Solved

Error adding 2012 Server as domain controller

Posted on 2014-01-29
Last Modified: 2014-02-12
We had 2 Windows 2003 domain controllers in our organization.
One of them crashed and we couldn't bring it back up.
I seized the Schema role and Domain role owner on the second DC, which now holds all the FSMO roles.

I then added a Windows Server 2012 and when I try to promote it to domain controller, I get the following error when verifying prerequisites:

"the user does not have SeSecurityPrivilegeEnabled"

The server is in the domain and I'm logged in as domain admin.

When I log in as domain administrator I see the following privileges assigned to the account in event viewer:

SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeEnableDelegationPrivilege


I run a dcdiag on the server 2003 domain controller and here is the result:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\ECHO-02-DS
      Starting test: Connectivity
         ......................... ECHO-02-DS passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\ECHO-02-DS
      Starting test: Replications
         ......................... ECHO-02-DS passed test Replications
      Starting test: NCSecDesc
         ......................... ECHO-02-DS passed test NCSecDesc
      Starting test: NetLogons
         ......................... ECHO-02-DS passed test NetLogons
      Starting test: Advertising
         ......................... ECHO-02-DS passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... ECHO-02-DS passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... ECHO-02-DS passed test RidManager
      Starting test: MachineAccount
         ......................... ECHO-02-DS passed test MachineAccount
      Starting test: Services
         ......................... ECHO-02-DS passed test Services
      Starting test: ObjectsReplicated
         ......................... ECHO-02-DS passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... ECHO-02-DS passed test frssysvol
      Starting test: frsevent
         ......................... ECHO-02-DS passed test frsevent
      Starting test: kccevent
         ......................... ECHO-02-DS passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:30
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:32
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:32
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:33
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:33
            (Event String could not be retrieved)
         ......................... ECHO-02-DS failed test systemlog
      Starting test: VerifyReferences
         ......................... ECHO-02-DS passed test VerifyReferences
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : albignasego
      Starting test: CrossRefValidation
         ......................... albignasego passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... albignasego passed test CheckSDRefDom
   
   Running enterprise tests on : albignasego.echostudio.it
      Starting test: Intersite
         ......................... albignasego.echostudio.it passed test Intersite
      Starting test: FsmoCheck
         ......................... albignasego.echostudio.it passed test FsmoCheck

Any solutions?
Question by:uilli
8 Comments
 
LVL 1

Expert Comment

by:Kirill Morozov
ID: 39817599
Please check that your account has the following right: "Manage Auditing and Security Log".
0
 

Author Comment

by:uilli
ID: 39817614
I added domain\administrator to "Manage Auditing and Security Log" under domain controller policy, logged off the user, but still no SeSecurityPrivilege
0
 
LVL 1

Expert Comment

by:Kirill Morozov
ID: 39817657
You assigned it under Default Domain Controller Group Policy? Could you try and check in the GPO results whether it is really getting this role?
0

 

Author Comment

by:uilli
ID: 39817940
This is what I get from gporesults:

   Local Group Policy
            Filtering : Not Applied ( Empty)

    The computer is part of the following security groups
    -------------------------------------------------- ----
        BUILTIN \ Administrators
        Everyone
        BUILTIN \ Pre- Windows 2000 Compatible Access
        BUILTIN \ Users
        Windows Authorization Access Group
        NT AUTHORITY \ NETWORK
        NT AUTHORITY \ Authenticated Users
        this organization
        ECHO -02 -DS $
        Domain Controllers
        ENTERPRISE DOMAIN CONTROLLERS
        Cert Publishers
        CERTSVC_DCOM_ACCESS
        

USER SETTINGS
-------------------------
    CN = Administrator , CN = Users, DC = albignasego , echostudio DC = , DC = en
    Last application of Group Policy: 01/29/2014 at 16:08:50
    Group Policy applied by: ECHO -02- DS.albignasego.echostudio.it
    Limit of slow link Group Policy : 500 kbps
    Domain Name: ECHOSTUDIO
    Domain Type : Windows 2000
    
    GPOs applied
    ------------------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -----------------------------------------------------------------------------------------------------
        Local Group Policy
            Filtering : Not Applied ( Empty)

    The user is part of the following security groups
    -------------------------------------------------- -
        Domain Users
        Everyone
        BUILTIN \ Administrators
        BUILTIN \ Backup Operators
        BUILTIN \ Users
        BUILTIN \ Pre- Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY \ INTERACTIVE
        NT AUTHORITY \ Authenticated Users
        this organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        EchoStudio
        Organization Management
        schema Admins
        Enterprise Admins
        CERTSVC_DCOM_ACCESS
0
 
LVL 1

Expert Comment

by:Kirill Morozov
ID: 39818106
Is your domain operating level Windows 2000?
You can only add a 2012 domain controller to a domain operating at the 2003 level.
0
 
LVL 1

Expert Comment

by:Kirill Morozov
ID: 39818112
0
 

Author Comment

by:uilli
ID: 39818211
Yes it is

Weird thing: when I opened gpedit.msc from the 2003 DC, under "Manage Auditing and Security Log" there is only Exchange enterprise servers listed, and the add user and groups button is greyed out.

Below is a screenshot, sorry for it being in Italian (I hate when people install a server language different from English).

Just for a test, I added the administrator account to the Exchange Enterprises servers group, and the prerequisite test from the 2012 machine is successful.
I didn't run the installation yet because before that I want to be sure I'm not doing something wrong.

gpedit
0
 
LVL 1

Accepted Solution

by:
Kirill Morozov earned 500 total points
ID: 39818300
Well =)
Just follow TechNet to be sure.
The button is greyed out because this setting is managed from the Default Domain Controller Policy.
Check the setting there again.
0
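
One way to do the check the accepted answer points to without opening the policy editor, as an added example that is not part of the original thread: read the "Manage auditing and security log" entry (SeSecurityPrivilege) straight from the Default Domain Controllers Policy in SYSVOL and compare it with the current logon token. It assumes that this GPO (identified by its well-known GUID) is the one that wins for user rights on the Domain Controllers OU; the function and variable names are illustrative.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on a
# domain-joined machine, logged on as the account that will perform the promotion.
# Assumption: the Default Domain Controllers Policy (well-known GUID below) is the
# GPO that wins for user rights on the Domain Controllers OU.
$right  = 'SeSecurityPrivilege'    # "Manage auditing and security log"
$domain = $env:USERDNSDOMAIN
$inf    = "\\$domain\SYSVOL\$domain\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}" +
          "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

function Get-RightHolder {
    param([string]$InfPath, [string]$Right)
    # A [Privilege Rights] entry looks like:
    #   SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...
    $line = Get-Content -LiteralPath $InfPath |
        Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }     # right is not defined in this GPO
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $sid = $null; $name = $entry            # entries without '*' are account names
        if ($entry.StartsWith('*')) {
            $sid = $entry.Substring(1)
            try {
                $obj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $obj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved SID>' }
        }
        New-Object psobject -Property @{ Right = $Right; Sid = $sid; Account = $name }
    }
}

$holders = @(Get-RightHolder -InfPath $inf -Right $right)
$holders | Format-Table Right, Account, Sid -AutoSize

# Compare against the SIDs in the current logon token (user SID plus enabled groups).
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
$match  = @($holders | Where-Object { $_.Sid -and ($mySids -contains $_.Sid) })
if ($match.Count -gt 0) {
    $via = ($match | ForEach-Object { $_.Account }) -join ', '
    "{0} is granted {1} through: {2}" -f $me.Name, $right, $via
} else {
    Write-Warning "$($me.Name) is not covered by any account listed for $right in this GPO."
}
```

A change to the policy takes effect on the existing domain controller only after Group Policy is refreshed there, and a group-membership change appears in the token only after a new logon.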

Question has a verified solution.