Adprep – Add Windows 2012 R2 domain controller to 2008 R2 domain

Before adding new Windows 2012/2012R2 domain controller to existing 2008/2008R2 AD environment we need to run adprep.exe for schema extensions. In 2012/2012R2 version  if you are adding new domain controller GUI wizard will do it automatically for you. Still if you want to do it old fashion way, you will run it from command prompt. With running adprep you will do some, or all of next actions, depending of AD version you are upgrading from:

  • Updating the Active Directory schema
  • Updating security descriptors
  • Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
  • Creating new objects, as needed
  • Creating new containers, as needed
  • When you are running adprep.exe for new 2012/2012R2 domain controller in 2008 R2 AD environment  you will change next settings:
  • 2012/2012R2: Forest-Wide Updates
  • 2012/2012R2: Domain-Wide Updates
  • 2012/2012R2: Read-Only Domain Controller Updates
  • 2012/2012R2: Schema Updates
  • After upgrading AD schema, it will change its version. There are next versions of AD schema:

    Version    Windows Server Version
    13            Windows 2000 Server
    30            Windows Server 2003
    31            Windows Server 2003 R2
    44            Windows Server 2008
    47            Windows Server 2008 R2
    56            Windows Server 2012
    69            Windows Server 2012 R2
    81            Windows Server 2016 CTP

    To check your current AD schema version run this PowerShell line or simple schupgr command from prompt

    Get-ADObject (get-adrootdse).schemaNamingContext -Property objectVersion


    To run adprep.exe, go to you installation media folder \Support\Adprep. Run next commands in this order:


  • adprep /forestprep – Must be run on the schema operations master for the forest.
  • adprep /domainprep – Must be run on the infrastructure operations master for the domain
  • adprep /domainprep /gpprep – Must be run on the infrastructure operations master for the domain.If you already run the /gpprep parameter for Windows Server 2003, you do not have to run it again for later versions of Windows Server
  • How to check this if you don’t remember did you run it sometimes before. Just run it again and it will say adprep did not attempt to rerun this operation.


    Or just check if Enterprise domain controllers have read access on GPO policy in %sysroot%\sysvol\domain\policies folders



  • adprep /rodcprep – This command is optional. Run it only if you want to install a read-only domain controller (RODC).
  • After you finished upgrade, and transfer FSMO roles to new Windows 2012/2012R2 DC servers you will get new Security Groups in Builtin and Users container
    • Access Control Assistance Operators
    • Hyper-V Administrators
    • Protected Users
    • RDS Endpoint Servers
    • RDS Management Servers
    • RDS Remote Access Servers
    • Remote Management Users
    • Cloneable Domain Controllers
    • WinRMRemoteWMIUsers

    For complete comparison of security groups by Windows OS version visit link:

    I hope this short manual will help with your upgrade of AD domain. see you


One thought on “Adprep – Add Windows 2012 R2 domain controller to 2008 R2 domain

  1. Pingback: Migrando o Active Directory para uma nova versão do Windows Server | Eduardo Mozart

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s