Solved

adprep /domainprep failure

Posted on 2007-12-04
6
1,304 Views
Last Modified: 2013-12-05
I try to upgrade a windows 2000 domain to windows 2003.
First I give the command adprep / forestprep with succes.
Then I give the command adprep /domainprep and get the following error:
"Adprep was unable to modify the security descriptor on object CN=User"

The masterroles are all available
The rights for enterprise and domain admins are correct
I checked the registry key sysvol with the correct path

attached the part of the logfile with the failure message

Adprep was unable to modify the security descriptor on object CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.
 
[Status/Consequence] 
 
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
 
[User Action] 
 
Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.
 
Adprep encountered an LDAP error. 
 
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
 
 
 
Adprep was unable to update domain-wide information. 
 
[Status/Consequence]
 
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
 
[User Action]

Open in new window

0
Comment
Question by:ldhbeheer
  • 2
  • 2
  • 2
6 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20401993
Do you have schema administrator privilages?
make sure the account is not only a domain admin, but both an enterprise admin and schema administrator
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20401997
...
How long did you wait after running /forestprep - it could just be a matter of waiting a while for the changes to replicate
0
 

Author Comment

by:ldhbeheer
ID: 20402045
The user is member of the DA, EA and the schema admin and I waited one day after running adprep /forestprep
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 51

Expert Comment

by:Netman66
ID: 20402813
This:

CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.

refers to a Group Policy Object (GPO) that you have removed the default ACEs from - either denying access to Domain and or Enterprise Admins or removing them from the policy.

0
 

Author Comment

by:ldhbeheer
ID: 20418198
This policy, wich is probably the problem,  "CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL." is the default domain policy.
For this policy i have granted full access for the DA and EA groups and still I have the notification unkown when I open policies under AD, system
when I try to open this policy under system/policies I get a message "you have  no permission to view this object.
How can I change that.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 20418821
Open SYSVOL on the server (C:\Windows\Sysvol\SYSVOL\domain\policies\GUID)
On the User folder, check the permissions.
It's likely they don't match what permissions have been set on the Default Domain Policy GPO.

Make them consistent.

To ensure the GPO is correct, check the ACLs against a new GPO you create at the domain level - just create one, but don't link it.  Use the default ACLs as a guide to reset the Default Domain Policy.  Also use the folders in SYSVOL for the new policy as a guide to getting the permissions correct on the DDP folders.

0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question