Solved

userAccountControl attribute SBS server

Posted on 2009-03-30
5
713 Views
Last Modified: 2012-05-06
I have a SBS 2003 server that started having a strange problem (detailed here: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24201996.html#a24019047).

In attempting to join a Mac to the domain, the Mac took over the server's name...and now the server is classified as a workstation.

Other than the errors detailed in the question above (and similar errors on workstations), the network is running, people are getting email and able to access shared resources.  However, I have to think that I'm just looking for trouble down the road if I leave the setup as is.

When a DCDIAG is run, this is the only error:

Starting test: MachineAccount
         The account COMPANYSBS is not trusted for delegation.  It cannot replicat
e.
         The account COMPANYSBS is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of COMPANYSBS is: 0x1000 = ( UF_WO
RKSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TR
USTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... COMPANYSBS failed test MachineAccount

Through other research, I found (and Microsoft confirmed) that the userAccountControl attribute needs to be changed from its current value of 4096 to the correct value of 532480.  However, several different attempts to do so have failed due to insufficient rights or permissions.

The only system state backup that I have that does not have the problem is from 10/9/2007.  Microsoft advised that I restore that backup and I should be all set; but I have a hard time believing that since I'm guessing I'd have to fix a slew of problems with changes made since October 2007.

Any suggestions as to how this attribute can get changed?  We tried via ADSIEDIT and LDP, no dice.
0
Comment
Question by:tmwes
  • 3
  • 2
5 Comments
 
LVL 12

Expert Comment

by:Krys_K
ID: 24019294
HI There
When you tried to change the value and got insufficient permissions, were you in the Schema Admins and Enterprise Admins group?
Krystian
0
 

Author Comment

by:tmwes
ID: 24019426
Yes...I am/was logged into the server as Administrator.

in ADSIEDIT I get "A required privilege is not held by the client".  Permissions seem to be sufficient on the Security tab.
0
 
LVL 12

Expert Comment

by:Krys_K
ID: 24019469
You say you were logged in as administrator, but were you Schema Admin and Enterprise Admin? I know you may be Domain Admin but that won't have eough permissions to change what you want to do.
In AD go to your account and add those 2 groups, then log off and back on the machine you will use to make the changes on using ADSIEdit etc.
Cheers
Krystian
0
 

Author Comment

by:tmwes
ID: 24019561
I'm sorry; I guess I wasn't clear.  I am logged into the server as Administrator, and the Administrator account is in both of those groups.
0
 

Accepted Solution

by:
tmwes earned 0 total points
ID: 24050776
So Microsoft has spent a total of 9 hours logged into my server trying various things to address this issue, and they have come up with nothing.  First I had the general tech, then the SBS tech, now a Directory Services tech.  They are supposed to call back today and give it another shot.

I'll update the thread if they are successful.  I'm trying to watch what they are doing and keeping notes so that when they actually ARE successful, I can post the solution here...but so far they have hit a dead end every time.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question