Error promoting 2012 R2 server to domain controller on 2003 domain

active-directory, windows-server-2003, windows-server-2012-r2

When attempting to promote a 2012 R2 machine as a domain controller on a 2003 forest\domain level domain, I get the following error when it goes through its adprep and forestprep procedures:

ADPrep execution failed –> System.ComponentModel.Win32Exception
(0x80004005): A device attached to the system is not functioning.
Check the log files in the C:\Windows\debug\adprep\logs\20160128201714
directory for detailed information.

The ADPrep log shows the following error:

[2016/01/28:20:17:14.402] The command line passed to ldifde is ldifde -i -f "C:\Windows\system32\adprep\sch32.ldf" -s "ral-ad1.AD.mydomain.com" -h -j "C:\Windows\debug\adprep\logs\20160128201714" -$ "C:\Windows\system32\adprep\schupgrade.cat"
[2016/01/28:20:17:33.382] ERROR: Import from file C:\Windows\system32\adprep\sch32.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\20160128201714\ldif.err.32.

If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forestprep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.
[2016/01/28:20:17:33.393] Adprep was unable to upgrade the schema on the schema master.

[Status/Consequence]

The schema will not be restored to its original state.

[User Action]

Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20160128201714 directory for detailed information.
[2016/01/28:20:17:33.393] Adprep was unable to update forest information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

The ldif.err.32 log shows:

15: CN=User,CN=Schema,CN=Configuration,DC=AD,DC=mydomain,DC=com
Entry DN: CN=User,CN=Schema,CN=Configuration,DC=AD,DC=mydomain,DC=com
Add error on entry starting on line 232: Unwilling To Perform

The server side error is: 0x20c5 Schema update failed: class in aux-class list does not exist or is not an auxiliary class.

The extended server error is:

000020C5: SvcErr: DSID-03260249, problem 5003 (WILL_NOT_PERFORM), data 8389

Line 232 of sch32.ldf is the following:

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaModify
add: systemMayContain
systemMayContain: 1.2.840.113556.1.4.1929

So it seems it's trying to modify the User schema class and failing. I've verified my user account is in the Schema\Domain\Enterprise Admins groups. I have also verified that these groups have write access to the Schema container using adsiedit. The closest hit I could find was this one, where MS MVP Ned Pyle indicated in the comments that it could have been caused by a 3rd party tool incorrectly extending the attribute previously, and recommended that the user contact Microsoft Support. My guess is that Microsoft no longer supports Windows 2003, so that path might not go far. Has anybody seen this before? Thanks for any assistance.

Best Answer

You might be surprised by the response that you get from Microsoft support, since this problem seems to not be so much about supporting Server 2003, as it is about a roadblock that's preventing you from moving to 2012 R2. At least, you should spin it that way.

I am also almost sure that this is due to schema customization. It's usually by 3rd party software, but sometimes can be something like a botched Exchange install. You can probably bend your schema back into shape so that you can upgrade it, but beware that doing so might break the software that originally made the schema modification in the first place.

The following is provided with no guarantee and no warranty. Try this at your own risk. Attempt in a lab first if possible. The right thing to do would be to call Microsoft and see if they'll help you before attempting this yourself.

Dump the User class definition from the schema:

ldifde -d "CN=User,CN=Schema,CN=Configuration,DC=contoso,DC=com" -f user.txt

Look in the file for any auxiliaryClass fields. You'll probably see shadowAccount, posixAccount, and possibly some others.

For each one of those auxiliary classes, dump their schema definitions also, the same way that you just dumped the User class definition.

In each of those auxiliary class definitions, inspect their objectClassCategory property. Is it 1? If so, it should be 3. Change it to 3.

objectClassCategory is documented here:

https://msdn.microsoft.com/en-us/library/ms679014(v=vs.85).aspx

4 bytes. Structural 1, abstract 2, auxiliary 3. Class 88, 0 should not be used.

An auxiliary class should have a value of 3. If an auxiliary class has a value of 1, then someone made a mistake while modifying the schema. Change it to 3 and allow AD to replicate the schema, then try the adprep again.

The error message you posted:

The server side error is: 0x20c5 Schema update failed: class in aux-class list does not exist or is not an auxiliary class.

Makes a lot more sense now in the context of what I outlined above.
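As an added example (not part of the question or the answer above): a Python script that automates the check the answer describes. It parses the two ldifde exports offline (the User class dump and a file holding the dumps of its auxiliary classes), reports every auxiliary class whose objectClassCategory is not 3, and emits the LDIF modify record that would set it to 3 for a later ldifde -i import. The sample exports in the block are constructed, and the function names are my own.

```python
import re

AUXILIARY = 3  # objectClassCategory: 1 structural, 2 abstract, 3 auxiliary

def parse_ldif(text):
    """Parse an ldifde export into {dn: {attr (lowercased): [values]}};
    folded continuation lines (leading space) are joined first."""
    entries, current = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip():
            current = None                     # blank line ends an entry
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                current = entries.setdefault(value, {})
            elif current is not None:
                current.setdefault(attr, []).append(value)
    return entries

def find_miscategorized_aux_classes(user_dump, class_dumps):
    """Return [(lDAPDisplayName, dn, category)] for each class in the User
    class's auxiliaryClass list whose objectClassCategory is not 3."""
    user = next(iter(parse_ldif(user_dump).values()))
    names = user.get("auxiliaryclass", []) + user.get("systemauxiliaryclass", [])
    by_name = {a["ldapdisplayname"][0].lower(): (dn, a)
               for dn, a in parse_ldif(class_dumps).items() if "ldapdisplayname" in a}
    bad = []
    for name in names:
        if name.lower() in by_name:            # skip classes not in the dump
            dn, attrs = by_name[name.lower()]
            category = int(attrs.get("objectclasscategory", ["0"])[0])
            if category != AUXILIARY:
                bad.append((name, dn, category))
    return bad

def fix_ldif(dn):
    """LDIF modify record that sets objectClassCategory to 3 (for ldifde -i)."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: objectClassCategory\n"
            f"objectClassCategory: {AUXILIARY}\n-\n")

# Constructed sample exports (not real data): posixAccount was wrongly
# registered as structural (1); shadowAccount is a proper auxiliary (3).
USER_DUMP = ("dn: CN=User,CN=Schema,CN=Configuration,DC=contoso,DC=com\n"
             "lDAPDisplayName: user\nauxiliaryClass: posixAccount\nauxiliaryClass: shadowAccount\n")
CLASS_DUMPS = ("dn: CN=posixAccount,CN=Schema,CN=Configuration,DC=contoso,DC=com\n"
               "lDAPDisplayName: posixAccount\nobjectClassCategory: 1\n\n"
               "dn: CN=shadowAccount,CN=Schema,CN=Configuration,DC=contoso,DC=com\n"
               "lDAPDisplayName: shadowAccount\nobjectClassCategory: 3\n")
```

On a real dump, read user.txt and the aux class file with open(...).read() and pass the text in; ldifde writes ANSI by default, so pass the matching encoding if the file contains non-ASCII values.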