userAccountControl attribute SBS server

I have a SBS 2003 server that started having a strange problem (detailed here: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24201996.html#a24019047).

In attempting to join a Mac to the domain, the Mac took over the server's name...and now the server is classified as a workstation.

Other than the errors detailed in the question above (and similar errors on workstations), the network is running, people are getting email and able to access shared resources.  However, I have to think that I'm just looking for trouble down the road if I leave the setup as is.

When a DCDIAG is run, this is the only error:

Starting test: MachineAccount
         The account COMPANYSBS is not trusted for delegation.  It cannot replicat
e.
         The account COMPANYSBS is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of COMPANYSBS is: 0x1000 = ( UF_WO
RKSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TR
USTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... COMPANYSBS failed test MachineAccount

Through other research, I found (and Microsoft confirmed) that the userAccountControl attribute needs to be changed from its current value of 4096 to the correct value of 532480.  However, several different attempts to do so have failed due to insufficient rights or permissions.

The only system state backup that I have that does not have the problem is from 10/9/2007.  Microsoft advised that I restore that backup and I should be all set; but I have a hard time believing that since I'm guessing I'd have to fix a slew of problems with changes made since October 2007.

Any suggestions as to how this attribute can get changed?  We tried via ADSIEDIT and LDP, no dice.
tmwesAsked:
Who is Participating?
 
tmwesConnect With a Mentor Author Commented:
So Microsoft has spent a total of 9 hours logged into my server trying various things to address this issue, and they have come up with nothing.  First I had the general tech, then the SBS tech, now a Directory Services tech.  They are supposed to call back today and give it another shot.

I'll update the thread if they are successful.  I'm trying to watch what they are doing and keeping notes so that when they actually ARE successful, I can post the solution here...but so far they have hit a dead end every time.
0
 
Krys_KCommented:
HI There
When you tried to change the value and got insufficient permissions, were you in the Schema Admins and Enterprise Admins group?
Krystian
0
 
tmwesAuthor Commented:
Yes...I am/was logged into the server as Administrator.

in ADSIEDIT I get "A required privilege is not held by the client".  Permissions seem to be sufficient on the Security tab.
0
 
Krys_KCommented:
You say you were logged in as administrator, but were you Schema Admin and Enterprise Admin? I know you may be Domain Admin but that won't have eough permissions to change what you want to do.
In AD go to your account and add those 2 groups, then log off and back on the machine you will use to make the changes on using ADSIEdit etc.
Cheers
Krystian
0
 
tmwesAuthor Commented:
I'm sorry; I guess I wasn't clear.  I am logged into the server as Administrator, and the Administrator account is in both of those groups.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.