ADPREP Error when promoting Windows Server 2016 in 2008 R2 forest/domain

    Question

  • When promoting a Windows Server 2016 to DC, adprep fails with an error that an attribute or value already exists.

    The DN is CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>.

    Forest and domain functional level is Windows Server 2008 R2; Exchange 2010 is also present in the domain. The result is the same if performed on the new-to-be DC implicitly via Install-ADDSDomainController or directly on the schema master.

    Here is the output from adprep:

    PS C:\Temp\support\adprep> .\adprep.exe /forestprep
    
    ADPREP WARNING:
    
    Before running adprep, all Windows Active Directory Domain Controllers in the forest must run Windows Server 2003 or lat
    er.
    
    You are about to upgrade the schema for the Active Directory forest named '<domain>', using the Active Directo
    ry domain controller (schema master) 'dc1.<domain>'.
    This operation cannot be reversed after it completes.
    
    [User Action]
    If all domain controllers in the forest run Windows Server 2003 or later and you want to upgrade the schema, confirm by
    typing 'C' and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
    
    
    c
    
    Current Schema Version is 86
    
    
    Upgrading schema to version 87
    
    
    Verifying file signature
    Connecting to "dc1.<domain>"
    Logging in as current user using SSPI
    Importing directory from file "C:\Temp\support\adprep\sch87.ldf"
    Loading entries.
    Add error on entry starting on line 1: Attribute Or Value Exists
    The server side error is: 0x2083 The specified value already exists.
    The extended server error is:
    00002083: AtrErr: DSID-031513D7, #1:
            0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72
    
    0 entries modified successfully.
    An error has occurred in the program
    ERROR: Import from file C:\Temp\support\adprep\sch87.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\201
    61125155706\ldif.err.87.
    
    If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write
     objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forest
    prep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.
    
    
    Adprep was unable to upgrade the schema on the schema master.
    [Status/Consequence]
    The schema will not be restored to its original state.
    [User Action]
    Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20161125155706 directory for detailed information.
    
    
    Adprep was unable to update forest information.
    [Status/Consequence]
    Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
    [User Action]
    Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20161125155706 directory for more information.

    The referenced ldif.err.87 file:

    Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057
    
    Add error on entry starting on line 1: Attribute Or Value Exists
    
    The server side error is: 0x2083 The specified value already exists.
    
    The extended server error is:
    
    00002083: AtrErr: DSID-031513D7, #1:
    	0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72
    
    
    An error has occurred in the program

    The referenced ldif.err file:

    Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057
    
    Add error on entry starting on line 1: Attribute Or Value Exists
    
    The server side error is: 0x2083 The specified value already exists.
    
    The extended server error is:
    
    00002083: AtrErr: DSID-031513D7, #1:
    	0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72
    
    
    An error has occurred in the program

    Can anyone shine some light into this matter and what to do?

    Searching the internet I could not find anything resembling this.

    Thanks a lot for any input!


    • Edited by mpibghe Friday, November 25, 2016 4:26 PM incorrect cmdlet typed before
    Friday, November 25, 2016 4:21 PM

Answers

  • To close this: I have found a solution that is far easier than creating a new domain and migrating everything.

    ADPREP says in the output (as seen in the opening post) which LDIF file it uses to make directory changes (in this case: <Importing directory from file "C:\Temp\support\adprep\sch87.ldf">).

    This LDIF file contains all changes adprep tries to make. In my case the first entry is also the one failing with the error stated in the opening post:

    dn: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=X
    changetype: modify
    add: appliesTo
    appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057

    According to the error, adprep cannot perform the "add" operation because the value exists. So using ADSI Edit, connect to the Configuration naming context, navigate to the DN and remove the value adprep tries to add (in this case "7b8b558a-93a5-4af7-adca-c017e67f1057") from the appliesTo attribute.

    Do this for all commands in the LDIF file if the value exists in the directory. Remove only those values the LDIF file wants to add, so as not to break your AD!

    Once done, rerun adprep /forestprep and adprep will complete successfully, as it can now perform the add operation (at least it did for me). After that, promote the Windows Server 2016 to DC.

    I hope this helps you as well, Mike (Yevrag35)

    • Marked as answer by mpibghe Thursday, December 15, 2016 10:41 AM
    Thursday, December 15, 2016 10:41 AM

All replies

  • Hi

    You don't prepare manually, server 2012/2016 prepare automatically during promotion process. Check this article to migrate server 2016 (same steps for server 2016).

    http://blogs.msmvps.com/mweber/2012/07/27/upgrading-an-active-directory-domain-from-windows-server-2008-or-windows-server-2008-r2-to-windows-server-2012/


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Todd Heron Friday, November 25, 2016 8:31 PM
    • Unproposed as answer by mpibghe Monday, November 28, 2016 9:15 AM
    Friday, November 25, 2016 5:08 PM
  • Thanks for the input Burak.

    Promoting the new servers to DC through Install-ADDSDomainController was the first attempt with the exact same adprep error. So I tried to adprep directly to no avail.

    Maybe I should have stated this more clearly when opening the post.

    Any ideas on what to do with Error 'Attribute or Value exists' on "Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>" during implicit (through the Install-ADDSDomainController cmdlet) or explicit adprep?

    With kind regards,

    Gregor


    Monday, November 28, 2016 9:38 AM
  • Hi Gregor,
    Have you tried to use GUI in the Server Manager console for promoting a Windows Server 2016 to DC? And then please see if any errors are returned.
    You could follow the article as below step by step to try it:
    Promote Windows Server 2016 to Domain Controller step by step
    http://www.tactig.com/promote-windows-server-domain-controller/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, November 29, 2016 4:28 AM
    Moderator
  • Hi Wendy,

    thanks for your reply on this matter. Yes, I have tried this with the GUI as well. The result is exactly the same error, which clearly states that an entry or value that the implicit adprep during DC promotion preparation wants to modify already exists.

    The entry (DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>) in question seems to me to point to Exchange.

    I would like to note that the forest consists of only one domain and has over the years transitioned from Windows Server 2000 through Server 2003 to currently Server 2008 R2. The same with the integrated Exchange Server, from Server 2003 over 2007 to now 2010.

    No manual changes to the schema were configured aside from the installation of newer DC Versions or Exchange server. 

    I'm open to any suggestions!

    Thanks,

    Gregor

    Tuesday, November 29, 2016 11:39 AM
  • Hi Gregor.

    As far as I know, Extended-Rights contains the set of all extended rights for the forest, stored as controlAccessRight objects. Access control on custom actions or operations are called control access rights, or extended rights. Access control determines who is permitted to perform operations on Active Directory objects. Access to standard actions or operations is controlled by two major types of permissions container operations and attribute-based access. Other operations can have semantics that are not tied to specific attributes, and these operations might also require access control. The user class can be granted a Send As right that can be used by Exchange Server, Outlook, or any other e-mail program, to determine whether a particular user can have another user send e-mail messages on their behalf.

    You could check if the user account is already listed on this container from your DC.

    Best regards,

    Wendy



    Friday, December 2, 2016 1:32 AM
    Moderator
  • Hi Wendy,

    thank you for your reply. Yes, the Send-As Entry has objectClass controlAccessRight. The extended right Send-As is in use for shared mailboxes in our Exchange 2010 infrastructure.

    I'm afraid I don't follow what you suggest me to check. Do you mean the user account which executed the promotion/adprep? The account has full access to the entry.
    Checking with ADSI Edit, CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain> does not have any child elements and no user accounts are referenced through any attributes. The CN=Send-As entry was created in the year 2000 (whenCreated attribute), but it says modified on November 25th 2016 (whenChanged), which correlates with the first attempt to promote the 2016 server to DC.

    Could you please clarify what I should check?

    Thank you and best regards,
    Gregor


    Monday, December 5, 2016 1:01 PM
  • @mpibghe - This is very interesting.  Our company's in the same boat now as well.  After a failed Server 2016 DC promotion, we now see the very same error about importing from "sch87.ldf".  Because one of our admins didn't realize it was going to extend the schema, he ran the setup.  However, it failed because he was not a member of the "Schema Admins" group.

    Importing directory from file "C:\Windows\system32\adprep\sch87.ldf"
    
    Loading entries
    1: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<ourdomain>,DC=com
    Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<ourdomain>,DC=com
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057
    
    Add error on entry starting on line 1: Attribute Or Value Exists
    
    The server side error is: 0x2083 The specified value already exists.
    
    The extended server error is:
    
    00002083: AtrErr: DSID-031513DD, #1:
    	0: 00002083: DSID-031513DD, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72

    Coincidentally, we have a second (unrelated) forest that I stood up new 2016 domain controllers for via powershell.  That setup ran without a hitch, so it leads me to believe the failed attempt the first time is what's causing this issue.

    Regards,

    Mike

    Tuesday, December 6, 2016 6:20 PM
  • Hi Mike,

    my user account was schema admin on the first try. I've checked the logs from the first promotion attempt again, and it may be that another promotion was executed too quickly in succession to the first - before the first promotion completely finished. That might not have been the best move.

    I strangely do not see any errors in the logs of the first, but the very same error on the second server. I am however sure the same error was displayed in powershell of the first server.

    Now it's the same error every time. Shouldn't adprep be able to handle an existing value?

    Is there a way to force it to update or ignore the attribute / value? Any other ideas on how to fix this?

    Thanks,

    Gregor

    Friday, December 9, 2016 9:52 AM
  • I've compared the current attributes of CN=Send-As to attributes of a backup prior to the attempted promotion. The entries differ on the following attributes.

    • allowedAttributesEffective
    • appliesTo
    • modifyTimeStamp
    • msDS-ReplAttributeMetaData
    • replPropertyMetaData
    • uSNChanged
    • whenChanged

    I don't know if this matters and I am hesitant to restore the entry. I don't want to cause any more damage.

    Friday, December 9, 2016 12:36 PM
  • Hi,
    For me, I would build a new domain, and promote windows server 2016 as DC, then see if the same error appears again. If not, I would migrate old domain into this new one. It may be easier than continuing troubleshooting on this problem. Just a suggestion.
    Best regards,
    Wendy


    Monday, December 12, 2016 2:13 AM
    Moderator
  • Hi,
    Great share and update, it will be greatly helpful to others who have the same question.
    Appreciate for your feedback.
    Best regards,
    Wendy


    Friday, December 16, 2016 1:40 AM
    Moderator
  • Hi,

    I had a similar problem when adding a 2016 DC to a 2008r2 forest.
    To be fair, I also joined 2 new 2016 DC's at the same time, which was more likely the cause of my problems...

    I had to remove the value 7b8b558a-93a5-4af7-adca-c017e67f1057 from the following items:

    Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=PL,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry DN: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=PL,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry DN: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=PL,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry DN: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=PL,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry DN: CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=PL,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry DN: CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=PL,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    CN=MS-TS-Gateway,CN=Extended-Rights,CN=Configuration,DC=PL,DC=local

    CN=User-Account-Restrictions,CN=Extended-Rights,CN=Configuration,DC=PL,DC=local

    I hope this helps someone else and saves you the trouble of running dcpromo x number of times to find out all the items...

    Wednesday, April 19, 2017 12:49 PM
  • Hello Gloin,

    your solution really saved me. I was in the same situation, trying to add 2 2016 DCs at the same time.

    Thanks very much

    Thursday, June 8, 2017 11:55 AM
  • This was my issue too. Thank you for listing those out-- it made things much easier for me. When the dcpromo fails, the values listed above are logged in:

    "C:\Windows\debug\adprep\logs\[dateandtime]\ldif.log"


    Tuesday, August 1, 2017 10:45 PM
  • Hi,

    This works for me, as I found the errors in the ldiff file.log and removed all 5 different values from ADSIEDIT: Send As, Receive As, Public Information, Validated SPN and one more value which I found in the log of the ldiff file.

    Thank you very much for such a good article.

    Nashim Khan

    Sunday, September 10, 2017 9:22 PM
  • Gloin,

    Thank you for the extensive list. I went through the pain of diagnosing before I looked up the issue. Reading the logs led me where I needed to go but your list is exact and correct. Thank you for the excellent post and advice on the solution.

    Friday, August 10, 2018 2:19 AM
  • I had similar problems. 

    I kept removing the attribute like he suggested and trying again and it would get 1 attribute string further.

    Eventually I just opened all of the attributes in that folder and looked for the troublesome "appliesto" GUID and removed it everywhere I found it. A short list is below

    1: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    2: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    3: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    4: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    5: CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    6: CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    7: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    8: CN=Schema,CN=Configuration,DC=companywear,DC=local

    Sanitized log file below

    --------------------

    Connecting to "compDC1.companywear.local"

    Logging in as current user using SSPI

    Importing directory from file "C:\Windows\system32\adprep\sch87.ldf"

    Loading entries
    1: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry modified successfully.



    2: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    Entry DN: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry modified successfully.



    3: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    Entry DN: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry modified successfully.



    4: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    Entry DN: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry modified successfully.



    5: CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    Entry DN: CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry modified successfully.



    6: CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    Entry DN: CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry modified successfully.



    7: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    Entry DN: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=companywear,DC=local
    changetype: modify
    Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

    Entry modified successfully.



    8: CN=Schema,CN=Configuration,DC=companywear,DC=local
    Entry DN: CN=Schema,CN=Configuration,DC=companywear,DC=local
    Entry modified successfully.



    9: (null)
    Entry DN: (null)
    changetype: modify
    Attribute 0) schemaUpdateNow:1

    Entry modified successfully.



    16 entries modified successfully.


    The command has completed successfully

    Tuesday, September 25, 2018 6:07 AM
  • Thank you for this - worked like a charm. 

    I would add that you might want to check whatever schXX.ldf file adprep is trying to run (Drive:\setup\adprep). In our case it was sch87.ldf (for 2016). In that file you will see a list of all of the DNs it will try to hit, so you can change them all without having to run the cmd over and over. I was chasing my tail :)

    Thursday, October 25, 2018 10:52 PM
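
The check described in the accepted answer and in the last post (read the schXX.ldf that adprep imports and find every value it wants to add that is already in the directory) can be done read-only before anything is changed in ADSI Edit. The PowerShell below is an added example, not code from any poster or from Microsoft; the function names and sample text are constructed here, and it assumes the ActiveDirectory RSAT module and that the `DC=X` placeholder in the .ldf stands for the forest root DN.

```powershell
# Added example. Read-only: it reports conflicts and never writes to the directory.
# Function names are illustrative; assumes the ActiveDirectory (RSAT) module.

function Get-LdfAddOperation {
    # Returns one object per value that a "changetype: modify / add:" record wants to add.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines,
        [Parameter(Mandatory)][string]$RootDN   # substituted for the DC=X placeholder (assumption)
    )
    # Unfold LDIF continuation lines (a leading single space continues the previous line).
    $unfolded = New-Object 'System.Collections.Generic.List[string]'
    foreach ($l in $Lines) {
        if ($l.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $l.Substring(1)
        } else { $unfolded.Add($l) }
    }
    $dn = $null; $isModify = $false; $attr = $null
    foreach ($l in $unfolded) {
        if ($l -match '^\s*$') { $dn = $null; $isModify = $false; $attr = $null; continue }  # record ends
        if ($l -match '^#') { continue }
        if ($l -match '^dn:\s*(.*)$') { $dn = $Matches[1].Trim() -replace 'DC=X$', $RootDN; continue }
        if ($l -match '^changetype:\s*(\S+)') { $isModify = ($Matches[1] -eq 'modify'); continue }
        if ($l -match '^-\s*$' -or $l -match '^(replace|delete):') { $attr = $null; continue }
        if ($isModify -and $l -match '^add:\s*(\S+)') { $attr = $Matches[1]; continue }
        # Plain "attr: value" lines only; base64 ("attr:: ...") values are skipped.
        if ($attr -and $dn -and $l -match ('^' + [regex]::Escape($attr) + ':\s+(.*)$')) {
            [pscustomobject]@{ DN = $dn; Attribute = $attr; Value = $Matches[1].Trim() }
        }
    }
}

function Test-LdfAddConflict {
    # Lists the add operations whose value is already present on the target object.
    param([Parameter(Mandatory)][string]$LdfPath, [string]$Server)
    Import-Module ActiveDirectory -ErrorAction Stop
    $dse = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $target = $dse.dnsHostName
    $ops = Get-LdfAddOperation -Lines (Get-Content -LiteralPath $LdfPath) -RootDN $dse.rootDomainNamingContext
    foreach ($op in $ops) {
        try {
            $obj = Get-ADObject -Identity $op.DN -Properties $op.Attribute -Server $target -ErrorAction Stop
        } catch {
            Write-Warning "Skipped $($op.DN): $($_.Exception.Message)"   # e.g. object not created yet
            continue
        }
        # Case-insensitive string comparison; sufficient for GUID-string values such as appliesTo.
        $current = @($obj.($op.Attribute)) | ForEach-Object { [string]$_ }
        if ($current -contains $op.Value) { $op }
    }
}

# Constructed sample in the shape of the sch87.ldf record quoted in the thread (runs offline).
$sample = @'
dn: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=X
changetype: modify
add: appliesTo
appliesTo: 7b8b558a-93a5-4af7-adca-c017e67f1057
-
'@ -split '\r?\n'
Get-LdfAddOperation -Lines $sample -RootDN 'DC=example,DC=test' | Format-List

# Against a live forest (path as shown in the thread's log output):
# Test-LdfAddConflict -LdfPath 'C:\Windows\system32\adprep\sch87.ldf' | Format-Table -AutoSize
```

Each row `Test-LdfAddConflict` returns is a DN, attribute and value that the import would fail on with ATT_OR_VALUE_EXISTS; values it does not list are not touched by the fix described in the thread.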