Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest (309628)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
This article was previously published under Q309628

SUMMARY

This article discusses the operations that are performed by the Microsoft Windows Server 2003 Adprep.exe utility that is used to prepare a Microsoft Windows 2000 forest or a Windows 2000 domain for the installation of Windows Server 2003 domain controllers.

MORE INFORMATION

To prepare a Windows 2000 forest to host new or upgraded Windows Server 2003 domain controllers, you must run the adprep /forestprep command on the schema operations master, and you must run the adprep /domainprep command on the infrastructure operations master of each domain that will host Windows Server 2003 domain controllers. The Adprep.exe utility prepares a Windows 2000 forest and its domain for the addition of Windows Server 2003 domain controllers. You run Adprep.exe from the I386 folder of the Windows Server 2003 media.

This article describes the 36 operations that are performed by the adprep /forestprep command and the 50 operations that are performed by the adprep /domainprep command.

For information about the access control entry (ACE) strings that are used in Adprep.exe operations, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/ace_strings.asp

For information about the security identifier (SID) string constants that are used in Adprep.exe operations, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/sid_strings.asp

Forest Upgrade

A total of 43 operational updates have been defined in the adprep /forestprep command over the course of the Windows Server 2003 development cycle. Six operations that were defined in beta releases of Windows Server 2003 have been removed in the released version. The released Windows Server 2003 adprep /forestprep command directly performs 36 operations in the CN=Configuration and CN=Schema partitions of the schema operations master. These operations are subsequently replicated to all other domain controllers in the forest. The operational GUID 94fdebc6-8eeb-4640-80de-ec52b9ca17fa1 is performed by a process other than the Adprep.exe utility. To keep track of each operation that is performed, the adprep /forestprep command creates a log file in Active Directory with the following structure:
  • A new container CN=ForestUpdates,CN=Configuration,DC= forest root domain is created on the schema master.
  • A new container CN=Operations,CN=ForestUpdates,CN=Configuration,DC=forest root domain is created on the schema master.
  • For each operation that is performed by the adprep /forestprep command, a unique alpha-numeric string (or GUID) is written under the CN=Operations,CN=ForestUpdates,CN=Configuration,DC=forest root domain container. Each operational GUID identifies the operation.
  • If all 36 operations are successfully added, the CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=forest root domain object will be created and its revision attribute (CN=Revision in the schema, syntax Integer) set to 9.
The following is a list of SID strings that have changed:
  1. {5E47E5DF-E74F-4eb4-BD8E-C468F0C93394}
    • Update the schema by calling the Schema Upgrade utility (Schupgr.exe).
  2. {Removed}
  3. {3467DAE5-DEDD-4648-9066-F48AC186B20A}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name (also known as DN).
    • Add the ACE to the CN=Sites,CN=Configuration,CN=ForestRootDomain container.
    • ACEs:
      (((OA;CI;LCRPLORC;;bf967ab3-0de6-11d0-a285-00aa003049e2;ED), Add),)
  4. {33B7EE33-1386-47cf-BAA1-B03E06473253}
    • Operation: Merge a default security descriptor.
    • Merge a default security descriptor on the SAM-Domain object with the path of the distinguished name CN=SAM-Domain,CN=Schema,CN=Configuration,DC=ForestRootDomain.
    • ACEs:
      (((OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU), Add),
      ((A;;RPRC;;;RU), Add),
      ((A;;LCRPLORC;;;ED), Add),
      ((OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add), ((OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU), Add),
      ((OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU), Add),
      ((OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED), Add),
      ((OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED), Add),
      ((OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED), Add),
      ((OA;CIIO;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO), Add),
      ((A;;RC;;;RU), Remove))
  5. {E9EE8D55-C2FB-4723-A333-C80FF4DFBF45}
    • Operation: Merge a default security descriptor.
    • Merge a default security descriptor on the Domain-DNS object with the path of the distinguished name CN=Domain-DNS,CN=Schema,CN=Configuration,DC=ForestRootDomain.
    • ACEs:
      (((OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU), Add),
      ((A;;RPRC;;;RU), Add),
      ((A;;LCRPLORC;;;ED), Add),
      ((OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU), Add),
      ((OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU), Add), ((OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU), Add),
      ((OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED), Add),
      ((OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED), Add),
      ((OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED), Add),
      ((OA;CIIO;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO), Add), ((A;;RC;;;RU), Remove)
      )
  6. {CCFAE63A-7FB5-454c-83AB-0E8E1214974E}
    • Operation: Merge a default security descriptor.
    • Merge a default security descriptor on the Organizational-Unit object with the path of the distinguished name CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=ForestRootDomain.
    • ACEs:
      ((A;;LCRPLORC;;;ED), Add),
      ((OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO), Add))
  7. {AD3C7909-B154-4c16-8BF7-2C3A7870BB3D}
    • Operation: Merge a default security descriptor.
    • Merge a default security descriptor on the Group-Policy-Container object with the path of the distinguished name CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=ForestRootDomain.
    • ACEs:
      ((A;CI;LCRPLORC;;;ED), Add))
  8. {26AD2EBF-F8F5-44a4-B97C-A616C8B9D09A}
    • Operation: Merge a default security descriptor.
    • Merge a default security descriptor on the Trusted-Domain object with the path of the distinguished name CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=ForestRootDomain.
    • ACEs:
      ( (OA;;WP;736e4812-af31-11d2-b7df-00805f48caeb;bf967ab8-0de6-11d0-a285-00aa003049e2;CO), Add),
      (A;SD;;;CO), Add))
  9. {4444C516-F43A-4c12-9C4B-B5C064941D61}
    • Operation: Call a function.
    • Update display specifiers.
    • Upgrade display specifiers. For additional information about display specifiers, click the following article number to view the article in the Microsoft Knowledge Base:

