Solved

2003 Active Directory FSMO transfer question

Posted on 2012-09-08
Last Modified: 2012-09-18
Hi,
When I try to seize the FSMO roles from another DC in the domain I get a Win32 "access is denied" error (0x5). Any thoughts on how to fix this?

Wes
Question by:hmcnasty
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38379998
Is that other DC dead and never being brought back? What rights does your account have?

Thanks

Mike
 
LVL 18

Accepted Solution

by:Sarang Tinguria
Sarang Tinguria earned 1000 total points
ID: 38380006
Make sure you have Schema Admin and Enterprise Admin rights while seizing the forest-wide roles (Schema Master and Domain Naming Master).

The rest you can transfer with Domain Admin rights.

Make sure you are running CMD in "Run as administrator" mode (in case of 2008 or R2).

Refer to the link below for a step-by-step guide.

Seize FSMO role:
http://www.petri.co.il/seizing_fsmo_roles.htm
 

Author Comment

by:hmcnasty
ID: 38380062
I'm running 2003, and I am logged in as the domain administrator. I get access denied.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38380071
You are logging on to the DC that you want to seize the role to? And when are you getting the access denied?
 

Author Comment

by:hmcnasty
ID: 38380093
No. I'm logging into another DC on the domain, trying to seize the roles from the current role holder, which is not working properly. I was able to get the RID role, but if I try to do operations or schema I get access denied.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38380102
Can you add your account to the schema admins group and try to seize the schema master again?

Thanks

Mike
 

Author Comment

by:hmcnasty
ID: 38380111
Hi. I'm using administrator. Should I create another account in both places and make it a schema admin?
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38380118
I'm guessing that is a domain admin; put that account into Schema Admins and try it, or a new account should work too.
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38380129
Whatever account you are using, make it a direct member of the Schema Admins group; even the domain Administrator is not a direct member of the Schema Admins group by default.
 

Author Comment

by:hmcnasty
ID: 38380132
How do I do that? It's a group in AD, right? What's its exact name, because I can't find it?

BTW, when I try to connect (like SMB) to the broken server I'm getting "the target name is incorrect". This server recently had a bad drive in a RAID 1; it was after the drive was replaced that this started happening.

Wes
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38380142
Go to dsa.msc -> find the group named "Schema Admins" -> add your user ID as a member of the Schema Admins group.
 

Author Comment

by:hmcnasty
ID: 38380206
The broken DC has 2 Kerberos tickets that are the same. I believe that this is the issue. Does anyone know how to fix this?

Ticket list:
krbtgt/LAKEGROVE.INTRANET@LAKEGROVE.INTRANETkrbtgt/LAKEGROVE.INTRANET
krbtgt/LAKEGROVE.INTRANET@LAKEGROVE.INTRANETkrbtgt/LAKEGROVE.INTRANET
cifs/exch01lg.lakegrove.intranet@LAKEGROVE.INTRANETcifs/exch01lg.lakegrove.intranet
LDAP/exch01lg.lakegrove.intranet/lakegrove.intranet@LAKEGROVE.INTRANETLDAP/exch01lg.lakegrove.intranet/lakegrove.intranet
ldap/exch01lg.lakegrove.intranet@LAKEGROVE.INTRANETldap/exch01lg.lakegrove.intranet
host/fs01lg.lakegrove.intranet@LAKEGROVE.INTRANEThost/fs01lg.lakegrove.intranet


Wes
 

Author Comment

by:hmcnasty
ID: 38380211
Never mind, I think that's normal above. Anyway, I don't see a group anywhere with the name schema.
 

Author Comment

by:hmcnasty
ID: 38380222
server connections: connect to server exch01lg
Binding to exch01lg ...
Connected to exch01lg using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03151D7D, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03151E04, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
 

Author Comment

by:hmcnasty
ID: 38380235
I get the above error on schema and domain naming master; the other roles were seized no problem.

Wes
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1000 total points
ID: 38380246
Schema Admins is usually in the forest root domain. If you look in the Users container in the forest root domain it is usually there.

The domain naming master and schema master are the two forest-wide roles.

Enterprise Admins is another group that has all power; add to both groups and try to seize both roles.

Thanks

Mike
 

Author Comment

by:hmcnasty
ID: 38380259
Hi Mike. No go. Keep in mind that if I try to access the broken DC from anywhere I get "Login failure: The target account name is incorrect", although I can ping it by name. I don't get the error if I access the server by IP, though. I think the AD on it is hosed and there is another reason I'm getting access denied besides the obvious.

Wes
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38380277
I figured that something was wrong with that DC and that is why you are trying to seize the roles. Since you have already seized three roles, I'd probably turn that box off so no one tries to fix it and bring it back.

So the account you are using for the last two roles is in Schema Admins and Enterprise Admins?

Thanks

Mike
 

Author Comment

by:hmcnasty
ID: 38380291
Yeah. I think this is what happened. I think a long time ago my client lost a drive in a RAID 1, not because of the drive but because of the controller; the server kept running and nobody knew about it. Then a few days ago they lost the one working drive, only that drive really was bad. We got the other drive working again because, like I said, the controller had kicked it out; however, we didn't realize that the drive had not been written to for some time. So we put in a new drive, synced it up and sent it back, only now the AD is messed up since it's been so long. That may explain some of the problem.

I have a backup of the system state of that server but I can't run it, again because I can't connect to it from the backup software. So I thought that by seizing the roles, dcpromoing it down and then dcpromoing it up again, I would solve my issue.

Wes
 

Author Comment

by:hmcnasty
ID: 38380292
Just a hunch.

W
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38380626
I can't be sure, but there is some tiny thing which you are missing.

Can you confirm the below things:

Member of Schema Admins and Enterprise Admins groups?
The user ID which you are using to demote: is it built-in or manually created?
What is the OS of the DC from where you are seizing the role?
Output of netdom query dc and netdom query fsmo
dcdiag /q of the DC from where you are seizing the role
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 38381938
Can you verify in the DS service event log whether you are getting event ID 474 etc.? This could be due to an AD DB corruption issue. I have faced the same issue at a client end; defragging the AD database fixed the issue.
http://support.microsoft.com/kb/232122

If the above is true, please take a full backup of the server and a separate system state backup, and then proceed with the defrag of the AD database, but first check integrity and then perform semantic analysis. If an error is reported, go for semantic go fix; sometimes this also fixes the issue.
http://support.microsoft.com/kb/258062
http://support.microsoft.com/kb/232122

Hope this helps
 

Author Comment

by:hmcnasty
ID: 38382863
Hi guys. Thanks for all your help. I was able to fix it. I'm off to work, but tonight (EST) I will award points and detail what I did.
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38402346
What was the RCA?
 

Author Comment

by:hmcnasty
ID: 38405547
There were multiple domains in a trust in this situation. As stated above, when we fixed the drives on the server in question something must have happened to the AD data. With your help, I was able to determine that the broken server still thought it had the roles even after I moved them, or at least 3 of them. In other words, the broken server behaved as though it was its own self-contained domain and NOT talking to the rest of the domain. After I determined that the roles were actually on a different server I was able to dcpromo /force the server, clean up the metadata and then rejoin it to the domain with no issues. Thanks for all of your help.
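Added example, not code from the thread or from any of its posters: a PowerShell pre-flight script that runs the two checks this thread ends up needing. The first is the requirement from the accepted solution, direct membership of Schema Admins and Enterprise Admins in the forest root domain (resolved by their well-known RIDs 518 and 519, so it also works from a child domain where those groups do not appear under Users). The second is the disagreement hmcnasty found in the RCA: it asks every reachable domain controller which server its own replica names as schema master and domain naming master, so a DC that has stopped replicating and still claims a seized role shows up in the output. It uses only System.DirectoryServices, which is present on any Windows machine with .NET, so it runs against a Windows Server 2003 forest without the ActiveDirectory module; the function names are my own.

```powershell
# Added example, not from the thread: pre-flight checks before seizing the two
# forest-wide FSMO roles (Schema Master, Domain Naming Master). Uses only
# System.DirectoryServices, so it needs no ActiveDirectory module and works
# against a Windows Server 2003 forest. Run it on a forest member, logged on as
# the account you intend to use for the seizure. Function names are assumptions.

$forest    = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootEntry = $forest.RootDomain.GetDirectoryEntry()
$rootSid   = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$rootEntry.Properties['objectSid'].Value, 0)
$rootDse   = [ADSI]'LDAP://RootDSE'
$schemaDn  = $rootDse.Properties['schemaNamingContext'].Value
$configDn  = $rootDse.Properties['configurationNamingContext'].Value

function Test-ForestAdminMembership {
    # Schema Admins (RID 518) and Enterprise Admins (RID 519) exist only in the
    # forest root domain. Resolving them by SID instead of by name is what makes
    # this work from a child domain, where "Schema Admins" is not listed under
    # that domain's Users container (the situation described in the thread).
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $meDn  = ([ADSI]"LDAP://<SID=$($me.User.Value)>").Properties['distinguishedName'].Value
    $token = @($me.Groups | ForEach-Object { $_.Value })   # group SIDs in the logon token

    foreach ($rid in 518, 519) {
        $sid   = "$rootSid-$rid"
        $group = [ADSI]"LDAP://<SID=$sid>"
        # DirectMember: the explicit membership the accepted solution asks for.
        # InLogonToken: whether the current session already carries that group;
        # this is only refreshed at logon, so it lags behind a fresh group edit.
        New-Object PSObject -Property @{
            Group        = $group.Properties['name'].Value
            DirectMember = (@($group.Properties['member']) -contains $meDn)
            InLogonToken = ($token -contains $sid)
        }
    }
}

function Get-ForestRoleOwnerPerDc {
    # fSMORoleOwner lives in the partition each role governs, and every DC holds
    # its own replica of that partition. A DC that stopped replicating can keep
    # naming itself as owner after the role was seized elsewhere, which is what
    # the RCA above describes. So ask each DC directly instead of trusting one.
    $partitions = @{
        'Schema master'        = $schemaDn
        'Domain naming master' = "CN=Partitions,$configDn"
    }
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            foreach ($role in $partitions.Keys) {
                $owner = '<unreachable>'
                try {
                    $entry = [ADSI]"LDAP://$($dc.Name)/$($partitions[$role])"
                    $owner = $entry.Properties['fSMORoleOwner'].Value   # DN of the NTDS Settings object
                } catch { }   # a broken DC fails to bind; report it as unreachable
                New-Object PSObject -Property @{
                    QueriedDc    = $dc.Name
                    Role         = $role
                    ClaimedOwner = $owner
                }
            }
        }
    }
}

try {
    "Forest view: schema master = $($forest.SchemaRoleOwner.Name); domain naming master = $($forest.NamingRoleOwner.Name)"
} catch {
    "Forest view unavailable: $($_.Exception.Message)"
}
Test-ForestAdminMembership | Format-Table Group, DirectMember, InLogonToken -AutoSize
Get-ForestRoleOwnerPerDc   | Format-Table QueriedDc, Role, ClaimedOwner -AutoSize
```

Read the two tables together: if DirectMember is True but InLogonToken is False, the account was added to the group after the session started, and the seizure will keep failing with the same 0x5 until you log off and back on. If the per-DC table shows one server naming itself as owner while every other DC names a different server, that server's replica has diverged, and the right move is the one the RCA reached: stop treating it as a role holder, force-demote it, and clean up its metadata rather than keep trying to seize from it.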
 

Author Comment

by:hmcnasty
ID: 38405557
I'm going to split the points. Both helped me determine the problem.
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38410488
That's fine... Seems your problem has been resolved :-)