
adprep /rodcprep fails with ForestDnsZones


  • adprep /rodcprep fails with ForestDnsZones


    I am trying to upgrade my domain controllers and I am having issues with the "adprep /rodcprep" command.
    The error I receive is:

    Adprep found partition DC=ForestDnsZones,DC=example,DC=local, and is about to update the permissions.
    Adprep could not contact a replica for partition DC=ForestDnsZones,DC=example,DC=local.
    Adprep encountered an LDAP error.
    Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
    Adprep failed the operation on partition DC=ForestDnsZones,DC=example,DC=local. Skipping to next partition.

    If I try to connect to "DC=ForestDNSZones,DC=example,DC=local" using ADSI Edit I get the error:
    A referral was returned from the server

    If I attempt to run "cscript fixfsmo.vbs DC=ForestDnsZones,DC=example,DC=local" based on I get the error:
    fixfsmo.vbs(19, 5) (null): The specified domain either does not exist or could not be contacted.

    If I run the command:
    ldifde -f Infra_ForestDNZSones.ldf -d "CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=local" -l fsmoroleowner
    I get:
    Connecting to "dc1.example.local"
    Logging in as current user using SSPI
    Exporting directory to file Infra_ForestDNZSones.ldf
    Searching for entries...
    Writing out entriesldap://ForestDnsZones.example.local/CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=local
    No Entries found
    The command has completed successfully

    In DNS I do not see a folder for ForestDNSZones and I am unable to create this partition as "The specified directory partition already exists"

    In ADSI Edit in "CN=Configuration,CN=Partitions" I see a crossRef named "DC=ForestDnsZones,DC=example,DC=local"

    I have only 1 simple domain, no child domains.
    My current forest/domain functional levels are Server 2003
    My replication scopes are set to "To all DNS servers in the Active Directory DOMAIN example.local"

    Is the ForestDnsZone completely lost? Just a reference to it but not actually there?
    Should I change the DNS type to be just Primary / not integrated, delete the Domain/Forest DNS zones and start again?

    I don't know much about AD partitions but have tried the options above with no success.

  • #2
    Re: adprep /rodcprep fails with ForestDnsZones

    I have fixed the problem.
    • I took it into my own hands and firstly backed up AD.
    • I then changed the configuration to 1 DNS server for simplicity and speed (school environment on holiday)
    • I then loosely followed kb294328 and changed the DNS to be standard primary
    • I then deleted both System>MicrosoftDNS (AD users & computers) and also deleted just the crossref for ForestDNSZone (In ADSI Edit)
    • Flushed DNS and restarted Netlogon and DNS
    • Changed Standard to AD-Integrated

    As soon as I did this the crossref automatically re-created and ForestDNSZones appeared in DNS correctly.
    Ran dcdiag and a few other tests - replication, dns is working fine.
    Then ran adprep /rodcprep and this was successful.

    Since I wasn't storing anything in ForestDNSZones I think I am safe and hopefully this is now solved


    • #3
      Re: adprep /rodcprep fails with ForestDnsZones

      Thanks for posting back. Perhaps not relevant to your situation but the only problem I ever have had when running RODCPREP was due to a failed DC in the long and distant past still being marked as an owner of the domain partition. Changing the owner to the relevant FSMO role holder allowed RODCPREP to then run without issues.

      Furthermore, running RODCPREP from a command prompt on a 2008 DC and not explicitly running the command prompt as an administrator can sometimes be the cause. The same applies when running DCDIAG. Command prompt needs running as an administrator or you will get results that look to be an issue but in fact are not.

      Again, maybe not relevant here.
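
The two conditions discussed in this thread (a crossRef for ForestDnsZones with no readable partition behind it, and an Infrastructure object whose fSMORoleOwner still points at a removed DC) can be checked before running adprep /rodcprep. The following read-only PowerShell audit is an added example, not part of the original posts. It assumes the ActiveDirectory module (RSAT) is installed and that a DC reachable through AD Web Services is available; the variable names and status strings are illustrative.

```powershell
# Added example: read-only audit of the DNS application partitions.
# Assumption: ActiveDirectory module (RSAT) and a DC running AD Web Services.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Every naming context in the forest has a crossRef under CN=Partitions.
$query = @{
    SearchBase  = "CN=Partitions,$configNC"
    SearchScope = 'OneLevel'
    LDAPFilter  = '(&(objectClass=crossRef)(nCName=*))'
    Properties  = 'nCName', 'dnsRoot', 'msDS-NC-Replica-Locations'
}

foreach ($cr in Get-ADObject @query) {
    $nc = [string]$cr.nCName
    # Only the ForestDnsZones / DomainDnsZones partitions are of interest here.
    if ($nc -notmatch '^DC=(Forest|Domain)DnsZones,') { continue }

    # DCs that are listed as holding a replica of this partition.
    $replicas = @($cr.'msDS-NC-Replica-Locations' | Where-Object { $_ })
    $owner    = $null
    $findings = @()

    try {
        # adprep /rodcprep relies on the Infrastructure object of each partition.
        $infra = Get-ADObject -Identity "CN=Infrastructure,$nc" `
                     -Properties fSMORoleOwner -ErrorAction Stop
        $owner = [string]$infra.fSMORoleOwner
        # A removed DC leaves an owner DN that contains "\0ADEL:".
        if ($owner -match '\\0ADEL:') { $findings += 'owner is a deleted DC' }
        if (-not $owner)              { $findings += 'no fSMORoleOwner set' }
    } catch {
        $findings += 'crossRef exists but the partition could not be read'
    }
    if ($replicas.Count -eq 0) { $findings += 'no replica locations listed' }
    if ($findings.Count -eq 0) { $findings += 'OK' }

    [pscustomobject]@{
        Partition     = $nc
        ReplicaCount  = $replicas.Count
        FsmoRoleOwner = $owner
        Findings      = $findings -join '; '
    }
}
```

The script changes nothing in the directory. Run it from an elevated prompt, as noted in post #3, so that access errors are not mistaken for a missing partition.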