      308592 How Dcpromo.exe Adds Display Specifiers to Active Directory Forests

  10. {Removed}
  11. {Removed}
  12. {436A1A4B-F41A-46e6-AC86-427720EF29F3}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACE to the CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ntdev,DC=microsoft,DC=com container.
    • ACEs:
      ((A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CA), Add),
      (A;;RPLCLORC;;;RU), Add))
  13. {B2B7FB45-F50D-41bc-A73B-8F580F3B636A}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACE to the CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ntdev,DC=microsoft,DC=com container.
    • ACE=
      ((A;;RPLCLORC;;;RU), Add)
  14. {1BDF6366-C3DB-4d0b-B8CB-F99BA9BCE20F}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACE to the CN=Configuration,DC=ForestRootDomain container.
    • ACEs=
      ((OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED), Add,
      (OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA), Add)
  15. {63C0F51A-067C-4640-8A4F-044FB33F1049}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACE to the CN=Schema,CN=Configuration,DC=ForestRootDomain container.
    • ACEs=
      ((OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED), Add,
      (OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA), Add)
  16. {Removed}
    • Operation: {Removed}
    • Removed January 25, 2002
  17. {Removed}
    • Operation: {Removed}
    • Removed January 25, 2002
  18. {DAE441C0-366E-482E-98D960A99A1898CC}
    • Operation: Merge a default security descriptor.
    • Merge a default security descriptor on the SAM-Server object with the path of the distinguished name CN=SAM-Server,CN=Schema,CN=Configuration,DC=DomainName..
    • (OA;;CR;91d67418-0135-4acc-8d79-c08e857cfbec;;AU)
      (OA;;CR;91d67418-0135-4acc-8d79-c08e857cfbec;;RU)
  19. {7DD09CA6-F0D6-43BF-B7F8EF348F435617}
    • Operation: Merge a default security descriptor.
    • Merge a default security descriptor on the SAM-Domain object with the path of the distinguished name. These changes were taken out of the schema upgrade files. Adprep.exe can now do a default security descriptor merge, instead of just deleting the existing default security descriptor.
    • ACE:
      ((OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD), Add,
      (OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA), Add))
  20. {6B800A81-AFFE-4A15-8E-416EA0C7AA89E4}
    • Operation: Merge a default security descriptor.
    • Merge a default security descriptor on the Domain-DNS object with the path of the distinguished name. These changes were taken out of the schema upgrade files. Adprep.exe can now do a default security descriptor merge, instead of just deleting the existing default security descriptor.
    • ACE:
      ((OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD), Add,
      (OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA), Add)
  21. {DD07182C-3174-4C95-902AD64FEE285BBF}
    • Operation: Merge a default security descriptor.
    • Merge a default security descriptor on the DNS-Zone object with the path of the distinguished name. These changes were taken out of the schema upgrade files. Adprep.exe can now do a default security descriptor merge, instead of just deleting the existing default security descriptor.
    • ACE:
      (A;;LCRPLORC;;;ED), Remove)
  22. {ffa5ee3c-1405-476d-b344-7ad37d69cc25}
    • Operation: Call a function.
    • Updates the display specifiers with post Beta-3 U.I. enhancements.
    • See operation 8.
  23. {099F1587-AF70-49C6-AB6C-7B3E82BE0FE2}
    • Operation: Merge a default security descriptor.
    • Merge a default security descriptor on the computer object with new ACEs in the schema.
    • ACEs:
      (((OA;;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO), Add),
      ((OA;;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;CO), Add),
      ((OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO), Add),
      ((OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO), Add))
  24. {1a3f6b15-55f2-4752-ba27-3d38a8232c4d}
    • Operation: Merge a default security descriptor.
    • Replace the ACE in the default security descriptor on the SAM-Domain object.
    • ACEs:
      (((OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;BU), Remove),
      ((OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557), Add))
  25. {dee21a17-4e8e-4f40-a58c-c0c009b685a7}
    • Operation: Merge a default security descriptor.
    • Replace the ACE in the default security descriptor on the Domain-DNS object.
    • ACEs:
      (((OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;BU), Remove),
      ((OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557), Add))
  26. {9bd98bb4-4047-4de5-bf4c-7bd1d0f6d21d}
    • Operation: Merge a default security descriptor.
    • Add three ACEs to the default security descriptor on the SAM-Domain object.
    • ACEs:
      (((OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU), Add),
      ((OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU), Add),
      ((OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU), Add))
  27. {3fe80fbf-bf39-4773-b5bd-3e5767a30d2d}
    • Merge a default security descriptor.
    • Add three ACEs to the default security descriptor on the Domain-DNS object.
    • ACEs:
