Solved

Adprep was unable to modify the security descriptor on object when adding 2012R2 DC to a 2003 domain

Posted on 2014-11-19
4
659 Views
Last Modified: 2014-11-25
I have a Single forest, single domain installation with a 32 bit 2003 DC. The domain functional level is 2003 (verified). I wanted to add a second DC which is a 2012R2 server, already joined to the domain. My further plans included to change FSMO roles to the new server and demote the old 2003 server. However I ran into problem when adding AD DS role to the new 2012R2 server. I followed the steps outlined here but i got an error after I click "Install": in step 18. The error is: "Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". Here is the excerpt from the adprep.log file (domain name masked with DOMAIN.LOCAL):

[2014/11/17:17:46:08.986]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.

[2014/11/17:17:46:08.987]
LDAP API ldap_modify_ext_s() finished, return code is 0x32 

[2014/11/17:17:46:08.990]
Adprep was unable to modify the security descriptor on object CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[2014/11/17:17:46:08.990]
Adprep encountered an LDAP error. 
Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

DSID Info:
DSID: 0x180e0a8f
ldap error = 0x32
NT BUILD: 9600
NT BUILD: 16384

[2014/11/17:17:46:08.990]
Adprep was unable to update forest information. 
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

Open in new window


I checked twice that I am member of all necessary groups (Domain Admins, Enterprise Admins, Schema Admins). I even tried to run wizard with the credentials of default built-in administrator account (also member of the above three groups) of the 2003 DC with all the same results.

The strange thing: Despite this error, AD schema version was updated to 69 (verified)! However, I still can not make the new server a DC...
0
Comment
Question by:George_Kostov
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 

Author Comment

by:George_Kostov
ID: 40452624
While waiting for experts to come, I did this:

Using ADSIEdit.msc i saw that the object which ADPrep failed to update (CN=DirectoryEmailReplication,CN...) has several "Account unknown" listed in it's security tab. It's owner is an "Account unknown" too.

That reminded me, that once this forest used to be part of a bigger enterprise with many forests including one resource forest (which our domain had trust with) where were located enterprise wide services like CA, Exchange, Link, SCCM and so on... After our company has been separated from that enterprise, the trust with their resource forest was broken. Unfortunately this does not restore security on AD objects.

I took ownership of the problem object, added write rights to administrators and ran adprep again. This time it stop on another object. I think that proved the source of the problem. Now I'm going to read some articles about how to clear AD from old connections and old CA presence in order to get things back in order.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40453934
Glad you're making progress on this. Don't forget that you need a hot fix or strange things will start happening when mixinf Windows 2003 and 2012 DCs.

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx
0
 

Accepted Solution

by:
George_Kostov earned 0 total points
ID: 40454612
Thank you for the info about the hotfix, kevinhsien. Meanwhile I was able to remove traces of former CA by following this procedure, and finally I have my first 2012R2 DC in that domain.
0
 

Author Closing Comment

by:George_Kostov
ID: 40464124
I found the solution myself, by following article mentioned in this comment.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ntp server 15 76
PowerShell:  foreach where object notmatch? 17 70
Run .vbs file as admin on remote computers 8 22
Run powershell against OU 7 67
In-place Upgrading Dirsync to Azure AD Connect
A hard and fast method for reducing Active Directory Administrators members.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question