Adprep and DCPROMO Error when upgrading from 2003 to 2008 r2

I Am Upgrading my domain to server 2008 r2 I have ran the following:

ADPREP /FORESTPREP
ADPREP /DOMAINPREP
ADPREP /DOMAINPREP /GPPREP
ADPREP /RODCPREP

When I run ADPREP /RDCPREP I get errors that you can see in the log at the bottom of the post on the 2008 r2 machine when I run DCPROMO any help would be appreciated.



****LOG STARTS NOW****
Adprep created the log file ADPrep.log under C:\WINDOWS\debug\adprep\logs\20141101142915 directory.



Adprep connected to the domain FSMO: WallachBethFS.wallachbeth.local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).



LDAP API ldap_search_s() finished, return code is 0x0



Adprep successfully retrieved information from the local Active Directory Domain Services.



Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



==============================================================================

Adprep found partition DC=DomainDnsZones,DC=wallachbeth,DC=local, and is about to update the permissions.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



Adprep connected to a replica DC WallachBethFS.wallachbeth.local that holds partition DC=DomainDnsZones,DC=wallachbeth,DC=local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=DomainDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=DomainDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=DomainDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=0273d441-cc89-45e1-8f77-6ea55c3ada99,CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_modify_s() finished, return code is 0x33



Adprep failed the operation on partition DC=DomainDnsZones,DC=wallachbeth,DC=local. Skipping to next partition.

==============================================================================



==============================================================================

Adprep found partition DC=ForestDnsZones,DC=wallachbeth,DC=local, and is about to update the permissions.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



Adprep connected to a replica DC WallachBethFS.wallachbeth.local that holds partition DC=ForestDnsZones,DC=wallachbeth,DC=local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=ForestDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=ForestDnsZones,DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=ForestDnsZones,DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=73620c7c-9952-4b60-8bd5-2ffc8c86781c,CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_modify_s() finished, return code is 0x33



Adprep failed the operation on partition DC=ForestDnsZones,DC=wallachbeth,DC=local. Skipping to next partition.

==============================================================================



==============================================================================

Adprep found partition DC=wallachbeth,DC=local, and is about to update the permissions.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=wallachbeth,DC=local.



LDAP API ldap_search_s finished, return code is 0x0



Adprep connected to the Infrastructure FSMO: WallachBethFS.wallachbeth.local.



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=wallachbeth,DC=local.



LDAP API ldap_search_s() finished, return code is 0x0



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=wallachbeth,DC=local.



LDAP API ldap_modify_ext_s() finished, return code is 0x0



Adprep successfully modified the security descriptor on object DC=wallachbeth,DC=local.

[Status/Consequence]

Adprep merged the existing security descriptor with the new access control entry (ACE).



Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=WALLACHBETH,CN=Partitions,CN=Configuration,DC=wallachbeth,DC=local.



LDAP API ldap_modify_s() finished, return code is 0x33



Adprep failed the operation on partition DC=wallachbeth,DC=local. Skipping to next partition.

==============================================================================



Adprep completed with errors. Not all partitions are updated. See the ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20141101142915 directory for more information.



To successfully update all partititions, the current logged on user needs to be a member of Enterprise Admins group.  If that is not the case, please correct the problem, and then restart Adprep.
LLUIGIAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

it_saigeDeveloperCommented:
Have you made sure that your user is a member of the Enterprise Admins group.  Also, make sure that your user is a member of Schema Admins.

-saige-
0
LLUIGIAuthor Commented:
Yes I am good on that front
0
it_saigeDeveloperCommented:
Also if you are not planning on deploying a Read-Only Domain Controller, there is no need to run ADPREP /RODCPREP.

-saige-
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

LLUIGIAuthor Commented:
ok then that is the only error we received in the process so far why is DCPROMO asking for adprep again?
0
LLUIGIAuthor Commented:
I have noticed that replication between my 2 2003 Server is now reporting a mismatch error. when I run DCPROMO it still requests ADPREP To be ran
0
it_saigeDeveloperCommented:
Which ADPREP did you run (DVD location)?  Did you run ADPREP on your 2003 domain controller?  Does the 2003 domain controller hold all of the FSMO roles?

-saige-
0
JAN PAKULAICT Infranstructure ManagerCommented:
Hi

it looks like this


Adprep /rodcprep will log an error if the infrastructure master for an application directory partition is not available

If the domain controller that holds the infrastructure operations master (also known as flexible single master operations or FSMO) role for an application directory partition is not available when you run the adprep /rodcprep command to prepare a forest for an RODC, the command can return an error. The error is logged in the Adprep.log file, and it indicates that Adprep failed an operation on the application directory partition that is named in the error. By default, domain controllers have application directory partitions for DNS.
The infrastructure operations master role holder for each application directory partition must be online when you run adprep /rodcprep. If the role holder is not online, which could happen if the domain controller that hosted the role was forcefully demoted without performing metadata cleanup, then adprep /rodcprep can log the error.
noteNote
The infrastructure operations master role for an application directory partition is not the same as the infrastructure operations master role for a domain partition.
For more information about fixing this issue, see article 949257 in the Microsoft Knowledge base (http://go.microsoft.com/fwlink/?LinkID=114419).

from

http://technet.microsoft.com/en-gb/library/2a325aca-db4f-4004-a5d7-8703082d8702(v=ws.10)#BKMK_RodcprepError
0
JAN PAKULAICT Infranstructure ManagerCommented:
that said if you dont  plan to use rodc you can disregard this message
0
LLUIGIAuthor Commented:
ok thank you but what does that have to do with the DCPROMO error asking to run ADPREP /FORESTPREP on the DC that holds the FSMO Roles when that already has been done successfully?
0
LLUIGIAuthor Commented:
rodc is out I just need to clear up DCPROMO Error so I can move forward.
0
LLUIGIAuthor Commented:
please see attached adprep log file  
ADPrep.log
0
it_saigeDeveloperCommented:
On the server that you ran ADPREP from:
1.  Click Start, click Run, type cmd in the Open box, and then press ENTER.
2.  Type ntdsutil, and then press ENTER.
3.  Type rol, and then press ENTER.
4.  Type con, and then press ENTER.
5.  Type con to ser localhost, and then press ENTER.
6.  Type quit, and then press ENTER.
7.  Type sel op tar, and then press ENTER.
8.  Type li ro for con ser, and then press ENTER.

