Solved

2003 to 2008 upgrade ADPREP fails

Posted on 2013-01-06
Last Modified: 2013-02-03
Hello

First assignment of the year, upgrading some old client systems. Part of it will be to migrate the DC from 2003 to 2008 servers.

Launched adprep /forestprep and it worked flawlessly. Now doing the domain part and it fails as follows (sorry, it's a French machine...)
(... successful log suppressed)
L’API LDAP ldap_modify_ext_s() s’est terminée, le code renvoyé est 0x0 
[2013/01/06:22:33:22.786]
Adprep a correctement modifié le descripteur de sécurité sur l’objet CN=BuiltIn,DC=activdom,DC=ch.
[État/Conséquence]
Adprep a fusionné le descripteur de sécurité existant avec la nouvelle entrée de contrôle d’accès (ACE). 
[2013/01/06:22:33:22.786]
Adprep était sur le point d’appeler l’API LDAP suivante. ldap_add_s(). L’entrée à ajouter est cn=dda1d01d-4bd7-4c49-a184-46f9241b560e,cn=Operations,cn=DomainUpdates,cn=System,DC=mydom,DC=ch.
[2013/01/06:22:33:22.786]
L’API LDAP ldap_add_s() s’est terminée, le code renvoyé est 0x0 
[2013/01/06:22:33:22.786]
Adprep a correctement créé l’objet cn=dda1d01d-4bd7-4c49-a184-46f9241b560e,cn=Operations,cn=DomainUpdates,cn=System,DC=mydom,DC=ch des services de domaine Active Directory.
[2013/01/06:22:33:22.786]
Adprep était sur le point d’appeler l’API LDAP suivante. ldap_search_s(). L’entrée de base pour lancer la recherche est cn=a1789bfb-e0a2-4739-8cc0-e77d892d080a,cn=Operations,cn=DomainUpdates,cn=System,DC=mydom,DC=ch.
[2013/01/06:22:33:22.786]
L’API LDAP ldap_search_s() s’est terminée, le code renvoyé est 0x20 
[2013/01/06:22:33:22.786]
Adprep a vérifié l’état de l’opération cn=a1789bfb-e0a2-4739-8cc0-e77d892d080a,cn=Operations,cn=DomainUpdates,cn=System,DC=mydom,DC=ch. 
[État/Conséquence]
L’opération ne s’est pas exécutée ou ne s’est pas correctement exécutée. Elle sera exécutée ultérieurement.
[2013/01/06:22:33:22.786]
Adprep était sur le point d’appeler l’API LDAP suivante. ldap_search_s(). L’entrée de base pour lancer la recherche est CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydom,DC=ch.
[2013/01/06:22:33:22.786]
L’API LDAP ldap_search_s() s’est terminée, le code renvoyé est 0x20 
[2013/01/06:22:33:22.786]
Adprep n’a pas pu modifier le descripteur de sécurité sur l’objet CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydom,DC=ch.
[État/Conséquence] 
ADPREP n’a pas pu fusionner le descripteur de sécurité existant avec la nouvelle entrée de contrôle d’accès (ACE).
[Action utilisateur] 
Pour plus d’informations, consultez le fichier journal ADPrep.log dans le répertoire C:\WINDOWS\debug\adprep\logs\20130106223322.
[2013/01/06:22:33:22.802]
Adprep a rencontré une erreur LDAP. 
Code d’erreur : 0x20. Code d’erreur étendue du serveur : 0x208d, Message d’erreur du serveur : 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
	'CN=File Replication Service,CN=System,DC=mydom,DC=ch'
.
[2013/01/06:22:33:22.802]
Adprep n’a pas pu mettre à jour les informations du domaine. 
[État/Conséquence]
Adprep doit pouvoir accéder aux informations existantes de tout le domaine à partir du maître d’infrastructure pour achever cette opération.
[Action utilisateur]
Pour plus d’informations, consultez le fichier journal, ADPrep.log, dans le répertoire C:\WINDOWS\debug\adprep\logs\20130106223322. 

Apparently something is wrong with not being able to merge the security descriptors on some AD objects.

Rings a bell?
Question by:atak2983

Expert Comment

by:Sushil Sonawane
ID: 38749354
Adprep requires access to existing information across the field from the infrastructure master to complete this operation.

Make sure your infrastructure master server is online.

For more info, refer to the links below; they might help you out.

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e23689f9-b893-4256-932e-5b604e313b80/

http://blogs.technet.com/b/askds/archive/2008/12/15/troubleshooting-adprep-errors.aspx

Accepted Solution

by:atak2983
ID: 38755659
Thanks for your help

Running a DCDIAG /V, I actually see some errors which I guess I should correct before going further...
Performing initial setup:
   * Verifying that the local machine MY-PDC, is a DC.
   * Connecting to directory service on server MY-PDC.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.
 
Doing initial required tests
  
   Testing server: Premier-Site-par-defaut\MY-PDC
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... MY-PDC passed test Connectivity
 
Doing primary tests
  
   Testing server: Premier-Site-par-defaut\MY-PDC
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=mydom,DC=ch
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=mydom,DC=ch
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=mydom,DC=ch
               Latency information for 6 entries in the vector were ignored.
                 6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=mydom,DC=ch
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=mydom,DC=ch
               Latency information for 6 entries in the vector were ignored.
                  6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
         * Replication Site Latency Check
         ......................... MY-PDC passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC MY-PDC.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=mydom,DC=ch
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=mydom,DC=ch
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=mydom,DC=ch
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=mydom,DC=ch
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=mydom,DC=ch
            (Domain,Version 2)
         ......................... MY-PDC passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\MY-PDC\netlogon
         Verified share \\MY-PDC\sysvol
         ......................... MY-PDC passed test NetLogons
      Starting test: Advertising
         The DC MY-PDC is advertising itself as a DC and having a DS.
         The DC MY-PDC is advertising as an LDAP server
         The DC MY-PDC is advertising as having a writeable directory
         The DC MY-PDC is advertising as a Key Distribution Center
         The DC MY-PDC is advertising as a time server
         The DS MY-PDC is advertising as a GC.
         ......................... MY-PDC passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         Role Domain Owner = CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         Role PDC Owner = CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         Role Rid Owner = CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         ......................... MY-PDC passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 5105 to 1073741823
         * MY-PDC.mydom.ch is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 3605 to 4104
         * rIDPreviousAllocationPool is 3605 to 4104
         * rIDNextRID: 3622
         ......................... MY-PDC passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC MY-PDC on DC MY-PDC.
         * SPN found :LDAP/MY-PDC.mydom.ch/mydom.ch
         * SPN found :LDAP/MY-PDC.mydom.ch
         * SPN found :LDAP/MY-PDC
         * SPN found :LDAP/MY-PDC.mydom.ch/mydom
         * SPN found :LDAP/ea56c2b4-3a12-4eae-b4ac-3f75bfe50834._msdcs.mydom.ch
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ea56c2b4-3a12-4eae-b4ac-3f75bfe50834/mydom.ch
         * SPN found :HOST/MY-PDC.mydom.ch/mydom.ch
         * SPN found :HOST/MY-PDC.mydom.ch
         * SPN found :HOST/MY-PDC
         * SPN found :HOST/MY-PDC.mydom.ch/mydom
         * SPN found :GC/MY-PDC.mydom.ch/mydom.ch
         ......................... MY-PDC passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... MY-PDC passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         MY-PDC is in domain DC=mydom,DC=ch
         Checking for CN=MY-PDC,OU=Domain Controllers,DC=mydom,DC=ch in domain DC=mydom,DC=ch on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch in domain CN=Configuration,DC=mydom,DC=ch on 1 servers
            Object is up-to-date on all servers.
         ......................... MY-PDC passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... MY-PDC passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034FA
            Time Generated: 01/07/2013   18:51:23
            (Event String could not be retrieved)
         ......................... MY-PDC failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:36:33
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:36:34
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:41:34
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:41:34
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:46:35
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 01/08/2013   17:46:35
            (Event String could not be retrieved)
         ......................... MY-PDC failed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:24
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/08/2013   17:46:27
            (Event String could not be retrieved)
         ......................... MY-PDC failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=MY-PDC,OU=Domain Controllers,DC=mydom,DC=ch and backlink on
         CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
         are correct.
         Some objects relating to the DC MY-PDC have problems:
            [1] Problem: Missing Expected Value
             Base Object: CN=MY-PDC,OU=Domain Controllers,DC=mydom,DC=ch
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
            
            [1] Problem: Missing Expected Value
             Base Object:
            CN=NTDS Settings,CN=MY-PDC,CN=Servers,CN=Premier-Site-par-defaut,CN=Sites,CN=Configuration,DC=mydom,DC=ch
             Base Object Description: "DSA Object"
             Value Object Attribute Name: serverReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
            
         ......................... MY-PDC failed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
  
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
  
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
  
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
  
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
  
   Running partition tests on : mydom
      Starting test: CrossRefValidation
         ......................... mydom passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... mydom passed test CheckSDRefDom
  
   Running enterprise tests on : mydom.ch
      Starting test: Intersite
         Skipping site Premier-Site-par-defaut, this site is outside the scope
         provided by the command line arguments provided.
         ......................... mydom.ch passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\MY-PDC.mydom.ch
         Locator Flags: 0xe00003fd
         PDC Name: \\MY-PDC.mydom.ch
         Locator Flags: 0xe00003fd
         Time Server Name: \\MY-PDC.mydom.ch
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\MY-PDC.mydom.ch
         Locator Flags: 0xe00003fd
         KDC Name: \\MY-PDC.mydom.ch
         Locator Flags: 0xe00003fd
         ......................... mydom.ch passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS

I have looked into the linked KB article but I must confess that I am not too sure which case would apply in my situation. Can you shed some light?

Author Closing Comment

by:atak2983
ID: 38848338
I finally managed to solve my issue by manually re-creating missing entries in the AD...
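
Added example, not part of the original thread and not Microsoft tooling: a Python triage of the adprep log posted in the question, showing how to find which directory entry is actually missing before re-creating anything. It matches only API names, hex result codes and DNs, so the French log parses unchanged; the function names are hypothetical, the sample is an excerpt of the log above, and treating noSuchObject on cn=Operations entries as benign is an assumption based on the log's own status text.

```python
import re

# Standard LDAP result codes (RFC 4511) that matter for this log.
LDAP_RESULTS = {0x00: "success", 0x20: "noSuchObject",
                0x32: "insufficientAccessRights", 0x44: "entryAlreadyExists"}

# Locale-independent patterns: API name, hex code and DN only.
RESULT_RE = re.compile(r"(ldap_\w+)\(\)\s.*\b0x([0-9a-fA-F]+)\s*$")
ANNOUNCE_RE = re.compile(r"(ldap_\w+)\(\)\.\s.*?\b((?:cn|ou|dc)=.+?)\.?\s*$", re.I)
BEST_MATCH_RE = re.compile(r"best match of:\s*'([^']+)'")
# Assumption: entries here are adprep's "has this operation already run?" markers.
OPERATIONS_SUFFIX = ",cn=operations,cn=domainupdates,cn=system,"

# Excerpt of the log from the question (timestamps omitted).
SAMPLE = """\
Adprep était sur le point d’appeler l’API LDAP suivante. ldap_search_s(). L’entrée de base pour lancer la recherche est cn=a1789bfb-e0a2-4739-8cc0-e77d892d080a,cn=Operations,cn=DomainUpdates,cn=System,DC=mydom,DC=ch.
L’API LDAP ldap_search_s() s’est terminée, le code renvoyé est 0x20
Adprep était sur le point d’appeler l’API LDAP suivante. ldap_search_s(). L’entrée de base pour lancer la recherche est CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydom,DC=ch.
L’API LDAP ldap_search_s() s’est terminée, le code renvoyé est 0x20
Code d’erreur : 0x20. Code d’erreur étendue du serveur : 0x208d, Message d’erreur du serveur : 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
\t'CN=File Replication Service,CN=System,DC=mydom,DC=ch'
"""

def parse_calls(log_text):
    """Pair each announced LDAP call with its result: list of (api, dn, code)."""
    calls, pending_dn = [], None
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            calls.append((m.group(1), pending_dn, int(m.group(2), 16)))
            pending_dn = None
            continue
        m = ANNOUNCE_RE.search(line)
        if m:
            pending_dn = m.group(2)
    return calls

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def missing_rdns(target_dn, best_match_dn):
    """RDNs of target_dn below the deepest ancestor the server says exists."""
    target, best = split_dn(target_dn), split_dn(best_match_dn)
    tail = [p.lower() for p in target[len(target) - len(best):]]
    if len(best) > len(target) or tail != [p.lower() for p in best]:
        return []  # reported best match is not an ancestor of the target
    return target[:len(target) - len(best)]

def triage(log_text):
    """Return (failed calls that matter, RDNs missing for the last of them)."""
    fatal = []
    for api, dn, code in parse_calls(log_text):
        if code == 0 or dn is None:
            continue
        # Marker lookups returning noSuchObject only mean "operation not run yet".
        if code == 0x20 and OPERATIONS_SUFFIX in dn.lower():
            continue
        fatal.append({"api": api, "dn": dn,
                      "result": LDAP_RESULTS.get(code, hex(code))})
    best = BEST_MATCH_RE.search(log_text)
    missing = missing_rdns(fatal[-1]["dn"], best.group(1)) if fatal and best else []
    return fatal, missing

if __name__ == "__main__":
    failed, absent = triage(SAMPLE)
    print(failed, absent)
```

On this excerpt the only failure that matters is the search for the SYSVOL FRS object, and the missing RDN is the same "SYSVOL FRS Member Object" area that the DCDIAG VerifyReferences test flags.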