lost enterprise admin rights

  • Thread starter Thread starter Bill Barnard
  • Start date Start date
B

Bill Barnard

I've recently brought up a new domain controller attempting
to consolidate a poorly named domain into a correctly named
one. It's a small domain, and had only one DC.

I used the admt (Active Directory Migration Tool) to
migrate all my users, their computers, and their ACLs to
the new domain. However I was unable to demote the old DC,
and attempted to join it to the new domain by reinstalling
Win2K by reinstalling Win2K Server on it, then joining the
new domain and running dcpromo.

I find that I've missed some very important points in my
hurry to complete the job. I cannot promote the DC into the
new domain because I don't have the correct access rights,
nor did I transfer the two universal FSMOs (the domain
naming master and the schema master).

I have a backup of the old DC made prior to the creation of
the tree root trust which allowed me to run admt. I do not
have a backup of the old DC from after the creation of that
trust.

My network is functional, and users are working. However I
can no longer run DHCP because of the Enterprise Admins
problem. Nor can I add any new DCs or domains since I don't
have all the FSMOs.

I suspect that I'm in pretty big trouble, and that my only
path to restoring normality is reinstalling everything, and
dealing with lots of nasty downstream affects, like all my
users' SIDs being orphaned.

I'm going to try restoring the old pre-trust DC from tape
to see if I can possibly give Enterprise & Schema admin
rights to my new DC, then transfer the two missing FSMOs. I
suspect that will not work.

Can anyone suggest anything useful, other than taking the
domain controllers out the window with me for a free-fall
conclusion to this fiasco?

Thanks in advance,

Bill B
 
Bill Barnard said:
I've recently brought up a new domain controller attempting
to consolidate a poorly named domain into a correctly named
one. It's a small domain, and had only one DC.
Click to expand...

You cannot "incorporate" one domain into another (after they are created.)
The attempt is futile.
I used the admt (Active Directory Migration Tool) to
migrate all my users, their computers, and their ACLs to
the new domain.
Click to expand...

That's migration of the objects from one domain into the other, not
incorporation.
However I was unable to demote the old DC,
and attempted to join it to the new domain by reinstalling
Win2K by reinstalling Win2K Server on it, then joining the
new domain and running dcpromo.
Click to expand...

Perfectly normal.
I find that I've missed some very important points in my
hurry to complete the job. I cannot promote the DC into the
new domain because I don't have the correct access rights,
nor did I transfer the two universal FSMOs (the domain
naming master and the schema master).
Click to expand...

Almost always a DNS issue (first thing to check anyway.)

All DNS clients (including DCs) must point to the correct, internal,
DYNAMIC DNS server (set).

In the process you likely have some of the clients pointing at either
another
DNS set or even externally (to the Internet.)
[/QUOTE]
 
Bill,

The "enterprise admins group" is a built in group that cannot be migrated
with ADMT. It should be there by default just like "domain admins" and
"schema admins". If you look in Active Directory Users and Computers in the
"users" container and you do not see the enterprise admins group, then maybe
you moved it to some other OU. Right click your domain name and do a find
and search AD for the enterprise admins group. You should have one. If you
find it, you might move the enterprise admins group back into the "users"
container. Then make sure that your "administrator" account is a member of
this group. In addition, make sure that the "enterprise admins" group is a
member of the "administrators" group. Make sure that none of these are
members of the guests or domain guests groups.

As far as your FSMO roles, you can seize those over to your good DC using
ntdsutil. The following KB article explains how to do this.
http://support.microsoft.com/?id=255504

If none of these things help, then you may have to consider restoring from
backup and starting over.

I hope this helps.

Ray Lava
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights
 
Hi Ray,

Thanks for your reply. I believe you correctly understand
the nature of my problem.

However my situation is a little worse than your
assessment. I sure wish I'd properly backed up the old DC
at the time I had both domains working in a Tree Root
Trust, as they were when I used ADMT to migrate my users
and computers. My only working backup of the old DC was
made prior to the establishment of the trust.

It seems there were four different critical things I
overlooked; the enterprise admins group, the schema admins
group; and two FSMO roles: the domain naming master, and
the schema master.

My new domain has no information in AD regarding the
missing admin groups. It does know the two FSMO roles
reside on the DC of the old domain.

I have a (now restored) backup of the old domain, but it
was made prior to the creation of the Tree Root Trust. I
made what appears to be a fatal mistake in not correctly
backing up the old domain after the creation of that trust.

My new domain believes the Tree Root Trust still exists.
My restored old domain has a newly created non-transitive
trust with the new domain. The trusts can be verified.

However I cannot transfer the FSMO roles via the normal
methods. Every attempt has failed with error messages
like "The transfer of the current operations master role
cannot be performed for the following reason: Insufficient
access rights to perform the operation." (This was an
attempt from new domain Domains & Trusts tool to transfer
the Domain naming operations master role from the old
domain to the new.)

Similarly I cannot seem to find a way to add any new
domain users or groups to the old domain enterprise/schema
admins groups. I'm guessing that even should I succeed in
seizing the two critical FSMO roles, that I'll still be
unable to resolve the missing enterprise/schema admins
groups. It seems I've created an uncrossable chasm between
the two domains.

I'm thinking that my only hope of recovering from this
will be to work directly with MS Support, though it seems
pretty hopeless to me. I'm guessing that I'm going to have
to completely recreate the new domain, recreate the Tree
Root Trust, and do the job correctly. The downside of that
solution is that all the new resource ACLs that have been
created in the new domain will be orphaned on all the
user's computers. There are not a large number of users,
but fixing this is likely to require a lot of time on my
part, and is likely to make me very unpopular.

So I have two questions, really.

1) Do you think MS Support MIGHT have a way to help me out
of this mess? (No guarantee is expected of course...)

2) Is there any tool that will allow me to find all files,
or other resources, on a computer using the criteria of
ownership. I have not yet found any such tool for Windows.
(I'm still wishing I'd remained in the unix world...)

Again, many thanks for your reply.

Best regards,

Bill
 
Back
Top