Author: D.R. (Guest)
Posted: Thu Jan 13, 2005 2:19 am
Post subject: ADPREP /forestprep fails

ADPREP is failing near the end of the process; previously I had problems
with the inetOrgPerson due to our Cognos installation. After fixing that I
have proceeded beyond the schXX.ldf files and it now dies applying
permissions.
From the ADPREP.LOG:
-------------
....
ADPREP was unable to modify the default security descriptor on object
CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=domainx,DC=ext.[Status/Consequence]Adprep
attempts to merge the existing default security descriptors with the new
access control entry (ACE). [User Action] Check the log file Adprep.log in
the system root System32\Debug\Adprep\Logs directory for more information.
Adprep encountered a Win32 error. Error code: 0x57 Error message: The
parameter is incorrect..
....
-------------
I ran dsacls as the domain controller:
-------------
C:\>dsacls \\localdc\CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=domainx,DC=ext /A
Owner: NT AUTHORITY\SYSTEM
Group: DOMAINx\Domain Users
Audit list:
Effective Permissions on this object are:
All Everyone SPECIAL ACCESS <Inherited from parent>
DELETE
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
WRITE SELF
WRITE PROPERTY
DELETE TREE
CONTROL ACCESS
Permissions inherited to subobjects are:
Inherited to all subobjects
All Everyone SPECIAL ACCESS <Inherited from parent>
DELETE
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
WRITE SELF
WRITE PROPERTY
DELETE TREE
CONTROL ACCESS
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\SYSTEM FULL CONTROL
The command completed successfully
------------
It looks as though the permissions are wrong, but I am unable to reset the
inheritance or add other users.
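
The dsacls listing in the post above can be read mechanically. The following is an added example, not part of the original thread: it parses the /A output and reports why an administrator other than SYSTEM cannot manage the object. The names parse_dsacls and findings and the expected group list are hypothetical, and only the FULL CONTROL and SPECIAL ACCESS labels seen in the thread are recognised.

```python
import re

# dsacls /A output abridged from the post above; indentation was lost in extraction.
SAMPLE = """\
Owner: NT AUTHORITY\\SYSTEM
Audit list:
Effective Permissions on this object are:
All Everyone SPECIAL ACCESS <Inherited from parent>
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\\SYSTEM FULL CONTROL
The command completed successfully
"""

# Assumption: only the two rights labels seen in this thread are recognised.
ACE_RE = re.compile(r"^(Allow|Deny)\s+(.+?)\s+(FULL CONTROL|SPECIAL ACCESS)\b")

def parse_dsacls(text):
    """Return owner, DACL protection flag and DACL entries; audit (SACL) lines are skipped."""
    info = {"owner": None, "protected": False, "dacl": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Owner:"):
            info["owner"] = line.split(":", 1)[1].strip()
        elif line == "Audit list:":
            section = "sacl"
        elif line == "Access list:":
            section = "dacl"
        elif section == "dacl" and "protected from inheriting" in line:
            info["protected"] = True
        elif section == "dacl":
            m = ACE_RE.match(line)
            if m:
                info["dacl"].append(m.groups())
    return info

def findings(info, expected=("Schema Admins",)):
    """Explain why a non-SYSTEM administrator cannot manage the object."""
    out = []
    allowed = [trustee for kind, trustee, _ in info["dacl"] if kind == "Allow"]
    if info["protected"]:
        out.append("DACL is protected: ACEs on the parent container are not inherited")
    for group in expected:  # hypothetical list of groups that should hold an ACE
        if not any(t.lower().endswith("\\" + group.lower()) for t in allowed):
            out.append(f"no Allow ACE for {group}")
    if allowed and all(t.upper().endswith("\\SYSTEM") for t in allowed):
        out.append("only SYSTEM is granted access")
    return out

if __name__ == "__main__":
    for finding in findings(parse_dsacls(SAMPLE)):
        print(finding)
```
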

Author: Bob Qin [MSFT] (Guest)
Posted: Thu Jan 13, 2005 3:02 pm
Post subject: RE: ADPREP /forestprep fails

Hello,
Thanks for your posting here.
I would like to suggest that you manually set the defaultsecuritydescriptor
attribute on the inetorgperson attribute before running adprep
/forestprep. Please use the following steps to do this:
1. Log on to the DC that has the Schema Master role (be sure to use a
schema admin account).
2. Open Adsiedit and navigate to
CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=qa,DC=ms,DC=com
3. Right click on the inetorgperson object and select Properties.
4. In the "Select which properties to view" box, select "Both".
5. In the "Select a property to view" box, select
"defaultsecuritydescriptor".
6. Highlight the entire string in the "Value(s)" box, right click and
select copy.
7. Paste this into a notepad file (as backup).
8. Now click on the "clear" button, then remove the value from the "Edit
attribute" box.
9. Copy the text from the attached
inetorgperson_defaultsecuritydescriptor.txt file and paste it into the
"Edit Attribute" box in adsiedit and click on Apply and Ok. (the text in
this file was taken from the defaultsecuritydescriptor attribute of the
inetorgperson object in the sch18.ldf file from the \i386 directory on the
Windows Server 2003 CD).
10. Now try running adprep /forestprep.
Wish it helps!
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Author: D.R. (Guest)
Posted: Thu Jan 13, 2005 10:08 pm
Post subject: Re: ADPREP /forestprep fails

Bob,
Thank you for the quick reply, but I had already tried this. Here are the
details when I attempted again:
When I go in as a Schema Admin the object has no class listed and right
clicking properties brings up an adsiedit (warning) box "The specified
directory service attribute or value does not exist." Clicking Ok, the
Attributes Tab says "No information is available for this object" The
Security Tab brings up the Security (warning) box "You do not have
permission to view the current permission settings for inetOrgPerson, but
you can make permission changes." I click Ok, and the Security tab has no
names listed.
I try a number of things from reopening the Properties each time...
1. Set the "Allow inheritable permissions from parent object to propagate
to this object" on the security tab and Click Apply and a Security (error)
box says "Unable to save permission changes on inetOrgPerson. There is no
such object on the server. (Retry/cancel)"
2. Try to add a user...same result.
3. In advanced (the Audit tab is missing) the Permissions tab (it has
"Allow inheritable permissions from parent object to propagate to this
object" checked) I try to add an entry and I get the same Error, but it has
an OK button rather than Retry/Cancel buttons.
4. The Owner tab says "Unable to display current owner." I try to change
it to myself and Administrators (only two choices) both give the error with
the OK button.
These all make sense based on the dsacls info I included originally.
I go in as the system (c:\>at 10:47 /interactive
"C:\winnt\system32\cmd.exe") (this is how I ran the dsacls in the original
post) run MMC.EXE and add ADSI Edit snap-in. This time it shows the
inetOrgPerson class as ClassSchema. The Attributes Tab looks fine, the
Security Tab only lists SYSTEM with Full Control. I try the following
(again I do back all the way out each time)
1. The "Allow inheritable permissions from parent object to propagate to
this object" is cleared. I try to set it and click Apply, and a Security
(error) box says "Unable to save permission changes on inetOrgPerson. There
is no such object on the server." (Ok).
2. Now in Advanced the Permissions Tab has the "Allow inheritable
permissions from parent object to propagate to this object" box cleared
(hmm..). I try to set it and click apply and get the Error Box (OK).
3. The Owner is SYSTEM, I try to change it to Administrators and get the
Error again (OK).
4. Finally I try to change the entry like you said (your attachment did
not show up so I pulled it myself) the defaultSecurityDescriptor starts off
<not set>, when I try to set it I get an adsiedit (warning) box "Directory
object not found." (OK)
--
Steve Hellwig
remove ".NoSpam" from email to reply

Author: Bob Qin [MSFT] (Guest)
Posted: Mon Jan 17, 2005 6:03 pm
Post subject: Re: ADPREP /forestprep fails

Hi Steve,
Please check if current DC is Schema Master and please run ADdiag to check
if there is any error there.
In addition, please try to use DSacls to change the permissions of that
object.
http://support.microsoft.com/default.aspx?scid=kb;en-us;281146
Please first remove all non-vital accounts from the Enterprise Admins and
Schema Admins group (only keep two or three accounts). Then add schema
admins with full control to that schema object.
You can also try to grant full control permissions for administrator to the
parent object CN=Schema,CN=Configuration,DC=qa,DC=ms,DC=com.
At last, I would like to suggest that you contact Cognos to get the utility
called "Ads_update.exe", then run the utility from the command prompt on
the Schema Master DC with an Enterprise Admin/Schema Master Account.
Wish it helps.
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

Author: D.R. (Guest)
Posted: Sat Jan 22, 2005 1:36 am
Post subject: Re: ADPREP /forestprep fails

Commented inline with **
--
Steve
"Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
news:y7c5PyI$EHA.2504@cpmsftngxa10.phx.gbl...
> Hi Steve,
> Please check if current DC is Schema Master and please run ADdiag to check
> if there is any error there.

** Ran it, no errors

> In addition, please try to use DSacls to change the permissions of that
> object.

** DSACLS shows the rights, but when I tried to modify them it said there was
no such object

> http://support.microsoft.com/default.aspx?scid=kb;en-us;281146
> Please first remove all non-vital accounts from the Enterprise Admins and
> Schema Admins group (only keep two or three accounts). Then add schema
> admins with full control to that schema object.
> You can also try to grant full control permissions for administrator to
> the parent object CN=Schema,CN=Configuration,DC=qa,DC=ms,DC=com.
> At last, I would like to suggest that you contact Cognos to get the
> utility called "Ads_update.exe", then run the utility from the command
> prompt on the Schema Master DC with an Enterprise Admin/Schema Master
> Account.

** I had already run the utility; it fixed a problem that occurred earlier in
the process.
** I copied DSRM.EXE from a Windows XP machine to the 2000 DC; though the
help did not seem to document this, when logged in as the system I was able
to use it to delete from the schema.
** I then used LDIF to import the inetOrgPerson section from SCH18.LDF, and
reran adprep successfully.
** After upgrading to Windows 2003 everything seems fine (knocking on wood
with crossed fingers).

Author: Bob Qin [MSFT] (Guest)
Posted: Tue Jan 25, 2005 6:47 am
Post subject: Re: ADPREP /forestprep fails

Cool!
I am glad to hear you have resolved this issue. Thanks for your great
information sharing here!
Thank you again for using our newsgroup!
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security