Solved

Adprep was unable to modify the security descriptor on object when adding 2012R2 DC to a 2003 domain

Posted on 2014-11-19
Last Modified: 2014-11-25
I have a single forest, single domain installation with a 32-bit 2003 DC. The domain functional level is 2003 (verified). I wanted to add a second DC which is a 2012R2 server, already joined to the domain. My further plans included moving the FSMO roles to the new server and demoting the old 2003 server. However, I ran into a problem when adding the AD DS role to the new 2012R2 server. I followed the steps outlined here but I got an error after I clicked "Install" in step 18. The error is: "Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". Here is the excerpt from the adprep.log file (domain name masked with DOMAIN.LOCAL):

[2014/11/17:17:46:08.986]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.

[2014/11/17:17:46:08.987]
LDAP API ldap_modify_ext_s() finished, return code is 0x32 

[2014/11/17:17:46:08.990]
Adprep was unable to modify the security descriptor on object CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[2014/11/17:17:46:08.990]
Adprep encountered an LDAP error. 
Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

DSID Info:
DSID: 0x180e0a8f
ldap error = 0x32
NT BUILD: 9600
NT BUILD: 16384

[2014/11/17:17:46:08.990]
Adprep was unable to update forest information. 
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.


I checked twice that I am a member of all necessary groups (Domain Admins, Enterprise Admins, Schema Admins). I even tried to run the wizard with the credentials of the default built-in administrator account (also a member of the above three groups) of the 2003 DC, with all the same results.

The strange thing: despite this error, the AD schema version was updated to 69 (verified)! However, I still cannot make the new server a DC...
Question by:George_Kostov

Author Comment

by:George_Kostov
ID: 40452624
While waiting for experts to come, I did this:

Using ADSIEdit.msc I saw that the object which ADPrep failed to update (CN=DirectoryEmailReplication,CN...) has several "Account unknown" entries listed in its security tab. Its owner is an "Account unknown" too.

That reminded me that this forest once used to be part of a bigger enterprise with many forests, including one resource forest (which our domain had a trust with) where enterprise-wide services like CA, Exchange, Link, SCCM and so on were located... After our company was separated from that enterprise, the trust with their resource forest was broken. Unfortunately this does not restore security on AD objects.

I took ownership of the problem object, added write rights to Administrators and ran adprep again. This time it stopped on another object. I think that proved the source of the problem. Now I'm going to read some articles about how to clear AD of old connections and old CA presence in order to get things back in order.
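The manual ADSIEdit repair described in the comment above (find objects whose owner or ACEs no longer resolve, take ownership, grant Administrators write) can be scripted so the whole Public Key Services subtree is checked in one pass instead of re-running adprep until it hits the next object. The script below is an added example, not code from the thread. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), an account in Enterprise Admins, and that the sweep starts at CN=Public Key Services in the Configuration partition; the -SearchBase parameter, the Test-Unresolved helper and the -Fix switch are the example's own names. Without -Fix it only reports; with -Fix it performs the same two changes the poster made by hand and honours -WhatIf.

```powershell
# Added example: audit (and optionally repair) Configuration-partition objects whose
# owner or ACEs reference SIDs that no longer resolve ("Account unknown" in ADSIEdit),
# the condition that made adprep fail with INSUFF_ACCESS_RIGHTS in this thread.
# Assumes the RSAT ActiveDirectory module and Enterprise Admin rights.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: start at Public Key Services; pass another DN to widen the sweep.
    [string]$SearchBase = "CN=Public Key Services,CN=Services," +
                          (Get-ADRootDSE).configurationNamingContext,
    # Only report unless -Fix is given.
    [switch]$Fix
)

Import-Module ActiveDirectory

function Test-Unresolved([System.Security.Principal.IdentityReference]$Id) {
    # A resolvable principal comes back as NTAccount. A raw SID that cannot be
    # translated means the account (or the trust it lived behind) is gone.
    if ($Id -is [System.Security.Principal.NTAccount]) { return $false }
    try {
        $null = $Id.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

$admins = [System.Security.Principal.NTAccount]"BUILTIN\Administrators"
$rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

foreach ($obj in Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree) {
    $path  = "AD:\$($obj.DistinguishedName)"
    $acl   = Get-Acl -Path $path
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])

    $orphanOwner = Test-Unresolved $owner
    $orphanAces  = @($acl.Access | Where-Object { Test-Unresolved $_.IdentityReference })
    if (-not $orphanOwner -and $orphanAces.Count -eq 0) { continue }

    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        Owner             = $owner.Value
        OrphanOwner       = $orphanOwner
        OrphanAceCount    = $orphanAces.Count
    } | Format-List

    if (-not $Fix) { continue }
    if (-not $PSCmdlet.ShouldProcess($obj.DistinguishedName,
            "take ownership and grant BUILTIN\Administrators write")) { continue }

    # Same repair the poster did in ADSIEdit: become the owner (needs
    # SeTakeOwnershipPrivilege, which Enterprise/Domain Admins hold on a DC),
    # then add an explicit Allow so adprep, run as an Administrators member,
    # can merge its new ACE into the security descriptor.
    if ($orphanOwner) { $acl.SetOwner($admins) }
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $admins, $rights, ([System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}
```

Run it once without -Fix to get the list of affected objects, then with `-Fix -WhatIf` to see what would change, and only then with `-Fix`. The script deliberately leaves the orphaned ACEs in place: they are harmless on their own, and the thing that actually blocks adprep is the missing write access for the current admins combined with an owner nobody can resolve. Cleaning the stale CA objects out of Public Key Services, as the accepted solution below describes, is still the proper fix for the underlying cause.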
 
Expert Comment

by:kevinhsieh
ID: 40453934
Glad you're making progress on this. Don't forget that you need a hotfix or strange things will start happening when mixing Windows 2003 and 2012 DCs.

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx
Accepted Solution

by:George_Kostov
ID: 40454612
Thank you for the info about the hotfix, kevinhsieh. Meanwhile I was able to remove the traces of the former CA by following this procedure, and finally I have my first 2012R2 DC in that domain.
Author Closing Comment

by:George_Kostov
ID: 40464124
I found the solution myself, by following the article mentioned in this comment.