Solved

adprep /domainprep failure

Posted on 2007-12-04
6
1,299 Views
Last Modified: 2013-12-05
I try to upgrade a windows 2000 domain to windows 2003.
First I give the command adprep / forestprep with succes.
Then I give the command adprep /domainprep and get the following error:
"Adprep was unable to modify the security descriptor on object CN=User"

The masterroles are all available
The rights for enterprise and domain admins are correct
I checked the registry key sysvol with the correct path

attached the part of the logfile with the failure message

Adprep was unable to modify the security descriptor on object CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.
 

[Status/Consequence] 
 

ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
 

[User Action] 
 

Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.
 

Adprep encountered an LDAP error. 
 

Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
 
 
 

Adprep was unable to update domain-wide information. 
 

[Status/Consequence]
 

Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
 

[User Action]

Open in new window

0
Comment
Question by:ldhbeheer
  • 2
  • 2
  • 2
6 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20401993
Do you have schema administrator privilages?
make sure the account is not only a domain admin, but both an enterprise admin and schema administrator
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20401997
...
How long did you wait after running /forestprep - it could just be a matter of waiting a while for the changes to replicate
0
 

Author Comment

by:ldhbeheer
ID: 20402045
The user is member of the DA, EA and the schema admin and I waited one day after running adprep /forestprep
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 51

Expert Comment

by:Netman66
ID: 20402813
This:

CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.

refers to a Group Policy Object (GPO) that you have removed the default ACEs from - either denying access to Domain and or Enterprise Admins or removing them from the policy.

0
 

Author Comment

by:ldhbeheer
ID: 20418198
This policy, wich is probably the problem,  "CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL." is the default domain policy.
For this policy i have granted full access for the DA and EA groups and still I have the notification unkown when I open policies under AD, system
when I try to open this policy under system/policies I get a message "you have  no permission to view this object.
How can I change that.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 20418821
Open SYSVOL on the server (C:\Windows\Sysvol\SYSVOL\domain\policies\GUID)
On the User folder, check the permissions.
It's likely they don't match what permissions have been set on the Default Domain Policy GPO.

Make them consistent.

To ensure the GPO is correct, check the ACLs against a new GPO you create at the domain level - just create one, but don't link it.  Use the default ACLs as a guide to reset the Default Domain Policy.  Also use the folders in SYSVOL for the new policy as a guide to getting the permissions correct on the DDP folders.

0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now