adprep problems

  • Thread starter Thread starter idharris
  • Start date Start date
I

idharris

Please can someone help...

We have 2 Windows 2000 SP4 (DC)servers, in the same site. Only 1 domain
in the AD forest. There is also a NAS box (Windows 2000 SP4) which is
a member server of the domain.

We are going to add a 2003 server into the domain but for some reason
adprep /forestprep is giving errors. Adprep is coming from a Win2k3 SP1
CD.

There were no copying errors in the adprep log only this error:

Adprep was unable to extend the schema.
[Status/Consequence]
The schema master did not complete a replication cycle after the last
reboot. The schema master must complete at least one replication cycle
before the schema can be extended.
[User Action]
Verify that the schema master is connected to the network and can
communicate with other domain controllers. Use the Sites and Services
snap-in to replicate between the schema operations master and at least
one replication partner. After replication has succeeded, run adprep
again.

I forced a replication between the two servers and it came back with
the replication succeeded. Repadmin /showreps show that inbound
replication is working fine.

I am running the adprep with an account which is a member of the
Enterprise, Schema & Domain admins.

There are no errors being reported in Event Viewer on either server.

One server has the schema operations FSMO role (where I am running
adprep from) and the other server has the other roles. I don't know
why this would be. We were not involved with the original server
install only this upgrade.

Can someone else help as I have no idea where to turn now?

Thank you in advance!
 
Very quickly I would suggest that you make sure that there are no currect
replication errors. It seems that might be some now. I would suggest
installing the Support Tools from the SP4 CD-Media and run dcdiag /v and
netdiag /v and repadmin /v. This should give us some idea of what is
happening.

Then, once that is all straightened out, I would suggest that you run this
on the WIN2000 DC that holds the fsmo role of Schema Master using an account
that is a member of the Schema Admins.

I am sure that there are some KB articles that explain this process.

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
 
Hi,

I ran the utilities dcdiag and netdiag worked fine but repadmin
wouldn't run with the /v switch. I ran it with the /showrep switch and
here is the output. I can see errors in dcdiag but none in netdiag and
dcdiag.

In the output below, I have changed the name of the Site to OurSite,
the domain is now OURDOMAIN.co.uk and I have changed the names of the
DCs. DC02 has the schema master FSMO role and this is where the adprep
and dcdiag, netdiag & repadmin were being run from.

DCDIAG.EXE /v


Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine DC02, is a DC.
* Connecting to directory service on server DC02.
* Collecting site info.
* Identifying all servers.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: OurSite\DC02
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC02 passed test Connectivity

Doing primary tests

Testing server: OurSite\DC02
Starting test: Replications
* Replications Check
......................... DC02 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk
* Security Permissions Check for
CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk
* Security Permissions Check for
DC=lan,DC=OURDOMAIN,DC=co,DC=uk
......................... DC02 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... DC02 passed test NetLogons
Starting test: Advertising
The DC DC02 is advertising itself as a DC and having a DS.
The DC DC02 is advertising as an LDAP server
The DC DC02 is advertising as having a writeable directory
The DC DC02 is advertising as a Key Distribution Center
The DC DC02 is advertising as a time server
......................... DC02 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN="NTDS Settings
DEL:17e930ee-f414-46e8-8fcf-4f83e779f52b",CN=DC02,CN=Servers,CN=OurSite,CN=Sites,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,D

C=uk
Warning: CN="NTDS Settings
DEL:17e930ee-f414-46e8-8fcf-4f83e779f52b",CN=DC02,CN=Servers,CN=OurSite,CN=Sites,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,D

C=uk is the Schema Owner, but is deleted.
Role Domain Owner = CN="NTDS Settings
DEL:17e930ee-f414-46e8-8fcf-4f83e779f52b",CN=DC02,CN=Servers,CN=OurSite,CN=Sites,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,D

C=uk
Warning: CN="NTDS Settings
DEL:17e930ee-f414-46e8-8fcf-4f83e779f52b",CN=DC02,CN=Servers,CN=OurSite,CN=Sites,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,D

C=uk is the Domain Owner, but is deleted.
Role PDC Owner = CN=NTDS

Settings,CN=DC01,CN=Servers,CN=OurSite,CN=Sites,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk
Role Rid Owner = CN=NTDS

Settings,CN=DC01,CN=Servers,CN=OurSite,CN=Sites,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk
Role Infrastructure Update Owner = CN=NTDS

