Solved

Adprep /forestprep fails

Posted on 2009-07-03
38
2,184 Views
Last Modified: 2012-05-07
I am trying to update a 2008 standard server to an existing 2000 domain.  The 2000 standard server is the only DC on this network.  I am logged in as the domain administrator on the 2000 server.  DNS is working correctly.  I get an error when I try to run adprep /forestprep and will not let me continue.  Below are the error log files that were generated by the adprep utility.

ldif.log

There is a syntax error in the input file
Failed on token starting with 'o' on line 63
8 entries modified successfully.
An error has occurred in the program

schupgr.log

Opened Connection to BURLING1
SSPI Bind succeeded
Found Naming Context DC=burling,DC=local
Found Naming Context CN=Schema,CN=Configuration,DC=burling,DC=local
Found Naming Context CN=Configuration,DC=burling,DC=local
Current Schema Version is 22
Upgrading schema to version 44
The command line passed to ldifde is C:\WINNT\system32\ldifde -i -f C:\WINNT\system32\sch23.ldf -s BURLING1 -c DC=X DC=burling,DC=local
ERROR: Import from file C:\WINNT\system32\sch23.ldf failed. Error file is saved in ldif.err.23.

If the error is "Insufficient Rights" (Ldap error code 50), please make sure the current logged on user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun schupgr.exe.

Sch23.ldf
# change objects in configuration container

dn: CN=DS-Replication-Get-Changes-All,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass  SMB.                 ( 8 ^       \<           ] # attrib6da0-11d0-afd3-00c04fd930c9
appliesTo: bf967a87-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
displayName: Replicating Directory Changes All
localizationDisplayId: 62
rightsGUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
validAccesses: 256

The ojectClass line is line 63 from the sch23.ldf file.  I believe this is my issue, but I don't know how to resolve this issue.  Please Help.  Thanks
0
Comment
Question by:matucker1975
  • 14
  • 13
  • 10
  • +1
38 Comments
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24774587
Silly but quick questions from me:
IS the user you're running ADPRep with a schema administrator.
Have you enabled schema updates?
Are you running adprep on the schema master?

Do you have exchange 2000 installed?
0
 
LVL 4

Assisted Solution

by:Mike_Courtney
Mike_Courtney earned 300 total points
ID: 24774597
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24774712
Do you just want to join the domain with the 2008 server or are you trying to prepare to promote it to a DC?  If the former, just join the domain. :)
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24774720
BTW (after the 2008 server is on the domain?) try running the prep from it instead?
0
 

Author Comment

by:matucker1975
ID: 24774825
The schema updates are enabled, the administrator account is a member of the following groups Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners,  and Schema Admins.  Exchange 2000 is not installed.  

One thing interesting is sysvol and netlogon are not listed as network share.  I don't know if this matters, but I thought I would provide the information
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24774835
Are you running this on a DC with the Schema master role?

IF you are and no Sysvol or netlogon share are visible from a net share command then it sounds like you have a FRS issue - are there entries in the FRS log?
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24774838
If sysvol/netlogon aren't listed try DCDIAG and NETDIAG on the DC and check your FRS event log.  Also see questions above.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24774841
MC there is evidently only one DC from what I read.
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24774893
HeHe, thans DatedMan - it's late here in the UK.

MaTucker, can you confirm that you've run a net share on the DC and it's not showing Sysvol or Netlogon share.
If so are there any entries in the System/FRS application log
0
 

Author Comment

by:matucker1975
ID: 24774953
I have ran net share and syslog and netlogon are not shares.  I was able to get the frs to sync.

Event Type:      Information
Event Source:      NtFrs
Event Category:      None
Event ID:      13516
Date:            7/3/2009
Time:            1:12:07 PM
User:            N/A
Computer:      BURLING1
Description:
The File Replication Service is no longer preventing the computer BURLING1 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type "net share" to check for the SYSVOL share.

This is fine, but when you do a sysvol, it still does not show the sysvol and netlogon shares.  When I run netdiag, no errors.  I do have SQL 2000 running on this server, if that matters.  I wondering how to fix the Sch23.ldf file that is erroring out.  It looks like it may not have the correct object id, line 63.  This is the only present dc.  It is a windows 2000 server.  Im trying to promote a 2008 server to dc.  The 2008 server is on the domain.  I saw an entery to run the adprep on the 2008 server.  Is that correct?  I have not tried that yet.

0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24774975
It seems to be working - ldap is binding, it's identifying the current version as 22 - I'd be inclined to run it on the DC (reduce likelihood of errors)
Did you check out the article I posted - it seems it's running.
I am concerned about the lack of sysvol on the DC though.

