• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 106
  • Last Modified:

Not a Schema Admin? Schema Role on Non-AD Controller?

On a 2000 Forest, and 2008 R2 DC, I tried to raise the functional level and it says I cannot because the schema master is not reachable.  Strangely, the Schema and Naming master is on a 2012 Member server.  Yes, I said that right.  I went to seize the roles back to he 2008 R2 DC and it says I do not have sufficient rights as domain admin.  I go to look at the group membership of the schema admins and it says I cannot view the properties.  

All I can think is that some junior admin took offline an old AD controller and did not move these roles.  This old server is gone - years gone.  Not sure how I can proceed.  It is a small network.  Is my best bet to simply create a new domain?  Or can you all help me?

- Stowy
0
stowyo
Asked:
stowyo
3 Solutions
 
No MoreCommented:
netdom query FSMO      and check if you are correct

Seize it using NTDSUTIL
https://www.briandesmond.com/active-directory/how-to-seize-a-fsmo-role-with-ntdsutil/

Global catalog will more likely save you :D
0
 
Adam BrownSr Solutions ArchitectCommented:
If you are trying to seize the Schema and Domain Naming master, you have to be a member of the Enterprise admins group, which are granted Forest level permissions. Those two roles are Forest level roles (one role holder per AD forest) so a Domain Admin doesn't have the rights necessary to seize them.

As for how a Member server (non-DC) shows as having the roles, it's possible the 2012 server was given the same name as the old Schema Master when it was created. The definitions for role holders remain in AD even if the role holders themselves are deleted, so if you bring up a new server with the same name, you'll see that type of weirdness. Can't think of any other possible causes, though.
0
 
stowyoAmericas Regional IT ManagerAuthor Commented:
OK I found out more - and there is a CORRECTION to my original question.

The server that has the schema master and the domain naming master is NOT the 2112 server.  It is the old 2000 Domain controller, a parent domain - which is gone.  So this domain that I exist in is a sub domain missing it's parent.  

parent was xxx.local (2000 functional level) - as well as the forest
my current domain (2008 functional level) is office.xxx.local

What a mess.  Is there any way out of this one?  

When I try to seize (using an elevated prompt) I get the error below. - I believe it is because the users group from xxx.local (the parent domain) has no DC.  ...and Enterprise Admins consists of xxx.local\users.  I am logging on as Domain Admin from the sub domain.  Can't get in as Enterprise Admin....

fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031523E0, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03152492, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
----------------------------------------------------------------------------------

fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031523E0, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03152492, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
0
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

 
David Johnson, CD, MVPOwnerCommented:
I can't think of a way since the forest is non-existent. you will have to export your group policy, dhcp, and use ADMT to capture the users profiles.  Then start rebuilding the domain basically from scratch and import the exported information. This is a real mess you've got yourself into.. Hopefully another expert can come up with a better solution
0
 
stowyoAmericas Regional IT ManagerAuthor Commented:
Thanks.  I think you're right.  The former admin did this 5 years ago and probably knew about it.  Thankfully it's a small network and won't be too painful.  Going to leave this open for a while, just to see if a miracle appears.
0
 
David Johnson, CD, MVPOwnerCommented:
Hope springs eternal :=>
0
 
stowyoAmericas Regional IT ManagerAuthor Commented:
Thanks for the help everybody!
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now