      (((OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU), Add),
      ((OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU), Add),
      ((OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU), Add))
  28. {Removed}
  29. {f02915e2-9141-4f73-b8e7-2804662782da}
    • Operation: Merge a default security descriptor.
    • Add the ACE to the default security descriptor on the DNS-Zone object.
    • ACEs:
      ((A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO), Add)
  30. {39902c52-ef24-4b4b-8033-2c9dfdd173a2}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptors of ACEs on the partitions container.
    • ACEs:
      (((A;;RPLCLORC;;;AU), Remove),
      ((A;;LCLORC;;;AU), Add), ((OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU), Add),
      ((OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU), Add),
      ((OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU), Add),
      ((OA;;RP;789EE1EB-8C8E-4e4c-8CEC-79B31B7617B5;;AU), Add),
      ((OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU), Add))
  31. {20bf09b4-6d0b-4cd1-9c09-4231edf1209b}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptors of ACEs on the partitions container.
    • ACEs:
      ((A;;CC;;;ED), Add)
  32. {94f238bb-831c-11d6-977b-00c04f613221}
    • Operation: Merge a default security descriptor.
    • Add the ACE to the default security descriptor of the CN=Ipsec-Base container.
    • ACEs:
      ((A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA), Remove,
      (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY), Remove,
      (A;;RPLCLORC;;;AU), Remove)
  33. {94f238bc-831c-11d6-977b-00c04f613221}
    • Operation: Merge a default security descriptor.
    • Add the ACE to the default security descriptor of the CN=Ipsec-Filter container.
    • ACEs:
      ((A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA), Remove,
      (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY), Remove,
      (A;;RPLCLORC;;;AU), Remove)
  34. {94f238bd-831c-11d6-977b-00c04f613221}
    • Operation: Merge a default security descriptor.
    • Add the ACE to the default security descriptor of the CN=Ipsec-ISAKMP-Policy container.
    • ACEs:
      ((A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA), Remove,
      (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY), Remove,
      (A;;RPLCLORC;;;AU), Remove)
  35. {94f238be-831c-11d6-977b-00c04f613221}
    • Operation: Merge a default security descriptor.
    • Add the ACE to the default security descriptor of the CN=Ipsec-Negotiation-Policy container.
    • ACEs:
      ((A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA), Remove,
      (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY), Remove,
      (A;;RPLCLORC;;;AU), Remove)
  36. {94f238bf-831c-11d6-977b-00c04f613221}
    • Operation: Merge a default security descriptor.
    • Add the ACE to the default security descriptor of the CN=Ipsec-NFA container.
    • ACEs:
      ((A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA), Remove,
      (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY), Remove,
      (A;;RPLCLORC;;;AU), Remove)
  37. {94f238c0-831c-11d6-977b-00c04f613221}
    • Operation: Merge a default security descriptor.
    • Add the ACE to the default security descriptor of the CN=Ipsec-Policy container.
    • ACEs:
      ((A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA), Remove,
      (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY), Remove,
      (A;;RPLCLORC;;;AU), Remove)
  38. {eda27b47-e610-11d6-9793-00c04f613221}
    • Operation: Merge the default security descriptor on the user object.
    • Add the ACE to the CN=User,CN=Schema,CN=Configuration,DC=ForestRootDomain container.
    • ACEs:
      ((OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560), Add)
  39. {eda27b48-e610-11d6-9793-00c04f613221}
    • Operation: Merge the default security descriptor on the inetOrgPerson object.
    • Add the ACE to the CN=Ipsec-Policy container.
    • ACEs:
      ((OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560), Add)
  40. {eda27b49-e610-11d6-9793-00c04f613221}
    • Operation: Merge the default security descriptor on the Computer object.
    • Add the ACE to the CN=Computer,CN=Schema,CN=Configuration,DC=ForestRootDomain container.
    • ACEs:
      ((OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560), Add)
  41. {eda27b4a-e610-11d6-9793-00c04f613221}
    • Operation: Merge the default security descriptor on the Group object.
    • Add the ACE to the CN=Group,CN=Schema,CN=Configuration,DC=ForestRootDomain container.
    • ACEs:
      ((OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560), Add)
  42. {26d9c510-e61a-11d6-9793-00c04f613221}
    • Operation: Merge the default security descriptor on the User object.
    • Add the ACE to the CN=User,CN=Schema,CN=Configuration,DC=ForestRootDomain container.
    • ACEs:
      ((OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561), Add)
      ACE2
      ACE3
  43. {26d9c511-e61a-11d6-9793-00c04f613221}
    • Operation: Merge the default security descriptor on the inetOrgPerson object.
    • Add the ACE to the CN= inetOrgPerson,CN=Schema,CN=Configuration,DC=ForestRootDomain container.
    • ACEs:
      ((OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561), Add)

