New features in Active Directory Domain Services in Windows Server 2012, Part 3: New Upgrade Process

While a lot of lab environments will be set up as I explained in part 2 of this series (with the New Promotion Process), in the real world a lot of Active Directory environments will be upgraded or transitioned, because they’re already equipped with Domain Controllers running a previous version of Windows Server. In this blogpost I’ll explain the work the Active Directory team has done to make transitioning and upgrading easier by streamlining the Active Directory Preparation process.

Note:
The behavior of Windows Server 2012 and the actions needed to prepare an Active Directory environment for Windows Server 2012 only applies to situations where you implement Windows Server 2012-based Domain Controllers. If you merely deploy Windows Server 2012 as File or Print servers, you don’t need to prepare your Active Directory, since Windows Server 2012 member servers work out of the box.

The following topics will be explained in this blogpost:

What's New

Goodbye difficult upgrade process

In previous versions of Windows Server, upgrading or transitioning an Active Directory environment required a couple of manual actions on the existing Domain Controllers: before anything else, you had to prepare the Active Directory.

Microsoft provided two tools for this preparation: adprep.exe for 64-bit (x64) Domain Controllers and adprep32.exe for 32-bit (x86) Domain Controllers. To make things more complex, each command had to be run on a specific Domain Controller in your current Active Directory environment: the Forest Preparation (adprep.exe /forestprep) on the Schema Master, the Domain Preparation (adprep.exe /domainprep) on the Infrastructure Master, and the (optional) Read-only Domain Controller preparation (adprep.exe /rodcprep) on the Domain Naming Master, etc. After you were done, you needed to verify that the changes had replicated properly before taking the next migration step… Long story short: it was a pain.

Tip!
If you want to know more about transitioning and upgrading Active Directory with previous versions of Windows Server be sure to check out the following blogposts:

Automation

In Windows Server 2012, the whole Active Directory preparation process is automated. When you promote a Windows Server 2012-based member server to an additional Domain Controller for a domain or upgrade a Windows Server 2008 x64 or Windows Server 2008 R2-based Domain Controller to Windows Server 2012, the Active Directory Domain Services Configuration Wizard will determine whether the environment needs to be prepared as part of the promotion process.

It will alert you that Preparation is needed as part of the Domain Controller Promotion process:

Preparation Options screen of the Active Directory Domain Services Configuration Wizard

During the Promotion Process, the Active Directory Domain Services Configuration Wizard automatically targets the Domain Controllers holding the appropriate FSMO roles, independent of their architecture (x86 or x64), as you can see in this screenshot:

Forest Preparation by the Active Directory Domain Services Configuration Wizard

When the preparation steps are done, the Active Directory Schema is at version 56. After replication, the wizard continues with the actions appropriate to the scenario (for example, promoting the server as a Domain Controller in the existing domain). If the changes don’t replicate within a reasonable timeframe, the Active Directory Domain Services Configuration Wizard errors out.

Of course, you can also manually check the schema version per Domain Controller with the following command-line one-liner:

repadmin /showattr * "cn=schema,cn=configuration,dc=domain,dc=tld" /atts:objectVersion

When all your Domain Controllers report Schema version 56, the Active Directory preparation has replicated to all Domain Controllers.

 

The new adprep.exe

In more advanced environments, though, the new automated process may raise serious security and process concerns. In these scenarios you can perform the Active Directory preparation steps manually.

In that case, luckily, you can still fall back on adprep.exe.

Tip!
Just like in previous versions of Windows Server, you can find adprep.exe in the \Support\Adprep folder of your Windows Server installation media, together with its supporting *.csv, *.ldf and *.dll files.

New features

New features of adprep.exe itself are:

  • Adprep32.exe is no longer available. Preparing your Active Directory is no longer possible on 32-bit (x86) Windows Operating Systems. On the upside, adprep.exe can be run from any 64-bit domain-joined machine and will target the Domain Controller holding the specific Flexible Single Master Operations (FSMO) role required by the preparation step chosen. For instance, you can simply run adprep.exe from the fresh Windows Server 2012 installation you intend to promote as a new Domain Controller.

Tip!
Preparing Active Directory from a domain-joined Windows 8 x64 client is also possible when you use the Remote Server Administration Tools (RSAT).

  • Adprep.exe is now multilingual. It supports localized output, so that administrators in remote domains who are less fluent in English can prepare their domains more easily. Language files can be found on the Windows Server installation media in their respective languages.

Requirements

To be able to introduce Windows Server 2012 Domain Controllers with automatic Active Directory Preparation, the Active Directory forest in which you want to introduce them needs to be running the Windows Server 2003 Forest Functional Level (FFL).
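The two checks this post describes, the Windows Server 2003 Forest Functional Level requirement and the per-Domain Controller schema version check that the repadmin one-liner above performs, as an added PowerShell pre-flight script (not from the original post). It assumes the ActiveDirectory module from RSAT is installed and that the account running it can read the schema partition on every Domain Controller.

```powershell
# Added example, not part of the original post: pre-flight check before introducing
# Windows Server 2012 Domain Controllers. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Schema objectVersion the post names for Windows Server 2012
$ExpectedSchemaVersion = 56

function Test-ForestFunctionalLevel {
    # Requirement from the post: the forest must run at Windows Server 2003 FFL or higher
    $mode    = (Get-ADForest).ForestMode
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    [pscustomobject]@{
        ForestMode       = $mode
        MeetsRequirement = ([int]$mode -ge [int]$minimum)
    }
}

function Get-SchemaVersionPerDC {
    # Equivalent of the repadmin one-liner: read objectVersion of the schema partition
    # from each Domain Controller itself (-Server), so a lagging replica is not masked
    # by whichever DC the module would otherwise pick for you.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    (Get-ADForest).Domains | ForEach-Object {
        Get-ADDomainController -Filter * -Server $_
    } | ForEach-Object {
        $dc = $_.HostName
        try {
            $obj     = Get-ADObject -Identity $schemaNC -Server $dc -Properties objectVersion
            $version = $obj.objectVersion
            $status  = if ($version -eq $ExpectedSchemaVersion) { 'Replicated' } else { 'Pending' }
        } catch {
            # Unreachable DCs are reported explicitly instead of being silently skipped
            $version = $null
            $status  = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{ DomainController = $dc; SchemaVersion = $version; Status = $status }
    }
}

Test-ForestFunctionalLevel | Format-List
$results = Get-SchemaVersionPerDC
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Status -ne 'Replicated' }) {
    Write-Warning "Not every Domain Controller reports schema version $ExpectedSchemaVersion; wait for replication or investigate the listed DCs."
}
```

Run it once before starting the promotion and again after the wizard's preparation step; only when every row reads Replicated has the preparation reached all Domain Controllers.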

Concluding

Microsoft has made it easier for admins of existing Active Directory environments to prepare them for Windows Server 2012 Domain Controllers.

Related posts

Transitioning your Active Directory to Windows Server 2008 R2
Considerations when upgrading your Active Directory to Windows Server 2008 and 2008 R2
Transitioning your Active Directory to Windows Server 2008
Upgrading your Active Directory to Windows Server 2008

Further reading

Windows Server 2012 Simplifies Active Directory Upgrades and Deployments
What's New in Active Directory Domain Services Installation and Removal
Windows Server 2012: Changes Made by Adprep.exe

2 Responses to New features in Active Directory Domain Services in Windows Server 2012, Part 3: New Upgrade Process

  1.  

    Password reset krbtgt account when DFL change
    https://techcommunity.microsoft.com/t5/exchange-team-blog/considering-updating-your-domain-functional-level-from-windows/ba-p/611208

    'The underlying issue is due to the addition of the AES hashes (128 and 256) introduced. The changes only add the AES hashes during the one DFL change from 2003 to any higher level (’08, ‘08R2, ’12, ‘12R2) domain functional level. The potential to implement other newer/updated encryption types in future OS versions does exist and we once again could run into this issue.'

    Guess no enhancements yet but still valid. Guess no other 'unexpected' issues come with upgrading DFL/FFL levels today?

    • Hi Arian,

      Regularly resetting the password for KRBTGT and KRBTGT_* accounts is a Microsoft recommended practice.

      Personally, I would want to see KRBTGT password resets again with a DFL raise, but:

      • There was no big technical reason to introduce a new DFL
      • They had to wait for a Windows Server release where everybody has already moved their DFL to Windows Server 2008 and beyond (otherwise you could end up resetting the KRBTGT password twice within a short time period, prematurely ending Kerberos sessions)
      • No enterprises have asked Microsoft to make it impossible to block Windows Server 2016 Domain Controllers from a domain, once they've migrated their Domain Controllers to Windows Server 2019 and/or Windows Server 2022.
      • Microsoft feels their recommendation is sufficient. (Although I'm resetting KRBTGT passwords stemming from 2014 at most of my customers.)
