Metadata cleanup after a seize (was Error seizing schema master FSMO role...)

2010-11-18 Thread Kramer, Jack
Now that raises an interesting question - what metadata cleanup is typically 
required after a role seizure?

Jack Kramer
Computer Systems Specialist
University Relations, Michigan State University
w: 517-884-1231 / c: 248-635-4955

From: Mike Leone [oozerd...@gmail.com]
Sent: Thursday, November 18, 2010 3:05 PM
To: NT System Admin Issues
Subject: Re: Error seizing schema master FSMO role  in Win2003 AD - RESOLVED

Don't ask me to explain it, but I logged out of the domain admin
account, and logged in as another account (which is *also* in the Domain
Admins, Enterprise Admins, Schema Admins groups, exactly like the domain
administrator account).

And it worked perfectly, exactly as it should. Huh?

I had even waited up to an hour, re-trying the command, thinking it was
just the fact that it was trying to replicate (and couldn't). Weird.

Anyway, off to do the child domain (seizing schema *first* this time, I
think :-)), and then to do the metadata cleanup ...

Thanks

On 11/18/2010 2:41 PM, Mike Leone wrote:
 So I am setting up a testing version of my domain, to practice upgrading
 from Win2003 AD to Win2008 AD, by making a copy of my domain on my ESX
 cluster. We have a parent and child domain structure. I have 1 DC in
 each domain as a VM (each is a DNS server, but do *not* hold any FSMO
 roles). So I made a copy of each, and then started the copy on a
 separate virtual subnet on my ESX server (separate because it is not
 tied to any physical adapters, so the only things it can talk to are the
 other systems on this subnet). I changed the IP address to the new
 subnet, and then went to seize FSMO roles, so I could make a working
 copy of my domain, to play with.

 (I've done this before, successfully, using VMs)

 So I was able to seize 4 roles - domain naming master. infrastructure
 master, PDC, RID master - in that order. All was well. Then I tried to
 seize the schema master role, and got:

 
 fsmo maintenance: seize schema master
 Attempting safe transfer of schema FSMO before seizure.
 ldap_modify_sW error 0x32(50 (Insufficient Rights).
 Ldap extended error message is 2098: SecErr: DSID-03151D7D, problem
 4003 (INSUFF_ACCESS_RIGHTS), data 0

 Win32 error returned is 0x2098(Insufficient access rights to perform the
 operation.)
 )
 Depending on the error code this may indicate a connection,
 ldap, or role transfer error.
 Transfer of schema FSMO failed, proceeding with seizure ...
 ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
 Ldap extended error message is 0005: SecErr: DSID-03151E04, problem
 4003 (INSUFF_ACCESS_RIGHTS), data 0

 Win32 error returned is 0x5(Access is denied.)
 

 And I don't know why, as I am using the domain administrator account,
 which *is* a member of Domain Admins, Enterprise Admins, and Schema
 Admins (I double-checked). And this DC is also a GC.

 So I don't know why I am getting insufficient access rights. Those 2
 things (group membership, GC) seem to be the common culprit, according
 to searches).

 Where to look next? Did I seize them in the wrong order or something?


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin




Re: Metadata cleanup after a seize (was Error seizing schema master FSMO role...)

2010-11-18 Thread Mike Leone
On 11/18/2010 3:07 PM, Kramer, Jack wrote:
 Now that raises an interesting question - what metadata cleanup is typically 
 required after a role seizure?

You have to remove the non-existent DCs. You can't DCPROMO them down
from being DCs, since they don't exist. :-) And you can't ignore them,
otherwise AD spends all its time trying to re-connect and replicate
with its lost brethren. So you have to tell AD to forget them.

See http://support.microsoft.com/kb/216498
How to remove data in Active Directory after an unsuccessful domain
controller demotion


 
 Jack Kramer
 Computer Systems Specialist
 University Relations, Michigan State University
 w: 517-884-1231 / c: 248-635-4955
 
 From: Mike Leone [oozerd...@gmail.com]
 Sent: Thursday, November 18, 2010 3:05 PM
 To: NT System Admin Issues
 Subject: Re: Error seizing schema master FSMO role  in Win2003 AD - RESOLVED
 
 Don't ask me to explain it, but I logged out of the domain admin
 account, and logged in as another account (which is *also* in the Domain
 Admins, Enterprise Admins, Schema Admins groups, exactly like the domain
 administrator account).
 
 And it worked perfectly, exactly as it should. Huh?
 
 I had even waited up to an hour, re-trying the command, thinking it was
 just the fact that it was trying to replicate (and couldn't). Weird.
 
 Anyway, off to do the child domain (seizing schema *first* this time, I
 think :-)), and then to do the metadata cleanup ...



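An added example to go with the answer above (not code from the thread or from KB 216498): a PowerShell check that lists the FSMO holders after the seizure and then walks the NTDS Settings objects in the configuration partition, flagging any server AD still treats as a replication partner that is not one of the DCs you actually cloned. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 / Windows 7 RSAT or later) run as a forest admin against the isolated lab copy; the DC names in the invocation are constructed.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# run as a forest admin inside the isolated lab copy of the domain.
# -KnownLiveDcs: the NetBIOS names of the DC VMs you actually cloned. Any other
# server object that still carries an NTDS Settings object is stale replication
# metadata left behind by the copy, and is what KB 216498 tells you to remove.
Import-Module ActiveDirectory

function Find-StaleDcMetadata {
    param([Parameter(Mandatory)][string[]]$KnownLiveDcs)

    $rootDse = Get-ADRootDSE
    $forest  = Get-ADForest
    $domain  = Get-ADDomain   # current domain; use -Server for the child domain

    # 1. Role holders after the seizure. Each should name a live DC; seizing a
    #    role does NOT remove the old holder's objects from the directory.
    Write-Output "FSMO holders:"
    Write-Output "  Schema:          $($forest.SchemaMaster)"
    Write-Output "  Domain naming:   $($forest.DomainNamingMaster)"
    Write-Output "  PDC emulator:    $($domain.PDCEmulator)"
    Write-Output "  RID master:      $($domain.RIDMaster)"
    Write-Output "  Infrastructure:  $($domain.InfrastructureMaster)"

    # 2. Every NTDS Settings object under CN=Sites is a replication partner AD
    #    keeps trying to reach. Its parent server object is what
    #    'remove selected server' deletes.
    $sitesDn     = "CN=Sites,$($rootDse.configurationNamingContext)"
    $ntdsObjects = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSDSA)'

    foreach ($ntds in $ntdsObjects) {
        $serverDn   = $ntds.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $serverName = ($serverDn -split ',')[0] -replace '^CN=', ''
        if ($KnownLiveDcs -contains $serverName) {
            Write-Output "OK     $serverName"
        } else {
            Write-Output "STALE  $serverName - still registered as a replication partner"
            # Review the DN first. The one-line form below needs a newer ntdsutil;
            # older versions use the interactive menus described in KB 216498.
            Write-Output "       ntdsutil `"metadata cleanup`" `"remove selected server $serverDn`" quit quit"
        }
    }
}

# Constructed invocation: the two DCs cloned onto the lab subnet (names are made up).
Find-StaleDcMetadata -KnownLiveDcs 'LABDC-PARENT', 'LABDC-CHILD'
```

Run it once per domain (parent and child) and again after the ntdsutil cleanup; the STALE lines should be gone and every role holder should be one of the live DCs.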


RE: Metadata cleanup after a seize (was Error seizing schema master FSMO role...)

2010-11-18 Thread Brian Desmond
Yep - FSMO roles and the simple existence of a DC for replication purposes have 
no real relationship. You have to clean up both.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132


-Original Message-
From: Mike Leone [mailto:oozerd...@gmail.com] 
Sent: Thursday, November 18, 2010 12:15 PM
To: NT System Admin Issues
Subject: Re: Metadata cleanup after a seize (was Error seizing schema master 
FSMO role...)

On 11/18/2010 3:07 PM, Kramer, Jack wrote:
 Now that raises an interesting question - what metadata cleanup is typically 
 required after a role seizure?

You have to remove the non-existent DCs. You can't DCPROMO them down from being 
DCs, since they don't exist. :-) And you can't ignore them, otherwise AD spends 
all its time trying to re-connect and replicate with its lost brethren. So 
you have to tell AD to forget them.

See http://support.microsoft.com/kb/216498
How to remove data in Active Directory after an unsuccessful domain controller 
demotion


 
 Jack Kramer
 Computer Systems Specialist
 University Relations, Michigan State University
 w: 517-884-1231 / c: 248-635-4955
 
 From: Mike Leone [oozerd...@gmail.com]
 Sent: Thursday, November 18, 2010 3:05 PM
 To: NT System Admin Issues
 Subject: Re: Error seizing schema master FSMO role  in Win2003 AD - 
 RESOLVED
 
 Don't ask me to explain it, but I logged out of the domain admin 
 account, and logged in as another account (which is *also* in the 
 Domain Admins, Enterprise Admins, Schema Admins groups, exactly like 
 the domain administrator account).
 
 And it worked perfectly, exactly as it should. Huh?
 
 I had even waited up to an hour, re-trying the command, thinking it 
 was just the fact that it was trying to replicate (and couldn't). Weird.
 
 Anyway, off to do the child domain (seizing schema *first* this time, 
 I think :-)), and then to do the metadata cleanup ...




