How do I troubleshoot errors in adprep /forestprep

Posted on 2010-11-12
Last Modified: 2012-08-14
When running adprep32 /forestprep to ready a 2003 forest for a 2008 upgrade we receive this error.  

Opened Connection to <servername>
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 47
Connecting to "servername"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.................................................................
Add error on line 2044: Unwilling To Perform
The server side error is "Schema update failed: class in aux-class list does not  exist or is not in auxiliary class."
117 entries modified successfully.
An error has occurred in the program
ERROR: Import from file C:\WINDOWS\system32\sch31.ldf failed. Error file is saved in ldif.err.31.

Any Ideas??
Question by:dgpsmart
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 34125505
Please, check out these two documents and make sure everything is ready:

Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2

How to migrate your Active Directory Domain to Windows Server 2008

Make sure you have raised the domain functional level to Windows 2000 native or Windows 2003 and that you are running under the correct user rights (group membership and stuff).
LVL 57

Expert Comment

by:Mike Kline
ID: 34125561
look in the debug\adprep\logs folder, any more info in the logs there?
LVL 11

Expert Comment

ID: 34129532
Hi dgpsmart,,

Try running a dcdiag and netdiag to see if you receive errors.  Maybe you have errors to address before a 2008 upgrade.
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

LVL 24

Expert Comment

ID: 34130805
First question,do you have exchange server in your environment & if yes is it installed on the DC only?
Second, is your schema has been modifed for any application,is yes then that can be problem too,which can see from your post.

Mike has given you the path where you get log of Adprep,check, if there is any help.

Author Comment

ID: 34138006
rmrustice: I have gone over the information in the articles and verified all.

mkline71: Attached are the log files all can be opened with notepad or other text editor. I also included Line2044ofSch31.ldf.txt. This is the section of sch31.ldf that seems to not want to update.

g00se:  I ran both commands and all seems to pass just fine

Awinish:  There has never been an Exchange server in this Forest or Domain as far as I know. There may have been one in a domain that had a trust with this one some years ago.

Additional Information:  Virus software has need disabled, WINS service has been unistalled, We do not use MS DNS,
LVL 24

Expert Comment

ID: 34138218
Don't post the result on screen, just attach the below result.

 DCDIAG /V /C /D > C:\Dcdiag.txt

I hope you are running adprep /forestprep on schema master role & serve ris recognised as SChema master.

Can you verify

You can see when the last modification to the schema was performed from ADSIedit.  
Open up the Schema naming context and then get properties on CN=Schema,CN=Configuration,DC=yourdomain,dc=com. Specific interest would be the attributes modifyTimeStamp and objectVersion.  
Check to see if the objectVersion is the same on the isolated DC as on the production DCs.  The objectVersion on a schema that has had the 2003 additions applied is 30.


Author Comment

ID: 34139328
Awinish: Thanks for your input. I ran the dcdiag that you noted and found 4 errors,
1. The ismserv service was not running
2. there was an orphaned frs member
3. It failed doing lookups on our secondary name server. Since we do not have that secondary DNS server in this development enviornment I removed the entry from the network interface.

I resolved the orphaned frs object.

Before I could do that I had to repair or register the dll for adsiedit because it was broke.

Now the dcdiag test has no failures in it. Is there anything specific you want to know. It contains a lot to network and domain information I do not want to share.

Author Comment

ID: 34139991
Let's focus our attention to SFU This may have been installed and used at one time. Any thoughts there
LVL 24

Expert Comment

ID: 34142012
If everything has come up clean,try running adprep & yes may be i wanted to see the log & don worry we are all professional & we do understand,so replace yoour domain name to something

You need to check when & what are the purpose & you need to remove to update the schema else it will not allow.


Author Comment

ID: 34145769
Here is the DcDiag.txt File.  We hope to open a support case with Microsoft today but if there is anything you can do to help. Thanks
LVL 24

Expert Comment

ID: 34145850
The dcdiag is clean apart from DNS server: (<name unavailable>) which is listed in the test.

If there is modification in schema,i can't do much as schema is sensitive & handled with care,so opening case with MS PSS is good solution & i would be interested in knowing the solution provided.

If there is any modification done in schema, then there are specialist in MS who does this job,so lets see the outcome.

Accepted Solution

dgpsmart earned 0 total points
ID: 34150659
Thanks to all those that helped. after 3 hours with Microsoft we found that the objectclasscategory value on the Posixgroup object was incorrectly set. Since this evolves several modifications to the Schema via LDP and adsiedit and well as a schema dump, I will not be posting the process. However if you do a schema dump and the reference the oid that was at the line location where the process failed you will at least help you find where the problem is. Like looking for a needle in a haystack.


Author Comment

ID: 34150686
Thanks to everyone for your help

Author Closing Comment

ID: 34182495
Microsoft Support Solved the Problem

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question