Missing one of the "default Password Replication Policy groups" [message #381261] Sun, 31 January 2010 16:08
James Brown
I'm missing a domain local group required for the operation of Read-only DCs,
I need some way to properly create this group and I'm a little stumped as to
why it's missing in the first place...

2 Windows Server 2008 DCs
o forest at Windows 2008 level
o single domain at Windows 2008 level
o SP2 and all updates installed

AD was previously hosted on a single Windows Server 2003 DC
o Upgrade was roughly 45 days ago
o This DC has now been gracefully retired
o (have full system backups of the old DC before the upgrade all the way
through to its retirement)

Wish to add Windows Server 2008 R2 as a RODC
o Following steps here
http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx
o ADPREP ran first time without errors, schema level now 47
o (Have full system backups before and after ADPREP)

So when I hit next on “Additional Domain Controller Options” (step 7 of “To
install an RODC on a full installation of Windows Server 2008”) I get “The
default Password Replication Policy groups are not present on the PDC [My
PDC]. The parameter is incorrect”.

Sure enough the “Allowed RODC Password Replication Group” is missing. After
some further thought I’m guessing this should have been created during
DCPROMO of the first Windows Server 2008 to the 2003 domain.

The “Denied RODC Password Replication Group” is present so what’s happened
to the Allowed group?

I've used the SysInternals AD Explorer to search for deleted groups with the
right name or SID and there's nothing.

Can anybody give me a new avenue of exploration?

This is a cross post from the Directory Services forum where so far I've had
no response
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/56c72e7e-d367-4c13-85a1-64f1df62e328
Re: Missing one of the "default Password Replication Policy groups" [message #381494 is a reply to message #381261] Mon, 01 February 2010 00:40
florian
James,

James Brown wrote:
> 2 Windows Server 2008 DCs
> o forest at Windows 2008 level
> o single domain at Windows 2008 level
> o SP2 and all updates installed
>
> So when I hit next on “Additional Domain Controller Options” (step 7 of “To
> install an RODC on a full installation of Windows Server 2008”) I get “The
> default Password Replication Policy groups are not present on the PDC [My
> PDC]. The parameter is incorrect”.

Back then when you prepared the Schema for Server 2008 usage, did you
run /rodcprep and it ran correctly? Were those groups ever created?

Cheers,
Florian
Re: Missing one of the "default Password Replication Policy groups" [message #381594 is a reply to message #381494] Mon, 01 February 2010 06:54
pbbergs
I think Florian is on to something here. I did try and track down where the
allow and deny groups are created but it doesn't appear to be easily tracked
down.

You should be able to see the error log
C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more information.

Also check out an article I have on Forest upgrades
http://www.pbbergs.com/windows/articles/Upgrading_Active_Directory_from_2003_to_2008.htm

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Re: Missing one of the "default Password Replication Policy groups" [message #381622 is a reply to message #381494] Mon, 01 February 2010 07:45
James Brown
Florian thanks for responding to my post, sorry for the delayed response I'm in
the UK and posted pretty late Sunday night (this thing's keeping me up at
night!)

I'd better explain we're using Essential Business Server 2008; ADPREP was
run by the EBS "Schema Upgrade Tool" [
http://technet.microsoft.com/en-us/library/cc463425(WS.10).aspx ]. I'm
trying to get more details regarding this tool.
Anyway no errors were noted at the time but I'm just about to spin up a VM
made from the DC's backup image to explore the state of AD both before and
after the installation of EBS. Once I do I'll be able to say definitively
whether or not the “Allowed RODC Password Replication Group” was created; the
“Denied RODC Password Replication Group” was and is present.
BTW I’m trying to raise a support incident through our Software Assurance
but I’m being delayed by some administrative issues with our licensing. It
seems everything's against me!

James
Re: Missing one of the "default Password Replication Policy groups" [message #381636 is a reply to message #381594] Mon, 01 February 2010 08:07
James Brown
Thanks for your reply Paul.

I’ve been trying to find out when these groups are created for a few days,
I’m not sure I even have access to the right documentation to be successful.

I'll retrieve the logs from backup. Any particular string for me to be
searching for? I’ll also review your article ASAP.

Many thanks,

James
Re: Missing one of the "default Password Replication Policy groups" [message #381668 is a reply to message #381636] Mon, 01 February 2010 09:02
pbbergs
Sorry, I have never had to refer to the logs since I have been successful on
every attempt. I would verify that the log exists and if so see if there
are any errors. If you have something you are unable to decipher just post
the log and I'm sure someone from the NewsGroup could assist in reading.
Most of these logs provide good details.

Re: Missing one of the "default Password Replication Policy groups" [message #381858 is a reply to message #381668] Mon, 01 February 2010 12:21
pbbergs
With assistance from a fellow MVP (Yusuf), it appears that in order to get
these groups created you will have to move the PDCe from your 2003 DC to the
2008 server. This is a recommended strategy anyways.

From a command prompt run the following to learn where your fsmo roles
reside
netdom query fsmo

See:
http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx

Re: Missing one of the "default Password Replication Policy groups" [message #381976 is a reply to message #381858] Mon, 01 February 2010 15:08
James Brown
Paul, firstly thank you once again for your posts.
I’d like to post the log EBS Schema Upgrade Tools Log, it’s a rather neat
summary of the and clearly shows the ADPREP commands issued against the 2003
DC.

**********************************
12/15/09 18:30:21 79208171 Opened logfile
C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09 18:30:21
79208171
12/15/09 18:30:21 79208187 File version info:
12/15/09 18:30:21 79208187 modulePath: D:\SCHEMAUPGRADETOOL.EXE
12/15/09 18:30:21 79208187 dwFileVersionMS: 0x60000 (393216)
12/15/09 18:30:21 79208187 dwFileVersionLS: 0x16440000 (373555200)
12/15/09 18:30:21 79208187 dwProductVersionMS: 0x60000 (393216)
12/15/09 18:30:21 79208187 dwProductVersionLS: 0x16440000 (373555200)
12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
12/15/09 18:30:21 79208203 Domain Joined: TRUE
12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
12/15/09 18:30:21 79208203 GetDomainSid() returning:
S-1-5-21-1553700716-3413723528-2741516094
12/15/09 18:30:21 79208203 GetSidFromRid() returning:
S-1-5-21-1553700716-3413723528-2741516094-512
12/15/09 18:30:21 79208203 GetSidFromRid() returning:
S-1-5-21-1553700716-3413723528-2741516094-519
12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
12/15/09 18:30:21 79208593 Schema role owner is paris.ndcconsultants.co.uk
12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is complete: FALSE
12/15/09 18:30:22 79209703 Infrastructure role owner is
paris.ndcconsultants.co.uk
12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role Owner) is
complete: FALSE
12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner) is complete:
FALSE
12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role Owner: TRUE
12/15/09 18:30:23 79209921 .dit file path: C:\WINDOWS\NTDS\ntds.dit
12/15/09 18:30:23 79209921 File C:\WINDOWS\NTDS\ntds.dit has size 29376512
12/15/09 18:30:23 79209921 .dit file size: 28 MB
12/15/09 18:30:23 79209921 disk space required: 33 MB
12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is 170962432
12/15/09 18:30:23 79209921 free space on .dit volume: 20643 MB
12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
12/15/09 18:30:23 79209921 All prerequisites met.
12/15/09 18:30:23 79209921 Prerequisite checking passed.
12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
12/15/09 18:30:23 79209921 Infrastructure role owner is
paris.ndcconsultants.co.uk
12/15/09 18:30:23 79209921 Schema role owner is paris.ndcconsultants.co.uk
12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows Essential
Business Server Schema Upgrade Tool is about to upgrade your schema to the
Windows Server 2008 schema level. This process will take between three
minutes and an hour. During this time, this computers CPU and hard disk drive
will be under heavy load. There will be heavy network traffic if you have
multiple domain controllers or many group policy objects.
If you have not checked the physical condition of this computers hard disk
drive recently, consider running a full bad sector test prior to upgrading
the schema. Do not reboot or shut down this computer while the upgrade is in
process. Upgrading the schema is permanent (changes cannot be undone).
Click OK to begin the upgrade, or Cancel to close the tool.
12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
12/15/09 18:30:44 79231406 Temp dir mount point: C:\
12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
12/15/09 18:30:44 79231421 isAclSupported: TRUE
12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
C:\WINDOWS\temp already exists (dwError=0xb7, GetLastError()=0xb7).
12/15/09 18:30:44 79231421 LsaFreeMemory() returned: 0x0
12/15/09 18:30:44 79231421 LsaClose() returned: 0x0
12/15/09 18:30:44 79231421 GetDomainSid() returning:
S-1-5-21-1553700716-3413723528-2741516094
12/15/09 18:30:44 79231421 GetSidFromRid() returning:
S-1-5-21-1553700716-3413723528-2741516094-512
12/15/09 18:30:44 79231437 Copying files to temp directory
C:\WINDOWS\temp\ADP1.tmp
12/15/09 18:30:44 79231437 CopyFilesToTempDirectory()
12/15/09 18:30:44 79231437 src dir: D:\
12/15/09 18:30:44 79231437 dest dir: C:\WINDOWS\temp\ADP1.tmp
12/15/09 18:30:49 79236390 SHFileOperation() returned 0x0
12/15/09 18:30:49 79236390 fileOp.fAnyOperationsAborted: FALSE
12/15/09 18:30:49 79236390 Done copying files to temp directory.
12/15/09 18:30:49 79236390 adprep path:
C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
12/15/09 18:30:49 79236390 Running forestprep.
12/15/09 18:30:49 79236390 IsWindows2000()
12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
12/15/09 18:30:49 79236390 DoCreateProcess()
12/15/09 18:30:49 79236390 cmdline:
C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
12/15/09 18:37:33 79640187 exit code: 0
12/15/09 18:37:33 79640187 adprep returned 0
12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
12/15/09 18:37:33 79640187 No replication required, running on schema role
owner.
12/15/09 18:37:33 79640187 Running domainprep.
12/15/09 18:37:33 79640187 DoCreateProcess()
12/15/09 18:37:33 79640187 cmdline:
C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg /silent
12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
12/15/09 18:37:39 79646250 exit code: 0
12/15/09 18:37:39 79646250 adprep returned 0
12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
12/15/09 18:37:39 79646250 Writing gpprep complete flag.
12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp dir
C:\WINDOWS\temp\ADP1.tmp
12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
12/15/09 18:37:39 79646359 Closing log.
**********************************
This tool was run once prompted by the Management Server phase of the EBS
installation wizard. At this point in time I believe the wizard had
completed installing, updating and joining a Windows Server 2008 machine to
the 2003 network. The tool didn’t run /rodcprep.
The next step in the wizard was the promotion of the Management Server to
DC, I’m reviewing the DCPROMO.log from this operation. I think, but I’m not
sure, that the FSMO roles were transferred to the Management Server at this
point. BTW I also plan to create VMs of the 2003 DC from our backup images
just before and after in order to check on the troublesome RODC groups but
this will take me a little while.
The rest of the EBS servers were installed and the old 2003 DC gracefully
demoted a few weeks later.
As originally posted before attempting to create a RODC I ran the 2008 R2
adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep all without
error. One point I'm not worried about is the 2008 version of /rodcprep had
not been run.
If I could just pinpoint exactly when these groups were supposed to be
created I'd be able to focus on all the events at that time.

To say this problem is frustrating is an understatement!

James
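
The check done by eye on the log above, as an added example that is not part of the original posts or of any Microsoft tooling: Python that rejoins the wrapped log lines, pulls out each adprep.exe command line with its exit code, and reports which of /forestprep, /domainprep, /gpprep and /rodcprep never completed successfully. The function names are hypothetical, the record layout is inferred from the posted log, and the sample is an excerpt of that log with its line wrapping kept.

```python
import re

# Excerpt of the SchemaUpgradeTool.log posted above, wrapped exactly as posted
# (some records spill onto a second line that has no timestamp).
SAMPLE_LOG = r"""**********************************
12/15/09 18:30:49 79236390 Running forestprep.
12/15/09 18:30:49 79236390 DoCreateProcess()
12/15/09 18:30:49 79236390 cmdline:
C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
12/15/09 18:37:33 79640187 exit code: 0
12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
12/15/09 18:37:33 79640187 No replication required, running on schema role
owner.
12/15/09 18:37:33 79640187 Running domainprep.
12/15/09 18:37:33 79640187 DoCreateProcess()
12/15/09 18:37:33 79640187 cmdline:
C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg /silent
12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
12/15/09 18:37:39 79646250 exit code: 0
12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
12/15/09 18:37:39 79646359 Closing log.
**********************************
"""

# Assumed record layout (inferred from the post): date, time, tick counter, message.
RECORD_START = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \d+(?: (.*))?$")
# The preparation switches named in the thread.
PREP_SWITCHES = ("forestprep", "domainprep", "gpprep", "rodcprep")


def unwrap_records(text):
    """Return (timestamp, message) pairs, joining wrapped lines to their record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"*"}:      # blank lines and the **** rulers
            continue
        match = RECORD_START.match(line)
        if match:
            records.append([match.group(1), match.group(2) or ""])
        elif records:                            # continuation of the previous record
            records[-1][1] = f"{records[-1][1]} {line}".strip()
    return [tuple(record) for record in records]


def adprep_runs(text):
    """List every adprep.exe invocation with its switches and exit code."""
    runs = []
    for timestamp, message in unwrap_records(text):
        if message.startswith("cmdline:") and "adprep.exe" in message.lower():
            # Switches are whitespace-delimited /name tokens; the path uses backslashes.
            switches = [s.lower() for s in re.findall(r"(?<!\S)/(\w+)", message)]
            runs.append({"started": timestamp, "switches": switches, "exit_code": None})
        elif message.startswith("exit code:") and runs and runs[-1]["exit_code"] is None:
            value = message.split(":", 1)[1].strip()
            try:
                runs[-1]["exit_code"] = int(value, 0)
            except ValueError:
                runs[-1]["exit_code"] = value    # unparsed text never counts as success
    return runs


def prep_coverage(text):
    """Map each preparation switch to True only if a run using it exited with 0."""
    done = {name: False for name in PREP_SWITCHES}
    for run in adprep_runs(text):
        if run["exit_code"] == 0:
            for switch in run["switches"]:
                if switch in done:
                    done[switch] = True
    return done


def missing_preps(text):
    """Preparation steps with no successful run recorded in this log."""
    return [name for name, ok in prep_coverage(text).items() if not ok]


if __name__ == "__main__":
    for run in adprep_runs(SAMPLE_LOG):
        print(run["started"], "/" + " /".join(run["switches"]), "exit", run["exit_code"])
    print("not run successfully:", missing_preps(SAMPLE_LOG))
```
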
Re: Missing one of the "default Password Replication Policy groups" [message #382001 is a reply to message #381976] Mon, 01 February 2010 15:36
KevinJ.SBS
Found this little tidbit,

When you install the first RODC in a domain, domain group accounts that are
required for RODCs to function are created. Depending on your replication
topology, the wizard might return an error indicating that these group
accounts are not available when you try to install another RODC in the
domain. In this case, wait for replication to complete before you install
the additional RODC.

.... in steps for deploying an RODC
http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx


I usually use an RODC unattend file for DCPromo and specify my own
allow/deny groups, but try using advanced mode in the RODC install and select
your own groups initially.



James Brown wrote:
> Paul, firstly thank you once again for your posts.
> I'd like to post the log EBS Schema Upgrade Tools Log, it's a rather
> neat summary of the and clearly shows the ADPREP commands issued
> against the 2003 DC.
>
> **********************************
> 12/15/09 18:30:21 79208171 Opened logfile
> C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09
> 18:30:21 79208171
> 12/15/09 18:30:21 79208187 File version info:
> 12/15/09 18:30:21 79208187 modulePath: D:\SCHEMAUPGRADETOOL.EXE
> 12/15/09 18:30:21 79208187 dwFileVersionMS: 0x60000 (393216)
> 12/15/09 18:30:21 79208187 dwFileVersionLS: 0x16440000 (373555200)
> 12/15/09 18:30:21 79208187 dwProductVersionMS: 0x60000 (393216)
> 12/15/09 18:30:21 79208187 dwProductVersionLS: 0x16440000
> (373555200) 12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
> 12/15/09 18:30:21 79208203 Domain Joined: TRUE
> 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
> 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
> 12/15/09 18:30:21 79208203 GetDomainSid() returning:
> S-1-5-21-1553700716-3413723528-2741516094
> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> S-1-5-21-1553700716-3413723528-2741516094-512
> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> S-1-5-21-1553700716-3413723528-2741516094-519
> 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
> 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
> 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
> 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
> 12/15/09 18:30:21 79208593 Schema role owner is
> paris.ndcconsultants.co.uk 12/15/09 18:30:22 79209671 Forest Prep
> (Schema Role Owner) is complete: FALSE 12/15/09 18:30:22 79209703
> Infrastructure role owner is paris.ndcconsultants.co.uk
> 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role Owner) is
> complete: FALSE
> 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner) is
> complete: FALSE
> 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
> 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role Owner:
> TRUE 12/15/09 18:30:23 79209921 .dit file path:
> C:\WINDOWS\NTDS\ntds.dit 12/15/09 18:30:23 79209921 File
> C:\WINDOWS\NTDS\ntds.dit has size 29376512 12/15/09 18:30:23 79209921
> .dit file size: 28 MB 12/15/09 18:30:23 79209921 disk space required:
> 33 MB 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is
> 170962432 12/15/09 18:30:23 79209921 free space on .dit volume: 20643
> MB 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
> 12/15/09 18:30:23 79209921 All prerequisites met.
> 12/15/09 18:30:23 79209921 Prerequisite checking passed.
> 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
> 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
> 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
> 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
> 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
> 12/15/09 18:30:23 79209921 Infrastructure role owner is
> paris.ndcconsultants.co.uk
> 12/15/09 18:30:23 79209921 Schema role owner is paris.ndcconsultants.co.uk
> 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
> 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows Essential Business Server Schema
> Upgrade Tool is about to upgrade your schema to the Windows Server
> 2008 schema level. This process will take between three minutes and
> an hour. During this time, this computers CPU and hard disk drive
> will be under heavy load. There will be heavy network traffic if you
> have multiple domain controllers or many group policy objects.
> If you have not checked the physical condition of this computers hard
> disk drive recently, consider running a full bad sector test prior to
> upgrading the schema. Do not reboot or shut down this computer while
> the upgrade is in process. Upgrading the schema is permanent (changes
> cannot be undone).
> Click OK to begin the upgrade, or Cancel to close the tool.
> 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
> 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
> 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
> 12/15/09 18:30:44 79231421 isAclSupported: TRUE
> 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
> C:\WINDOWS\temp already exists (dwError=0xb7, GetLastError()=0xb7).
> 12/15/09 18:30:44 79231421 LsaFreeMemory() returned: 0x0
> 12/15/09 18:30:44 79231421 LsaClose() returned: 0x0
> 12/15/09 18:30:44 79231421 GetDomainSid() returning:
> S-1-5-21-1553700716-3413723528-2741516094
> 12/15/09 18:30:44 79231421 GetSidFromRid() returning:
> S-1-5-21-1553700716-3413723528-2741516094-512
> 12/15/09 18:30:44 79231437 Copying files to temp directory
> C:\WINDOWS\temp\ADP1.tmp
> 12/15/09 18:30:44 79231437 CopyFilesToTempDirectory()
> 12/15/09 18:30:44 79231437 src dir: D:\
> 12/15/09 18:30:44 79231437 dest dir: C:\WINDOWS\temp\ADP1.tmp
> 12/15/09 18:30:49 79236390 SHFileOperation() returned 0x0
> 12/15/09 18:30:49 79236390 fileOp.fAnyOperationsAborted: FALSE
> 12/15/09 18:30:49 79236390 Done copying files to temp directory.
> 12/15/09 18:30:49 79236390 adprep path:
> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
> 12/15/09 18:30:49 79236390 Running forestprep.
> 12/15/09 18:30:49 79236390 IsWindows2000()
> 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
> 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
> 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
> 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
> 12/15/09 18:30:49 79236390 DoCreateProcess()
> 12/15/09 18:30:49 79236390 cmdline:
> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
> 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
> 12/15/09 18:37:33 79640187 exit code: 0
> 12/15/09 18:37:33 79640187 adprep returned 0
> 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
> 12/15/09 18:37:33 79640187 No replication required, running on schema
> role owner.
> 12/15/09 18:37:33 79640187 Running domainprep.
> 12/15/09 18:37:33 79640187 DoCreateProcess()
> 12/15/09 18:37:33 79640187 cmdline:
> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg /silent
> 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
> 12/15/09 18:37:39 79646250 exit code: 0
> 12/15/09 18:37:39 79646250 adprep returned 0
> 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
> 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
> 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp dir
> C:\WINDOWS\temp\ADP1.tmp
> 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
> 12/15/09 18:37:39 79646359 Closing log.
> **********************************
> This tool was run once prompted by the Management Server phase of the
> EBS installation wizard. At this point in time I believe the wizard
> had completed installing, updating and joining a Windows Server 2008
> machine to the 2003 network. The tool didn't run /rodcprep.
> The next step in the wizard was the promotion of the Management
> Server to DC, I'm reviewing the DCPROMO.log from this operation. I
> think, but I'm not sure, that the FSMO roles were transferred to the
> Management Server at this point. BTW I also plan to create VMs of the
> 2003 DC from our backup images just before and after in order to
> check on the troublesome RODC groups but this will take me a little
> while.
> The rest of the EBS servers were installed and the old 2003 DC
> gracefully demoted a few weeks later.
> As originally posted before attempting to create a RODC I ran the
> 2008 R2 adpreps: /forestprep, /domainprep /gpprep and finally
> /rodcprep all without error. One point I'm not worried about is the
> 2008 version of /rodcprep had not been run.
> If I could just pinpoint exactly when these groups were supposed to be
> created I'd be able to focus on all the events at that time.
>
> To say this problem is frustrating is an understatement!
>
> James
>
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> With assistance from a fellow MVP (Yusuf), it appears that in order
>> to get these groups created you will have to move the PDCe from your
>> 2003 DC to the 2008 server. This is a recommended strategy anyways.
>>
>> From a command prompt run the following to learn where your fsmo
>> roles reside
>> netdom query fsmo
>>
>> See:
>> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
>>> Sorry, I have never had to refer to the logs since I have been
>>> successful on every attempt. I would verify that the log exists
>>> and if so see if there are any errors. If you have something you
>>> are unable to decipher just post the log and I'm sure someone from
>>> the NewsGroup could assist in reading. Most of these logs provide
>>> good details.
>>>
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>> 2008, 2003, 2000 (Early Achiever), NT4
>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
>>> message news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
>>>> Thanks for your reply Paul.
>>>>
>>>> I've been trying to find out when these groups are created for a
>>>> few days,
>>>> I'm not sure I even have access to the right documentation to be
>>>> successful.
>>>>
>>>> I'll retrieve the logs from backup. Any particular string for me
>>>> to be searching for? I'll also review your article ASAP.
>>>>
>>>> Many thanks,
>>>>
>>>> James
>>>>
>>>> "Paul Bergson [MVP-DS]" wrote:
>>>>
>>>>> I think Florian is on to something here. I did try and track
>>>>> down where the
>>>>> allow and deny groups are created but it doesn't appear to be
>>>>> easily tracked
>>>>> down.
>>>>>
>>>>> You should be able to see the error log
>>>>> C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more information.
>>>>>
>>>>> Also check out an article I have on Forest upgrades
>>>>> http://www.pbbergs.com/windows/articles/Upgrading_Active_Directory_from_2003_to_2008.htm
>>>>>
>>>>> --
>>>>> Paul Bergson
>>>>> MVP - Directory Services
>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>
>>>>> http://www.pbbergs.com
>>>>>
>>>>> Please no e-mails, any questions should be posted in the
>>>>> NewsGroup This posting is provided "AS IS" with no warranties,
>>>>> and confers no rights.
>>>>>
>>>>> "Florian Frommherz [MVP]" <florian@frickelsoft.net> wrote in
>>>>> message news:uoAHKHxoKHA.5696@TK2MSFTNGP04.phx.gbl...
>>>>>> James,
>>>>>>
>>>>>> James Brown wrote:
>>>>>>> 2 Windows Server 2008 DCs
>>>>>>> o forest at Windows 2008 level
>>>>>>> o single domain at Windows 2008 level
>>>>>>> o SP2 and all updates installed
>>>>>>>
>>>>>>> So when I hit next on "Additional Domain Controller Options"
>>>>>>> (step 7 of
>>>>>>> "To install an RODC on a full installation of Windows Server
>>>>>>> 2008") I get
>>>>>>> "The default Password Replication Policy groups are not present
>>>>>>> on the
>>>>>>> PDC [My PDC]. The parameter is incorrect".
>>>>>>
>>>>>> Back then when you prepared the Schema for Server 2008 usage,
>>>>>> did you run
>>>>>> /rodcprep and it ran correctly? Were those groups ever created?
>>>>>>
>>>>>> Cheers,
>>>>>> Florian
>>>>>
>>>>>
>>>>> .
>>>>>
>>>
>>>
>>
>>
>> .

--
/kj
Re: Missing one of the "default Password Replication Policy groups [message #382401 is a reply to message #381976] Tue, 02 February 2010 06:10
pbbergs
From the way I read the tech article and was confirmed by Yusuf the groups
do not get created until after the PDCe is a 2008 DC. Has that happened
yet?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
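The SchemaUpgradeTool.log quoted in this thread can be checked mechanically for which adprep switches actually ran and against which role owners. The following Python is an added example, not part of the original posts or of any Microsoft tool; the function names and the excerpted sample are constructed here, and it assumes the "date time tick-count message" layout seen in the quoted log.

```python
import re

# Constructed sample: entries excerpted from the SchemaUpgradeTool.log quoted in
# this thread, keeping the ">" quote markers, wrapped lines and run-together
# entries that newsreader re-quoting introduced.
SAMPLE_LOG = r"""
> 12/15/09 18:30:21 79208171 Opened logfile
> C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09 18:30:21
> 79208171
> 12/15/09 18:30:21 79208593 Schema role owner is
> paris.ndcconsultants.co.uk 12/15/09 18:30:22 79209703
> Infrastructure role owner is paris.ndcconsultants.co.uk
> 12/15/09 18:30:49 79236390 Running forestprep.
> 12/15/09 18:30:49 79236390 DoCreateProcess()
> 12/15/09 18:30:49 79236390 cmdline:
> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
> 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
> 12/15/09 18:37:33 79640187 exit code: 0
> 12/15/09 18:37:33 79640187 Running domainprep.
> 12/15/09 18:37:33 79640187 cmdline:
> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
> /silent 12/15/09 18:37:33 79640187 startingDir:
> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:37:39 79646250 exit code: 0
> 12/15/09 18:37:39 79646250 Closing log.
"""

QUOTE_PREFIX = re.compile(r"^\s*(?:>\s?)+")
# Every entry starts with "MM/DD/YY HH:MM:SS <tick count>".
STAMP = re.compile(r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+)(?= |$)")
REQUIRED_PREPS = ("forestprep", "domainprep", "gpprep", "rodcprep")


def parse_entries(text):
    """Return (timestamp, tick, message) tuples from a possibly re-quoted log.

    Quote markers are stripped and all lines are joined, then the text is cut
    at every timestamp, so wrapped and run-together entries are both recovered.
    """
    flat = " ".join(QUOTE_PREFIX.sub("", ln).strip() for ln in text.splitlines())
    marks = list(STAMP.finditer(flat))
    entries = []
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        message = flat[mark.end():end].strip()
        # A timestamp echoed inside a message ("Opened logfile ... at <stamp>")
        # produces an empty fragment; drop it.
        if message:
            entries.append((mark.group(1), int(mark.group(2)), message))
    return entries


def adprep_runs(entries):
    """Pair each adprep.exe command line with the exit code logged after it."""
    runs, pending = [], None
    for stamp, _tick, message in entries:
        lowered = message.lower()
        if lowered.startswith("cmdline:") and "adprep.exe" in lowered:
            # Switches are whitespace-separated tokens that begin with "/".
            switches = re.findall(r"(?<!\S)/(\w+)", lowered)
            pending = {"started": stamp, "switches": switches, "exit_code": None}
            runs.append(pending)
            continue
        match = re.fullmatch(r"exit code: (-?\d+)", message)
        if match and pending is not None:
            pending["exit_code"] = int(match.group(1))
            pending = None
    return runs


def preps_not_run(runs, required=REQUIRED_PREPS):
    """List required adprep switches with no run that logged exit code 0."""
    done = {sw for run in runs if run["exit_code"] == 0 for sw in run["switches"]}
    return [sw for sw in required if sw not in done]


def role_owners(entries):
    """Map 'Schema' / 'Infrastructure' to the role owner named in the log."""
    owners = {}
    for _stamp, _tick, message in entries:
        match = re.fullmatch(r"(Schema|Infrastructure) role owner is (\S+)", message)
        if match:
            owners[match.group(1)] = match.group(2)
    return owners


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for run in adprep_runs(parsed):
        print(run["started"], run["switches"], "exit", run["exit_code"])
    print("role owners:", role_owners(parsed))
    print("not run by this tool:", preps_not_run(adprep_runs(parsed)))
```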
Re: Missing one of the "default Password Replication Policy groups [message #382416 is a reply to message #382401] Tue, 02 February 2010 06:42
pbbergs
I have made a mistake, if you promote a server to an RODC these groups
should also be created. See details below:

After you upgrade the Windows Server 2003-based domain controller holding
the role of the PDC emulator master in each domain in the forest to Windows
Server 2008, or after you move the PDC emulator operations master role to a
Windows Server 2008-based domain controller, or after you add a read-only
domain controller (RODC) to your domain, the following new well-known and
built-in groups are created:

a. Builtin\IIS_IUSRS
b. Builtin\Cryptographic Operators
c. Allowed RODC Password Replication Group
d. Denied RODC Password Replication Group
e. Read-only Domain Controllers
f. Builtin\Event Log Readers
g. Enterprise Read-only Domain Controllers (created only on the forest root domain)
h. Builtin\Certificate Service DCOM Access

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:O%23HxhkApKHA.1548@TK2MSFTNGP04.phx.gbl...
> From the way I read the tech artcile and was confirmed by Yusuf the groups
> do not get created until after the PDCe is a 2008 DC. Has that happened
> yet?
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
>> Paul, firstly thank you once again for your posts.
>> I'd like to post the log EBS Schema Upgrade Tools Log, it's a rather neat
>> summary of the and clearly shows the ADPREP commands issued against the
>> 2003
>> DC.
>>
>> **********************************
>> 12/15/09 18:30:21 79208171 Opened logfile
>> C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09 18:30:21
>> 79208171
>> 12/15/09 18:30:21 79208187 File version info:
>> 12/15/09 18:30:21 79208187 modulePath: D:\SCHEMAUPGRADETOOL.EXE
>> 12/15/09 18:30:21 79208187 dwFileVersionMS: 0x60000 (393216)
>> 12/15/09 18:30:21 79208187 dwFileVersionLS: 0x16440000 (373555200)
>> 12/15/09 18:30:21 79208187 dwProductVersionMS: 0x60000 (393216)
>> 12/15/09 18:30:21 79208187 dwProductVersionLS: 0x16440000 (373555200)
>> 12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
>> 12/15/09 18:30:21 79208203 Domain Joined: TRUE
>> 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
>> 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
>> 12/15/09 18:30:21 79208203 GetDomainSid() returning:
>> S-1-5-21-1553700716-3413723528-2741516094
>> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
>> S-1-5-21-1553700716-3413723528-2741516094-512
>> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
>> S-1-5-21-1553700716-3413723528-2741516094-519
>> 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
>> 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
>> 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
>> 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
>> 12/15/09 18:30:21 79208593 Schema role owner is
>> paris.ndcconsultants.co.uk
>> 12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is complete:
>> FALSE
>> 12/15/09 18:30:22 79209703 Infrastructure role owner is
>> paris.ndcconsultants.co.uk
>> 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role Owner) is
>> complete: FALSE
>> 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner) is
>> complete:
>> FALSE
>> 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
>> 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role Owner: TRUE
>> 12/15/09 18:30:23 79209921 .dit file path: C:\WINDOWS\NTDS\ntds.dit
>> 12/15/09 18:30:23 79209921 File C:\WINDOWS\NTDS\ntds.dit has size
>> 29376512
>> 12/15/09 18:30:23 79209921 .dit file size: 28 MB
>> 12/15/09 18:30:23 79209921 disk space required: 33 MB
>> 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is 170962432
>> 12/15/09 18:30:23 79209921 free space on .dit volume: 20643 MB
>> 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
>> 12/15/09 18:30:23 79209921 All prerequisites met.
>> 12/15/09 18:30:23 79209921 Prerequisite checking passed.
>> 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
>> 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
>> 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
>> 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
>> 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
>> 12/15/09 18:30:23 79209921 Infrastructure role owner is
>> paris.ndcconsultants.co.uk
>> 12/15/09 18:30:23 79209921 Schema role owner is
>> paris.ndcconsultants.co.uk
>> 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
>> 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows Essential
>> Business Server Schema Upgrade Tool is about to upgrade your schema to
>> the
>> Windows Server 2008 schema level. This process will take between three
>> minutes and an hour. During this time, this computers CPU and hard disk
>> drive
>> will be under heavy load. There will be heavy network traffic if you have
>> multiple domain controllers or many group policy objects.
>> If you have not checked the physical condition of this computers hard
>> disk
>> drive recently, consider running a full bad sector test prior to
>> upgrading
>> the schema. Do not reboot or shut down this computer while the upgrade is
>> in
>> process. Upgrading the schema is permanent (changes cannot be undone).
>> Click OK to begin the upgrade, or Cancel to close the tool.
>> 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
>> 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
>> 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
>> 12/15/09 18:30:44 79231421 isAclSupported: TRUE
>> 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
>> C:\WINDOWS\temp already exists (dwError=0xb7, GetLastError()=0xb7).
>> 12/15/09 18:30:44 79231421 LsaFreeMemory() returned: 0x0
>> 12/15/09 18:30:44 79231421 LsaClose() returned: 0x0
>> 12/15/09 18:30:44 79231421 GetDomainSid() returning:
>> S-1-5-21-1553700716-3413723528-2741516094
>> 12/15/09 18:30:44 79231421 GetSidFromRid() returning:
>> S-1-5-21-1553700716-3413723528-2741516094-512
>> 12/15/09 18:30:44 79231437 Copying files to temp directory
>> C:\WINDOWS\temp\ADP1.tmp
>> 12/15/09 18:30:44 79231437 CopyFilesToTempDirectory()
>> 12/15/09 18:30:44 79231437 src dir: D:\
>> 12/15/09 18:30:44 79231437 dest dir: C:\WINDOWS\temp\ADP1.tmp
>> 12/15/09 18:30:49 79236390 SHFileOperation() returned 0x0
>> 12/15/09 18:30:49 79236390 fileOp.fAnyOperationsAborted: FALSE
>> 12/15/09 18:30:49 79236390 Done copying files to temp directory.
>> 12/15/09 18:30:49 79236390 adprep path:
>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
>> 12/15/09 18:30:49 79236390 Running forestprep.
>> 12/15/09 18:30:49 79236390 IsWindows2000()
>> 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
>> 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
>> 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
>> 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
>> 12/15/09 18:30:49 79236390 DoCreateProcess()
>> 12/15/09 18:30:49 79236390 cmdline:
>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
>> 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
>> 12/15/09 18:37:33 79640187 exit code: 0
>> 12/15/09 18:37:33 79640187 adprep returned 0
>> 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
>> 12/15/09 18:37:33 79640187 No replication required, running on schema
>> role
>> owner.
>> 12/15/09 18:37:33 79640187 Running domainprep.
>> 12/15/09 18:37:33 79640187 DoCreateProcess()
>> 12/15/09 18:37:33 79640187 cmdline:
>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
>> /silent
>> 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
>> 12/15/09 18:37:39 79646250 exit code: 0
>> 12/15/09 18:37:39 79646250 adprep returned 0
>> 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
>> 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
>> 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp dir
>> C:\WINDOWS\temp\ADP1.tmp
>> 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
>> 12/15/09 18:37:39 79646359 Closing log.
>> **********************************
>> This tool was run once prompted by the Management Server phase of the EBS
>> installation wizard. At this point in time I believe the wizard had
>> completed installing, updating and joining a Windows Server 2008 machine
>> to
>> the 2003 network. The tool didn't run /rodcprep.
>> The next step in the wizard was the promotion of the Management Server to
>> DC, I'm reviewing the DCPROMO.log from this operation. I think, but I'm
>> not
>> sure, that the FSMO roles were transferred to the Management Server at
>> this
>> point. BTW I also plan to create VMs of the 2003 DC from our backup
>> images
>> just before and after in order to check on the troublesome RODC groups
>> but
>> this will take me a little while.
>> The rest of the EBS servers were installed and the old 2003 DC gracefully
>> demoted a few weeks later.
>> As originally posted before attempting to create a RODC I ran the 2008 R2
>> adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep all
>> without
>> error. One point I'm not worried about is the 2008 version of /rodcprep
>> had
>> not been run.
>> If I could just pinpoint exactly when these groups were supposed to be
>> created I'd be able to focus on all the events at that time.
>>
>> To say this problem is frustrating is an understatement!
>>
>> James
>>
>>
>> "Paul Bergson [MVP-DS]" wrote:
>>
>>> With assistance from a fellow MVP (Yusuf), it appears that in order to
>>> get
>>> these groups created you will have to move the PDCe from your 2003 DC to
>>> the
>>> 2008 server. This is a recommended strategy anyways.
>>>
>>> From a command prompt run the following to learn where your fsmo roles
>>> reside
>>> netdom query fsmo
>>>
>>> See:
>>> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
>>>
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>> 2008, 2003, 2000 (Early Achiever), NT4
>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup This
>>> posting is provided "AS IS" with no warranties, and confers no rights.
>>>
>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>>> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
>>> > Sorry, I have never had to refer to the logs since I have been
>>> > successful
>>> > on every attempt. I would verify that the log exists and if so see if
>>> > there are any errors. If you have something you are unable to
>>> > decipher
>>> > just post the log and I'm sure someone from the NewsGroup could assist
>>> > in
>>> > reading. Most of these logs provide good details.
>>> >
>>> > --
>>> > Paul Bergson
>>> > MVP - Directory Services
>>> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>> > 2008, 2003, 2000 (Early Achiever), NT4
>>> > Microsoft's Thrive IT Pro of the Month - June 2009
>>> >
>>> > http://www.pbbergs.com
>>> >
>>> > Please no e-mails, any questions should be posted in the NewsGroup
>>> > This
>>> > posting is provided "AS IS" with no warranties, and confers no rights.
>>> >
>>> > "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
>>> > news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
>>> >> Thanks for your reply Paul.
>>> >>
>>> >> I've been trying to find out when these groups are created for a few
>>> >> days,
>>> >> I'm not sure I even have access to the right documentation to be
>>> >> successful.
>>> >>
>>> >> I'll retrieve the logs from backup. Any particular string for me to
>>> >> be
>>> >> searching for? I'll also review your article ASAP.
>>> >>
>>> >> Many thanks,
>>> >>
>>> >> James
>>> >>
>>> >> "Paul Bergson [MVP-DS]" wrote:
>>> >>
>>> >>> I think Florian is on to something here. I did try and track down
>>> >>> where
>>> >>> the
>>> >>> allow and deny groups are created but it doesn't appear to be easily
>>> >>> tracked
>>> >>> down.
>>> >>>
>>> >>> You should be able to see the error log
>>> >>> C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more information.
>>> >>>
>>> >>> Also check out an article I have on Forest upgrades
>>> >>> http://www.pbbergs.com/windows/articles/Upgrading_Active_Directory_from_2003_to_2008.htm
>>> >>>
>>> >>> --
>>> >>> Paul Bergson
>>> >>> MVP - Directory Services
>>> >>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>> >>> 2008, 2003, 2000 (Early Achiever), NT4
>>> >>> Microsoft's Thrive IT Pro of the Month - June 2009
>>> >>>
>>> >>> http://www.pbbergs.com
>>> >>>
>>> >>> Please no e-mails, any questions should be posted in the NewsGroup
>>> >>> This
>>> >>> posting is provided "AS IS" with no warranties, and confers no
>>> >>> rights.
>>> >>>
>>> >>> "Florian Frommherz [MVP]" <florian@frickelsoft.net> wrote in message
>>> >>> news:uoAHKHxoKHA.5696@TK2MSFTNGP04.phx.gbl...
>>> >>> > James,
>>> >>> >
>>> >>> > James Brown wrote:
>>> >>> >> 2 Windows Server 2008 DCs
>>> >>> >> o forest at Windows 2008 level
>>> >>> >> o single domain at Windows 2008 level
>>> >>> >> o SP2 and all updates installed
>>> >>> >>
>>> >>> >> So when I hit next on "Additional Domain Controller Options"
>>> >>> >> (step 7
>>> >>> >> of
>>> >>> >> "To install an RODC on a full installation of Windows Server
>>> >>> >> 2008") I
>>> >>> >> get
>>> >>> >> "The default Password Replication Policy groups are not present
>>> >>> >> on
>>> >>> >> the
>>> >>> >> PDC [My PDC]. The parameter is incorrect".
>>> >>> >
>>> >>> > Back then when you prepared the Schema for Server 2008 usage, did
>>> >>> > you
>>> >>> > run
>>> >>> > /rodcprep and it ran correctly? Were those groups ever created?
>>> >>> >
>>> >>> > Cheers,
>>> >>> > Florian
Re: Missing one of the "default Password Replication Policy groups [message #382452 is a reply to message #382001] Tue, 02 February 2010 07:18
James Brown
I thought the use of the answer file was worth a try so I created a new
domain local group called "My Allowed RODC Password Replication Group" and
crafted an answer file...

C:\Users\Administrator>dcpromo /unattend:c:\users\Administrator\Desktop\rodcinstall.ini
Checking if Active Directory Domain Services binaries are installed...
Warning: DisableCancelForDnsInstall is deprecated and ignored.

Active Directory Domain Services Setup

Validating environment and parameters...

A read-only domain controller cannot be installed at this time because default domain groups could not be created. The error was:
The default Password Replication Policy groups are not present on the PDC "MANAGE-SVR.ndcconsultants.co.uk".

I'm not sure the "domain group accounts" mentioned are the same as the SID
specific Replication Policy groups I'm having issues with.

Can anybody point me towards specifics for the "Allowed RODC Password
Replication Group" http://support.microsoft.com/kb/243330 ?

Am I correct in thinking that I can't just create a group with a specific SID?


James

"kj [SBS MVP]" wrote:

> Found this little tidbit,
>
> When you install the first RODC in a domain, domain group accounts that are
> required for RODCs to function are created. Depending on your replication
> topology, the wizard might return an error indicating that these group
> accounts are not available when you try to install another RODC in the
> domain. In this case, wait for replication to complete before you install
> the additional RODC.
>
> .... in steps for deploying an rodc
> http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx
>
>
> I usually use an RODC unattend file for DCPromo and specify my own
> allow/deny groups, but try using advanced mode in the RODC install and select
> your own groups initially.
>
>
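Added example (not part of the original posts): the two default Password Replication Policy groups are domain-relative well-known SIDs, the domain SID followed by RID 571 (Allowed) or 572 (Denied). Assuming the domain SID printed in the Schema Upgrade Tool log in this thread, this Python code derives the expected SIDs, encodes them in the binary `objectSid` form an LDAP search filter needs, and reports which group is absent from a constructed sample of search results; all function names are hypothetical.

```python
import struct

# Domain SID as printed by GetDomainSid() in the log posted in this thread.
DOMAIN_SID = "S-1-5-21-1553700716-3413723528-2741516094"

# Well-known RIDs of the default Password Replication Policy groups.
PRP_GROUP_RIDS = {
    "Allowed RODC Password Replication Group": 571,
    "Denied RODC Password Replication Group": 572,
}


def sid_to_bytes(sid):
    """Encode an 'S-1-...' string as the binary form stored in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or not 0 <= authority < 2 ** 48:
        raise ValueError("unsupported SID: %r" % sid)
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    # Layout: revision (1 byte), sub-authority count (1 byte),
    # identifier authority (6 bytes, big-endian),
    # then each sub-authority as a 32-bit little-endian integer.
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw):
    """Decode a binary objectSid value back to its 'S-1-...' string."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])


def ldap_sid_filter(sid):
    """Build an LDAP filter matching objectSid, every byte escaped as \\XX."""
    escaped = "".join("\\%02x" % b for b in sid_to_bytes(sid))
    return "(objectSid=" + escaped + ")"


def expected_prp_sids(domain_sid):
    """Map each default PRP group name to the SID it must have in this domain."""
    return {name: "%s-%d" % (domain_sid, rid)
            for name, rid in PRP_GROUP_RIDS.items()}


def missing_prp_groups(domain_sid, found_object_sids):
    """Return the default PRP groups whose SID is not among the raw
    objectSid values returned by a directory search."""
    present = {bytes_to_sid(raw) for raw in found_object_sids}
    return [name for name, sid in expected_prp_sids(domain_sid).items()
            if sid not in present]


# Constructed sample of search results (not real directory data): Domain
# Admins (RID 512) and the Denied group exist, the Allowed group does not,
# which mirrors the situation described in the thread.
SAMPLE_OBJECT_SIDS = [
    sid_to_bytes(DOMAIN_SID + "-512"),
    sid_to_bytes(DOMAIN_SID + "-572"),
]

if __name__ == "__main__":
    for name, sid in expected_prp_sids(DOMAIN_SID).items():
        print(name)
        print("  expected SID:", sid)
        print("  LDAP filter :", ldap_sid_filter(sid))
    print("missing:", missing_prp_groups(DOMAIN_SID, SAMPLE_OBJECT_SIDS))
```
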
Re: Missing one of the "default Password Replication Policy groups [message #382464 is a reply to message #381976] Tue, 02 February 2010 07:36
pbbergs
What is your domain and forest functional level at? If you have never
updated these they are probably sitting at Windows 2000. I'm guessing you
have changed these but this could be why. I'm not seeing any issues in your
log files.

http://support.microsoft.com/kb/322692

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
> Paul, firstly thank you once again for your posts.
> I'd like to post the log EBS Schema Upgrade Tools Log, it's a rather neat
> summary of the and clearly shows the ADPREP commands issued against the
> 2003
> DC.
>
> This tool was run once prompted by the Management Server phase of the EBS
> installation wizard. At this point in time I believe the wizard had
> completed installing, updating and joining a Windows Server 2008 machine
> to
> the 2003 network. The tool didn't run /rodcprep.
> The next step in the wizard was the promotion of the Management Server to
> DC, I'm reviewing the DCPROMO.log from this operation. I think, but I'm
> not
> sure, that the FSMO roles were transferred to the Management Server at
> this
> point. BTW I also plan to create VMs of the 2003 DC from our backup images
> just before and after in order to check on the troublesome RODC groups but
> this will take me a little while.
> The rest of the EBS servers were installed and the old 2003 DC gracefully
> demoted a few weeks later.
> As originally posted before attempting to create a RODC I ran the 2008 R2
> adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep all
> without
> error. One point I'm not worried about is the 2008 version of /rodcprep
> had
> not been run.
> If I could just pinpoint exactly when these groups were supposed to be
> created I'd be able to focus on all the events at that time.
>
> To say this problem is frustrating is an understatement!
>
> James
>
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> With assistance from a fellow MVP (Yusuf), it appears that in order to
>> get
>> these groups created you will have to move the PDCe from your 2003 DC to
>> the
>> 2008 server. This is a recommended strategy anyways.
>>
>> From a command prompt run the following to learn where your fsmo roles
>> reside
>> netdom query fsmo
>>
>> See:
>> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
>> > Sorry, I have never had to refer to the logs since I have been
>> > successful
>> > on every attempt. I would verify that the log exists and if so see if
>> > there are any errors. If you have something you are unable to decipher
>> > just post the log and I'm sure someone from the NewsGroup could assist
>> > in
>> > reading. Most of these logs provide good details.
>> >
>> > --
>> > Paul Bergson
>> > MVP - Directory Services
>> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> > 2008, 2003, 2000 (Early Achiever), NT4
>> > Microsoft's Thrive IT Pro of the Month - June 2009
>> >
>> > http://www.pbbergs.com
>> >
>> > Please no e-mails, any questions should be posted in the NewsGroup This
>> > posting is provided "AS IS" with no warranties, and confers no rights.
>> >
>> > "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
>> > news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
>> >> Thanks for your reply Paul.
>> >>
>> >> I've been trying to find out when these groups are created for a few
>> >> days,
>> >> I'm not sure I even have access to the right documentation to be
>> >> successful.
>> >>
>> >> I'll retrieve the logs from backup. Any particular string for me to
>> >> be
>> >> searching for? I'll also review your article ASAP.
>> >>
>> >> Many thanks,
>> >>
>> >> James
>> >>
>> >> "Paul Bergson [MVP-DS]" wrote:
>> >>
>> >>> I think Florian is on to something here. I did try and track down
>> >>> where
>> >>> the
>> >>> allow and deny groups are created but it doesn't appear to be easily
>> >>> tracked
>> >>> down.
>> >>>
>> >>> You should be able to see the error log
>> >>> C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more information.
>> >>>
>> >>> Also check out an article I have on Forest upgrades
>> >>> http://www.pbbergs.com/windows/articles/Upgrading_Active_Directory_from_2003_to_2008.htm
>> >>>
>> >>> --
>> >>> Paul Bergson
>> >>> MVP - Directory Services
>> >>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> >>> 2008, 2003, 2000 (Early Achiever), NT4
>> >>> Microsoft's Thrive IT Pro of the Month - June 2009
>> >>>
>> >>> http://www.pbbergs.com
>> >>>
>> >>> Please no e-mails, any questions should be posted in the NewsGroup
>> >>> This
>> >>> posting is provided "AS IS" with no warranties, and confers no
>> >>> rights.
>> >>>
>> >>> "Florian Frommherz [MVP]" <florian@frickelsoft.net> wrote in message
>> >>> news:uoAHKHxoKHA.5696@TK2MSFTNGP04.phx.gbl...
>> >>> > James,
>> >>> >
>> >>> > James Brown wrote:
>> >>> >> 2 Windows Server 2008 DCs
>> >>> >> o forest at Windows 2008 level
>> >>> >> o single domain at Windows 2008 level
>> >>> >> o SP2 and all updates installed
>> >>> >>
>> >>> >> So when I hit next on "Additional Domain Controller Options" (step
>> >>> >> 7
>> >>> >> of
>> >>> >> "To install an RODC on a full installation of Windows Server
>> >>> >> 2008") I
>> >>> >> get
>> >>> >> "The default Password Replication Policy groups are not present on
>> >>> >> the
>> >>> >> PDC [My PDC]. The parameter is incorrect".
>> >>> >
>> >>> > Back then when you prepared the Schema for Server 2008 usage, did
>> >>> > you
>> >>> > run
>> >>> > /rodcprep and it ran correctly? Were those groups ever created?
>> >>> >
>> >>> > Cheers,
>> >>> > Florian
Re: Missing one of the "default Password Replication Policy groups [message #382530 is a reply to message #382464] Tue, 02 February 2010 09:02
James Brown
They're both at 2008 level now. Forest was at 2003 but I raised it to 2008
just to see if I could resolve this...

"Paul Bergson [MVP-DS]" wrote:

> What is your domain and forest functional level at? If you have never
> updated these they are probably sitting at Windows 2000. I'm guessing you
> have changed these but this could be why. I'm not seeing any issues in your
> log files.
>
> http://support.microsoft.com/kb/322692
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
> > Paul, firstly thank you once again for your posts.
> > I'd like to post the log EBS Schema Upgrade Tools Log, it's a rather neat
> > summary of the and clearly shows the ADPREP commands issued against the
> > 2003
> > DC.
> >
> > This tool was run once prompted by the Management Server phase of the EBS
> > installation wizard. At this point in time I believe the wizard had
> > completed installing, updating and joining a Windows Server 2008 machine
> > to
> > the 2003 network. The tool didn't run /rodcprep.
> > The next step in the wizard was the promotion of the Management Server to
> > DC, I'm reviewing the DCPROMO.log from this operation. I think, but I'm
> > not
> > sure, that the FSMO roles were transferred to the Management Server at
> > this
> > point. BTW I also plan to create VMs of the 2003 DC from our backup images
> > just before and after in order to check on the troublesome RODC groups but
> > this will take me a little while.
> > The rest of the EBS servers were installed and the old 2003 DC gracefully
> > demoted a few weeks later.
> > As originally posted before attempting to create a RODC I ran the 2008 R2
> > adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep all
> > without
> > error. One point I'm not worried about is the 2008 version of /rodcprep
> > had
> > not been run.
> > If I could just pinpoint exactly when these groups were supposed to be
> > created I'd be able to focus on all the events at that time.
> >
> > To say this problem is frustrating is an understatement!
> >
> > James
> >
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> With assistance from a fellow MVP (Yusuf), it appears that in order to
> >> get
> >> these groups created you will have to move the PDCe from your 2003 DC to
> >> the
> >> 2008 server. This is a recommended strategy anyways.
> >>
> >> From a command prompt run the following to learn where your fsmo roles
> >> reside
> >> netdom query fsmo
> >>
> >> See:
> >> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >>
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup This
> >> posting is provided "AS IS" with no warranties, and confers no rights.
> >>
> >> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> >> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
> >> > Sorry, I have never had to refer to the logs since I have been
> >> > successful
> >> > on every attempt. I would verify that the log exists and if so see if
> >> > there are any errors. If you have something you are unable to decipher
> >> > just post the log and I'm sure someone from the NewsGroup could assist
> >> > in
> >> > reading. Most of these logs provide good details.
> >> >
> >> > --
> >> > Paul Bergson
> >> > MVP - Directory Services
> >> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> > 2008, 2003, 2000 (Early Achiever), NT4
> >> > Microsoft's Thrive IT Pro of the Month - June 2009
> >> >
> >> > http://www.pbbergs.com
> >> >
> >> > Please no e-mails, any questions should be posted in the NewsGroup This
> >> > posting is provided "AS IS" with no warranties, and confers no rights.
> >> >
> >> > "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> >> > news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
> >> >> Thanks for your reply Paul.
> >> >>
> >> >> I've been trying to find out when these groups are created for a few
> >> >> days,
> >> >> I'm not sure I even have access to the right documentation to be
> >> >> successful.
> >> >>
> >> >> I'll retrieve the logs from backup. Any particular string for me to
> >> >> be
> >> >> searching for? I'll also review your article ASAP.
> >> >>
> >> >> Many thanks,
> >> >>
> >> >> James
> >> >>
> >> >> "Paul Bergson [MVP-DS]" wrote:
> >> >>
> >> >>> I think Florian is on to something here. I did try and track down
> >> >>> where
> >> >>> the
> >> >>> allow and deny groups are created but it doesn't appear to be easily
> >> >>> tracked
> >> >>> down.
> >> >>>
> >> >>> You should be able to see the error log
> >> >>> C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more information.
> >> >>>
> >> >>> Also check out an article I have on Forest upgrades
> >> >>> http://www.pbbergs.com/windows/articles/Upgrading_Active_Directory_from_2003_to_2008.htm
> >> >>>
> >> >>> --
> >> >>> Paul Bergson
> >> >>> MVP - Directory Services
> >> >>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> >>> 2008, 2003, 2000 (Early Achiever), NT4
> >> >>> Microsoft's Thrive IT Pro of the Month - June 2009
> >> >>>
> >> >>> http://www.pbbergs.com
> >> >>>
> >> >>> Please no e-mails, any questions should be posted in the NewsGroup
> >> >>> This
> >> >>> posting is provided "AS IS" with no warranties, and confers no
> >> >>> rights.
> >> >>>
> >> >>> "Florian Frommherz [MVP]" <florian@frickelsoft.net> wrote in message
> >> >>> news:uoAHKHxoKHA.5696@TK2MSFTNGP04.phx.gbl...
> >> >>> > James,
> >> >>> >
> >> >>> > James Brown wrote:
> >> >>> >> 2 Windows Server 2008 DCs
> >> >>> >> o forest at Windows 2008 level
> >> >>> >> o single domain at Windows 2008 level
> >> >>> >> o SP2 and all updates installed
> >> >>> >>
> >> >>> >> So when I hit next on "Additional Domain Controller Options" (step
> >> >>> >> 7
> >> >>> >> of
> >> >>> >> "To install an RODC on a full installation of Windows Server
> >> >>> >> 2008") I
> >> >>> >> get
> >> >>> >> "The default Password Replication Policy groups are not present on
> >> >>> >> the
> >> >>> >> PDC [My PDC]. The parameter is incorrect".
> >> >>> >
> >> >>> > Back then when you prepared the Schema for Server 2008 usage, did
> >> >>> > you
> >> >>> > run
> >> >>> > /rodcprep and it ran correctly? Were those groups ever created?
> >> >>> >
> >> >>> > Cheers,
> >> >>> > Florian
> >> >>>
> >> >>>
> >> >>> .
Re: Missing one of the "default Password Replication Policy groups [message #382537 is a reply to message #382416] Tue, 02 February 2010 09:13
James Brown
The first 2008 DC was made PDCe the same day. 'kj' pointed me at
http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx
and a note which seemed to indicate the RODC groups should be created the
first time you try to add a RODC (assuming you're NOT trying to do a staged
installation).

Regardless of what should happen and however I run the 2008 R2 DCPROMO I
ultimately run into "The default Password Replication Policy groups are not
present on the PDC" (a fact that I'm painfully aware of).

I’m trawling through the logs as we speak armed with the creation time of
the “Denied RODC Password Replication Group”.

Quick thought, if I create a new Windows 2008 machine and promote it to a DC
with the PDCe role as part of the promotion do you think these groups may be
re-created?

James

"Paul Bergson [MVP-DS]" wrote:

> I have made a mistake, if you promote a server to an RODC these groups
> should also be created. See details below:
>
> After you upgrade the Windows Server 2003-based domain controller holding
> the role of the PDC emulator master in each domain in the forest to Windows
> Server 2008, or after you move the PDC emulator operations master role to a
> Windows Server 2008-based domain controller, or after you add a read-only
> domain controller (RODC) to your domain, the following new well-known and
> built-in groups are created:
>
> a.. Builtin\IIS_IUSRS
>
>
> b.. Builtin\Cryptographic Operators
>
>
> c.. Allowed RODC Password Replication Group
>
>
> d.. Denied RODC Password Replication Group
>
>
> e.. Read-only Domain Controllers
>
>
> f.. Builtin\Event Log Readers
>
>
> g.. Enterprise Read-only Domain Controllers (created only on the forest
> root domain)
>
>
> h.. Builtin\Certificate Service DCOM Access
>
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> news:O%23HxhkApKHA.1548@TK2MSFTNGP04.phx.gbl...
> > From the way I read the tech article and was confirmed by Yusuf the groups
> > do not get created until after the PDCe is a 2008 DC. Has that happened
> > yet?
> >
> > --
> > Paul Bergson
> > MVP - Directory Services
> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> > 2008, 2003, 2000 (Early Achiever), NT4
> > Microsoft's Thrive IT Pro of the Month - June 2009
> >
> > http://www.pbbergs.com
> >
> > Please no e-mails, any questions should be posted in the NewsGroup This
> > posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> > news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
> >> Paul, firstly thank you once again for your posts.
> >> I'd like to post the log EBS Schema Upgrade Tools Log, it's a rather neat
> >> summary of the and clearly shows the ADPREP commands issued against the
> >> 2003
> >> DC.
> >>
> >> **********************************
> >> 12/15/09 18:30:21 79208171 Opened logfile
> >> C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09 18:30:21
> >> 79208171
> >> 12/15/09 18:30:21 79208187 File version info:
> >> 12/15/09 18:30:21 79208187 modulePath: D:\SCHEMAUPGRADETOOL.EXE
> >> 12/15/09 18:30:21 79208187 dwFileVersionMS: 0x60000 (393216)
> >> 12/15/09 18:30:21 79208187 dwFileVersionLS: 0x16440000 (373555200)
> >> 12/15/09 18:30:21 79208187 dwProductVersionMS: 0x60000 (393216)
> >> 12/15/09 18:30:21 79208187 dwProductVersionLS: 0x16440000 (373555200)
> >> 12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
> >> 12/15/09 18:30:21 79208203 Domain Joined: TRUE
> >> 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
> >> 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
> >> 12/15/09 18:30:21 79208203 GetDomainSid() returning:
> >> S-1-5-21-1553700716-3413723528-2741516094
> >> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> >> S-1-5-21-1553700716-3413723528-2741516094-512
> >> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> >> S-1-5-21-1553700716-3413723528-2741516094-519
> >> 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
> >> 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
> >> 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
> >> 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
> >> 12/15/09 18:30:21 79208593 Schema role owner is
> >> paris.ndcconsultants.co.uk
> >> 12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is complete:
> >> FALSE
> >> 12/15/09 18:30:22 79209703 Infrastructure role owner is
> >> paris.ndcconsultants.co.uk
> >> 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role Owner) is
> >> complete: FALSE
> >> 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner) is
> >> complete:
> >> FALSE
> >> 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
> >> 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role Owner: TRUE
> >> 12/15/09 18:30:23 79209921 .dit file path: C:\WINDOWS\NTDS\ntds.dit
> >> 12/15/09 18:30:23 79209921 File C:\WINDOWS\NTDS\ntds.dit has size
> >> 29376512
> >> 12/15/09 18:30:23 79209921 .dit file size: 28 MB
> >> 12/15/09 18:30:23 79209921 disk space required: 33 MB
> >> 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is 170962432
> >> 12/15/09 18:30:23 79209921 free space on .dit volume: 20643 MB
> >> 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
> >> 12/15/09 18:30:23 79209921 All prerequisites met.
> >> 12/15/09 18:30:23 79209921 Prerequisite checking passed.
> >> 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
> >> 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
> >> 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
> >> 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
> >> 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
> >> 12/15/09 18:30:23 79209921 Infrastructure role owner is
> >> paris.ndcconsultants.co.uk
> >> 12/15/09 18:30:23 79209921 Schema role owner is
> >> paris.ndcconsultants.co.uk
> >> 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
> >> 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows Essential
> >> Business Server Schema Upgrade Tool is about to upgrade your schema to
> >> the
> >> Windows Server 2008 schema level. This process will take between three
> >> minutes and an hour. During this time, this computers CPU and hard disk
> >> drive
> >> will be under heavy load. There will be heavy network traffic if you have
> >> multiple domain controllers or many group policy objects.
> >> If you have not checked the physical condition of this computers hard
> >> disk
> >> drive recently, consider running a full bad sector test prior to
> >> upgrading
> >> the schema. Do not reboot or shut down this computer while the upgrade is
> >> in
> >> process. Upgrading the schema is permanent (changes cannot be undone).
> >> Click OK to begin the upgrade, or Cancel to close the tool.
> >> 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
> >> 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
> >> 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
> >> 12/15/09 18:30:44 79231421 isAclSupported: TRUE
> >> 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
> >> C:\WINDOWS\temp already exists (dwError=0xb7, GetLastError()=0xb7).
> >> 12/15/09 18:30:44 79231421 LsaFreeMemory() returned: 0x0
> >> 12/15/09 18:30:44 79231421 LsaClose() returned: 0x0
> >> 12/15/09 18:30:44 79231421 GetDomainSid() returning:
> >> S-1-5-21-1553700716-3413723528-2741516094
> >> 12/15/09 18:30:44 79231421 GetSidFromRid() returning:
> >> S-1-5-21-1553700716-3413723528-2741516094-512
> >> 12/15/09 18:30:44 79231437 Copying files to temp directory
> >> C:\WINDOWS\temp\ADP1.tmp
> >> 12/15/09 18:30:44 79231437 CopyFilesToTempDirectory()
> >> 12/15/09 18:30:44 79231437 src dir: D:\
> >> 12/15/09 18:30:44 79231437 dest dir: C:\WINDOWS\temp\ADP1.tmp
> >> 12/15/09 18:30:49 79236390 SHFileOperation() returned 0x0
> >> 12/15/09 18:30:49 79236390 fileOp.fAnyOperationsAborted: FALSE
> >> 12/15/09 18:30:49 79236390 Done copying files to temp directory.
> >> 12/15/09 18:30:49 79236390 adprep path:
> >> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
> >> 12/15/09 18:30:49 79236390 Running forestprep.
> >> 12/15/09 18:30:49 79236390 IsWindows2000()
> >> 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
> >> 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
> >> 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
> >> 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
> >> 12/15/09 18:30:49 79236390 DoCreateProcess()
> >> 12/15/09 18:30:49 79236390 cmdline:
> >> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
> >> 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> 12/15/09 18:37:33 79640187 exit code: 0
> >> 12/15/09 18:37:33 79640187 adprep returned 0
> >> 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
> >> 12/15/09 18:37:33 79640187 No replication required, running on schema
> >> role
> >> owner.
> >> 12/15/09 18:37:33 79640187 Running domainprep.
> >> 12/15/09 18:37:33 79640187 DoCreateProcess()
> >> 12/15/09 18:37:33 79640187 cmdline:
> >> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
> >> /silent
> >> 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> 12/15/09 18:37:39 79646250 exit code: 0
> >> 12/15/09 18:37:39 79646250 adprep returned 0
> >> 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
> >> 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
> >> 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp dir
> >> C:\WINDOWS\temp\ADP1.tmp
> >> 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
> >> 12/15/09 18:37:39 79646359 Closing log.
> >> **********************************
> >> This tool was run once prompted by the Management Server phase of the EBS
> >> installation wizard. At this point in time I believe the wizard had
> >> completed installing, updating and joining a Windows Server 2008 machine
> >> to
> >> the 2003 network. The tool didn't run /rodcprep.
> >> The next step in the wizard was the promotion of the Management Server to
> >> DC, I'm reviewing the DCPROMO.log from this operation. I think, but I'm
> >> not
> >> sure, that the FSMO roles were transferred to the Management Server at
> >> this
> >> point. BTW I also plan to create VMs of the 2003 DC from our backup
> >> images
> >> just before and after in order to check on the troublesome RODC groups
> >> but
> >> this will take me a little while.
> >> The rest of the EBS servers were installed and the old 2003 DC gracefully
> >> demoted a few weeks later.
> >> As originally posted before attempting to create a RODC I ran the 2008 R2
> >> adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep all
> >> without
> >> error. One point I'm not worried about is the 2008 version of /rodcprep
> >> had
> >> not been run.
> >> If I could just pinpoint exactly when these groups were supposed to be
> >> created I'd be able to focus on all the events at that time.
> >>
> >> To say this problem is frustrating is an understatement!
> >>
> >> James
> >>
> >>
> >> "Paul Bergson [MVP-DS]" wrote:
> >>
> >>> With assistance from a fellow MVP (Yusuf), it appears that in order to
> >>> get
> >>> these groups created you will have to move the PDCe from your 2003 DC to
> >>> the
> >>> 2008 server. This is a recommended strategy anyways.
> >>>
> >>> From a command prompt run the following to learn where your fsmo roles
> >>> reside
> >>> netdom query fsmo
> >>>
> >>> See:
> >>> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
> >>>
> >>> --
> >>> Paul Bergson
> >>> MVP - Directory Services
> >>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >>> 2008, 2003, 2000 (Early Achiever), NT4
> >>> Microsoft's Thrive IT Pro of the Month - June 2009
> >>>
> >>> http://www.pbbergs.com
> >>>
> >>> Please no e-mails, any questions should be posted in the NewsGroup This
> >>> posting is provided "AS IS" with no warranties, and confers no rights.
> >>>
> >>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> >>> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
> >>> > Sorry, I have never had to refer to the logs since I have been
> >>> > successful
> >>> > on every attempt. I would verify that the log exists and if so see if
> >>> > there are any errors. If you have something you are unable to
> >>> > decipher
> >>> > just post the log and I'm sure someone from the NewsGroup could assist
> >>> > in
> >>> > reading. Most of these logs provide good details.
> >>> >
> >>> > --
> >>> > Paul Bergson
> >>> > MVP - Directory Services
> >>> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >>> > 2008, 2003, 2000 (Early Achiever), NT4
> >>> > Microsoft's Thrive IT Pro of the Month - June 2009
> >>> >
> >>> > http://www.pbbergs.com
> >>> >
> >>> > Please no e-mails, any questions should be posted in the NewsGroup
> >>> > This
> >>> > posting is provided "AS IS" with no warranties, and confers no rights.
> >>> >
> >>> > "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> >>> > news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
> >>> >> Thanks for your reply Paul.
> >>> >>
> >>> >> I've been trying to find out when these groups are created for a few
> >>> >> days,
> >>> >> I'm not sure I even have access to the right documentation to be
> >>> >> successful.
> >>> >>
> >>> >> I'll retrieve the logs from backup. Any particular string for me to
> >>> >> be
> >>> >> searching for? I'll also review your article ASAP.
> >>> >>
> >>> >> Many thanks,
> >>> >>
> >>> >> James
> >>> >>
> >>> >> "Paul Bergson [MVP-DS]" wrote:
> >>> >>
Re: Missing one of the "default Password Replication Policy groups [message #382546 is a reply to message #382416] Tue, 02 February 2010 09:18
KevinJ.SBS
Great documentation Paul. Is there a public MS link to this somewhere?

As I read that any one of the "or" conditions trigger the creation of these
groups. (Curious now about just what does this creation as it seems to be
broken for the OP).


Paul Bergson [MVP-DS] wrote:
> I have made a mistake, if you promote a server to an RODC these groups
> should also be created. See details below:
>
> After you upgrade the Windows Server 2003-based domain controller
> holding the role of the PDC emulator master in each domain in the
> forest to Windows Server 2008, or after you move the PDC emulator
> operations master role to a Windows Server 2008-based domain
> controller, or after you add a read-only domain controller (RODC) to
> your domain, the following new well-known and built-in groups are
> created:
> a.. Builtin\IIS_IUSRS
>
>
> b.. Builtin\Cryptographic Operators
>
>
> c.. Allowed RODC Password Replication Group
>
>
> d.. Denied RODC Password Replication Group
>
>
> e.. Read-only Domain Controllers
>
>
> f.. Builtin\Event Log Readers
>
>
> g.. Enterprise Read-only Domain Controllers (created only on the
> forest root domain)
>
>
> h.. Builtin\Certificate Service DCOM Access
>
>

--
/kj
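The SchemaUpgradeTool.log quoted in this thread records each adprep invocation as a `cmdline:` entry followed by an `exit code:` entry, so the phases that actually ran can be read out of it mechanically. The following is an added example, not code from any poster in the thread: the function names are hypothetical, and the sample is an excerpt of the quoted log with the newsreader quote prefixes removed.

```python
import re

# Excerpt of the SchemaUpgradeTool.log lines quoted in the thread, with the
# "> >>" prefixes removed and the newsreader's line wrapping left in place.
SAMPLE_LOG = r"""
12/15/09 18:30:49 79236390 Running forestprep.
12/15/09 18:30:49 79236390 DoCreateProcess()
12/15/09 18:30:49 79236390 cmdline:
C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
12/15/09 18:37:33 79640187 exit code: 0
12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
12/15/09 18:37:33 79640187 Running domainprep.
12/15/09 18:37:33 79640187 DoCreateProcess()
12/15/09 18:37:33 79640187 cmdline:
C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
/silent
12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
12/15/09 18:37:39 79646250 exit code: 0
12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
"""

# "MM/DD/YY HH:MM:SS <tick count> <message>"
ENTRY = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\d+) (.*)$")
# Leading "> >>"-style quote markers, so text pasted from a reply also parses.
QUOTE = re.compile(r"^(?:>\s?)+")
PREP_SWITCHES = ("forestprep", "domainprep", "gpprep", "rodcprep")


def parse_entries(text):
    """Return [(timestamp, message)], folding wrapped lines into their entry."""
    entries = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw.strip()).strip()
        if not line or set(line) == {"*"}:  # blank line or "*****" separator
            continue
        match = ENTRY.match(line)
        if match:
            entries.append([match.group(1), match.group(3).strip()])
        elif entries:
            # No timestamp: continuation of the previous, wrapped entry.
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return [tuple(entry) for entry in entries]


def adprep_runs(text):
    """Return one dict per adprep invocation: time, switches, exit code."""
    runs = []
    for stamp, msg in parse_entries(text):
        if msg.startswith("cmdline:") and "adprep.exe" in msg.lower():
            # Paths use backslashes, so "/word" after whitespace is a switch.
            switches = [s.lower() for s in re.findall(r"(?:^|\s)/(\w+)", msg)]
            runs.append({"time": stamp, "switches": switches, "exit_code": None})
        elif msg.startswith("exit code:") and runs and runs[-1]["exit_code"] is None:
            runs[-1]["exit_code"] = int(msg.split(":", 1)[1])
    return runs


def prep_coverage(text):
    """Map each adprep phase to True if it was issued and exited with 0."""
    done = {name: False for name in PREP_SWITCHES}
    for run in adprep_runs(text):
        for name in PREP_SWITCHES:
            if name in run["switches"] and run["exit_code"] == 0:
                done[name] = True
    return done


if __name__ == "__main__":
    for run in adprep_runs(SAMPLE_LOG):
        print(run["time"], "/" + " /".join(run["switches"]), "exit", run["exit_code"])
    missing = [name for name, ok in prep_coverage(SAMPLE_LOG).items() if not ok]
    print("phases not seen in this log:", ", ".join(missing) or "none")
```

A phase reported as missing only means this particular log does not show it; a later manual adprep run would be recorded in a different log.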
Re: Missing one of the "default Password Replication Policy groups [message #382547 is a reply to message #382537] Tue, 02 February 2010 09:22
KevinJ.SBS
James Brown wrote:
> The first 2008 DC was made PDCe the same day. 'kj' pointed me at
> http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx
> and a note which seemed to indicate the RODC groups should be created
> the first time you try to add a RODC (assuming you're NOT trying to
> do a staged installation).
>
> Regardless of what should happen and however I run the 2008 R2
> DCPROMO I ultimately run into "The default Password Replication
> Policy groups are not present on the PDC" (a fact that I'm painfully
> aware of).
>
> I'm trawling through the logs as we speak armed with the creation
> time of the "Denied RODC Password Replication Group".
>
> Quick thought, if I create a new Windows 2008 machine and promote it
> to a DC with the PDCe role as part of the promotion do you think
> these groups may be re-created?
>
> James

I think that something in your environment is broken as the information Paul
posted indicated that at least two of your actions should have triggered the
creation of the required groups. Are you using an account with delegated
permissions or (the) full built-in domain administrator account?

>
> "Paul Bergson [MVP-DS]" wrote:
>
>> I have made a mistake, if you promote a server to an RODC these
>> groups should also be created. See details below:
>>
>> After you upgrade the Windows Server 2003-based domain controller
>> holding the role of the PDC emulator master in each domain in the
>> forest to Windows Server 2008, or after you move the PDC emulator
>> operations master role to a Windows Server 2008-based domain
>> controller, or after you add a read-only domain controller (RODC) to
>> your domain, the following new well-known and built-in groups are
>> created:
>>
>> a. Builtin\IIS_IUSRS
>> b. Builtin\Cryptographic Operators
>> c. Allowed RODC Password Replication Group
>> d. Denied RODC Password Replication Group
>> e. Read-only Domain Controllers
>> f. Builtin\Event Log Readers
>> g. Enterprise Read-only Domain Controllers (created only on the
>>    forest root domain)
>> h. Builtin\Certificate Service DCOM Access
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>> news:O%23HxhkApKHA.1548@TK2MSFTNGP04.phx.gbl...
>>> From the way I read the tech article and was confirmed by Yusuf the
>>> groups do not get created until after the PDCe is a 2008 DC. Has
>>> that happened yet?
>>>
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>> 2008, 2003, 2000 (Early Achiever), NT4
>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
>>> message news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
>>>> Paul, firstly thank you once again for your posts.
>>>> I'd like to post the log EBS Schema Upgrade Tools Log, it's a
>>>> rather neat summary of the and clearly shows the ADPREP commands
>>>> issued against the 2003 DC.
>>>>
>>>> **********************************
>>>> 12/15/09 18:30:21 79208171 Opened logfile
>>>> C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09
>>>> 18:30:21 79208171
>>>> 12/15/09 18:30:21 79208187 File version info:
>>>> 12/15/09 18:30:21 79208187 modulePath: D:\SCHEMAUPGRADETOOL.EXE
>>>> 12/15/09 18:30:21 79208187 dwFileVersionMS: 0x60000 (393216)
>>>> 12/15/09 18:30:21 79208187 dwFileVersionLS: 0x16440000
>>>> (373555200) 12/15/09 18:30:21 79208187 dwProductVersionMS:
>>>> 0x60000 (393216) 12/15/09 18:30:21 79208187 dwProductVersionLS:
>>>> 0x16440000 (373555200) 12/15/09 18:30:21 79208187 buildnum:
>>>> 6.0.5700.0 12/15/09 18:30:21 79208203 Domain Joined: TRUE
>>>> 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
>>>> 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
>>>> 12/15/09 18:30:21 79208203 GetDomainSid() returning:
>>>> S-1-5-21-1553700716-3413723528-2741516094
>>>> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
>>>> S-1-5-21-1553700716-3413723528-2741516094-512
>>>> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
>>>> S-1-5-21-1553700716-3413723528-2741516094-519
>>>> 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
>>>> 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
>>>> 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
>>>> 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
>>>> 12/15/09 18:30:21 79208593 Schema role owner is
>>>> paris.ndcconsultants.co.uk
>>>> 12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is
>>>> complete: FALSE
>>>> 12/15/09 18:30:22 79209703 Infrastructure role owner is
>>>> paris.ndcconsultants.co.uk
>>>> 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role Owner)
>>>> is complete: FALSE
>>>> 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner) is
>>>> complete:
>>>> FALSE
>>>> 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
>>>> 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role
>>>> Owner: TRUE 12/15/09 18:30:23 79209921 .dit file path:
>>>> C:\WINDOWS\NTDS\ntds.dit 12/15/09 18:30:23 79209921 File
>>>> C:\WINDOWS\NTDS\ntds.dit has size 29376512
>>>> 12/15/09 18:30:23 79209921 .dit file size: 28 MB
>>>> 12/15/09 18:30:23 79209921 disk space required: 33 MB
>>>> 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is
>>>> 170962432 12/15/09 18:30:23 79209921 free space on .dit volume:
>>>> 20643 MB 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
>>>> 12/15/09 18:30:23 79209921 All prerequisites met.
>>>> 12/15/09 18:30:23 79209921 Prerequisite checking passed.
>>>> 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
>>>> 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
>>>> 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
>>>> 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
>>>> 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
>>>> 12/15/09 18:30:23 79209921 Infrastructure role owner is
>>>> paris.ndcconsultants.co.uk
>>>> 12/15/09 18:30:23 79209921 Schema role owner is
>>>> paris.ndcconsultants.co.uk
>>>> 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
>>>> 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows
>>>> Essential Business Server Schema Upgrade Tool is about to upgrade
>>>> your schema to the
>>>> Windows Server 2008 schema level. This process will take between
>>>> three minutes and an hour. During this time, this computers CPU
>>>> and hard disk drive
>>>> will be under heavy load. There will be heavy network traffic if
>>>> you have multiple domain controllers or many group policy objects.
>>>> If you have not checked the physical condition of this computers
>>>> hard disk
>>>> drive recently, consider running a full bad sector test prior to
>>>> upgrading
>>>> the schema. Do not reboot or shut down this computer while the
>>>> upgrade is in
>>>> process. Upgrading the schema is permanent (changes cannot be
>>>> undone). Click OK to begin the upgrade, or Cancel to close the
>>>> tool. 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
>>>> 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
>>>> 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
>>>> 12/15/09 18:30:44 79231421 isAclSupported: TRUE
>>>> 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
>>>> C:\WINDOWS\temp already exists (dwError=0xb7, GetLastError()=0xb7).
>>>> 12/15/09 18:30:44 79231421 LsaFreeMemory() returned: 0x0
>>>> 12/15/09 18:30:44 79231421 LsaClose() returned: 0x0
>>>> 12/15/09 18:30:44 79231421 GetDomainSid() returning:
>>>> S-1-5-21-1553700716-3413723528-2741516094
>>>> 12/15/09 18:30:44 79231421 GetSidFromRid() returning:
>>>> S-1-5-21-1553700716-3413723528-2741516094-512
>>>> 12/15/09 18:30:44 79231437 Copying files to temp directory
>>>> C:\WINDOWS\temp\ADP1.tmp
>>>> 12/15/09 18:30:44 79231437 CopyFilesToTempDirectory()
>>>> 12/15/09 18:30:44 79231437 src dir: D:\
>>>> 12/15/09 18:30:44 79231437 dest dir: C:\WINDOWS\temp\ADP1.tmp
>>>> 12/15/09 18:30:49 79236390 SHFileOperation() returned 0x0
>>>> 12/15/09 18:30:49 79236390 fileOp.fAnyOperationsAborted: FALSE
>>>> 12/15/09 18:30:49 79236390 Done copying files to temp directory.
>>>> 12/15/09 18:30:49 79236390 adprep path:
>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
>>>> 12/15/09 18:30:49 79236390 Running forestprep.
>>>> 12/15/09 18:30:49 79236390 IsWindows2000()
>>>> 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
>>>> 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
>>>> 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
>>>> 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
>>>> 12/15/09 18:30:49 79236390 DoCreateProcess()
>>>> 12/15/09 18:30:49 79236390 cmdline:
>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg
>>>> /silent 12/15/09 18:30:49 79236390 startingDir:
>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:37:33 79640187 exit code: 0
>>>> 12/15/09 18:37:33 79640187 adprep returned 0
>>>> 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
>>>> 12/15/09 18:37:33 79640187 No replication required, running on
>>>> schema role
>>>> owner.
>>>> 12/15/09 18:37:33 79640187 Running domainprep.
>>>> 12/15/09 18:37:33 79640187 DoCreateProcess()
>>>> 12/15/09 18:37:33 79640187 cmdline:
>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep
>>>> /wssg /silent
>>>> 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
>>>> 12/15/09 18:37:39 79646250 exit code: 0
>>>> 12/15/09 18:37:39 79646250 adprep returned 0
>>>> 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
>>>> 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
>>>> 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp dir
>>>> C:\WINDOWS\temp\ADP1.tmp
>>>> 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
>>>> 12/15/09 18:37:39 79646359 Closing log.
>>>> **********************************
>>>> This tool was run once prompted by the Management Server phase of
>>>> the EBS installation wizard. At this point in time I believe the
>>>> wizard had completed installing, updating and joining a Windows
>>>> Server 2008 machine to the 2003 network. The tool didn't run
>>>> /rodcprep.
>>>> The next step in the wizard was the promotion of the Management
>>>> Server to DC, I'm reviewing the DCPROMO.log from this operation. I
>>>> think, but I'm not sure, that the FSMO roles were transferred to
>>>> the Management Server at this point. BTW I also plan to create VMs
>>>> of the 2003 DC from our backup images just before and after in
>>>> order to check on the troublesome RODC groups but this will take
>>>> me a little while.
>>>> The rest of the EBS servers were installed and the old 2003 DC
>>>> gracefully demoted a few weeks later.
>>>> As originally posted before attempting to create a RODC I ran the
>>>> 2008 R2 adpreps: /forestprep, /domainprep /gpprep and finally
>>>> /rodcprep all without error. One point I'm not worried about is
>>>> the 2008 version of /rodcprep had not been run.
>>>> If I could just pinpoint exactly when these groups were supposed
>>>> to be created I'd be able to focus on all the events at that time.
>>>>
>>>> To say this problem is frustrating is an understatement!
>>>>
>>>> James
>>>>
>>>>
>>>> "Paul Bergson [MVP-DS]" wrote:
>>>>
>>>>> With assistance from a fellow MVP (Yusuf), it appears that in
>>>>> order to get these groups created you will have to move the PDCe
>>>>> from your 2003 DC to the 2008 server. This is a recommended
>>>>> strategy anyways.
>>>>>
>>>>> From a command prompt run the following to learn where your fsmo
>>>>> roles reside
>>>>> netdom query fsmo
>>>>>
>>>>> See:
>>>>> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
>>>>>
>>>>> --
>>>>> Paul Bergson
>>>>> MVP - Directory Services
>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>
>>>>> http://www.pbbergs.com
>>>>>
>>>>> Please no e-mails, any questions should be posted in the
>>>>> NewsGroup This posting is provided "AS IS" with no warranties,
>>>>> and confers no rights.
>>>>>
>>>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>>>>> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
>>>>>> Sorry, I have never had to refer to the logs since I have been
>>>>>> successful on every attempt. I would verify that the log exists
>>>>>> and if so see if there are any errors. If you have something you
>>>>>> are unable to decipher just post the log and I'm sure someone
>>>>>> from the NewsGroup could assist in reading. Most of these logs
>>>>>> provide good details.
>>>>>>
>>>>>> --
>>>>>> Paul Bergson
>>>>>> MVP - Directory Services
>>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>>
>>>>>> http://www.pbbergs.com
>>>>>>
>>>>>> Please no e-mails, any questions should be posted in the
>>>>>> NewsGroup This
>>>>>> posting is provided "AS IS" with no warranties, and confers no
>>>>>> rights.
>>>>>>
>>>>>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
>>>>>> message
>>>>>> news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
>>>>>>> Thanks for your reply Paul.
>>>>>>>
>>>>>>> I've been trying to find out when these groups are created for
>>>>>>> a few days, I'm not sure I even have access to the right
>>>>>>> documentation to be successful.
>>>>>>>
>>>>>>> I'll retrieve the logs from backup. Any particular string for
>>>>>>> me to be searching for? I'll also review your article ASAP.
>>>>>>>
>>>>>>> Many thanks,
>>>>>>>
>>>>>>> James
>>>>>>>
>>>>>>> "Paul Bergson [MVP-DS]" wrote:

--
/kj
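
The SchemaUpgradeTool.log quoted in the post above records each adprep.exe command line and its exit code, and James notes that the tool never ran /rodcprep. The following is an added example, not part of any poster's message and not Microsoft tooling: Python that recovers the adprep invocations from such a log even after newsreader quoting and re-wrapping, and lists the preparation switches that have no successful run. The function names are this example's own; the sample is an excerpt of the log as quoted in the thread.

```python
import re

# Excerpt of the SchemaUpgradeTool.log as quoted in the thread, kept with the
# ">>>>" reply markers and the re-wrapping that fuses entries onto one line.
SAMPLE = r"""
>>>> 12/15/09 18:30:49 79236390 Running forestprep.
>>>> 12/15/09 18:30:49 79236390 DoCreateProcess()
>>>> 12/15/09 18:30:49 79236390 cmdline:
>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg
>>>> /silent 12/15/09 18:30:49 79236390 startingDir:
>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:37:33 79640187 exit code: 0
>>>> 12/15/09 18:37:33 79640187 adprep returned 0
>>>> 12/15/09 18:37:33 79640187 Running domainprep.
>>>> 12/15/09 18:37:33 79640187 DoCreateProcess()
>>>> 12/15/09 18:37:33 79640187 cmdline:
>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep
>>>> /wssg /silent
>>>> 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
>>>> 12/15/09 18:37:39 79646250 exit code: 0
>>>> 12/15/09 18:37:39 79646250 adprep returned 0
"""

# Every entry starts "MM/DD/YY HH:MM:SS <tick count> "; after re-wrapping that
# prefix can sit in the middle of a line, so it is searched for, not anchored.
ENTRY_START = re.compile(r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \d+(?= |$)")
EXIT_CODE = re.compile(r"exit code: (-?(?:0x[0-9a-fA-F]+|\d+))")


def entries(text):
    """Yield (timestamp, message) for each log entry in quoted, wrapped text."""
    # Strip reply markers, then undo the wrapping by joining on single spaces.
    lines = (re.sub(r"^[>\s]+", "", ln).strip() for ln in text.splitlines())
    flat = " ".join(ln for ln in lines if ln)
    marks = list(ENTRY_START.finditer(flat))
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        message = flat[mark.end():end].strip()
        if message:  # a timestamp quoted inside a message leaves an empty entry
            yield mark.group(1), message


def adprep_runs(text):
    """Return one record per adprep.exe invocation found in the log."""
    runs, pending = [], None
    for stamp, message in entries(text):
        lowered = message.lower()
        if lowered.startswith("cmdline:") and "adprep.exe" in lowered:
            # Switches are the /word tokens after the executable path.
            args = lowered.split("adprep.exe", 1)[1]
            pending = {"started": stamp,
                       "switches": re.findall(r"(?<!\S)/(\w+)", args),
                       "exit_code": None}
            runs.append(pending)
            continue
        code = EXIT_CODE.fullmatch(message)
        if code and pending is not None:
            # The first exit code after a cmdline belongs to that invocation.
            pending["exit_code"] = int(code.group(1), 0)
            pending = None
    return runs


def preps_not_run(runs, wanted=("forestprep", "domainprep", "gpprep", "rodcprep")):
    """List the preparation switches with no invocation that exited 0."""
    done = {s for run in runs if run["exit_code"] == 0 for s in run["switches"]}
    return [w for w in wanted if w not in done]


if __name__ == "__main__":
    found = adprep_runs(SAMPLE)
    for run in found:
        print(run["started"], "/" + " /".join(run["switches"]), "->", run["exit_code"])
    print("no successful run recorded for:", preps_not_run(found))
```

An exit code of 0 only shows that adprep itself reported success; whether the groups exist still has to be checked in the directory.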
Re: Missing one of the "default Password Replication Policy groups [message #382581 is a reply to message #382530] Tue, 02 February 2010 10:04
pbbergs, United States
That shouldn't have mattered if at 2003. Dang had hoped you forgot about
this.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
news:D9E10431-3BAA-4AE6-8945-B7EE373E6EA2@microsoft.com...
> They're both at 2008 level now. Forest was at 2003 but I raised it to
> 2008 just to see if I could resolve this...
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> What is your domain and forest functional level at? If you have never
>> updated these they are probably sitting at Windows 2000. I'm guessing
>> you have changed these but this could be why. I'm not seeing any
>> issues in your log files.
>>
>> http://support.microsoft.com/kb/322692
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
>> news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
>> > Paul, firstly thank you once again for your posts.
>> > I'd like to post the log EBS Schema Upgrade Tools Log, it's a rather
>> > neat summary of the and clearly shows the ADPREP commands issued
>> > against the 2003 DC.
>> >
>> > This tool was run once prompted by the Management Server phase of the
>> > EBS installation wizard. At this point in time I believe the wizard had
>> > completed installing, updating and joining a Windows Server 2008
>> > machine to the 2003 network. The tool didn't run /rodcprep.
>> > The next step in the wizard was the promotion of the Management Server
>> > to DC, I'm reviewing the DCPROMO.log from this operation. I think, but
>> > I'm not sure, that the FSMO roles were transferred to the Management
>> > Server at this point. BTW I also plan to create VMs of the 2003 DC from
>> > our backup images just before and after in order to check on the
>> > troublesome RODC groups but this will take me a little while.
>> > The rest of the EBS servers were installed and the old 2003 DC
>> > gracefully demoted a few weeks later.
>> > As originally posted before attempting to create a RODC I ran the 2008
>> > R2 adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep all
>> > without error. One point I'm not worried about is the 2008 version of
>> > /rodcprep had not been run.
>> > If I could just pinpoint exactly when these groups were supposed to be
>> > created I'd be able to focus on all the events at that time.
>> >
>> > To say this problem is frustrating is an understatement!
>> >
>> > James
>> >
>> >
>> > "Paul Bergson [MVP-DS]" wrote:
>> >
>> >> With assistance from a fellow MVP (Yusuf), it appears that in order to
>> >> get these groups created you will have to move the PDCe from your 2003
>> >> DC to the 2008 server. This is a recommended strategy anyways.
>> >>
>> >> From a command prompt run the following to learn where your fsmo roles
>> >> reside
>> >> netdom query fsmo
>> >>
>> >> See:
>> >> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
>> >>
>> >> --
>> >> Paul Bergson
>> >> MVP - Directory Services
>> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> >> 2008, 2003, 2000 (Early Achiever), NT4
>> >> Microsoft's Thrive IT Pro of the Month - June 2009
>> >>
>> >> http://www.pbbergs.com
>> >>
>> >> Please no e-mails, any questions should be posted in the NewsGroup
>> >> This
>> >> posting is provided "AS IS" with no warranties, and confers no rights.
>> >>
>> >> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>> >> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
>> >> > Sorry, I have never had to refer to the logs since I have been
>> >> > successful on every attempt. I would verify that the log exists and
>> >> > if so see if there are any errors. If you have something you are
>> >> > unable to decipher just post the log and I'm sure someone from the
>> >> > NewsGroup could assist in reading. Most of these logs provide good
>> >> > details.
>> >> >
>> >> > --
>> >> > Paul Bergson
>> >> > MVP - Directory Services
>> >> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> >> > 2008, 2003, 2000 (Early Achiever), NT4
>> >> > Microsoft's Thrive IT Pro of the Month - June 2009
>> >> >
>> >> > http://www.pbbergs.com
>> >> >
>> >> > Please no e-mails, any questions should be posted in the NewsGroup
>> >> > This
>> >> > posting is provided "AS IS" with no warranties, and confers no
>> >> > rights.
>> >> >
>> >> > "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
>> >> > message
>> >> > news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
>> >> >> Thanks for your reply Paul.
>> >> >>
>> >> >> I've been trying to find out when these groups are created for a
>> >> >> few days, I'm not sure I even have access to the right
>> >> >> documentation to be successful.
>> >> >>
>> >> >> I'll retrieve the logs from backup. Any particular string for me
>> >> >> to be searching for? I'll also review your article ASAP.
>> >> >>
>> >> >> Many thanks,
>> >> >>
>> >> >> James
>> >> >>
>> >> >> "Paul Bergson [MVP-DS]" wrote:
>> >> >>
>> >> >>> I think Florian is on to something here. I did try and track down
>> >> >>> where the allow and deny groups are created but it doesn't appear
>> >> >>> to be easily tracked down.
>> >> >>>
>> >> >>> You should be able to see the error log
>> >> >>> C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more information.
>> >> >>>
>> >> >>> Also check out an article I have on Forest upgrades
>> >> >>> http://www.pbbergs.com/windows/articles/Upgrading_Active_Directory_from_2003_to_2008.htm
>> >> >>>
>> >> >>> --
>> >> >>> Paul Bergson
>> >> >>> MVP - Directory Services
>> >> >>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> >> >>> 2008, 2003, 2000 (Early Achiever), NT4
>> >> >>> Microsoft's Thrive IT Pro of the Month - June 2009
>> >> >>>
>> >> >>> http://www.pbbergs.com
>> >> >>>
>> >> >>> Please no e-mails, any questions should be posted in the NewsGroup
>> >> >>> This
>> >> >>> posting is provided "AS IS" with no warranties, and confers no
>> >> >>> rights.
>> >> >>>
>> >> >>> "Florian Frommherz [MVP]" <florian@frickelsoft.net> wrote in
>> >> >>> message
>> >> >>> news:uoAHKHxoKHA.5696@TK2MSFTNGP04.phx.gbl...
>> >> >>> > James,
>> >> >>> >
>> >> >>> > James Brown wrote:
>> >> >>> >> 2 Windows Server 2008 DCs
>> >> >>> >> o forest at Windows 2008 level
>> >> >>> >> o single domain at Windows 2008 level
>> >> >>> >> o SP2 and all updates installed
>> >> >>> >>
>> >> >>> >> So when I hit next on "Additional Domain Controller Options"
>> >> >>> >> (step 7 of "To install an RODC on a full installation of
>> >> >>> >> Windows Server 2008") I get "The default Password Replication
>> >> >>> >> Policy groups are not present on the PDC [My PDC]. The
>> >> >>> >> parameter is incorrect".
>> >> >>> >
>> >> >>> > Back then when you prepared the Schema for Server 2008 usage,
>> >> >>> > did you run /rodcprep and it ran correctly? Were those groups
>> >> >>> > ever created?
>> >> >>> >
>> >> >>> > Cheers,
>> >> >>> > Florian
Re: Missing one of the "default Password Replication Policy groups [message #382583 is a reply to message #382546] Tue, 02 February 2010 10:05
pbbergs, United States
[Appendix A: Background Information for Upgrading Active Directory Domains]
http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:ODFIeNCpKHA.1892@TK2MSFTNGP02.phx.gbl...
> Great documentation Paul. Is there a public MS link to this somewhere?
>
> As I read that any one of the "or" conditions trigger the creation of
> these groups. ( Curious now about just what does this creation as it seems
> to be broken for the OP).
>
>
> Paul Bergson [MVP-DS] wrote:
>> I have made a mistake, if you promote a server to an RODC these groups
>> should also be created. See details below:
>>
>> After you upgrade the Windows Server 2003-based domain controller
>> holding the role of the PDC emulator master in each domain in the
>> forest to Windows Server 2008, or after you move the PDC emulator
>> operations master role to a Windows Server 2008-based domain
>> controller, or after you add a read-only domain controller (RODC) to
>> your domain, the following new well-known and built-in groups are
>> created:
>> a. Builtin\IIS_IUSRS
>> b. Builtin\Cryptographic Operators
>> c. Allowed RODC Password Replication Group
>> d. Denied RODC Password Replication Group
>> e. Read-only Domain Controllers
>> f. Builtin\Event Log Readers
>> g. Enterprise Read-only Domain Controllers (created only on the
>>    forest root domain)
>> h. Builtin\Certificate Service DCOM Access
>>
>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>> news:O%23HxhkApKHA.1548@TK2MSFTNGP04.phx.gbl...
>>> From the way I read the tech article and was confirmed by Yusuf the
>>> groups do not get created until after the PDCe is a 2008 DC. Has
>>> that happened yet?
>>>
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>> 2008, 2003, 2000 (Early Achiever), NT4
>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
>>> message news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
>>>> Paul, firstly thank you once again for your posts.
>>>> I'd like to post the log EBS Schema Upgrade Tools Log, it's a
>>>> rather neat summary of the and clearly shows the ADPREP commands
>>>> issued against the 2003 DC.
>>>>
>>>> **********************************
>>>> 12/15/09 18:30:21 79208171 Opened logfile C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09 18:30:21 79208171
>>>> 12/15/09 18:30:21 79208187 File version info:
>>>> 12/15/09 18:30:21 79208187 modulePath: D:\SCHEMAUPGRADETOOL.EXE
>>>> 12/15/09 18:30:21 79208187 dwFileVersionMS: 0x60000 (393216)
>>>> 12/15/09 18:30:21 79208187 dwFileVersionLS: 0x16440000 (373555200)
>>>> 12/15/09 18:30:21 79208187 dwProductVersionMS: 0x60000 (393216)
>>>> 12/15/09 18:30:21 79208187 dwProductVersionLS: 0x16440000 (373555200)
>>>> 12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
>>>> 12/15/09 18:30:21 79208203 Domain Joined: TRUE
>>>> 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
>>>> 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
>>>> 12/15/09 18:30:21 79208203 GetDomainSid() returning: S-1-5-21-1553700716-3413723528-2741516094
>>>> 12/15/09 18:30:21 79208203 GetSidFromRid() returning: S-1-5-21-1553700716-3413723528-2741516094-512
>>>> 12/15/09 18:30:21 79208203 GetSidFromRid() returning: S-1-5-21-1553700716-3413723528-2741516094-519
>>>> 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
>>>> 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
>>>> 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
>>>> 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
>>>> 12/15/09 18:30:21 79208593 Schema role owner is paris.ndcconsultants.co.uk
>>>> 12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is complete: FALSE
>>>> 12/15/09 18:30:22 79209703 Infrastructure role owner is paris.ndcconsultants.co.uk
>>>> 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role Owner) is complete: FALSE
>>>> 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner) is complete: FALSE
>>>> 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
>>>> 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role Owner: TRUE
>>>> 12/15/09 18:30:23 79209921 .dit file path: C:\WINDOWS\NTDS\ntds.dit
>>>> 12/15/09 18:30:23 79209921 File C:\WINDOWS\NTDS\ntds.dit has size 29376512
>>>> 12/15/09 18:30:23 79209921 .dit file size: 28 MB
>>>> 12/15/09 18:30:23 79209921 disk space required: 33 MB
>>>> 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is 170962432
>>>> 12/15/09 18:30:23 79209921 free space on .dit volume: 20643 MB
>>>> 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
>>>> 12/15/09 18:30:23 79209921 All prerequisites met.
>>>> 12/15/09 18:30:23 79209921 Prerequisite checking passed.
>>>> 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
>>>> 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
>>>> 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
>>>> 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
>>>> 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
>>>> 12/15/09 18:30:23 79209921 Infrastructure role owner is paris.ndcconsultants.co.uk
>>>> 12/15/09 18:30:23 79209921 Schema role owner is paris.ndcconsultants.co.uk
>>>> 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
>>>> 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows Essential Business Server Schema Upgrade Tool is about to upgrade your schema to the Windows Server 2008 schema level. This process will take between three minutes and an hour. During this time, this computers CPU and hard disk drive will be under heavy load. There will be heavy network traffic if you have multiple domain controllers or many group policy objects. If you have not checked the physical condition of this computers hard disk drive recently, consider running a full bad sector test prior to upgrading the schema. Do not reboot or shut down this computer while the upgrade is in process. Upgrading the schema is permanent (changes cannot be undone). Click OK to begin the upgrade, or Cancel to close the tool.
>>>> 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
>>>> 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
>>>> 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
>>>> 12/15/09 18:30:44 79231421 isAclSupported: TRUE
>>>> 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir C:\WINDOWS\temp already exists (dwError=0xb7, GetLastError()=0xb7).
>>>> 12/15/09 18:30:44 79231421 LsaFreeMemory() returned: 0x0
>>>> 12/15/09 18:30:44 79231421 LsaClose() returned: 0x0
>>>> 12/15/09 18:30:44 79231421 GetDomainSid() returning: S-1-5-21-1553700716-3413723528-2741516094
>>>> 12/15/09 18:30:44 79231421 GetSidFromRid() returning: S-1-5-21-1553700716-3413723528-2741516094-512
>>>> 12/15/09 18:30:44 79231437 Copying files to temp directory C:\WINDOWS\temp\ADP1.tmp
>>>> 12/15/09 18:30:44 79231437 CopyFilesToTempDirectory()
>>>> 12/15/09 18:30:44 79231437 src dir: D:\
>>>> 12/15/09 18:30:44 79231437 dest dir: C:\WINDOWS\temp\ADP1.tmp
>>>> 12/15/09 18:30:49 79236390 SHFileOperation() returned 0x0
>>>> 12/15/09 18:30:49 79236390 fileOp.fAnyOperationsAborted: FALSE
>>>> 12/15/09 18:30:49 79236390 Done copying files to temp directory.
>>>> 12/15/09 18:30:49 79236390 adprep path: C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
>>>> 12/15/09 18:30:49 79236390 Running forestprep.
>>>> 12/15/09 18:30:49 79236390 IsWindows2000()
>>>> 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
>>>> 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
>>>> 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
>>>> 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
>>>> 12/15/09 18:30:49 79236390 DoCreateProcess()
>>>> 12/15/09 18:30:49 79236390 cmdline: C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
>>>> 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
>>>> 12/15/09 18:37:33 79640187 exit code: 0
>>>> 12/15/09 18:37:33 79640187 adprep returned 0
>>>> 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
>>>> 12/15/09 18:37:33 79640187 No replication required, running on schema role owner.
>>>> 12/15/09 18:37:33 79640187 Running domainprep.
>>>> 12/15/09 18:37:33 79640187 DoCreateProcess()
>>>> 12/15/09 18:37:33 79640187 cmdline: C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg /silent
>>>> 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
>>>> 12/15/09 18:37:39 79646250 exit code: 0
>>>> 12/15/09 18:37:39 79646250 adprep returned 0
>>>> 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
>>>> 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
>>>> 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp dir C:\WINDOWS\temp\ADP1.tmp
>>>> 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
>>>> 12/15/09 18:37:39 79646359 Closing log.
>>>> **********************************
>>>> This tool was run once prompted by the Management Server phase of
>>>> the EBS installation wizard. At this point in time I believe the
>>>> wizard had completed installing, updating and joining a Windows
>>>> Server 2008 machine to
>>>> the 2003 network. The tool didn't run /rodcprep.
>>>> The next step in the wizard was the promotion of the Management
>>>> Server to DC, I'm reviewing the DCPROMO.log from this operation. I
>>>> think, but I'm not
>>>> sure, that the FSMO roles were transferred to the Management Server
>>>> at this
>>>> point. BTW I also plan to create VMs of the 2003 DC from our backup
>>>> images
>>>> just before and after in order to check on the troublesome RODC
>>>> groups but
>>>> this will take me a little while.
>>>> The rest of the EBS servers were installed and the old 2003 DC
>>>> gracefully demoted a few weeks later.
>>>> As originally posted before attempting to create a RODC I ran the
>>>> 2008 R2 adpreps: /forestprep, /domainprep /gpprep and finally
>>>> /rodcprep all without
>>>> error. One point I'm not worried about is the 2008 version of
>>>> /rodcprep had
>>>> not been run.
>>>> If I could just pinpoint exactly when these groups were supposed to
>>>> be created I'd be able to focus on all the events at that time.
>>>>
>>>> To say this problem is frustrating is an understatement!
>>>>
>>>> James
>>>>
>>>>
>>>> "Paul Bergson [MVP-DS]" wrote:
>>>>
>>>>> With assistance from a fellow MVP (Yusuf), it appears that in
>>>>> order to get
>>>>> these groups created you will have to move the PDCe from your 2003
>>>>> DC to the
>>>>> 2008 server. This is a recommended strategy anyways.
>>>>>
>>>>> From a command prompt run the following to learn where your fsmo
>>>>> roles reside
>>>>> netdom query fsmo
>>>>>
>>>>> See:
>>>>> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
>>>>>
>>>>> --
>>>>> Paul Bergson
>>>>> MVP - Directory Services
>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>
>>>>> http://www.pbbergs.com
>>>>>
>>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>>> This posting is provided "AS IS" with no warranties, and confers
>>>>> no rights.
>>>>>
>>>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in
>>>>> message
>>>>> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
>>>>>> Sorry, I have never had to refer to the logs since I have been
>>>>>> successful
>>>>>> on every attempt. I would verify that the log exists and if so
>>>>>> see if there are any errors. If you have something you are
>>>>>> unable to decipher
>>>>>> just post the log and I'm sure someone from the NewsGroup could
>>>>>> assist in
>>>>>> reading. Most of these logs provide good details.
>>>>>>
>>>>>> --
>>>>>> Paul Bergson
>>>>>> MVP - Directory Services
>>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>>
>>>>>> http://www.pbbergs.com
>>>>>>
>>>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>> rights.
>>>>>>
>>>>>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
>>>>>> message news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
>>>>>>> Thanks for your reply Paul.
>>>>>>>
>>>>>>> I've been trying to find out when these groups are created for a
>>>>>>> few days,
>>>>>>> I'm not sure I even have access to the right documentation to be
>>>>>>> successful.
>>>>>>>
>>>>>>> I'll retrieve the logs from backup. Any particular string for
>>>>>>> me to be
>>>>>>> searching for? I'll also review your article ASAP.
>>>>>>>
>>>>>>> Many thanks,
>>>>>>>
>>>>>>> James
>>>>>>>
>>>>>>> "Paul Bergson [MVP-DS]" wrote:
>>>>>>>
>>>>>>>> I think Florian is on to something here. I did try and track
>>>>>>>> down where
>>>>>>>> the
>>>>>>>> allow and deny groups are created but it doesn't appear to be
>>>>>>>> easily tracked
>>>>>>>> down.
>>>>>>>>
>>>>>>>> You should be able to see the error log
>>>>>>>> C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more
>>>>>>>> information. Also check out an article I have on Forest upgrades
>>>>>>>> http://www.pbbergs.com/windows/articles/Upgrading_Active_Directory_from_2003_to_2008.htm
>>>>>>>>
>>>>>>>> --
>>>>>>>> Paul Bergson
>>>>>>>> MVP - Directory Services
>>>>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>>>>
>>>>>>>> http://www.pbbergs.com
>>>>>>>>
>>>>>>>> Please no e-mails, any questions should be posted in the
>>>>>>>> NewsGroup This
>>>>>>>> posting is provided "AS IS" with no warranties, and confers no
>>>>>>>> rights.
>>>>>>>>
>>>>>>>> "Florian Frommherz [MVP]" <florian@frickelsoft.net> wrote in
>>>>>>>> message news:uoAHKHxoKHA.5696@TK2MSFTNGP04.phx.gbl...
>>>>>>>>> James,
>>>>>>>>>
>>>>>>>>> James Brown wrote:
>>>>>>>>>> 2 Windows Server 2008 DCs
>>>>>>>>>> o forest at Windows 2008 level
>>>>>>>>>> o single domain at Windows 2008 level
>>>>>>>>>> o SP2 and all updates installed
>>>>>>>>>>
>>>>>>>>>> So when I hit next on "Additional Domain Controller Options"
>>>>>>>>>> (step 7
>>>>>>>>>> of
>>>>>>>>>> "To install an RODC on a full installation of Windows Server
>>>>>>>>>> 2008") I
>>>>>>>>>> get
>>>>>>>>>> "The default Password Replication Policy groups are not
>>>>>>>>>> present on
>>>>>>>>>> the
>>>>>>>>>> PDC [My PDC]. The parameter is incorrect".
>>>>>>>>>
>>>>>>>>> Back then when you prepared the Schema for Server 2008 usage,
>>>>>>>>> did you
>>>>>>>>> run
>>>>>>>>> /rodcprep and it ran correctly? Were those groups ever created?
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Florian
>>>>>>>>
>>>>>>>>
>>>>>>>> .
>>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> .
>
> --
> /kj
>
Re: Missing one of the "default Password Replication Policy groups [message #382596 is a reply to message #382547] Tue, 02 February 2010 10:12
James Brown
> I think that something in your environment is broken as the information Paul
> posted indicated that at least two of your actions should have triggered the
> creation of the required groups. Are you using an account with delegated
> permissions or (the) full builtin domain administrator account?

I'm pretty sure there's something broken but I'm having trouble finding it!
For all operations mentioned in the post I am logged into a DC using the
full builtin domain administrator account.

[My Domain]\Administrator is a member of:-

[My Domain]/Builtin, Administrators
[My Domain]/Users, CA Administrators
[My Domain]/Users, Certificate Publishers
[My Domain]/Users, Domain Admins
[My Domain]/Users, Domain Users
[My Domain]/Users, Enterprise Admins
[My Domain]/Users, Exchange Full Admins
[My Domain]/Microsoft Exchange Security Groups, Exchange Organization
Administrators
[My Domain]/Users, Group Policy Creator Owners
[My Domain]/Users, Remote Web Workplace Users
[My Domain]/Users, Schema Admins

I try not to use Administrator unless necessary and delegate permissions for
day-to-day operations.



"kj [SBS MVP]" wrote:

> James Brown wrote:
> > The first 2008 DC was made PDCe the same day. 'kj' pointed me at
> > http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx
> > and a note which seemed to indicate the RODC groups should be created
> > the first time you try to add a RODC (assuming you're NOT trying to
> > do a staged installation).
> >
> > Regardless of what should happen and however I run the 2008 R2
> > DCPROMO I ultimately run in to "The default Password Replication
> > Policy groups are not present on the PDC" (a fact that I'm painfully
> > aware of).
> >
> > I'm trawling through the logs as we speak armed with the creation
> > time of the "Denied RODC Password Replication Group".
> >
> > Quick thought, if I create a new Windows 2008 machine and promote it
> > to a DC with the PDCe role as part of the promotion do you think
> > these groups may be re-created?
> >
> > James
>
> I think that something in your environment is broken as the information Paul
> posted indicated that at least two of your actions should have triggered the
> creation of the required groups. Are you using an account with delegated
> permissions or (the) full builtin domain administrator account?
>
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> I have made a mistake, if you promote a server to an RODC these
> >> groups should also be created. See details below:
> >>
> >> After you upgrade the Windows Server 2003-based domain controller
> >> holding the role of the PDC emulator master in each domain in the
> >> forest to Windows Server 2008, or after you move the PDC emulator
> >> operations master role to a Windows Server 2008-based domain
> >> controller, or after you add a read-only domain controller (RODC) to
> >> your domain, the following new well-known and built-in groups are
> >> created:
> >>
> >> a.. Builtin\IIS_IUSRS
> >>
> >>
> >> b.. Builtin\Cryptographic Operators
> >>
> >>
> >> c.. Allowed RODC Password Replication Group
> >>
> >>
> >> d.. Denied RODC Password Replication Group
> >>
> >>
> >> e.. Read-only Domain Controllers
> >>
> >>
> >> f.. Builtin\Event Log Readers
> >>
> >>
> >> g.. Enterprise Read-only Domain Controllers (created only on the
> >> forest root domain)
> >>
> >>
> >> h.. Builtin\Certificate Service DCOM Access
> >>
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >>
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
Re: Missing one of the "default Password Replication Policy groups [message #382609 is a reply to message #382596] Tue, 02 February 2010 10:34
KevinJ.SBS
Probably going to need some additional logging enabled, but I'm not sure
just where - not knowing just what process creates those groups.... ( Thanks
Paul for citing the reference link ).

In the mean time anything interesting in the directory services event log
about the time you attempt your RODC promotion. Same for the security logs
of the PDCe ?



James Brown wrote:
>> I think that something in your environment is broken as the
>> information Paul posted indicated that at least two of your actions
>> should have triggered the creation of the required groups. Are you
>> using an account with delegated permissions or (the) full builtin
>> domain administrator account?
>
> I'm pretty sure there's something broken but I'm having trouble
> finding it! For all operations mentioned in the post I am logged into
> a DC using the full builtin domain administrator account.
>
> [My Domain]\Administrator is a member of:-
>
> [My Domain]/Builtin, Administrators
> [My Domain]/Users, CA Administrators
> [My Domain]/Users, Certificate Publishers
> [My Domain]/Users, Domain Admins
> [My Domain]/Users, Domain Users
> [My Domain]/Users, Enterprise Admins
> [My Domain]/Users, Exchange Full Admins
> [My Domain]/Microsoft Exchange Security Groups, Exchange
> Organization Administrators
> [My Domain]/Users, Group Policy Creator Owners
> [My Domain]/Users, Remote Web Workplace Users
> [My Domain]/Users, Schema Admins
>
> I try not to use Administrator unless necessary and delegate
> permissions for day-to-day operations.
>
>
>
> "kj [SBS MVP]" wrote:
>
>> James Brown wrote:
>>> The first 2008 DC was made PDCe the same day. 'kj' pointed me at
>>> http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx
>>> and a note which seemed to indicate the RODC groups should be
>>> created the first time you try to add a RODC (assuming you're NOT
>>> trying to do a staged installation).
>>>
>>> Regardless of what should happen and however I run the 2008 R2
>>> DCPROMO I ultimately run in to "The default Password Replication
>>> Policy groups are not present on the PDC" (a fact that I'm painfully
>>> aware of).
>>>
>>> I'm trawling through the logs as we speak armed with the creation
>>> time of the "Denied RODC Password Replication Group".
>>>
>>> Quick thought, if I create a new Windows 2008 machine and promote it
>>> to a DC with the PDCe role as part of the promotion do you think
>>> these groups may be re-created?
>>>
>>> James
>>
>> I think that something in your environment is broken as the
>> information Paul posted indicated that at least two of your actions
>> should have triggered the creation of the required groups. Are you
>> using an account with delegated permissions or (the) full builtin
>> domain administrator account?
>>
>>>
>>> "Paul Bergson [MVP-DS]" wrote:
>>>
>>>> I have made a mistake, if you promote a server to an RODC these
>>>> groups should also be created. See details below:
>>>>
>>>> After you upgrade the Windows Server 2003-based domain controller
>>>> holding the role of the PDC emulator master in each domain in the
>>>> forest to Windows Server 2008, or after you move the PDC emulator
>>>> operations master role to a Windows Server 2008-based domain
>>>> controller, or after you add a read-only domain controller (RODC)
>>>> to your domain, the following new well-known and built-in groups
>>>> are created:
>>>>
>>>> a.. Builtin\IIS_IUSRS
>>>>
>>>>
>>>> b.. Builtin\Cryptographic Operators
>>>>
>>>>
>>>> c.. Allowed RODC Password Replication Group
>>>>
>>>>
>>>> d.. Denied RODC Password Replication Group
>>>>
>>>>
>>>> e.. Read-only Domain Controllers
>>>>
>>>>
>>>> f.. Builtin\Event Log Readers
>>>>
>>>>
>>>> g.. Enterprise Read-only Domain Controllers (created only on the
>>>> forest root domain)
>>>>
>>>>
>>>> h.. Builtin\Certificate Service DCOM Access
>>>>
>>>>
>>>> --
>>>> Paul Bergson
>>>> MVP - Directory Services
>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>
>>>> http://www.pbbergs.com
>>>>
>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>> rights.

--
/kj
Re: Missing one of the "default Password Replication Policy groups [message #382615 is a reply to message #382546] Tue, 02 February 2010 10:46
aceman
"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:ODFIeNCpKHA.1892@TK2MSFTNGP02.phx.gbl...
> Great documentation Paul. Is there a public MS link to this somewhere?
>
> As I read that any one of the "or" conditions trigger the creation of
> these groups. ( Curious now about just what does this creation as it seems
> to be broken for the OP).
>
>

KJ, see if this link helps.

Appendix A: Background Information for Upgrading Active Directory Domains
Provides info on ADPREP, SRV records, well known groups created, security
policy changes, SMB signing differences, and much more.
http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
Re: Missing one of the "default Password Replication Policy groups [message #382634 is a reply to message #382583] Tue, 02 February 2010 11:06
aceman
"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:e8ocvnCpKHA.5328@TK2MSFTNGP04.phx.gbl...
> [Appendix A: Background Information for Upgrading Active Directory
> Domains]
> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
>

You beat me to it! I should have refreshed my newsreader first. :-)

Ace
Re: Missing one of the "default Password Replication Policy groups [message #382657 is a reply to message #382615] Tue, 02 February 2010 11:09
KevinJ.SBS
Ace Fekay [MVP-DS, MCT] wrote:
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:ODFIeNCpKHA.1892@TK2MSFTNGP02.phx.gbl...
>> Great documentation Paul. Is there a public MS link to this
>> somewhere? As I read that any one of the "or" conditions trigger the
>> creation of
>> these groups. ( Curious now about just what does this creation as it
>> seems to be broken for the OP).
>>
>>
>
> KJ, see if this link helps.
>
> Appendix A: Background Information for Upgrading Active Directory
> Domains Provides info on ADPREP, SRV records, well known groups
> created, security policy changes, SMB signing differences, and much
> more. http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx

Thanks Ace, that was the one Paul cited a post or two back. Just a WAG to
the OP at this point, but check to see if the other groups got created or if
just the allowed/denied ones did not. (The forest root enterprise rodc domain
controllers might be a clue. Is this more than a single domain forest?)


a.. Builtin\IIS_IUSRS
b.. Builtin\Cryptographic Operators
c.. Allowed RODC Password Replication Group
d.. Denied RODC Password Replication Group
e.. Read-only Domain Controllers
f.. Builtin\Event Log Readers
g.. Enterprise Read-only Domain Controllers (created only on the forest root
domain)
h.. Builtin\Certificate Service DCOM Access


--
/kj
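
The check kj suggests above (which of the listed groups were actually created), as an added example that is not part of the original thread: it binds to each group by its well-known SID rather than by name, so a renamed or moved group is still found, and reports the AD creation time for comparison with the promotion logs. The domain SID is the one shown in the log quoted earlier in the thread; the function name `Test-WellKnownGroup` is hypothetical, and the script assumes a domain-joined machine and an account that can read the directory.

```powershell
# Added example: inventory the eight groups listed in the thread by well-known SID.
# Assumption: run on a domain-joined machine (serverless LDAP bind to the logon domain).

# Domain SID as returned by GetDomainSid() in the quoted SchemaUpgradeTool.log.
# Substitute the SID of the domain being checked.
$DomainSid = 'S-1-5-21-1553700716-3413723528-2741516094'

# Builtin groups have fixed SIDs under S-1-5-32; the others are <domain SID>-<fixed RID>.
# Enterprise Read-only Domain Controllers uses the forest root domain SID, which is the
# same SID in a single-domain forest such as the one in this thread.
$Expected = @(
    @{ Name = 'Builtin\IIS_IUSRS';                         Sid = 'S-1-5-32-568' }
    @{ Name = 'Builtin\Cryptographic Operators';           Sid = 'S-1-5-32-569' }
    @{ Name = 'Allowed RODC Password Replication Group';   Sid = "$DomainSid-571" }
    @{ Name = 'Denied RODC Password Replication Group';    Sid = "$DomainSid-572" }
    @{ Name = 'Read-only Domain Controllers';              Sid = "$DomainSid-521" }
    @{ Name = 'Builtin\Event Log Readers';                 Sid = 'S-1-5-32-573' }
    @{ Name = 'Enterprise Read-only Domain Controllers';   Sid = "$DomainSid-498" }
    @{ Name = 'Builtin\Certificate Service DCOM Access';   Sid = 'S-1-5-32-574' }
)

function Test-WellKnownGroup {
    param(
        [string]$Name,   # display name from the documentation, used only for the report
        [string]$Sid     # string SID to bind to
    )

    # <SID=...> is an alternative DN form that Active Directory resolves via objectSid.
    $path    = "LDAP://<SID=$Sid>"
    $present = [System.DirectoryServices.DirectoryEntry]::Exists($path)

    $dn      = $null
    $created = $null
    if ($present) {
        $entry   = New-Object System.DirectoryServices.DirectoryEntry($path)
        # psbase bypasses PowerShell's ADSI adapter so this also works on PowerShell 1.0/2.0.
        $dn      = $entry.psbase.Properties['distinguishedName'].Value
        $created = $entry.psbase.Properties['whenCreated'].Value
        $entry.psbase.Dispose()
    }

    New-Object PSObject -Property @{
        Name              = $Name
        Sid               = $Sid
        Present           = $present
        WhenCreated       = $created
        DistinguishedName = $dn
    }
}

$report = foreach ($group in $Expected) {
    Test-WellKnownGroup -Name $group.Name -Sid $group.Sid
}

# Full inventory, then the gaps on their own so they are easy to spot.
$report | Select-Object Name, Present, WhenCreated, Sid, DistinguishedName |
    Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("Missing groups: " + (($missing | ForEach-Object { $_.Name }) -join '; '))
}
```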
Re: Missing one of the "default Password Replication Policy groups [message #382679 is a reply to message #382609] Tue, 02 February 2010 11:42
James Brown
Ok, from various logs it’s timeline time.

LEGEND:
[SBS2003] = Small Business Server 2003 R2, the existing 2003 DC
[EBS2008-Manage] = Essential Business Server 2008 Management Server role, the 1st 2008 DC
[EBS2008-Message] = Essential Business Server 2008 Message Server role, the 2nd 2008 DC

The events:
2009/12/15 18:22:08 - [EBS2008-Manage] - The 1st 2008 server (EBS Management role) was joined to the 2003 domain (forest and domain functional levels were 2003)
2009/12/15 18:30:49 - [SBS2003] - adprep.exe /forestprep /wssg /silent
2009/12/15 18:37:33 - [SBS2003] - adprep returned 0 for forestprep.
2009/12/15 18:37:33 - [SBS2003] - adprep.exe /domainprep /gpprep /wssg /silent
2009/12/15 18:37:39 - [SBS2003] - adprep returned 0 for domainprep.
2009/12/15 18:37:39 - [SBS2003] - Writing gpprep complete flag.
2009/12/15 18:54:35 - [EBS2008-Manage] - [INFO] Promotion request for replica domain controller
2009/12/15 18:55:13 - [EBS2008-Manage] - [INFO] The attempted domain controller operation has completed
2009/12/15 18:55:13 - [EBS2008-Manage] - [INFO] DsRolepSetOperationDone returned 0
2009/12/16 23:07:22 - [EBS2008-Message] - The 3rd 2008 server (EBS Message role, 2nd DC) Joined the domain
2009/12/16 23:15:56 - [EBS2008-Message] - [INFO] Promotion request for replica domain controller
2009/12/16 23:16:34 - [EBS2008-Message] - [INFO] The attempted domain controller operation has completed
2009/12/16 23:16:34 - [EBS2008-Message] - [INFO] DsRolepSetOperationDone returned 0

Once promoted the installation wizard will have transferred all FSMO roles
to [EBS2008-Message]. From [
http://technet.microsoft.com/en-gb/library/cc463519(WS.10).aspx ] there’s a
note regarding the PDCe “This role is not moved immediately during
installation. It is transferred after Windows EBS has been running for
several hours.”

2009/12/16 23:21:35 - [?] - “IIS_IUSRS” AD creation time
2009/12/16 23:21:35 - [?] - “Cryptographic Operators” AD creation time
?????????????????? - “Allowed RODC Password Replication Group” missing!!!
2009/12/16 23:21:35 - [?] - “Denied RODC Password Replication Group” AD creation time
2009/12/16 23:21:35 - [?] - “Read-only Domain Controllers” AD creation time
2009/12/16 23:21:36 - [?] - “Event Log Readers” AD creation time
2009/12/16 23:21:36 - [?] - “Enterprise Read-only Domain Controllers” AD creation time
2009/12/16 23:21:36 - [?] - “Certificate Service DCOM Access” AD creation time

The PDCe role has to be (and was) transferred back to [EBS2008-Manage]
within 30 days, can’t say exactly when at the moment
[http://technet.microsoft.com/en-gb/library/cc540520(WS.10).aspx ]

2009/12/29 11:42:13 - [SBS2003] - [INFO] Request for demotion of domain controller
2009/12/29 11:45:40 - [SBS2003] - [INFO] The attempted domain controller operation has completed
2009/12/29 11:45:40 - [SBS2003] - [INFO] DsRolepSetOperationDone returned 0

An outline of the EBS installation steps is available here [
http://technet.microsoft.com/en-gb/library/cc463474(WS.10).aspx ]

At the moment I'm virtualising a backup image of the SBS 2003 DC as it was
2009/12/16 07:09 so that I can examine the AD at that point in time.

James

"kj [SBS MVP]" wrote:

> Probably going to need some additional logging enabled, but I'm not sure
> just where - not knowing just what process creates those groups.... ( Thanks
> Paul for citing the reference link ).
>
> In the mean time anything interesting in the directory services event log
> about the time you attempt your RODC promotion. Same for the security logs
> of the PDCe ?
>
>
>
> James Brown wrote:
> >> I think that something in your environment is broken as the
> >> information Paul posted indicated that at least two of your actions
> >> should have triggered the creation of the required groups. Are you
> >> using an account with delegated permissions or (the) full builtin
> >> domain administrator account?
> >
> > I'm pretty sure there's something broken but I'm having trouble
> > finding it! For all operations mentioned in the post I am logged into
> > a DC using the full builtin domain administrator account.
> >
> > [My Domain]\Administrator is a member of:-
> >
> > [My Domain]/Builtin, Administrators
> > [My Domain]/Users, CA Administrators
> > [My Domain]/Users, Certificate Publishers
> > [My Domain]/Users, Domain Admins
> > [My Domain]/Users, Domain Users
> > [My Domain]/Users, Enterprise Admins
> > [My Domain]/Users, Exchange Full Admins
> > [My Domain]/Microsoft Exchange Security Groups, Exchange
> > Organization Administrators
> > [My Domain]/Users, Group Policy Creator Owners
> > [My Domain]/Users, Remote Web Workplace Users
> > [My Domain]/Users, Schema Admins
> >
> > I try not to use Administrator unless necessary and delegate
> > permissions for day-to-day operations.
> >
> >
> >
> > "kj [SBS MVP]" wrote:
> >
> >> James Brown wrote:
> >>> The first 2008 DC was made PDCe the same day. 'kj' pointed me at
> >>> http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx
> >>> and a note which seemed to indicate the RODC groups should be
> >>> created the first time you try to add a RODC (assuming you're NOT
> >>> trying to do a staged installation).
> >>>
> >>> Regardless of what should happen and however I run the 2008 R2
> >>> DCPROMO I ultimately run in to "The default Password Replication
> >>> Policy groups are not present on the PDC" (a fact that I'm painfully
> >>> aware of).
> >>>
> >>> I'm trawling through the logs as we speak armed with the creation
> >>> time of the "Denied RODC Password Replication Group".
> >>>
> >>> Quick thought, if I create a new Windows 2008 machine and promote it
> >>> to a DC with the PDCe role as part of the promotion do you think
> >>> these groups may be re-created?
> >>>
> >>> James
> >>
> >> I think that something in your environment is broken as the
> >> information Paul posted indicated that at least two of your actions
> >> should have triggered the creation of the required groups. Are you
> >> using an account with delegated permissions or (the) full builtin
> >> domain administrator account?
> >>
> >>>
> >>> "Paul Bergson [MVP-DS]" wrote:
> >>>
> >>>> I have made a mistake, if you promote a server to an RODC these
> >>>> groups should also be created. See details below:
> >>>>
> >>>> After you upgrade the Windows Server 2003-based domain controller
> >>>> holding the role of the PDC emulator master in each domain in the
> >>>> forest to Windows Server 2008, or after you move the PDC emulator
> >>>> operations master role to a Windows Server 2008-based domain
> >>>> controller, or after you add a read-only domain controller (RODC)
> >>>> to your domain, the following new well-known and built-in groups
> >>>> are created:
> >>>>
> >>>> a.. Builtin\IIS_IUSRS
> >>>>
> >>>>
> >>>> b.. Builtin\Cryptographic Operators
> >>>>
> >>>>
> >>>> c.. Allowed RODC Password Replication Group
> >>>>
> >>>>
> >>>> d.. Denied RODC Password Replication Group
> >>>>
> >>>>
> >>>> e.. Read-only Domain Controllers
> >>>>
> >>>>
> >>>> f.. Builtin\Event Log Readers
> >>>>
> >>>>
> >>>> g.. Enterprise Read-only Domain Controllers (created only on the
> >>>> forest root domain)
> >>>>
> >>>>
> >>>> h.. Builtin\Certificate Service DCOM Access
> >>>>
> >>>>
> >>>> --
> >>>> Paul Bergson
> >>>> MVP - Directory Services
> >>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >>>> 2008, 2003, 2000 (Early Achiever), NT4
> >>>> Microsoft's Thrive IT Pro of the Month - June 2009
> >>>>
> >>>> http://www.pbbergs.com
> >>>>
> >>>> Please no e-mails, any questions should be posted in the NewsGroup
> >>>> This posting is provided "AS IS" with no warranties, and confers no
> >>>> rights.
>
> --
> /kj
>
>
> .
>
Re: Missing one of the "default Password Replication Policy groups [message #382690 is a reply to message #382657] Tue, 02 February 2010 11:59
James Brown
Messages: 20
Registered: June 2009
Junior Member
This is a single domain forest.

See my reply (2/2/2010 10:41 AM PST) to your post (2/2/2010 10:12 AM PST)
for full timings of various AD operations including the creation of groups;
basically everything but the "Allowed" group got created.

James

"kj [SBS MVP]" wrote:

> Ace Fekay [MVP-DS, MCT] wrote:
> > "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> > news:ODFIeNCpKHA.1892@TK2MSFTNGP02.phx.gbl...
> >> Great documentation Paul. Is there a public MS link to this
> >> somewhere? As I read that any one of the "or" conditions trigger the
> >> creation of
> >> these groups. ( Curious now about just what does this creation as it
> >> seems to be broken for the OP).
> >>
> >>
> >
> > KJ, see if this link helps.
> >
> > Appendix A: Background Information for Upgrading Active Directory
> > Domains Provides info on ADPREP, SRV records, well known groups
> > created, security policy changes, SMB signing differences, and much
> > more. http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
>
> Thanks Ace, that was the one Paul cited a post or two back. Just a WAG to
> the OP at this point, but check to see if the other groups got created or it
> just the allowed/denied ones did not. (The forest root enterprise rodc domain
> controllers might be a clue. Is this more than a single domain forest?)
>
>
> a.. Builtin\IIS_IUSRS
>
>
> a.. Builtin\Cryptographic Operators
>
>
> a.. Allowed RODC Password Replication Group
>
>
> a.. Denied RODC Password Replication Group
>
>
> a.. Read-only Domain Controllers
>
>
> a.. Builtin\Event Log Readers
>
>
> a.. Enterprise Read-only Domain Controllers (created only on the forest root
> domain)
>
>
> a.. Builtin\Certificate Service DCOM Access
>
>
>
> --
> /kj
>
>
> .
>
Re: Missing one of the "default Password Replication Policy groups [message #382711 is a reply to message #382581] Tue, 02 February 2010 12:13
James Brown
Messages: 20
Registered: June 2009
Junior Member
Do you think promoting a new (and temporary) Server 2008 / Server 2008 R2
machine to DC and assigning it PDCe could spur mysterious processes into
action?

James

"Paul Bergson [MVP-DS]" wrote:

> That shouldn't have mattered if at 2003. Dang had hoped you forgot about
> this.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> news:D9E10431-3BAA-4AE6-8945-B7EE373E6EA2@microsoft.com...
> > They're both at 2008 level now. Forest was at 2003 but I raised it to
> > 2008
> > just to see if I could resolve this...
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> What is your domain and forest functional level at? If you have never
> >> updated these they are probably sitting at Windows 2000. I'm guessing
> >> you
> >> have changed these but this could be why. I'm not seeing any issues in
> >> your
> >> log files.
> >>
> >> http://support.microsoft.com/kb/322692
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >>
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup This
> >> posting is provided "AS IS" with no warranties, and confers no rights.
> >>
> >> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> >> news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
> >> > Paul, firstly thank you once again for your posts.
> >> > I'd like to post the log EBS Schema Upgrade Tools Log, it's a rather
> >> > neat
> >> > summary of the and clearly shows the ADPREP commands issued against the
> >> > 2003
> >> > DC.
> >> >
> >> > **********************************
> >> > 12/15/09 18:30:21 79208171 Opened logfile
> >> > C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09 18:30:21
> >> > 79208171
> >> > 12/15/09 18:30:21 79208187 File version info:
> >> > 12/15/09 18:30:21 79208187 modulePath: D:\SCHEMAUPGRADETOOL.EXE
> >> > 12/15/09 18:30:21 79208187 dwFileVersionMS: 0x60000 (393216)
> >> > 12/15/09 18:30:21 79208187 dwFileVersionLS: 0x16440000 (373555200)
> >> > 12/15/09 18:30:21 79208187 dwProductVersionMS: 0x60000 (393216)
> >> > 12/15/09 18:30:21 79208187 dwProductVersionLS: 0x16440000 (373555200)
> >> > 12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
> >> > 12/15/09 18:30:21 79208203 Domain Joined: TRUE
> >> > 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
> >> > 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
> >> > 12/15/09 18:30:21 79208203 GetDomainSid() returning:
> >> > S-1-5-21-1553700716-3413723528-2741516094
> >> > 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> >> > S-1-5-21-1553700716-3413723528-2741516094-512
> >> > 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> >> > S-1-5-21-1553700716-3413723528-2741516094-519
> >> > 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
> >> > 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
> >> > 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
> >> > 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
> >> > 12/15/09 18:30:21 79208593 Schema role owner is
> >> > paris.ndcconsultants.co.uk
> >> > 12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is complete:
> >> > FALSE
> >> > 12/15/09 18:30:22 79209703 Infrastructure role owner is
> >> > paris.ndcconsultants.co.uk
> >> > 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role Owner) is
> >> > complete: FALSE
> >> > 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner) is
> >> > complete:
> >> > FALSE
> >> > 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
> >> > 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role Owner:
> >> > TRUE
> >> > 12/15/09 18:30:23 79209921 .dit file path: C:\WINDOWS\NTDS\ntds.dit
> >> > 12/15/09 18:30:23 79209921 File C:\WINDOWS\NTDS\ntds.dit has size
> >> > 29376512
> >> > 12/15/09 18:30:23 79209921 .dit file size: 28 MB
> >> > 12/15/09 18:30:23 79209921 disk space required: 33 MB
> >> > 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is 170962432
> >> > 12/15/09 18:30:23 79209921 free space on .dit volume: 20643 MB
> >> > 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
> >> > 12/15/09 18:30:23 79209921 All prerequisites met.
> >> > 12/15/09 18:30:23 79209921 Prerequisite checking passed.
> >> > 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
> >> > 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
> >> > 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
> >> > 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
> >> > 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
> >> > 12/15/09 18:30:23 79209921 Infrastructure role owner is
> >> > paris.ndcconsultants.co.uk
> >> > 12/15/09 18:30:23 79209921 Schema role owner is
> >> > paris.ndcconsultants.co.uk
> >> > 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
> >> > 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows Essential
> >> > Business Server Schema Upgrade Tool is about to upgrade your schema to
> >> > the
> >> > Windows Server 2008 schema level. This process will take between three
> >> > minutes and an hour. During this time, this computers CPU and hard disk
> >> > drive
> >> > will be under heavy load. There will be heavy network traffic if you
> >> > have
> >> > multiple domain controllers or many group policy objects.
> >> > If you have not checked the physical condition of this computers hard
> >> > disk
> >> > drive recently, consider running a full bad sector test prior to
> >> > upgrading
> >> > the schema. Do not reboot or shut down this computer while the upgrade
> >> > is
> >> > in
> >> > process. Upgrading the schema is permanent (changes cannot be undone).
> >> > Click OK to begin the upgrade, or Cancel to close the tool.
> >> > 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
> >> > 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
> >> > 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
> >> > 12/15/09 18:30:44 79231421 isAclSupported: TRUE
> >> > 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
> >> > C:\WINDOWS\temp already exists (dwError=0xb7, GetLastError()=0xb7).
> >> > 12/15/09 18:30:44 79231421 LsaFreeMemory() returned: 0x0
> >> > 12/15/09 18:30:44 79231421 LsaClose() returned: 0x0
> >> > 12/15/09 18:30:44 79231421 GetDomainSid() returning:
> >> > S-1-5-21-1553700716-3413723528-2741516094
> >> > 12/15/09 18:30:44 79231421 GetSidFromRid() returning:
> >> > S-1-5-21-1553700716-3413723528-2741516094-512
> >> > 12/15/09 18:30:44 79231437 Copying files to temp directory
> >> > C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:30:44 79231437 CopyFilesToTempDirectory()
> >> > 12/15/09 18:30:44 79231437 src dir: D:\
> >> > 12/15/09 18:30:44 79231437 dest dir: C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:30:49 79236390 SHFileOperation() returned 0x0
> >> > 12/15/09 18:30:49 79236390 fileOp.fAnyOperationsAborted: FALSE
> >> > 12/15/09 18:30:49 79236390 Done copying files to temp directory.
> >> > 12/15/09 18:30:49 79236390 adprep path:
> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
> >> > 12/15/09 18:30:49 79236390 Running forestprep.
> >> > 12/15/09 18:30:49 79236390 IsWindows2000()
> >> > 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
> >> > 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
> >> > 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
> >> > 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
> >> > 12/15/09 18:30:49 79236390 DoCreateProcess()
> >> > 12/15/09 18:30:49 79236390 cmdline:
> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
> >> > 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:37:33 79640187 exit code: 0
> >> > 12/15/09 18:37:33 79640187 adprep returned 0
> >> > 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
> >> > 12/15/09 18:37:33 79640187 No replication required, running on schema
> >> > role
> >> > owner.
> >> > 12/15/09 18:37:33 79640187 Running domainprep.
> >> > 12/15/09 18:37:33 79640187 DoCreateProcess()
> >> > 12/15/09 18:37:33 79640187 cmdline:
> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
> >> > /silent
> >> > 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:37:39 79646250 exit code: 0
> >> > 12/15/09 18:37:39 79646250 adprep returned 0
> >> > 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
> >> > 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
> >> > 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp dir
> >> > C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
> >> > 12/15/09 18:37:39 79646359 Closing log.
> >> > **********************************
> >> > This tool was run once prompted by the Management Server phase of the
> >> > EBS
> >> > installation wizard. At this point in time I believe the wizard had
> >> > completed installing, updating and joining a Windows Server 2008
> >> > machine
> >> > to
> >> > the 2003 network. The tool didn't run /rodcprep.
> >> > The next step in the wizard was the promotion of the Management Server
> >> > to
> >> > DC, I'm reviewing the DCPROMO.log from this operation. I think, but I'm
> >> > not
> >> > sure, that the FSMO roles were transferred to the Management Server at
> >> > this
> >> > point. BTW I also plan to create VMs of the 2003 DC from our backup
> >> > images
> >> > just before and after in order to check on the troublesome RODC groups
> >> > but
> >> > this will take me a little while.
> >> > The rest of the EBS servers were installed and the old 2003 DC
> >> > gracefully
> >> > demoted a few weeks later.
> >> > As originally posted before attempting to create a RODC I ran the 2008
> >> > R2
> >> > adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep all
> >> > without
> >> > error. One point I'm not worried about is the 2008 version of
> >> > /rodcprep
> >> > had
> >> > not been run.
> >> > If I could just pinpoint exactly when these groups were supposed to be
> >> > created I'd be able to focus on all the events at that time.
> >> >
> >> > To say this problem is frustrating is an understatement!
> >> >
> >> > James
> >> >
> >> >
> >> > "Paul Bergson [MVP-DS]" wrote:
> >> >
> >> >> With assistance from a fellow MVP (Yusuf), it appears that in order to
> >> >> get
> >> >> these groups created you will have to move the PDCe from your 2003 DC
> >> >> to
> >> >> the
> >> >> 2008 server. This is a recommended strategy anyways.
> >> >>
> >> >> From a command prompt run the following to learn where your fsmo roles
> >> >> reside
> >> >> netdom query fsmo
> >> >>
> >> >> See:
> >> >> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
> >> >>
> >> >> --
> >> >> Paul Bergson
> >> >> MVP - Directory Services
> >> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >> >>
> >> >> http://www.pbbergs.com
> >> >>
> >> >> Please no e-mails, any questions should be posted in the NewsGroup
> >> >> This
> >> >> posting is provided "AS IS" with no warranties, and confers no rights.
> >> >>
> >> >> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> >> >> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
> >> >> > Sorry, I have never had to refer to the logs since I have been
> >> >> > successful
> >> >> > on every attempt. I would verify that the log exists and if so see
> >> >> > if
> >> >> > there are any errors. If you have something you are unable to
> >> >> > decipher
> >> >> > just post the log and I'm sure someone from the NewsGroup could
> >> >> > assist
> >> >> > in
> >> >> > reading. Most of these logs provide good details.
> >> >> >
> >> >> > --
> >> >> > Paul Bergson
> >> >> > MVP - Directory Services
> >> >> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> >> > 2008, 2003, 2000 (Early Achiever), NT4
> >> >> > Microsoft's Thrive IT Pro of the Month - June 2009
> >> >> >
> >> >> > http://www.pbbergs.com
> >> >> >
> >> >> > Please no e-mails, any questions should be posted in the NewsGroup
> >> >> > This
> >> >> > posting is provided "AS IS" with no warranties, and confers no
> >> >> > rights.
> >> >> >
> >> >> > "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
> >> >> > message
> >> >> > news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
> >> >> >> Thanks for your reply Paul.
> >> >> >>
> >> >> >> I've been trying to find out when these groups are created for a
> >> >> >> few
> >> >> >> days,
> >> >> >> I'm not sure I even have access to the right documentation to be
> >> >> >> successful.
> >> >> >>
> >> >> >> I'll retrieve the logs from backup. Any particular string for me
> >> >> >> to
> >> >> >> be
> >> >> >> searching for? I'll also review your article ASAP.
> >> >> >>
> >> >> >> Many thanks,
> >> >> >>
> >> >> >> James
> >> >> >>
> >> >> >> "Paul Bergson [MVP-DS]" wrote:
> >> >> >>
> >> >> >>> I think Florian is on to something here. I did try and track down
> >> >> >>> where
> >> >> >>> the
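Added example, not part of any poster's message: one way to check which ADPREP phases the SchemaUpgradeTool.log quoted above actually records as finished, including the re-wrapped `cmdline:` lines. The function names are hypothetical, and the sample lines are copied from the log as it appears quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Lines copied from the log quoted in the thread, newsreader quoting and wrapping kept.
SAMPLE_LOG = r"""
> >> > 12/15/09 18:30:49 79236390 Running forestprep.
> >> > 12/15/09 18:30:49 79236390 DoCreateProcess()
> >> > 12/15/09 18:30:49 79236390 cmdline:
> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
> >> > 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:37:33 79640187 exit code: 0
> >> > 12/15/09 18:37:33 79640187 adprep returned 0
> >> > 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
> >> > 12/15/09 18:37:33 79640187 Running domainprep.
> >> > 12/15/09 18:37:33 79640187 DoCreateProcess()
> >> > 12/15/09 18:37:33 79640187 cmdline:
> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
> >> > /silent
> >> > 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:37:39 79646250 exit code: 0
"""

QUOTE_PREFIX = re.compile(r"^[>\s]+")  # "> >> > " reply markers
RECORD = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+)\s*(.*)$")
EXIT_CODE = re.compile(r"^exit code:\s*(-?\d+)$", re.IGNORECASE)

# Phases named in the thread; which ones matter is the reader's call.
REQUIRED = ("/forestprep", "/domainprep", "/gpprep", "/rodcprep")


@dataclass
class AdprepRun:
    started: str                 # timestamp of the cmdline record
    switches: Tuple[str, ...]    # lower-cased "/switch" tokens
    exit_code: Optional[int]     # None if the log ends before an exit code


def records(text):
    """Rebuild (timestamp, message) records from quoted, re-wrapped log text."""
    out = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).rstrip()
        if not line or set(line) == {"*"}:   # blank or "*****" separator
            continue
        m = RECORD.match(line)
        if m:
            out.append([m.group(1), m.group(3)])
        elif out:                            # wrapped continuation of previous record
            out[-1][1] = (out[-1][1] + " " + line).strip()
    return [(ts, msg) for ts, msg in out]


def adprep_runs(text):
    """Pair every adprep.exe command line with the exit code that follows it."""
    runs, pending = [], None
    for ts, msg in records(text):
        lowered = msg.lower()
        if lowered.startswith("cmdline:") and "adprep.exe" in lowered:
            if pending is not None:          # previous run never logged an exit code
                runs.append(pending)
            switches = tuple(t.lower() for t in msg.split() if t.startswith("/"))
            pending = AdprepRun(ts, switches, None)
            continue
        m = EXIT_CODE.match(msg)
        if m and pending is not None:
            pending.exit_code = int(m.group(1))
            runs.append(pending)
            pending = None
    if pending is not None:
        runs.append(pending)
    return runs


def missing_phases(runs, required=REQUIRED):
    """Phases with no run in this log that finished with exit code 0."""
    done = {s for r in runs if r.exit_code == 0 for s in r.switches}
    return [p for p in required if p not in done]


if __name__ == "__main__":
    for run in adprep_runs(SAMPLE_LOG):
        print(run.started, " ".join(run.switches), "exit", run.exit_code)
    print("not recorded as completed in this log:", missing_phases(adprep_runs(SAMPLE_LOG)))
```

The result covers only the log it is given; phases run later by hand from other media are recorded in their own ADPREP logs.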
Re: Missing one of the "default Password Replication Policy groups [message #382721 is a reply to message #382711] Tue, 02 February 2010 12:36
pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
No.

IMHO you will have to contact PSS and get someone to tell you that certain
process will need to be run. Highly unlikely you will be able to complete
this w/o assistance from them. Before you do this consider reposting this
at activedir.org. There are multiple Microsoft MVP's there plus, Microsoft
employees. The best of the best hang out there.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
news:49133AAA-6EFE-480B-80AC-FCADF84D68C7@microsoft.com...
> Do you think promoting a new (and temporary) Server 2008 / Server 2008 R2
> machine to DC and assigning it PDCe could spur mysterious processes into
> action?
>
> James
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> That shouldn't have mattered if at 2003. Dang had hoped you forgot about
>> this.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
>> news:D9E10431-3BAA-4AE6-8945-B7EE373E6EA2@microsoft.com...
>> > They're both at 2008 level now. Forest was at 2003 but I raised it to
>> > 2008
>> > just to see if I could resolve this...
>> >
>> > "Paul Bergson [MVP-DS]" wrote:
>> >
>> >> What is your domain and forest functional level at? If you have never
>> >> updated these they are probably sitting at Windows 2000. I'm guessing
>> >> you
>> >> have changed these but this could be why. I'm not seeing any issues
>> >> in
>> >> your
>> >> log files.
>> >>
>> >> http://support.microsoft.com/kb/322692
>> >>
>> >> --
>> >> Paul Bergson
>> >> MVP - Directory Services
>> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> >> 2008, 2003, 2000 (Early Achiever), NT4
>> >> Microsoft's Thrive IT Pro of the Month - June 2009
>> >>
>> >> http://www.pbbergs.com
>> >>
>> >> Please no e-mails, any questions should be posted in the NewsGroup
>> >> This
>> >> posting is provided "AS IS" with no warranties, and confers no rights.
>> >>
>> >> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
>> >> news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
>> >> > Paul, firstly thank you once again for your posts.
>> >> > I'd like to post the log EBS Schema Upgrade Tools Log, it's a rather
>> >> > neat
>> >> > summary of the and clearly shows the ADPREP commands issued against
>> >> > the
>> >> > 2003
>> >> > DC.
>> >> >
>> >> > **********************************
>> >> > 12/15/09 18:30:21 79208171 Opened logfile
>> >> > C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09
>> >> > 18:30:21
>> >> > 79208171
>> >> > 12/15/09 18:30:21 79208187 File version info:
>> >> > 12/15/09 18:30:21 79208187 modulePath: D:\SCHEMAUPGRADETOOL.EXE
>> >> > 12/15/09 18:30:21 79208187 dwFileVersionMS: 0x60000 (393216)
>> >> > 12/15/09 18:30:21 79208187 dwFileVersionLS: 0x16440000 (373555200)
>> >> > 12/15/09 18:30:21 79208187 dwProductVersionMS: 0x60000 (393216)
>> >> > 12/15/09 18:30:21 79208187 dwProductVersionLS: 0x16440000
>> >> > (373555200)
>> >> > 12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
>> >> > 12/15/09 18:30:21 79208203 Domain Joined: TRUE
>> >> > 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
>> >> > 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
>> >> > 12/15/09 18:30:21 79208203 GetDomainSid() returning:
>> >> > S-1-5-21-1553700716-3413723528-2741516094
>> >> > 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
>> >> > S-1-5-21-1553700716-3413723528-2741516094-512
>> >> > 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
>> >> > S-1-5-21-1553700716-3413723528-2741516094-519
>> >> > 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
>> >> > 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
>> >> > 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
>> >> > 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
>> >> > 12/15/09 18:30:21 79208593 Schema role owner is
>> >> > paris.ndcconsultants.co.uk
>> >> > 12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is
>> >> > complete:
>> >> > FALSE
>> >> > 12/15/09 18:30:22 79209703 Infrastructure role owner is
>> >> > paris.ndcconsultants.co.uk
>> >> > 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role Owner)
>> >> > is
>> >> > complete: FALSE
>> >> > 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner) is
>> >> > complete:
>> >> > FALSE
>> >> > 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
>> >> > 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role Owner:
>> >> > TRUE
>> >> > 12/15/09 18:30:23 79209921 .dit file path: C:\WINDOWS\NTDS\ntds.dit
>> >> > 12/15/09 18:30:23 79209921 File C:\WINDOWS\NTDS\ntds.dit has size
>> >> > 29376512
>> >> > 12/15/09 18:30:23 79209921 .dit file size: 28 MB
>> >> > 12/15/09 18:30:23 79209921 disk space required: 33 MB
>> >> > 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is
>> >> > 170962432
>> >> > 12/15/09 18:30:23 79209921 free space on .dit volume: 20643 MB
>> >> > 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
>> >> > 12/15/09 18:30:23 79209921 All prerequisites met.
>> >> > 12/15/09 18:30:23 79209921 Prerequisite checking passed.
>> >> > 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
>> >> > 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
>> >> > 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
>> >> > 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
>> >> > 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
>> >> > 12/15/09 18:30:23 79209921 Infrastructure role owner is
>> >> > paris.ndcconsultants.co.uk
>> >> > 12/15/09 18:30:23 79209921 Schema role owner is
>> >> > paris.ndcconsultants.co.uk
>> >> > 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
>> >> > 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows
>> >> > Essential
>> >> > Business Server Schema Upgrade Tool is about to upgrade your schema
>> >> > to
>> >> > the
>> >> > Windows Server 2008 schema level. This process will take between
>> >> > three
>> >> > minutes and an hour. During this time, this computers CPU and hard
>> >> > disk
>> >> > drive
>> >> > will be under heavy load. There will be heavy network traffic if you
>> >> > have
>> >> > multiple domain controllers or many group policy objects.
>> >> > If you have not checked the physical condition of this computers
>> >> > hard
>> >> > disk
>> >> > drive recently, consider running a full bad sector test prior to
>> >> > upgrading
>> >> > the schema. Do not reboot or shut down this computer while the
>> >> > upgrade
>> >> > is
>> >> > in
>> >> > process. Upgrading the schema is permanent (changes cannot be
>> >> > undone).
>> >> > Click OK to begin the upgrade, or Cancel to close the tool.
>> >> > 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
>> >> > 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
>> >> > 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
>> >> > 12/15/09 18:30:44 79231421 isAclSupported: TRUE
>> >> > 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
>> >> > C:\WINDOWS\temp already exists (dwError=0xb7, GetLastError()=0xb7).
>> >> > 12/15/09 18:30:44 79231421 LsaFreeMemory() returned: 0x0
>> >> > 12/15/09 18:30:44 79231421 LsaClose() returned: 0x0
>> >> > 12/15/09 18:30:44 79231421 GetDomainSid() returning:
>> >> > S-1-5-21-1553700716-3413723528-2741516094
>> >> > 12/15/09 18:30:44 79231421 GetSidFromRid() returning:
>> >> > S-1-5-21-1553700716-3413723528-2741516094-512
>> >> > 12/15/09 18:30:44 79231437 Copying files to temp directory
>> >> > C:\WINDOWS\temp\ADP1.tmp
>> >> > 12/15/09 18:30:44 79231437 CopyFilesToTempDirectory()
>> >> > 12/15/09 18:30:44 79231437 src dir: D:\
>> >> > 12/15/09 18:30:44 79231437 dest dir: C:\WINDOWS\temp\ADP1.tmp
>> >> > 12/15/09 18:30:49 79236390 SHFileOperation() returned 0x0
>> >> > 12/15/09 18:30:49 79236390 fileOp.fAnyOperationsAborted: FALSE
>> >> > 12/15/09 18:30:49 79236390 Done copying files to temp directory.
>> >> > 12/15/09 18:30:49 79236390 adprep path:
>> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
>> >> > 12/15/09 18:30:49 79236390 Running forestprep.
>> >> > 12/15/09 18:30:49 79236390 IsWindows2000()
>> >> > 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
>> >> > 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
>> >> > 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
>> >> > 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
>> >> > 12/15/09 18:30:49 79236390 DoCreateProcess()
>> >> > 12/15/09 18:30:49 79236390 cmdline:
>> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
>> >> > 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
>> >> > 12/15/09 18:37:33 79640187 exit code: 0
>> >> > 12/15/09 18:37:33 79640187 adprep returned 0
>> >> > 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
>> >> > 12/15/09 18:37:33 79640187 No replication required, running on
>> >> > schema
>> >> > role
>> >> > owner.
>> >> > 12/15/09 18:37:33 79640187 Running domainprep.
>> >> > 12/15/09 18:37:33 79640187 DoCreateProcess()
>> >> > 12/15/09 18:37:33 79640187 cmdline:
>> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
>> >> > /silent
>> >> > 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
>> >> > 12/15/09 18:37:39 79646250 exit code: 0
>> >> > 12/15/09 18:37:39 79646250 adprep returned 0
>> >> > 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
>> >> > 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
>> >> > 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp dir
>> >> > C:\WINDOWS\temp\ADP1.tmp
>> >> > 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
>> >> > 12/15/09 18:37:39 79646359 Closing log.
>> >> > **********************************
>> >> > This tool was run once prompted by the Management Server phase of
>> >> > the
>> >> > EBS
>> >> > installation wizard. At this point in time I believe the wizard had
>> >> > completed installing, updating and joining a Windows Server 2008
>> >> > machine
>> >> > to
>> >> > the 2003 network. The tool didn't run /rodcprep.
>> >> > The next step in the wizard was the promotion of the Management
>> >> > Server
>> >> > to
>> >> > DC, I'm reviewing the DCPROMO.log from this operation. I think, but
>> >> > I'm
>> >> > not
>> >> > sure, that the FSMO roles were transferred to the Management Server
>> >> > at
>> >> > this
>> >> > point. BTW I also plan to create VMs of the 2003 DC from our backup
>> >> > images
>> >> > just before and after in order to check on the troublesome RODC
>> >> > groups
>> >> > but
>> >> > this will take me a little while.
>> >> > The rest of the EBS servers were installed and the old 2003 DC
>> >> > gracefully
>> >> > demoted a few weeks later.
>> >> > As originally posted before attempting to create a RODC I ran the
>> >> > 2008
>> >> > R2
>> >> > adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep all
>> >> > without
>> >> > error. One point I'm not worried about is the 2008 version of
>> >> > /rodcprep
>> >> > had
>> >> > not been run.
>> >> > If I could just pinpoint exactly when these groups were supposed to
>> >> > be
>> >> > created I'd be able to focus on all the events at that time.
>> >> >
>> >> > To say this problem is frustrating is an understatement!
>> >> >
>> >> > James
>> >> >
>> >> >
>> >> > "Paul Bergson [MVP-DS]" wrote:
>> >> >
>> >> >> With assistance from a fellow MVP (Yusuf), it appears that in order
>> >> >> to
>> >> >> get
>> >> >> these groups created you will have to move the PDCe from your 2003
>> >> >> DC
>> >> >> to
>> >> >> the
>> >> >> 2008 server. This is a recommended strategy anyways.
>> >> >>
>> >> >> From a command prompt run the following to learn where your fsmo
>> >> >> roles
>> >> >> reside
>> >> >> netdom query fsmo
>> >> >>
>> >> >> See:
>> >> >> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
>> >> >>
>> >> >> --
>> >> >> Paul Bergson
>> >> >> MVP - Directory Services
>> >> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> >> >> 2008, 2003, 2000 (Early Achiever), NT4
>> >> >> Microsoft's Thrive IT Pro of the Month - June 2009
>> >> >>
>> >> >> http://www.pbbergs.com
>> >> >>
>> >> >> Please no e-mails, any questions should be posted in the NewsGroup
>> >> >> This
>> >> >> posting is provided "AS IS" with no warranties, and confers no
>> >> >> rights.
>> >> >>
>> >> >> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>> >> >> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
>> >> >> > Sorry, I have never had to refer to the logs since I have been
>> >> >> > successful
>> >> >> > on every attempt. I would verify that the log exists and if so
>> >> >> > see
>> >> >> > if
>> >> >> > there are any errors. If you have something you are unable to
>> >> >> > decipher
>> >> >> > just post the log and I'm sure someone from the NewsGroup could
>> >> >> > assist
>> >> >> > in
>> >> >> > reading. Most of these logs provide good details.
>> >> >> >
>> >> >> > --
>> >> >> > Paul Bergson
>> >> >> > MVP - Directory Services
>> >> >> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> >> >> > 2008, 2003, 2000 (Early Achiever), NT4
>> >> >> > Microsoft's Thrive IT Pro of the Month - June 2009
>> >> >> >
>> >> >> > http://www.pbbergs.com
>> >> >> >
>> >> >> > Please no e-mails, any questions should be posted in the
>> >> >> > NewsGroup
>> >> >> > This
>> >> >> > posting is provided "AS IS" with no warranties, and confers no
>> >> >> > rights.
>> >> >> >
>> >> >> > "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
>> >> >> > message
>> >> >> > news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
>> >> >> >> Thanks for your reply Paul.
>> >> >> >>
>> >> >> >> I've been trying to find out when these groups are created for a
>> >> >> >> few
>> >> >> >> days,
>> >> >> >> I'm not sure I even have access to the right documentation to be
>> >> >> >> successful.
>> >> >> >>
>> >> >> >> I'll retrieve the logs from backup. Any particular string for
>> >> >> >> me
>> >> >> >> to
>> >> >> >> be
>> >> >> >> searching for? I'll also review your article ASAP.
>> >> >> >>
>> >> >> >> Many thanks,
>> >> >> >>
>> >> >> >> James
>> >> >> >>
>> >> >> >> "Paul Bergson [MVP-DS]" wrote:
>> >> >> >>
>> >> >> >>> I think Florian is on to something here. I did try and track
>> >> >> >>> down
>> >> >> >>> where
>> >> >> >>> the
Re: Missing one of the "default Password Replication Policy groups [message #382803 is a reply to message #382721] Tue, 02 February 2010 13:46
James Brown
Thank you very much for the advice and for all your assistance so far. I’ll
head over to activedir.org and also continue to try to sort the mess of
Software Assurance benefits so I can log an incident.

"Paul Bergson [MVP-DS]" wrote:

> No.
>
> IMHO you will have to contact PSS and get someone to tell you that certain
> process will need to be run. Highly unlikely you will be able to complete
> this w/o assistance from them. Before you do this consider reposting this
> at activedir.org. There are multiple Microsoft MVP's there plus, Microsoft
> employees. The best of the best hang out there.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> news:49133AAA-6EFE-480B-80AC-FCADF84D68C7@microsoft.com...
> > Do you think promoting a new (and temporary) Server 2008 / Server 2008 R2
> > machine to DC and assigning it PDCe could spur mysterious processes into
> > action?
> >
> > James
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> That shouldn't have mattered if at 2003. Dang had hoped you forgot about
> >> this.
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >>
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup This
> >> posting is provided "AS IS" with no warranties, and confers no rights.
> >>
> >> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> >> news:D9E10431-3BAA-4AE6-8945-B7EE373E6EA2@microsoft.com...
> >> > They're both at 2008 level now. Forest was at 2003 but I raised it to
> >> > 2008
> >> > just to see if I could resolve this...
> >> >
> >> > "Paul Bergson [MVP-DS]" wrote:
> >> >
> >> >> What is your domain and forest functional level at? If you have never
> >> >> updated these they are probably sitting at Windows 2000. I'm guessing
> >> >> you
> >> >> have changed these but this could be why. I'm not seeing any issues
> >> >> in
> >> >> your
> >> >> log files.
> >> >>
> >> >> http://support.microsoft.com/kb/322692
> >> >>
> >> >> --
> >> >> Paul Bergson
> >> >> MVP - Directory Services
> >> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >> >>
> >> >> http://www.pbbergs.com
> >> >>
> >> >> Please no e-mails, any questions should be posted in the NewsGroup
> >> >> This
> >> >> posting is provided "AS IS" with no warranties, and confers no rights.
> >> >>
> >> >> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> >> >> news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
> >> >> > Paul, firstly thank you once again for your posts.
> >> >> > I'd like to post the log EBS Schema Upgrade Tools Log, it's a rather
> >> >> > neat
> >> >> > summary of the and clearly shows the ADPREP commands issued against
> >> >> > the
> >> >> > 2003
> >> >> > DC.
> >> >> >
> >> >> > **********************************
> >> >> > 12/15/09 18:30:21 79208171 Opened logfile
> >> >> > C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09
> >> >> > 18:30:21
> >> >> > 79208171
> >> >> > 12/15/09 18:30:21 79208187 File version info:
> >> >> > 12/15/09 18:30:21 79208187 modulePath: D:\SCHEMAUPGRADETOOL.EXE
> >> >> > 12/15/09 18:30:21 79208187 dwFileVersionMS: 0x60000 (393216)
> >> >> > 12/15/09 18:30:21 79208187 dwFileVersionLS: 0x16440000 (373555200)
> >> >> > 12/15/09 18:30:21 79208187 dwProductVersionMS: 0x60000 (393216)
> >> >> > 12/15/09 18:30:21 79208187 dwProductVersionLS: 0x16440000
> >> >> > (373555200)
> >> >> > 12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
> >> >> > 12/15/09 18:30:21 79208203 Domain Joined: TRUE
> >> >> > 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
> >> >> > 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
> >> >> > 12/15/09 18:30:21 79208203 GetDomainSid() returning:
> >> >> > S-1-5-21-1553700716-3413723528-2741516094
> >> >> > 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> >> >> > S-1-5-21-1553700716-3413723528-2741516094-512
> >> >> > 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> >> >> > S-1-5-21-1553700716-3413723528-2741516094-519
> >> >> > 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
> >> >> > 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
> >> >> > 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
> >> >> > 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
> >> >> > 12/15/09 18:30:21 79208593 Schema role owner is
> >> >> > paris.ndcconsultants.co.uk
> >> >> > 12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is
> >> >> > complete:
> >> >> > FALSE
> >> >> > 12/15/09 18:30:22 79209703 Infrastructure role owner is
> >> >> > paris.ndcconsultants.co.uk
> >> >> > 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role Owner)
> >> >> > is
> >> >> > complete: FALSE
> >> >> > 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner) is
> >> >> > complete:
> >> >> > FALSE
> >> >> > 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
> >> >> > 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role Owner:
> >> >> > TRUE
> >> >> > 12/15/09 18:30:23 79209921 .dit file path: C:\WINDOWS\NTDS\ntds.dit
> >> >> > 12/15/09 18:30:23 79209921 File C:\WINDOWS\NTDS\ntds.dit has size
> >> >> > 29376512
> >> >> > 12/15/09 18:30:23 79209921 .dit file size: 28 MB
> >> >> > 12/15/09 18:30:23 79209921 disk space required: 33 MB
> >> >> > 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is
> >> >> > 170962432
> >> >> > 12/15/09 18:30:23 79209921 free space on .dit volume: 20643 MB
> >> >> > 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
> >> >> > 12/15/09 18:30:23 79209921 All prerequisites met.
> >> >> > 12/15/09 18:30:23 79209921 Prerequisite checking passed.
> >> >> > 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
> >> >> > 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
> >> >> > 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
> >> >> > 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
> >> >> > 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
> >> >> > 12/15/09 18:30:23 79209921 Infrastructure role owner is
> >> >> > paris.ndcconsultants.co.uk
> >> >> > 12/15/09 18:30:23 79209921 Schema role owner is
> >> >> > paris.ndcconsultants.co.uk
> >> >> > 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
> >> >> > 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows
> >> >> > Essential
> >> >> > Business Server Schema Upgrade Tool is about to upgrade your schema
> >> >> > to
> >> >> > the
> >> >> > Windows Server 2008 schema level. This process will take between
> >> >> > three
> >> >> > minutes and an hour. During this time, this computers CPU and hard
> >> >> > disk
> >> >> > drive
> >> >> > will be under heavy load. There will be heavy network traffic if you
> >> >> > have
> >> >> > multiple domain controllers or many group policy objects.
> >> >> > If you have not checked the physical condition of this computers
> >> >> > hard
> >> >> > disk
> >> >> > drive recently, consider running a full bad sector test prior to
> >> >> > upgrading
> >> >> > the schema. Do not reboot or shut down this computer while the
> >> >> > upgrade
> >> >> > is
> >> >> > in
> >> >> > process. Upgrading the schema is permanent (changes cannot be
> >> >> > undone).
> >> >> > Click OK to begin the upgrade, or Cancel to close the tool.
> >> >> > 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
> >> >> > 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
> >> >> > 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
> >> >> > 12/15/09 18:30:44 79231421 isAclSupported: TRUE
> >> >> > 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
> >> >> > C:\WINDOWS\temp already exists (dwError=0xb7, GetLastError()=0xb7).
> >> >> > 12/15/09 18:30:44 79231421 LsaFreeMemory() returned: 0x0
> >> >> > 12/15/09 18:30:44 79231421 LsaClose() returned: 0x0
> >> >> > 12/15/09 18:30:44 79231421 GetDomainSid() returning:
> >> >> > S-1-5-21-1553700716-3413723528-2741516094
> >> >> > 12/15/09 18:30:44 79231421 GetSidFromRid() returning:
> >> >> > S-1-5-21-1553700716-3413723528-2741516094-512
> >> >> > 12/15/09 18:30:44 79231437 Copying files to temp directory
> >> >> > C:\WINDOWS\temp\ADP1.tmp
> >> >> > 12/15/09 18:30:44 79231437 CopyFilesToTempDirectory()
> >> >> > 12/15/09 18:30:44 79231437 src dir: D:\
> >> >> > 12/15/09 18:30:44 79231437 dest dir: C:\WINDOWS\temp\ADP1.tmp
> >> >> > 12/15/09 18:30:49 79236390 SHFileOperation() returned 0x0
> >> >> > 12/15/09 18:30:49 79236390 fileOp.fAnyOperationsAborted: FALSE
> >> >> > 12/15/09 18:30:49 79236390 Done copying files to temp directory.
> >> >> > 12/15/09 18:30:49 79236390 adprep path:
> >> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
> >> >> > 12/15/09 18:30:49 79236390 Running forestprep.
> >> >> > 12/15/09 18:30:49 79236390 IsWindows2000()
> >> >> > 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
> >> >> > 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
> >> >> > 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
> >> >> > 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
> >> >> > 12/15/09 18:30:49 79236390 DoCreateProcess()
> >> >> > 12/15/09 18:30:49 79236390 cmdline:
> >> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
> >> >> > 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> >> > 12/15/09 18:37:33 79640187 exit code: 0
> >> >> > 12/15/09 18:37:33 79640187 adprep returned 0
> >> >> > 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
> >> >> > 12/15/09 18:37:33 79640187 No replication required, running on
> >> >> > schema
> >> >> > role
> >> >> > owner.
> >> >> > 12/15/09 18:37:33 79640187 Running domainprep.
> >> >> > 12/15/09 18:37:33 79640187 DoCreateProcess()
> >> >> > 12/15/09 18:37:33 79640187 cmdline:
> >> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
> >> >> > /silent
> >> >> > 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> >> > 12/15/09 18:37:39 79646250 exit code: 0
> >> >> > 12/15/09 18:37:39 79646250 adprep returned 0
> >> >> > 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
> >> >> > 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
> >> >> > 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp dir
> >> >> > C:\WINDOWS\temp\ADP1.tmp
> >> >> > 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
> >> >> > 12/15/09 18:37:39 79646359 Closing log.
> >> >> > **********************************
> >> >> > This tool was run once prompted by the Management Server phase of
> >> >> > the
> >> >> > EBS
> >> >> > installation wizard. At this point in time I believe the wizard had
> >> >> > completed installing, updating and joining a Windows Server 2008
> >> >> > machine
> >> >> > to
> >> >> > the 2003 network. The tool didn't run /rodcprep.
> >> >> > The next step in the wizard was the promotion of the Management
> >> >> > Server
> >> >> > to
> >> >> > DC, I'm reviewing the DCPROMO.log from this operation. I think, but
> >> >> > I'm
> >> >> > not
> >> >> > sure, that the FSMO roles were transferred to the Management Server
> >> >> > at
> >> >> > this
> >> >> > point. BTW I also plan to create VMs of the 2003 DC from our backup
> >> >> > images
> >> >> > just before and after in order to check on the troublesome RODC
> >> >> > groups
> >> >> > but
> >> >> > this will take me a little while.
> >> >> > The rest of the EBS servers were installed and the old 2003 DC
> >> >> > gracefully
> >> >> > demoted a few weeks later.
> >> >> > As originally posted before attempting to create a RODC I ran the
> >> >> > 2008
> >> >> > R2
> >> >> > adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep all
> >> >> > without
> >> >> > error. One point I'm not worried about is the 2008 version of
> >> >> > /rodcprep
> >> >> > had
> >> >> > not been run.
> >> >> > If I could just pinpoint exactly when these groups were supposed to
> >> >> > be
> >> >> > created I'd be able to focus on all the events at that time.
> >> >> >
> >> >> > To say this problem is frustrating is an understatement!
> >> >> >
> >> >> > James
> >> >> >
> >> >> >
> >> >> > "Paul Bergson [MVP-DS]" wrote:
> >> >> >
> >> >> >> With assistance from a fellow MVP (Yusuf), it appears that in order
> >> >> >> to
> >> >> >> get
> >> >> >> these groups created you will have to move the PDCe from your 2003
> >> >> >> DC
> >> >> >> to
> >> >> >> the
> >> >> >> 2008 server. This is a recommended strategy anyways.
> >> >> >>
> >> >> >> From a command prompt run the following to learn where your fsmo
> >> >> >> roles
> >> >> >> reside
> >> >> >> netdom query fsmo
> >> >> >>
> >> >> >> See:
> >> >> >> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
> >> >> >>
> >> >> >> --
> >> >> >> Paul Bergson
> >> >> >> MVP - Directory Services
> >> >> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> >> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> >> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >> >> >>
> >> >> >> http://www.pbbergs.com
> >> >> >>
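
Added example, not part of any post in this thread: a Python script that reads a quoted, re-wrapped copy of the SchemaUpgradeTool.log shown above and lists which adprep switches were logged with exit code 0, the check James does by eye when he notes that the tool did not run /rodcprep. The function names are this example's own, and the sample is an excerpt of the log lines quoted in the thread.

```python
import re

# Entry header used by SchemaUpgradeTool.log: "MM/DD/YY HH:MM:SS <tick> ".
ENTRY = re.compile(r"(?<!\S)(\d{2}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}) (\d+)(?= |$)")
QUOTE_PREFIX = re.compile(r"^[>\s]+")
PREP_SWITCHES = ("/forestprep", "/domainprep", "/gpprep", "/rodcprep")

# Excerpt of the log as quoted in the thread, with its reply markers and wrapping.
SAMPLE = r"""
> >> >> > 12/15/09 18:30:21 79208171 Opened logfile
> >> >> > C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09
> >> >> > 18:30:21
> >> >> > 79208171
> >> >> > 12/15/09 18:30:21 79208187 File version info:
> >> >> > 12/15/09 18:30:49 79236390 Running forestprep.
> >> >> > 12/15/09 18:30:49 79236390 DoCreateProcess()
> >> >> > 12/15/09 18:30:49 79236390 cmdline:
> >> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
> >> >> > 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> >> > 12/15/09 18:37:33 79640187 exit code: 0
> >> >> > 12/15/09 18:37:33 79640187 adprep returned 0
> >> >> > 12/15/09 18:37:33 79640187 Running domainprep.
> >> >> > 12/15/09 18:37:33 79640187 DoCreateProcess()
> >> >> > 12/15/09 18:37:33 79640187 cmdline:
> >> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
> >> >> > /silent
> >> >> > 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> >> > 12/15/09 18:37:39 79646250 exit code: 0
> >> >> > 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
"""


def parse_entries(text):
    """Return (date, time, tick, message) tuples from a quoted, wrapped log copy."""
    # Drop reply markers, then undo the mail client's line wrapping.
    lines = (QUOTE_PREFIX.sub("", ln).strip() for ln in text.splitlines())
    flat = " ".join(ln for ln in lines if ln)
    marks = list(ENTRY.finditer(flat))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        message = flat[m.end():end].strip()
        # "Opened logfile ... at <timestamp>" embeds a timestamp inside a
        # message; it matches ENTRY but carries no text, so it is skipped.
        if message:
            entries.append((m.group(1), m.group(2), int(m.group(3)), message))
    return entries


def adprep_runs(entries):
    """Pair each adprep.exe command line with the exit code logged after it."""
    runs, current = [], None
    for date, time, _tick, msg in entries:
        if msg.startswith("cmdline:") and "adprep.exe" in msg.lower():
            args = msg.lower().split("adprep.exe", 1)[1]
            current = {"started": f"{date} {time}",
                       "switches": re.findall(r"/[a-z]+", args),
                       "exit_code": None}
            runs.append(current)
        elif current is not None and msg.startswith("exit code:"):
            current["exit_code"] = int(msg.split(":", 1)[1])
            current = None
    return runs


def prep_coverage(runs):
    """Map each preparation switch to True if a run that exited 0 used it."""
    done = {s for r in runs if r["exit_code"] == 0 for s in r["switches"]}
    return {s: s in done for s in PREP_SWITCHES}


if __name__ == "__main__":
    found = adprep_runs(parse_entries(SAMPLE))
    for run in found:
        print(run["started"], " ".join(run["switches"]), "exit", run["exit_code"])
    for switch, ok in prep_coverage(found).items():
        print(f"{switch:12} {'logged, exit 0' if ok else 'not in this log'}")
```

The result covers only what this one log recorded; it says nothing about adprep runs made later from other media, or about whether the groups exist in the directory.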
Re: Missing one of the "default Password Replication Policy groups [message #382866 is a reply to message #382803] Tue, 02 February 2010 15:00
KevinJ.SBS
While waiting for a better idea, try removing the administrator membership
from the RWW group. I don't have an EBS lab to compare to and it doesn't
make sense that the other groups would be created but not the allowed group.

Otherwise, I'm out of ideas, but please post back PSS's solution if it gets
that far.

James Brown wrote:
> Thank you very much for the advice and for all your assistance so
> far. I'll head over to activedir.org and also continue to try to
> sort the mess of Software Assurance benefits so I can log an incident.

--
/kj
Re: Missing one of the "default Password Replication Policy groups [message #383186 is a reply to message #382866] Wed, 03 February 2010 02:57
James Brown
No joy I'm afraid.

"kj [SBS MVP]" wrote:

> While waiting for a better idea, try removing the administrator membership
> from the RWW group. I don't have an EBS lab to compare to and it doesn't
> make sense that the other groups would be created but not the allowed group.
>
> Otherwise, I'm out of ideas, but please post back PSS's solution if it gets
> that far.
>
> James Brown wrote:
> > Thank you very much for the advice and for all your assistance so
> > far. I'll head over to activedir.org and also continue to try to
> > sort the mess of Software Assurance benefits so I can log an incident.
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> No.
> >>
> >> IMHO you will have to contact PSS and get someone to tell you that
> >> certain process will need to be run. Highly unlikely you will be
> >> able to complete this w/o assistance from them. Before you do this
> >> consider reposting this at activedir.org. There are multiple
> >> Microsoft MVP's there plus, Microsoft employees. The best of the
> >> best hang out there.
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >>
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
> >> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> >> news:49133AAA-6EFE-480B-80AC-FCADF84D68C7@microsoft.com...
> >>> Do you think promoting a new (and temporary) Server 2008 / Server
> >>> 2008 R2 machine to DC and assigning it PDCe could spur mysterious
> >>> processes into action?
> >>>
> >>> James
> >>>
> >>> "Paul Bergson [MVP-DS]" wrote:
> >>>
> >>>> That shouldn't have mattered if at 2003. Dang had hoped you
> >>>> forgot about this.
> >>>>
> >>>> --
> >>>> Paul Bergson
> >>>> MVP - Directory Services
> >>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >>>> 2008, 2003, 2000 (Early Achiever), NT4
> >>>> Microsoft's Thrive IT Pro of the Month - June 2009
> >>>>
> >>>> http://www.pbbergs.com
> >>>>
> >>>> Please no e-mails, any questions should be posted in the NewsGroup
> >>>> This posting is provided "AS IS" with no warranties, and confers
> >>>> no rights.
> >>>>
> >>>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
> >>>> message news:D9E10431-3BAA-4AE6-8945-B7EE373E6EA2@microsoft.com...
> >>>>> They're both at 2008 level now. Forest was at 2003 but I raised
> >>>>> it to 2008
> >>>>> just to see if I could resolve this...
> >>>>>
> >>>>> "Paul Bergson [MVP-DS]" wrote:
> >>>>>
> >>>>>> What is your domain and forest functional level at? If you have
> >>>>>> never updated these they are probably sitting at Windows 2000.
> >>>>>> I'm guessing you
> >>>>>> have changed these but this could be why. I'm not seeing any
> >>>>>> issues in
> >>>>>> your
> >>>>>> log files.
> >>>>>>
> >>>>>> http://support.microsoft.com/kb/322692
> >>>>>>
> >>>>>> --
> >>>>>> Paul Bergson
> >>>>>> MVP - Directory Services
> >>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >>>>>> 2008, 2003, 2000 (Early Achiever), NT4
> >>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
> >>>>>>
> >>>>>> http://www.pbbergs.com
> >>>>>>
> >>>>>> Please no e-mails, any questions should be posted in the
> >>>>>> NewsGroup This
> >>>>>> posting is provided "AS IS" with no warranties, and confers no
> >>>>>> rights.
> >>>>>>
> >>>>>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
> >>>>>> message
> >>>>>> news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
> >>>>>>> Paul, firstly thank you once again for your posts.
> >>>>>>> I'd like to post the log EBS Schema Upgrade Tools Log, it's a
> >>>>>>> rather neat
> >>>>>>> summary of the and clearly shows the ADPREP commands issued
> >>>>>>> against the
> >>>>>>> 2003
> >>>>>>> DC.
> >>>>>>>
> >>>>>>> **********************************
> >>>>>>> 12/15/09 18:30:21 79208171 Opened logfile
> >>>>>>> C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09
> >>>>>>> 18:30:21
> >>>>>>> 79208171
> >>>>>>> 12/15/09 18:30:21 79208187 File version info:
> >>>>>>> 12/15/09 18:30:21 79208187 modulePath:
> >>>>>>> D:\SCHEMAUPGRADETOOL.EXE 12/15/09 18:30:21 79208187
> >>>>>>> dwFileVersionMS: 0x60000 (393216) 12/15/09 18:30:21 79208187
> >>>>>>> dwFileVersionLS: 0x16440000 (373555200) 12/15/09 18:30:21
> >>>>>>> 79208187 dwProductVersionMS: 0x60000 (393216) 12/15/09
> >>>>>>> 18:30:21 79208187 dwProductVersionLS: 0x16440000 (373555200)
> >>>>>>> 12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
> >>>>>>> 12/15/09 18:30:21 79208203 Domain Joined: TRUE
> >>>>>>> 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
> >>>>>>> 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
> >>>>>>> 12/15/09 18:30:21 79208203 GetDomainSid() returning:
> >>>>>>> S-1-5-21-1553700716-3413723528-2741516094
> >>>>>>> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> >>>>>>> S-1-5-21-1553700716-3413723528-2741516094-512
> >>>>>>> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> >>>>>>> S-1-5-21-1553700716-3413723528-2741516094-519
> >>>>>>> 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
> >>>>>>> 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
> >>>>>>> 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
> >>>>>>> 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
> >>>>>>> 12/15/09 18:30:21 79208593 Schema role owner is
> >>>>>>> paris.ndcconsultants.co.uk
> >>>>>>> 12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is
> >>>>>>> complete:
> >>>>>>> FALSE
> >>>>>>> 12/15/09 18:30:22 79209703 Infrastructure role owner is
> >>>>>>> paris.ndcconsultants.co.uk
> >>>>>>> 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role
> >>>>>>> Owner) is
> >>>>>>> complete: FALSE
> >>>>>>> 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner)
> >>>>>>> is complete:
> >>>>>>> FALSE
> >>>>>>> 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
> >>>>>>> 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role
> >>>>>>> Owner: TRUE
> >>>>>>> 12/15/09 18:30:23 79209921 .dit file path:
> >>>>>>> C:\WINDOWS\NTDS\ntds.dit 12/15/09 18:30:23 79209921 File
> >>>>>>> C:\WINDOWS\NTDS\ntds.dit has size 29376512
> >>>>>>> 12/15/09 18:30:23 79209921 .dit file size: 28 MB
> >>>>>>> 12/15/09 18:30:23 79209921 disk space required: 33 MB
> >>>>>>> 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is
> >>>>>>> 170962432
> >>>>>>> 12/15/09 18:30:23 79209921 free space on .dit volume: 20643 MB
> >>>>>>> 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
> >>>>>>> 12/15/09 18:30:23 79209921 All prerequisites met.
> >>>>>>> 12/15/09 18:30:23 79209921 Prerequisite checking passed.
> >>>>>>> 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
> >>>>>>> 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
> >>>>>>> 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
> >>>>>>> 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
> >>>>>>> 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
> >>>>>>> 12/15/09 18:30:23 79209921 Infrastructure role owner is
> >>>>>>> paris.ndcconsultants.co.uk
> >>>>>>> 12/15/09 18:30:23 79209921 Schema role owner is
> >>>>>>> paris.ndcconsultants.co.uk
> >>>>>>> 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
> >>>>>>> 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows
> >>>>>>> Essential
> >>>>>>> Business Server Schema Upgrade Tool is about to upgrade your
> >>>>>>> schema to
> >>>>>>> the
> >>>>>>> Windows Server 2008 schema level. This process will take between
> >>>>>>> three
> >>>>>>> minutes and an hour. During this time, this computers CPU and
> >>>>>>> hard disk
> >>>>>>> drive
> >>>>>>> will be under heavy load. There will be heavy network traffic
> >>>>>>> if you have
> >>>>>>> multiple domain controllers or many group policy objects.
> >>>>>>> If you have not checked the physical condition of this computers
> >>>>>>> hard
> >>>>>>> disk
> >>>>>>> drive recently, consider running a full bad sector test prior to
> >>>>>>> upgrading
> >>>>>>> the schema. Do not reboot or shut down this computer while the
> >>>>>>> upgrade
> >>>>>>> is
> >>>>>>> in
> >>>>>>> process. Upgrading the schema is permanent (changes cannot be
> >>>>>>> undone).
> >>>>>>> Click OK to begin the upgrade, or Cancel to close the tool.
> >>>>>>> 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
> >>>>>>> 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
> >>>>>>> 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
> >>>>>>> 12/15/09 18:30:44 79231421 isAclSupported: TRUE
> >>>>>>> 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
> >>>>>>> C:\WINDOWS\temp already exists (dwError=0xb7,
> >>>>>>> GetLastError()=0xb7). 12/15/09 18:30:44 79231421
> >>>>>>> LsaFreeMemory() returned: 0x0 12/15/09 18:30:44 79231421
> >>>>>>> LsaClose() returned: 0x0 12/15/09 18:30:44 79231421
> >>>>>>> GetDomainSid() returning:
> >>>>>>> S-1-5-21-1553700716-3413723528-2741516094 12/15/09 18:30:44
> >>>>>>> 79231421 GetSidFromRid() returning:
> >>>>>>> S-1-5-21-1553700716-3413723528-2741516094-512 12/15/09 18:30:44
> >>>>>>> 79231437 Copying files to temp directory
> >>>>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:30:44 79231437
> >>>>>>> CopyFilesToTempDirectory() 12/15/09 18:30:44 79231437 src dir:
> >>>>>>> D:\ 12/15/09 18:30:44 79231437 dest dir:
> >>>>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:30:49 79236390
> >>>>>>> SHFileOperation() returned 0x0 12/15/09 18:30:49 79236390
> >>>>>>> fileOp.fAnyOperationsAborted: FALSE 12/15/09 18:30:49 79236390
> >>>>>>> Done copying files to temp directory. 12/15/09 18:30:49
> >>>>>>> 79236390 adprep path: C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
> >>>>>>> 12/15/09 18:30:49 79236390 Running forestprep.
> >>>>>>> 12/15/09 18:30:49 79236390 IsWindows2000()
> >>>>>>> 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
> >>>>>>> 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
> >>>>>>> 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
> >>>>>>> 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
> >>>>>>> 12/15/09 18:30:49 79236390 DoCreateProcess()
> >>>>>>> 12/15/09 18:30:49 79236390 cmdline:
> >>>>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg
> >>>>>>> /silent 12/15/09 18:30:49 79236390 startingDir:
> >>>>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:37:33 79640187 exit
> >>>>>>> code: 0 12/15/09 18:37:33 79640187 adprep returned 0
> >>>>>>> 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
> >>>>>>> 12/15/09 18:37:33 79640187 No replication required, running on
> >>>>>>> schema
> >>>>>>> role
> >>>>>>> owner.
> >>>>>>> 12/15/09 18:37:33 79640187 Running domainprep.
> >>>>>>> 12/15/09 18:37:33 79640187 DoCreateProcess()
> >>>>>>> 12/15/09 18:37:33 79640187 cmdline:
> >>>>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep
> >>>>>>> /wssg /silent
> >>>>>>> 12/15/09 18:37:33 79640187 startingDir:
> >>>>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:37:39 79646250 exit
> >>>>>>> code: 0 12/15/09 18:37:39 79646250 adprep returned 0
> >>>>>>> 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
> >>>>>>> 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
> >>>>>>> 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp
> >>>>>>> dir C:\WINDOWS\temp\ADP1.tmp
> >>>>>>> 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
> >>>>>>> 12/15/09 18:37:39 79646359 Closing log.
> >>>>>>> **********************************
> >>>>>>> This tool was run once prompted by the Management Server phase
> >>>>>>> of the
> >>>>>>> EBS
> >>>>>>> installation wizard. At this point in time I believe the
> >>>>>>> wizard had completed installing, updating and joining a Windows
> >>>>>>> Server 2008 machine
> >>>>>>> to
> >>>>>>> the 2003 network. The tool didn't run /rodcprep.
> >>>>>>> The next step in the wizard was the promotion of the Management
> >>>>>>> Server
> >>>>>>> to
> >>>>>>> DC, I'm reviewing the DCPROMO.log from this operation. I think,
> >>>>>>> but I'm
> >>>>>>> not
> >>>>>>> sure, that the FSMO roles were transferred to the Management
> >>>>>>> Server at
> >>>>>>> this
> >>>>>>> point. BTW I also plan to create VMs of the 2003 DC from our
> >>>>>>> backup images
> >>>>>>> just before and after in order to check on the troublesome RODC
> >>>>>>> groups
> >>>>>>> but
> >>>>>>> this will take me a little while.
> >>>>>>> The rest of the EBS servers were installed and the old 2003 DC
> >>>>>>> gracefully
> >>>>>>> demoted a few weeks later.
> >>>>>>> As originally posted before attempting to create a RODC I ran
> >>>>>>> the 2008
> >>>>>>> R2
> >>>>>>> adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep
> >>>>>>> all without
> >>>>>>> error. One point I'm not worried about is the 2008 version of
> >>>>>>> /rodcprep
> >>>>>>> had
> >>>>>>> not been run.
> >>>>>>> If I could just pinpoint exactly when these groups were
> >>>>>>> supposed to be
> >>>>>>> created I'd be able to focus on all the events at that time.
> >>>>>>>
> >>>>>>> To say this problem is frustrating is an understatement!
> >>>>>>>
> >>>>>>> James
> >>>>>>>
> >>>>>>>
> >>>>>>> "Paul Bergson [MVP-DS]" wrote:
> >>>>>>>
> >>>>>>>> With assistance from a fellow MVP (Yusuf), it appears that in
> >>>>>>>> order to
> >>>>>>>> get
> >>>>>>>> these groups created you will have to move the PDCe from your
> >>>>>>>> 2003 DC
> >>>>>>>> to
> >>>>>>>> the
Re: Missing one of the "default Password Replication Policy groups [message #383271 is a reply to message #383186] Wed, 03 February 2010 06:30
pbbergs, United States
Check out Christopher Anderson's reply, I think that is what you need. I
wanted to repost this so that if someone starts to follow this thread they
have an option to try.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

You can retry triggering the operational attribute runSamUpgradeTasks; if I
recall correctly, this operational attribute is responsible for creating
those groups.

http://msdn.microsoft.com/en-us/library/dd240061(PROT.13).aspx


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
news:C0871E47-E782-40E6-924D-C3153DAFB375@microsoft.com...
> No joy I'm afraid.
>
> "kj [SBS MVP]" wrote:
>
>> While waiting for a better idea, try removing the administrator membership
>> from the RWW group. I don't have an EBS lab to compare to and it doesn't
>> make sense that the other groups would be created but not the allowed
>> group.
>>
>> Otherwise, I'm out of ideas, but please post back PSS's solution if it
>> gets
>> that far.
>>
>> James Brown wrote:
>> > Thank you very much for the advice and for all your assistance so
>> > far. I'll head over to activedir.org and also continue to try to
>> > sort the mess of Software Assurance benefits so I can log an incident.
>> >
>> > "Paul Bergson [MVP-DS]" wrote:
>> >
>> >> No.
>> >>
>> >> IMHO you will have to contact PSS and get someone to tell you that
>> >> certain process will need to be run. Highly unlikely you will be
>> >> able to complete this w/o assistance from them. Before you do this
>> >> consider reposting this at activedir.org. There are multiple
>> >> Microsoft MVP's there plus, Microsoft employees. The best of the
>> >> best hang out there.
>> >>
>> >> --
>> >> Paul Bergson
>> >> MVP - Directory Services
>> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> >> 2008, 2003, 2000 (Early Achiever), NT4
>> >> Microsoft's Thrive IT Pro of the Month - June 2009
>> >>
>> >> http://www.pbbergs.com
>> >>
>> >> Please no e-mails, any questions should be posted in the NewsGroup
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >>
>> >> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
>> >> news:49133AAA-6EFE-480B-80AC-FCADF84D68C7@microsoft.com...
>> >>> Do you think promoting a new (and temporary) Server 2008 / Server
>> >>> 2008 R2 machine to DC and assigning it PDCe could spur mysterious
>> >>> processes into action?
>> >>>
>> >>> James
>> >>>
>> >>> "Paul Bergson [MVP-DS]" wrote:
>> >>>
>> >>>> That shouldn't have mattered if at 2003. Dang had hoped you
>> >>>> forgot about this.
>> >>>>
>> >>>> --
>> >>>> Paul Bergson
>> >>>> MVP - Directory Services
>> >>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> >>>> 2008, 2003, 2000 (Early Achiever), NT4
>> >>>> Microsoft's Thrive IT Pro of the Month - June 2009
>> >>>>
>> >>>> http://www.pbbergs.com
>> >>>>
>> >>>> Please no e-mails, any questions should be posted in the NewsGroup
>> >>>> This posting is provided "AS IS" with no warranties, and confers
>> >>>> no rights.
>> >>>>
>> >>>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
>> >>>> message news:D9E10431-3BAA-4AE6-8945-B7EE373E6EA2@microsoft.com...
>> >>>>> They're both at 2008 level now. Forest was at 2003 but I raised
>> >>>>> it to 2008
>> >>>>> just to see if I could resolve this...
>> >>>>>
>> >>>>> "Paul Bergson [MVP-DS]" wrote:
>> >>>>>
>> >>>>>> What is your domain and forest functional level at? If you have
>> >>>>>> never updated these they are probably sitting at Windows 2000.
>> >>>>>> I'm guessing you
>> >>>>>> have changed these but this could be why. I'm not seeing any
>> >>>>>> issues in
>> >>>>>> your
>> >>>>>> log files.
>> >>>>>>
>> >>>>>> http://support.microsoft.com/kb/322692
>> >>>>>>
>> >>>>>> --
>> >>>>>> Paul Bergson
>> >>>>>> MVP - Directory Services
>> >>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> >>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>> >>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>> >>>>>>
>> >>>>>> http://www.pbbergs.com
>> >>>>>>
>> >>>>>> Please no e-mails, any questions should be posted in the
>> >>>>>> NewsGroup This
>> >>>>>> posting is provided "AS IS" with no warranties, and confers no
>> >>>>>> rights.
>> >>>>>>
>> >>>>>> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
>> >>>>>> message
>> >>>>>> news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
>> >>>>>>> Paul, firstly thank you once again for your posts.
>> >>>>>>> I'd like to post the log EBS Schema Upgrade Tools Log, it's a
>> >>>>>>> rather neat
>> >>>>>>> summary of the and clearly shows the ADPREP commands issued
>> >>>>>>> against the
>> >>>>>>> 2003
>> >>>>>>> DC.
>> >>>>>>>
>> >>>>>>> **********************************
>> >>>>>>> 12/15/09 18:30:21 79208171 Opened logfile
>> >>>>>>> C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09
>> >>>>>>> 18:30:21
>> >>>>>>> 79208171
>> >>>>>>> 12/15/09 18:30:21 79208187 File version info:
>> >>>>>>> 12/15/09 18:30:21 79208187 modulePath:
>> >>>>>>> D:\SCHEMAUPGRADETOOL.EXE 12/15/09 18:30:21 79208187
>> >>>>>>> dwFileVersionMS: 0x60000 (393216) 12/15/09 18:30:21 79208187
>> >>>>>>> dwFileVersionLS: 0x16440000 (373555200) 12/15/09 18:30:21
>> >>>>>>> 79208187 dwProductVersionMS: 0x60000 (393216) 12/15/09
>> >>>>>>> 18:30:21 79208187 dwProductVersionLS: 0x16440000 (373555200)
>> >>>>>>> 12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
>> >>>>>>> 12/15/09 18:30:21 79208203 Domain Joined: TRUE
>> >>>>>>> 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
>> >>>>>>> 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
>> >>>>>>> 12/15/09 18:30:21 79208203 GetDomainSid() returning:
>> >>>>>>> S-1-5-21-1553700716-3413723528-2741516094
>> >>>>>>> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
>> >>>>>>> S-1-5-21-1553700716-3413723528-2741516094-512
>> >>>>>>> 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
>> >>>>>>> S-1-5-21-1553700716-3413723528-2741516094-519
>> >>>>>>> 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
>> >>>>>>> 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
>> >>>>>>> 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
>> >>>>>>> 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
>> >>>>>>> 12/15/09 18:30:21 79208593 Schema role owner is
>> >>>>>>> paris.ndcconsultants.co.uk
>> >>>>>>> 12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is
>> >>>>>>> complete:
>> >>>>>>> FALSE
>> >>>>>>> 12/15/09 18:30:22 79209703 Infrastructure role owner is
>> >>>>>>> paris.ndcconsultants.co.uk
>> >>>>>>> 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role
>> >>>>>>> Owner) is
>> >>>>>>> complete: FALSE
>> >>>>>>> 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner)
>> >>>>>>> is complete:
>> >>>>>>> FALSE
>> >>>>>>> 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
>> >>>>>>> 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role
>> >>>>>>> Owner: TRUE
>> >>>>>>> 12/15/09 18:30:23 79209921 .dit file path:
>> >>>>>>> C:\WINDOWS\NTDS\ntds.dit 12/15/09 18:30:23 79209921 File
>> >>>>>>> C:\WINDOWS\NTDS\ntds.dit has size 29376512
>> >>>>>>> 12/15/09 18:30:23 79209921 .dit file size: 28 MB
>> >>>>>>> 12/15/09 18:30:23 79209921 disk space required: 33 MB
>> >>>>>>> 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is
>> >>>>>>> 170962432
>> >>>>>>> 12/15/09 18:30:23 79209921 free space on .dit volume: 20643 MB
>> >>>>>>> 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
>> >>>>>>> 12/15/09 18:30:23 79209921 All prerequisites met.
>> >>>>>>> 12/15/09 18:30:23 79209921 Prerequisite checking passed.
>> >>>>>>> 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
>> >>>>>>> 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
>> >>>>>>> 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
>> >>>>>>> 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
>> >>>>>>> 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
>> >>>>>>> 12/15/09 18:30:23 79209921 Infrastructure role owner is
>> >>>>>>> paris.ndcconsultants.co.uk
>> >>>>>>> 12/15/09 18:30:23 79209921 Schema role owner is
>> >>>>>>> paris.ndcconsultants.co.uk
>> >>>>>>> 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
>> >>>>>>> 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows
>> >>>>>>> Essential
>> >>>>>>> Business Server Schema Upgrade Tool is about to upgrade your
>> >>>>>>> schema to
>> >>>>>>> the
>> >>>>>>> Windows Server 2008 schema level. This process will take between
>> >>>>>>> three
>> >>>>>>> minutes and an hour. During this time, this computers CPU and
>> >>>>>>> hard disk
>> >>>>>>> drive
>> >>>>>>> will be under heavy load. There will be heavy network traffic
>> >>>>>>> if you have
>> >>>>>>> multiple domain controllers or many group policy objects.
>> >>>>>>> If you have not checked the physical condition of this computers
>> >>>>>>> hard
>> >>>>>>> disk
>> >>>>>>> drive recently, consider running a full bad sector test prior to
>> >>>>>>> upgrading
>> >>>>>>> the schema. Do not reboot or shut down this computer while the
>> >>>>>>> upgrade
>> >>>>>>> is
>> >>>>>>> in
>> >>>>>>> process. Upgrading the schema is permanent (changes cannot be
>> >>>>>>> undone).
>> >>>>>>> Click OK to begin the upgrade, or Cancel to close the tool.
>> >>>>>>> 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
>> >>>>>>> 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
>> >>>>>>> 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
>> >>>>>>> 12/15/09 18:30:44 79231421 isAclSupported: TRUE
>> >>>>>>> 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
>> >>>>>>> C:\WINDOWS\temp already exists (dwError=0xb7,
>> >>>>>>> GetLastError()=0xb7). 12/15/09 18:30:44 79231421
>> >>>>>>> LsaFreeMemory() returned: 0x0 12/15/09 18:30:44 79231421
>> >>>>>>> LsaClose() returned: 0x0 12/15/09 18:30:44 79231421
>> >>>>>>> GetDomainSid() returning:
>> >>>>>>> S-1-5-21-1553700716-3413723528-2741516094 12/15/09 18:30:44
>> >>>>>>> 79231421 GetSidFromRid() returning:
>> >>>>>>> S-1-5-21-1553700716-3413723528-2741516094-512 12/15/09 18:30:44
>> >>>>>>> 79231437 Copying files to temp directory
>> >>>>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:30:44 79231437
>> >>>>>>> CopyFilesToTempDirectory() 12/15/09 18:30:44 79231437 src dir:
>> >>>>>>> D:\ 12/15/09 18:30:44 79231437 dest dir:
>> >>>>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:30:49 79236390
>> >>>>>>> SHFileOperation() returned 0x0 12/15/09 18:30:49 79236390
>> >>>>>>> fileOp.fAnyOperationsAborted: FALSE 12/15/09 18:30:49 79236390
>> >>>>>>> Done copying files to temp directory. 12/15/09 18:30:49
>> >>>>>>> 79236390 adprep path: C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
>> >>>>>>> 12/15/09 18:30:49 79236390 Running forestprep.
>> >>>>>>> 12/15/09 18:30:49 79236390 IsWindows2000()
>> >>>>>>> 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
>> >>>>>>> 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
>> >>>>>>> 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
>> >>>>>>> 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
>> >>>>>>> 12/15/09 18:30:49 79236390 DoCreateProcess()
>> >>>>>>> 12/15/09 18:30:49 79236390 cmdline:
>> >>>>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg
>> >>>>>>> /silent 12/15/09 18:30:49 79236390 startingDir:
>> >>>>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:37:33 79640187 exit
>> >>>>>>> code: 0 12/15/09 18:37:33 79640187 adprep returned 0
>> >>>>>>> 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
>> >>>>>>> 12/15/09 18:37:33 79640187 No replication required, running on
>> >>>>>>> schema
>> >>>>>>> role
>> >>>>>>> owner.
>> >>>>>>> 12/15/09 18:37:33 79640187 Running domainprep.
>> >>>>>>> 12/15/09 18:37:33 79640187 DoCreateProcess()
>> >>>>>>> 12/15/09 18:37:33 79640187 cmdline:
>> >>>>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep
>> >>>>>>> /wssg /silent
>> >>>>>>> 12/15/09 18:37:33 79640187 startingDir:
>> >>>>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:37:39 79646250 exit
>> >>>>>>> code: 0 12/15/09 18:37:39 79646250 adprep returned 0
>> >>>>>>> 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
>> >>>>>>> 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
>> >>>>>>> 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp
>> >>>>>>> dir C:\WINDOWS\temp\ADP1.tmp
>> >>>>>>> 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
>> >>>>>>> 12/15/09 18:37:39 79646359 Closing log.
>> >>>>>>> **********************************
>> >>>>>>> This tool was run once prompted by the Management Server phase
>> >>>>>>> of the
>> >>>>>>> EBS
>> >>>>>>> installation wizard. At this point in time I believe the
>> >>>>>>> wizard had completed installing, updating and joining a Windows
>> >>>>>>> Server 2008 machine
>> >>>>>>> to
>> >>>>>>> the 2003 network. The tool didn't run /rodcprep.
>> >>>>>>> The next step in the wizard was the promotion of the Management
>> >>>>>>> Server
>> >>>>>>> to
>> >>>>>>> DC, I'm reviewing the DCPROMO.log from this operation. I think,
>> >>>>>>> but I'm
>> >>>>>>> not
>> >>>>>>> sure, that the FSMO roles were transferred to the Management
>> >>>>>>> Server at
>> >>>>>>> this
>> >>>>>>> point. BTW I also plan to create VMs of the 2003 DC from our
>> >>>>>>> backup images
>> >>>>>>> just before and after in order to check on the troublesome RODC
>> >>>>>>> groups
>> >>>>>>> but
>> >>>>>>> this will take me a little while.
>> >>>>>>> The rest of the EBS servers were installed and the old 2003 DC
>> >>>>>>> gracefully
>> >>>>>>> demoted a few weeks later.
>> >>>>>>> As originally posted before attempting to create a RODC I ran
>> >>>>>>> the 2008
>> >>>>>>> R2
>> >>>>>>> adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep
>> >>>>>>> all without
>> >>>>>>> error. One point I'm not worried about is the 2008 version of
>> >>>>>>> /rodcprep
>> >>>>>>> had
>> >>>>>>> not been run.
>> >>>>>>> If I could just pinpoint exactly when these groups were
>> >>>>>>> supposed to be
>> >>>>>>> created I'd be able to focus on all the events at that time.
>> >>>>>>>
>> >>>>>>> To say this problem is frustrating is an understatement!
>> >>>>>>>
>> >>>>>>> James
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> "Paul Bergson [MVP-DS]" wrote:
>> >>>>>>>
>> >>>>>>>> With assistance from a fellow MVP (Yusuf), it appears that in
>> >>>>>>>> order to
>> >>>>>>>> get
>> >>>>>>>> these groups created you will have to move the PDCe from your
>> >>>>>>>> 2003 DC
>> >>>>>>>> to
>> >>>>>>>> the
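The SchemaUpgradeTool.log quoted in this thread is wrapped by the newsreader, with several entries run together on one line, which makes it hard to see which adprep phases actually ran. The following is an added example, not part of any poster's message: it re-segments such a log on its timestamp and tick-count header and reports each adprep invocation, its exit code, and the phases that were never invoked. The function names are hypothetical, and the sample is an excerpt of the log as quoted above.

```python
import re

# Entry header used throughout the quoted log: "MM/DD/YY HH:MM:SS <tick> ".
ENTRY_RE = re.compile(r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+) ")
QUOTE_RE = re.compile(r"^[>\s]+")      # newsreader quote prefix such as "> >>>>>>> "
SWITCH_RE = re.compile(r"/(\w+)")      # adprep switches; Windows paths use backslashes
PHASES = ("forestprep", "domainprep", "gpprep", "rodcprep")

# Excerpt of the log quoted in the thread, kept in its wrapped, run-together form.
SAMPLE = r"""
> >>>>>>> 12/15/09 18:30:49 79236390 Running forestprep.
> >>>>>>> 12/15/09 18:30:49 79236390 DoCreateProcess()
> >>>>>>> 12/15/09 18:30:49 79236390 cmdline:
> >>>>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg
> >>>>>>> /silent 12/15/09 18:30:49 79236390 startingDir:
> >>>>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:37:33 79640187 exit
> >>>>>>> code: 0 12/15/09 18:37:33 79640187 adprep returned 0
> >>>>>>> 12/15/09 18:37:33 79640187 Running domainprep.
> >>>>>>> 12/15/09 18:37:33 79640187 DoCreateProcess()
> >>>>>>> 12/15/09 18:37:33 79640187 cmdline:
> >>>>>>> C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep
> >>>>>>> /wssg /silent
> >>>>>>> 12/15/09 18:37:33 79640187 startingDir:
> >>>>>>> C:\WINDOWS\temp\ADP1.tmp 12/15/09 18:37:39 79646250 exit
> >>>>>>> code: 0 12/15/09 18:37:39 79646250 adprep returned 0
"""


def split_entries(text):
    """Strip quote prefixes, rejoin wrapped lines, then split on entry headers."""
    flat = " ".join(QUOTE_RE.sub("", line).strip() for line in text.splitlines())
    parts = ENTRY_RE.split(flat)  # [prefix, ts, tick, msg, ts, tick, msg, ...]
    entries = []
    for i in range(1, len(parts), 3):
        msg = parts[i + 2].strip()
        if msg:  # a timestamp embedded inside a message leaves an empty fragment
            entries.append((parts[i], int(parts[i + 1]), msg))
    return entries


def adprep_runs(entries):
    """Pair each adprep 'cmdline:' entry with the next 'exit code:' entry."""
    runs, pending = [], None
    for ts, _tick, msg in entries:
        if msg.startswith("cmdline:") and "adprep.exe" in msg.lower():
            pending = {
                "started": ts,
                "finished": None,
                "switches": [s.lower() for s in SWITCH_RE.findall(msg)],
                "exit_code": None,
            }
            runs.append(pending)
        elif msg.startswith("exit code:") and pending is not None:
            pending["exit_code"] = int(msg.split(":", 1)[1])
            pending["finished"] = ts
            pending = None
    return runs


def phase_report(runs):
    """Return the exit code per invoked phase and the phases never invoked."""
    ran = {}
    for run in runs:
        for switch in run["switches"]:
            if switch in PHASES:
                ran[switch] = run["exit_code"]
    return {"ran": ran, "missing": [p for p in PHASES if p not in ran]}


if __name__ == "__main__":
    runs = adprep_runs(split_entries(SAMPLE))
    for run in runs:
        print(run["started"], "->", run["finished"], run["switches"], run["exit_code"])
    print(phase_report(runs))
```

A phase listed under `missing` only means this log shows no invocation of it; phases run later from other media are recorded in their own adprep logs.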
Re: Missing one of the "default Password Replication Policy groups [message #383308 is a reply to message #382581] Wed, 03 February 2010 07:26
James Brown
I've checked my notes and I was mistaken, I actually raised the forest to
2008 level shortly after the domain and before the 2003 R2 ADPREPs; at this
point /rodcprep hadn't been run.

It seems I may have shot myself in the foot.

"Paul Bergson [MVP-DS]" wrote:

> That shouldn't have mattered if at 2003. Dang had hoped you forgot about
> this.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> news:D9E10431-3BAA-4AE6-8945-B7EE373E6EA2@microsoft.com...
> > They're both at 2008 level now. Forest was at 2003 but I raised it to
> > 2008
> > just to see if I could resolve this...
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> What is your domain and forest functional level at? If you have never
> >> updated these they are probably sitting at Windows 2000. I'm guessing
> >> you
> >> have changed these but this could be why. I'm not seeing any issues in
> >> your
> >> log files.
> >>
> >> http://support.microsoft.com/kb/322692
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >>
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup This
> >> posting is provided "AS IS" with no warranties, and confers no rights.
> >>
> >> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> >> news:BA56FCA1-71DA-4353-896E-497DBBA21A0D@microsoft.com...
> >> > Paul, firstly thank you once again for your posts.
> >> > I'd like to post the log EBS Schema Upgrade Tools Log, it's a rather
> >> > neat
> >> > summary of the and clearly shows the ADPREP commands issued against the
> >> > 2003
> >> > DC.
> >> >
> >> > **********************************
> >> > 12/15/09 18:30:21 79208171 Opened logfile
> >> > C:\WINDOWS\Debug\Adprep\Logs\SchemaUpgradeTool.log at 12/15/09 18:30:21
> >> > 79208171
> >> > 12/15/09 18:30:21 79208187 File version info:
> >> > 12/15/09 18:30:21 79208187 modulePath: D:\SCHEMAUPGRADETOOL.EXE
> >> > 12/15/09 18:30:21 79208187 dwFileVersionMS: 0x60000 (393216)
> >> > 12/15/09 18:30:21 79208187 dwFileVersionLS: 0x16440000 (373555200)
> >> > 12/15/09 18:30:21 79208187 dwProductVersionMS: 0x60000 (393216)
> >> > 12/15/09 18:30:21 79208187 dwProductVersionLS: 0x16440000 (373555200)
> >> > 12/15/09 18:30:21 79208187 buildnum: 6.0.5700.0
> >> > 12/15/09 18:30:21 79208203 Domain Joined: TRUE
> >> > 12/15/09 18:30:21 79208203 LsaFreeMemory() returned: 0x0
> >> > 12/15/09 18:30:21 79208203 LsaClose() returned: 0x0
> >> > 12/15/09 18:30:21 79208203 GetDomainSid() returning:
> >> > S-1-5-21-1553700716-3413723528-2741516094
> >> > 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> >> > S-1-5-21-1553700716-3413723528-2741516094-512
> >> > 12/15/09 18:30:21 79208203 GetSidFromRid() returning:
> >> > S-1-5-21-1553700716-3413723528-2741516094-519
> >> > 12/15/09 18:30:21 79208203 bIsDomainAdmin: 1
> >> > 12/15/09 18:30:21 79208203 bIsEnterpriseAdmin: 1
> >> > 12/15/09 18:30:21 79208546 Ready for forest prep: TRUE
> >> > 12/15/09 18:30:21 79208546 Schema.ini path: D:\adprep\schema.ini
> >> > 12/15/09 18:30:21 79208593 Schema role owner is
> >> > paris.ndcconsultants.co.uk
> >> > 12/15/09 18:30:22 79209671 Forest Prep (Schema Role Owner) is complete:
> >> > FALSE
> >> > 12/15/09 18:30:22 79209703 Infrastructure role owner is
> >> > paris.ndcconsultants.co.uk
> >> > 12/15/09 18:30:22 79209750 Domain Prep (Infrastructure Role Owner) is
> >> > complete: FALSE
> >> > 12/15/09 18:30:22 79209828 GP Prep (Infrastructure Role Owner) is
> >> > complete:
> >> > FALSE
> >> > 12/15/09 18:30:22 79209875 Is Local Host Schema Role Owner: TRUE
> >> > 12/15/09 18:30:23 79209921 Is Local Host Infrastructure Role Owner:
> >> > TRUE
> >> > 12/15/09 18:30:23 79209921 .dit file path: C:\WINDOWS\NTDS\ntds.dit
> >> > 12/15/09 18:30:23 79209921 File C:\WINDOWS\NTDS\ntds.dit has size
> >> > 29376512
> >> > 12/15/09 18:30:23 79209921 .dit file size: 28 MB
> >> > 12/15/09 18:30:23 79209921 disk space required: 33 MB
> >> > 12/15/09 18:30:23 79209921 Free space on C:\WINDOWS\NTDS is 170962432
> >> > 12/15/09 18:30:23 79209921 free space on .dit volume: 20643 MB
> >> > 12/15/09 18:30:23 79209921 Sufficient disk space: TRUE
> >> > 12/15/09 18:30:23 79209921 All prerequisites met.
> >> > 12/15/09 18:30:23 79209921 Prerequisite checking passed.
> >> > 12/15/09 18:30:23 79209921 forestPrepComplete: FALSE
> >> > 12/15/09 18:30:23 79209921 domainPrepComplete: FALSE
> >> > 12/15/09 18:30:23 79209921 gpPrepComplete: FALSE
> >> > 12/15/09 18:30:23 79209921 bIsSchemaRoleOwner: TRUE
> >> > 12/15/09 18:30:23 79209921 bIsInfrastructureRoleOwner: TRUE
> >> > 12/15/09 18:30:23 79209921 Infrastructure role owner is
> >> > paris.ndcconsultants.co.uk
> >> > 12/15/09 18:30:23 79209921 Schema role owner is
> >> > paris.ndcconsultants.co.uk
> >> > 12/15/09 18:30:23 79209921 DisplayMessageBox(): (resourceid=104)
> >> > 12/15/09 18:30:23 79210109 DisplayMessageBox(): The Windows Essential
> >> > Business Server Schema Upgrade Tool is about to upgrade your schema to
> >> > the
> >> > Windows Server 2008 schema level. This process will take between three
> >> > minutes and an hour. During this time, this computers CPU and hard disk
> >> > drive
> >> > will be under heavy load. There will be heavy network traffic if you
> >> > have
> >> > multiple domain controllers or many group policy objects.
> >> > If you have not checked the physical condition of this computers hard
> >> > disk
> >> > drive recently, consider running a full bad sector test prior to
> >> > upgrading
> >> > the schema. Do not reboot or shut down this computer while the upgrade
> >> > is
> >> > in
> >> > process. Upgrading the schema is permanent (changes cannot be undone).
> >> > Click OK to begin the upgrade, or Cancel to close the tool.
> >> > 12/15/09 18:30:44 79231406 Using temp dir: C:\WINDOWS\temp
> >> > 12/15/09 18:30:44 79231406 Temp dir mount point: C:\
> >> > 12/15/09 18:30:44 79231421 File system flags for C:\: 0x000700ff
> >> > 12/15/09 18:30:44 79231421 isAclSupported: TRUE
> >> > 12/15/09 18:30:44 79231421 CreateDirectoryIfNonExistent(): dir
> >> > C:\WINDOWS\temp already exists (dwError=0xb7, GetLastError()=0xb7).
> >> > 12/15/09 18:30:44 79231421 LsaFreeMemory() returned: 0x0
> >> > 12/15/09 18:30:44 79231421 LsaClose() returned: 0x0
> >> > 12/15/09 18:30:44 79231421 GetDomainSid() returning:
> >> > S-1-5-21-1553700716-3413723528-2741516094
> >> > 12/15/09 18:30:44 79231421 GetSidFromRid() returning:
> >> > S-1-5-21-1553700716-3413723528-2741516094-512
> >> > 12/15/09 18:30:44 79231437 Copying files to temp directory
> >> > C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:30:44 79231437 CopyFilesToTempDirectory()
> >> > 12/15/09 18:30:44 79231437 src dir: D:\
> >> > 12/15/09 18:30:44 79231437 dest dir: C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:30:49 79236390 SHFileOperation() returned 0x0
> >> > 12/15/09 18:30:49 79236390 fileOp.fAnyOperationsAborted: FALSE
> >> > 12/15/09 18:30:49 79236390 Done copying files to temp directory.
> >> > 12/15/09 18:30:49 79236390 adprep path:
> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe
> >> > 12/15/09 18:30:49 79236390 Running forestprep.
> >> > 12/15/09 18:30:49 79236390 IsWindows2000()
> >> > 12/15/09 18:30:49 79236390 osvi.dwPlatformId: 2
> >> > 12/15/09 18:30:49 79236390 osvi.dwMajorVersion: 5
> >> > 12/15/09 18:30:49 79236390 osvi.dwMinorVersion: 2
> >> > 12/15/09 18:30:49 79236390 IsWindows2000() returning: FALSE
> >> > 12/15/09 18:30:49 79236390 DoCreateProcess()
> >> > 12/15/09 18:30:49 79236390 cmdline:
> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
> >> > 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:37:33 79640187 exit code: 0
> >> > 12/15/09 18:37:33 79640187 adprep returned 0
> >> > 12/15/09 18:37:33 79640187 adprep returned 0 for forestprep.
> >> > 12/15/09 18:37:33 79640187 No replication required, running on schema
> >> > role
> >> > owner.
> >> > 12/15/09 18:37:33 79640187 Running domainprep.
> >> > 12/15/09 18:37:33 79640187 DoCreateProcess()
> >> > 12/15/09 18:37:33 79640187 cmdline:
> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
> >> > /silent
> >> > 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:37:39 79646250 exit code: 0
> >> > 12/15/09 18:37:39 79646250 adprep returned 0
> >> > 12/15/09 18:37:39 79646250 adprep returned 0 for domainprep.
> >> > 12/15/09 18:37:39 79646250 Writing gpprep complete flag.
> >> > 12/15/09 18:37:39 79646281 RemoveTempDirectory() removing temp dir
> >> > C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:37:39 79646359 SHFileOperation() returned 0x0
> >> > 12/15/09 18:37:39 79646359 Closing log.
> >> > **********************************
> >> > This tool was run once prompted by the Management Server phase of the
> >> > EBS
> >> > installation wizard. At this point in time I believe the wizard had
> >> > completed installing, updating and joining a Windows Server 2008
> >> > machine
> >> > to
> >> > the 2003 network. The tool didn't run /rodcprep.
> >> > The next step in the wizard was the promotion of the Management Server
> >> > to
> >> > DC, I'm reviewing the DCPROMO.log from this operation. I think, but I'm
> >> > not
> >> > sure, that the FSMO roles were transferred to the Management Server at
> >> > this
> >> > point. BTW I also plan to create VMs of the 2003 DC from our backup
> >> > images
> >> > just before and after in order to check on the troublesome RODC groups
> >> > but
> >> > this will take me a little while.
> >> > The rest of the EBS servers were installed and the old 2003 DC
> >> > gracefully
> >> > demoted a few weeks later.
> >> > As originally posted before attempting to create a RODC I ran the 2008
> >> > R2
> >> > adpreps: /forestprep, /domainprep /gpprep and finally /rodcprep all
> >> > without
> >> > error. One point I'm not worried about is the 2008 version of
> >> > /rodcprep
> >> > had
> >> > not been run.
> >> > If I could just pinpoint exactly when these groups were supposed to be
> >> > created I'd be able to focus on all the events at that time.
> >> >
> >> > To say this problem is frustrating is an understatement!
> >> >
> >> > James
> >> >
> >> >
> >> > "Paul Bergson [MVP-DS]" wrote:
> >> >
> >> >> With assistance from a fellow MVP (Yusuf), it appears that in order to
> >> >> get
> >> >> these groups created you will have to move the PDCe from your 2003 DC
> >> >> to
> >> >> the
> >> >> 2008 server. This is a recommended strategy anyways.
> >> >>
> >> >> From a command prompt run the following to learn where your fsmo roles
> >> >> reside
> >> >> netdom query fsmo
> >> >>
> >> >> See:
> >> >> http://technet.microsoft.com/en-us/library/cc732838(WS.10).aspx
> >> >>
> >> >> --
> >> >> Paul Bergson
> >> >> MVP - Directory Services
> >> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >> >>
> >> >> http://www.pbbergs.com
> >> >>
> >> >> Please no e-mails, any questions should be posted in the NewsGroup
> >> >> This
> >> >> posting is provided "AS IS" with no warranties, and confers no rights.
> >> >>
> >> >> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> >> >> news:%23hI$Bg1oKHA.5520@TK2MSFTNGP05.phx.gbl...
> >> >> > Sorry, I have never had to refer to the logs since I have been
> >> >> > successful
> >> >> > on every attempt. I would verify that the log exists and if so see
> >> >> > if
> >> >> > there are any errors. If you have something you are unable to
> >> >> > decipher
> >> >> > just post the log and I'm sure someone from the NewsGroup could
> >> >> > assist
> >> >> > in
> >> >> > reading. Most of these logs provide good details.
> >> >> >
> >> >> > --
> >> >> > Paul Bergson
> >> >> > MVP - Directory Services
> >> >> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> >> > 2008, 2003, 2000 (Early Achiever), NT4
> >> >> > Microsoft's Thrive IT Pro of the Month - June 2009
> >> >> >
> >> >> > http://www.pbbergs.com
> >> >> >
> >> >> > Please no e-mails, any questions should be posted in the NewsGroup
> >> >> > This
> >> >> > posting is provided "AS IS" with no warranties, and confers no
> >> >> > rights.
> >> >> >
> >> >> > "James Brown" <JamesBrown@discussions.microsoft.com> wrote in
> >> >> > message
> >> >> > news:9071EC02-81C1-4D3A-8275-81AD7A2AA319@microsoft.com...
> >> >> >> Thanks for your reply Paul.
> >> >> >>
> >> >> >> I've been trying to find out when these groups are created for a
> >> >> >> few
> >> >> >> days,
> >> >> >> I'm not sure I even have access to the right documentation to be
> >> >> >> successful.
> >> >> >>
> >> >> >> I'll retrieve the logs from backup. Any particular string for me
> >> >> >> to
> >> >> >> be
> >> >> >> searching for? I'll also review your article ASAP.
> >> >> >>
> >> >> >> Many thanks,
> >> >> >>
> >> >> >> James
> >> >> >>
> >> >> >> "Paul Bergson [MVP-DS]" wrote:
> >> >> >>
> >> >> >>> I think Florian is on to something here. I did try and track down
> >> >> >>> where
> >> >> >>> the
Re: Missing one of the "default Password Replication Policy groups [message #383322 is a reply to message #383271] Wed, 03 February 2010 07:38
James Brown
Rest assured that once I solve this I'll post back to this forum and cross
link it to the rapidly multiplying number of forums I've posted in...

James

"Paul Bergson [MVP-DS]" wrote:

> Check out Christopher Anderson's reply, I think that is what you need. I
> wanted to repost this so as if someone starts to follow this thread they
> have an option to try.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++
>
> You can re-try trigger the operational attribute runSamUpgradeTasks if I
> recall correct this operational attribute is responsible to create those
> groups.
>
> http://msdn.microsoft.com/en-us/library/dd240061(PROT.13).aspx
>
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
Re: Missing one of the "default Password Replication Policy groups [message #383517 is a reply to message #383322] Wed, 03 February 2010 11:23
KevinJ.SBS
The community in general will appreciate that tho several of us have
visibility into the EBS and activedir.org threads as well.

The manual trigger method find of Chris's is nice to know, but I'm
suspicious at this point more about the lack of the rodcprep step in the
adprep.


James Brown wrote:
> Rest assured that once I solve this I'll post back to this forum and
> cross link it to the rapidly multiplying number of forums I've posted
> in...
>
> James
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Check out Christopher Anderson's reply, I think that is what you
>> need. I wanted to repost this so as if someone starts to follow
>> this thread they have an option to try.
>>
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++
>>
>> You can re-try trigger the operational attribute runSamUpgradeTasks
>> if I recall correct this operational attribute is responsible to
>> create those groups.
>>
>> http://msdn.microsoft.com/en-us/library/dd240061(PROT.13).aspx
>>
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.

--
/kj
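
The question raised above about the missing rodcprep step can be checked directly against the schema-upgrade tool log quoted earlier in this thread. The Python below is an added example, not part of any post: it strips the newsreader quote prefixes, rejoins wrapped lines, and reports which adprep switches the wrapper ran and whether each run exited 0. The function names are hypothetical; the sample lines are excerpted from the quoted log.

```python
import re

# Excerpt of the schema-upgrade tool log quoted in this thread, kept with
# its newsreader quote prefixes and line wrapping.
SAMPLE_LOG = r"""
> >> > 12/15/09 18:30:49 79236390 DoCreateProcess()
> >> > 12/15/09 18:30:49 79236390 cmdline:
> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /forestprep /wssg /silent
> >> > 12/15/09 18:30:49 79236390 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:37:33 79640187 exit code: 0
> >> > 12/15/09 18:37:33 79640187 DoCreateProcess()
> >> > 12/15/09 18:37:33 79640187 cmdline:
> >> > C:\WINDOWS\temp\ADP1.tmp\adprep\adprep.exe /domainprep /gpprep /wssg
> >> > /silent
> >> > 12/15/09 18:37:33 79640187 startingDir: C:\WINDOWS\temp\ADP1.tmp
> >> > 12/15/09 18:37:39 79646250 exit code: 0
"""

QUOTE_PREFIX = re.compile(r"^(?:\s*>+)+\s?")
RECORD = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+)(?: (.*))?$")
EXIT_CODE = re.compile(r"^exit code:\s*(-?\d+)")
PREP_SWITCHES = ("/forestprep", "/domainprep", "/gpprep", "/rodcprep")


def read_records(text):
    """Strip quote prefixes and rejoin wrapped lines into (timestamp, message)."""
    records = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m:
            records.append([m.group(1), (m.group(3) or "").strip()])
        elif records:
            # No timestamp: a wrapped continuation of the previous record.
            records[-1][1] = (records[-1][1] + " " + line).strip()
    return [tuple(r) for r in records]


def adprep_runs(text):
    """Return one dict per adprep.exe invocation: start time, switches, exit code."""
    runs = []
    for ts, msg in read_records(text):
        if msg.startswith("cmdline:") and "adprep.exe" in msg.lower():
            switches = [t.lower() for t in msg.split() if t.startswith("/")]
            runs.append({"started": ts, "switches": switches, "exit_code": None})
            continue
        m = EXIT_CODE.match(msg)
        if m and runs and runs[-1]["exit_code"] is None:
            runs[-1]["exit_code"] = int(m.group(1))
    return runs


def prep_coverage(text):
    """Map each prep switch to True (ran, exit 0), False (ran, failed), None (never run)."""
    coverage = dict.fromkeys(PREP_SWITCHES)
    for run in adprep_runs(text):
        ok = run["exit_code"] == 0
        for sw in run["switches"]:
            if sw in coverage:
                coverage[sw] = ok if coverage[sw] is None else (coverage[sw] or ok)
    return coverage


if __name__ == "__main__":
    for switch, state in prep_coverage(SAMPLE_LOG).items():
        label = {True: "ran, exit 0", False: "ran, failed", None: "never run"}[state]
        print(f"{switch:12} {label}")
```

A `None` for `/rodcprep` only shows that this wrapper never invoked it; a later manual run would appear in adprep's own logs, not in this one.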
Re: Missing one of the "default Password Replication Policy groups [message #384080 is a reply to message #383517] Thu, 04 February 2010 06:18
pbbergs
Agreed. Originally stated that it was done. I would assume it still can be
done.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
news:eDMGF4PpKHA.1548@TK2MSFTNGP06.phx.gbl...
> The community in general will appreciate that tho several of us have
> visibility into the EBS and activedir.org threads as well.
>
> The manual trigger method find of Chris's is nice to know, but I'm
> suspicious at this point more about the lack of the rodcprep step in the
> adprep.
>
>
> James Brown wrote:
>> Rest assured that once I solve this I'll post back to this forum and
>> cross link it to the rapidly multiplying number of forums I've posted
>> in...
>>
>> James
>>
>> "Paul Bergson [MVP-DS]" wrote:
>>
>>> Check out Christopher Anderson's reply, I think that is what you
>>> need. I wanted to repost this so as if someone starts to follow
>>> this thread they have an option to try.
>>>
>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++
>>>
>>> You can re-try trigger the operational attribute runSamUpgradeTasks
>>> if I recall correct this operational attribute is responsible to
>>> create those groups.
>>>
>>> http://msdn.microsoft.com/en-us/library/dd240061(PROT.13).aspx
>>>
>>>
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>> 2008, 2003, 2000 (Early Achiever), NT4
>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>
> --
> /kj
>
Re: Missing one of the "default Password Replication Policy groups [message #384234 is a reply to message #384080] Thu, 04 February 2010 09:53
James Brown
Sorry about that, rather dropped the ball and put too much reliance on the
rather excellent EBS installation wizards doing my job for me. It wasn't
until I went through things step-by-step that I picked up my mistakes.

James

"Paul Bergson [MVP-DS]" wrote:

> Agreed. Originally stated that it was done. I would assume it still can be
> done.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> news:eDMGF4PpKHA.1548@TK2MSFTNGP06.phx.gbl...
> > The community in general will appreciate that tho several of us have
> > visibility into the EBS and activedir.org threads as well.
> >
> > The manual trigger method find of Chris's is nice to know, but I'm
> > suspicious at this point more about the lack of the rodcprep step in the
> > adprep.
> >
> >
> > James Brown wrote:
> >> Rest assured that once I solve this I'll post back to this forum and
> >> cross link it to the rapidly multiplying number of forums I've posted
> >> in...
> >>
> >> James
> >>
Re: Missing one of the "default Password Replication Policy groups [message #384914 is a reply to message #384234] Fri, 05 February 2010 06:45
pbbergs
Not a problem, don't worry about it. Did you get it resolved?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
news:92D36265-E337-4BF2-B0D2-EAF5A53E513B@microsoft.com...
> Sorry about that, rather dropped the ball and put too much reliance on the
> rather excellent EBS installation wizards doing my job for me. It wasn't
> until I went through things step-by-step that I picked up my mistakes.
>
> James
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Agreed. Originally stated that it was done. I would assume it still can
>> be
>> done.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
>> news:eDMGF4PpKHA.1548@TK2MSFTNGP06.phx.gbl...
>> > The community in general will appreciate that tho several of us have
>> > visibility into the EBS and activedir.org threads as well.
>> >
>> > The manual trigger method find of Chris's is nice to know, but I'm
>> > suspicious at this point more about the lack of the rodcprep step in
>> > the
>> > adprep.
>> >
>> >
>> > James Brown wrote:
>> >> Rest assured that once I solve this I'll post back to this forum and
>> >> cross link it to the rapidly multiplying number of forums I've posted
>> >> in...
>> >>
>> >> James
>> >>
>
Re: Missing one of the "default Password Replication Policy groups [message #387622 is a reply to message #384914] Tue, 09 February 2010 09:30
James Brown
I'm having issues regarding our support entitlement which the "Microsoft
Volume Licensing Services Team" are helping me with, I'm still to actually
talk to MS support :-(

The MD wasn't impressed at my suggestion to just purchase an incident as we're
supposed to be entitled to some anyway.

I'll get there and I will post back.

James

"Paul Bergson [MVP-DS]" wrote:

> Not a problem, don't worry about it. Did you get it resolved?
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "James Brown" <JamesBrown@discussions.microsoft.com> wrote in message
> news:92D36265-E337-4BF2-B0D2-EAF5A53E513B@microsoft.com...
> > Sorry about that, rather dropped the ball and put too much reliance on the
> > rather excellent EBS installation wizards doing my job for me. It wasn't
> > until I went through things step-by-step that I picked up my mistakes.
> >
> > James
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> Agreed. Originally stated that it was done. I would assume it still can
> >> be
> >> done.
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> Microsoft's Thrive IT Pro of the Month - June 2009
> >>
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup This
> >> posting is provided "AS IS" with no warranties, and confers no rights.
> >>
> >> "kj [SBS MVP]" <KevinJ.SBS@SPAMFREE.gmail.com> wrote in message
> >> news:eDMGF4PpKHA.1548@TK2MSFTNGP06.phx.gbl...
> >> > The community in general will appreciate that tho several of us have
> >> > visibility into the EBS and activedir.org threads as well.
> >> >
> >> > The manual trigger method find of Chris's is nice to know, but I'm
> >> > suspicious at this point more about the lack of the rodcprep step in
> >> > the
> >> > adprep.
> >> >
> >> >
> >> > James Brown wrote:
> >> >> Rest assured that once I solve this I'll post back to this forum and
> >> >> cross link it to the rapidly multiplying number of forums I've posted
> >> >> in...
> >> >>
> >> >> James
> >> >>
> >
>
>
> .
>
RE: Missing one of the "default Password Replication Policy groups" [message #400420 is a reply to message #381261] Fri, 26 February 2010 07:40
James Brown
This issue has been solved through Microsoft's Product Support.

It is highly unlikely anybody else will have this particular problem, if
both the groups are missing they will be created during DCPromo of the RODC.
The MS PS solution involved retriggering a process run during DCPromo by
setting the runSamUpgradeTasks attribute after tweaking the value of
samDomainUpdates.

I'll hold off posting the specific values as anybody experiencing this
problem is best off contacting Microsoft so their environment can be properly
evaluated.

As to what caused the issue the best guess was random corruption on just the
wrong database page on the PDCe (NTDS ISAM 614, DS Schema 1153 warning
events).

Thanks to Paul, KJ and Florian who got me as close as was actually possible
to a solution before I had to contact Microsoft.

James

"James Brown" wrote:

> I'm missing a domain local group required for the operation of Read-only DCs,
> I need some way to properly create this group and I'm a little stumped as to
> why it is missing in the first place...
>
> 2 Windows Server 2008 DCs
> o forest at Windows 2008 level
> o single domain at Windows 2008 level
> o SP2 and all updates installed
>
> AD was previously hosted on a single Windows Server 2003 DC
> o Upgrade was roughly 45 days ago
> o This DC has now been gracefully retired
> o (have full system backups of the old DC before the upgrade all the way
> through to its retirement)
>
> Wish to add Windows Server 2008 R2 as a RODC
> o Following steps here
> http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx
> o ADPREP ran first time without errors, schema level now 47
> § (Have full system backups before and after ADPREP)
>
> So when I hit next on “Additional Domain Controller Options” (step 7 of “To
> install an RODC on a full installation of Windows Server 2008”) I get “The
> default Password Replication Policy groups are not present on the PDC [My
> PDC]. The parameter is incorrect”.
>
> Sure enough the “Allowed RODC Password Replication Group” is missing. After
> some further thought I’m guessing this should have been created during
> DCPROMO of the first Windows Server 2008 to the 2003 domain.
>
> The “Denied RODC Password Replication Group” is present so what’s happened
> to the Allowed group?
>
> I've used the SysInternals AD Explorer to search for deleted groups with the
> right name or SID and there's nothing.
>
> Can anybody give me a new avenue of exploration?
>
> This is a cross post from the Directory Services forum where so far I've had
> no response
> http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/56c72e7e-d367-4c13-85a1-64f1df62e328