Solved

adprep /domainprep problems adding 2003 server to 2000 domain

Posted on 2004-10-21
578 Views
Last Modified: 2012-06-27
I am pulling my hair out over this one.  

I am trying to add a 2003 server to a 2000 domain.

adprep /forestprep ran with no errors

adprep /domainprep runs with the following error:

Adprep created the log file ADPrep.log under C:\WINNT\system32\debug\adprep\logs\20041021094556 directory.



Adprep copied file d:\i386\schema.ini from installation point to local machine under directory C:\WINNT.



Adprep successfully made the LDAP connection to the local domain controller TESTSERVER.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).



LDAP API ldap_search_s() finished, return code is 0x0



Adprep successfully retrieved information from the local directory service.



Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.



Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_add_s() finished, return code is 0x44



Adprep attempted to create the directory service object cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.

[Status/Consequence]

The object exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.




LDAP API ldap_add_s() finished, return code is 0x44



Adprep attempted to create the directory service object cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.

[Status/Consequence]

The object exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=ab402345-d3c3-455d-9ff7-40268a1099b6,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=ab402345-d3c3-455d-9ff7-40268a1099b6,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=bab5f54d-06c8-48de-9b87-d78b796564e4,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=bab5f54d-06c8-48de-9b87-d78b796564e4,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=2416c60a-fe15-4d7a-a61e-dffd5df864d3,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=2416c60a-fe15-4d7a-a61e-dffd5df864d3,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=7868d4c8-ac41-4e05-b401-776280e8e9f1,cn=Operations,cn=DomainUpdates,cn=System,DC=brenner,DC=brenneroil,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=7868d4c8-ac41-4e05-b401-776280e8e9f1,cn=Operations,cn=DomainUpdates,cn=System,DC=brenner,DC=brenneroil,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=860c36ed-5241-4c62-a18b-cf6ff9994173,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=860c36ed-5241-4c62-a18b-cf6ff9994173,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=a86fe12a-0f62-4e2a-b271-d27f601f8182,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=a86fe12a-0f62-4e2a-b271-d27f601f8182,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x20



Adprep verified the state of operation cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0

This is my setup:
w2k server is only dc in the domain and has exchange 2000
ran inetorgpersonfix script (after forestprep)
ran adprep /forestprep - no errors
ran adprep /domainprep - error is above
checked all system policy permissions:  domain admins, enterpriseadmins, administrators have full control over AD policies etc.
checked registry:  schema update is set to 1
sysvol is set to c:\winnt\sysvol\sysvol

I just cannot get the brand new 2003 server to run dcpromo without it telling me I have to run adprep /domainprep.

Any help would be much appreciated.

Thanks for your time



0
Question by:95reasons
    17 Comments
     
    LVL 1

    Expert Comment

    by:blueivy
    0
     

    Author Comment

    by:95reasons
    I read that article also, this is my problem, the GUID identified doesn't exisit in the policies container.  I can't find it anywhere.

    5)Locate the GUID identified in the last entry of the Adprep log file.
    6) Right-click the entry and select Properties, then Security.
    7) Change the permissions on this GUID to allow Full Control to the Denied groups.  This might involve taking Ownership to accomplish.

    Thanks again for your help.
    0
     
    LVL 1

    Expert Comment

    by:blueivy
    The only thing I can see out of the ordinary is the following line:

    ===============

    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



    LDAP API ldap_search_s() finished, return code is 0x20

    ===============

    All of the other ldap_seach() queries returned 0x0. Have you checked for this GUID? It's a long shot and I'm assuming that 0x0 means it exists and can continue whereas 0x20 seems ot indicate success, but it's the only thing I can see out of the ordinary.
    0
     

    Author Comment

    by:95reasons
    That is one of my problems, I don't know exactly where to look.
    0
     

    Author Comment

    by:95reasons
    Well, I say I don't know where to look, not completely right:  That GUID is not located in the container CN=system, CN=operations,CN= (various containers with varying GUID's none of which are the GUID that errors out in the log.)

    Is there somewhere else to look?

    I don't see it in adsiedit either.

    Thanks for the quick responses on this.

    0
     
    LVL 1

    Expert Comment

    by:blueivy
    That should be the only place to look System -> Domain Updates -> Operations -> the GUID.

