ADPrep /ANYprep encounters error: access is denied when running on Single 2008 DC

    Question

  • I have a single DC which is 2008. 

    I performed an UNSUPPORTED RESTORE of this DC 1 week ago via VMware snapshot.  (I know... VERY BAD)

    I am trying to add a second DC, either 2008 or 2k8R2, and I intend to demote the corrupted DC.

    Current DC will not replicate, and no matter what I try, short of destroying the domain and starting over, I always end up back here at...

    ADprep encountered a WIN32 error:

    Error code: 0x5 error message:  Access is denied.

    But I have God level credentials.  I also tried creating a new account with minimal group membership, which yielded the same results.

    Can I cut and paste my AD into a new DC?  No???  Didn't think so....

    Wednesday, March 30, 2011 4:08 PM

Answers

  • If you demote this DC, you will lose your domain and you will have to create a new domain, rejoin computers to it and create user accounts...

    You have demoted the second DC, but it was the solution for not losing your domain.

    For the "The source server is currently rejecting replication requests" error, have a look at this Microsoft article:

    http://support.microsoft.com/kb/2023007

    What is mentioned is not applicable in your case because you have no backups and you have no other DCs.

    No backup for the second DC either?

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Wednesday, March 30, 2011 6:17 PM
  • Like I told you, the resolution mentioned in the link I gave cannot be used in your case because you deleted your second DC.

    Any Backups for the second DC?

    If you will create a new domain with the same name, the domain SID will not be the same. So, it is possible that you will have a problem with an application that uses the old domain SID. Other than that, you have to re-create user accounts and join your client computers to your new domain.

    I recommend that in the future, you:

    • perform periodic backups of your DCs
    • use the Windows Server 2008 R2 functional level (all your DCs should be 2008 R2) and enable the AD Recycle Bin to avoid such problems

    Wednesday, March 30, 2011 7:25 PM
  • All, as you may have guessed by my lack of further posts... all issues have been resolved.

    Deleting the DSA not writeable = 4 (USN rollback) REGISTRY entry resolved the perceived USN rollback.
    I then needed to run repadmin -disable to enable the replication again.
    Then I was able to run adprep /forestprep as well as /domainprep, as long as I remembered to "run as admin" even though I was logged in as admin.
    Yes, I know that, but remembering is the key.
    Thank you all for your assistance. I am rolling up to R2 today and will be using the AD Recycle Bin, and backing up my servers appropriately.

    • Marked as answer by IT.Guy Thursday, April 07, 2011 2:11 PM
    Thursday, April 07, 2011 2:10 PM

All replies

  • It says that if the ID used for configuring the DC is in too many nested groups, it can show this kind of error. Make sure you open cmd using "Run as", and the ID used should be a member of Schema Admins, Domain Admins and Enterprise Admins.

    Adprep encountered a Win32 error.

    Error code: 0x5 Error message: Access is denied

    Solution

    Check your group membership. If you are a member of many nested groups, you may experience the problem due to your token size. In this case, you may choose to create a new account in Active Directory Users and Computers, make the new account a member of the Domain Admins, Enterprise Admins, and Schema Admins groups only, log on to the Schema Master as that account and rerun the Adprep /ForestPrep command.

    As an alternative to creating a new account you can:

    1. Increase MaxTokenSize in the registry

    a) Open Regedit
    b) Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    c) Add a new DWORD
    d) Name it MaxTokenSize
    e) Value 65535

    or

    2. Remove all unnecessary groups

    Even though it's not recommended, you are still trying that solution, which is strange.

    http://blogs.technet.com/b/askds/archive/2008/12/15/troubleshooting-adprep-errors.aspx

    http://andywolf.com/windows-server-2008-r2-adprep-domainprep-gpprep-error-0x5-access-denied/

    Regards,

    Awinish Vishwakarma

    Wednesday, March 30, 2011 4:20 PM
  • Your problem is not clear enough.

    You said that you have a single DC and you said that replication is not working. How can a single DC replicate when you have only one DC in the domain? If you had a second DC whose demotion you forced, then perform a metadata cleanup.

    For the Access denied error, check that you are a Schema Admin (you don't need to prepare your schema if you will add a 2008 DC in your current AD environment).

    For the restore, you should perform a restore using a recently performed backup and all should be fine.

    Once done, add your second DC and, if you want to delete the first one, then transfer the FSMO roles and demote it, but I recommend that you have at least two DCs per domain.

    Wednesday, March 30, 2011 4:21 PM
  • I was not entirely clear.  Understood.  Here's what happened.

    I HAD this DC and a second, both running AD DS and DNS.  While logged onto the Primary, I removed a large number of accounts.  I then found that I was unable to recreate these accounts due to the tool I was using being non-functional.  I rolled back the primary to the snapshot immediately prior to the deletion to recover the accounts.  The second DC didn't like this of course, and stopped talking to my primary.  As I needed the accounts, I kept the primary and forcibly demoted the secondary DC.  I reclaimed all roles and cleaned up all metadata as described in those links.  The secondary DC was then destroyed.

    As it sits, the Primary is back up and running, and has been so for a week in this state.  NETLOGON will sometimes pause due to the UNSUPPORTED RECOVERY.  But, functional still.

    I have tried:

    1-Using Server Migration Tools to migrate the AD DS and DNS over to a new 2k8R2 server, and got stuck at the ADPREP /domainprep.  I HAD successfully run ADprep /forestprep previously, and verified the schema update took.  Then when I tried ADPrep /DomainPrep I got the error above.  To check, I tried ADPrep /forestprep again, and got the above error.  I created a new ADPrepUser with only the group memberships mentioned above, STILL NO.  Still only that one DC.

    2-Creating a 2k8R2 server to promote, and ran into ADPrep error.

    3-Creating a 2008 server to promote, and upon running DCPROMO I got:

    Delegation for this DNS server cannot be created because the authoritative parent zone cannot be found...

    then if I proceed past that I get:

    The operation failed because: Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=***,DC=*** from the remote Active Directory Domain Controller myDC.local.com

    "The source server is currently rejecting replication requests"

    4-I downloaded the Essential Business Server Preparation Wizard to check the configuration of directory services on the one and only DC, and it failed with:

    Error:  The domain description could not be changed during the replication convergence check.  Ensure that write permission is set for the Active Directory node of the domain.

    Error:  A connection cannot be made to the WMI provider with a scope of \\myDC.local.com\root\microsoftDNS and a path of MicrosoftDNS_rootHints.

    Error:  The Microsoft.WEBS.BPA.Extensions.dataCollectors.sysVolDataCollector+FileSystemAction'1[System.UInt64] FileSystemAction could not be applied to the contents of \\myDC.local.com\C$\Windows\SYSVOL\staging areas\local.com.  You do not have permission to access the file or the file could not be found.  Ensure that you have appropriate permissions and that the file can be accessed on the network.

    ??? SO... yeah... pretty much.

    NOTE- There are two systems that auth to AD, and there are 20 servers joined to this domain.  What would the impact and process be if I demoted the ONLY DC and rebuilt?  This is a fledgling domain that was pushed into production before it was ready, and I want it done right.

    If need be I'll do it over.

    Thank you for ANY and ALL help as I am at my end and don't rest well with letting things just march happily along in a messed up state.

    @Mr. X- I don't have a backup, because I'm a moron, AND I thought that VMware snapshots would suffice.  Yes, that is correct, I was wrong.

    Wednesday, March 30, 2011 5:43 PM
  • So that was helpful.  I have identified that the replication has been automatically disabled due to the detection of the unsupported rollback.  DSA not writeable 4 = USN.

    So now, to recover from the USN Rollback I need to demote this DC, but it's my one and only DC ?!?!?!

    Right, can I modify the DSA not writeable value to allow/enable replication manually?

    I would do this to promote another DC into the domain BEFORE demoting the corrupted Primary.

    and no, sadly, the VMware snapshots WERE my backups.  They work for everything else so magically.

    Wednesday, March 30, 2011 7:09 PM
  • also, if I go crazy and delete the Domain altogether by killing off this last DC, will I encounter any issues in recreating a new domain of the same name?

    Wednesday, March 30, 2011 7:11 PM
  • I was being serious when I said that link was helpful.  It led me to the DSA not writeable = 4.

    Which, when googled, brought me this:  http://exchangeserverpro.com/event-id-2095-and-the-usn-rollback-adventure

    halfway down there is a reply that details what Microsoft support did.  Which was... ready for this?

    Anyway, to stop the server from “thinking” it’s messed up, you need to remove the following from the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters “Dsa Not Writable”=dword:00000004

    Remove the entire value “Dsa Not Writable”, not just the “4”

    and TA DA !

    I'm in the process of backing up now, then I will go forward with this and let you know.

    Thank you again for your time, I would not have resolved this if not for your link.

    Wednesday, March 30, 2011 7:37 PM
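A read-only triage script that checks the conditions this thread's replies point at: the token-size and group-membership angle from the first reply, and the "Dsa Not Writable" / replication-disabled state from the USN-rollback posts. This is an added example, not code from the thread or from Microsoft; it assumes it runs in an elevated PowerShell session on the DC itself and that repadmin.exe is installed there.

```powershell
# Added triage example (not from the thread). Read-only: it reports the conditions
# the replies point at so a DC can be assessed before anything is changed.
# Assumes an elevated PowerShell session on the DC itself and repadmin.exe present.

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$krbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$findings = @()

# 1. USN-rollback marker: NTDS writes "Dsa Not Writable" = 4 after it detects an
#    unsupported restore (for example a VM snapshot rollback) and quarantines itself.
$dsa = (Get-ItemProperty -Path $ntdsKey -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue).'Dsa Not Writable'
if ($null -ne $dsa) {
    $findings += "Dsa Not Writable = $dsa (4 means USN rollback detected; replication is disabled)"
}

# 2. Replication switched off on this DSA: repadmin /options shows the flags NTDS set.
$opts = (& repadmin.exe /options 2>&1) -join ' '
foreach ($flag in 'DISABLE_INBOUND_REPL', 'DISABLE_OUTBOUND_REPL') {
    if ($opts -match $flag) { $findings += "repadmin option set: $flag" }
}

# 3. Directory Service log: event 2095 is the USN-rollback event the linked article covers.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                   -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ev) { $findings += "Event 2095 last logged $($ev.TimeCreated)" }

# 4. Token-size angle from the first reply: an account in many nested groups can get
#    'Access is denied' from adprep even though it is a Schema/Enterprise Admin.
$groups = whoami.exe /groups /fo csv | ConvertFrom-Csv
$maxTok = (Get-ItemProperty -Path $krbKey -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
$findings += "Token carries $($groups.Count) group SIDs; MaxTokenSize = $(if ($maxTok) { $maxTok } else { 'not set (default)' })"
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    if (-not ($groups.'Group Name' -like "*\$g")) { $findings += "Current account is not in $g" }
}

# 5. Elevation: the thread's final fix only worked from an elevated prompt.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { $findings += 'Shell is not elevated: use "Run as administrator" before adprep' }

if ($findings.Count -eq 0) { 'No USN-rollback, replication or token findings on this DC.' } else { $findings }
```

Run it before and after any recovery step so the before/after state of the DC is on record alongside the system-state backup the replies ask for.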
  • Personally, I had never performed that.

    Back up your system state and try.

    Waiting for your progress.

    Wednesday, March 30, 2011 8:01 PM
  • Hello,

    please see the great article from Paul Bergson about a snapshot restore:

    http://blogs.dirteam.com/blogs/paulbergson/archive/2011/01/14/restoring-a-dc-from-a-snapshot.aspx

    KEEP IN MIND THAT THIS WAY IS NOT SUPPORTED BY MICROSOFT.


    Best regards,
    Meinolf Weber
    Wednesday, March 30, 2011 9:06 PM