Don't let these Adprep and Dcpromo errors take you by surprise
These issues might be familiar to experienced administrators. But if you're a less-experienced administrator who needs to replace DCs that run Windows Server 2003 with those that run Server 2008 R2, this article will shed some light on these issues and can help you avoid problems.
Adprep is a utility that you run to prepare an existing Active Directory (AD) environment for the first DC that runs a newer OS, such as Server 2008 R2. If you have an AD environment in which all DCs run Server 2008 or Windows 2003, and you want to add the first DC that runs Server 2008 R2, then you need to run certain Adprep commands:
1. Run adprep /forestprep on the schema master.
2. Run adprep /domainprep on each domain's infrastructure master.
3. If you plan to install a read-only DC (RODC -- new in Server 2008), then you also need to run adprep /rodcprep for every domain that will have an RODC.
The article "The Adprep Process" describes this process in more detail, and it is straightforward enough. Still, administrators often have questions:
- What exactly does Adprep do?
- What is the process for making sure that any necessary Adprep commands run successfully?
- How do I work around any errors?
When running Adprep, plan for these important factors:
- Credentials -- Prepare to specify the necessary credentials for each Adprep command. Depending on the command, you might need to supply credentials for an account that is a member of the Schema Admins, Enterprise Admins, or Domain Admins group.
- Access to Flexible Single-Master Operation roles (FSMOs) -- You need to run Adprep on the Schema Master of the forest and on the Infrastructure Master in the domain in which you're installing the new DC. Note that you need either to run the command from the new OS DVD on the Operations Master, or to copy the Adprep utility and its folder contents from the DVD before running it. (See the sidebar "An Adprep Caveat" for a warning about isolating the Schema Master.) Be aware that Server 2008 R2 includes both 32- and 64-bit versions of Adprep (in the \support\adprep folder of the OS disk). The 64-bit version runs by default. If you're running Adprep on a 32-bit system, be sure to use Adprep32.exe instead.
- Replication -- Make sure that replication is working throughout the forest. See "Troubleshooting Active Directory Replication" and "Active Directory Replication In Depth" for more information about troubleshooting AD replication.
If you can prepare for these potential issues and follow the process that the previously mentioned articles describe, you should have no trouble. In some cases, though, you might see one of these errors during an Adprep operation:
- Rodcprep fails if the DNS partition's Infrastructure Master is assigned to a demoted or invalid FSMO owner. Each application directory partition in a forest has an Infrastructure Master, and the Rodcprep command contacts each one. Rodcprep fails if the Infrastructure Master is assigned to a deleted DC. For example, you might have forced the demotion of a DC without realizing that it was assigned the Infrastructure Master role of an application partition, until you see this error when you run Rodcprep. The Microsoft article "Error message when you run the 'Adprep /rodcprep' command in Windows Server 2008: 'Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com'" includes a script to resolve this error.
- An error, "An attribute with the same link identifier already exists," might occur when you run the adprep /forestprep command on a Windows 2003 computer. You see this error if the adprep /forestprep command tries to add a new object to the schema partition by using a link ID that has already been assigned to an existing object in that partition. The Microsoft article "An error occurs when you run the ADPREP/FORESTPREP command on a Windows Server 2003-based computer: 'An attribute with the same link identifier already exists'" explains how to solve this issue.
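The planning factors listed earlier (credentials, FSMO role holders, replication) and the Rodcprep failure condition can all be checked read-only before you run Adprep. The following PowerShell script is an added example, not part of the original article or of the Microsoft script it mentions. It assumes PowerShell 2.0 or later on a domain-joined machine, repadmin and whoami on the path, and English group names.

```powershell
# Added example: read-only pre-flight checks before running Adprep.
# Uses .NET System.DirectoryServices, so no ActiveDirectory module is needed.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Credentials: which of the groups Adprep may require are in the current token?
whoami /groups | Select-String 'Schema Admins|Enterprise Admins|Domain Admins'

# FSMO access: the DCs on which /forestprep and /domainprep have to run.
"Schema Master (adprep /forestprep): $($forest.SchemaRoleOwner.Name)"
foreach ($domain in $forest.Domains) {
    "Infrastructure Master of $($domain.Name) (adprep /domainprep): " +
        $domain.InfrastructureRoleOwner.Name
}

# Rodcprep: each application partition (DomainDnsZones, ForestDnsZones, ...)
# has its own Infrastructure Master. An owner DN that contains "\0ADEL:"
# points at a deleted DC object, the condition that makes Rodcprep fail.
foreach ($part in $forest.ApplicationPartitions) {
    $server = $part.FindDirectoryServer().Name
    $infra  = [ADSI]"LDAP://$server/CN=Infrastructure,$($part.Name)"
    $owner  = [string]$infra.Properties['fSMORoleOwner'].Value
    if (-not $owner -or $owner -match '0ADEL:') {
        Write-Warning "$($part.Name): invalid Infrastructure Master '$owner'"
    } else {
        "$($part.Name): Infrastructure Master OK ($owner)"
    }
}

# Replication: list every replication link that reports failures.
$failing = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failing) {
    $failing | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Time' -AutoSize
    Write-Warning 'Fix replication before running Adprep.'
} else {
    'No replication failures reported.'
}
```

The script changes nothing in the directory; a warning on an application partition means the role owner has to be corrected before adprep /rodcprep will succeed.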
The overall Server 2008 or Server 2008 R2 upgrade process is described in the Microsoft article "Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains."
DNS Delegation Error
After Adprep completes successfully, you can install the first DC that runs Server 2008 or Server 2008 R2 into your existing AD. If you choose to install the DNS server role during the DC installation, you might see this warning, which Figure 1 shows:
"A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain 'treyresearch5.net.' Otherwise, no action is required."
Before Server 2008, many customer problems with AD installations were caused by underlying problems with the DNS infrastructure, such as missing or incorrect DNS delegation records. One of Microsoft's goals for improving AD DS installation in Server 2008 was to help customers initially configure the correct DNS infrastructure and then to help them maintain that configuration.