ldhbeheer
asked on
adprep /domainprep failure
I am trying to upgrade a Windows 2000 domain to Windows 2003.
First I give the command adprep /forestprep with success.
Then I give the command adprep /domainprep and get the following error:
"Adprep was unable to modify the security descriptor on object CN=User"
The master roles are all available.
The rights for enterprise and domain admins are correct.
I checked the registry key sysvol with the correct path.
Attached is the part of the log file with the failure message.
Adprep was unable to modify the security descriptor on object CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
[User Action]
Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.
Adprep encountered an LDAP error.
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
Adprep was unable to update domain-wide information.
[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
[User Action]
...
How long did you wait after running /forestprep? It could just be a matter of waiting a while for the changes to replicate.
ASKER
The user is a member of the DA, EA and the schema admin groups, and I waited one day after running adprep /forestprep.
This:
CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.
refers to a Group Policy Object (GPO) that you have removed the default ACEs from - either denying access to Domain and/or Enterprise Admins or removing them from the policy.
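As an added example (not part of the original thread), this Python code pulls the failing object DNs out of Adprep.log text and flags those that sit under a group policy container, naming the two default GPOs by their well-known GUIDs. The function and field names are assumptions; the sample log lines are copied from the excerpt posted in the question.

```python
import re

# Well-known GUIDs of the two GPOs created with every AD domain.
WELL_KNOWN_GPOS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}

# The failing object DN follows this phrase; Adprep ends the sentence with a period.
FAIL_RE = re.compile(
    r"unable to modify the security descriptor on object\s+(?P<dn>\S.*?)\.?\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# A group policy container lives at CN={GUID},CN=Policies,CN=System,<domain DN>.
GPO_RE = re.compile(
    r"(?P<gpo>CN=\{(?P<guid>[0-9A-F-]{36})\},CN=Policies,CN=System,(?P<dc>DC=.+))$",
    re.IGNORECASE,
)

def failed_objects(log_text):
    """Return one record per object whose security descriptor Adprep could not update."""
    records, seen = [], set()
    for match in FAIL_RE.finditer(log_text):
        dn = match.group("dn")
        if dn.upper() in seen:  # skip repeats of the same DN
            continue
        seen.add(dn.upper())
        rec = {"dn": dn, "gpo_dn": None, "gpo_name": None, "domain": None}
        gpo = GPO_RE.search(dn)
        if gpo:
            rec["gpo_dn"] = gpo.group("gpo")  # the object whose ACL to inspect
            rec["gpo_name"] = WELL_KNOWN_GPOS.get(gpo.group("guid").upper(), "custom GPO")
            # DC=NHK,DC=NL -> nhk.nl
            rec["domain"] = ".".join(p.split("=", 1)[1] for p in gpo.group("dc").split(",")).lower()
        records.append(rec)
    return records

# Lines copied from the log excerpt posted in the question.
SAMPLE_LOG = """\
Adprep was unable to modify the security descriptor on object CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
"""

if __name__ == "__main__":
    for rec in failed_objects(SAMPLE_LOG):
        print(rec)
```

The `gpo_dn` value is the container whose permissions for Domain Admins and Enterprise Admins need to be compared against the defaults.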
ASKER
This policy, which is probably the problem, "CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL." is the default domain policy.
For this policy I have granted full access for the DA and EA groups and still I have the notification unknown when I open policies under AD, system.
When I try to open this policy under system/policies I get a message "you have no permission to view this object".
How can I change that?
Make sure the account is not only a domain admin, but both an enterprise admin and schema administrator.