Re: Adprep /Forestprep Error

From: david (david_at_discussions.microsoft.com)
Date: 12/23/04


Date: Thu, 23 Dec 2004 05:59:06 -0800

I checked the rights and they are present, the user = administrator and is a
member of domain admins, enterprise admins, schema admins.
I don't know if it is related but in event viewer it is impossible to view
the security logs, I get a message: "A required privilege is not held by the
client".

David

"Guido G" wrote:

> so much for good preparation before any important change to your
> infrastructure - always check your backups...
>
> anyways, your problem should not be a critical one - ADPREP is very smart at
> picking up where it left off and will not destroy your forest even if it
> can't finish running. You can re-run it as often as you wish and it will try
> to continue where it stopped. Likely the account you're using or the groups
> it's a member of does not have sufficient permissions on the Configuration
> NC in your forest.
>
> By default this would be the Enterprise Admins group - and your account must
> also be a member of the Schema Admins group to make schema changes at all.
>
> But I've seen it before, that the Full Control permissions for the
> Enterprise Administrators group of the forest were _removed_ from the Config
> NC (in your case "CN=Configuration,DC=mebumar,DC=be") - this had gone
> unnoticed during everyday administration, since sufficient explicit rights
> were still set on the child objects below the config container. We then had
> the same issues with ADPREP.
>
> I'd suggest you check that you're using the correct account (member of EA
> and SA group) and check the permissions on your config NC using ADSIedit and
> see if the Enterprise Admins group has Full Control (incl. inheritance on
> child objects) as it should have - if not, then re-add these rights and
> re-run ADPREP /forestprep.
>
> Definitely give us feedback if this worked.
>
> /Guido
>
> "David" <David@discussions.microsoft.com> wrote in message
> news:A0224269-957D-4408-870C-CD998BE8665F@microsoft.com...
> > Hi
> > I have a Win2k Forest with several Exchange2k servers running in different
> > sites.
> > I need to promote a W2k3 server to DC. For this I ran the script provided
> > by MS.
> > The script ran perfectly.
> > I then tried to run Adprep /Forestprep on the schema master. It failed to
> > run. After rebooting it ran ok up to a certain point and then stopped with
> > the following message in the log :
> > Adprep was unable to modify the security descriptor on object
> > CN=Sites,CN=Configuration,DC=mebumar,DC=be.
> > [Status/Consequence]
> > ADPREP was unable to merge the existing security descriptor with the new
> > access control entry (ACE).
> > [User Action]
> > Check the log file Adprep.log in the system root
> > System32\Debug\Adprep\Logs directory for more information.
> > Adprep encountered a Win32 error.
> > Error code: 0x57 Error message: The parameter is incorrect..
> > Adprep set the value of registry key
> > System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed to 1
> > Adprep was unable to update forest-wide information.
> > [Status/Consequence]
> > Adprep requires access to existing forest-wide information from the schema
> > master in order to complete this operation.
> > [User Action]
> > Check the log file, Adprep.log, in the
> > C:\WINNT\system32\debug\adprep\logs\20041222004235 directory for more
> > information.
> >
> > This is the extract from the adprep log file.
> > I can't seem to find any reason for this. Further tries after rebooting the
> > machine result in the same error and nothing seems to happen.
> >
> > Meanwhile Exch2k is still running fine and AD seems to be working fine
> > also.
> > This DC is also running Routing and Remote Access and is multihomed. It
> > holds all FSMO roles except PDC.
> >
> > Any ideas anyone? Going back to the original state before the adprep ran
> > partially is not possible since the backup made before running adprep is
> > bust.
> >
> > Greets
> >
>
>
>
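The check Guido describes (does Enterprise Admins still hold Full Control, inherited to child objects, on the Configuration NC?) can be scripted instead of clicked through in ADSIedit. The script below is an added example and is not code from this thread or from Microsoft; it assumes a DC or admin workstation with the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later, so not the 2003-era box in the thread) and that it is run as a member of Enterprise Admins. The function name and the DN from the thread are illustrative only; the Configuration NC is read from the root DSE so it works in any forest.

```powershell
# Added example (not from the thread): report the ACEs that Enterprise Admins
# holds on the Configuration naming context and flag a missing Full Control /
# missing inheritance, which is what makes ADPREP /forestprep fail to rewrite
# security descriptors on objects such as CN=Sites,CN=Configuration,...
# Assumptions: ActiveDirectory module available; run as Enterprise Admins.
Import-Module ActiveDirectory

function Test-ConfigNcEnterpriseAdminsAccess {
    [CmdletBinding()]
    param()

    # Configuration NC DN from the root DSE (in the thread this would be
    # CN=Configuration,DC=mebumar,DC=be).
    $configNc = (Get-ADRootDSE).configurationNamingContext

    # Enterprise Admins always has RID 519 in the forest root domain; resolving
    # it by SID avoids depending on a (possibly localized) group name.
    $rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
    $eaSid      = New-Object System.Security.Principal.SecurityIdentifier("$($rootDomain.DomainSID)-519")
    $eaAccount  = $eaSid.Translate([System.Security.Principal.NTAccount]).Value

    # The AD: drive exposes the object's security descriptor through Get-Acl.
    $acl    = Get-Acl -Path "AD:\$configNc"
    $eaAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $eaAccount })

    Write-Host "Configuration NC : $configNc"
    Write-Host "Owner            : $($acl.Owner)"
    Write-Host "ACEs for $eaAccount : $($eaAces.Count)"
    foreach ($ace in $eaAces) {
        $scope = if ($ace.IsInherited) { '(inherited)' } else { '(explicit)' }
        Write-Host ('  {0,-5} inherits-to={1,-12} {2} {3}' -f $ace.AccessControlType,
            $ace.InheritanceType, $ace.ActiveDirectoryRights, $scope)
    }

    # Full Control on a directory object is the GenericAll right. A Full Control
    # ACE may be stored as the GenericAll bit or as the expanded set of bits, so
    # test with -band rather than string equality.
    $genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $fullControl = @($eaAces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
    })

    if ($fullControl.Count -eq 0) {
        Write-Warning "No Allow/Full Control ACE for $eaAccount on $configNc; ADPREP /forestprep cannot modify security descriptors below it."
        return $false
    }
    # The default ACE applies to this object and all descendants (InheritanceType All);
    # an ACE limited to the container itself leaves CN=Sites and friends uncovered.
    if (-not ($fullControl | Where-Object { $_.InheritanceType -eq 'All' })) {
        Write-Warning "Full Control is present on $configNc but does not inherit to all child objects."
        return $false
    }
    Write-Host "OK: $eaAccount has Full Control on $configNc with inheritance to child objects."
    return $true
}

Test-ConfigNcEnterpriseAdminsAccess
```

If the function returns $false, re-add the default Enterprise Admins Full Control ACE (inheriting to all descendants) on the Configuration container, exactly as Guido suggests, and re-run ADPREP /forestprep; it will resume at the object it could not update. On a Windows 2000/2003 DC without PowerShell, the same ACL can be listed with the Support Tools command `dsacls "CN=Configuration,DC=mebumar,DC=be"`.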


