Unable to promote member server to domain controller

1

We have a domain called test-companyname.com containing three DCs, namely XXX01, XXX02, and XXX03. All three machines are running 2008 R2. We had to add a new DC into the domain, which would be a 2012 R2 machine.

In the process, I have a user who is part of Domain / Enterprise / Schema Admins, with whom I am trying to promote my 2012 R2 member server to a DC.

In the last phase I get an error -

Adprep execution failed - System.ComponentModel.System32Exception (0x80004005)

In Debug Logs:

Adprep Log - If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forestprep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.

Entry DN: CN=Top,CN=Schema,CN=Configuration,DC=XXX,DC=local
Add error on entry starting on line 617: Insufficient Rights

The server side error is: 0x2098 Insufficient access rights to perform the operation.

The extended server error is:

00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

An error has occurred in the program

I have been working on this for the past 12 hours with many teams and am unable to find the root cause. Really strange, this one!

windows
active-directory
windows-server-2008-r2
windows-server-2012-r2
domain-controller
asked on Server Fault Apr 3, 2017 by sa3 • edited Jun 11, 2020 by Community

1 Answer

0

Be sure to launch your Command Prompt or PowerShell window as an elevated process.

Right-click on the Command Prompt (or PowerShell) shortcut and select "Run as Administrator". This is required even if you are already logged on as an administrator.

Also, make sure that the user account is still in the Domain Admins and Schema Admins groups. It is possible that a group policy setting could be removing the account from restricted groups such as these two.

Now, try dcpromo again or adprep /forestprep /domainprep. It should work fine.

answered on Server Fault May 2, 2017 by SturdyErde
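
A pre-flight check for the two conditions in the answer above (elevated process, privileged groups active in the logon token), as an added PowerShell example that is not part of the original post. It assumes an English-language OS, since the attribute text printed by whoami is localized; the function name Test-AdprepToken and the EXAMPLE domain SIDs are made up for illustration.

```powershell
# Added example: verify the current token before running adprep or promoting a DC.
# Well-known RIDs of the groups named in the adprep log and in the answer.
$required = @{ '512' = 'Domain Admins'; '518' = 'Schema Admins'; '519' = 'Enterprise Admins' }

function Test-Elevated {
    # True only when the process runs with the full administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AdprepToken {
    # Hypothetical helper: classifies each required group as enabled,
    # deny-only, or missing, based on "whoami /groups" CSV output.
    param([string[]]$GroupCsv = (whoami /groups /fo csv /nh))

    $groups = $GroupCsv | ConvertFrom-Csv -Header Name, Type, SID, Attributes
    foreach ($rid in ($required.Keys | Sort-Object)) {
        # Domain group SIDs have the form S-1-5-21-<domain identifier>-<RID>.
        $g = $groups | Where-Object { $_.SID -match "^S-1-5-21-.+-$rid`$" } |
             Select-Object -First 1
        $state = if (-not $g) { 'MISSING from token' }
                 elseif ($g.Attributes -match 'deny only') { 'DENY-ONLY (not elevated)' }
                 elseif ($g.Attributes -match 'Enabled group') { 'enabled' }
                 else { "unexpected attributes: $($g.Attributes)" }
        [pscustomobject]@{ Group = $required[$rid]; State = $state }
    }
}

# Constructed sample (not from the page): an admin account in a
# non-elevated session that is not a member of Enterprise Admins.
$sample = @(
    '"EXAMPLE\Domain Admins","Group","S-1-5-21-1111111111-2222222222-3333333333-512","Group used for deny only"'
    '"EXAMPLE\Schema Admins","Group","S-1-5-21-1111111111-2222222222-3333333333-518","Group used for deny only"'
)
Test-AdprepToken -GroupCsv $sample | Format-Table -AutoSize

# Live check of the current process.
"Elevated: $(Test-Elevated)"
Test-AdprepToken | Format-Table -AutoSize
```

The token reflects group membership as of logon, so after the account is re-added to a group, log off and back on before re-running the check.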

User contributions licensed under CC BY-SA 3.0