Link to home
Start Free TrialLog in
Avatar of LLUIGI
LLUIGIFlag for United States of America

asked on

Adprep and DCPROMO Error when upgrading from 2003 to 2008 r2

I Am Upgrading my domain to server 2008 r2 I have ran the following:

ADPREP /FORESTPREP
ADPREP /DOMAINPREP
ADPREP /DOMAINPREP /GPPREP
ADPREP /RODCPREP

When I run ADPREP /RDCPREP I get errors that you can see in the log at the bottom of the post on the 2008 r2 machine when I run DCPROMO any help would be appreciated.



****LOG STARTS NOW****
Adprep created the log file ADPrep.log under C:\WINDOWS\debug\adprep\logs\20141101142915 directory.



Adprep connected to the domain FSMO: WallachBethFS.wallachbeth.local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).



LDAP API ldap_search_s() finished, return code is 0x0



Adprep successfully retrieved information from the local Active Directory Domain Services.



Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



==============================================================================

Adprep found partition DC=DomainDnsZones,DC=wallachbeth,DC=local, and is about to update the permissions.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



Adprep connected to a replica DC WallachBethFS.wallachbeth.local that holds partition DC=DomainDnsZones,DC=wallachbeth,DC=local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=DomainDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=DomainDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=0273d441-cc89-45e1-8f77-6ea55c3ada99,CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_modify_s() finished, return code is 0x33



Adprep failed the operation on partition DC=DomainDnsZones,DC=wallachbeth,DC=local. Skipping to next partition.

==============================================================================



==============================================================================

Adprep found partition DC=ForestDnsZones,DC=wallachbeth,DC=local, and is about to update the permissions.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



Adprep connected to a replica DC WallachBethFS.wallachbeth.local that holds partition DC=ForestDnsZones,DC=wallachbeth,DC=local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=ForestDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=ForestDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=73620c7c-9952-4b60-8bd5-2ffc8c86781c,CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_modify_s() finished, return code is 0x33



Adprep failed the operation on partition DC=ForestDnsZones,DC=wallachbeth,DC=local. Skipping to next partition.

==============================================================================



==============================================================================

Adprep found partition DC=wallachbeth,DC=local, and is about to update the permissions.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



Adprep connected to the Infrastructure FSMO: WallachBethFS.wallachbeth.local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=WALLACHBETH,CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_modify_s() finished, return code is 0x33



Adprep failed the operation on partition DC=wallachbeth,DC=local. Skipping to next partition.

==============================================================================



Adprep completed with errors. Not all partitions are updated. See the ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20141101142915 directory for more information.



To successfully update all partititions, the current logged on user needs to be a member of Enterprise Admins group.  If that is not the case, please correct the problem, and then restart Adprep.
Avatar of it_saige
it_saige
Flag of United States of America image

Have you made sure that your user is a member of the Enterprise Admins group.  Also, make sure that your user is a member of Schema Admins.

-saige-
Avatar of LLUIGI

ASKER

Yes I am good on that front
Also if you are not planning on deploying a Read-Only Domain Controller, there is no need to run ADPREP /RODCPREP.

-saige-
Avatar of LLUIGI

ASKER

ok then that is the only error we received in the process so far why is DCPROMO asking for adprep again?
Avatar of LLUIGI

ASKER

I have noticed that replication between my 2 2003 Server is now reporting a mismatch error. when I run DCPROMO it still requests ADPREP To be ran
Which ADPREP did you run (DVD location)?  Did you run ADPREP on your 2003 domain controller?  Does the 2003 domain controller hold all of the FSMO roles?

-saige-
Hi

it looks like this


Adprep /rodcprep will log an error if the infrastructure master for an application directory partition is not available

If the domain controller that holds the infrastructure operations master (also known as flexible single master operations or FSMO) role for an application directory partition is not available when you run the adprep /rodcprep command to prepare a forest for an RODC, the command can return an error. The error is logged in the Adprep.log file, and it indicates that Adprep failed an operation on the application directory partition that is named in the error. By default, domain controllers have application directory partitions for DNS.
The infrastructure operations master role holder for each application directory partition must be online when you run adprep /rodcprep. If the role holder is not online, which could happen if the domain controller that hosted the role was forcefully demoted without performing metadata cleanup, then adprep /rodcprep can log the error.
noteNote
The infrastructure operations master role for an application directory partition is not the same as the infrastructure operations master role for a domain partition.
For more information about fixing this issue, see article 949257 in the Microsoft Knowledge base (http://go.microsoft.com/fwlink/?LinkID=114419).

from

http://technet.microsoft.com/en-gb/library/2a325aca-db4f-4004-a5d7-8703082d8702(v=ws.10)#BKMK_RodcprepError
that said if you dont  plan to use rodc you can disregard this message
Avatar of LLUIGI

ASKER

ok thank you but what does that have to do with the DCPROMO error asking to run ADPREP /FORESTPREP on the DC that holds the FSMO Roles when that already has been done successfully?
Avatar of LLUIGI

ASKER

rodc is out I just need to clear up DCPROMO Error so I can move forward.
Avatar of LLUIGI

ASKER

please see attached adprep log file  
ADPrep.log
On the server that you ran ADPREP from:
1.  Click Start, click Run, type cmd in the Open box, and then press ENTER.
2.  Type ntdsutil, and then press ENTER.
3.  Type rol, and then press ENTER.
4.  Type con, and then press ENTER.
5.  Type con to ser localhost, and then press ENTER.
6.  Type quit, and then press ENTER.
7.  Type sel op tar, and then press ENTER.
8.  Type li ro for con ser, and then press ENTER.

