Just a quick reminder now that we seem to have a flood of folks moving from 2003 to 2008R2 and 2012 Active Directory…
Your application partitions like the Domain and Forest DNS Zones also have an Infrastructure Master (IM) FSMO role attached to them that may cause certain things to break if you don’t keep them up to date.
So for example, if you try to run ADPREP /RODCPREP and you start seeing errors like:
Adprep encountered an LDAP error. Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
Then check the infrastructure object of the NC with AdFind or some other tool and look at the fSMORoleOwner attribute to make sure that it holds a correct and valid value.
For example something like this:
G:\adprep>adfind -domaindns -f name=infrastructure fSMORoleOwner
AdFind V01.47.00cpp Joe Richards (email@example.com) October 2012
Using server: DC1.dev.wtf.corp.com:389
Directory: Windows Server 2008 R2
Base DN: DC=DomainDnsZones,DC=dev,DC=wtf,DC=corp,DC=com
>fSMORoleOwner: CN=NTDS Settings\0ADEL:036c1840-901a-405e-a9c9-57b2991bee0a,CN=DELETED_DC\0ADEL:a0f01247-672
1 Objects returned
You can read more at
Of course if you have AdMod, you don’t need to use the script to modify the value. You can simply do something like
admod -b <DN_of_IM_Object> fSMORoleOwner::<DN_of_NTDS_Settings_Object_of_Desired_DC>
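To run the same check over several naming contexts at once, the following added example (not part of the original post and not part of AdFind) parses saved AdFind-style output and flags any infrastructure object whose fSMORoleOwner points at a deleted object. It assumes each object is introduced by a dn: line; the example.test forest, the GUIDs and the function names are constructed for illustration.

```python
import re

DELETED_MARK = "\\0ADEL:"  # escaped newline + "DEL:" that AD appends to a deleted object's RDN

# Constructed AdFind-style output (hypothetical example.test forest, made-up GUIDs).
SAMPLE = r"""
dn:CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=test
>fSMORoleOwner: CN=NTDS Settings\0ADEL:11111111-2222-3333-4444-555555555555,CN=OLDDC\0ADEL:66666666-7777-8888-9999-aaaaaaaaaaaa,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=test
dn:CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=test
>fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=test
dn:CN=Infrastructure,DC=example,DC=test
"""

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn)

def parse_adfind(text):
    """Return {infrastructure object DN: fSMORoleOwner value, or None if absent}."""
    owners, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            current = line[3:].strip()
            owners[current] = None
        elif line.lower().startswith(">fsmoroleowner:") and current:
            owners[current] = line.split(":", 1)[1].strip()
    return owners

def classify(owner):
    """OK, STALE (owner is a deleted object), MISSING, or MALFORMED."""
    if not owner:
        return "MISSING"
    rdns = split_dn(owner)
    if any(DELETED_MARK in rdn for rdn in rdns):
        return "STALE"
    if rdns[0].lower() != "cn=ntds settings":
        return "MALFORMED"  # the owner should be a DC's NTDS Settings object
    return "OK"

def audit(text):
    """Map each infrastructure object DN to its role-owner status."""
    return {dn: classify(owner) for dn, owner in parse_adfind(text).items()}

if __name__ == "__main__":
    for dn, status in audit(SAMPLE).items():
        print(f"{status:9} {dn}")
```

Anything reported as STALE or MISSING is a candidate for the fSMORoleOwner fix shown above before running ADPREP.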
P.S. Yes I agree that error from AdPrep sucks ass. When someone says they received LDAP Error Code 0x00 I am happy for them since the command completed successfully as LDAP Error 0x00 is LDAP_SUCCESS aka Sucessful request (sic). See more LDAP error codes (and perhaps some typos) at http://support.microsoft.com/kb/218185.