Access Rights insufficient

  • Question

  • All the pre-requisites pass, and then when I run the DC promotion to a DC or backup DC, it ends with this error below.

    ADPrep execution failed --> Microsoft.DirectoryServices.Deployment.ADPrepLdapException: Insufficient Rights. Server extended error: 5. Server extended message: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    .
    Adprep was unable to create the object CN=Managed Service Accounts,DC=abaqulusi,DC=gov,DC=za in Active Directory Domain Services.
    [Status/Consequence]
    This Adprep operation failed.
    [User Action]
    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20150312115304 directory for more information. Restart Adprep..
    Check the log files in the C:\Windows\debug\adprep\logs\20150312115304 directory for detailed information.

    Can someone assist urgently? The old DC is a 2k8 Standard. The new DC to be the primary after this is complete is 2k12 R2.


    • Edited by Phoenixfire Thursday, March 12, 2015 9:58 AM
    Thursday, March 12, 2015 9:57 AM

Answers

  • Hello,

    from the other thread you opened in another forum I could see that in the adprep/log is mentioned "Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation"

    So was there a restore on your DCs sometime before?

    Please provide the following files so we could check the current DCs for problems:

    ipconfig /all >c:\ipconfig.log [all DCs]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
    ADREPLSTATUS: http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.

    As the output will become large, DON'T post them into the thread, please use Windows OneDrive (with open access!) https://onedrive.live.com and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, April 7, 2015 11:39 AM

All replies

  • Hi,

    Which ADprep commands did you run?

    According to the error message, it seems that it was because the account has no permission to do that. If you run "adprep /domainprep", please make sure that you used a domain admin account to do that.

    Best regards,

    Susie



    Friday, March 13, 2015 9:16 AM
    Moderator
  • http://blogs.technet.com/b/askds/archive/2008/12/15/troubleshooting-adprep-errors.aspx

    Domain Admin can be insufficient; for some operations you need to be Schema or Enterprise Admin. The Built-in Administrator account of the domain has those rights. If you use your own admin accounts, check if they are "only" domain admin.

    Friday, March 13, 2015 9:21 AM
  • Hello,

    so you have assured:

    - Forest functional level - Windows Server 2003 or higher

    - Domain functional level - Windows Server 2003 or higher

    - netdom query fsmo on the existing Windows Server 2008 shows the correct DC for all 5 FSMO roles

    - the account used is a member of Schema, Domain and Enterprise Admins


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Edited by Meinolf Weber Tuesday, March 17, 2015 12:15 PM
    Tuesday, March 17, 2015 12:15 PM
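
Added example, not part of the thread: a read-only PowerShell pre-flight for the checklist in the post above (functional levels, the five FSMO holders, and the three admin groups). It assumes the ActiveDirectory module is installed where it runs, and it reads group membership from the current logon token, because a group added after logon only takes effect at the next logon.

```powershell
# Added example (not from the thread). Read-only; run from an elevated prompt.
# Assumes the ActiveDirectory PowerShell module (RSAT) is available.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Functional levels: the checklist asks for Windows Server 2003 or higher.
"Forest mode : $($forest.ForestMode)"
"Domain mode : $($domain.DomainMode)"

# The five FSMO role holders (the same information 'netdom query fsmo' prints),
# plus a basic reachability test from this machine.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $up = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
    "{0,-21} {1}  reachable={2}" -f $r.Key, $r.Value, $up
}

# Well-known RIDs: 518 Schema Admins and 519 Enterprise Admins live in the
# forest root domain; 512 Domain Admins lives in the domain being prepared.
$rootSid   = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$domainSid = $domain.DomainSID.Value
$needed = [ordered]@{
    'Schema Admins'     = "$rootSid-518"
    'Enterprise Admins' = "$rootSid-519"
    'Domain Admins'     = "$domainSid-512"
}

# Compare against the SIDs actually present in this session's token,
# not against what the directory says the account is a member of.
$token = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }
foreach ($g in $needed.GetEnumerator()) {
    "{0,-18} in token={1}" -f $g.Key, ($token -contains $g.Value)
}
```
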
  • Yes. I have done all of the above correctly. Yet it fails still. I have checked the rights and they are correct. The account I am using is the administrator of the server account. It's full administrator with all rights. I did also add Ent. Admin, domain admin, and schema admin and tested it like that. It still fails.

    I get so tired of Microsoft. It always has something broken. Any other ideas, guys?

    Monday, March 23, 2015 1:20 PM
  • I ran into exactly this same problem. Brand new 2003R2 DC, Brand new 2012R2 member server. No previous restore. Clean clean clean. Why? Because my first three tests FAILED on virtualized live 2003 R2 DC in a lab and cleanly installed 2012R2 member server following specific instructions from experts. Failures each time. The schema master said it came over, but it didn't really. I couldn't access it from the new DC and other problems where I got backward results from doing the same thing found in the instructions.

    I abandoned trying to upgrade a copy of our existing DC and created new cleanly installed servers with brand new roles and permissions. Brand new 2003R2 DC and a 2012R2 member server, joined to a fake domain in a lab environment. I still ended up in a FAILED upgrade but this time with the same adprep error above.  Really?

    I also am growing very tired of Microsoft's promises about how things should work, and then don't. I am being pressured to upgrade our "live" domain of over 250 users from 2003R2 to 2012R2. How can I possibly if my own tests (4 so far) fail every time?

    Do any of you guys know how I can successfully upgrade our domain without disastrous results? We are a tight ship and so all I have is "me" to rely on.


    Sue, Senior Network Administrator

    Friday, October 9, 2015 11:45 PM
  • I just ran into this issue. Yes, even though you may have been in the correct security group, you may have run into an issue where you have inherited a non-default AD config. I ended up having to open up ADSIedit, open the configuration context, right-click on the CN=Configuration,DC=(domain name, such as contoso),DC=(domain name, such as com), go into the Security tab and give your user or group access to create child objects, as well as read and write. Add the permissions until it works, or give your account full control temporarily until you're done.

    My issue wasn't for the Managed Service Accounts CN but it was for Configuration; you may have to look through ADSIedit and figure out where it's supposed to be and make sure the groups you're part of have the right permissions on the level above.
    Tuesday, June 16, 2020 2:00 PM
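
Added example, not part of the thread: a read-only way to inspect the permissions the last post describes before changing anything in ADSIedit. It lists every access control entry that carries the "create child" right on a parent container, so a non-default ACL (missing Allow, blocked inheritance, or a Deny entry) is visible. The function name `Get-CreateChildAce` is hypothetical, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the thread). Read-only: it changes no permissions.
# Assumes the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

function Get-CreateChildAce {
    param([Parameter(Mandatory)][string]$ParentDn)

    $acl = Get-Acl -Path "AD:\$ParentDn"
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    # Owner, and whether inheritance from the level above is blocked here.
    Write-Host "Object : $ParentDn"
    Write-Host "Owner  : $($acl.Owner)"
    Write-Host "Inheritance blocked : $($acl.AreAccessRulesProtected)"

    # Every ACE that includes CreateChild (GenericAll contains that bit).
    # Deny entries are listed too: a Deny can block the create even when
    # an Allow exists for another group the account belongs to.
    # ObjectType 00000000-0000-0000-0000-000000000000 = any child class.
    $acl.Access |
        Where-Object { $_.ActiveDirectoryRights -band $createChild } |
        Sort-Object AccessControlType, { $_.IdentityReference.Value } |
        Select-Object AccessControlType, IdentityReference, IsInherited,
                      ObjectType, ActiveDirectoryRights
}

$root = Get-ADRootDSE

# Parent of CN=Managed Service Accounts (the object named in the adprep error):
# the domain root.
Get-CreateChildAce -ParentDn $root.defaultNamingContext |
    Format-Table -AutoSize

# The container the last post had to fix: CN=Configuration.
Get-CreateChildAce -ParentDn $root.configurationNamingContext |
    Format-Table -AutoSize
```
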