I have a single-forest, single-domain installation with a 32-bit 2003 DC. The domain functional level is 2003 (verified). I wanted to add a second DC, a 2012 R2 server already joined to the domain. My further plans included moving the FSMO roles to the new server and demoting the old 2003 server. However, I ran into a problem when adding the AD DS role to the new 2012 R2 server. I followed the steps outlined here
but I got an error after clicking "Install" in step 18. The error is: "Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". Here is the excerpt from the adprep.log file (domain name masked as DOMAIN.LOCAL):
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.
LDAP API ldap_modify_ext_s() finished, return code is 0x32
Adprep was unable to modify the security descriptor on object CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).
Adprep encountered an LDAP error.
Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
ldap error = 0x32
NT BUILD: 9600
NT BUILD: 16384
Adprep was unable to update forest information.
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
I checked twice that I am a member of all necessary groups (Domain Admins, Enterprise Admins, Schema Admins). I even tried to run the wizard with the credentials of the default built-in administrator account (also a member of the above three groups) of the 2003 DC, with all the same results.
The strange thing: despite this error, the AD schema version was updated to 69 (verified)! However, I still cannot make the new server a DC...
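One check worth running before retrying adprep, as an added example that is not part of the original post: dump the owner, the inheritance flag and every WriteDacl/GenericAll holder on the exact template object named in the log, then compare that with the groups actually present in the current logon token. It uses plain LDAP via [ADSI] rather than the ActiveDirectory module, so it works against a 2003 DC that has no ADWS; it assumes it runs on the 2012 R2 member server as the account used for the wizard, and DOMAIN.LOCAL is the masked name from the post.

```powershell
# Added example, not from the original post: inspect the security descriptor that
# adprep failed to merge an ACE into. Works over LDAP against a 2003 DC (no ADWS).

# Resolve the Configuration naming context instead of hard-coding DC=DOMAIN,DC=LOCAL.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext

# The object from adprep.log (CN=DirectoryEmailReplication certificate template).
$dn    = "CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$entry = [ADSI]"LDAP://$dn"
$sd    = $entry.psbase.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

# An unexpected owner or a protected DACL explains why rights inherited from the
# Configuration container (normally Enterprise Admins) do not reach this object.
"Object : $dn"
"Owner  : $($sd.Owner)"
"DACL inheritance blocked: $($sd.AreAccessRulesProtected)"

# adprep needs WriteDacl (or GenericAll) on the object to merge the new ACE.
# List who holds it and whether the ACE is explicit or inherited.
"`nACEs granting WriteDacl / GenericAll:"
$sd.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'WriteDacl|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Explicit Deny ACEs win over Allow; surface any that exist on the object.
"Deny ACEs on the object:"
$sd.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# Group membership only counts if it is in the logon token: a membership added after
# logon (or one filtered by UAC) will not appear here until the account re-logs on
# and the wizard runs elevated.
"Privileged groups present in the current token:"
whoami /groups | Select-String 'Enterprise Admins|Schema Admins|Domain Admins'
```

If the privileged groups are missing from the token output, or a Deny ACE or a protected DACL shows up on the object, that is the gap to close before retrying the AD DS installation.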