Re: Adprep /Forestprep Error

From: david (david_at_discussions.microsoft.com)
Date: 12/23/04


Date: Thu, 23 Dec 2004 07:03:05 -0800

Furthermore, do you think it is an option to first upgrade Exch2k to Exch2k3
before completing adprep, or is this not a good idea? Perhaps this will make
the same changes?

david

"david" wrote:

> I checked the rights and they are present, the user = administrator and is
> member of domain admins, enterprise admins, schema admins.
> I don't know if it is related but in event viewer it is impossible to view
> the security logs, I get a message : "A required privilege is not held by the
> client".
>
> David
>
> "Guido G" wrote:
>
> > so much for good preparation before any important change to your
> > infrastructure - always check your backups...
> >
> > anyways, your problem should not be a critical one - ADPREP is very smart at
> > picking up where it left off and will not destroy your forest even if it
> > can't finish running. You can re-run it as often as you wish and it will try
> > to continue where it stopped. Likely the account you're using or the groups
> > it's a member of does not have sufficient permissions on the Configuration
> > NC in your forest.
> >
> > By default this would be the Enterprise Admins group - and your account must
> > also be a member of the Schema Admins group to make schema changes at all.
> >
> > But I've seen it before, that the Full Control permissions for the
> > Enterprise Administrators group of the forest were _removed_ from the Config
> > NC (in your case "CN=Configuration,DC=mebumar,DC=be") - this had gone
> > unnoticed during everyday administration, since sufficient explicit rights
> > were still set on the child objects below the config container. We then had
> > the same issues with ADPREP.
> >
> > I'd suggest you check that you're using the correct account (member of EA
> > and SA group) and check the permissions on your config NC using ADSIedit and
> > see if the Enterprise Admins group has Full Control (incl. inheritance on
> > child objects) as it should have - if not, then re-add these rights and
> > re-run ADPREP /forestprep.
> >
> > Definitely give us feedback if this worked.
> >
> > /Guido
> >
> > "David" <David@discussions.microsoft.com> wrote in message
> > news:A0224269-957D-4408-870C-CD998BE8665F@microsoft.com...
> > > Hi
> > > I have a Win2k Forest with several Exchange2k servers running in different
> > > sites.
> > > I need to promote a W2k3 server to DC. For this I ran the script provided by
> > > MS.
> > > The script ran perfectly.
> > > I then tried to run Adprep /Forestprep on the schema master. It failed to
> > > run. After rebooting it ran ok up to a certain point and then stopped with
> > > the following message in the log :
> > > Adprep was unable to modify the security descriptor on object
> > > CN=Sites,CN=Configuration,DC=mebumar,DC=be.
> > > [Status/Consequence]
> > > ADPREP was unable to merge the existing security descriptor with the new
> > > access control entry (ACE).
> > > [User Action]
> > > Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs
> > > directory for more information.
> > > Adprep encountered a Win32 error.
> > > Error code: 0x57 Error message: The parameter is incorrect..
> > > Adprep set the value of registry key
> > > System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed to 1
> > > Adprep was unable to update forest-wide information.
> > > [Status/Consequence]
> > > Adprep requires access to existing forest-wide information from the schema
> > > master in order to complete this operation.
> > > [User Action]
> > > Check the log file, Adprep.log, in the
> > > C:\WINNT\system32\debug\adprep\logs\20041222004235 directory for more
> > > information.
> > >
> > > This is the extract from the adprep log file.
> > > I can't seem to find any reason for this. Further tries after rebooting the
> > > machine result in the same error and nothing seems to happen.
> > >
> > > Meanwhile Exch2k is still running fine and AD seems to be working fine also.
> > > This DC is also running Routing and Remote Access and is multihomed. It holds
> > > all FSMO roles except PDC.
> > >
> > > Any ideas anyone? Going back to the original state before the adprep ran
> > > partially is not possible since the backup made before running adprep is bust.
> > >
> > > Greets
> > >
> >
> >
> >