INSUFF_ACCESS_RIGHTS error trying to seize schema master
m***@sc.rr.com
2008-10-22 20:56:50 UTC
I'm trying to recover from a dead DC, which just happens to be the DC
that owned 4 of the 5 FSMO roles.

I was able to seize 3 roles (domain, RID and PDC) but when I attempted
to seize the schema master role I got the error below. I'm logged in
using a domain admin account, so I'm not sure what I'm missing. I
searched and haven't been able to find anyone with a similar problem.
Here's the error:

fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03151D7D,
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform
the operation.)
)
Depending on the error code this may indicate a connection, ldap, or
role transfer error.
Transfer of schema FSMO failed, proceeding with seizure ...
ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
Ldap extended error message is 00000005: SecErr: DSID-03151E04,
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x5(Access is denied.)


Advice, direction, or sympathy is fully appreciated.
Regards.
Wayne Tilton
2008-10-22 21:51:15 UTC
***@sc.rr.com wrote in news:0c50d180-fbf7-4222-858f-***@u65g2000hsc.googlegroups.com:

> I'm trying to recover from a dead DC, which just happens to be the DC
> that owned 4 of the 5 FSMO roles.
>
> I was able to seize 3 roles (domain, RID and PDC) but when I attempted
> to seize the schema master role I got the error below. I'm logged in
> using a domain admin account, so I'm not sure what I'm missing. I
> searched and haven't been able to find anyone with a similar problem.
> Here's the error:
>
> fsmo maintenance: seize schema master
> Attempting safe transfer of schema FSMO before seizure.
> ldap_modify_sW error 0x32(50 (Insufficient Rights).
> Ldap extended error message is 00002098: SecErr: DSID-03151D7D,
> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>
> Win32 error returned is 0x2098(Insufficient access rights to perform
> the operation.)
> )
> Depending on the error code this may indicate a connection, ldap, or
> role transfer error.
> Transfer of schema FSMO failed, proceeding with seizure ...
> ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
> Ldap extended error message is 00000005: SecErr: DSID-03151E04,
> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>
> Win32 error returned is 0x5(Access is denied.)
>
>
> Advice, direction, or sympathy is fully appreciated.
> Regards.
>

In addition to being a Domain Admin, you must be a Schema Admin to
transfer or seize the Schema master Role.

HTH,

Wayne Tilton
Meinolf Weber
2008-10-23 06:22:32 UTC
Hello ***@sc.rr.com,

Is your account a member of the Schema Administrators group?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I'm trying to recover from a dead DC, which just happens to be the DC
> that owned 4 of the 5 FSMO roles.
>
> I was able to seize 3 roles (domain, RID and PDC) but when I attempted
> to seize the schema master role I got the error below. I'm logged in
> using a domain admin account, so I'm not sure what I'm missing. I
> searched and haven't been able to find anyone with a similar problem.
> Here's the error:
>
> fsmo maintenance: seize schema master
> Attempting safe transfer of schema FSMO before seizure.
> ldap_modify_sW error 0x32(50 (Insufficient Rights).
> Ldap extended error message is 00002098: SecErr: DSID-03151D7D,
> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
> Win32 error returned is 0x2098(Insufficient access rights to perform
> the operation.)
> )
> Depending on the error code this may indicate a connection, ldap, or
> role transfer error.
> Transfer of schema FSMO failed, proceeding with seizure ...
> ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
> Ldap extended error message is 00000005: SecErr: DSID-03151E04,
> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
> Win32 error returned is 0x5(Access is denied.)
>
> Advice, direction, or sympathy is fully appreciated. Regards.
>
m***@sc.rr.com
2008-10-23 13:00:45 UTC
On Oct 23, 2:22 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
> Hello ***@sc.rr.com,
>
> Is your account a member of the Schema Administrators group?
>

It wasn't, but it is now and I still get the same error.
I also noted that the DC to which I want to assign those roles is not
a global catalog server. Will that make a difference?

Thanks for the help!
Meinolf Weber
2008-10-24 07:56:27 UTC
Hello ***@sc.rr.com,

Did you check that it was replicated to all DCs? Do you have any DC
available as a Global Catalog? Also, in a single-domain forest you should
make all DCs GCs.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> On Oct 23, 2:22 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
>
>> Hello ***@sc.rr.com,
>>
>> Is your account a member of the Schema Administrators group?
>>
> It wasn't, but it is now and I still get the same error.
> I also noted that the DC to which I want to assign those roles is not
> a global catalog server. Will that make a difference?
> Thanks for the help!
>
m***@sc.rr.com
2008-10-24 19:18:28 UTC
On Oct 24, 3:56 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
> Hello ***@sc.rr.com,
>
> Did you check that it was replicated to all DCs? Do you have any DC
> available as a Global Catalog? Also, in a single-domain forest you should
> make all DCs GCs.

This rabbit hole just gets deeper...
Let me establish a glossary: DC1 is the dead DC, and it's been dead
for 4 months. DC2 is the other DC in the same domain as DC1 and the
one that's trying to seize roles. There are two other DCs (DC3 and
DC4) in a subdomain. Those are all the DCs in my entire forest.

DC1 and DC4 are GCs (and of course DC1 is now dead). So I set DC2 as
a GC server but noticed that that fact didn't replicate to DC3 and DC4,
so I attempted to force replication (using "Replicate now" in the
Sites and Servers MMC). That exposed the fact that the tombstone
lifetime has expired and now they won't allow replication.

I would gladly ignore that fact for now, but I still don't know if
it's affecting my ability to seize the Schema Master role on DC2
(which still gives the error that started this thread). The user
account I'm using is in every Admin group I can find (Domain Admins,
Enterprise Admins, Schema Admins...).

I must be missing something!

Thanks.
-mark
Meinolf Weber
2008-10-24 19:56:49 UTC
Hello ***@sc.rr.com,

OK, let's start again another way. Is the "dead" DC1 restored from a backup
or image, or does it still not exist? Please run diagnostics like Paul described
here:

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL DCs
in the forest. If you have significant numbers of DCs this test could generate
significant detail and take a long time. You also want to take into account
that slow links to DCs will add to the testing time.

If you download a gui script I wrote it should be simple to set and run (DCDiag
and NetDiag). It also has the option to run individual tests without having
to learn all the switch options. The details will be output in notepad text
files that pop up automagically.

The script is located on my website at http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected.)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> On Oct 24, 3:56 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
>
>> Hello ***@sc.rr.com,
>>
>> Did you check that it was replicated to all DCs? Do you have any
>> DC available as a Global Catalog? Also, in a single-domain forest you
>> should make all DCs GCs.
>>
> This rabbit hole just gets deeper...
> Let me establish a glossary: DC1 is the dead DC, and it's been dead
> for 4 months. DC2 is the other DC in the same domain as DC1 and the
> one that's trying to seize roles. There are two other DCs (DC3 and
> DC4) in a subdomain. Those are all the DCs in my entire forest.
> DC1 and DC4 are GCs (and of course DC1 is now dead). So I set DC2 as
> a GC server but noticed that that fact didn't replicate to DC3 and DC4,
> so I attempted to force replication (using "Replicate now" in the
> Sites and Servers MMC). That exposed the fact that the tombstone
> lifetime has expired and now they won't allow replication.
> I would gladly ignore that fact for now, but I still don't know if
> it's affecting my ability to seize the Schema Master role on DC2
> (which still gives the error that started this thread). The user
> account I'm using is in every Admin group I can find (Domain Admins,
> Enterprise Admins, Schema Admins...).
> I must be missing something!
>
> Thanks.
> -mar
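The diagnostics Paul lists above, wrapped so that each tool writes its own log and the "search for fail, error and warning messages" step is done for you. This is an added example for this thread, not Paul's GUI script and not code from the thread. It assumes the Windows Server 2003 Support Tools are installed (netdiag, dnslint, netdom), that PowerShell is available on the box, and that `$Dc`, `$DcIp` and `$LogDir` are placeholders to adjust; `netdom query fsmo` is added to the list because it shows which DC each role is still recorded on, which is what the seizure is fighting.

```powershell
# Added example, not code from the thread or from Paul's website.
# Runs the diagnostics listed in the thread, one log per tool, then triages
# the logs for the strings Paul suggests. Assumes the 2003 Support Tools
# (netdiag, dnslint, netdom) are installed and that $Dc, $DcIp and $LogDir
# are placeholders for your environment.
function Invoke-AdDiagnostics {
    param(
        [string]$Dc     = 'DC2',          # assumption: the DC to run against (name taken from the thread)
        [string]$DcIp   = '192.0.2.10',   # placeholder IP of that DC, used by dnslint
        [string]$LogDir = 'C:\addiag',
        [switch]$AllDcs                   # adds dcdiag /e: every DC in the forest, slow over WAN links
    )
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

    $dcdiagArgs = "/v /c /d /s:$Dc"
    if ($AllDcs) { $dcdiagArgs += ' /e' }

    # tool name -> command line; run through cmd.exe so stdout and stderr both land in the log
    $commands = @{
        dcdiag   = "dcdiag.exe $dcdiagArgs"
        netdiag  = 'netdiag.exe /v'
        repadmin = 'repadmin.exe /showrepl dc* /verbose /all /intersite'
        fsmo     = 'netdom.exe query fsmo'
        # dnslint writes an HTML report; /r names it, /no_open stops it launching a browser
        dnslint  = "dnslint.exe /ad /s $DcIp /no_open /r `"$LogDir\dnslint`""
    }

    foreach ($name in $commands.Keys) {
        $log = Join-Path $LogDir "$name.log"
        cmd.exe /c "$($commands[$name]) > `"$log`" 2>&1"
    }

    # Triage: the strings Paul suggests, plus replication result 8614, which is
    # the "time since last replication exceeded the tombstone lifetime" status
    # that matches the symptom Mark describes.
    $pattern = 'fail|error|warning|8614'
    $hits = Get-ChildItem -Path (Join-Path $LogDir '*.log') | Select-String -Pattern $pattern

    $hits | Group-Object Filename |
        ForEach-Object { '{0}: {1} matching lines' -f $_.Name, $_.Count }
    $hits | Select-Object Filename, LineNumber, Line | Format-Table -AutoSize -Wrap
    return $hits
}

# Usage: run on the DC that will receive the roles; drop -AllDcs on a large forest.
Invoke-AdDiagnostics -Dc 'DC2' -DcIp '192.0.2.10' -AllDcs
```

Read the repadmin log first: a partner that reports 8614 will not replicate again no matter how many times "Replicate now" is clicked, and the fsmo log tells you which roles are still recorded against the dead DC and therefore have to be seized rather than transferred.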
Paul Bergson [MVP-DS]
2008-10-23 12:45:10 UTC
Hello ***@sc.rr.com,
As others have mentioned, you need to be a Schema Admin; it doesn't matter
if you are part of other roles, this is a must for the schema seizure.

See:
http://technet.microsoft.com/en-us/library/cc783650.aspx


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4


http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This posting
is provided "AS IS" with no warranties, and confers no rights.



> I'm trying to recover from a dead DC, which just happens to be the DC
> that owned 4 of the 5 FSMO roles.
>
> I was able to seize 3 roles (domain, RID and PDC) but when I attempted
> to seize the schema master role I got the error below. I'm logged in
> using a domain admin account, so I'm not sure what I'm missing. I
> searched and haven't been able to find anyone with a similar problem.
> Here's the error:
>
> fsmo maintenance: seize schema master
> Attempting safe transfer of schema FSMO before seizure.
> ldap_modify_sW error 0x32(50 (Insufficient Rights).
> Ldap extended error message is 00002098: SecErr: DSID-03151D7D,
> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
> Win32 error returned is 0x2098(Insufficient access rights to perform
> the operation.)
> )
> Depending on the error code this may indicate a connection, ldap, or
> role transfer error.
> Transfer of schema FSMO failed, proceeding with seizure ...
> ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
> Ldap extended error message is 00000005: SecErr: DSID-03151E04,
> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
> Win32 error returned is 0x5(Access is denied.)
>
> Advice, direction, or sympathy is fully appreciated. Regards.
>
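A pre-flight check that puts together what Wayne, Meinolf and Paul say in this thread: Schema Admins membership, which DC each FSMO role is still recorded on, whether the target DC is a GC, and the forest tombstone lifetime. This is an added example, not code from the thread or from any of the posters. It assumes the RSAT ActiveDirectory PowerShell module, which exists from Windows Server 2008 R2 onward (the 2003-era DCs in the thread would not have it), and the DC name `DC2` is taken from Mark's glossary. The one point the thread only hints at ("It wasn't, but it is now and I still get the same error") is that group membership is stamped into the logon token at logon, so the check looks at the current token, not only at the group object.

```powershell
# Added example, not code from the thread. Pre-flight checks before
# "seize schema master". Assumes the RSAT ActiveDirectory module; $TargetDc
# is an assumed name taken from the thread.
Import-Module ActiveDirectory

function Test-SchemaSeizePrereqs {
    param([string]$TargetDc = 'DC2')   # assumption: the DC that should receive the schema master role

    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $rootDse = Get-ADRootDSE

    # 1. Schema Admins exists only in the forest root domain (well-known RID 518).
    #    Membership is evaluated at logon, so also look at the current token: an
    #    account added to the group keeps getting INSUFF_ACCESS_RIGHTS until it
    #    logs off and on again and the change has replicated to the DC it binds to.
    $rootDomain      = Get-ADDomain -Identity $forest.RootDomain
    $schemaAdminsSid = "$($rootDomain.DomainSID)-518"
    $tokenSids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }
    $inToken = $tokenSids -contains $schemaAdminsSid
    $members = @(Get-ADGroupMember -Identity $schemaAdminsSid -Server $rootDomain.DNSRoot -Recursive |
        Where-Object { $_.SamAccountName -eq $env:USERNAME })
    $inGroup = $members.Count -gt 0

    # 2. Which DC is recorded as holding each role. A role still pointing at the
    #    dead DC cannot be transferred and has to be seized.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # 3. Global catalogs in the forest, and the target DC's own GC flag.
    $targetIsGc = (Get-ADDomainController -Identity $TargetDc).IsGlobalCatalog

    # 4. Tombstone lifetime. When the attribute is not set the forest uses the
    #    default of 60 days; a DC offline longer than this (DC1 in the thread:
    #    four months) will not be allowed to replicate again and should be
    #    removed with metadata cleanup rather than brought back online.
    $dsSettingsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $dsSettings   = Get-ADObject -Identity $dsSettingsDn -Properties tombstoneLifetime
    $tsl = if ($dsSettings.tombstoneLifetime) { [int]$dsSettings.tombstoneLifetime } else { 60 }

    [pscustomobject]@{
        Account               = "$env:USERDOMAIN\$env:USERNAME"
        InSchemaAdminsGroup   = $inGroup
        SchemaAdminsInToken   = $inToken
        Roles                 = $roles
        GlobalCatalogs        = @($forest.GlobalCatalogs)
        TargetIsGlobalCatalog = $targetIsGc
        TombstoneLifetimeDays = $tsl
    }
}

$result = Test-SchemaSeizePrereqs -TargetDc 'DC2'
$result | Format-List

if ($result.InSchemaAdminsGroup -and -not $result.SchemaAdminsInToken) {
    Write-Warning 'Account is in Schema Admins but the current logon token does not carry it: log off and on, then retry the seizure.'
}
if (-not $result.InSchemaAdminsGroup) {
    Write-Warning 'Account is not in Schema Admins; seizing the schema master will fail with INSUFF_ACCESS_RIGHTS.'
}
```

Run it in the session you will start ntdsutil from, because that is the token the DC checks against the schema container's ACL. If `SchemaAdminsInToken` is false while `InSchemaAdminsGroup` is true, the fix is a fresh logon, not more group memberships.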