Score:4

Upgrading Windows Server + Domain Controller to Windows Server 2019 - Fails On "ADPrep.exe"

au flag

I'm am using the instructions here to upgrade my Windows Server 2012 AD Controller to Windows Server 2019. This server is a isolated AD controller that has no other server/clients connected to it in any way.

When I run the following on this server:

./adprep.exe /forestprep /forest Dev

I am presented with the following error:

Adprep could not contact the Schema FSMO STORMDEMO.DEV.EBM.COM. The Schema FSMO must be reachable for this operation to proceed. [Status/Consequence] The Active Directory Domain Services schema is not upgraded. [User Action] Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20220119160049 directory for possible cause of failure .

Adprep encountered a Win32 error. Error code: 0x2095 Error message: A directory service error has occurred.

Adprep was unable to check the specified user's group membership. [Status/Consequence] Adprep has stopped without making changes. [User Action] Verify the specified user is a member of Enterprise Admins group and Schema Admins group if /forestprep is specified, or is a member of Domain Admins group if /domainprep is specified, or is a member of Enterprise Admins group if /rodcprep is specified .

Adprep encountered a Win32 error. Error code: 0x2095 Error message: A directory service error has occurred.

This error is preventing me with proceeding with my windows upgrade process. I've checked my user account running this and attempted to run it with a elevated and under the "Administrator" account but am always presented with the same error message. My user account and the "Administrator" user account are members of the mentioned groups above.

Googling the specific error message(0x2095 Error message: A directory service error has occurred.) only leads me to vague posts related to other operations without clear solutions.

Does anyone understand what causes this issue, and/or have a resolution to this issue?

Update 1

Both answers we're useful, I followed the suggestions and figured out that there was some confusion around the FSMO roles, the server name is "EBM-TFS" and when I ran "netdom query FSMO" I got the following:

Schema master               STORMDEMO.DEV.EBM.COM
Domain naming master        STORMDEMO.DEV.EBM.COM
PDC                         EBM-TFS.DEV.EBM.COM
RID pool manager            EBM-TFS.DEV.EBM.COM
Infrastructure master       EBM-TFS.DEV.EBM.COM

I was able to seize the "Schema Master" role using powershell(First I run Ntdsutil, which fails, then I run Move-ADDirectoryServerOperationMasterRole -Identity "EBM-TFS" -OperationMasterRole schemaMaster), however I wasn't able to seize the "Domain naming master" role with either that or "ntdsutil":

Move-ADDirectoryServerOperationMasterRole : The directory service is unavailable At line:1 char:1

  • Move-ADDirectoryServerOperationMasterRole -Identity "EBM-TFS" -OperationMasterRo ...

ntdsutil:

fsmo maintenance: transfer naming master ldap_modify_sW error 0x34(52 (Unavailable). Ldap extended error message is 000020AF: SvcErr: DSID-0321041F, problem 5002 (UN AVAILABLE), data -2146893022

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.) )

Didn't matter though as I was able to run suggestion three(Rerun adprep /forestprep without /forest Dev) by @joeqwerty and this was successful, and I was able to proceed with the windows upgrade process.

NotStanding with GoGotaHome avatar
as flag
You checked *log file ADPrep.log in the C:\Windows\debug\adprep\logs\20220119160049 directory*?
David Rogers avatar
au flag
@VScode_fanboy yep same error as I posted
TylerH avatar
ng flag
Please move your updated contents to an answer; "what I ended up doing" belongs there since it's a solution, not part of the question.
NotStanding with GoGotaHome avatar
as flag
@TylerH adding a short description of the *way his question ended* is not a problem, especially when he accepted a answer.
NotStanding with GoGotaHome avatar
as flag
@DavidRogers No more info? glad that your question got a solution.
TylerH avatar
ng flag
@VScode_fanboy his edit isn't a short description of his question, it's an explanation of what he used as a solution *after reading both answers*... as he literally says at the beginning of the edit. A less charitable interpretation would in fact be "it's all noise and none of it should be posted anywhere; neither question *nor* answer, since he just reaffirms the accepted answer is what worked". Either way, the content doesn't belong in the question.
NotStanding with GoGotaHome avatar
as flag
@TylerH ah, it is not a *way his question ended*, it is a whole new **answer**, it should be removed.
Score:4
cv flag
  1. From a command prompt on the server run the following and confirm that the server knows where the FSMO role holder is:

    netdom query FSMO

  2. Verify that the server is configured correctly for DNS. If it's the only Domain Controller/DNS Server in the domain then it should be using itself for Primary DNS and using 127.0.0.1 for Secondary DNS.

  3. Rerun adprep /forestprep without /forest Dev. I've never seen adprep run with the option of specifying the domain, and it shouldn't be needed in your scenario.

Score:3
cn flag

Run NETDOM QUERY FSMO to see the status.

If the Schema role is unavailable or associated with a system no longer available, you may need to seize it.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.