
Adprep was unable to modify the security descriptor on object when adding 2012R2 DC to a 2003 domain

George_Kostov asked:
Topics: Windows Server 2003, Active Directory, Windows Server 2012
I have a single-forest, single-domain installation with a 32-bit 2003 DC. The domain functional level is 2003 (verified). I wanted to add a second DC, which is a 2012 R2 server already joined to the domain. My further plans included moving the FSMO roles to the new server and demoting the old 2003 server. However, I ran into a problem when adding the AD DS role to the new 2012 R2 server. I followed the steps outlined here, but I got an error after I clicked "Install" in step 18. The error is: "Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". Here is the excerpt from the adprep.log file (domain name masked as DOMAIN.LOCAL):

[2014/11/17:17:46:08.986]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.

[2014/11/17:17:46:08.987]
LDAP API ldap_modify_ext_s() finished, return code is 0x32 

[2014/11/17:17:46:08.990]
Adprep was unable to modify the security descriptor on object CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL.
[Status/Consequence]
ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[2014/11/17:17:46:08.990]
Adprep encountered an LDAP error. 
Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

DSID Info:
DSID: 0x180e0a8f
ldap error = 0x32
NT BUILD: 9600
NT BUILD: 16384

[2014/11/17:17:46:08.990]
Adprep was unable to update forest information. 
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

I checked twice that I am a member of all the necessary groups (Domain Admins, Enterprise Admins, Schema Admins). I even tried running the wizard with the credentials of the default built-in Administrator account of the 2003 DC (also a member of the above three groups), with all the same results.

The strange thing: despite this error, the AD schema version was updated to 69 (verified)! However, I still cannot make the new server a DC...
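The log above shows adprep failing only at the point where it tries to merge a new ACE into the DACL of one specific object in the Configuration partition (the DirectoryEmailReplication certificate template), after the schema updates had already gone through (schema version 69 is the Windows Server 2012 R2 schema). An LDAP modify of nTSecurityDescriptor needs WRITE_DAC (or full control) on that object, or ownership of it, so the first thing to check is the ACL of that one object on the schema master, and whether the logon token actually carries a principal that is granted it. The following PowerShell is an added diagnostic example; it is not part of the original post, not code from Microsoft's adprep, and not the accepted answer. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is available on the already-joined 2012 R2 server, that the schema master answers LDAP, and that the DN and the DC=DOMAIN,DC=LOCAL suffix are the ones shown in the log excerpt (replace the suffix with the real domain). The function name Test-AdprepWriteDacl is made up for this example.

```powershell
# Added diagnostic example (not from the original post, adprep, or the accepted answer).
# Assumptions: ActiveDirectory module present, schema master reachable over LDAP,
# DN and domain suffix copied from the adprep.log excerpt above.
Import-Module ActiveDirectory

function Test-AdprepWriteDacl {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # adprep /forestprep writes through the schema master, so inspect the copy held there.
        [string]$Server = (Get-ADForest).SchemaMaster
    )

    $obj = Get-ADObject -Identity $DistinguishedName -Server $Server -Properties nTSecurityDescriptor
    $sd  = $obj.nTSecurityDescriptor   # System.DirectoryServices.ActiveDirectorySecurity

    # Merging an ACE into the DACL needs WRITE_DAC (or GENERIC_ALL) on the object itself;
    # the object's owner has WRITE_DAC implicitly.
    $writeDacl  = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Ask for the rules keyed by SID so they can be compared with the logon token
    # without any name resolution against the (possibly unhealthy) 2003 DC.
    $rules    = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $grantors = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ( (($_.ActiveDirectoryRights -band $writeDacl)  -eq $writeDacl) -or
          (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) )
    }

    # SIDs in the *current* logon token. Caveat: a group you were added to after logging
    # on is absent from this token until you log off and on again, and the promotion wizard
    # uses the credentials typed into it, which need not be this session's.
    $token     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($token.User) + @($token.Groups) | ForEach-Object { $_.Value }
    $ownerSid  = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value

    [pscustomobject]@{
        Object             = $DistinguishedName
        QueriedDC          = $Server
        Owner              = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
        # $true means SE_DACL_PROTECTED is set: ACEs inherited from CN=Configuration
        # (the usual source of Enterprise Admins' full control) never reach this object.
        InheritanceBlocked = $sd.AreAccessRulesProtected
        WriteDaclHolders   = @($grantors | ForEach-Object {
            "$($_.IdentityReference) ($($_.ActiveDirectoryRights); inherited=$($_.IsInherited))" })
        CallerHasWriteDacl = [bool]( ($tokenSids -contains $ownerSid) -or
                                     ($grantors | Where-Object { $tokenSids -contains $_.IdentityReference.Value }) )
    }
}

$dn = 'CN=DirectoryEmailReplication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL'
Test-AdprepWriteDacl -DistinguishedName $dn | Format-List

# If CallerHasWriteDacl is $false even though the token holds the Enterprise Admins SID
# (S-1-5-21-<domain>-519), the DACL or owner of this one object is what blocks adprep.
# dsacls (also in RSAT) can put it back; run as an Enterprise Admin, then re-run the wizard:
#   dsacls "$dn" /takeownership
#   dsacls "$dn" /G "DOMAIN\Enterprise Admins":GA
```

Run it twice if the first run reports CallerHasWriteDacl as $false: once in the session you used for the wizard, and once after a fresh logon, since a stale token is indistinguishable from a broken ACL in the adprep.log alone. Compare the output with a sibling template object under the same Certificate Templates container; one object with InheritanceBlocked set to $true, or with an owner and explicit ACEs that differ from its siblings, is the pattern to look for before touching anything with dsacls.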
ASKER CERTIFIED SOLUTION
George_Kostov