So I am setting up a testing version of my domain, to practice upgrading
from Win2003 AD to Win2008 AD, by making a copy of my domain on my ESX
cluster. We have a parent and child domain structure. I have 1 DC in
each domain as a VM (each is a DNS server, but do *not* hold any FSMO
roles). So I made a copy of each, and then started the copy on a
separate virtual subnet on my ESX server (separate because it is not
tied to any physical adapters, so the only things it can talk to are the
other systems on this subnet). I changed the IP address to the new
subnet, and then went to seize FSMO roles, so I could make a working
copy of my domain, to play with.

(I've done this before, successfully, using VMs.)

So I was able to seize 4 roles - domain naming master, infrastructure
master, PDC, RID master - in that order. All was well. Then I tried to
seize the schema master role, and got:

----------------------------------------
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03151D7D, problem
4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the
operation.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03151E04, problem
4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)
----------------------------------------

And I don't know why, as I am using the domain administrator account,
which *is* a member of Domain Admins, Enterprise Admins, and Schema
Admins (I double-checked). And this DC is also a GC.

So I don't know why I am getting insufficient access rights. Those 2
things (group membership, GC) seem to be the common culprit, according
to searches.

Where to look next? Did I seize them in the wrong order or something?
