Solved

Error adding 2012 Server as domain controller

Posted on 2014-01-29
Last Modified: 2014-02-12
We had 2 Windows 2003 domain controllers in our organization.
One of them crashed and we couldn't bring it back up.
I seized the Schema role and Domain role owner on the second DC, which now holds all the FSMO roles.

I then added a Windows Server 2012 and when I try to promote it to domain controller, I get the following error when verifying prerequisites:

"the user does not have SeSecurityPrivilegeEnabled"

The server is in the domain and I'm logged in as domain admin.

When I log in as domain administrator I see the following privileges assigned to the account in event viewer:

SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeEnableDelegationPrivilege


I run a dcdiag on the server 2003 domain controller and here is the result:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\ECHO-02-DS
      Starting test: Connectivity
         ......................... ECHO-02-DS passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\ECHO-02-DS
      Starting test: Replications
         ......................... ECHO-02-DS passed test Replications
      Starting test: NCSecDesc
         ......................... ECHO-02-DS passed test NCSecDesc
      Starting test: NetLogons
         ......................... ECHO-02-DS passed test NetLogons
      Starting test: Advertising
         ......................... ECHO-02-DS passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... ECHO-02-DS passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... ECHO-02-DS passed test RidManager
      Starting test: MachineAccount
         ......................... ECHO-02-DS passed test MachineAccount
      Starting test: Services
         ......................... ECHO-02-DS passed test Services
      Starting test: ObjectsReplicated
         ......................... ECHO-02-DS passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... ECHO-02-DS passed test frssysvol
      Starting test: frsevent
         ......................... ECHO-02-DS passed test frsevent
      Starting test: kccevent
         ......................... ECHO-02-DS passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:30
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:32
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:32
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:33
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:33
            (Event String could not be retrieved)
         ......................... ECHO-02-DS failed test systemlog
      Starting test: VerifyReferences
         ......................... ECHO-02-DS passed test VerifyReferences
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : albignasego
      Starting test: CrossRefValidation
         ......................... albignasego passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... albignasego passed test CheckSDRefDom
   
   Running enterprise tests on : albignasego.echostudio.it
      Starting test: Intersite
         ......................... albignasego.echostudio.it passed test Intersite
      Starting test: FsmoCheck
         ......................... albignasego.echostudio.it passed test FsmoCheck

Any solutions?
Question by:uilli
8 Comments
 
LVL 1

Expert Comment

by:Kirill Morozov
ID: 39817599
Please check that your account has the following right: "Manage Auditing and Security Log".
0
 

Author Comment

by:uilli
ID: 39817614
I added domain\administrator to "Manage Auditing and Security Log" under domain controller policy, logged off the user, but still no SeSecurityPrivilege
0
 
LVL 1

Expert Comment

by:Kirill Morozov
ID: 39817657
Did you assign it under the Default Domain Controller Group Policy? Could you try and check in the GPO results whether it is really getting this role?
0

Author Comment

by:uilli
ID: 39817940
This is what I get from gporesults:

   Local Group Policy
            Filtering : Not Applied ( Empty)

    The computer is part of the following security groups
    -------------------------------------------------- ----
        BUILTIN \ Administrators
        Everyone
        BUILTIN \ Pre- Windows 2000 Compatible Access
        BUILTIN \ Users
        Windows Authorization Access Group
        NT AUTHORITY \ NETWORK
        NT AUTHORITY \ Authenticated Users
        this organization
        ECHO -02 -DS $
        Domain Controllers
        ENTERPRISE DOMAIN CONTROLLERS
        Cert Publishers
        CERTSVC_DCOM_ACCESS
        

USER SETTINGS
-------------------------
    CN = Administrator , CN = Users, DC = albignasego , echostudio DC = , DC = en
    Last application of Group Policy: 01/29/2014 at 16:08:50
    Group Policy applied by: ECHO -02- DS.albignasego.echostudio.it
    Limit of slow link Group Policy : 500 kbps
    Domain Name: ECHOSTUDIO
    Domain Type : Windows 2000
    
    GPOs applied
    ------------------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -----------------------------------------------------------------------------------------------------
        Local Group Policy
            Filtering : Not Applied ( Empty)

    The user is part of the following security groups
    -------------------------------------------------- -
        Domain Users
        Everyone
        BUILTIN \ Administrators
        BUILTIN \ Backup Operators
        BUILTIN \ Users
        BUILTIN \ Pre- Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY \ INTERACTIVE
        NT AUTHORITY \ Authenticated Users
        this organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        EchoStudio
        Organization Management
        schema Admins
        Enterprise Admins
        CERTSVC_DCOM_ACCESS
0
 
LVL 1

Expert Comment

by:Kirill Morozov
ID: 39818106
Is your domain operating level Windows 2000?
You can only add a 2012 domain controller to a domain operating at the 2003 level.
0
 
LVL 1

Expert Comment

by:Kirill Morozov
ID: 39818112
0
 

Author Comment

by:uilli
ID: 39818211
Yes it is

Weird thing: when I opened gpedit.msc from the 2003 DC, under "Manage Auditing and Security Log" there is only Exchange Enterprise Servers listed, and the add user and groups button is greyed out.

Below is a screenshot, sorry for it being in Italian (I hate when people install a server language different from English).

Just as a test, I added the administrator account to the Exchange Enterprise Servers group, and the prerequisite test from the 2012 machine is successful.
I didn't run the installation yet because before that I want to be sure I'm not doing something wrong.

gpedit
0
 
LVL 1

Accepted Solution

by:
Kirill Morozov earned 1500 total points
ID: 39818300
Well =)
Just follow TechNet to be sure.
The button is greyed out because this setting is managed from the Default Domain Controller Policy.
Check the setting there again.
0
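
The accepted answer points at the Default Domain Controller Policy as the place where "Manage Auditing and Security Log" (SeSecurityPrivilege) is defined. As an added example that is not part of the thread, this PowerShell reads the `[Privilege Rights]` section of a security template and lists who holds the right; the function names and the sample template, including its SID, are constructed for illustration.

```powershell
# Added example: list the holders of a user right from a security template.
function Get-PrivilegeHolders {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,
        [string] $Privilege = 'SeSecurityPrivilege'
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {                 # section header
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Privilege) {
            # Entries are comma-separated; SIDs carry a leading '*', names do not.
            return @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()    # right is not defined in this template
}

function Resolve-Holder {
    param([string] $Value)
    if ($Value -notmatch '^S-1-') { return $Value }  # already an account name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Value)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Value }                                # unresolvable: show raw SID
}

# Constructed sample; the domain SID below is made up. For the real policy, read
# GptTmpl.inf under MACHINE\Microsoft\Windows NT\SecEdit in the policy's SYSVOL
# folder with Get-Content and pass the lines in instead.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeSecurityPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split '\r?\n'

$holders = @(Get-PrivilegeHolders -InfLines $sample)
$holders | ForEach-Object { Resolve-Holder $_ }
if ($holders -notcontains 'S-1-5-32-544') {
    Write-Warning 'BUILTIN\Administrators (S-1-5-32-544) is not granted SeSecurityPrivilege here.'
}
```

On the machine being promoted, `whoami /priv` from an elevated prompt shows whether the logon token actually carries SeSecurityPrivilege.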

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question