Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

adprep /domainprep problems adding 2003 server to 2000 domain

Posted on 2004-10-21
19
Medium Priority
?
588 Views
Last Modified: 2012-06-27
I am pulling my hair out over this one.  

I am trying to add a 2003 server to a 2000 domain.

adprep /forestprep ran with no errors

adprep /domainprep runs with the following error:

Adprep created the log file ADPrep.log under C:\WINNT\system32\debug\adprep\logs\20041021094556 directory.



Adprep copied file d:\i386\schema.ini from installation point to local machine under directory C:\WINNT.



Adprep successfully made the LDAP connection to the local domain controller TESTSERVER.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).



LDAP API ldap_search_s() finished, return code is 0x0



Adprep successfully retrieved information from the local directory service.



Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.



Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_add_s() finished, return code is 0x44



Adprep attempted to create the directory service object cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.

[Status/Consequence]

The object exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.




LDAP API ldap_add_s() finished, return code is 0x44



Adprep attempted to create the directory service object cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.

[Status/Consequence]

The object exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=ab402345-d3c3-455d-9ff7-40268a1099b6,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=ab402345-d3c3-455d-9ff7-40268a1099b6,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=bab5f54d-06c8-48de-9b87-d78b796564e4,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=bab5f54d-06c8-48de-9b87-d78b796564e4,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=2416c60a-fe15-4d7a-a61e-dffd5df864d3,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=2416c60a-fe15-4d7a-a61e-dffd5df864d3,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=7868d4c8-ac41-4e05-b401-776280e8e9f1,cn=Operations,cn=DomainUpdates,cn=System,DC=brenner,DC=brenneroil,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=7868d4c8-ac41-4e05-b401-776280e8e9f1,cn=Operations,cn=DomainUpdates,cn=System,DC=brenner,DC=brenneroil,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=860c36ed-5241-4c62-a18b-cf6ff9994173,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=860c36ed-5241-4c62-a18b-cf6ff9994173,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=a86fe12a-0f62-4e2a-b271-d27f601f8182,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=a86fe12a-0f62-4e2a-b271-d27f601f8182,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep checked to verify whether operation cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com has completed.

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x20



Adprep verified the state of operation cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x0

This is my setup:
w2k server is only dc in the domain and has exchange 2000
ran inetorgpersonfix script (after forestprep)
ran adprep /forestprep - no errors
ran adprep /domainprep - error is above
checked all system policy permissions:  domain admins, enterpriseadmins, administrators have full control over AD policies etc.
checked registry:  schema update is set to 1
sysvol is set to c:\winnt\sysvol\sysvol

I just cannot get the brand new 2003 server to run dcpromo without it telling me I have to run adprep /domainprep.

Any help would be much appreciated.

Thanks for your time



0
Comment
Question by:95reasons
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 5
  • 4
19 Comments
 
LVL 1

Expert Comment

by:blueivy
ID: 12370407
0
 

Author Comment

by:95reasons
ID: 12370443
I read that article also, this is my problem, the GUID identified doesn't exisit in the policies container.  I can't find it anywhere.

5)Locate the GUID identified in the last entry of the Adprep log file.
6) Right-click the entry and select Properties, then Security.
7) Change the permissions on this GUID to allow Full Control to the Denied groups.  This might involve taking Ownership to accomplish.

Thanks again for your help.
0
 
LVL 1

Expert Comment

by:blueivy
ID: 12370571
The only thing I can see out of the ordinary is the following line:

===============

Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.



LDAP API ldap_search_s() finished, return code is 0x20

===============

All of the other ldap_seach() queries returned 0x0. Have you checked for this GUID? It's a long shot and I'm assuming that 0x0 means it exists and can continue whereas 0x20 seems ot indicate success, but it's the only thing I can see out of the ordinary.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:95reasons
ID: 12370619
That is one of my problems, I don't know exactly where to look.
0
 

Author Comment

by:95reasons
ID: 12370717
Well, I say I don't know where to look, not completely right:  That GUID is not located in the container CN=system, CN=operations,CN= (various containers with varying GUID's none of which are the GUID that errors out in the log.)

