tejs1dhu

asked on

Seize Schema Master Role

Hi

We have a small network with two DCs. One of the DCs (server2) went down a while back, and this DC had all the operations master roles assigned to it. This computer was rebuilt. When it was rebuilt it didn't assume the operations master roles, and no one noticed this until we had to bring down the other DC (server1). When we brought it down AD wasn't working properly and no one could log on to the network (well, they could, but it would use their cached profile). Users received the following error:
"No Windows NT or Windows 2000 Domain Controller is available for domain OFFICE. The following error occurred: There are currently no logon servers available to service the logon request."

This is when I started a thorough investigation and found that no DC had the operations master roles and also that there was no global catalog. I thought this could be the reason behind the problems we were having. After looking at an Operations Guide for Active Directory on the Microsoft site I found how to seize the roles. On attempting to seize the schema master role I got this error:

ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server2
Binding to server2 ...
Connected to server2 using credentials of locally logged on user
server connections: quit
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031513E2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-0315141D, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
)

I checked my account (the one I was logged on with) and made sure I was a member of Enterprise Admins and Schema Admins and tried again, but still no luck.

Does anyone have any ideas? I'd appreciate any help anyone could give with any of the problems above.

Thanks
mikeleebrla

You probably got those errors because you don't have a copy of the Global Catalog. If I understand you correctly, you currently do NOT have a copy of the global catalog, right?
tejs1dhu (ASKER)
When I go to the DNS snap-in and browse to
Server
  Forward Lookup Zones
    Domain
      _tcp

I can see an entry for _gc with the data field = [0][100][3268] server2.domain.com

But when I run dcdiag:

      Starting test: FsmoCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         ......................... domain failed test FsmoCheck

I only made server2 a global catalog server this morning and haven't rebooted since. Not sure if this is the reason behind this, but a reboot is scheduled for this weekend.
Well, if you "made" server2 a GC today and it didn't have a live GC to get the full copy of the database from, then it really isn't a GC. A GC is a full and complete copy of the whole AD database for the forest. Just checking the GC checkbox on server2 doesn't mean it's an actual live and working GC. It would have to get a copy of the AD database from somewhere, right?
Makes sense, but then how did AD Users and Computers work without a GC? There probably hasn't been a GC for at least a week, but I have been able to use AD Users and Computers as normal. Only when I shut down server1 did it report an error when going to view AD Users and Computers. Sorry for my lack of knowledge regarding Win 2000. I work for a small company and I am the developer/sys admin/helpdesk person. :-) Keeps me busy!
Another thing I have just noticed is that there is no SYSVOL or NETLOGON shares on server2?
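The checks the thread walks through by hand (who holds the FSMO roles, whether a GC is actually answering rather than just ticked in Sites and Services, whether SYSVOL/NETLOGON are shared, and whether the account running ntdsutil really carries Schema Admins in its token) can be scripted. The following is an added example, not code from the original thread: it assumes a domain-joined host with PowerShell 3 or later (the thread's own machines are Windows 2000, where only ntdsutil and dcdiag are available), and uses the thread's placeholder names "server2" and "domain.com". The `Test-TcpPort` helper and the `-Seize` switch are this example's own; the ntdsutil command sequence is the one from the post, passed as arguments.

```powershell
# Added example (not from the original thread). Checks FSMO holders, GC
# availability, SYSVOL/NETLOGON shares and the current token before seizing.
# Assumptions: domain-joined host, PowerShell 3+, run elevated as a member of
# Schema Admins and Enterprise Admins. $Dc/$Forest are the thread's placeholders.
param(
    [string]$Dc     = 'server2',
    [string]$Forest = 'domain.com',
    [switch]$Seize                    # nothing is seized unless this is given
)

Add-Type -AssemblyName System.DirectoryServices

# 1. Current FSMO role holders (what "dcdiag /test:FsmoCheck" is reporting on).
#    If the holder's NTDS Settings object is gone, reading an owner throws,
#    which is itself the symptom the thread describes.
try {
    $f = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $d = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    [pscustomobject]@{
        SchemaMaster       = $f.SchemaRoleOwner.Name
        DomainNamingMaster = $f.NamingRoleOwner.Name
        PdcEmulator        = $d.PdcRoleOwner.Name
        RidMaster          = $d.RidRoleOwner.Name
        Infrastructure     = $d.InfrastructureRoleOwner.Name
    } | Format-List
} catch {
    Write-Warning "Could not read one or more FSMO owners: $($_.Exception.Message)"
}

# 2. A GC must both be registered in DNS and answer LDAP on 3268.
$srv = Resolve-DnsName -Name "_gc._tcp.$Forest" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No _gc._tcp.$Forest SRV record found"
} else {
    $srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority, Weight
}

# Helper for this example: TCP connect with a timeout ($Host is reserved in PS,
# so the parameter is $HostName).
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $c = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $c.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $c.EndConnect($ar)
        return $true
    } catch { return $false } finally { $c.Close() }
}
"$Dc answers on 3268 (GC LDAP): $(Test-TcpPort $Dc 3268)"
"$Dc answers on 389  (LDAP):    $(Test-TcpPort $Dc 389)"

# 3. A DC with no SYSVOL/NETLOGON shares is not advertising as a logon server.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    "\\$Dc\$share present: $(Test-Path "\\$Dc\$share")"
}

# 4. INSUFF_ACCESS_RIGHTS on "seize schema master" is evaluated against the
#    token ntdsutil binds with. Membership added after logon is not in that
#    token, so check the token itself (Schema Admins = RID 518,
#    Enterprise Admins = RID 519) and log off/on if either is missing.
$tok  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$rids = $tok.Groups | ForEach-Object { $_.Value.Split('-')[-1] }
"Schema Admins (RID 518) in current token:     $($rids -contains '518')"
"Enterprise Admins (RID 519) in current token: $($rids -contains '519')"

# 5. Seizure. Only once the old holder is confirmed permanently gone: a DC whose
#    roles were seized must not be brought back online unrebuilt. ntdsutil takes
#    its menu commands as arguments, same sequence as in the post.
if ($Seize) {
    & ntdsutil "roles" "connections" "connect to server $Dc" "quit" `
               "seize schema master" "quit" "quit"
    # Equivalent with the ActiveDirectory module (Server 2008 R2 RSAT or later);
    # -Force seizes when the transfer attempt fails:
    # Move-ADDirectoryServerOperationMasterRole -Identity $Dc `
    #     -OperationMasterRole SchemaMaster -Force
}
```

Run it once without `-Seize` to see the state; if step 4 shows Schema Admins missing from the token even though the account is in the group, log off and back on before retrying, since ntdsutil will keep failing with the same 0x2098 until the token carries the membership.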
ASKER CERTIFIED SOLUTION
mikeleebrla