Solved

userAccountControl attribute SBS server

Posted on 2009-03-30
Last Modified: 2012-05-06
I have an SBS 2003 server that started having a strange problem (detailed here: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24201996.html#a24019047).

In attempting to join a Mac to the domain, the Mac took over the server's name...and now the server is classified as a workstation.

Other than the errors detailed in the question above (and similar errors on workstations), the network is running, people are getting email and able to access shared resources.  However, I have to think that I'm just looking for trouble down the road if I leave the setup as is.

When a DCDIAG is run, this is the only error:

Starting test: MachineAccount
         The account COMPANYSBS is not trusted for delegation.  It cannot replicate.
         The account COMPANYSBS is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of COMPANYSBS is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... COMPANYSBS failed test MachineAccount

Through other research, I found (and Microsoft confirmed) that the userAccountControl attribute needs to be changed from its current value of 4096 to the correct value of 532480.  However, several different attempts to do so have failed due to insufficient rights or permissions.

The only system state backup that I have that does not have the problem is from 10/9/2007.  Microsoft advised that I restore that backup and I should be all set; but I have a hard time believing that since I'm guessing I'd have to fix a slew of problems with changes made since October 2007.

Any suggestions as to how this attribute can get changed?  We tried via ADSIEDIT and LDP, no dice.
0
Comment
Question by:tmwes
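
The flag arithmetic behind the DCDIAG warning quoted in the question, as an added example that is not part of the original thread: it decodes a userAccountControl value, reports the same two conditions DCDIAG flagged, and computes the value a DC account would carry while preserving unrelated bits. The bit values are the documented UF_* constants; the function names and the EXAMPLE-* accounts are constructed for illustration.

```python
from enum import IntFlag

class UF(IntFlag):
    """userAccountControl bits relevant to machine accounts (documented UF_* values)."""
    ACCOUNTDISABLE = 0x2
    NORMAL_ACCOUNT = 0x200
    INTERDOMAIN_TRUST_ACCOUNT = 0x800
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT = 0x2000
    TRUSTED_FOR_DELEGATION = 0x80000

KNOWN = sum(int(f) for f in UF)
TYPE_BITS = 0x200 | 0x800 | 0x1000 | 0x2000  # account-type bits
DC_TYPICAL = 0x2000 | 0x80000                # 0x82000 = 532480, per the DCDIAG output

def decode(value):
    """Names of the flags set in value; bits outside the table are reported in hex."""
    names = [f.name for f in UF if value & int(f)]
    if value & ~KNOWN:
        names.append(f"UNKNOWN_{value & ~KNOWN:#x}")
    return names

def audit_dc(value):
    """Findings for a domain controller's own account, mirroring the DCDIAG warnings."""
    findings = []
    if not value & UF.SERVER_TRUST_ACCOUNT:
        findings.append("not a DC account")
    if not value & UF.TRUSTED_FOR_DELEGATION:
        findings.append("not trusted for delegation")
    if value & UF.ACCOUNTDISABLE:
        findings.append("account disabled")
    return findings

def corrected(value):
    """Swap the account-type bit to the DC type and add delegation, keeping other flags."""
    return (value & ~TYPE_BITS) | DC_TYPICAL

# Constructed sample data; only COMPANYSBS and its value 0x1000 come from the post.
SAMPLES = {"COMPANYSBS": 0x1000, "EXAMPLE-DC2": 532480, "EXAMPLE-DC3": 0x82002}

if __name__ == "__main__":
    for name, uac in SAMPLES.items():
        print(f"{name}: {uac} ({uac:#x}) = {' | '.join(decode(uac))}")
        for finding in audit_dc(uac):
            print(f"  finding: {finding}")
        if uac != corrected(uac):
            print(f"  DC value would be {corrected(uac)} ({corrected(uac):#x})")
```
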
5 Comments
 
LVL 12

Expert Comment

by:Krys_K
ID: 24019294
Hi there
When you tried to change the value and got insufficient permissions, were you in the Schema Admins and Enterprise Admins group?
Krystian
0
 

Author Comment

by:tmwes
ID: 24019426
Yes...I am/was logged into the server as Administrator.

In ADSIEDIT I get "A required privilege is not held by the client".  Permissions seem to be sufficient on the Security tab.
0
 
LVL 12

Expert Comment

by:Krys_K
ID: 24019469
You say you were logged in as administrator, but were you Schema Admin and Enterprise Admin? I know you may be Domain Admin but that won't have enough permissions to change what you want to do.
In AD go to your account and add those 2 groups, then log off and back on to the machine you will use to make the changes using ADSIEdit etc.
Cheers
Krystian
0
 

Author Comment

by:tmwes
ID: 24019561
I'm sorry; I guess I wasn't clear.  I am logged into the server as Administrator, and the Administrator account is in both of those groups.
0
 

Accepted Solution

by:
tmwes earned 0 total points
ID: 24050776
So Microsoft has spent a total of 9 hours logged into my server trying various things to address this issue, and they have come up with nothing.  First I had the general tech, then the SBS tech, now a Directory Services tech.  They are supposed to call back today and give it another shot.

I'll update the thread if they are successful.  I'm trying to watch what they are doing and keeping notes so that when they actually ARE successful, I can post the solution here...but so far they have hit a dead end every time.
0

Question has a verified solution.