Please provide the output from running list roles for connected server

Example output:User generated image
-saige-
Based on your ADPREP.LOG.  Run the following command and provide the output please:

DSACLS "CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=wallachbeth,DC=local"

-saige-
ASKER CERTIFIED SOLUTION
Avatar of it_saige
it_saige
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the \sources\adprep folder,

and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder.

You must run adprep from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Source

To complete the required operations, you must run the Adprep.exe commands that are listed in the following table. You must run adprep /forestprep before you run other commands. Some commands must be run on specific domain controllers, as indicated in the table. None of the commands requires a restart of the server after the operation is complete. The remaining sections in this topic contain more details about each command.
Source

-saige-
Avatar of compdigit44
compdigit44

Below is how to tell if Forestprep was run in your environment. I would suggest runn this on the server with the schema role.. Also can you paste the results of the following command:   repadmin /showrepl

To verify that adprep /forestprep completed successfully


1.Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.


2.Click Start, click Run, type ADSIEdit.msc, and then click OK.


3.Click Action, and then click Connect to.


4.Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.


5.Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain

where forest_root_domain is the distinguished name of your forest root domain.


6.Double-click CN=ForestUpdates.


7.Right-click CN=ActiveDirectoryUpdate, and then click  Properties.


8.If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click  OK.

If you ran adprep /forestprep for Windows Server 2008, confirm that the Revision attribute value is 2, and then click  OK.


9.Click ADSI Edit, click Action, and then click Connect to.


10.Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.


11.Double-click Schema.


12.Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties

where forest_root_domain is the distinguished name of your forest root domain.


13.If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.

If you ran adprep /forestprep for Windows Server 2008, confirm that the objectVersion attribute value is set to 44, and then click OK.
seems you are using adprep from 2008 media while putting in a 2008 R2 server; that would cause this to happen
as mentioned, the schema needs to be at 47 while yours is at 44 (2008 level)
you run dcpromo on the 2008 R2 server and says you need to run adprep because it's at 2008 level, not 2008 R2
if your 2003 server is 32bit, run adprep32 there from the R2 media
Avatar of LLUIGI

ASKER

I used the ADPREP from the 2008 r2 dvd (Successful)
and then I contacted MS and they sent me a link for the x86 version which I tried to run but said it already has ran
Avatar of LLUIGI

ASKER

Will I be able to run ADPREP again if I use the ADPREP from the 2008 r2 \sources\adprep\
are you certain it is R2 media before?
the adprep log shows sch44.ldf as the last file it processed which is for 2008; it should have gone through sch47.ldf for R2
as i said, if your 2003 server is 32bit, use adprep32; adprep won't work there since it's 64bit binary
You should only need to run ADPREP once per domain.  You don't need to run it on each server unless you have your FSMO roles segregated, then in that case you would run:
1.  ADPREP /FORESTPREP on your Schema Operations Master (Once for the entire forest)
2.  ADPREP /DOMAINPREP on your Infrastructure Operations Masters (Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain.)
3.  ADPREP /DOMAINPREP /GPPREP on your Infrastructure Operations Masters (Once in each domain within the forest).  Note:  If you already ran the /gpprep parameter for Windows Server 2003, you do not have to run it again for later versions of Windows Server.

Now I would recommend that we get a state of the domain since you have successfully ran adprep.  compdigit44 gave instructions on how to check your schema level here: Check Schema Instructions.

-saige-
Avatar of LLUIGI

ASKER

OK I have adprep32 running now
Avatar of LLUIGI

ASKER

Inadvertently downloaded Server 2008 not Server 2008 r2 all is correct now. Thank you
Avatar of LLUIGI

ASKER

Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Co
nfiguration,DC=wallachbeth,DC=local
Domain - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Co
nfiguration,DC=wallachbeth,DC=local
PDC - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Confi
guration,DC=wallachbeth,DC=local
RID - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Confi
guration,DC=wallachbeth,DC=local
Infrastructure - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sit
es,CN=Configuration,DC=wallachbeth,DC=local
select operation target:
Not a problem.  Glad you have it all sorted out now.

-saige-
Avatar of LLUIGI

ASKER

Checked Schema Level and the correct values 5 and 47 have been confirmed thanks again