Solved

Missing "Pre-Windows 2000 Compatibilty Access" Built-in Group

Posted on 2006-11-09
8
642 Views
Last Modified: 2012-06-21
I am trying to run adprep /domainprep /gpprep. on a win2k Server.
I have run adprep /forestprep succesfullly.

The group is not in the Built-in accounts in Domain or local security policies

Iget an error saying the "Everyone" needs to be added to the"Pre-Windows 2000 Compatibilty Access" Group. Here is the log file:

Adprep failed in the attempt to add the Anonymous Logon SID to the Pre-Windows 2000 Compatible Access group.

HELP!

Thx

[Status/Consequence]

For backward compatibility, Adprep requires that the Anonymous Logon security group be a member of the pre-Windows 2000 Compatible Access security group if the Everyone group is also a member. On domain controllers running Windows Server 2003, the Everyone group no longer includes Anonymous Logon.

[User Action]

Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied..



Adprep was unable to update domain-wide information.

[Status/Consequence]

Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

[User Action]

Check the log file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20061109142105 directory for more information.

0
Comment
Question by:turnerni
8 Comments
 
LVL 35

Expert Comment

by:Nick Sui
Comment Utility
Is Domain in Mixed Mode?

Are you running adprep using Schema Admin?

Can you check if Infrastructure Master is alive and reachable?

Can you check if Schema FSMO is available?

Can you add Anonymous Logon user to Pre.....group using Command line?

Check out here:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=3140
0
 

Author Comment

by:turnerni
Comment Utility
The domain is in Native mode.
I am trying to do this on the Infrastructure Admin.
I can not add using the cmd line as the group is not there and the Anonymous Logon User is also missing.

I have already tried net localgroup "Pre....Access" Everyone /add

Not sure what you mean by Schema FSMO.

I am logged in as a scema admin.

I am a bit rusty so bare with me.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\turnerni>net localgroup "Pre-Windows 2000 Compatibilty
 Access" Everyone /add
There is no such user or group: Pre-Windows 2000 Compatibilty Access.

More help is available by typing NET HELPMSG 3780.


C:\Documents and Settings\turnerni>net helpmsg 3780

There is no such user or group: ***.


EXPLANATION

The user or group specified does not exist.

ACTION

Retype the command with a correct user name or group name.

0
 

Author Comment

by:turnerni
Comment Utility
i had a typo on my post should read compatible instead of compatibilty.
I have been using the right word in my attempts to fix this.

thx
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 5

Expert Comment

by:DhammikaWee
Comment Utility
so if u want to update the AD then u have to log on using ad schema admin. if ur system is multilevel or not u have to logon to the root server as root forest's admin and that admin must have schema admin rights. and this change is enterprise wide which means the admin must me an enterprise admin of the entire forest.
it is best to logon as the forest's admin at the root server and run the adprep..
and make sure that Shema Master, Infrastucture master roles are running and make sure ther servers who hold those roles are up and running at the time of running adprep.

DB
0
 
LVL 35

Expert Comment

by:Nick Sui
Comment Utility
Did you manage to solve your problem?
0
 

Author Comment

by:turnerni
Comment Utility
PROBLEM DESCRIPTION:
I broke down and called MS and paid the $245
 
This is the resolution


Unable to bring in the Windows 2003 R2 Server as an Additional Domain Controller in Windows 2000 Domain

 

RESOLUTION:

 

On the Windows 2000 Domain Controller
1.       While trying to run ADPREP /domainprep we were getting the following error: "Adprep failed in the attempt to add the Anonymous Logon SID to the Pre-Windows 2000 Compatible Access group"
2.       Created the "cn=2416c60a-fe15-4d7a-a61e-dffd5df864d3,cn=Operations,cn=DomainUpdates,cn=System, DC=domain,DC=com" container object manually going into adsiedit.msc from the run window
3.       Tried to run ADPREP /domainprep, successful
 
On the Windows 2003 Domain Controller
1.       Ran DCPROMO on it and promoted it as an Additional Domain Controller
2.       The SYSVOL and NETLOGON shares were missing after running DCPROMO on it
3.       Disabled Windows Firewall service on it, restarted the File Replication (NTFRS) service, got the SYSVOL and NETLOGON shares
4.       Checked for Active Directory replication successful from Active Directory Sites and Services, successful
5.       Transferred all the FSMO on the win2k3 DC <ServerName> as per KB 324801



 

RELATED KNOWLEDGE BASED ARTICLES:

 

Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest

http://support.microsoft.com/kb/309628/en-us

 

Schema Updates Require Write Access to Schema in Active Directory

http://support.microsoft.com/kb/285172/en-us

 

Windows Server 2003 adprep /forestprep command causes mangled attributes in Windows 2000 forests that contain Exchange 2000 servers

http://support.microsoft.com/kb/314649/en-us

 

Error message when you run the Active Directory Installation Wizard: "The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer"

http://support.microsoft.com/kb/917385/en-us

 

0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
Comment Utility
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
In this step by step tutorial with screenshots, we will show you HOW TO: Enable SSH Remote Access on a VMware vSphere Hypervisor 6.5 (ESXi 6.5). This is important if you need to enable SSH remote access for additional troubleshooting of the ESXi hos…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now