Getting an Error When Running Server 2012 R2 adprep /forest prep on a 2012 DC (Network Steve Forum)

Getting an Error When Running Server 2012 R2 adprep /forest prep on a 2012 DC

I am getting an error when running adprep /forest prep on a Server 2012 domain controller. The main parts of my domain are as follows:

2 - Domain Controllers running Server 2012

1 - Exchange Server 2013 running on Server 2012

I am trying to either do an in-place upgrade to my domain controllers to Server 2012 R2 or even introduce a Server 2012 R2 domain controller into the domain. The error I am getting is as follows:

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.
[2014/04/05:09:12:38.873]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=38618886-98ee-4e42-8cf1-d9a2cd9edf8b,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=DOMAIN,DC=local.
[2014/04/05:09:12:38.873]
LDAP API ldap_search_s() finished, return code is 0x20
[2014/04/05:09:12:38.873]
Adprep verified the state of operation cn=38618886-98ee-4e42-8cf1-d9a2cd9edf8b,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=DOMAIN,DC=local.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.
[2014/04/05:09:12:38.873]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=DOMAIN,DC=local.
[2014/04/05:09:12:38.873]
LDAP API ldap_modify_s() finished, return code is 0x13
[2014/04/05:09:12:38.905]
Adprep was unable to modify some attributes on object CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=DOMAIN,DC=local.

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20140405091235 directory for more information.
[2014/04/05:09:12:38.936]
Adprep encountered an LDAP error.

Error code: 0x13. Server extended error code: 0x20b1, Server error message: 000020B1: AtrErr: DSID-030F112A, #1:
0: 000020B1: DSID-030F112A, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9086f (msDS-ClaimIsValueSpaceRestricted)

DSID Info:
DSID: 0x181112dd
ldap error = 0x13
NT BUILD: 9600
NT BUILD: 16384

[2014/04/05:09:12:38.967]
Adprep was unable to update forest information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

[User Action]

Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20140405091235 directory for more information.

Any Help would be appreciated. Thanks!

April 5th, 2014 3:03pm

Hi,

did you check which servers has FSMO roles?
You can do that via command prompt: netdom query fsmo
For forestprep you must do that on DC which have Schema Operations marter role.

Command

Domain controller

Number of times to run the command

adprep /forestprep

Must be run on the schema operations master for the forest.

Once for the entire forest

adprep /domainprep

Must be run on the infrastructure operations master for the domain.

Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain.

Note
Domains where you will not add a new domain controller will be affected by adprep /forestprep, but they do not require you to run adprep /domainprep.

http://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx

Free Windows Admin Tool Kit Click here and download it now

April 5th, 2014 3:57pm

Yes, I have tried this from the server that holds the FSMO roles.

April 5th, 2014 3:58pm

okay,
and you have needed rights on your account?

Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

Free Windows Admin Tool Kit Click here and download it now

April 5th, 2014 4:11pm

it seems that you don't have sufficient permissions to run the forestprep. logon with a user that is member of Enterprise Administrator group and try again.

Housam

April 5th, 2014 6:37pm

Yes, I am logged in as the administrator, which is a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group. I am also trying this from the domain controller which is the schema master.

I get this error when trying to manually run adprep /forestprep as well as when I try to do an in-place ugrade which automatically runs that command. Both ways generate the same error.

I have also tried to introduce a new Server 2012 R2 server into the domain as a domain controller and get the same error.

I have also checked the security permissions in ADSI of the object of "CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=DOMAIN,DC=local". The permissions seems fine.

The one thing that I have found in ADSI is the attribute "ClaimIsValueSpaceRestricted" is set "TRUE". I compared this to another domain that is running Server 2012 R2 DCs and this attribute is set to "FALSE". However the option to change it is greyed out. It appears this attribute was introduces in Server 2012.

Free Windows Admin Tool Kit Click here and download it now

April 5th, 2014 7:15pm

Hi Ryan,

You are right that the attribute ClaimIsValueSpaceRestricted is a new schema update in Windows Server 2012.

Are there any other error messages in the ADPrep.log you would provide for further troubleshooting?

In addition, the forest functional level should be at least Windows Server 2003 to introduce a Windows Server 2012 as Domain Controller.

More information for you:

Windows Server 2012: Forest-Wide Updates

http://technet.microsoft.com/en-us/library/dn250017.aspx

Upgrade Domain Controllers to Windows Server 2012

http://technet.microsoft.com/en-us/library/hh994618.aspx

Troubleshooting ADPREP Errors

http://blogs.technet.com/b/askds/archive/2008/12/15/troubleshooting-adprep-errors.aspx

Best Regards,

Amy Wang

April 7th, 2014 3:11am

Hi Amy,

The message from my original post is from the ADPrep.log. I can post the entire log, but I don't see the point as the issue is clearly stated in the portion I posted.

The forest functional level is currently at Server 2012, so there is no issue there. I have also read through the ADPREP error page and there is nothing about the error that I am getting.

I have posted here because I am looking for assistance to an issue that I cannot find anything about online. I have searched very thoroughly. Being that this ClaimIsValueSpaceRestricted is new, there is nothing I can find that explains this error.

I will most likely have to open a ticket with Microsoft unless anyone has something I can try.

Thanks!

Free Windows Admin Tool Kit Click here and download it now

April 7th, 2014 2:20pm

Hi Ryan,

Are you able to introduce a new Windows Server 2012 without running Adprep.exe manually? Since it is integrated into AD installation process of Windows Server 2012.

Upgrade Domain Controllers to Windows Server 2012

http://technet.microsoft.com/en-us/library/hh994618.aspx

Regards,

Amy

Edited by Amy Wang_Microsoft contingent staff, Moderator Thursday, April 10, 2014 9:59 AM

April 10th, 2014 9:59am

Hi Ryan,

Do you have any updates by now?

Regards,

Amy

Edited by Amy Wang_Microsoft contingent staff, Moderator Sunday, April 20, 2014 10:15 AM

Free Windows Admin Tool Kit Click here and download it now

April 20th, 2014 10:15am

Did you ever find a solution to this?.

June 6th, 2015 6:31am

This topic is archived. No further replies will be accepted.