Solved

Missing "Pre-Windows 2000 Compatibilty Access" Built-in Group

Posted on 2006-11-09
Last Modified: 2012-06-21
I am trying to run adprep /domainprep /gpprep on a Win2k server.
I have run adprep /forestprep successfully.

The group is not in the Built-in accounts in Domain or local security policies.

I get an error saying that "Everyone" needs to be added to the "Pre-Windows 2000 Compatibilty Access" group. Here is the log file:

Adprep failed in the attempt to add the Anonymous Logon SID to the Pre-Windows 2000 Compatible Access group.

HELP!

Thx

[Status/Consequence]

For backward compatibility, Adprep requires that the Anonymous Logon security group be a member of the pre-Windows 2000 Compatible Access security group if the Everyone group is also a member. On domain controllers running Windows Server 2003, the Everyone group no longer includes Anonymous Logon.

[User Action]

Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied..



Adprep was unable to update domain-wide information.

[Status/Consequence]

Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

[User Action]

Check the log file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20061109142105 directory for more information.

Question by:turnerni
8 Comments
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 17912559
Is Domain in Mixed Mode?

Are you running adprep using Schema Admin?

Can you check if Infrastructure Master is alive and reachable?

Can you check if Schema FSMO is available?

Can you add Anonymous Logon user to Pre.....group using Command line?

Check out here:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=3140
0
 

Author Comment

by:turnerni
ID: 17916796
The domain is in Native mode.
I am trying to do this on the Infrastructure Admin.
I can not add using the cmd line as the group is not there and the Anonymous Logon User is also missing.

I have already tried net localgroup "Pre....Access" Everyone /add

Not sure what you mean by Schema FSMO.

I am logged in as a schema admin.

I am a bit rusty so bear with me.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\turnerni>net localgroup "Pre-Windows 2000 Compatibilty
 Access" Everyone /add
There is no such user or group: Pre-Windows 2000 Compatibilty Access.

More help is available by typing NET HELPMSG 3780.


C:\Documents and Settings\turnerni>net helpmsg 3780

There is no such user or group: ***.


EXPLANATION

The user or group specified does not exist.

ACTION

Retype the command with a correct user name or group name.

0
 

Author Comment

by:turnerni
ID: 17919583
I had a typo in my post; it should read "compatible" instead of "compatibilty".
I have been using the right word in my attempts to fix this.

thx
0
 
LVL 5

Expert Comment

by:DhammikaWee
ID: 17920873
So if you want to update the AD then you have to log on using an AD schema admin. Whether your system is multilevel or not, you have to log on to the root server as the root forest's admin, and that admin must have schema admin rights. This change is enterprise-wide, which means the admin must be an enterprise admin of the entire forest.
It is best to log on as the forest's admin at the root server and run adprep.
Also make sure that the Schema Master and Infrastructure Master roles are running, and make sure the servers that hold those roles are up and running at the time of running adprep.

DB
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 18375260
Did you manage to solve your problem?
0
 

Author Comment

by:turnerni
ID: 18375982
PROBLEM DESCRIPTION:
I broke down and called MS and paid the $245

This is the resolution

Unable to bring in the Windows 2003 R2 Server as an Additional Domain Controller in Windows 2000 Domain

RESOLUTION:

On the Windows 2000 Domain Controller
1. While trying to run ADPREP /domainprep we were getting the following error: "Adprep failed in the attempt to add the Anonymous Logon SID to the Pre-Windows 2000 Compatible Access group"
2. Created the "cn=2416c60a-fe15-4d7a-a61e-dffd5df864d3,cn=Operations,cn=DomainUpdates,cn=System, DC=domain,DC=com" container object manually going into adsiedit.msc from the run window
3. Tried to run ADPREP /domainprep, successful

On the Windows 2003 Domain Controller
1. Ran DCPROMO on it and promoted it as an Additional Domain Controller
2. The SYSVOL and NETLOGON shares were missing after running DCPROMO on it
3. Disabled Windows Firewall service on it, restarted the File Replication (NTFRS) service, got the SYSVOL and NETLOGON shares
4. Checked for Active Directory replication successful from Active Directory Sites and Services, successful
5. Transferred all the FSMO on the win2k3 DC <ServerName> as per KB 324801

RELATED KNOWLEDGE BASED ARTICLES:

Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest
http://support.microsoft.com/kb/309628/en-us

Schema Updates Require Write Access to Schema in Active Directory
http://support.microsoft.com/kb/285172/en-us

Windows Server 2003 adprep /forestprep command causes mangled attributes in Windows 2000 forests that contain Exchange 2000 servers
http://support.microsoft.com/kb/314649/en-us

Error message when you run the Active Directory Installation Wizard: "The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer"
http://support.microsoft.com/kb/917385/en-us
0
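An added example, not part of the thread or of Microsoft's resolution: a check of the state the workaround above leaves behind. It compares the membership of Pre-Windows 2000 Compatible Access with the hand-made DomainUpdates container, assuming (as the thread's outcome suggests) that adprep treats the container as "operation already done". The function names and sample DNs are constructed; `DC=domain,DC=com` is the thread's placeholder.

```python
import re

# Well-known SIDs; as group members they appear as foreign security principals.
EVERYONE = "S-1-1-0"
ANONYMOUS_LOGON = "S-1-5-7"
# GUID of the container created by hand in the resolution above.
OPERATION_GUID = "2416c60a-fe15-4d7a-a61e-dffd5df864d3"


def leftmost_rdn_value(dn):
    """Value of the first RDN, honouring backslash-escaped commas."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    return rdn.split("=", 1)[1].strip()


def audit(member_dns, operation_dns):
    """Compare group membership with the hand-made DomainUpdates marker.

    member_dns:    'member' values of Pre-Windows 2000 Compatible Access
    operation_dns: DNs of the children of cn=Operations,cn=DomainUpdates,cn=System
    """
    sids = {
        leftmost_rdn_value(dn).upper()
        for dn in member_dns
        if ",cn=foreignsecurityprincipals," in dn.lower()
    }
    marker = any(leftmost_rdn_value(dn).lower() == OPERATION_GUID
                 for dn in operation_dns)
    everyone, anonymous = EVERYONE in sids, ANONYMOUS_LOGON in sids
    findings = []
    if marker and everyone and not anonymous:
        findings.append("marker present but Anonymous Logon missing: "
                        "group was not updated the way the adprep log describes")
    if anonymous:
        findings.append("Anonymous Logon is a member: review whether "
                        "anonymous directory reads are still required")
    return {"marker": marker, "everyone": everyone,
            "anonymous": anonymous, "findings": findings}


# Constructed sample input (DC=domain,DC=com is the thread's placeholder domain).
SAMPLE_MEMBERS = ["CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=domain,DC=com"]
SAMPLE_OPERATIONS = [
    "CN=2416c60a-fe15-4d7a-a61e-dffd5df864d3,CN=Operations,"
    "CN=DomainUpdates,CN=System,DC=domain,DC=com"
]

if __name__ == "__main__":
    for line in audit(SAMPLE_MEMBERS, SAMPLE_OPERATIONS)["findings"]:
        print(line)
```

Feed it the group's `member` values and the child DNs of the Operations container exported from the directory (for example with adsiedit.msc, which the resolution already uses).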
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18753167
PAQed with points refunded (500)

Computer101
EE Admin
0