Is there somewhere else to look?

I don't see it in adsiedit either.

Thanks for the quick responses on this.

0
 
LVL 1

Expert Comment

by:blueivy
ID: 12370758
That should be the only place to look System -> Domain Updates -> Operations -> the GUID.

Hmmm. Not sure on this one. If 0x20 successfully created the GUId, you'd expect to see it there. If it didn't, you'd expect to see it there. Are the right permission on System -> Domain Updates -> Operations (ie. Domain Admins, Admins etc. etc)?
0
 

Author Comment

by:95reasons
ID: 12370963
It isn't listed anywhere under operations.  My permissions under operations and all the GUID containers to the right are FULL CONTROL for Administrators,Domain Admins, Enterprise Admins (allow inheritable permissions is also checked.)  I'm logged in as administrator (who is a member in each of the afforementioned groups including schema admins.)

0
 
LVL 1

Expert Comment

by:blueivy
ID: 12371154
I am at a loss on this one. The only other article I could find that might help is:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/prepare_for_the_upgrade_of_a_mixed_or_Win2000_domain.asp

Partiularly the part on the schema master. You've probably followed this though.
0
 

Author Comment

by:95reasons
ID: 12371389
No, I didn't have the snap-in registered.  I just reloaded the schema.  No luck.

The other posts I have seen on this topic seem to include a GUID that is the same as mine.  They all solved their problems by fixing errors with dcdiag and / or changing permissions.


I just don't get why the adprep log lists a GUID that I can't find anywhere in active directory.

Thanks for the help.
0
 
LVL 1

Expert Comment

by:blueivy
ID: 12371464
No problem. Hope you can get it sorted. I'll keep an eye on the call.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 12377808
Wow...I'm famous!

That's my Technet article.

On the main DC you can also use ADUC to look at each and every GPO you created in the Domain.  On the Security tab of the GPO itself you must have Enterprise Admins, Domain Admins and SYSTEM with minimum Read/Write permissions - it's best to give full control.

The reason this part of ADPREP fails is because one or more of the above security principals has been removed or denied access to one or more Group Policy objects that have been created.  This almost always occurs because an Admin doesn't want a policy to apply to them so they remove access to their group by either denying access or removing the ACE from the policy.

Let me know if you need more help.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 12377819
I should also add that there will very likely be other ACE's on those GPO's - do not remove them - we just want to make sure that EA, DA and SYSTEM are there and have access.

0
 

Author Comment

by:95reasons
ID: 12437312
Hey Netman66 I'm back.  Its been a while but I'm still working on this problem. I ended up installing 2000 on the box and mad AD play nice
with the existing DC.  Now everything is great, but I still really need to upgrade to 2003 on the one server.

Is there a way for me to manually create the GUID container the  adprep /domainprep is looking for to solve my problem?
0
 

Author Comment

by:95reasons
ID: 12437326
Clarification:

Adprep verified the state of operation cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=test,DC=test,DC=com.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.

If I were to try to create the 6ada9ff7... cn manually (if that is even possible) would it solve my problem.

Thanks again
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 12437933
Not likely - it's pretty specific and getting it right would be very lucky.

You need to find that GUID on one of the SYSVOLs - it's very likely a policy - if it doesn't exist, then remove it from the System>Policies section of ADUC in advanced mode.

You should be able to run /domainprep now.

Looking more closely, I don't think that's where it's failing - at that GUID.  I think that GUID is just the state of the AD that adprep uses to determine where it's at in the process.  There is very likely another GUID which represents a policy that doesn't have the correct access for EA, DA or Administrators that is stopping it from finishing.  Did you look at your GPOs yet?




0
 

Author Comment

by:95reasons
ID: 12438179
YOU ARE THE MAN!!!!!!!

That was it.  There was a lone policy in sysvol that didn't have the correct permissions (Actually a couple of them)  It WORKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



Thank you so much.


EE is fantastic
0
 
LVL 51

Expert Comment

by:Netman66
ID: 12441494
Do you think you could cheer up a little?  Hehe - just kidding.... :o)

Glad I could help out.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question