KnowledgeBase: Group Policy preparation is not performed when you automatically prepare an existing domain for Windows Server 2012
In KnowledgeBase article 2737129, titled Group Policy preparation is not performed when you automatically prepare an existing domain for Windows Server 2012, Microsoft describes the preparation steps in the new automatic Active Directory Domain Services Upgrade process in more detail.
About the new automatic preparation process
In Windows Server 2012, the whole Active Directory preparation process is automated. When you promote a Windows Server 2012-based member server to an additional Domain Controller for a domain or upgrade a Windows Server 2008 x64 or Windows Server 2008 R2-based Domain Controller to Windows Server 2012, the Active Directory Domain Services Configuration Wizard will determine whether the environment needs to be prepared as part of the promotion process:
If you’re creating a replica Domain Controller in a Windows Server 2003-based Active Directory environment, you will need to perform these steps manually, as described in the blogpost Adprep "not a valid Win32 application" error on Windows Server 2003, 64-bit version.
What’s interesting is that the KnowledgeBase article shows that the automatic upgrade process does not perform Group Policy preparation, the equivalent of:
adprep.exe /domainprep /gpprep
To make things worse, when you use the Active Directory Domain Services Configuration Wizard (the ‘new’ dcpromo) you don’t get notified of this. Only when you use the Install-ADDSDomainController PowerShell cmdlet might you notice the piece of text describing the additional actions that need to be performed:
The new cross domain planning functionality for Group Policy, RSOP Planning Mode, requires file system and Active Directory Domain Services permissions to be updated for existing Group Policy Objects (GPOs).
This is by design.
What Group Policy Preparation does
Group Policy preparation adds cross-domain planning functionality for Group Policy and Resultant Set of Policy (RSoP) planning mode. This requires updating the file system in SYSVOL and Active Directory permissions for existing group policies. If the environment already contains custom or delegated permissions that were put in place manually by administrators, Group Policy preparation triggers replication of all Group Policy files in SYSVOL and may deny RSOP functionality to delegated users until their permissions are re-created by administrators.
The solution, and whether you need it
Microsoft has decided not to automatically perform Group Policy preparation as part of the automatic upgrade process, to prevent needless resets of administrator-set specific delegation permissions on SYSVOL.
Furthermore, administrators need to run Group Policy preparation only one time in the history of a domain. Group Policy preparation does not need to be run with every upgrade and has been available since Windows Server 2003.
Also, if your Active Directory domain has never run on Windows 2000 Server-based Domain Controllers, there has never been a need to perform Group Policy preparation.
Odds are your Active Directory has already been prepared.
Performing Group Policy preparation
If you’re in doubt whether Group Policy preparation has already been performed in the domain, you can always perform Group Policy preparation again. To do so, perform one of the following actions:
- Run adprep.exe /domainprep /gpprep from the \support\adprep folder on the Windows Server installation media of the Windows Server version running on your original Domain Controllers. Perform this command on the Domain Controller holding the Infrastructure Master Flexible Single Master Operations (FSMO) role as a member of the Domain Admins group.
- Run adprep.exe /domainprep /gpprep from the \support\adprep folder on the Windows Server 2012 installation media on a Windows 8 x64 installation or Windows Server 2012 installation. See the blogpost Adprep "not a valid Win32 application" error on Windows Server 2003, 64-bit version for more detailed instructions on how to perform these actions.
When the response from either one of these commands contains the following output, Group Policy Preparation has already been performed:
Domain-wide information has already been updated.
Adprep did not attempt to rerun this operation.
Adprep successfully updated the Group Policy Object (GPO) information.
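The prerequisites from the steps above (Infrastructure Master, Domain Admins membership, path to adprep.exe) can be checked before the command is run. The following is an added example, not part of the KnowledgeBase article or the original post; it assumes the ActiveDirectory PowerShell module is available, and Invoke-GpPrep, -AdprepPath and -Run are hypothetical names chosen for this sketch.

```powershell
# Added example: pre-flight checks and wrapper for "adprep.exe /domainprep /gpprep".
# Assumption: the ActiveDirectory module is installed on the machine you run this on.
Import-Module ActiveDirectory

function Invoke-GpPrep {
    param(
        [Parameter(Mandatory = $true)]
        [string] $AdprepPath,   # full path to adprep.exe in \support\adprep on your media
        [switch] $Run           # without -Run only the checks are reported
    )

    $domain = Get-ADDomain

    # Domain Admins is the well-known RID 512 appended to the domain SID.
    $daSid = New-Object System.Security.Principal.SecurityIdentifier("$($domain.DomainSID)-512")
    $me    = New-Object System.Security.Principal.WindowsPrincipal(
                 [System.Security.Principal.WindowsIdentity]::GetCurrent())

    # Local FQDN, compared with the Infrastructure Master FSMO role holder.
    $cs        = Get-WmiObject -Class Win32_ComputerSystem
    $localFqdn = "$($cs.DNSHostName).$($cs.Domain)"

    $result = New-Object PSObject -Property @{
        InfrastructureMaster   = $domain.InfrastructureMaster
        OnInfrastructureMaster = ($localFqdn -eq $domain.InfrastructureMaster)
        # False in a non-elevated session: UAC filters Domain Admins out of the token.
        IsDomainAdmin          = $me.IsInRole($daSid)
        AdprepFound            = (Test-Path -LiteralPath $AdprepPath -PathType Leaf)
        ExitCode               = $null
        SaysAlreadyUpdated     = $null
        Output                 = $null
    }

    # OnInfrastructureMaster is reported but not enforced, because the second
    # option above runs adprep.exe from a Windows 8 x64 or Windows Server 2012 machine.
    if ($Run -and $result.IsDomainAdmin -and $result.AdprepFound) {
        $result.Output   = (& $AdprepPath /domainprep /gpprep 2>&1 | Out-String)
        $result.ExitCode = $LASTEXITCODE
        # First line of the output quoted in this post.
        $result.SaysAlreadyUpdated =
            $result.Output -match [regex]::Escape('Domain-wide information has already been updated.')
    }
    $result
}
```

Call it once without -Run to review the checks, then again with -Run from an elevated session to execute the command and capture its output for your change record.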
With Windows 2000 Server now no longer supported, Microsoft has decided to make the Group Policy preparation an optional action you can perform on the command line.
New features in ADDS in Windows Server 2012, Part 3: New Upgrade Process
Adprep "not a valid Win32 application" error on Windows Server 2003, 64-bit version
Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest
Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in hotfix 324392