ADPrep Execution Failed

Question

Hello. I have a virtual machine named V-DIR-SRV01 and it will not promote to a domain controller. It is running server 2022. My pre-existing dc (P-DELL-HYPVSR01) is running Server 2016.

I receive this error:

ADPrep execution failed --> Microsoft.DirectoryServices.Deployment.ADPrepLdapException: No Such Object. Server extended error: 8333. Server extended message: 0000208D: NameErr: DSID-03100245, problem 2001 (NO_OBJECT), data 0, best match of:

'DC=contoso,DC=com'

.

Adprep was unable to modify the security descriptor on object CN=Keys,DC=contoso,DC=com.

[Status/Consequence]

ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20240617114221 directory for more information..

Check the log files in the C:\Windows\debug\adprep\logs\20240617114221 directory for detailed information.

Some info:

• V-DIR-SRV01 IP: 10.0.0.242
• P-DELL-HYPVSR02 IP: 10.0.0.241
• They're both on the same subnet (/24).
• They can ping each other.
• I have the DNS for both servers set to 10.0.0.241.
• Schema is set to 88 on the current dc.
• I have deleted and recreated the virtual machine. Still the same error.
• I was able to promote another (physical) server (running server 2016) to a dc on the domain. I have cleared that domain controller out.
• Verified time/date settings are correct.
• I've done the typical restarting servers and so on.

repadmin /replsum shows this:

C:\Windows\system32>repadmin /replsum

Replication Summary Start Time: 2024-06-17 13:48:16

Beginning data collection for replication summary, this may take awhile:

....

Source DSA largest delta fails/total %% error

Destination DSA largest delta fails/total %% error

The ADPrep log file is quite long. Here is a paste of the end of the log (I can provide all the logs, ipconfigs for both servers, error message, etc. to whoever needs it):

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.

[2024/06/17:11:42:21.525]

Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=c81fc9cc-0130-f4d1-b272-634d74818133,cn=Operations,cn=DomainUpdates,cn=System,DC=contoso,DC=com.

[2024/06/17:11:42:21.526]

LDAP API ldap_search_s() finished, return code is 0x20

[2024/06/17:11:42:21.526]

Adprep verified the state of operation cn=c81fc9cc-0130-f4d1-b272-634d74818133,cn=Operations,cn=DomainUpdates,cn=System,DC=contoso,DC=com.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.

[2024/06/17:11:42:21.526]

Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Keys,DC=contoso,DC=com.

[2024/06/17:11:42:21.527]

LDAP API ldap_search_s() finished, return code is 0x20

[2024/06/17:11:42:21.527]

Adprep was unable to modify the security descriptor on object CN=Keys,DC=contoso,DC=com.

[Status/Consequence]

ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20240617114221 directory for more information.

[2024/06/17:11:42:21.527]

Adprep encountered an LDAP error.

Error code: 0x20. Server extended error code: 0x208d, Server error message: 0000208D: NameErr: DSID-03100245, problem 2001 (NO_OBJECT), data 0, best match of:

'DC=contoso,DC=com'

DSID Info:

DSID: 0x180e0a0a

ldap error = 0x20

NT BUILD: 20348

NT BUILD: 1

[2024/06/17:11:42:21.527]

Adprep was unable to update domain information.

[Status/Consequence]

Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

[User Action]

Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20240617114221 directory for more information.

Any help would be greatly appreciated. I am having a difficult time trying to resolve this.