Schema Transfer Problem

    Question

  • I have a PDC (Windows Server 2003 Enterprise) hard drive failure.  I have been able to seize all roles except the Schema on the BDC.  The schema comes up with the following error:

    ntdsutil
    ntdsutil: roles
    fsmo maintenance: quit
    ntdsutil: connect to server datas.nabishi.pri
    Error 80070057 parsing input - illegal syntax?
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server datas.nabishi.pri
    Binding to datas.nabishi.pri ...
    Connected to datas.nabishi.pri using credentials of locally logged on user.
    server connections: quit
    fsmo maintenance: seize schema master
    Attempting safe transfer of schema FSMO before seizure.
    ldap_modify_sW error 0x32(50 (Insufficient Rights).
    Ldap extended error message is 00002098: SecErr: DSID-03151D80, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
    )
    Depending on the error code this may indicate a connection,
    ldap, or role transfer error.
    Transfer of schema FSMO failed, proceeding with seizure ...
    ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
    Ldap extended error message is 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    Win32 error returned is 0x5(Access is denied.)
    )
    fsmo maintenance:

    I can see the schema using adsiedit.msc and all contents as far as I know are correct.

    I can use active directory restore from an earlier backup which in the end produces the same result. 

    Also the controllers carry the GC, these report as un-contactable even though they show in DNS and as selected in the AD Sites and services.

    I got myself a little stuck on this one. What am I doing wrong?

    I have also tried the change via the Active Directory Schema plugin (MMC) in addition to the Ntdsutil method.

    Any ideas, I need to restore this domain into working order, it has three BDC in the system, two dns servers

    Alison

    • Changed type Dr Johnston Tuesday, January 3, 2012 12:41 PM wrong thread type selected
    Tuesday, January 3, 2012 12:26 PM

All replies

  • Hi,

    Error shows: Win32 error returned is 0x2098(Insufficient access rights to perform the operation).

    You need schema administrator permission to perform this action. Verify that the user is a part of the schema admin group.

    Also, you have created this thread as a "Discussion" and I think this needs to be changed to a "Question".

    Regards,


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    • Edited by Abhijit Waikar Tuesday, January 3, 2012 12:39 PM
    • Marked as answer by Dr Johnston Tuesday, January 3, 2012 12:41 PM
    Tuesday, January 3, 2012 12:38 PM
  • Thank you for the reply Abhijit

    I should have added that I am logged on as Administrator which is included in the schema admins

    Tuesday, January 3, 2012 12:43 PM
  • Hi
    Is this domain part of a forest with other domains? Note that you must be logged on as the built-in “administrator” in the root domain in order to be member of the Schema Admins group (In a default configuration)
     
    You can run the following command to ensure that the account really got the “Schema Admins” group as a part of its token:
     
    “whoami /groups”
     
     
    ----------------------------------------------------------

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    "Dr Johnston" wrote in message news:640376f2-32a4-4bd1-beec-294b10f27a86...

    Thank you for the reply Abhijit

    I should have added that I am logged on as Administrator which is included in the schema admins


    • Marked as answer by Dr Johnston Wednesday, January 4, 2012 6:16 AM
    • Unmarked as answer by Dr Johnston Wednesday, January 4, 2012 6:18 AM
    • Marked as answer by Dr Johnston Wednesday, January 4, 2012 6:18 AM
    Wednesday, January 4, 2012 4:50 AM
  • Hi Christoffer

    The PDC in this case is in a single domain of a large system.  The Administrator account has all the usual rights including schema admins.

    Alison

    Wednesday, January 4, 2012 6:22 AM
  • Thanks for your reply. Just want to make sure that the domain controller
    that had a HDD failure hasn’t been brought online again/restored, nor that its
    DNS name has been reused:
     
    Please see the following KB for recommendations and advisory to not seize
    FSMO roles unless the current owner is permanently offline:
    http://support.microsoft.com/kb/255504
     
    Does it make any difference if you log on locally to the DC desired to take
    over the Schema FSMO role using "localhost" in ntdsutil instead of the DNS
    name?
    Ex: server connections: connect to server localhost
     
    ----------------------------------------------------------
     
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    "Dr Johnston" wrote in message news:1d5c5713-ddf4-453d-a689-bb390c330bb2...
     
    Hi Christoffer
     
    The PDC in this case is in a single domain of a large system. The
    Administrator account has all the usual rights including schema admins.
     
    Alison
     
     

    Wednesday, January 4, 2012 6:50 AM
  • I solved this same problem, adding the group Enterprise Admin User.

    an2nathan

    Tuesday, March 10, 2015 7:48 PM
  • Hi

    Tried Schema master and it failed; added it to Enterprise Admins and it worked like a charm.

    Regards

    Sailas 

    Thursday, October 15, 2015 8:46 AM
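
The token check suggested earlier in the thread ("whoami /groups") and the Enterprise Admins fix reported in the last two posts can be verified together. The script below is an added example, not code from any poster; it assumes PowerShell is available on the domain controller and identifies the two groups by their well-known RIDs (518 and 519) rather than by name.

```powershell
# Added example (not from the thread). Run it in the same logon session that
# will run ntdsutil, because it inspects that session's access token.

# Well-known relative IDs of the two forest root-domain groups discussed above.
$wanted = @{ '518' = 'Schema Admins'; '519' = 'Enterprise Admins' }

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Collect group SIDs from the token whose final sub-authority (the RID) is one
# we care about. Matching on the RID avoids relying on the group's display
# name or on the domain name.
$found = @{}
foreach ($sid in $identity.Groups) {
    $isDomainSid = $sid.Value -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$'
    if ($isDomainSid -and $wanted.ContainsKey($Matches[1])) {
        $found[$Matches[1]] = $sid.Value
    }
}

# Report each group as present in, or missing from, the current token.
Write-Output ("Token checked for: " + $identity.Name)
$missing = 0
foreach ($rid in @('518', '519')) {
    if ($found.ContainsKey($rid)) {
        Write-Output ("  present  " + $wanted[$rid] + "  " + $found[$rid])
    } else {
        Write-Output ("  MISSING  " + $wanted[$rid] + "  (RID " + $rid + ")")
        $missing++
    }
}

if ($missing -eq 0) {
    Write-Output "Both groups are in this token."
} else {
    Write-Output ("Groups missing from this token: " + $missing)
}
```

A group added to the account after logon does not appear in the token until the account logs off and on again, so rerun the check in a fresh session after changing membership.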