ADPREP /forestprep fails

From: D.R. (dr_at_news.postalias)
Date: 01/12/05

  • Next message: Gary: "Isolating a copy of Windows 2000 AD for lab upgrade to W2K3 testin"
    Date: Wed, 12 Jan 2005 15:19:39 -0500
    
    

    ADPREP is failing near the end of the process. Previously I had problems
    with the inetOrgPerson due to our Cognos installation. After fixing that I
    have proceeded beyond the schXX.ldf files and it now dies applying
    permissions.

    From the ADPREP.LOG:
    -------------
    ...
    ADPREP was unable to modify the default security descriptor on object
    CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=domainx,DC=ext.[Status/Consequence]Adprep
    attempts to merge the existing default security descriptors with the new
    access control entry (ACE). [User Action] Check the log file Adprep.log in
    the system root System32\Debug\Adprep\Logs directory for more information.

    Adprep encountered a Win32 error. Error code: 0x57 Error message: The
    parameter is incorrect..
    ...
    -------------

    I ran dsacls as the domain controller:
    -------------
    C:\>dsacls \\localdc\CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=domainx,DC=ext /A
    Owner: NT AUTHORITY\SYSTEM
    Group: DOMAINx\Domain Users

    Audit list:
    Effective Permissions on this object are:
    All Everyone SPECIAL ACCESS <Inherited from parent>
                      DELETE
                      WRITE PERMISSIONS
                      CHANGE OWNERSHIP
                      CREATE CHILD
                      DELETE CHILD
                      WRITE SELF
                      WRITE PROPERTY
                      DELETE TREE
                      CONTROL ACCESS

    Permissions inherited to subobjects are:
    Inherited to all subobjects
    All Everyone SPECIAL ACCESS <Inherited from parent>
                      DELETE
                      WRITE PERMISSIONS
                      CHANGE OWNERSHIP
                      CREATE CHILD
                      DELETE CHILD
                      WRITE SELF
                      WRITE PROPERTY
                      DELETE TREE
                      CONTROL ACCESS

    Access list:
    {This object is protected from inheriting permissions from the parent}
    Effective Permissions on this object are:
    Allow NT AUTHORITY\SYSTEM FULL CONTROL

    The command completed successfully
    ------------
    It looks as though the permissions are wrong, but I am unable to reset the
    inheritance or add other users.
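
Added example (not part of the original post): a small Python parser for dsacls output of the shape shown above, reporting which principals are granted access and whether inheritance is blocked. It recognises only the line shapes visible in the post; the names parse_dsacls and summarize are hypothetical, and the embedded sample is the post's output with the per-right lines shortened.

```python
import re

# Constructed sample: the dsacls output from the post, indentation removed and
# the per-right lines under "SPECIAL ACCESS" shortened.
SAMPLE = r"""Owner: NT AUTHORITY\SYSTEM
Group: DOMAINx\Domain Users
Audit list:
Effective Permissions on this object are:
All Everyone SPECIAL ACCESS <Inherited from parent>
                  DELETE
                  WRITE PERMISSIONS
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\SYSTEM FULL CONTROL
The command completed successfully
"""

# Assumption: only the ACE line shapes visible in the post are recognised.
ACE = re.compile(r"^(Allow|Deny|All|Success|Failure)\s+(.+?)\s+(FULL CONTROL|SPECIAL ACCESS)\b")

def parse_dsacls(text):
    """Split dsacls output into owner, group, audit ACEs and access ACEs."""
    acl = {"owner": None, "group": None, "protected": False, "audit": [], "access": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("Owner:", "Group:")):
            key, value = line.split(":", 1)
            acl[key.lower()] = value.strip()
        elif line in ("Audit list:", "Access list:"):
            section = line.split()[0].lower()      # "audit" or "access"
        elif line.startswith("{This object is protected from inheriting"):
            acl["protected"] = True
        elif section and (m := ACE.match(line)):
            if m.groups() not in acl[section]:     # same ACE may be listed twice
                acl[section].append(m.groups())
    return acl

def summarize(acl):
    """Return the principals granted access and whether inheritance is blocked."""
    allowed = sorted({who for kind, who, _ in acl["access"] if kind == "Allow"})
    return {"protected": acl["protected"], "owner": acl["owner"],
            "allowed": allowed,
            "system_only": allowed == [r"NT AUTHORITY\SYSTEM"]}

if __name__ == "__main__":
    print(summarize(parse_dsacls(SAMPLE)))
```
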

