Troubleshooting ADPREP Errors

Hi all, Rob Newhouse again, and today I am talking about errors that you may see while running ADPREP. Normally I do not like to create a laundry list of errors, but I believe this one should be beneficial and save you some time and (maybe) money. This is a follow-up to my previous post, So You Want to Upgrade to Windows 2008 Domain Controllers (ADPREP).

So you have run ADPREP and it has failed. The first thing that you need to do is open your C:\Windows\Debug\Adprep\Logs folder. There will be a separate file each time that you run ADPREP.
At the bottom of the file, you will see what the problem is. Common failures include:

Errors Running Adprep /Forestprep

Adprep Was Unable to Extend the Schema

Adprep was unable to extend the schema.

[Status/Consequence]

The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.

[User Action]

Verify that the schema master is connected to the network and can communicate with other Active Directory Domain Controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.

Solution

This error indicates that there are AD replication problems in the environment. The replication issue must be resolved before you can continue.

To check what replication problems you are having, install the Windows Support Tools and run Repadmin /Showrepl (or Repadmin /Showreps) on the Schema Master. The output shows which DCs the Schema Master is failing to replicate with.

Once you have determined which DC(s) have the problem, check whether you can connect to both \\servername (the short NetBIOS name) and \\FQDN (the fully qualified name) of that server.

If both are unsuccessful, you may have a networking problem, a broken secure channel, or a time difference of 5 minutes or more between the two machines (the Kerberos clock-skew limit).

If only one is unsuccessful, you have a name resolution problem involving DNS (FQDN) or NetBIOS (short name).

If both are successful:

On both the DC that is not replicating with the Schema Master and the Schema Master itself:

  1. In the TCP/IP properties of the NIC, point DNS to a single DNS server.
  2. At a cmd prompt type: Netdiag /fix

On the Schema Master

  1. Open Active Directory Sites and Services.
  2. Expand the site that the Schema Master is in.
  3. Right click on the NTDS Settings under the Schema Master and choose All Tasks\Check Replication Topology.
  4. Refresh the view.
  5. Right click on each replication connection object and attempt a replication.

These are just some basic troubleshooting steps. If you get an error message, go to Support.Microsoft.com and in the search type in the error message in quotes.
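The checks above (failing replication partners, short-name and FQDN resolution, share access, and the 5 minute clock limit) collected into one script. This is an added example, not code from the original post; it assumes it runs on the Schema Master, that the installed repadmin.exe supports /csv, and that $Partner is the DC that repadmin reported as failing.

```powershell
# Added diagnostic, not from the original post. Run on the Schema Master.
param(
    [Parameter(Mandatory = $true)][string]$Partner   # short name of the failing DC, e.g. 'DC02'
)

# 1. Inbound replication links that have recorded failures (repadmin /showrepl /csv)
$links   = repadmin /showrepl /csv | ConvertFrom-Csv
$failing = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
$failing | Select-Object 'Source DSA', 'Naming Context', 'Last Failure Status', 'Last Failure Time' |
    Format-Table -AutoSize

# 2. Name resolution and share access for the short name and the FQDN separately.
#    Short name failing alone points at NetBIOS/WINS; FQDN failing alone points at DNS.
$fqdn = $Partner + '.' + $env:USERDNSDOMAIN
foreach ($name in @($Partner, $fqdn)) {
    try {
        $ip = ([System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1).IPAddressToString
        "$name resolves to $ip"
    } catch {
        "$name does NOT resolve: $($_.Exception.Message)"
        continue
    }
    if (Test-Path "\\$name\SYSVOL") { "\\$name\SYSVOL is reachable" }
    else { "\\$name\SYSVOL is NOT reachable (network, firewall or secure channel problem)" }
}

# 3. Clock skew: Kerberos rejects tickets once the clocks differ by more than 5 minutes.
#    Remote LocalDateTime is normalised to UTC with the remote box's own offset.
try {
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $fqdn -ErrorAction Stop
    $remoteLocal = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
    $remoteUtc   = $remoteLocal.AddMinutes(-[int]$os.CurrentTimeZone)
    $skew = [math]::Abs(((Get-Date).ToUniversalTime() - $remoteUtc).TotalSeconds)
    if ($skew -gt 300) { "Clock skew to $fqdn is $([int]$skew)s: over the 5 minute Kerberos limit" }
    else { "Clock skew to $fqdn is $([int]$skew)s (OK)" }
} catch {
    "Could not read the clock on $fqdn over WMI/RPC: $($_.Exception.Message)"
}
```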

User Not a Member of Required Groups

Adprep detected that the logon user is not a member of the following groups: Enterprise Admins Group, Schema Admins Group and Contoso.local\Domain Admins Group.

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Enterprise Admins group, Schema Admins group and Contoso.local\Domain Admins group.

- Or -

Adprep was unable to check the current User's group membership

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Domain Admins Group, Enterprise Admins group and Schema Admins group if /forestprep is specified, or is a member of Domain Admins group if /domainprep is specified.

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied

Solution

Check your group membership. If you are a member of many nested groups, the failure can be caused by your Kerberos token size. In this case, you may choose to create a new account in Active Directory Users and Computers, make the new account a member of the Domain Admins, Enterprise Admins, and Schema Admins groups only, log on to the Schema Master as that account, and rerun the Adprep /ForestPrep command.

As an alternative to creating a new account you can:

1. Increase MaxTokenSize in the registry

a) Open Regedit
b) Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
c) Add a new DWORD value
d) Name it MaxTokenSize
e) Set its value to 65535

or

2. Remove the account from all unnecessary groups
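To see whether token size is actually the problem before touching the registry, the following added helper (not from the original post) estimates the current logon's Kerberos token with the formula from KB 327825 (1200 + 40 bytes per domain local group + 8 bytes per global/universal group) and compares it with the configured MaxTokenSize. It assumes whoami.exe is available and that the script runs as the account that will launch adprep; the -Set switch (requires local admin) writes the 65535 value described above.

```powershell
# Added helper, not from the original post. Rough token-size estimate only:
# well-known SIDs and SID history are not counted separately.
param([switch]$Set)

# /nh drops the header line; -Header supplies whoami's column names explicitly
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header 'Group Name', 'Type', 'SID', 'Attributes' |
    Where-Object { $_.SID }

# whoami reports domain local (and built-in) groups as 'Alias', global/universal as 'Group'
$d = @($groups | Where-Object { $_.Type -eq 'Alias' }).Count   # 40 bytes each
$s = @($groups | Where-Object { $_.Type -eq 'Group' }).Count   # 8 bytes each
$estimate = 1200 + 40 * $d + 8 * $s

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$current = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if (-not $current) { $current = 12000 }   # default before Windows 8 / Server 2012 (48000 afterwards)

"Groups in token: $(@($groups).Count) (domain local: $d, global/universal: $s)"
"Estimated token size: $estimate bytes; configured MaxTokenSize: $current bytes"

if ($estimate -gt $current) {
    "Estimate exceeds MaxTokenSize: trim nested group memberships or raise the limit."
    if ($Set) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # -Force overwrites an existing value; DWORD 65535 is the value the post uses
        New-ItemProperty -Path $key -Name MaxTokenSize -PropertyType DWord -Value 65535 -Force | Out-Null
        "MaxTokenSize set to 65535 under $key; reboot the DC for it to take effect."
    }
}
```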

ADPREP Not Running on Schema Master

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]

If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.

C

Forest-wide information can only be updated on the Active Directory Domain Controller that holds the schema operations master role.

[Status/Consequence]

Adprep has stopped on this Active Directory Domain Controller and must be run on the current schema operations master, which is Rob731.Contoso.local.

[User Action]
Log on to the Rob731.Contoso.local Active Directory Domain Controller, change to the directory of adprep.exe on the installation media, and then type the following command at the command prompt to complete the forest update: adprep /forestprep

Solution

On rare occasions you may experience this message when you are on the schema master. In these cases transfer the schema master to another DC and then transfer it back to the original and run Adprep /Forestprep again. See also How to view and transfer FSMO roles in the graphical user interface.

If your schema master was on another machine that was removed from Active Directory then you will have to seize the schema master Role using Ntdsutil. See also Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.

In your Adprep log you see “Error 0x80070020 (Error_sharing_Violation)”

Solution

This is normally caused by the on-demand (real-time) scanning feature of antivirus software holding the file open. To resolve the issue, disable the antivirus software's on-demand scanning while adprep runs.

Adprep /Forestprep Fails Due To OID Conflict On Any Schema Attribute

“OID will not be changed resulting in probable failure to add a new class.”

Solution

This error happens when custom schema changes have been made, or when third-party software has made schema changes whose OIDs conflict with Microsoft's.

In the ADPREP log you will see "OID will not be changed resulting in probable failure to add a new class."

To resolve this issue, open the ADPREP log to see which object failed. If you know which third-party software is using the attribute, contact the vendor and determine whether there is a fix. Otherwise I would recommend opening a case with Microsoft for assistance resolving this issue.

Schema update failed: An attribute with the same link identifier already exists.

This error occurs when you are trying to update or add an attribute in the schema and the link identifier it needs already belongs to another attribute. Some third-party applications modify the schema using a link identifier from the range reserved for the operating system.

You will see the following in the CMD prompt window. The key here is the message about the link identifier.

Connecting to "Machine"
Logging in as current user using SSPI
Importing directory from file "D:\Sources\adprep\schXX.ldf"
Loading entries
Add error on line 249: Unwilling To Perform
The server side error is "Schema update failed: An attribute with the same link identifier already exists."
15 entries modified successfully.
An error has occurred in the program
................
Opened Connection to Machine
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 44
ERROR: Import from file D:\Sources\adprep\sch34.ldf failed. Error file is saved in ldif.err.34.

When you look in the ldif.err.XX log you will see the attribute we are trying to add:

Entry DN: CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=Contoso,DC=local
Add error on line 249: Unwilling To Perform
The server side error is "Schema update failed: An attribute with the same link identifier already exists."
An error has occurred in the program.

Solution

In this instance please contact Microsoft for a resolution. This error indicates that there is a link identifier that is already in use that shouldn’t be there.
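Before opening the case it helps to know which existing attribute holds the link identifier, so the conflict can be attributed to a product. The following added script (not from the original post) reads the linkID of the failed entry out of the schXX.ldf adprep was importing and searches the live schema for attributes that already use it. It assumes the file path and entry DN from the log above and a user who can read the schema partition.

```powershell
# Added diagnostic, not from the original post. Defaults are taken from the log above.
param(
    [string]$LdfPath = 'D:\Sources\adprep\sch34.ldf',   # file named in the adprep output
    [string]$Cn      = 'ms-PKI-AccountCredentials'     # Entry DN's CN from ldif.err.34
)

# 1. Find the 'linkID:' line inside the LDF entry whose dn starts with CN=<Cn>,
$linkId = $null; $inEntry = $false
foreach ($line in Get-Content $LdfPath) {
    if ($line -match '^dn:\s*CN=([^,]+),') { $inEntry = ($matches[1] -eq $Cn); continue }
    if ($inEntry -and $line -match '^linkID:\s*(\d+)') { $linkId = [int]$matches[1]; break }
}
if ($null -eq $linkId) { throw "No linkID found for CN=$Cn in $LdfPath" }

# 2. Search the schema naming context for attributes that already carry that linkID
$schemaNc = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
$searcher.Filter     = "(&(objectClass=attributeSchema)(linkID=$linkId))"
$searcher.PropertiesToLoad.AddRange(@('cn', 'lDAPDisplayName', 'attributeID', 'whenCreated'))
$hits = $searcher.FindAll()

"CN=$Cn needs linkID $linkId; existing attributes using it: $($hits.Count)"
foreach ($hit in $hits) {
    $p = $hit.Properties   # keys are lower-cased by DirectorySearcher
    "  {0,-35} {1,-32} created {2}" -f $p['ldapdisplayname'][0], $p['attributeid'][0], $p['whencreated'][0]
}
# An attributeID outside Microsoft's 1.2.840.113556 arc identifies the third-party
# attribute that took the reserved link identifier; include it in the support case.
```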

Errors Running Adprep /Domainprep

Forestprep Not Run Or Not Recognized As Having Been Run

Running domainprep ...
Forest-wide information needs to be updated before the domain-wide information can be updated.

[User Action]

Log on to the schema master Rob731.Contoso.local for this forest, run the following command from the installation media to complete the forest update first: adprep.exe /forestprep and then rerun adprep.exe /domainprep on infrastructure master again.

Solution

This problem can happen if you haven't run Adprep /Forestprep yet, or if replication is broken and you are running Domainprep on a different DC, or in a different domain, than the one where you ran Adprep /Forestprep. To resolve this issue, either run Adprep /Forestprep or resolve the replication issue, depending on the situation.

Not In Windows 2000/2003 Native Mode

Adprep detected that the domain is not in native mode

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Configure the domain to run in native mode and re-run domainprep

Solution

Raise the domain functional level to Windows 2000 native mode. To do this on a Windows Server 2003 domain controller:

1) Open Active Directory Users and Computers
2) Right click on your domain name and select Raise Domain Functional Level
3) Use the drop down to select Windows 2000 Native Mode
4) Click Raise


Unable To Contact Infrastructure Master

Adprep was unable to check the domain update status.

[Status/Consequence]

Adprep queries the directory to see if the domain has already been prepared. If the information is unavailable or unknown, Adprep proceeds without attempting this operation.

[User Action]

Restart Adprep and check the ADPrep.log file. Verify in the log file that this domain has already been successfully prepared.
Adprep encountered a Win32 error. Error code: 0x3a Error message: The specified server cannot perform the requested operation..

Solution

Check connectivity to the Infrastructure Master.

Errors Running Adprep /Domainprep /Gpprep

If you have already run Adprep /Domainprep, there is really only one error that you can get from /Gpprep. Running Adprep /Domainprep /Gpprep after the normal Domainprep only sets permissions on the Policies folder in SYSVOL. Below is the error that you will receive if the policy folders are inaccessible.

Group Policies Missing Or Inaccessible

Adprep was unable to complete because the call back function failed.

[Status/Consequence]

Error message: (null)

[User Action]

Check the log file ADPrep.log, in the C:\WINDOWS\debug\adprep\logs\20080806171216 directory for more information

Solution

Check to make sure that your sysvol\sysvol\policies\{6ac…} and {31b…} folders exist and are accessible. If either or both are missing and you have a backup of these folders, restore them. If you do not have a backup and the folders are not in an NTFRS_Policies folder, then contact Microsoft for assistance in recreating the folders.

Errors Running Adprep /Rodcprep

Adprep /Rodcprep Fails Due To Insufficient Permissions

Adprep connected to the domain FSMO: Rob731.Contoso.local.

Adprep found partition DC=ForestDnsZones,DC=Contoso,DC=local, and is about to update the permissions.

Adprep connected to a replica DC Rob731.Contoso.local that holds partition DC=ForestDnsZones,DC=Contoso,DC=local.

Adprep was unable to modify the security descriptor on object DC=ForestDnsZones,DC=Contoso,DC=local.

[Status/Consequence]

ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080813153240 directory for more information.
Adprep encountered an LDAP error. Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151D54, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Adprep failed the operation on partition DC=ForestDnsZones,DC=Contoso,DC=local. Skipping to next partition.

Solution

You may see the same failure for other partitions, such as DC=DomainDnsZones,DC=Contoso,DC=local. To fix this issue, make sure the account you are running Adprep as is a member of the Domain Admins and Enterprise Admins groups.

Adprep /Rodcprep Fails Because It Cannot Connect To Domain Naming Master

Adprep could not contact the Domain Naming FSMO to read the partitions. The Domain Naming FSMO must be reachable for this operation to proceed.

[Status/Consequence]

The Active Directory Domain Services DNS partitions are not prepared for Read Only DCs.

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080813175105 directory for possible cause of failure.
Adprep encountered a Win32 error. Error code: 0x54b Error message: The specified domain either does not exist or could not be contacted..

Solution

This error indicates that there is a problem with the domain naming master. Verify that you can contact the Domain Naming Master for the forest. You can check the operations master role in Active Directory Users and Computers.

Adprep /Rodcprep Fails Because It Cannot Connect To Infrastructure Master

Adprep found partition DC=Contoso,DC=local, and is about to update the permissions.
Adprep could not contact the Infrastructure FSMO for domain DC=Contoso,DC=local. The Infrastructure FSMO must be reachable for this operation to proceed.

[Status/Consequence]

The Active Directory Domain Services DNS partitions are not prepared for Read Only DCs.

[User Action]

Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080814090356 directory for possible cause of failure.
Adprep encountered a Win32 error. Error code: 0x3a Error message: The specified server cannot perform the requested operation..
Adprep failed the operation on partition DC=Contoso,DC=local. Skipping to next partition.

Adprep completed with errors. Not all partitions are updated. See the ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20080814090356 directory for more information. To successfully update all partititions, the current logged on user needs to be a member of Enterprise Admins group. If that is not the case, please correct the problem, and then restart Adprep.

Solution

On the Schema Master run the following command:

Netdom Query FSMO

You should see the five FSMO roles, including the Infrastructure Master. Once you know which DC holds the Infrastructure Master role, check that you can connect to both \\servername and \\FQDN of that server.

If you need to transfer or seize the Infrastructure master for any reason follow:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Or

How to view and transfer FSMO roles in the graphical user interface
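As an added example (not from the original post), the same role lookup done with .NET rather than netdom, followed by the short-name/FQDN resolution check and a TCP probe of the LDAP port on each role holder. This covers the Infrastructure Master and Domain Naming Master failures above in one pass; it assumes a domain-joined machine and a domain user account (no netdom.exe required).

```powershell
# Added check, not from the original post. Enumerates FSMO holders and tests reachability.
Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Role name / holder FQDN pairs (array of arrays keeps PowerShell 2 compatibility)
$roles = @(
    @('Schema master',         $forest.SchemaRoleOwner.Name),
    @('Domain naming master',  $forest.NamingRoleOwner.Name),
    @('PDC emulator',          $domain.PdcRoleOwner.Name),
    @('RID master',            $domain.RidRoleOwner.Name),
    @('Infrastructure master', $domain.InfrastructureRoleOwner.Name)
)

# TCP connect with a timeout; $Host is reserved in PowerShell, hence $Computer
function Test-TcpPort([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$results = foreach ($role in $roles) {
    $fqdn  = $role[1]
    $short = $fqdn.Split('.')[0]
    $shortOk = $true; $fqdnOk = $true
    try { [void][System.Net.Dns]::GetHostAddresses($short) } catch { $shortOk = $false }
    try { [void][System.Net.Dns]::GetHostAddresses($fqdn)  } catch { $fqdnOk  = $false }
    New-Object PSObject -Property @{
        Role         = $role[0]
        Holder       = $fqdn
        ShortNameOk  = $shortOk          # false alone: NetBIOS/WINS problem
        FqdnOk       = $fqdnOk           # false alone: DNS problem
        Ldap389      = (Test-TcpPort $fqdn 389)
    }
}
$results | Format-Table Role, Holder, ShortNameOk, FqdnOk, Ldap389 -AutoSize
```

A role holder that resolves but does not answer on 389 is the case the post describes as needing a transfer or seizure; one that does not resolve at all is a name resolution problem to fix first.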

This concludes this post on many of the errors that you may encounter while running ADPREP. For those reading this after running into an error, I hope that it helped to resolve the issue.

- Rob Newhouse