Asked by probberts

Windows Server 2008 R2 adprep sch45.ldf schema import error

I am attempting to upgrade a Windows Server 2008 (SP2, x64) domain controller (only DC in the domain at the moment) so that I can add a new Windows Server 2008 R2 server to the domain.  I've been trying to get the "adprep /forestprep" command to work without success.

Just to confirm, before someone asks, I'm logged in as the Enterprise Administrator user, who is a member of Enterprise, Domain, and Schema Admins.  I'm also running my cmd window in administrative mode, so I'm certain it's not a permission issue.  I've tried running adprep from the Windows 2008 R2 CD path \sources\adprep\ as well as from the local computer after copying all the files to the hard drive; neither makes a difference.  Although the 2k8 SP2 server is the only DC, I went ahead and tested to make sure that it thinks it is the FSMO, and that also looks just fine.

All that being said, here's the error I receive:

-----------------------------------
Opened Connection to <DC>
SSPI Bind Succeeded
Current Schema Version is 44
Upgrading schema to version 47
Verifying file signature
Failed to verify file signature: error 0x800b010e
ERROR: Import from file C:\Windows\System32\sch45.ldf failed. Error file is saved in ldif.err.45.
---------------------------------------------

I dug into the debug logs in C:\Windows\Debug\adprep\<date>\ and found that the following command is throwing the error:

c:\Windows\system32\ldifde.exe -i -f c:\Windows\system32\sch45.ldf -s <DC name> -j . -$ c:\Windows\system32\schupgrade.cat

Running this command with the -v (verbose) switch prompts me with an "NT5DS - Security Warning" popup box listing the following:

Name: sch45.ldf
Publisher: Unknown Publisher

When I click on the "Unknown Publisher" link, it tells me that the file is signed by "Microsoft Windows" and that the expiration of the cert is 1/22/2010 (why is this expired?).  Since finding this I've tried rebooting and doing the F8 trick to disable driver signature enforcement, and this error is still thrown...

I've run out of troubleshooting ideas and can't find a single hit on this error message.

Thank you in advance.
Adam
himvy

If you run ADSIEDIT.msc, connect to the Schema context and check the rights on CN=Schema,CN=Configuration,DC=domain,DC=local (Properties / Security / Advanced).

It will be something like:
name resolution
Schema Admins special
Schema Admins change the schema master
Schema Admins secret Replication Synchronization
Schema Admins Monitor Replication Active directory
Schema Admins replication of all directory changes
Schema Admins Manage replication topology
Schema Admins Replication Synchronization
Schema Admins Replicating Directory Changes
Schema Admins update schema cache
Schema Admins Restore burial

It must be like this (I looked at a server restored from backup and at another test domain where adprep passed):

Schema Admins special
Schema Admins change the schema master

I.e., we need to remove everything and re-create all the permissions. Reboot the server.

NOTE: This is a schema modification; PLEASE take a SYSTEM STATE backup prior to working on this. Thanks.
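The ADSIEDIT inspection described in the answer above can also be done from PowerShell. The following is an added example, not code from himvy or the asker: it dumps the ACEs that Schema Admins holds on the forest's Schema container and compares them with the extended rights the answer lists. It assumes the ActiveDirectory module (RSAT-AD-PowerShell), which provides the AD: drive, is installed and that the session runs with rights to read the Schema container; the expected-rights list is my mapping of the answer's entries onto the display names Active Directory uses for those extended rights.

```powershell
# Added example, not code from the thread: list what "Schema Admins" may do on the
# Schema container (the check the answer describes doing in ADSIEDIT) and flag any of
# the answer's expected extended rights that are missing.
# Assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) is installed.
Import-Module ActiveDirectory

function Get-SchemaAdminsRights {
    $rootDse  = Get-ADRootDSE
    $schemaDn = $rootDse.schemaNamingContext            # CN=Schema,CN=Configuration,DC=...

    # Resolve extended-right GUIDs to display names from the forest's own
    # CN=Extended-Rights container rather than hard-coding GUID values.
    $rightNames  = @{}
    $extRightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    Get-ADObject -SearchBase $extRightsDn -LDAPFilter '(objectClass=controlAccessRight)' `
                 -Properties rightsGuid, displayName |
        ForEach-Object { $rightNames[[string]$_.rightsGuid] = $_.displayName }

    $acl = Get-Acl -Path "AD:\$schemaDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notlike '*\Schema Admins') { continue }
        $guid  = $ace.ObjectType.ToString()
        $right = if ($ace.ObjectType -eq [Guid]::Empty) { [string]$ace.ActiveDirectoryRights }
                 elseif ($rightNames.ContainsKey($guid)) { $rightNames[$guid] }
                 else { "$($ace.ActiveDirectoryRights) on object type $guid" }  # class/attribute GUID
        New-Object PSObject -Property @{
            Type      = $ace.AccessControlType
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

# Extended rights the answer lists for Schema Admins, as AD names them (my mapping).
$expected = 'Change Schema Master', 'Replication Synchronization',
            'Replicating Directory Changes', 'Replicating Directory Changes All',
            'Manage Replication Topology', 'Monitor Active Directory Replication',
            'Update Schema Cache'

$have = @(Get-SchemaAdminsRights)
$have | Sort-Object Right | Format-Table Type, Right, Inherited -AutoSize

# A plain GenericAll allow ACE (Full control, no object type) already covers every
# extended right, so only look for named rights when that is absent.
$fullControl = $have | Where-Object { $_.Type -eq 'Allow' -and $_.Right -eq 'GenericAll' }
$missing = if ($fullControl) { @() } else {
    foreach ($name in $expected) {
        if (-not ($have | Where-Object { $_.Type -eq 'Allow' -and $_.Right -eq $name })) { $name }
    }
}
if ($missing) { "Missing for Schema Admins: $($missing -join ', ')" }
else          { 'All extended rights from the answer are present for Schema Admins' }
```

Run it on the schema master as a member of Schema Admins; the table shows every ACE the group holds (including inherited ones, which ADSIEDIT's Advanced view also lists), and the last line tells you whether re-creating permissions, as the answer suggests, is even necessary.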
probberts (ASKER)

Himvy,
I just looked at the Schema permissions for the Schema Admins group.  The advanced security settings show that Schema Admins is permitted to "Change schema master".  The group is also configured with special permissions to do everything else, except for the following:

Full control
Delete
Delete subtree
Delete all child objects
Delete attributeSchema objects
Delete classSchema objects
Delete lostAndFound objects

Just so I'm clear, are you recommending that I remove and re-add these permissions and reboot?

Thank you!


himvy

Yes, and as I said, please make sure that you have a good system state backup.

probberts (ASKER)

I did as you suggested and there is no change in the behavior.  I even elevated the Schema Admins permissions to "Full", but that didn't help either.

The real problem seems to be that Windows doesn't trust the sch45.ldf file, so the ldifde.exe process aborts.  Is there any way to prevent the NT5DS security check from being triggered so I can bypass the error?
Another note: "schupgr" is what appears to actually be calling Crypto to check the certificate validity for the sch45.ldf file.  I tried to disable Crypto to see if that would prevent the check, but the service was changed to "Manual" and started anyway.

I attempted to upgrade the 2008 SP2 server to 2008 R2, but of course the upgrade requires that I run "adprep /forestprep" before I can even install the OS upgrade....

Help.... please....
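The ldifde command line the asker pulled from the debug log (`-$ c:\Windows\system32\schupgrade.cat`) shows that sch45.ldf is trusted through a signed catalog, not an embedded signature, so the certificate chain of the catalog's signer, and whether revocation data for that chain can be fetched, is what the signature check evaluates. The script below is an added PowerShell diagnostic, not code from the thread or from Microsoft: it assumes PowerShell 2.0 or later and uses the file paths from the asker's ldifde command line. It builds the catalog signer's chain once with online revocation checking and once without, which separates "revocation data unreachable" (the HRESULT in the question, 0x800b010e, is CERT_E_REVOCATION_FAILURE) from a root-store problem; it does not check the .ldf's hash membership in the catalog.

```powershell
# Added example, not code from the thread: diagnose the catalog signature chain that
# "ldifde -$ schupgrade.cat" evaluates for sch45.ldf, rather than trying to bypass it.
# Assumptions: PowerShell 2.0 or later; file paths taken from the asker's ldifde command
# line. Only the catalog signer's chain is examined, not the .ldf's hash in the catalog.
param(
    [string]$LdfPath     = 'C:\Windows\System32\sch45.ldf',
    [string]$CatalogPath = 'C:\Windows\System32\schupgrade.cat'
)

$ns = 'System.Security.Cryptography.X509Certificates'

# Build the signer's chain under one revocation policy and report the status flags.
# Expiry is masked on purpose: Authenticode judges a timestamped signature at signing
# time, so a signer certificate that expired in 2010 is not itself the failure.
function Get-ChainProblems {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$RevocationMode)          # 'Online' or 'NoCheck'
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
    $chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
    $built = $chain.Build($Cert)
    $flags = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    New-Object PSObject -Property @{ Built = $built; Problems = $flags }
}

function Test-SchemaCatalogTrust {
    param([string]$Ldf, [string]$Catalog)
    # The .ldf carries no embedded signature; its trust comes from the catalog, which is
    # why the file on its own shows "Unknown Publisher".
    $ldfSig = Get-AuthenticodeSignature -FilePath $Ldf
    $catSig = Get-AuthenticodeSignature -FilePath $Catalog
    $report = New-Object PSObject -Property @{
        LdfEmbeddedSignature = $ldfSig.Status
        CatalogSignature     = $catSig.Status
        CatalogSigner        = $null
        SignerValidTo        = $null
        Timestamped          = ($catSig.TimeStamperCertificate -ne $null)
        OnlineBuilt          = $null
        OnlineProblems       = $null
        NoCheckBuilt         = $null
        NoCheckProblems      = $null
        Diagnosis            = 'catalog is not signed or could not be read'
    }
    if ($catSig.SignerCertificate -eq $null) { return $report }
    $cert = $catSig.SignerCertificate
    $report.CatalogSigner = $cert.Subject
    $report.SignerValidTo = $cert.NotAfter

    $online  = Get-ChainProblems -Cert $cert -RevocationMode 'Online'
    $noCheck = Get-ChainProblems -Cert $cert -RevocationMode 'NoCheck'
    $report.OnlineBuilt     = $online.Built
    $report.OnlineProblems  = ($online.Problems -join '; ')
    $report.NoCheckBuilt    = $noCheck.Built
    $report.NoCheckProblems = ($noCheck.Problems -join '; ')

    # Chain is fine without revocation checking but fails with it: CRL/OCSP fetch problem.
    $revocationOnly = $noCheck.Built -and (-not $online.Built) -and
                      ($online.Problems -match 'RevocationStatusUnknown|OfflineRevocation')
    $report.Diagnosis = if (-not $noCheck.Built) {
        'chain fails even without revocation checking: inspect the Trusted Root and Intermediate CA stores (UntrustedRoot / PartialChain)'
    } elseif ($revocationOnly) {
        # 0x800b010e from the question is CERT_E_REVOCATION_FAILURE: revocation data could not be retrieved.
        'chain is sound but revocation data is unreachable (CERT_E_REVOCATION_FAILURE, 0x800b010e): check CRL/proxy reachability from this DC'
    } else {
        'chain builds with online revocation checking; the failure is elsewhere (catalog hash mismatch or a modified .ldf)'
    }
    $report
}

Test-SchemaCatalogTrust -Ldf $LdfPath -Catalog $CatalogPath | Format-List
```

Read the two chain results together: OnlineBuilt false with NoCheckBuilt true and a RevocationStatusUnknown/OfflineRevocation flag points at the DC being unable to reach the CRL distribution points (the same condition that makes Windows Update fail with crypto errors), while NoCheckBuilt false means the root or intermediate certificates themselves are missing or untrusted on the DC. Either way the fix is on the DC's certificate stores or outbound connectivity, not on ldifde's signature check.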
ASKER CERTIFIED SOLUTION
probberts

This solution is only available to members.
seanmrice

Additionally, if the server can't connect to Windows Update due to a cryptography error, it cannot complete the command.

Once I did this: "Windows Update 80092026 plus Certificate Crypto Operation Failed", the command completed successfully.

-Sean
The solution from probberts will also work for Windows 2012R2 forestprep.

Thanks.