Windows Server 2008 R2 adprep sch45.ldf schema import error

probberts
I am attempting to upgrade a Windows Server 2008 (SP2, x64) domain controller (only DC in the domain at the moment) so that I can add a new Windows Server 2008 R2 server to the domain.  I've been trying to get the "adprep /forestprep" command to work without success.

Just to confirm, before someone asks, I'm logged in as the Enterprise Administrator user, who is a member of Enterprise, Domain, and Schema Admins.  I'm also running my cmd window in administrative mode, so I'm certain it's not a permission issue.  I've tried running adprep from the Windows 2008 R2 CD path \sources\adprep\ as well as from the local computer after copying all the files to the hard drive; neither makes a difference.  Although the 2k8 SP2 server is the only DC, I went ahead and tested to make sure that it thinks it is the FSMO, and that also looks just fine.

All that being said, here's the error I receive:

-----------------------------------
Opened Connection to <DC>
SSPI Bind Succeeded
Current Schema Version is 44
Upgrading schema to version 47
Verifying file signature
Failed to verify file signature: error 0x800b010e
ERROR: Import from file C:\Windows\System32\sch45.ldf failed. Error file is saved in ldif.err.45.
---------------------------------------------

I dug into the debug logs in C:\Windows\Debug\adprep\<date>\ and found that the following command is throwing the error:

c:\Windows\system32\ldifde.exe -i -f c:\Windows\system32\sch45.ldf -s <DC name> -j . -$ c:\Windows\system32\schupgrade.cat

Running this command with the -v (verbose) prompts me with a "NT5DS - Security Warning" popup box with the following listed:

Name: sch45.ldf
Publisher: Unknown Publisher

When I click on the "Unknown Publisher" link it tells me that the file is signed to "Microsoft Windows" and that the expiration for the Cert is 1/22/2010 (why is this expired?).  Since finding this I've tried to reboot and do the F8 trick to disable the driver signature enforcement and this error is still thrown...

I've run out of troubleshooting ideas and can't find a single hit on this error message.

Thank you in advance.
Adam

Commented:


If you run ADSIEDIT.msc, connect to the Schema context and check the rights on CN=Schema, CN=Configuration, DC=domain, DC=local (Properties / Security / optional).

It will be something like
name resolution
Schema Admins special
Schema Admins change the schema master
Schema Admins secret Replication Synchronization
Schema Admins Monitor Replication Active directory
Schema Admins replication of all directory changes
Schema Admins Manage replication topology
Schema Admins Replication Synchronization
Schema Admins Replicating Directory Changes
Schema Admins update kesh scheme
Schema Admins Restore burial

It must be like this (I checked on a server restored from backup and on another test domain where adprep passed):

Schema Admins special
Schema Admins change the schema master

I.e., we need to remove everything and re-create all the permissions one by one. Then reboot the server.

NOTE: This is a schema modification, so PLEASE take a SYSTEM STATE backup prior to working on this. Thanks.

Author

Commented:
Himvy,
I just looked at the Schema permissions for the Schema Admins group.  The advanced security settings show that Schema Admins is permitted to "Change schema master".  The group is also configured with special permissions to do everything else, except for the following:

Full control
Delete
Delete subtree
Delete all child objects
Delete attributeSchema objects
Delete classSchema objects
Delete lostAndFound objects

Just so I'm clear, are you recommending that I remove and re-add these permissions and reboot?

Thank you!

Commented:


Yes, and as I said, please make sure that you have a good system state backup.

Author

Commented:
I did as you suggested and there is no change to the behavior.  I even elevated the Schema Admins permissions to "Full", but that didn't help either.

The real problem seems to be that Windows doesn't trust the sch45.ldf file, so the ldifde.exe process aborts.  Is there any way to prevent the NT5DS security check from being triggered so I can bypass the error?

Author

Commented:
Another note: "schupgr" is what appears to be actually calling Crypto to check the certificate validity for the sch45.ldf file.  I tried to disable Crypto to see if that would prevent the check, but the service is set to "Manual" and started anyway.

I attempted to upgrade the 2008 SP2 server to 2008 R2, but of course the upgrade requires that I run "adprep /forestprep" before I can even install the OS upgrade....

Help.... please....

I found a solution and it all went back to the CERT message that I indicated above.

The special thing about my situation is that this DC is located in a non-internet connected environment, so the CERTs and Revocation Lists are not capable of updating automatically.  In this case I had to download a few CRT and CRL files to allow the process to continue.

Here are the links to the CRL files:
http://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl (Apply to Trusted Root Certification Authorities)
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl (Apply to Trusted Root Certification Authorities)
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl (Apply to Trusted Root Certification Authorities)
http://crl.microsoft.com/pki/crl/products/WinPCA.crl (Apply to Intermediate Certificate Authorities)

Here are the CRT file links:
http://www.microsoft.com/pki/certs/MicrosoftWinPCA.crt (Apply to Intermediate Certificate Authorities)
http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt (Apply to Trusted Root Certification Authorities)

After I updated all of these files in the manner indicated in the parentheses above, everything ran just fine!

I hope my troubles can help someone else in the future as this was a major pain to troubleshoot.
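The fix above boils down to giving an offline DC the revocation data the catalog check needs: 0x800B010E is CERT_E_REVOCATION_FAILURE, i.e. the CRL for the signer chain could not be obtained, and ldifde validates sch45.ldf against the signed catalog passed with -$ (schupgrade.cat in the logged command). The following PowerShell is an added example, not from the thread, that imports the already-downloaded CRL/CRT files into the stores named in the post and then re-checks the catalog's Authenticode status; the staging folder C:\Temp\adprep-pki is an assumption, and it must be run from an elevated prompt on the DC.

```powershell
# Added example (not from the thread): import the CRL/CRT files listed in the post
# into the stores the post names, then re-check the signed catalog that ldifde uses
# (the -$ argument) to validate sch45.ldf before running adprep /forestprep again.
$Stage = 'C:\Temp\adprep-pki'   # assumed: files were downloaded elsewhere and copied here

# certutil store names: Root = Trusted Root Certification Authorities,
# CA = Intermediate Certification Authorities. Without -user this is the machine store.
$Imports = @(
    @{ File = 'MicrosoftRootAuthority.crl';  Store = 'Root' },
    @{ File = 'MicrosoftTimeStampPCA.crl';   Store = 'Root' },
    @{ File = 'microsoftrootcert.crl';       Store = 'Root' },
    @{ File = 'WinPCA.crl';                  Store = 'CA'   },
    @{ File = 'MicrosoftWinPCA.crt';         Store = 'CA'   },
    @{ File = 'MicrosoftTimeStampPCA.crt';   Store = 'Root' }
)

foreach ($item in $Imports) {
    $path = Join-Path $Stage $item.File
    if (-not (Test-Path $path)) {
        Write-Warning "Missing $path - download it on a connected machine and copy it here."
        continue
    }
    # certutil -addstore accepts both certificates (.crt) and revocation lists (.crl).
    & certutil.exe -addstore $item.Store $path | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("certutil -addstore failed for {0} (exit code {1})" -f $item.File, $LASTEXITCODE)
    }
}

# The check that failed with 0x800b010e is the catalog signature; confirm it now chains
# and revocation-checks cleanly before retrying adprep.
$Catalog = 'C:\Windows\System32\schupgrade.cat'
$sig = Get-AuthenticodeSignature -FilePath $Catalog
'{0}: {1} (signer: {2})' -f $Catalog, $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') {
    Write-Warning 'Catalog still not trusted; review ldif.err.45 and the adprep debug log before retrying.'
}
```

A Status of Valid here means the trust chain and CRL lookups resolve locally, which is exactly what adprep's "Verifying file signature" step needs on a disconnected DC.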
Additionally, if the server can't connect to windows update due to a cryptography error, it cannot complete the command.

Once I did this: Windows Update 80092026 plus Certificate Crypto Operation Failed
The command completed successfully.

-Sean
The solution from probberts will also work for Windows 2012R2 forestprep.

Thanks.
