?
Solved

adprep /domainprep failure

Posted on 2007-12-04
6
Medium Priority
?
1,318 Views
Last Modified: 2013-12-05
I try to upgrade a windows 2000 domain to windows 2003.
First I give the command adprep / forestprep with succes.
Then I give the command adprep /domainprep and get the following error:
"Adprep was unable to modify the security descriptor on object CN=User"

The masterroles are all available
The rights for enterprise and domain admins are correct
I checked the registry key sysvol with the correct path

attached the part of the logfile with the failure message

Adprep was unable to modify the security descriptor on object CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.
 
[Status/Consequence] 
 
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
 
[User Action] 
 
Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.
 
Adprep encountered an LDAP error. 
 
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
 
 
 
Adprep was unable to update domain-wide information. 
 
[Status/Consequence]
 
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
 
[User Action]

Open in new window

0
Comment
Question by:ldhbeheer
  • 2
  • 2
  • 2
6 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20401993
Do you have schema administrator privilages?
make sure the account is not only a domain admin, but both an enterprise admin and schema administrator
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20401997
...
How long did you wait after running /forestprep - it could just be a matter of waiting a while for the changes to replicate
0
 

Author Comment

by:ldhbeheer
ID: 20402045
The user is member of the DA, EA and the schema admin and I waited one day after running adprep /forestprep
0
Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

 
LVL 51

Expert Comment

by:Netman66
ID: 20402813
This:

CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL.

refers to a Group Policy Object (GPO) that you have removed the default ACEs from - either denying access to Domain and or Enterprise Admins or removing them from the policy.

0
 

Author Comment

by:ldhbeheer
ID: 20418198
This policy, wich is probably the problem,  "CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=NHK,DC=NL." is the default domain policy.
For this policy i have granted full access for the DA and EA groups and still I have the notification unkown when I open policies under AD, system
when I try to open this policy under system/policies I get a message "you have  no permission to view this object.
How can I change that.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 20418821
Open SYSVOL on the server (C:\Windows\Sysvol\SYSVOL\domain\policies\GUID)
On the User folder, check the permissions.
It's likely they don't match what permissions have been set on the Default Domain Policy GPO.

Make them consistent.

To ensure the GPO is correct, check the ACLs against a new GPO you create at the domain level - just create one, but don't link it.  Use the default ACLs as a guide to reset the Default Domain Policy.  Also use the folders in SYSVOL for the new policy as a guide to getting the permissions correct on the DDP folders.

0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question