Forum Discussion
Problem with adprep before in place upgrade of domain controller
- May 23, 2018
I was able to solve this by adding the root certificate to trusted root authorities. Right-click schupgrade.cat (in the support\adprep folder) and click Properties, then go to the Digital Signatures tab. Click on the only signature listed and hit Details. Then hit View Certificate. Go to the Certification Path tab and hit the top certificate; it should have a red x on it and the status should say something about it not being trusted. Then hit View Certificate on this top cert, and click Install Certificate. Install to Local Machine, and specify to install into the Trusted Root Certificate Authorities store.
After that the cert should be trusted and adprep should work. If you close all the properties windows and reopen them, the red x should be gone and the signature valid.
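The same inspection can be done from PowerShell, which also records the thumbprint of the top certificate so it can be compared with the publisher's published value before it goes into the machine root store. This is an added example, not part of the original post; the catalog path is assumed from the D:\support\adprep prompt shown in the thread.

```powershell
# Added example (not from the thread). Path assumed from the thread's prompt.
$catalog = 'D:\support\adprep\schupgrade.cat'

# 1. Ask Windows how it currently judges the catalog's signature.
$sig = Get-AuthenticodeSignature -FilePath $catalog
"Signature status : $($sig.Status)"
"Status message   : $($sig.StatusMessage)"
if ($null -eq $sig.SignerCertificate) {
    throw "No signer certificate found in $catalog"
}

# 2. Load every certificate embedded in the signed catalog so the chain
#    can be built even when intermediates are not in a local store.
$embedded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$embedded.Import($catalog)

# 3. Build the chain without revocation lookups (works on an isolated DC).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ExtraStore.AddRange($embedded)
$trusted = $chain.Build($sig.SignerCertificate)
"Chain trusted    : $trusted"

# 4. List each element, signer first, with the problems found for it.
$chain.ChainElements | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Certificate.Subject
        Issuer     = $_.Certificate.Issuer
        Thumbprint = $_.Certificate.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        Problems   = ($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
} | Format-List

# 5. The last element is the top of the path. It is a root only if it is
#    self-issued; check whether it is already in the machine root store.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Top cert self-issued       : $($top.Subject -eq $top.Issuer)"
"Top cert in LocalMachine\Root: " +
    (Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)")
```

An `UntrustedRoot` entry under Problems for the last element corresponds to the red x described above; after the certificate is installed, rerunning the script should report the chain as trusted.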
Here is the adprep command I ran:
PS D:\support\adprep> .\adprep.exe /forestprep
ADPREP WARNING:
Before running adprep, all Windows Active Directory Domain Controllers in the forest must run Windows Server 2003 or later.
You are about to upgrade the schema for the Active Directory forest named 'amii.ca', using the Active Directory domain controller (schema master) 'AVMVPRDMFTADS01.amii.ca'.
This operation cannot be reversed after it completes.
[User Action]
If all domain controllers in the forest run Windows Server 2003 or later and you want to upgrade the schema, confirm by typing 'C' and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Current Schema Version is 87
Upgrading schema to version 88
Verifying file signature
Connecting to "AVMVPRDMFTADS01.amii.ca"
Logging in as current user using SSPI
Importing directory from file "D:\support\adprep\sch88.ldf"
Loading entries...
Add error on entry starting on line 26: Insufficient Rights
The server side error is: 0x2098 Insufficient access rights to perform the operation.
The extended server error is:
00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
2 entries modified successfully.
An error has occurred in the program
ERROR: Import from file D:\support\adprep\sch88.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\20240416200415\ldif.err.88.
If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forestprep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.
Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence]
The schema will not be restored to its original state.
[User Action]
Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20240416200415 directory for detailed information.
Adprep was unable to update forest information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20240416200415 directory for more information.