• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1058
  • Last Modified:

How do I troubleshoot errors in adprep /forestprep

When running adprep32 /forestprep to ready a 2003 forest for a 2008 upgrade we receive this error.  

Opened Connection to <servername>
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 47
Connecting to "servername"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.................................................................
Add error on line 2044: Unwilling To Perform
The server side error is "Schema update failed: class in aux-class list does not  exist or is not in auxiliary class."
117 entries modified successfully.
An error has occurred in the program
ERROR: Import from file C:\WINDOWS\system32\sch31.ldf failed. Error file is saved in ldif.err.31.

Any Ideas??
1 Solution
Renato Montenegro RusticiIT SpecialistCommented:
Please, check out these two documents and make sure everything is ready:

Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2

How to migrate your Active Directory Domain to Windows Server 2008

Make sure you have raised the domain functional level to Windows 2000 native or Windows 2003 and that you are running under the correct user rights (group membership and stuff).
Mike KlineCommented:
look in the debug\adprep\logs folder, any more info in the logs there?
Hi dgpsmart,,

Try running a dcdiag and netdiag to see if you receive errors.  Maybe you have errors to address before a 2008 upgrade.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

First question,do you have exchange server in your environment & if yes is it installed on the DC only?
Second, is your schema has been modifed for any application,is yes then that can be problem too,which can see from your post.

Mike has given you the path where you get log of Adprep,check, if there is any help.
dgpsmartAuthor Commented:
rmrustice: I have gone over the information in the articles and verified all.

mkline71: Attached are the log files all can be opened with notepad or other text editor. I also included Line2044ofSch31.ldf.txt. This is the section of sch31.ldf that seems to not want to update.

g00se:  I ran both commands and all seems to pass just fine

Awinish:  There has never been an Exchange server in this Forest or Domain as far as I know. There may have been one in a domain that had a trust with this one some years ago.

Additional Information:  Virus software has need disabled, WINS service has been unistalled, We do not use MS DNS,
Don't post the result on screen, just attach the below result.

 DCDIAG /V /C /D > C:\Dcdiag.txt

I hope you are running adprep /forestprep on schema master role & serve ris recognised as SChema master.


Can you verify

You can see when the last modification to the schema was performed from ADSIedit.  
Open up the Schema naming context and then get properties on CN=Schema,CN=Configuration,DC=yourdomain,dc=com. Specific interest would be the attributes modifyTimeStamp and objectVersion.  
Check to see if the objectVersion is the same on the isolated DC as on the production DCs.  The objectVersion on a schema that has had the 2003 additions applied is 30.

dgpsmartAuthor Commented:
Awinish: Thanks for your input. I ran the dcdiag that you noted and found 4 errors,
1. The ismserv service was not running
2. there was an orphaned frs member
3. It failed doing lookups on our secondary name server. Since we do not have that secondary DNS server in this development enviornment I removed the entry from the network interface.

I resolved the orphaned frs object.

Before I could do that I had to repair or register the dll for adsiedit because it was broke.

Now the dcdiag test has no failures in it. Is there anything specific you want to know. It contains a lot to network and domain information I do not want to share.
dgpsmartAuthor Commented:
Let's focus our attention to SFU This may have been installed and used at one time. Any thoughts there
If everything has come up clean,try running adprep & yes may be i wanted to see the log & don worry we are all professional & we do understand,so replace yoour domain name to something abc.com

You need to check when & what are the purpose & you need to remove to update the schema else it will not allow.

dgpsmartAuthor Commented:
Here is the DcDiag.txt File.  We hope to open a support case with Microsoft today but if there is anything you can do to help. Thanks
The dcdiag is clean apart from DNS server: (<name unavailable>) which is listed in the test.

If there is modification in schema,i can't do much as schema is sensitive & handled with care,so opening case with MS PSS is good solution & i would be interested in knowing the solution provided.

If there is any modification done in schema, then there are specialist in MS who does this job,so lets see the outcome.
dgpsmartAuthor Commented:
Thanks to all those that helped. after 3 hours with Microsoft we found that the objectclasscategory value on the Posixgroup object was incorrectly set. Since this evolves several modifications to the Schema via LDP and adsiedit and well as a schema dump, I will not be posting the process. However if you do a schema dump and the reference the oid that was at the line location where the process failed you will at least help you find where the problem is. Like looking for a needle in a haystack.

dgpsmartAuthor Commented:
Thanks to everyone for your help
dgpsmartAuthor Commented:
Microsoft Support Solved the Problem
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now