Please provide the output from running list roles for connected server

Example output:Capture.JPG
-saige-
0
it_saigeDeveloperCommented:
Based on your ADPREP.LOG.  Run the following command and provide the output please:

DSACLS "CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=wallachbeth,DC=local"

-saige-
0
it_saigeDeveloperCommented:
One other thing.  The ADPREP.log you provided only gives schema updated to 44.  Schema needs to be updated to 47 for 2008 R2 to be joined to the domain.  Again, which ADPREP did you use?

-saige-
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
it_saigeDeveloperCommented:
Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the \sources\adprep folder,

and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder.

You must run adprep from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Source

To complete the required operations, you must run the Adprep.exe commands that are listed in the following table. You must run adprep /forestprep before you run other commands. Some commands must be run on specific domain controllers, as indicated in the table. None of the commands requires a restart of the server after the operation is complete. The remaining sections in this topic contain more details about each command.
Source

-saige-
0
compdigit44Commented:
Below is how to tell if Forestprep was run in your environment. I would suggest runn this on the server with the schema role.. Also can you paste the results of the following command:   repadmin /showrepl

To verify that adprep /forestprep completed successfully


1.Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.


2.Click Start, click Run, type ADSIEdit.msc, and then click OK.


3.Click Action, and then click Connect to.


4.Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.


5.Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain

where forest_root_domain is the distinguished name of your forest root domain.


6.Double-click CN=ForestUpdates.


7.Right-click CN=ActiveDirectoryUpdate, and then click  Properties.


8.If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click  OK.

If you ran adprep /forestprep for Windows Server 2008, confirm that the Revision attribute value is 2, and then click  OK.


9.Click ADSI Edit, click Action, and then click Connect to.


10.Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.


11.Double-click Schema.


12.Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties

where forest_root_domain is the distinguished name of your forest root domain.


13.If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.

If you ran adprep /forestprep for Windows Server 2008, confirm that the objectVersion attribute value is set to 44, and then click OK.
0
Seth SimmonsSr. Systems AdministratorCommented:
seems you are using adprep from 2008 media while putting in a 2008 R2 server; that would cause this to happen
as mentioned, the schema needs to be at 47 while yours is at 44 (2008 level)
you run dcpromo on the 2008 R2 server and says you need to run adprep because it's at 2008 level, not 2008 R2
if your 2003 server is 32bit, run adprep32 there from the R2 media
0
LLUIGIAuthor Commented:
I used the ADPREP from the 2008 r2 dvd (Successful)
and then I contacted MS and they sent me a link for the x86 version which I tried to run but said it already has ran
0
LLUIGIAuthor Commented:
Will I be able to run ADPREP again if I use the ADPREP from the 2008 r2 \sources\adprep\
0
Seth SimmonsSr. Systems AdministratorCommented:
are you certain it is R2 media before?
the adprep log shows sch44.ldf as the last file it processed which is for 2008; it should have gone through sch47.ldf for R2
as i said, if your 2003 server is 32bit, use adprep32; adprep won't work there since it's 64bit binary
0
it_saigeDeveloperCommented:
You should only need to run ADPREP once per domain.  You don't need to run it on each server unless you have your FSMO roles segregated, then in that case you would run:
1.  ADPREP /FORESTPREP on your Schema Operations Master (Once for the entire forest)
2.  ADPREP /DOMAINPREP on your Infrastructure Operations Masters (Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain.)
3.  ADPREP /DOMAINPREP /GPPREP on your Infrastructure Operations Masters (Once in each domain within the forest).  Note:  If you already ran the /gpprep parameter for Windows Server 2003, you do not have to run it again for later versions of Windows Server.

Now I would recommend that we get a state of the domain since you have successfully ran adprep.  compdigit44 gave instructions on how to check your schema level here: Check Schema Instructions.

-saige-
0
LLUIGIAuthor Commented:
OK I have adprep32 running now
0
LLUIGIAuthor Commented:
Inadvertently downloaded Server 2008 not Server 2008 r2 all is correct now. Thank you
0
LLUIGIAuthor Commented:
Server "localhost" knows about 5 roles
Schema - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Co
nfiguration,DC=wallachbeth,DC=local
Domain - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Co
nfiguration,DC=wallachbeth,DC=local
PDC - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Confi
guration,DC=wallachbeth,DC=local
RID - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sites,CN=Confi
guration,DC=wallachbeth,DC=local
Infrastructure - CN=NTDS Settings,CN=WALLACHBETHFS,CN=Servers,CN=100-Wall,CN=Sit
es,CN=Configuration,DC=wallachbeth,DC=local
select operation target:
0
it_saigeDeveloperCommented:
Not a problem.  Glad you have it all sorted out now.

-saige-
0
LLUIGIAuthor Commented:
Checked Schema Level and the correct values 5 and 47 have been confirmed thanks again
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.