    Hmmm. Not sure on this one. If 0x20 successfully created the GUId, you'd expect to see it there. If it didn't, you'd expect to see it there. Are the right permission on System -> Domain Updates -> Operations (ie. Domain Admins, Admins etc. etc)?
    0
     

    Author Comment

    by:95reasons
    It isn't listed anywhere under operations.  My permissions under operations and all the GUID containers to the right are FULL CONTROL for Administrators,Domain Admins, Enterprise Admins (allow inheritable permissions is also checked.)  I'm logged in as administrator (who is a member in each of the afforementioned groups including schema admins.)

    0
     
    LVL 1

    Expert Comment

    by:blueivy
    I am at a loss on this one. The only other article I could find that might help is:

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/prepare_for_the_upgrade_of_a_mixed_or_Win2000_domain.asp

    Partiularly the part on the schema master. You've probably followed this though.
    0
     

    Author Comment

    by:95reasons
    No, I didn't have the snap-in registered.  I just reloaded the schema.  No luck.

    The other posts I have seen on this topic seem to include a GUID that is the same as mine.  They all solved their problems by fixing errors with dcdiag and / or changing permissions.


    I just don't get why the adprep log lists a GUID that I can't find anywhere in active directory.

    Thanks for the help.
    0
     
    LVL 1

    Expert Comment

    by:blueivy
    No problem. Hope you can get it sorted. I'll keep an eye on the call.
    0
     
    LVL 51

    Expert Comment

    by:Netman66
    Wow...I'm famous!

    That's my Technet article.

    On the main DC you can also use ADUC to look at each and every GPO you created in the Domain.  On the Security tab of the GPO itself you must have Enterprise Admins, Domain Admins and SYSTEM with minimum Read/Write permissions - it's best to give full control.

    The reason this part of ADPREP fails is because one or more of the above security principals has been removed or denied access to one or more Group Policy objects that have been created.  This almost always occurs because an Admin doesn't want a policy to apply to them so they remove access to their group by either denying access or removing the ACE from the policy.

    Let me know if you need more help.

    0
     
    LVL 51

    Expert Comment

    by:Netman66
    I should also add that there will very likely be other ACE's on those GPO's - do not remove them - we just want to make sure that EA, DA and SYSTEM are there and have access.

    0
     

    Author Comment

    by:95reasons
    Hey Netman66 I'm back.  Its been a while but I'm still working on this problem. I ended up installing 2000 on the box and mad AD play nice
    with the existing DC.  Now everything is great, but I still really need to upgrade to 2003 on the one server.

    Is there a way for me to manually create the GUID container the  adprep /domainprep is looking for to solve my problem?
    0
     

    Author Comment

    by:95reasons
    Clarification:

    Adprep verified the state of operation cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.

    [Status/Consequence]

    The operation has not run or is not currently running. It will be run next.

    If I were to try to create the 6ada9ff7... cn manually (if that is even possible) would it solve my problem.

    Thanks again
    0
     
    LVL 51

    Accepted Solution

    by:
    Not likely - it's pretty specific and getting it right would be very lucky.

    You need to find that GUID on one of the SYSVOLs - it's very likely a policy - if it doesn't exist, then remove it from the System>Policies section of ADUC in advanced mode.

    You should be able to run /domainprep now.

    Looking more closely, I don't think that's where it's failing - at that GUID.  I think that GUID is just the state of the AD that adprep uses to determine where it's at in the process.  There is very likely another GUID which represents a policy that doesn't have the correct access for EA, DA or Administrators that is stopping it from finishing.  Did you look at your GPOs yet?




    0
     

    Author Comment

    by:95reasons
    YOU ARE THE MAN!!!!!!!

    That was it.  There was a lone policy in sysvol that didn't have the correct permissions (Actually a couple of them)  It WORKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



    Thank you so much.


    EE is fantastic
    0
     
    LVL 51

    Expert Comment

    by:Netman66
    Do you think you could cheer up a little?  Hehe - just kidding.... :o)

    Glad I could help out.
    0

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone. Privacy Policy Terms of Use

    Featured Post

    Do You Know the 4 Main Threat Actor Types?

    Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

    Suggested Solutions

    I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
    Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
    In this Experts Exchange video Micro Tutorial, I'm going to show how small business owners who use Google Apps can save money by setting up what is called a catch-all email address in their Gmail accounts. By using the catch-all feature, small busin…
    how to add IIS SMTP to handle application/Scanner relays into office 365.

    877 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now