PWyatt1

asked on

Can't Seize schema master

Environment: Windows 2003 Advanced Server on two DCs
The DC (#2) holding the schema master was getting flaky, so I did the following:
1. Went to the good DC (#1) and attempted to seize all the roles using ntdsutil. Everything went fine except for the schema master. On the "seize schema master" command I got an error. So-o-o-o.
2. I demoted DC#2, thinking that the normal demotion would transfer the schema master over to DC#1, but No-o-o-o.
3. I then did a dcpromo /forceremoval to see if that would work. No go.
4. Did a simple netdom query fsmo on the good DC, but I got an error (not related, but why an error with the netdom command on a good DC?).
5. Thought it was maybe hanging entries, so I deleted all references to the demoted DC in Sites and Services, adsiedit Domain OU, DNS _msdcs, and domain.
6. Rebooted both servers and did a netdom query fsmo on the good DC. Still an error.
7. Did a DCdiag on the good DC and got an error on KnowsOfRoleHolders. It looks like the reference is to the SID of the demoted server, which means it thinks that server has the schema but it is not available.

Is there a way for me to recover the schema master and get it over onto my good DC?
AnthonyP9618

You need to perform a metadata cleanup... Here's a walkthrough:

http://technet2.microsoft.com/WindowsServer/en/library/012793ee-5e8c-4a5c-9f66-4a486a7114fd1033.mspx?mfr=true

Here's some other information as well..

http://support.microsoft.com/kb/255504
"Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata."

If you're running Windows 2003 SP1, the metadata cleanup should transfer the schema master back to the remaining DC.
PWyatt1

ASKER

Sorry Anthony. I forget to say that I had already done the metadata cleanup and removed the offending server.

I have Windows 2003 SP1 already installed and running.
Netman66
Normally, when both DCs are online, you transfer the roles rather than seize them. Since the other server is no longer online (and plugged in), make the existing DC a Global Catalog server (in Sites and Services), then wait an hour.

Now try to seize the Schema role.  You MUST be using an account that is a member of the Schema Admins to do this.

PWyatt1

ASKER

Thanks Netman.
The good server (DC#1) is already a GC. I am logged in as admin.

Interesting what is happening. When I go in to seize the schema master from DC#1 (the good DC), the confirming popup lists my good server as the role holder. Then, when I click Yes, I get the errors. However, afterwards, when I do a DCDIAG, I still get the KnowsOfRoleHolders errors listing the old server name. In the DCDIAG, I also get SYSVOL errors.

Help would be appreciated.
Run DCPROMO /forceremoval on the old server and remove it completely from the network.

Do a metadata cleanup to be certain it's gone.  Also remove all references to it from DNS (every container), then open up AD Sites and Services and delete the server from there.

Reboot the new server.

Try to seize it again.

PWyatt1

ASKER

Please see my first post for what I have done.
OK, please post a DCDIAG /v output.

PWyatt1

ASKER

OK here it is. Please note, I also verified all Windows user rights per KB812614.
Thanks



(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator.MCOL>dcdiag /v

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine MCOLLANMGR, is a DC.
   * Connecting to directory service on server MCOLLANMGR.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: LakeForest\MCOLLANMGR
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... MCOLLANMGR passed test Connectivity

Doing primary tests

   Testing server: LakeForest\MCOLLANMGR
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=DomainDnsZones,DC=MCOL
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=ForestDnsZones,DC=MCOL
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=MCOL
               Latency information for 13 entries in the vector were ignored.
                  13 were retired Invocations.  0 were either: read-only replica
s and are not verifiably latent, or dc's no longer replicating this nc.  0 had n
o latency information (Win2K DC).
            CN=Configuration,DC=MCOL
               Latency information for 13 entries in the vector were ignored.
                  13 were retired Invocations.  0 were either: read-only replica
s and are not verifiably latent, or dc's no longer replicating this nc.  0 had n
o latency information (Win2K DC).
            DC=MCOL
               Latency information for 13 entries in the vector were ignored.
                  13 were retired Invocations.  0 were either: read-only replica
s and are not verifiably latent, or dc's no longer replicating this nc.  0 had n
o latency information (Win2K DC).
         * Replication Site Latency Check
         ......................... MCOLLANMGR passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           DC=DomainDnsZones,DC=MCOL
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=ForestDnsZones,DC=MCOL
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=MCOL
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=MCOL
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=MCOL
            (Domain,Version 2)
         ......................... MCOLLANMGR passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... MCOLLANMGR passed test NetLogons
      Starting test: Advertising
         The DC MCOLLANMGR is advertising itself as a DC and having a DS.
         The DC MCOLLANMGR is advertising as an LDAP server
         The DC MCOLLANMGR is advertising as having a writeable directory
         The DC MCOLLANMGR is advertising as a Key Distribution Center
         The DC MCOLLANMGR is advertising as a time server
         The DS MCOLLANMGR is advertising as a GC.
         ......................... MCOLLANMGR passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings\0ADEL:2c1996ff-954e-4db3-9d32-29122ad2e10e,CN=MCOL2C\0ADEL:11e1e0fc-fc1f-4cfa-81ce-c611f406f1ad,CN=Servers,CN=LakeForest,CN=Sites,CN=Configuration,DC=MCOL
         Warning: CN=NTDS Settings\0ADEL:2c1996ff-954e-4db3-9d32-29122ad2e10e,CN=MCOL2C\0ADEL:11e1e0fc-fc1f-4cfa-81ce-c611f406f1ad,CN=Servers,CN=LakeForest,CN=Sites,CN=Configuration,DC=MCOL is the Schema Owner, but is deleted.
         Role Domain Owner = CN=NTDS Settings,CN=MCOLLANMGR,CN=Servers,CN=LakeForest,CN=Sites,CN=Configuration,DC=MCOL
         Role PDC Owner = CN=NTDS Settings,CN=MCOLLANMGR,CN=Servers,CN=LakeForest,CN=Sites,CN=Configuration,DC=MCOL
         Role Rid Owner = CN=NTDS Settings,CN=MCOLLANMGR,CN=Servers,CN=LakeForest,CN=Sites,CN=Configuration,DC=MCOL
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MCOLLANMGR,CN=Servers,CN=LakeForest,CN=Sites,CN=Configuration,DC=MCOL
         ......................... MCOLLANMGR failed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 9618 to 1073741823
         * MCOLLANMGR.MCOL is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 8618 to 9117
         * rIDPreviousAllocationPool is 8618 to 9117
         * rIDNextRID: 8632
         ......................... MCOLLANMGR passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/MCOLLANMGR.MCOL/MCOL
         * SPN found :LDAP/MCOLLANMGR.MCOL
         * SPN found :LDAP/MCOLLANMGR
         * SPN found :LDAP/MCOLLANMGR.MCOL/MCOL
         * SPN found :LDAP/b057f733-5ef9-4ae9-a874-a2d6c6d18230._msdcs.MCOL
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/b057f733-5ef9-4ae9-a8
74-a2d6c6d18230/MCOL
         * SPN found :HOST/MCOLLANMGR.MCOL/MCOL
         * SPN found :HOST/MCOLLANMGR.MCOL
         * SPN found :HOST/MCOLLANMGR
         * SPN found :HOST/MCOLLANMGR.MCOL/MCOL
         * SPN found :GC/MCOLLANMGR.MCOL/MCOL
         ......................... MCOLLANMGR passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... MCOLLANMGR passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         MCOLLANMGR is in domain DC=MCOL
         Checking for CN=MCOLLANMGR,OU=Domain Controllers,DC=MCOL in domain DC=M
COL on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=MCOLLANMGR,CN=Servers,CN=LakeForest,CN
=Sites,CN=Configuration,DC=MCOL in domain CN=Configuration,DC=MCOL on 1 servers
            Object is up-to-date on all servers.
         ......................... MCOLLANMGR passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... MCOLLANMGR passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... MCOLLANMGR passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minut
es.
         ......................... MCOLLANMGR passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... MCOLLANMGR passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=MCOLLANMGR,OU=Domain Controllers,DC=MCOL and backlink on
         CN=MCOLLANMGR,CN=Servers,CN=LakeForest,CN=Sites,CN=Configuration,DC=MCO
L
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=MCOLLANMGR,CN=Domain System Volume (SYSVOL share),CN=File Replicatio
n Service,CN=System,DC=MCOL
         and backlink on CN=MCOLLANMGR,OU=Domain Controllers,DC=MCOL are
         correct.
         The system object reference (serverReferenceBL)
         CN=MCOLLANMGR,CN=Domain System Volume (SYSVOL share),CN=File Replicatio
n Service,CN=System,DC=MCOL
         and backlink on
         CN=NTDS Settings,CN=MCOLLANMGR,CN=Servers,CN=LakeForest,CN=Sites,CN=Con
figuration,DC=MCOL
         are correct.
         ......................... MCOLLANMGR passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : MCOL
      Starting test: CrossRefValidation
         ......................... MCOL passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MCOL passed test CheckSDRefDom

   Running enterprise tests on : MCOL
      Starting test: Intersite
         Skipping site LakeForest, this site is outside the scope provided by
         the command line arguments provided.
         ......................... MCOL passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\MCOLLANMGR.MCOL
         Locator Flags: 0xe00003fd
         PDC Name: \\MCOLLANMGR.MCOL
         Locator Flags: 0xe00003fd
         Time Server Name: \\MCOLLANMGR.MCOL
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\MCOLLANMGR.MCOL
         Locator Flags: 0xe00003fd
         KDC Name: \\MCOLLANMGR.MCOL
         Locator Flags: 0xe00003fd
         ......................... MCOL passed test FsmoCheck

C:\Documents and Settings\Administrator.MCOL>
Did you follow this procedure to the letter?

1. Open Command Prompt.

2. Type:

ntdsutil

3. At the ntdsutil command prompt, type:

roles

4. At the fsmo maintenance command prompt, type:

connections

5. At the server connections command prompt, type:

connect to server MCOLLANMGR

6. At the server connections prompt, type:

quit

7. At the fsmo maintenance command prompt, type:

seize schema master


If so, save and clear the logs, then run it again. Post any and all log entries that are related to this procedure exactly as they appear.

Let me know.
Oh, and triple-check that you are logged in with an account that is in the Schema Admins group.
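A read-only check for the condition dcdiag flagged under KnowsOfRoleHolders, added here as an example and not code from the thread or from Microsoft: it reads fSMORoleOwner for the five roles over ADSI and reports any owner whose DN carries the \0ADEL: deleted-object marker, and prints RootDSE's isGlobalCatalogReady for the GC readiness the seizure depends on. It assumes PowerShell is installed on the DC; the object paths and attribute names are the standard Active Directory ones.

```powershell
# Added example, not code from this thread: reads the fSMORoleOwner attribute
# of the object that carries each of the five FSMO roles and flags an owner
# whose DN carries the "\0ADEL:" deleted-object marker (the state dcdiag
# reported for the Schema role above). Uses ADSI only, so it needs no
# ActiveDirectory module; assumes PowerShell is installed on the DC.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value

# Standard locations of the fSMORoleOwner attribute for each role.
$roleObjects = @{
    'Schema'         = "LDAP://$schemaNC"
    'DomainNaming'   = "LDAP://CN=Partitions,$configNC"
    'PDC'            = "LDAP://$domainNC"
    'RID'            = "LDAP://CN=RID Manager`$,CN=System,$domainNC"
    'Infrastructure' = "LDAP://CN=Infrastructure,$domainNC"
}

$results = foreach ($role in ($roleObjects.Keys | Sort-Object)) {
    $holder = [ADSI]$roleObjects[$role]
    $owner  = [string]$holder.fSMORoleOwner.Value

    # A live holder reads "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...".
    # Once that NTDS Settings object is deleted, its RDNs carry "\0ADEL:<guid>".
    $deleted = ($owner -match '\\0ADEL:') -or ($owner -match 'CN=Deleted Objects')

    New-Object PSObject -Property @{
        Role    = $role
        Deleted = $deleted
        Owner   = $owner
    }
}

$results | Format-Table Role, Deleted, Owner -AutoSize

# The other precondition raised in the thread: seizure needs a complete GC on
# this DC. isGlobalCatalogReady is a RootDSE attribute; TRUE corresponds to the
# IS_GC option that repadmin /showreps prints.
"isGlobalCatalogReady: {0}" -f $rootDse.isGlobalCatalogReady.Value

$orphaned = @($results | Where-Object { $_.Deleted })
if ($orphaned.Count -gt 0) {
    $msg = "{0} role(s) still point at a deleted holder; a transfer cannot " +
           "succeed, so the role has to be seized by a Schema Admins member."
    Write-Warning ($msg -f $orphaned.Count)
}
```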

PWyatt1

ASKER

Yes Netman, I did follow the ntdsutil steps to seize the schema master, but I will do it again after clearing the logs and noting any errors. I'll also post the errors from the seize schema master attempt.

I have to leave right now, so I'll have to get back to this in the morning. Thanks for the fast replies.
Ok.  I'm just asking you to do this from a fresh slate so I can see it all in real time.  I'll solve this for you.

PWyatt1

ASKER

OK. Here are the results. Strange, as I have logged in as enterprise admin.

fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03151D7D, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:


OK: I received NO errors in my logs:

It was looking like a permission issue to me, now I'm convinced.

Open up ADUC and find the Schema Admin group.
Manually add the Domain\Administrator if it's missing.

Try again while logged in as the Domain\Administrator.
If this fails, then add your admin account into this group for the purposes of the transfer.


Once the Schema Master has been changed remove your account from the Schema Admins group.
PWyatt1

ASKER

Did it and still got the permissions error. However, I noted down the popup message before I actually executed the command, as I thought it was strange:

Are you sure you want server "mcollanmgr" to seize the schema role with the value:

CN=NTDS Settings, CN=MCOLLANMGR, CN= Servers, CN= Lake Forest, CN= Sites, CN=Configuration, DC=MCOL

Note that the system is asking me if I want to seize the schema role that is apparently already owned by the server I am attempting to transfer/seize to. Don't know if this helps.

Go to the Run box and type MMC.
From File menu - Add/Remove snap-in.
Select ADD.
Pick Active Directory Schema.
Click ADD.
Click Close.
Click OK.
Expand Active Directory Schema.
Right click Active Directory Schema and select Operations Master.

If you don't get an error, what is the next screen telling you?


PWyatt1

ASKER

Got an ERROR on the top window of the popup
ASKER CERTIFIED SOLUTION
Netman66

This solution is only available to members.
PWyatt1

ASKER

Yup. All 3.
Look, you and I have spent an inordinate amount of time on this. I'm just going to start from scratch and rebuild the server and the domain. I appreciate all the help. I'll give you the points for the effort.

I just wish Microsoft would build products that didn't break so easily and built self-healing features into the OS. Ah well, wishful thinking.
Just hang tight.

Run this command:

repadmin /showreps

Check to make sure the tag "IS_GC" shows true.

If not, then it's just a matter of the GC build process needing to complete. It cannot move the Schema until there is a valid, complete GC online.

See if this server is also showing up in DNS as a GC.

PWyatt1

ASKER

Ran repadmin /showreps and got "DC Options: IS_GC", which I assume means it recognizes the server (MCOLLANMGR) as a DC.
Yes, it's a GC now.

Try this one more thing before you give up on this.

Create a new user named "Transfer"
Add this user to the Domain Admins, Enterprise Admins and Schema Admins groups.
Make sure this user is not in the path of any GPOs that may lock down the console of the server.

Attempt to seize the role again using the steps that showed the error last time.

Let me know.
PWyatt1

ASKER

Created a new user, added it to the three groups, ran ntdsutil for seizing the FSMO roles, and tried to seize the schema master. NADA.

Let me know when you're ready to give up. :)
hehe...

I have a hard time letting a machine beat me!

Well, if you've got the time and not many users you could rebuild it.  I hate not being able to solve issues such as this.

If you want a remote diag, let me know.  Otherwise, carry on with the axe!

NM
PWyatt1

ASKER

I have no problem with a remote diagnostic. Let me know.
Regards.
I'm not sure of your timeline, but it'll have to be Saturday sometime.

If this isn't going to give you enough time to rebuild should things look no different, then better be safe than sorry.

Let me know.
PWyatt1

ASKER

OK. Give me a time and software to download for the session.
My email is my alias here at gmail.  Drop me a line and let me know where you're located (for time zone purposes).

PWyatt1

ASKER

I am in Lake Forest IL, north of Chicago (CST). <<Phone Number Removed by PE>>
Thanks
Send me an email.  I've asked the PE to remove your last post since posting your phone number is a terrible idea - it's a public forum.

I'm on AST so you are 2 hours behind me now.

PWyatt1

ASKER

<<<Email Removed By PE>>>
PWyatt1

ASKER

I FIXED THE PROBLEM!!!
I had a suspicion that the demoted server had lingering objects in the schema master area of the registry that were screwing up the FSMO role holder, so I did a Windows repair on the demoted unit.

It took a while, but after everything was done, I did a netdom query fsmo on the domain controller, and it has all the roles FINALLY!

Thanks for all the help.  What a pain!!!
Were you attempting to seize the roles with the old server still plugged into the network?

PWyatt1

ASKER

Yes
Did you not see my post here:

Date: 11/02/2006 04:03PM AST
Your Comment

Run DCPROMO /forceremoval on the old server and remove it completely from the network.

Do a metadata cleanup to be certain it's gone.  Also remove all references to it from DNS (every container), then open up AD Sites and Services and delete the server from there.

Reboot the new server.

Try to seize it again.


NOTE:  Remove it from the network.......

You forceremoved it from AD - it cannot be allowed to stay on the network after this time.  If you had removed it from the LAN, my bet is the seize process would have worked.

PWyatt1

ASKER

Did #1 and demoted it to a workgroup long ago.

Did #2 and it is not there. Deleted from all folders in DNS.

Rebooted the new server.

Put it back on the LAN. I need it! Remember, when I did the repair after demoting it and moving it to a workgroup, that process deleted all lingering entries, including the screwy schema master entry. It cleaned everything up on that server.

Did  a netdom query fsmo on the only DC and it has all the roles, including the schema master.

Everything is fine.
Thanks