Solved

adprep /domainprep failure

Posted on 2007-12-04
Last Modified: 2013-12-05
I am trying to upgrade a Windows 2000 domain to Windows 2003.
First I gave the command adprep /forestprep, with success.
Then I gave the command adprep /domainprep and got the following error:
"Adprep was unable to modify the security descriptor on object CN=User"

The master roles are all available.
The rights for Enterprise and Domain Admins are correct.
I checked the registry key SysVol; it has the correct path.

Attached is the part of the log file with the failure message:

Adprep was unable to modify the security descriptor on object CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.
 
[Status/Consequence] 
 
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
 
[User Action] 
 
Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.
 
Adprep encountered an LDAP error. 
 
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
 
 
 
Adprep was unable to update domain-wide information. 
 
[Status/Consequence]
 
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
 
[User Action]

Question by:ldhbeheer
6 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20401993
Do you have schema administrator privileges?
Make sure the account is not only a domain admin, but both an enterprise admin and schema administrator.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20401997
...
How long did you wait after running /forestprep? It could just be a matter of waiting a while for the changes to replicate.
0
 

Author Comment

by:ldhbeheer
ID: 20402045
The user is a member of the DA, EA and the schema admin, and I waited one day after running adprep /forestprep.
0

 
LVL 51

Expert Comment

by:Netman66
ID: 20402813
This:

CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.

refers to a Group Policy Object (GPO) that you have removed the default ACEs from, either denying access to Domain and/or Enterprise Admins or removing them from the policy.

0
 

Author Comment

by:ldhbeheer
ID: 20418198
This policy, which is probably the problem, "CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL." is the default domain policy.
For this policy I have granted full access for the DA and EA groups, and still I have the notification "unknown" when I open Policies under AD, System.
When I try to open this policy under System/Policies I get a message "you have no permission to view this object".
How can I change that?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 20418821
Open SYSVOL on the server (C:\Windows\Sysvol\SYSVOL\domain\policies\GUID)
On the User folder, check the permissions.
It's likely they don't match what permissions have been set on the Default Domain Policy GPO.

Make them consistent.

To ensure the GPO is correct, check the ACLs against a new GPO you create at the domain level - just create one, but don't link it.  Use the default ACLs as a guide to reset the Default Domain Policy.  Also use the folders in SYSVOL for the new policy as a guide to getting the permissions correct on the DDP folders.

0
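
The comparison described in the accepted solution, as an added example that is not part of the original thread: a read-only PowerShell check that diffs the ACEs on the Default Domain Policy's User container and SYSVOL User folder against those of an unlinked reference GPO. It assumes a management host with the ActiveDirectory and GroupPolicy modules, English group names, and a reference GPO named 'ACL-Reference' (a hypothetical name).

```powershell
# Added example: read-only, changes no permissions.
Import-Module ActiveDirectory, GroupPolicy

$ReferenceGpoName = 'ACL-Reference'   # assumption: the unlinked GPO you created as a guide
$domain = Get-ADDomain

# Return one sortable string per ACE; warn instead of failing when the ACL is unreadable.
function Get-AceSummary {
    param([string]$Path, [string]$RightsProperty)
    try {
        (Get-Acl -Path $Path -ErrorAction Stop).Access | ForEach-Object {
            '{0} | {1} | {2} | inherited={3}' -f $_.AccessControlType,
                $_.IdentityReference, $_.$RightsProperty, $_.IsInherited
        } | Sort-Object -Unique
    } catch {
        Write-Warning "Cannot read ACL on $Path : $($_.Exception.Message)"
    }
}

# Collect the ACEs of a GPO's User container (AD) and User folder (SYSVOL).
function Get-GpoUserAces {
    param([string]$GpoName)
    $guid = '{' + (Get-GPO -Name $GpoName).Id.ToString().ToUpper() + '}'
    [pscustomobject]@{
        AD     = @(Get-AceSummary "AD:\CN=User,CN=$guid,CN=Policies,CN=System,$($domain.DistinguishedName)" 'ActiveDirectoryRights')
        SYSVOL = @(Get-AceSummary "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$guid\User" 'FileSystemRights')
    }
}

$ddp = Get-GpoUserAces 'Default Domain Policy'
$ref = Get-GpoUserAces $ReferenceGpoName

# Report ACEs the reference GPO has that the DDP lacks, and the reverse.
foreach ($side in 'AD', 'SYSVOL') {
    if (-not $ddp.$side -or -not $ref.$side) { continue }   # unreadable: warned above
    Compare-Object -ReferenceObject $ref.$side -DifferenceObject $ddp.$side |
        Select-Object @{n='Where';  e={ $side }},
                      @{n='Status'; e={ if ($_.SideIndicator -eq '<=') { 'missing from DDP' } else { 'extra on DDP' } }},
                      @{n='ACE';    e={ $_.InputObject }}
}

# Deny entries naming the admin groups match the diagnosis given earlier in the thread.
$ddp.AD + $ddp.SYSVOL | Where-Object { $_ -match '^Deny \| .*\\(Domain|Enterprise) Admins \|' }
```

A warning that the ACL cannot be read on the AD path is itself a finding: it corresponds to the "no permission to view this object" message reported above.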
