ADPrep /forestPrep fails preparing Win2K domain for Win2K3 DCs

Posted on 2005-03-14
Last Modified: 2008-05-13
I have a domain with three Win2K SP4 domain controllers: Server1 is a DC/DNS AD Int with all FSMO roles and is the global catalog server. Server2 and Server3 are both DC/DNS AD Int. I took Server1 offline to run ADPrep /forestprep after running DCDiag, etc. to pre-verify readiness. After booting and running ADPrep /forestPrep from the Win2K3 CD, it updated the schema but stopped the process without returning the schema to its original state. I don't have a good system state from Server1 to restore AD from. I am not sure if this is part of the issue, but Server1 is the only DC that was upgraded from NT to 2000.

I attempted the same process in our test area with little trouble in comparison (only a small DNS issue fixed with help from dnslint.exe) and successfully added a Win2K3 DC to our test domain.

It seems at this point my only option is to use ntdsutil and adsiedit to seize the roles, GCS and clean up the failed DC data from AD. However, if I have other options, I'd like to hear them. Below I will include abbreviated output of the ADPrep.log and the schupgr.log. Thanks in advance for any assistance.

From ADPrep.log
Adprep was about to call the following LDAP API. ldap_search_s(). The base
entry to start the search is

LDAP API ldap_search_s() finished, return code is 0x20

Adprep successfully determined whether Microsoft Windows Services for UNIX
(SFU) is installed or not. If adprep detected SFU, adprep also verified that
Microsoft hotfix Q293783 for SFU has been applied.

Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence] The schema will not be restored to its original state.
[User Action]  Check the Ldif.err log file in the
C:\WINNT\system32\debug\adprep\logs\20050311143717 directory for detailed

Adprep was unable to update forest-wide information.  [Status/Consequence]
Adprep requires access to existing forest-wide information from the schema
master in order to complete this operation. [User Action] Check the log
file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20050311143717
directory for more information.

From schupgr.log
Opened Connection to VABEACH5
SSPI Bind succeeded
Found Naming Context DC=vb,DC=vdh,DC=virginia,DC=gov
Found Naming Context CN=Schema,CN=Configuration,DC=vb,DC=vdh,DC=virginia,DC=gov
Found Naming Context CN=Configuration,DC=vb,DC=vdh,DC=virginia,DC=gov
Current Schema Version is 13
Upgrading schema to version 30
ERROR: Failed to transfer the schema FSMO role: 52 (Unavailable).   If the error code is "Insufficient Rights", make sure you are logged in as a member of the schema admin group.

Question by:jefmik
Expert Comment

ID: 13542134
It really looks to me as if the schema did NOT in fact get updated and that the schema master role was actually not held by the system you tried to perform the adprep on, which is the cause of the failure.  Can you verify that the schema master role is not held by either of the other two DCs?

Assisted Solution

NJComputerNetworks earned 200 total points
ID: 13544092
It is very important to verify that DNS is working right.  NSLOOKUP is a good tool to verify this.  For example, run NSLOOKUP and type in your domain name.  Make sure that all IP addresses for each DC are returned.

Also, it is important that your AD environment is clean and replicating properly.  Go into AD Sites and Services and try to manually replicate to each DC in your environment.  If, for example, you got rid of a DC without running DCPROMO, you will have replication problems.  You may run into schema update problems if your AD environment is not replicating properly.

However, I'm not sure what this exact error message means...(except that you ran the command without schema rights)
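The two checks in this answer (does DNS return every DC under the domain name, and is each DC replicating with its partners) can be scripted. The following is an added example, not code from the thread or from Experts Exchange; it uses only the .NET System.DirectoryServices.ActiveDirectory classes, so it needs no extra tools, and `Test-DcDnsAndReplication`, the `$DomainName` parameter and the 24-hour staleness threshold are my own choices.

```powershell
# Added example: list every DC of a domain, check whether its address is among the
# A records 'nslookup <domain>' returns, and query its inbound replication links.
# Assumes a domain-joined caller with read access; DCs that are offline are
# reported with 'unknown' replication state instead of aborting the run.
function Test-DcDnsAndReplication {
    param(
        [Parameter(Mandatory=$true)][string]$DomainName,
        [int]$MaxHoursSinceSync = 24   # assumed threshold; tune to your replication schedule
    )

    # Same data as 'nslookup <domain>': the A records registered for the domain name itself.
    $domainIps = [System.Net.Dns]::GetHostAddresses($DomainName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }

    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $cutoff = (Get-Date).AddHours(-$MaxHoursSinceSync)

    foreach ($dc in $domain.DomainControllers) {
        # A DC whose own address is missing from the domain's A records is the
        # "nslookup returns only server2" symptom from the question.
        try   { $dcIp = $dc.IPAddress } catch { $dcIp = $null }
        $registered = ($null -ne $dcIp) -and ($domainIps -contains $dcIp)

        # Inbound replication neighbours as the DC itself reports them.
        try   { $neighbours = @($dc.GetReplicationNeighbors()) }
        catch { $neighbours = $null }   # DC unreachable

        $failing = @()
        if ($null -ne $neighbours) {
            $failing = @($neighbours | Where-Object {
                $_.LastSyncResult -ne 0 -or $_.LastSuccessfulSync -lt $cutoff
            })
        }

        [pscustomobject]@{
            DC               = $dc.Name
            IPAddress        = $dcIp
            InDomainARecords = $registered
            ReplicationLinks = if ($null -eq $neighbours) { 'unknown' } else { $neighbours.Count }
            StaleOrFailing   = if ($null -eq $neighbours) { 'unknown' } else { $failing.Count }
            FailingSources   = ($failing | ForEach-Object { "$($_.SourceServer):$($_.PartitionName)" }) -join '; '
        }
    }
}

# Usage (domain name is a placeholder):
# Test-DcDnsAndReplication -DomainName 'corp.example.local' | Format-Table -AutoSize
```

A DC with `InDomainARecords` false is missing its host record under the domain name, which is what the nslookup test in this answer is meant to expose; a non-zero `StaleOrFailing` count points at the replication problems the answer warns about, and `FailingSources` names the partner and partition so the link can be inspected in AD Sites and Services.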

Author Comment

ID: 13545313
mansnes - The ADPrep.log also had in it dozens of lines like this:
Adprep copied file R:\I386\sch30.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file R:\I386\dcpromo.cs_ from installation point to local machine under directory C:\WINNT\system32\debug\adprep\data.
Indicating it had copied files to the server and I thought maybe this was part of AD. That combined with the fact the log also said the "Schema would not be restored to original state" makes me wonder. The schema master right now is held by Server1 (original Operations Masters DC that is offline) on all three servers. Is there a way to check the Schema version?

NJComputerNetworks - nslookup for the domain in the "Live" domain returns the IP of server2 only. On Server1 (original Operations Masters DC that is offline) it returns "DNS request timed out". I would think this is bad. On the replication, the two servers online will replicate with each other, returning "Active Directory has successfully replicated the connections". No, I haven't removed a DC without using DCPromo, but I have removed one before using it. On the Rights issue, I verified in advance that the account I was using was a member of the Enterprise Admins, Domain Admins and Schema Admins.


Accepted Solution

mansnes earned 1000 total points
ID: 13548256
You can see when the last modification to the schema was performed from ADSIedit.  Open up the Schema naming context and then get properties on CN=Schema,CN=Configuration,DC=yourdomain,dc=com.  (if you hide attributes without values, it'll make it easier to find what you're looking for.)  Of specific interest would be the attributes modifyTimeStamp and objectVersion.  Check to see if the objectVersion is the same on the isolated DC as on the production DCs.  The objectVersion on a schema that has had the 2003 additions applied is 30.

Expert Comment

ID: 13548301
There's also another location you can check to see if the schema additions have been implemented from within ADSIedit.  Check for the existence of the following attribute:

Author Comment

ID: 13549467
mansnes - I didn't find the Windows2003 attribute in either place (offline or online DC). But, I did find that both have the same objectVersion of 13. The Timestamps are about 15 minutes off, with the offline server having the latest stamp. My test area successfully updated (according to ADPrep) but it doesn't have the Windows2003 attribute. What do you think?

NJComputer - I did find the remnants of a successfully removed DC in ADSS and removed it. It didn't show up anywhere else. I cleared the DNS cache and scavenged old records. Now I can resolve the domain name with nslookup my.domain.com where I couldn't before.

Expert Comment

ID: 13549971
ADPREP always places the CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=domain_name,DC=domain_root on every domain controller that has had the updates applied successfully.  If the attribute is not there, the DC you're checking on has not had the updates successfully applied to it.  There's another one, too, for the domain updates (/domainprep) found at CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=domain_name,DC=root_name.

There's a decent article about performing offline schema updates in last month's Redmond magazine.  The article is based on a HUGE forest structure, so its purpose is to reduce replication issues, but it is quite relevant: http://www.redmondmag.com/columns/article.asp?EditorialsID=889
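The checks proposed so far in this thread, the schema objectVersion and modifyTimeStamp from mansnes's accepted answer, the "who actually holds the schema master role" question from the first comment, and the CN=Windows2003Update markers from the comment above, can all be read from one DC in a single query. The following is an added example written for this page, not code from the thread or from Microsoft; it uses only the `[ADSI]` type accelerator and `System.DirectoryServices.DirectoryEntry`, so it runs against a Windows 2000 DC from any machine with .NET, and `Get-SchemaUpdateStatus` and its `$Server` parameter are my own names.

```powershell
# Added example: report the schema version, when the schema container was last
# modified, which DC holds the schema FSMO role, and whether the adprep marker
# objects exist, all as seen from the DC named in $Server. Querying the isolated
# DC and a production DC side by side shows whether they disagree.
# Assumes read access to the schema and configuration partitions.
function Get-SchemaUpdateStatus {
    param([Parameter(Mandatory=$true)][string]$Server)

    # RootDSE gives the partition names without hard-coding the domain.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNc = $rootDse.Properties['schemaNamingContext'].Value
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $domainNc = $rootDse.Properties['defaultNamingContext'].Value

    # The schema container head carries objectVersion (13 for Windows 2000,
    # 30 once the Windows Server 2003 forestprep has applied) and fSMORoleOwner.
    $schema = [ADSI]"LDAP://$Server/$schemaNc"
    # modifyTimeStamp is an operational attribute and is only returned on request.
    $schema.RefreshCache(@('objectVersion', 'modifyTimeStamp', 'fSMORoleOwner'))

    # fSMORoleOwner is the DN of the role holder's NTDS Settings object:
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,<configNc>
    # so the server name is the second RDN (server names do not contain commas).
    $ownerDn      = [string]$schema.Properties['fSMORoleOwner'].Value
    $schemaMaster = (($ownerDn -split ',')[1] -replace '^CN=', '')

    # adprep creates these marker objects only when the update completed. Testing
    # for the object itself sidesteps the ADSIedit "hide attributes without
    # values" display issue discussed in this thread.
    $forestPrep = [System.DirectoryServices.DirectoryEntry]::Exists(
        "LDAP://$Server/CN=Windows2003Update,CN=ForestUpdates,$configNc")
    $domainPrep = [System.DirectoryServices.DirectoryEntry]::Exists(
        "LDAP://$Server/CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNc")

    [pscustomobject]@{
        Server         = $Server
        SchemaVersion  = [int]$schema.Properties['objectVersion'].Value
        SchemaModified = $schema.Properties['modifyTimeStamp'].Value
        SchemaMaster   = $schemaMaster
        ForestPrepDone = $forestPrep
        DomainPrepDone = $domainPrep
    }
}

# Usage (server names are placeholders): query the isolated DC and a production DC
# and compare the rows before running adprep again.
# 'server1', 'server2' | ForEach-Object { Get-SchemaUpdateStatus -Server $_ } | Format-Table -AutoSize
```

If `SchemaMaster` on the production DCs names a server other than the one adprep was run on, that explains the "Failed to transfer the schema FSMO role: 52 (Unavailable)" line in schupgr.log, since adprep must reach or hold the role to upgrade the schema; matching `SchemaVersion` values with `ForestPrepDone` false on every DC means the schema was never modified.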

Expert Comment

ID: 13549995
I think I know why you don't see that Windows2003Update attribute.  If you have Win2k's ADSIedit set to hide attributes with no values, it won't show up since its mere existence is what defines whether or not the updates have been applied.  This attribute has no value.  If the attribute exists, they have been applied.  If there is no such attribute, then they haven't.  Win2003's ADSIedit has a different UI and it exposes that attribute when you drill down to it.

Expert Comment

ID: 13550033
If you look closely at the end of your original posting at the lines

Current Schema Version is 13
Upgrading schema to version 30
ERROR: Failed to transfer the schema FSMO role: 52 (Unavailable).  

That, with your posting saying your schema is still at version 13 tells me that you did not update the schema.  The last line of your posting would seem to indicate the process was trying to get the schema FSMO role but could not (because the role holder was kept on the production network and this server was isolated from that network for the updates).

I'd say connect the server back up to production, let replication do its thing to get this server back up to date, transfer the Schema FSMO role to this server, disconnect it from the network and try again.

Expert Comment

ID: 13550067
and you shouldn't worry about this:

Adprep copied file R:\I386\sch30.ldf from installation point to local machine under directory C:\WINNT\system32.
Adprep copied file R:\I386\dcpromo.cs_ from installation point to local machine under directory C:\WINNT\system32\debug\adprep\data.
Indicating it had copied files to the server and I thought maybe this was part of AD

The Active Directory database is actually contained within a single file called ntds.dit.  It was just copying the data for the update to a folder for processing.

Author Comment

ID: 13552291
mansnes - I agree, the schema seems to be intact. The FSMO issue concerns me though, because this (the offline DC) was the operations master for all 5 roles and the GCS. I will have two GCSs in the domain from now on. I checked all the roles in the MMCs prior to starting the process, but I guess that wasn't enough. But, it could be a replication issue that existed prior to starting the process.

I was looking at ADPrep and there is a NoFileCopy option that I can't find any docs about. Are you familiar with it?

It is most likely that we will just put the DC back online, stabilize the domain and proceed from there. Won't happen until thu night or sat though.

Expert Comment

ID: 13557899
didn't know about the NoFileCopy switch but I'd imagine it just keeps adprep from doing the step it did on your system and instead pulls the files directly from the CD for the schema and domain upgrades.

Let me know how it goes!

Author Comment

ID: 13583067
mansnes - After some final testing, brought the DC (Server1) back online and it has been replicating fine. Added 2 new users and verified objects replicated to other DCs. I verified the schema on all three servers and the Versions were the same. We didn't have a lot of Group policies in effect, but the ones that were are still there. Quite a relief. It is likely I could have just put the DC back online last weekend, but I just wanted to be sure. Thanks so much for your help!

njcomputer - there was a DNS configuration issue in the TCP/IP properties, DNS suffix settings that I had to tweak. I don't understand why it worked, because I changed the settings from the original settings, then returned to the original and then resolution worked as expected. But, I don't care, I'll take it. Thanks!
