Unable to run "setup /forestprep" during Exchange 2003 install. Permissions error encountered.

Last Modified: 2012-06-27
I'm bringing up a brand new network for one of my clients.  I built a brand new server, installed Windows 2003 and then promoted it to a DC.  Everything went fine until I tried to install Exchange.

(I'm aware of the pitfalls associated with installing Exchange on a DC.  Unfortunately, they are a necessary evil in this situation.)

setup /forestprep returns the following error:

The component "Microsoft Exchange Forest Preparation" cannot be assigned
the action "ForestPrep" because:
 - Either you do not have permission to update the Active
Directory schema or Active Directory service is currently too busy.

I'm aware of the Knowledge Base article KB274196 which identifies the "remote registry service" as the culprit.  My server has this service running correctly and my Exchange setup log does not contain the same errors listed in that KB article.

Here is a copy of my Exchange install log: http://pastebin.ca/730149

Here is a copy of netdiag's output:  http://pastebin.ca/730151

Here is a copy of dcdiag's output: http://pastebin.ca/730152 

Any assistance would be appreciated.


Brian Pierce, Photographer
Awarded 2007
Top Expert 2008

Make sure that the account you are using is a member of the schema administrators group.


I am doing this as the Domain Administrator who is a schema administrator by default.  I double checked just in case the permission had been removed.  Everything is fine.


Sorry, I think that was a little vague.  I mean to say that there were no problems with the domain administrator's permissions.  The overall problem persists.


It wasn't that vague.

Anyway, there are a few things here.  First, I would reboot, then try setup again - I know, I know, amazingly scientific.  

Second, assuming that does no good, I would make the Domain admin account you are using a member of the local administrators group (it is a long shot, I know, and it shouldn't matter as it is already in there with domain admins, but humour me - then reboot and try again).

Third, how many servers?  Is this Exchange server the first DC?  If not, find out which one is, find out if it is the Schema Master FSMO role holder, and then run forestprep on that one.

Finally, you could also have a look at this, but it is another long shot -> http://support.microsoft.com/kb/326262
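
The prerequisites raised so far in this thread (Schema Admins membership, local Administrators membership, the Remote Registry service from KB274196, and the Schema Master role holder) can be checked in one pass before rerunning setup. The batch file below is an added example, not part of the original thread; it assumes a Windows Server 2003 domain controller where `whoami`, `sc` and `dsquery` are available, and the Enterprise Admins check is an addition the thread does not mention.

```bat
@echo off
setlocal
rem Added example (not from the thread): ForestPrep pre-flight checks.
rem Assumes Windows Server 2003 on a domain controller, run as the
rem account that will run setup /forestprep.
set FAIL=0

call :group "Schema Admins"
rem Assumption: Enterprise Admins is not mentioned in the thread.
call :group "Enterprise Admins"
rem S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
call :group "S-1-5-32-544"

rem KB274196, cited in the thread, concerns the Remote Registry service.
sc query RemoteRegistry | findstr /c:"RUNNING" >nul
if errorlevel 1 (
  echo [FAIL] Remote Registry service is not running
  set FAIL=1
) else (
  echo [ OK ] Remote Registry service is running
)

rem Show the Schema Master role holder and compare it to this machine.
for /f "delims=" %%S in ('dsquery server -hasfsmo schema') do echo [INFO] Schema master: %%~S
dsquery server -hasfsmo schema | findstr /i /c:"CN=%COMPUTERNAME%," >nul
if errorlevel 1 (
  echo [WARN] This server is not the Schema Master
) else (
  echo [ OK ] This server holds the Schema Master role
)

exit /b %FAIL%

:group
rem The argument is a quoted group name or SID to find in the logon token.
whoami /groups | findstr /i /c:%1 >nul
if errorlevel 1 (
  echo [FAIL] current token lacks %~1
  set FAIL=1
) else (
  echo [ OK ] current token has %~1
)
goto :eof
```

`whoami /groups` reads the current logon token, so a group membership change shows up only after logging off and back on.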



Hey Red,

I've already tried the reboot trick twice.  I love the magic of rebooting.  Unfortunately, no dice this time.

So far as I'm aware, a system that has been promoted to a DC no longer has a "local administrators" group.  I hunted around for one just in case but there's nothing like that in AD, and the "users and groups" item has been removed from the computer management tree.

This is the only server in the domain (the only computer at all for that matter) so it is the Schema master.

I had already gone through that article.  I even made that change to the registry, even though those errors do not appear in my setup log.  No dice there either.


Why is netdiag showing up as Windows 2000?  And why have you not updated the server at all (you only have 2 listed hotfixes)?


This seems unrelated but it might be important information.  

This is a rebuild of their previous server which crashed with no backup.  I was able to pull a copy of the ntds.dit file off of the crashed server and attempted to recover it after rebuilding the server with identical settings.

Since I didn't have a system state backup I attempted my recovery using ntdsutil in DS recovery mode.  I simply set the db path to a different directory containing the old ntds.dit file.  Unfortunately this did not work because no one knew the original DSRM password, so I returned the settings to the original path.  I ran "integrity" which succeeded and then booted the server with no further problems.


I don't have a clue why netdiag is showing the server as Windows 2000.  I thought that was pretty strange too.  I am actually running the SP2 update as I type this.  I'm headed home after that but I'll report back in the morning.

Thanks for all the help so far.  I really appreciate the friendly respect that you capably communicate in your messages.



Why are you trying to recover anything on what sounds like a clean network install?  What is stopping you from formatting it and starting again?


Several answers:

There was a pre-existing network here before I came along.  They hired me to re-create their network after a total server failure.  When I walked in the door they had a non-functional DC with two of the 3 RAID5 drives in failure mode.  I forced the array back online and was able to copy the ntds.dit file (that's the Active Directory database) from the degraded array.

I then started from scratch and built them a fresh server.  The first thing I tried to do was recover their pre-existing AD database so as to not have to rebuild all their accounts from scratch.  I used the ntdsutil method that I mentioned above.  That was unsuccessful because no one remembered the old DSRM password.  So, I proceeded with the fresh AD database.

At this point I've recreated all their accounts and group permissions for file shares, all their workstations have been joined to the domain (my assistant did that last night) and all their old profiles have been transferred into new ones.  That is why I don't want to format and reinstall.

At this point I think our best lead is probably the weird "Windows 2000" message in netdiag.  I ran a fixboot to see if it was something with the kernel but that didn't seem to do much.  (To be honest, I don't know what fixboot really fixes.)


How many users are we talking about here?

Anyway, rebuilds aside (FWIW, I NEVER use a server that gives me problems when configuring it - if something goes wrong, it gets formatted til it plays nice - it might take 4 or 5 installs, but it is worth it), how did the service pack and updates go for Windows?

Where did you get netdiag?  Download the latest version in the support tools.




So here's the solution.  If you're reading this thread hoping for an elegant answer, I'm sorry but I'm not going to be able to provide one.

I ran out of time to wait for assistance and went with the hit-it-with-a-hammer method.  I took a system-state backup of the server and formatted it.  After rebuilding it exactly as it had been before, I recovered the system state.  All of this was done using the built-in backup software (formerly known as ntbackup).  Once I had recovered the system state I no longer had the forestprep error.  I'm still in the dark as to why it was happening in the first place.

All I learned about the problem is that it isn't related to netdiag reporting the wrong OS (it still does that) and whatever was causing the trouble isn't stored in the system state.
