Avatar of George_Kostov
George_Kostov
 asked on

Adprep was unable to modify the security descriptor on object when adding 2012R2 DC to a 2003 domain

I have a Single forest, single domain installation with a 32 bit 2003 DC. The domain functional level is 2003 (verified). I wanted to add a second DC which is a 2012R2 server, already joined to the domain. My further plans included to change FSMO roles to the new server and demote the old 2003 server. However I ran into problem when adding AD DS role to the new 2012R2 server. I followed the steps outlined here but i got an error after I click "Install": in step 18. The error is: "Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". Here is the excerpt from the adprep.log file (domain name masked with DOMAIN.LOCAL):

[2014/11/17:17:46:08.986]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.

[2014/11/17:17:46:08.987]
LDAP API ldap_modify_ext_s() finished, return code is 0x32 

[2014/11/17:17:46:08.990]
Adprep was unable to modify the security descriptor on object CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[2014/11/17:17:46:08.990]
Adprep encountered an LDAP error. 
Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

DSID Info:
DSID: 0x180e0a8f
ldap error = 0x32
NT BUILD: 9600
NT BUILD: 16384

[2014/11/17:17:46:08.990]
Adprep was unable to update forest information. 
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

Open in new window


I checked twice that I am member of all necessary groups (Domain Admins, Enterprise Admins, Schema Admins). I even tried to run wizard with the credentials of default built-in administrator account (also member of the above three groups) of the 2003 DC with all the same results.

The strange thing: Despite this error, AD schema version was updated to 69 (verified)! However, I still can not make the new server a DC...
Windows Server 2012Windows Server 2003Active Directory

Avatar of undefined
Last Comment
George_Kostov

8/22/2022 - Mon
George_Kostov

ASKER
While waiting for experts to come, I did this:

Using ADSIEdit.msc i saw that the object which ADPrep failed to update (CN=DirectoryEmailReplication,CN...) has several "Account unknown" listed in it's security tab. It's owner is an "Account unknown" too.

That reminded me, that once this forest used to be part of a bigger enterprise with many forests including one resource forest (which our domain had trust with) where were located enterprise wide services like CA, Exchange, Link, SCCM and so on... After our company has been separated from that enterprise, the trust with their resource forest was broken. Unfortunately this does not restore security on AD objects.

I took ownership of the problem object, added write rights to administrators and ran adprep again. This time it stop on another object. I think that proved the source of the problem. Now I'm going to read some articles about how to clear AD from old connections and old CA presence in order to get things back in order.
kevinhsieh

Glad you're making progress on this. Don't forget that you need a hot fix or strange things will start happening when mixinf Windows 2003 and 2012 DCs.

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx
ASKER CERTIFIED SOLUTION
George_Kostov

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
George_Kostov

ASKER
I found the solution myself, by following article mentioned in this comment.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23