adprep /domainprep fails - Problem 4003 (INSUFF_ACCESS_RIGHTS) data 0

Peter Hutchings 1 Reputation point
2022-02-18T19:13:12.1+00:00

First up, my account is DOMAIN ADMIN and ENTERPRISE ADMIN. I am running CMD "as administrator".
(Just wanted to get that out there, as the majority of suggestions I've found on the net state these are prerequisites).

I've run SysInternals Process Explorer and confirmed the flag is "Mandatory" as opposed to "Deny". So the CMD is running with the required permissions (as far as I can tell!):
176001-sysinternals.jpg

We're in the process of replacing 3 x old Domain Controllers (running 2008 R2) with 3 x new Domain Controllers (running 2019).

Before the DCPROMO of the first 2019 server, we ran /forestprep with no errors.
We then ran /domainprep and are getting this error:
D:\support\adprep>adprep /domainprep
Adprep was unable to create the object CN=TPM Devices,DC=ecs-ict,DC=net in Active Directory Domain Services.
[Status/Consequence]
This Adprep operation failed.
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20220218172913 directory for more information. Restart Adprep.

Adprep encountered an LDAP error.
Error code: 0x32. Server extended error code: 0x5, Server error message: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Adprep was unable to update domain information.
[Status/Consequence]
Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20220218172913 directory for more information.
I've been Googling the bejesus out of this issue and can't find the solution.

Gone into ADSIEDIT and made sure that the Enterprise Admins, Domain Admins, and my own username have the correct permissions on the CONFIGURATION key, as it seems this is the crux of the problem... my account cannot create a new OU in AD. (See first line of the error above).
175898-adsiedit.jpg

If I open up Active Directory Users and Computers, there is no option for me to create a new OU in the root.
176002-noouadd.jpg

Any pointers in the right direction would be much appreciated!

Thanks,
Peter


4 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2022-02-18T20:09:50.417+00:00

    adprep has been an integrated part of domain controller promo for some time now so you might just try dcpromo.

    Some general info.

    The two prerequisites to introducing the first 2019 or 2022 domain controller are that the domain functional level needs to be 2008 or higher and the older SYSVOL FRS replication needs to have been migrated to DFSR:
    https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

    I'd use the dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2019 or 2022 server, patch it fully, license it, join it to the existing domain, add Active Directory Domain Services, promote it (also making it a GC, recommended), transfer the FSMO roles over (optional), transfer the PDC emulator role (optional), and use the dcdiag / repadmin tools again to verify health. When all is good you can decommission / demote the old one.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Peter Hutchings 1 Reputation point
    2022-02-18T20:37:16.197+00:00

    Hi,

    Thanks for the reply. We've tried ignoring the error and running a DCPROMO, but the latter stages of the DCPROMO process run their own Domain Prep, and it fails with the same error.

    Appreciate the General Info, but I've run a successful DCPROMO, ForestPrep and DomainPrep on many, many occasions. This isn't the first time.
    I've also run the migration to DFSR successfully on this domain.

    Looking for any advice on the error messages.


  3. Gary Reynolds 9,391 Reputation points
    2022-02-20T01:20:57.55+00:00

    Hi @Peter Hutchings

    The error suggests that the problem is related to a permissions issue on the domain context DC=ecs-ict,DC=net, rather than the configuration partition, which is preventing the creation of the CN=TPM Devices,DC=ecs-ict,DC=net object. This is probably also the reason why the "create new objects" sub-menu is not shown in ADUC.

    I would check what permissions have been assigned and whether there are any deny permissions added that may be preventing you from creating the object.

    Just for reference, the TPM Devices object is not an organizationalUnit object; it's a msTPM-InformationObjectsContainer object, which you can't create in ADUC. You will need to use ADSIEdit to create it manually.

    Gary.


  4. Peter Hutchings 1 Reputation point
    2022-02-28T18:25:29.663+00:00

    Kudos to Tom...

    Found the answer in another forum:
    https://community.spiceworks.com/topic/2325216-domain-controller-replication-failing-replication-access-denied?page=1#entry-9404140

    DENY permissions were set on a group that my Administrator account was a member of. These DENY permissions were set on Properties > Security > Advanced on the root partition of the Default Naming Context.
    Took these off (i.e. removed the DENY permissions that were set on the group that I was a member of) and, just like that, all is good!

    Granted, this screenshot shows ALLOW - sorry, I'd already removed the DENY permissions before taking a screenshot! But the DENY permissions were on the "DESKTOP ADMIN" group, which I'm a member of, hence preventing my account from performing the necessary actions that the domainprep wanted it to:
    178584-image.png

    This was a nightmare to find the answer to, so I'm hoping this will help someone else. I actually found the answer while looking for the fix to another error (which DCDIAG threw up). I never actually found anything when searching for "Problem 4003 (INSUFF_ACCESS_RIGHTS) data 0".

    Cheers,
    Hutch.
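The two answers above point at the same root cause: a Deny ACE on the domain naming context that applies to a group the admin account belongs to, and which ADSIEdit does not make obvious when you only look at Enterprise Admins or Domain Admins directly. The script below is an added example (not part of the thread or of any Microsoft tool) that reads the DACL of the domain root through the ActiveDirectory module's AD: drive, lists every explicit Deny ACE, and flags those whose trustee SID is present in the current logon token, nested group membership included. It assumes the RSAT ActiveDirectory module is installed and that the account can read the domain root's security descriptor; the function name Get-DomainRootDenyAces and the -Server parameter are choices made for this example.

```powershell
# Added example, not from the thread: audit explicit Deny ACEs on the root of the
# default naming context and flag those that apply to the account running it.
# Assumes the ActiveDirectory RSAT module is installed and the account has read
# access to the domain root's security descriptor.
Import-Module ActiveDirectory

function Get-DomainRootDenyAces {
    param(
        # Optional DC to query; defaults to the current domain.
        [string]$Server
    )

    $domainParams = @{}
    if ($Server) { $domainParams['Server'] = $Server }
    # Distinguished name of the domain root, e.g. DC=ecs-ict,DC=net in the thread above.
    $domainDn = (Get-ADDomain @domainParams).DistinguishedName

    # Read the DACL of the domain root through the AD: provider.
    $acl = Get-Acl -Path ("AD:\" + $domainDn)

    # SIDs present in the current logon token (user SID plus all group SIDs,
    # nested groups included). A Deny ACE for any of these affects this account.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }

        # IdentityReference is usually DOMAIN\Name; translate it to a SID so it can
        # be matched against the token. Unresolvable (orphaned) SIDs stay as-is.
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value
        }

        [PSCustomObject]@{
            Trustee              = $ace.IdentityReference.Value
            Rights               = $ace.ActiveDirectoryRights
            # An all-zero ObjectType GUID means the ACE covers every class/attribute,
            # so a Deny of CreateChild there blocks creating any object under the root.
            ObjectType           = $ace.ObjectType
            Inheritance          = $ace.InheritanceType
            Inherited            = $ace.IsInherited
            AppliesToCurrentUser = ($tokenSids -contains $sid)
        }
    }
}

# Show every Deny ACE on the domain root, the ones hitting the current account first.
Get-DomainRootDenyAces | Sort-Object AppliesToCurrentUser -Descending | Format-Table -AutoSize
```

A row with AppliesToCurrentUser set to True, Inherited set to False and CreateChild among the rights is exactly the situation described in the final answer: Deny entries win over the Allow entries granted to Domain Admins and Enterprise Admins, so the elevated token is irrelevant. Run it in the same elevated session that adprep uses so the token groups match (whoami /groups shows the same membership). Once a matching ACE has been reviewed and confirmed to serve no purpose, the AD: provider removes it with $acl.RemoveAccessRule($ace) followed by Set-Acl -Path ("AD:\" + $domainDn) -AclObject $acl; re-running the function afterwards confirms the DACL is clean before retrying adprep /domainprep.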