Settings,CN=DC01,CN=Servers,CN=OurSite,CN=Sites,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk
......................... DC02 failed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4617 to 1073741823
* DC01.lan.OURDOMAIN.co.uk is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4117 to 4616
* rIDNextRID: 4130
* rIDPreviousAllocationPool is 4117 to 4616
......................... DC02 passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/DC02.lan.OURDOMAIN.co.uk/lan.OURDOMAIN.co.uk
* SPN found :LDAP/DC02.lan.OURDOMAIN.co.uk
* SPN found :LDAP/DC02
* SPN found :LDAP/DC02.lan.OURDOMAIN.co.uk/LAN
* SPN found
:LDAP/fd4bc050-d3b2-4699-8643-55ae89ddcf9d._msdcs.lan.OURDOMAIN.co.uk
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/fd4bc050-d3b2-4699-8643-55ae89ddcf9d/lan.OURDOMAIN.co.uk
* SPN found :HOST/DC02.lan.OURDOMAIN.co.uk/lan.OURDOMAIN.co.uk
* SPN found :HOST/DC02.lan.OURDOMAIN.co.uk
* SPN found :HOST/DC02
* SPN found :HOST/DC02.lan.OURDOMAIN.co.uk/LAN
* SPN found :GC/DC02.lan.OURDOMAIN.co.uk/lan.OURDOMAIN.co.uk
......................... DC02 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
* Checking Service: NtFrs
......................... DC02 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
DC02 is in domain DC=lan,DC=OURDOMAIN,DC=co,DC=uk
Checking for CN=DC02,OU=Domain
Controllers,DC=lan,DC=OURDOMAIN,DC=co,DC=uk in domain
DC=lan,DC=OURDOMAIN,DC=co,DC=uk

on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS

Settings,CN=DC02,CN=Servers,CN=OurSite,CN=Sites,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk
in domain

CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk on 1 servers
Object is up-to-date on all servers.
......................... DC02 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
......................... DC02 passed test frssysvol
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last
15 minutes.
......................... DC02 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... DC02 passed test systemlog

Running enterprise tests on : lan.OURDOMAIN.co.uk
Starting test: Intersite
Skipping site OurSite, this site is outside the scope provided
by the command line arguments provided.
......................... lan.OURDOMAIN.co.uk passed test
Intersite
Starting test: FsmoCheck
GC Name: \\DC01.lan.OURDOMAIN.co.uk
Locator Flags: 0xe00001fd
PDC Name: \\DC01.lan.OURDOMAIN.co.uk
Locator Flags: 0xe00001fd
Time Server Name: \\DC02.lan.OURDOMAIN.co.uk
Locator Flags: 0xe00001f8
Preferred Time Server Name: \\DC02.lan.OURDOMAIN.co.uk
Locator Flags: 0xe00001f8
KDC Name: \\DC02.lan.OURDOMAIN.co.uk
Locator Flags: 0xe00001f8
......................... lan.OURDOMAIN.co.uk passed test
FsmoCheck

REPADMIN /SHOWREPS

OurSite\DC02
DSA Options : (none)
objectGuid : fd4bc050-d3b2-4699-8643-55ae89ddcf9d
invocationID: 46d376bd-0db1-4a99-b710-0ba69955cbff

==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk
OurSite\DC01 via RPC
objectGuid: 120f5c59-2d73-484f-835a-9a12e1f41455
Last attempt @ 2005-10-12 10:46.19 was successful.

CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk
OurSite\DC01 via RPC
objectGuid: 120f5c59-2d73-484f-835a-9a12e1f41455
Last attempt @ 2005-10-12 10:46.19 was successful.

DC=lan,DC=OURDOMAIN,DC=co,DC=uk
OurSite\DC01 via RPC
objectGuid: 120f5c59-2d73-484f-835a-9a12e1f41455
Last attempt @ 2005-10-12 10:48.40 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

CN=Schema,CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk
OurSite\DC01 via RPC
objectGuid: 120f5c59-2d73-484f-835a-9a12e1f41455

CN=Configuration,DC=lan,DC=OURDOMAIN,DC=co,DC=uk
OurSite\DC01 via RPC
objectGuid: 120f5c59-2d73-484f-835a-9a12e1f41455

DC=lan,DC=OURDOMAIN,DC=co,DC=uk
OurSite\DC01 via RPC
objectGuid: 120f5c59-2d73-484f-835a-9a12e1f41455


Netdiag is too large to post here. I have uploaded it here:

http://www.geocities.com/scotcheggmusic/netdiag-changed.txt
 
As an update. It turns out DC02 went bang last year and it lost it's
c:\ drive. The server was reinstalled using the same name etc but
obviously not the same SID.

Is it safe to seize the schema master FSMO role for DC02 onto DC01 with
DC02 still being up? I know DC02 isn't the same DC02 as before. Is it
safe?
 
I would first try a transfer. That might not work, though.

You also might want to look into doing a Metadata Cleanup to remove the
'old' DC02. I noticed that on the results of dcdiag. Take care to remove
the correct one. But first take care of the FSMO Roles. Have you checked
via netdom query fsmo to make sure that all is really okay. And, what
version of the Support Tools are you using: the one from the WIN2000 Server
CD-Media or the one from the Service Pack CD-Media ( or download ). I ask
because there are known issues with the Support Tools installed from the
WIN2000 Server CD-Media.....

And, sorry about the incorrect switch for repadmin. I know that it is
repadmin /showreps or repadmin /showconn!!!! Sometimes I just don't know
about myself!

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
 
It'd probably be prudent to run DCDiag and Netdiag on DC01 and review before
attempting any further action.

Assuming it's healthy, then proceed with metadata cleanup and proper
promotion of the new DC02.
 
Back
Top