Solved

userAccountControl attribute SBS server

Posted on 2009-03-30
Last Modified: 2012-05-06
I have an SBS 2003 server that started having a strange problem (detailed here: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24201996.html#a24019047).

In attempting to join a Mac to the domain, the Mac took over the server's name...and now the server is classified as a workstation.

Other than the errors detailed in the question above (and similar errors on workstations), the network is running, people are getting email and able to access shared resources.  However, I have to think that I'm just looking for trouble down the road if I leave the setup as is.

When a DCDIAG is run, this is the only error:

Starting test: MachineAccount
         The account COMPANYSBS is not trusted for delegation.  It cannot replicate.
         The account COMPANYSBS is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of COMPANYSBS is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... COMPANYSBS failed test MachineAccount

Through other research, I found (and Microsoft confirmed) that the userAccountControl attribute needs to be changed from its current value of 4096 to the correct value of 532480.  However, several different attempts to do so have failed due to insufficient rights or permissions.

The only system state backup that I have that does not have the problem is from 10/9/2007.  Microsoft advised that I restore that backup and I should be all set; but I have a hard time believing that since I'm guessing I'd have to fix a slew of problems with changes made since October 2007.

Any suggestions as to how this attribute can get changed?  We tried via ADSIEDIT and LDP, no dice.
Question by:tmwes
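
Added example, not part of the original post and not DCDIAG's or Microsoft's code: a small parser that reads the MachineAccount warning quoted in the question, decodes the userAccountControl bitmask, and reports which of the bits in the typical DC value 0x82000 (532480) are missing from the account's current value 0x1000 (4096). The function names and the line-unwrapping heuristic are assumptions made for this illustration.

```python
import re

# Account-type and delegation bits of userAccountControl (UF_* names as DCDIAG prints them).
UF_FLAGS = {
    0x0200: "UF_NORMAL_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}
DC_EXPECTED = 0x2000 | 0x80000  # 0x82000 = 532480, DCDIAG's "typical" DC value

# Constructed sample: the MachineAccount warning, wrapped mid-token by the console.
SAMPLE = """\
         Warning:  Attribute userAccountControl of COMPANYSBS is: 0x1000 = ( UF_WO
RKSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TR
USTED_FOR_DELEGATION )
"""

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]

def unwrap(text):
    """Rejoin wrapped lines. Assumption: a line with no leading indent continues the previous one."""
    out = []
    for line in text.splitlines():
        if out and line and not line[0].isspace():
            out[-1] += line
        else:
            out.append(line)
    return out

def check_dc_accounts(dcdiag_text):
    """Report, per flagged account, which DC bits are missing and which are unexpected."""
    pat = re.compile(r"userAccountControl of (\S+) is: (0x[0-9A-Fa-f]+)")
    findings = []
    for line in unwrap(dcdiag_text):
        m = pat.search(line)
        if m:
            value = int(m.group(2), 16)
            findings.append({"account": m.group(1), "value": value,
                             "missing": decode_uac(DC_EXPECTED & ~value),
                             "unexpected": decode_uac(value & ~DC_EXPECTED)})
    return findings

if __name__ == "__main__":
    print(check_dc_accounts(SAMPLE))
```
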
5 Comments
 
LVL 12

Expert Comment

by:Krys_K
ID: 24019294
Hi there
When you tried to change the value and got insufficient permissions, were you in the Schema Admins and Enterprise Admins group?
Krystian
 

Author Comment

by:tmwes
ID: 24019426
Yes...I am/was logged into the server as Administrator.

In ADSIEDIT I get "A required privilege is not held by the client".  Permissions seem to be sufficient on the Security tab.
 
LVL 12

Expert Comment

by:Krys_K
ID: 24019469
You say you were logged in as administrator, but were you Schema Admin and Enterprise Admin? I know you may be Domain Admin but that won't have enough permissions to change what you want to do.
In AD go to your account and add those 2 groups, then log off and back on to the machine you will use to make the changes using ADSIEdit etc.
Cheers
Krystian
 

Author Comment

by:tmwes
ID: 24019561
I'm sorry; I guess I wasn't clear.  I am logged into the server as Administrator, and the Administrator account is in both of those groups.
 

Accepted Solution

by:
tmwes earned 0 total points
ID: 24050776
So Microsoft has spent a total of 9 hours logged into my server trying various things to address this issue, and they have come up with nothing.  First I had the general tech, then the SBS tech, now a Directory Services tech.  They are supposed to call back today and give it another shot.

I'll update the thread if they are successful.  I'm trying to watch what they are doing and keeping notes so that when they actually ARE successful, I can post the solution here...but so far they have hit a dead end every time.