Solved

Adprep and DCPROMO Error when upgrading from 2003 to 2008 r2

Posted on 2014-11-01
Last Modified: 2014-11-03
I am upgrading my domain to Server 2008 R2. I have run the following:

ADPREP /FORESTPREP
ADPREP /DOMAINPREP
ADPREP /DOMAINPREP /GPPREP
ADPREP /RODCPREP

When I run ADPREP /RODCPREP I get errors that you can see in the log at the bottom of the post on the 2008 R2 machine when I run DCPROMO. Any help would be appreciated.



****LOG STARTS NOW****
Adprep created the log file ADPrep.log under C:\WINDOWS\debug\adprep\logs\20141101142915 directory.



Adprep connected to the domain FSMO: WallachBethFS.wallachbeth.local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).



LDAP API ldap_search_s() finished, return code is 0x0



Adprep successfully retrieved information from the local Active Directory Domain Services.



Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



==============================================================================

Adprep found partition DC=DomainDnsZones,DC=wallachbeth,DC=local, and is about to update the permissions.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



Adprep connected to a replica DC WallachBethFS.wallachbeth.local that holds partition DC=DomainDnsZones,DC=wallachbeth,DC=local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=DomainDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=DomainDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=0273d441-cc89-45e1-8f77-6ea55c3ada99,CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_modify_s() finished, return code is 0x33



Adprep failed the operation on partition DC=DomainDnsZones,DC=wallachbeth,DC=local. Skipping to next partition.

==============================================================================



==============================================================================

Adprep found partition DC=ForestDnsZones,DC=wallachbeth,DC=local, and is about to update the permissions.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



Adprep connected to a replica DC WallachBethFS.wallachbeth.local that holds partition DC=ForestDnsZones,DC=wallachbeth,DC=local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=ForestDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=ForestDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=73620c7c-9952-4b60-8bd5-2ffc8c86781c,CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_modify_s() finished, return code is 0x33



Adprep failed the operation on partition DC=ForestDnsZones,DC=wallachbeth,DC=local. Skipping to next partition.

==============================================================================



==============================================================================

Adprep found partition DC=wallachbeth,DC=local, and is about to update the permissions.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



Adprep connected to the Infrastructure FSMO: WallachBethFS.wallachbeth.local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=WALLACHBETH,CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_modify_s() finished, return code is 0x33



Adprep failed the operation on partition DC=wallachbeth,DC=local. Skipping to next partition.

==============================================================================



Adprep completed with errors. Not all partitions are updated. See the ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20141101142915 directory for more information.



To successfully update all partititions, the current logged on user needs to be a member of Enterprise Admins group.  If that is not the case, please correct the problem, and then restart Adprep.
Question by:LLUIGI
26 Comments
 
LVL 32

Expert Comment

by:it_saige
ID: 40417530
Have you made sure that your user is a member of the Enterprise Admins group?  Also, make sure that your user is a member of Schema Admins.

-saige-
0
 

Author Comment

by:LLUIGI
ID: 40417532
Yes, I am good on that front.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40417533
Also if you are not planning on deploying a Read-Only Domain Controller, there is no need to run ADPREP /RODCPREP.

-saige-
0
 

Author Comment

by:LLUIGI
ID: 40417539
OK, then that is the only error we received in the process so far. Why is DCPROMO asking for adprep again?
0
 

Author Comment

by:LLUIGI
ID: 40417541
I have noticed that replication between my 2 2003 servers is now reporting a mismatch error. When I run DCPROMO it still requests ADPREP to be run.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40417544
Which ADPREP did you run (DVD location)?  Did you run ADPREP on your 2003 domain controller?  Does the 2003 domain controller hold all of the FSMO roles?

-saige-
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40417549
Hi

it looks like this


Adprep /rodcprep will log an error if the infrastructure master for an application directory partition is not available

If the domain controller that holds the infrastructure operations master (also known as flexible single master operations or FSMO) role for an application directory partition is not available when you run the adprep /rodcprep command to prepare a forest for an RODC, the command can return an error. The error is logged in the Adprep.log file, and it indicates that Adprep failed an operation on the application directory partition that is named in the error. By default, domain controllers have application directory partitions for DNS.
The infrastructure operations master role holder for each application directory partition must be online when you run adprep /rodcprep. If the role holder is not online, which could happen if the domain controller that hosted the role was forcefully demoted without performing metadata cleanup, then adprep /rodcprep can log the error.
Note:
The infrastructure operations master role for an application directory partition is not the same as the infrastructure operations master role for a domain partition.
For more information about fixing this issue, see article 949257 in the Microsoft Knowledge base (http://go.microsoft.com/fwlink/?LinkID=114419).

from

http://technet.microsoft.com/en-gb/library/2a325aca-db4f-4004-a5d7-8703082d8702(v=ws.10)#BKMK_RodcprepError
0
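The condition described in the quoted documentation can be checked directly by reading the `fSMORoleOwner` attribute of `CN=Infrastructure` in each partition. The following is an added example, not part of the original post or of Microsoft's article; it assumes the default `DomainDnsZones` and `ForestDnsZones` partition names that appear in the log above, and the function name is hypothetical.

```powershell
# Added example: report the infrastructure master recorded for the domain
# partition and the two default DNS application partitions.
# Assumption: run on a domain-joined machine by a user who can read
# these partitions. Written to work on PowerShell 2.0.
function Get-InfrastructureMaster {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$rootDse.defaultNamingContext
    $forestNc = [string]$rootDse.rootDomainNamingContext

    $partitions = @(
        $domainNc,
        "DC=DomainDnsZones,$domainNc",
        "DC=ForestDnsZones,$forestNc"
    )

    foreach ($nc in $partitions) {
        $path   = "LDAP://CN=Infrastructure,$nc"
        $owner  = $null
        $dcName = $null
        $status = 'CN=Infrastructure object not found'

        if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
            $owner = [string]([ADSI]$path).Properties['fSMORoleOwner'].Value
            if (-not $owner) {
                $status = 'fSMORoleOwner is empty'
            }
            elseif ($owner -match '\\0ADEL:') {
                # A DN containing "\0ADEL:" refers to a deleted object, which is
                # what is left behind when a DC is removed without cleanup.
                $status = 'Owner is a deleted domain controller object'
            }
            else {
                # The owner is the DC's NTDS Settings object; its parent is the
                # server object, which carries the DNS host name.
                $serverDn = $owner -replace '^CN=NTDS Settings,', ''
                $dcName   = [string]([ADSI]"LDAP://$serverDn").Properties['dNSHostName'].Value
                $status   = 'Owner exists; confirm this DC is online'
            }
        }

        New-Object PSObject -Property @{
            Partition     = $nc
            RoleOwner     = $owner
            OwnerHostName = $dcName
            Status        = $status
        } | Select-Object Partition, OwnerHostName, Status, RoleOwner
    }
}

Get-InfrastructureMaster | Format-List
```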
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40417551
That said, if you don't plan to use RODC you can disregard this message.
0
 

Author Comment

by:LLUIGI
ID: 40417559
OK, thank you, but what does that have to do with the DCPROMO error asking to run ADPREP /FORESTPREP on the DC that holds the FSMO roles when that has already been done successfully?
0
 

Author Comment

by:LLUIGI
ID: 40417560
RODC is out. I just need to clear up the DCPROMO error so I can move forward.
0
 

Author Comment

by:LLUIGI
ID: 40417562
Please see the attached adprep log file.
ADPrep.log
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40417570
On the server that you ran ADPREP from:
1.  Click Start, click Run, type cmd in the Open box, and then press ENTER.
2.  Type ntdsutil, and then press ENTER.
3.  Type rol, and then press ENTER.
4.  Type con, and then press ENTER.
5.  Type con to ser localhost, and then press ENTER.
6.  Type quit, and then press ENTER.
7.  Type sel op tar, and then press ENTER.
8.  Type li ro for con ser, and then press ENTER.

Please provide the output from running list roles for connected server

Example output:Capture.JPG
-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40417579
Based on your ADPREP.LOG, run the following command and provide the output please:

DSACLS "CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=wallachbeth,DC=local"

-saige-
0
 
LVL 32

Accepted Solution

by:
it_saige earned 500 total points
ID: 40417583
One other thing.  The ADPREP.log you provided only gives schema updated to 44.  Schema needs to be updated to 47 for 2008 R2 to be joined to the domain.  Again, which ADPREP did you use?

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40417606
Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the \sources\adprep folder,

and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder.

You must run adprep from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Source

To complete the required operations, you must run the Adprep.exe commands that are listed in the following table. You must run adprep /forestprep before you run other commands. Some commands must be run on specific domain controllers, as indicated in the table. None of the commands requires a restart of the server after the operation is complete. The remaining sections in this topic contain more details about each command.
Source

-saige-
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40418297
Below is how to tell if Forestprep was run in your environment. I would suggest running this on the server with the schema role. Also, can you paste the results of the following command:   repadmin /showrepl

To verify that adprep /forestprep completed successfully


1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.

2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

3. Click Action, and then click Connect to.

4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.

5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain

   where forest_root_domain is the distinguished name of your forest root domain.

6. Double-click CN=ForestUpdates.

7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.

8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.

   If you ran adprep /forestprep for Windows Server 2008, confirm that the Revision attribute value is 2, and then click OK.

9. Click ADSI Edit, click Action, and then click Connect to.

10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.

11. Double-click Schema.

12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties

    where forest_root_domain is the distinguished name of your forest root domain.

13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.

    If you ran adprep /forestprep for Windows Server 2008, confirm that the objectVersion attribute value is set to 44, and then click OK.
0
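The same two values can be read without clicking through ADSIEdit. This is an added example, not part of the original post; the function name is hypothetical, and the expected values are the ones given in the steps above (a higher value is treated as passing, which is an assumption of this example).

```powershell
# Added example: read the schema objectVersion and the ForestUpdates Revision
# that the ADSIEdit steps above check by hand.
# Assumption: run on a domain-joined machine by a user who can read the
# Schema and Configuration partitions. Written to work on PowerShell 2.0.
function Get-ForestPrepLevel {
    param(
        [ValidateSet('2008', '2008R2')]
        [string]$Target = '2008R2'
    )

    # Expected values as listed in the verification steps.
    $expected = @{
        '2008'   = @{ ObjectVersion = 44; Revision = 2 }
        '2008R2' = @{ ObjectVersion = 47; Revision = 5 }
    }

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext
    $configNc = [string]$rootDse.configurationNamingContext

    # objectVersion lives on the head of the Schema partition.
    $objectVersion = [int]([ADSI]"LDAP://$schemaNc").Properties['objectVersion'].Value

    # CN=ActiveDirectoryUpdate may be missing if forestprep has not been run.
    $updatePath = "LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc"
    $revision   = $null
    if ([System.DirectoryServices.DirectoryEntry]::Exists($updatePath)) {
        $revision = [int]([ADSI]$updatePath).Properties['revision'].Value
    }

    $want = $expected[$Target]
    # Assumption of this example: values at or above the expected ones pass.
    $ok = ($objectVersion -ge $want.ObjectVersion) -and
          ($null -ne $revision) -and ($revision -ge $want.Revision)

    New-Object PSObject -Property @{
        Target                = $Target
        ObjectVersion         = $objectVersion
        ExpectedObjectVersion = $want.ObjectVersion
        Revision              = $revision
        ExpectedRevision      = $want.Revision
        ForestPrepComplete    = $ok
    } | Select-Object Target, ObjectVersion, ExpectedObjectVersion,
                      Revision, ExpectedRevision, ForestPrepComplete
}

Get-ForestPrepLevel -Target 2008R2 | Format-List
```

The values come from whichever domain controller answers the query, so a replica that has not yet received the schema update can still report the old numbers.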
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40418664
Seems you are using adprep from 2008 media while putting in a 2008 R2 server; that would cause this to happen.
As mentioned, the schema needs to be at 47 while yours is at 44 (2008 level).
You run dcpromo on the 2008 R2 server and it says you need to run adprep because it's at 2008 level, not 2008 R2.
If your 2003 server is 32-bit, run adprep32 there from the R2 media.
0
 

Author Comment

by:LLUIGI
ID: 40419389
I used the ADPREP from the 2008 R2 DVD (successful),
and then I contacted MS and they sent me a link for the x86 version, which I tried to run, but it said it had already been run.
0
 

Author Comment

by:LLUIGI
ID: 40419405
Will I be able to run ADPREP again if I use the ADPREP from the 2008 R2 \sources\adprep\ folder?
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40419457
Are you certain it was R2 media before?
The adprep log shows sch44.ldf as the last file it processed, which is for 2008; it should have gone through sch47.ldf for R2.
As I said, if your 2003 server is 32-bit, use adprep32; adprep won't work there since it's a 64-bit binary.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40419461
You should only need to run ADPREP once per domain.  You don't need to run it on each server unless you have your FSMO roles segregated, then in that case you would run:
1.  ADPREP /FORESTPREP on your Schema Operations Master (Once for the entire forest)
2.  ADPREP /DOMAINPREP on your Infrastructure Operations Masters (Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain.)
3.  ADPREP /DOMAINPREP /GPPREP on your Infrastructure Operations Masters (Once in each domain within the forest).  Note:  If you already ran the /gpprep parameter for Windows Server 2003, you do not have to run it again for later versions of Windows Server.

Now I would recommend that we get a state of the domain since you have successfully run adprep.  compdigit44 gave instructions on how to check your schema level here: Check Schema Instructions.

-saige-
0
 

Author Comment

by:LLUIGI
ID: 40419464
OK, I have adprep32 running now.
0
 

Author Closing Comment

by:LLUIGI
ID: 40419514
Inadvertently downloaded Server 2008, not Server 2008 R2. All is correct now. Thank you.
0
 

Author Comment

by:LLUIGI
ID: 40419526
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Configuration,DC=wallachbeth,DC=local
Domain - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Configuration,DC=wallachbeth,DC=local
PDC - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Configuration,DC=wallachbeth,DC=local
RID - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Configuration,DC=wallachbeth,DC=local
Infrastructure - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Configuration,DC=wallachbeth,DC=local
select operation target:
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40419550
Not a problem.  Glad you have it all sorted out now.

-saige-
0
 

Author Comment

by:LLUIGI
ID: 40419676
Checked schema level, and the correct values 5 and 47 have been confirmed. Thanks again.
0
