Saturday, December 29, 2012

Windows Server 2008 ADPREP

Before you can introduce Windows Server 2008 domain controllers into existing Windows 2000 or Windows Server 2003 domains, you must prepare the forest and domains with the ADPREP utility. ADPREP.exe is a command-line tool that extends the Active Directory schema, and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 operating system.

Note: ADPREP was also available in Windows Server 2003 and Windows Server 2003 R2. In Windows Server 2008, ADPREP follows the same logic and performs similar tasks to prepare for the upgrade to Windows Server 2003 or Windows Server 2003 R2. Please read my "Windows 2003 ADPREP" article for more information on that.

ADPREP.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the 'sources'adprep folder.

When you run it, it must be run ADPREP from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Where should I run ADPREP?

ADPREP /forestprep must be run on the Schema Master of a forest and under the credentials of someone in the Schema Admins and Enterprise Admins groups.

ADPREP /domainprep must be run on the Infrastructure Master of a domain and under the credentials of someone in the Domain Admins group.

Important: Since at the time of running ADPREP you still do not have any Windows Server 2008 Domain Controllers, it should be made clear that these commands MUST be run on EXISTING Windows 2000 or Windows Server 2003 Domain Controllers. That is why you MUST make sure you keep a copy of the 32-bit version of the Windows Server 2008 installation DVD. You cannot use the 64-bit version of the installation media to run ADPREP on 32-bit versions of Windows 2000/2003. Because Windows Server 2008 installation media is 64-bit by default, remember to request the 32-bit version when you get your copy. In case you don't have the 32-bit version available, you can also use the evaluation version of Windows Server 2008 32-bit installation media to run ADPREP, so just download the file from Microsoft's website, and use it to run ADPREP on your 32-bit Windows 2000/2003 DCs.

What does ADPREP do?
Before running ADPREP, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

ADPREP /forestprep command extends the schema with quite a few new classes and attributes. These new schema objects are necessary for the new features supported by Windows Server 2008. You can view the schema extensions by looking at the .ldf files in the 'sources'adprep directory on the Windows Server 2008 DVD. These files contain LDIF entries for adding and modifying new and existing classes and attributes.

ADPREP /domainprep creates new containers and objects, modifies ACLs on some objects, and changes the meaning of the Everyone security principal.
Before you can run ADPREP /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest.
You can view detailed output of the ADPREP command by looking at the log files in the %Systemroot%'system32'debug'adprep'logs directory. Each time ADPREP is executed, a new log file is generated that contains the actions taken during that particular invocation.  The log files are named based on the time and date ADPREP was run.
Once you’ve run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2008 or installing new Windows Server 2008 domain controllers.
Running ADPREP
In order to run ADPREP, insert the DVD media of Windows Server 2008 into the DVD drive of the appropriate Windows 2000/2003 DC, which, as noted above, should be the Schema Master of a forest.
Lamer note: You can use a network path or even copy the files locally to the server if you don't have a DVD drive on your DC…
If you're prompted to install Windows Server 2008, do NOT install it. Close the window instead.

Browse to the 'sources'adprep directory.

Open a Command Prompt window (Click Start > Run > CMD > Enter), and drag the ADPREP.exe file to the Command Prompt window.
Lamer note: If you can't drag 'n drop, you can simply type the path… duh…
In the Command Prompt window, type the following command:
adprep /forestprep

In order to prevent accidental running of the command, you must press the "C" key on your keyboard, then press Enter. Command will begin to load a bunch of LDIF files containing all the necessary changes to the existing AD and Schema. Process will take a few moments.

When done, you'll be prompted. Make sure you let the existing Domain Controllers replicate all the changes throughout the entire forest BEFORE proceeding to the next step.

Next, go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the Command Prompt window, and type:
adprep /domainprep

Unlike the /forestprep action which takes some time, the /domainprep action is almost instantaneous.
Note: The existing Windows 2000/2003 domain MUST be in Native mode, as not Windows NT 4.0 BDCs are supported by Windows Server 2008 DCs. Therefore, if that is not the case, you'll get this error:
Adprep detected that the domain is not in native mode


Adprep has stopped without making changes.

[User Action]

Configure the domain to run in native mode and re-run domainprep
Switch your domain to Native mode or above, then repeat the operation.

Again, make sure you let the existing Domain Controllers replicate all the changes throughout the domain BEFORE proceeding to the next step.
Repeat the /domainprep action for each domain in the forest that requires new Windows Server 2008 Domain Controllers.
Windows 2000 Domain Notes
When upgrading Windows 2000 domains, an additional command must be run before installing the first Windows Server 2008 DC.
Go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the Command Prompt window, and type:
adprep /domainprep /gpprep
This command performs similar updates as domainprep. However, this command also provides updates that are necessary to enable Resultant Set of Policy (RSOP) Planning Mode functionality. In Active Directory environments that run Microsoft Windows® 2000, this command performs updates during off-peak hours. This minimizes replication traffic that is created in those environments by updates to file system permissions and Active Directory permissions on existing Group Policy objects (GPOs). This command is also available on Microsoft Windows Server 2003 with Service Pack 1 (SP1) or later.

