

adprep.exe /forestprep /user administrator /userdomain testenv.local /password *

adprep syntax

Instead of /password * you can simply put the account’s password on the command line, but it might be seen by others, so it’s better to leave * because you will then be prompted for the password.

Type the password (it will not be shown on the screen) and press Enter to start the action.

adprep password input

adprep will start the extension procedure.

Schema extension start

Just wait a couple of minutes for the schema extension to complete.

Schema extension completed

Finally, run ADSI Edit (adsiedit.msc) to verify that the schema version has changed.

ADSIEdit

Changed schema version

If you see version 69, the Windows Server 2012R2 schema has been applied!
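The same verification can be scripted instead of reading the value in ADSI Edit. The PowerShell below is an added example, not part of the original article: it reads objectVersion from the schema naming context and resolves the current Schema Master. The helper name Get-Entry is hypothetical, and the version table entries other than 69 are added here rather than taken from the article.

```powershell
# Added example: read the schema version and the Schema Master over LDAP (ADSI).
param(
    [string]$Forest = 'testenv.local',                        # sample forest name from this article
    [System.Management.Automation.PSCredential]$Credential    # optional: account in the target forest
)

# objectVersion of the schema container for each Windows Server release
$releases = @{
    30 = 'Windows Server 2003';    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008';    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012';    69 = 'Windows Server 2012 R2'
}

# Hypothetical helper: bind to an LDAP path, with explicit credentials when supplied
function Get-Entry([string]$Path) {
    if ($Credential) {
        $plain = $Credential.GetNetworkCredential().Password
        return New-Object System.DirectoryServices.DirectoryEntry($Path, $Credential.UserName, $plain)
    }
    return New-Object System.DirectoryServices.DirectoryEntry($Path)
}

$rootDse  = Get-Entry "LDAP://$Forest/RootDSE"
$schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
if (-not $schemaNc) { throw "Cannot read RootDSE from $Forest (check DNS and credentials)." }

$schema  = Get-Entry "LDAP://$Forest/$schemaNc"
$version = [int]$schema.Properties['objectVersion'].Value

# fSMORoleOwner is the DN of the role holder's "NTDS Settings" object;
# its parent is the server object, which carries dNSHostName.
$ntdsDn   = [string]$schema.Properties['fSMORoleOwner'].Value
$serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
$master   = [string](Get-Entry "LDAP://$Forest/$serverDn").Properties['dNSHostName'].Value

$release = $releases[$version]
if (-not $release) { $release = 'unknown (not in the table above)' }

New-Object PSObject -Property @{
    Forest        = $Forest
    SchemaVersion = $version
    Release       = $release
    SchemaMaster  = $master
}
```

Run it before and after adprep to compare the two values; on a machine that is not joined to the domain, pass -Credential (Get-Credential) so the bind uses an account from the target forest.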

The procedure above showed how to do this in a single-forest, single-domain environment. What if you have multiple forests in your organization? How do you handle that scenario? Let’s see.

You need to add one more switch, /forest, to the adprep syntax and specify the forest whose schema you would like to extend. Of course, you need to be a member of the Enterprise or Schema Admins group in that forest to perform the action successfully.

adprep.exe /forestprep /forest <ForestDNSNameToApplySchema> /user <EnterpriseOrSchemaAdminForThatForest> /userdomain <ForestDomainDNSName> /password *
adprep.exe /forestprep /forest testenv.local /user administrator /userdomain testenv.local /password *

adprep for any forest

Just repeat the above step for every forest in which you need to extend the schema.

Everything above was done on a workstation joined to the domain. There is also another possibility: all of these steps can be performed from any 64bit OS that is not joined to the domain.

In this case, you need to make sure that the NIC is configured to point to a DNS server that is able to resolve the forest root domain name.

64bit OS NIC configuration for DNS settings

Check that you can successfully ping the forest DNS name and, of course, that the Schema Master server is reachable from this network.

ping <ForestDNSName>
ping testenv.local

Pinging forest DNS name

Then use adprep with the /forest switch, as shown above for other forests.

That’s all! I hope this helps you if you need to extend the schema manually on 32bit Domain Controllers.

Author: Krzysztof Pytko
