Solved

adprep /domainprep failure

Posted on 2007-12-04
Last Modified: 2013-12-05
I try to upgrade a Windows 2000 domain to Windows 2003.
First I give the command adprep /forestprep with success.
Then I give the command adprep /domainprep and get the following error:
"Adprep was unable to modify the security descriptor on object CN=User"

The master roles are all available.
The rights for enterprise and domain admins are correct.
I checked the registry key sysvol with the correct path.

Attached is the part of the logfile with the failure message:

Adprep was unable to modify the security descriptor on object CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.
 
[Status/Consequence] 
 
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
 
[User Action] 
 
Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.
 
Adprep encountered an LDAP error. 
 
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
 
 
 
Adprep was unable to update domain-wide information. 
 
[Status/Consequence]
 
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
 
[User Action]

Question by:ldhbeheer
6 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20401993
Do you have schema administrator privileges?
Make sure the account is not only a domain admin, but both an enterprise admin and schema administrator.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20401997
...
How long did you wait after running /forestprep? It could just be a matter of waiting a while for the changes to replicate.
0
 

Author Comment

by:ldhbeheer
ID: 20402045
The user is a member of the DA, EA and the schema admin, and I waited one day after running adprep /forestprep.
0

 
LVL 51

Expert Comment

by:Netman66
ID: 20402813
This:

CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.

refers to a Group Policy Object (GPO) that you have removed the default ACEs from - either denying access to Domain and/or Enterprise Admins or removing them from the policy.

0
 

Author Comment

by:ldhbeheer
ID: 20418198
This policy, which is probably the problem, "CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL." is the default domain policy.
For this policy I have granted full access for the DA and EA groups, and still I have the notification "unknown" when I open Policies under AD, System.
When I try to open this policy under System/Policies I get a message "you have no permission to view this object".
How can I change that?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 20418821
Open SYSVOL on the server (C:\Windows\Sysvol\SYSVOL\domain\policies\GUID)
On the User folder, check the permissions.
It's likely they don't match what permissions have been set on the Default Domain Policy GPO.

Make them consistent.

To ensure the GPO is correct, check the ACLs against a new GPO you create at the domain level - just create one, but don't link it.  Use the default ACLs as a guide to reset the Default Domain Policy.  Also use the folders in SYSVOL for the new policy as a guide to getting the permissions correct on the DDP folders.

0
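The comparison described in the accepted solution, as an added PowerShell example that is not part of the original thread: it diffs the ACEs on the Default Domain Policy's `CN=User` object and SYSVOL `User` folder against those of a newly created, unlinked GPO. It assumes PowerShell is available on the domain controller; `$ReferenceGuid` is a placeholder for the new GPO's GUID, and the function name `Get-AceSummary` is hypothetical.

```powershell
# Added example: diff the Default Domain Policy ACLs against a fresh, unlinked reference GPO.
param(
    [Parameter(Mandatory = $true)]
    [string]$ReferenceGuid,   # placeholder: '{GUID}' of the new GPO created as a baseline
    [string]$TargetGuid  = '{31B2F340-016D-11D2-945F-00C04FB984F9}',   # GPO named in the adprep log
    [string]$DomainDn    = 'DC=NHK,DC=NL',                             # domain from the adprep log
    [string]$PoliciesDir = 'C:\Windows\Sysvol\SYSVOL\domain\policies'  # path from the answer
)

# Turn each ACE into one comparable line; fall back to the raw SID if it cannot be resolved.
function Get-AceSummary($Security) {
    foreach ($ace in $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $who = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $ace.IdentityReference.Value }
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $ace.FileSystemRights } else { $ace.ActiveDirectoryRights }
        '{0} | {1} | {2} | inherited={3}' -f $who, $ace.AccessControlType, $rights, $ace.IsInherited
    }
}

# The two places the answer says to check, each read the same way for both GPOs.
$stores = @{
    'AD object CN=User'  = { param($g) ([ADSI]"LDAP://CN=User,CN=$g,CN=Policies,CN=System,$DomainDn").psbase.ObjectSecurity }
    'SYSVOL User folder' = { param($g) Get-Acl -Path (Join-Path $PoliciesDir "$g\User") -ErrorAction Stop }
}

foreach ($name in $stores.Keys) {
    try {
        $ref = @(Get-AceSummary (& $stores[$name] $ReferenceGuid))
        $tgt = @(Get-AceSummary (& $stores[$name] $TargetGuid))
    } catch {
        # Matches the "no permission to view this object" symptom: the descriptor is unreadable.
        Write-Warning "$name : cannot read security descriptor ($($_.Exception.Message))"
        continue
    }
    # '<=' means the ACE exists only on the reference GPO, '=>' only on the target.
    Compare-Object $ref $tgt | ForEach-Object {
        $finding = if ($_.SideIndicator -eq '<=') { 'missing on target' } else { 'extra on target' }
        New-Object psobject -Property @{ Store = $name; Finding = $finding; Ace = $_.InputObject }
    }
}
```

The script only reports differences for review; it changes no permissions.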

Question has a verified solution.
