Archive for January, 2012

Before you can add a domain controller that is running Windows Server 2008 or Windows Server 2008 R2 to an Active Directory environment running Windows 2000 Server or Windows Server 2003, you must update the Active Directory schema. To update the schema, you must run Adprep.exe from the Windows Server 2008 or Windows Server 2008 R2 installation DVD on your existing domain controller that hosts the schema operations master role. In Windows Server 2008, Adprep.exe is located in the /Sources/adprep folder of the operating system installation DVD. In Windows Server 2008 R2, adprep.exe is located in the /Support/adprep folder.

Review the list of operations that are performed by Adprep.exe, and test the schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment. There should not be any conflicts if your applications use Request for Comments (RFC)–compliant object and attribute definitions. For a list of specific operations that are performed when you update the Active Directory schema, see Windows Server 2008: Appendix of Changes to Adprep.exe to Support AD DS and Windows Server 2008 R2: Appendix of Changes to Adprep.exe to Support AD DS.

After you prepare the forest, prepare any domain where you plan to install a domain controller that runs Windows Server 2008 or Windows Server 2008 R2. For more information, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2.

If you are creating a new forest, you do not have to prepare the schema or any of the domains in the forest.

Use the following procedure to update the Windows Server 2003 or Windows 2000 Server Active Directory schema for Windows Server 2008 or Windows Server 2008 R2.

Administrative credentials

To perform this procedure, you must use an account that has membership in all of the following groups:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins for the domain that contains the schema master

To prepare the forest schema for Windows Server 2008 or Windows Server 2008 R2

  1. Log on to the schema master as a member of the Enterprise Admins, Schema Admins, and Domain Admins groups.
    Note: If you are unsure which domain controller hosts the schema master role, you can run netdom query fsmo on any domain controller.

  2. Insert the Windows Server 2008 or Windows Server 2008 R2 DVD into the CD or DVD drive.
  3. Click Start, click All Programs, click Accessories, right-click Command prompt, and then click Run as administrator.

  4. If you are using the Windows Server 2008 DVD, type the following command, and then press ENTER:

    D:\sources\adprep\adprep /forestprep

    If you are using the Windows Server 2008 R2 DVD, type the following command, and then press ENTER:

    D:\support\adprep\adprep /forestprep

    Important: Windows Server 2008 R2 includes a 32-bit and a 64-bit version of Adprep.exe. The 64-bit version runs by default. If you want to run one of the Adprep.exe commands on a 32-bit computer, use the 32-bit version of Adprep.exe (Adprep32.exe).

  5. Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 or Windows Server 2008 R2. For more information about running adprep /domainprep, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2.
    Note: If you plan to add a read-only domain controller (RODC) to the forest, you can run adprep /rodcprep right after you run adprep /forestprep and then verify that both operations have replicated throughout the forest. Both commands require Enterprise Admin credentials; therefore, you might prefer to run them consecutively.
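The following PowerShell script is an added example, not part of the original page or of Microsoft's documentation. It wraps the procedure above as a defender would want it: it confirms that the current host is the schema master (step 1), checks the three group memberships listed under Administrative credentials, picks the correct adprep.exe or adprep32.exe for the DVD layout and host architecture (step 4), and, after the run, reads the schema objectVersion from every domain controller so you can confirm replication before /domainprep (step 5). The parameter names, the -RunForestPrep switch and the D:\ DVD root are assumptions; nothing is changed unless the switch is supplied.

```powershell
# Added example (not from the original page or from Microsoft): pre-flight checks for
# adprep /forestprep and a post-run check that the schema update has replicated.
# Hypothetical assumptions: runs on a domain-joined Windows host in an elevated console;
# $DvdRoot is the drive where the Windows Server 2008 / 2008 R2 DVD is mounted.
param(
    [string]$DvdRoot = "D:\",
    [switch]$RunForestPrep      # report only unless this switch is given
)

Add-Type -AssemblyName System.DirectoryServices

function Get-DomainSid([System.DirectoryServices.ActiveDirectory.Domain]$Domain) {
    $bytes = $Domain.GetDirectoryEntry().Properties["objectSid"].Value
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

# Well-known RIDs: 512 = Domain Admins, 518 = Schema Admins, 519 = Enterprise Admins.
# Enterprise Admins and Schema Admins live in the forest root domain; Domain Admins is
# checked in the domain that contains the schema master, as the page requires.
function Test-RequiredGroups([System.DirectoryServices.ActiveDirectory.Forest]$Forest) {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $me = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $rootSid      = Get-DomainSid $Forest.RootDomain
    $schemaDomSid = Get-DomainSid $Forest.SchemaRoleOwner.Domain
    $required = @{
        "Enterprise Admins"                     = New-Object System.Security.Principal.SecurityIdentifier("$rootSid-519")
        "Schema Admins"                         = New-Object System.Security.Principal.SecurityIdentifier("$rootSid-518")
        "Domain Admins (schema master's domain)" = New-Object System.Security.Principal.SecurityIdentifier("$schemaDomSid-512")
    }
    $ok = $true
    foreach ($name in $required.Keys) {
        $member = $me.IsInRole($required[$name])
        Write-Host ("{0,-40} {1}" -f $name, $(if ($member) { "OK" } else { "MISSING" }))
        if (-not $member) { $ok = $false }
    }
    return $ok
}

# Windows Server 2008 DVD: \sources\adprep; Windows Server 2008 R2 DVD: \support\adprep,
# which also carries Adprep32.exe for 32-bit hosts.
function Get-AdprepPath([string]$Root) {
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq "AMD64") -or ($env:PROCESSOR_ARCHITEW6432 -eq "AMD64")
    $r2  = Join-Path $Root "support\adprep"
    $w08 = Join-Path $Root "sources\adprep"
    if (Test-Path (Join-Path $r2 "adprep.exe")) {
        if ($is64) { return (Join-Path $r2 "adprep.exe") }
        return (Join-Path $r2 "adprep32.exe")
    }
    if (Test-Path (Join-Path $w08 "adprep.exe")) { return (Join-Path $w08 "adprep.exe") }
    throw "No adprep.exe found under $Root; is the installation DVD mounted there?"
}

# Reads objectVersion of the Schema container from each DC over LDAP. Known values:
# 30 = Windows Server 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2.
function Get-SchemaVersionByDc([System.DirectoryServices.ActiveDirectory.Forest]$Forest) {
    foreach ($domain in $Forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            try {
                $rootDse  = [ADSI]"LDAP://$($dc.Name)/RootDSE"
                $schemaDn = $rootDse.Properties["schemaNamingContext"].Value
                $schema   = [ADSI]"LDAP://$($dc.Name)/$schemaDn"
                $version  = [int]$schema.Properties["objectVersion"].Value
            } catch { $version = -1 }          # -1 = DC unreachable or query failed
            New-Object PSObject -Property @{ DC = $dc.Name; SchemaVersion = $version }
        }
    }
}

$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaMaster = $forest.SchemaRoleOwner.Name
Write-Host "Schema master: $schemaMaster"
$onSchemaMaster = $schemaMaster -like "$env:COMPUTERNAME.*"
if (-not $onSchemaMaster) { Write-Warning "Step 1 requires running this on the schema master ($schemaMaster)." }

$groupsOk = Test-RequiredGroups $forest
$adprep   = Get-AdprepPath $DvdRoot
Write-Host "Command: $adprep /forestprep"

if ($RunForestPrep -and $onSchemaMaster -and $groupsOk) {
    & $adprep /forestprep            # adprep itself prompts for confirmation
    if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep failed with exit code $LASTEXITCODE" }
}

# Step 5: every DC must report the same schema version before you run /domainprep.
$versions = @(Get-SchemaVersionByDc $forest)
$versions | Format-Table DC, SchemaVersion -AutoSize
$distinct = @($versions | ForEach-Object { $_.SchemaVersion } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Schema version differs across DCs; wait for replication before running adprep /domainprep."
}
```

Run it once without -RunForestPrep to see the membership report and the chosen executable; the version table at the end is the same check you repeat after the run until all DCs agree, and it can also be used after /rodcprep, since that operation replicates through the same forest-wide partitions.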
Installing an Additional Domain Controller

Applies To: Windows Server 2008, Windows Server 2008 R2

This topic explains how to install an additional Active Directory domain controller in an existing domain. The steps apply to domain controllers that run Windows Server 2008 or Windows Server 2008 R2. If the domain controller that you plan to install will be the first that runs Windows Server 2008 or Windows Server 2008 R2 in your domain or forest, you need to prepare the domain before you can install the domain controller. Otherwise, follow the links later in this topic for the different methods (using the GUI, command-line, or an answer file) to install the new domain controller.

To prepare the domain and forest, you need to run Adprep.exe (or adprep32.exe) commands. If you want to understand all the details about what Adprep.exe does, see Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597). The Adprep commands that need to be completed are:

Use one of the following procedures as necessary to install an additional domain controller that runs Windows Server 2008 or Windows Server 2008 R2 in an existing domain:

Note: Regardless of which method you use, you must be a member of the Domain Admins group in the domain that is being installed.

You also have the option to use the install from media (IFM) method of installation. For this option, you must have prepared installation media, either by using the improved Ntdsutil.exe command-line tool or, if necessary, from a restored backup of a domain controller in the same domain. For information about using IFM to install a domain controller in an existing domain, see Installing AD DS from Media.

Note: By default, when a domain controller account is added to the existing Active Directory domain, it is assigned an “Account Ops-FC” access control entry (ACE) that gives members of the Account Operators group full control over this domain controller account, which is not a recommended configuration. For example, members of the Account Operators group will be able to reset this domain controller’s password. Because the Account Operators group has significant power in the domain, we recommend that you add members to it with caution. For a detailed description of the Account Operators group, see Default groups (http://go.microsoft.com/fwlink/?LinkID=131422). To modify permissions for Account Operators on a computer account, you can use the Active Directory Users and Computers snap-in and complete the following steps:

  1. To open Active Directory Users and Computers, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click the affected domain controller account, and then click Properties.
  3. On the Security tab, select Account Operators in the Group or user names list, and then modify permissions according to the specifications of your environment.
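The snap-in steps above cover one domain controller at a time. As an added example (not part of the original page or of Microsoft's documentation), the following PowerShell script audits every computer account in the Domain Controllers OU for ACEs granted to the Account Operators group, reports them, and with the assumed -Remove switch strips the explicit ones, which is the scripted equivalent of editing the Security tab. It assumes it runs as a Domain Admin on a domain-joined host and that the domain controller accounts live in the default Domain Controllers OU; the function names are my own.

```powershell
# Added example (not from the original page or from Microsoft): find and optionally remove
# ACEs that grant Account Operators rights over domain controller computer accounts.
# Hypothetical assumptions: runs as a Domain Admin on a domain-joined host; DC accounts
# are in the default "Domain Controllers" OU. Nothing is changed unless -Remove is given.
param([switch]$Remove)

Add-Type -AssemblyName System.DirectoryServices

function Get-AccountOperatorsAces {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = $rootDse.Properties["defaultNamingContext"].Value
    $ou       = [ADSI]"LDAP://OU=Domain Controllers,$domainDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($ou, "(objectCategory=computer)")
    $searcher.PageSize = 500
    # Account Operators is a built-in group with the well-known SID S-1-5-32-548,
    # so matching on the SID avoids any dependence on the display name.
    $acctOpsSid = "S-1-5-32-548"

    foreach ($result in $searcher.FindAll()) {
        $dc = $result.GetDirectoryEntry()
        # $true,$true = explicit and inherited rules; identities returned as SIDs
        $rules = $dc.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $acctOpsSid) { continue }
            New-Object PSObject -Property @{
                DomainController = $dc.Properties["name"].Value
                Rights           = $rule.ActiveDirectoryRights     # "GenericAll" is the full-control ACE
                Type             = $rule.AccessControlType
                Inherited        = $rule.IsInherited
                Entry            = $dc
                Rule             = $rule
            }
        }
    }
}

function Remove-AccountOperatorsAces {
    $hits = @(Get-AccountOperatorsAces)
    foreach ($hit in $hits) {
        if ($hit.Inherited) {
            # An inherited ACE must be changed at the object it is inherited from.
            Write-Warning "$($hit.DomainController): inherited ACE, not removed here."
            continue
        }
        [void]$hit.Entry.ObjectSecurity.RemoveAccessRule($hit.Rule)
        $hit.Entry.CommitChanges()
        Write-Host "$($hit.DomainController): removed Account Operators $($hit.Rights) ($($hit.Type))"
    }
}

$hits = @(Get-AccountOperatorsAces)
if ($hits.Count -eq 0) {
    Write-Host "No Account Operators ACEs found on domain controller computer accounts."
} else {
    $hits | Select-Object DomainController, Rights, Type, Inherited | Format-Table -AutoSize
}
if ($Remove) { Remove-AccountOperatorsAces }
```

Running the script without -Remove gives you an inventory to keep with your change record; re-running it after each new domain controller is promoted catches the default ACE before it is forgotten, since, as the note says, it is added every time a domain controller account joins the domain.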