AdPrep logs show an LDAP error
- by Omar
What I am trying to do is transition our domain from Server 2003 Enterprise x32 to Server 2008 R2 Enterprise x64. Here is what I have done thus far. The 2003 server is a physical machine, the 2008 server is a virtual machine
Built a virtual machine that has Server 2008 R2 Enterprise x64 and joined it to the domain as a domain member
On the 2003 DC, Raised Domain Functional Level and Forest Functional Level to Windows Server 2003
On the 2003 DC, went into the registry and navigated to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and verified that the Schema Version is 30
On the 2003 DC, inserted the Windows Server 2008 Enterprise x32 Edition to copy over the adprep folder. This version is the only one that seemed to work
On the 2003 DC, opened command prompt and went to adprep directory and ran adprep /forestprep , adprep /domainprep , and adprep /domainprep /gpprep
On the 2008 server, Installed the Active Directory Domain Services role from Server Manager
On the 2003 DC, went into the registry and navigated to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and verified that the Schema Version is now 44
When I go to run dcpromo on the 2008 server, I get a message that says:
"To install a domain controller into this Active Directory forest, you must first prepare using adprep /forestprep"
I went back to the 2003 DC server and went through the adprep logs and I came across this:
Adprep was unable to modify the security descriptor on object CN=DomainControllerAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xeroxtoledo,DC=com.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
[User Action]
Check the log file ADPrep.log in the C:\WINDOWS\debug\adprep\logs\20100327143517 directory for more information.
Adprep encountered an LDAP error.
*Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xeroxtoledo,DC=com*
In fact, I got three of these errors. The LDAP error is consistent with all three, but the top part where it says "Adprep was unable to modify the security descriptor on object" are different. They are the following:
CN=DomainControllerAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xeroxtoledo,DC=com.
CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xeroxtoledo,DC=com.
CN=KerberosAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=xeroxtoledo,DC=com.
The credentials I am using on the 2008 server when running dcpromo is my domain account. My account is part of the domain and enterprise admin groups.
I've tried various quick fixes that I've came across through Google searches that include:
Disabling AntiVirus on current DCs
Pointing DNS on PDC to point to itself
Changing the Schema Update Allowed key to 1 and tried rerunning adprep - when rerunning adprep, told me that Forest-wide information has already been updated
Disabled Windows Firewall on the Server 2008 box
On the 2003 DC, went to Domain Controller Security Policy Local Policies User Rights Assignment and added Domain Admins to the Enable computer and user accounts to be trusted for delegation policy setting
Both our PDC and BDC are Global Catalog Servers. Not sure if this matters or not
I ran the command netdom query fsmo and verified that the FSMO role holder is the current 2003 PDC
I ran dcdiag /v on the 2003 PDC and the only thing that failed was Services. Dnscache Service is stopped on the PDC
I even went as far as deleting the virtual machine and recreating it from scratch - no avail...
Help :(