Try running it on the W2000 DC after going through that article please
0
 

Author Comment

by:matucker1975
ID: 24775061
Mike, I am using an oem dell 2008 server dvd from the new server.  I am accessing the dvd on the old server from a network share.  The old server does not have a dvd player.  I have been running the adprep from m:\service\adprep\adprep.exe /forestprep.  In the adprep folder, there is an folder us-en folder that has an adprep.exe.mui file.  Do I need to try to run this file?  Do I need to remove the mui ext?   Orginally, I tried to copy the adprep folder to the c drive, and it did not run.  Thanks for your quick responses everyone.
0
 

Author Comment

by:matucker1975
ID: 24775066
Does anyone think that the sysvol and netlogon shares will ok on the 2008 server dc after it is promoted?
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24775331
I don't think things will be right until you're sharing SYSVOL.
0
 
LVL 4

Assisted Solution

by:Mike_Courtney
Mike_Courtney earned 300 total points
ID: 24776164
As you have a Windows 2000 domain you must complete the Forestprep and domainprep before you can make the 2008 server a DC. (In the same domani at least)

So we need to make sure your forestprep work.

Now you've explained the setup I'd suggest you copy the source/adprep directory from the DVD to the local drive of the Windows 2000 DC.

As you've already tried running it and it hasn't errored prior to importing the files I assume you're running Service Pack 4 on the 2000 DC.

I have concerns that your sysvol and netlogon aren't appearing - but can you explain exactly what you're doing to check if the SYSVOL and NETLOGON shares are present. Bearing in mind that these shares will only be on the 2000 DC.

They will appear on the 2008 DC after you've run DCPROMO and the SYSVOL has replicated from the Windows 2000 DC.

So can you confirm how you're checking the sysvol presence.
Then try it again after copying the files locally.
My instinct is to say there's a 'funny' with the running of ADPRep rather than any issue with the DC as it seems to be binding OK at the start of the forestprep.

Did you look over the article I sent a link to
0
 

Author Comment

by:matucker1975
ID: 24776606
Hi Mike,
I am checking to see if syslog and netlogon share are there by running net share command on the 2000 dc command prompt.  They file structure is there c:\winnt\syslog\domain.  I did copy the adprep locally to the 2000 dc and tried to run it.  It was faster, but still gave me the same error message.  I looked at the article, but everything I can tell is set to us-eng lang.  I even tried to rename the adprep.exe.mui file in the us-eng folder to adprep.exe, and placing it in the adprep folder, but it could not run the file.    I am am running service pack 4 on the 2000 dc.  I do not have another copy of windows 2008 dvd.  Do you think mine is corrupt somehow?  How does it create the .ldf files when adprep runs.  Do you know how to resolve schema conflicts?  The error states There is a syntax error in the input file
Failed on token starting with 'o' on line 63, which is
objectClass  SMB.                 ( 8 ^       \<           ] # attrib6da0-11d0-afd3-00c04fd930c9.
Thanks for all your help.



0
 

Author Comment

by:matucker1975
ID: 24776617
BTW (after the 2008 server is on the domain?) try running the prep from it instead?
The 2008 server is on the domain.  It tried to run adprep on the 2008 server and it would not let me, it said it was an incorrect windows version.  Im thinking this has to be ran on the windows 2000 dc.  This is the only dc and they do not run exchange.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24776622
BTW what antivirus are you using on the 2000 server?
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24776627
These servers are the same language as the DVD you're using?  

Just checking off some possible problems that caused similar situs for others.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 10

Expert Comment

by:Datedman
ID: 24776651
btw i am looking at my 2008 DVD now, on mine it's sources folder not service, that was a typo?  I have sch23.ldf in front of me and it doesn't look like what you're posting.

Line 63:

objectClass: controlAccessRight

Starting to think this is possibly a DVD read error, gah.  You said it "didn't work" when you copied to drive c?  What happened?  
0
 
LVL 10

Accepted Solution

by:
Datedman earned 200 total points
ID: 24776659
Here's that whole section from the file:

# change objects in configuration container

dn: CN=DS-Replication-Get-Changes-All,CN=Extended-Rights,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
ShowInAdvancedViewOnly: TRUE
appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
appliesTo: bf967a87-0de6-11d0-a285-00aa003049e2
appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
displayName: Replicating Directory Changes All
localizationDisplayId: 62
rightsGUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
validAccesses: 256

This is from the latest VLK CD with SP2 integrated.  Might be slightly different now but what I see in your file looks like garbage, no?
btw the reason i asked about AV is that one person had a similar problem and it was McAfee causing it.
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24776672
i'm with datedman on this. the file looks wrong. is this original media? good call on the av too.

did you get the schema file from the c drive or off the dvd (adprep copies them to c before starting)
if that's from C then compare it to the one on the cd.
also if it's the one on C rename it, stop any anti virus and try again.

