• Status: Solved

Problem running /rodcprep when installing a 2008 DC in a 2003 environment

I'm in the process of migrating from SBS 2003 to Exchange 2010 and a 2008 DC.

Having a problem with the /rodcprep command.

The error I'm getting is:

Adprep found partition DC=ForestDnsZones,DC=domain,DC=local, and is about to update the permissions.
[2011/10/20:09:26:26.988]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=local.
[2011/10/20:09:26:26.988]
LDAP API ldap_search_s finished, return code is 0x0
[2011/10/20:09:26:26.988]
Adprep could not contact a replica for partition DC=ForestDnsZones,DC=domain,DC=local.
[2011/10/20:09:26:26.988]
Adprep encountered an LDAP error.

Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
[2011/10/20:09:26:26.988]
Adprep failed the operation on partition DC=ForestDnsZones,DC=domain,DC=local. Skipping to next partition.

=============================================================================

I believe the problem is with the server that holds the infrastructure role?

If I run net dom fmso then it correctly reports that all 5 FSMO roles are held by the SBS server.

If I run this:
ldifde -f Infra_DomainDNSZones.ldf -d "CN=Infrastructure,DC=DomainDnsZones,DC=contoso,DC=com" -l fSMORoleOwner

then the owner is reported as being the only other DC that we have, not the SBS server.

My question is how do I get the right info into AD to allow /rodcprep to run correctly?
Any answers need to be step by step please as my scripting/ldifde is pretty basic.

Thanks in advance
ITSMEPJB
1 Solution
 
ldavis07 Commented:
Are you running them both on the same 32 or 64 bit architecture? If so then, do this:

Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better...

Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature was intentionally disabled in Windows Server 2008 and Windows Vista.

In the Command Prompt window, type the following command:

    adprep /forestprep

After that is complete, run: adprep /domainprep
After that, you may have to run this command since you are running an older SBS: adprep /domainprep /gpprep

ITSMEPJB (Author) Commented:
Sorry, should have mentioned. Already run /forestprep, /adprep and /adprep /gpprep

It only falls over at /rodcprep

ITSMEPJB (Author) Commented:
That should have read /forestprep  /domainprep  /domainprep /gpprep

ldavis07 Commented:
Ah, gotcha. Are you running this on the schema master?
Are the 2008 machine's DNS settings in IP properties using the 2003 DC's IP addresses?

Any errors in the event logs on the DCs or the 2008 machine?

ITSMEPJB (Author) Commented:
There's no 2008 machine yet. This is at the preparing 2003 schema stage.
The other DC is another 2003 server.
The other 2003 DC has first its own IP and then the SBS server IP listed as DNS servers.

ldavis07 Commented:
What errors are you getting in the event log on the 2003 machine? Is the SBS server admitting any logs?

ITSMEPJB (Author) Commented:
No errors being reported.

ldavis07 Commented:
Can you post the ipconfig /all from the 2003 machine?

ldavis07 Commented:
Is the secondary DNS set up in the forwarders section already? Make sure it's not in the actual TCP/IP settings. Remove that, then run adprep /rodcprep again.

ITSMEPJB (Author) Commented:
ipconfig

ldavis07 Commented:
It does not look like you have a DHCP server running; have you checked to see if that is the case? Also, it looks like your DNS server and WINS server may be having some conflicts. As well, your subnet mask for the PPP interface has the wrong subnet mask.

ITSMEPJB (Author) Commented:
Why do you think there's no dhcp server? Can you explain why there are DNS and WINS conflicts?
Ignore the PPP adapter.

ldavis07 Commented:
It says DHCP is not enabled. As well, your DNS and WINS server have the same address. Did you also see that your bottom subnet mask is all 255?

ITSMEPJB (Author) Commented:
It says DHCP is not enabled on the adapter not that there's no dhcp server.

What is the problem with DNS and WINS on the same server, remember this is an SBS setup.

I've removed the ip address of the second DC from the ipconfig, there is no entry in dns forwarders for the second DC. /rodcprep still doesn't work.

Can you please explain where we are going with the ipconfig changes? I thought it was a problem with AD entries?

ldavis07 Commented:
Well, what I mean is that your IP address and your servers are running on the same network, and that is causing conflicts. You can't have your IP address and your servers be the same address. That is why you have to have DHCP enabled; that way it will obtain its address different from the servers so there is no conflict. You have that IP address listed 3 times (IP address, WINS server, DNS server); that is a conflict.

ITSMEPJB (Author) Commented:
Sorry but I think you've mis-read some information.

There are only two servers, an sbs server and another DC. The sbs server runs dhcp/dns etc. etc. so its IP address and the address of the DNS server etc. are the same.

I think this is going astray from the problem?

ldavis07 Commented:
Well, from what you have said, the problem is with the RODC... and you are having problems updating to the new server, from what I am understanding. Well, if you have conflicts in your addresses, yes, that can be a problem.

ITSMEPJB (Author) Commented:
I don't believe I have IP address conflicts.

Any other ideas?

ldavis07 Commented:
http://technet.microsoft.com/en-us/library/cc772234%28WS.10%29.aspx

Have you checked this site yet? That might explain better in more detail.

ldavis07 Commented:
Are you migrating or simply trying to upgrade to it?

ldavis07 Commented:
I found this; it may help:

If you are deploying a read-only domain controller (RODC) in an existing Windows Server 2003 forest, the RODC might not properly advertise as a time source for client computers. If you want client computers to synchronize their time from their local RODC, either one of the following configurations must be in place so that the Windows Time service (W32time) can advertise properly on the RODC:

    The primary domain controller (PDC) emulator operations master in the domain must be running Windows Server 2008.

ldavis07 Commented:
You can install a server running Windows Server 2008 and then either transfer the PDC emulator role to it or configure it as a GTIMESERV server for the domain.

In a forest root domain, the writable Windows Server 2008 domain controller that you configure as a GTIMESERV server must synchronize time from an external time source. In a child domain, the writable Windows Server 2008 domain controller that you configure as a GTIMESERV server can synchronize time from the domain hierarchy or from the same external time source that you configured for the forest root domain.

On a writable Windows Server 2008 domain controller in the forest root domain, run the following command:

W32tm /config /manualpeerlist:time_source /syncfromflags:MANUAL /reliable:YES /update

Where time_source is the name of an external time source.

On a writable Windows Server 2008 domain controller in a child domain, run the following command:

W32tm /config /syncfromflags:DOMHIER /reliable:YES /update

Then, run the following commands on the RODC to synchronize it with its time source and check its status:

w32tm /resync

w32tm /query /status /verbose

ITSMEPJB (Author) Commented:
No, sorry, I think we have definitely wandered off topic.

I have an SBS 2003 server that I am upgrading the schema to 2008 version.

I am not installing a RODC I am simply upgrading the 2003 schema by running

adprep32 /rodcprep

this is when it fails

ldavis07 Commented:
Well, Microsoft did say that when you are trying to upgrade from 2003 to 2008 the timestamp may be an issue. That is why you use the: GTIMESERV server must synchronize time from an external time source, to allow it to correlate with the new 2008 timestamp.

ldavis07 Commented:
If you are deploying a read-only domain controller (RODC) in an existing Windows Server 2003 forest, the RODC might not properly advertise as a time source for client computers. If you want client computers to synchronize their time from their local RODC, either one of the following configurations must be in place so that the Windows Time service (W32time) can advertise properly on the RODC:

    The primary domain controller (PDC) emulator operations master in the domain must be running Windows Server 2008.


That is straight from Microsoft.

ITSMEPJB (Author) Commented:
I am not installing an RODC

ldavis07 Commented:
Well, you said you had a problem when you ran the /rodcprep. As you should know, this step is optional and does not need to be done. Have you tried to verify if the system is working without running it?

upgrading the 2003 schema by running

adprep32 /rodcprep

Running adprep /rodcprep

Running the adprep /rodcprep command is optional. It is required only if you want to install an RODC in the forest. This command updates the security descriptors for application directory partitions to give RODCs permission to replicate updates to the partitions. Each application directory partition has an infrastructure master. The adprep /rodcprep command must update the security descriptor for each application directory partition on the infrastructure master for that partition.

There are two application directory partitions that are created by default for Domain Name System (DNS) data: DomainDNSZones and ForestDNSZones. If the infrastructure master for either of these partitions is offline or if it has been forcefully removed from the forest, adprep /rodcprep fails with an error. For more information, see article 949257 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=140285). In addition, this command must contact the domain naming operations master to obtain a list of the application and domain directory partitions that are in the forest. Therefore, the domain naming master must be accessible when you run this command.
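Added example (not part of the original thread and not Microsoft's code): a check for the failure condition the quoted documentation describes, run over ldifde exports like the one in the question. It parses the LDIF (folded lines and base64 `::` values) and flags an infrastructure object whose fSMORoleOwner is a deleted NTDS Settings object (a `DEL:` marker in the DN) or a server outside a list of DCs you know are live; the sample LDIF, server names and GUIDs are constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample: two ldifde exports joined; every name and GUID is made up.
_TAIL = "CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=local"
_DELETED = ("CN=NTDS Settings\nDEL:00000000-0000-0000-0000-000000000001,"
            "CN=OLDDC\nDEL:00000000-0000-0000-0000-000000000002," + _TAIL)
SAMPLE_LDIF = (
    "dn: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=local\n"
    "fSMORoleOwner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Site1,CN=Sites,\n"
    " CN=Configuration,DC=example,DC=local\n"
    "\n"
    "dn: CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=local\n"
    "fSMORoleOwner:: " + base64.b64encode(_DELETED.encode()).decode() + "\n"
)

def parse_ldif(text):
    """Return one {attribute: value} dict per LDIF record."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8")
            current[attr.strip().lower()] = value.strip()
    return records

def check_infrastructure_owners(ldif_text, live_dcs):
    """Return (partition dn, owner server, status) per exported infrastructure object."""
    live = {name.upper() for name in live_dcs}
    findings = []
    for rec in parse_ldif(ldif_text):
        if "fsmoroleowner" not in rec:
            continue
        owner = rec["fsmoroleowner"].replace("\\0A", "\n")  # accept the escaped form too
        server = (owner.split(",CN=") + [""])[1].split("\n")[0]
        status = ("deleted-owner" if "\nDEL:" in owner
                  else "ok" if server.upper() in live else "unknown-owner")
        findings.append((rec.get("dn", ""), server, status))
    return findings
```

A `deleted-owner` or `unknown-owner` result marks a partition whose infrastructure master /rodcprep would try, and fail, to contact.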
 
ITSMEPJB (Author) Commented:
Bit of a workaround in the end, simplest thing was to not install the RODC prep, install a 2008 DC then DCpromo out the 2003 DC, run the RODC prep, then re-promo the 2003 DC.