Solved

Not a Schema Admin?  Schema Role on Non-AD Controller?

Posted on 2016-09-30
Last Modified: 2016-10-04
On a 2000 Forest, and 2008 R2 DC, I tried to raise the functional level and it says I cannot because the schema master is not reachable.  Strangely, the Schema and Naming master is on a 2012 Member server.  Yes, I said that right.  I went to seize the roles back to the 2008 R2 DC and it says I do not have sufficient rights as domain admin.  I go to look at the group membership of the schema admins and it says I cannot view the properties.

All I can think is that some junior admin took offline an old AD controller and did not move these roles.  This old server is gone - years gone.  Not sure how I can proceed.  It is a small network.  Is my best bet to simply create a new domain?  Or can you all help me?

- Stowy
0
Question by:stowyo
7 Comments
 
LVL 7

Assisted Solution

by:No More
No More earned 125 total points
ID: 41824340
netdom query FSMO and check if you are correct

Seize it using NTDSUTIL
https://www.briandesmond.com/active-directory/how-to-seize-a-fsmo-role-with-ntdsutil/

Global catalog will more likely save you :D
0
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 125 total points
ID: 41824356
If you are trying to seize the Schema and Domain Naming master, you have to be a member of the Enterprise admins group, which are granted Forest level permissions. Those two roles are Forest level roles (one role holder per AD forest) so a Domain Admin doesn't have the rights necessary to seize them.

As for how a Member server (non-DC) shows as having the roles, it's possible the 2012 server was given the same name as the old Schema Master when it was created. The definitions for role holders remain in AD even if the role holders themselves are deleted, so if you bring up a new server with the same name, you'll see that type of weirdness. Can't think of any other possible causes, though.
0
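The two replies above say to check who actually holds the roles and that only an Enterprise Admin can seize the forest-level ones. As an added example that is not part of any reply in this thread, the following PowerShell does both checks: it lists the five FSMO holders, flags any holder the forest no longer advertises as a DC or that does not answer, and tests whether the current token carries Enterprise Admins. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host; all variable names are mine.

```powershell
# Added example, not from this thread. Assumes RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles live on the forest object, domain-wide roles on the domain object
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Every DC the forest still advertises; a domain with no reachable DC is a warning, not fatal
$knownDCs = foreach ($d in $forest.Domains) {
    try   { (Get-ADDomainController -Filter * -Server $d).HostName }
    catch { Write-Warning "Cannot enumerate DCs in $d : $($_.Exception.Message)" }
}

$report = foreach ($role in $roles.Keys) {
    $holder    = $roles[$role]
    $isKnownDC = $knownDCs -contains $holder
    # An unset holder attribute must not be passed to Test-Connection
    $answers   = if ($holder) { [bool](Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue) } else { $false }
    $status    = if (-not $isKnownDC) { 'STALE HOLDER' } elseif (-not $answers) { 'UNREACHABLE' } else { 'OK' }
    [pscustomobject]@{ Role = $role; Holder = $holder; KnownDC = $isKnownDC; Answers = $answers; Status = $status }
}
$report | Format-Table -AutoSize

# Enterprise Admins is a forest-root group: well-known RID 519 under the root domain SID.
# If the root domain has no DC at all, this lookup itself fails, which is the signal.
try {
    $rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
    $eaSid   = New-Object System.Security.Principal.SecurityIdentifier ("$rootSid-519")
    $me      = [System.Security.Principal.WindowsPrincipal][System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ($me.IsInRole($eaSid)) {
        "Current token includes Enterprise Admins; seizing Schema/Domain Naming master is permitted."
    } else {
        "Current token lacks Enterprise Admins (RID 519 in $($forest.RootDomain)); expect 'Insufficient Rights' on seize."
    }
}
catch { Write-Warning "Cannot resolve root domain $($forest.RootDomain): $($_.Exception.Message)" }
```

A holder reported as STALE HOLDER with an unreachable root domain is the pattern described later in this thread: the role references a DC that no longer exists, and no DC remains to authenticate a forest-root group.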
 
LVL 1

Author Comment

by:stowyo
ID: 41824391
OK I found out more - and there is a CORRECTION to my original question.

The server that has the schema master and the domain naming master is NOT the 2012 server.  It is the old 2000 Domain controller, a parent domain - which is gone.  So this domain that I exist in is a sub domain missing its parent.

parent was xxx.local (2000 functional level) - as well as the forest
my current domain (2008 functional level) is office.xxx.local

What a mess.  Is there any way out of this one?  

When I try to seize (using an elevated prompt) I get the error below. - I believe it is because the users group from xxx.local (the parent domain) has no DC.  ...and Enterprise Admins consists of xxx.local\users.  I am logging on as Domain Admin from the sub domain.  Can't get in as Enterprise Admin....

fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031523E0, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03152492, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
----------------------------------------------------------------------------------

fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031523E0, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03152492, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
0

 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points
ID: 41824422
I can't think of a way since the forest is non-existent. You will have to export your group policy, DHCP, and use ADMT to capture the users' profiles.  Then start rebuilding the domain basically from scratch and import the exported information. This is a real mess you've got yourself into. Hopefully another expert can come up with a better solution.
0
 
LVL 1

Author Comment

by:stowyo
ID: 41824428
Thanks.  I think you're right.  The former admin did this 5 years ago and probably knew about it.  Thankfully it's a small network and won't be too painful.  Going to leave this open for a while, just to see if a miracle appears.
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 41824437
Hope springs eternal :=>
0
 
LVL 1

Author Closing Comment

by:stowyo
ID: 41828566
Thanks for the help everybody!
0
