
userAccountControl attribute SBS server

Posted on 2009-03-30
Last Modified: 2012-05-06
I have a SBS 2003 server that started having a strange problem (detailed here: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24201996.html#a24019047).

In attempting to join a Mac to the domain, the Mac took over the server's name...and now the server is classified as a workstation.

Other than the errors detailed in the question above (and similar errors on workstations), the network is running, people are getting email and able to access shared resources.  However, I have to think that I'm just looking for trouble down the road if I leave the setup as is.

When a DCDIAG is run, this is the only error:

Starting test: MachineAccount
         The account COMPANYSBS is not trusted for delegation.  It cannot replicate.
         The account COMPANYSBS is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of COMPANYSBS is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... COMPANYSBS failed test MachineAccount

Through other research, I found (and Microsoft confirmed) that the userAccountControl attribute needs to be changed from its current value of 4096 to the correct value of 532480.  However, several different attempts to do so have failed due to insufficient rights or permissions.

The only system state backup that I have that does not have the problem is from 10/9/2007.  Microsoft advised that I restore that backup and I should be all set; but I have a hard time believing that since I'm guessing I'd have to fix a slew of problems with changes made since October 2007.

Any suggestions as to how this attribute can get changed?  We tried via ADSIEDIT and LDP, no dice.
Question by:tmwes
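
The dcdiag warning in the question, decoded bit by bit and compared with the 0x82000 value dcdiag calls typical for a DC. This is an added example, not code from the thread or from Microsoft; the names `compare_to_dc` and `audit_dcdiag` are hypothetical, and the script only reads text, it does not modify the directory.

```python
import re
from enum import IntFlag

class UAC(IntFlag):
    """Documented userAccountControl bits (subset: account type, delegation)."""
    ACCOUNTDISABLE = 0x2
    NORMAL_ACCOUNT = 0x200
    INTERDOMAIN_TRUST_ACCOUNT = 0x800
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT = 0x2000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000

DC_TYPICAL = 0x82000  # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION (532480)
# Account-type bits; a DC account carries SERVER_TRUST_ACCOUNT and no other.
TYPE_BITS = 0x200 | 0x800 | 0x1000 | 0x2000

def flag_names(value):
    """Names of the known bits set in value, lowest bit first."""
    return [f.name for f in UAC if value & f.value]

def compare_to_dc(value):
    """Compare a userAccountControl value with the typical DC setting."""
    missing = DC_TYPICAL & ~value
    wrong_type = value & TYPE_BITS & ~UAC.SERVER_TRUST_ACCOUNT.value
    return {
        "value": value,
        "flags": flag_names(value),
        "missing": flag_names(missing),
        "wrong_type": flag_names(wrong_type),
        "ok": missing == 0 and wrong_type == 0,
    }

WARNING = re.compile(r"Attribute userAccountControl of (\S+) is: (0x[0-9A-Fa-f]+)")

def audit_dcdiag(text):
    """Find dcdiag MachineAccount warnings and decode each reported value."""
    return [dict(compare_to_dc(int(m.group(2), 16)), account=m.group(1))
            for m in WARNING.finditer(text)]

# The warning line from the thread's dcdiag output, with the 80-column wrap rejoined.
SAMPLE = ("Warning:  Attribute userAccountControl of COMPANYSBS is: "
          "0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )")

if __name__ == "__main__":
    for row in audit_dcdiag(SAMPLE):
        print(row["account"], hex(row["value"]), row["flags"],
              "missing:", row["missing"], "wrong type:", row["wrong_type"])
    print(compare_to_dc(532480))
```
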
LVL 12

Expert Comment

by:Krys_K
ID: 24019294
Hi there
When you tried to change the value and got insufficient permissions, were you in the Schema Admins and Enterprise Admins group?
Krystian
 

Author Comment

by:tmwes
ID: 24019426
Yes...I am/was logged into the server as Administrator.

In ADSIEDIT I get "A required privilege is not held by the client".  Permissions seem to be sufficient on the Security tab.
 
LVL 12

Expert Comment

by:Krys_K
ID: 24019469
You say you were logged in as administrator, but were you Schema Admin and Enterprise Admin? I know you may be Domain Admin but that won't have enough permissions to change what you want to do.
In AD go to your account and add those 2 groups, then log off and back on to the machine you will use to make the changes using ADSIEdit etc.
Cheers
Krystian
 

Author Comment

by:tmwes
ID: 24019561
I'm sorry; I guess I wasn't clear.  I am logged into the server as Administrator, and the Administrator account is in both of those groups.
 

Accepted Solution

by:tmwes
ID: 24050776
So Microsoft has spent a total of 9 hours logged into my server trying various things to address this issue, and they have come up with nothing.  First I had the general tech, then the SBS tech, now a Directory Services tech.  They are supposed to call back today and give it another shot.

I'll update the thread if they are successful.  I'm trying to watch what they are doing and keeping notes so that when they actually ARE successful, I can post the solution here...but so far they have hit a dead end every time.