I’m still an ADPrep kinda guy


In Windows Server 2012, Microsoft introduced the new streamlined Active Directory Domain Services Configuration Wizard, which most Microsoft documentation labels the successor to dcpromo.exe. I’m a big fan of the new wizard, but there’s one feature I don’t use: the automatic Active Directory preparation steps it can perform for you to update the schema to accommodate new Domain Controllers. I still use adprep.exe.

Here’s why.

 

It has a default time-out

One of my biggest gripes with the automatic preparation feature is the way it checks whether it can continue to promote the server to a Domain Controller. For this, the Active Directory preparation needs to have replicated throughout the Active Directory domain. If you use time restrictions on Active Directory replication or a lag site in the domain, replicating the schema updates takes longer than the wizard expects, and the wizard times out.

When you reach this time out, you will need to prepare the Active Directory domain manually.
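The replication check is something you can do yourself, with a time-out you control. The script below is an added example and not code from the original post: it reads the three markers adprep.exe raises (the schema objectVersion, the forest-wide update revision and the per-domain update revision) from the FSMO holders adprep writes to, and then polls every writable Domain Controller until all of them report the same values. It assumes the ActiveDirectory PowerShell module is installed, that adprep has already been run, and that the domain name, time-out and poll interval are placeholders you replace with your own.

```powershell
# Added example, not from the original post: poll every writable Domain
# Controller until the adprep.exe changes have replicated, using a time-out you
# choose instead of the one built into the AD DS Configuration Wizard.
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell) and that adprep has
# already been run; domain name, time-out and poll interval are placeholders.
Import-Module ActiveDirectory

function Get-ADPrepState {
    # Reads the markers adprep.exe raises, as seen by one specific DC: the schema
    # objectVersion (56 for Windows Server 2012), the forest update revision and
    # the domain update revision.
    param([Parameter(Mandatory)][string]$Server)
    $root = Get-ADRootDSE -Server $Server
    [pscustomobject]@{
        Server         = $Server
        SchemaVersion  = (Get-ADObject -Identity $root.schemaNamingContext -Server $Server -Properties objectVersion).objectVersion
        ForestRevision = (Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($root.configurationNamingContext)" -Server $Server -Properties revision).revision
        DomainRevision = (Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($root.defaultNamingContext)" -Server $Server -Properties revision).revision
    }
}

function Wait-ADPrepReplication {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$TimeoutMinutes = 240,   # placeholder: size this to your replication schedule or lag site
        [int]$PollSeconds = 300
    )
    # adprep /forestprep writes on the schema master and adprep /domainprep on the
    # infrastructure master, so those two FSMO holders carry the reference values.
    $refForest = Get-ADPrepState -Server (Get-ADForest).SchemaMaster
    $refDomain = Get-ADPrepState -Server (Get-ADDomain -Identity $Domain).InfrastructureMaster
    $targets   = Get-ADDomainController -Filter * -Server $Domain | Where-Object { -not $_.IsReadOnly }
    $deadline  = (Get-Date).AddMinutes($TimeoutMinutes)

    do {
        $lagging = foreach ($dc in $targets) {
            try {
                $state = Get-ADPrepState -Server $dc.HostName
            } catch {
                # An unreachable DC is reported as lagging rather than silently skipped.
                [pscustomobject]@{ Server = $dc.HostName; SchemaVersion = $null; ForestRevision = $null; DomainRevision = $null }
                continue
            }
            if ($state.SchemaVersion  -lt $refForest.SchemaVersion -or
                $state.ForestRevision -lt $refForest.ForestRevision -or
                $state.DomainRevision -lt $refDomain.DomainRevision) { $state }
        }
        if (-not $lagging) {
            Write-Host "Preparation replicated to all $($targets.Count) writable DCs in $Domain."
            return $true
        }
        Write-Host ("Still waiting for: " + (($lagging | ForEach-Object Server) -join ', '))
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Time-out reached after $TimeoutMinutes minutes; the DCs listed above have not received the preparation yet."
    return $false
}

# Usage: run after adprep.exe and before promoting the new Domain Controller.
if (Wait-ADPrepReplication -Domain 'corp.example.com' -TimeoutMinutes 480) {
    Write-Host 'Safe to promote.'
}
```

Comparing every Domain Controller against the FSMO holders, rather than against hard-coded numbers, keeps the check valid for later Windows Server versions; only the schema version 56 is quoted as the known value for Windows Server 2012. Read-only Domain Controllers are left out of the loop on purpose, because they cannot be the replication source for a promotion.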

 

It doesn’t support strict delegation

Preparing the Active Directory domain and Active Directory forest requires specific administrative privileges. In environments with decentralized management, these administrative privileges may be assigned to different people.

This way, an administrator in a domain has control over the Active Directory capabilities defined by the Domain Functional Level (DFL) and over the Domain Controllers (s)he is able to deploy and maintain.

Note:
Deploying Windows Server 2012 Domain Controllers requires at least the Windows Server 2003 Domain Functional Level (and Forest Functional Level).

Arguably, the delegated administrator doesn’t have much of a say anyway: the Active Directory schema is forest-wide and maintained centrally, so schema changes have a single place of management.

When the administrative privileges have been separated, a Domain Admin in a domain cannot use the automatic Active Directory preparation feature in the Active Directory Domain Services Configuration Wizard, because (s)he doesn’t have the privileges to perform a forest-wide preparation. With adprep.exe the steps can be split: adprep /forestprep requires membership of the Schema Admins, Enterprise Admins and Domain Admins groups in the forest root domain, adprep /rodcprep requires Enterprise Admins membership, whereas adprep /domainprep only requires Domain Admins membership in the domain being prepared.
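The split described above can be made explicit in a small wrapper around adprep.exe. The script below is an added example, not code from the original post: it inspects the current token for the well-known RIDs of Domain Admins (512), Schema Admins (518) and Enterprise Admins (519) and then only runs the adprep.exe steps that account is entitled to, so a delegated Domain Admin prepares the domain and leaves /forestprep to the forest-level administrators. The media drive letter is a placeholder, and the script assumes it runs on a 64-bit server running Windows Server 2008 or later, which the Windows Server 2012 adprep.exe requires.

```powershell
# Added example, not from the original post: run only the adprep.exe steps the
# current account is entitled to, so a delegated Domain Admin prepares the
# domain and leaves /forestprep to the forest-level administrators.
# Assumes the Windows Server 2012 media is mounted as D: (placeholder) and that
# this runs on a 64-bit Windows Server 2008 or later member server or DC.
param(
    [string]$AdPrepPath = 'D:\support\adprep\adprep.exe',
    [switch]$IncludeGpPrep,     # only needed once per domain that ever held Windows 2000 DCs
    [switch]$IncludeRodcPrep    # only needed if you plan to deploy read-only DCs
)

# Well-known RIDs: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
# The last two only exist in the forest root domain.
$tokenRids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { ($_.Value -split '-')[-1] }
$canForestPrep = ($tokenRids -contains '518') -and ($tokenRids -contains '519')
$canDomainPrep = $tokenRids -contains '512'

if (-not (Test-Path $AdPrepPath)) { throw "adprep.exe not found at $AdPrepPath" }

$steps = @()
if ($canForestPrep) {
    $steps += ,@('/forestprep')
    if ($IncludeRodcPrep) { $steps += ,@('/rodcprep') }
} else {
    Write-Warning 'Not a Schema Admin and Enterprise Admin: skipping /forestprep (and /rodcprep). Ask the forest administrators to run these first.'
}
if ($canDomainPrep) {
    $domainArgs = @('/domainprep')
    if ($IncludeGpPrep) { $domainArgs += '/gpprep' }
    $steps += ,$domainArgs
} else {
    Write-Warning 'Not a Domain Admin: skipping /domainprep.'
}

foreach ($argList in $steps) {
    Write-Host "Running: adprep $($argList -join ' ')"
    & $AdPrepPath @argList
    if ($LASTEXITCODE -ne 0) {
        throw "adprep $($argList -join ' ') failed with exit code $LASTEXITCODE; see %windir%\debug\adprep\logs"
    }
}
```

Note that adprep /domainprep checks that the /forestprep changes have already reached the infrastructure master of the domain. When one account runs both steps back to back, as the forest root Domain Admin would with this script, and the schema master and infrastructure master are different servers, /domainprep fails until that replication has happened; that is the same ordering constraint the wizard hides behind its built-in time-out.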

 

It doesn’t perform all preparations

As detailed in KnowledgeBase article 2737129, the automatic preparation feature does not perform the Group Policy preparation step (adprep /domainprep /gpprep). This is to prevent needless resets of the delegation permissions administrators have set on Group Policy Objects in the System Volume (SYSVOL).

When you need the Active Directory environment prepared for the cross-domain planning functionality for Group Policy and RSOP Planning Mode, you will need to run adprep /domainprep /gpprep manually. This is only required once per domain, and only if your Active Directory domain has ever run on Windows 2000 Server-based Domain Controllers.

 

Not every promotion method works

There are three methods to promote a server to a Domain Controller after installation:

  1. The Active Directory Domain Services Configuration Wizard
  2. The Install-ADDSDomainController Windows PowerShell Cmdlet
  3. Dcpromo.exe with an answer file.

First off, the Active Directory Domain Services Configuration Wizard is only available on ‘Server with a GUI’ installations. On Server Core installations, only the latter two methods to promote a server to a Domain Controller are available.

When you choose dcpromo.exe with an answer file to promote a server to a Domain Controller in a forest that has not been prepared yet, you’ll find yourself confronted with the following error:

To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep". The Adprep utility is available on the Windows Server 2012 installation media in the \support\adprep folder.

Using the Install-ADDSDomainController Windows PowerShell Cmdlet, however, will trigger the automatic Active Directory preparation.

Note:
The Install-ADDSDomainController Windows PowerShell Cmdlet is only available after you install the Active Directory Domain Services Server Role, since it’s part of the ADDSDeployment module.
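For Server Core the PowerShell path is the one you will actually use, and it is worth running the matching prerequisite test before the real promotion. The script below is an added example, not code from the original post: it installs the role that provides the ADDSDeployment module, runs Test-ADDSDomainControllerInstallation with the same parameters as Install-ADDSDomainController, and only promotes when that check reports success. Domain name, site name, replication partner and account name are placeholders.

```powershell
# Added example, not from the original post: the Server Core promotion path
# using the ADDSDeployment module, with the prerequisite test run first so a
# failure shows up before the server is touched. Domain name, site name,
# replication source and account are placeholders.
Install-WindowsFeature -Name AD-Domain-Services   # provides the ADDSDeployment module
Import-Module ADDSDeployment

$params = @{
    DomainName                    = 'corp.example.com'
    SiteName                      = 'Default-First-Site-Name'
    ReplicationSourceDC           = 'dc01.corp.example.com'   # a writable DC that already holds the prepared schema
    InstallDns                    = $true
    Credential                    = (Get-Credential 'CORP\dcpromo-admin')
    SafeModeAdministratorPassword = (Read-Host -AsSecureString 'DSRM password')
    NoRebootOnCompletion          = $true
    Force                         = $true          # suppress interactive confirmations on Server Core
}

# Same parameters as Install-ADDSDomainController; reports the prerequisite
# results the real run would hit without changing anything on the server.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message

if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; review the messages above before promoting.'
}

$result = Install-ADDSDomainController @params
$result | Format-List Status, Message, RebootRequired
if ($result.Status -eq 'Success' -and $result.RebootRequired) {
    Restart-Computer -Force
}
```

Pointing ReplicationSourceDC at a Domain Controller that already carries the prepared schema avoids sourcing the initial replication from a lagging partner. If the forest and domain were prepared with adprep.exe beforehand and that preparation has replicated, the cmdlet finds nothing left to prepare and the automatic preparation does not come into play.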

 

 

Replication could result in Denial of Service

In really large environments, admins want to replicate the Active Directory schema updates separately from the promotion of the first new Domain Controller. Marking an attribute as indexed in the Active Directory schema of such an environment makes every Active Directory Domain Controller build the index for that attribute as soon as the change replicates to it, using up CPU cycles and disk I/O. You could perform a Denial of Service on your Domain Controllers with this.

Windows Server 2012 does offer the Deferred Index Creation feature to avoid this situation, but it won’t help you while you are migrating to Windows Server 2012 Domain Controllers, because only Windows Server 2012 Domain Controllers honor it; it is available for schema updates from Windows Server 2012 Domain Controllers onwards. Plus, you need to enable Deferred Index Creation manually. It’s not enabled by default.

 

Concluding

The automatic Active Directory preparation steps that the Active Directory Domain Services Configuration Wizard can perform for you to update the schema to accommodate new Domain Controllers are designed for small environments. They are perfect for environments with a couple of Domain Controllers in a single Active Directory site, in a single Active Directory domain, in a single Active Directory forest.

Related blogposts

KnowledgeBase: Gpprep is not performed when you automatically prepare
KnowledgeBase: Adprep "not a valid Win32 application" error on Windows Server 2003 x64
KnowledgeBase: "The system cannot find the file specified" Adprep /gpprep error
Transitioning your Windows Server 2003 Domain Controllers to Windows Server 2012
New features in AD DS in Windows Server 2012, Part 3: New Upgrade Process
