Solved

Missing "Pre-Windows 2000 Compatibilty Access" Built-in Group

Posted on 2006-11-09
Last Modified: 2012-06-21
I am trying to run adprep /domainprep /gpprep on a Win2k server.
I have run adprep /forestprep successfully.

The group is not in the Built-in accounts in Domain or local security policies

I get an error saying the "Everyone" needs to be added to the "Pre-Windows 2000 Compatibilty Access" Group. Here is the log file:

Adprep failed in the attempt to add the Anonymous Logon SID to the Pre-Windows 2000 Compatible Access group.

HELP!

Thx

[Status/Consequence]

For backward compatibility, Adprep requires that the Anonymous Logon security group be a member of the pre-Windows 2000 Compatible Access security group if the Everyone group is also a member. On domain controllers running Windows Server 2003, the Everyone group no longer includes Anonymous Logon.

[User Action]

Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied..



Adprep was unable to update domain-wide information.

[Status/Consequence]

Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

[User Action]

Check the log file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20061109142105 directory for more information.

Question by:turnerni
8 Comments
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 17912559
Is Domain in Mixed Mode?

Are you running adprep using Schema Admin?

Can you check if Infrastructure Master is alive and reachable?

Can you check if Schema FSMO is available?

Can you add Anonymous Logon user to Pre.....group using Command line?

Check out here:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=3140
0
 

Author Comment

by:turnerni
ID: 17916796
The domain is in Native mode.
I am trying to do this on the Infrastructure Admin.
I can not add using the cmd line as the group is not there and the Anonymous Logon User is also missing.

I have already tried net localgroup "Pre....Access" Everyone /add

Not sure what you mean by Schema FSMO.

I am logged in as a schema admin.

I am a bit rusty so bear with me.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\turnerni>net localgroup "Pre-Windows 2000 Compatibilty
 Access" Everyone /add
There is no such user or group: Pre-Windows 2000 Compatibilty Access.

More help is available by typing NET HELPMSG 3780.


C:\Documents and Settings\turnerni>net helpmsg 3780

There is no such user or group: ***.


EXPLANATION

The user or group specified does not exist.

ACTION

Retype the command with a correct user name or group name.

0
 

Author Comment

by:turnerni
ID: 17919583
I had a typo in my post; it should read "compatible" instead of "compatibilty".
I have been using the right word in my attempts to fix this.

thx
0

 
LVL 5

Expert Comment

by:DhammikaWee
ID: 17920873
So if you want to update the AD then you have to log on using an AD schema admin. Whether your system is multilevel or not, you have to log on to the root server as the root forest's admin, and that admin must have schema admin rights. This change is enterprise-wide, which means the admin must be an enterprise admin of the entire forest.
It is best to log on as the forest's admin at the root server and run the adprep.
And make sure that the Schema Master and Infrastructure Master roles are running, and make sure the servers that hold those roles are up and running at the time of running adprep.

DB
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 18375260
Did you manage to solve your problem?
0
 

Author Comment

by:turnerni
ID: 18375982
PROBLEM DESCRIPTION:
I broke down and called MS and paid the $245
 
This is the resolution


Unable to bring in the Windows 2003 R2 Server as an Additional Domain Controller in Windows 2000 Domain

 

RESOLUTION:

 

On the Windows 2000 Domain Controller
1.       While trying to run ADPREP /domainprep we were getting the following error: "Adprep failed in the attempt to add the Anonymous Logon SID to the Pre-Windows 2000 Compatible Access group"
2.       Created the "cn=2416c60a-fe15-4d7a-a61e-dffd5df864d3,cn=Operations,cn=DomainUpdates,cn=System, DC=domain,DC=com" container object manually going into adsiedit.msc from the run window
3.       Tried to run ADPREP /domainprep, successful
 
On the Windows 2003 Domain Controller
1.       Ran DCPROMO on it and promoted it as an Additional Domain Controller
2.       The SYSVOL and NETLOGON shares were missing after running DCPROMO on it
3.       Disabled Windows Firewall service on it, restarted the File Replication (NTFRS) service, got the SYSVOL and NETLOGON shares
4.       Checked for Active Directory replication successful from Active Directory Sites and Services, successful
5.       Transferred all the FSMO on the win2k3 DC <ServerName> as per KB 324801



 

RELATED KNOWLEDGE BASE ARTICLES:

 

Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest

http://support.microsoft.com/kb/309628/en-us 

 

Schema Updates Require Write Access to Schema in Active Directory

http://support.microsoft.com/kb/285172/en-us 

 

Windows Server 2003 adprep /forestprep command causes mangled attributes in Windows 2000 forests that contain Exchange 2000 servers

http://support.microsoft.com/kb/314649/en-us 

 

Error message when you run the Active Directory Installation Wizard: "The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer"

http://support.microsoft.com/kb/917385/en-us 

 

0
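Added example (not part of the original thread or of Microsoft's resolution): after a run like the one above, the membership rule quoted in the Adprep log can be checked from an LDIF export of the group. The sample export is constructed, and the code assumes the well-known principals appear in the `member` attribute as foreign security principals named by their SID string.

```python
import re

# Well-known SIDs (identical on every Windows domain).
EVERYONE = "S-1-1-0"
ANONYMOUS_LOGON = "S-1-5-7"

# Constructed sample: LDIF export of the built-in group, with one folded line.
SAMPLE_LDIF = """\
dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=domain,DC=com
changetype: add
member: CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=domain,DC=com
member: CN=S-1-5-11,CN=ForeignSecurityPrin
 cipals,DC=domain,DC=com
"""

MEMBER_RE = re.compile(
    r"member:\s*CN=(S-\d+(?:-\d+)+),CN=ForeignSecurityPrincipals,", re.I
)

def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def member_sids(ldif_text):
    """Return the SIDs of well-known principals listed as group members."""
    sids = set()
    for line in unfold(ldif_text):
        match = MEMBER_RE.match(line)
        if match:
            sids.add(match.group(1).upper())
    return sids

def adprep_rule_satisfied(sids):
    """Adprep log rule: if Everyone is a member, Anonymous Logon must be too."""
    return EVERYONE not in sids or ANONYMOUS_LOGON in sids

if __name__ == "__main__":
    found = member_sids(SAMPLE_LDIF)
    print(sorted(found), "rule satisfied:", adprep_rule_satisfied(found))
```

Base64-encoded values (`member::`) are not decoded here; a group whose member DNs contain non-ASCII characters needs that step added.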
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18753167
PAQed with points refunded (500)

Computer101
EE Admin
0