Windows 2003 Domain and first RODC Notes

In Windows Server 2008, a new Domain Controller installation option is available, called Read Only domain Controller. I will not go into detail about RODCs in this article (search my site for more information about RODCs), however, in order to enable the installation of the first RODC in an existing Windows Server 2003 Active Directory forest, where you have already added at least one Windows Server 2008 regular DC, you must run the following command:
adprep /rodcprep
This command updates permissions on application directory partitions to enable replication of the partitions to RODCs. This operation runs remotely; it contacts the infrastructure master in each domain to update the permissions. You need to run this command only once in the forest. You can run this command on any computer in the forest. You must be a member of the Enterprise Admins group to run this command.
You are now ready to introduce your first Windows Server 2008 Domain Controller. Read my "Installing Active Directory on Windows Server 2008" article for more information on that.


Download Windows Server 2008 Evaluation

Original Link :

Thursday, December 13, 2012

Why can't I create new Active Directory objects?

In environments with a high rate of object creation or even during the process of migrating a large group of users, you may encounter the problem of being unable to create new objects in Active Directory. In most cases, the problem is simply a matter of the domain controller's running out of RIDs.
A RID or relative identifier is part of the unique security ID (SID) assigned to every object within the AD domain. The SID is created by combining an object's RID with the domain's own unique identification number. Since every domain controller in a Windows 2000 or Windows 2003 based AD domain can create new objects, the potential exists for two domain controllers to create objects with the same SID. So, to eliminate this potential, each domain controller is given a small range of RIDs to assign to new objects. The RID master (one of the FSMO AD roles) distributes the RIDs. When a DC uses all the RIDs in its current allotment, it requests a new RID set from the RID master.
If a DC attempts to create a new object before it receives the new RID set, the object will not be created. This produces an error, which is recorded in the Directory Services event log with an event ID of 16645. When this error appears in the event log, or you find yourself unable to create new objects, you need to resolve the issue. Here are some steps:
  1. Make sure the RID master is online and accessible. Use the Active Directory Users and Computers console to discover which DC is hosting the RID master FSMO role. Right click over the domain name from the console and select Operations Masters. Then select the RID master tab. Ping this server and attempt to connect to any share resource it offers to ensure communications.
  2. Test new object creation from another DC. If other DCs can create objects, then the problem is only with the initial DC. If no DCs can create objects, you may need to seize the RID master role.
  3. If a DC runs out of RIDs, it must request a new RID set from the RID master. There is no manual means to force this activity. So, you must wait for the DC to perform this operation on its own.
You can help avoid the problem in the future by increasing the size of the RID set. To do so, edit the Registry on the RID master DC. Change the RID Block Size entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values key. The minimum value is 500. Any assigned value to this entry between 0 and 500 will be treated as 500 by the system.
By default, Pre-SP4 Windows 2000 DCs are configured to request a new RID set when their current set is depleted by 80 percent. SP4 changed this value to 50 percent. Windows Server 2003 systems request new RID sets at 50 percent consumption. Microsoft documentation lists no means by which to alter the consumption percentage.

Original Post:

How to Send an Smtp Email using Powershell – Send-MailMessage


Sending an Smtp mail using power shell as been simplified using “Send-MailMessage” Cmdlet

Lets see how to do it !!

Send-MailMessage –From “” –To “”, “” -Subject "Mail using Powershell !!" –Body “Body of my Power shell Email” -Priority High -SMTPserver "Exchange2010 Server FQDN"


Logging into User1 or User2
Received the below email


Mail Generated to User1 and User2 Successfully !

Original Post:

How to Migrate Users Across forest (Cross Forest) using ADMT 3.2 with sid and Passwords

Once Trust is in place
Open Administrators Group in the Source Forest , Add Administrator of the Target Forest to acquire proper Permissions
Vice Versa
Open Administrators Group in the Target Forest , Add Administrator of the Source Forest to acquire proper Permissions
otherwise you will end up with Access denied errors while Moving Users back and forth
Once permission part is done
We have to configure a Password Export Server in the source domain to allow exporting the passwords to the Target domain

If your Source Domain DC is running a 64 bit Version
Password Export Server version 3.1 (x64)
If your Source Domain DC is running a 32 bit Version
Password Export Server version 3.1 (x86)

Choose Next

Before you choose next , We need to create a password Encryption file from the Target Domain

Reference –
Enabling Migration of Passwords

Open a Command Prompt where ADMT is installed on the Target Domain , Run the Below Command to Create a .pes file
admt key /option:create /sourcedomain:<SourceDomain> /keyfile:<KeyFilePath>


Once the File is Created on the Target Domain , Bring the File to the Source domain and Browse for the file


Click Finish

Reboot the Server to complete the installation

Start the “Password Export Serve Service”


Now Open ADMT , Choose User Account Migration Wizard
Choose Source Domain and Target domain

Now Select users


Choose the Target OU


Choose Migrate Passwords


Choose Target Same as source
Choose Migrate User SIDS to Target Domain


Type User name and Password of the Source domain

Choose Next


Choose Next


Choose Next



Great !!

Now Users with SID and Password have been migrated across forest (Cross forest) Successfully

Original Post:

How to install ADMT 3.2 in Windows Server 2008 R2

 Download Active Directory Migration Tool version 3.2


Type the Default Instance if you have a SQL Server ,
I have the SQL server on DC itself , So I have typed
If you are not aware of SQLEXPRESS , Have the Explained the Steps below to configure it
Only SQLEXPRESS 2005 will work properly if you are planning to Install on DC itself

People who are aware of SQL , Please skip the SQL setup


If you don’t have a SQL Server , You can Download
Microsoft SQL Server 2005 Express Edition Service Pack 3

Choose No
Then Close
Great !
Now SQL is configured

Start  – Administrative Tools –> Active Directory Migration Tool

Now ADMT is Ready to Migrate Users

Original Post