Domain Upgrade

In the release version of Windows Server 2003, the adprep /domainprep command adds 50 operations to the domain controller that hosts the infrastructure master role or the operations master role. Most of the operations security descriptor modifications to existing objects and attributes in the Active Directory domain partition and Group Policy objects in the file system. All changes that were made by adprep / domainprep target the infrastructure operations master in the targeted domain. To keep track of each operation that is performed, the adprep /domainprep command creates a log file in Active Directory with the following structure:
  • A new container CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=DomainName is created on the infrastructure master.
  • A new container CN=Operations,CN=DomainUpdates,CN=System,DC=DomainName is created on the infrastructure master.
  • For each operation that is performed by the adprep /domainprep command, a unique alpha-numeric string (or GUID) is written under the CN=Operations,CN=DomainUpdates,CN=System,DC=DomainName container. Each operational GUID identifies the operation.
  • If all the operations in the following list succeed, the CN=Windows2003Update object overall task will be stamped as completed successfully by setting the revision attribute (CN=Revision in the schema, syntax Integer) to 8.
A total of 55 forest operational updates have been defined over the course of the Windows Server 2003 development cycle. Five operations that were defined in beta releases of Windows Server 2003 have been removed in the original released version of Windows Server 2003. The following list includes the current operations that are performed by the adprep /domainprep command, and it includes the operations that were removed from the adprep /domainprep command:
  1. {AB402345-D3C3-455d-9FF7-40268A1099B6}
    • Operation: Create one specific object with a particular distinguished name.
    • Create the CN=WMIPolicy,CN=System,CN=X container.

      Object = CN=WMIPolicy,CN=System,CN=X
    • SD =
      O:DAD:P(A;;CCLCSWRPWPLORC;;;BA)
      (A;;CCLCSWRPWPLORC;;;PA)
      (A;CI;LCRPLORC;;;AU)(A;CI;LCRPLORC;;;SY)
      (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)
      (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)
      (A;CIIO;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)
  2. {BAB5F54D-06C8-48de-9B87-D78B796564E4}
    • Operation: Create one specific object with a particular distinguished name.
    • Create the CN=ComPartitions,CN=System,DC=X container.
    • SD =
      O:DAG:DAD:(A;;RPLCLORC;;;AU)
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
  3. {F3DD09DD-25E8-4f9c-85DF-12D6D2F2F2F5}
    • Operation: Create one specific object with a particular distinguished name.
    • Create the CN=ComPartitionSets,CN=System,DC=X container.

