?
Solved

Adprep was unable to modify the security descriptor on object when adding 2012R2 DC to a 2003 domain

Posted on 2014-11-19
4
Medium Priority
?
710 Views
Last Modified: 2014-11-25
I have a Single forest, single domain installation with a 32 bit 2003 DC. The domain functional level is 2003 (verified). I wanted to add a second DC which is a 2012R2 server, already joined to the domain. My further plans included to change FSMO roles to the new server and demote the old 2003 server. However I ran into problem when adding AD DS role to the new 2012R2 server. I followed the steps outlined here but i got an error after I click "Install": in step 18. The error is: "Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". Here is the excerpt from the adprep.log file (domain name masked with DOMAIN.LOCAL):

[2014/11/17:17:46:08.986]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.

[2014/11/17:17:46:08.987]
LDAP API ldap_modify_ext_s() finished, return code is 0x32 

[2014/11/17:17:46:08.990]
Adprep was unable to modify the security descriptor on object CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[2014/11/17:17:46:08.990]
Adprep encountered an LDAP error. 
Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

DSID Info:
DSID: 0x180e0a8f
ldap error = 0x32
NT BUILD: 9600
NT BUILD: 16384

[2014/11/17:17:46:08.990]
Adprep was unable to update forest information. 
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

Open in new window


I checked twice that I am member of all necessary groups (Domain Admins, Enterprise Admins, Schema Admins). I even tried to run wizard with the credentials of default built-in administrator account (also member of the above three groups) of the 2003 DC with all the same results.

The strange thing: Despite this error, AD schema version was updated to 69 (verified)! However, I still can not make the new server a DC...
0
Comment
Question by:George_Kostov
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 

Author Comment

by:George_Kostov
ID: 40452624
While waiting for experts to come, I did this:

Using ADSIEdit.msc i saw that the object which ADPrep failed to update (CN=DirectoryEmailReplication,CN...) has several "Account unknown" listed in it's security tab. It's owner is an "Account unknown" too.

That reminded me, that once this forest used to be part of a bigger enterprise with many forests including one resource forest (which our domain had trust with) where were located enterprise wide services like CA, Exchange, Link, SCCM and so on... After our company has been separated from that enterprise, the trust with their resource forest was broken. Unfortunately this does not restore security on AD objects.

I took ownership of the problem object, added write rights to administrators and ran adprep again. This time it stop on another object. I think that proved the source of the problem. Now I'm going to read some articles about how to clear AD from old connections and old CA presence in order to get things back in order.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40453934
Glad you're making progress on this. Don't forget that you need a hot fix or strange things will start happening when mixinf Windows 2003 and 2012 DCs.

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx
0
 

Accepted Solution

by:
George_Kostov earned 0 total points
ID: 40454612
Thank you for the info about the hotfix, kevinhsien. Meanwhile I was able to remove traces of former CA by following this procedure, and finally I have my first 2012R2 DC in that domain.
0
 

Author Closing Comment

by:George_Kostov
ID: 40464124
I found the solution myself, by following article mentioned in this comment.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question