2003 adprep forestprep fails

John Faris

Hi all.

I tried to run the 2003 version of adprep /forestprep last night on one
of our servers and it failed (at least I had a system state backup). I had
followed all the steps in the MS article 325379 and did not find any
problems. If anyone can help I will be forever in your debt as I am under
pressure to get this done so that our shiny new 2003 Server can be added to
our domain. Here follows part of the contents of adprep.log
---------------------------------------------------
[User Action]

If ALL your existing Windows 2000 domain controllers meet this requirement,
type C and then press ENTER to continue. Otherwise, type any other key and
press ENTER to quit.

Adprep was about to call the following LDAP API. ldap_search_s(). The base
entry to start the search is
CN=UID,CN=Schema,CN=Configuration,DC=tsigroup,DC=co,DC=uk.

LDAP API ldap_search_s() finished, return code is 0x20

Adprep successfully determined whether Microsoft Windows Services for UNIX
(SFU) is installed or not. If adprep detected SFU, adprep also verified that
Microsoft hotfix Q293783 for SFU has been applied.

Adprep was unable to upgrade the schema on the schema master.

[Status/Consequence]

The schema will not be restored to its original state.

[User Action]

Check the Ldif.err log file in the
C:\WINNT\system32\debug\adprep\logs\20031209215928 directory for detailed
information.

Adprep set the value of registry key
System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed to 0

Adprep was unable to update forest-wide information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema
master in order to complete this operation.

[User Action]

Check the log file, Adprep.log, in the
C:\WINNT\system32\debug\adprep\logs\20031209215928 directory for more
information.

------------------------------------------------
ldif.err.14 contents
------------------------------------------------
Entry DN: CN=When-Created,CN=Schema,CN=Configuration,DC=tsigroup,DC=co,DC=uk
Add error on line 4: Busy
The server side error is "A database error has occurred."
An error has occurred in the program

--------------------------------------------------
schupgr.log contents
--------------------------------------------------
Opened Connection to WILDFIRE

SSPI Bind succeeded

Found Naming Context DC=tsigroup,DC=co,DC=uk

Found Naming Context CN=Schema,CN=Configuration,DC=tsigroup,DC=co,DC=uk

Found Naming Context CN=Configuration,DC=tsigroup,DC=co,DC=uk

Current Schema Version is 13

Upgrading schema to version 30

The command line passed to ldifde is C:\WINNT\system32\ldifde -i -f
C:\WINNT\system32\sch14.ldf -s WILDFIRE -c DC=X DC=tsigroup,DC=co,DC=uk

ERROR: Import from file C:\WINNT\system32\sch14.ldf failed. Error file is
saved in ldif.err.14.

If the error is "Insufficient Rights" (Ldap error code 50), please make sure
the current logged on user has rights to read/write objects in the schema
and configuration containers, or log off and log in as an user with these
rights and rerun schupgr.exe.

-------------------------------------------------------------------

Please help if you can, as I cannot figure out where to go from here.

Many thanks

John.
 
tom

I think but don't hold to this, it looks like your user doesn't have admin
rights to the schema

put your admin user in schema admins group and that should do it.

let me know if this works or if i am completely wrong

cheers

Tom


 
John Faris

tom said:
> I think but don't hold to this, it looks like your user doesn't have admin
> rights to the schema
>
> put your admin user in schema admins group and that should do it.
>
> let me know if this works or if i am completely wrong

Hi Tom.

I used the default Administrator account to run adprep, and I have just
confirmed that this is a member of schema admins.

Thanks for your help though. Any other ideas?

John.
 
tom

make sure the schema master is up and running ok

not sure apart from that, you could try changing the schema master to
another server and see if that works, not really fixing the problem i know
but it might work

again let me know if it works, i'll try and think of something else

cheers

Tom
 
John Faris

tom said:
> make sure the schema master is up and running ok
>
> not sure apart from that, you could try changing the schema master to
> another server and see if that works, not really fixing the problem i know
> but it might work
>
> again let me know if it works, i'll try and think of something else
>
> cheers
>
> Tom

How do you go about doing that? Sounds a little risky to me considering
there is obviously something wrong.
 
tom

you would have to load the mmc snap in for the schema

if you haven't already loaded it type "regsvr32 schmmgmt.dll" in the run
box, then go to mmc and load AD Schema, open the schema snap in then so that
you see classes and attributes (this makes it attach to the server), right
click on the schema in mmc and click operations master in there you have the
option to move the schema master to another server, although you do need to
have another dc available for it. agreed it is a bit risky but as a last
resort you might consider it outside of work hours and with a good backup

the other thing i have just found is this
http://support.microsoft.com/default.aspx?scid=kb;en-us;314649 you may have
already read it but if not it has a couple of things to try if you can get
your head around it, not sure if you have exchange or not

and just another thought where are you trying to run adprep from ie
workstation or server? should be a server i think never tried it from a
workstation, try running it from your schema master (will be first dc in
domain if you haven't moved it)

cheers

Tom
 
John Faris

tom said:
> you would have to load the mmc snap in for the schema
> if you haven't already loaded it type "regsvr32 schmmgmt.dll" in the run
> box, then go to mmc and load AD Schema, open the schema snap in then so that
> you see classes and attributes (this makes it attach to the server), right
> click on the schema in mmc and click operations master in there you have the
> option to move the schema master to another server, although you do need to
> have another dc available for it. agreed it is a bit risky but as a last
> resort you might consider it outside of work hours and with a good backup

I'm only going to look at this as a last resort. I have found this article
http://support.microsoft.com/default.aspx?scid=kb;EN-US;285172
Do you think this could be anything to do with it?

> the other thing i have just found is this
> http://support.microsoft.com/default.aspx?scid=kb;en-us;314649 you may have
> already read it but if not it has a couple of things to try if you can get
> your head around it, not sure if you have exchange or not

I have looked at this before, but when I read
http://support.microsoft.com/default.aspx?kbid=325379
it said that this wasn't an issue if you installed Exchange 2K Service Pack
3. I did install Service Pack 3 but hit an error that I posted to
microsoft.public.exchange2000.setup.installation but never received any
answers.
The service pack seemed to continue ok after the error, so I was forced to
ignore it and hope for the best. Maybe that is what the problem is here? I
will revisit this document and see if I can try anything else.

> and just another thought where are you trying to run adprep from ie
> workstation or server? should be a server i think never tried it from a
> workstation, try running it from your schema master (will be first dc in
> domain if you haven't moved it)

I am running it from the Schema master. One thought just occurred to me.
Exchange 2000 is installed on another W2K Server. When you install this it
adds extensions into active directory users & computers that only appear on
the Exchange 2K machine. I don't suppose the lack of these extensions on
the schema master server could cause a problem could they?

Thanks for helping me out here it is very much appreciated.
 
tom

John Faris said:
> > backup
>
> I'm only going to look at this as a last resort. I have found this article
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;285172
> Do you think this could be anything to do with it?

it said in your log file that it set this value in the reg to 0 you could
try setting it to 1 but i don't think it will make a difference as i think
that adprep would ignore this value, might be worth a shot though.

> ..
> I have looked at this before, but when I read
> http://support.microsoft.com/default.aspx?kbid=325379
> it said that this wasn't an issue if you installed Exchange 2K Service Pack
> 3. I did install Service Pack 3 but hit an error that I posted to
> microsoft.public.exchange2000.setup.installation but never received any
> answers.
> The service pack seemed to continue ok after the error, so I was forced to
> ignore it and hope for the best. Maybe that is what the problem is here? I
> will revisit this document and see if I can try anything else.

I can't see anything else in that article that might help except trying to
put the schema updates in but as you say it should be alright with sp3

> I am running it from the Schema master. One thought just occurred to me.
> Exchange 2000 is installed on another W2K Server. When you install this it
> adds extensions into active directory users & computers that only appear on
> the Exchange 2K machine. I don't suppose the lack of these extensions on
> the schema master server could cause a problem could they?

It shouldn't matter because the schema master would hold all of this
information (if it is set in the schema)

have you looked at the ldap error file called ldif.err should be in
system32?

> Thanks for helping me out here it is very much appreciated.

no problem I like the challenge,
 
John Faris

> have you looked at the ldap error file called ldif.err should be in
> system32?

I have, and it helpfully contains the exact same text as ldiff14.err

Here it is again.

Entry DN: CN=When-Created,CN=Schema,CN=Configuration,DC=tsigroup,DC=co,DC=uk
Add error on line 4: Busy
The server side error is "A database error has occurred."
An error has occurred in the program

How meaningful!

I am going to try the part in
http://support.microsoft.com/default.aspx?scid=kb;en-us;314649 where it
describes Scenario 2. Maybe the error I received applying Exchange Service
Pack 3 meant it did not complete this part correctly.
 
John Faris

Yeah, figures. I'll try it tonight when the users have gone home. I'll post
back my findings tomorrow, if you're still around <g>.

Hi Tom.

I re-ran the Exchange 2000 SP3 and actually got it to go through OK. I then
had another go at running adprep and lo and behold it worked! All changes
went through successfully. Great! But.... somehow I still seem to have
managed to get the mangled LDAP display names problem.

http://support.microsoft.com/?id=314649 tells you how to fix this, but I am
a little confused by the instructions. It says to enter a command as
follows:-

From the console of the schema operations master, load the
InetOrgPersonfix.ldf file by using Ldifde.exe to correct the LdapDisplayName
attribute of the houseIdentifier, the Secretary, and the labeledURI
attributes. To do this, type the following command, where X is a
case-sensitive constant and dn path for forest root domain is the domain
name path for the root domain of the forest wrapped in quotation marks:

ldifde -i -f inetorgpersonfix.ldf -v -c DC=X "dn path for forest root domain"

I do not know what it means for the "dn path for forest root domain" part.
Can you explain?

Thanks.

John.
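
Added example, not part of any post in this thread: the Configuration naming context that schupgr.log lists sits directly under the forest root domain, so the "dn path for forest root domain" asked about above can be read from that log, alongside the failure details from the first post. The function names are hypothetical and the sample text is constructed from the log excerpts posted in the thread.

```python
import re

# Constructed sample: lines taken from the schupgr.log and ldif.err.14 excerpts posted in this thread.
SCHUPGR_LOG = """\
Found Naming Context DC=tsigroup,DC=co,DC=uk
Found Naming Context CN=Schema,CN=Configuration,DC=tsigroup,DC=co,DC=uk
Found Naming Context CN=Configuration,DC=tsigroup,DC=co,DC=uk
Current Schema Version is 13
Upgrading schema to version 30
ERROR: Import from file C:\\WINNT\\system32\\sch14.ldf failed. Error file is
saved in ldif.err.14.
"""
LDIF_ERR = """\
Entry DN: CN=When-Created,CN=Schema,CN=Configuration,DC=tsigroup,DC=co,DC=uk
Add error on line 4: Busy
The server side error is "A database error has occurred."
"""

def forest_root_dn(schupgr_log):
    """The Configuration naming context sits directly under the forest root
    domain, so dropping its leading RDN yields the forest root DN."""
    for nc in re.findall(r"^Found Naming Context (.+)$", schupgr_log, re.M):
        if nc.upper().startswith("CN=CONFIGURATION,"):
            return nc.split(",", 1)[1].strip()
    raise ValueError("no Configuration naming context found in log")

def triage(schupgr_log, ldif_err):
    """Report where the schema upgrade stopped and what the server answered."""
    def grab(pattern, text):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    ldap_error = grab(r"error on line \d+: (.+)$", ldif_err)
    return {
        "current_version": grab(r"Current Schema Version is (\d+)", schupgr_log),
        "target_version": grab(r"Upgrading schema to version (\d+)", schupgr_log),
        "failed_file": grab(r"Import from file (\S+) failed", schupgr_log),
        "entry_dn": grab(r"^Entry DN: (.+)$", ldif_err),
        "ldap_error": ldap_error,
        "server_error": grab(r'server side error is "(.+)"', ldif_err),
        # The log's hint about schema/configuration rights applies only to this error text.
        "rights_problem": ldap_error == "Insufficient Rights",
    }

def ldifde_fix_command(root_dn, ldf="inetorgpersonfix.ldf"):
    """Fill in the KB 314649 command; DC=X is the literal, case-sensitive constant."""
    return f'ldifde -i -f {ldf} -v -c DC=X "{root_dn}"'

if __name__ == "__main__":
    print(triage(SCHUPGR_LOG, LDIF_ERR))
    print(ldifde_fix_command(forest_root_dn(SCHUPGR_LOG)))
```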
 
tom

oh cool good to hear you got it working, amazing how one little thing can
cause so much trouble.

cheers

Tom
 
