Don't ask me to explain it, but I logged out of the domain admin account, and logged in as another account (which is *also* in the Domain Admins, Enterprise Admins, Schema Admins groups, exactly like the domain administrator account).
And it worked perfectly, exactly as it should. Huh? I had even waited up to an hour, re-trying the command, thinking it was just the fact that it was trying to replicate (and couldn't). Weird.

Anyway, off to do the child domain (seizing schema *first* this time, I think :-)), and then to do the metadata cleanup ...

Thanks

On 11/18/2010 2:41 PM, Mike Leone wrote:
> So I am setting up a testing version of my domain, to practice upgrading
> from Win2003 AD to Win2008 AD, by making a copy of my domain on my ESX
> cluster. We have a parent and child domain structure. I have 1 DC in
> each domain as a VM (each is a DNS server, but do *not* hold any FSMO
> roles). So I made a copy of each, and then started the copy on a
> separate virtual subnet on my ESX server (separate because it is not
> tied to any physical adapters, so the only things it can talk to are the
> other systems on this subnet). I changed the IP address to the new
> subnet, and then went to seize FSMO roles, so I could make a working
> copy of my domain, to play with.
>
> (I've done this before, successfully, using VMs)
>
> So I was able to seize 4 roles - domain naming master, infrastructure
> master, PDC, RID master - in that order. All was well. Then I tried to
> seize the schema master role, and got:
>
> ----------------------------------------
> fsmo maintenance: seize schema master
> Attempting safe transfer of schema FSMO before seizure.
> ldap_modify_sW error 0x32(50 (Insufficient Rights).
> Ldap extended error message is 00002098: SecErr: DSID-03151D7D, problem
> 4003 (INSUFF_ACCESS_RIGHTS), data 0
>
> Win32 error returned is 0x2098(Insufficient access rights to perform the
> operation.)
> )
> Depending on the error code this may indicate a connection,
> ldap, or role transfer error.
> Transfer of schema FSMO failed, proceeding with seizure ...
> ldap_modify of SD failed with 0x32(50 (Insufficient Rights).
> Ldap extended error message is 00000005: SecErr: DSID-03151E04, problem
> 4003 (INSUFF_ACCESS_RIGHTS), data 0
>
> Win32 error returned is 0x5(Access is denied.)
> ----------------------------------------
>
> And I don't know why, as I am using the domain administrator account,
> which *is* a member of Domain Admins, Enterprise Admins, and Schema
> Admins (I double-checked). And this DC is also a GC.
>
> So I don't know why I am getting insufficient access rights. Those 2
> things (group membership, GC) seem to be the common culprits, according
> to searches.
>
> Where to look next? Did I seize them in the wrong order or something?