      Class = container
    • SD =
      O:DAG:DAD:(A;;RPLCLORC;;;AU)
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
  4. {2416C60A-FE15-4d7a-A61E-DFFD5DF864D3}
    • Operation: Add the members to a group.
    • Add the Anonymous Logon members to the Pre-Windows 2000 Compatible Group.
    • Group = (Pre-Windows 2000 Compatible Group)
      Members = ((Anonymous Logon SID))
  5. {7868D4C8-AC41-4e05-B401-776280E8E9F1}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACEs to the domain object.

    • ACEs =((OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU), Add,
      ((OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU), Add,
      ((OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU), Add))
  6. {Removed}
  7. {860C36ED-5241-4c62-A18B-CF6FF9994173}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACEs to the CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=X container.
    • ACEs =
      ((A;;LCRPLORC;;;ED), Add)
  8. {0E660EA3-8A5E-4495-9AD7-CA1BD4638F9E}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACEs to the CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,CN=X container.
    • ACEs =
      ((A;;LCRPLORC;;;ED), Add)
  9. {A86FE12A-0F62-4e2a-B271-D27F601F8182}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACEs to the Group Policy container.
    • ACEs =
      ((OA;CI;LCRPLORC;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;ED), Add)
  10. {D85C0BFD-094F-4cad-A2B5-82AC9268475D}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACEs to the AdminSDHolder container.
    • ACEs =
      ((OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS), Add)
      ((OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA), Add)
  11. {6ADA9FF7-C9DF-45c1-908E-9FEF2FAB008A}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACEs to the Group Policy container.
    • ACEs=
      ((A;;LCRPLORC;;;ED), Add))
  12. {10B3AD2A-6883-4fa7-90FC-6377CBDC1B26}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACEs to the CN=User,CN={ 6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System container.
    • ACEs=
      ((A;;LCRPLORC;;;ED), Add)
  13. {98DE1D3E-6611-443b-8B4E-F4337F1DED0B}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACEs to the CN=Machine,CN={ 6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System container.
    • ACEs=
      ((A;;LCRPLORC;;;ED), Add)
  14. {F607FD87-80CF-45e2-890B-6CF97EC0E284}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACE to the CN=Machine,CN={ 31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System container.
    • ACEs=
      ((A;;LCRPLORC;;;ED), Add)
  15. {9CAC1F66-2167-47ad-A472-2A13251310E4}
    • Operation: Modify a set of attributes on a specific object by using the object's distinguished name.
    • Set the default values for attributes on the Easy Trust Creation object in the domain.
    • Attribute:Value:
      ((msDS-PerUserTrustQuota:1),
      (msDS-AllUsersTrustQuota: 1000),
      (msDS-PerUserTrustTombstonesQuota: 10))
  16. {Removed}
  17. {6FF880D6-11E7-4ed1-A20F-AAC45DA48650}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACEs to the domain container.
    • ((OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD), Add,
      (OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA), Add)
  18. {446f24ea-cfd5-4c52-834696e170bcb912}
    • Operation: Call a function.
    • Use the Resultant Set of Policy (RSOP) tool to set the ACEs in the %systemroot%\Sysvol\Sysvol\Domain NamePolicies folder. The Sysvol path can be found in the following registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysVol (RegSZ)

