?
Solved

Not a Schema Admin?  Schema Role on Non-AD Controller?

Posted on 2016-09-30
7
Medium Priority
?
87 Views
Last Modified: 2016-10-04
On a 2000 Forest, and 2008 R2 DC, I tried to raise the functional level and it says I cannot because the schema master is not reachable.  Strangely, the Schema and Naming master is on a 2012 Member server.  Yes, I said that right.  I went to seize the roles back to he 2008 R2 DC and it says I do not have sufficient rights as domain admin.  I go to look at the group membership of the schema admins and it says I cannot view the properties.  

All I can think is that some junior admin took offline an old AD controller and did not move these roles.  This old server is gone - years gone.  Not sure how I can proceed.  It is a small network.  Is my best bet to simply create a new domain?  Or can you all help me?

- Stowy
0
Comment
Question by:stowyo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 7

Assisted Solution

by:No More
No More earned 500 total points
ID: 41824340
netdom query FSMO      and check if you are correct

Seize it using NTDSUTIL
https://www.briandesmond.com/active-directory/how-to-seize-a-fsmo-role-with-ntdsutil/

Global catalog will more likely save you :D
0
 
LVL 42

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 41824356
If you are trying to seize the Schema and Domain Naming master, you have to be a member of the Enterprise admins group, which are granted Forest level permissions. Those two roles are Forest level roles (one role holder per AD forest) so a Domain Admin doesn't have the rights necessary to seize them.

As for how a Member server (non-DC) shows as having the roles, it's possible the 2012 server was given the same name as the old Schema Master when it was created. The definitions for role holders remain in AD even if the role holders themselves are deleted, so if you bring up a new server with the same name, you'll see that type of weirdness. Can't think of any other possible causes, though.
0
 
LVL 1

Author Comment

by:stowyo
ID: 41824391
OK I found out more - and there is a CORRECTION to my original question.

The server that has the schema master and the domain naming master is NOT the 2112 server.  It is the old 2000 Domain controller, a parent domain - which is gone.  So this domain that I exist in is a sub domain missing it's parent.  

parent was xxx.local (2000 functional level) - as well as the forest
my current domain (2008 functional level) is office.xxx.local

What a mess.  Is there any way out of this one?  

When I try to seize (using an elevated prompt) I get the error below. - I believe it is because the users group from xxx.local (the parent domain) has no DC.  ...and Enterprise Admins consists of xxx.local\users.  I am logging on as Domain Admin from the sub domain.  Can't get in as Enterprise Admin....

fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031523E0, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03152492, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
----------------------------------------------------------------------------------

fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031523E0, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03152492, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 82

Accepted Solution

by:
David Johnson, CD, MVP earned 1000 total points
ID: 41824422
I can't think of a way since the forest is non-existent. you will have to export your group policy, dhcp, and use ADMT to capture the users profiles.  Then start rebuilding the domain basically from scratch and import the exported information. This is a real mess you've got yourself into.. Hopefully another expert can come up with a better solution
0
 
LVL 1

Author Comment

by:stowyo
ID: 41824428
Thanks.  I think you're right.  The former admin did this 5 years ago and probably knew about it.  Thankfully it's a small network and won't be too painful.  Going to leave this open for a while, just to see if a miracle appears.
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 41824437
Hope springs eternal :=>
0
 
LVL 1

Author Closing Comment

by:stowyo
ID: 41828566
Thanks for the help everybody!
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question