I do have concerns over the sysvol not being available though.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24776685
Yeah MC seems as if there are multiple problems but the primary one is the way the file looks at this point.  Can't believe I didn't look at another copy sooner, DOH.
0
 

Author Comment

by:matucker1975
ID: 24776738
Datedman,
we are using symantec EndPoint Protection 11.0 - We currently have it disabled to make this migration.  I saw other posts where it could cause issues(McAfee).  The servers are the same language as the dvd we are using.  When I did a copy to the 2000 server the first time, It did not copy the schema.ini file so it would error out while running adprep.  I did an xcopy from the dvd to the server and all files compare correctly and adprep runs off of the local machine, but I still get the above error.  I am using an dell oem 2008 server reinstall dvd to gather the adprep directory for the 2000 server adprep.  I agree that the file looks like garbage, so I guess I need to compare what is on the dvd and what is in the copied file on the 2000 server adprep directory.  If there are any  discrepancies, I will change the file in the 2000 server adprep directory.  If they are the same, it looks like a possible bad dvd?  I am at my oher job now and will not be able to look at till after work.  Thanks for your help
0
 
LVL 10

Assisted Solution

by:Datedman
Datedman earned 200 total points
ID: 24776744
Could be a bad dvd I guess.  Weird tho, normally you'd get a read error, not sure what would cause that.

Iunno if it's legal to post you the contents of the adprep folder from my dvd...
0
 
LVL 4

Assisted Solution

by:Mike_Courtney
Mike_Courtney earned 300 total points
ID: 24776821
here's one from left field - is your 2008 media 64 bit I think they are by default. I'd also bet your 2000 box is 32 bit.

this may be part of it. you can download the 32bit version of 2008 from MS and run adprep from that.

here's a link to a good post on dan petri's site
http:/www.petri.co.Il/windows-server-2008-adprep.htm
0
 

Author Comment

by:matucker1975
ID: 24776834
I think I might download the evaluation copy of the 2008 32-bit from Microsoft tonight that way I have another copy of the adprep utility to work with.  I will give everyone a status update.  Hopefully I just have a bad Dell OEM DVD.
For anyone else that is looking for instructions on how to upgrade 2000/2003 to 2008 server, this site has an excellent step-by-step
http://www.petri.co.il/windows-server-2008-adprep.htm
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24776836
heh actually now that you mention it, *my* media is 64bit but i'm thinking that file is the same on either
0
 

Author Comment

by:matucker1975
ID: 24776852
Mike, we saw the web site at the same time, weird.  The 2000 ad is 32-bit and I am using the 32-bit dvd from dell.  I had the 32-bit 2008 installed from dell, so I have both the 32-bit and 64-bit software.  I think yall have the right idea of downloading the demo version from microsoft.  May take awhile, but we have alreay spent alot of time on this already.  Thanks
0
 

Author Comment

by:matucker1975
ID: 24776904
Would ya stop the SQL services before I run adprep?
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24776946
i don't think it's necessary but nor will it do any harm.
0
 

Author Comment

by:matucker1975
ID: 24777053
I was able to check the dvd and the file looks the same as in the copy location - bad dell, for sending bad media. - I am in the process of downloading the eval version of the 32-bit server english from microsoft.  It is 1.7gig may take awhile.
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 24777478
try to run the Adprep /forestprep with an Enterprise Admin account!!
0
 

Author Comment

by:matucker1975
ID: 24777502
My administrator account is in the Enterprise Admin group.
0
 

Author Comment

by:matucker1975
ID: 24778148
I guess it was just a bad dvd from dell, I downloaded the eval 2008 and it worked without an hitch.  Thank you for all your help Mike and Datedman
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24778164
Pleasure.  Sorry it took so long for me to think of the file corruption, sheesh.
0
 

Author Closing Comment

by:matucker1975
ID: 31599685
Thanks for your help and pointing me to the right direction
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24778188
Typical tho isn't it - we've come so far that the most obvious we don't think of - and it was there for all  to see at the start - it even looks wrong with those bracketed bits.

But it works now and that's the most important and relatively quickly too.

Good luck with your upgrade Matucker,

0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration, of the HP EVA 4400 SAN Storage. The name , IP and the WWN ID’s used here are not the real ones. ABOUT THE STORAGE For most of you reading this, you …
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now