Adprep /forestprep error [Unable to Promote Win 2012 R2 as DC to Win 2008 R2 based domain]

    Question

  • Hey guys, don't get me wrong on this but I've done my fair bit of research before deciding to post this question.

    I am trying to introduce a 2012 R2 DC into an existing domain which is on a 2008 R2. I encountered an error when promoting the new server as DC.

    I initially ran straight from 2012 R2 without running the adprep /forestprep in 2008 R2, since 2012 R2 will take care of this automatically.

    I'm running as a domain administrator and verified all the required memberships (enterprise, schema and domain admins). I don't have AV.

    Here's the extract of the adprep.log error:

    [2017/04/05:13:24:08.129]
    Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is CN=Claims Configuration,CN=Services,CN=Configuration,DC=xyz,DC=local.
    [2017/04/05:13:24:08.333]
    LDAP API ldap_add_s() finished, return code is 0x13
    [2017/04/05:13:24:08.333]
    Adprep was unable to create the object CN=Claims Configuration,CN=Services,CN=Configuration,DC=xyx,DC=local in Active Directory Domain Services.

    [Status/Consequence]

    This Adprep operation failed.

    [User Action]

    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20170405132339 directory for more information. Restart Adprep.
    [2017/04/05:13:24:08.333]
    Adprep encountered an LDAP error.

    Error code: 0x13. Server extended error code: 0x51b, Server error message: 0000051B: AtrErr: DSID-03150DBE, #1:
     0: 0000051B: DSID-03150DBE, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)

    DSID Info:
    DSID: 0x1811100d
    ldap error = 0x13
    NT BUILD: 9600
    NT BUILD: 16384

    [2017/04/05:13:24:08.333]
    Adprep was unable to update forest information.

    [Status/Consequence]

    Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

    [User Action]

    Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20170405132339 directory for more information.

    ---end---

    Thanks, I'm losing hope on this :(

    Wednesday, April 5, 2017 6:01 PM

All replies

  • Hi

    First, make sure the FSMO role holder is up and healthy. To find the FSMO holder, run "netdom query fsmo"; also check health with "dcdiag". On the other hand, check the Forest and Domain Functional levels.

    And you should check this MS troubleshooting article related to the schema update issue (maybe you already checked it):

    https://blogs.technet.microsoft.com/askds/2008/12/15/troubleshooting-adprep-errors/


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Wednesday, April 5, 2017 6:22 PM
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, April 10, 2017 1:51 PM
    Moderator
  • > Hi
    >
    > First, make sure the FSMO role holder is up and healthy. To find the FSMO holder, run "netdom query fsmo"; also check health with "dcdiag". On the other hand, check the Forest and Domain Functional levels.
    >
    > And you should check this MS troubleshooting article related to the schema update issue (maybe you already checked it):
    >
    > https://blogs.technet.microsoft.com/askds/2008/12/15/troubleshooting-adprep-errors/
    >
    > This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Hey Burak, I've actually done the steps/checks that you've suggested prior to posting my question and the results were all normal.

    I've actually tried creating another VM just to isolate that it's not the 2012 R2 VM that's causing the problem. I really can't think of any reason why Adprep was unable to create the object CN=Claims Configuration,CN=Services,CN=Configuration,DC=xyx,DC=local in Active Directory Domain Services.

    Any other recommended workaround? Basically my virtualization project is currently put on hold because I can't create a new DC on a VM.

    Thanks!

    Tuesday, April 11, 2017 3:41 PM
  • > Error code: 0x13. Server extended error code: 0x51b, Server error message: 0000051B: AtrErr: DSID-03150DBE, #1:
    >  0: 0000051B: DSID-03150DBE, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
     
    0x13: LDAP_CONSTRAINT_VIOLATION                                     winldap.h
    0x51b: ERROR_INVALID_OWNER                                           winerror.h
    # This security ID may not be assigned as the owner of this
    # object.
     
    Might be sufficient to track down the issue...
     
    Wednesday, April 12, 2017 9:37 AM
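
An added example (not part of any reply in this thread, and not Microsoft tooling): a small Python parser that ties the failing `ldap_add_s()` call in an adprep.log to its target DN and decodes the two codes named in the last reply. The function name `triage` and the regular expressions are assumptions derived only from the log extract in the question.

```python
import re

# Names for the two codes decoded in the reply above (winldap.h / winerror.h).
# Anything else is reported as "unknown" rather than guessed.
LDAP_CODES = {0x13: "LDAP_CONSTRAINT_VIOLATION"}
WIN32_CODES = {0x51B: "ERROR_INVALID_OWNER"}

# Lines copied from the adprep.log extract in the question.
SAMPLE_LOG = """\
[2017/04/05:13:24:08.129]
Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is CN=Claims Configuration,CN=Services,CN=Configuration,DC=xyz,DC=local.
[2017/04/05:13:24:08.333]
LDAP API ldap_add_s() finished, return code is 0x13
[2017/04/05:13:24:08.333]
Adprep encountered an LDAP error.
Error code: 0x13. Server extended error code: 0x51b, Server error message: 0000051B: AtrErr: DSID-03150DBE, #1:
 0: 0000051B: DSID-03150DBE, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
"""

# Patterns are derived only from the excerpt above (an assumption about the format).
CALL_RE = re.compile(r"LDAP API\. (ldap_\w+)\(\)\. The entry to \w+ is (.+?)\.\s*$")
RC_RE = re.compile(r"LDAP API (ldap_\w+)\(\) finished, return code is (0x[0-9a-fA-F]+)")
EXT_RE = re.compile(r"Server extended error code: (0x[0-9a-fA-F]+)")
ATT_RE = re.compile(r"problem \d+ \((\w+)\), data -?\d+, Att \w+ \((\w+)\)")

def triage(log_text):
    """Return one dict per failed LDAP call, joined with the server's detail lines."""
    failures, pending_dn, cur = [], None, None
    for line in map(str.strip, log_text.splitlines()):
        if m := CALL_RE.search(line):
            pending_dn = m.group(2)              # DN the next return code refers to
        elif m := RC_RE.search(line):
            rc, cur = int(m.group(2), 16), None
            if rc != 0:                          # 0 is LDAP_SUCCESS
                cur = {"api": m.group(1), "dn": pending_dn, "ldap": rc,
                       "ldap_name": LDAP_CODES.get(rc, "unknown")}
                failures.append(cur)
            pending_dn = None
        elif cur and (m := EXT_RE.search(line)):
            cur["win32"] = int(m.group(1), 16)   # extended code is a Win32 error
            cur["win32_name"] = WIN32_CODES.get(cur["win32"], "unknown")
        elif cur and (m := ATT_RE.search(line)):
            cur["problem"], cur["attribute"] = m.group(1), m.group(2)
    return failures

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['api']} on {f['dn']}: {f['ldap_name']} / "
              f"{f.get('win32_name')} on attribute {f.get('attribute')}")
```

Run against the full log, this gives one record per failed call, so the object, the attribute and the decoded owner error can be read together.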