Solved

Not a Schema Admin?  Schema Role on Non-AD Controller?

Posted on 2016-09-30
7
48 Views
Last Modified: 2016-10-04
On a 2000 Forest, and 2008 R2 DC, I tried to raise the functional level and it says I cannot because the schema master is not reachable.  Strangely, the Schema and Naming master is on a 2012 Member server.  Yes, I said that right.  I went to seize the roles back to he 2008 R2 DC and it says I do not have sufficient rights as domain admin.  I go to look at the group membership of the schema admins and it says I cannot view the properties.  

All I can think is that some junior admin took offline an old AD controller and did not move these roles.  This old server is gone - years gone.  Not sure how I can proceed.  It is a small network.  Is my best bet to simply create a new domain?  Or can you all help me?

- Stowy
0
Comment
Question by:stowyo
7 Comments
 
LVL 7

Assisted Solution

by:No More
No More earned 125 total points
ID: 41824340
netdom query FSMO      and check if you are correct

Seize it using NTDSUTIL
https://www.briandesmond.com/active-directory/how-to-seize-a-fsmo-role-with-ntdsutil/

Global catalog will more likely save you :D
0
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 125 total points
ID: 41824356
If you are trying to seize the Schema and Domain Naming master, you have to be a member of the Enterprise admins group, which are granted Forest level permissions. Those two roles are Forest level roles (one role holder per AD forest) so a Domain Admin doesn't have the rights necessary to seize them.

As for how a Member server (non-DC) shows as having the roles, it's possible the 2012 server was given the same name as the old Schema Master when it was created. The definitions for role holders remain in AD even if the role holders themselves are deleted, so if you bring up a new server with the same name, you'll see that type of weirdness. Can't think of any other possible causes, though.
0
 
LVL 1

Author Comment

by:stowyo
ID: 41824391
OK I found out more - and there is a CORRECTION to my original question.

The server that has the schema master and the domain naming master is NOT the 2112 server.  It is the old 2000 Domain controller, a parent domain - which is gone.  So this domain that I exist in is a sub domain missing it's parent.  

parent was xxx.local (2000 functional level) - as well as the forest
my current domain (2008 functional level) is office.xxx.local

What a mess.  Is there any way out of this one?  

When I try to seize (using an elevated prompt) I get the error below. - I believe it is because the users group from xxx.local (the parent domain) has no DC.  ...and Enterprise Admins consists of xxx.local\users.  I am logging on as Domain Admin from the sub domain.  Can't get in as Enterprise Admin....

fsmo maintenance: seize naming master
Attempting safe transfer of domain naming FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031523E0, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of domain naming FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03152492, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
----------------------------------------------------------------------------------

fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-031523E0, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03152492, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
)
fsmo maintenance:
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points
ID: 41824422
I can't think of a way since the forest is non-existent. you will have to export your group policy, dhcp, and use ADMT to capture the users profiles.  Then start rebuilding the domain basically from scratch and import the exported information. This is a real mess you've got yourself into.. Hopefully another expert can come up with a better solution
0
 
LVL 1

Author Comment

by:stowyo
ID: 41824428
Thanks.  I think you're right.  The former admin did this 5 years ago and probably knew about it.  Thankfully it's a small network and won't be too painful.  Going to leave this open for a while, just to see if a miracle appears.
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 41824437
Hope springs eternal :=>
0
 
LVL 1

Author Closing Comment

by:stowyo
ID: 41828566
Thanks for the help everybody!
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question