      For each folder under the %systemroot%\Sysvol\Polices folder, add the following ACE:
    • ACEs=
      (A;;LCRPLORC;;;ED)
  19. {293F0798-EA5C-4455-9F5D-45F33A30703B}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Add the ACEs to the SAM-Server object on the CN=Server,CN=System,DC=DomainName container.
    • ACEs=
      ((OA;;CR;91d67418-0135-4acc-8d79-c08e857cfbec;;AU), Add,
      (OA;;CR;91d67418-0135-4acc-8d79-c08e857cfbec;;RU), Add)
  20. {Removed}
    • Removed January 24, 2002.
  21. {Removed}
    • Removed January 24, 2002.
  22. {5c82b233-75fc-41b3-ac71-c69592e6bf15}
    • Operation: Create one specific object with a particular distinguished name.
    • Create the CN=ForeignSecurityPrincipals,DC=X container.
    • SD =
      O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
      (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
      (A;;RPLCLORC;;;AU)
  23. {Removed}
    • Removed April 23, 2002.
  24. {4dfbb973-8a62-4310-a90c-776e00f83222}
    • Operation: Create one specific object with a particular distinguished name.
    • Create the CN=Microsoft,CN=Program Data,DC=X container.
    • SD=
      O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA
      )(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
      (A;;RPLCLORC;;;AU)
  25. {8437C3D8-7689-4200-BF38-79E4AC33DFA0}
    • Operation: Create one specific object with a particular distinguished name.
    • Create the CN=Microsoft,CN=Program Data,DC=X container.
    • SD=O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
      (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
      (A;;RPLCLORC;;;AU)
  26. {7cfb016c-4f87-4406-8166-bd9df943947f}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Replace the ACE in the security descriptor of the DC=X container.
    • ACEs=
      ((OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;BU), Remove,
      (OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557), Add))
  27. {f7ed4553-d82b-49ef-a839-2f38a36bb069}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Grant three controlAccessRights to Authenticated Users on the domain object with the distinguished name DC=X.
    • ACEs=
      ((OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU), Add,
      (OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU), Add,
      (OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU), Add)
  28. {8ca38317-13a4-4bd4-806f-ebed6acb5d0c}
    • Operation: Create one specific object with a particular distinguished name.
    • Create the CN=SOM,CN=WMIPolicyobject.
    • ACEs=
      O:DAD:P(A;CI;LCRPLORC;;;AU)
      (A;CI;LCRPLORC;;;SY)
      (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)
      (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)
      (A;;CCLCSWRPWPLORC;;;BA)(A;;CCLCSWRPWPLORC;;;PA)
      (A;CIIO;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;CO)
  29. {3c784009-1f57-4e2a-9b04-6915c9e71961}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove)
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA),Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY),Remove)
      ((A;CI;RPLCLORC;;;DC), Add)
      (A;CI;RPLCLORC;;;PA),Add,
      (A;CI;RPWPCRLCLOCCDCRCWDWOSW;;;DA),Add,
      (A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY),Add)
  30. {6bcd5678-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  31. {6bcd5679-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  32. {6bcd567a-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNFA{72385232-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  33. {6bcd567b-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  34. {6bcd567c-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNFA{594272E2-071D-11D3-AD22-0060B0ECCA17},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  35. {6bcd567d-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNFA{6A1F5C6F-72B7-11D2-ACF0-0060B0ECCA17},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  36. {6bcd567e-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecPolicy{72385236-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  37. {6bcd567f-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  38. {6bcd5680-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  39. {6bcd5681-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  40. {6bcd5682-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  41. {6bcd5683-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNFA{7238523E-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  42. {6bcd5684-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  43. {6bcd5685-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNFA{594272FD-071D-11D3-AD22-0060B0ECCA17},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  44. {6bcd5686-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNegotiationPolicy{59319BDF-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  45. {6bcd5687-8314-11d6-977b-00c04f613221}
    • Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNegotiationPolicy{59319BF0-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  46. {6bcd5688-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNegotiationPolicy{59319C01-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  47. {6bcd5689-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  48. {6bcd568a-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNegotiationPolicy{7238523F-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  49. {6bcd568b-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecNegotiationPolicy{7238523B-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  50. {6bcd568c-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecFilter{7238523A-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  51. {6bcd568d-8314-11d6-977b-00c04f613221}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the CN=ipsecFilter{72385235-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System object.
    • ACEs=
      ((A;;RPLCLORC;;;AU), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA), Remove,
      (A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY), Remove)
  52. {3051c66f-b332-4a73-9a20-2d6a7d6e6a1c}
    • Operation: Add to or remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the DC=X object.
    • ACEs=
      ((A;;RC;;;RU),Remove,
      (A;;RPRC;;;RU), Add))
  53. {3e4f4182-ac5d-4378-b760-0eab2de593e2}
    • Operation: Add to and remove a set of ACEs from a specific object by using the object's distinguished name.
    • Modify the security descriptor on the DC=X object.
    • ACEs=
      ((A;;RC;;;RU),Remove, (A;;RPRC;;;RU), Add))
      (A;;RPRC;;;RU), Add))
  54. {c4f17608-e611-11d6-9793-00c04f613221}
    • Operation: Add a set of ACEs to a specific object by using the object's distinguished name.
    • Add an ACE to the CN=AdminSDHolder,CN=System,DC=DomainName object.
    • ACEs=
      ((OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560), Add)
  55. {13d15cf0-e6c8-11d6-9793-00c04f613221}
    • Operation: Add a set of ACEs to a specific object by using the object's distinguished name.
    • Add an ACE to the CN=AdminSDHolder,CN=System,DC=DomainName object.
    • ACEs=
      ((OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561), Add)

