adprep.exe /domainprep /gpprep

[tehsteve86]

I was tasked with upgrading 2 of my Domain Controllers to Windows Server 2012 R2 a few months back. Prior to the upgrade, we were running Server 2008 R2 w/ functional levels of Server 2003. The upgrade went smoothly, all functional levels were raised, ms replication analyzer tool shows successful everywhere, and no issues with GPOs. Based on my understanding our very first domain was originally running SBS and most likely the command adprep.exe /domainprep /gpprep was already ran when the 2008R2 was installed. I might be mistaken and this might have been overlooked, since the person failed to raise the functional levels. Based on my reading, this command only needs to be ran once on the entire domain.

 

I followed the 2012R2 GUI for the upgrade (prep commands ran automatically) & only now realized that "adprep.exe /domainprep /gpprep" wasn't included. My question is: how can I check if this was already ran at some point in time? Can I run this command again manually right now, or will I have to wait for the next DC upgrade?

 

I did some research and came across an interesting article stating that this command doesn't even need to be ran if the first DC ever built was a 2k3. However, I am not sure if this concept also applies to SBS.

 

Can someone clear the air for me? If adprep.exe /domainprep /gpprep was never ran, then my GPOs would have never migrated over right?
 

[sc302 Veteran]

Read through this and follow the verify sections to confirm that it was indeed ran.

https://technet.microsoft.com/en-us/library/dd464018%28v=ws.10%29.aspx

[tehsteve86]

verifying adprep /domainprep /gpprep

You can also verify that this command is complete by using the steps for verifying that adprep /domainprep completed successfully, or you can verify that the operation added the Read permission for the Enterprise Domain Controllers group on all GPOs. For more information, see Verifying adprep /domainprep.

 

I'm not a fan of the above instructions. If adprep /domainprep ran successfully and you can verify that CN=ActiveDirectoryUpdate = 10, that doesn't necessarily mean that the /gpprep was also ran right? The first line is probably just a reference for SysAdmins that are currently in the process of /domainprepping to watch what the output of the box says.

 

However, the next step where it says to check read permissions seems to put my mind at ease.

[sc302 Veteran]

That does not verify that the gpprep was ran, only that domainprep was ran and it updated successfully (if it weren't successful that number would not change).

[tehsteve86]

So the only thing to check is really that read permission I am assuming?

[sc302 Veteran]

yes.  However there is always the logs....if you remember what dc you ran the adprep on.

 

%SystemRoot%\Debug\adprep\logs

[blaktron Veteran]

Or you can just run it again because that command does nothing destructive to an existing installation

[tehsteve86]

Final question!

 

Say that the command was never ran, but everything appears to be running smoothy: replication works & functional levels raised.

Can you just re-run the command if needed and that's it? Or would you have to rebuild the DCs for scratch or wait for next release of Windows Server?

[sc302 Veteran]

Well your new dc's would give you a nice error and not let themselves become dc's.  but if you needed to rerun them, I will point you back to the original document I posted in post #2.

https://technet.micr...8(v=ws.10).aspx

[tehsteve86]

Awesome thanks!