I am putting forth my investigation into this problem and the solution I found hoping it will be helpful to others in similar Scenarios.
Note that the Fix may not be applicable if the cause of failure is any bit different to what I faced.
I have recently upgraded one of my customer’s environments AD to Windows server 2008 R2 from 2003 server
During the course of this activity, command ADPREP / DOMAINPREP returned with the following error statement.
Error Code:
Message: 000020B5: AtrErr: DSID-03152395, #1: 0: 000020B5:
DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9054f (otherWellKnownObjects).
The error code returns 0x13 DSID-03152395 in log file has to be converted to readable format using the tool DSID.exe and is available only with Microsoft and is not for general public. After decoding the code with the help of MS, i have come up with below findings based on the status message.
What caused the Failure?
The execution of adprep /domainprep will work on the various domain wide operations to make the domain configuration changes to adapt for W2K8 R2. In that, one of the operations will be to create Managed Service Accounts container in AD.
Windows Server 2008 R2 introduces a new type of Container account called a Managed Service Accounts that assists in the endpoint administration. In a way, a managed service account can function like the Built-in organizational unit in default domain configurations.
The error cited in the Adprep.log indicated that domain configuration attribute could not be populated, and this is because of the Managed Service Accounts container already being present in the current AD.
By chance or mistake, we had an OU called” managed service account” in 2k3 environment. Hence while preparing the AD, there is a conflict in creating the Managed service account OU by system command.
What fixed the failure?
Delete the Managed service accounts OU from windows 2003 AD and then run the adprep domainprep.
Don’t rename the OU, because, chances of solving the issue by renaming the OU are very slim.
So better delete it.
Action to be performed:
– Take a system state backup on all domain controllers.
– Move the contents of the Managed service account OU to another OU.
– When all users and sub OU have been, delete the OU.
Then run adprep domainprep and it should complete without errors.
Dev's Technical Blog 
Thanks for this blog it will help me in feature…
LikeLiked by 1 person
Hi, Thanks for this, it nearly fixed it for me. I knew I'd created the Managed Service Accounts OU not long before the upgrade, so managed to put two and two together.The problem was that even though I'd removed the OU, the adprep still kept failing. Still hunting through, I found plenty of people suggesting this required a 'confidental fix from Microsoft support'. No chance of us doing that obviously! Anyway, the OU has an additional piece of info that needs removing via ADSIEDIT, as per this…\”CN=5e1574f6-55df-493e-a671-aaeffca6a100,CN=Operations,CN=DomainUpdates,CN=System,DC=,DC=Hope this helps others!CheersAlastair
LikeLiked by 1 person
Thank you, thank you! It absolutely worked beautifully! Louis.
LikeLiked by 1 person
Thank god. Found this post 7 years later and it saved my butt. Thank you!
LikeLiked by 1 person