Use something like whoami to see if your token included Schema Admins.
Thanks,
Brian Desmond
br...@briandesmond.com
w - 312.625.1438 | c - 312.731.3132
-Original Message-
From: Mike Leone [mailto:oozerd...@gmail.com]
Sent: Thursday, November 18, 2010 12:05 PM
To: NT System Admin Issues
Subject: Re: Error seizing schema master FSMO role in Win2003 AD - RESOLVED
Don't ask me to explain it, but I logged out of the domain admin account, and
logged in as another account (which is *also* in the Domain Admins, Enterprise
Admins, Schema Admins groups, exactly like the domain administrator account).
And it worked perfectly, exactly as it should. Huh?
I had even waited up to an hour, re-trying the command, thinking it was just
the fact that it was trying to replicate (and couldn't). Weird.
Anyway, off to do the child domain (seizing schema *first* this time, I think
:-)), and then to do the metadata cleanup ...
Thanks
On 11/18/2010 2:41 PM, Mike Leone wrote:
So I am setting up a testing version of my domain, to practice
upgrading from Win2003 AD to Win2008 AD, by making a copy of my domain
on my ESX cluster. We have a parent and child domain structure. I have
1 DC in each domain as a VM (each is a DNS server, but do *not* hold
any FSMO roles). So I made a copy of each, and then started the copy
on a separate virtual subnet on my ESX server (separate because it is
not tied to any physical adapters, so the only things it can talk to
are the other systems on this subnet). I changed the IP address to the
new subnet, and then went to seize FSMO roles, so I could make a
working copy of my domain, to play with.
(I've done this before, successfully, using VMs)
So I was able to seize 4 roles - domain naming master. infrastructure
master, PDC, RID master - in that order. All was well. Then I tried to
seize the schema master role, and got:
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 2098: SecErr: DSID-03151D7D,
problem
4003 (INSUFF_ACCESS_RIGHTS), data 0
Win32 error returned is 0x2098(Insufficient access rights to perform
the
operation.)
)
Depending on the error code this may indicate a connection, ldap, or
role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 0005: SecErr: DSID-03151E04,
problem
4003 (INSUFF_ACCESS_RIGHTS), data 0
Win32 error returned is 0x5(Access is denied.)
And I don't know why, as I am using the domain administrator account,
which *is* a member of Domain Admins, Enterprise Admins, and Schema
Admins (I double-checked). And this DC is also a GC.
So I don't know why I am getting insufficient access rights. Those 2
things (group membership, GC) seem to be the common culprit, according
to searches).
Where to look next? Did I seize them in the wrong order or something?
~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin