?
Solved

Missing "Pre-Windows 2000 Compatibilty Access" Built-in Group

Posted on 2006-11-09
8
Medium Priority
?
671 Views
Last Modified: 2012-06-21
I am trying to run adprep /domainprep /gpprep. on a win2k Server.
I have run adprep /forestprep succesfullly.

The group is not in the Built-in accounts in Domain or local security policies

Iget an error saying the "Everyone" needs to be added to the"Pre-Windows 2000 Compatibilty Access" Group. Here is the log file:

Adprep failed in the attempt to add the Anonymous Logon SID to the Pre-Windows 2000 Compatible Access group.

HELP!

Thx

[Status/Consequence]

For backward compatibility, Adprep requires that the Anonymous Logon security group be a member of the pre-Windows 2000 Compatible Access security group if the Everyone group is also a member. On domain controllers running Windows Server 2003, the Everyone group no longer includes Anonymous Logon.

[User Action]

Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied..



Adprep was unable to update domain-wide information.

[Status/Consequence]

Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

[User Action]

Check the log file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20061109142105 directory for more information.

0
Comment
Question by:turnerni
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 17912559
Is Domain in Mixed Mode?

Are you running adprep using Schema Admin?

Can you check if Infrastructure Master is alive and reachable?

Can you check if Schema FSMO is available?

Can you add Anonymous Logon user to Pre.....group using Command line?

Check out here:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=3140
0
 

Author Comment

by:turnerni
ID: 17916796
The domain is in Native mode.
I am trying to do this on the Infrastructure Admin.
I can not add using the cmd line as the group is not there and the Anonymous Logon User is also missing.

I have already tried net localgroup "Pre....Access" Everyone /add

Not sure what you mean by Schema FSMO.

I am logged in as a scema admin.

I am a bit rusty so bare with me.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\turnerni>net localgroup "Pre-Windows 2000 Compatibilty
 Access" Everyone /add
There is no such user or group: Pre-Windows 2000 Compatibilty Access.

More help is available by typing NET HELPMSG 3780.


C:\Documents and Settings\turnerni>net helpmsg 3780

There is no such user or group: ***.


EXPLANATION

The user or group specified does not exist.

ACTION

Retype the command with a correct user name or group name.

0
 

Author Comment

by:turnerni
ID: 17919583
i had a typo on my post should read compatible instead of compatibilty.
I have been using the right word in my attempts to fix this.

thx
0
What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

 
LVL 5

Expert Comment

by:DhammikaWee
ID: 17920873
so if u want to update the AD then u have to log on using ad schema admin. if ur system is multilevel or not u have to logon to the root server as root forest's admin and that admin must have schema admin rights. and this change is enterprise wide which means the admin must me an enterprise admin of the entire forest.
it is best to logon as the forest's admin at the root server and run the adprep..
and make sure that Shema Master, Infrastucture master roles are running and make sure ther servers who hold those roles are up and running at the time of running adprep.

DB
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 18375260
Did you manage to solve your problem?
0
 

Author Comment

by:turnerni
ID: 18375982
PROBLEM DESCRIPTION:
I broke down and called MS and paid the $245
 
This is the resolution


Unable to bring in the Windows 2003 R2 Server as an Additional Domain Controller in Windows 2000 Domain

 

RESOLUTION:

 

On the Windows 2000 Domain Controller
1.       While trying to run ADPREP /domainprep we were getting the following error: "Adprep failed in the attempt to add the Anonymous Logon SID to the Pre-Windows 2000 Compatible Access group"
2.       Created the "cn=2416c60a-fe15-4d7a-a61e-dffd5df864d3,cn=Operations,cn=DomainUpdates,cn=System, DC=domain,DC=com" container object manually going into adsiedit.msc from the run window
3.       Tried to run ADPREP /domainprep, successful
 
On the Windows 2003 Domain Controller
1.       Ran DCPROMO on it and promoted it as an Additional Domain Controller
2.       The SYSVOL and NETLOGON shares were missing after running DCPROMO on it
3.       Disabled Windows Firewall service on it, restarted the File Replication (NTFRS) service, got the SYSVOL and NETLOGON shares
4.       Checked for Active Directory replication successful from Active Directory Sites and Services, successful
5.       Transferred all the FSMO on the win2k3 DC <ServerName> as per KB 324801



 

RELATED KNOWLEDGE BASED ARTICLES:

 

Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest

http://support.microsoft.com/kb/309628/en-us 

 

Schema Updates Require Write Access to Schema in Active Directory

http://support.microsoft.com/kb/285172/en-us 

 

Windows Server 2003 adprep /forestprep command causes mangled attributes in Windows 2000 forests that contain Exchange 2000 servers

http://support.microsoft.com/kb/314649/en-us 

 

Error message when you run the Active Directory Installation Wizard: "The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer"

http://support.microsoft.com/kb/917385/en-us 

 

0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18753167
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This is a fine trick which I've found useful many times, when you just don't want to accidentally run a batch script or the commands needs administrator rights.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question