George_Kostov
asked on
Adprep was unable to modify the security descriptor on object when adding 2012R2 DC to a 2003 domain
I have a Single forest, single domain installation with a 32 bit 2003 DC. The domain functional level is 2003 (verified). I wanted to add a second DC which is a 2012R2 server, already joined to the domain. My further plans included to change FSMO roles to the new server and demote the old 2003 server. However I ran into problem when adding AD DS role to the new 2012R2 server. I followed the steps outlined here but i got an error after I click "Install": in step 18. The error is: "Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". Here is the excerpt from the adprep.log file (domain name masked with DOMAIN.LOCAL):
I checked twice that I am member of all necessary groups (Domain Admins, Enterprise Admins, Schema Admins). I even tried to run wizard with the credentials of default built-in administrator account (also member of the above three groups) of the 2003 DC with all the same results.
The strange thing: Despite this error, AD schema version was updated to 69 (verified)! However, I still can not make the new server a DC...
[2014/11/17:17:46:08.986]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.
[2014/11/17:17:46:08.987]
LDAP API ldap_modify_ext_s() finished, return code is 0x32
[2014/11/17:17:46:08.990]
Adprep was unable to modify the security descriptor on object CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
[2014/11/17:17:46:08.990]
Adprep encountered an LDAP error.
Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
DSID Info:
DSID: 0x180e0a8f
ldap error = 0x32
NT BUILD: 9600
NT BUILD: 16384
[2014/11/17:17:46:08.990]
Adprep was unable to update forest information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
I checked twice that I am member of all necessary groups (Domain Admins, Enterprise Admins, Schema Admins). I even tried to run wizard with the credentials of default built-in administrator account (also member of the above three groups) of the 2003 DC with all the same results.
The strange thing: Despite this error, AD schema version was updated to 69 (verified)! However, I still can not make the new server a DC...
Last Comment
Glad you're making progress on this. Don't forget that you need a hot fix or strange things will start happening when mixinf Windows 2003 and 2012 DCs.
http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx
http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I found the solution myself, by following article mentioned in this comment.
Windows Server 2003
Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).
129K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
ASKER
Using ADSIEdit.msc i saw that the object which ADPrep failed to update (CN=DirectoryEmailReplicat
That reminded me, that once this forest used to be part of a bigger enterprise with many forests including one resource forest (which our domain had trust with) where were located enterprise wide services like CA, Exchange, Link, SCCM and so on... After our company has been separated from that enterprise, the trust with their resource forest was broken. Unfortunately this does not restore security on AD objects.
I took ownership of the problem object, added write rights to administrators and ran adprep again. This time it stop on another object. I think that proved the source of the problem. Now I'm going to read some articles about how to clear AD from old connections and old CA presence in order to get things back in order.