Additional Information

The number of operational GUIDs that appear in the CN=Operations,CN=ForestUpdates container and in the CN=Operations,CN=DomainUpdates container depends on the upgrade path of the forest and its domains. Various operations that are performed by beta versions of Adprep.exe have been removed in the original released version of Windows Server 2003. The released version of Adprep.exe does not remove GUIDs that were added to the CN=Operations,CN=ForestUpdates container and to the CN=Operations,DomainUpdates container by beta versions of Adprep.exe. Therefore, a forest or domain that was prepared with Beta 3, Release Candidate (RC) 1 or with early RC2 versions of Adprep.exe will contain more operational GUIDs than one that was prepared with a released version.

Finally, objects under the CN=Operations,CN=ForestUpdates container and the CN=Operations,CN=DomainUpdates container are not exclusively created by Adprep.exe. Adprep.exe will add the operational GUIDs that represent the actions that Adprep.exe can perform. Similarly, the operating system installation process or the installation scripts may create additional operational GUIDs that are essentially registry keys that replicate between the correct scope of domain controllers.

Ordinarily there are 50 objects that are created by the adprep /domainprep command under CN=Operations,CN=DomainUpdates,CN=System,DC=X and 36 objects that are created by the adprep /forestprep command under CN=Operations,CN=ForestUpdates,CN=Configuration,DC=X. However, when a Windows 2000 Server Service Pack 3 (SP3) domain controller is directly upgraded with Windows Server build 3777 or a later version of Adprep.exe, an additional GUID, CN=6E157EDF-4E72-4052-A82A-EC3F91021A22, is created in the CN=ForestUpdates container. This container is not removed by later versions of Adprep.exe. Similarly, domains that were updated by early versions of Adprep.exe may also contain a CN=Windows2002Update container that is also not removed by later versions of Adprep.exe. There are known differences in NTSD/default security descriptor definitions between a forest that was prepared with the original released version of Windows Server 2003 and a forest that used a different upgrade path. The divergence in the number of operational GUID objects is by design.

Build 3777 (and later) versions of the Windows Server 2003 adprep /domainprep command creates two additional objects under CN=Operations,CN=DomainUpdates,CN=System,DC=X that are defined in the DomainUpdates section of Schema.ini.

[DomainUpdates]

[7ffef925-405b-440a-8d58-35e8cd6e98c3]
nTSecurityDescriptor=O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
objectClass= Container
objectCategory= Container

[8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c]
nTSecurityDescriptor=O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
objectClass= Container
objectCategory= Container
Important New IPSEC filters that are created between the execution of adprep /forestprep and adprep /domainprep will not apply to Windows 2000, Windows XP and Windows Server 2003 domain computers until adprep /domainprep has been executed in those domains where the IPSEC filter was created. IPSEC filters that are defined before the execution of adrprep /forestprep and after the execution of adprep /domainprep in each domain will continue to apply normally. As a best practice, Microsoft suggests that administrators promptly run adprep /domainprep on the infrastructure master domain controller for each domain in the forest following the execution and inbound replication of adprep /forestprep changes. 
;!--------------------------------------------------------
;! A Forest That Is Created with Windows Server 2003
;! This operation's GUID, 94fdebc6-8eeb-4640-80de-ec52b9ca17fa, is set on forests where the
;! first domain controller in the forest had at least a Windows Server 2003 code base, schema, and so on. 
;!--------------------------------------------------------
[94fdebc6-8eeb-4640-80de-ec52b9ca17fa]
nTSecurityDescriptor=O:EAG:EAD:(A;;RPLCLORC;;;WD)(A;;RPWPCRLCLOCCRCWDWOSW;;;EA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
objectClass=Container
ObjectCategory=Container
Modification Type:MajorLast Reviewed:9/13/2005
Keywords:kbwinservds kbActiveDirectory kbinfo KB309628 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.