Solved

Error adding 2012 Server as domain controller

Posted on 2014-01-29
Last Modified: 2014-02-12
We had 2 Windows 2003 domain controllers in our organization.
One of them crashed and we couldn't bring it back up.
I seized the Schema role and Domain role owner on the second DC, which now holds all the FSMO roles.

I then added a Windows Server 2012 and when I try to promote it to domain controller, I get the following error when verifying prerequisites:

"the user does not have SeSecurityPrivilegeEnabled"

The server is in the domain and I'm logged in as domain admin.

When I log in as domain administrator I see the following privileges assigned to the account in event viewer:

SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeEnableDelegationPrivilege


I ran a dcdiag on the Server 2003 domain controller and here is the result:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\ECHO-02-DS
      Starting test: Connectivity
         ......................... ECHO-02-DS passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\ECHO-02-DS
      Starting test: Replications
         ......................... ECHO-02-DS passed test Replications
      Starting test: NCSecDesc
         ......................... ECHO-02-DS passed test NCSecDesc
      Starting test: NetLogons
         ......................... ECHO-02-DS passed test NetLogons
      Starting test: Advertising
         ......................... ECHO-02-DS passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... ECHO-02-DS passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... ECHO-02-DS passed test RidManager
      Starting test: MachineAccount
         ......................... ECHO-02-DS passed test MachineAccount
      Starting test: Services
         ......................... ECHO-02-DS passed test Services
      Starting test: ObjectsReplicated
         ......................... ECHO-02-DS passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... ECHO-02-DS passed test frssysvol
      Starting test: frsevent
         ......................... ECHO-02-DS passed test frsevent
      Starting test: kccevent
         ......................... ECHO-02-DS passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:30
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:32
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:32
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:33
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 01/29/2014   13:15:33
            (Event String could not be retrieved)
         ......................... ECHO-02-DS failed test systemlog
      Starting test: VerifyReferences
         ......................... ECHO-02-DS passed test VerifyReferences
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : albignasego
      Starting test: CrossRefValidation
         ......................... albignasego passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... albignasego passed test CheckSDRefDom
   
   Running enterprise tests on : albignasego.echostudio.it
      Starting test: Intersite
         ......................... albignasego.echostudio.it passed test Intersite
      Starting test: FsmoCheck
         ......................... albignasego.echostudio.it passed test FsmoCheck

Any solutions?
Question by:uilli
8 Comments
 

Expert Comment

by:Kirill Morozov
ID: 39817599
Please check that your account has the following right: "Manage Auditing and Security Log".

Author Comment

by:uilli
ID: 39817614
I added domain\administrator to "Manage Auditing and Security Log" under domain controller policy, logged off the user, but still no SeSecurityPrivilege

Expert Comment

by:Kirill Morozov
ID: 39817657
You assigned it under the Default Domain Controller Group Policy? Could you try and check in the GPO results if it is really getting this role?

Author Comment

by:uilli
ID: 39817940
This is what I get from gporesults:

   Local Group Policy
            Filtering: Not Applied (Empty)

    The computer is part of the following security groups
    ------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        ECHO-02-DS$
        Domain Controllers
        ENTERPRISE DOMAIN CONTROLLERS
        Cert Publishers
        CERTSVC_DCOM_ACCESS


USER SETTINGS
-------------------------
    CN=Administrator,CN=Users,DC=albignasego,DC=echostudio,DC=it
    Last application of Group Policy: 01/29/2014 at 16:08:50
    Group Policy applied by: ECHO-02-DS.albignasego.echostudio.it
    Limit of slow link Group Policy: 500 kbps
    Domain Name: ECHOSTUDIO
    Domain Type: Windows 2000

    GPOs applied
    ------------------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering: Not Applied (Empty)

    The user is part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Backup Operators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        EchoStudio
        Organization Management
        Schema Admins
        Enterprise Admins
        CERTSVC_DCOM_ACCESS

Expert Comment

by:Kirill Morozov
ID: 39818106
Is your domain operating level Windows 2000?
You can only add a 2012 domain controller to a domain operating at the 2003 level.

Expert Comment

by:Kirill Morozov
ID: 39818112

Author Comment

by:uilli
ID: 39818211
Yes it is

Weird thing: when I opened gpedit.msc from the 2003 DC, under "Manage Auditing and Security Log" there is only Exchange enterprise servers listed, and the add user and groups button is greyed out.

Below is a screenshot, sorry for it being in Italian (I hate when people install a server language different from English).

Just as a test, I added the administrator account to the Exchange Enterprises servers group, and the prerequisite test from the 2012 machine is successful.
I didn't run the installation yet because before that I want to be sure I'm not doing something wrong.

[Screenshot: gpedit]

Accepted Solution

by:
Kirill Morozov earned 500 total points
ID: 39818300
Well =)
Just follow TechNet to be sure.
The button is greyed out because this setting is managed from the Default Domain Controller Policy.
Check the setting there again.
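
A way to confirm the setting discussed in this thread, as an added example that is not part of any poster's reply: the PowerShell below lists which accounts hold "Manage auditing and security log" (SeSecurityPrivilege) on the machine where it runs and reports whether the current logon token matches one of them. It assumes an elevated session and PowerShell 2.0 or later; the scratch file name is made up for the example.

```powershell
# Added example: who holds SeSecurityPrivilege here, and does my token match?
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # scratch file (assumed name)

# Export the effective user-rights assignments (includes what GPOs applied).
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Select-String -Path $cfg -Pattern '^\s*SeSecurityPrivilege\s*=' |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    # Value is a comma list; SIDs carry a "*" prefix, account names do not.
    foreach ($raw in ($line.Line -split '=', 2)[1].Split(',')) {
        $entry = $raw.Trim()
        $sid = $null; $name = $entry
        try {
            if ($entry.StartsWith('*')) {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } else {
                $acct = New-Object System.Security.Principal.NTAccount($entry)
                $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
            }
        } catch { }   # unresolved SID or name: keep what was read from the export
        $holders += New-Object PSObject -Property @{ Name = $name; Sid = "$sid" }
    }
}
$holders | Format-Table Name, Sid -AutoSize

# SIDs in the current logon token: the user plus its enabled groups.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$via = @($holders | Where-Object { $_.Sid -and ($tokenSids -contains $_.Sid) })

if ($via.Count -gt 0) {
    "Granted to $($id.Name) via: " + (($via | ForEach-Object { $_.Name }) -join ', ')
} else {
    "$($id.Name) is not covered by any SeSecurityPrivilege assignment on this machine."
}

# What the token itself reports (a 'Disabled' state still means the privilege is held).
whoami /priv | Select-String 'SeSecurityPrivilege'
```

An empty holder table means no policy assigns the right on that machine; a group-based match explains why adding the account to a listed group changes the prerequisite result only after a fresh logon.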