Jan 31 2011

Adprep 2008 troubleshooting

In this post we describe some issues we had when extending the schema for Active Directory 2008 or 2008 R2. The steps to prepare the schema for AD 2008 are described in this askDS post.

  1. adprep /domainprep /gpprep command line:
    • Insufficient access rights: when running the adprep /domainprep /gpprep command you get the following error: “LDAP API ldap_modify_ext_s() finished, return code is 0x32“. Return code 0x32 is LDAP_INSUFFICIENT_RIGHTS, so this is a privilege problem, even though the command was launched with an account that is a member of the “domain admins” group. You can find the following information in the adprep.log file:

      Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN={64E2BDA7-0FC4-48DA-BB70-79261A7B4822},CN=Policies,CN=System
      LDAP API ldap_modify_ext_s() finished, return code is 0x32

      This error message occurs because the gpprep part of the setup has a problem processing a GPO. We will check the permissions on this object:

      The administrator who created the GPO removed the permissions for the “domain admins” group. To fix this, take ownership of the object and restore the permissions for this group. After that you can launch the adprep /domainprep /gpprep command successfully.

    • Note about the staging folder: if the replication interval between some of your domain controllers is very long (e.g. one of your DCs replicates every two days with its replication partners), then the staging folder located on the SYSVOL share might temporarily grow significantly. This is because the gpprep part of the setup modifies all Group Policy Objects, and all of those changes are stored in the staging folder before they replicate to each downstream SYSVOL partner. The folder becomes empty again once the DC that replicates the least often has replicated all the modifications.

  2. Adprep /rodcprep command:
    • If the following error occurs: “Adprep could not contact a replica for partition DC=DomainDnsZones,DC=ldap389,DC=info“, then you just need to run the script given in this KB article.
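The log pattern from item 1 (an "entry to modify" line followed by a "return code" line) can be pulled out of adprep.log to list every object that failed and why. The PowerShell below is an added example, not part of the original post; the function name Get-AdprepFailedEntry, the small result-code table and the sample lines are assumptions made for illustration.

```powershell
# Added example, not from the original post. Assumes adprep.log lines have the
# shape of the two lines quoted above; the sample input is constructed.

# A few LDAP result codes, as named in winldap.h
$LdapCodes = @{
    0x20 = 'LDAP_NO_SUCH_OBJECT'
    0x32 = 'LDAP_INSUFFICIENT_RIGHTS'
    0x35 = 'LDAP_UNWILLING_TO_PERFORM'
}

function Get-AdprepFailedEntry {
    param([Parameter(Mandatory)][string[]]$Line)
    $entry = $null
    foreach ($l in $Line) {
        if ($l -match 'The entry to modify is\s+(\S.*?)\s*$') {
            $entry = $Matches[1]              # DN waits for its result line
        }
        elseif ($l -match 'finished, return code is (0x[0-9a-f]+)') {
            $hex  = $Matches[1]
            $code = [Convert]::ToInt32($hex, 16)
            if ($code -ne 0 -and $entry) {
                # GPO objects are named by their GUID under CN=Policies
                $guid = if ($entry -match '^CN=(\{[0-9a-f-]{36}\}),CN=Policies,') { $Matches[1] }
                $name = $LdapCodes[$code]
                if (-not $name) { $name = 'see winldap.h' }
                [pscustomobject]@{
                    Entry = $entry; GpoGuid = $guid; ReturnCode = $hex; Meaning = $name
                }
            }
            $entry = $null                    # never pair one DN with two results
        }
    }
}

# Constructed sample: the first pair is the failure quoted in the post, the second
# is a made-up successful modify that must not be reported.
$sample = @(
    'Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN={64E2BDA7-0FC4-48DA-BB70-79261A7B4822},CN=Policies,CN=System'
    'LDAP API ldap_modify_ext_s() finished, return code is 0x32'
    'Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System'
    'LDAP API ldap_modify_ext_s() finished, return code is 0x0'
)
Get-AdprepFailedEntry -Line $sample | Format-List
# Real log: Get-AdprepFailedEntry -Line (Get-Content <path to adprep.log>)
```

The GpoGuid column gives the GPO whose permissions and owner need to be checked before re-running the command.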

If you want more troubleshooting information regarding Active Directory 2008 schema extension I suggest you read this technet article and this askDS post.



  • By Mark, October 8, 2013 @ 7:58 pm

    Thanks, this was exactly my problem.

  • By ldap389, October 8, 2013 @ 9:21 pm

    Hi Mark,
    I am glad this post helped you fix your problem 🙂
