RE: Error seizing schema master FSMO role in Win2003 AD - RESOLVED

2010-11-18 Thread Brian Desmond
Use something like whoami to see if your token included Schema Admins. 

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132


-Original Message-
From: Mike Leone [mailto:oozerd...@gmail.com] 
Sent: Thursday, November 18, 2010 12:05 PM
To: NT System Admin Issues
Subject: Re: Error seizing schema master FSMO role in Win2003 AD - RESOLVED

Don't ask me to explain it, but I logged out of the domain admin account, and 
logged in as another account (which is *also* in the Domain Admins, Enterprise 
Admins, Schema Admins groups, exactly like the domain administrator account).

And it worked perfectly, exactly as it should. Huh?

I had even waited up to an hour, re-trying the command, thinking it was just 
the fact that it was trying to replicate (and couldn't). Weird.

Anyway, off to do the child domain (seizing schema *first* this time, I think 
:-)), and then to do the metadata cleanup ...

Thanks

On 11/18/2010 2:41 PM, Mike Leone wrote:
> So I am setting up a testing version of my domain, to practice 
> upgrading from Win2003 AD to Win2008 AD, by making a copy of my domain 
> on my ESX cluster. We have a parent and child domain structure. I have 
> 1 DC in each domain as a VM (each is a DNS server, but do *not* hold 
> any FSMO roles). So I made a copy of each, and then started the copy 
> on a separate virtual subnet on my ESX server (separate because it is 
> not tied to any physical adapters, so the only things it can talk to 
> are the other systems on this subnet). I changed the IP address to the 
> new subnet, and then went to seize FSMO roles, so I could make a 
> working copy of my domain, to play with.
> 
> (I've done this before, successfully, using VMs)
> 
> So I was able to seize 4 roles - domain naming master, infrastructure 
> master, PDC, RID master - in that order. All was well. Then I tried to 
> seize the schema master role, and got:
> 
> 
> fsmo maintenance: seize schema master
> Attempting safe transfer of schema FSMO before seizure.
> ldap_modify_sW error 0x32(50 (Insufficient Rights).
> Ldap extended error message is 2098: SecErr: DSID-03151D7D, 
> problem
> 4003 (INSUFF_ACCESS_RIGHTS), data 0
> 
> Win32 error returned is 0x2098(Insufficient access rights to perform 
> the
> operation.)
> )
> Depending on the error code this may indicate a connection, ldap, or 
> role transfer error.
> Transfer of schema FSMO failed, proceeding with seizure ...
> ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
> Ldap extended error message is 0005: SecErr: DSID-03151E04, 
> problem
> 4003 (INSUFF_ACCESS_RIGHTS), data 0
> 
> Win32 error returned is 0x5(Access is denied.)
> 
> 
> And I don't know why, as I am using the domain administrator account, 
> which *is* a member of Domain Admins, Enterprise Admins, and Schema 
> Admins (I double-checked). And this DC is also a GC.
> 
> So I don't know why I am getting insufficient access rights. Those 2 
> things (group membership, GC) seem to be the common culprit, according 
> to searches.
> 
> Where to look next? Did I seize them in the wrong order or something?


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


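The check Brian suggests, written out as a PowerShell script (added here as an example; it is not code from the thread or from either poster). It assumes PowerShell 2.0 or later on a domain-joined machine that can reach a DC, run as the account that will run ntdsutil; it uses only .NET and ADSI, so no RSAT is needed. A DC's access check on the schema FSMO object sees the groups in the caller's logon token, not the directory's current group list, and the token is built at logon, so a membership added afterwards is invisible until the next logon. The script reports, per group, whether the membership is in the token, in the directory, or both.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0+, a
# domain-joined machine that can reach a DC, and that it runs as the
# account that will run ntdsutil. No RSAT / ActiveDirectory module needed.

$wanted = @('Schema Admins', 'Enterprise Admins', 'Domain Admins')

# 1. Groups in the current logon token (what the DC's ACL check sees),
#    resolved to DOMAIN\Name where the SID still resolves.
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # unresolvable SID (e.g. deleted group): keep S-1-5-...
}

# 2. Groups the directory lists on the user object right now (direct
#    memberOf only; the primary group, normally Domain Users, is not here).
$sam       = $identity.Name.Split('\')[-1]
$searcher  = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$sam))"
$dirGroups = @()
$result    = $searcher.FindOne()
if ($result -ne $null) {
    $dirGroups = @($result.Properties['memberof'] |
        ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
}

# 3. Compare the two views and explain any mismatch.
foreach ($g in $wanted) {
    $pattern = '\\' + [regex]::Escape($g) + '$'
    $inToken = [bool]($tokenGroups | Where-Object { $_ -match $pattern })
    $inDir   = $dirGroups -contains $g
    if     ($inToken -and $inDir) { $verdict = 'OK: in token and in directory' }
    elseif ($inDir)               { $verdict = 'STALE TOKEN: member in directory, not in token - log off and back on' }
    elseif ($inToken)             { $verdict = 'in token only: nested membership, or removed since logon' }
    else                          { $verdict = 'not a member' }
    '{0,-18} {1}' -f $g, $verdict
}
```

The token side alone is what `whoami /groups` prints; the script adds the directory side so that a "member in directory, not in token" line points straight at a logon session that predates the group change, which is the symptom Mike describes (the other account, logged on fresh, worked).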



Re: Error seizing schema master FSMO role in Win2003 AD - RESOLVED

2010-11-18 Thread Mike Leone
Don't ask me to explain it, but I logged out of the domain admin
account, and logged in as another account (which is *also* in the Domain
Admins, Enterprise Admins, Schema Admins groups, exactly like the domain
administrator account).

And it worked perfectly, exactly as it should. Huh?

I had even waited up to an hour, re-trying the command, thinking it was
just the fact that it was trying to replicate (and couldn't). Weird.

Anyway, off to do the child domain (seizing schema *first* this time, I
think :-)), and then to do the metadata cleanup ...

Thanks

On 11/18/2010 2:41 PM, Mike Leone wrote:
> So I am setting up a testing version of my domain, to practice upgrading
> from Win2003 AD to Win2008 AD, by making a copy of my domain on my ESX
> cluster. We have a parent and child domain structure. I have 1 DC in
> each domain as a VM (each is a DNS server, but do *not* hold any FSMO
> roles). So I made a copy of each, and then started the copy on a
> separate virtual subnet on my ESX server (separate because it is not
> tied to any physical adapters, so the only things it can talk to are the
> other systems on this subnet). I changed the IP address to the new
> subnet, and then went to seize FSMO roles, so I could make a working
> copy of my domain, to play with.
> 
> (I've done this before, successfully, using VMs)
> 
> So I was able to seize 4 roles - domain naming master, infrastructure
> master, PDC, RID master - in that order. All was well. Then I tried to
> seize the schema master role, and got:
> 
> 
> fsmo maintenance: seize schema master
> Attempting safe transfer of schema FSMO before seizure.
> ldap_modify_sW error 0x32(50 (Insufficient Rights).
> Ldap extended error message is 2098: SecErr: DSID-03151D7D, problem
> 4003 (INSUFF_ACCESS_RIGHTS), data 0
> 
> Win32 error returned is 0x2098(Insufficient access rights to perform the
> operation.)
> )
> Depending on the error code this may indicate a connection,
> ldap, or role transfer error.
> Transfer of schema FSMO failed, proceeding with seizure ...
> ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
> Ldap extended error message is 0005: SecErr: DSID-03151E04, problem
> 4003 (INSUFF_ACCESS_RIGHTS), data 0
> 
> Win32 error returned is 0x5(Access is denied.)
> 
> 
> And I don't know why, as I am using the domain administrator account,
> which *is* a member of Domain Admins, Enterprise Admins, and Schema
> Admins (I double-checked). And this DC is also a GC.
> 
> So I don't know why I am getting insufficient access rights. Those 2
> things (group membership, GC) seem to be the common culprit, according
> to searches.
> 
> Where to look next? Did I seize them in the wrong order or something?


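After seizing roles in an isolated copy like the one Mike describes, the useful check is which DC each of the five roles now points at. The script below is an added example (not code from the thread); it assumes PowerShell 2.0 or later on a domain-joined machine that can reach a DC in the copied domain, and reads the `fSMORoleOwner` attribute from the five objects that carry it via ADSI, so no RSAT or ActiveDirectory module is required. A role that still names a DC which exists only in the production forest is still held by an unreachable machine, and the stale server objects left behind are what the later metadata cleanup removes.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0+ on a
# domain-joined machine that can reach a DC in the (copied) domain.
# Uses ADSI only; no RSAT / ActiveDirectory module required.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDN = $rootDse.Get('defaultNamingContext')
$configDN = $rootDse.Get('configurationNamingContext')
$schemaDN = $rootDse.Get('schemaNamingContext')

# Role name -> DN of the object whose fSMORoleOwner attribute holds it.
$roleObjects = @(
    @{ Role = 'Schema master';         DN = $schemaDN },
    @{ Role = 'Domain naming master';  DN = 'CN=Partitions,' + $configDN },
    @{ Role = 'PDC emulator';          DN = $domainDN },
    @{ Role = 'RID master';            DN = 'CN=RID Manager$,CN=System,' + $domainDN },
    @{ Role = 'Infrastructure master'; DN = 'CN=Infrastructure,' + $domainDN }
)

# fSMORoleOwner is the DN of the holder's NTDS Settings object:
# CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,<configDN>
function Get-HolderFromNtdsDn([string]$ntdsDn) {
    # If the holder's NTDS Settings object has been deleted, the DN is
    # tombstoned (contains "\0ADEL:<guid>") and no longer has that shape.
    if ($ntdsDn -match '0ADEL') { return "DELETED OBJECT - $ntdsDn" }
    $parts  = $ntdsDn -split ','
    $server = $parts[1] -replace '^CN=', ''
    $site   = $parts[3] -replace '^CN=', ''
    return "$server (site $site)"
}

foreach ($r in $roleObjects) {
    try {
        $obj    = [ADSI]('LDAP://' + $r.DN)
        $holder = Get-HolderFromNtdsDn ($obj.Get('fSMORoleOwner'))
    } catch {
        $holder = 'unreadable: ' + $_.Exception.Message
    }
    '{0,-22} {1}' -f $r.Role, $holder
}
```

Run it once before the seizure to record the production holders and once after: every line should then name the VM that performed the seizure. Any line that still names a production DC, or shows a DELETED OBJECT, is a role that was not seized, and a schema master in that state is exactly what blocks later schema extensions such as the Windows 2008 adprep.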