Troubleshooting ADPREP Errors


Hi all, Rob Newhouse again, and today I am talking about errors that you may see while running ADPREP. Normally I do not like to create a laundry list of errors; however, I believe this one should be beneficial and save you some time and (maybe) money. This is a follow up to my previous post So You Want to Upgrade to Windows 2008 Domain Controllers (ADPREP).

So you have run ADPREP and it has failed. The first thing to do is open the C:\Windows\Debug\Adprep\Logs folder. Each run of ADPREP creates a separate subfolder there, named with the date and time of the run, containing an ADPrep.log.
At the bottom of the most recent log you will see what the problem was. Common failures include:

Errors Running Adprep /Forestprep

Adprep Was Unable to Extend the Schema

Adprep was unable to extend the schema.

[Status/Consequence]

The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.

[User Action]

Verify that the schema master is connected to the network and can communicate with other Active Directory Domain Controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.

Solution

This error indicates that there are AD replication problems in the environment. The replication issue must be resolved before ADPREP can continue.

To see which replication links are failing, run Repadmin /Showrepl (or the older Repadmin /Showreps) on the schema master. On Windows Server 2003, Repadmin is part of the Windows Support Tools; on Windows Server 2008 it is installed with the AD DS role. The output shows which DCs the schema master cannot replicate with.

Once you have identified the DC(s) with the problem, check from the schema master whether you can connect to both \\servername (NetBIOS name) and \\servername.contoso.local (FQDN), for example by opening \\servername\SYSVOL.

If both fail, you may have a networking problem, a broken secure channel, or a clock difference of more than 5 minutes between the two machines (the default Kerberos tolerance).

If only one fails, you have a name resolution problem: DNS for the FQDN, NetBIOS (WINS or broadcast) for the short name.

If both are successful:

On both the DC that is not replicating with the Schema Master as well as the Schema Master:

  1. In the TCP/IP properties of the network adapter, point DNS at a single, known-good DNS server
  2. At a command prompt, run Netdiag /fix (Netdiag ships with the Windows Server 2003 Support Tools and is not included with Windows Server 2008)

On the Schema Master

  1. Open Active Directory Sites and Services
  2. Expand the site that the Schema Master is in
  3. Right click on the NTDS settings under the Schema Master and choose All Tasks\Check Replication topology.
  4. Refresh the view
  5. Right click on each replication object and attempt a replication

These are just some basic troubleshooting steps. If you get an error message, go to Support.Microsoft.com and in the search type in the error message in quotes.
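As an added example (not code from the original post), the PowerShell below parses the output of repadmin /showrepl /csv, lists the partners that have outstanding failures, and encodes the short-name/FQDN decision tree described above. It assumes repadmin with /csv support (Windows Server 2003 SP1 Support Tools or later) is available on the schema master; the CSV lines in the script are a constructed sample, not a real capture.

```powershell
# Added example, not part of the original post. Parses 'repadmin /showrepl /csv'
# output and lists every inbound partner with outstanding failures, then applies
# the NetBIOS-name/FQDN test from the text to a partner.

function Get-ReplicationFailure {
    param([string[]]$CsvLines)

    # repadmin prefixes a marker column (showrepl_COLUMNS / showrepl_INFO);
    # ConvertFrom-Csv keeps it as a property that we simply ignore.
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        if ([int]$row.'Number of Failures' -gt 0) {
            New-Object PSObject -Property @{
                Partner     = $row.'Source DSA'
                Context     = $row.'Naming Context'
                Failures    = [int]$row.'Number of Failures'
                LastError   = $row.'Last Failure Status'   # Win32 code, e.g. 1722 = RPC server unavailable
                LastSuccess = $row.'Last Success Time'
            }
        }
    }
}

function Test-DcReachable {
    # Reproduces the decision tree in the text: try the NetBIOS name and the
    # FQDN against the SYSVOL share and read the combination of results.
    param([string]$ShortName, [string]$Fqdn)
    $shortOk = Test-Path -Path ("\\{0}\SYSVOL" -f $ShortName)
    $fqdnOk  = Test-Path -Path ("\\{0}\SYSVOL" -f $Fqdn)
    $verdict = if ($shortOk -and $fqdnOk) {
        'Both reachable: check DNS client settings, then force replication in Sites and Services'
    } elseif (-not $shortOk -and -not $fqdnOk) {
        'Neither reachable: network path, broken secure channel, or clock skew over 5 minutes'
    } elseif ($shortOk) {
        'FQDN failed: DNS name resolution problem'
    } else {
        'Short name failed: NetBIOS/WINS name resolution problem'
    }
    New-Object PSObject -Property @{ Partner = $Fqdn; ShortNameOk = $shortOk; FqdnOk = $fqdnOk; Verdict = $verdict }
}

# Constructed sample output: two partners, one healthy, one failing with RPC 1722.
# On a live DC replace this with:  $csv = repadmin /showrepl /csv
$csv = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,Default-First-Site-Name,ROB731,"CN=Schema,CN=Configuration,DC=Contoso,DC=local",Default-First-Site-Name,DC2,RPC,0,0,2008-08-13 15:30:02,0',
    'showrepl_INFO,Default-First-Site-Name,ROB731,"DC=Contoso,DC=local",Default-First-Site-Name,DC3,RPC,12,2008-08-13 15:32:11,2008-08-10 09:00:41,1722'
)

$failing = @(Get-ReplicationFailure -CsvLines $csv)
$failing | Format-Table Partner, Context, Failures, LastError, LastSuccess -AutoSize

# On a live DC, test each failing partner by both names (needs network access):
# foreach ($p in $failing) { Test-DcReachable -ShortName $p.Partner -Fqdn "$($p.Partner).contoso.local" }
# Clock skew against a partner can be measured with:
#   w32tm /stripchart /computer:<partner FQDN> /samples:1 /dataonly
```

With the sample above only DC3 is reported (12 failures, last error 1722); on a live schema master the same function runs over the real repadmin output.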

User Not a Member of Required Groups

Adprep detected that the logon user is not a member of the following groups: Enterprise Admins Group, Schema Admins Group and Contoso.local\Domain Admins Group.

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Enterprise Admins group, Schema Admins group and Contoso.local\Domain Admins group.

- Or -

Adprep was unable to check the current User's group membership

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Domain Admins Group, Enterprise Admins group and Schema Admins group if /forestprep is specified, or is a member of Domain Admins group if /domainprep is specified.

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied

Solution

Check your group membership. Group changes only appear in a new logon token, so log off and on again after any change. If you are a member of many nested groups, you may hit this problem because your access token is too large, not because the membership is wrong. In this case you can create a new account in Active Directory Users and Computers, make the new account a member of the Domain Admins (in the forest root domain), Enterprise Admins and Schema Admins groups only, log on to the schema master as that account and rerun the Adprep /ForestPrep command.

As an alternative to creating a new account you can

1. Increase MaxTokenSize in the registry on the machine where you log on to run ADPREP (the schema master), then reboot it so the new value takes effect

a) Open Regedit
b) Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
c) Add a new DWORD value named MaxTokenSize
d) Set it to 65535 (decimal)

or

2. Remove the account from all unnecessary groups
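The following PowerShell is an added example, not code from the original post. It inspects the current logon token for the three groups ADPREP requires, estimates the Kerberos token size with the formula from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and SID history entries, and s counts global and universal groups from the account's own domain), and can write MaxTokenSize. The 12000 default it compares against is the one used by Windows 2000 SP2 through Windows Server 2008 R2; the function names are my own.

```powershell
# Added example, not part of the original post. Run it in the session you will
# run ADPREP from, on the schema master. The registry value needs a reboot.

function Get-AdprepTokenInfo {
    param([string[]]$RequiredGroups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins'))

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSids = @($identity.Groups)

    # Resolve each SID to DOMAIN\Name; unresolvable SIDs (deleted groups,
    # SID history from a decommissioned domain) are kept as raw SID strings.
    $names = foreach ($sid in $groupSids) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }

    $missing = @()
    foreach ($g in $RequiredGroups) {
        if (-not ($names | Where-Object { $_ -like "*\$g" })) { $missing += $g }
    }

    # The token alone does not say which groups are domain local versus global,
    # so report both bounds of the KB 327825 estimate: all 's'-type (8 bytes
    # each) versus all 'd'-type (40 bytes each).
    $n = $groupSids.Count
    New-Object PSObject -Property @{
        User                = $identity.Name
        GroupCount          = $n
        MissingGroups       = $missing
        TokenSizeLowerBound = 1200 + 8 * $n
        TokenSizeUpperBound = 1200 + 40 * $n
        ExceedsDefault12000 = (1200 + 40 * $n) -gt 12000
    }
}

function Set-MaxTokenSize {
    # Writes the value from the text (65535 decimal) unless told otherwise.
    param([int]$Bytes = 65535)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'MaxTokenSize' -Value $Bytes -Type DWord
    (Get-ItemProperty -Path $key -Name 'MaxTokenSize').MaxTokenSize
}

$info = Get-AdprepTokenInfo
$info | Format-List User, GroupCount, MissingGroups, TokenSizeLowerBound, TokenSizeUpperBound, ExceedsDefault12000

# If MissingGroups is empty but the upper bound is well above 12000, the failure
# is the token size rather than the membership: either use a lean account or run
#   Set-MaxTokenSize -Bytes 65535
# as an administrator on the schema master and reboot before rerunning ADPREP.
```

Reading the result: an empty MissingGroups together with a large GroupCount points at the token-size cause described above; a non-empty MissingGroups means the account simply lacks a required group (or you have not logged off since it was added).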

ADPREP not Running on Schema Master

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]

If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.

C

Forest-wide information can only be updated on the Active Directory Domain Controller that holds the schema operations master role.

[Status/Consequence]

Adprep has stopped on this Active Directory Domain Controller and must be run on the current schema operations master, which is Rob731.Contoso.local.

[User Action]
Log on to the Rob731.Contoso.local Active Directory Domain Controller, change to the directory of adprep.exe on the installation media, and then type the following command at the command prompt to complete the forest update: adprep /forestprep

Solution

On rare occasions you may see this message even though you are on the schema master. ADPREP decides who holds the role by reading the fSMORoleOwner attribute of the schema partition, and if that value is stale (for example, it still points at the NTDS Settings object of a DC that no longer exists) the check fails. In these cases transfer the schema master role to another DC and then transfer it back to the original, which rewrites the attribute, and run Adprep /Forestprep again. See also How to view and transfer FSMO roles in the graphical user interface.

If your schema master was on another machine that was removed from Active Directory then you will have to seize the schema master Role using Ntdsutil. See also Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.

In your Adprep log you see "Error 0x80070020 (ERROR_SHARING_VIOLATION)"

Solution

This is normally caused by the real-time (on-access) scanning of an antivirus program holding open a file that ADPREP needs. To resolve the issue, temporarily disable real-time scanning on the DC where you are running ADPREP, rerun ADPREP, and re-enable the scanning as soon as it completes.

Adprep /Forestprep Fails Due To OID Conflict On Any Schema Attribute

“OID will not be changed resulting in probable failure to add a new class.”

Solution

This error happens when custom schema changes have been made, or when third-party software has extended the schema with OIDs that collide with the ones Microsoft's own schema updates use.

To resolve this issue, open the ADPREP log to see which object failed. If you know the third-party software that is using the OID, contact the vendor and determine if there is a fix. Otherwise I would recommend opening a case with Microsoft for assistance resolving this issue.

Schema update failed: An attribute with the same link identifier already exists.

This error occurs when you are trying to add or update an attribute in the schema and its link identifier is already used by another attribute. Some third-party applications modify the schema with link identifiers that Microsoft's own attributes use, and a later ADPREP schema update then collides with them.

You will see the following in the command prompt window. The key is the message about the link identifier.

Connecting to "Machine"
Logging in as current user using SSPI
Importing directory from file "D:\Sources\adprep\schXX.ldf"
Loading entriesAdd error on line 249: Unwilling To Perform
The server side error is "Schema update failed: An attribute with the same link identifier already exists."
15 entries modified successfully.
An error has occurred in the program
................
Opened Connection to Machine
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 44
ERROR: Import from file D:\Sources\adprep\sch34.ldf failed. Error file is saved in ldif.err.34.

When you look in the ldif.err.XX log you will see the attribute we are trying to add:

Entry DN: CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=Contoso,DC=local
Add error on line 249: Unwilling To Perform The server side error is "Schema update failed: An attribute with the same link identifier already exists."An error has occurred in the program."

Solution

This error indicates that a link identifier that should have been free is already in use by another attribute. In this instance please contact Microsoft for a resolution.
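Before opening the case (for either the OID conflict above or the link identifier conflict here) it helps to know which existing schema object already owns the value. The PowerShell below is an added example, not code from the original post: it pulls the attributeID and linkID of the failing entry out of the ADPREP LDIF file and queries the schema partition for the object that already uses them. The LDIF text in the script is a constructed stand-in for the entry in sch34.ldf, and both the OID 1.2.840.113556.1.4.99999 and the linkID 9999 are placeholders, not the attribute's real values.

```powershell
# Added example, not part of the original post. Extracts the OID and linkID the
# failing LDIF entry wants, then asks the live schema who already owns them.

function Get-LdifEntry {
    param([string[]]$LdifLines, [string]$Dn)
    # Collect the 'name: value' lines of the entry whose dn matches $Dn
    # (PowerShell -eq is case-insensitive). Base64 values ('name:: value') and
    # folded continuation lines are not handled; ADPREP's schema files do not need them here.
    $attrs   = @{}
    $inEntry = $false
    foreach ($line in $LdifLines) {
        if ($line -match '^dn:\s*(.+)$') { $inEntry = ($matches[1].Trim() -eq $Dn); continue }
        if (-not $inEntry) { continue }
        if ($line.Trim() -eq '') { break }                 # a blank line ends the entry
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') { $attrs[$matches[1]] = $matches[2].Trim() }
    }
    $attrs
}

function Get-Prop($result, $name) {
    # DirectorySearcher returns lower-cased property names; absent ones give ''.
    if ($result.Properties.Contains($name)) { [string]$result.Properties[$name][0] } else { '' }
}

function Find-SchemaObject {
    # Live schema query via ADSI (needs a DC). Finds attributes or classes by OID
    # (attributeID / governsID), or attributes by linkID.
    param([string]$Oid, [int]$LinkId)
    $filter = if ($LinkId) { "(&(objectClass=attributeSchema)(linkID=$LinkId))" } else { "(|(attributeID=$Oid)(governsID=$Oid))" }
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + [string]$rootDse.schemaNamingContext)
    $searcher.Filter = $filter
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('lDAPDisplayName', 'attributeID', 'governsID', 'linkID'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name   = Get-Prop $r 'ldapdisplayname'
            Oid    = (Get-Prop $r 'attributeid') + (Get-Prop $r 'governsid')
            LinkId = Get-Prop $r 'linkid'
        }
    }
}

# Constructed stand-in for the failing entry in sch34.ldf (placeholder OID and linkID).
$ldif = @(
    'dn: CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=Contoso,DC=local',
    'changetype: add',
    'objectClass: attributeSchema',
    'lDAPDisplayName: msPKIAccountCredentials',
    'attributeID: 1.2.840.113556.1.4.99999',
    'linkID: 9999',
    ''
)

$entry = Get-LdifEntry -LdifLines $ldif -Dn 'CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=Contoso,DC=local'
'Failing entry wants attributeID {0} and linkID {1}' -f $entry['attributeID'], $entry['linkID']

# On the schema master, identify the current owner of each value:
#   Find-SchemaObject -LinkId ([int]$entry['linkID'])   # link identifier conflict
#   Find-SchemaObject -Oid $entry['attributeID']        # OID conflict
```

For a real run, read the file with Get-Content and pass the DN from the "Entry DN:" line of ldif.err.XX; the lDAPDisplayName of the object that comes back is what you give the vendor or Microsoft.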

Errors Running Adprep /Domainprep

Forestprep Not Run Or Not Recognized As Having Been Run

Running domainprep ...
Forest-wide information needs to be updated before the domain-wide information can be updated.

[User Action] 

Log on to the schema master Rob731.Contoso.local for this forest, run the following command from the installation media to complete the forest update first:  adprep.exe /forestprep and then rerun adprep.exe /domainprep on infrastructure master again.

Solution

This problem can happen if you have not run Adprep /Forestprep yet, or if replication is broken and you are running Domainprep on a DC, or in a domain, that has not yet received the forest changes from the schema master. To resolve this issue either run Adprep /Forestprep or resolve the replication issue, depending on the situation.

Not In Windows 2000/2003 Native Mode

Adprep detected that the domain is not in native mode

[Status/Consequence]

Adprep has stopped without making changes.

[User Action] 

Configure the domain to run in native mode and re-run domainprep

Solution

Raise the domain functional level to at least Windows 2000 native. Raising the functional level is a one-way change, and it requires that no Windows NT 4.0 backup domain controllers remain in the domain.

1)    Open Active Directory Users and Computers
2)    Right click on your domain name and select Raise Domain Functional Level
3)    Use the drop down to select Windows 2000 native
4)    Click Raise

Unable To Contact Infrastructure Master

Adprep was unable to check the domain update status.

[Status/Consequence]

Adprep queries the directory to see if the domain has already been prepared. If the information is unavailable or unknown, Adprep proceeds without attempting this operation. 

[User Action] 

Restart Adprep and check the ADPrep.log file. Verify in the log file that this domain has already been successfully prepared.
Adprep encountered a Win32 error.  Error code: 0x3a Error message: The specified server cannot perform the requested operation..
Solution

Check connectivity from the DC running ADPREP to the Infrastructure Master, by both \\servername and \\servername.fqdn, and confirm which DC holds the role with Netdom Query FSMO.

Errors Running Adprep /Domainprep /Gpprep

Once Adprep /Domainprep has completed there is really only one error left that you can get. Adprep /Domainprep /Gpprep, run after the normal Domainprep, only sets permissions on the Group Policy folders in SYSVOL (it adds a read ACE for Enterprise Domain Controllers so that RSoP planning works across domains). Below is the error you receive if those folders are inaccessible.

Group Policies Missing Or Inaccessible

Adprep was unable to complete because the call back function failed. 

[Status/Consequence]

Error message: (null)

[User Action] 

Check the log file ADPrep.log, in the C:\WINDOWS\debug\adprep\logs\20080806171216 directory for more information

Solution

Check to make sure that the %SystemRoot%\SYSVOL\sysvol\<domain>\Policies\{6ac…………..} and {31b…………….} folders (the Default Domain Controllers Policy and the Default Domain Policy) exist and are accessible. If either or both are missing and you have a backup of these folders, restore them. If you do not have a backup and the folders are not in an NTFRS_Policies folder, then contact Microsoft for assistance in recreating the folders.
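As an added example (not code from the original post), the PowerShell below enumerates every GPO container in the domain, checks that its SYSVOL folder (the gPCFileSysPath attribute) exists, and reports whether the Enterprise Domain Controllers read ACE that /gpprep adds is present. It assumes it is run on a DC, as a domain administrator, with ADSI and SYSVOL access; the function names are mine.

```powershell
# Added example, not part of the original post. Walks CN=Policies,CN=System and
# verifies each GPO's SYSVOL folder before (and after) running /gpprep.

function Get-Prop($result, $name) {
    # DirectorySearcher returns lower-cased property names; absent ones give ''.
    if ($result.Properties.Contains($name)) { [string]$result.Properties[$name][0] } else { '' }
}

function Test-GpoSysvol {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://CN=Policies,CN=System,' + $domainNc)
    $searcher.Filter = '(objectClass=groupPolicyContainer)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('displayName', 'cn', 'gPCFileSysPath'))

    foreach ($r in $searcher.FindAll()) {
        $path   = Get-Prop $r 'gpcfilesyspath'
        $exists = ($path -ne '') -and (Test-Path -Path $path)
        $edcAce = $false
        if ($exists) {
            # S-1-5-9 resolves to NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS; -like is case-insensitive.
            $edcAce = [bool]((Get-Acl -Path $path).Access |
                Where-Object { $_.IdentityReference.Value -like '*\Enterprise Domain Controllers' })
        }
        New-Object PSObject -Property @{
            Name   = Get-Prop $r 'displayname'
            Guid   = Get-Prop $r 'cn'
            Path   = $path
            Exists = $exists
            EdcAce = $edcAce
        }
    }
}

$gpos = @(Test-GpoSysvol)
$gpos | Format-Table Name, Guid, Exists, EdcAce, Path -AutoSize

# The two default policies are the ones the Solution above asks about; flag them if absent.
foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    $g = $gpos | Where-Object { $_.Name -eq $name }
    if (-not $g)            { "MISSING GPO object: $name" }
    elseif (-not $g.Exists) { "MISSING SYSVOL folder for $name : $($g.Path)" }
}
```

Any row with Exists False is a folder /gpprep cannot re-ACL and is the one to restore; after a successful /gpprep every existing folder should show EdcAce True.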

Errors Running Adprep /Rodcprep

Adprep /Rodcprep Fails Due To Insufficient Permissions

Adprep connected to the domain FSMO: Rob731.Contoso.local.

Adprep found partition DC=ForestDnsZones,DC=Contoso,DC=local, and is about to update the permissions.

Adprep connected to a replica DC Rob731.Contoso.local that holds partition DC=ForestDnsZones,DC=Contoso,DC=local.

Adprep was unable to modify the security descriptor on object DC=ForestDnsZones,DC=Contoso,DC=local.

[Status/Consequence] 

ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[User Action] 

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080813153240 directory for more information.
Adprep encountered an LDAP error.  Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151D54, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Adprep failed the operation on partition DC=ForestDnsZones,DC=Contoso,DC=local. Skipping to next partition.

Solution

You will see the same error for other partitions, such as DC=DomainDnsZones,DC=Contoso,DC=local, as well. To fix this issue, make sure the account you run ADPREP with is a member of the Enterprise Admins and Domain Admins groups, and log off and on again after any change so the membership is in your token.

Adprep /Rodcprep Fails Because It Cannot Connect To Domain Naming Master

Adprep could not contact the Domain Naming FSMO to read the partitions. The Domain Naming FSMO must be reachable for this operation to proceed. 

[Status/Consequence]

The Active Directory Domain Services DNS partitions are not prepared for Read Only DCs.

[User Action] 

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080813175105 directory for possible cause of failure.
Adprep encountered a Win32 error.  Error code: 0x54b Error message: The specified domain either does not exist or could not be contacted..

Solution

This error indicates that ADPREP cannot reach the domain naming master. Verify that you can contact the Domain Naming Master for the forest. You can see which DC holds the role in Active Directory Domains and Trusts (right click the root node and choose Operations Master) or with Netdom Query FSMO.

Adprep /Rodcprep Fails Because It Cannot Connect To Infrastructure Master

Adprep found partition DC=Contoso,DC=local, and is about to update the permissions.
Adprep could not contact the Infrastructure FSMO for domain DC=Contoso,DC=local. The Infrastructure FSMO must be reachable for this operation to proceed. 

[Status/Consequence]

The Active Directory Domain Services DNS partitions are not prepared for Read Only DCs.

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080814090356 directory for possible cause of failure.
Adprep encountered a Win32 error.  Error code: 0x3a Error message: The specified server cannot perform the requested operation..
Adprep failed the operation on partition DC=Contoso,DC=local. Skipping to next partition.

Adprep completed with errors. Not all partitions are updated. See the ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080814090356 directory for more information. To successfully update all partitions, the current logged on user needs to be a member of Enterprise Admins group. If that is not the case, please correct the problem, and then restart Adprep.

Solution

On the schema master run the following command:

Netdom Query FSMO

You should see all five FSMO roles, including the Infrastructure Master. Once you know which DC holds it, check from the DC running ADPREP that you can connect to both \\servername and \\servername.fqdn of the Infrastructure Master.
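The PowerShell below is an added example, not code from the original post. It lists the five FSMO role holders through the .NET System.DirectoryServices.ActiveDirectory classes (so it needs no AD PowerShell module), shows whether the schema master is the machine you are on (the check the "not running on schema master" section above relies on), and tests each holder by NetBIOS name and FQDN as described. It assumes it is run on a domain-joined DC where the SYSVOL share of each holder is reachable.

```powershell
# Added example, not part of the original post. Cross-check for 'netdom query fsmo'
# that also performs the short-name/FQDN connectivity test from the text.

function Get-FsmoHolder {
    $forest    = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # DomainController.Name is the holder's FQDN.
    $roles = @(
        @{ Role = 'Schema master';         Holder = $forest.SchemaRoleOwner.Name },
        @{ Role = 'Domain naming master';  Holder = $forest.NamingRoleOwner.Name },
        @{ Role = 'PDC emulator';          Holder = $domain.PdcRoleOwner.Name },
        @{ Role = 'RID master';            Holder = $domain.RidRoleOwner.Name },
        @{ Role = 'Infrastructure master'; Holder = $domain.InfrastructureRoleOwner.Name }
    )

    foreach ($r in $roles) {
        $fqdn  = $r.Holder
        $short = $fqdn.Split('.')[0]
        New-Object PSObject -Property @{
            Role        = $r.Role
            Holder      = $fqdn
            IsLocal     = ($fqdn -eq $localFqdn)
            ShortNameOk = Test-Path -Path ("\\{0}\SYSVOL" -f $short)
            FqdnOk      = Test-Path -Path ("\\{0}\SYSVOL" -f $fqdn)
        }
    }
}

$fsmo = @(Get-FsmoHolder)
$fsmo | Format-Table Role, Holder, IsLocal, ShortNameOk, FqdnOk -AutoSize

# /forestprep must run where IsLocal is True for the schema master. /domainprep
# needs the infrastructure master, and /rodcprep both the domain naming master
# and each domain's infrastructure master, reachable by both names.
# Compare the Holder column with:  netdom query fsmo
```

A holder that answers by FQDN but not by short name (or the reverse) is the name resolution case from the Forestprep section; one that answers by neither is the network, secure channel or clock skew case.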

If you need to transfer or seize the Infrastructure master for any reason follow:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Or

How to view and transfer FSMO roles in the graphical user interface

This concludes this post on many of the errors that you may encounter while running ADPREP. For those reading this after running into an error, I hope that it helped to resolve the issue.

- Rob Newhouse


  • Hello and good day.

    Please give me advice to solve such a problem.

    I'm upgrading sole DC of my personal domain it.local (primarily used for Hyper-V & SCVMM2008, DNS&DHCP) on Windows 2008 x64 Std to Windows 2008 R2 beta x64 Ent and setup.exe wanted me to run adprep /forestprep (done successfully) and then I run adprep /domainprep error occurred:

    Running domainprep ...

    Adprep was unable to modify some attributes on object DC=it,DC=local.

    [User Action]

    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20090207110436 directory for more information.

    Adprep encountered an LDAP error.

    Error code: 0x14. Server extended error code: 0x2083, Server error message: 00002083: AtrErr: DSID-03151699, #1:

    0: 00002083: DSID-03151699, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 9054f (otherWellKnownObjects):len 164

    Adprep was unable to update domain information.

    [Status/Consequence]

    Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

    [User Action]

    Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20090207110436 directory for more information.

    Googling around found nothing for "Adprep encountered an LDAP error 0x14". Some time after adprep /forestprep had ended successfully, the dcdiag utility showed many errors of this type:

    Starting test: SystemLog

    An Warning Event occurred.  EventID: 0x80001116

    Time Generated: 02/06/2009   19:37:42

    EvtFormatMessage failed, error 1815 Win32 Error 1815.

    (Event String (event log = System) could not be retrieved, error 0x717)

    As of now all dcdiag errors are gone. But adprep /domainprep still runs into error.

    Thank you for attention.

  • Check the Adprep log that was generated after running the domain prep.  You can find the log under %windir%\debug\Adprep

    Once you find the log, go down to the failure.

    Find what object it was attempting to modify when the failure occurred.

    I need this information so I can look at the object and see what the attribute you are failing on is supposed to look at.

    Thanks

    Rob

  • Thank you, Rob.

    I've checked adprep.log from the directory shown in my first query and there are more details:

    - succesfully ended these steps:

    1) Adprep successfully made the LDAP connection to the local Active Directory Domain Controller TEST.

    2) LDAP API ldap_search_s() finished, return code is 0x0

    Adprep successfully retrieved information from the local Active Directory Domain Services.

    Adprep successfully initialized global variables.

    3) LDAP API ldap_add_s() finished, return code is 0x44

    Adprep attempted to create the Active Directory Domain Services object cn=DomainUpdates,cn=System,DC=it,DC=local.

    4) LDAP API ldap_add_s() finished, return code is 0x44

    Adprep attempted to create the Active Directory Domain Services object cn=Operations,cn=DomainUpdates,cn=System,DC=it,DC=local.

    5) LDAP API ldap_search_s() finished, return code is 0x0

    Adprep checked to verify whether operation cn=ab402345-d3c3-455d-9ff7-40268a1099b6,cn=Operations,cn=DomainUpdates,cn=System,DC=it,DC=local has completed.

    ...skipped many similar cn= operations...

    - and then error occured:

    6) Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=d262aae8-41f7-48ed-9f35-56bbb677573d,cn=Operations,cn=DomainUpdates,cn=System,DC=it,DC=local.

    LDAP API ldap_search_s() finished, return code is 0x20

    Adprep verified the state of operation cn=d262aae8-41f7-48ed-9f35-56bbb677573d,cn=Operations,cn=DomainUpdates,cn=System,DC=it,DC=local.

    The operation has not run or is not currently running. It will be run next.

    7) Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is DC=it,DC=local.

    LDAP API ldap_modify_s() finished, return code is 0x14

    Adprep was unable to modify some attributes on object DC=it,DC=local.

    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20090207110436 directory for more information.

    Adprep encountered an LDAP error.

    Error code: 0x14. Server extended error code: 0x2083, Server error message: 00002083: AtrErr: DSID-03151699, #1:

    0: 00002083: DSID-03151699, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 9054f (otherWellKnownObjects):len 164

    Adprep was unable to update domain information.

    I have no idea what object adprep could not create or update and why.

    ldifde -d "cn=d262aae8-41f7-48ed-9f35-56bbb677573d,cn=Operations,cn=DomainUpdates,cn=System,DC=it,DC=local" -f op1.ldf

    produces zero-length file. And ADSI Edit management console shows 73 objects in CN=Operations,CN=DomainUpdates,CN=System,DC=it,DC=local

  • Check the permissions on that object.

    You can find the object in ADUC

    Make sure you are looking at advanced features

    System\DomainUpdates\Operations\

    d262aae8-41f7-48ed-9f35-56bbb677573d

    Right click and choose properties

    Check your security and see if it matches the security on the last success above it.

    If it does check the attribute editor for Otherwellknowobjects.

    It says that there is a value already in there.

    Enterprise Admins should have full control

    If there is a value let me know what's in it.

    Thanks

    Rob

  • Yeah, advanced features revealed System\DomainUpdates\Operations !

    I saw there:

    - there are no object d262aae8-41f7-48ed-9f35-56bbb677573d

    - the last success object before it is 5e1574f6-55df-493e-a671-aaeffca6a100 with security effective permissions all enabled and inherited from parent System\DomainUpdates\Operations for built-in administrator

    - Enterprise Admins have full control too

    - 5e1574f6-55df-493e-a671-aaeffca6a100 object and all other objects (73 in System\DomainUpdates\Operations) have Otherwellknowobjects attribute "not set".

    It seems that d262aae8-41f7-48ed-9f35-56bbb677573d is invisible to adprep, ldifde, ADSI Edit and ADUC or does not exists in AD.

    In I've found schema.ini:

    ...

    CHILD=5e1574f6-55df-493e-a671-aaeffca6a100

    CHILD=d262aae8-41f7-48ed-9f35-56bbb677573d

    ...

    [5e1574f6-55df-493e-a671-aaeffca6a100]

    nTSecurityDescriptor=O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)

    objectClass= Container

    objectCategory= Container

    [d262aae8-41f7-48ed-9f35-56bbb677573d]

    nTSecurityDescriptor=O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCDCRCWDWOSW;;;DA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)

    objectClass= Container

    objectCategory= Container

    ...

    And that is all; no other file in the adprep directory contains d262aae8-41f7-48ed-9f35-56bbb677573d.

    Thank you.

  • Hi IL2,

    Can you E-mail me the ADPREP logs (all of them that you have)  Just zip up the ADprep folder and that should take care of it.

    Also I would like the following

    ldifde -d dc=<domain>,dc=<domain> -f root.ldf

    Send me the root.ldf

    Then once you have that sent off, check the root of your domain for the otherwellknownobjects attribute.  See if it is populated.   If it is populated with the guid that you are having a problem with then

    Run a system State backup

    Clear the entry

    Run ADPREP /Domainprep

    You can send it to me at

    Robnew@microsoft.com

    Thank you

  • I have searched the net and I should say I have not come across an article like this which is so easy to understand and learn the concepts.

    cheers.

  • Hi,

    adprep /forestprep completed successfully but I found the following error in adprep.log.  I verified that object does not exist in our test or production forests which were both built within the last year and a half using Windows 2003 SP2 R2.  I know we never intentionally deleted it and I don't know if it was there when the forest was built.  Is it supposed to be there?  What's the best way to put it back?

    Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=KerberosAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=forestname,DC=net.

    LDAP API ldap_search_s() finished, return code is 0x20

    Adprep was unable to modify the security descriptor on object CN=KerberosAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=forestname,DC=net.

    [Status/Consequence]  

    ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

    [User Action]  

    Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20090406235639 directory for more information.

    Adprep encountered an LDAP error.  

    Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:

    'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=forestname,DC=net'.

    Thank you.

  • Hi Steve,

    The CN=KerberosAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=forestname,DC=net is a new Windows 2008 CA Template that is installed when you add a Windows 2008 Enterprise CA into your environment.  It would not have existed in Windows 2003 unless you had already installed a Windows 2008 Enterprise Server running 2008 Enterprise CA.  

    So in this case I will assume that you have not done either, and that object does not exist.  

    The error can be safely ignored.

    Thanks

    Rob

  • Hi Rob,

    That's great information. We have not installed a Windows 2008 Enterprise CA.

    Thanks for your prompt reply.

    Steve

  • Hi,

    I can see the adprep file being created every time I run adprep32.exe on the 2003 R2 domain controller, yet the adprep file is completely blank every time.

    The verification to see if it worked (see http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx#BKMK_Creds ) seems to indicate it did not work, since the OU CN=ActiveDirectoryUpdate does not even exist.

    When trying to run DCpromo on a 2008 server it says adprep needs to be ran first.

    HELP ...

    Bart

  • A post elsewhere http://social.technet.microsoft.com/Forums/en/winserverMigration/thread/77b86b14-ce4f-4072-bff0-fcbbec8ab88b  indicates that this may be the cause:

    If adprep /? does not print anything, rename the folder adprep\en-US to the locale you are in.

    For example:

    Win2k3 Spanish, rename to: es-es

    Win2k3 English, rename to: en-US

    If you run adprep /forestprep without the folder rename, adprep runs but it does not upgrade your

    domain/forest schema

  • You have to copy the whole folder that comes with adprep. Do not just copy adprep32.exe on its own to the domain controller as I had done. If you do so, the adprep seems to run, it creates an empty log file and is done in a split second. Actually it does nothing and does not show any error message.

    So if adprep32.exe or adprep.exe shows blank or empty adprep log you may not have copied the whole adprep folder from the Win2008 R2 sources folder.

    Of course: I disclaim any responsibility for the validity of these statements :-)

  • Sounds good to me. Nice find, blouwagie. :)