Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 113
  • Last Modified:

Not a Schema Admin? Schema Role on Non-AD Controller?

On a 2000 Forest, and 2008 R2 DC, I tried to raise the functional level and it says I cannot because the schema master is not reachable.  Strangely, the Schema and Naming master is on a 2012 Member server.  Yes, I said that right.  I went to seize the roles back to he 2008 R2 DC and it says I do not have sufficient rights as domain admin.  I go to look at the group membership of the schema admins and it says I cannot view the properties.  

All I can think is that some junior admin took offline an old AD controller and did not move these roles.  This old server is gone - years gone.  Not sure how I can proceed.  It is a small network.  Is my best bet to simply create a new domain?  Or can you all help me?

- Stowy
0
stowyo
Asked:
stowyo
3 Solutions
 
No MoreCommented:
netdom query FSMO      and check if you are correct

Seize it using NTDSUTIL
https://www.briandesmond.com/active-directory/how-to-seize-a-fsmo-role-with-ntdsutil/

Global catalog will more likely save you :D
0
 
Adam BrownSr Solutions ArchitectCommented:
If you are trying to seize the Schema and Domain Naming master, you have to be a member of the Enterprise admins group, which are granted Forest level permissions. Those two roles are Forest level roles (one role holder per AD forest) so a Domain Admin doesn't have the rights necessary to seize them.

As for how a Member server (non-DC) shows as having the roles, it's possible the 2012 server was given the same name as the old Schema Master when it was created. The definitions for role holders remain in AD even if the role holders themselves are deleted, so if you bring up a new server with the same name, you'll see that type of weirdness. Can't think of any other possible causes, though.
0
 
stowyoAmericas Regional IT ManagerAuthor Commented:
OK I found out more - and there is a CORRECTION to my original question.

The server that has the schema master and the domain naming master is NOT the 2112 server.  It is the old 2000 Domain controller, a parent domain - which is gone.  So this domain that I exist in is a sub domain missing it's parent.  

parent was xxx.local (2000 functional level) - as well as the forest
my current domain (2008 functional level) is office.xxx.local

What a mess.  Is there any way out of this one?  

When I try to seize (using an elevated prompt) I get the error below. - I believe it is because the users group from xxx.local (the parent domain) has no DC.  ...and Enterprise Admins consists of xxx.local\users.  I am logging on as Domain Admin from the sub domain.  Can't get in as Enterprise Admin....

fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031523E0, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03152492, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
----------------------------------------------------------------------------------

fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031523E0, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03152492, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
David Johnson, CD, MVPOwnerCommented:
I can't think of a way since the forest is non-existent. you will have to export your group policy, dhcp, and use ADMT to capture the users profiles.  Then start rebuilding the domain basically from scratch and import the exported information. This is a real mess you've got yourself into.. Hopefully another expert can come up with a better solution
0
 
stowyoAmericas Regional IT ManagerAuthor Commented:
Thanks.  I think you're right.  The former admin did this 5 years ago and probably knew about it.  Thankfully it's a small network and won't be too painful.  Going to leave this open for a while, just to see if a miracle appears.
0
 
David Johnson, CD, MVPOwnerCommented:
Hope springs eternal :=>
0
 
stowyoAmericas Regional IT ManagerAuthor Commented:
Thanks for the help everybody!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now