Error promoting 2012 R2 server to domain controller on 2003 domain


When attempting to promote a 2012 R2 machine as a domain controller on a 2003 forest\domain level domain, I get the following error when it goes through its adprep and forestprep procedures:

ADPrep execution failed --> System.ComponentModel.Win32Exception (0x80004005): A device attached to the system is not functioning. Check the log files in the C:\Windows\debug\adprep\logs\20160128201714 directory for detailed information.

The ADPrep log shows the following error:

[2016/01/28:20:17:14.402] The command line passed to ldifde is ldifde -i -f "C:\Windows\system32\adprep\sch32.ldf" -s "ral-ad1.AD.mydomain.com" -h -j "C:\Windows\debug\adprep\logs\20160128201714" -$ "C:\Windows\system32\adprep\schupgrade.cat"

[2016/01/28:20:17:33.382] ERROR: Import from file C:\Windows\system32\adprep\sch32.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\20160128201714\ldif.err.32.

If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forestprep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.

[2016/01/28:20:17:33.393] Adprep was unable to upgrade the schema on the schema master.

[Status/Consequence]

The schema will not be restored to its original state.

[User Action]

Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20160128201714 directory for detailed information.

[2016/01/28:20:17:33.393] Adprep was unable to update forest information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

The ldif.err.32 log shows:

15: CN=User,CN=Schema,CN=Configuration,DC=AD,DC=mydomain,DC=com
Entry DN: CN=User,CN=Schema,CN=Configuration,DC=AD,DC=mydomain,DC=com
Add error on entry starting on line 232: Unwilling To Perform

The server side error is: 0x20c5 Schema update failed: class in aux-class list does not exist or is not an auxiliary class.

The extended server error is:

000020C5: SvcErr: DSID-03260249, problem 5003 (WILL_NOT_PERFORM), data 8389

Line 232 of sch32.ldf is the following:

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1929

So it seems it's trying to modify the User schema class and failing. I've verified my user account is in the Schema\Domain\Enterprise Admins groups. I have also verified these groups have write access to the Schema container using adsiedit. The closest hit I could find was this one, where MS MVP Ned Pyle indicated in the comments that it could have been caused by a 3rd-party tool incorrectly extending the attribute previously, and recommended the user contact Microsoft Support. My guess is that Microsoft no longer supports Windows 2003, so that path might not go far. Has anybody seen this before? Thanks for any assistance.

active-directory
windows-server-2003
windows-server-2012-r2
asked on Server Fault Jan 29, 2016 by floyd

1 Answer


You might be surprised by the response that you get from Microsoft support, since this problem seems to not be so much about supporting Server 2003, as it is about a roadblock that's preventing you from moving to 2012 R2. At least, you should spin it that way.

I am also almost sure that this is due to schema customization. It's usually by 3rd party software, but sometimes can be something like a botched Exchange install. You can probably bend your schema back into shape so that you can upgrade it, but beware that doing so might break the software that originally made the schema modification in the first place.

The following is provided with no guarantee and no warranty. Try this at your own risk. Attempt in a lab first if possible. The right thing to do would be to call Microsoft and see if they'll help you before attempting this yourself.

Dump the User class definition from the schema:

ldifde -d "CN=User,CN=Schema,CN=Configuration,DC=contoso,DC=com" -f user.txt

Look in the file for any auxiliaryClass fields. You'll probably see shadowAccount, posixAccount, and possibly some others.

For each one of those auxiliary classes, dump their schema definitions also, the same way that you just dumped the User class definition.

In each of those auxiliary class definitions, inspect their objectClassCategory property. Is it 1? If so, it should be 3. Change it to 3.

objectClassCategory is documented here:

https://msdn.microsoft.com/en-us/library/ms679014(v=vs.85).aspx

4 bytes. Structural 1, abstract 2, auxiliary 3. Class 88, 0 should not be used.

An auxiliary class should have a value of 3. If an auxiliary class has a value of 1, then someone made a mistake while modifying the schema. Change it to 3 and allow AD to replicate the schema, then try the adprep again.

The error message you posted:

The server side error is: 0x20c5 Schema update failed: class in aux-class list does not exist or is not an auxiliary class.

Makes a lot more sense now in the context of what I outlined above.

answered on Server Fault Jan 29, 2016 by Ryan Ries
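The audit described in the answer above, as an added example that is not part of the original answer: a PowerShell script that reads the User class from the schema master, follows its auxiliaryClass and systemAuxiliaryClass lists, and reports any auxiliary class whose objectClassCategory is not 3. It assumes the RSAT ActiveDirectory module is installed and the account can read the schema; the Set-ADObject call is left in -WhatIf mode so it only shows what it would change.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory
# RSAT module and an account with read access to the schema partition.
Import-Module ActiveDirectory

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster

# Read the User class definition directly from the schema master, which is
# where adprep's ldifde import was rejected.
$userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" `
    -Properties auxiliaryClass, systemAuxiliaryClass

# Both attributes hold lDAPDisplayName values of auxiliary classes
# (e.g. posixAccount, shadowAccount on schemas with Unix extensions).
$auxNames = @($userClass.auxiliaryClass; $userClass.systemAuxiliaryClass) |
    Where-Object { $_ } | Sort-Object -Unique

foreach ($name in $auxNames) {
    $aux = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$name))" `
        -Properties objectClassCategory

    if (-not $aux) {
        # Matches the "class in aux-class list does not exist" half of 0x20c5
        Write-Warning "$name is listed on User but has no classSchema object"
        continue
    }

    # objectClassCategory: 1 = structural, 2 = abstract, 3 = auxiliary
    $category = [int]$aux.objectClassCategory
    if ($category -ne 3) {
        Write-Warning "$name has objectClassCategory $category; an auxiliary class must be 3"
        # The correction the answer describes. Remove -WhatIf only after
        # testing in a lab; this is a schema change and replicates forest-wide.
        Set-ADObject -Server $schemaMaster -Identity $aux.DistinguishedName `
            -Replace @{ objectClassCategory = 3 } -WhatIf
    } else {
        Write-Output "$name OK (objectClassCategory = 3)"
    }
}
```

Run it before and after the change: once every listed class reports OK and the schema has replicated, rerun adprep /forestprep.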

User contributions licensed under CC BY-SA 3.0