When attempting to promote a new domain controller into an existing active directory environment, an error was encountered that wasn’t previously seen.
Error: The DN is CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=. The error logs were located: C:\Windows\debug\adprep\logs\
Looking into these folders, find the file ending in .87 and open in Notepad
Note the Attribute 0 appliesTo value
On a functional domain controller, launch ADSI Edit and connect to Configuration
Inside of CN=Extended-Rights, edit the “appliesTo” attribute for the below list of entries to remove the value data mentioned in the log file
List of items to edit:
CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld
Once these have been done, attempt to run ADPREP again.